Some users run "tailscale cert" in a cron job to renew their
certificates on disk. The time until the next cron job run may be long
enough for the old cert to expire with our default heristics.
Add a `--min-validity` flag which ensures that the returned cert is
valid for at least the provided duration (unless it's longer than the
cert lifetime set by Let's Encrypt).
Updates #8725
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Bump node version to latest lts on the 18.x line which is 18.20.4 at the time of writing.
Updates https://github.com/tailscale/corp/issues/21741
Signed-off-by: Mario Minardi <mario@tailscale.com>
Previously, we were registering TCP and UDP connections in the same map,
which could result in erroneously removing a mapping if one of the two
connections completes while the other one is still active.
Add a "proto string" argument to these functions to avoid this.
Additionally, take the "proto" argument in LocalAPI, and plumb that
through from the CLI and add a new LocalClient method.
Updates tailscale/corp#20600
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I35d5efaefdfbf4721e315b8ca123f0c8af9125fb
Add a new TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS env var
that can be set for tailscale/tailscale container running as
a subnet router or exit node to enable UDP GRO forwarding
for improved performance.
See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes
This is currently considered an experimental approach;
the configuration support is partially to allow further experimentation
with containerized environments to evaluate the performance
improvements.
Updates tailscale/tailscale#12295
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This adds a new ListenPacket function on tsnet.Server
which acts mostly like `net.ListenPacket`.
Unlike `Server.Listen`, this requires listening on a
specific IP and does not automatically listen on both
V4 and V6 addresses of the Server when the IP is unspecified.
To test this, it also adds UDP support to tsdial.Dialer.UserDial
and plumbs it through the localapi. Then an associated test
to make sure the UDP functionality works from both sides.
Updates #12182
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This is primarily for GUIs, so they don't need to remember the most
recently used exit node themselves.
This adds some CLI commands, but they're disabled and behind the WIP
envknob, as we need to consider naming (on/off is ambiguous with
running an exit node, etc) as well as automatic exit node selection in
the future. For now the CLI commands are effectively developer debug
things to test the LocalAPI.
Updates tailscale/corp#18724
Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This change switches the api to /drive, rather than the previous /tailfs
as well as updates the log lines to reflect the new value. It also
cleans up some existing tailfs references.
Updates tailscale/corp#16827
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
This change updates all tailfs functions and the majority of the tailfs
variables to use the new drive naming.
Updates tailscale/corp#16827
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
This change updates the tailfs file and package names to their new
naming convention.
Updates #tailscale/corp#16827
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
- Updates API to support renaming TailFS shares.
- Adds a CLI rename subcommand for renaming a share.
- Renames the CLI subcommand 'add' to 'set' to make it clear that
this is an add or update.
- Adds a unit test for TailFS in ipnlocal
Updates tailscale/corp#16827
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Previously, the configuration of which folders to share persisted across
profile changes. Now, it is tied to the user's profile.
Updates tailscale/corp#16827
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Run yarn-deduplicate on yarn.lock to dedupe packages. This is being done
to reduce the number of redundant packages fetched by yarn when existing
versions in the lockfile satisfy the version dependency we need.
See https://github.com/scinos/yarn-deduplicate for details on the tool
used to perform this deduplication.
Updates #cleanup
Signed-off-by: Mario Minardi <mario@tailscale.com>
Starting in Vite 5, Vite now issues a deprecation warning when using
a CJS-based Vite config file. This commit fixes it by adding the
`"type": "module"` to our package.json to opt our files into ESM module
behaviours.
Fixes #cleanup
Signed-off-by: Ross Zurowski <ross@rosszurowski.com>
Update typescript to 5.3.3. This is a major bump from the previous
version of 4.8.3. This also requires adding newer versions of
@typescript-eslint/eslint-plugin and @typescript-eslint/parser to our
resolutions as eslint-config-react-app pulls in versions that otherwise
do not support typescript 5.x.
eslint-config-react-app has not been updated in 2 years and is seemingly
abandoned, so we may wish to fork it or move to a different eslint config
in the future.
Updates https://github.com/tailscale/corp/issues/17810
Signed-off-by: Mario Minardi <mario@tailscale.com>
Starts using peer capabilities to restrict the management client
on a per-view basis. This change also includes a bulky cleanup
of the login-toggle.tsx file, which was getting pretty unwieldy
in its previous form.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This change adds a new apiHandler struct for use from serveAPI
to aid with restricting endpoints to specific peer capabilities.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Instead of modeling remote WebDAV servers as actual
webdav.FS instances, we now just proxy traffic to them.
This not only simplifies the code, but it also allows
WebDAV locking to work correctly by making sure locks are
handled by the servers that need to (i.e. the ones actually
serving the files).
Updates tailscale/corp#16827
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Update vite to 5.1.4, and vitest to 1.3.1 (their latest versions). Also
remove vite-plugin-rewrite-all as this is no longer necessary with vite
5.x and has a dependency on vite 4.x.
Updates https://github.com/tailscale/corp/issues/17715
Signed-off-by: Mario Minardi <mario@tailscale.com>
Update plugin-react-swc to the latest version (3.6.0) ahead of updating vite to 5.x.
Updates https://github.com/tailscale/corp/issues/17715
Signed-off-by: Mario Minardi <mario@tailscale.com>
Update vite-plugin-svgr to the latest version (4.2.0) ahead of updating
vite to 5.x. This is a major version bump from our previous 3.x, and
requires changing the import paths used for SVGs.
Updates https://github.com/tailscale/corp/issues/17715
Signed-off-by: Mario Minardi <mario@tailscale.com>
For user-owned nodes, only the owner is ever allowed to manage the
node.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Add a WebDAV-based folder sharing mechanism that is exposed to local clients at
100.100.100.100:8080 and to remote peers via a new peerapi endpoint at
/v0/tailfs.
Add the ability to manage folder sharing via the new 'share' CLI sub-command.
Updates tailscale/corp#16827
Signed-off-by: Percy Wegmann <percy@tailscale.com>
add the curly-quotes eslint plugin (same that we use for the admin
panel), and fix existing straight quotes in the current web UI.
Updates #cleanup
Signed-off-by: Will Norris <will@tailscale.com>
The new read-only mode is only accessible when running `tailscale web`
by passing a new `-readonly` flag. This new mode is identical to the
existing login mode with two exceptions:
- the management client in tailscaled is not started (though if it is
already running, it is left alone)
- the client does not prompt the user to login or switch to the
management client. Instead, a message is shown instructing the user
to use other means to manage the device.
Updates #10979
Signed-off-by: Will Norris <will@tailscale.com>
The manage client always listens on http (non-secure) port 5252. If the
login client is loaded over https, then the connectivity check to `/ok`
will fail with a mixed-content error. Mixed-content enforcement is a
browser setting that we have no control over, so there's no way around
this.
In this case of the login client being loaded over https, we skip the
connectivity check entirely. We will always render the sign-in button,
though we don't know for sure if the user has connectivity, so we
provide some additional help text in case they have trouble signing in.
Updates hassio-addons/addon-tailscale#314
Signed-off-by: Will Norris <will@tailscale.com>
Sets up peer capability types for future use within the web client
views and APIs.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This is simply an extra check to prevent hypothetical issues if a prefix
such as `--prefix="javascript:alert(1)"` was provided. This isn't
really necessary since the prefix is a configuration flag provided by
the device owner, not user input. But it does enforce that we are
always interpreting the provided value as a path relative to the root.
Fixes: tailscale/corp#16268
Signed-off-by: Will Norris <will@tailscale.com>
For consistency w/ the CLI command. And to be more accurate to what
is actually happening on this action - node key is expired.
Also updates the disconnected view shown after logout.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This type seems to be a migration shim for TCP tailscaled sockets
(instead of unix/windows pipes). The `port` field was never set, so it
was effectively used as a string (`path` field).
Remove the whole type and simplify call sites to pass the socket path
directly to `safesocket.Connect`.
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Throughout the web UI, we present the tailscale addresses for the
self node. In the case of the node being shared out with a user
from another tailnet, the peer viewer may actually know the node
by a different IP than the node knows itself as (Tailscale IPs
can be configured as desired on a tailnet level). This change
includes two fixes:
1. Present the self node's addresses in the frontend as the addresses
the viewing node knows it as (i.e. the addresses the viewing node
uses to access the web client).
2. We currently redirect the viewer to the Tailscale IPv4 address if
viewing it by MagicDNS name, or any other name that maps to the
Tailscale node. When doing this redirect, which is primarily added
for DNS rebinding protection, we now check the address the peer
knows this node as, and redirect to specifically that IP.
Fixestailscale/corp#16402
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Ensure we don't create Location: header URLs that have leading //, which is a
schema-less reference to arbitrary 3rd-party sites. That is, //example.com/foo
redirects off-site, while /example.com/foo is an on-site path URL.
Fixestailscale/corp#16268
Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Was previously failing to redirect to the manage client when accessing
the login client with the Tailscale IP.
Updates #10261Fixestailscale/corp#16348
Co-authored-by: Will Norris <will@tailscale.com>
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>