Cloudflared automated download

I’ve started to use cloudflared in all of my contract work, and am really impressed with the solution. Switching to Cloudflare tunnels drastically simplifies the platform infrastructure requirements.

I’m building a bare-metal implementation that manually downloads the latest cloudflared binary like this (hostnames mangled because I can’t include links in a post, which is honestly pretty ridiculous):

$ curl -v -L github_com/Cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-amd64.tgz -o /tmp/cloudflared

It appears that github temporarily broke the “latest” redirect, requiring me to use a specific version number, and when I downloaded the binary with curl instead of from the browser, github was returning a seemingly endless streams of random bytes, far more than the expected 18MB.

I’m sure this was a temporary misconfiguration issue, and the problem eventually went away, but it occurred to me that Cloudflare really shouldn’t be hosting such a critical piece of infrastructure on github. I’m not suggesting that Microsoft has any bad intensions, but this is effectively a break in the zero-trust chain, because if you controlled github_com then you could inject a malicious cloudflared binary, one that is often downloaded in an automated/headless way, and one that serves as the SSL-termination point for all of the customer’s traffic. Beyond that, it makes github_com a dependency for your deployment pipeline, and they use AWS for DNS, not Cloudflare.

Ideally the user would be able to download cloudflared directly from cloudflare_com, or at a minimum download a signature/checksum for verification.

Thanks!

1 Like
1 Like

Thumbs up for this!

I’d recommend providing your feedback on the GitHub issue as it’s more likely to be seen by the maintainers of cloudflared there - Sudarshan has already replied giving some insight.

Thanks for flagging this @KianNH ! The reason we want to continue keeping the binaries on Github is to mostly account for some redundancies. Binaries are usually intended to be a fallback mechanism if apt/brew installations somehow fail.

All our releases come with checksums for binaries as well so you can verify downloads.

Finally, if you want to get a specific deb or rpm from the pkg.cloudflare.com site, there is a not so straightforward way: You can always wget https://pkg.cloudflare.com/cloudflared/pool/main/c/cloudflared/cloudflared_2022.9.0_amd64.deb.

Just be sure to replace the version and arch based on your need. Obviously, this isn’t a binary and the deb, but a surefire way to get this outside of your pkg manager.

1 Like

Thanks Sudarsan,

The main reason I don’t consider the binaries a “fallback” is because I’m building an extremely light-weight deployment that can run entirely in user-land.

For example, you have a non-root login on an existing compute resource, all you need is your application source and cloudflared to run an SSL-terminated web service without needing to have root access to install anything with a package-manager.

Ultimately I’d like the only 3rd-party I have to trust to be Cloudflare, since they are also my top-level DNS and SSL-termination anyway.

That’s a completely reasonable expectation. Does the presence of checksums on the release page help with this concern somehow?

@Sudarsan, checksums would only be helpful if they came from cloudflare_com for the same security reasons.