mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
cmd/tailscale/web: support TLS from env vars.
pfSense stores its SSL certificate and key in the PHP config. We wrote PHP code to pull the two out of the PHP config and into environment variables before running "tailscale web". The pfSense web UI is served over https, we need "tailscale web" to also support https in order to put it in an <iframe>. Signed-off-by: Denton Gentry <dgentry@tailscale.com>
This commit is contained in:
parent
b7b7d21514
commit
27bc4e744c
@ -7,6 +7,7 @@
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
_ "embed"
|
||||
"encoding/json"
|
||||
"encoding/xml"
|
||||
@ -19,6 +20,7 @@
|
||||
"net/http"
|
||||
"net/http/cgi"
|
||||
"net/url"
|
||||
"os"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"strings"
|
||||
@ -83,6 +85,29 @@ type tmplData struct {
|
||||
cgi bool
|
||||
}
|
||||
|
||||
func tlsConfigFromEnvironment() *tls.Config {
|
||||
crt := os.Getenv("TLS_CRT_PEM")
|
||||
key := os.Getenv("TLS_KEY_PEM")
|
||||
if crt == "" || key == "" {
|
||||
return nil
|
||||
}
|
||||
|
||||
// We support passing in the complete certificate and key from environment
|
||||
// variables because pfSense stores its cert+key in the PHP config. We populate
|
||||
// TLS_CRT_PEM and TLS_KEY_PEM from PHP code before starting tailscale web.
|
||||
// These are the PEM-encoded Certificate and Private Key.
|
||||
|
||||
cert, err := tls.X509KeyPair([]byte(crt), []byte(key))
|
||||
if err != nil {
|
||||
log.Printf("tlsConfigFromEnvironment: %v", err)
|
||||
|
||||
// Fallback to unencrypted HTTP.
|
||||
return nil
|
||||
}
|
||||
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}}
|
||||
}
|
||||
|
||||
func runWeb(ctx context.Context, args []string) error {
|
||||
if len(args) > 0 {
|
||||
log.Fatalf("too many non-flag arguments: %q", args)
|
||||
@ -96,9 +121,21 @@ func runWeb(ctx context.Context, args []string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
tlsConfig := tlsConfigFromEnvironment()
|
||||
if tlsConfig != nil {
|
||||
server := &http.Server{
|
||||
Addr: webArgs.listen,
|
||||
TLSConfig: tlsConfig,
|
||||
Handler: http.HandlerFunc(webHandler),
|
||||
}
|
||||
|
||||
log.Printf("web server runNIng on: https://%s", server.Addr)
|
||||
return server.ListenAndServeTLS("", "")
|
||||
} else {
|
||||
log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
|
||||
return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
|
||||
}
|
||||
}
|
||||
|
||||
// urlOfListenAddr parses a given listen address into a formatted URL
|
||||
func urlOfListenAddr(addr string) string {
|
||||
|
Loading…
Reference in New Issue
Block a user