2023-01-27 13:37:20 -08:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2021-12-17 12:40:24 -08:00
|
|
|
|
2022-05-19 14:29:47 -07:00
|
|
|
//go:build !js
|
|
|
|
|
2021-12-17 12:40:24 -08:00
|
|
|
package ipnserver
|
|
|
|
|
|
|
|
import (
|
|
|
|
"io"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"tailscale.com/logpolicy"
|
|
|
|
)
|
|
|
|
|
|
|
|
// handleProxyConnectConn handles a CONNECT request to
|
|
|
|
// log.tailscale.io (or whatever the configured log server is). This
|
|
|
|
// is intended for use by the Windows GUI client to log via when an
|
|
|
|
// exit node is in use, so the logs don't go out via the exit node and
|
|
|
|
// instead go directly, like tailscaled's. The dialer tried to do that
|
|
|
|
// in the unprivileged GUI by binding to a specific interface, but the
|
|
|
|
// "Internet Kill Switch" installed by tailscaled for exit nodes
|
|
|
|
// precludes that from working and instead the GUI fails to dial out.
|
|
|
|
// So, go through tailscaled (with a CONNECT request) instead.
|
2022-11-25 20:54:37 -08:00
|
|
|
func (s *Server) handleProxyConnectConn(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
if r.Method != "CONNECT" {
|
|
|
|
panic("[unexpected] miswired")
|
2021-12-17 12:40:24 -08:00
|
|
|
}
|
|
|
|
|
2022-11-25 20:54:37 -08:00
|
|
|
hostPort := r.RequestURI
|
2021-12-17 12:40:24 -08:00
|
|
|
logHost := logpolicy.LogHost()
|
|
|
|
allowed := net.JoinHostPort(logHost, "443")
|
|
|
|
if hostPort != allowed {
|
2022-11-25 20:54:37 -08:00
|
|
|
s.logf("invalid CONNECT target %q; want %q", hostPort, allowed)
|
|
|
|
http.Error(w, "Bad CONNECT target.", http.StatusForbidden)
|
2021-12-17 12:40:24 -08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-07-10 15:45:57 -04:00
|
|
|
dialContext := logpolicy.MakeDialFunc(s.netMon, s.logf)
|
2023-04-17 16:01:41 -07:00
|
|
|
back, err := dialContext(ctx, "tcp", hostPort)
|
2021-12-17 12:40:24 -08:00
|
|
|
if err != nil {
|
2022-11-25 20:54:37 -08:00
|
|
|
s.logf("error CONNECT dialing %v: %v", hostPort, err)
|
|
|
|
http.Error(w, "Connect failure", http.StatusBadGateway)
|
2021-12-17 12:40:24 -08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
defer back.Close()
|
|
|
|
|
2022-11-25 20:54:37 -08:00
|
|
|
hj, ok := w.(http.Hijacker)
|
|
|
|
if !ok {
|
2023-12-05 10:32:35 -05:00
|
|
|
http.Error(w, "CONNECT hijack unavailable", http.StatusInternalServerError)
|
2022-11-25 20:54:37 -08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
c, br, err := hj.Hijack()
|
|
|
|
if err != nil {
|
|
|
|
s.logf("CONNECT hijack: %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
defer c.Close()
|
|
|
|
|
2021-12-17 12:40:24 -08:00
|
|
|
io.WriteString(c, "HTTP/1.1 200 OK\r\n\r\n")
|
|
|
|
|
|
|
|
errc := make(chan error, 2)
|
|
|
|
go func() {
|
|
|
|
_, err := io.Copy(c, back)
|
|
|
|
errc <- err
|
|
|
|
}()
|
|
|
|
go func() {
|
|
|
|
_, err := io.Copy(back, br)
|
|
|
|
errc <- err
|
|
|
|
}()
|
|
|
|
<-errc
|
|
|
|
}
|