diff --git a/cmd/tailscale/cli/serve_legacy.go b/cmd/tailscale/cli/serve_legacy.go index 443a404ab..e75e27fac 100644 --- a/cmd/tailscale/cli/serve_legacy.go +++ b/cmd/tailscale/cli/serve_legacy.go @@ -159,6 +159,7 @@ type serveEnv struct { http uint // HTTP port tcp uint // TCP port tlsTerminatedTCP uint // a TLS terminated TCP port + promoteHTTPS bool // promote HTTP to HTTPS subcmd serveMode // subcommand yes bool // update without prompt diff --git a/cmd/tailscale/cli/serve_v2.go b/cmd/tailscale/cli/serve_v2.go index 009a61198..1d6eeaa03 100644 --- a/cmd/tailscale/cli/serve_v2.go +++ b/cmd/tailscale/cli/serve_v2.go @@ -123,6 +123,7 @@ func newServeV2Command(e *serveEnv, subcmd serveMode) *ffcli.Command { fs.UintVar(&e.https, "https", 0, "Expose an HTTPS server at the specified port (default mode)") if subcmd == serve { fs.UintVar(&e.http, "http", 0, "Expose an HTTP server at the specified port") + fs.BoolVar(&e.promoteHTTPS, "promote-https", false, "Promote HTTP to HTTPS (default false)") } fs.UintVar(&e.tcp, "tcp", 0, "Expose a TCP forwarder to forward raw TCP packets at the specified port") fs.UintVar(&e.tlsTerminatedTCP, "tls-terminated-tcp", 0, "Expose a TCP forwarder to forward TLS-terminated TCP packets at the specified port") @@ -223,6 +224,11 @@ func (e *serveEnv) runServeCombined(subcmd serveMode) execFunc { return errHelpFunc(subcmd) } + if srvType == serveTypeHTTP && e.promoteHTTPS { + fmt.Fprintf(e.stderr(), "error: --promote-https is only valid for HTTPS\n\n") + return errHelpFunc(subcmd) + } + sc, err := e.lc.GetServeConfig(ctx) if err != nil { return fmt.Errorf("error getting serve config: %w", err) @@ -295,7 +301,7 @@ func (e *serveEnv) runServeCombined(subcmd serveMode) execFunc { if err := e.validateConfig(parentSC, srvPort, srvType); err != nil { return err } - err = e.setServe(sc, st, dnsName, srvType, srvPort, mount, args[0], funnel) + err = e.setServe(sc, st, dnsName, srvType, srvPort, mount, args[0], funnel, e.promoteHTTPS) msg = e.messageForPort(sc, st, dnsName, srvType, srvPort) } if err != nil { @@ -365,7 +371,7 @@ func serveFromPortHandler(tcp *ipn.TCPPortHandler) serveType { } } -func (e *serveEnv) setServe(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName string, srvType serveType, srvPort uint16, mount string, target string, allowFunnel bool) error { +func (e *serveEnv) setServe(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName string, srvType serveType, srvPort uint16, mount string, target string, allowFunnel bool, promoteHTTPS bool) error { // update serve config based on the type switch srvType { case serveTypeHTTPS, serveTypeHTTP: @@ -390,6 +396,8 @@ func (e *serveEnv) setServe(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName st // update the serve config based on if funnel is enabled e.applyFunnel(sc, dnsName, srvPort, allowFunnel) + sc.SetRedirectToHTTPS(dnsName, srvPort, promoteHTTPS) + return nil } diff --git a/ipn/ipn_clone.go b/ipn/ipn_clone.go index de35b60a7..4acb24452 100644 --- a/ipn/ipn_clone.go +++ b/ipn/ipn_clone.go @@ -158,9 +158,10 @@ func (src *HTTPHandler) Clone() *HTTPHandler { // A compilation failure here means this code must be regenerated, with the command at the top of this file. var _HTTPHandlerCloneNeedsRegeneration = HTTPHandler(struct { - Path string - Proxy string - Text string + Path string + Proxy string + Text string + Redirect string }{}) // Clone makes a deep copy of WebServerConfig. diff --git a/ipn/ipn_view.go b/ipn/ipn_view.go index ff48b9c89..878413174 100644 --- a/ipn/ipn_view.go +++ b/ipn/ipn_view.go @@ -314,15 +314,17 @@ func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error { return nil } -func (v HTTPHandlerView) Path() string { return v.ж.Path } -func (v HTTPHandlerView) Proxy() string { return v.ж.Proxy } -func (v HTTPHandlerView) Text() string { return v.ж.Text } +func (v HTTPHandlerView) Path() string { return v.ж.Path } +func (v HTTPHandlerView) Proxy() string { return v.ж.Proxy } +func (v HTTPHandlerView) Text() string { return v.ж.Text } +func (v HTTPHandlerView) Redirect() string { return v.ж.Redirect } // A compilation failure here means this code must be regenerated, with the command at the top of this file. var _HTTPHandlerViewNeedsRegeneration = HTTPHandler(struct { - Path string - Proxy string - Text string + Path string + Proxy string + Text string + Redirect string }{}) // View returns a readonly view of WebServerConfig. diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go index 9a57776a0..a608b76b5 100644 --- a/ipn/ipnlocal/local.go +++ b/ipn/ipnlocal/local.go @@ -314,9 +314,9 @@ type LocalBackend struct { webClient webClient webClientListeners map[netip.AddrPort]*localListener // listeners for local web client traffic - serveListeners map[netip.AddrPort]*localListener // listeners for local serve traffic - serveProxyHandlers sync.Map // string (HTTPHandler.Proxy) => *reverseProxy - + serveListeners map[netip.AddrPort]*localListener // listeners for local serve traffic + serveProxyHandlers sync.Map // string (HTTPHandler.Proxy) => *reverseProxy + serveRedirectHandlers sync.Map // string (HTTPHandler.Redirect) => http.Handler // statusLock must be held before calling statusChanged.Wait() or // statusChanged.Broadcast(). statusLock sync.Mutex @@ -5614,6 +5614,7 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn. handlePorts = append(handlePorts, servePorts...) b.setServeProxyHandlersLocked() + b.setServeRedirectHandlersLocked() // don't listen on netmap addresses if we're in userspace mode if !b.sys.IsNetstack() { @@ -5677,6 +5678,51 @@ func (b *LocalBackend) setServeProxyHandlersLocked() { }) } +// setServeRedirectHandlersLocked ensures there is an http redirect handler for +// each redirect specified in serveConfig. It expects serveConfig to be valid +// and up-to-date, so should be called after reloadServeConfigLocked. +func (b *LocalBackend) setServeRedirectHandlersLocked() { + if !b.serveConfig.Valid() { + return + } + var redirects map[string]bool + b.serveConfig.RangeOverWebs(func(_ ipn.HostPort, conf ipn.WebServerConfigView) (cont bool) { + conf.Handlers().Range(func(_ string, h ipn.HTTPHandlerView) (cont bool) { + redirect := h.Redirect() + if redirect == "" { + // Only create redirect handlers for servers with a redirect target. + return true + } + + mak.Set(&redirects, redirect, true) + if _, ok := b.serveRedirectHandlers.Load(redirect); ok { + return true + } + + b.logf("serve: creating a new redirect handler for %s", redirect) + rh, err := b.redirectHandlerForRedirect(redirect, 301) + if err != nil { + b.logf("[unexpected] could not create redirect handler for %v: %s", redirect, err) + return true + } + b.serveRedirectHandlers.Store(redirect, rh) + + return true + }) + return true + }) + + // Clean up redirect handlers that are no longer present in configuration. + b.serveRedirectHandlers.Range(func(key, value any) bool { + redirect := key.(string) + if !redirects[redirect] { + b.logf("serve: closing idle connections to %s", redirect) + b.serveRedirectHandlers.Delete(redirect) + } + return true + }) +} + // operatorUserName returns the current pref's OperatorUser's name, or the // empty string if none. func (b *LocalBackend) operatorUserName() string { diff --git a/ipn/ipnlocal/serve.go b/ipn/ipnlocal/serve.go index 67d521f09..ffabdde01 100644 --- a/ipn/ipnlocal/serve.go +++ b/ipn/ipnlocal/serve.go @@ -700,6 +700,21 @@ func (rp *reverseProxy) shouldProxyViaH2C(r *http.Request) bool { return r.ProtoMajor == 2 && strings.HasPrefix(rp.backend, "http://") && isGRPCContentType(contentType) } +// redirectHandlerForRedirect creates a new HTTP redirect handler for a particular url. +// `targetURL` is a HTTPHandler.Redirect string (url). +func (b *LocalBackend) redirectHandlerForRedirect(targetURL string, code int) (http.Handler, error) { + u, err := url.Parse(targetURL) + if err != nil { + return nil, fmt.Errorf("invalid url %s: %w", targetURL, err) + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + u.Path = r.URL.Path + u.RawPath = r.URL.RawPath + http.Redirect(w, r, u.String(), code) + }), nil +} + // isGRPC accepts an HTTP request's content type header value and determines // whether this is gRPC content. grpc-go considers a value that equals // application/grpc or has a prefix of application/grpc+ or application/grpc; a @@ -797,6 +812,15 @@ func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) { h.ServeHTTP(w, r) return } + if v := h.Redirect(); v != "" { + h, ok := b.serveRedirectHandlers.Load(v) + if !ok { + http.Error(w, "unknown redirect destination", http.StatusInternalServerError) + return + } + h.(http.Handler).ServeHTTP(w, r) + return + } http.Error(w, "empty handler", 500) } diff --git a/ipn/ipnlocal/serve_test.go b/ipn/ipnlocal/serve_test.go index e43de1765..e76f2bfd6 100644 --- a/ipn/ipnlocal/serve_test.go +++ b/ipn/ipnlocal/serve_test.go @@ -461,6 +461,63 @@ func TestServeHTTPProxyPath(t *testing.T) { }) } } + +func TestServeHTTPRedirect(t *testing.T) { + b := newTestBackend(t) + tests := []struct { + name string + requestPath string + wantPath string + }{ + { + name: "http / -> https /", + requestPath: "/", + wantPath: "/", + }, + { + name: "http /foo -> https /foo", + requestPath: "/foo", + wantPath: "/foo", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + conf := &ipn.ServeConfig{ + Web: map[ipn.HostPort]*ipn.WebServerConfig{ + "example.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{ + "/": {Redirect: "https://example.ts.net"}, + }}, + "example.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{ + "/": {Text: "foo bar"}, + }}, + }, + } + if err := b.SetServeConfig(conf, ""); err != nil { + t.Fatal(err) + } + req := &http.Request{ + URL: &url.URL{Path: tt.requestPath}, + TLS: &tls.ConnectionState{ServerName: "example.ts.net"}, + } + req = req.WithContext(serveHTTPContextKey.WithValue(req.Context(), + &serveHTTPContext{ + DestPort: 80, + SrcAddr: netip.MustParseAddrPort("1.2.3.4:1234"), // random src + })) + + w := httptest.NewRecorder() + b.serveWebHandler(w, req) + + // Verify what path was requested + p := w.Result().Header.Get("Location") + wantLoc := fmt.Sprintf("https://example.ts.net%s", tt.wantPath) + if p != wantLoc { + t.Errorf("wanted request path %s got %s", wantLoc, p) + } + }) + } +} + func TestServeHTTPProxyHeaders(t *testing.T) { b := newTestBackend(t) diff --git a/ipn/serve.go b/ipn/serve.go index 5c0a97ed3..1fa5b0982 100644 --- a/ipn/serve.go +++ b/ipn/serve.go @@ -136,6 +136,8 @@ type HTTPHandler struct { Text string `json:",omitempty"` // plaintext to serve (primarily for testing) + Redirect string `json:",omitempty"` // redirect requests to this URL + // TODO(bradfitz): bool to not enumerate directories? TTL on mapping for // temporary ones? Error codes? Redirects? } @@ -320,6 +322,43 @@ func (sc *ServeConfig) SetFunnel(host string, port uint16, setOn bool) { } } +// SetRedirectToHTTPS configures a TCPPortHandler and HTTPHandler to redirect all +// traffic from port 80 to HTTPS, using the provided `host` and `port` for the +// redirect URL. If setOn is false, it removes any active redirect handlers on +// port 80. +func (sc *ServeConfig) SetRedirectToHTTPS(host string, port uint16, setOn bool) { + if sc == nil { + sc = new(ServeConfig) + } + + hp := HostPort(net.JoinHostPort(host, "80")) + if setOn { + mak.Set(&sc.TCP, 80, &TCPPortHandler{HTTP: true}) + var url string + if port == 443 { + url = fmt.Sprintf("https://%s", host) + } else { + url = fmt.Sprintf("https://%s:%d", host, port) + } + handler := &HTTPHandler{Redirect: url} + if _, ok := sc.Web[hp]; !ok { + mak.Set(&sc.Web, hp, new(WebServerConfig)) + } + // Overwrite any existing handlers as we're handling all HTTP traffic. + sc.Web[hp].Handlers = map[string]*HTTPHandler{"/": handler} + } else { + // If we're running with HTTP to HTTPS promotion, we need to remove any + // existing Redirect handlers. + if tcph, exists := sc.TCP[80]; exists && tcph.HTTP { + if wh, exists := sc.Web[hp]; exists { + if wh.Handlers["/"].Redirect != "" { + delete(wh.Handlers, "/") + } + } + } + } +} + // RemoveWebHandler deletes the web handlers at all of the given mount points // for the provided host and port in the serve config. If cleanupFunnel is // true, this also removes the funnel value for this port if no handlers remain.