tailscale · patrickod · Dec 18, 2023 · Dec 8, 2023 · Dec 8, 2023 · Dec 11, 2023
diff --git a/golink.go b/golink.go
@@ -158,6 +158,7 @@ func Run() error {
 		return errors.New("--hostname, if specified, cannot be empty")
 	}
 
+	// create tsNet server and wait for it to be ready & connected.
 	srv := &tsnet.Server{
 		ControlURL: *controlURL,
 		Hostname:   *hostname,
@@ -169,17 +170,55 @@ func Run() error {
 	if err := srv.Start(); err != nil {
 		return err
 	}
+
 	localClient, _ = srv.LocalClient()
+out:
+	for {
+		upCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		status, err := srv.Up(upCtx)
+		if err == nil && status != nil {
+			break out
+		}
+	}
 
-	l80, err := srv.Listen("tcp", ":80")
+	statusCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	status, err := localClient.Status(statusCtx)
 	if err != nil {
 		return err
 	}
+	enableTLS := status.Self.HasCap(tailcfg.CapabilityHTTPS)
+	fqdn := strings.TrimSuffix(status.Self.DNSName, ".")
 
+	httpHandler := serveHandler()
+	if enableTLS {
+		httpsHandler := HSTS(httpHandler)
+		httpHandler = redirectHandler(fqdn)
+
+		httpsListener, err := srv.ListenTLS("tcp", ":443")
+		if err != nil {
+			return err
+		}
+		log.Println("Listening on :443")
+		go func() {
+			log.Printf("Serving https://%s/ ...", fqdn)
+			if err := http.Serve(httpsListener, httpsHandler); err != nil {
+				log.Fatal(err)
+			}
+		}()
+	}
+
+	httpListener, err := srv.Listen("tcp", ":80")
+	log.Println("Listening on :80")
+	if err != nil {
+		return err
+	}
 	log.Printf("Serving http://%s/ ...", *hostname)
-	if err := http.Serve(l80, serveHandler()); err != nil {
+	if err := http.Serve(httpListener, httpHandler); err != nil {
 		return err
 	}
+
 	return nil
 }
 
@@ -286,6 +325,30 @@ func deleteLinkStats(link *Link) {
 	db.DeleteStats(link.Short)
 }
 
+// redirectHandler returns the http.Handler for serving all plaintext HTTP
+// requests. It redirects all requests to the HTTPs version of the same URL.
+func redirectHandler(hostname string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, (&url.URL{Scheme: "https", Host: hostname, Path: r.URL.Path}).String(), http.StatusFound)
+	})
+}
+
+// HSTS wraps the provided handler and sets Strict-Transport-Security header on
+// responses. It inspects the Host header to ensure we do not specify HSTS
+// response on non fully qualified domain name origins.
+func HSTS(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		host, found := r.Header["Host"]
+		if found {
+			host := host[0]
+			if strings.Contains(host, ".") {
+				w.Header().Set("Strict-Transport-Security", "max-age=31536000")
+			}
+		}
+		h.ServeHTTP(w, r)
+	})
+}
+
 // serverHandler returns the main http.Handler for serving all requests.
 func serveHandler() http.Handler {
 	mux := http.NewServeMux()

diff --git a/golink_test.go b/golink_test.go
@@ -524,3 +524,41 @@ func TestResolveLink(t *testing.T) {
 		})
 	}
 }
+
+func TestNoHSTSShortDomain(t *testing.T) {
+	var err error
+	db, err = NewSQLiteDB(":memory:")
+	if err != nil {
+		t.Fatal(err)
+	}
+	db.Save(&Link{Short: "foobar", Long: "http://foobar/"})
+
+	tests := []struct {
+		host       string
+		expectHsts bool
+	}{
+		{
+			host:       "go",
+			expectHsts: false,
+		},
+		{
+			host:       "go.prawn-universe.ts.net",
+			expectHsts: true,
+		},
+	}
+	for _, tt := range tests {
+		name := "HSTS: " + tt.host
+		t.Run(name, func(t *testing.T) {
+			r := httptest.NewRequest("GET", "/foobar", nil)
+			r.Header.Add("Host", tt.host)
+
+			w := httptest.NewRecorder()
+			HSTS(serveHandler()).ServeHTTP(w, r)
+
+			_, found := w.Header()["Strict-Transport-Security"]
+			if found != tt.expectHsts {
+				t.Errorf("HSTS expectation: domain %s want: %t got: %t", tt.host, tt.expectHsts, found)
+			}
+		})
+	}
+}
diff --git a/tmpl/help.html b/tmpl/help.html
@@ -114,15 +114,15 @@ <h2 id="api">Application Programming Interface (API)</h2>
 Visit <a href="/.export">go/.export</a> to export all saved links and their metadata in <a href="https://jsonlines.org/">JSON Lines format</a>.
 This is useful to create data snapshots that can be restored later.
 
-<pre>{{`$ curl go/.export
+<pre>{{`$ curl -L go/.export
 {"Short":"go","Long":"http://go","Created":"2022-05-31T13:04:44.741457796-07:00","LastEdit":"2022-05-31T13:04:44.741457796-07:00","Owner":"[email protected]","Clicks":1}
 {"Short":"slack","Long":"https://company.slack.com/{{if .Path}}channels/{{PathEscape .Path}}{{end}}","Created":"2022-06-17T18:05:43.562948451Z","LastEdit":"2022-06-17T18:06:35.811398Z","Owner":"[email protected]","Clicks":4}`}}
 </pre>
 
 <p>
 Create a new link by sending a POST request with a <code>short</code> and <code>long</code> value:
 
-<pre>{{`$ curl -d short=cs -d long=https://cs.github.com/ go
+<pre>{{`$ curl -L -d short=cs -d long=https://cs.github.com/ go
 {"Short":"cs","Long":"https://cs.github.com/","Created":"2022-06-03T22:15:29.993978392Z","LastEdit":"2022-06-03T22:15:29.993978392Z","Owner":"[email protected]"}`}}
 </pre>