Support no_tailscale build tag, added local manual Makefile test for tailscale host

Author: ldemailly

Makefile

@@ -1,14 +1,15 @@
 
 test:
 	go test -race ./...
+	go test -race -tags no_tailscale ./...
 	go run -race . version
 
 test-local:
 	go run -race . -h2 -config-dir sampleConfig/ -redirect-port :8081 -https-port :8443 -http-port :8001
 
 
 docker-test:
-	GOOS=linux go build
+	GOOS=linux go build -tags no_tailscale
 	docker build . --tag fortio/proxy:test
 	docker run -v `pwd`/sampleConfig:/etc/fortio-proxy-config fortio/proxy:test
 
@@ -32,6 +33,11 @@ dev-h2c:
 		-debug-host "debug.fortio.org" \
 		 -routes.json '[{"host":"*", "destination":"http://localhost:8080/"}]'
 
+TAILSCALE_SERVERNAME=$(shell tailscale status --json | jq -r '.Self.DNSName | sub("\\.$$"; "")')
+dev-tailscale:
+	@echo "Visit https://$(TAILSCALE_SERVERNAME)/"
+	go run -race . -loglevel debug -hostid local -certs-domains $(TAILSCALE_SERVERNAME) -debug-host $(TAILSCALE_SERVERNAME)
+
 dev:
 	# Run: curl -H "Host: debug.fortio.org" http://localhost:8001/debug
 	# and curl -H "Host: debug.fortio.org" http://localhost:8000/foo (no redirect with that host header)

README.md

@@ -22,6 +22,8 @@ go install fortio.org/proxy@latest
 sudo setcap CAP_NET_BIND_SERVICE=+eip $(which proxy)
 ```
 
+If you don't need or want the tailscale support, add `-tags no_tailscale` for a much smaller binary.
+
 You can also download one of the many binary [releases](https://github.com/fortio/proxy/releases)
 
 We publish a multi architecture docker image (linux/amd64, linux/arm64) `docker run fortio/proxy`

config/no_tailscale.go

@@ -0,0 +1,12 @@
+//go:build no_tailscale
+// +build no_tailscale
+
+package config
+
+func IsTailscale(_ string) bool {
+	return false
+}
+
+func Tailscale() CertGetter {
+	return nil
+}

config/tailscale.go

@@ -1,6 +1,15 @@
+//go:build !no_tailscale
+// +build !no_tailscale
+
 package config
 
-import "strings"
+// build constraints
+
+import (
+	"strings"
+
+	"tailscale.com/client/tailscale"
+)
 
 // Suffix for server names which will use the tailscale client instead of the autocert client.
 // Not expected to be changed but just in case.
@@ -11,3 +20,9 @@ var TailscaleSuffix = ".ts.net"
 func IsTailscale(serverName string) bool {
 	return strings.HasSuffix(serverName, TailscaleSuffix)
 }
+
+var tcert = &tailscale.LocalClient{}
+
+func Tailscale() CertGetter {
+	return tcert
+}

config/tailscale_common.go

@@ -0,0 +1,7 @@
+package config
+
+import "crypto/tls"
+
+type CertGetter interface {
+	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+}

config/tailscale_test.go

@@ -1,3 +1,6 @@
+//go:build !no_tailscale
+// +build !no_tailscale
+
 package config_test
 
 import (

proxy_main.go

@@ -24,7 +24,6 @@ import (
 	"fortio.org/proxy/rp"
 	"fortio.org/scli"
 	"golang.org/x/crypto/acme/autocert"
-	"tailscale.com/client/tailscale"
 )
 
 var (
@@ -36,7 +35,6 @@ var (
 	redirect       = flag.String("redirect-port", ":80", "`port` to listen on for redirection")
 	httpPort       = flag.String("http-port", "disabled", "`port` to listen on for non tls traffic (or 'disabled')")
 	acert          *autocert.Manager
-	tcert          = &tailscale.LocalClient{}
 )
 
 func hostPolicy(_ context.Context, host string) error {
@@ -57,7 +55,7 @@ func debugGetCert(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 		if err := hostPolicy(context.Background(), hello.ServerName); err != nil {
 			return nil, err
 		}
-		return tcert.GetCertificate(hello)
+		return config.Tailscale().GetCertificate(hello)
 	}
 	return acert.GetCertificate(hello)
 }