Ensure we don't create Location: header URLs that have leading //, which is a
schema-less reference to arbitrary 3rd-party sites. That is, //example.com/foo
redirects off-site, while /example.com/foo is an on-site path URL.
Fixestailscale/corp#16268
Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
This uses the fact that we've received a frame from a given DERP region
within a certain time as a signal that the region is stil present (and
thus can still be a node's PreferredDERP / home region) even if we don't
get a STUN response from that region during a netcheck.
This should help avoid DERP flaps that occur due to losing STUN probes
while still having a valid and active TCP connection to the DERP server.
RELNOTE=Reduce home DERP flapping when there's still an active connection
Updates #8603
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: If7da6312581e1d434d5c0811697319c621e187a0
Previously, we would select the first WANIPConnection2 (and related)
client from the root device, without any additional checks. However,
some routers expose multiple UPnP devices in various states, and simply
picking the first available one can result in attempting to perform a
portmap with a device that isn't functional.
Instead, mimic what the miniupnpc code does, and prefer devices that are
(a) reporting as Connected, and (b) have a valid external IP address.
For our use-case, we additionally prefer devices that have an external
IP address that's a public address, to increase the likelihood that we
can obtain a direct connection from peers.
Finally, we split out fetching the root device (getUPnPRootDevice) from
selecting the best service within that root device (selectBestService),
and add some extensive tests for various UPnP server behaviours.
RELNOTE=Improve UPnP portmapping when multiple UPnP services exist
Updates #8364
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753
Was previously failing to redirect to the manage client when accessing
the login client with the Tailscale IP.
Updates #10261Fixestailscale/corp#16348
Co-authored-by: Will Norris <will@tailscale.com>
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Add a new "Debug" card at the bottom of the details page. It's maybe
premature to add a separate card for this, since all it currently lists
is whether the device is using TUN mode and (for Synology) the DSM
version. But I think it may be helpful to add client connectivity data
(like shown on admin console machine page) as well as a bug report
button. Those can come soon after the 1.56 launch.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
To be safe, use `prefs.ControlURLOrDefault()` rather than the current
`prefs.ControlURL` directly.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Ensure that if getOrCreateChain creates a new chain, it actually returns the created chain
Updates tailscale/tailscale#10399
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Calculate and set the hash of the one inline script we have in
index.html. That script is unlikely to change, so hardcoding the hash
seems fine for now.
Updates #10261
Updates tailscale/corp#16266
Signed-off-by: Will Norris <will@tailscale.com>
Completed testing of the new UI on the existing platforms that use
it. From testing, QNAP, Unraid, and Home Assistant (in addition to
Synology) all do not play well with using an exit node. For now,
we're disabling this setting from the UI. CLI should be updated to
also disallow selection of an exit node from these platforms.
All platforms still allow for advertising as an exit node.
Co-authored-by: Will Norris <will@tailscale.com>
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
When displaying the login client, we check for connectivity to the
management client by calling it's /ok handler. If that response is
non-200, then there is something wrong with the management client, so
don't render the login button.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
Initial implementation of a `tailscale whois` subcommand
which allows users to observe metadata associated with a
Tailscale IP. It also has a `--json` flag to allow consumption
programmatically.
Updates #4217
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Add visual indication when running as an exit node prior to receiving
admin approval.
Updates https://github.com/tailscale/tailscale/issues/10261
Signed-off-by: Mario Minardi <mario@tailscale.com>
Co-authored-by: Sonia Appasamy <sonia@tailscale.com>
Previously, we were only breaking out of iframes when accessing the
login client over a local IP address (where viewerIdentity is not set).
We need to also handle the case where the user is accessing the login
client over the Tailscale IP, and similarly break out of the iframe when
logging into the management client.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
I seem to recall I needed this for things to work properly with the vite
dev server, but that doesn't seem to be the case anymore? Everything
seems to work fine without it. If we still have issues, we'll need to
look into using a nonce or integrity attribute.
Updates #10261Fixestailscale/corp#16266
Signed-off-by: Will Norris <will@tailscale.com>
Previously were always setting `UseSocketOnly` because we were
comparing `args.socketpath != ""`, but `args.socketpath` flag
always gets filled with `paths.DefaultTailscaledSocket()` when
not provided. Rather than comparing to the empty string, compare
to the default value to determine if `UseSocketOnly` should be
set.
Should fix issue with web client being unreachable for Mac App
Store variant of the mac build.
Updates #16054
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Add an endpoint for logging the device detail click metric to allow for
this metric to be logged without having a valid session which is the
case when in readonly mode.
Updates https://github.com/tailscale/tailscale/issues/10261
Signed-off-by: Mario Minardi <mario@tailscale.com>
Instead of overloading the Version field, add an explicit Track field.
This fixes a bug where passing a track name in `args.Version` would keep
the track name in `updater.Version` and pass it down the code path to
commands like `apt-get install`. Now, `updater.Version` should always be
a version (or empty string).
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Bump alpine base image version used to build tailscale/tailscale
and tailscale/k8s-operator images 3.16 -> 3.18
Updates #cleanup
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
When running on Home Assistant, use the X-Ingress-Path header to set the
URLPrefix that is passed to the frontend.
Also fix handling of errNotUsingTailscale in the auth handler
(previously it falling through to a later case and returning a 500).
Instead, it's just a terminal state with no auth needed.
Also disable SSH on Home Assistant, since it causes problems on startup
and doesn't make much sense anyway for that platform.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
Add confirmation dialogs for disconnecting and stopping advertisement
of a subnet route.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Limit cookies to HTTP requests (not accessible from javascript).
Set SameSite to "Lax", which is similar to "Strict" but allows for
cookies to be included in requests that come from offsite links. This
will be necessary when we link to the web client from the admin console.
Updates #10261Fixestailscale/corp#16265
Signed-off-by: Will Norris <will@tailscale.com>
The client has changed a bit since we introduced the path prefix. It is
now used for two things:
- its original purpose, of ensuring that when the client is run in CGI
mode at arbitrary paths, then relative paths for assets continue to
work
- we also now pass the path to the frontend and use wouter to manage
routes for the various subpages of the client.
When the client is run behind a reverse proxy (as it is in Home
Assistant), it is common for the proxy to rewrite the request so that
the backend application doesn't see the path it's being served at. In
this case, we don't need to call enforcePrefix, since it's already
stripped before it reaches us. However, wouter (or react router
library) still sees the original path in the browser, and needs to know
what part of it is the prefix that needs to be stripped off.
We're handling this by now only calling enforcePrefix when run in CGI
mode. For Home Assistant, or any other platform that runs the client
behind a reverse proxy with a custom path, they will still need to pass
the `-prefix` flag to `tailscale web`, but we will only use it for route
handling in the frontend.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
In Login mode, must first run system auth. But once authorized,
should be able to reach rest of auth logic to check whether the
user can manage the node. This results in showing/hiding the
sign in button in the frontend login toggle.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Calling DebugPacketFilterRules fails when the node is not logged
in, which was causing 500 errors on the node data endpoint after
logging the node out.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Previously, the "RunExitNode" policy merely controlled the visibility of
the "run as exit node" menu item, not the setting itself. This migrates
that setting to a preference option named "AdvertiseExitNode".
Updates ENG-2138
Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
Add logging of device management type for the web client auth flow. Namely,
this differentiates between viewing a node you do not own, viewing a local
tagged node, viewing a remote tagged node, managing a local node, and
managing a remote node.
Updates https://github.com/tailscale/tailscale/issues/10261
Signed-off-by: Mario Minardi <mario@tailscale.com>
`tailscaled` and `tailscale` expect the socket to be at
`/var/run/tailscale/tailscaled.sock`, however containerboot
would set up the socket at `/tmp/tailscaled.sock`. This leads to a
poor UX when users try to use any `tailscale` command as they
have to prefix everything with `--socket /tmp/tailscaled.sock`.
To improve the UX, this adds a symlink to
`/var/run/tailscale/tailscaled.sock` to point to `/tmp/tailscaled.sock`.
This approach has two benefits, 1 users are able to continue to use
existing scripts without this being a breaking change. 2. users are
able to use the `tailscale` CLI without having to add the `--socket` flag.
Fixes tailscale/corp#15902
Fixes#6849Fixes#10027
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Even if connected to the login client over tailscale, still check
platform auth so the browser can obtain the tokens it needs to make
platform requests complete successfully.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
