diff --git a/app.go b/app.go
index 7301757..a375165 100644
--- a/app.go
+++ b/app.go
@@ -87,9 +87,9 @@ type Config struct {
  TLSLetsEncryptCacheDir string
  TLSLetsEncryptChallengeType string
- TLSCertPath string
- TLSKeyPath string
- TLSClientAuthMode string
+ TLSCertPath string
+ TLSKeyPath string
+ TLSClientAuthMode string
  ACMEURL string
  ACMEEmail string
@@ -646,28 +646,28 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
  log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
  }
- var client_auth_mode tls.ClientAuthType
- if(h.cfg.TLSClientAuthMode == "disabled"){
- // Client cert is _not_ required.
- client_auth_mode = tls.NoClientCert
- }else if (h.cfg.TLSClientAuthMode == "relaxed"){
- // Client cert required, but not verified.
- client_auth_mode = tls.RequireAnyClientCert
- }else if (h.cfg.TLSClientAuthMode == "enforced"){
- // Client cert is required and verified.
- client_auth_mode = tls.RequireAndVerifyClientCert
- }else{
- return nil, errors.New(
- "Invalid tls_client_auth_mode provided: " +
- h.cfg.TLSClientAuthMode)
- }
+ var clientAuthMode tls.ClientAuthType
+ if h.cfg.TLSClientAuthMode == "disabled" {
+ // Client cert is _not_ required.
+ clientAuthMode = tls.NoClientCert
+ } else if h.cfg.TLSClientAuthMode == "relaxed" {
+ // Client cert required, but not verified.
+ clientAuthMode = tls.RequireAnyClientCert
+ } else if h.cfg.TLSClientAuthMode == "enforced" {
+ // Client cert is required and verified.
+ clientAuthMode = tls.RequireAndVerifyClientCert
+ } else {
+ return nil, errors.New(
+ "Invalid tls_clientAuthMode provided: " +
+ h.cfg.TLSClientAuthMode)
+ }
- log.Info().Msg(fmt.Sprintf(
- "Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
- h.cfg.TLSClientAuthMode))
+ log.Info().Msg(fmt.Sprintf(
+ "Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
+ h.cfg.TLSClientAuthMode))
  tlsConfig := &tls.Config{
- ClientAuth: client_auth_mode,
+ ClientAuth: clientAuthMode,
  NextProtos: []string{"http/1.1"},
  Certificates: make([]tls.Certificate, 1),
  MinVersion: tls.VersionTLS12,
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
index 1cbfcf6..1f9092e 100644
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
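Review bot: The rename leaked into a user-facing string: the else branch now reports `"Invalid tls_clientAuthMode provided: " +` although the config key an operator has to fix is still `tls_client_auth_mode`, as the `viper.GetString("tls_client_auth_mode")` calls in utils.go in this same diff show; the line should stay `"Invalid tls_client_auth_mode provided: " +`. The three-way string comparison reads more naturally as `switch h.cfg.TLSClientAuthMode { case "disabled": ... }` with the error in `default`, and `log.Info().Msgf(...)` removes the `fmt.Sprintf` wrapper, where `%q` in place of `\"%s\"` quotes the value for free. Because the accepted values are enumerated both here and in LoadConfig's validation, a shared set of constants for the three modes would keep the two from drifting apart, which is exactly what this string did. The rest of getTLSSettings, including how tlsConfig is completed and returned, lies outside the hunk.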
@@ -40,7 +40,7 @@ func LoadConfig(path string) error {
  viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
  viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
- viper.SetDefault("tls_client_auth_mode", "disabled")
+ viper.SetDefault("tls_client_auth_mode", "disabled")
  viper.SetDefault("ip_prefix", "100.64.0.0/10")
@@ -82,10 +82,10 @@ func LoadConfig(path string) error {
  errorText += "Fatal config error: server_url must start with https:// or http://\n"
  }
- auth_mode := viper.GetString("tls_client_auth_mode")
- if (auth_mode != "disabled" && auth_mode != "relaxed" && auth_mode != "enforced"){
- errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, relaxed, enforced."
- }
+ clientAuthMode := viper.GetString("tls_client_auth_mode")
+ if clientAuthMode != "disabled" && clientAuthMode != "relaxed" && clientAuthMode != "enforced" {
+ errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, relaxed, enforced."
+ }
  if errorText != "" {
  //nolint
@@ -256,9 +256,9 @@ func getHeadscaleConfig() headscale.Config {
  ),
  TLSLetsEncryptChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),
- TLSCertPath: absPath(viper.GetString("tls_cert_path")),
- TLSKeyPath: absPath(viper.GetString("tls_key_path")),
- TLSClientAuthMode: viper.GetString("tls_client_auth_mode"),
+ TLSCertPath: absPath(viper.GetString("tls_cert_path")),
+ TLSKeyPath: absPath(viper.GetString("tls_key_path")),
+ TLSClientAuthMode: viper.GetString("tls_client_auth_mode"),
  DNSConfig: dnsConfig,