	Add insecure option
Add an option to skip _validating_ that the certificate served by headscale is trusted.
This commit is contained in:
		
							parent
							
								
									4841e16386
								
							
						
					
					
						commit
						0018a78d5a
					
				
							
								
								
									
										1
									
								
								app.go
									
									
									
									
									
								
							
							
						
						
									
										1
									
								
								app.go
									
									
									
									
									
								
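--- a/app.go
+++ b/app.go
@@ -123,6 +123,7 @@ type CLIConfig struct {
 	Address  string
 	APIKey   string
 	Timeout  time.Duration
+	Insecure bool
 }
 
 // Headscale represents the base app of the service.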
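Review bot: The new `Insecure` field on CLIConfig has no doc comment, and since it switches off certificate verification for the gRPC client its effect should be stated where it is declared. Suggested comment above the field: `// Insecure skips verification of the headscale server's TLS certificate when the CLI connects over gRPC; with it set, the API key is sent to whatever endpoint answers at Address.` The sibling fields are undocumented too, but this one changes the trust model and deserves the line.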
| @ -2,6 +2,7 @@ package cli | |||||||
| 
 | 
 | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
|  | 	"crypto/tls" | ||||||
| 	"encoding/json" | 	"encoding/json" | ||||||
| 	"errors" | 	"errors" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| @ -60,6 +61,7 @@ func LoadConfig(path string) error { | |||||||
| 	viper.SetDefault("grpc_listen_addr", ":50443") | 	viper.SetDefault("grpc_listen_addr", ":50443") | ||||||
| 
 | 
 | ||||||
| 	viper.SetDefault("cli.timeout", "5s") | 	viper.SetDefault("cli.timeout", "5s") | ||||||
|  | 	viper.SetDefault("cli.insecure", false) | ||||||
| 
 | 
 | ||||||
| 	if err := viper.ReadInConfig(); err != nil { | 	if err := viper.ReadInConfig(); err != nil { | ||||||
| 		return fmt.Errorf("fatal error reading config file: %w", err) | 		return fmt.Errorf("fatal error reading config file: %w", err) | ||||||
| @ -328,6 +330,7 @@ func getHeadscaleConfig() headscale.Config { | |||||||
| 			Address:  viper.GetString("cli.address"), | 			Address:  viper.GetString("cli.address"), | ||||||
| 			APIKey:   viper.GetString("cli.api_key"), | 			APIKey:   viper.GetString("cli.api_key"), | ||||||
| 			Timeout:  viper.GetDuration("cli.timeout"), | 			Timeout:  viper.GetDuration("cli.timeout"), | ||||||
|  | 			Insecure: viper.GetBool("cli.insecure"), | ||||||
| 		}, | 		}, | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
| @ -411,9 +414,23 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc. | |||||||
| 			grpc.WithPerRPCCredentials(tokenAuth{ | 			grpc.WithPerRPCCredentials(tokenAuth{ | ||||||
| 				token: apiKey, | 				token: apiKey, | ||||||
| 			}), | 			}), | ||||||
|  | 		) | ||||||
|  | 
 | ||||||
|  | 		if cfg.CLI.Insecure { | ||||||
|  | 			tlsConfig := &tls.Config{ | ||||||
|  | 				InsecureSkipVerify: true, | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
|  | 			grpcOptions = append(grpcOptions, | ||||||
|  | 				grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), | ||||||
|  | 			) | ||||||
|  | 
 | ||||||
|  | 		} else { | ||||||
|  | 			grpcOptions = append(grpcOptions, | ||||||
| 				grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), | 				grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), | ||||||
| 			) | 			) | ||||||
| 		} | 		} | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC") | 	log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC") | ||||||
| 	conn, err := grpc.DialContext(ctx, address, grpcOptions...) | 	conn, err := grpc.DialContext(ctx, address, grpcOptions...) | ||||||
|  | |||||||
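Review bot: The `cfg.CLI.Insecure` branch in getHeadscaleCLIClient sets `InsecureSkipVerify: true` silently, so a misconfigured or leftover `cli.insecure` means every invocation sends the API key (attached via `grpc.WithPerRPCCredentials` in the lines just above) to an unverified peer with no trace in the output; the branch should at least emit a warning alongside the existing trace log, e.g. `log.Warn().Str("address", address).Msg("TLS certificate verification disabled (cli.insecure); API key can be read by anyone intercepting the connection")`. The blank line before `} else {` is a stray formatting leftover. The config is read with `viper.GetBool("cli.insecure")` in the getHeadscaleConfig hunk, so the docs hunk in this commit telling users to set `HEADSCALE_CLI_INSECURE` to `0` appears inverted — `0` keeps verification on. getHeadscaleCLIClient begins and ends outside the hunk.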
| @ -5,7 +5,7 @@ | |||||||
| - A workstation to run `headscale` (could be Linux, macOS, other supported platforms) | - A workstation to run `headscale` (could be Linux, macOS, other supported platforms) | ||||||
| - A `headscale` server (version `0.13.0` or newer) | - A `headscale` server (version `0.13.0` or newer) | ||||||
| - Access to create API keys (local access to the `headscale` server) | - Access to create API keys (local access to the `headscale` server) | ||||||
| - `headscale` _must_ be served over TLS/HTTPS with a _trusted_ certificate | - `headscale` _must_ be served over TLS/HTTPS | ||||||
|   - Remote access does _not_ support unencrypted traffic. |   - Remote access does _not_ support unencrypted traffic. | ||||||
| - Port `50443` must be open in the firewall (or port overriden by `grpc_listen_addr` option) | - Port `50443` must be open in the firewall (or port overriden by `grpc_listen_addr` option) | ||||||
| 
 | 
 | ||||||
| @ -89,4 +89,5 @@ Checklist: | |||||||
| - Make sure you have the _same_ `headscale` version on your server and workstation | - Make sure you have the _same_ `headscale` version on your server and workstation | ||||||
| - Make sure you use version `0.13.0` or newer. | - Make sure you use version `0.13.0` or newer. | ||||||
| - Verify that your TLS certificate is valid and trusted | - Verify that your TLS certificate is valid and trusted | ||||||
|   - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS. |   - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS or | ||||||
|  |   - Set `HEADSCALE_CLI_INSECURE` to 0 in your environement | ||||||
|  | |||||||