logpolicy: also set up TLS dialing (for iOS) for log uploads

This was the last of the three places that do TLS from clients (logs,
control, derp). With this, iOS should be able to use the
memory-efficient x509 root CertPool.
Brad Fitzpatrick 2020-04-26 08:31:14 -07:00
parent c726c1eec9
commit 9497921f52


@ -29,6 +29,7 @@
"tailscale.com/atomicfile" "tailscale.com/atomicfile"
"tailscale.com/logtail" "tailscale.com/logtail"
"tailscale.com/logtail/filch" "tailscale.com/logtail/filch"
"tailscale.com/net/tlsdial"
"tailscale.com/version" "tailscale.com/version"
) )
@ -188,7 +189,7 @@ func New(collection string) *Policy {
} }
return w return w
}, },
HTTPC: &http.Client{Transport: newLogtailTransport()}, HTTPC: &http.Client{Transport: newLogtailTransport(logtail.DefaultHost)},
} }
filchBuf, filchErr := filch.New(filepath.Join(dir, version.CmdName()), filch.Options{}) filchBuf, filchErr := filch.New(filepath.Join(dir, version.CmdName()), filch.Options{})
@ -231,8 +232,9 @@ func (p *Policy) Shutdown(ctx context.Context) error {
return nil return nil
} }
// newLogtailTransport returns the HTTP Transport we use for uploading logs. // newLogtailTransport returns the HTTP Transport we use for uploading
func newLogtailTransport() *http.Transport { // logs to the given host name.
func newLogtailTransport(host string) *http.Transport {
// Start with a copy of http.DefaultTransport and tweak it a bit. // Start with a copy of http.DefaultTransport and tweak it a bit.
tr := http.DefaultTransport.(*http.Transport).Clone() tr := http.DefaultTransport.(*http.Transport).Clone()
@ -273,5 +275,8 @@ func newLogtailTransport() *http.Transport {
tr.ForceAttemptHTTP2 = false tr.ForceAttemptHTTP2 = false
tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{} tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}
} }
tr.TLSClientConfig = tlsdial.Config(host, tr.TLSClientConfig)
return tr return tr
} }
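Review bot: The transport is now bound to a single host name at construction time: `tr.TLSClientConfig = tlsdial.Config(host, tr.TLSClientConfig)` in the last hunk means every connection made through the returned transport is verified against `host`, not against whatever host a request happens to target, assuming tlsdial.Config sets ServerName as its signature suggests. That is fine for the caller in New, which passes `logtail.DefaultHost`, but nothing in the hunk states the constraint, and a future caller that points the same `http.Client` at a different collection endpoint (or follows a redirect) would either fail verification or, worse, have the wrong name verified. Suggest documenting it on the function: `// The returned transport is specific to host: its TLS config verifies that name on every connection, so it must not be reused for other endpoints.` It would also be worth a doc note on `New` that `HTTPC` is built for `logtail.DefaultHost`, so any override of the upload base URL has to go through newLogtailTransport with the matching host.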