Do not offer the option to be DERP insecure

Websockets, on which DERP is based, require a TLS certificate. At the same time,
if we use a certificate it must be valid; otherwise Tailscale won't connect (it does not
have an Insecure option). So there is no insecure option to expose here.
Juan Font Alonso 2022-03-05 19:19:21 +01:00
parent 758b1ba1cb
commit df37d1a639
3 changed files with 8 additions and 15 deletions

8
app.go

@ -122,7 +122,6 @@ type OIDCConfig struct {
type DERPConfig struct { type DERPConfig struct {
ServerEnabled bool ServerEnabled bool
ServerInsecure bool
URLs []url.URL URLs []url.URL
Paths []string Paths []string
AutoUpdate bool AutoUpdate bool
@ -284,7 +283,6 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
RegionID: 999, RegionID: 999,
HostName: host, HostName: host,
DERPPort: port, DERPPort: port,
InsecureForTests: cfg.DERP.ServerInsecure,
}, },
}, },
}, },
@ -516,9 +514,9 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1) router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
if h.cfg.DERP.ServerEnabled { if h.cfg.DERP.ServerEnabled {
router.Any("/derp", h.EmbeddedDERPHandler) router.Any("/derp", h.DERPHandler)
router.Any("/derp/probe", h.EmbeddedDERPProbeHandler) router.Any("/derp/probe", h.DERPProbeHandler)
router.Any("/bootstrap-dns", h.EmbeddedDERPBootstrapDNSHandler) router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler)
} }
api := router.Group("/api") api := router.Group("/api")
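Review bot: In the `NewHeadscale` hunk, removing `InsecureForTests` leaves clients with no way to skip certificate verification for the embedded DERP region, yet nothing in the visible lines rejects a configuration where `DERP.ServerEnabled` is true and `server_url` is not https. If the part of `NewHeadscale` outside this hunk has no such check, a misconfigured server would start normally and advertise a DERP region that clients cannot connect to. A fail-fast guard before the region is built would surface this at startup, for example `if cfg.DERP.ServerEnabled && serverURL.Scheme != "https" { return nil, errDERPRequiresTLS }`, where `serverURL` and `errDERPRequiresTLS` are placeholder names for the parsed server_url and a new sentinel error. The function body starts and ends outside the hunk, so the absence of an existing check is inferred, not confirmed.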


@ -118,7 +118,6 @@ func LoadConfig(path string) error {
func GetDERPConfig() headscale.DERPConfig { func GetDERPConfig() headscale.DERPConfig {
enabled := viper.GetBool("derp.server.enabled") enabled := viper.GetBool("derp.server.enabled")
insecure := viper.GetBool("derp.server.insecure")
urlStrs := viper.GetStringSlice("derp.urls") urlStrs := viper.GetStringSlice("derp.urls")
@ -142,7 +141,6 @@ func GetDERPConfig() headscale.DERPConfig {
return headscale.DERPConfig{ return headscale.DERPConfig{
ServerEnabled: enabled, ServerEnabled: enabled,
ServerInsecure: insecure,
URLs: urls, URLs: urls,
Paths: paths, Paths: paths,
AutoUpdate: autoUpdate, AutoUpdate: autoUpdate,


@ -57,12 +57,9 @@ ip_prefixes:
derp: derp:
server: server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false enabled: false
# Insecure mode is recommended only for tests. It indicates the tailscale clients
# to use insecure connections to this server.
insecure: false
# List of externally available DERP maps encoded in JSON # List of externally available DERP maps encoded in JSON
urls: urls:
- https://controlplane.tailscale.com/derpmap/default - https://controlplane.tailscale.com/derpmap/default