Allow gRPC server to run insecure
This commit is contained in:
parent
c3b68adfed
commit
4e54796384
3 changed files with 23 additions and 14 deletions
20
app.go
20
app.go
|
@ -69,6 +69,7 @@ type Config struct {
|
|||
ServerURL string
|
||||
Addr string
|
||||
GRPCAddr string
|
||||
GRPCAllowInsecure bool
|
||||
EphemeralNodeInactivityTimeout time.Duration
|
||||
IPPrefixes []netaddr.IPPrefix
|
||||
PrivateKeyPath string
|
||||
|
@ -567,8 +568,7 @@ func (h *Headscale) Serve() error {
|
|||
// https://github.com/soheilhy/cmux/issues/68
|
||||
// https://github.com/soheilhy/cmux/issues/91
|
||||
|
||||
// If TLS has been enabled, set up the remote gRPC server
|
||||
if tlsConfig != nil {
|
||||
if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
|
||||
log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
|
||||
|
||||
grpcOptions := []grpc.ServerOption{
|
||||
|
@ -578,7 +578,14 @@ func (h *Headscale) Serve() error {
|
|||
zerolog.NewUnaryServerInterceptor(),
|
||||
),
|
||||
),
|
||||
}
|
||||
|
||||
if tlsConfig != nil {
|
||||
grpcOptions = append(grpcOptions,
|
||||
grpc.Creds(credentials.NewTLS(tlsConfig)),
|
||||
)
|
||||
} else {
|
||||
log.Warn().Msg("gRPC is running without security")
|
||||
}
|
||||
|
||||
grpcServer := grpc.NewServer(grpcOptions...)
|
||||
|
@ -586,12 +593,7 @@ func (h *Headscale) Serve() error {
|
|||
v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
|
||||
reflection.Register(grpcServer)
|
||||
|
||||
var grpcListener net.Listener
|
||||
// if tlsConfig != nil {
|
||||
// grpcListener, err = tls.Listen("tcp", h.cfg.GRPCAddr, tlsConfig)
|
||||
// } else {
|
||||
grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
|
||||
// }
|
||||
grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to bind to TCP address: %w", err)
|
||||
}
|
||||
|
@ -600,8 +602,6 @@ func (h *Headscale) Serve() error {
|
|||
|
||||
log.Info().
|
||||
Msgf("listening and serving gRPC on: %s", h.cfg.GRPCAddr)
|
||||
} else {
|
||||
log.Info().Msg("TLS is not configured, not enabling remote gRPC")
|
||||
}
|
||||
|
||||
//
|
||||
|
|
|
@ -59,6 +59,7 @@ func LoadConfig(path string) error {
|
|||
viper.SetDefault("unix_socket_permission", "0o770")
|
||||
|
||||
viper.SetDefault("grpc_listen_addr", ":50443")
|
||||
viper.SetDefault("grpc_allow_insecure", false)
|
||||
|
||||
viper.SetDefault("cli.timeout", "5s")
|
||||
viper.SetDefault("cli.insecure", false)
|
||||
|
@ -284,6 +285,8 @@ func getHeadscaleConfig() headscale.Config {
|
|||
ServerURL: viper.GetString("server_url"),
|
||||
Addr: viper.GetString("listen_addr"),
|
||||
GRPCAddr: viper.GetString("grpc_listen_addr"),
|
||||
GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
|
||||
|
||||
IPPrefixes: prefixes,
|
||||
PrivateKeyPath: absPath(viper.GetString("private_key_path")),
|
||||
BaseDomain: baseDomain,
|
||||
|
|
|
@ -23,6 +23,12 @@ listen_addr: 0.0.0.0:8080
|
|||
# valid certificates.
|
||||
grpc_listen_addr: 0.0.0.0:50443
|
||||
|
||||
# Allow the gRPC admin interface to run in INSECURE
|
||||
# mode. This is not recommended as the traffic will
|
||||
# be unencrypted. Only enable if you know what you
|
||||
# are doing.
|
||||
grpc_allow_insecure: false
|
||||
|
||||
# Private key used encrypt the traffic between headscale
|
||||
# and Tailscale clients.
|
||||
# The private key file which will be
|
||||
|
|
Loading…
Reference in a new issue