Allow gRPC server to run insecure
parent
c3b68adfed
commit
4e54796384
3 changed files with 23 additions and 14 deletions
22
app.go
22
app.go
|
@ -69,6 +69,7 @@ type Config struct {
|
||||||
ServerURL string
|
ServerURL string
|
||||||
Addr string
|
Addr string
|
||||||
GRPCAddr string
|
GRPCAddr string
|
||||||
|
GRPCAllowInsecure bool
|
||||||
EphemeralNodeInactivityTimeout time.Duration
|
EphemeralNodeInactivityTimeout time.Duration
|
||||||
IPPrefixes []netaddr.IPPrefix
|
IPPrefixes []netaddr.IPPrefix
|
||||||
PrivateKeyPath string
|
PrivateKeyPath string
|
||||||
|
@ -567,8 +568,7 @@ func (h *Headscale) Serve() error {
|
||||||
// https://github.com/soheilhy/cmux/issues/68
|
// https://github.com/soheilhy/cmux/issues/68
|
||||||
// https://github.com/soheilhy/cmux/issues/91
|
// https://github.com/soheilhy/cmux/issues/91
|
||||||
|
|
||||||
// If TLS has been enabled, set up the remote gRPC server
|
if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
|
||||||
if tlsConfig != nil {
|
|
||||||
log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
|
log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
|
||||||
|
|
||||||
grpcOptions := []grpc.ServerOption{
|
grpcOptions := []grpc.ServerOption{
|
||||||
|
@ -578,7 +578,14 @@ func (h *Headscale) Serve() error {
|
||||||
zerolog.NewUnaryServerInterceptor(),
|
zerolog.NewUnaryServerInterceptor(),
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
grpc.Creds(credentials.NewTLS(tlsConfig)),
|
}
|
||||||
|
|
||||||
|
if tlsConfig != nil {
|
||||||
|
grpcOptions = append(grpcOptions,
|
||||||
|
grpc.Creds(credentials.NewTLS(tlsConfig)),
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
log.Warn().Msg("gRPC is running without security")
|
||||||
}
|
}
|
||||||
|
|
||||||
grpcServer := grpc.NewServer(grpcOptions...)
|
grpcServer := grpc.NewServer(grpcOptions...)
|
||||||
|
@ -586,12 +593,7 @@ func (h *Headscale) Serve() error {
|
||||||
v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
|
v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
|
||||||
reflection.Register(grpcServer)
|
reflection.Register(grpcServer)
|
||||||
|
|
||||||
var grpcListener net.Listener
|
grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
|
||||||
// if tlsConfig != nil {
|
|
||||||
// grpcListener, err = tls.Listen("tcp", h.cfg.GRPCAddr, tlsConfig)
|
|
||||||
// } else {
|
|
||||||
grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
|
|
||||||
// }
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to bind to TCP address: %w", err)
|
return fmt.Errorf("failed to bind to TCP address: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -600,8 +602,6 @@ func (h *Headscale) Serve() error {
|
||||||
|
|
||||||
log.Info().
|
log.Info().
|
||||||
Msgf("listening and serving gRPC on: %s", h.cfg.GRPCAddr)
|
Msgf("listening and serving gRPC on: %s", h.cfg.GRPCAddr)
|
||||||
} else {
|
|
||||||
log.Info().Msg("TLS is not configured, not enabling remote gRPC")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
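Review bot: When `GRPCAllowInsecure` is set and `tlsConfig` is nil, the new `else` branch in the third hunk of Serve() only logs `gRPC is running without security` before the server is bound with `net.Listen("tcp", h.cfg.GRPCAddr)`. The default for that address shown elsewhere on this page is `:50443`, so the admin API and the service added by `reflection.Register(grpcServer)` are served in cleartext on every interface. Anything a client sends on that channel, presumably including whatever credentials the interceptor chain (only partly visible here) checks, is readable on the network path. I would put the address and the consequence in the warning, e.g. `log.Warn().Msgf("gRPC at %s is running without TLS; requests and credentials are sent unencrypted", h.cfg.GRPCAddr)`, and consider refusing a non-loopback `GRPCAddr` in this mode unless the operator asks for it explicitly. The last hunk also removes the `TLS is not configured, not enabling remote gRPC` message, so a deployment with neither TLS nor the flag no longer logs why remote gRPC is off; Serve() begins and ends outside these hunks.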
|
@ -59,6 +59,7 @@ func LoadConfig(path string) error {
|
||||||
viper.SetDefault("unix_socket_permission", "0o770")
|
viper.SetDefault("unix_socket_permission", "0o770")
|
||||||
|
|
||||||
viper.SetDefault("grpc_listen_addr", ":50443")
|
viper.SetDefault("grpc_listen_addr", ":50443")
|
||||||
|
viper.SetDefault("grpc_allow_insecure", false)
|
||||||
|
|
||||||
viper.SetDefault("cli.timeout", "5s")
|
viper.SetDefault("cli.timeout", "5s")
|
||||||
viper.SetDefault("cli.insecure", false)
|
viper.SetDefault("cli.insecure", false)
|
||||||
|
@ -281,9 +282,11 @@ func getHeadscaleConfig() headscale.Config {
|
||||||
}
|
}
|
||||||
|
|
||||||
return headscale.Config{
|
return headscale.Config{
|
||||||
ServerURL: viper.GetString("server_url"),
|
ServerURL: viper.GetString("server_url"),
|
||||||
Addr: viper.GetString("listen_addr"),
|
Addr: viper.GetString("listen_addr"),
|
||||||
GRPCAddr: viper.GetString("grpc_listen_addr"),
|
GRPCAddr: viper.GetString("grpc_listen_addr"),
|
||||||
|
GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
|
||||||
|
|
||||||
IPPrefixes: prefixes,
|
IPPrefixes: prefixes,
|
||||||
PrivateKeyPath: absPath(viper.GetString("private_key_path")),
|
PrivateKeyPath: absPath(viper.GetString("private_key_path")),
|
||||||
BaseDomain: baseDomain,
|
BaseDomain: baseDomain,
|
||||||
|
|
|
@ -23,6 +23,12 @@ listen_addr: 0.0.0.0:8080
|
||||||
# valid certificates.
|
# valid certificates.
|
||||||
grpc_listen_addr: 0.0.0.0:50443
|
grpc_listen_addr: 0.0.0.0:50443
|
||||||
|
|
||||||
|
# Allow the gRPC admin interface to run in INSECURE
|
||||||
|
# mode. This is not recommended as the traffic will
|
||||||
|
# be unencrypted. Only enable if you know what you
|
||||||
|
# are doing.
|
||||||
|
grpc_allow_insecure: false
|
||||||
|
|
||||||
# Private key used encrypt the traffic between headscale
|
# Private key used encrypt the traffic between headscale
|
||||||
# and Tailscale clients.
|
# and Tailscale clients.
|
||||||
# The private key file which will be
|
# The private key file which will be
|
||||||
|
|
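Review bot: The comment added for `grpc_allow_insecure` mentions only that traffic is unencrypted, although the entry directly above it is `grpc_listen_addr: 0.0.0.0:50443`. It does not tell the reader that enabling the flag with that address serves the admin interface without TLS on all interfaces. Without TLS the client also cannot verify the server, so requests can be altered in transit as well as read. I would add a line such as `# If enabled, set grpc_listen_addr to a loopback or otherwise trusted address; requests to this interface can be read or modified on the network.`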