Support for auto_tls #19
Comments
|
Just to clarify, what isn't working properly? |
|
I'm referring to the shortcomings mentioned here: https://github.com/tailscale/caddy-tailscale#https-support (i.e., that the native TLS integration doesn't work and you need to use In particular, I'm hoping to have a single server run as a bidirectional HTTP proxy (serve a local service over |
willnorris
added a commit
that referenced
this issue
May 17, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
May 17, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
May 17, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
May 19, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
May 19, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
May 31, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 2, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 2, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 2, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 2, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 3, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 3, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 3, 2024
This provides an alternate implementation for tscert.TailscaledDialer that tries to find a tsnet server for the requested certificate. This allows caddy-tailscale to be used with caddy's auto_https support. Fixes #19 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 7, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66
willnorris
added a commit
that referenced
this issue
Jun 7, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 7, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 7, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 7, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 8, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
added a commit
that referenced
this issue
Jun 18, 2024
This provides an http.RoundTripper implementation that dynamically routes requests to the correct tsnet server's LocalAPI based on the ClientHelloInfo in the context. Previously, we were just overriding the tscert Dialer. That worked fine the first time it dialed a LocalAPI, and would correctly dial the right tsnet server. However, tscert caches the Transport with that Dialer, so requests that should be routed to different tsnet servers would be routed incorrectly. Updates #19 Updates #53 Updates #66 Signed-off-by: Will Norris <will@tailscale.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I was wondering what it would take to get the automatic TLS integration working properly.
I don't know too much about Caddy, but in the absence of any other mechanism for cross-server shared state, I was thinking about stuffing the tailscale Server object in a global map under the tailscale package, keyed by
tsnet.Server.CertDomains(), and then callings.LocalClient.CertPair().It isn't the prettiest design, but I'm welcome to other suggestions if you know of a better way to share state between the cert manager and the listener.
If you're OK with that design, I could probably whip something up over the next few days.
The text was updated successfully, but these errors were encountered: