Description
Describe the bug
First of all, thank you very much for the application! Very interesting idea and good implementation.
I am using the v1 version of the application. At first I launched it via authorization without specifying a key. I followed the link that I saw in the application logs. Everything worked.
I was not happy with the fact that applications that I then authorized via the proxy web interface had to be re-authorized after each restart. This is very inconvenient. Therefore, I tried to switch to using keys for authorization.
But no matter what keys I create in Tailscale, I always get a panic on startup.
Expected behavior
The expectation is that when I use an authorization key, I am authorized when I launch the application and continue working.
Send config
defaultproxyprovider: default
docker:
  local:
    host: unix:///var/run/docker.sock
    targethostname: 172.31.0.1
files: {}
tailscale:
  providers:
    default:
      authKey: "tskey-client-kxxx"
      controlurl: https://controlplane.tailscale.com
  datadir: /data/
http:
  hostname: 0.0.0.0
  port: 8080
log:
  level: info
  json: false
proxyaccesslog: true
Logs
[+] Running 2/1
✔ Network tsdproxy_default Created 0.3s
✔ Container tsdproxy-tsdproxy-1 Created 0.1s
Attaching to tsdproxy-tsdproxy-1
tsdproxy-tsdproxy-1 | Initializing server
tsdproxy-tsdproxy-1 | Version 1.4.7
tsdproxy-tsdproxy-1 | loading configuration from: /config/tsdproxy.yaml
tsdproxy-tsdproxy-1 | Validating configuration...
tsdproxy-tsdproxy-1 | Setting up logger
tsdproxy-tsdproxy-1 | 5:55AM INF Log Settings Log level=info
tsdproxy-tsdproxy-1 | 5:55AM INF Starting server Version=1.4.7
tsdproxy-tsdproxy-1 | 5:55AM INF Setting up proxy proxies
tsdproxy-tsdproxy-1 | 5:55AM INF Initializing WebServer
tsdproxy-tsdproxy-1 | 5:55AM INF Health check set to ready
tsdproxy-tsdproxy-1 | 5:55AM INF Default Network found defaultIPAdress=172.17.0.1 docker=local module=proxymanager
tsdproxy-tsdproxy-1 | 5:55AM INF Container 04bc902916c7bc02ba81961e0a23da4f026d22816e2137b471c462a9104ece8b started docker=local module=proxymanager
tsdproxy-tsdproxy-1 | 5:55AM INF Trying to auto detect target URL container=/webdav-webdav-1 docker=local module=proxymanager try=0
tsdproxy-tsdproxy-1 | 5:55AM INF Successfully connected using configured host and exposed port address=172.31.0.1 container=/webdav-webdav-1 docker=local module=proxymanager port=443
tsdproxy-tsdproxy-1 | 5:55AM INF setting up proxy hostname=zod module=proxymanager proxyname=zod
tsdproxy-tsdproxy-1 | 5:55AM INF starting proxy module=proxymanager name=zod proxyname=zod
tsdproxy-tsdproxy-1 | 5:55AM INF tsnet running state path /data/default/zod/tailscaled.state Hostname=zod module=proxymanager tailscale=default
tsdproxy-tsdproxy-1 | 5:55AM INF tsnet starting with hostname "zod", varRoot "/data/default/zod" Hostname=zod module=proxymanager tailscale=default
tsdproxy-tsdproxy-1 | 5:55AM INF LocalBackend state is NeedsLogin; running StartLoginInteractive... Hostname=zod module=proxymanager tailscale=default
tsdproxy-tsdproxy-1 | 5:55AM ERR tailscale.watchStatus: backend Hostname=zod module=proxymanager tailscale=default
tsdproxy-tsdproxy-1 | 5:55AM ERR Error Listening on TLS error="tsnet.Up: backend: key cannot be used for node auth: {KeyCapabilityBits(OAUTH_CLIENT|CONTROL_API_SCOPE_AUTH_KEYS) [tag:container]}" module=proxymanager proxyname=zod
tsdproxy-tsdproxy-1 | panic: runtime error: invalid memory address or nil pointer dereference
tsdproxy-tsdproxy-1 | panic: runtime error: invalid memory address or nil pointer dereference
tsdproxy-tsdproxy-1 | [signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x6e8e07]
tsdproxy-tsdproxy-1 |
tsdproxy-tsdproxy-1 | goroutine 55 [running]:
tsdproxy-tsdproxy-1 | net/http.(*onceCloseListener).close(...)
tsdproxy-tsdproxy-1 | /opt/hostedtoolcache/go/1.24.1/x64/src/net/http/server.go:3924
tsdproxy-tsdproxy-1 | sync.(*Once).doSlow(0xc0002a28b8?, 0xc00046bc68?)
tsdproxy-tsdproxy-1 | /opt/hostedtoolcache/go/1.24.1/x64/src/sync/once.go:78 +0xab
tsdproxy-tsdproxy-1 | sync.(*Once).Do(...)
tsdproxy-tsdproxy-1 | /opt/hostedtoolcache/go/1.24.1/x64/src/sync/once.go:69
tsdproxy-tsdproxy-1 | net/http.(*onceCloseListener).Close(0xc002b430b0)
tsdproxy-tsdproxy-1 | /opt/hostedtoolcache/go/1.24.1/x64/src/net/http/server.go:3920 +0x3b
tsdproxy-tsdproxy-1 | panic({0x1125520?, 0x368d8d0?})
tsdproxy-tsdproxy-1 | /opt/hostedtoolcache/go/1.24.1/x64/src/runtime/panic.go:792 +0x132
tsdproxy-tsdproxy-1 | net/http.(*onceCloseListener).Accept(0x2cd8c28?)
tsdproxy-tsdproxy-1 | <autogenerated>:1 +0x1e
tsdproxy-tsdproxy-1 | net/http.(*Server).Serve(0xc0002a2800, {0x0, 0x0})
tsdproxy-tsdproxy-1 | /opt/hostedtoolcache/go/1.24.1/x64/src/net/http/server.go:3424 +0x30c
tsdproxy-tsdproxy-1 | github.com/almeidapaulopt/tsdproxy/internal/proxymanager.(*Proxy).start(0xc0002a2900)
tsdproxy-tsdproxy-1 | /home/runner/work/tsdproxy/tsdproxy/internal/proxymanager/proxy.go:211 +0x205
tsdproxy-tsdproxy-1 | created by github.com/almeidapaulopt/tsdproxy/internal/proxymanager.(*Proxy).Start.func1 in goroutine 54
tsdproxy-tsdproxy-1 | /home/runner/work/tsdproxy/tsdproxy/internal/proxymanager/proxy.go:173 +0x5c
tsdproxy-tsdproxy-1 |
tsdproxy-tsdproxy-1 |
tsdproxy-tsdproxy-1 exited with code 0
Additional context
I tried using different types of keys. I created an auth-key and an oauth-key, issued different types of access, and tried to issue full access by keys.
I also tried to specify the key directly in the application configuration that will be proxied. The result is always the same.
What is interesting is that for any type of key we get the same error message:
key cannot be used for node auth: {KeyCapabilityBits(OAUTH_CLIENT|CONTROL_API_SCOPE_AUTH_KEYS) [tag:container]}
I tried to fix the panic in the fork. But I couldn't test the changes.
And there is a feeling that the problem is somewhat deeper. Having gotten rid of the panic, I will simply receive error messages. And I need to figure out why authorization by key does not work.
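
The trace above shows `net/http.(*Server).Serve` receiving a nil listener (`{0x0, 0x0}`) right after the "Error Listening on TLS" line was logged. As an added example (not tsdproxy's code and not part of the original report; `serveProxy` and `keyKind` are hypothetical names, and the prefixes are Tailscale's documented key prefixes), this Go program returns the listen error instead of serving, and classifies a credential by prefix without ever logging it:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// keyKind classifies a Tailscale credential by its prefix only, so the
// result is safe to log; the secret itself is never returned or printed.
func keyKind(key string) string {
	switch {
	case strings.HasPrefix(key, "tskey-auth-"):
		return "auth-key"
	case strings.HasPrefix(key, "tskey-client-"):
		return "oauth-client-secret"
	default:
		return "unknown"
	}
}

// serveProxy is a hypothetical stand-in for a proxy start routine. It refuses
// to call Serve when listen failed or produced no listener, which is the state
// visible in the trace: Serve(..., {0x0, 0x0}) followed by a nil dereference.
func serveProxy(srv *http.Server, listen func() (net.Listener, error)) error {
	ln, err := listen()
	if err != nil {
		return fmt.Errorf("listen: %w", err)
	}
	if ln == nil {
		return errors.New("listen: nil listener returned without an error")
	}
	return srv.Serve(ln) // Serve closes ln itself when it returns
}

func main() {
	// Constructed sample values; the key is a placeholder, not a real secret.
	fmt.Println("credential kind:", keyKind("tskey-client-kxxx"))
	failing := func() (net.Listener, error) {
		return nil, errors.New("key cannot be used for node auth")
	}
	// The error is reported to the caller; the process does not panic.
	fmt.Println("start result:", serveProxy(&http.Server{}, failing))
}
```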