ingress: allow per-port listen-address override (tailnet-only ingresses) #271
Draft
rgarcia wants to merge 1 commit into
Add an optional caddy.port_listen_addresses map (listen port -> bind address) that overrides the global caddy.listen_address for specific Caddy servers. Ports not present in the map continue to use the global listen address.

Use case: bind the CDP (9222) and ChromeDriver (9224) ingresses to a non-public interface (e.g. the host's Tailscale IP) so they are not reachable on the public NIC, complementing the host firewall, while the browser API (444) and VNC (443) ingresses stay public on 0.0.0.0.

The config field is threaded from CaddyConfig through ingress.Config and into CaddyConfigGenerator, which now resolves the bind address per listen port via listenAddressForPort(). Default behavior is unchanged: when the map is unset/empty, every server binds the global listen_address (default 0.0.0.0).

Adds table-driven tests for the generator (override applied, unset, empty map, and empty override value fall-through) and config-load tests for the YAML mapping and the empty default.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Use case

Hypeman's ingress (Caddy) currently binds every listen port to a single global address (`caddy.listen_address`, default `0.0.0.0`), so all ingress ports are exposed on the public NIC.

We want the CDP (`9222`) and ChromeDriver (`9224`) ingresses to be reachable only on a non-public interface (the host's Tailscale IP) so they are never served on the public NIC — defense-in-depth at the listener, complementing the host firewall (which is also being restricted for 9222/9224). The browser API (`444`) and VNC (`443`) ingresses must stay public.

Change

Add an optional config map under `caddy` that overrides the listen address for specific listen ports. Ports not present in the map fall back to the global `listen_address`.

Caddy already supports a per-server `listen` array, so this is a natural extension: `buildConfig` builds one server per listen port, and now resolves the bind address per port via `listenAddressForPort(port)` instead of always using the global address.

The field is threaded through: `CaddyConfig.PortListenAddresses` (`cmd/api/config`) → `ingress.Config.PortListenAddresses` → `CaddyConfigGenerator` → per-server `listen` in `buildConfig`.

This is config-level (not a per-Ingress API field) so it fits the Ansible-managed host config and the e2e API client does not need to know the Tailscale IP.

Backward compatibility

- `caddy.listen_address` default stays `0.0.0.0`.
- When `port_listen_addresses` is unset or empty, every server binds the global listen address exactly as before — no behavior change.

Tests

- `lib/ingress` table-driven generator tests: override applied (CDP/ChromeDriver on the tailscale IP, 443/444 still on `0.0.0.0`), nil map, empty map, and empty-value fall-through.
- `cmd/api/config` tests: YAML loads the `port_listen_addresses` map while `listen_address` stays `0.0.0.0`; default config has no overrides.
- `go build ./...`, `go vet ./...`, and `go test ./lib/ingress/... ./cmd/api/config/...` all pass locally.

🤖 Generated with Claude Code
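The per-port resolution the description outlines (override applied, missing key, nil or empty map, and empty override value all falling through to the global address) is small enough to show end to end. The following is an added illustration written for this page, not hypeman's own `CaddyConfigGenerator` or `buildConfig`: the `Generator` and `server` types, the `srv<port>` server naming, the `publicListeners` check and the tailnet address `100.64.0.10` are all constructed assumptions. It also adds a defender-side check the PR does not mention, listing which generated listeners are still bound to the wildcard address so a reviewer can confirm only 443/444 remain public.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strconv"
)

// Generator is a hypothetical stand-in for the shape the PR describes:
// a global listen address plus an optional per-port override map.
type Generator struct {
	ListenAddress       string         // global default, e.g. "0.0.0.0"
	PortListenAddresses map[int]string // listen port -> bind address (optional)
}

// listenAddressForPort returns the bind address for one listen port.
// A nil map, a missing key and an empty override value all fall through to
// the global address, matching the unset / empty-map / empty-value cases
// the PR's generator tests cover.
func (g Generator) listenAddressForPort(port int) string {
	if addr, ok := g.PortListenAddresses[port]; ok && addr != "" {
		return addr
	}
	return g.ListenAddress
}

// server is the subset of a Caddy HTTP server block relevant here.
type server struct {
	Listen []string `json:"listen"`
}

// buildConfig creates one server per listen port, each bound only to the
// address resolved for that port. Server names "srv<port>" are an assumption.
func (g Generator) buildConfig(ports []int) map[string]server {
	servers := make(map[string]server, len(ports))
	for _, p := range ports {
		addr := net.JoinHostPort(g.listenAddressForPort(p), strconv.Itoa(p))
		servers["srv"+strconv.Itoa(p)] = server{Listen: []string{addr}}
	}
	return servers
}

// publicListeners returns, sorted, every listen string bound to a wildcard
// host, i.e. what remains reachable on the public NIC after generation.
func publicListeners(servers map[string]server) []string {
	var out []string
	for _, s := range servers {
		for _, l := range s.Listen {
			host, _, err := net.SplitHostPort(l)
			if err == nil && (host == "" || host == "0.0.0.0" || host == "::") {
				out = append(out, l)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	g := Generator{
		ListenAddress: "0.0.0.0",
		// 100.64.0.10 is a constructed CGNAT-range address standing in for the
		// host's tailnet IP; 444's empty value demonstrates the fall-through.
		PortListenAddresses: map[int]string{9222: "100.64.0.10", 9224: "100.64.0.10", 444: ""},
	}
	cfg := g.buildConfig([]int{443, 444, 9222, 9224})
	b, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(b))
	fmt.Println("still public:", publicListeners(cfg))
}
```

Running it prints the four server blocks and `still public: [0.0.0.0:443 0.0.0.0:444]`; the CDP and ChromeDriver servers carry `100.64.0.10:9222` and `100.64.0.10:9224` only. The `publicListeners` pass is the kind of assertion worth keeping in a generator test: it fails loudly if a future refactor drops the override and silently rebinds 9222 or 9224 to the wildcard address.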