From df37d1a639b81e7b9305bba3ef941d38a64604a1 Mon Sep 17 00:00:00 2001
From: Juan Font Alonso <juanfontalonso@gmail.com>
Date: Sat, 5 Mar 2022 19:19:21 +0100
Subject: [PATCH] Do not offer the option to be DERP insecure

Websockets, on which DERP is based, require a TLS certificate. At the same time,
if we use a certificate it must be valid... otherwise Tailscale won't connect (it does not
have an Insecure option). So there is no option to expose insecure here
---
 app.go                     | 16 +++++++---------
 cmd/headscale/cli/utils.go |  2 --
 config-example.yaml        |  5 +----
 3 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/app.go b/app.go
index b739a05..34602d6 100644
--- a/app.go
+++ b/app.go
@@ -122,7 +122,6 @@ type OIDCConfig struct {
 
 type DERPConfig struct {
 	ServerEnabled   bool
-	ServerInsecure  bool
 	URLs            []url.URL
 	Paths           []string
 	AutoUpdate      bool
@@ -280,11 +279,10 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 					Avoid:      false,
 					Nodes: []*tailcfg.DERPNode{
 						{
-							Name:             "999a",
-							RegionID:         999,
-							HostName:         host,
-							DERPPort:         port,
-							InsecureForTests: cfg.DERP.ServerInsecure,
+							Name:     "999a",
+							RegionID: 999,
+							HostName: host,
+							DERPPort: port,
 						},
 					},
 				},
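Review bot: With InsecureForTests gone, nothing in NewHeadscale checks that the DERP node advertised at `host`/`port` is actually served over TLS; the requirement only appears as a comment in the config-example.yaml hunk, and a client that reaches a plaintext endpoint here fails rather than falling back. Where `host` and `port` are derived from the server URL (outside this hunk), the embedded server should be rejected up front when the scheme is not https, e.g. `if cfg.DERP.ServerEnabled && serverURL.Scheme != "https" { return nil, fmt.Errorf("embedded DERP server requires an https server_url, got %q", serverURL.Scheme) }`, where `serverURL` stands for whatever variable holds the parsed URL. The enclosing NewHeadscale body starts and ends outside the hunk.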
@@ -516,9 +514,9 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
 	router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
 
 	if h.cfg.DERP.ServerEnabled {
-		router.Any("/derp", h.EmbeddedDERPHandler)
-		router.Any("/derp/probe", h.EmbeddedDERPProbeHandler)
-		router.Any("/bootstrap-dns", h.EmbeddedDERPBootstrapDNSHandler)
+		router.Any("/derp", h.DERPHandler)
+		router.Any("/derp/probe", h.DERPProbeHandler)
+		router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler)
 	}
 
 	api := router.Group("/api")
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
index 06b9ca9..7277723 100644
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -118,7 +118,6 @@ func LoadConfig(path string) error {
 
 func GetDERPConfig() headscale.DERPConfig {
 	enabled := viper.GetBool("derp.server.enabled")
-	insecure := viper.GetBool("derp.server.insecure")
 
 	urlStrs := viper.GetStringSlice("derp.urls")
 
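Review bot: Removing the `derp.server.insecure` read means an existing config that still sets it is silently ignored, which leaves operators believing a setting is in effect when it is not; viper does not reject unknown keys. A one-off check next to the removed line would surface this at startup, e.g. `if viper.IsSet("derp.server.insecure") { log.Warn().Msg("derp.server.insecure is no longer supported and is ignored") }`, adapted to whichever logger this file already uses (not visible in the hunk). The matching struct-literal removal in the second utils.go hunk needs no further change. GetDERPConfig continues past the end of this hunk.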
@@ -142,7 +141,6 @@ func GetDERPConfig() headscale.DERPConfig {
 
 	return headscale.DERPConfig{
 		ServerEnabled:   enabled,
-		ServerInsecure:  insecure,
 		URLs:            urls,
 		Paths:           paths,
 		AutoUpdate:      autoUpdate,
diff --git a/config-example.yaml b/config-example.yaml
index 84b1c90..08cc6c1 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -57,12 +57,9 @@ ip_prefixes:
 derp:
   server:
     # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
     enabled: false
 
-    # Insecure mode is recommended only for tests. It indicates the tailscale clients
-    # to use insecure connections to this server.
-    insecure: false
-
   # List of externally available DERP maps encoded in JSON
   urls:
     - https://controlplane.tailscale.com/derpmap/default