control/controlclient: disable https on for http://localhost:$port URLs

Previously we required the program to be running in a test or have
TS_CONTROL_IS_PLAINTEXT_HTTP before we disabled its https fallback
on "http" schema control URLs to localhost with ports.

But nobody accidentally does all three of "http", explicit port
number, localhost and doesn't mean it. And when they mean it, they're
testing a localhost dev control server (like I was) and don't want 443
getting involved.

As of the changes for #13597, this became more annoying in that we
were trying to use a port which wasn't even available.

Updates #13597

Change-Id: Icd00bca56043d2da58ab31de7aa05a3b269c490f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/14113/head
Brad Fitzpatrick 1 week ago committed by Brad Fitzpatrick
parent e73cfd9700
commit 8fd471ce57

@ -17,7 +17,6 @@ import (
"golang.org/x/net/http2" "golang.org/x/net/http2"
"tailscale.com/control/controlhttp" "tailscale.com/control/controlhttp"
"tailscale.com/envknob"
"tailscale.com/health" "tailscale.com/health"
"tailscale.com/internal/noiseconn" "tailscale.com/internal/noiseconn"
"tailscale.com/net/dnscache" "tailscale.com/net/dnscache"
@ -30,7 +29,6 @@ import (
"tailscale.com/util/mak" "tailscale.com/util/mak"
"tailscale.com/util/multierr" "tailscale.com/util/multierr"
"tailscale.com/util/singleflight" "tailscale.com/util/singleflight"
"tailscale.com/util/testenv"
) )
// NoiseClient provides a http.Client to connect to tailcontrol over // NoiseClient provides a http.Client to connect to tailcontrol over
@ -107,11 +105,6 @@ type NoiseOpts struct {
DialPlan func() *tailcfg.ControlDialPlan DialPlan func() *tailcfg.ControlDialPlan
} }
// controlIsPlaintext is whether we should assume that the controlplane is only accessible
// over plaintext HTTP (as the first hop, before the ts2021 encryption begins).
// This is used by some tests which don't have a real TLS certificate.
var controlIsPlaintext = envknob.RegisterBool("TS_CONTROL_IS_PLAINTEXT_HTTP")
// NewNoiseClient returns a new noiseClient for the provided server and machine key. // NewNoiseClient returns a new noiseClient for the provided server and machine key.
// serverURL is of the form https://<host>:<port> (no trailing slash). // serverURL is of the form https://<host>:<port> (no trailing slash).
// //
@ -129,7 +122,7 @@ func NewNoiseClient(opts NoiseOpts) (*NoiseClient, error) {
if u.Scheme == "http" { if u.Scheme == "http" {
httpPort = port httpPort = port
httpsPort = "443" httpsPort = "443"
if (testenv.InTest() || controlIsPlaintext()) && (u.Hostname() == "127.0.0.1" || u.Hostname() == "localhost") { if u.Hostname() == "127.0.0.1" || u.Hostname() == "localhost" {
httpsPort = "" httpsPort = ""
} }
} else { } else {

Loading…
Cancel
Save