mirror of
https://github.com/juanfont/headscale.git
synced 2024-11-26 08:53:05 +00:00
making alternatives constants
parent
d44b2a7c01
commit
310e7b15c7
2 changed files with 17 additions and 15 deletions
22
app.go
22
app.go
|
@ -61,6 +61,10 @@ const (
|
||||||
errUnsupportedLetsEncryptChallengeType = Error(
|
errUnsupportedLetsEncryptChallengeType = Error(
|
||||||
"unknown value for Lets Encrypt challenge type",
|
"unknown value for Lets Encrypt challenge type",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
DisabledClientAuth = "disabled"
|
||||||
|
RelaxedClientAuth = "relaxed"
|
||||||
|
EnforcedClientAuth = "enforced"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Config contains the initial Headscale configuration.
|
// Config contains the initial Headscale configuration.
|
||||||
|
@ -647,19 +651,19 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
var clientAuthMode tls.ClientAuthType
|
var clientAuthMode tls.ClientAuthType
|
||||||
if h.cfg.TLSClientAuthMode == "disabled" {
|
switch h.cfg.TLSClientAuthMode {
|
||||||
|
case DisabledClientAuth:
|
||||||
// Client cert is _not_ required.
|
// Client cert is _not_ required.
|
||||||
clientAuthMode = tls.NoClientCert
|
clientAuthMode = tls.NoClientCert
|
||||||
} else if h.cfg.TLSClientAuthMode == "relaxed" {
|
case RelaxedClientAuth:
|
||||||
// Client cert required, but not verified.
|
// Client cert required, but _not verified_.
|
||||||
clientAuthMode = tls.RequireAnyClientCert
|
clientAuthMode = tls.RequireAnyClientCert
|
||||||
} else if h.cfg.TLSClientAuthMode == "enforced" {
|
case EnforcedClientAuth:
|
||||||
// Client cert is required and verified.
|
// Client cert is _required and verified_.
|
||||||
clientAuthMode = tls.RequireAndVerifyClientCert
|
clientAuthMode = tls.RequireAndVerifyClientCert
|
||||||
} else {
|
default:
|
||||||
return nil, errors.New(
|
return nil, Error("Invalid tls_client_auth_mode provided: " +
|
||||||
"Invalid tls_clientAuthMode provided: " +
|
h.cfg.TLSClientAuthMode)
|
||||||
h.cfg.TLSClientAuthMode)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info().Msg(fmt.Sprintf(
|
log.Info().Msg(fmt.Sprintf(
|
||||||
|
|
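Review bot: The three exported constants added to the `const (` block have no doc comments, and the one on `RelaxedClientAuth` matters for security: the `case RelaxedClientAuth:` branch selects `tls.RequireAnyClientCert`, which makes the client present a certificate but does not validate it against any CA, so a self-signed certificate passes and the mode does not authenticate the peer. I would say so on the declaration, e.g. `// RelaxedClientAuth requires a client certificate but does not verify it; it does not authenticate the client.`, with matching one-line comments on `DisabledClientAuth` and `EnforcedClientAuth`. Code that later reads the peer certificate from the connection state should trust it only when the mode is `EnforcedClientAuth`; whether any caller does so is not visible here. `getTLSSettings` starts and ends outside the hunk.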
10
docs/tls.md
10
docs/tls.md
|
@ -37,14 +37,12 @@ using TLS certificates. The capability can be configured by by applying one of
|
||||||
the following values to the `tls_client_auth_mode` setting in the configuration
|
the following values to the `tls_client_auth_mode` setting in the configuration
|
||||||
file.
|
file.
|
||||||
|
|
||||||
| Value | Behavior |
|
| Value | Behavior |
|
||||||
| ----- | -------- |
|
| ---------- | ---------------------------------------------------------- |
|
||||||
| `disabled` | Disable mTLS (default). |
|
| `disabled` | Disable mTLS (default). |
|
||||||
| `relaxed` | A client certificate is required, but it is not verified. |
|
| `relaxed` | A client certificate is required, but it is not verified. |
|
||||||
| `enforced` | Requires clients to supply a certificate that is verified. |
|
| `enforced` | Requires clients to supply a certificate that is verified. |
|
||||||
|
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
tls_client_auth_mode: ""
|
tls_client_auth_mode: ""
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|