tsweb: check for key-based debug access before XFF check (#9093)

Fly apps always set X-Forwarded-For, which otherwise breaks debug access
even with a preshared key.

Updates tailscale/corp#3601

Signed-off-by: David Anderson <danderson@tailscale.com>
Dave Anderson 2023-08-25 11:12:11 -07:00 committed by GitHub
parent 6b6a8cf843
commit 7b18ed293b


@ -51,6 +51,9 @@ func IsProd443(addr string) bool {
// AllowDebugAccess reports whether r should be permitted to access // AllowDebugAccess reports whether r should be permitted to access
// various debug endpoints. // various debug endpoints.
func AllowDebugAccess(r *http.Request) bool { func AllowDebugAccess(r *http.Request) bool {
if allowDebugAccessWithKey(r) {
return true
}
if r.Header.Get("X-Forwarded-For") != "" { if r.Header.Get("X-Forwarded-For") != "" {
// TODO if/when needed. For now, conservative: // TODO if/when needed. For now, conservative:
return false return false
@ -66,7 +69,13 @@ func AllowDebugAccess(r *http.Request) bool {
if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == envknob.String("TS_ALLOW_DEBUG_IP") { if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == envknob.String("TS_ALLOW_DEBUG_IP") {
return true return true
} }
if r.Method == "GET" { return false
}
func allowDebugAccessWithKey(r *http.Request) bool {
if r.Method != "GET" {
return false
}
urlKey := r.FormValue("debugkey") urlKey := r.FormValue("debugkey")
keyPath := envknob.String("TS_DEBUG_KEY_PATH") keyPath := envknob.String("TS_DEBUG_KEY_PATH")
if urlKey != "" && keyPath != "" { if urlKey != "" && keyPath != "" {
@ -75,7 +84,6 @@ func AllowDebugAccess(r *http.Request) bool {
return true return true
} }
} }
}
return false return false
} }
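Review bot: The new unexported `allowDebugAccessWithKey` has no doc comment, and the comment on `AllowDebugAccess` still reads as if the X-Forwarded-For and source-address checks were the only gates, even though a valid `debugkey` is now accepted before the forwarded-header denial. Suggest adding `// allowDebugAccessWithKey reports whether r is a GET carrying a debugkey that matches the key file named by TS_DEBUG_KEY_PATH. It is consulted before the source-address checks so requests arriving through a forwarding proxy can still be authorized.` and extending the exported comment to say that a valid preshared key bypasses the X-Forwarded-For rejection. Since `r.FormValue("debugkey")` on a GET reads the key from the URL query, the key will show up in any proxy or access logs along the path; accepting it from a request header instead of (or in addition to) the query would avoid that. The key read and comparison sit in lines the hunk omits, so I cannot tell from here how the file contents are compared.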