tailscale zta: use x-forwarded-for value if present and valid #2603
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In trying to set up a livebook instance on our tailnet, we noticed that a direct connections over
http
to the service would identify users correctly, but a reverse-proxied connection overhttps
would identify everyone as the user who created the tailscale key in use by the instance. This is because we had configured an nginx server to terminate TLS with the cert/key fromtailscale cert
, and then rev-proxy to livebook. Even though traffic over tailnets is encrypted already, it is by design transparent to browsers who can still complain abouthttp
. So, in our nginx conf, we had set the request header:However,
Livebook.ZTA.Tailscale
had no knowledge of this header. This PR adds a couple tests to simulate the situation and a new private function in the module to fetch the correct IP to use when queryingtailscaled
.