tailscale/derp
Tom DNetto c8f4dfc8c0 derp/derphttp,net/netcheck: improve netcheck behavior under MITM proxies
In cases where tailscale is operating behind a MITM proxy, we need to consider
that a lot more of the internals of our HTTP requests are visible and may be
used as part of authorization checks. As such, we need to 'behave' as closely
as possible to ideal.

 - Some proxies do authorization or consistency checks based on the Host header
   or HTTP URI, instead of just the IP/hostname/SNI. As such, we need to
   construct a `*http.Request` with a valid URI every time HTTP is going to be
   used on the wire, even if it's over TLS.
   Aside from the singular instance in net/netcheck, I couldn't find anywhere
   else an http.Request was constructed incorrectly.

 - Some proxies may deny requests, typically by returning a 403 status code. We
   should not consider these requests as a valid latency check, so netcheck
   semantics have been updated to consider >299 status codes as a failed probe.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-04-19 12:47:57 -07:00
derphttp derp/derphttp,net/netcheck: improve netcheck behavior under MITM proxies 2022-04-19 12:47:57 -07:00
testdata derp: add debug traffic handler 2021-06-18 15:47:55 -07:00
wsconn cmd/derper, derp/derphttp: add websocket support 2021-10-22 12:51:30 -07:00
derp_client.go derp: add Client.LocalAddr method 2021-12-28 15:13:53 -08:00
derp_server.go derp: add (*Server).IsClientConnectedForTest func. (#4331) 2022-03-30 10:50:50 -07:00
derp_test.go derp: set Basic Constraints on metacert 2022-03-17 15:38:21 -07:00
derp.go derp: add new health update and server restarting frame types 2021-08-31 13:31:51 -07:00
dropreason_string.go derp: accept dup clients without closing prior's connection 2021-08-31 08:21:21 -07:00