From 0f62015ed4e7a7ff03170563854c64b1ed104b44 Mon Sep 17 00:00:00 2001
From: Martin Zihlmann
Date: Thu, 14 May 2026 17:14:13 +0200
Subject: [PATCH] derp/derphttp: honor DERPNode.DERPPort in proxied CONNECT dial dialNode picks the destination port from n.DERPPort when non-zero, falling back to 443 (or 3340 when useHTTPS is false). The proxy path, dialNodeUsingProxy, hardcoded "443" in the CONNECT target, so a DERP server reachable only on a custom port was unreachable through HTTPS_PROXY: the proxy would faithfully tunnel to :443 at the DERP hostname, and TLS would either fail cert validation or talk to the wrong service. Mirror dialNode's port selection so both paths behave the same. Fixes #19748 Signed-off-by: Martin Zihlmann
---
 derp/derphttp/derphttp_client.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/derp/derphttp/derphttp_client.go b/derp/derphttp/derphttp_client.go
index a6d49f54ff7c4..fb6e321bcd536 100644
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -990,7 +990,12 @@ func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, pr
 }
 }()
- target := net.JoinHostPort(n.HostName, "443")
+ // Keep port selection in sync with dialNode.
+ port := "443"
+ if n.DERPPort != 0 {
+ port = fmt.Sprint(n.DERPPort)
+ }
+ target := net.JoinHostPort(n.HostName, port)
 var authHeader string
 if v, err := tshttpproxy.GetAuthHeader(pu); err != nil {
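Review bot: The added port selection in dialNodeUsingProxy mirrors only part of what the commit message describes for dialNode: the `n.DERPPort` override is copied, but the fallback is always `"443"`, while dialNode is said to fall back to 3340 when useHTTPS is false. If the proxied path is meant to default to 443 regardless, the comment should record that, for example `// Same DERPPort override as dialNode; the CONNECT path always defaults to 443, never 3340.`, and otherwise a small helper shared by both functions would stop the two copies from drifting again. The port is also formatted into the CONNECT target unchecked, so a non-zero but out-of-range value (negative, or above 65535 if the field is a plain int) would reach the proxy as a malformed authority; a guard such as `if n.DERPPort < 0 || n.DERPPort > 65535` returning an error before `net.JoinHostPort` would reject it early. The diffstat lists no test file, so a regression test for a proxied dial to a node with a custom DERPPort is worth adding. The function starts and ends outside this hunk, so how `target` is used afterwards is not visible here.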