Mirrors/juanfont.headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-10-28 10:51:44 +01:00
Code Issues Projects Releases Wiki Activity

Remove insecure, only allow valid certs

Browse Source
This commit is contained in:
Kristoffer Dalby 2022-02-12 19:35:55 +00:00
parent 4078e75b50
commit 315ff9daf0
3 changed files with 10 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app.go
View File

@ -121,7 +121,6 @@ type DERPConfig struct {
type CLIConfig struct { type CLIConfig struct {
Address string Address string
APIKey string APIKey string
Insecure bool
Timeout time.Duration Timeout time.Duration
} }

13
cmd/headscale/cli/utils.go
View File

@ -59,7 +59,6 @@ func LoadConfig(path string) error {
viper.SetDefault("grpc_listen_addr", ":50443") viper.SetDefault("grpc_listen_addr", ":50443")
viper.SetDefault("cli.insecure", false)
viper.SetDefault("cli.timeout", "5s") viper.SetDefault("cli.timeout", "5s")
if err := viper.ReadInConfig(); err != nil { if err := viper.ReadInConfig(); err != nil {
@ -328,7 +327,6 @@ func getHeadscaleConfig() headscale.Config {
CLI: headscale.CLIConfig{ CLI: headscale.CLIConfig{
Address: viper.GetString("cli.address"), Address: viper.GetString("cli.address"),
APIKey: viper.GetString("cli.api_key"), APIKey: viper.GetString("cli.api_key"),
Insecure: viper.GetBool("cli.insecure"),
Timeout: viper.GetDuration("cli.timeout"), Timeout: viper.GetDuration("cli.timeout"),
}, },
} }
@ -413,18 +411,9 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
grpc.WithPerRPCCredentials(tokenAuth{ grpc.WithPerRPCCredentials(tokenAuth{
token: apiKey, token: apiKey,
}), }),
)
if cfg.CLI.Insecure {
grpcOptions = append(grpcOptions,
grpc.WithTransportCredentials(insecure.NewCredentials()),
)
} else {
grpcOptions = append(grpcOptions,
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
) )
} }
}
log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC") log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
conn, err := grpc.DialContext(ctx, address, grpcOptions...) conn, err := grpc.DialContext(ctx, address, grpcOptions...)
@ -500,7 +489,7 @@ func (t tokenAuth) GetRequestMetadata(
} }
func (tokenAuth) RequireTransportSecurity() bool { func (tokenAuth) RequireTransportSecurity() bool {
return false return true
} }
// loadOIDCMatchMap is a wrapper around viper to verifies that the keys in // loadOIDCMatchMap is a wrapper around viper to verifies that the keys in

4
docs/remote-cli.md
View File

@ -88,5 +88,5 @@ Checklist:
- Make sure you have the _same_ `headscale` version on your server and workstation - Make sure you have the _same_ `headscale` version on your server and workstation
- Make sure you use version `0.13.0` or newer. - Make sure you use version `0.13.0` or newer.
- Verify that your TLS certificate is valid - Verify that your TLS certificate is valid and trusted
- If it is not valid, set the environment variable `HEADSCALE_CLI_INSECURE=true` to allow insecure certs. - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS.