Do not offer the option to be DERP insecure
WebSockets, on which DERP is based, require a TLS certificate. At the same time, if we use a certificate it must be valid; otherwise Tailscale won't connect (it does not have an Insecure option). So there is no insecure option to expose here.
parent
758b1ba1cb
commit
df37d1a639
3 changed files with 8 additions and 15 deletions
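--- a/app.go
+++ b/app.go
@@ -122,7 +122,6 @@ type OIDCConfig struct {
 
 type DERPConfig struct {
 ServerEnabled bool
-ServerInsecure bool
 URLs []url.URL
 Paths []string
 AutoUpdate bool
@@ -284,7 +283,6 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 RegionID: 999,
 HostName: host,
 DERPPort: port,
-InsecureForTests: cfg.DERP.ServerInsecure,
 },
 },
 },
@@ -516,9 +514,9 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
 router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
 
 if h.cfg.DERP.ServerEnabled {
-router.Any("/derp", h.EmbeddedDERPHandler)
-router.Any("/derp/probe", h.EmbeddedDERPProbeHandler)
-router.Any("/bootstrap-dns", h.EmbeddedDERPBootstrapDNSHandler)
+router.Any("/derp", h.DERPHandler)
+router.Any("/derp/probe", h.DERPProbeHandler)
+router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler)
 }
 
 api := router.Group("/api")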
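Review bot: Nothing in the `NewHeadscale` hunk rejects a configuration where the embedded DERP server is enabled but the server URL is not https, so with `ServerInsecure` gone that misconfiguration would presumably surface only later, as clients failing to connect to region 999. Where `host` and `port` are derived (outside this hunk, so such a check may already exist), I would return an error at startup when `cfg.DERP.ServerEnabled` is set and the URL scheme is not `https`. A comment on the region literal such as `// Embedded DERP is always advertised as TLS; clients have no insecure mode.` would also record why `InsecureForTests` is intentionally left unset.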
|
|
@ -118,7 +118,6 @@ func LoadConfig(path string) error {
|
||||||
|
|
||||||
func GetDERPConfig() headscale.DERPConfig {
|
func GetDERPConfig() headscale.DERPConfig {
|
||||||
enabled := viper.GetBool("derp.server.enabled")
|
enabled := viper.GetBool("derp.server.enabled")
|
||||||
insecure := viper.GetBool("derp.server.insecure")
|
|
||||||
|
|
||||||
urlStrs := viper.GetStringSlice("derp.urls")
|
urlStrs := viper.GetStringSlice("derp.urls")
|
||||||
|
|
||||||
|
@ -142,7 +141,6 @@ func GetDERPConfig() headscale.DERPConfig {
|
||||||
|
|
||||||
return headscale.DERPConfig{
|
return headscale.DERPConfig{
|
||||||
ServerEnabled: enabled,
|
ServerEnabled: enabled,
|
||||||
ServerInsecure: insecure,
|
|
||||||
URLs: urls,
|
URLs: urls,
|
||||||
Paths: paths,
|
Paths: paths,
|
||||||
AutoUpdate: autoUpdate,
|
AutoUpdate: autoUpdate,
|
||||||
|
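Review bot: `GetDERPConfig` now ignores `derp.server.insecure` silently, so a deployment whose config file still sets `insecure: true` starts without any indication that the setting no longer applies. I would log a warning when the key is present, guarded by `if viper.IsSet("derp.server.insecure") { ... }`, telling the operator that the key was removed and that the embedded DERP server requires a valid TLS certificate. The function body continues outside both hunks, so the best place for the check is next to the `enabled := viper.GetBool("derp.server.enabled")` line.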
|
|
@ -57,12 +57,9 @@ ip_prefixes:
|
||||||
derp:
|
derp:
|
||||||
server:
|
server:
|
||||||
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
|
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
|
||||||
|
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
# Insecure mode is recommended only for tests. It indicates the tailscale clients
|
|
||||||
# to use insecure connections to this server.
|
|
||||||
insecure: false
|
|
||||||
|
|
||||||
# List of externally available DERP maps encoded in JSON
|
# List of externally available DERP maps encoded in JSON
|
||||||
urls:
|
urls:
|
||||||
- https://controlplane.tailscale.com/derpmap/default
|
- https://controlplane.tailscale.com/derpmap/default
|
||||||
|
|