From ff64dc8d89d16057a933c289ce2d3a4b01567403 Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Thu, 16 May 2024 14:23:38 -0400
Subject: [PATCH] transport: add TLS support

Implement reverseproxy.TLSTransport. We go ahead and store the provided TLSConfig object, but for now we only use it to indicate that we should use TLS. We don't actually use any of the provided values to configure the client.

Fixes #25

Signed-off-by: Will Norris
---
 module.go | 6 +-----
 transport.go | 31 ++++++++++++++++++++++++++-----
 2 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/module.go b/module.go
index d3b29a5..d66c5bf 100644
--- a/module.go
+++ b/module.go
@@ -42,11 +42,7 @@ func getPlainListener(c context.Context, _ string, addr string, _ net.ListenConf
 if network == "" {
 network = "tcp"
 }
-
- ln := &tailscaleNode{
- Server: s.Server,
- }
- return ln.Listen(network, ":"+port)
+ return s.Listen(network, ":"+port)
 }
 
 func getTLSListener(c context.Context, _ string, addr string, _ net.ListenConfig) (any, error) {
diff --git a/transport.go b/transport.go
index 601dd33..9a40233 100644
--- a/transport.go
+++ b/transport.go
@@ -7,6 +7,7 @@ import (
 
 "github.com/caddyserver/caddy/v2"
 "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+ "github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy"
 )
 
 func init() {
@@ -18,6 +19,10 @@ type Transport struct {
 Name string `json:"name,omitempty"`
 
 node *tailscaleNode
+
+ // A non-nil TLS config enables TLS.
+ // We do not currently use the config values for anything.
+ TLS *reverseproxy.TLSConfig `json:"tls,omitempty"`
 }
 
 func (t *Transport) CaddyModule() caddy.ModuleInfo {
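Review bot: The new `TLS` field on `Transport` accepts a full `reverseproxy.TLSConfig` but, per the added comment, none of its values are honoured, so an operator who configures a trusted root CA pool, a client certificate or a server name in the `tls` block gets whatever verification the node's HTTP client performs by default, with no error — for verification settings that is the wrong direction to fail in, because the config reads as if pinning or mTLS were in effect. Until the values are wired through I would fail closed in `Provision` (outside this hunk) when the config carries anything beyond the bare enable marker, e.g. `if t.TLS != nil && !reflect.DeepEqual(*t.TLS, reverseproxy.TLSConfig{}) { return fmt.Errorf("transport: tls options are not yet supported; only an empty tls block is accepted") }`. The field's doc comment, which Caddy surfaces to users, should say the same: `// TLS, when non-nil, makes upstream requests use https. None of its options are applied yet; verification is whatever the node's HTTP client does by default.` Which options the Caddy `TLSConfig` type actually carries I'm inferring, so adjust the wording to the real field list.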
@@ -64,14 +69,30 @@ func (t *Transport) Cleanup() error {
 
 func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 if req.URL.Scheme == "" {
- req.URL.Scheme = "http"
+ if t.TLSEnabled() {
+ req.URL.Scheme = "https"
+ } else {
+ req.URL.Scheme = "http"
+ }
 }
 return t.node.HTTPClient().Transport.RoundTrip(req)
 }
 
+// TLSEnabled returns true if TLS is enabled.
+func (h Transport) TLSEnabled() bool {
+ return h.TLS != nil
+}
+
+// EnableTLS enables TLS on the transport.
+func (h *Transport) EnableTLS(config *reverseproxy.TLSConfig) error {
+ h.TLS = config
+ return nil
+}
+
 var (
- _ http.RoundTripper = (*Transport)(nil)
- _ caddy.Provisioner = (*Transport)(nil)
- _ caddy.CleanerUpper = (*Transport)(nil)
- _ caddyfile.Unmarshaler = (*Transport)(nil)
+ _ http.RoundTripper = (*Transport)(nil)
+ _ caddy.Provisioner = (*Transport)(nil)
+ _ caddy.CleanerUpper = (*Transport)(nil)
+ _ caddyfile.Unmarshaler = (*Transport)(nil)
+ _ reverseproxy.TLSTransport = (*Transport)(nil)
 )
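Review bot: `EnableTLS` does not enable TLS when it is called with a nil config — it stores the nil, `TLSEnabled` then reports false, and `RoundTrip` falls through to plaintext `http` — so a caller invoking the `TLSTransport` method to turn TLS on can silently get cleartext; normalise with `if config == nil { config = new(reverseproxy.TLSConfig) }` before the assignment, or return an error for nil (whether Caddy ever passes nil here I can't see from the hunk, so that is a hedge on severity, not on the fix). The two new methods also use receiver `h`, and `TLSEnabled` takes a value receiver while every other `Transport` method in view is `(t *Transport)`; make them `func (t *Transport) TLSEnabled() bool` and `func (t *Transport) EnableTLS(config *reverseproxy.TLSConfig) error`. Because `RoundTrip` still hands the request to `t.node.HTTPClient().Transport` unchanged, the `EnableTLS` doc should state what the config does and doesn't do, e.g. `// EnableTLS makes upstream requests use https. The config's fields are currently ignored; certificate verification is whatever the node's HTTP client does by default.` Finally, the new https/http choice only runs when `req.URL.Scheme` is empty, so if the proxy handler already fills in the scheme before calling the transport the branch is dead there — worth a one-line comment on which caller is expected to leave it blank.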