Restructure Tailscale HTTPS

2021-09-23 08:42:00 +02:00 · 2021-09-23 08:42:00 +02:00 · e9bbfc12d0
parent 2080058dfe
commit e9bbfc12d0
4 changed files with 28 additions and 11 deletions
--- a/config.go
+++ b/config.go
@ -362,6 +362,9 @@ func (a *goBlog) initConfig() error {
 	return nil
 }
-func (a *goBlog) httpsConfigured() bool {
+func (a *goBlog) httpsConfigured(checkAddress bool) bool {
-	return a.cfg.Server.PublicHTTPS || a.cfg.Server.SecurityHeaders || strings.HasPrefix(a.cfg.Server.PublicAddress, "https")
+	return a.cfg.Server.PublicHTTPS ||
 		a.cfg.Server.TailscaleHTTPS ||
 		a.cfg.Server.SecurityHeaders ||
 		(checkAddress && strings.HasPrefix(a.cfg.Server.PublicAddress, "https"))
 }
--- a/http.go
+++ b/http.go
@ -2,7 +2,6 @@ package main
 import (
 	"compress/flate"
 	"crypto/tls"
 	"database/sql"
 	"errors"
 	"fmt"
@ -20,7 +19,6 @@ import (
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/context"
 	"tailscale.com/client/tailscale"
 )
 const (
@ -45,7 +43,7 @@ func (a *goBlog) startServer() (err error) {
 		h = h.Append(a.logMiddleware)
 	}
 	h = h.Append(middleware.Recoverer, middleware.Compress(flate.DefaultCompression), middleware.Heartbeat("/ping"))
-	if a.cfg.Server.PublicHTTPS || a.cfg.Server.SecurityHeaders {
+	if a.httpsConfigured(false) {
 		h = h.Append(a.securityHeaders)
 	}
 	finalHandler := h.Then(a.d)
@ -82,10 +80,7 @@ func (a *goBlog) startServer() (err error) {
 		s.Addr = ":https"
 		if a.cfg.Server.TailscaleHTTPS {
 			// HTTPS via Tailscale
-			s.TLSConfig = &tls.Config{
+			if err = a.startTailscaleHttps(s); err != nil {
 				GetCertificate: tailscale.GetCertificate,
 			}
 			if err = s.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
 				return err
 			}
 		} else {
--- a/sessions.go
+++ b/sessions.go
@ -32,7 +32,7 @@ func (a *goBlog) initSessions() {
 	a.loginSessions = &dbSessionStore{
 		codecs: securecookie.CodecsFromPairs([]byte(a.cfg.Server.JWTSecret)),
 		options: &sessions.Options{
-			Secure:   a.httpsConfigured(),
+			Secure:   a.httpsConfigured(true),
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 			MaxAge:   int((7 * 24 * time.Hour).Seconds()),
@ -43,7 +43,7 @@ func (a *goBlog) initSessions() {
 	a.captchaSessions = &dbSessionStore{
 		codecs: securecookie.CodecsFromPairs([]byte(a.cfg.Server.JWTSecret)),
 		options: &sessions.Options{
-			Secure:   a.httpsConfigured(),
+			Secure:   a.httpsConfigured(true),
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 			MaxAge:   int((24 * time.Hour).Seconds()),
--- a/tailscale.go
+++ b/tailscale.go
@ -0,0 +1,19 @@
 package main
 import (
 	"crypto/tls"
 	"net/http"
 	"tailscale.com/client/tailscale"
 )
 func (a *goBlog) startTailscaleHttps(s *http.Server) error {
 	s.Addr = ":https"
 	s.TLSConfig = &tls.Config{
 		GetCertificate: tailscale.GetCertificate,
 	}
 	if err := s.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
 		return err
 	}
 	return nil
 }