server: add flag to disable TCP listeners on tsnet and tailscaled

olistrik · olistrik · commit 60a68d1cc48d · 2025-12-04T14:10:30.000+01:00
Signed-off-by: Oli Strik &lt;strik@olii.nl&gt;
diff --git a/flake.nix b/flake.nix
@@ -147,6 +147,12 @@
                 description = "Path to unix socket to listen on";
               };
 
+              disableTCP = mkOption {
+                type = nullOr bool;
+                default = null;
+                description = "Disable the TCP Listeners on tsnet and tailscaled";
+              };
+
               enableFunnel = mkOption {
                 type = bool;
                 default = false;
@@ -237,6 +243,7 @@
                         local-port = cfg.settings.localPort;
                         use-local-tailscaled = cfg.settings.useLocalTailscaled;
                         unix-socket = cfg.settings.unixSocket;
+                        disable-tcp = cfg.settings.disableTCP;
                         funnel = cfg.settings.enableFunnel;
                         enable-sts = cfg.settings.enableSts;
                         log = cfg.settings.logLevel;
diff --git a/tsidp-server.go b/tsidp-server.go
@@ -40,6 +40,7 @@ var (
 	flagLocalPort          = flag.Int("local-port", -1, "allow requests from localhost")
 	flagUseLocalTailscaled = flag.Bool("use-local-tailscaled", false, "use local tailscaled instead of tsnet")
 	flagUnixSocket         = flag.String("unix-socket", "", "use a unix socket instead of tcp")
+	flagDisableTCP         = flag.Bool("disable-tcp", false, "disable the tcp listener on tsnet/tailscaled")
 	flagFunnel             = flag.Bool("funnel", false, "use Tailscale Funnel to make tsidp available on the public internet")
 	flagHostname           = flag.String("hostname", "idp", "tsnet hostname to use instead of idp")
 	flagDir                = flag.String("dir", "", "tsnet state directory; a default one will be created if not provided")
@@ -92,38 +93,41 @@ func main() {
 			slog.Error("getting local.Client status", slog.Any("error", err))
 			os.Exit(1)
 		}
-		portStr := fmt.Sprint(*flagPort)
-		anySuccess := false
-		for _, ip := range st.TailscaleIPs {
-			ln, err := net.Listen("tcp", net.JoinHostPort(ip.String(), portStr))
-			if err != nil {
-				slog.Warn("net.Listen failed", slog.String("ip", ip.String()), slog.Any("error", err))
-				continue
+
+		if !*flagDisableTCP {
+			portStr := fmt.Sprint(*flagPort)
+			anySuccess := false
+			for _, ip := range st.TailscaleIPs {
+				ln, err := net.Listen("tcp", net.JoinHostPort(ip.String(), portStr))
+				if err != nil {
+					slog.Warn("net.Listen failed", slog.String("ip", ip.String()), slog.Any("error", err))
+					continue
+				}
+				anySuccess = true
+				ln = tls.NewListener(ln, &tls.Config{
+					GetCertificate: lc.GetCertificate,
+				})
+				lns = append(lns, ln)
+			}
+			if !anySuccess {
+				slog.Error("failed to listen on any ip", slog.Any("ips", st.TailscaleIPs))
+				os.Exit(1)
 			}
-			anySuccess = true
-			ln = tls.NewListener(ln, &tls.Config{
-				GetCertificate: lc.GetCertificate,
-			})
-			lns = append(lns, ln)
-		}
-		if !anySuccess {
-			slog.Error("failed to listen on any ip", slog.Any("ips", st.TailscaleIPs))
-			os.Exit(1)
-		}
 
-		// tailscaled needs to be setting an HTTP header for funneled requests
-		// that older versions don't provide.
-		// TODO(naman): is this the correct check?
-		if *flagFunnel && !version.AtLeast(st.Version, "1.71.0") {
-			slog.Error("Local tailscaled not new enough to support -funnel. Update Tailscale or use tsnet mode.")
-			os.Exit(1)
-		}
-		cleanup, watcherChan, err = server.ServeOnLocalTailscaled(ctx, lc, st, uint16(*flagPort), *flagFunnel)
-		if err != nil {
-			slog.Error("could not serve on local tailscaled", slog.Any("error", err))
-			os.Exit(1)
+			// tailscaled needs to be setting an HTTP header for funneled requests
+			// that older versions don't provide.
+			// TODO(naman): is this the correct check?
+			if *flagFunnel && !version.AtLeast(st.Version, "1.71.0") {
+				slog.Error("Local tailscaled not new enough to support -funnel. Update Tailscale or use tsnet mode.")
+				os.Exit(1)
+			}
+			cleanup, watcherChan, err = server.ServeOnLocalTailscaled(ctx, lc, st, uint16(*flagPort), *flagFunnel)
+			if err != nil {
+				slog.Error("could not serve on local tailscaled", slog.Any("error", err))
+				os.Exit(1)
+			}
+			defer cleanup()
 		}
-		defer cleanup()
 	} else {
 		hostinfo.SetApp("tsidp")
 		ts := &tsnet.Server{
@@ -147,23 +151,26 @@ func main() {
 			slog.Error("failed to get local client", slog.Any("error", err))
 			os.Exit(1)
 		}
-		var ln net.Listener
-		if *flagFunnel {
-			if err := ipn.CheckFunnelAccess(uint16(*flagPort), st.Self); err != nil {
-				slog.Error("funnel access denied", slog.Any("error", err))
+
+		if !*flagDisableTCP {
+			var ln net.Listener
+			if *flagFunnel {
+				if err := ipn.CheckFunnelAccess(uint16(*flagPort), st.Self); err != nil {
+					slog.Error("funnel access denied", slog.Any("error", err))
+					os.Exit(1)
+				}
+				ln, err = ts.ListenFunnel("tcp", fmt.Sprintf(":%d", *flagPort))
+			} else {
+				ln, err = ts.ListenTLS("tcp", fmt.Sprintf(":%d", *flagPort))
+			}
+
+			if err != nil {
+				slog.Error("failed to listen", slog.Any("error", err))
 				os.Exit(1)
 			}
-			ln, err = ts.ListenFunnel("tcp", fmt.Sprintf(":%d", *flagPort))
-		} else {
-			ln, err = ts.ListenTLS("tcp", fmt.Sprintf(":%d", *flagPort))
-		}
 
-		if err != nil {
-			slog.Error("failed to listen", slog.Any("error", err))
-			os.Exit(1)
+			lns = append(lns, ln)
 		}
-
-		lns = append(lns, ln)
 	}
 
 	srv := server.New(
