Do not offer the option to be DERP insecure

Websockets, in which DERP is based, requires a TLS certificate. At the same time, if we use a certificate it must be valid... otherwise Tailscale wont connect (does not have an Insecure option). So there is no option to expose insecure here
2025-10-28 10:51:44 +01:00 · 2022-03-05 19:19:21 +01:00 · 2022-03-05 19:19:21 +01:00 · df37d1a639
commit df37d1a639
parent 758b1ba1cb
3 changed files with 8 additions and 15 deletions
--- a/app.go
+++ b/app.go
@ -122,7 +122,6 @@ type OIDCConfig struct {

 type DERPConfig struct {
 	ServerEnabled   bool
-	ServerInsecure  bool
 	URLs            []url.URL
 	Paths           []string
 	AutoUpdate      bool
@ -280,11 +279,10 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 					Avoid:      false,
 					Nodes: []*tailcfg.DERPNode{
 						{
-							Name:             "999a",
-							RegionID:         999,
-							HostName:         host,
-							DERPPort:         port,
-							InsecureForTests: cfg.DERP.ServerInsecure,
+							Name:     "999a",
+							RegionID: 999,
+							HostName: host,
+							DERPPort: port,
 						},
 					},
 				},
@ -516,9 +514,9 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
 	router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)

 	if h.cfg.DERP.ServerEnabled {
-		router.Any("/derp", h.EmbeddedDERPHandler)
-		router.Any("/derp/probe", h.EmbeddedDERPProbeHandler)
-		router.Any("/bootstrap-dns", h.EmbeddedDERPBootstrapDNSHandler)
+		router.Any("/derp", h.DERPHandler)
+		router.Any("/derp/probe", h.DERPProbeHandler)
+		router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler)
 	}

 	api := router.Group("/api")
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@ -118,7 +118,6 @@ func LoadConfig(path string) error {

 func GetDERPConfig() headscale.DERPConfig {
 	enabled := viper.GetBool("derp.server.enabled")
-	insecure := viper.GetBool("derp.server.insecure")

 	urlStrs := viper.GetStringSlice("derp.urls")

@ -142,7 +141,6 @@ func GetDERPConfig() headscale.DERPConfig {

 	return headscale.DERPConfig{
 		ServerEnabled:   enabled,
-		ServerInsecure:  insecure,
 		URLs:            urls,
 		Paths:           paths,
 		AutoUpdate:      autoUpdate,
--- a/config-example.yaml
+++ b/config-example.yaml
@ -57,12 +57,9 @@ ip_prefixes:
 derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: false

-    # Insecure mode is recommended only for tests. It indicates the tailscale clients
-    # to use insecure connections to this server.
-    insecure: false
-
  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default