cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

🐛Cannot enable Post-Quantum tunnel using Environment variable #773

Open priceaj opened 1 year ago

priceaj commented 1 year ago

Describe the bug

Using the cloudflared:latest Docker image (version 2022.10.0), the TUNNEL_POST_QUANTUM environment variable does not seem to work.

To Reproduce

My Docker compose is specified as follows:

version: '3'

services:
  cloudflared:
    image: "cloudflare/cloudflared"
    container_name: "cloudflared"
    command:
      - "tunnel"
    environment:
      - TUNNEL_FORCE_PROVISIONING_DNS=true
      - TUNNEL_RUN_FORCE_OVERWRITE=true
      - TUNNEL_URL=https://traefik.local/
      - TUNNEL_HOSTNAME=XXX.XXX.com
      - NO_TLS_VERIFY=TRUE
      - TUNNEL_NAME=tunnel
      - TUNNEL_CRED_FILE=/etc/cloudflared/cloudflared.json
      # logging
      - TUNNEL_LOGLEVEL=debug
      - TUNNEL_TRANSPORT_LOGLEVEL=debug
      - TUNNEL_POST_QUANTUM=true
    volumes:
      - "cloudflared_data:/etc/cloudflared"
    restart: unless-stopped

volumes:
  cloudflared_data:
    external: true

I have tried setting TUNNEL_POST_QUANTUM to TRUE, true, "TRUE", "true"

If it's an issue with Cloudflare Tunnel:

  1. Tunnel ID : N/A
  2. cloudflared config: See docker config above

Expected behavior

Expected logs to show a line stating "Using experimental hybrid post-quantum key agreement" as per https://blog.cloudflare.com/post-quantum-tunnel/

Environment and versions

Logs and errors

For all cases, when starting up, the logs show:

2022-10-04T20:12:27Z INF Settings: map[no-autoupdate:true]
2022-10-04T20:12:27Z INF Environmental variables map[XXX TUNNEL_POST_QUANTUM:true XXX]
2022-10-04T20:12:27Z INF Generated Connector ID: XXX
2022-10-04T20:12:27Z INF Initial protocol quic
2022-10-04T20:12:27Z INF ICMP proxy will use XXX as source for IPv4

There should be an additional line after "Initial protocol quic" mentioning the post-quantum key agreement algorithm which is used.

Additional context

Note that the other two boolean variables specified in the environment variables do seem to work:

  - TUNNEL_FORCE_PROVISIONING_DNS=true
  - TUNNEL_RUN_FORCE_OVERWRITE=true

and both are specified differently in subcommands.go when compared to the postQuantumFlag:

postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
forceDeleteFlag = &cli.BoolFlag{
overwriteDNSFlag = &cli.BoolFlag{

Not sure if that could be the cause of the issue.

bwesterb commented 1 year ago

Thanks for reporting this and digging into it yourself already a bit.

On cloudflared 2022.9.1 the environmental variables work.

$ cloudflared --version
cloudflared version 2022.9.1 (built 2022-09-21T19:52:59Z)
$ TUNNEL_POST_QUANTUM=true cloudflared tunnel run [...]
2022-10-04T22:46:39Z INF Starting tunnel tunnelID=[...]
2022-10-04T22:46:39Z INF GOOS: darwin, GOVersion: go1.19.1, GoArch: amd64
2022-10-04T22:46:39Z INF Environmental variables map[TUNNEL_POST_QUANTUM:true]
2022-10-04T22:46:39Z INF cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/
2022-10-04T22:46:39Z INF Generated Connector ID: [...]
2022-10-04T22:46:39Z INF Initial protocol quic
2022-10-04T22:46:39Z INF Using experimental hybrid post-quantum key agreement X25519Kyber768Draft00
[...]

Checking the docker image now.

bwesterb commented 1 year ago

Ok, I figured it out. The issue is that you're not running a named Tunnel (cloudflared tunnel run name), but instead are using a quick tunnel (cloudflared tunnel). The flag is only defined for the former. We'll add the flag to the quick tunnels too, but in the meantime you can use a named Tunnel.
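A check for the symptom discussed in this thread, added here as an example (it is not cloudflared's code, nor the reporter's or maintainer's): it classifies a cloudflared startup log into three states so a deployment can fail fast when TUNNEL_POST_QUANTUM was read by cloudflared but silently ignored, which is what happens on a quick tunnel (cloudflared tunnel) as opposed to a named one (cloudflared tunnel run name). The sample log lines are constructed from the ones quoted in this issue; the function and variable names (pq_status, pq_algorithm, check_container, QUICK_LOG, NAMED_LOG, NOENV_LOG) are this example's own.

```shell
#!/bin/sh
# Added example, not part of cloudflared: classify a cloudflared startup log.
# Status printed by pq_status (exit code in parentheses):
#   negotiated (0) - "Using experimental hybrid post-quantum key agreement" present
#   ignored    (1) - TUNNEL_POST_QUANTUM=true reached cloudflared's environment
#                    map but no PQ line followed: the quick-tunnel symptom in
#                    this issue, where the flag is not defined for `cloudflared tunnel`
#   unset      (2) - cloudflared never saw TUNNEL_POST_QUANTUM at all

pq_status() {
    if printf '%s\n' "$1" | grep -q 'Using experimental hybrid post-quantum key agreement'; then
        echo negotiated
        return 0
    fi
    if printf '%s\n' "$1" | grep -q 'Environmental variables map\[.*TUNNEL_POST_QUANTUM:true'; then
        echo ignored
        return 1
    fi
    echo unset
    return 2
}

# Name of the negotiated hybrid key agreement (e.g. X25519Kyber768Draft00),
# empty if none was logged.
pq_algorithm() {
    printf '%s\n' "$1" | sed -n 's/.*post-quantum key agreement \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Convenience wrapper for a running container; cloudflared logs to stderr,
# hence 2>&1. Assumes the docker CLI is available (not exercised below).
check_container() {
    pq_status "$(docker logs "$1" 2>&1)"
}

# Constructed sample logs, trimmed from the ones quoted in this issue.
QUICK_LOG='2022-10-04T20:12:27Z INF Environmental variables map[TUNNEL_POST_QUANTUM:true]
2022-10-04T20:12:27Z INF Generated Connector ID: XXX
2022-10-04T20:12:27Z INF Initial protocol quic'

NAMED_LOG='2022-10-04T22:46:39Z INF Environmental variables map[TUNNEL_POST_QUANTUM:true]
2022-10-04T22:46:39Z INF Initial protocol quic
2022-10-04T22:46:39Z INF Using experimental hybrid post-quantum key agreement X25519Kyber768Draft00'

NOENV_LOG='2022-10-04T22:46:39Z INF Environmental variables map[]
2022-10-04T22:46:39Z INF Initial protocol quic'

for sample in "$QUICK_LOG" "$NAMED_LOG" "$NOENV_LOG"; do
    if pq_status "$sample" >/dev/null; then
        echo "ok: post-quantum key agreement $(pq_algorithm "$sample") negotiated"
    else
        echo "warn: post-quantum key agreement not in effect (status: $(pq_status "$sample"))"
    fi
done
```

The "ignored" state is the one worth alerting on: the env var is visible in the "Environmental variables" map, so it looks configured, yet no key agreement line follows. Per the maintainer's diagnosis, the fix on the reporter's compose file is to run a named tunnel, i.e. pass the tunnel name as a positional argument in the container command (command: ["tunnel", "run", "tunnel"] for a tunnel called "tunnel") instead of the bare "tunnel" quick-tunnel command; whether other env vars in that compose file also behave differently between the two commands is not established by this thread and should be checked the same way against the logs.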

bwesterb commented 1 year ago

Or, if you're impatient, apply

diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
index a45e6e0c..6acafe4b 100644
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -665,6 +665,13 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
                        EnvVars: []string{"TUNNEL_MAX_FETCH_SIZE"},
                        Hidden:  true,
                }),
+               altsrc.NewBoolFlag(&cli.BoolFlag{
+                       Name:    "post-quantum",
+                       Usage:   "When given creates an experimental post-quantum secure tunnel",
+                       Aliases: []string{"pq"},
+                       EnvVars: []string{"TUNNEL_POST_QUANTUM"},
+                       Hidden:  FipsEnabled,
+               }),
                selectProtocolFlag,
                overwriteDNSFlag,
        }...)
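Review bot: the BoolFlag added in this hunk duplicates the postQuantumFlag that the issue text says is already defined in subcommands.go for tunnel run, with the same Name "post-quantum", alias "pq", EnvVars TUNNEL_POST_QUANTUM and Hidden: FipsEnabled; prefer appending the existing postQuantumFlag variable to this list, as the hunk already does for selectProtocolFlag and overwriteDNSFlag, so the two commands cannot drift (in particular the FipsEnabled hiding condition, which is the security-relevant part of the definition). The Usage string "When given creates an experimental post-quantum secure tunnel" would also benefit from stating that the flag is silently hidden under FIPS builds, since the reporter's symptom was exactly an env var being accepted into the environment map and then ignored.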
priceaj commented 1 year ago

Thanks. I thought having the TUNNEL_NAME env var was equivalent to running tunnel run name, but based on what you have said, I guess not. It does create a named tunnel on my cloudflare account though!

To be honest, the Docker cloudflared and the environment variables aren't that well documented, so I've had to try to piece together a configuration that works, ideally where I can deploy a new service directly from a compose file, in a single step, without having to copy config files around.

Thanks for the fix. I'll wait till it appears in an official version; my docker instance should automatically upgrade and pick it up, so I will leave the environment variable in place till it does.