ipn,cmd/tailscale/cli: set correct SNI name for TLS-terminated TCP Services (#17752)

Fixes #17749.

Signed-off-by: Naman Sood <mail@nsood.in>

ipn/serve.go

@@ -433,24 +433,37 @@ func (sc *ServeConfig) SetTCPForwarding(port uint16, fwdAddr string, terminateTL
 	if sc == nil {
 		sc = new(ServeConfig)
 	}
-	tcpPortHandler := &sc.TCP
-	if svcName := tailcfg.AsServiceName(host); svcName != "" {
-		svcConfig, ok := sc.Services[svcName]
-		if !ok {
-			svcConfig = new(ServiceConfig)
-			mak.Set(&sc.Services, svcName, svcConfig)
-		}
-		tcpPortHandler = &svcConfig.TCP
-	}
-
-	handler := &TCPPortHandler{
+	mak.Set(&sc.TCP, port, &TCPPortHandler{
 		TCPForward:    fwdAddr,
 		ProxyProtocol: proxyProtocol, // can be 0
-	}
+	})
+
 	if terminateTLS {
-		handler.TerminateTLS = host
+		sc.TCP[port].TerminateTLS = host
+	}
+}
+
+// SetTCPForwardingForService sets the fwdAddr (IP:port form) to which to
+// forward connections from the given port on the service. If terminateTLS
+// is true, TLS connections are terminated, with only the FQDN that corresponds
+// to the given service being permitted, before passing them to the fwdAddr.
+func (sc *ServeConfig) SetTCPForwardingForService(port uint16, fwdAddr string, terminateTLS bool, svcName tailcfg.ServiceName, proxyProtocol int, magicDNSSuffix string) {
+	if sc == nil {
+		sc = new(ServeConfig)
+	}
+	svcConfig, ok := sc.Services[svcName]
+	if !ok {
+		svcConfig = new(ServiceConfig)
+		mak.Set(&sc.Services, svcName, svcConfig)
+	}
+	mak.Set(&svcConfig.TCP, port, &TCPPortHandler{
+		TCPForward:    fwdAddr,
+		ProxyProtocol: proxyProtocol, // can be 0
+	})
+
+	if terminateTLS {
+		svcConfig.TCP[port].TerminateTLS = fmt.Sprintf("%s.%s", svcName.WithoutPrefix(), magicDNSSuffix)
 	}
-	mak.Set(tcpPortHandler, port, handler)
 }
 
 // SetFunnel sets the sc.AllowFunnel value for the given host and port.