Add insecure option

Add an option to skip _validating_ whether the certificate served by headscale
is trusted.
This commit is contained in:
Kristoffer Dalby 2022-02-13 08:41:49 +00:00
parent 4841e16386
commit 0018a78d5a
3 changed files with 28 additions and 9 deletions

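--- a/app.go
+++ b/app.go
@@ -120,9 +120,10 @@ type DERPConfig struct {
 }
 type CLIConfig struct {
 	Address string
 	APIKey string
 	Timeout time.Duration
+	Insecure bool
 }
 // Headscale represents the base app of the service.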
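Review bot: The new `Insecure` field on `CLIConfig` carries no comment, yet its effect elsewhere in this commit is to turn off TLS certificate verification for the CLI's gRPC connection, which is exactly the kind of knob a reader should not have to guess about. Suggest documenting it in place: `// Insecure disables TLS certificate and hostname verification when the CLI connects to the server; intended only for test setups with self-signed certificates.` The field sits between `Timeout` and the closing brace, so gofmt will realign the type column of the whole struct; the rendering here drops that whitespace, so this is inferred rather than visible.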


@ -2,6 +2,7 @@ package cli
import ( import (
"context" "context"
"crypto/tls"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@ -60,6 +61,7 @@ func LoadConfig(path string) error {
viper.SetDefault("grpc_listen_addr", ":50443") viper.SetDefault("grpc_listen_addr", ":50443")
viper.SetDefault("cli.timeout", "5s") viper.SetDefault("cli.timeout", "5s")
viper.SetDefault("cli.insecure", false)
if err := viper.ReadInConfig(); err != nil { if err := viper.ReadInConfig(); err != nil {
return fmt.Errorf("fatal error reading config file: %w", err) return fmt.Errorf("fatal error reading config file: %w", err)
@ -325,9 +327,10 @@ func getHeadscaleConfig() headscale.Config {
}, },
CLI: headscale.CLIConfig{ CLI: headscale.CLIConfig{
Address: viper.GetString("cli.address"), Address: viper.GetString("cli.address"),
APIKey: viper.GetString("cli.api_key"), APIKey: viper.GetString("cli.api_key"),
Timeout: viper.GetDuration("cli.timeout"), Timeout: viper.GetDuration("cli.timeout"),
Insecure: viper.GetBool("cli.insecure"),
}, },
} }
} }
@ -411,8 +414,22 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
grpc.WithPerRPCCredentials(tokenAuth{ grpc.WithPerRPCCredentials(tokenAuth{
token: apiKey, token: apiKey,
}), }),
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
) )
if cfg.CLI.Insecure {
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
}
grpcOptions = append(grpcOptions,
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
)
} else {
grpcOptions = append(grpcOptions,
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
)
}
} }
log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC") log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
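Review bot: `InsecureSkipVerify: true` in the new `if cfg.CLI.Insecure` branch disables both chain and hostname verification, so any server that can intercept the connection and present a certificate receives the API key that the `tokenAuth` per-RPC credentials attach to every call, and nothing in the hunk warns the operator of that. Suggest emitting a warning inside that branch before the append, e.g. `log.Warn().Msg("cli.insecure is set: TLS certificate verification is disabled, the API key can be captured by an impersonating server")`, plus a one-line comment that the option exists only for self-signed test setups. The documentation in the same commit tells users to set `HEADSCALE_CLI_INSECURE` to 0, but with the `false` default set on `cli.insecure` and `viper.GetBool("cli.insecure")` a value of 0 keeps verification on, so that presumably should read 1 (the env-variable binding itself is not visible in this hunk). `getHeadscaleCLIClient` begins and ends outside the hunk.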


@ -5,7 +5,7 @@
- A workstation to run `headscale` (could be Linux, macOS, other supported platforms) - A workstation to run `headscale` (could be Linux, macOS, other supported platforms)
- A `headscale` server (version `0.13.0` or newer) - A `headscale` server (version `0.13.0` or newer)
- Access to create API keys (local access to the `headscale` server) - Access to create API keys (local access to the `headscale` server)
- `headscale` _must_ be served over TLS/HTTPS with a _trusted_ certificate - `headscale` _must_ be served over TLS/HTTPS
- Remote access does _not_ support unencrypted traffic. - Remote access does _not_ support unencrypted traffic.
- Port `50443` must be open in the firewall (or port overriden by `grpc_listen_addr` option) - Port `50443` must be open in the firewall (or port overriden by `grpc_listen_addr` option)
@ -89,4 +89,5 @@ Checklist:
- Make sure you have the _same_ `headscale` version on your server and workstation - Make sure you have the _same_ `headscale` version on your server and workstation
- Make sure you use version `0.13.0` or newer. - Make sure you use version `0.13.0` or newer.
- Verify that your TLS certificate is valid and trusted - Verify that your TLS certificate is valid and trusted
- If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS. - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS or
- Set `HEADSCALE_CLI_INSECURE` to 0 in your environement