-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add verify client config for embedded DERP #2260
base: main
Are you sure you want to change the base?
Conversation
Without having had a look at this, it seems very unnecessary to roundtrip this both via the config and via the http endpoint. Can it not be passed internally as a function? if anything, I dont see why it should be configurable. |
@kradalby |
Ok, this rings a bell, I dont think the URL should be configurable, this should be internal, so we should populate it if it is enabled:
I'm on the fence if an option for fail open should be included, my rational is that it should be impossible for it to not be, and if it is you have bigger problems. The URL should be automatically populated and go over localhost, but it should have some logic in case a user uses a footgun like running it on |
I initially considered using httping test result
Due to the potential performance issues with server_url, I tried concatenating the verify URL using
I will remove this option later. |
I think the only thing you need to figure out is how headscale runs, we should code it, not make it configurable, we just need to make sure it doesnt fail if someone for some reason only bound headscale to IPv6 version of localhost. |
The issue I found is that if Headscale is configured with TLS enabled, attempting to access Headscale using localhost triggers a TLS certificate error:
One solution is to remind users in the documentation to map the headscale domain to localhost in their hosts file, but I don’t think this is ideal. I’m not sure if there’s a better solution.
I plan to concatenate the verification URL using |
I see, if headscale terminates the TLS, this is a problem yes, I really dont want to set up another port just for this purpose. I think one solution would be to try to make the http.Client overridable upstream, so we can inject our own that trusts that certificate, I can have a look at that tomorrow.
I dont think this is a viable solution.
Good, thank you. |
We should probably have a section in the integration tests using this option. |
@kradalby Do you think this solution is suitable? If so, I will add integration tests for it later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is neater, a couple of comments on renaming and restructuring, we probably dont want to use stuff made for testing in the prod path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, just need some integration tests to verify that it works as intended.
- register the `headscale://` protocol in `http.DefaultTransport` to intercept network requests - update configuration to use a single boolean option `verify_clients`
- `tailscale debug derp` use random node private key
a7cb0e2
to
07a3314
Compare
Added
verify_client_url
andverify_client_url_fail_open
configurations to support client verification in the embedded DERP server.