derp/derphttp: make CONNECT Host match request-target's authority-form

This CONNECT client doesn't match what Go's net/http.Transport does (making the two values match). This makes it match. This is all pretty unspecified but most clients & doc examples show these matching. And some proxy implementations (such as Zscaler) care. Updates tailscale/corp#18716 Change-Id: I135c5facbbcec9276faa772facbde1bb0feb2d26 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
nshalman · Mar 27, 2024 · 3e6306a · 3e6306a
1 parent 8f27520
commit 3e6306a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/derp/derphttp/derphttp_client.go b/derp/derphttp/derphttp_client.go
@@ -795,7 +795,7 @@ func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, pr
 		authHeader = fmt.Sprintf("Proxy-Authorization: %s\r\n", v)
 	}
 
-	if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, pu.Hostname(), authHeader); err != nil {
+	if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, target, authHeader); err != nil {
 		if ctx.Err() != nil {
 			return nil, ctx.Err()
 		}