{cmd/tailscale/cli,ipn}: add http support to tailscale serve (#8358)

Updates #8357

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>

ipn/ipn_clone.go

@@ -103,6 +103,7 @@ func (src *TCPPortHandler) Clone() *TCPPortHandler {
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerCloneNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
+	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})

ipn/ipn_view.go

@@ -228,12 +228,14 @@ func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error {
 }
 
 func (v TCPPortHandlerView) HTTPS() bool          { return v.ж.HTTPS }
+func (v TCPPortHandlerView) HTTP() bool           { return v.ж.HTTP }
 func (v TCPPortHandlerView) TCPForward() string   { return v.ж.TCPForward }
 func (v TCPPortHandlerView) TerminateTLS() string { return v.ж.TerminateTLS }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerViewNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
+	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})

ipn/ipnlocal/local.go

@@ -4129,6 +4129,10 @@ func (b *LocalBackend) setServeProxyHandlersLocked() {
 	b.serveConfig.Web().Range(func(_ ipn.HostPort, conf ipn.WebServerConfigView) (cont bool) {
 		conf.Handlers().Range(func(_ string, h ipn.HTTPHandlerView) (cont bool) {
 			backend := h.Proxy()
+			if backend == "" {
+				// Only create proxy handlers for servers with a proxy backend.
+				return true
+			}
 			mak.Set(&backends, backend, true)
 			if _, ok := b.serveProxyHandlers.Load(backend); ok {
 				return true

ipn/ipnlocal/serve.go

@@ -332,11 +332,8 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 		return nil
 	}
 
-	if tcph.HTTPS() {
+	if tcph.HTTPS() || tcph.HTTP() {
 		hs := &http.Server{
-			TLSConfig: &tls.Config{
-				GetCertificate: b.getTLSServeCertForPort(dport),
-			},
 			Handler: http.HandlerFunc(b.serveWebHandler),
 			BaseContext: func(_ net.Listener) context.Context {
 				return context.WithValue(context.Background(), serveHTTPContextKey{}, &serveHTTPContext{
@@ -345,8 +342,17 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 				})
 			},
 		}
+		if tcph.HTTPS() {
+			hs.TLSConfig = &tls.Config{
+				GetCertificate: b.getTLSServeCertForPort(dport),
+			}
+			return func(c net.Conn) error {
+				return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
+			}
+		}
+
 		return func(c net.Conn) error {
-			return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
+			return hs.Serve(netutil.NewOneConnListener(c, nil))
 		}
 	}
 
@@ -406,8 +412,14 @@ func getServeHTTPContext(r *http.Request) (c *serveHTTPContext, ok bool) {
 func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
 	var z ipn.HTTPHandlerView // zero value
 
+	hostname := r.Host
 	if r.TLS == nil {
-		return z, "", false
+		tcd := "." + b.Status().CurrentTailnet.MagicDNSSuffix
+		if !strings.HasSuffix(hostname, tcd) {
+			hostname += tcd
+		}
+	} else {
+		hostname = r.TLS.ServerName
 	}
 
 	sctx, ok := getServeHTTPContext(r)
@@ -415,7 +427,7 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
 		b.logf("[unexpected] localbackend: no serveHTTPContext in request")
 		return z, "", false
 	}
-	wsc, ok := b.webServerConfig(r.TLS.ServerName, sctx.DestPort)
+	wsc, ok := b.webServerConfig(hostname, sctx.DestPort)
 	if !ok {
 		return z, "", false
 	}
@@ -472,7 +484,9 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 
 func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
 	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
-	r.Out.Header.Set("X-Forwarded-Proto", "https")
+	if r.In.TLS != nil {
+		r.Out.Header.Set("X-Forwarded-Proto", "https")
+	}
 	if c, ok := getServeHTTPContext(r.Out); ok {
 		r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
 	}
@@ -634,8 +648,8 @@ func allNumeric(s string) bool {
 	return s != ""
 }
 
-func (b *LocalBackend) webServerConfig(sniName string, port uint16) (c ipn.WebServerConfigView, ok bool) {
-	key := ipn.HostPort(fmt.Sprintf("%s:%v", sniName, port))
+func (b *LocalBackend) webServerConfig(hostname string, port uint16) (c ipn.WebServerConfigView, ok bool) {
+	key := ipn.HostPort(fmt.Sprintf("%s:%v", hostname, port))
 
 	b.mu.Lock()
 	defer b.mu.Unlock()

ipn/serve.go

@@ -76,6 +76,12 @@ type TCPPortHandler struct {
 	// It is mutually exclusive with TCPForward.
 	HTTPS bool `json:",omitempty"`
 
+	// HTTP, if true, means that tailscaled should handle this connection as an
+	// HTTP request as configured by ServeConfig.Web.
+	//
+	// It is mutually exclusive with TCPForward.
+	HTTP bool `json:",omitempty"`
+
 	// TCPForward is the IP:port to forward TCP connections to.
 	// Whether or not TLS is terminated by tailscaled depends on
 	// TerminateTLS.
@@ -103,7 +109,7 @@ type HTTPHandler struct {
 	// temporary ones? Error codes? Redirects?
 }
 
-// WebHandlerExists checks if the ServeConfig Web handler exists for
+// WebHandlerExists reports whether if the ServeConfig Web handler exists for
 // the given host:port and mount point.
 func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool {
 	h := sc.GetWebHandler(hp, mount)
@@ -128,9 +134,8 @@ func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler {
 	return sc.TCP[port]
 }
 
-// IsTCPForwardingAny checks if ServeConfig is currently forwarding
-// in TCPForward mode on any port.
-// This is exclusive of Web/HTTPS serving.
+// IsTCPForwardingAny reports whether ServeConfig is currently forwarding in
+// TCPForward mode on any port. This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingAny() bool {
 	if sc == nil || len(sc.TCP) == 0 {
 		return false
@@ -143,34 +148,47 @@ func (sc *ServeConfig) IsTCPForwardingAny() bool {
 	return false
 }
 
-// IsTCPForwardingOnPort checks if ServeConfig is currently forwarding
-// in TCPForward mode on the given port.
-// This is exclusive of Web/HTTPS serving.
+// IsTCPForwardingOnPort reports whether if ServeConfig is currently forwarding
+// in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool {
 	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
-	return !sc.TCP[port].HTTPS
+	return !sc.IsServingWeb(port)
 }
 
-// IsServingWeb checks if ServeConfig is currently serving
-// Web/HTTPS on the given port.
-// This is exclusive of TCPForwarding.
+// IsServingWeb reports whether if ServeConfig is currently serving Web
+// (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.
 func (sc *ServeConfig) IsServingWeb(port uint16) bool {
+	return sc.IsServingHTTP(port) || sc.IsServingHTTPS(port)
+}
+
+// IsServingHTTPS reports whether if ServeConfig is currently serving HTTPS on
+// the given port. This is exclusive of HTTP and TCPForwarding.
+func (sc *ServeConfig) IsServingHTTPS(port uint16) bool {
 	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
 	return sc.TCP[port].HTTPS
 }
 
-// IsFunnelOn checks if ServeConfig is currently allowing
-// funnel traffic for any host:port.
+// IsServingHTTP reports whether if ServeConfig is currently serving HTTP on the
+// given port. This is exclusive of HTTPS and TCPForwarding.
+func (sc *ServeConfig) IsServingHTTP(port uint16) bool {
+	if sc == nil || sc.TCP[port] == nil {
+		return false
+	}
+	return sc.TCP[port].HTTP
+}
+
+// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
+// traffic for any host:port.
 //
 // View version of ServeConfig.IsFunnelOn.
 func (v ServeConfigView) IsFunnelOn() bool { return v.ж.IsFunnelOn() }
 
-// IsFunnelOn checks if ServeConfig is currently allowing
-// funnel traffic for any host:port.
+// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
+// traffic for any host:port.
 func (sc *ServeConfig) IsFunnelOn() bool {
 	if sc == nil {
 		return false