cmd/derper: accept more LetsEncrypt hostnames without explicit config

2025-10-15 19:03:27 +00:00 · 2020-03-02 08:55:44 -08:00
parent cc4afa775f
commit 051b6ef141
2 changed files with 46 additions and 0 deletions
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -6,7 +6,9 @@
 package main // import "tailscale.com/cmd/derper"

 import (
+	"context"
 	"encoding/json"
+	"errors"
 	"expvar"
 	"flag"
 	"fmt"
@@ -17,6 +19,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 	"time"

 	"github.com/tailscale/wireguard-go/wgcfg"
@@ -159,6 +162,9 @@ func main() {
 			HostPolicy: autocert.HostWhitelist(*hostname),
 			Cache:      autocert.DirCache(*certDir),
 		}
+		if *hostname == "derp.tailscale.com" {
+			certManager.HostPolicy = prodAutocertHostPolicy
+		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
 		go func() {
 			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{mux}))
@@ -253,3 +259,12 @@ func serveSTUN() {
 		}
 	}
 }
+
+var validProdHostname = regexp.MustCompile(`^derp(\d+|\-\w+)?\.tailscale\.com\.?$`)
+
+func prodAutocertHostPolicy(_ context.Context, host string) error {
+	if validProdHostname.MatchString(host) {
+		return nil
+	}
+	return errors.New("invalid hostname")
+}