From 2990c2b1cf1df797365c5a1ba038bc15de2f70c0 Mon Sep 17 00:00:00 2001
From: Mihai Parparita
Date: Wed, 8 Jun 2022 14:56:52 -0700
Subject: [PATCH] control/controlhttp: use secure WebSockets protocol by default

Forcing the insecure protocol (and perserving the port number) is only desired for localhost testing, in prod we need to use wss:// to avoid mixed-content errors.

Signed-off-by: Mihai Parparita
---
 control/controlhttp/client_js.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/control/controlhttp/client_js.go b/control/controlhttp/client_js.go
index b59980d83..55cee81de 100644
--- a/control/controlhttp/client_js.go
+++ b/control/controlhttp/client_js.go
@@ -16,7 +16,7 @@ import (
 "tailscale.com/types/key"
 )
 
-// Variant of Dial that tunnels the request over WebScokets, since we cannot do
+// Variant of Dial that tunnels the request over WebSockets, since we cannot do
 // bi-directional communication over an HTTP connection when in JS.
 func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
 init, cont, err := controlbase.ClientDeferred(machineKey, controlKey, protocolVersion)
@@ -24,13 +24,19 @@ func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, contr
 return nil, err
 }
 
- host, addr, err := net.SplitHostPort(addr)
+ host, _, err := net.SplitHostPort(addr)
 if err != nil {
 return nil, err
 }
+ wsScheme := "wss"
+ wsHost := host
+ if host == "localhost" {
+ wsScheme = "ws"
+ wsHost = addr
+ }
 wsURL := &url.URL{
- Scheme: "ws",
- Host: net.JoinHostPort(host, addr),
+ Scheme: wsScheme,
+ Host: wsHost,
 Path: serverUpgradePath,
 // Can't set HTTP headers on the websocket request, so we have to to send
 // the handshake via an HTTP header.
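Review bot: The new `wsScheme`/`wsHost` block in the second hunk decides whether the control connection's WebSocket runs without TLS, yet nothing in the code says why; the reasoning (cleartext and the caller's port are for localhost testing only) lives solely in the commit message. I would put it next to the branch, e.g. `// ws:// and the caller-supplied port are kept only for localhost testing; every other host uses wss:// on the default port.` The test is an exact string compare, so `127.0.0.1`, `[::1]` or a differently-cased name fall through to `wss`, which fails closed; worth saying in the comment if that is intended. Because `host, _, err := net.SplitHostPort(addr)` discards the port on the `wss` path, a control server listening on a non-default HTTPS port would presumably be dialed on the default port instead, so please confirm that setup is out of scope. Dial's body starts in the first hunk and continues past the end of this one.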