From 315ff9daf064d9ac78af14fa245ebb0136e24863 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Sat, 12 Feb 2022 19:35:55 +0000
Subject: [PATCH] Remove insecure, only allow valid certs

---
 app.go | 7 +++----
 cmd/headscale/cli/utils.go | 21 +++++----------------
 docs/remote-cli.md | 4 ++--
 3 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/app.go b/app.go
index aad8156..4922fba 100644
--- a/app.go
+++ b/app.go
@@ -119,10 +119,9 @@ type DERPConfig struct {
 }
 type CLIConfig struct {
- Address string
- APIKey string
- Insecure bool
- Timeout time.Duration
+ Address string
+ APIKey string
+ Timeout time.Duration
 }
 // Headscale represents the base app of the service.
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
index 6a95e27..072e304 100644
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -59,7 +59,6 @@ func LoadConfig(path string) error {
 viper.SetDefault("grpc_listen_addr", ":50443")
- viper.SetDefault("cli.insecure", false)
 viper.SetDefault("cli.timeout", "5s")
 if err := viper.ReadInConfig(); err != nil {
@@ -326,10 +325,9 @@ func getHeadscaleConfig() headscale.Config {
 },
 CLI: headscale.CLIConfig{
- Address: viper.GetString("cli.address"),
- APIKey: viper.GetString("cli.api_key"),
- Insecure: viper.GetBool("cli.insecure"),
- Timeout: viper.GetDuration("cli.timeout"),
+ Address: viper.GetString("cli.address"),
+ APIKey: viper.GetString("cli.api_key"),
+ Timeout: viper.GetDuration("cli.timeout"),
 },
 }
 }
@@ -413,17 +411,8 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 grpc.WithPerRPCCredentials(tokenAuth{
 token: apiKey,
 }),
+ grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
 )
-
- if cfg.CLI.Insecure {
- grpcOptions = append(grpcOptions,
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- )
- } else {
- grpcOptions = append(grpcOptions,
- grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
- )
- }
 }
 log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
@@ -500,7 +489,7 @@ func (t tokenAuth) GetRequestMetadata(
 }
 func (tokenAuth) RequireTransportSecurity() bool {
- return false
+ return true
 }
 // loadOIDCMatchMap is a wrapper around viper to verifies that the keys in
diff --git a/docs/remote-cli.md b/docs/remote-cli.md
index 1a1dc1d..adcced7 100644
--- a/docs/remote-cli.md
+++ b/docs/remote-cli.md
@@ -88,5 +88,5 @@ Checklist:
 - Make sure you have the _same_ `headscale` version on your server and workstation
 - Make sure you use version `0.13.0` or newer.
-- Verify that your TLS certificate is valid
- - If it is not valid, set the environment variable `HEADSCALE_CLI_INSECURE=true` to allow insecure certs.
+- Verify that your TLS certificate is valid and trusted
- - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS.
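Review bot: The added `grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, ""))` verifies the server against the system root store only, so the only remaining path for a self-signed or private-CA deployment is the one the docs hunk describes, installing that certificate OS-wide, which extends trust to every TLS client on the workstation rather than just this CLI. A narrower replacement for the removed `cli.insecure` knob would be an optional CA bundle setting that is read into an `x509.CertPool` and passed as the first argument here, with `nil` keeping today's system-roots behavior; that also gives operators a place to pin a corporate CA without weakening verification. The empty second argument means the server name for SNI and hostname verification is taken from the dial address, which is the right default but worth a one-line comment on the added line, e.g. `// nil pool = system roots; "" = verify against the dialed host name`. `getHeadscaleCLIClient` starts and ends outside the hunk and the `if` block this append belongs to is only partly visible, so I cannot tell from here what the other branch dials with.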
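Review bot: The flip of `RequireTransportSecurity` to `return true` carries no comment, yet it is the part of the change that actually stops the API key from travelling in the clear: grpc-go refuses to dial a channel whose transport credentials are insecure when any attached `PerRPCCredentials` reports that it requires transport security, so a future caller that re-adds `insecure.NewCredentials()` next to `tokenAuth` fails at dial time instead of sending the key over plaintext. I would record that on the method: `// RequireTransportSecurity reports that the API key may only be sent over a TLS-protected connection; grpc-go rejects a dial that pairs tokenAuth with insecure transport credentials.` If `tokenAuth` is ever attached on a channel dialed without TLS (whether the local socket path does so is not visible in this hunk), that dial now errors, which is the intended behavior but deserves a test so the guarantee is not lost silently.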