gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Change default port order to 443, 3080 #4924

Closed klizhentas closed 3 years ago

klizhentas commented 3 years ago

Feature Request

tsh login --proxy=example.com by default tries 3080 and then 443. The problem is that most of the time 3080 is blocked, and the above command will hang before trying the next port, 443. Why don't we switch the order of ports, with 443 being the default and 3080 a fallback?

Motivation

This will improve UX for everyone

sskousen commented 3 years ago

Not sure if it would be possible, but using the Happy Eyeballs algorithm (https://tools.ietf.org/html/rfc8305), used for IPv4/IPv6, could give the best of both worlds. Basically, send a request on both 443 and 3080, and see which one comes back first (and is a valid teleport endpoint).

I was also bitten by the default 3080 thing, and switched from 443 just to make my developers' lives easier.

tcsc commented 3 years ago

Useful debugging tip: drop packets to 3080 on the loopback:

$ [sudo] iptables -I INPUT -i lo -p tcp --dport 3080 -j DROP

tcsc commented 3 years ago

Does this fallback behaviour still exist in teleport >= 6? When I run the current master it looks to time out on 3080 and then bail without trying anything else:

$ build/tsh login --insecure --proxy=localhost -d
DEBU [CLIENT]    open /home/trent/.tsh/localhost.yaml: no such file or directory client/api.go:719
INFO [CLIENT]    No teleport login given. defaulting to trent client/api.go:973
INFO [CLIENT]    no host login given. defaulting to trent client/api.go:983
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/run/user/1000/keyring/ssh" client/api.go:2618
DEBU [CLIENT]    attempting to use loopback pool for local proxy addr: localhost:3080 client/api.go:2582
DEBU [CLIENT]    could not open any path in: /var/lib/teleport/webproxy_cert.pem client/api.go:2588

ERROR REPORT:
Original Error: *url.Error Get "https://localhost:3080/webapi/ping": dial tcp 127.0.0.1:3080: connect: connection timed out
Stack Trace:
        /home/trent/work/teleport/vendor/github.com/gravitational/teleport/api/client/webclient.go:80 github.com/gravitational/teleport/api/client.Ping
        /home/trent/work/teleport/lib/client/api.go:2230 github.com/gravitational/teleport/lib/client.(*TeleportClient).Ping
        /home/trent/work/teleport/lib/client/api.go:2102 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
        /home/trent/work/teleport/tool/tsh/tsh.go:750 main.onLogin
        /home/trent/work/teleport/tool/tsh/tsh.go:547 main.Run
        /home/trent/work/teleport/tool/tsh/tsh.go:256 main.main
        /usr/local/go/src/runtime/proc.go:225 runtime.main
        /usr/local/go/src/runtime/asm_amd64.s:1371 runtime.goexit
User Message: Get "https://localhost:3080/webapi/ping": dial tcp 127.0.0.1:3080: connect: connection timed out

yusufharip commented 3 years ago

Hi @tcsc, how do I set up the config to enable accessing the web UI without a port at the end of the URL?

current --> https://teleport.myteam.com:3080 to be --> https://teleport.myteam.com

Is it possible right now?

nklaassen commented 3 years ago

Hi @yusufharip. To avoid specifying the port number in the URL, you will need to configure your teleport proxy to listen on the standard https port 443.

For this example, you would need a config like:

...
proxy_service:
  public_addr: teleport.myteam.com:443
  web_listen_addr: 0.0.0.0:443

You can check our configuration reference for more details.

yusufharip commented 3 years ago

Thanks @nklaassen, works perfectly.

russjones commented 3 years ago

Fixed in Teleport 6.2.