cmd/derper: accept more LetsEncrypt hostnames without explicit config
This commit is contained in:
parent
cc4afa775f
commit
051b6ef141
@ -6,7 +6,9 @@
|
|||||||
package main // import "tailscale.com/cmd/derper"
|
package main // import "tailscale.com/cmd/derper"
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
"expvar"
|
"expvar"
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
@ -17,6 +19,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"regexp"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/tailscale/wireguard-go/wgcfg"
|
"github.com/tailscale/wireguard-go/wgcfg"
|
||||||
@ -159,6 +162,9 @@ func main() {
|
|||||||
HostPolicy: autocert.HostWhitelist(*hostname),
|
HostPolicy: autocert.HostWhitelist(*hostname),
|
||||||
Cache: autocert.DirCache(*certDir),
|
Cache: autocert.DirCache(*certDir),
|
||||||
}
|
}
|
||||||
|
if *hostname == "derp.tailscale.com" {
|
||||||
|
certManager.HostPolicy = prodAutocertHostPolicy
|
||||||
|
}
|
||||||
httpsrv.TLSConfig = certManager.TLSConfig()
|
httpsrv.TLSConfig = certManager.TLSConfig()
|
||||||
go func() {
|
go func() {
|
||||||
err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{mux}))
|
err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{mux}))
|
||||||
@ -253,3 +259,12 @@ func serveSTUN() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var validProdHostname = regexp.MustCompile(`^derp(\d+|\-\w+)?\.tailscale\.com\.?$`)
|
||||||
|
|
||||||
|
func prodAutocertHostPolicy(_ context.Context, host string) error {
|
||||||
|
if validProdHostname.MatchString(host) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return errors.New("invalid hostname")
|
||||||
|
}
|
||||||
|
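Review bot: In the new `validProdHostname` pattern after serveSTUN, `\w` also admits underscores, so a name such as `derp-foo_bar.tailscale.com` passes the policy although it is not a valid DNS label, and the `\-` escape is unnecessary; a tighter form is `^derp(\d+|-[0-9a-z]+)?\.tailscale\.com\.?$` (this assumes autocert hands the policy a lowercased name, which is not visible here). Since this policy is the only gate on which names the ACME client will attempt issuance for, keeping it no wider than the names actually served limits wasted issuance attempts that count against the CA's rate limits. Both new package-level declarations lack doc comments; suggest `// validProdHostname matches the derp*.tailscale.com names for which autocert may obtain certificates.` and `// prodAutocertHostPolicy is the autocert.HostPolicy used when the server runs as derp.tailscale.com.` The rejection could also carry the offending name for log context, `return fmt.Errorf("invalid hostname %q", host)`, with fmt already imported in this file.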
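--- /dev/null
+++ b/cmd/derper/derper_test.go
@@ -0,0 +1,31 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import "testing"
+
+func TestProdAutocertHostPolicy(t *testing.T) {
+tests := []struct {
+in string
+wantOK bool
+}{
+{"derp.tailscale.com", true},
+{"derp.tailscale.com.", true},
+{"derp1.tailscale.com", true},
+{"derp2.tailscale.com", true},
+{"derp02.tailscale.com", true},
+{"derp-nyc.tailscale.com", true},
+{"derpfoo.tailscale.com", false},
+{"derp02.bar.tailscale.com", false},
+{"example.net", false},
+}
+for _, tt := range tests {
+got := prodAutocertHostPolicy(nil, tt.in) == nil
+if got != tt.wantOK {
+t.Errorf("f(%q) = %v; want %v", tt.in, got, tt.wantOK)
+}
+}
+
+}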
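Review bot: The table in TestProdAutocertHostPolicy has no case for a label character that the regexp treats differently from DNS, so a later loosening of the pattern would go unnoticed; `{"derp_nyc.tailscale.com", false}` and `{"derp-.tailscale.com", false}` are both rejected by the current expression and would pin that. The failure message labels the function `f`; `t.Errorf("prodAutocertHostPolicy(%q) = %v; want %v", tt.in, got, tt.wantOK)` names it. Passing `nil` as the context works only because the policy ignores it; `context.Background()` (with a `context` import) keeps the test valid if that changes.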