mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-07 08:07:42 +00:00
tsweb: check for key-based debug access before XFF check (#9093)
Fly apps all set X-Forwarded-For, which breaks debug access even with a preshared key otherwise. Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>
parent
6b6a8cf843
commit
7b18ed293b
@ -51,6 +51,9 @@ func IsProd443(addr string) bool {
|
|||||||
// AllowDebugAccess reports whether r should be permitted to access
|
// AllowDebugAccess reports whether r should be permitted to access
|
||||||
// various debug endpoints.
|
// various debug endpoints.
|
||||||
func AllowDebugAccess(r *http.Request) bool {
|
func AllowDebugAccess(r *http.Request) bool {
|
||||||
|
if allowDebugAccessWithKey(r) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
if r.Header.Get("X-Forwarded-For") != "" {
|
if r.Header.Get("X-Forwarded-For") != "" {
|
||||||
// TODO if/when needed. For now, conservative:
|
// TODO if/when needed. For now, conservative:
|
||||||
return false
|
return false
|
||||||
@ -66,14 +69,19 @@ func AllowDebugAccess(r *http.Request) bool {
|
|||||||
if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == envknob.String("TS_ALLOW_DEBUG_IP") {
|
if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == envknob.String("TS_ALLOW_DEBUG_IP") {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
if r.Method == "GET" {
|
return false
|
||||||
urlKey := r.FormValue("debugkey")
|
}
|
||||||
keyPath := envknob.String("TS_DEBUG_KEY_PATH")
|
|
||||||
if urlKey != "" && keyPath != "" {
|
func allowDebugAccessWithKey(r *http.Request) bool {
|
||||||
slurp, err := os.ReadFile(keyPath)
|
if r.Method != "GET" {
|
||||||
if err == nil && string(bytes.TrimSpace(slurp)) == urlKey {
|
return false
|
||||||
return true
|
}
|
||||||
}
|
urlKey := r.FormValue("debugkey")
|
||||||
|
keyPath := envknob.String("TS_DEBUG_KEY_PATH")
|
||||||
|
if urlKey != "" && keyPath != "" {
|
||||||
|
slurp, err := os.ReadFile(keyPath)
|
||||||
|
if err == nil && string(bytes.TrimSpace(slurp)) == urlKey {
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
|
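Review bot: The secret check in the new allowDebugAccessWithKey, `string(bytes.TrimSpace(slurp)) == urlKey`, is an ordinary string comparison, and after this reordering it also runs for requests that carry X-Forwarded-For, which per the commit message includes traffic relayed through Fly's proxy. Comparing with `subtle.ConstantTimeCompare(bytes.TrimSpace(slurp), []byte(urlKey)) == 1` removes the timing signal on that path; it needs a `crypto/subtle` import, and the import block is outside this section. Because the key is read from the `debugkey` form value of a GET request, it travels in the URL and will likely appear in any proxy or access log that records request URLs, so the key file should be treated as something to rotate. The helper has no doc comment; `// allowDebugAccessWithKey reports whether r is a GET request whose debugkey form value matches the trimmed contents of the file named by TS_DEBUG_KEY_PATH.` would record the contract and the fact that it is evaluated before the X-Forwarded-For and IP checks.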