tsweb: avoid http-to-https redirect for localhost

If the client is connecting over loopback, then avoid the http-to-https redirect since this is connection within the kernel, rather than over untrusted network, and also because https://localhost is unlikely to work as there isn't a CA that issues certs for localhost. Updates tailscale/corp#11038 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2024-11-29 04:55:31 +00:00 · 2024-10-14 21:27:15 -07:00 · 2024-10-14 21:27:15 -07:00 · 6a1fd74695
commit 6a1fd74695
parent c763b7a7db
1 changed files with 3 additions and 1 deletions
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
@ -146,8 +146,10 @@ type Port80Handler struct {
 }

 func (h Port80Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ipStr, _, _ := net.SplitHostPort(r.RemoteAddr)
+	ip, _ := netip.ParseAddr(ipStr)
 	path := r.RequestURI
-	if path == "/debug" || strings.HasPrefix(path, "/debug") {
+	if ip.IsLoopback() || path == "/debug" || strings.HasPrefix(path, "/debug") {
 		h.Main.ServeHTTP(w, r)
 		return
 	}