Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify SSL Certificates Handling for Tailscale's serve Command by Replacing Dot with Dash in Machine.GetFQDN #1530

Closed
marcellmars opened this issue Aug 17, 2023 · 3 comments
Closed

Simplify SSL Certificates Handling for Tailscale's serve Command by Replacing Dot with Dash in Machine.GetFQDN #1530

marcellmars opened this issue Aug 17, 2023 · 3 comments
Labels
enhancement New feature or request stale

Comments

@marcellmars
Copy link

marcellmars commented Aug 17, 2023
edited
Loading

Why

The Tailscale serve command starts a server that only respond to its specific FQDN (e.g. not its IP address), and that's set up in headscale's codebase as Machine.GivenName + dot + Machine.User.Name. Because of that dot between Machine.GivenName and Machine.User.Name, you'd need an extra wildcard SSL certificate for each User.Name (to cover all of her nodes) if you want to make it accessible to everyone online.

But if we used a dash instead of the dot, it would simplify things. It would just count as one subdomain, so a single wildcard SSL certificate could cover all users in the tailnet.

To test if I am right I came up with a simple patch for this. It makes the server return Machine.GivenName + - + Machine.User.Name. If you get a wildcard SSL certificate from Caddy and set up a reverse proxy to the node running tailscale serve http:1234 / text:"hello world!", it works perfectly. Anyone online would see "hello world!" at the same URL used in the tailnet, and the wildcard SSL certificate would have it covered.

Description

Here's the simple patch which does it:

modified   hscontrol/types/machine.go
@@ -269,7 +269,7 @@ func (machine *Machine) GetFQDN(dnsConfig *tailcfg.DNSConfig, baseDomain string)
 	var hostname string
 	if dnsConfig != nil && dnsConfig.Proxied { // MagicDNS
 		hostname = fmt.Sprintf(
-			"%s.%s.%s",
+			"%s-%s.%s",
 			machine.GivenName,
 			machine.User.Name,
 			baseDomain,

With this setup, a single generic Caddy snippet can handle all users. Without it, you'd have to add every new user to Caddy individually. That would be way more work to keep up with.

I wonder if there's any interest in having something like this as part of the configuration directive. I am happy to discuss it more and eventually make a PR.
@marcellmars marcellmars added the enhancement New feature or request label Aug 17, 2023
@ChibangLW
Copy link
Contributor

Not necessary based on the same motivation but would also result in the same functionality for you (for tagged devices at least): #1405

From my understanding the given name should be unique by appending a suffix if two machines do have the same given name.

@github-actions GitHub Actions
Copy link
Contributor

This issue is stale because it has been open for 90 days with no activity.

@github-actions github-actions bot added the stale label Dec 11, 2023
@github-actions GitHub Actions
Copy link
Contributor

This issue was closed because it has been inactive for 14 days since being marked as stale.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcellmars @ChibangLW