Restructure Tailscale HTTPS

2021-09-23 08:42:00 +02:00 · 2021-09-23 08:42:00 +02:00 · e9bbfc12d0
parent 2080058dfe
commit e9bbfc12d0
4 changed files with 28 additions and 11 deletions
--- a/config.go
+++ b/config.go
@ -362,6 +362,9 @@ func (a *goBlog) initConfig() error {
 	return nil
 }

-func (a *goBlog) httpsConfigured() bool {
-	return a.cfg.Server.PublicHTTPS || a.cfg.Server.SecurityHeaders || strings.HasPrefix(a.cfg.Server.PublicAddress, "https")
+func (a *goBlog) httpsConfigured(checkAddress bool) bool {
+	return a.cfg.Server.PublicHTTPS ||
+		a.cfg.Server.TailscaleHTTPS ||
+		a.cfg.Server.SecurityHeaders ||
+		(checkAddress && strings.HasPrefix(a.cfg.Server.PublicAddress, "https"))
 }
--- a/http.go
+++ b/http.go
@ -2,7 +2,6 @@ package main

 import (
 	"compress/flate"
-	"crypto/tls"
 	"database/sql"
 	"errors"
 	"fmt"
@ -20,7 +19,6 @@ import (
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/context"
-	"tailscale.com/client/tailscale"
 )

 const (
@ -45,7 +43,7 @@ func (a *goBlog) startServer() (err error) {
 		h = h.Append(a.logMiddleware)
 	}
 	h = h.Append(middleware.Recoverer, middleware.Compress(flate.DefaultCompression), middleware.Heartbeat("/ping"))
-	if a.cfg.Server.PublicHTTPS || a.cfg.Server.SecurityHeaders {
+	if a.httpsConfigured(false) {
 		h = h.Append(a.securityHeaders)
 	}
 	finalHandler := h.Then(a.d)
@ -82,10 +80,7 @@ func (a *goBlog) startServer() (err error) {
 		s.Addr = ":https"
 		if a.cfg.Server.TailscaleHTTPS {
 			// HTTPS via Tailscale
-			s.TLSConfig = &tls.Config{
-				GetCertificate: tailscale.GetCertificate,
-			}
-			if err = s.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+			if err = a.startTailscaleHttps(s); err != nil {
 				return err
 			}
 		} else {
--- a/sessions.go
+++ b/sessions.go
@ -32,7 +32,7 @@ func (a *goBlog) initSessions() {
 	a.loginSessions = &dbSessionStore{
 		codecs: securecookie.CodecsFromPairs([]byte(a.cfg.Server.JWTSecret)),
 		options: &sessions.Options{
-			Secure:   a.httpsConfigured(),
+			Secure:   a.httpsConfigured(true),
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 			MaxAge:   int((7 * 24 * time.Hour).Seconds()),
@ -43,7 +43,7 @@ func (a *goBlog) initSessions() {
 	a.captchaSessions = &dbSessionStore{
 		codecs: securecookie.CodecsFromPairs([]byte(a.cfg.Server.JWTSecret)),
 		options: &sessions.Options{
-			Secure:   a.httpsConfigured(),
+			Secure:   a.httpsConfigured(true),
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 			MaxAge:   int((24 * time.Hour).Seconds()),
--- a/tailscale.go
+++ b/tailscale.go
@ -0,0 +1,19 @@
+package main
+
+import (
+	"crypto/tls"
+	"net/http"
+
+	"tailscale.com/client/tailscale"
+)
+
+func (a *goBlog) startTailscaleHttps(s *http.Server) error {
+	s.Addr = ":https"
+	s.TLSConfig = &tls.Config{
+		GetCertificate: tailscale.GetCertificate,
+	}
+	if err := s.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+	return nil
+}