huanld/tailscale-custom
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 3 Wiki Activity
Files
2fb067ecbf44484cd240ce4a4ab187eca537b746
tailscale-custom/Setup.wxs
T
huanld 2fb067ecbf
checklocks / checklocks (push) Has been cancelled
Details
CodeQL / Analyze (go) (push) Has been cancelled
Details
natlab-integrationtest / natlab-integrationtest (push) Has been cancelled
Details
CI / gomod-cache (push) Has been cancelled
Details
CI / race-root-integration (1/4) (push) Has been cancelled
Details
CI / race-root-integration (2/4) (push) Has been cancelled
Details
CI / race-root-integration (3/4) (push) Has been cancelled
Details
CI / race-root-integration (4/4) (push) Has been cancelled
Details
CI / test (-race, amd64, 1/3) (push) Has been cancelled
Details
CI / test (-race, amd64, 2/3) (push) Has been cancelled
Details
CI / test (-race, amd64, 3/3) (push) Has been cancelled
Details
CI / test (386) (push) Has been cancelled
Details
CI / test (amd64) (push) Has been cancelled
Details
CI / Windows (benchmarks) (push) Has been cancelled
Details
CI / Windows (1/2) (push) Has been cancelled
Details
CI / Windows (2/2) (push) Has been cancelled
Details
CI / macos (push) Has been cancelled
Details
CI / privileged (push) Has been cancelled
Details
CI / vm (push) Has been cancelled
Details
CI / cross (386, linux) (push) Has been cancelled
Details
CI / cross (amd64, darwin) (push) Has been cancelled
Details
CI / cross (amd64, freebsd) (push) Has been cancelled
Details
CI / cross (amd64, openbsd) (push) Has been cancelled
Details
CI / cross (amd64, windows) (push) Has been cancelled
Details
CI / cross (arm, 5, linux) (push) Has been cancelled
Details
CI / cross (arm, 7, linux) (push) Has been cancelled
Details
CI / cross (arm64, darwin) (push) Has been cancelled
Details
CI / cross (arm64, linux) (push) Has been cancelled
Details
CI / cross (arm64, windows) (push) Has been cancelled
Details
CI / cross (loong64, linux) (push) Has been cancelled
Details
CI / ios (push) Has been cancelled
Details
CI / crossmin (amd64, illumos) (push) Has been cancelled
Details
CI / crossmin (amd64, plan9) (push) Has been cancelled
Details
CI / crossmin (amd64, solaris) (push) Has been cancelled
Details
CI / crossmin (ppc64, aix) (push) Has been cancelled
Details
CI / android (push) Has been cancelled
Details
CI / wasm (push) Has been cancelled
Details
CI / tailscale_go (push) Has been cancelled
Details
CI / fuzz (push) Has been cancelled
Details
CI / depaware (push) Has been cancelled
Details
CI / go_generate (push) Has been cancelled
Details
CI / make_tidy (push) Has been cancelled
Details
CI / licenses (push) Has been cancelled
Details
CI / staticcheck (macOS) (push) Has been cancelled
Details
CI / staticcheck (Linux) (push) Has been cancelled
Details
CI / staticcheck (Windows) (push) Has been cancelled
Details
CI / staticcheck (Portable (1/4)) (push) Has been cancelled
Details
CI / staticcheck (Portable (2/4)) (push) Has been cancelled
Details
CI / staticcheck (Portable (3/4)) (push) Has been cancelled
Details
CI / staticcheck (Portable (4/4)) (push) Has been cancelled
Details
CI / notify_slack (push) Has been cancelled
Details
CI / merge_blocker (push) Has been cancelled
Details
CI / check_mergeability_strict (push) Has been cancelled
Details
CI / check_mergeability (push) Has been cancelled
Details
Dockerfile build / deploy (push) Has been cancelled
Details
test installer.sh / test (curl, alpine:3.21) (push) Has been cancelled
Details
test installer.sh / test (curl, alpine:edge) (push) Has been cancelled
Details
test installer.sh / test (curl, alpine:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, amazonlinux:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, archlinux:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:oldstable-slim) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:sid-slim) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:stable-slim, 1.80.0) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:testing-slim) (push) Has been cancelled
Details
test installer.sh / test (curl, elementary/docker:stable) (push) Has been cancelled
Details
test installer.sh / test (curl, elementary/docker:unstable) (push) Has been cancelled
Details
test installer.sh / test (curl, fedora:latest, 1.80.0) (push) Has been cancelled
Details
test installer.sh / test (curl, kalilinux/kali-dev) (push) Has been cancelled
Details
test installer.sh / test (curl, kalilinux/kali-rolling) (push) Has been cancelled
Details
test installer.sh / test (curl, opensuse/leap:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, opensuse/tumbleweed:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, oraclelinux:8) (push) Has been cancelled
Details
test installer.sh / test (curl, oraclelinux:9) (push) Has been cancelled
Details
test installer.sh / test (curl, parrotsec/core:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, rockylinux:8.7) (push) Has been cancelled
Details
test installer.sh / test (curl, rockylinux:9) (push) Has been cancelled
Details
test installer.sh / test (curl, ubuntu:20.04) (push) Has been cancelled
Details
test installer.sh / test (curl, ubuntu:22.04) (push) Has been cancelled
Details
test installer.sh / test (curl, ubuntu:24.04, 1.80.0) (push) Has been cancelled
Details
test installer.sh / test (wget, debian:oldstable-slim) (push) Has been cancelled
Details
test installer.sh / test (wget, debian:sid-slim) (push) Has been cancelled
Details
update-flake / update-flake (push) Has been cancelled
Details
tailscale.com/cmd/vet / vet (push) Has been cancelled
Details
test installer.sh / notify-slack (push) Has been cancelled
Details
feat: security hardening, production roadmap, admin panel v1 
Client security fixes (cmd/tailscale-tray/main.go):
- SSRF protection in Add Server dialog (validateControlURL): reject
  private/loopback/link-local/cloud-metadata IPs via DNS resolution
- RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL)
- Sanitized URL logging (sanitizeURLForLog drops query auth tokens)
- Error handling on exec.Command with user-facing showError()

Admin panel security (web-admin):
- Bcrypt password hashing (replaces SHA256)
- Rate limiting: 5 failed logins → 15-min lockout
- Session + login attempt cleanup goroutine (hourly)
- url.QueryEscape / encodeURIComponent for all API params
- Fail-hard startup when no TLS and non-loopback bind
- ADMIN_PASSWORD required (no default), password min 12 chars
- Username regex whitelist

Installer hardening (Setup.wxs):
- util:PermissionEx restricts SCM access: only Administrators +
  SYSTEM can start/stop/reconfigure service. Authenticated Users
  limited to QueryStatus/QueryConfig/Interrogate
- Vital="yes" on ServiceInstall

Docs & roadmap:
- PRODUCTION_ROADMAP.md: 5-milestone plan (security + features +
  distribution + ops) with granular tasks, effort, done-when
- CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md
- AI assistant rules (.cursorrules, .antigravityrules, etc.)

Build & distribution:
- build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1
- redeploy.ps1, tray-deploy.ps1, test-msi.ps1
- installer/msi/ alternative WXS setup
- Restored .github/workflows/ removed in mirror cleanup

.gitignore hardened: *.pfx, *.p12, *.key, *.pem, .env*
2026-04-22 15:18:11 +07:00

128 lines
5.8 KiB
XML
Raw Blame History

<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs"
xmlns:util="http://wixtoolset.org/schemas/v4/wxs/util">
<Package Name="Tailscale Custom"
Manufacturer="SoftsBusiness"
Version="1.0.0.0"
UpgradeCode="{510A8C57-BA8F-4B9F-84E3-8E5C4E091054}"
Scope="perMachine">
<!-- Nhúng luôn dữ liệu vào MSI thay vì tách riêng ra file cab1.cab -->
<MediaTemplate EmbedCab="yes" />
<MajorUpgrade DowngradeErrorMessage="A newer version is already installed." />
<Feature Id="MainFeature" Title="Tailscale Custom feature">
<ComponentGroupRef Id="MainComponents" />
<ComponentGroupRef Id="TrayStartupComponents" />
</Feature>
<!-- Chạy Tray App ngay sau khi Cài đặt xong thay vì phải Restart/Login -->
<CustomAction Id="LaunchTrayApp"
Directory="INSTALLFOLDER"
ExeCommand="&quot;[#tailscale_tray.exe]&quot;"
Execute="immediate"
Impersonate="yes"
Return="asyncNoWait" />
<InstallExecuteSequence>
<Custom Action="LaunchTrayApp" After="InstallFinalize" Condition="NOT Installed" />
</InstallExecuteSequence>
<StandardDirectory Id="ProgramFiles64Folder">
<Directory Id="INSTALLFOLDER" Name="Tailscale-Custom" />
</StandardDirectory>
<ComponentGroup Id="MainComponents" Directory="INSTALLFOLDER">
<!-- Cài đặt và Đăng ký Windows Service -->
<Component Id="TailscaledExe" Guid="{9AB5E8B1-3E55-46D9-B357-19E4A9FDEFD7}">
<File Id="tailscaled.exe" Source="dist\tailscaled.exe" KeyPath="yes" />
<!--
Start="auto" + Account="LocalSystem" là cấu hình tiêu chuẩn cho VPN
client (Tailscale official cũng dùng vậy): cần SYSTEM để quản lý TUN
adapter và routing table, cần auto-start để VPN hoạt động sau reboot.
Hardening: dùng util:PermissionEx để chỉ Administrators + SYSTEM mới
được start/stop/reconfigure service. User thường chỉ có QueryStatus.
-->
<ServiceInstall Id="TailscaleService"
Type="ownProcess"
Name="Tailscale-Custom"
DisplayName="Tailscale-Custom"
Description="Tailscale Custom VPN Service"
Start="auto"
Account="LocalSystem"
ErrorControl="normal"
Vital="yes">
<!-- SYSTEM: full control. Administrators: full control.
Authenticated Users: chỉ QueryStatus + QueryConfig + Interrogate.
Users thường KHÔNG thể start/stop/pause/reconfigure/delete. -->
<util:PermissionEx User="SYSTEM"
ServiceQueryStatus="yes"
ServiceQueryConfig="yes"
ServiceEnumerateDependents="yes"
ServiceInterrogate="yes"
ServiceStart="yes"
ServiceStop="yes"
ServicePauseContinue="yes"
ServiceUserDefinedControl="yes"
ServiceChangeConfig="yes"
Delete="yes"
ReadPermission="yes"
ChangePermission="yes"
TakeOwnership="yes" />
<util:PermissionEx User="Administrators"
ServiceQueryStatus="yes"
ServiceQueryConfig="yes"
ServiceEnumerateDependents="yes"
ServiceInterrogate="yes"
ServiceStart="yes"
ServiceStop="yes"
ServicePauseContinue="yes"
ServiceUserDefinedControl="yes"
ServiceChangeConfig="yes"
Delete="yes"
ReadPermission="yes"
ChangePermission="yes" />
<util:PermissionEx User="Authenticated Users"
ServiceQueryStatus="yes"
ServiceQueryConfig="yes"
ServiceInterrogate="yes"
ReadPermission="yes" />
</ServiceInstall>
<!-- Tự động Start service khi cài xong, tự Stop khi gỡ -->
<ServiceControl Id="StartTailscaleService"
Start="install"
Stop="both"
Remove="uninstall"
Name="Tailscale-Custom"
Wait="yes" />
</Component>
<!-- Copy file CMD -->
<Component Id="TailscaleExe" Guid="{E422A633-F1C0-41BC-BA99-ED3E43B718BC}">
<File Id="tailscale.exe" Source="dist\tailscale.exe" KeyPath="yes" />
</Component>
<!-- Copy file Tray App -->
<Component Id="TailscaleTrayExe" Guid="{121EFAD3-3893-4B9B-89EB-B6D74BA24E2A}">
<File Id="tailscale_tray.exe" Source="dist\tailscale-tray.exe" KeyPath="yes" />
</Component>
</ComponentGroup>
<!-- Tự động set Tray Program khởi động cùng Windows thông qua Registry HKLM -->
<ComponentGroup Id="TrayStartupComponents" Directory="INSTALLFOLDER">
<Component Id="RegistryEntries" Guid="{2A65FCA8-3266-4198-8F68-5E2429817E1E}">
<RegistryValue Root="HKLM"
Key="Software\Microsoft\Windows\CurrentVersion\Run"
Name="TailscaleCustomTray"
Type="string"
Value="&quot;[#tailscale_tray.exe]&quot;"
KeyPath="yes" />
</Component>
</ComponentGroup>
</Package>
</Wix>
Reference in New Issue View Git Blame Copy Permalink