control/controlhttp: allow client and server to communicate over WebSockets

We can't do Noise-over-HTTP in Wasm/JS (because we don't have bidirectional communication), but we should be able to do it over WebSockets. Reuses derp WebSocket support that allows us to turn a WebSocket connection into a net.Conn. Updates #3157 Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2025-10-24 01:31:55 +00:00 · 2022-06-02 16:20:42 -07:00
parent 80157f3f37
commit a9f32656f5
10 changed files with 132 additions and 30 deletions
--- a/control/controlhttp/server.go
+++ b/control/controlhttp/server.go
@@ -11,8 +11,10 @@ import (
 	"fmt"
 	"net/http"

+	"nhooyr.io/websocket"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/netutil"
+	"tailscale.com/net/wsconn"
 	"tailscale.com/types/key"
 )

@@ -27,6 +29,9 @@ func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, pri
 		http.Error(w, "missing next protocol", http.StatusBadRequest)
 		return nil, errors.New("no next protocol in HTTP request")
 	}
+	if next == "websocket" {
+		return acceptWebsocket(ctx, w, r, private)
+	}
 	if next != upgradeHeaderValue {
 		http.Error(w, "unknown next protocol", http.StatusBadRequest)
 		return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
@@ -71,3 +76,42 @@ func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, pri

 	return nc, nil
 }
+
+// acceptWebsocket upgrades a WebSocket connection (from a client that cannot
+// speak HTTP) to a Tailscale control protocol base transport connection.
+func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
+	c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
+		Subprotocols:   []string{upgradeHeaderValue},
+		OriginPatterns: []string{"*"},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("Could not accept WebSocket connection %v", err)
+	}
+	if c.Subprotocol() != upgradeHeaderValue {
+		c.Close(websocket.StatusPolicyViolation, "client must speak the control subprotocol")
+		return nil, fmt.Errorf("Unexpected subprotocol %q", c.Subprotocol())
+	}
+	if err := r.ParseForm(); err != nil {
+		c.Close(websocket.StatusPolicyViolation, "Could not parse parameters")
+		return nil, fmt.Errorf("parse query parameters: %v", err)
+	}
+	initB64 := r.Form.Get(handshakeHeaderName)
+	if initB64 == "" {
+		c.Close(websocket.StatusPolicyViolation, "missing Tailscale handshake parameter")
+		return nil, errors.New("no tailscale handshake parameter in HTTP request")
+	}
+	init, err := base64.StdEncoding.DecodeString(initB64)
+	if err != nil {
+		c.Close(websocket.StatusPolicyViolation, "invalid tailscale handshake parameter")
+		return nil, fmt.Errorf("decoding base64 handshake parameter: %v", err)
+	}
+
+	conn := wsconn.New(c)
+	nc, err := controlbase.Server(ctx, conn, private, init)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("noise handshake failed: %w", err)
+	}
+
+	return nc, nil
+}