refining
This commit is contained in:
parent
9e619fc020
commit
5935b13b67
3 changed files with 33 additions and 9 deletions
19
app.go
19
app.go
|
@ -646,21 +646,26 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
||||||
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Leaving flexibility here to support other authentication modes
|
|
||||||
// if desired.
|
|
||||||
var client_auth_mode tls.ClientAuthType
|
var client_auth_mode tls.ClientAuthType
|
||||||
msg := "Client authentication (mTLS) "
|
|
||||||
if(h.cfg.TLSClientAuthMode == "disabled"){
|
if(h.cfg.TLSClientAuthMode == "disabled"){
|
||||||
log.Warn().Msg(msg + "is disabled")
|
// Client cert is _not_ required.
|
||||||
client_auth_mode = tls.NoClientCert
|
client_auth_mode = tls.NoClientCert
|
||||||
}else if (h.cfg.TLSClientAuthMode == "relaxed"){
|
}else if (h.cfg.TLSClientAuthMode == "relaxed"){
|
||||||
log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.")
|
// Client cert required, but not verified.
|
||||||
client_auth_mode = tls.RequireAnyClientCert
|
client_auth_mode = tls.RequireAnyClientCert
|
||||||
}else{
|
}else if (h.cfg.TLSClientAuthMode == "enforced"){
|
||||||
log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.")
|
// Client cert is required and verified.
|
||||||
client_auth_mode = tls.RequireAndVerifyClientCert
|
client_auth_mode = tls.RequireAndVerifyClientCert
|
||||||
|
}else{
|
||||||
|
return nil, errors.New(
|
||||||
|
"Invalid tls_client_auth_mode provided: " +
|
||||||
|
h.cfg.TLSClientAuthMode)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Info().Msg(fmt.Sprintf(
|
||||||
|
"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
|
||||||
|
h.cfg.TLSClientAuthMode))
|
||||||
|
|
||||||
tlsConfig := &tls.Config{
|
tlsConfig := &tls.Config{
|
||||||
ClientAuth: client_auth_mode,
|
ClientAuth: client_auth_mode,
|
||||||
NextProtos: []string{"http/1.1"},
|
NextProtos: []string{"http/1.1"},
|
||||||
|
|
|
@ -83,8 +83,8 @@ func LoadConfig(path string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
auth_mode := viper.GetString("tls_client_auth_mode")
|
auth_mode := viper.GetString("tls_client_auth_mode")
|
||||||
if (auth_mode != "disabled" && auth_mode != "enforced"){
|
if (auth_mode != "disabled" && auth_mode != "relaxed" && auth_mode != "enforced"){
|
||||||
errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced."
|
errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, relaxed, enforced."
|
||||||
}
|
}
|
||||||
|
|
||||||
if errorText != "" {
|
if errorText != "" {
|
||||||
|
|
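Review bot: In the new `relaxed` branch of getTLSSettings, `tls.RequireAnyClientCert` accepts any certificate chain without validation, so the comment `// Client cert required, but not verified.` understates the consequence — a self-signed certificate passes — and would be clearer as `// Any presented certificate is accepted unverified: this proves only that the client sent a cert, not who it is.`. In the `enforced` branch, `tls.RequireAndVerifyClientCert` verifies against `tlsConfig.ClientCAs`, and when that field is nil Go falls back to the system root pool, which would accept any publicly issued client certificate; the rest of the struct literal and of getTLSSettings lies outside the hunk, so whether ClientCAs is populated cannot be confirmed here and deserves a check. On style, `client_auth_mode` should be `clientAuthMode`, the parenthesised `if(...)`/`}else if (...)` forms would be rewritten by gofmt, the error string should start lowercase, and `log.Info().Msg(fmt.Sprintf(...))` can be `log.Info().Msgf(...)` with zerolog. Since the LoadConfig hunk already rejects every value other than the three accepted modes, the `errors.New` fallback here is reachable only through another configuration path, and a one-line comment saying it is a defence-in-depth check would stop a later reader from treating it as dead code.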
19
docs/tls.md
19
docs/tls.md
|
@ -29,3 +29,22 @@ headscale can also be configured to expose its web service via TLS. To configure
|
||||||
tls_cert_path: ""
|
tls_cert_path: ""
|
||||||
tls_key_path: ""
|
tls_key_path: ""
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Configuring Mutual TLS Authentication (mTLS)
|
||||||
|
|
||||||
|
mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale,
|
||||||
|
using TLS certificates. The capability can be configured by by applying one of
|
||||||
|
the following values to the `tls_client_auth_mode` setting in the configuration
|
||||||
|
file.
|
||||||
|
|
||||||
|
| Value | Behavior |
|
||||||
|
| ----- | -------- |
|
||||||
|
| `disabled` | Disable mTLS (default). |
|
||||||
|
| `relaxed` | A client certificate is required, but it is not verified. |
|
||||||
|
| `enforced` | Requires clients to supply a certificate that is verified. |
|
||||||
|
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
tls_client_auth_mode: ""
|
||||||
|
```
|
||||||
|
|
||||||
|
|