tailscale

Commit Graph

Author	SHA1	Message	Date
James Tucker	3a635db06e	cmd/connector-gen: add helper tool for wide app connector configurations connector-gen can initially generate connector ACL snippets and advertise-routes flags for Github and AWS based on their public IP / domain data. Updates ENG-2425 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
James Tucker	706e30d49e	disco: correct noun for nacl box type in disco docs Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Sonia Appasamy	c6a274611e	client/web: use Tailscale IP known by peer node Throughout the web UI, we present the tailscale addresses for the self node. In the case of the node being shared out with a user from another tailnet, the peer viewer may actually know the node by a different IP than the node knows itself as (Tailscale IPs can be configured as desired on a tailnet level). This change includes two fixes: 1. Present the self node's addresses in the frontend as the addresses the viewing node knows it as (i.e. the addresses the viewing node uses to access the web client). 2. We currently redirect the viewer to the Tailscale IPv4 address if viewing it by MagicDNS name, or any other name that maps to the Tailscale node. When doing this redirect, which is primarily added for DNS rebinding protection, we now check the address the peer knows this node as, and redirect to specifically that IP. Fixes tailscale/corp#16402 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Jordan Whited	685b853763	wgengine/magicsock: fix handling of derp.PeerGoneMessage (#10589 ) The switch in Conn.runDerpReader() on the derp.ReceivedMessage type contained cases other than derp.ReceivedPacket that fell through to writing to c.derpRecvCh, which should only be reached for derp.ReceivedPacket. This can result in the last/previous derp.ReceivedPacket to be re-handled, effectively creating a duplicate packet. If the last derp.ReceivedPacket happens to be a disco.CallMeMaybe it may result in a disco ping scan towards the originating peer on the endpoints contained. The change in this commit moves the channel write on c.derpRecvCh and subsequent select awaiting the result into the derp.ReceivedMessage case, preventing it from being reached from any other case. Explicit continue statements are also added to non-derp.ReceivedPacket cases where they were missing, in order to signal intent to the reader. Fixes #10586 Signed-off-by: Jordan Whited <jordan@tailscale.com>	6 months ago
Andrew Dunham	3ae562366b	ipn/ipnlocal: fix usage of slices.Compact Fixes #10595 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4e96e9c43b8dedb5f88b03368c01b0e46723e15b	6 months ago
Irbe Krumina	1a08ea5990	cmd/k8s-operator: operator can create subnetrouter (#9505 ) * k8s-operator,cmd/k8s-operator,Makefile,scripts,.github/workflows: add Connector kube CRD. Connector CRD allows users to configure the Tailscale Kubernetes operator to deploy a subnet router to expose cluster CIDRs or other CIDRs available from within the cluster to their tailnet. Also adds various CRD related machinery to generate CRD YAML, deep copy implementations etc. Engineers will now have to run 'make kube-generate-all` after changing kube files to ensure that all generated files are up to date. * cmd/k8s-operator,k8s-operator: reconcile Connector resources Reconcile Connector resources, create/delete subnetrouter resources in response to changes to Connector(s). Connector reconciler will not be started unless ENABLE_CONNECTOR env var is set to true. This means that users who don't want to use the alpha Connector custom resource don't have to install the Connector CRD to their cluster. For users who do want to use it the flow is: - install the CRD - install the operator (via Helm chart or using static manifests). For Helm users set .values.enableConnector to true, for static manifest users, set ENABLE_CONNECTOR to true in the static manifest. Updates tailscale/tailscale#502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Chris Palmer	b62a3fc895	client/web: keep redirects on-site (#10525 ) Ensure we don't create Location: header URLs that have leading //, which is a schema-less reference to arbitrary 3rd-party sites. That is, //example.com/foo redirects off-site, while /example.com/foo is an on-site path URL. Fixes tailscale/corp#16268 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	6 months ago
Andrew Dunham	727acf96a6	net/netcheck: use DERP frames as a signal for home region liveness This uses the fact that we've received a frame from a given DERP region within a certain time as a signal that the region is stil present (and thus can still be a node's PreferredDERP / home region) even if we don't get a STUN response from that region during a netcheck. This should help avoid DERP flaps that occur due to losing STUN probes while still having a valid and active TCP connection to the DERP server. RELNOTE=Reduce home DERP flapping when there's still an active connection Updates #8603 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: If7da6312581e1d434d5c0811697319c621e187a0	6 months ago
Andrew Dunham	bac4890467	net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some routers expose multiple UPnP devices in various states, and simply picking the first available one can result in attempting to perform a portmap with a device that isn't functional. Instead, mimic what the miniupnpc code does, and prefer devices that are (a) reporting as Connected, and (b) have a valid external IP address. For our use-case, we additionally prefer devices that have an external IP address that's a public address, to increase the likelihood that we can obtain a direct connection from peers. Finally, we split out fetching the root device (getUPnPRootDevice) from selecting the best service within that root device (selectBestService), and add some extensive tests for various UPnP server behaviours. RELNOTE=Improve UPnP portmapping when multiple UPnP services exist Updates #8364 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I71795cd80be6214dfcef0fe83115a5e3fe4b8753	6 months ago
Sonia Appasamy	971fa8dc56	VERSION.txt: this is v1.57.0 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Flakes Updater	e00141ccbe	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	6 months ago
OSS Updater	e78cb9aeb3	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	6 months ago
Sonia Appasamy	4fb679d9cd	client/web: fix redirect logic when accessing login client over TS IP Was previously failing to redirect to the manage client when accessing the login client with the Tailscale IP. Updates #10261 Fixes tailscale/corp#16348 Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Anton Tolchanov	869b34ddeb	prober: log HTTP response body on failure Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Andrea Barisani	affe11c503	net/netcheck: only run HTTP netcheck for tamago clients Signed-off-by: Andrea Barisani <andrea@inversepath.com>	6 months ago
Flakes Updater	3ba5fd4baa	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	6 months ago
OSS Updater	be19262cc5	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	7370f3e3a7	words: some stellar additions Don't get too starry-eyed reviewing these. Updates tailscale/corp#14698 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Sonia Appasamy	77f5d669fa	client/web: fix key expiry text when expiry disabled Displays "No expiry" when disabled. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Sonia Appasamy	06af3e3014	client/web: only add cache header for assets Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Flakes Updater	808f19bf01	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	6 months ago
OSS Updater	afe138f18d	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	6 months ago
Sonia Appasamy	dd0279a6c9	client/web: fix ts connection check Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Flakes Updater	8c2fcef453	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	6 months ago
Sonia Appasamy	343f4e4f26	client/web: refresh auth after syno login Makes sure we refresh auth state after synology auth has run. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	1b7d289fad	client/web: add debug card to details page Add a new "Debug" card at the bottom of the details page. It's maybe premature to add a separate card for this, since all it currently lists is whether the device is using TUN mode and (for Synology) the DSM version. But I think it may be helpful to add client connectivity data (like shown on admin console machine page) as well as a bug report button. Those can come soon after the 1.56 launch. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
OSS Updater	552b1ad094	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	6 months ago
Sonia Appasamy	1aee6e901d	client/web: use prefs.ControlURLOrDefault from controlSupportsCheckMode To be safe, use `prefs.ControlURLOrDefault()` rather than the current `prefs.ControlURL` directly. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Irbe Krumina	0cdc8e20d6	util/linuxfw: return created chain (#10563 ) Ensure that if getOrCreateChain creates a new chain, it actually returns the created chain Updates tailscale/tailscale#10399 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Will Norris	d2fbdb005d	client/web: use CSP hash for inline javascript Calculate and set the hash of the one inline script we have in index.html. That script is unlikely to change, so hardcoding the hash seems fine for now. Updates #10261 Updates tailscale/corp#16266 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Sonia Appasamy	bc9b9e8f69	client/web: restrict using an exit node on a couple more platforms Completed testing of the new UI on the existing platforms that use it. From testing, QNAP, Unraid, and Home Assistant (in addition to Synology) all do not play well with using an exit node. For now, we're disabling this setting from the UI. CLI should be updated to also disallow selection of an exit node from these platforms. All platforms still allow for advertising as an exit node. Co-authored-by: Will Norris <will@tailscale.com> Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	fc69301fd1	client/web: don't show login button if /ok errors When displaying the login client, we check for connectivity to the management client by calling it's /ok handler. If that response is non-200, then there is something wrong with the management client, so don't render the login button. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Maisem Ali	3aa6468c63	cmd/tailscale/cli: add whois subcommand Initial implementation of a `tailscale whois` subcommand which allows users to observe metadata associated with a Tailscale IP. It also has a `--json` flag to allow consumption programmatically. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	6 months ago
Maisem Ali	fb632036e3	cmd/k8s-operator: drop https:// in capName Add the new format but keep respecting the old one. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	6 months ago
Mario Minardi	4e012794fc	client/web: add metric logging when viewing local / remote node (#10555 ) Add metric logging for the case where a user is viewing a local or remote node. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	6 months ago
Mario Minardi	763b9daa84	client/web: add visual indication for exit node pending approval (#10532 ) Add visual indication when running as an exit node prior to receiving admin approval. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com> Co-authored-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	e9f203d747	client/web: open new window if iframed Previously, we were only breaking out of iframes when accessing the login client over a local IP address (where viewerIdentity is not set). We need to also handle the case where the user is accessing the login client over the Tailscale IP, and similarly break out of the iframe when logging into the management client. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
OSS Updater	501478dcdc	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	6 months ago
Will Norris	970dc2a976	client/web: remove 'unsafe-inline' from CSP I seem to recall I needed this for things to work properly with the vite dev server, but that doesn't seem to be the case anymore? Everything seems to work fine without it. If we still have issues, we'll need to look into using a nonce or integrity attribute. Updates #10261 Fixes tailscale/corp#16266 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Sonia Appasamy	c2fe123232	cmd/tailscaled: update ConfigureWebClient's UseSocketOnly value Previously were always setting `UseSocketOnly` because we were comparing `args.socketpath != ""`, but `args.socketpath` flag always gets filled with `paths.DefaultTailscaledSocket()` when not provided. Rather than comparing to the empty string, compare to the default value to determine if `UseSocketOnly` should be set. Should fix issue with web client being unreachable for Mac App Store variant of the mac build. Updates #16054 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Mario Minardi	109929d110	client/web: add endpoint for logging device detail click metric (#10505 ) Add an endpoint for logging the device detail click metric to allow for this metric to be logged without having a valid session which is the case when in readonly mode. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	6 months ago
Andrew Lytvynov	d8493d4bd5	clientupdate: add explicit Track to Arguments (#10548 ) Instead of overloading the Version field, add an explicit Track field. This fixes a bug where passing a track name in `args.Version` would keep the track name in `updater.Version` and pass it down the code path to commands like `apt-get install`. Now, `updater.Version` should always be a version (or empty string). Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Irbe Krumina	1b1b6bb634	ALPINE.txt,Dockerfile{.base},build_docker.sh: bump alpine (#10543 ) Bump alpine base image version used to build tailscale/tailscale and tailscale/k8s-operator images 3.16 -> 3.18 Updates #cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
License Updater	bac0df6949	licenses: update android licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	6 months ago
Will Norris	5a2e6a6f7d	client/web: use Home Assistant's X-Ingress-Path header When running on Home Assistant, use the X-Ingress-Path header to set the URLPrefix that is passed to the frontend. Also fix handling of errNotUsingTailscale in the auth handler (previously it falling through to a later case and returning a 500). Instead, it's just a terminal state with no auth needed. Also disable SSH on Home Assistant, since it causes problems on startup and doesn't make much sense anyway for that platform. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Sonia Appasamy	a4c7b0574a	client/web: add confirmation dialogs Add confirmation dialogs for disconnecting and stopping advertisement of a subnet route. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	69b56462fc	client/web: check content-type on PATCH requests Updates #10261 Fixes tailscale/corp#16267 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Will Norris	c615fe2296	client/web: add security attributes on session cookie Limit cookies to HTTP requests (not accessible from javascript). Set SameSite to "Lax", which is similar to "Strict" but allows for cookies to be included in requests that come from offsite links. This will be necessary when we link to the web client from the admin console. Updates #10261 Fixes tailscale/corp#16265 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Sonia Appasamy	261b6f1e9f	client/web: limit updates ui to unstable builds The updates view still needs a final design pass, limit to unstable track for now. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	33de922d57	client/web: only enforce path prefix in CGI mode The client has changed a bit since we introduced the path prefix. It is now used for two things: - its original purpose, of ensuring that when the client is run in CGI mode at arbitrary paths, then relative paths for assets continue to work - we also now pass the path to the frontend and use wouter to manage routes for the various subpages of the client. When the client is run behind a reverse proxy (as it is in Home Assistant), it is common for the proxy to rewrite the request so that the backend application doesn't see the path it's being served at. In this case, we don't need to call enforcePrefix, since it's already stripped before it reaches us. However, wouter (or react router library) still sees the original path in the browser, and needs to know what part of it is the prefix that needs to be stripped off. We're handling this by now only calling enforcePrefix when run in CGI mode. For Home Assistant, or any other platform that runs the client behind a reverse proxy with a custom path, they will still need to pass the `-prefix` flag to `tailscale web`, but we will only use it for route handling in the frontend. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago

1 2 3 4 5 ...

6962 Commits (3a635db06e61b2614f748b5d9fb90c770456d98b) All Branches Search

6962 Commits (3a635db06e61b2614f748b5d9fb90c770456d98b)

All Branches