update

Author: hhftechnology

.traefik.yml

@@ -1,111 +1,11 @@
 displayName: Tailscale Connectivity Authentication
 type: middleware
-iconPath: .assets/icon.png
 
 import: github.com/hhftechnology/tailscale-access
 
-summary: 'Smart Tailscale authentication using real connectivity testing instead of unreliable IP checking'
+summary: Smart Tailscale authentication using real connectivity testing instead of unreliable IP checking
 
 testData:
-  testDomain: "example.ts.net"
-  sessionTimeout: "24h"
-  allowLocalhost: true
-  enableDebugLogging: false
-  customErrorMessage: "Tailscale VPN connection required to access this service"
-  successMessage: "Tailscale connectivity verified! Redirecting..."
-  secureOnly: true
-  cookieDomain: ""
-
-compatibility:
-  traefik: ">=3.0.0"
-
-description: |
-  # Tailscale Connectivity Authentication
-
-  A revolutionary Traefik middleware that provides secure access control by **actually testing Tailscale connectivity** 
-  rather than relying on unreliable IP address detection.
-
-  ## Key Features
-
-  🎯 **Real Connectivity Testing** - Tests actual ability to reach your Tailscale network, not just IP ranges
-  🔄 **Proxy-Agnostic** - Works regardless of reverse proxies, containers, or network complexity  
-  🎨 **Beautiful UI** - Modern verification interface with real-time feedback
-  🔒 **Secure Sessions** - Cryptographically secure session management
-  ⚡ **High Performance** - Minimal overhead for verified users
-  🛠 **Highly Configurable** - Custom styling, messages, timeouts, and behavior
-
-  ## How It Works
-
-  1. Intercepts requests to protected resources
-  2. Checks for valid verification session
-  3. If unverified, serves interactive verification page
-  4. JavaScript tests connectivity to your `.ts.net` domain
-  5. Creates secure session on successful verification
-  6. Allows access with session cookie
-
-  ## Configuration
-
-  ```yaml
-  http:
-    middlewares:
-      tailscale-auth:
-        plugin:
-          tailscale-connectivity:
-            testDomain: "your-company.ts.net"  # Required
-            sessionTimeout: "24h"
-            allowLocalhost: true
-            customErrorMessage: "VPN connection required"
-  ```
-
-  ## Why This Approach Is Superior
-
-  Traditional IP-based authentication fails in modern networking:
-  - Multiple reverse proxies mangle client IPs
-  - Container networking obscures real IPs  
-  - Cloud load balancers replace source IPs
-  - Headers can be spoofed by malicious actors
-
-  Our connectivity-based approach actually verifies real Tailscale access regardless of network complexity.
-
-author:
-  name: "HHF Technology"
-  email: "support@hhf.technology"
-
-keywords:
-  - tailscale
-  - vpn
-  - authentication
-  - security
-  - access-control
-  - middleware
-  - connectivity-testing
-
-documentation: https://github.com/hhftechnology/tailscale-access/blob/main/README.md
-repository: https://github.com/hhftechnology/tailscale-access
-issues: https://github.com/hhftechnology/tailscale-access/issues
-
-changelog:
-  - version: "2.0.0"
-    date: "2025-05-26"
-    changes:
-      - "🎉 Complete rewrite using connectivity-based verification"
-      - "🎨 Beautiful modern verification UI with real-time feedback"
-      - "🔒 Secure session management with cryptographic tokens"
-      - "⚡ Multi-method connectivity testing (fetch, image, WebSocket)"
-      - "🛠 Extensive customization options (CSS, messages, timeouts)"
-      - "🐳 Enhanced Docker and Kubernetes integration examples"
-      - "📚 Comprehensive documentation and troubleshooting guide"
-      - "🔧 Removed unreliable IP-based detection completely"
-    breaking:
-      - "Configuration format changed from IP ranges to domain testing"
-      - "Session-based authentication replaces per-request IP checking"
-      - "JavaScript-based verification requires client browser support"
-
-  - version: "1.0.0"
-    date: "2025-05-15"
-    changes:
-      - "Initial release with IP-based authentication"
-      - "Support for Tailscale IP range detection"
-      - "Header-based IP extraction for proxy environments"
-    deprecated: true
-    reason: "IP-based approach unreliable in modern networking environments"
+  testDomain: example.ts.net
+  sessionTimeout: 24h
+  allowLocalhost: true

tailscale-access.go

@@ -19,8 +19,11 @@ type Config struct {
 	// Custom verification endpoint (optional)
 	VerificationEndpoint string `json:"verificationEndpoint,omitempty"`
 
-	// Session timeout for verified connections
-	SessionTimeout time.Duration `json:"sessionTimeout,omitempty"`
+	// Session timeout for verified connections (in seconds)
+	SessionTimeoutSeconds int `json:"sessionTimeoutSeconds,omitempty"`
+	
+	// Session timeout as duration string (e.g., "24h", "30m") - will be converted to seconds
+	SessionTimeout string `json:"sessionTimeout,omitempty"`
 
 	// Custom error messages
 	CustomErrorMessage string `json:"customErrorMessage,omitempty"`
@@ -44,32 +47,51 @@ type Config struct {
 
 func CreateConfig() *Config {
 	return &Config{
-		TestDomain:         "your-tailscale-network.ts.net", // User should configure this
-		SessionTimeout:     24 * time.Hour,
-		CustomErrorMessage: "Tailscale connection required to access this service",
-		SuccessMessage:     "Tailscale connectivity verified! Redirecting...",
-		EnableDebugLogging: false,
-		AllowLocalhost:     true,
-		SecureOnly:         true,
-		RequireUserAgent:   true,
+		TestDomain:            "your-tailscale-network.ts.net", // User should configure this
+		SessionTimeout:        "24h",
+		SessionTimeoutSeconds: 86400, // 24 hours in seconds as fallback
+		CustomErrorMessage:    "Tailscale connection required to access this service",
+		SuccessMessage:        "Tailscale connectivity verified! Redirecting...",
+		EnableDebugLogging:    false,
+		AllowLocalhost:        true,
+		SecureOnly:            true,
+		RequireUserAgent:      true,
 	}
 }
 
 type TailscaleConnectivityAuth struct {
-	next    http.Handler
-	name    string
-	config  *Config
-	secrets map[string]time.Time // Simple in-memory session store
+	next            http.Handler
+	name            string
+	config          *Config
+	sessionTimeout  time.Duration // Parsed duration for internal use
+	secrets         map[string]time.Time // Simple in-memory session store
 }
 
 func New(_ context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
-	// Apply defaults
+	// Apply defaults and validate
 	if config.TestDomain == "" {
 		return nil, fmt.Errorf("testDomain must be configured")
 	}
-	if config.SessionTimeout == 0 {
-		config.SessionTimeout = 24 * time.Hour
+	
+	// Parse session timeout
+	var sessionTimeout time.Duration
+	var err error
+	
+	if config.SessionTimeout != "" {
+		// Try to parse duration string (e.g., "24h", "30m")
+		sessionTimeout, err = time.ParseDuration(config.SessionTimeout)
+		if err != nil {
+			return nil, fmt.Errorf("invalid sessionTimeout format: %v (use format like '24h', '30m', '45s')", err)
+		}
+	} else if config.SessionTimeoutSeconds > 0 {
+		// Use seconds if provided
+		sessionTimeout = time.Duration(config.SessionTimeoutSeconds) * time.Second
+	} else {
+		// Default to 24 hours
+		sessionTimeout = 24 * time.Hour
 	}
+	
+	// Apply other defaults
 	if config.CustomErrorMessage == "" {
 		config.CustomErrorMessage = "Tailscale connection required to access this service"
 	}
@@ -78,10 +100,11 @@ func New(_ context.Context, next http.Handler, config *Config, name string) (htt
 	}
 
 	return &TailscaleConnectivityAuth{
-		next:    next,
-		name:    name,
-		config:  config,
-		secrets: make(map[string]time.Time),
+		next:           next,
+		name:           name,
+		config:         config,
+		sessionTimeout: sessionTimeout,
+		secrets:        make(map[string]time.Time),
 	}, nil
 }
 
@@ -151,7 +174,7 @@ func (t *TailscaleConnectivityAuth) handleVerification(rw http.ResponseWriter, r
 	if status == "success" {
 		// Generate verification token
 		token := t.generateToken()
-		expiry := time.Now().Add(t.config.SessionTimeout)
+		expiry := time.Now().Add(t.sessionTimeout)
 		t.secrets[token] = expiry
 
 		// Set secure cookie
@@ -305,49 +328,59 @@ func (t *TailscaleConnectivityAuth) generateVerificationHTML(originalURL string)
             verificationAttempts++;
             
             try {
-                // Test 1: Try to fetch from the Tailscale domain
-                const testUrl = 'https://' + testDomain + '/';
+                // Test 1: Try HTTP first (more reliable for Tailscale domains)
+                const httpUrl = 'http://' + testDomain + '/';
                 
-                // Use fetch with a timeout
-                const controller = new AbortController();
-                const timeoutId = setTimeout(() => controller.abort(), 5000);
+                const controllerHttp = new AbortController();
+                const timeoutIdHttp = setTimeout(() => controllerHttp.abort(), 5000);
                 
-                const response = await fetch(testUrl, {
+                const httpResponse = await fetch(httpUrl, {
                     method: 'GET',
-                    mode: 'no-cors', // This allows the request even if CORS fails
+                    mode: 'no-cors',
                     cache: 'no-cache',
-                    signal: controller.signal
+                    signal: controllerHttp.signal
                 });
                 
-                clearTimeout(timeoutId);
-                
-                // If we get here, the domain is reachable
-                await reportVerificationResult(true, 'Tailscale domain reachable');
+                clearTimeout(timeoutIdHttp);
+                await reportVerificationResult(true, 'Tailscale domain reachable via HTTP');
                 
-            } catch (error) {
-                console.log('Primary test failed:', error.message);
+            } catch (httpError) {
+                console.log('HTTP test failed:', httpError.message);
                 
-                // Test 2: Try alternative method - image loading
+                // Test 2: Try HTTPS fallback
                 try {
-                    await testImageLoad();
-                    await reportVerificationResult(true, 'Tailscale connectivity confirmed via image test');
-                } catch (imgError) {
-                    console.log('Image test failed:', imgError.message);
+                    const httpsUrl = 'https://' + testDomain + '/';
+                    const controllerHttps = new AbortController();
+                    const timeoutIdHttps = setTimeout(() => controllerHttps.abort(), 5000);
+                    
+                    const httpsResponse = await fetch(httpsUrl, {
+                        method: 'GET',
+                        mode: 'no-cors',
+                        cache: 'no-cache',
+                        signal: controllerHttps.signal
+                    });
                     
-                    // Test 3: Try WebSocket if available
+                    clearTimeout(timeoutIdHttps);
+                    await reportVerificationResult(true, 'Tailscale domain reachable via HTTPS');
+                    
+                } catch (httpsError) {
+                    console.log('HTTPS test failed:', httpsError.message);
+                    
+                    // Test 3: Try image loading with HTTP first
                     try {
-                        await testWebSocket();
-                        await reportVerificationResult(true, 'Tailscale connectivity confirmed via WebSocket');
-                    } catch (wsError) {
-                        console.log('WebSocket test failed:', wsError.message);
-                        await reportVerificationResult(false, error.message + ' (all tests failed)');
+                        await testImageLoad();
+                        await reportVerificationResult(true, 'Tailscale connectivity confirmed via image test');
+                    } catch (imgError) {
+                        console.log('Image test failed:', imgError.message);
+                        await reportVerificationResult(false, 'All connectivity tests failed. HTTP: ' + httpError.message + ', HTTPS: ' + httpsError.message);
                     }
                 }
             }
         }
 
         function testImageLoad() {
             return new Promise((resolve, reject) => {
+                // Try HTTP first (more reliable for Tailscale)
                 const img = new Image();
                 const timeout = setTimeout(() => {
                     reject(new Error('Image load timeout'));
@@ -360,11 +393,28 @@ func (t *TailscaleConnectivityAuth) generateVerificationHTML(originalURL string)
                 
                 img.onerror = () => {
                     clearTimeout(timeout);
-                    reject(new Error('Image load failed'));
+                    // Try HTTPS fallback
+                    const img2 = new Image();
+                    const timeout2 = setTimeout(() => {
+                        reject(new Error('Image load failed (both HTTP and HTTPS)'));
+                    }, 3000);
+                    
+                    img2.onload = () => {
+                        clearTimeout(timeout2);
+                        resolve();
+                    };
+                    
+                    img2.onerror = () => {
+                        clearTimeout(timeout2);
+                        reject(new Error('Image load failed (both HTTP and HTTPS)'));
+                    };
+                    
+                    // Try HTTPS as fallback
+                    img2.src = 'https://' + testDomain + '/favicon.ico?t=' + Date.now();
                 };
                 
-                // Try to load a favicon or small image from the Tailscale domain
-                img.src = 'https://' + testDomain + '/favicon.ico?t=' + Date.now();
+                // Try HTTP first
+                img.src = 'http://' + testDomain + '/favicon.ico?t=' + Date.now();
             });
         }