derp/derphttp: honor DERPNode.DERPPort in proxied CONNECT dial

dialNode picks the destination port from n.DERPPort when non-zero, falling back to 443 (or 3340 when useHTTPS is false). The proxy path, dialNodeUsingProxy, hardcoded "443" in the CONNECT target, so a DERP server reachable only on a custom port was unreachable through HTTPS_PROXY: the proxy would faithfully tunnel to :443 at the DERP hostname, and TLS would either fail cert validation or talk to the wrong service. Mirror dialNode's port selection so both paths behave the same. Fixes #19748 Signed-off-by: Martin Zihlmann <martizih@outlook.com>
2026-06-25 08:22:18 -04:00 · 2026-05-14 17:14:13 +02:00
parent 2a06fb66d0
commit 0e4c8fc920
1 changed files with 9 additions and 1 deletions
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -867,7 +867,15 @@ func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, pr
 		}
 	}()

-	target := net.JoinHostPort(n.HostName, "443")
+	// Keep port selection in sync with dialNode.
+	port := "443"
+	if !c.useHTTPS() {
+		port = "3340"
+	}
+	if n.DERPPort != 0 {
+		port = fmt.Sprint(n.DERPPort)
+	}
+	target := net.JoinHostPort(n.HostName, port)

 	var authHeader string
 	if buildfeatures.HasUseProxy {