Remove insecure, only allow valid certs
This commit is contained in:
parent
4078e75b50
commit
315ff9daf0
3 changed files with 10 additions and 22 deletions
7
app.go
7
app.go
|
@ -119,10 +119,9 @@ type DERPConfig struct {
|
|||
}
|
||||
|
||||
type CLIConfig struct {
|
||||
Address string
|
||||
APIKey string
|
||||
Insecure bool
|
||||
Timeout time.Duration
|
||||
Address string
|
||||
APIKey string
|
||||
Timeout time.Duration
|
||||
}
|
||||
|
||||
// Headscale represents the base app of the service.
|
||||
|
|
|
@ -59,7 +59,6 @@ func LoadConfig(path string) error {
|
|||
|
||||
viper.SetDefault("grpc_listen_addr", ":50443")
|
||||
|
||||
viper.SetDefault("cli.insecure", false)
|
||||
viper.SetDefault("cli.timeout", "5s")
|
||||
|
||||
if err := viper.ReadInConfig(); err != nil {
|
||||
|
@ -326,10 +325,9 @@ func getHeadscaleConfig() headscale.Config {
|
|||
},
|
||||
|
||||
CLI: headscale.CLIConfig{
|
||||
Address: viper.GetString("cli.address"),
|
||||
APIKey: viper.GetString("cli.api_key"),
|
||||
Insecure: viper.GetBool("cli.insecure"),
|
||||
Timeout: viper.GetDuration("cli.timeout"),
|
||||
Address: viper.GetString("cli.address"),
|
||||
APIKey: viper.GetString("cli.api_key"),
|
||||
Timeout: viper.GetDuration("cli.timeout"),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
@ -413,17 +411,8 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
|
|||
grpc.WithPerRPCCredentials(tokenAuth{
|
||||
token: apiKey,
|
||||
}),
|
||||
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
|
||||
)
|
||||
|
||||
if cfg.CLI.Insecure {
|
||||
grpcOptions = append(grpcOptions,
|
||||
grpc.WithTransportCredentials(insecure.NewCredentials()),
|
||||
)
|
||||
} else {
|
||||
grpcOptions = append(grpcOptions,
|
||||
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
|
||||
|
@ -500,7 +489,7 @@ func (t tokenAuth) GetRequestMetadata(
|
|||
}
|
||||
|
||||
func (tokenAuth) RequireTransportSecurity() bool {
|
||||
return false
|
||||
return true
|
||||
}
|
||||
|
||||
// loadOIDCMatchMap is a wrapper around viper to verifies that the keys in
|
||||
|
|
|
@ -88,5 +88,5 @@ Checklist:
|
|||
|
||||
- Make sure you have the _same_ `headscale` version on your server and workstation
|
||||
- Make sure you use version `0.13.0` or newer.
|
||||
- Verify that your TLS certificate is valid
|
||||
- If it is not valid, set the environment variable `HEADSCALE_CLI_INSECURE=true` to allow insecure certs.
|
||||
- Verify that your TLS certificate is valid and trusted
|
||||
- If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS.
|
||||
|
|
Loading…
Reference in a new issue