
What IP and port from RemoteAddr is the WhoIs function checking against on Tailscale side? #12

Closed
kdevan opened this issue Mar 7, 2023 · 6 comments

Comments

@kdevan
Contributor

kdevan commented Mar 7, 2023

For this line: https://github.com/tailscale/caddy-tailscale/blob/main/module.go#L185

What is the RemoteAddr that's being passed checking against on the Tailscale side of things? If it's the Tailscale IPv4 then what is the port supposed to be in this case? If it's an endpoint in the Endpoints section, then where is the correct port supposed to come from?

I think I'm just not understanding what's supposed to be on the other side of the Caddy proxy. In my case I'm trying to put a public domain on the other side of this, so I have an Endpoint IP (client IP) and no port (80 or 443 rather but not a port from the client). Is there any way to make this work with just an Endpoint/client IP?

module.go
info, err := client.WhoIs(r.Context(), r.RemoteAddr)

localclient.go Tailscale 1.36.2

// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
	if err != nil {
		return nil, err
	}
	return decodeJSON[*apitype.WhoIsResponse](body)
}

The comment above implies it might work with only an IP, but without the port we get this error: "400 Bad Request: invalid 'addr' parameter". With a port it will do the authorization check.

@kdevan kdevan changed the title What RemoteAddr is the WhoIs function checking against on Tailscale side? What IP and port from RemoteAddr is the WhoIs function checking against on Tailscale side? Mar 8, 2023
@bradfitz
Member

bradfitz commented Mar 8, 2023

It accepts either an IP or an IP:port.

If it's just a Tailscale IP (CGNAT range or Tailscale IPv6 ULA range) then you don't need a port.

If the IP is the loopback interface, you need the port. This then maps the identity back through the userspace networking proxy.

@kdevan
Contributor Author

kdevan commented Mar 8, 2023

I believe I tried the Tailscale IP; I just passed it directly instead of RemoteAddr to see if it works, and I still got the "400 Bad Request: invalid 'addr' parameter" error. But with the information you've provided I'll do some double checking on my end.

The Tailscale IPv4 from the screenshot below is what I'm trying. And it would be very helpful if you could clarify: are the IPs listed in the Endpoints section here from the loopback interface? If so, where does that port number come from? How is it determined?

[Screenshot from 2023-03-07 17-29-15]

@bradfitz
Member

bradfitz commented Mar 8, 2023

You're going to have to be more specific. What value are you sending? It should look like:

  • 100.102.103.104 (some IP in the CGNAT range)
  • 100.102.103.104:some-port
  • 127.0.0.1:some-port

(or IPv6 equivalent)

@kdevan
Contributor Author

kdevan commented Mar 8, 2023

What I'm trying to send is the client_ip as described here. I would be using a trusted proxy set up as described in this pull request, "I decided that the client_ip should always be set (as long as the RemoteAddr is a valid IP address). So in the logs, it will be identical to the remote_ip unless trusted proxies is configured and the proxy passed the client IP in a trusted header."

I see that my own client IP is listed in the Endpoints section for the machine I set up for myself, so I thought maybe the IP:port values in the Endpoints section might be part of this lookup. However, I'm getting the feeling that this is the wrong use case for the WhoIs lookup or that there might need to be an extra step before this to somehow go from client IP to Tailscale IP?

@bradfitz
Member

bradfitz commented Mar 8, 2023

Yeah, endpoint IPs are unrelated. WhoIs only wants a Tailscale IP or a localhost:port of a TCP src that tailscaled itself initiated to localhost when proxying an incoming connection.

Any other form of IP won't work.
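
The three accepted forms from the list above (Tailscale IP, Tailscale IP:port, loopback:port) and the rejection of everything else, as an added example in Go that is not code from caddy-tailscale or Tailscale: a pre-check that classifies an r.RemoteAddr-style string before it is handed to LocalClient.WhoIs, so a public client IP or an Endpoints-list IP is refused locally instead of producing tailscaled's "400 Bad Request: invalid 'addr' parameter". The prefixes 100.64.0.0/10 and fd7a:115c:a1e0::/48 are Tailscale's node address ranges; they are hardcoded here rather than imported from Tailscale's tsaddr package so the example runs stand-alone. The function ClassifyWhoIsAddr, the AddrKind type and ErrNotWhoIsAddr are hypothetical names introduced for this example, and the addresses in main are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Tailscale node address ranges (IPv4 CGNAT block and IPv6 ULA block).
// Hardcoded here instead of taken from tailscale.com/net/tsaddr so the
// example runs without the tailscale module.
var (
	cgnatRange = netip.MustParsePrefix("100.64.0.0/10")
	tsULARange = netip.MustParsePrefix("fd7a:115c:a1e0::/48")
)

// AddrKind is a hypothetical classification of the address forms WhoIs accepts.
type AddrKind int

const (
	KindTailscaleIP   AddrKind = iota // node address; port optional
	KindLoopbackProxy                 // loopback ip:port from tailscaled's userspace proxy
)

// ErrNotWhoIsAddr is returned for addresses WhoIs cannot resolve: Internet
// client IPs, endpoint IPs, loopback without a port, or unparseable input.
var ErrNotWhoIsAddr = errors.New("address is not a Tailscale IP or loopback ip:port")

// ClassifyWhoIsAddr (hypothetical helper) parses s, which may be an IP or an
// IP:port as found in http.Request.RemoteAddr, and returns the value to pass
// to LocalClient.WhoIs together with its kind.
func ClassifyWhoIsAddr(s string) (string, AddrKind, error) {
	ap, err := netip.ParseAddrPort(s)
	hasPort := err == nil
	var ip netip.Addr
	if hasPort {
		ip = ap.Addr()
	} else if ip, err = netip.ParseAddr(s); err != nil {
		return "", 0, fmt.Errorf("%w: %q is not an IP or IP:port", ErrNotWhoIsAddr, s)
	}
	// Go may present IPv4 as IPv4-mapped IPv6 (::ffff:100.64.1.2); compare the bare IPv4.
	ip = ip.Unmap()

	switch {
	case cgnatRange.Contains(ip) || tsULARange.Contains(ip):
		// A node address identifies the peer by itself; the port adds nothing,
		// so send the bare IP.
		return ip.String(), KindTailscaleIP, nil
	case ip.IsLoopback():
		// Loopback is only meaningful with the port: tailscaled maps the source
		// port of the connection it proxied to localhost back to the peer.
		if !hasPort {
			return "", 0, fmt.Errorf("%w: loopback %s needs a port", ErrNotWhoIsAddr, ip)
		}
		return netip.AddrPortFrom(ip, ap.Port()).String(), KindLoopbackProxy, nil
	}
	// Anything else (an Internet client IP, an IP from the Endpoints list,
	// a LAN IP) cannot be mapped to a Tailscale identity by WhoIs.
	return "", 0, fmt.Errorf("%w: %s", ErrNotWhoIsAddr, ip)
}

func main() {
	// Constructed sample inputs covering the forms discussed in the thread.
	for _, s := range []string{
		"100.102.103.104",
		"100.102.103.104:443",
		"[fd7a:115c:a1e0::1]:80",
		"127.0.0.1:54321",
		"127.0.0.1",
		"203.0.113.7:443", // a public client IP such as one from the Endpoints list
		"not-an-ip",
	} {
		addr, kind, err := ClassifyWhoIsAddr(s)
		if err != nil {
			fmt.Printf("%-24s -> reject: %v\n", s, err)
			continue
		}
		fmt.Printf("%-24s -> WhoIs(%q) kind=%d\n", s, addr, kind)
	}
}
```

Running the check before the WhoIs call keeps the failure local and explicit; in a Caddy handler the rejected case is the one to turn into a 403 (or a fallthrough to another auth method) rather than surfacing tailscaled's 400 to the client.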

@kdevan
Contributor Author

kdevan commented Mar 8, 2023

Thank you for all of the clarification. Much appreciated.

@kdevan kdevan closed this as completed Mar 8, 2023
2 participants