* release bump to 2.4.14
 * documentation of tailscale feature
Stefan Eissing committed Apr 26, 2022
1 parent 6592467 commit 1a770a9
Showing 4 changed files with 56 additions and 4 deletions.
5 changes: 5 additions & 0 deletions ChangeLog
@@ -1,3 +1,8 @@
v2.4.14
----------------------------------------------------------------------------------------------------
* Added support for tailscale (https://tailscale.com) certificates to have
trusted access to your internal domain names. See README.md for more
information on how to set this up.
* Fix for a memory leak in handling of JSON arrays. This leak was mainly
triggered by the additions to the `server-status` handler and lead to
increased process sizes with each request of a status page.
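Review bot: the memory-leak entry says the leak "lead to increased process sizes"; the past tense "led to" is meant. The tailscale entry could also carry the limitation that the README it points to states (Linux only for now), so the ChangeLog does not promise more than the documentation does.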
49 changes: 48 additions & 1 deletion README.md
@@ -12,7 +12,7 @@ This repository contains `mod_md`, a module for Apache httpd that helps you to m

Both functions work well together, but you can use one without the other. If you do not want the ACME/Let's Encrypt parts, there is ["Just the Stapling, Mam!"](#just-the-stapling-mam)

***NEW:*** `mod_md` has added support for [External Account Binding](#a-key-to-bind-them) that let's you use Apache ACME with more CAs!
***NEW:*** users of [tailscale](https://tailscale.com) secure networks can use trusted certificates for their internal domain names. See [the chapter about tailscale](#tailscale) for more information.

## Thanks

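Review bot: the added ***NEW:*** line sits directly under the existing one with no blank line between them, so Markdown renders both notices as a single paragraph; insert an empty line between the two. The unchanged line above also has "let's you", which should be "lets you" while this paragraph is being touched.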
@@ -57,6 +57,7 @@ into your Apache server log where `mod_md` logs its version at startup.
* [Get a Wildcard Cert](#how-to-get-a-wildcard-cert)
* [Use Other Certificates](#how-to-use-other-certificates)
* [Have two certs for one Host](#how-to-have-two-certs-for-one-host)
* [Use tailscale certificates](#tailscale)
- Stapling
* [Staple all my certificates](#how-to-staple-all-my-certificates)
* [Staple some of my certificates](#how-to-staple-some-of-my-certificates)
@@ -720,6 +721,52 @@ needs to track those, they will not come without restrictions. But several EAB v
same time seems common practise.


# Tailscale

The secure networking provided by [tailscale](https://tailscale.com) allows you to connect your own devices
in a very easy way without fiddling with firewalls and without public IP addresses. It's a bit of magic.

In its recent versions, it can also give you domain names and your own subdomain underneath the `*.ts.net` suffix. Something like `*.headless-chicken.ts.net` can be yours and your machines appear as, for example, `my-raspberry.headless-chicken.ts.net` in your own network.

But if you run a webserver on it, you'd need a certificate that your browser accept. And tailscale also does
that magic and negotiates with Let's Encrypt to provide you with a valid one (and renews it).

Via `mod_md`, you can make use of that service (if you are on **linux** for now). To stick with the example above, you'd configure:

```
<MDomain my-raspberry.headless-chicken.ts.net>
MDCertificateProtocol tailscale
</MDomain>
<VirtualHost *:443>
ServerName my-raspberry.headless-chicken.ts.net
SSLEnging on
...
</VirtualHost>
```

This works just like certificates from Let's Encrypt. `mod_md` will give you status information on the cert
and also try to renew it and give you notifications via `MDMessageCmd`. OCSP stapling should be available as
well, but I have not tested that.

One thing to beware: Apache's attempts to renew, e.g. get a new certificate from the tailscale demon, are
not necessarily in sync. You might want to adjust your `MDRenewWindow` to only trigger right after tailscale
should have gotten a new one.

Also, for server restarts, the same rules apply as for ACME certificates.

Is there a dependency between the Apache service and your tailscale daemon? **No**. Both will
start and operate independent of each other. Apache will start also if your tailscale daemon is down. Just like your Apache will work when Let's Encrypt is not reachable for a while.

**Caveat**: if your Apache is *also* reachable from the public internet, the tailscale domain name will not
give you enhanced security. Anyone who can contact your server can ask for any domain in `*.ts.net`. There are
a myriad of options to make secure setups and you should consult the tailscale documentation on how/when/if
security in a tailscale network can be managed.

**Credits**: the nice and friendly [Caddy server](https://caddyserver.com) was the first HTTP server to add
tailscale support a couple of days ago. Which inspired me to strive for second place.


# Just the Stapling, Mam!

If you just want to use the new OCSP Stapling feature of the module, load it into your apache and configure
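Review bot: the configuration example contains `SSLEnging on`, which httpd rejects as an unknown directive at startup; it must read `SSLEngine on`, and since readers copy these blocks verbatim this should be fixed before the release ships. Smaller wording points in the same section: "a certificate that your browser accept" should be "accepts", "tailscale demon" should be "daemon", and the unchanged context line "common practise" should be "common practice". The section also never says where `mod_md` finds the tailscale daemon; the default added in src/md_version.h (`file://localhost/var/run/tailscale/tailscaled.sock`) is worth stating here, together with whether it can be changed, for users whose socket lives elsewhere.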
2 changes: 1 addition & 1 deletion configure.ac
@@ -14,7 +14,7 @@
#

AC_PREREQ([2.69])
AC_INIT([mod_md], [2.4.13], [stefan.eissing@greenbytes.de])
AC_INIT([mod_md], [2.4.14], [stefan.eissing@greenbytes.de])

LT_PREREQ([2.2.6])
LT_INIT()
4 changes: 2 additions & 2 deletions src/md_version.h
@@ -27,15 +27,15 @@
* @macro
* Version number of the md module as c string
*/
#define MOD_MD_VERSION "2.4.13-git"
#define MOD_MD_VERSION "2.4.14-git"

/**
* @macro
* Numerical representation of the version number of the md module
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
#define MOD_MD_VERSION_NUM 0x02040d
#define MOD_MD_VERSION_NUM 0x02040e

#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
#define MD_TAILSCALE_DEF_URL "file://localhost/var/run/tailscale/tailscaled.sock"
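Review bot: `MOD_MD_VERSION_NUM 0x02040e` is consistent with the encoding described in the comment above (0x0e is 14) and with the `"2.4.14-git"` string, so the two version forms agree. `MD_TAILSCALE_DEF_URL` hard-codes a `file://` URL to the tailscaled Unix socket, which is the Linux-only assumption the README states; a short comment above the define saying so, and whether the path can be overridden in the configuration, would save readers a trip to the source.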
