tailscale

Commit Graph

Author	SHA1	Message	Date
Rhea Ghosh	043a34500d	VERSION.txt: this is v1.38.4 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	1 year ago
shayne	214217dd10	cmd/tailscale/cli: [serve] add support for proxy paths (#7800 ) (cherry picked from commit `81fd00a6b7`)	1 year ago
Maisem Ali	00205f0ab6	ssh/tailssh: handle output matching better in tests (#7799 )	1 year ago
shayne	61f36aa1cd	cmd/tailscale/cli: do not allow turning Funnel on while shields-up (#7770 )	1 year ago
Mihai Parparita	296d6820b5	cmd/tailscale/cli: fix inconsistency between serve text and example command Use the same local port number in both, and be more precise about what is being forwarded Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
shayne	383b7c747a	cmd/tailscale/cli: make serve and funnel visible in list (#7737 )	1 year ago
David Anderson	c3301abc5e	go.toolchain.rev: update for go 1.20.3 Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `45138fcfba`)	1 year ago
Maisem Ali	49e305f862	ssh/tailssh: fix race in errors returned when starting recorder There were two code paths that could fail depending on how fast the recorder responses. This fixes that by returning the correct error from both paths. Fixes #7707 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `e04acabfde`)	1 year ago
Maisem Ali	71a5f2a989	ssh/tailssh: add tests for recording failure Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `5ba57e4661`)	1 year ago
Maisem Ali	1b1ac05d95	ssh/tailssh: add session recording test for non-pty sessions Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `09d0b632d4`)	1 year ago
Maisem Ali	e6b81f983e	ssh/tailssh: handle session recording when running in userspace mode Previously it would dial out using the http.DefaultClient, however that doesn't work when tailscaled is running in userspace mode (e.g. when testing). Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `583e86b7df`)	1 year ago
Maisem Ali	8414c591e5	ssh/tailssh: enable recording of non-pty sessions Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `8a246487c2`)	1 year ago
Maisem Ali	0651c1a069	ssh/tailssh: add docs to CastHeader fields Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `8765568373`)	1 year ago
Maisem Ali	2474bd2754	ssh/tailssh: use background context for uploading recordings Otherwise we see errors like ``` ssh-session(sess-20230322T005655-5562985593): recording: error sending recording to <addr>:80: Post "http://<addr>:80/record": context canceled ``` The ss.ctx is closed when the session closes, but we don't want to break the upload at that time. Instead we want to wait for the session to close the writer when it finishes, which it is already doing. Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `c350cd1f06`)	1 year ago
Maisem Ali	40091d0261	ssh/tailssh: allow recorders to be configured on the first or final action Currently we only send down recorders in first action, allow the final action to replace them but not to drop them. Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `d92047cc30`)	1 year ago
Maisem Ali	d216363bc5	ssh/tailssh: add more metadata to recording header Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `7a97e64ef0`)	1 year ago
Maisem Ali	dbbc465bfd	ssh/tailssh: stream SSH recordings to configured recorders Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `916aa782af`)	1 year ago
Charlotte Brandhorst-Satzkorn	598b24d85c	tailcfg: move recorders field from SSHRule to SSHAction Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> (cherry picked from commit `1b78dc1f33`)	1 year ago
Charlotte Brandhorst-Satzkorn	17c6d5c7c5	tailcfg: add recorders field to SSHRule struct This change introduces the Recorders field to the SSHRule struct. The field is used to store and define addresses where the ssh recorder is located. Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> (cherry picked from commit `3efd83555f`)	1 year ago
Shayne Sweeney	47ebe6f956	VERSION.txt: this is v1.38.3 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	c750186830	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	d7bbd4fe03	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	ac0c0b081d	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Maisem Ali	068ed7dbfa	ipn/ipnlocal: use atomicfile.WriteFile in certFileStore Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `9e81db50f6`)	1 year ago
Maisem Ali	26bf7c4dbe	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `8a11f76a0d`)	1 year ago
Maisem Ali	d47b74e461	ipn/ipnlocal: also store ACME keys in the certStore We were not storing the ACME keys in the state store, they would always be stored on disk. Updates #7588 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `ec90522a53`)	1 year ago
Denton Gentry	3db61d07ca	VERSION.txt: this is v1.38.2 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Mihai Parparita	817aa282c2	net/sockstats: export cellular-only clientmetrics Followup to #7518 to also export client metrics when the active interface is cellular. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com> (cherry picked from commit `d2dec13392`)	1 year ago
Andrew Dunham	d00c046b72	ssh/tailssh: fix privilege dropping on FreeBSD; add tests On FreeBSD and Darwin, changing a process's supplementary groups with setgroups(2) will also change the egid of the process, setting it to the first entry in the provided list. This is distinct from the behaviour on other platforms (and possibly a violation of the POSIX standard). Because of this, on FreeBSD with no TTY, our incubator code would previously not change the process's gid, because it would read the newly-changed egid, compare it against the expected egid, and since they matched, not change the gid. Because we didn't use the 'login' program on FreeBSD without a TTY, this would propagate to a child process. This could be observed by running "id -p" in two contexts. The expected output, and the output returned when running from a SSH shell, is: andrew@freebsd:~ $ id -p uid andrew groups andrew However, when run via "ssh andrew@freebsd id -p", the output would be: $ ssh andrew@freebsd id -p login root uid andrew rgid wheel groups andrew (this could also be observed via "id -g -r" to print just the gid) We fix this by pulling the details of privilege dropping out into their own function and prepending the expected gid to the start of the list on Darwin and FreeBSD. Finally, we add some tests that run a child process, drop privileges, and assert that the final UID/GID/additional groups are what we expect. More information can be found in the following article: https://www.usenix.org/system/files/login/articles/325-tsafrir.pdf Updates #7616 Alternative to #7609 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0e6513c31b121108b50fe561c89e5816d84a45b9 (cherry picked from commit `ccace1f7df`)	1 year ago
Tom DNetto	aad01c81b1	cmd/tailscale/cli: move tskey-wrap functionality under lock sign Signed-off-by: Tom DNetto <tom@tailscale.com> (cherry picked from commit `60cd4ac08d`)	1 year ago
Denton Gentry	fd558e2e68	net/interfaces: also allow link-local for AzureAppServices. In May 2021, Azure App Services used 172.16.x.x addresses: ``` 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 02:42:ac:10:01:03 brd ff:ff:ff:ff:ff:ff inet 172.16.1.3/24 brd 172.16.1.255 scope global eth0 valid_lft forever preferred_lft forever ``` Now it uses link-local: ``` 2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 8a:30:1f:50:1d:23 brd ff:ff:ff:ff:ff:ff inet 169.254.129.3/24 brd 169.254.129.255 scope global eth0 valid_lft forever preferred_lft forever ``` This is reasonable for them to choose to do, it just broke the handling in net/interfaces. This PR proposes to: 1. Always allow link-local in LocalAddresses() if we have no better address available. 2. Continue to make isUsableV4() conditional on an environment we know requires it. I don't love the idea of having to discover these environments one by one, but I don't understand the consequences of making isUsableV4() return true unconditionally. It makes isUsableV4() essentially always return true and perform no function. Fixes https://github.com/tailscale/tailscale/issues/7603 Signed-off-by: Denton Gentry <dgentry@tailscale.com> (cherry picked from commit `ebc630c6c0`)	1 year ago
Denton Gentry	3eeff9e7f7	VERSION.txt: this is v1.38.1 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
David Anderson	6c0e6a5f4e	version/mkversion: don't break on tagged go.mod entries I thought our versioning scheme would make go.mod include a commit hash even on stable builds. I was wrong. Fortunately, the rest of this code wants anything that 'git rev-parse' understands (to convert it into a full git hash), and tags qualify. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `9ebab961c9`)	1 year ago
Denton Gentry	10d462d321	VERSION.txt: this is v1.38.0 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
License Updater	51b0169b10	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
Maisem Ali	b4d3e2928b	tsnet: avoid deadlock on close tsnet.Server.Close was calling listener.Close with the server mutex held, but the listener close method tries to grab that mutex, resulting in a deadlock. Co-authored-by: David Crawshaw <crawshaw@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
shayne	2b892ad6e7	cmd/tailscale/cli: [serve] rework commands based on feedback (#6521 ) ``` $ tailscale serve https:<port> <mount-point> <source> [off] $ tailscale serve tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve status [--json] $ tailscale funnel <serve-port> {on\|off} $ tailscale funnel status [--json] ``` Fixes: #6674 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Will Norris	6ef2105a8e	log/sockstatlog: only start once; don't copy ticker Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Maisem Ali	8c4adde083	log/sockstatlog: also shutdown the poll goroutine Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	c87782ba9d	cmd/k8s-operator: drop trailing dot in tagged node name Also update tailcfg docs. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	09e0ccf4c2	ipn: add c2n endpoint for sockstats logs Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	a1d9f65354	ipn,log: add logger for sockstat deltas Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Melanie Warrick <warrick@tailscale.com>	1 year ago
Maisem Ali	5e8a80b845	all: replace /kb/ links with /s/ equivalents Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	558735bc63	cmd/k8s-operator: require HTTPS to be enabled for AuthProxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	489e27f085	cmd/k8s-operator: make auth proxy pass tags as Impersonate-Group We were not handling tags at all, pass them through as Impersonate-Group headers. And use the FQDN for tagged nodes as Impersonate-User. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	56526ff57f	tailcfg: bump capver for 1.38 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	09aed46d44	cmd/tailscale/cli: update docs and unhide configure Also call out Alpha. Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	223713d4a1	tailcfg,all: add and use Node.IsTagged() Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	83fa17d26c	various: pass logger.Logf through to more places Updates #7537 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id89acab70ea678c8c7ff0f44792d54c7223337c6	1 year ago
Maisem Ali	958c89470b	tsnet: add CertDomains helper (#7533 ) Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago

1 2 3 4 5 ...

5497 Commits (043a34500dd2bb07c34e3b28a56cdbc8b5434454) All Branches Search

5497 Commits (043a34500dd2bb07c34e3b28a56cdbc8b5434454)

All Branches