From 8223dd49b3489051d2f568a485b482831c666725 Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Mon, 3 Jun 2024 11:17:31 -0700
Subject: [PATCH] use tailscale cert manager with tailscale-proxy command
Instruct caddy to use the tailscale cert manager. Also add a --debug flag to enable debug logging with the tailscale-proxy command. Also remove a lingering `auto_https off` config in one of our examples. Fixes #27
Signed-off-by: Will Norris
---
command.go | 22 ++++++++++++++++++++++
examples/proxyauth.caddyfile | 1 -
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/command.go b/command.go
index 8d3481a..e34d69b 100644
--- a/command.go
+++ b/command.go
@@ -68,6 +68,7 @@ default, all incoming headers are passed through unmodified.)
 fs.Bool("change-host-header", false, "Set upstream Host header to address of upstream")
 fs.Bool("insecure", false, "Disable TLS verification (WARNING: DISABLES SECURITY BY NOT VERIFYING SSL CERTIFICATES!)")
 fs.Bool("internal-certs", false, "Use internal CA for issuing certs")
+ fs.Bool("debug", false, "Enable debug logging")
 return fs
 }(),
 })
@@ -81,6 +82,7 @@ func cmdTailscaleProxy(fs caddycmd.Flags) (int, error) {
 changeHost := fs.Bool("change-host-header")
 insecure := fs.Bool("insecure")
 internalCerts := fs.Bool("internal-certs")
+ debug := fs.Bool("debug")
 httpPort := strconv.Itoa(caddyhttp.DefaultHTTPPort)
 httpsPort := strconv.Itoa(caddyhttp.DefaultHTTPSPort)
@@ -205,6 +207,15 @@ func cmdTailscaleProxy(fs caddycmd.Flags) (int, error) {
 },
 }
 appsRaw["tls"] = caddyconfig.JSON(tlsApp, nil)
+ } else if tsBind {
+ tlsApp := caddytls.TLS{
+ Automation: &caddytls.AutomationConfig{
+ Policies: []*caddytls.AutomationPolicy{{
+ ManagersRaw: []json.RawMessage{json.RawMessage(`{"via": "tailscale"}`)},
+ }},
+ },
+ }
+ appsRaw["tls"] = caddyconfig.JSON(tlsApp, nil)
 }
 var false bool
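Review bot: The new `else if tsBind` branch is silently skipped when `--internal-certs` is also given, because it hangs off the `if` chain that starts above this hunk, and nothing tells the operator which cert source won. A short comment on the new branch would make the precedence and the prerequisite explicit, e.g. `// Bound to the tailnet: let the tailscale module fetch certs for this node's MagicDNS name from tailscaled (requires HTTPS certificates enabled for the tailnet). --internal-certs takes precedence when both flags are set.` The policy carries no `Subjects`, so it applies to every host this config serves; that is presumably intended for a tailnet-only listener but is worth stating. That the preceding branch is the `internalCerts` check is inferred from the flag parsing in the earlier hunk; the `if` starts outside this hunk, and cmdTailscaleProxy continues past it.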
@@ -216,6 +227,17 @@ func cmdTailscaleProxy(fs caddycmd.Flags) (int, error) {
 },
 AppsRaw: appsRaw,
 }
+ if debug {
+ cfg.Logging = &caddy.Logging{
+ Logs: map[string]*caddy.CustomLog{
+ "default": {
+ BaseLog: caddy.BaseLog{
+ Level: "DEBUG",
+ },
+ },
+ },
+ }
+ }
 err = caddy.Run(cfg)
 if err != nil {
diff --git a/examples/proxyauth.caddyfile b/examples/proxyauth.caddyfile
index 5f53622..0b023c7 100644
--- a/examples/proxyauth.caddyfile
+++ b/examples/proxyauth.caddyfile
@@ -10,7 +10,6 @@
 {
 order tailscale_auth after basicauth
- auto_https off
 tailscale {
 ephemeral # create all nodes as ephemeral
 }
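Review bot: Setting the `"default"` log to DEBUG raises verbosity for every Caddy module, not just this command, and, if I recall Caddy's reverse_proxy behaviour correctly, its debug output includes upstream request headers, which on a tailscale-proxy listener carry the identity headers the auth handler injects; the `--debug` help text ("Enable debug logging", earlier hunk) gives no hint of that. I would add a comment above the new block such as `// --debug: DEBUG on the "default" log affects all modules; reverse_proxy debug output can include request headers (incl. identity headers), so keep it off in production.` and consider saying the same in the flag's help string. The assignment replaces `cfg.Logging` wholesale, which is fine only because `cfg` is built fresh a few lines above; a Logging section later added to that literal would be overwritten without notice. cmdTailscaleProxy continues past this hunk.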