golink: listen on HTTPS and redirect HTTP traffic #99
Updates #9 On tailnets with TLS enabled serve HTTP traffic with a separate redirectHandler which sends requests to our HTTPS listener destination. Add `-L` to documented examples of using `curl` to follow these redirects if present. Signed-off-by: Patrick O'Doherty <[email protected]>
```go
l80, err := srv.Listen("tcp", ":80")
// create tsNet server and wait for it to be ready & connected.
localClient, _ = srv.LocalClient()
```
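Review bot: the comment "create tsNet server and wait for it to be ready & connected" sits between the `srv.Listen("tcp", ":80")` call and the `srv.LocalClient()` call, but the port-80 listener is already opened on the line above it, so the comment no longer describes the code it precedes. Move the comment above the `Listen` call or reword it to describe the `LocalClient` step.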
While we're here, maybe now is a good time to

```go
localClient, err = srv.LocalClient()
if err != nil {
	return err
}
```
As long as the server is started, LocalClient promises not to report an error in this context. tsnet has the
Though I guess it's also worth keeping in mind that @maisem is working on removing the hard dependence on tsnet (#95), so we can't necessarily assume it will always be tsnet. Maybe the helpers belong in tsweb then? Or maybe this really does just need to be handled in the individual applications, though that would be kind of unfortunate.
golink.go (outdated)

```go
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	path := r.URL.Path
	newUrl := fmt.Sprintf("https://%s%s", hostname, path)
	http.Redirect(w, r, newUrl, http.StatusMovedPermanently)
```
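Review bot: the redirect target is built from `r.URL.Path` alone, so any query string on the incoming request is dropped at the `newUrl := fmt.Sprintf("https://%s%s", hostname, path)` line; build the target with `url.URL{Scheme: "https", Host: hostname, Path: r.URL.Path, RawQuery: r.URL.RawQuery}` so that `go/foo?x=1` keeps `?x=1` after the redirect. Separately, `http.StatusMovedPermanently` is cached by browsers, which matters when the same short name `go` resolves to different hosts on different tailnets; a non-cacheable status such as `http.StatusFound` avoids pinning the short name to one destination.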
I'm not entirely sure this works, I vaguely recall something about go/foo not working once you start doing redirects.
Please use ListenTLS. We currently only send down one CertDomain, that may change in the future but programs today should only account for the exact one. There are no promises made on what that would mean in the future or how that would change. ListenTLS aims to abstract that away from the caller.
* use `srv.ListenTLS` API instead of DIY'ing it.
* DRY up http & https listener code.
* use type safe URL generation for redirect handler
* use status API to determine HTTPS capabilities directly.
* handle http only case gracefully.

Signed-off-by: Patrick O'Doherty <[email protected]>
@maisem thank you - I am not surprised to discover that I was "holding it wrong" so to speak. The latest impl with
* create discrete ctx variables for localClient & tsnet server interactions.
* DRY up the http(s) handler code even further.
* call log.Fatal for https serving errors that were previously swallowed.

Signed-off-by: Patrick O'Doherty <[email protected]>
If users belong to multiple tailnets with golinks deployed (as is common) then permanent redirects for one will conflict with the others. To prevent this we will use `http.StatusFound` to prompt browsers to continue to visit the `go/` URL in the future. Signed-off-by: Patrick O'Doherty <[email protected]>
Inspect the `Host` header to ensure that we do not return HSTS headers for short domains which can lead to some clients pinning short domains to endpoints with invalid certificates. Signed-off-by: Patrick O'Doherty <[email protected]>
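The two commit messages above describe the behaviour the HTTP-to-HTTPS redirect needs: a non-permanent status so browsers do not pin `go/` to one tailnet, and an HSTS header that is only emitted when the request was addressed to the full hostname rather than the short `go` name. The following is an added example written for this page, not golink's own code: it stands in a plain `net/http` server so it runs without tsnet, and the hostname `go.example.ts.net`, the function names `redirectHandler`, `hstsMiddleware` and `hostOnly`, and the ports are all assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/url"
)

// hostOnly strips an optional ":port" from a Host header value so that
// "go.example.ts.net:443" and "go.example.ts.net" compare equal.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// redirectHandler serves the plain-HTTP listener. Each request is sent to
// the same path and query on httpsHost (assumed: the tailnet MagicDNS name).
// http.StatusFound is used instead of StatusMovedPermanently because a 301
// is cached by browsers: a user on several tailnets that each serve go/
// would otherwise have the short name pinned to the first one visited.
func redirectHandler(httpsHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := url.URL{
			Scheme:   "https",
			Host:     httpsHost,
			Path:     r.URL.Path,
			RawQuery: r.URL.RawQuery, // keep ?query=... across the redirect
		}
		http.Redirect(w, r, target.String(), http.StatusFound)
	})
}

// hstsMiddleware adds Strict-Transport-Security only when the request was
// addressed to fullHost. A request to the short name "go" must not receive
// HSTS: the browser would then insist on https://go/, for which no valid
// certificate exists, and the short link would stop working.
func hstsMiddleware(fullHost string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hostOnly(r.Host) == hostOnly(fullHost) {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		}
		next.ServeHTTP(w, r)
	})
}

// helloHandler stands in for the real link-resolving handler.
func helloHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
}

func main() {
	// Assumed hostname; in golink this would come from the tailnet status.
	const fullHost = "go.example.ts.net"

	// In golink the HTTPS side is served on a tsnet ListenTLS listener; here
	// the HSTS-wrapped handler is shown on a local port for illustration and
	// the redirect handler on a second local port.
	go func() {
		log.Fatal(http.ListenAndServe("127.0.0.1:8080", redirectHandler(fullHost)))
	}()
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", hstsMiddleware(fullHost, helloHandler())))
}
```

Requests to `http://127.0.0.1:8080/foo?x=1` answer `302 Found` with `Location: https://go.example.ts.net/foo?x=1`; the second port returns the HSTS header only when the `Host` header (port stripped) is `go.example.ts.net`, so a request with `Host: go` gets none.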
56a3d4e to 8ac87f5
Append section about HTTPS behavior to the README. Include a note about the use of `-L` with all `curl` scripts in such deployments to prevent silent early termination with empty responses. Signed-off-by: Patrick O'Doherty <[email protected]>
Updates #9
Fixes #29

On tailnets with TLS enabled serve HTTP traffic with a separate redirectHandler which sends requests to our HTTPS listener destination.

Add `-L` to documented examples of using `curl` to follow these redirects if present.