2023-01-27 13:37:20 -08:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2022-11-09 06:55:17 -08:00
|
|
|
|
2025-09-13 20:20:08 -07:00
|
|
|
//go:build !ts_omit_serve
|
|
|
|
|
|
|
|
|
|
// TODO: move this whole file to its own package, out of ipnlocal.
|
|
|
|
|
|
2022-11-09 06:55:17 -08:00
|
|
|
package ipnlocal
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2023-09-11 19:33:20 -04:00
|
|
|
"crypto/sha256"
|
2022-11-09 06:55:17 -08:00
|
|
|
"crypto/tls"
|
2023-09-11 19:33:20 -04:00
|
|
|
"encoding/hex"
|
2022-11-11 21:46:26 -05:00
|
|
|
"encoding/json"
|
2022-11-09 06:55:17 -08:00
|
|
|
"errors"
|
2022-11-09 21:04:05 -08:00
|
|
|
"fmt"
|
2022-11-09 06:55:17 -08:00
|
|
|
"io"
|
2025-09-13 20:20:08 -07:00
|
|
|
"maps"
|
2024-04-03 08:48:58 -07:00
|
|
|
"mime"
|
2022-11-09 06:55:17 -08:00
|
|
|
"net"
|
|
|
|
|
"net/http"
|
2022-11-09 21:27:09 -08:00
|
|
|
"net/http/httputil"
|
2022-11-09 15:38:09 -08:00
|
|
|
"net/netip"
|
2022-11-09 21:27:09 -08:00
|
|
|
"net/url"
|
2022-11-10 14:16:37 -08:00
|
|
|
"os"
|
|
|
|
|
"path"
|
2023-08-16 22:09:53 -07:00
|
|
|
"slices"
|
2022-11-07 10:46:42 -05:00
|
|
|
"strconv"
|
2022-11-09 21:27:09 -08:00
|
|
|
"strings"
|
2022-11-10 14:16:37 -08:00
|
|
|
"sync"
|
2023-10-20 12:04:00 +01:00
|
|
|
"sync/atomic"
|
2022-11-09 06:55:17 -08:00
|
|
|
"time"
|
2024-04-03 08:48:58 -07:00
|
|
|
"unicode/utf8"
|
2022-11-09 06:55:17 -08:00
|
|
|
|
2025-10-20 11:40:30 -04:00
|
|
|
"github.com/pires/go-proxyproto"
|
2025-09-13 20:20:08 -07:00
|
|
|
"go4.org/mem"
|
2022-11-09 06:55:17 -08:00
|
|
|
"tailscale.com/ipn"
|
|
|
|
|
"tailscale.com/net/netutil"
|
2022-11-11 21:46:26 -05:00
|
|
|
"tailscale.com/syncs"
|
2022-11-07 10:46:42 -05:00
|
|
|
"tailscale.com/tailcfg"
|
2023-10-19 18:38:37 +01:00
|
|
|
"tailscale.com/types/lazy"
|
2022-11-11 21:46:26 -05:00
|
|
|
"tailscale.com/types/logger"
|
2025-10-03 17:52:41 +01:00
|
|
|
"tailscale.com/types/views"
|
2025-09-28 11:03:46 -07:00
|
|
|
"tailscale.com/util/backoff"
|
2025-09-13 20:20:08 -07:00
|
|
|
"tailscale.com/util/clientmetric"
|
2024-01-16 13:56:23 -08:00
|
|
|
"tailscale.com/util/ctxkey"
|
2022-11-11 21:46:26 -05:00
|
|
|
"tailscale.com/util/mak"
|
2025-09-13 20:20:08 -07:00
|
|
|
"tailscale.com/util/slicesx"
|
2023-01-20 13:40:56 -05:00
|
|
|
"tailscale.com/version"
|
2022-11-09 06:55:17 -08:00
|
|
|
)
|
|
|
|
|
|
2025-09-13 20:20:08 -07:00
|
|
|
func init() {
|
|
|
|
|
hookServeTCPHandlerForVIPService.Set((*LocalBackend).tcpHandlerForVIPService)
|
|
|
|
|
hookTCPHandlerForServe.Set((*LocalBackend).tcpHandlerForServe)
|
|
|
|
|
hookServeUpdateServeTCPPortNetMapAddrListenersLocked.Set((*LocalBackend).updateServeTCPPortNetMapAddrListenersLocked)
|
|
|
|
|
|
|
|
|
|
hookServeSetTCPPortsInterceptedFromNetmapAndPrefsLocked.Set(serveSetTCPPortsInterceptedFromNetmapAndPrefsLocked)
|
|
|
|
|
hookServeClearVIPServicesTCPPortsInterceptedLocked.Set(func(b *LocalBackend) {
|
|
|
|
|
b.setVIPServicesTCPPortsInterceptedLocked(nil)
|
|
|
|
|
})
|
|
|
|
|
|
2025-11-09 16:13:39 -08:00
|
|
|
hookMaybeMutateHostinfoLocked.Add(maybeUpdateHostinfoServicesHashLocked)
|
|
|
|
|
hookMaybeMutateHostinfoLocked.Add(maybeUpdateHostinfoFunnelLocked)
|
|
|
|
|
|
2025-09-13 20:20:08 -07:00
|
|
|
RegisterC2N("GET /vip-services", handleC2NVIPServicesGet)
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-19 07:12:31 +01:00
|
|
|
const (
|
|
|
|
|
contentTypeHeader = "Content-Type"
|
|
|
|
|
grpcBaseContentType = "application/grpc"
|
|
|
|
|
)
|
|
|
|
|
|
2023-09-11 19:33:20 -04:00
|
|
|
// ErrETagMismatch signals that the given
|
|
|
|
|
// If-Match header does not match with the
|
|
|
|
|
// current etag of a resource.
|
|
|
|
|
var ErrETagMismatch = errors.New("etag mismatch")
|
|
|
|
|
|
2024-01-16 13:56:23 -08:00
|
|
|
var serveHTTPContextKey ctxkey.Key[*serveHTTPContext]
|
2022-11-09 21:04:05 -08:00
|
|
|
|
|
|
|
|
type serveHTTPContext struct {
|
2025-01-20 12:02:53 -05:00
|
|
|
SrcAddr netip.AddrPort
|
2025-01-21 17:07:34 -05:00
|
|
|
ForVIPService tailcfg.ServiceName // "" means local
|
2025-01-20 12:02:53 -05:00
|
|
|
DestPort uint16
|
2024-08-08 10:46:45 -04:00
|
|
|
|
|
|
|
|
// provides funnel-specific context, nil if not funneled
|
2025-10-22 09:41:19 +01:00
|
|
|
Funnel *funnelFlow
|
|
|
|
|
// AppCapabilities lists all PeerCapabilities that should be forwarded by serve
|
|
|
|
|
AppCapabilities views.Slice[tailcfg.PeerCapability]
|
2024-08-08 10:46:45 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// funnelFlow represents a funneled connection initiated via IngressPeer
|
|
|
|
|
// to Host.
|
|
|
|
|
type funnelFlow struct {
|
|
|
|
|
Host string
|
|
|
|
|
IngressPeer tailcfg.NodeView
|
2022-11-09 21:04:05 -08:00
|
|
|
}
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
// localListener is the state of host-level net.Listen for a specific (Tailscale IP, port)
|
2022-11-11 21:46:26 -05:00
|
|
|
// combination. If there are two TailscaleIPs (v4 and v6) and three ports being served,
|
|
|
|
|
// then there will be six of these active and looping in their Run method.
|
|
|
|
|
//
|
|
|
|
|
// This is not used in userspace-networking mode.
|
|
|
|
|
//
|
2024-04-03 10:09:58 -07:00
|
|
|
// localListener is used by tailscale serve (TCP only), the built-in web client and Taildrive.
|
2023-11-08 16:05:33 -08:00
|
|
|
// Most serve traffic and peer traffic for the web client are intercepted by netstack.
|
|
|
|
|
// This listener exists purely for connections from the machine itself, as that goes via the kernel,
|
|
|
|
|
// so we need to be in the kernel's listening/routing tables.
|
|
|
|
|
type localListener struct {
|
2022-11-11 21:46:26 -05:00
|
|
|
b *LocalBackend
|
|
|
|
|
ap netip.AddrPort
|
|
|
|
|
ctx context.Context // valid while listener is desired
|
|
|
|
|
cancel context.CancelFunc // for ctx, to close listener
|
|
|
|
|
logf logger.Logf
|
|
|
|
|
bo *backoff.Backoff // for retrying failed Listen calls
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
handler func(net.Conn) error // handler for inbound connections
|
2022-11-11 21:46:26 -05:00
|
|
|
closeListener syncs.AtomicValue[func() error] // Listener's Close method, if any
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
func (b *LocalBackend) newServeListener(ctx context.Context, ap netip.AddrPort, logf logger.Logf) *localListener {
|
2022-11-11 21:46:26 -05:00
|
|
|
ctx, cancel := context.WithCancel(ctx)
|
2023-11-08 16:05:33 -08:00
|
|
|
return &localListener{
|
2022-11-11 21:46:26 -05:00
|
|
|
b: b,
|
|
|
|
|
ap: ap,
|
|
|
|
|
ctx: ctx,
|
|
|
|
|
cancel: cancel,
|
|
|
|
|
logf: logf,
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
handler: func(conn net.Conn) error {
|
|
|
|
|
srcAddr := conn.RemoteAddr().(*net.TCPAddr).AddrPort()
|
2024-08-08 10:46:45 -04:00
|
|
|
handler := b.tcpHandlerForServe(ap.Port(), srcAddr, nil)
|
2023-11-08 16:05:33 -08:00
|
|
|
if handler == nil {
|
|
|
|
|
b.logf("[unexpected] local-serve: no handler for %v to port %v", srcAddr, ap.Port())
|
|
|
|
|
conn.Close()
|
2023-11-15 07:24:57 -08:00
|
|
|
return nil
|
2023-11-08 16:05:33 -08:00
|
|
|
}
|
2023-11-15 07:24:57 -08:00
|
|
|
return handler(conn)
|
2023-11-08 16:05:33 -08:00
|
|
|
},
|
2022-11-11 21:46:26 -05:00
|
|
|
bo: backoff.NewBackoff("serve-listener", logf, 30*time.Second),
|
|
|
|
|
}
|
2023-11-08 16:05:33 -08:00
|
|
|
|
2022-11-11 21:46:26 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Close cancels the context and closes the listener, if any.
|
2023-11-08 16:05:33 -08:00
|
|
|
func (s *localListener) Close() error {
|
2022-11-11 21:46:26 -05:00
|
|
|
s.cancel()
|
|
|
|
|
if close, ok := s.closeListener.LoadOk(); ok {
|
|
|
|
|
s.closeListener.Store(nil)
|
|
|
|
|
close()
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
// Run starts a net.Listen for the localListener's address and port.
|
2022-11-11 21:46:26 -05:00
|
|
|
// If unable to listen, it retries with exponential backoff.
|
|
|
|
|
// Listen is retried until the context is canceled.
|
2023-11-08 16:05:33 -08:00
|
|
|
func (s *localListener) Run() {
|
2022-11-11 21:46:26 -05:00
|
|
|
for {
|
2023-01-20 13:40:56 -05:00
|
|
|
ip := s.ap.Addr()
|
|
|
|
|
ipStr := ip.String()
|
|
|
|
|
|
|
|
|
|
var lc net.ListenConfig
|
|
|
|
|
if initListenConfig != nil {
|
|
|
|
|
// On macOS, this sets the lc.Control hook to
|
|
|
|
|
// setsockopt the interface index to bind to. This is
|
|
|
|
|
// required by the network sandbox to allow binding to
|
|
|
|
|
// a specific interface. Without this hook, the system
|
|
|
|
|
// chooses a default interface to bind to.
|
|
|
|
|
if err := initListenConfig(&lc, ip, s.b.prevIfState, s.b.dialer.TUNName()); err != nil {
|
2023-11-08 16:05:33 -08:00
|
|
|
s.logf("localListener failed to init listen config %v, backing off: %v", s.ap, err)
|
2023-01-20 13:40:56 -05:00
|
|
|
s.bo.BackOff(s.ctx, err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
// On macOS (AppStore or macsys) and if we're binding to a privileged port,
|
|
|
|
|
if version.IsSandboxedMacOS() && s.ap.Port() < 1024 {
|
|
|
|
|
// On macOS, we need to bind to ""/all-interfaces due to
|
|
|
|
|
// the network sandbox. Ideally we would only bind to the
|
|
|
|
|
// Tailscale interface, but macOS errors out if we try to
|
|
|
|
|
// to listen on privileged ports binding only to a specific
|
|
|
|
|
// interface. (#6364)
|
|
|
|
|
ipStr = ""
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tcp4or6 := "tcp4"
|
|
|
|
|
if ip.Is6() {
|
|
|
|
|
tcp4or6 = "tcp6"
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-26 11:18:45 -04:00
|
|
|
// while we were backing off and trying again, the context got canceled
|
|
|
|
|
// so don't bind, just return, because otherwise there will be no way
|
|
|
|
|
// to close this listener
|
|
|
|
|
if s.ctx.Err() != nil {
|
|
|
|
|
s.logf("localListener context closed before binding")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-20 13:40:56 -05:00
|
|
|
ln, err := lc.Listen(s.ctx, tcp4or6, net.JoinHostPort(ipStr, fmt.Sprint(s.ap.Port())))
|
2022-11-11 21:46:26 -05:00
|
|
|
if err != nil {
|
2022-11-13 08:47:34 -08:00
|
|
|
if s.shouldWarnAboutListenError(err) {
|
2023-11-08 16:05:33 -08:00
|
|
|
s.logf("localListener failed to listen on %v, backing off: %v", s.ap, err)
|
2022-11-13 08:47:34 -08:00
|
|
|
}
|
2022-11-11 21:46:26 -05:00
|
|
|
s.bo.BackOff(s.ctx, err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
s.closeListener.Store(ln.Close)
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
s.logf("listening on %v", s.ap)
|
|
|
|
|
err = s.handleListenersAccept(ln)
|
2022-11-11 21:46:26 -05:00
|
|
|
if s.ctx.Err() != nil {
|
|
|
|
|
// context canceled, we're done
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
2023-11-08 16:05:33 -08:00
|
|
|
s.logf("localListener accept error, retrying: %v", err)
|
2022-11-11 21:46:26 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
func (s *localListener) shouldWarnAboutListenError(err error) bool {
|
2023-05-03 13:57:17 -07:00
|
|
|
if !s.b.sys.NetMon.Get().InterfaceState().HasIP(s.ap.Addr()) {
|
2022-11-13 08:47:34 -08:00
|
|
|
// Machine likely doesn't have IPv6 enabled (or the IP is still being
|
|
|
|
|
// assigned). No need to warn. Notably, WSL2 (Issue 6303).
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
// TODO(bradfitz): check errors.Is(err, syscall.EADDRNOTAVAIL) etc? Let's
|
|
|
|
|
// see what happens in practice.
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-08 16:05:33 -08:00
|
|
|
// handleListenersAccept accepts connections for the Listener. It calls the
|
2023-10-05 22:20:19 -07:00
|
|
|
// handler in a new goroutine for each accepted connection. This is used to
|
2023-11-08 16:05:33 -08:00
|
|
|
// handle local "tailscale serve" and web client traffic originating from the
|
|
|
|
|
// machine itself.
|
|
|
|
|
func (s *localListener) handleListenersAccept(ln net.Listener) error {
|
2022-11-11 21:46:26 -05:00
|
|
|
for {
|
|
|
|
|
conn, err := ln.Accept()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2023-11-08 16:05:33 -08:00
|
|
|
go s.handler(conn)
|
2022-11-11 21:46:26 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// updateServeTCPPortNetMapAddrListenersLocked starts a net.Listen for configured
|
|
|
|
|
// Serve ports on all the node's addresses.
|
|
|
|
|
// Existing Listeners are closed if port no longer in incoming ports list.
|
|
|
|
|
//
|
|
|
|
|
// b.mu must be held.
|
|
|
|
|
func (b *LocalBackend) updateServeTCPPortNetMapAddrListenersLocked(ports []uint16) {
|
2025-09-13 20:20:08 -07:00
|
|
|
if b.sys.IsNetstack() {
|
|
|
|
|
// don't listen on netmap addresses if we're in userspace mode
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-11-11 21:46:26 -05:00
|
|
|
// close existing listeners where port
|
|
|
|
|
// is no longer in incoming ports list
|
|
|
|
|
for ap, sl := range b.serveListeners {
|
|
|
|
|
if !slices.Contains(ports, ap.Port()) {
|
|
|
|
|
b.logf("closing listener %v", ap)
|
|
|
|
|
sl.Close()
|
|
|
|
|
delete(b.serveListeners, ap)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-24 21:54:48 -05:00
|
|
|
nm := b.NetMap()
|
2022-11-11 21:46:26 -05:00
|
|
|
if nm == nil {
|
|
|
|
|
b.logf("netMap is nil")
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-08-21 10:53:57 -07:00
|
|
|
if !nm.SelfNode.Valid() {
|
2022-11-11 21:46:26 -05:00
|
|
|
b.logf("netMap SelfNode is nil")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-17 12:53:23 -05:00
|
|
|
addrs := nm.GetAddresses()
|
2024-11-11 13:08:47 -08:00
|
|
|
for _, a := range addrs.All() {
|
2022-11-11 21:46:26 -05:00
|
|
|
for _, p := range ports {
|
|
|
|
|
addrPort := netip.AddrPortFrom(a.Addr(), p)
|
|
|
|
|
if _, ok := b.serveListeners[addrPort]; ok {
|
|
|
|
|
continue // already listening
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sl := b.newServeListener(context.Background(), addrPort, b.logf)
|
|
|
|
|
mak.Set(&b.serveListeners, addrPort, sl)
|
|
|
|
|
|
|
|
|
|
go sl.Run()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// SetServeConfig establishes or replaces the current serve config.
|
2023-09-11 19:33:20 -04:00
|
|
|
// ETag is an optional parameter to enforce Optimistic Concurrency Control.
|
|
|
|
|
// If it is an empty string, then the config will be overwritten.
|
2025-11-20 12:40:05 -07:00
|
|
|
//
|
|
|
|
|
// New foreground config cannot override existing listeners--neither existing
|
|
|
|
|
// foreground listeners nor existing background listeners. Background config can
|
|
|
|
|
// change as long as the serve type (e.g. HTTP, TCP, etc.) remains the same.
|
2023-09-11 19:33:20 -04:00
|
|
|
func (b *LocalBackend) SetServeConfig(config *ipn.ServeConfig, etag string) error {
|
2022-11-11 21:46:26 -05:00
|
|
|
b.mu.Lock()
|
|
|
|
|
defer b.mu.Unlock()
|
2023-09-11 19:33:20 -04:00
|
|
|
return b.setServeConfigLocked(config, etag)
|
2023-09-05 14:33:18 -04:00
|
|
|
}
|
2022-11-11 21:46:26 -05:00
|
|
|
|
2023-09-11 19:33:20 -04:00
|
|
|
func (b *LocalBackend) setServeConfigLocked(config *ipn.ServeConfig, etag string) error {
|
2023-04-04 22:20:27 -04:00
|
|
|
prefs := b.pm.CurrentPrefs()
|
|
|
|
|
if config.IsFunnelOn() && prefs.ShieldsUp() {
|
|
|
|
|
return errors.New("Unable to turn on Funnel while shields-up is enabled")
|
|
|
|
|
}
|
2023-10-20 15:37:25 -07:00
|
|
|
if b.isConfigLocked_Locked() {
|
|
|
|
|
return errors.New("can't reconfigure tailscaled when using a config file; config file is locked")
|
|
|
|
|
}
|
2023-04-04 22:20:27 -04:00
|
|
|
|
2025-04-24 21:54:48 -05:00
|
|
|
nm := b.NetMap()
|
2022-11-11 21:46:26 -05:00
|
|
|
if nm == nil {
|
|
|
|
|
return errors.New("netMap is nil")
|
|
|
|
|
}
|
2023-08-21 10:53:57 -07:00
|
|
|
if !nm.SelfNode.Valid() {
|
2022-11-11 21:46:26 -05:00
|
|
|
return errors.New("netMap SelfNode is nil")
|
|
|
|
|
}
|
2023-09-11 19:33:20 -04:00
|
|
|
|
|
|
|
|
// If etag is present, check that it has
|
|
|
|
|
// not changed from the last config.
|
2023-09-18 10:30:58 -04:00
|
|
|
prevConfig := b.serveConfig
|
2023-09-11 19:33:20 -04:00
|
|
|
if etag != "" {
|
|
|
|
|
// Note that we marshal b.serveConfig
|
|
|
|
|
// and not use b.lastServeConfJSON as that might
|
|
|
|
|
// be a Go nil value, which produces a different
|
|
|
|
|
// checksum from a JSON "null" value.
|
2023-09-18 10:30:58 -04:00
|
|
|
prevBytes, err := json.Marshal(prevConfig)
|
2023-09-11 19:33:20 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("error encoding previous config: %w", err)
|
|
|
|
|
}
|
2023-09-18 10:30:58 -04:00
|
|
|
sum := sha256.Sum256(prevBytes)
|
2023-09-11 19:33:20 -04:00
|
|
|
previousEtag := hex.EncodeToString(sum[:])
|
|
|
|
|
if etag != previousEtag {
|
|
|
|
|
return ErrETagMismatch
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-11-11 21:46:26 -05:00
|
|
|
|
2025-11-20 12:40:05 -07:00
|
|
|
if err := validateServeConfigUpdate(prevConfig, config.View()); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-11 21:46:26 -05:00
|
|
|
var bs []byte
|
|
|
|
|
if config != nil {
|
|
|
|
|
j, err := json.Marshal(config)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("encoding serve config: %w", err)
|
|
|
|
|
}
|
|
|
|
|
bs = j
|
|
|
|
|
}
|
2023-09-11 19:33:20 -04:00
|
|
|
|
2025-01-30 11:24:25 -06:00
|
|
|
profileID := b.pm.CurrentProfile().ID()
|
2023-09-11 19:33:20 -04:00
|
|
|
confKey := ipn.ServeConfigKey(profileID)
|
2022-11-11 21:46:26 -05:00
|
|
|
if err := b.store.WriteState(confKey, bs); err != nil {
|
|
|
|
|
return fmt.Errorf("writing ServeConfig to StateStore: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.setTCPPortsInterceptedFromNetmapAndPrefsLocked(b.pm.CurrentPrefs())
|
2023-09-18 10:30:58 -04:00
|
|
|
|
|
|
|
|
// clean up and close all previously open foreground sessions
|
|
|
|
|
// if the current ServeConfig has overwritten them.
|
|
|
|
|
if prevConfig.Valid() {
|
|
|
|
|
has := func(string) bool { return false }
|
|
|
|
|
if b.serveConfig.Valid() {
|
2024-06-15 21:42:34 -07:00
|
|
|
has = b.serveConfig.Foreground().Contains
|
2023-09-18 10:30:58 -04:00
|
|
|
}
|
2025-01-04 10:14:23 -08:00
|
|
|
for k := range prevConfig.Foreground().All() {
|
2023-09-18 10:30:58 -04:00
|
|
|
if !has(k) {
|
|
|
|
|
for _, sess := range b.notifyWatchers {
|
|
|
|
|
if sess.sessionID == k {
|
2024-08-27 23:11:00 -05:00
|
|
|
sess.cancel()
|
2023-09-18 10:30:58 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-01-04 10:14:23 -08:00
|
|
|
}
|
2023-09-18 10:30:58 -04:00
|
|
|
}
|
|
|
|
|
|
2022-11-11 21:46:26 -05:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ServeConfig provides a view of the current serve mappings.
|
|
|
|
|
// If serving is not configured, the returned view is not Valid.
|
|
|
|
|
func (b *LocalBackend) ServeConfig() ipn.ServeConfigView {
|
|
|
|
|
b.mu.Lock()
|
|
|
|
|
defer b.mu.Unlock()
|
|
|
|
|
return b.serveConfig
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-05 14:33:18 -04:00
|
|
|
// DeleteForegroundSession deletes a ServeConfig's foreground session
|
|
|
|
|
// in the LocalBackend if it exists. It also ensures check, delete, and
|
|
|
|
|
// set operations happen within the same mutex lock to avoid any races.
|
|
|
|
|
func (b *LocalBackend) DeleteForegroundSession(sessionID string) error {
|
|
|
|
|
b.mu.Lock()
|
|
|
|
|
defer b.mu.Unlock()
|
2024-06-15 21:42:34 -07:00
|
|
|
if !b.serveConfig.Valid() || !b.serveConfig.Foreground().Contains(sessionID) {
|
2023-09-05 14:33:18 -04:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
sc := b.serveConfig.AsStruct()
|
|
|
|
|
delete(sc.Foreground, sessionID)
|
2023-09-11 19:33:20 -04:00
|
|
|
return b.setServeConfigLocked(sc, "")
|
2023-09-05 14:33:18 -04:00
|
|
|
}
|
|
|
|
|
|
2023-10-05 22:20:19 -07:00
|
|
|
// HandleIngressTCPConn handles a TCP connection initiated by the ingressPeer
|
|
|
|
|
// proxied to the local node over the PeerAPI.
|
|
|
|
|
// Target represents the destination HostPort of the conn.
|
|
|
|
|
// srcAddr represents the source AddrPort and not that of the ingressPeer.
|
|
|
|
|
// getConnOrReset is a callback to get the connection, or reset if the connection
|
|
|
|
|
// is no longer available.
|
|
|
|
|
// sendRST is a callback to send a TCP RST to the ingressPeer indicating that
|
|
|
|
|
// the connection was not accepted.
|
2023-08-18 07:57:44 -07:00
|
|
|
func (b *LocalBackend) HandleIngressTCPConn(ingressPeer tailcfg.NodeView, target ipn.HostPort, srcAddr netip.AddrPort, getConnOrReset func() (net.Conn, bool), sendRST func()) {
|
2022-11-07 10:46:42 -05:00
|
|
|
b.mu.Lock()
|
|
|
|
|
sc := b.serveConfig
|
|
|
|
|
b.mu.Unlock()
|
|
|
|
|
|
2023-10-05 22:20:19 -07:00
|
|
|
// TODO(maisem,bradfitz): make this not alloc for every conn.
|
|
|
|
|
logf := logger.WithPrefix(b.logf, "handleIngress: ")
|
|
|
|
|
|
2022-11-07 10:46:42 -05:00
|
|
|
if !sc.Valid() {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("got ingress conn w/o serveConfig; rejecting")
|
2022-11-07 10:46:42 -05:00
|
|
|
sendRST()
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-05 13:51:52 -04:00
|
|
|
if !sc.HasFunnelForTarget(target) {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("got ingress conn for unconfigured %q; rejecting", target)
|
2022-11-07 10:46:42 -05:00
|
|
|
sendRST()
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 10:46:45 -04:00
|
|
|
host, port, err := net.SplitHostPort(string(target))
|
2022-11-07 10:46:42 -05:00
|
|
|
if err != nil {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("got ingress conn for bad target %q; rejecting", target)
|
2022-11-07 10:46:42 -05:00
|
|
|
sendRST()
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
port16, err := strconv.ParseUint(port, 10, 16)
|
|
|
|
|
if err != nil {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("got ingress conn for bad target %q; rejecting", target)
|
2022-11-07 10:46:42 -05:00
|
|
|
sendRST()
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-03-08 12:36:41 -08:00
|
|
|
dport := uint16(port16)
|
|
|
|
|
if b.getTCPHandlerForFunnelFlow != nil {
|
|
|
|
|
handler := b.getTCPHandlerForFunnelFlow(srcAddr, dport)
|
|
|
|
|
if handler != nil {
|
2023-06-08 16:57:40 -07:00
|
|
|
c, ok := getConnOrReset()
|
2023-03-08 12:36:41 -08:00
|
|
|
if !ok {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("getConn didn't complete from %v to port %v", srcAddr, dport)
|
2023-03-08 12:36:41 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
handler(c)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-08-08 10:46:45 -04:00
|
|
|
handler := b.tcpHandlerForServe(dport, srcAddr, &funnelFlow{
|
|
|
|
|
Host: host,
|
|
|
|
|
IngressPeer: ingressPeer,
|
|
|
|
|
})
|
2023-06-08 16:57:40 -07:00
|
|
|
if handler == nil {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("[unexpected] no matching ingress serve handler for %v to port %v", srcAddr, dport)
|
2023-06-08 16:57:40 -07:00
|
|
|
sendRST()
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
c, ok := getConnOrReset()
|
|
|
|
|
if !ok {
|
2023-10-05 22:20:19 -07:00
|
|
|
logf("getConn didn't complete from %v to port %v", srcAddr, dport)
|
2023-06-08 16:57:40 -07:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
handler(c)
|
2022-11-07 10:46:42 -05:00
|
|
|
}
|
|
|
|
|
|
2025-09-13 20:20:08 -07:00
|
|
|
func (b *LocalBackend) vipServicesFromPrefsLocked(prefs ipn.PrefsView) []*tailcfg.VIPService {
|
|
|
|
|
// keyed by service name
|
|
|
|
|
var services map[tailcfg.ServiceName]*tailcfg.VIPService
|
|
|
|
|
if b.serveConfig.Valid() {
|
|
|
|
|
for svc, config := range b.serveConfig.Services().All() {
|
|
|
|
|
mak.Set(&services, svc, &tailcfg.VIPService{
|
|
|
|
|
Name: svc,
|
|
|
|
|
Ports: config.ServicePortRange(),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, s := range prefs.AdvertiseServices().All() {
|
|
|
|
|
sn := tailcfg.ServiceName(s)
|
|
|
|
|
if services == nil || services[sn] == nil {
|
|
|
|
|
mak.Set(&services, sn, &tailcfg.VIPService{
|
|
|
|
|
Name: sn,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
services[sn].Active = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
servicesList := slicesx.MapValues(services)
|
|
|
|
|
// [slicesx.MapValues] provides the values in an indeterminate order, but since we'll
|
|
|
|
|
// be hashing a representation of this list later we want it to be in a consistent
|
|
|
|
|
// order.
|
|
|
|
|
slices.SortFunc(servicesList, func(a, b *tailcfg.VIPService) int {
|
|
|
|
|
return strings.Compare(a.Name.String(), b.Name.String())
|
|
|
|
|
})
|
|
|
|
|
return servicesList
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-20 12:02:53 -05:00
|
|
|
// tcpHandlerForVIPService returns a handler for a TCP connection to a VIP service
|
|
|
|
|
// that is being served via the ipn.ServeConfig. It returns nil if the destination
|
|
|
|
|
// address is not a VIP service or if the VIP service does not have a TCP handler set.
|
|
|
|
|
func (b *LocalBackend) tcpHandlerForVIPService(dstAddr, srcAddr netip.AddrPort) (handler func(net.Conn) error) {
|
|
|
|
|
b.mu.Lock()
|
|
|
|
|
sc := b.serveConfig
|
|
|
|
|
ipVIPServiceMap := b.ipVIPServiceMap
|
|
|
|
|
b.mu.Unlock()
|
|
|
|
|
|
|
|
|
|
if !sc.Valid() {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dport := dstAddr.Port()
|
|
|
|
|
|
|
|
|
|
dstSvc, ok := ipVIPServiceMap[dstAddr.Addr()]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tcph, ok := sc.FindServiceTCP(dstSvc, dstAddr.Port())
|
|
|
|
|
if !ok {
|
|
|
|
|
b.logf("The destination service doesn't have a TCP handler set.")
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if tcph.HTTPS() || tcph.HTTP() {
|
|
|
|
|
hs := &http.Server{
|
|
|
|
|
Handler: http.HandlerFunc(b.serveWebHandler),
|
|
|
|
|
BaseContext: func(_ net.Listener) context.Context {
|
|
|
|
|
return serveHTTPContextKey.WithValue(context.Background(), &serveHTTPContext{
|
|
|
|
|
SrcAddr: srcAddr,
|
2025-01-22 09:24:49 -05:00
|
|
|
ForVIPService: dstSvc,
|
2025-01-20 12:02:53 -05:00
|
|
|
DestPort: dport,
|
|
|
|
|
})
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
if tcph.HTTPS() {
|
|
|
|
|
// TODO(kevinliang10): just leaving this TLS cert creation as if we don't have other
|
|
|
|
|
// hostnames, but for services this getTLSServeCetForPort will need a version that also take
|
|
|
|
|
// in the hostname. How to store the TLS cert is still being discussed.
|
|
|
|
|
hs.TLSConfig = &tls.Config{
|
2025-01-22 09:24:49 -05:00
|
|
|
GetCertificate: b.getTLSServeCertForPort(dport, dstSvc),
|
2025-01-20 12:02:53 -05:00
|
|
|
}
|
|
|
|
|
return func(c net.Conn) error {
|
|
|
|
|
return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return func(c net.Conn) error {
|
|
|
|
|
return hs.Serve(netutil.NewOneConnListener(c, nil))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if backDst := tcph.TCPForward(); backDst != "" {
|
|
|
|
|
return func(conn net.Conn) error {
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
|
backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
|
|
|
|
|
cancel()
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.logf("localbackend: failed to TCP proxy port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
defer backConn.Close()
|
|
|
|
|
if sni := tcph.TerminateTLS(); sni != "" {
|
|
|
|
|
conn = tls.Server(conn, &tls.Config{
|
|
|
|
|
GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
|
|
|
defer cancel()
|
|
|
|
|
pair, err := b.GetCertPEM(ctx, sni)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return &cert, nil
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
errc := make(chan error, 1)
|
|
|
|
|
go func() {
|
|
|
|
|
_, err := io.Copy(backConn, conn)
|
|
|
|
|
errc <- err
|
|
|
|
|
}()
|
|
|
|
|
go func() {
|
|
|
|
|
_, err := io.Copy(conn, backConn)
|
|
|
|
|
errc <- err
|
|
|
|
|
}()
|
|
|
|
|
return <-errc
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-08 16:57:40 -07:00
|
|
|
// tcpHandlerForServe returns a handler for a TCP connection to be served via
|
2024-08-08 10:46:45 -04:00
|
|
|
// the ipn.ServeConfig. The funnelFlow can be nil if this is not a funneled
|
|
|
|
|
// connection.
|
|
|
|
|
func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort, f *funnelFlow) (handler func(net.Conn) error) {
|
2022-11-09 15:38:09 -08:00
|
|
|
b.mu.Lock()
|
|
|
|
|
sc := b.serveConfig
|
|
|
|
|
b.mu.Unlock()
|
2022-11-09 06:55:17 -08:00
|
|
|
|
2022-11-09 15:38:09 -08:00
|
|
|
if !sc.Valid() {
|
2023-06-08 16:57:40 -07:00
|
|
|
return nil
|
2022-11-09 15:38:09 -08:00
|
|
|
}
|
|
|
|
|
|
2023-09-05 13:51:52 -04:00
|
|
|
tcph, ok := sc.FindTCP(dport)
|
2022-11-09 15:38:09 -08:00
|
|
|
if !ok {
|
2023-06-08 16:57:40 -07:00
|
|
|
return nil
|
2022-11-09 15:38:09 -08:00
|
|
|
}
|
|
|
|
|
|
2023-06-21 12:32:20 -04:00
|
|
|
if tcph.HTTPS() || tcph.HTTP() {
|
2022-11-09 21:05:52 -08:00
|
|
|
hs := &http.Server{
|
|
|
|
|
Handler: http.HandlerFunc(b.serveWebHandler),
|
2022-11-09 21:04:05 -08:00
|
|
|
BaseContext: func(_ net.Listener) context.Context {
|
2024-01-16 13:56:23 -08:00
|
|
|
return serveHTTPContextKey.WithValue(context.Background(), &serveHTTPContext{
|
2024-08-08 10:46:45 -04:00
|
|
|
Funnel: f,
|
2022-11-09 21:04:05 -08:00
|
|
|
SrcAddr: srcAddr,
|
|
|
|
|
DestPort: dport,
|
|
|
|
|
})
|
|
|
|
|
},
|
2022-11-09 21:05:52 -08:00
|
|
|
}
|
2023-06-21 12:32:20 -04:00
|
|
|
if tcph.HTTPS() {
|
|
|
|
|
hs.TLSConfig = &tls.Config{
|
2025-01-22 09:24:49 -05:00
|
|
|
GetCertificate: b.getTLSServeCertForPort(dport, ""),
|
2023-06-21 12:32:20 -04:00
|
|
|
}
|
|
|
|
|
return func(c net.Conn) error {
|
|
|
|
|
return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-08 16:57:40 -07:00
|
|
|
return func(c net.Conn) error {
|
2023-06-21 12:32:20 -04:00
|
|
|
return hs.Serve(netutil.NewOneConnListener(c, nil))
|
2023-06-08 16:57:40 -07:00
|
|
|
}
|
2022-11-09 21:05:52 -08:00
|
|
|
}
|
|
|
|
|
|
2022-11-09 15:38:09 -08:00
|
|
|
if backDst := tcph.TCPForward(); backDst != "" {
|
2023-06-08 16:57:40 -07:00
|
|
|
return func(conn net.Conn) error {
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
|
backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
|
|
|
|
|
cancel()
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.logf("localbackend: failed to TCP proxy port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
defer backConn.Close()
|
|
|
|
|
if sni := tcph.TerminateTLS(); sni != "" {
|
|
|
|
|
conn = tls.Server(conn, &tls.Config{
|
|
|
|
|
GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
|
|
|
defer cancel()
|
2023-10-12 15:52:41 -07:00
|
|
|
pair, err := b.GetCertPEM(ctx, sni)
|
2023-06-08 16:57:40 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return &cert, nil
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-11-10 21:24:22 -08:00
|
|
|
|
2025-10-20 11:40:30 -04:00
|
|
|
var proxyHeader []byte
|
|
|
|
|
if ver := tcph.ProxyProtocol(); ver > 0 {
|
|
|
|
|
// backAddr is the final "destination" of the connection,
|
|
|
|
|
// which is the connection to the proxied-to backend.
|
|
|
|
|
backAddr := backConn.RemoteAddr().(*net.TCPAddr)
|
|
|
|
|
|
|
|
|
|
// We always want to format the PROXY protocol
|
|
|
|
|
// header based on the IPv4 or IPv6-ness of
|
|
|
|
|
// the client. The SourceAddr and
|
|
|
|
|
// DestinationAddr need to match in type, so we
|
|
|
|
|
// need to be careful to not e.g. set a
|
|
|
|
|
// SourceAddr of type IPv6 and DestinationAddr
|
|
|
|
|
// of type IPv4.
|
|
|
|
|
//
|
|
|
|
|
// If this is an IPv6-mapped IPv4 address,
|
|
|
|
|
// though, unmap it.
|
|
|
|
|
proxySrcAddr := srcAddr
|
|
|
|
|
if proxySrcAddr.Addr().Is4In6() {
|
|
|
|
|
proxySrcAddr = netip.AddrPortFrom(
|
|
|
|
|
proxySrcAddr.Addr().Unmap(),
|
|
|
|
|
proxySrcAddr.Port(),
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
is4 := proxySrcAddr.Addr().Is4()
|
|
|
|
|
|
|
|
|
|
var destAddr netip.Addr
|
|
|
|
|
if self := b.currentNode().Self(); self.Valid() {
|
|
|
|
|
if is4 {
|
|
|
|
|
destAddr = nodeIP(self, netip.Addr.Is4)
|
|
|
|
|
} else {
|
|
|
|
|
destAddr = nodeIP(self, netip.Addr.Is6)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !destAddr.IsValid() {
|
|
|
|
|
// Pick a best-effort destination address of localhost.
|
|
|
|
|
if is4 {
|
|
|
|
|
destAddr = netip.AddrFrom4([4]byte{127, 0, 0, 1})
|
|
|
|
|
} else {
|
|
|
|
|
destAddr = netip.IPv6Loopback()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
header := &proxyproto.Header{
|
|
|
|
|
Version: byte(ver),
|
|
|
|
|
Command: proxyproto.PROXY,
|
|
|
|
|
SourceAddr: net.TCPAddrFromAddrPort(proxySrcAddr),
|
|
|
|
|
DestinationAddr: &net.TCPAddr{
|
|
|
|
|
IP: destAddr.AsSlice(),
|
|
|
|
|
Port: backAddr.Port,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
if is4 {
|
|
|
|
|
header.TransportProtocol = proxyproto.TCPv4
|
|
|
|
|
} else {
|
|
|
|
|
header.TransportProtocol = proxyproto.TCPv6
|
|
|
|
|
}
|
|
|
|
|
var err error
|
|
|
|
|
proxyHeader, err = header.Format()
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.logf("localbackend: failed to format proxy protocol header for port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-08 16:57:40 -07:00
|
|
|
// TODO(bradfitz): do the RegisterIPPortIdentity and
|
|
|
|
|
// UnregisterIPPortIdentity stuff that netstack does
|
|
|
|
|
errc := make(chan error, 1)
|
|
|
|
|
go func() {
|
2025-10-20 11:40:30 -04:00
|
|
|
if len(proxyHeader) > 0 {
|
|
|
|
|
if _, err := backConn.Write(proxyHeader); err != nil {
|
|
|
|
|
errc <- err
|
|
|
|
|
backConn.Close() // to ensure that the other side gets EOF
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-06-08 16:57:40 -07:00
|
|
|
_, err := io.Copy(backConn, conn)
|
|
|
|
|
errc <- err
|
|
|
|
|
}()
|
|
|
|
|
go func() {
|
|
|
|
|
_, err := io.Copy(conn, backConn)
|
|
|
|
|
errc <- err
|
|
|
|
|
}()
|
|
|
|
|
return <-errc
|
|
|
|
|
}
|
2022-11-09 15:38:09 -08:00
|
|
|
}
|
|
|
|
|
|
2023-06-08 16:57:40 -07:00
|
|
|
return nil
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
|
|
|
|
|
2022-11-10 14:16:37 -08:00
|
|
|
func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
|
2022-11-09 13:15:59 -08:00
|
|
|
var z ipn.HTTPHandlerView // zero value
|
|
|
|
|
|
2023-06-21 12:32:20 -04:00
|
|
|
hostname := r.Host
|
2022-11-09 06:55:17 -08:00
|
|
|
if r.TLS == nil {
|
2025-04-18 16:52:55 -05:00
|
|
|
tcd := "." + b.CurrentProfile().NetworkProfile().MagicDNSName
|
2023-07-17 16:50:58 -07:00
|
|
|
if host, _, err := net.SplitHostPort(hostname); err == nil {
|
|
|
|
|
hostname = host
|
|
|
|
|
}
|
2023-06-21 12:32:20 -04:00
|
|
|
if !strings.HasSuffix(hostname, tcd) {
|
|
|
|
|
hostname += tcd
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
hostname = r.TLS.ServerName
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
|
|
|
|
|
2024-01-16 13:56:23 -08:00
|
|
|
sctx, ok := serveHTTPContextKey.ValueOk(r.Context())
|
2022-11-09 21:04:05 -08:00
|
|
|
if !ok {
|
|
|
|
|
b.logf("[unexpected] localbackend: no serveHTTPContext in request")
|
2022-11-10 14:16:37 -08:00
|
|
|
return z, "", false
|
2022-11-09 21:04:05 -08:00
|
|
|
}
|
2025-01-20 12:02:53 -05:00
|
|
|
wsc, ok := b.webServerConfig(hostname, sctx.ForVIPService, sctx.DestPort)
|
2022-11-09 06:55:17 -08:00
|
|
|
if !ok {
|
2022-11-10 14:16:37 -08:00
|
|
|
return z, "", false
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
2022-11-09 21:16:20 -08:00
|
|
|
|
2022-11-10 14:16:37 -08:00
|
|
|
if h, ok := wsc.Handlers().GetOk(r.URL.Path); ok {
|
|
|
|
|
return h, r.URL.Path, true
|
|
|
|
|
}
|
2023-04-19 21:54:19 -04:00
|
|
|
pth := path.Clean(r.URL.Path)
|
2022-11-09 06:55:17 -08:00
|
|
|
for {
|
2023-04-19 21:54:19 -04:00
|
|
|
withSlash := pth + "/"
|
2022-11-10 14:16:37 -08:00
|
|
|
if h, ok := wsc.Handlers().GetOk(withSlash); ok {
|
|
|
|
|
return h, withSlash, true
|
|
|
|
|
}
|
2023-04-19 21:54:19 -04:00
|
|
|
if h, ok := wsc.Handlers().GetOk(pth); ok {
|
|
|
|
|
return h, pth, true
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
2023-04-19 21:54:19 -04:00
|
|
|
if pth == "/" {
|
2022-11-10 14:16:37 -08:00
|
|
|
return z, "", false
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
2023-04-19 21:54:19 -04:00
|
|
|
pth = path.Dir(pth)
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-21 18:36:58 +00:00
|
|
|
// proxyHandlerForBackend creates a new HTTP reverse proxy for a particular backend that
|
|
|
|
|
// we serve requests for. `backend` is a HTTPHandler.Proxy string (url, hostport or just port).
|
2023-10-19 07:12:31 +01:00
|
|
|
func (b *LocalBackend) proxyHandlerForBackend(backend string) (http.Handler, error) {
|
2022-12-21 18:36:58 +00:00
|
|
|
targetURL, insecure := expandProxyArg(backend)
|
|
|
|
|
u, err := url.Parse(targetURL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("invalid url %s: %w", targetURL, err)
|
|
|
|
|
}
|
2023-10-19 07:12:31 +01:00
|
|
|
p := &reverseProxy{
|
|
|
|
|
logf: b.logf,
|
|
|
|
|
url: u,
|
|
|
|
|
insecure: insecure,
|
|
|
|
|
backend: backend,
|
|
|
|
|
lb: b,
|
|
|
|
|
}
|
|
|
|
|
return p, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// reverseProxy is a proxy that forwards a request to a backend host
|
|
|
|
|
// (preconfigured via ipn.ServeConfig). If the host is configured with
|
|
|
|
|
// http+insecure prefix, connection between proxy and backend will be over
|
|
|
|
|
// insecure TLS. If the backend host has a http prefix and the incoming request
|
|
|
|
|
// has application/grpc content type header, the connection will be over h2c.
|
|
|
|
|
// Otherwise standard Go http transport will be used.
|
|
|
|
|
type reverseProxy struct {
|
2023-10-20 12:04:00 +01:00
|
|
|
logf logger.Logf
|
|
|
|
|
url *url.URL
|
|
|
|
|
// insecure tracks whether the connection to an https backend should be
|
|
|
|
|
// insecure (i.e because we cannot verify its CA).
|
|
|
|
|
insecure bool
|
|
|
|
|
backend string
|
|
|
|
|
lb *LocalBackend
|
2025-09-29 17:57:04 -07:00
|
|
|
httpTransport lazy.SyncValue[*http.Transport] // transport for non-h2c backends
|
|
|
|
|
h2cTransport lazy.SyncValue[*http.Transport] // transport for h2c backends
|
2023-10-20 12:04:00 +01:00
|
|
|
// closed tracks whether proxy is closed/currently closing.
|
|
|
|
|
closed atomic.Bool
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// close ensures that any open backend connections get closed.
|
|
|
|
|
func (rp *reverseProxy) close() {
|
|
|
|
|
rp.closed.Store(true)
|
2025-09-29 17:57:04 -07:00
|
|
|
if h2cT := rp.h2cTransport.Get(func() *http.Transport { return nil }); h2cT != nil {
|
2023-10-20 12:04:00 +01:00
|
|
|
h2cT.CloseIdleConnections()
|
|
|
|
|
}
|
|
|
|
|
if httpTransport := rp.httpTransport.Get(func() *http.Transport {
|
|
|
|
|
return nil
|
|
|
|
|
}); httpTransport != nil {
|
|
|
|
|
httpTransport.CloseIdleConnections()
|
|
|
|
|
}
|
2023-10-19 07:12:31 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (rp *reverseProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
2023-10-20 12:04:00 +01:00
|
|
|
if closed := rp.closed.Load(); closed {
|
|
|
|
|
rp.logf("received a request for a proxy that's being closed or has been closed")
|
|
|
|
|
http.Error(w, "proxy is closed", http.StatusServiceUnavailable)
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-10-19 07:12:31 +01:00
|
|
|
p := &httputil.ReverseProxy{Rewrite: func(r *httputil.ProxyRequest) {
|
2024-01-23 18:12:56 +00:00
|
|
|
oldOutPath := r.Out.URL.Path
|
2023-10-19 07:12:31 +01:00
|
|
|
r.SetURL(rp.url)
|
2024-01-23 18:12:56 +00:00
|
|
|
|
|
|
|
|
// If mount point matches the request path exactly, the outbound
|
|
|
|
|
// request URL was set to empty string in serveWebHandler which
|
|
|
|
|
// would have resulted in the outbound path set to <proxy path>
|
|
|
|
|
// + '/' in SetURL. In that case, if the proxy path was set, we
|
|
|
|
|
// want to send the request to the <proxy path> (without the
|
|
|
|
|
// '/') .
|
|
|
|
|
if oldOutPath == "" && rp.url.Path != "" {
|
|
|
|
|
r.Out.URL.Path = rp.url.Path
|
|
|
|
|
r.Out.URL.RawPath = rp.url.RawPath
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-19 07:12:31 +01:00
|
|
|
r.Out.Host = r.In.Host
|
|
|
|
|
addProxyForwardedHeaders(r)
|
|
|
|
|
rp.lb.addTailscaleIdentityHeaders(r)
|
2025-10-22 09:41:19 +01:00
|
|
|
if err := rp.lb.addAppCapabilitiesHeader(r); err != nil {
|
|
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}} // There is no way to autodetect h2c as per RFC 9113
|
2023-10-19 07:12:31 +01:00
|
|
|
// https://datatracker.ietf.org/doc/html/rfc9113#name-starting-http-2.
|
|
|
|
|
// However, we assume that http:// proxy prefix in combination with the
|
|
|
|
|
// protoccol being HTTP/2 is sufficient to detect h2c for our needs. Only use this for
|
2023-10-20 12:04:00 +01:00
|
|
|
// gRPC to fix a known problem of plaintext gRPC backends
|
2023-10-19 07:12:31 +01:00
|
|
|
if rp.shouldProxyViaH2C(r) {
|
|
|
|
|
rp.logf("received a proxy request for plaintext gRPC")
|
2023-10-19 18:38:37 +01:00
|
|
|
p.Transport = rp.getH2CTransport()
|
2023-10-19 07:12:31 +01:00
|
|
|
} else {
|
2023-10-19 18:38:37 +01:00
|
|
|
p.Transport = rp.getTransport()
|
|
|
|
|
}
|
|
|
|
|
p.ServeHTTP(w, r)
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-20 12:04:00 +01:00
|
|
|
// getTransport returns the Transport used for regular (non-GRPC) requests
|
|
|
|
|
// to the backend. The Transport gets created lazily, at most once.
|
|
|
|
|
func (rp *reverseProxy) getTransport() *http.Transport {
|
|
|
|
|
return rp.httpTransport.Get(func() *http.Transport {
|
2023-10-19 18:38:37 +01:00
|
|
|
return &http.Transport{
|
2023-10-19 07:12:31 +01:00
|
|
|
DialContext: rp.lb.dialer.SystemDial,
|
2023-03-27 10:12:04 -04:00
|
|
|
TLSClientConfig: &tls.Config{
|
2023-10-19 07:12:31 +01:00
|
|
|
InsecureSkipVerify: rp.insecure,
|
2023-03-27 10:12:04 -04:00
|
|
|
},
|
|
|
|
|
// Values for the following parameters have been copied from http.DefaultTransport.
|
|
|
|
|
ForceAttemptHTTP2: true,
|
|
|
|
|
MaxIdleConns: 100,
|
|
|
|
|
IdleConnTimeout: 90 * time.Second,
|
|
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
|
ExpectContinueTimeout: 1 * time.Second,
|
2023-10-19 07:12:31 +01:00
|
|
|
}
|
2023-10-19 18:38:37 +01:00
|
|
|
})
|
|
|
|
|
}
|
2023-10-19 07:12:31 +01:00
|
|
|
|
2023-10-20 12:04:00 +01:00
|
|
|
// getH2CTransport returns the Transport used for GRPC requests to the backend.
|
|
|
|
|
// The Transport gets created lazily, at most once.
|
2025-09-29 17:57:04 -07:00
|
|
|
func (rp *reverseProxy) getH2CTransport() http.RoundTripper {
|
|
|
|
|
return rp.h2cTransport.Get(func() *http.Transport {
|
|
|
|
|
var p http.Protocols
|
|
|
|
|
p.SetUnencryptedHTTP2(true)
|
|
|
|
|
tr := &http.Transport{
|
|
|
|
|
Protocols: &p,
|
|
|
|
|
DialTLSContext: func(ctx context.Context, network string, addr string) (net.Conn, error) {
|
2023-10-19 18:38:37 +01:00
|
|
|
return rp.lb.dialer.SystemDial(ctx, "tcp", rp.url.Host)
|
|
|
|
|
},
|
|
|
|
|
}
|
2025-09-29 17:57:04 -07:00
|
|
|
return tr
|
2023-10-19 18:38:37 +01:00
|
|
|
})
|
2023-10-19 07:12:31 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This is not a generally reliable way how to determine whether a request is
|
|
|
|
|
// for a h2c server, but sufficient for our particular use case.
|
|
|
|
|
func (rp *reverseProxy) shouldProxyViaH2C(r *http.Request) bool {
|
|
|
|
|
contentType := r.Header.Get(contentTypeHeader)
|
|
|
|
|
return r.ProtoMajor == 2 && strings.HasPrefix(rp.backend, "http://") && isGRPCContentType(contentType)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGRPC accepts an HTTP request's content type header value and determines
|
|
|
|
|
// whether this is gRPC content. grpc-go considers a value that equals
|
|
|
|
|
// application/grpc or has a prefix of application/grpc+ or application/grpc; a
|
|
|
|
|
// valid grpc content type header.
|
|
|
|
|
// https://github.com/grpc/grpc-go/blob/v1.60.0-dev/internal/grpcutil/method.go#L41-L78
|
|
|
|
|
func isGRPCContentType(contentType string) bool {
|
|
|
|
|
s, ok := strings.CutPrefix(contentType, grpcBaseContentType)
|
2023-10-19 18:38:37 +01:00
|
|
|
return ok && (len(s) == 0 || s[0] == '+' || s[0] == ';')
|
2022-12-21 18:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2023-06-14 12:36:15 -04:00
|
|
|
func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
|
|
|
|
|
r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
|
2023-06-21 12:32:20 -04:00
|
|
|
if r.In.TLS != nil {
|
|
|
|
|
r.Out.Header.Set("X-Forwarded-Proto", "https")
|
|
|
|
|
}
|
2024-01-16 13:56:23 -08:00
|
|
|
if c, ok := serveHTTPContextKey.ValueOk(r.Out.Context()); ok {
|
2023-06-14 12:36:15 -04:00
|
|
|
r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
|
|
|
|
|
// Clear any incoming values squatting in the headers.
|
|
|
|
|
r.Out.Header.Del("Tailscale-User-Login")
|
|
|
|
|
r.Out.Header.Del("Tailscale-User-Name")
|
2023-08-07 12:07:16 -04:00
|
|
|
r.Out.Header.Del("Tailscale-User-Profile-Pic")
|
2024-08-08 10:46:45 -04:00
|
|
|
r.Out.Header.Del("Tailscale-Funnel-Request")
|
2023-06-14 14:33:35 -04:00
|
|
|
r.Out.Header.Del("Tailscale-Headers-Info")
|
2023-06-14 12:36:15 -04:00
|
|
|
|
2024-01-16 13:56:23 -08:00
|
|
|
c, ok := serveHTTPContextKey.ValueOk(r.Out.Context())
|
2023-06-14 12:36:15 -04:00
|
|
|
if !ok {
|
|
|
|
|
return
|
|
|
|
|
}
|
2024-08-08 10:46:45 -04:00
|
|
|
if c.Funnel != nil {
|
|
|
|
|
r.Out.Header.Set("Tailscale-Funnel-Request", "?1")
|
|
|
|
|
return
|
|
|
|
|
}
|
2024-06-06 14:48:40 -04:00
|
|
|
node, user, ok := b.WhoIs("tcp", c.SrcAddr)
|
2023-06-14 12:36:15 -04:00
|
|
|
if !ok {
|
2024-08-08 10:46:45 -04:00
|
|
|
return // traffic from outside of Tailnet (funneled or local machine)
|
2023-06-14 12:36:15 -04:00
|
|
|
}
|
|
|
|
|
if node.IsTagged() {
|
|
|
|
|
// 2023-06-14: Not setting identity headers for tagged nodes.
|
|
|
|
|
// Only currently set for nodes with user identities.
|
|
|
|
|
return
|
|
|
|
|
}
|
2024-04-03 08:48:58 -07:00
|
|
|
r.Out.Header.Set("Tailscale-User-Login", encTailscaleHeaderValue(user.LoginName))
|
|
|
|
|
r.Out.Header.Set("Tailscale-User-Name", encTailscaleHeaderValue(user.DisplayName))
|
2023-08-07 12:07:16 -04:00
|
|
|
r.Out.Header.Set("Tailscale-User-Profile-Pic", user.ProfilePicURL)
|
2023-06-14 14:33:35 -04:00
|
|
|
r.Out.Header.Set("Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers")
|
2023-06-14 12:36:15 -04:00
|
|
|
}
|
|
|
|
|
|
2024-04-03 08:48:58 -07:00
|
|
|
// encTailscaleHeaderValue cleans or encodes as necessary v, to be suitable in
|
|
|
|
|
// an HTTP header value. See
|
|
|
|
|
// https://github.com/tailscale/tailscale/issues/11603.
|
|
|
|
|
//
|
|
|
|
|
// If v is not a valid UTF-8 string, it returns an empty string.
|
|
|
|
|
// If v is a valid ASCII string, it returns v unmodified.
|
|
|
|
|
// If v is a valid UTF-8 string with non-ASCII characters, it returns a
|
|
|
|
|
// RFC 2047 Q-encoded string.
|
|
|
|
|
func encTailscaleHeaderValue(v string) string {
|
|
|
|
|
if !utf8.ValidString(v) {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
return mime.QEncoding.Encode("utf-8", v)
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-22 09:41:19 +01:00
|
|
|
func (b *LocalBackend) addAppCapabilitiesHeader(r *httputil.ProxyRequest) error {
|
|
|
|
|
const appCapabilitiesHeaderName = "Tailscale-App-Capabilities"
|
|
|
|
|
r.Out.Header.Del(appCapabilitiesHeaderName)
|
2025-10-03 17:52:41 +01:00
|
|
|
|
|
|
|
|
c, ok := serveHTTPContextKey.ValueOk(r.Out.Context())
|
|
|
|
|
if !ok || c.Funnel != nil {
|
2025-10-22 09:41:19 +01:00
|
|
|
return nil
|
2025-10-03 17:52:41 +01:00
|
|
|
}
|
2025-10-22 09:41:19 +01:00
|
|
|
acceptCaps := c.AppCapabilities
|
|
|
|
|
if acceptCaps.IsNil() {
|
|
|
|
|
return nil
|
2025-10-03 17:52:41 +01:00
|
|
|
}
|
|
|
|
|
peerCaps := b.PeerCaps(c.SrcAddr.Addr())
|
|
|
|
|
if peerCaps == nil {
|
2025-10-22 09:41:19 +01:00
|
|
|
return nil
|
2025-10-03 17:52:41 +01:00
|
|
|
}
|
|
|
|
|
|
2025-10-22 09:41:19 +01:00
|
|
|
peerCapsFiltered := make(map[tailcfg.PeerCapability][]tailcfg.RawMessage, acceptCaps.Len())
|
|
|
|
|
for _, cap := range acceptCaps.AsSlice() {
|
2025-10-03 17:52:41 +01:00
|
|
|
if peerCaps.HasCapability(cap) {
|
|
|
|
|
peerCapsFiltered[cap] = peerCaps[cap]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-15 12:59:10 +01:00
|
|
|
peerCapsSerialized, err := json.Marshal(peerCapsFiltered)
|
2025-10-03 17:52:41 +01:00
|
|
|
if err != nil {
|
2025-10-15 12:59:10 +01:00
|
|
|
b.logf("serve: failed to serialize filtered PeerCapMap: %v", err)
|
2025-10-22 09:41:19 +01:00
|
|
|
return fmt.Errorf("unable to process app capabilities")
|
2025-10-03 17:52:41 +01:00
|
|
|
}
|
|
|
|
|
|
2025-10-22 09:41:19 +01:00
|
|
|
r.Out.Header.Set(appCapabilitiesHeaderName, encTailscaleHeaderValue(string(peerCapsSerialized)))
|
|
|
|
|
return nil
|
2025-10-03 17:52:41 +01:00
|
|
|
}
|
|
|
|
|
|
2025-10-29 21:27:59 -04:00
|
|
|
// parseRedirectWithCode parses a redirect string that may optionally start with
|
|
|
|
|
// a HTTP redirect status code ("3xx:").
|
|
|
|
|
// Returns the status code and the final redirect URL.
|
|
|
|
|
// If no code prefix is found, returns http.StatusFound (302).
|
|
|
|
|
func parseRedirectWithCode(redirect string) (code int, url string) {
|
|
|
|
|
if len(redirect) >= 4 && redirect[3] == ':' {
|
|
|
|
|
if statusCode, err := strconv.Atoi(redirect[:3]); err == nil && statusCode >= 300 && statusCode <= 399 {
|
|
|
|
|
return statusCode, redirect[4:]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return http.StatusFound, redirect
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-05 13:51:52 -04:00
|
|
|
// serveWebHandler is an http.HandlerFunc that maps incoming requests to the
|
|
|
|
|
// correct *http.
|
2022-11-09 06:55:17 -08:00
|
|
|
func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
|
2022-11-10 14:16:37 -08:00
|
|
|
h, mountPoint, ok := b.getServeHandler(r)
|
2022-11-09 06:55:17 -08:00
|
|
|
if !ok {
|
|
|
|
|
http.NotFound(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-11-09 13:15:59 -08:00
|
|
|
if s := h.Text(); s != "" {
|
2022-11-09 06:55:17 -08:00
|
|
|
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
|
|
|
|
io.WriteString(w, s)
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-10-29 21:27:59 -04:00
|
|
|
if v := h.Redirect(); v != "" {
|
|
|
|
|
code, v := parseRedirectWithCode(v)
|
|
|
|
|
v = strings.ReplaceAll(v, "${HOST}", r.Host)
|
|
|
|
|
v = strings.ReplaceAll(v, "${REQUEST_URI}", r.RequestURI)
|
|
|
|
|
http.Redirect(w, r, v, code)
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-11-09 13:15:59 -08:00
|
|
|
if v := h.Path(); v != "" {
|
2022-11-10 14:16:37 -08:00
|
|
|
b.serveFileOrDirectory(w, r, v, mountPoint)
|
2022-11-09 06:55:17 -08:00
|
|
|
return
|
|
|
|
|
}
|
2022-11-09 13:15:59 -08:00
|
|
|
if v := h.Proxy(); v != "" {
|
2022-12-21 18:36:58 +00:00
|
|
|
p, ok := b.serveProxyHandlers.Load(v)
|
|
|
|
|
if !ok {
|
|
|
|
|
http.Error(w, "unknown proxy destination", http.StatusInternalServerError)
|
2022-11-09 21:27:09 -08:00
|
|
|
return
|
|
|
|
|
}
|
2025-10-15 12:59:10 +01:00
|
|
|
// Inject app capabilities to forward into the request context
|
2025-10-03 17:52:41 +01:00
|
|
|
c, ok := serveHTTPContextKey.ValueOk(r.Context())
|
|
|
|
|
if !ok {
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-10-22 09:41:19 +01:00
|
|
|
c.AppCapabilities = h.AcceptAppCaps()
|
2023-03-27 10:11:46 -04:00
|
|
|
h := p.(http.Handler)
|
|
|
|
|
// Trim the mount point from the URL path before proxying. (#6571)
|
|
|
|
|
if r.URL.Path != "/" {
|
|
|
|
|
h = http.StripPrefix(strings.TrimSuffix(mountPoint, "/"), h)
|
|
|
|
|
}
|
|
|
|
|
h.ServeHTTP(w, r)
|
2022-11-09 06:55:17 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
http.Error(w, "empty handler", 500)
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-10 14:16:37 -08:00
|
|
|
func (b *LocalBackend) serveFileOrDirectory(w http.ResponseWriter, r *http.Request, fileOrDir, mountPoint string) {
|
|
|
|
|
fi, err := os.Stat(fileOrDir)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
|
http.NotFound(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-11-16 10:53:40 -08:00
|
|
|
b.logf("error calling stat on %s: %v", fileOrDir, err)
|
|
|
|
|
http.Error(w, "an error occurred reading the file or directory", 500)
|
2022-11-10 14:16:37 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if fi.Mode().IsRegular() {
|
|
|
|
|
if mountPoint != r.URL.Path {
|
|
|
|
|
http.NotFound(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
f, err := os.Open(fileOrDir)
|
|
|
|
|
if err != nil {
|
2023-11-16 10:53:40 -08:00
|
|
|
b.logf("error opening %s: %v", fileOrDir, err)
|
|
|
|
|
http.Error(w, "an error occurred reading the file or directory", 500)
|
2022-11-10 14:16:37 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
defer f.Close()
|
|
|
|
|
http.ServeContent(w, r, path.Base(mountPoint), fi.ModTime(), f)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !fi.IsDir() {
|
|
|
|
|
http.Error(w, "not a file or directory", 500)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if len(r.URL.Path) < len(mountPoint) && r.URL.Path+"/" == mountPoint {
|
|
|
|
|
http.Redirect(w, r, mountPoint, http.StatusFound)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var fs http.Handler = http.FileServer(http.Dir(fileOrDir))
|
|
|
|
|
if mountPoint != "/" {
|
|
|
|
|
fs = http.StripPrefix(strings.TrimSuffix(mountPoint, "/"), fs)
|
|
|
|
|
}
|
|
|
|
|
fs.ServeHTTP(&fixLocationHeaderResponseWriter{
|
|
|
|
|
ResponseWriter: w,
|
|
|
|
|
mountPoint: mountPoint,
|
|
|
|
|
}, r)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// fixLocationHeaderResponseWriter is an http.ResponseWriter wrapper that, upon
|
|
|
|
|
// flushing HTTP headers, prefixes any Location header with the mount point.
|
|
|
|
|
type fixLocationHeaderResponseWriter struct {
|
|
|
|
|
http.ResponseWriter
|
|
|
|
|
mountPoint string
|
|
|
|
|
fixOnce sync.Once // guards call to fix
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (w *fixLocationHeaderResponseWriter) fix() {
|
|
|
|
|
h := w.ResponseWriter.Header()
|
|
|
|
|
if v := h.Get("Location"); v != "" {
|
|
|
|
|
h.Set("Location", w.mountPoint+v)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (w *fixLocationHeaderResponseWriter) WriteHeader(code int) {
|
|
|
|
|
w.fixOnce.Do(w.fix)
|
|
|
|
|
w.ResponseWriter.WriteHeader(code)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (w *fixLocationHeaderResponseWriter) Write(p []byte) (int, error) {
|
|
|
|
|
w.fixOnce.Do(w.fix)
|
|
|
|
|
return w.ResponseWriter.Write(p)
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-09 21:27:09 -08:00
|
|
|
// expandProxyArg returns a URL from s, where s can be of form:
|
|
|
|
|
//
|
|
|
|
|
// * port number ("8080")
|
|
|
|
|
// * host:port ("localhost:8080")
|
|
|
|
|
// * full URL ("http://localhost:8080", in which case it's returned unchanged)
|
2022-11-10 09:56:49 -08:00
|
|
|
// * insecure TLS ("https+insecure://127.0.0.1:4430")
|
|
|
|
|
func expandProxyArg(s string) (targetURL string, insecureSkipVerify bool) {
|
2022-11-09 21:27:09 -08:00
|
|
|
if s == "" {
|
2022-11-10 09:56:49 -08:00
|
|
|
return "", false
|
2022-11-09 21:27:09 -08:00
|
|
|
}
|
|
|
|
|
if strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://") {
|
2022-11-10 09:56:49 -08:00
|
|
|
return s, false
|
|
|
|
|
}
|
2023-02-01 13:43:06 -08:00
|
|
|
if rest, ok := strings.CutPrefix(s, "https+insecure://"); ok {
|
2022-11-10 09:56:49 -08:00
|
|
|
return "https://" + rest, true
|
2022-11-09 21:27:09 -08:00
|
|
|
}
|
|
|
|
|
if allNumeric(s) {
|
2022-11-10 09:56:49 -08:00
|
|
|
return "http://127.0.0.1:" + s, false
|
2022-11-09 21:27:09 -08:00
|
|
|
}
|
2022-11-10 09:56:49 -08:00
|
|
|
return "http://" + s, false
|
2022-11-09 21:27:09 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func allNumeric(s string) bool {
|
2024-04-16 13:15:13 -07:00
|
|
|
for i := range len(s) {
|
2022-11-09 21:27:09 -08:00
|
|
|
if s[i] < '0' || s[i] > '9' {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return s != ""
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-21 17:07:34 -05:00
|
|
|
func (b *LocalBackend) webServerConfig(hostname string, forVIPService tailcfg.ServiceName, port uint16) (c ipn.WebServerConfigView, ok bool) {
|
2022-11-09 21:16:20 -08:00
|
|
|
b.mu.Lock()
|
|
|
|
|
defer b.mu.Unlock()
|
|
|
|
|
|
|
|
|
|
if !b.serveConfig.Valid() {
|
|
|
|
|
return c, false
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
2025-01-22 09:24:49 -05:00
|
|
|
if forVIPService != "" {
|
2025-07-22 16:23:51 -04:00
|
|
|
magicDNSSuffix := b.currentNode().NetMap().MagicDNSSuffix()
|
|
|
|
|
fqdn := strings.Join([]string{forVIPService.WithoutPrefix(), magicDNSSuffix}, ".")
|
|
|
|
|
key := ipn.HostPort(net.JoinHostPort(fqdn, fmt.Sprintf("%d", port)))
|
2025-01-22 09:24:49 -05:00
|
|
|
return b.serveConfig.FindServiceWeb(forVIPService, key)
|
2025-01-20 12:02:53 -05:00
|
|
|
}
|
cmd/tailscale/cli: Add service flag to serve command (#16191)
* cmd/tailscale/cli: Add service flag to serve command
This commit adds the service flag to serve command which allows serving a service and add the service
to the advertisedServices field in prefs (What advertise command does that will be removed later).
When adding proxies, TCP proxies and WEB proxies work the same way as normal serve, just under a
different DNSname. There is a services specific L3 serving mode called Tun, can be set via --tun flag.
Serving a service is always in --bg mode. If --bg is explicitly set t o false, an error message will
be sent out. The restriction on proxy target being localhost or 127.0.0.1 also applies to services.
When removing proxies, TCP proxies can be removed with type and port flag and off argument. Web proxies
can be removed with type, port, setPath flag and off argument. To align with normal serve, when setPath
is not set, all handler under the hostport will be removed. When flags are not set but off argument was
passed by user, it will be a noop. Removing all config for a service will be available later with a new
subcommand clear.
Updates tailscale/corp#22954
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: fix ai comments and fix a test
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: Add a test for addServiceToPrefs
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: fix comment
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* add dnsName in error message
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* change the cli input flag variable type
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* replace FindServiceConfig with map lookup
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* some code simplification and add asServiceName
This commit cotains code simplification for IsServingHTTPS, SetWebHandler, SetTCPForwarding
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* replace IsServiceName with tailcfg.AsServiceName
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* replace all assemble of host name for service with strings.Join
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: adjust parameter order and update output message
This commit updates the parameter order for IsTCPForwardingOnPort and SetWebHandler.
Also updated the message msgServiceIPNotAssigned to msgServiceWaitingApproval to adapt to
latest terminologies around services.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: flip bool condition
This commit fixes a previous bug added that throws error when serve funnel without service.
It should've been the opposite, which throws error when serve funnel with service.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: change parameter of IsTCPForwardingOnPort
This commit changes the dnsName string parameter for IsTCPForwardingOnPort to
svcName tailcfg.ServiceName. This change is made to reduce ambiguity when
a single service might have different dnsNames
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* ipn/ipnlocal: replace the key to webHandler for services
This commit changes the way we get the webhandler for vipServices. It used to use the host name
from request to find the webHandler, now everything targeting the vipService IP have the same
set of handlers. This commit also stores service:port instead of FQDN:port as the key in serviceConfig
for Web map.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: Updated use of service name.
This commit removes serviceName.IsEmpty and use direct comparison to instead. In legacy code, when an empty service
name needs to be passed, a new constant noService is passed. Removed redundant code for checking service name validity
and string method for serviceNameFlag.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: Update bgBoolFlag
This commit update field name, set and string method of bgBoolFlag to make code cleaner.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: remove isDefaultService output from srvTypeAndPortFromFlags
This commit removes the isDefaultService out put as it's no longer needed. Also deleted redundant code.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: remove unnessesary variable declare in messageForPort
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* replace bool output for AsServiceName with err
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: Replace DNSName with NoService if DNSname only used to identify service
This commit moves noService constant to tailcfg, updates AsServiceName to return tailcfg.NoService if the input
is not a valid service name. This commit also removes using the local DNSName as scvName parameter. When a function
is only using DNSName to identify if it's working with a service, the input in replaced with svcName and expect
caller to pass tailcfg.NoService if it's a local serve. This commit also replaces some use of Sprintf with
net.JoinHostPort for ipn.HostPort creation.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: Remove the returned error for AsServiceName
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* apply suggested code and comment
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* replace local dnsName in test with tailcfg.NoService
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* cmd/tailscale/cli: move noService back and use else where
The constant serves the purpose of provide readability for passing as a function parameter. It's
more meaningful comparing to a . It can just be an empty string in other places.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* ipn: Make WebHandlerExists and RemoveTCPForwarding accept svcName
This commit replaces two functions' string input with svcName input since they only use the dnsName to
identify service. Also did some minor cleanups
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
---------
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
2025-07-16 19:37:46 -04:00
|
|
|
key := ipn.HostPort(net.JoinHostPort(hostname, fmt.Sprintf("%d", port)))
|
2023-09-05 13:51:52 -04:00
|
|
|
return b.serveConfig.FindWeb(key)
|
2022-11-09 21:16:20 -08:00
|
|
|
}
|
|
|
|
|
|
2025-01-21 17:07:34 -05:00
|
|
|
func (b *LocalBackend) getTLSServeCertForPort(port uint16, forVIPService tailcfg.ServiceName) func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
2022-11-09 21:16:20 -08:00
|
|
|
return func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
|
|
|
if hi == nil || hi.ServerName == "" {
|
|
|
|
|
return nil, errors.New("no SNI ServerName")
|
|
|
|
|
}
|
2025-01-20 12:02:53 -05:00
|
|
|
_, ok := b.webServerConfig(hi.ServerName, forVIPService, port)
|
2022-11-09 21:16:20 -08:00
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("no webserver configured for name/port")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
|
|
|
defer cancel()
|
2023-10-12 15:52:41 -07:00
|
|
|
pair, err := b.GetCertPEM(ctx, hi.ServerName)
|
2022-11-09 21:16:20 -08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return &cert, nil
|
2022-11-09 06:55:17 -08:00
|
|
|
}
|
|
|
|
|
}
|
2025-09-13 20:20:08 -07:00
|
|
|
|
|
|
|
|
// setServeProxyHandlersLocked ensures there is an http proxy handler for each
|
|
|
|
|
// backend specified in serveConfig. It expects serveConfig to be valid and
|
|
|
|
|
// up-to-date, so should be called after reloadServeConfigLocked.
|
|
|
|
|
func (b *LocalBackend) setServeProxyHandlersLocked() {
|
|
|
|
|
if !b.serveConfig.Valid() {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
var backends map[string]bool
|
|
|
|
|
for _, conf := range b.serveConfig.Webs() {
|
|
|
|
|
for _, h := range conf.Handlers().All() {
|
|
|
|
|
backend := h.Proxy()
|
|
|
|
|
if backend == "" {
|
|
|
|
|
// Only create proxy handlers for servers with a proxy backend.
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
mak.Set(&backends, backend, true)
|
|
|
|
|
if _, ok := b.serveProxyHandlers.Load(backend); ok {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.logf("serve: creating a new proxy handler for %s", backend)
|
|
|
|
|
p, err := b.proxyHandlerForBackend(backend)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// The backend endpoint (h.Proxy) should have been validated by expandProxyTarget
|
|
|
|
|
// in the CLI, so just log the error here.
|
|
|
|
|
b.logf("[unexpected] could not create proxy for %v: %s", backend, err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
b.serveProxyHandlers.Store(backend, p)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Clean up handlers for proxy backends that are no longer present
|
|
|
|
|
// in configuration.
|
|
|
|
|
b.serveProxyHandlers.Range(func(key, value any) bool {
|
|
|
|
|
backend := key.(string)
|
|
|
|
|
if !backends[backend] {
|
|
|
|
|
b.logf("serve: closing idle connections to %s", backend)
|
|
|
|
|
b.serveProxyHandlers.Delete(backend)
|
|
|
|
|
value.(*reverseProxy).close()
|
|
|
|
|
}
|
|
|
|
|
return true
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// VIPServices returns the list of tailnet services that this node
|
|
|
|
|
// is serving as a destination for.
|
|
|
|
|
// The returned memory is owned by the caller.
|
|
|
|
|
func (b *LocalBackend) VIPServices() []*tailcfg.VIPService {
|
|
|
|
|
b.mu.Lock()
|
|
|
|
|
defer b.mu.Unlock()
|
|
|
|
|
return b.vipServicesFromPrefsLocked(b.pm.CurrentPrefs())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func handleC2NVIPServicesGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
b.logf("c2n: GET /vip-services received")
|
|
|
|
|
var res tailcfg.C2NVIPServicesResponse
|
|
|
|
|
res.VIPServices = b.VIPServices()
|
2025-11-09 16:13:39 -08:00
|
|
|
res.ServicesHash = vipServiceHash(b.logf, res.VIPServices)
|
2025-09-13 20:20:08 -07:00
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
json.NewEncoder(w).Encode(res)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var metricIngressCalls = clientmetric.NewCounter("peerapi_ingress")
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
RegisterPeerAPIHandler("/v0/ingress", handleServeIngress)
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func handleServeIngress(ph PeerAPIHandler, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
h := ph.(*peerAPIHandler)
|
|
|
|
|
metricIngressCalls.Add(1)
|
|
|
|
|
|
|
|
|
|
// http.Errors only useful if hitting endpoint manually
|
|
|
|
|
// otherwise rely on log lines when debugging ingress connections
|
|
|
|
|
// as connection is hijacked for bidi and is encrypted tls
|
|
|
|
|
if !h.canIngress() {
|
|
|
|
|
h.logf("ingress: denied; no ingress cap from %v", h.remoteAddr)
|
|
|
|
|
http.Error(w, "denied; no ingress cap", http.StatusForbidden)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
logAndError := func(code int, publicMsg string) {
|
|
|
|
|
h.logf("ingress: bad request from %v: %s", h.remoteAddr, publicMsg)
|
|
|
|
|
http.Error(w, publicMsg, code)
|
|
|
|
|
}
|
|
|
|
|
bad := func(publicMsg string) {
|
|
|
|
|
logAndError(http.StatusBadRequest, publicMsg)
|
|
|
|
|
}
|
|
|
|
|
if r.Method != "POST" {
|
|
|
|
|
logAndError(http.StatusMethodNotAllowed, "only POST allowed")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
srcAddrStr := r.Header.Get("Tailscale-Ingress-Src")
|
|
|
|
|
if srcAddrStr == "" {
|
|
|
|
|
bad("Tailscale-Ingress-Src header not set")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
srcAddr, err := netip.ParseAddrPort(srcAddrStr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
bad("Tailscale-Ingress-Src header invalid; want ip:port")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
target := ipn.HostPort(r.Header.Get("Tailscale-Ingress-Target"))
|
|
|
|
|
if target == "" {
|
|
|
|
|
bad("Tailscale-Ingress-Target header not set")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if _, _, err := net.SplitHostPort(string(target)); err != nil {
|
|
|
|
|
bad("Tailscale-Ingress-Target header invalid; want host:port")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
getConnOrReset := func() (net.Conn, bool) {
|
|
|
|
|
conn, _, err := w.(http.Hijacker).Hijack()
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logf("ingress: failed hijacking conn")
|
|
|
|
|
http.Error(w, "failed hijacking conn", http.StatusInternalServerError)
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
|
|
|
|
|
return &ipn.FunnelConn{
|
|
|
|
|
Conn: conn,
|
|
|
|
|
Src: srcAddr,
|
|
|
|
|
Target: target,
|
|
|
|
|
}, true
|
|
|
|
|
}
|
|
|
|
|
sendRST := func() {
|
|
|
|
|
http.Error(w, "denied", http.StatusForbidden)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConnOrReset, sendRST)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// wantIngressLocked reports whether this node has ingress configured. This bool
|
|
|
|
|
// is sent to the coordination server (in Hostinfo.WireIngress) as an
|
|
|
|
|
// optimization hint to know primarily which nodes are NOT using ingress, to
|
|
|
|
|
// avoid doing work for regular nodes.
|
|
|
|
|
//
|
|
|
|
|
// Even if the user's ServeConfig.AllowFunnel map was manually edited in raw
|
|
|
|
|
// mode and contains map entries with false values, sending true (from Len > 0)
|
|
|
|
|
// is still fine. This is only an optimization hint for the control plane and
|
|
|
|
|
// doesn't affect security or correctness. And we also don't expect people to
|
|
|
|
|
// modify their ServeConfig in raw mode.
|
|
|
|
|
func (b *LocalBackend) wantIngressLocked() bool {
|
|
|
|
|
return b.serveConfig.Valid() && b.serveConfig.HasAllowFunnel()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// hasIngressEnabledLocked reports whether the node has any funnel endpoint enabled. This bool is sent to control (in
|
|
|
|
|
// Hostinfo.IngressEnabled) to determine whether 'Funnel' badge should be displayed on this node in the admin panel.
|
|
|
|
|
func (b *LocalBackend) hasIngressEnabledLocked() bool {
|
|
|
|
|
return b.serveConfig.Valid() && b.serveConfig.IsFunnelOn()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// shouldWireInactiveIngressLocked reports whether the node is in a state where funnel is not actively enabled, but it
|
|
|
|
|
// seems that it is intended to be used with funnel.
|
|
|
|
|
func (b *LocalBackend) shouldWireInactiveIngressLocked() bool {
|
|
|
|
|
return b.serveConfig.Valid() && !b.hasIngressEnabledLocked() && b.wantIngressLocked()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func serveSetTCPPortsInterceptedFromNetmapAndPrefsLocked(b *LocalBackend, prefs ipn.PrefsView) (handlePorts []uint16) {
|
|
|
|
|
var vipServicesPorts map[tailcfg.ServiceName][]uint16
|
|
|
|
|
|
|
|
|
|
b.reloadServeConfigLocked(prefs)
|
|
|
|
|
if b.serveConfig.Valid() {
|
|
|
|
|
servePorts := make([]uint16, 0, 3)
|
|
|
|
|
for port := range b.serveConfig.TCPs() {
|
|
|
|
|
if port > 0 {
|
|
|
|
|
servePorts = append(servePorts, uint16(port))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
handlePorts = append(handlePorts, servePorts...)
|
|
|
|
|
|
|
|
|
|
for svc, cfg := range b.serveConfig.Services().All() {
|
|
|
|
|
servicePorts := make([]uint16, 0, 3)
|
|
|
|
|
for port := range cfg.TCP().All() {
|
|
|
|
|
if port > 0 {
|
|
|
|
|
servicePorts = append(servicePorts, uint16(port))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if _, ok := vipServicesPorts[svc]; !ok {
|
|
|
|
|
mak.Set(&vipServicesPorts, svc, servicePorts)
|
|
|
|
|
} else {
|
|
|
|
|
mak.Set(&vipServicesPorts, svc, append(vipServicesPorts[svc], servicePorts...))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.setServeProxyHandlersLocked()
|
|
|
|
|
|
|
|
|
|
// don't listen on netmap addresses if we're in userspace mode
|
|
|
|
|
if !b.sys.IsNetstack() {
|
|
|
|
|
b.updateServeTCPPortNetMapAddrListenersLocked(servePorts)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.setVIPServicesTCPPortsInterceptedLocked(vipServicesPorts)
|
|
|
|
|
|
|
|
|
|
return handlePorts
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// reloadServeConfigLocked reloads the serve config from the store or resets the
|
|
|
|
|
// serve config to nil if not logged in. The "changed" parameter, when false, instructs
|
|
|
|
|
// the method to only run the reset-logic and not reload the store from memory to ensure
|
|
|
|
|
// foreground sessions are not removed if they are not saved on disk.
|
|
|
|
|
func (b *LocalBackend) reloadServeConfigLocked(prefs ipn.PrefsView) {
|
|
|
|
|
if !b.currentNode().Self().Valid() || !prefs.Valid() || b.pm.CurrentProfile().ID() == "" {
|
|
|
|
|
// We're not logged in, so we don't have a profile.
|
|
|
|
|
// Don't try to load the serve config.
|
|
|
|
|
b.lastServeConfJSON = mem.B(nil)
|
|
|
|
|
b.serveConfig = ipn.ServeConfigView{}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
confKey := ipn.ServeConfigKey(b.pm.CurrentProfile().ID())
|
|
|
|
|
// TODO(maisem,bradfitz): prevent reading the config from disk
|
|
|
|
|
// if the profile has not changed.
|
|
|
|
|
confj, err := b.store.ReadState(confKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.lastServeConfJSON = mem.B(nil)
|
|
|
|
|
b.serveConfig = ipn.ServeConfigView{}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if b.lastServeConfJSON.Equal(mem.B(confj)) {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
b.lastServeConfJSON = mem.B(confj)
|
|
|
|
|
var conf ipn.ServeConfig
|
|
|
|
|
if err := json.Unmarshal(confj, &conf); err != nil {
|
|
|
|
|
b.logf("invalid ServeConfig %q in StateStore: %v", confKey, err)
|
|
|
|
|
b.serveConfig = ipn.ServeConfigView{}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// remove inactive sessions
|
|
|
|
|
maps.DeleteFunc(conf.Foreground, func(sessionID string, sc *ipn.ServeConfig) bool {
|
|
|
|
|
_, ok := b.notifyWatchers[sessionID]
|
|
|
|
|
return !ok
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
b.serveConfig = conf.View()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b *LocalBackend) setVIPServicesTCPPortsInterceptedLocked(svcPorts map[tailcfg.ServiceName][]uint16) {
|
|
|
|
|
if len(svcPorts) == 0 {
|
|
|
|
|
b.shouldInterceptVIPServicesTCPPortAtomic.Store(func(netip.AddrPort) bool { return false })
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
nm := b.currentNode().NetMap()
|
|
|
|
|
if nm == nil {
|
|
|
|
|
b.logf("can't set intercept function for Service TCP Ports, netMap is nil")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
vipServiceIPMap := nm.GetVIPServiceIPMap()
|
|
|
|
|
if len(vipServiceIPMap) == 0 {
|
|
|
|
|
// No approved VIP Services
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
svcAddrPorts := make(map[netip.Addr]func(uint16) bool)
|
|
|
|
|
// Only set the intercept function if the service has been assigned a VIP.
|
|
|
|
|
for svcName, ports := range svcPorts {
|
|
|
|
|
addrs, ok := vipServiceIPMap[svcName]
|
|
|
|
|
if !ok {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
interceptFn := generateInterceptTCPPortFunc(ports)
|
|
|
|
|
for _, addr := range addrs {
|
|
|
|
|
svcAddrPorts[addr] = interceptFn
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.shouldInterceptVIPServicesTCPPortAtomic.Store(generateInterceptVIPServicesTCPPortFunc(svcAddrPorts))
|
|
|
|
|
}
|
2025-11-09 16:13:39 -08:00
|
|
|
|
|
|
|
|
func maybeUpdateHostinfoServicesHashLocked(b *LocalBackend, hi *tailcfg.Hostinfo, prefs ipn.PrefsView) bool {
|
|
|
|
|
latestHash := vipServiceHash(b.logf, b.vipServicesFromPrefsLocked(prefs))
|
|
|
|
|
if hi.ServicesHash != latestHash {
|
|
|
|
|
hi.ServicesHash = latestHash
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func maybeUpdateHostinfoFunnelLocked(b *LocalBackend, hi *tailcfg.Hostinfo, prefs ipn.PrefsView) (changed bool) {
|
|
|
|
|
// The Hostinfo.IngressEnabled field is used to communicate to control whether
|
|
|
|
|
// the node has funnel enabled.
|
|
|
|
|
if ie := b.hasIngressEnabledLocked(); hi.IngressEnabled != ie {
|
|
|
|
|
b.logf("Hostinfo.IngressEnabled changed to %v", ie)
|
|
|
|
|
hi.IngressEnabled = ie
|
|
|
|
|
changed = true
|
|
|
|
|
}
|
|
|
|
|
// The Hostinfo.WireIngress field tells control whether the user intends
|
|
|
|
|
// to use funnel with this node even though it is not currently enabled.
|
|
|
|
|
// This is an optimization to control- Funnel requires creation of DNS
|
|
|
|
|
// records and because DNS propagation can take time, we want to ensure
|
|
|
|
|
// that the records exist for any node that intends to use funnel even
|
|
|
|
|
// if it's not enabled. If hi.IngressEnabled is true, control knows that
|
|
|
|
|
// DNS records are needed, so we can save bandwidth and not send
|
|
|
|
|
// WireIngress.
|
|
|
|
|
if wire := b.shouldWireInactiveIngressLocked(); hi.WireIngress != wire {
|
|
|
|
|
b.logf("Hostinfo.WireIngress changed to %v", wire)
|
|
|
|
|
hi.WireIngress = wire
|
|
|
|
|
changed = true
|
|
|
|
|
}
|
|
|
|
|
return changed
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func vipServiceHash(logf logger.Logf, services []*tailcfg.VIPService) string {
|
|
|
|
|
if len(services) == 0 {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
h := sha256.New()
|
|
|
|
|
jh := json.NewEncoder(h)
|
|
|
|
|
if err := jh.Encode(services); err != nil {
|
|
|
|
|
logf("vipServiceHashLocked: %v", err)
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
var buf [sha256.Size]byte
|
|
|
|
|
h.Sum(buf[:0])
|
|
|
|
|
return hex.EncodeToString(buf[:])
|
|
|
|
|
}
|
2025-11-20 12:40:05 -07:00
|
|
|
|
|
|
|
|
// validateServeConfigUpdate validates changes proposed by incoming serve
|
|
|
|
|
// configuration.
|
|
|
|
|
func validateServeConfigUpdate(existing, incoming ipn.ServeConfigView) error {
|
|
|
|
|
// Error messages returned by this function may be presented to end-users by
|
|
|
|
|
// frontends like the CLI. Thus these error messages should provide enough
|
|
|
|
|
// information for end-users to diagnose and resolve conflicts.
|
|
|
|
|
|
|
|
|
|
if !incoming.Valid() {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// For Services, TUN mode is mutually exclusive with L4 or L7 handlers.
|
|
|
|
|
for svcName, svcCfg := range incoming.Services().All() {
|
|
|
|
|
hasTCP := svcCfg.TCP().Len() > 0
|
|
|
|
|
hasWeb := svcCfg.Web().Len() > 0
|
|
|
|
|
if svcCfg.Tun() && (hasTCP || hasWeb) {
|
|
|
|
|
return fmt.Errorf("cannot configure TUN mode in combination with TCP or web handlers for %s", svcName)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !existing.Valid() {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// New foreground listeners must be on open ports.
|
|
|
|
|
for sessionID, incomingFg := range incoming.Foreground().All() {
|
|
|
|
|
if !existing.Foreground().Has(sessionID) {
|
|
|
|
|
// This is a new session.
|
|
|
|
|
for port := range incomingFg.TCPs() {
|
|
|
|
|
if _, exists := existing.FindTCP(port); exists {
|
|
|
|
|
return fmt.Errorf("listener already exists for port %d", port)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// New background listeners cannot overwrite existing foreground listeners.
|
|
|
|
|
for port := range incoming.TCP().All() {
|
|
|
|
|
if _, exists := existing.FindForegroundTCP(port); exists {
|
|
|
|
|
return fmt.Errorf("foreground listener already exists for port %d", port)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Incoming configuration cannot change the serve type in use by a port.
|
|
|
|
|
for port, incomingHandler := range incoming.TCP().All() {
|
|
|
|
|
existingHandler, exists := existing.FindTCP(port)
|
|
|
|
|
if !exists {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
existingServeType := serveTypeFromPortHandler(existingHandler)
|
|
|
|
|
incomingServeType := serveTypeFromPortHandler(incomingHandler)
|
|
|
|
|
if incomingServeType != existingServeType {
|
|
|
|
|
return fmt.Errorf("want to serve %q, but port %d is already serving %q", incomingServeType, port, existingServeType)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validations for Tailscale Services.
|
|
|
|
|
for svcName, incomingSvcCfg := range incoming.Services().All() {
|
|
|
|
|
existingSvcCfg, exists := existing.Services().GetOk(svcName)
|
|
|
|
|
if !exists {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Incoming configuration cannot change the serve type in use by a port.
|
|
|
|
|
for port, incomingHandler := range incomingSvcCfg.TCP().All() {
|
|
|
|
|
existingHandler, exists := existingSvcCfg.TCP().GetOk(port)
|
|
|
|
|
if !exists {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
existingServeType := serveTypeFromPortHandler(existingHandler)
|
|
|
|
|
incomingServeType := serveTypeFromPortHandler(incomingHandler)
|
|
|
|
|
if incomingServeType != existingServeType {
|
|
|
|
|
return fmt.Errorf("want to serve %q, but port %d is already serving %q for %s", incomingServeType, port, existingServeType, svcName)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
existingHasTCP := existingSvcCfg.TCP().Len() > 0
|
|
|
|
|
existingHasWeb := existingSvcCfg.Web().Len() > 0
|
|
|
|
|
|
|
|
|
|
// A Service cannot turn on TUN mode if TCP or web handlers exist.
|
|
|
|
|
if incomingSvcCfg.Tun() && (existingHasTCP || existingHasWeb) {
|
|
|
|
|
return fmt.Errorf("cannot turn on TUN mode with existing TCP or web handlers for %s", svcName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
incomingHasTCP := incomingSvcCfg.TCP().Len() > 0
|
|
|
|
|
incomingHasWeb := incomingSvcCfg.Web().Len() > 0
|
|
|
|
|
|
|
|
|
|
// A Service cannot add TCP or web handlers if TUN mode is enabled.
|
|
|
|
|
if (incomingHasTCP || incomingHasWeb) && existingSvcCfg.Tun() {
|
|
|
|
|
return fmt.Errorf("cannot add TCP or web handlers as TUN mode is enabled for %s", svcName)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// serveType is a high-level descriptor of the kind of serve performed by a TCP
|
|
|
|
|
// port handler.
|
|
|
|
|
type serveType int
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
serveTypeHTTPS serveType = iota
|
|
|
|
|
serveTypeHTTP
|
|
|
|
|
serveTypeTCP
|
|
|
|
|
serveTypeTLSTerminatedTCP
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func (s serveType) String() string {
|
|
|
|
|
switch s {
|
|
|
|
|
case serveTypeHTTP:
|
|
|
|
|
return "http"
|
|
|
|
|
case serveTypeHTTPS:
|
|
|
|
|
return "https"
|
|
|
|
|
case serveTypeTCP:
|
|
|
|
|
return "tcp"
|
|
|
|
|
case serveTypeTLSTerminatedTCP:
|
|
|
|
|
return "tls-terminated-tcp"
|
|
|
|
|
default:
|
|
|
|
|
return "unknownServeType"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// serveTypeFromPortHandler is used to get a high-level descriptor of the kind
|
|
|
|
|
// of serve being performed by a port handler.
|
|
|
|
|
func serveTypeFromPortHandler(ph ipn.TCPPortHandlerView) serveType {
|
|
|
|
|
switch {
|
|
|
|
|
case ph.HTTP():
|
|
|
|
|
return serveTypeHTTP
|
|
|
|
|
case ph.HTTPS():
|
|
|
|
|
return serveTypeHTTPS
|
|
|
|
|
case ph.TerminateTLS() != "":
|
|
|
|
|
return serveTypeTLSTerminatedTCP
|
|
|
|
|
case ph.TCPForward() != "":
|
|
|
|
|
return serveTypeTCP
|
|
|
|
|
default:
|
|
|
|
|
return -1
|
|
|
|
|
}
|
|
|
|
|
}
|