Fix tailscale corner cases

Author: ericdallo

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Fix remote server failing to bind when other services (e.g. Tailscale) hold the same ports on different network interfaces, by falling back to `127.0.0.1` when `0.0.0.0` is unavailable.
+
 ## 0.116.2
 
 - Fix stopping a prompt corruping other cases of chat.

docs/config.json

@@ -354,8 +354,8 @@
         },
         "port": {
           "type": "integer",
-          "description": "Port the HTTP server listens on. When unset, tries port 7777, then 7778, 7779, etc. up to 10 attempts.",
-          "markdownDescription": "Port the HTTP server listens on. When unset, tries port `7777`, then `7778`, `7779`, etc. up to 10 attempts.",
+          "description": "Port the HTTP server listens on. When unset, tries port 7777, then 7778, 7779, etc. up to 20 attempts.",
+          "markdownDescription": "Port the HTTP server listens on. When unset, tries port `7777`, then `7778`, `7779`, etc. up to 20 attempts.",
           "examples": [
             7777
           ]

docs/config/remote.md

@@ -38,7 +38,7 @@ There are three ways to connect the web frontend to your ECA session. Pick the o
     3. Chrome will show a **Local Network Access** permission prompt — click **Allow**
 
     !!! note "Firewall"
-        Make sure your firewall allows incoming TCP connections on ports `7777`–`7787` (the default ECA port range) from your LAN.
+        Make sure your firewall allows incoming TCP connections on ports `7777`–`7796` (the default ECA port range) from your LAN.
         ECA starts using `7777` and increments for each server running on your machine.
 
 === "Tailscale / VPN"
@@ -60,14 +60,18 @@ There are three ways to connect the web frontend to your ECA session. Pick the o
     **Steps:**
 
     1. Install Tailscale and enable [HTTPS certificates](https://tailscale.com/kb/1153/enabling-https)
-    2. Expose the ECA port range via Tailscale serve so they are reachable over your tailnet:
+    2. Expose the ECA port range via Tailscale HTTPS serve so they are reachable over your tailnet:
 
         ```bash
-        sudo tailscale serve --bg --tcp 7777 tcp://localhost:7777
-        sudo tailscale serve --bg --tcp 7778 tcp://localhost:7778
-        # ... repeat for as many ports as you need (7777–7787)
+        sudo tailscale serve --bg --https 7777 http://localhost:7777
+        sudo tailscale serve --bg --https 7778 http://localhost:7778
+        # ... repeat for as many ports as you need (7777–7796)
         ```
 
+        !!! warning "Use `--https`, not `--tcp`"
+            `--tcp` creates a raw TCP proxy that browsers cannot connect to.
+            `--https` creates a proper HTTPS reverse proxy with valid certificates, which is required for browser-based access from `web.eca.dev`.
+
     3. Start ECA — it will log the connection URL and auth token to stderr. The URL is a deep-link you can open directly:
 
         ```
@@ -117,7 +121,7 @@ All connection methods support the same config options:
     "enabled": true,
     // optional — useful for specifying custom dns like tailscale or your local ip, just for logging purposes in stderr/welcome message
     "host": "192.168.1.42",
-    // optional — defaults to 7777 (auto-increments until 7787 if busy)
+    // optional — defaults to 7777 (auto-increments until 7796 if busy)
     "port": 9876,
     // optional — a random pass is auto-generated when unset, you can use ${env:...}
     "password": "my-secret-token"
@@ -129,6 +133,6 @@ All connection methods support the same config options:
 
 The web frontend provides a connect form where you enter the host and password (or use the deep-link URL logged by ECA).
 
-**Auto-discovery** — When you enter a host and click "Discover", the web UI scans ports `7777`–`7787` in parallel and finds all running ECA instances automatically. This is the default port range ECA uses when auto-assigning ports.
+**Auto-discovery** — When you enter a host and click "Discover", the web UI scans ports `7777`–`7796` in parallel and finds all running ECA instances automatically. This is the default port range ECA uses when auto-assigning ports.
 
 **Multi-session** — You can connect to multiple ECA instances simultaneously. Each connection appears as a tab in the top bar, letting you switch between sessions.

src/eca/remote/server.clj

@@ -63,23 +63,35 @@
     (.isSiteLocalAddress (InetAddress/getByName ip))
     (catch Exception _ false)))
 
-(defn ^:private try-start-jetty
-  "Attempts to start Jetty on the given port. Returns the Server on success,
-   nil when the port is already in use (BindException or Jetty's wrapping IOException)."
+(def ^:private bind-hosts
+  "Ordered list of bind addresses to try per port.
+   0.0.0.0 gives full connectivity; 127.0.0.1 is the fallback when another
+   service (e.g. Tailscale) already holds the port on a specific interface."
+  ["0.0.0.0" "127.0.0.1"])
+
+(defn ^:private try-start-jetty-any-host
+  "Tries to start Jetty on the given port, attempting each bind address in
+   bind-hosts order. Returns the Server on success, nil if all fail."
   ^Server [handler port]
-  (try
-    (jetty/run-jetty handler {:port port :host "0.0.0.0" :join? false})
-    (catch BindException _ nil)
-    (catch IOException _ nil)))
+  (reduce (fn [_ bind-host]
+            (try
+              (let [server (jetty/run-jetty handler {:port port :host bind-host :join? false})]
+                (logger/debug logger-tag (str "Bound to " bind-host ":" port))
+                (reduced server))
+              (catch BindException _ nil)
+              (catch IOException _ nil)))
+          nil
+          bind-hosts))
 
 (defn ^:private start-with-retry
   "Tries sequential ports starting from base-port up to max-port-attempts.
+   For each port, tries all bind-hosts before moving to the next port.
    Returns [server actual-port] on success, nil if all attempts fail."
   [handler base-port]
   (loop [port base-port
          attempts 0]
     (when (< attempts max-port-attempts)
-      (if-let [server (try-start-jetty handler port)]
+      (if-let [server (try-start-jetty-any-host handler port)]
         [server (.getLocalPort ^NetworkConnector (first (.getConnectors ^Server server)))]
         (do (logger/debug logger-tag (str "Port " port " in use, trying " (inc port) "..."))
             (recur (inc port) (inc attempts)))))))
@@ -106,8 +118,8 @@
         (try
           (if-let [[^Server jetty-server actual-port]
                    (if user-port
-                     ;; User-specified port: single attempt, no retry
-                     (if-let [server (try-start-jetty handler user-port)]
+                     ;; User-specified port: single attempt, try all bind hosts
+                     (if-let [server (try-start-jetty-any-host handler user-port)]
                        [server (.getLocalPort ^NetworkConnector (first (.getConnectors ^Server server)))]
                        (do (logger/warn logger-tag "Port" user-port "is already in use."
                                         "Remote server will not start.")