derp/derphttp: honor DERPNode.DERPPort in proxied CONNECT dial

dialNode picks the destination port from n.DERPPort when non-zero,
falling back to 443 (or 3340 when useHTTPS is false). The proxy path,
dialNodeUsingProxy, hardcoded "443" in the CONNECT target, so a DERP
server reachable only on a custom port was unreachable through
HTTPS_PROXY: the proxy would faithfully tunnel to :443 at the DERP
hostname, and TLS would either fail cert validation or talk to the
wrong service.

Mirror dialNode's port selection so both paths behave the same.

Fixes #19748

Signed-off-by: Martin Zihlmann <martizih@outlook.com>
Martin Zihlmann
2026-05-14 17:14:13 +02:00
parent 2a06fb66d0
commit 0e4c8fc920


@@ -867,7 +867,15 @@ func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, pr
} }
}() }()
target := net.JoinHostPort(n.HostName, "443") // Keep port selection in sync with dialNode.
port := "443"
if !c.useHTTPS() {
port = "3340"
}
if n.DERPPort != 0 {
port = fmt.Sprint(n.DERPPort)
}
target := net.JoinHostPort(n.HostName, port)
var authHeader string var authHeader string
if buildfeatures.HasUseProxy { if buildfeatures.HasUseProxy {