cmd/tclipd: Implement disableHTTPS option (#57)

* WIP impl of disableHttps

* Check whether HTTPS is supposed to be disabled when it fails

* rename httpsURL to tclipURL

* README: Run prettier

* cmd/tclipd: rename disableHttps to disableHTTPS

* cmd/tclipd: remove accidental commit

README.md

@@ -14,24 +14,27 @@ number of pastes.
 You can then test your changes to tclip by running `go run
 ./cmd/tclipd` or `go run ./cmd/tclip` as appropriate.
 
-Note that for the first run of `./cmd/tclipd`, you *must* set
+Note that for the first run of `./cmd/tclipd`, you _must_ set
 either the `TS_AUTHKEY` environment variable, or run it with
 `--tsnet-verbose` to get the login URL for Tailscale.
 
 ## Building for prod
 
 The web server:
+
 ```
 nix build .#tclipd
 ```
 
 The docker image:
+
 ```
 nix build .#docker
 docker load < ./result
 ```
 
 The portable service image:
+
 ```
 nix build .#portable-service
 ```
@@ -42,14 +45,15 @@ These configuration options are available as command-line flags and
 environment variables. All of them are optional.
 
 | Command-line flag    | Environment variable | Default value               | Description                                                                                                  |
-|----------------------|----------------------|-----------------------------|--------------------------------------------------------------------------------------------------------------|
+| -------------------- | -------------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------ |
 | `-hostname`          | `TSNET_HOSTNAME`     | `paste`                     | The hostname to use on your tailnet.                                                                         |
 | `-data-location`     | `DATA_DIR`           | `~/.config/tailscale/paste` | Where program data is stored.                                                                                |
 | `-tsnet-verbose`     | `TSNET_VERBOSE`      | `false`                     | If set, tsnet will log verbosely to stderr.                                                                  |
 | `-use-funnel`        | `USE_FUNNEL`         | `false`                     | If set, expose individual pastes to the public internet with [Funnel](https://tailscale.com/kb/1223/funnel). |
 | `-hide-funnel-users` | `HIDE_FUNNEL_USERS`  | `false`                     | If set, don't display the username and profile picture of the user who created the paste in funneled pastes. |
 | `-http-port`         | `HTTP_PORT`          | unset                       | If set, expose individual pastes on a HTTP server running on the given port.                                 |
-| `-control-url`       | `TSNET_CONTROL_URL`  | unset                     | If set, a custom control server to use, e.g. for Headscale users. |
+| `-control-url`       | `TSNET_CONTROL_URL`  | unset                       | If set, a custom control server to use, e.g. for Headscale users.                                            |
+| `-disable-https`     | `DISABLE_HTTPS`      | `false`                     | If set, disable serving on HTTPS with Server. Useful for Headscale deployments.                              |
 
 ## Deploying
 

cmd/tclipd/main.go

@@ -42,6 +42,7 @@ var (
 	hidePasteUserInfo = flag.Bool("hide-funnel-users", hasEnv("HIDE_FUNNEL_USERS"), "if set, display the username and profile picture of the user who created the paste in funneled pastes")
 	httpPort          = flag.String("http-port", envOr("HTTP_PORT", ""), "optional http port to start an http server on, e.g for reverse proxies. will only serve funnel endpoints")
 	controlUrl        = flag.String("control-url", envOr("TSNET_CONTROL_URL", ""), "optional alternate control server URL to use, for e.g. headscale")
+	disableHTTPS      = flag.Bool("disable-https", hasEnv("DISABLE_HTTPS"), "disable http serve, required for Headscale support")
 
 	//go:embed schema.sql
 	sqlSchema string
@@ -84,7 +85,7 @@ type Server struct {
 	lc       *tailscale.LocalClient // localclient to tsnet server
 	db       *sql.DB                // SQLite datastore
 	tmpls    *template.Template     // HTML templates
-	httpsURL string                 // the tailnet/public base URL of this service
+	tclipURL string                 // the tailnet/public base URL of this service
 }
 
 func (s *Server) TailnetIndex(w http.ResponseWriter, r *http.Request) {
@@ -264,12 +265,18 @@ VALUES
 
 	log.Printf("new paste: %s", id)
 
+	protocol := "https"
+
+	if *disableHTTPS {
+		protocol = "http"
+	}
+
 	switch r.Header.Get("Accept") {
 	case "text/plain":
 		w.WriteHeader(http.StatusOK)
-		fmt.Fprintf(w, "https://%s/paste/%s", s.httpsURL, id)
+		fmt.Fprintf(w, "%s://%s/paste/%s", protocol, s.tclipURL, id)
 	default:
-		http.Redirect(w, r, fmt.Sprintf("https://%s/paste/%s", s.httpsURL, id), http.StatusSeeOther)
+		http.Redirect(w, r, fmt.Sprintf("%s://%s/paste/%s", protocol, s.tclipURL, id), http.StatusSeeOther)
 	}
 
 }
@@ -712,10 +719,14 @@ func main() {
 	}
 
 	ctx := context.Background()
-	httpsURL, ok := lc.ExpandSNIName(ctx, *hostname)
+	tclipURL, ok := lc.ExpandSNIName(ctx, *hostname)
 	if !ok {
-		log.Println(httpsURL)
-		log.Fatal("HTTPS is not enabled in the admin panel")
+		if *disableHTTPS {
+			tclipURL = *hostname
+		} else {
+			log.Println(tclipURL)
+			log.Fatal("HTTPS is not enabled in the admin panel")
+		}
 	}
 
 	ln, err := s.Listen("tcp", ":80")
@@ -725,7 +736,7 @@ func main() {
 
 	tmpls := template.Must(template.ParseFS(templateFiles, "tmpl/*.html"))
 
-	srv := &Server{lc, db, tmpls, httpsURL}
+	srv := &Server{lc, db, tmpls, tclipURL}
 
 	tailnetMux := http.NewServeMux()
 	tailnetMux.Handle("/static/", http.FileServer(http.FS(staticFiles)))
@@ -742,12 +753,17 @@ func main() {
 	funnelMux.HandleFunc("/paste/", srv.ShowPost)
 
 	log.Printf("listening on http://%s", *hostname)
-	go func() { log.Fatal(http.Serve(ln, tailnetMux)) }()
 	if *httpPort != "" {
 		log.Printf("listening on :%s", *httpPort)
 		go func() { log.Fatal(http.ListenAndServe(":"+*httpPort, funnelMux)) }()
 	}
 
+	if *disableHTTPS {
+		log.Fatal(http.Serve(ln, tailnetMux))
+	} else {
+		go func() { log.Fatal(http.Serve(ln, tailnetMux)) }()
+	}
+
 	if *useFunnel {
 		log.Println("trying to listen on funnel")
 		ln, err := s.ListenFunnel("tcp", ":443")
@@ -756,7 +772,7 @@ func main() {
 		}
 		defer ln.Close()
 
-		log.Printf("listening on https://%s", httpsURL)
+		log.Printf("listening on https://%s", tclipURL)
 		log.Fatal(MixedCriticalityHandler{
 			Public:  funnelMux,
 			Private: tailnetMux,
@@ -767,7 +783,7 @@ func main() {
 			log.Fatal(err)
 		}
 		defer ln.Close()
-		log.Printf("listening on https://%s", httpsURL)
+		log.Printf("listening on https://%s", tclipURL)
 		log.Fatal(http.Serve(ln, tailnetMux))
 	}
 }