117 lines
3.2 KiB
Go
117 lines
3.2 KiB
Go
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package tsweb contains code between various Tailscale webservers.
|
|
package tsweb
|
|
|
|
import (
|
|
"expvar"
|
|
_ "expvar"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
_ "net/http/pprof"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"tailscale.com/interfaces"
|
|
)
|
|
|
|
// NewMux returns a new ServeMux with debugHandler registered (and protected) at /debug/.
|
|
func NewMux(debugHandler http.Handler) *http.ServeMux {
|
|
mux := http.NewServeMux()
|
|
RegisterCommonDebug(mux)
|
|
mux.Handle("/debug/", Protected(debugHandler))
|
|
return mux
|
|
}
|
|
|
|
func RegisterCommonDebug(mux *http.ServeMux) {
|
|
expvar.Publish("uptime", uptimeVar{})
|
|
mux.Handle("/debug/pprof/", Protected(http.DefaultServeMux)) // to net/http/pprof
|
|
mux.Handle("/debug/vars", Protected(http.DefaultServeMux)) // to expvar
|
|
}
|
|
|
|
func DefaultCertDir(leafDir string) string {
|
|
cacheDir, err := os.UserCacheDir()
|
|
if err == nil {
|
|
return filepath.Join(cacheDir, "tailscale", leafDir)
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// IsProd443 reports whether addr is a Go listen address for port 443.
|
|
func IsProd443(addr string) bool {
|
|
_, port, _ := net.SplitHostPort(addr)
|
|
return port == "443" || port == "https"
|
|
}
|
|
|
|
// AllowDebugAccess reports whether r should be permitted to access
|
|
// various debug endpoints.
|
|
func AllowDebugAccess(r *http.Request) bool {
|
|
if r.Header.Get("X-Forwarded-For") != "" {
|
|
// TODO if/when needed. For now, conservative:
|
|
return false
|
|
}
|
|
ipStr, _, err := net.SplitHostPort(r.RemoteAddr)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
ip := net.ParseIP(ipStr)
|
|
return interfaces.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == os.Getenv("ALLOW_DEBUG_IP")
|
|
}
|
|
|
|
// Protected wraps a provided debug handler, h, returning a Handler
|
|
// that enforces AllowDebugAccess and returns forbiden replies for
|
|
// unauthorized requests.
|
|
func Protected(h http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if !AllowDebugAccess(r) {
|
|
http.Error(w, "debug access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
h.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
var timeStart = time.Now()
|
|
|
|
func Uptime() time.Duration { return time.Since(timeStart).Round(time.Second) }
|
|
|
|
type uptimeVar struct{}
|
|
|
|
func (uptimeVar) String() string { return fmt.Sprint(int64(Uptime().Seconds())) }
|
|
|
|
// Port80Handler is the handler to be given to
|
|
// autocert.Manager.HTTPHandler. The inner handler is the mux
|
|
// returned by NewMux containing registered /debug handlers.
|
|
type Port80Handler struct{ Main http.Handler }
|
|
|
|
func (h Port80Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
path := r.RequestURI
|
|
if path == "/debug" || strings.HasPrefix(path, "/debug") {
|
|
h.Main.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
if r.Method != "GET" && r.Method != "HEAD" {
|
|
http.Error(w, "Use HTTPS", http.StatusBadRequest)
|
|
return
|
|
}
|
|
if path == "/" && AllowDebugAccess(r) {
|
|
// Redirect authorized user to the debug handler.
|
|
path = "/debug/"
|
|
}
|
|
target := "https://" + stripPort(r.Host) + path
|
|
http.Redirect(w, r, target, http.StatusFound)
|
|
}
|
|
|
|
func stripPort(hostport string) string {
|
|
host, _, err := net.SplitHostPort(hostport)
|
|
if err != nil {
|
|
return hostport
|
|
}
|
|
return net.JoinHostPort(host, "443")
|
|
}
|