If Tailscale's unavailable (e.g. you're on the wrong tailnet), it'd be nice as a backup to be easily expand go links from the backup JSON file, using the same templating.

Like:

$ go run github.com/tailscale/golink --resolve-from-backup=/path/to/backup.json go/meet/bar
http://meet.google.com/lookup/bar

cc @willnorris

People are getting "invalid XSRF token" errors when attempting to create new links. Reproducibility seems to be consistent for some people, but to consistently not happen for others.

Looks to be due to an upstream change in the chainguard go image we are using. Tracking in chainguard-images/images#182

I wanted to build a Docker image with the most up to date Tailscale.
From what I could see it seems that go.mod is where I can define the Tailscale version.

It uses a pseudo-version, currently v1.1.1-0.20221106050213-036334e91350, which somehow maps to Tailscale v1.33.0-dev20221229.
But I didn't have any luck figuring out what pseudo-version I would have to set to update it to e.g. Tailscale v1.34.1

Could anyone give me a pointer as to how the specific Tailscale version is selected?

I'm not actually sure if this is an issue, but it surprised me so I thought I'd query it.

I've defined go/cu-devops to take me to our DevOps work board (think Trello), and that works fine. Shows up in the stats as go/cu-devops.

I then remembered the logic strips - so I could visit go/cudevops and did so. This shows up as a separate entry in the stats now, although clicking the (i) on either go/cu-devops or go/cudevops shows the go/cu-devops Link to be edited.

Should we coalesce the stats entries to the Link value, so missing out hypens doesn't duplicate entries for the same Link?

Currently, links with convenient, short names can be ambiguous unless visited. Adding an optional description field would reduce this potential confusion.

The /.all endpoint exists, and you can Control + f in that page, but it might be nice to have a search input on the main page, too.

I'm running golink through docker, and while it used to work, it started producing a 404 error, and now appears to be stuck in a connection loop. I tried removing the docker instance and the machine from tailscale, but this is still occurring with a clean install.

I provided a key using TS_AUTHKEY when creating the instance, but while the machine now exists in the tailscale machines page, it shows no connection, and the docker log seems to suggest the key is invalid. Generating a new authkey and replacing the existing one did not resolve the issue, and did not change the logs as far as I can see.

Docker log:

2023/11/14 16:55:56 control: [v1] authRoutine: state:authenticating; wantLoggedIn=true
2023/11/14 16:55:56 control: [v1] direct.TryLogin(token=false, flags=10)
2023/11/14 16:55:56 control: LoginInteractive -> regen=true
2023/11/14 16:55:56 control: doLogin(regen=true, hasUrl=false)
2023/11/14 16:55:56 control: Generating a new nodekey.
2023/11/14 16:55:56 control: RegisterReq: onode= node=[ZhdCM] fup=false nks=false
2023/11/14 16:55:56 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=false; authURL=false
2023/11/14 16:55:56 control: [v1] TryLogin: invalid key: unable to validate API key
2023/11/14 16:55:56 control: [v1] sendStatus: authRoutine-report: state:authenticating
2023/11/14 16:55:56 control: authRoutine: [v1] backoff: 22694 msec
2023/11/14 16:55:56 Received error: invalid key: unable to validate API key
2023/11/14 16:56:19 control: [v1] authRoutine: state:authenticating; wantLoggedIn=true
2023/11/14 16:56:19 control: [v1] direct.TryLogin(token=false, flags=10)
2023/11/14 16:56:19 control: LoginInteractive -> regen=true
2023/11/14 16:56:19 control: doLogin(regen=true, hasUrl=false)
2023/11/14 16:56:19 control: Generating a new nodekey.
2023/11/14 16:56:19 control: RegisterReq: onode= node=[Hq+DJ] fup=false nks=false
2023/11/14 16:56:19 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=false; authURL=false
2023/11/14 16:56:19 control: [v1] TryLogin: invalid key: unable to validate API key
2023/11/14 16:56:19 control: [v1] sendStatus: authRoutine-report: state:authenticating
2023/11/14 16:56:19 control: authRoutine: [v1] backoff: 24477 msec
2023/11/14 16:56:19 Received error: invalid key: unable to validate API key

This suggestion is born from an internal slack thread. It would be excellent have a text matching feature for go links (using some form of regex) to allow for conditional paths.

My goal: use one machine to run two different instances of "golink", so that I can have two independent sets of bookmarks.

This didn't work out of the box - I created a new key, started up the second instance with the -hostname flag, and then got the error message on the console Duplicate node key.

My suspicion is that I'm running into this:

tailscale data files in the tsnet-golink directory inside [os.UserConfigDir](https://pkg.go.dev/os#UserConfigDir)

and that I have to set two separate os.UserConfigDir paths to keep the two things distinct.

We don't handle query parameters at all right now. There are a few things we should pretty obviously support, but there are also some things that are not so clear.

For example, today http://go/who?q is treated as a link with the short name who?q rather than a link with the short name who and a query string of ?q. That's definitely something we should fix (and simple enough, using r.URL.Path rather than r.RequestURI). And should the query string be included in the final destination link? I think probably so.

What's less clear is when a link's destination URL also contains a query. What happens with any path components from the request? What about query parameters from the request? Do they get combined with the parameters in the destination URL? Do we expose the original query as a template var or func?

It would be great if the golinks server could restore all links from an export if given a JSONL file. That way I could declare all my links in git and use a configmap in k8s to supply them to golink

Start with the go link go/ladder => http://ladder/. When appending a full URL to the extra path, the // gets collapsed down to a single /:

% curl -i http://go/ladder/http://bbc.com/
Location: /ladder/http:/bbc.com/

This isn't technically wrong, but for a project like ladder this is undesirable.

For imageproxy, I dealt with a similar issue by switching to gorilla's Mux, and disabling path cleaning. I'd rather not do that here if we can keep from it. But if I remember correctly, the default http.ServeMux always cleans paths and doesn't provide the ability to disable that. There's work happening on http.ServeMux in go1.22, so I can look and see if any of that would be helpful here.

The golink binary uses tsnet internally to connect to the tailnet. Is there a way to hook up a HEALTHCHECK to return the status of the golink binary’s internal tsnet connection? That sounds tricky now that I write it, but it would be pretty cool if the Docker health status could reflect the tailnet connection status.

The instructions for running on fly.io are currently failing at the deploy step:

==> Creating release
Error Could not find image "ghcr.io/tailscale/golink:main"

It appears this may be related to a change in the way github actions are building docker images, per conversation on the fly.io forums:
https://community.fly.io/t/deploying-to-fly-via-github-action-failing/10171/19

And per that thread, the fix may be as simple as adding provenance: false to the build action

We use Render as our host. I tried deploying the Docker image for golink as a private service on Render, however it's not quite working.

I think it's because Docker services on Render do not have full networking capabilities. Render's team provides a sample script for running the Tailscale daemon here. The script uses the --tun=userspace-networking and --socks5-server=localhost:1055 flags and sets the ALL_PROXY environment variable to socks5://localhost:1055/.

I don't know enough about Tailscale or networking to say what exactly would be needed to make Golink work on Render, but AFAICT there is currently no way to pass custom arguments supported by the standalone Tailscale daemon like --tun to the Tailscale client embedded in the Golink service anyway (I think this is what #79 is requesting).

Happy to provide more details about the exact behavior I'm observing when trying to deploy on Render.

I saw a sqlite busy error when attempting to follow a link earlier. I suspect there may be some concurrency issues on writes that could use a retry.

I've not looked, but when I've had to do this kind of thing before, I had to bring my own lock and/or async writes (e.g., for updating counts where a failure doesn't lead to a real correctness problem).

I think you have to be kind of lucky to see the error in general, but it'd likely show up in a load test.

While it's nice to be able to just use the "main" tag for the latest update, I would like to specifically know when I'm using a newer version of golink.

The primary problem is right now golink will fall behind in versioning from the tailscale.com go module, hence the "upgrade available" notification in the UI. Right now, I just do a re-deploy from time to time in hopes that maybe the tailscale.com version has been upgraded. Sometimes it has been updated and sometimes it hasn't. Instead of just blindly deploying just to see if the dependency has been updated, I'd rather pin to a specific tagged semantic version so I know if there isn't a new semantic version available, then there is no need to re-deploy.

Some of the go-link systems that I've used in the past have supported aliases for a given link. I know it would be possible to just create multiple items using the same link, but ideally if a link gets updated, all the alternate names get updated at once.

Hey there Chainguard here.

We noticed that you are using Chainguard Images, thank you! We wanted to make you aware of an upcoming change that will impact your project.

Starting August 16, 2023 public users will no longer be able to pull images from our registry (cgr.dev/chainguard) by tags other than latest or latest-dev. Please see the announcement for more information.

You are currently using the following.

In https://github.com/tailscale/golink/blob/843e615dbfdfaa927d1794b9e4ef2f6fa6156b2e/Dockerfile:

• cgr.dev/chainguard/go:1.20

Our goal is to prevent your project from experiencing any disruptions. Please see the migration guide for options.

If there's more we can do to help please reply to this issue or email us at [email protected].

Thank you!

Situation: I have an existing golink installation, running on a Pi
locally. There are about 200 links there. I also have a brand new
fly.io installation of golink, following the instructions in the README.

I'd like to migrate the data from my old install to the new one.

One approach is simply to recreate the links, taking as input
the go/.export file and looping around a curl command that
does a PUT as described in go/.help . I think I can do that
with jq, awk, and sh.

A second would be to log into the fly.io console, upload some
files, then modify the Dockerfile to use the -snapshot approach
to get things started. I'm less clear on all of the details there.

Any other options I'm missing? I am pretty sure I'll lose use count
information in any circumstance. I have only a single user in this
tailnet so I won't lose who created the link.

A number of users are seeing somewhat random XSRF errors when updating or deleting links. We think it is due to how XSRF tokens are generated. The /.detail/ page allows you to provide a non-canonical form of the link's short name and it will still resolve properly. For example, the link might be go/foo, but http://go/.detail/F-o-O will still load the correct detail page. In some cases, XSRF token generation and validation is based on the short name provided in the URL (F-o-O in the above example) and sometimes it's based on the canonical form stored in the database (foo in the above example).

It would be cool if golink templates have the field Port, so it would be possible to have a link like:

go/lh -> http://localhost{{if .Port}}:{{.Port}}{{end}}
go/lh:8080 -> http://localhost:8080
go/lh:9090 -> http://localhost:9090

Suggestion:
I think that it's a good idea to support tailscale client flags via env vars.
This will allow the use of the node as an exit-node for example.

It would be nice if golink could serve over https. Some browsers really don't like plain text http.

Tailscale supports this for serving: https://github.com/tailscale/tailscale/blob/main/client/tailscale/example/servetls/servetls.go

But I could not find the equivalent in tsnet. The only reference I found to SSL was here: https://github.com/tailscale/tailscale/blob/main/tsnet/tsnet.go#L377

Trying to deploy on Fly.io and hitting a new error:

#11 0.677 # cd /work; git status --porcelain
#11 0.677 fatal: detected dubious ownership in repository at '/work'
#11 0.677 To add an exception for this directory, call:
#11 0.677
#11 0.677       git config --global --add safe.directory /work
#11 0.678 error obtaining VCS status: exit status 128
#11 0.678       Use -buildvcs=false to disable VCS stamping

I was trying to edit a link I made from my phone and it told me I wasn't the owner and [my address] was. This was surprising. I came back and looked from my computer and saw the same thing.

So I looked at another link that I'd made more recently and I saw that the owner was tagged-devices.

A possible workaround might be #18, but I'm very strongly advocating for this at work, so it might be good to have a better understanding of what's going on here.

Delete is covered, but we could cover more.

I have both hosts directly on my tailnet and those connected to it via subnet routes. When I use one of the former to create a link or access link details, it works great, but if I try and use one of the latter, it fails with the error:

404 Not Found: no match for IP:port

although using the links works fine. I suspect this is because it can't find the Tailscale user from the address of indirectly connected hosts.

Is there a way around this? Perhaps by also checking the subnet route list if the host IP isn't in the tailnet range?

It was really awesome to see that HTTPS was getting added in #99, to resolve #29, which helps workflows for some people. However, I'd rather have HTTPS turned off. I've configured my browser to ignore the missing HTTPS, and don't use the opensearch xml feature. One of the downsides of having this turned on, is that golink needs to acquire a new cert on initial deployment, which takes time to get the service live (not a big problem, but also a bit annoying).

I know you can turn off HTTPS from the Admin console, which I did, as I don't use the HTTPS feature of Tailscale atm. However, I'd like to be able to turn this on in the future, and don't get golink breaking on this, which I'll have completely forgotten about in a couple of months.

Yeah, I know, I guess XKCD 1172 is applicable ;) Though, I am willing to contribute a PR, which I'd gladly do. Would you be willing to accept a PR to add support for a configuration flag to override this behavior?

I am executing this command

docker run -it -v --rm -e TS_AUTHKEY='tskey-auth-kc<>Jn' -v /tmp/golink:/root ghcr.io/tailscale/golink:main  -sqlitedb /root/test.db -verbose

The output looks good: Serving http://go/ ...

I can resolve the hostname:

dscacheutil -q host -a name go
name: go.tig<>.ts.net
ip_address: 100.<>.217.100

But when I attempt to visit http://go the connection times out:

curl go
curl: (28) Failed to connect to go port 80 after 75007 ms: Operation timed out

I must be holding it wrong :)

currently, golink is singly-homed. That can make your coworkers sad when that one instance goes down for whatever reason. We should allow for running multiple redundant copies of golink. At a minimum, we should make it easier to run read-only replicas. Much fancier would be to allow secondary replicas to proxy writes to a single primary replica.

Related: https://github.com/tailscale/corp/issues/18849

Running a minimal container with no volume mounts results in

docker run --rm ghcr.io/tailscale/golink:main
2022/11/14 14:34:02 NewSQLiteDB("/root/golink.db"): unable to open database file: out of memory (14)

or

version: "3"
services:
  golink:
    image: ghcr.io/tailscale/golink:main
    container_name: golink
    restart: unless-stopped
    command: "-verbose -sqlitedb /root/golink.db"

2022/11/14 14:30:55 NewSQLiteDB("/root/golink.db"): unable to open database file: out of memory (14)

However, running and building the binary directly works without an issue:

go run github.com/tailscale/golink/cmd/golink@latest -verbose -sqlitedb /persist/golink/golink.db

Not sure if this is specific to my setup or a wider issue with some more common update. Running Ubuntu 22.04.3, and after a series of system/application updates I'm now getting the below error when trying to start the golinks service using the following Terminal command:

TS_AUTHKEY="tskey-auth-{keygoeshere}" go run ./cmd/golink -sqlitedb golink.db

imports github.com/tailscale/golink
imports tailscale.com/tsnet
imports tailscale.com/ipn/ipnlocal
imports tailscale.com/wgengine
imports tailscale.com/net/tstun
imports gvisor.dev/gvisor/pkg/tcpip
imports gvisor.dev/gvisor/pkg/atomicbitops
imports gvisor.dev/gvisor/pkg/state
imports gvisor.dev/gvisor/pkg/state/wire
imports gvisor.dev/gvisor/pkg/gohacks: build constraints exclude all Go files in /home/administrator/go/pkg/mod/gvisor.dev/[email protected]/pkg/gohacks

Also a Linux complete noob, but I tried running "./update-flake.sh" and "go clean -modcache" which both completed -though the error remains.

If you are not running golink out of a container, it would be helpful to have
a systemd unit file to start the service.

(In my particular case, I'm running two separate golink instance on the same
machine, so that probably means two separate systemd configurations.)

IANAL.

The founder of https://golinks.io holds a number of U.S. trademarks related to the name "GO LINKS". If nobody has done so, it may be advisable to seek guidance from legal to avoid any sort of tiff with a product that offers exactly this functionality that is covered under existing U.S. trademarks.

System configuration: Safari Version 16.0 (17614.1.25.9.10, 17614), macOS Monterey 12.6 (21G115).

I have set up a "go" endpoint, and when I type "go" into the search / URL entry box, it properly sends me to the "go" endpoint on my talent.

I have a link defined, go/gmail . It's listed as a "popular link", and when I click on it it does the expected thing and redirects.

However.

If I type go/gmail into the URL entry box at the top, the system misinterprets go/gmail as a search string, and puts me on a Google search results page.

The issue appears to be "Safari ignores local domain" - https://discussions.apple.com/thread/5504425 - and the suggested workaround (ick) is to either use a fully qualified domain name, or use the http:// prefix. (Or, probably, use Chrome.)

Since #3 was merged neither the export nor the detail API endpoint provide click counts anymore. It might not be required or desirable for snapshots / backups, but it would be great for other integrations e.g. to better sort search results (I made myself a little Alfred integration).

Could we bring back the (optional) export of click counts? Or is there some important reason this functionality was removed?

Hi folks,

Thanks for putting this together, it's incredible!

We're using this in a smaller company, and would like the ability to opt-out of ownership checks when editing links. At our scale (<10 engs) it's somewhat more useful to let anyone change these.

Ideally this would be a checkbox during the golink creation, thinking we can iterate towards there. Useful crawl solution can be a global flag to opt-out of the checks (a la -skip-ownership-checks).

Happy to take this on if you think it's directionally right.

With MagicDNS disabled:

$ dig go +short
100.99.0.1

$ curl go/ -I
curl: (28) Failed to connect to go port 80 after 75437 ms: Couldn't connect to server

With MagicDNS enabled (and a restart):

$ curl go/ -I
НТТР/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https:/go.bunny-major.ts.net/
Date: Tue, 19 Dec 2023 18:06:27 GMT

НТТР/1.1 200 0K
Date: Tue, 19 Dec 2023 18:06:27 GMT

The docker logs say:

2023/12/19 18:01:11 tsnet: you must enable HTTPS in the admin panel to proceed. 

Entire log after a restart with MagicDNS disabled: https://pastebin.com/921CSuZZ (can't include it here -- too long)

Status: Downloaded newer image for ghcr.io/tailscale/golink:main
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm/v7) and no specific platform was requested

Hi, any resource to pass this? Attempting to run via docker on my Turris Omnia (Marvell Armada 385 (dual core armv7) running Turris OS(OpenWRT Fork))

Currently each link is owned by a single user, which means that this user needs to always be responsible for managing this link.
It would be swell to make ownership for a link delegated to multiple users (either manually in-app or groups defined in Access Controls in Tailscale).

The release notes for Tailscale 1.68 mention "Auto-updates are available for containers" so presumably if we can get an updated version of the golink container with 1.68 this should mean no more issues like #96 or #41 (or indeed this one)?

Unless I'm missing something, I'd be great to have a way to delete golinks that are no longer needed. I've tried everything I can reasonably think of:

• Sending DELETE requests to go/<name>+ (results in the server just responding with the details for the shortname);
• Sending DELETE requests to go/<name> (results in the server redirecting me to the destination);
• Appending ?action=delete onto go/<name>+ (results in 404)
• Even clearing one or both of the shortname and destination fields in the golink web editor (results in "please fill out this field")

When pinning the go/ tab, I noticed it doesn't have a favicon so it's just showing as a blank box in Safari (haven't tested on other browsers):

It would be great to have some sort of icon included.