tailscale

Commit Graph

Author	SHA1	Message	Date
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Brad Fitzpatrick	b9611461e5	ipn/ipnlocal: q-encode (RFC 2047) Tailscale serve header values Updates #11603 RELNOTE=Tailscale serve headers are now RFC 2047 Q-encoded Change-Id: I1314b65ecf5d39a5a601676346ec2c334fdef042 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Irbe Krumina	6ee956333f	ipn/ipnlocal: fix proxy path that matches mount point (#10864 ) Don't append a trailing slash to a request path to the reverse proxy that matches the mount point exactly. Updates tailscale/tailscale#10730 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Joe Tsai	c25968e1c5	all: make use of ctxkey everywhere (#10846 ) Also perform minor cleanups on the ctxkey package itself. Provide guidance on when to use ctxkey.Key[T] over ctxkey.New. Also, allow for interface kinds because the value wrapping trick also happens to fix edge cases with interfaces in Go. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Tyler Smalley	90eb5379f4	ipn/ipnlocal: log and don't return full file serve error (#10174 ) Previously we would return the full error from Stat or Open, possibily exposing the full file path. This change will log the error and return the generic error message "an error occurred reading the file or directory". Updates tailscale/corp#15485 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Will Norris	1cb8d2ffdd	ipn/ipnlocal: only call serve handler if non-nil return early if handler is nil. Go ahead and return the error from handler, though in this case the caller isn't doing anything with it (which has always been the case). Updates #10177 Updates #10251 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Will Norris	b7918341f9	ipn/ipnlocal: call serve handler for local traffic Tailscale serve maintains a set of listeners so that serve traffic from the local device can be properly served when running in kernel networking mode. #10177 refactored that logic so that it could be reused by the internal web client as well. However, in my refactoring I missed actually calling the serve handler to handle the traffic. Updates #10177 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Will Norris	09de240934	ipn/ipnlocal: allow connecting to local web client The local web client has the same characteristic as tailscale serve, in that it needs a local listener to allow for connections from the local machine itself when running in kernel networking mode. This change renames and adapts the existing serveListener to allow it to be used by the web client as well. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Maisem Ali	f398712c00	ipn/ipnlocal: prevent changing serve config if conf.Locked This adds a check to prevent changes to ServeConfig if tailscaled is run with a Locked config. Missed in `1fc3573446`. Updates #1412 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Irbe Krumina	eced054796	ipn/ipnlocal: close connections for removed proxy transports (#9884 ) Ensure that when a userspace proxy config is reloaded, connections for any removed proxies are safely closed Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	f09cb45f9d	ipn/ipnlocal: initiate proxy transport once (#9883 ) Initiates http/h2c transport for userspace proxy backend lazily and at most once. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	09b5bb3e55	ipn/ipnlocal: proxy gRPC requests over h2c if needed. (#9847 ) Updates userspace proxy to detect plaintext grpc requests using the preconfigured host prefix and request's content type header and ensure that these will be proxied over h2c. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Maisem Ali	24f322bc43	ipn/ipnlocal: do unexpired cert renewals in the background We were eagerly doing a synchronous renewal of the cert while trying to serve traffic. Instead of that, just do the cert renewal in the background and continue serving traffic as long as the cert is still valid. This regressed in `c1ecae13ab` when we introduced ARI support and were trying to make the experience of `tailscale cert` better. However, that ended up regressing the experience for tsnet as it would not always doing the renewal synchronously. Fixes #9783 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	319607625f	ipn/ipnlocal: fix log spam from now expected paths These log paths were actually unexpected until the refactor in `fe95d81b43`. This moves the logs to the callsites where they are actually unexpected. Fixes #9670 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Marwan Sulaiman	651620623b	ipn/ipnlocal: close foreground sessions on SetServeConfig This PR ensures zombie foregrounds are shutdown if a new ServeConfig is created that wipes the ongoing foreground ones. For example, "tailscale serve\|funnel reset\|off" should close all open sessions. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Brad Fitzpatrick	926c990a09	types/netmap: start phasing out Addresses, add GetAddresses method NetworkMap.Addresses is redundant with the SelfNode.Addresses. This works towards a TODO to delete NetworkMap.Addresses and replace it with a method. This is similar to #9389. Updates #cleanup Change-Id: Id000509ca5d16bb636401763d41bdb5f38513ba0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Marwan Sulaiman	12d4685328	ipn/localapi, ipn/ipnlocal: add etag support for SetServeConfig This PR adds optimistic concurrency control in the local client and api in order to ensure multiple writes of the ServeConfig do not conflict with each other. Updates #9273 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	50990f8931	ipn, ipn/ipnlocal: add Foreground field for ServeConfig This PR adds a new field to the serve config that can be used to identify which serves are in "foreground mode" and then can also be used to ensure they do not get persisted to disk so that if Tailscaled gets ungracefully shutdown, the reloaded ServeConfig will not have those ports opened. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	51d3220153	ipn, ipn/ipnlocal: remove log streaming for StreamServe This PR removes the per request logging to the CLI as the CLI will not be displaying those logs initially. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	45eeef244e	ipn, ipn/ipnlocal: add Foreground field to ServeConfig This PR adds a new field to the ServeConfig which maps WatchIPNBus session ids to foreground serve configs. The PR also adds a DeleteForegroundSession method to ensure the config gets cleaned up on sessions ending. Note this field is not currently used but will be in follow up work. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Tyler Smalley	e1fbb5457b	cmd/tailscale: combine serve and funnel for debug wip funnel stream model (#9169 ) > Note > Behind the `TAILSCALE_USE_WIP_CODE` flag In preparing for incoming CLI changes, this PR merges the code path for the `serve` and `funnel` subcommands. See the parent issue for more context. The following commands will run in foreground mode when using the environment flag. ``` tailscale serve localhost:3000 tailscae funnel localhost:3000 ``` Replaces #9134 Updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com> Signed-off-by: Marwan Sulaiman <marwan@tailscale.com> Co-authored-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	000c0a70f6	ipn, ipn/ipnlocal: clean up documentation and use clock instead of time This PR addresses a number of the follow ups from PR #8491 that were written after getting merged. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	35ff5bf5a6	cmd/tailscale/cli, ipn/ipnlocal: [funnel] add stream mode Adds ability to start Funnel in the foreground and stream incoming connections. When foreground process is stopped, Funnel is turned back off for the port. Exampe usage: ``` TAILSCALE_FUNNEL_V2=on tailscale funnel 8080 ``` Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	84b94b3146	types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView Updates #1909 Change-Id: I8c470cbc147129a652c1d58eac9b790691b87606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	58a4fd43d8	types/netmap, all: use read-only tailcfg.NodeView in NetworkMap Updates #8948 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Sonia Appasamy	49896cbdfa	ipn/ipnlocal: add profile pic header to serve HTTP proxy Fixes #8807 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Andrew Lytvynov	c1ecae13ab	ipn/{ipnlocal,localapi}: actually renew certs before expiry (#8731 ) While our `shouldStartDomainRenewal` check is correct, `getCertPEM` would always bail if the existing cert is not expired. Add the same `shouldStartDomainRenewal` check to `getCertPEM` to make it proceed with renewal when existing certs are still valid but should be renewed. The extra check is expensive (ARI request towards LetsEncrypt), so cache the last check result for 1hr to not degrade `tailscale serve` performance. Also, asynchronous renewal is great for `tailscale serve` but confusing for `tailscale cert`. Add an explicit flag to `GetCertPEM` to force a synchronous renewal for `tailscale cert`. Fixes #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Will Norris	f8b0caa8c2	serve: fix hostname for custom http ports When using a custom http port like 8080, this was resulting in a constructed hostname of `host.tailnet.ts.net:8080.tailnet.ts.net` when looking up the serve handler. Instead, strip off the port before adding the MagicDNS suffix. Also use the actual hostname in `serve status` rather than the literal string "host". Fixes #8635 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
shayne	6697690b55	{cmd/tailscale/cli,ipn}: add http support to tailscale serve (#8358 ) Updates #8357 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	12 months ago
Sonia Appasamy	0f5090c526	ipn/ipnlocal: add docs header to serve HTTP proxy Adds a `Tailscale-Headers-Info` header whenever the `Tailscale-User-` headers are filled from the HTTP proxy handler. Planning on hooking this shorturl up to KB docs about the header values (i.e. what's a login name vs. display name) and security considerations to keep in mind while using these headers - notibly that they can also be filled from external requests that do not hit tailscaled. Updates https://github.com/tailscale/tailscale/issues/6954 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	12 months ago
Sonia Appasamy	e1cdcf7708	ipn/ipnlocal: add identity headers to HTTP serve proxy Adds two new headers to HTTP serve proxy: - `Tailscale-User-Login`: Filled with requester's login name. - `Tailscale-User-Name`: Filled with requester's display name. These headers only get filled when the SrcAddr is associated with a non-tagged (i.e. user-owned) node within the client's Tailnet. The headers are passed through empty when the request originated from another tailnet, or the public internet (via funnel). Updates https://github.com/tailscale/tailscale/issues/6954 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	12 months ago
Maisem Ali	fe95d81b43	ipn/ipnlocal,wgengine/netstack: move LocalBackend specifc serving logic to LocalBackend The netstack code had a bunch of logic to figure out if the LocalBackend should handle an incoming connection and then would call the function directly on LocalBackend. Move that logic to LocalBackend and refactor the methods to return conn handlers. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	12 months ago
Heiko Rothe	dc1d8826a2	ipn/ipnlocal: [serve/funnel] add forwarded host and proto header (#8224 ) This replicates the headers also sent by the golang reverse proxy by default. Fixes https://github.com/tailscale/tailscale/issues/7061 Signed-off-by: Heiko Rothe <me@heikorothe.com>	1 year ago
Brad Fitzpatrick	6e967446e4	tsd: add package with System type to unify subsystem init, discovery This is part of an effort to clean up tailscaled initialization between tailscaled, tailscaled Windows service, tsnet, and the mac GUI. Updates #8036 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Mihai Parparita	4722f7e322	all: move network monitoring from wgengine/monitor to net/netmon We're using it in more and more places, and it's not really specific to our use of Wireguard (and does more just link/interface monitoring). Also removes the separate interface we had for it in sockstats -- it's a small enough package (we already pull in all of its dependencies via other paths) that it's not worth the extra complexity. Updates #7621 Updates #7850 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	f85dc6f97c	ci: add more lints (#7909 ) This is a follow-up to #7905 that adds two more linters and fixes the corresponding findings. As per the previous PR, this only flags things that are "obviously" wrong, and fixes the issues found. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8739bdb7bc4f75666a7385a7a26d56ec13741b7c	1 year ago
shayne	ba4e58f429	cmd/tailscale/cli: do not allow turning Funnel on while shields-up (#7770 )	1 year ago
shayne	3177ccabe5	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	7908b6d616	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Maisem Ali	b797f773c7	ipn/ipnlocal: add support for funnel in tsnet Previously the part that handled Funnel connections was not aware of any listeners that tsnet.Servers might have had open so it would check against the ServeConfig and fail. Adding a ServeConfig for a TCP proxy was also not suitable in this scenario as that would mean creating two different listeners and have one forward to the other, which really meant that you could not have funnel and tailnet-only listeners on the same port. This also introduces the ipn.FunnelConn as a way for users to identify whether the call is coming over funnel or not. Currently it only holds the underlying conn and the target as presented in the "Tailscale-Ingress-Target" header. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Brad Fitzpatrick	b1248442c3	all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork Updates #7123 Updates #5309 Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
shayne	4471e403aa	ipn/ipnlocal: [serve] listen on all-interfaces for macOS sandboxed (#6771 ) On macOS (AppStore and macsys), we need to bind to ""/all-interfaces due to the network sandbox. Ideally we would only bind to the Tailscale interface, but macOS errors out if we try to to listen on privileged ports binding only to a specific interface. We also implement the lc.Control hook, same as we do for peerapi. It doesn't solve our problem but it's better that we do and would likely be required when Apple gets around to fixing per-interface priviliged port binding. Fixes: #6364 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Anton Tolchanov	82b9689e25	ipn/ipnlocal: maintain a proxy handler per backend (#6804 ) By default, `http.Transport` keeps idle connections open hoping to re-use them in the future. Combined with a separate transport per request in HTTP proxy this results in idle connection leak. Fixes #6773	1 year ago
shayne	a97369f097	cmd/tailscale/cli: flesh out serve CLI and tests (#6304 ) Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Brad Fitzpatrick	3114eacbb8	ipn/ipnlocal: don't warn about serve listener failing on IPv6-less machines Fixes #6303 Change-Id: Ie1ce12938f68dfa0533246bbe3b9d7f3e749a243 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
shayne	74e892cbc2	ipn/ipnlocal: listen to serve ports on netmap addrs (#6282 ) Updates tailscale/corp#7515 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago

1 2

62 Commits (93618a3518d4b822aa5ed5829205f364f4ccfa09)