Initial commit

Author: malyn

.dockerignore

@@ -0,0 +1,14 @@
+/.git
+/.github
+/.vscode
+*.md
+.dockerignore
+.editorconfig
+.env
+.gitattributes
+.gitignore
+.prettierc
+Dockerfile
+fly.toml
+Justfile
+package*.json

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+indent_style = space
+insert_final_newline = false
+
+[*.md]
+indent_size = 4
+charset = utf-8
+trim_trailing_whitespace = false

.gitattributes

@@ -0,0 +1,3 @@
+# NPM files are always saved as LF, even on Windows.
+package.json text eol=lf
+package-lock.json text eol=lf

.gitignore

@@ -0,0 +1,3 @@
+/node_modules
+.DS_Store
+.env

.prettierrc

@@ -0,0 +1,10 @@
+{
+  "overrides": [
+    {
+      "files": ["*.md"],
+      "options": {
+        "proseWrap": "always"
+      }
+    }
+  ]
+}

.vscode/settings.json

@@ -0,0 +1,7 @@
+{
+  "editor.formatOnSave": true,
+  "editor.defaultFormatter": "esbenp.prettier-vscode",
+  "files.associations": {
+    "Justfile": "makefile"
+  }
+}

Dockerfile

@@ -0,0 +1,32 @@
+########################################################################
+## Ground Control
+########################################################################
+
+FROM ghcr.io/malyn/groundcontrol AS groundcontrol
+
+
+########################################################################
+## Tailscale
+########################################################################
+
+FROM tailscale/tailscale:v1.38.1 AS tailscale
+
+
+########################################################################
+## Final Image
+########################################################################
+
+FROM openresty/openresty:1.21.4.1-6-alpine-apk
+
+# Copy binaries, scripts, and config.
+WORKDIR /app
+
+COPY --from=groundcontrol /groundcontrol ./
+COPY --from=tailscale /usr/local/bin/tailscaled ./
+COPY --from=tailscale /usr/local/bin/tailscale ./
+
+COPY groundcontrol.toml ./
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+# Run Ground Control to monitor all of the processes.
+ENTRYPOINT ["/app/groundcontrol", "/app/groundcontrol.toml"]

Justfile

@@ -0,0 +1,19 @@
+# Just currently loads the `.env` file, but that will be changing, so we
+# are disabling it now since we do not need the functionality.
+set dotenv-load := false
+
+_default:
+    @just --list
+
+# Validate the nginx config.
+validate:
+    @docker build -t dialtun .
+    @docker run -it --rm \
+        --entrypoint "/usr/bin/openresty" \
+        dialtun \
+            -t
+
+# Run dialtun (including Tailscale).
+run:
+    @docker build -t dialtun .
+    @docker run -it --rm -p 8080:8080 --env-file .env dialtun

README.md

@@ -0,0 +1,150 @@
+# dialtun
+
+**Dynamic routing of public HTTPS endpoints to internal ports on your
+Tailscale-connected development machines.**
+
+`dialtun` maps server names in the form `SERVICE-MACHINE.example.com` (where
+`example.com` is any domain you control) to internal machines on your Tailnet.
+`MACHINE` is the exact name of a machine in the Tailscale network. `SERVICE` is
+mapped to a port number by referencing the labels on a (US-based) telephone
+dialpad:
+
+<pre style="font-family: Menlo; line-height: 1.2em;">
+┌─────────────────────────┐
+│ ┌─────┐ ┌─────┐ ┌─────┐ │
+│ │     │ │ ABC │ │ DEF │ │
+│ │  1  │ │  2  │ │  3  │ │
+│ └─────┘ └─────┘ └─────┘ │
+│ ┌─────┐ ┌─────┐ ┌─────┐ │
+│ │ GHI │ │ JKL │ │ MNO │ │
+│ │  4  │ │  5  │ │  6  │ │
+│ └─────┘ └─────┘ └─────┘ │
+│ ┌─────┐ ┌─────┐ ┌─────┐ │
+│ │PQRS │ │ TUV │ │WXYZ │ │
+│ │  7  │ │  8  │ │  9  │ │
+│ └─────┘ └─────┘ └─────┘ │
+│         ┌─────┐         │
+│         │     │         │
+│         │  0  │         │
+│         └─────┘         │
+└─────────────────────────┘
+</pre>
+
+A base port number -- 64000, by default -- is added to the first three numbers
+of the service name. The final result is that a domain name like
+"agendas-devbox1.dev.example.com" would map to port 64243 (64000 + 243) on the
+"devbox1" machine on your Tailnet.
+
+## Important Security Warning
+
+`dialtun` does _not_ authenticate incoming connections. Any port in the
+configured range (64000-64999, by default) is accessible on the public Internet.
+Tailscale ACLs are still consulted, but if you open port 64000 on your machine,
+then you should expect that random machines on the Internet _will_ connect to
+that port.
+
+In other words, goal of `dialtun` is not to create a _secure_ way to talk to
+your internal services -- use normal Tailscale sharing and ACLs for that -- the
+goal is agility and flexibility. The _assumption_ is that whatever you are
+exposing has its own auth model, or is a simple website that is not secret.
+
+## Setup Instructions
+
+### Create Tailscale ACL Tag
+
+Add an ACL tag to your
+[Tailscale Access Controls](https://login.tailscale.com/admin/acls):
+
+1. Add a new tag to the `tagOwners` list, something like this:
+
+    ```json
+    // ACL tags.
+    "tagOwners": {
+        "tag:dialtun": [],
+    },
+    ```
+
+2. Add a section for `dialtun` to the `acls` block (assuming you keep the
+   default port range of 64000-64999):
+
+    ```json
+    "acls": [
+        // ...
+
+        // dialtun can access dev server ports on all machines.
+        {
+            "action": "accept",
+            "src":    ["tag:dialtun"],
+            "dst":    ["autogroup:members:64000-64999"],
+        },
+
+        // ...
+    ],
+    ```
+
+3. (Optionally) Add an ACL test to verify that `dialtun` can access the dev
+   server ports, but not any other ports (such as SSH) on the dev machines (this
+   assumes a dev machine of "devbox1"):
+
+    ```json
+     "acls": [
+        // ...
+
+        // dialtun can access the dev ports on all machines (but not SSH).
+        {
+            "src":    "tag:dialtun",
+            "accept": ["devbox1:64243", "devbox1:64999"],
+            "deny":   ["devbox1:22"],
+        },
+
+        // ...
+     ],
+    ```
+
+### Create Tailscale Auth Key
+
+Create a Tailscale auth key. The key should be Reusable, Ephemeral, and include
+the `dialtun` tag that you defined earlier.
+
+### Create `dialtun` App in Fly.io
+
+_Create_ (but do not yet deploy, since we need to add secrets) the `dialtun` app
+on Fly.io:
+
+```shell
+$ flyctl launch --build-only --image ghcr.io/malyn/dialtun:latest
+```
+
+You can choose an app name, or go with the auto-generated default. The app name
+will not be used, assuming that you create the `CNAME` mapping in the next step.
+
+### Create Wildcard TLS Certificate
+
+Add an IP address to your app, then create a _wildcard_ TLS certificate; both
+will require adding DNS entries to your DNS server. This is documented on the
+Fly.io
+[Custom Domains and SSL Certificates page](https://fly.io/docs/app-guides/custom-domains-with-fly/).
+
+### Add Tailscale Auth Key to Fly.io App
+
+Add the Tailscale auth key secret to the app:
+
+```shell
+$ flyctl secrets import
+TS_AUTHKEY=tskey-auth-...
+<Ctrl-D>
+```
+
+Using `flyctl secrets import` means that your secrets will not show up in your
+shell's command history. Press `Control-D` on a blank line to complete the
+input. `flyctl` will respond with "Secrets are staged for the first deployment"
+
+### Deploy the Fly.io App
+
+Deploy the app:
+
+```shell
+$ flyctl deploy
+```
+
+That's it! You can then access internal machines using `dialtun` URLs.

groundcontrol.toml

@@ -0,0 +1,18 @@
+[[processes]]
+name = "tailscaled"
+run = [
+    "/app/tailscaled",
+    "--state=/data/tailscale/tailscaled.state",
+    "--socket=/var/run/tailscale/tailscaled.sock",
+    "--tun=userspace-networking",
+    "--outbound-http-proxy-listen=localhost:1055",
+]
+
+[[processes]]
+name = "tailscale-up"
+pre = "/app/tailscale up --authkey={{TS_AUTHKEY}}"
+post = "/app/tailscale logout"
+
+[[processes]]
+name = "dialtun"
+run = [ "/usr/bin/openresty", "-g", "daemon off; env DIALTUN_BASE_PORT;" ]

nginx.conf

@@ -0,0 +1,40 @@
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name ~^(?<dialtun_service>[A-Za-z]+)-(?<dialtun_host>[A-Za-z0-9\-]+)\.;
+
+    location / {
+        if ($dialtun_service = "") {
+            return 400;
+        }
+
+        if ($dialtun_host = "") {
+            return 400;
+        }
+
+        set_by_lua_block $backend {
+            local DIGITS = {
+                                  A=2,B=2,C=2,  D=3,E=3,F=3,
+                G=4,H=4,I=4,      J=5,K=5,L=5,  M=6,N=6,O=6,
+                P=7,Q=7,R=7,S=7,  T=8,U=8,V=8,  W=9,X=9,Y=9,Z=9
+            }
+
+            local letters = string.gsub(string.upper(ngx.var.dialtun_service), "[^A-Z]", "")
+            local prefix = string.sub(letters, 1, 3)
+            local numbers = string.gsub(prefix, "[A-Z]", DIGITS)
+
+            return ngx.var.dialtun_host .. ':' .. ((os.getenv("DIALTUN_BASE_PORT") or "64000") + numbers);
+        }
+
+        # We need the final URI to be absolute, but if we do the rewrite
+        # in a single pass then NGINX will see the `http://` prefix and
+        # generate a (302) redirect. The fix is to build the absolute
+        # URI in two `redirect` statements so that the NGINX logic will
+        # not trigger.
+        rewrite ^(.*)$ "://$backend$1";
+        rewrite ^(.*)$ "http$1" break;
+
+        proxy_pass http://localhost:1055;
+    }
+}

package-lock.json

@@ -0,0 +1,6 @@
+{
+  "name": "dialtun",
+  "devDependencies": {
+    "prettier": "2.8.0"
+  }
+}