Fix auth.go not finding the tsnet.Listener. #70
Conversation
beep-beep-beep-boop
force-pushed
the
fix-auth-listener
branch
2 times, most recently
from
4f76a64
to
f2e3ea3
Compare
Signed-off-by: hello <79901832+beep-beep-beep-boop@users.noreply.github.com>
beep-beep-beep-boop
force-pushed
the
fix-auth-listener
branch
from
f2e3ea3
to
726f8df
Compare
|
okay, this doesn't completely fix it. the issue still happens when trying to connect via https to the if you remove the so this won't work: https://caddytest.abc.ts.net {
bind tailscale/caddytest
tailscale_auth # this is causing the issue
templates
respond `Hello, {{placeholder "http.auth.user.id"}}`
}but this will (but it won't authenticate): https://caddytest.abc.ts.net {
bind tailscale/caddytest
templates
respond `Hello, {{placeholder "http.auth.user.id"}}`
} |
|
okay, so the problem is that ever since f2562ba, we no longer just have a @mholt, how gross would it be to have something like: type wrappedListener struct {
net.Listener
wrapped net.Listener
}
func (h *wrappedListener) Unwrap() net.Listener {
return h.wrapped
}and then app.Start has something like: if useTLS {
// create TLS listener - this enables and terminates TLS
tlsln := tls.NewListener(ln, tlsCfg)
ln = &wrappedListener{Listener: tlsln, wrapped: ln}
// ...
}I just tested this, and along with an So basically this: caddyserver/caddy@master...willnorris:caddy:wrappedListener |
Allow unwrapping the net.Listener values inside both http2Listener and tls.listener, the latter with a little indirection. Updates tailscale/caddy-tailscale#70
Allow unwrapping the net.Listener values inside both http2Listener and tls.listener, the latter with a little indirection. Updates tailscale/caddy-tailscale#70
|
I was thinking about using reflection to get to it. having a way to do it built into caddy would be better though i think. |
Signed-off-by: hello <79901832+beep-beep-beep-boop@users.noreply.github.com>
|
I updated the PR to use reflection for now but doing it on caddy's end is probably a better permanent solution. |
|
@willnorris We could do that, but like you mentioned, that chain would stop with a listener out of our control (like tls.Listener). Is the unwrapping needed only in this specific case? |
Yes, the |
|
What if we stick with the current solution (reflection -- not as ugly as I'd have thought!) and if other use cases start showing up, we can consider generalizing a solution upstream in Caddy? |
|
The proposed changes to caddy are quite minimal as well, and far cleaner than having to resort to reflection. Though I do understand that we're likely one of the only ones using |
|
True -- and to clarify, I'm not opposed to that change in Caddy (someday, if needed) -- because it's so minimal. I'm just thinking that for now, let's see if this can work and if we need it to generalize then we can make the change 👍 |
There was a problem hiding this comment.
@beep-beep-beep-boop let's add a note on this new func to revisit in the future if and when Caddy support unwrapping listeners. Otherwise, this LGTM
…tself. Signed-off-by: hello <79901832+beep-beep-beep-boop@users.noreply.github.com> Co-authored-by: Will Norris <will@willnorris.com>
|
I pushed a new commit to go ahead and add the |
This fixes #68
auth.gowas treating the listener as if it was atsnet.Listener, but it was actually atsServerListenerwhich had a member (Listener) that implementedtsnet.Listener. This caused it to fall-through and try to authenticate the request through a locally-runningtailscaled, which would fail if caddy was running in a container without one.I'm not very familiar with go so IDK if there's a less messy-looking way to do this.