tailscale/control/controlhttp, branch knyar/netmapdiff2

net/tlsdial: fix TLS cert validation of HTTPS proxies

2025-06-18T21:20:39Z

If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick

derp/derphttp: remove ban on websockets dependency

2025-04-16T17:10:45Z

The event bus's debug page uses websockets. Updates #15160 Signed-off-by: David Anderson

net/{netx,memnet},all: add netx.DialFunc, move memnet Network impl

2025-04-08T17:07:47Z

This adds netx.DialFunc, unifying a type we have a bazillion other places, giving it now a nice short name that's clickable in editors, etc. That highlighted that my earlier move (03b47a55c7956) of stuff from nettest into netx moved too much: it also dragged along the memnet impl, meaning all users of netx.DialFunc who just wanted netx for the type definition were instead also pulling in all of memnet. So move the memnet implementation netx.Network into memnet, a package we already had. Then use netx.DialFunc in a bunch of places. I'm sure I missed some. And plenty remain in other repos, to be updated later. Updates tailscale/corp#27636 Change-Id: I7296cd4591218e8624e214f8c70dab05fb884e95 Signed-off-by: Brad Fitzpatrick

control/controlhttp: reduce some log spam on context cancel

2025-04-02T14:36:04Z

Change-Id: I3ac00ddb29c16e9791ab2be19f454dabd721e4c3 Signed-off-by: Brad Fitzpatrick

control/controlhttp: set forceNoise443 on Plan 9

2025-04-02T14:36:04Z

Updates #5794 Change-Id: Idc67082f5d367e03540e1a5310db5b466ee03666 Signed-off-by: Brad Fitzpatrick

control/controlhttp: quiet "forcing port 443" log spam

2025-03-25T21:26:24Z

Minimal mitigation that doesn't do the full refactor that's probably warranted. Updates #15402 Change-Id: I79fd91de0e0661d25398f7d95563982ed1d11561 Signed-off-by: Brad Fitzpatrick

control/controlhttp: set *health.Tracker in tests

2024-11-26T23:05:05Z

Observed during another PR: https://github.com/tailscale/tailscale/actions/runs/12040045880/job/33569141807 Updates #cleanup Signed-off-by: Andrew Dunham Change-Id: I9e0f49a35485fa2e097892737e5e3c95bf775a90

cmd/tailscale/cli: create netmon in debug ts2021

2024-11-21T03:37:26Z

Otherwise we'll see a panic if we hit the dnsfallback code and try to call NewDialer with a nil NetMon. Updates #14161 Signed-off-by: Andrew Dunham Change-Id: I81c6e72376599b341cb58c37134c2a948b97cf5f

derp/derphttp: don't link websockets other than on GOOS=js

2024-11-08T06:29:41Z

Or unless the new "ts_debug_websockets" build tag is set. Updates #1278 Change-Id: Ic4c4f81c1924250efd025b055585faec37a5491d Signed-off-by: Brad Fitzpatrick

control/controlhttp/controlhttpserver: split out Accept to its own package

2024-11-08T06:29:41Z

Otherwise all the clients only using control/controlhttp for the ts2021 HTTP client were also pulling in WebSocket libraries, as the server side always needs to speak websockets, but only GOOS=js clients speak it. This doesn't yet totally remove the websocket dependency on Linux because Linux has a envknob opt-in to act like GOOS=js for manual testing and force the use of WebSockets for DERP only (not control). We can put that behind a build tag in a future change to eliminate the dep on all GOOSes. Updates #1278 Change-Id: I4f60508f4cad52bf8c8943c8851ecee506b7ebc9 Signed-off-by: Brad Fitzpatrick