1
0
mirror of https://github.com/juanfont/headscale.git synced 2025-08-14 13:51:01 +02:00
This commit is contained in:
Jisse Meruma 2025-03-03 08:55:24 +01:00 committed by GitHub
commit 5d114341e2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 84 additions and 0 deletions

View File

@ -40,6 +40,16 @@ grpc_listen_addr: 127.0.0.1:50443
# are doing.
grpc_allow_insecure: false
# The allow_origins list will allow you to set the Access-Control-Allow-Origin header to the origin in the list.
# This will allow you to enable cors and set headscale without a reverse proxy.
# Multiple origins can be set in the allow_origins list.
# Options:
# - "*" is disabled (due to security risks).
# - "https://example.com" to only allow access from a specific origin.
# - "https://example.com:1234" to allow access from a specific origin with a port.
cors:
allow_origins: []
# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:

View File

@ -455,10 +455,66 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error {
return os.Remove(h.cfg.UnixSocket)
}
// corsHeaderMiddleware will add an "Access-Control-Allow-Origin" to enable CORS.
func (h *Headscale) corsHeadersMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// skip disabled CORS endpoints
if !h.enabledCorsRoutes(r.URL.Path) {
next.ServeHTTP(w, r)
return
}
origin := r.Header.Get("Origin")
// we compare origin from the allowed Origins list. Then add the header with origin
for _, allowedOrigin := range h.cfg.AllowedOrigins.Origins {
if allowedOrigin == origin {
w.Header().Set("Vary", "Origin")
w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
break
}
}
next.ServeHTTP(w, r)
})
}
func (h *Headscale) enabledCorsRoutes(routerPath string) bool {
// enable all api endpoints
if strings.HasPrefix(routerPath, "/api/") {
return true
}
// A list of enabled CORS endpoints
enabledRoutes := []string{
"/health",
"/key",
"/register/{registration_id}",
"/oidc/callback",
"/verify",
"/derp",
"/derp/probe",
"/derp/latency-check",
"/bootstrap-dns",
"/machine/register",
"/machine/map",
}
for _, routes := range enabledRoutes {
if routes == routerPath {
return true
}
}
return false
}
func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
router := mux.NewRouter()
router.Use(prometheusMiddleware)
if len(h.cfg.AllowedOrigins.Origins) != 0 {
router.Use(h.corsHeadersMiddleware)
}
router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost, http.MethodGet)
router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)

View File

@ -66,6 +66,8 @@ type Config struct {
Log LogConfig
DisableUpdateCheck bool
AllowedOrigins CorsConfig
Database DatabaseConfig
DERP DERPConfig
@ -206,6 +208,10 @@ type LogTailConfig struct {
Enabled bool
}
type CorsConfig struct {
Origins []string
}
type CLIConfig struct {
Address string
APIKey string
@ -328,6 +334,8 @@ func LoadConfig(path string, isFile bool) error {
viper.SetDefault("tuning.batch_change_delay", "800ms")
viper.SetDefault("tuning.node_mapsession_buffered_chan_size", 30)
viper.SetDefault("access_control_allow_origin", "")
viper.SetDefault("prefixes.allocation", string(IPAllocationStrategySequential))
if err := viper.ReadInConfig(); err != nil {
@ -513,6 +521,14 @@ func logtailConfig() LogTailConfig {
}
}
func corsConfig() CorsConfig {
allowedOrigins := viper.GetStringSlice("cors.allowed_origins")
return CorsConfig{
Origins: allowedOrigins,
}
}
func policyConfig() PolicyConfig {
policyPath := viper.GetString("policy.path")
policyMode := viper.GetString("policy.mode")
@ -886,6 +902,8 @@ func LoadServerConfig() (*Config, error) {
GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
DisableUpdateCheck: false,
AllowedOrigins: corsConfig(),
PrefixV4: prefix4,
PrefixV6: prefix6,
IPAllocation: IPAllocationStrategy(alloc),