Cloudflare Warp Beta (now Argo Tunnel)


#1

Hello!

Today we are launching a very limited beta for a new feature called Cloudflare Warp. If you signed up and received a confirmation email, you’ve come to the right place.

We’re excited to get your thoughts and ideas about Cloudflare Warp. Let us know what you think - both good and bad, and how you end up using the product. Looking forward to hearing from you.

-Dani

#2

Where do I sign up?


#3

Where do I sign up?

The first round of slots were filled. We will post an update if/when more open up. Stay tuned!


#4

What is Cloudflare Warp? How do I sign up to these beta service notifications? Thanks!


#5

I’ve just been granted access (woo) and am getting the following

cloudflare-warp --hostname l3.absolutemusic.co.uk --hello-world --api-key MY_API_KEY_FROM_ACCOUNT --api-email MY_EMAIL_ADDRESS_ON_THE_ACCOUNT --debug

INFO[0000] Starting Hello World Server at http://127.0.0.1:61613
INFO[0000] Proxying tunnel requests to http://127.0.0.1:61613
INFO[0000] Starting metrics server                       addr=127.0.0.1:61614
INFO[0001] Connected to LHR
ERRO[0001] Registration error
INFO[0001] Retrying in 1s seconds
INFO[0003] Connected to AMS
ERRO[0003] Registration error
INFO[0003] Retrying in 2s seconds

Do I need to enable anything in the admin panel (can’t see it!)?


#6

Do I need to enable anything in the admin panel (can’t see it!)

Thanks for letting us know! We’re taking a look – is this the version for Mac downloaded from Homebrew?


#7

I’m on High Sierra 10.13, Homebrew failed.

I installed from the curl command.

I’m just trying again now from home and getting the same errors, I’ve made config files etc and these validate but no cigar :frowning:

do you want some form of verbose debug log?


#8

ok, got it running,

the setup / login on 10.13 crashes out, and I had missed out the ca-key on my own yml file

all working now,

time for some serious tinkering.

thanks :slight_smile:


#9

Hi, @dani. One of the best features you should add is multi-hostname support, since a proxy server is commonly configured to host multiple apps. It would be a good option for developers to deploy a container that handles multiple hosts. Thank you.


#10

What level is this designed to run at, purely development sites behind firewalls, or full on production?


#11

I’m unable to login in case of CAPTCHA request. On Ubuntu, installed via curl as explained in the docs, when I create the .cloudflare-warp.yml as in the documentation:

api-key: myApiKey api-email: [email protected] api-ca-key: myCAapiKey

I get this error:

$ cloudflare-warp login
Unable to load Yaml file ‘/root/.cloudflare-warp.yml’: inner error:
‘yaml: mapping values are not allowed in this context’

I’m pretty sure the syntax is correct, there are spaces separating all keys and values.

If I separate the values in lines, like in the example cloudflare-warp.yml in the documentation:

api-key: myApiKey
api-email: [email protected]
api-ca-key: myCAapiKey

I get this different error:

$ cloudflare-warp login
You have an existing config file at ~/.cloudflare-warp.yml which login would overwrite.
If this is intentional, please move or delete that file then run this command again.

My account is not part of any organization.


#12

Had this running this morning quite happily

then

➜  .cloudflare cloudflare-warp --config config.yml
INFO[0000] Proxying tunnel requests to https://xxx.xxx.co.uk
INFO[0000] Starting metrics server                       addr=127.0.0.1:50558
INFO[0001] Connected to LHR
INFO[0001] There are currently 0 active tunnels for this zone. You are allowed to have 2  subsystem=rpc
INFO[0001] Registered at https://xxx.xxx.co.uk
INFO[0001] There are currently 0 active tunnels for this zone. You are allowed to have 2
ERRO[1663] Tunnel error                                  error="Application error: 3002 connection dropped"
INFO[1663] Retrying in 1s seconds
INFO[1665] Connected to LHR
ERRO[1665] Registration error
INFO[1665] Retrying in 2s seconds
INFO[1669] Connected to AMS
ERRO[1669] Registration error
INFO[1669] Retrying in 4s seconds
INFO[1674] Connected to AMS
ERRO[1674] Registration error
INFO[1674] Retrying in 8s seconds
INFO[1683] Connected to AMS
ERRO[1683] Registration error
INFO[1683] Retrying in 16s seconds
INFO[1701] Connected to AMS
ERRO[1701] Registration error
INFO[1701] Quitting...
INFO[1701] Metrics server stopped

#13

Running with --debug flag and just left with no real traffic over it:

Here are the last few lines from output

DEBU[12808] rx (return = (answerId = 0, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [(senderHosted = 0)])))  subsystem=rpc
DEBU[12808] tx (finish = (questionId = 0, releaseResultCaps = false))  subsystem=rpc
DEBU[12808] read frame                                    data=[FrameHeader DATA stream=1 len=104] dir=read name= subsystem=mux
DEBU[12808] writable                                      dir=write name= stream=1 subsystem=mux
DEBU[12808] rx (return = (answerId = 1, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [])))  subsystem=rpc
DEBU[12808] output data                                   dir=write len=40 name= stream=1 subsystem=mux
DEBU[12808] tx (finish = (questionId = 1, releaseResultCaps = false))  subsystem=rpc
DEBU[12808] writable                                      dir=write name= stream=1 subsystem=mux
DEBU[12808] output data                                   dir=write len=40 name= stream=1 subsystem=mux
DEBU[12809] read frame                                    data=[FrameHeader DATA stream=1 len=168] dir=read name= subsystem=mux
DEBU[12809] rx (return = (answerId = 2, releaseParamCaps = false, exception = (reason = "backendrpc/backendrpc.capnp:TunnelServer.registerTunnel: rpc exception: rpc: connection closed", type = failed, obsoleteIsCallersFault = false, obsoleteDurability = 0)))  subsystem=rpc
INFO[12809] Connected to AMS
DEBU[12809] tx (finish = (questionId = 2, releaseResultCaps = true))  subsystem=rpc
DEBU[12809] rx error                                      error="context canceled" subsystem=rpc
DEBU[12809] writable                                      dir=write name= stream=1 subsystem=mux
DEBU[12809] tx (abort = (reason = "rpc: shutdown", type = failed, obsoleteIsCallersFault = false, obsoleteDurability = 0))  subsystem=rpc
DEBU[12809] output data                                   dir=write len=40 name= stream=1 subsystem=mux
DEBU[12809] writable                                      dir=write name= stream=1 subsystem=mux
DEBU[12809] output data                                   dir=write len=64 name= stream=1 subsystem=mux
DEBU[12809] resetting stream                              dir=write name= stream=1 subsystem=mux
DEBU[12809] sending GOAWAY code NO_ERROR                  dir=write name= subsystem=mux
DEBU[12809] shutting down                                 dir=read name= subsystem=mux
DEBU[12809] event loop finished                           dir=read name= subsystem=mux
DEBU[12809] aborting writer thread                        dir=write name= subsystem=mux
DEBU[12809] event loop finished                           dir=write name= subsystem=mux
ERRO[12809] Registration error
INFO[12809] Quitting...
INFO[12809] Metrics server stopped

#14

Three things so far:

  • Feedback 1
    • Problem: The automated login/registration process using cloudflare-warp login didn’t work. This was already reported in this thread. I worked around it by creating the configuration file on my own.
    • Solution: n/a
  • Feedback 2
    • Problem: The warp agent seems to validate certificates on their own, so it seems not to be possible to route sites with self-signed certificates over the tunnel:
      ERRO[0004] HTTP request error error="Get https://internal.domain.tld/: x509: certificate signed by unknown authority".
    • Suggestion: Is there any way to allow even “invalid” certificates? Cloudflare’s SSL-setting to “Flexible” doesn’t seem to change anything here. At least implement a parameter to skip certificate checks.
  • Feedback 3
    • Problem: On every start of the Warp agent its own origin certificate seems to be issued and added on Cloudflare. Especially when testing and implementing this functionality, many restarts and tests were needed, resulting in hundreds of generated origin certificates. Even after a few tries my list is already quite long and ruins the overview in the Cloudflare web interface.
    • Suggestion: Do not generate a new origin certificate on every agent start. Some ideas: bind it to the tunnel URL (local webserver), to each agent (generating a special agent ID?), always use the same certificate until a dedicated parameter such as “--generate-new-origin-cert” is specified, generate new ones after a specific time (each hour?), etc.

Overall Cloudflare Warp is a very cool thing! I think there are some interested customers out there who could benefit from this. I like Warp, but as “Argo” is going to be required after the beta, it’s quite uninteresting for me as a private individual due to the pricing.
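Feedback 2 above is an agent rejecting an origin whose certificate chains to no trusted root. As an added example (not Cloudflare's or the Warp agent's code), the Go program below shows the alternative to a "skip certificate checks" switch: add the private or self-signed origin certificate to the client's root pool and keep full validation on. It assumes a local httptest HTTPS server standing in for the internal web server; `fetch`, `IsUnknownAuthority` and `Demo` are names chosen here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch GETs url, validating the origin certificate against pool only; InsecureSkipVerify is never set.
func fetch(url string, pool *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// IsUnknownAuthority reports whether err is the x509 "certificate signed by unknown authority" failure quoted in the thread.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Demo starts a local HTTPS origin with a self-signed certificate (httptest generates one, standing in
// for the internal web server) and returns the outcome for a client that lacks its issuer and one that trusts it.
func Demo() (errUntrusted, errTrusted error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	defer srv.Close()
	// An empty pool plays the role of public roots that know nothing about an internal CA: validation fails.
	errUntrusted = fetch(srv.URL, x509.NewCertPool())
	// Pin the origin's own certificate as a trust anchor instead of disabling verification: same request succeeds.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	errTrusted = fetch(srv.URL, trusted)
	return errUntrusted, errTrusted
}

func main() {
	u, t := Demo()
	fmt.Printf("untrusted client: %v\ntrusted client: %v\n", u, t)
}
```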


#15

Thank you so much @pkernstock for taking the time to give feedback!

Login – yes. We’re going to build a new login mechanism to fix the existing issues.

Self-signed certificates – just checking, are these self-signed certificates at the edge or at the origin?

Lots of origin certificates - ah, yes yes we are fixing!


#16

Thanks so much @alex6! We’re taking a look. Which OS are you running Warp on?


#17

Thanks @CorralPeltzer! Just checking - you did not create the yaml file manually, before getting ‘You have an existing config file at ~/.cloudflare-warp.yml which login would overwrite.’, this is the output of running the login command twice?


#18

@alex6 - during the beta, this should definitely not be used for any production systems.


#19

@itsmechlark - awesome, great idea.


#20

Self-signed certificates – just checking, are these self-signed certificates at the edge or at the origin?

At the origin. (It was an internal webserver.)