mirror of
https://github.com/juanfont/headscale.git
synced 2024-11-26 08:53:05 +00:00
making alternatives constants
parent
d44b2a7c01
commit
310e7b15c7
2 changed files with 17 additions and 15 deletions
22
app.go
22
app.go
|
@ -61,6 +61,10 @@ const (
|
|||
errUnsupportedLetsEncryptChallengeType = Error(
|
||||
"unknown value for Lets Encrypt challenge type",
|
||||
)
|
||||
|
||||
DisabledClientAuth = "disabled"
|
||||
RelaxedClientAuth = "relaxed"
|
||||
EnforcedClientAuth = "enforced"
|
||||
)
|
||||
|
||||
// Config contains the initial Headscale configuration.
|
||||
|
@ -647,19 +651,19 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
|||
}
|
||||
|
||||
var clientAuthMode tls.ClientAuthType
|
||||
if h.cfg.TLSClientAuthMode == "disabled" {
|
||||
switch h.cfg.TLSClientAuthMode {
|
||||
case DisabledClientAuth:
|
||||
// Client cert is _not_ required.
|
||||
clientAuthMode = tls.NoClientCert
|
||||
} else if h.cfg.TLSClientAuthMode == "relaxed" {
|
||||
// Client cert required, but not verified.
|
||||
case RelaxedClientAuth:
|
||||
// Client cert required, but _not verified_.
|
||||
clientAuthMode = tls.RequireAnyClientCert
|
||||
} else if h.cfg.TLSClientAuthMode == "enforced" {
|
||||
// Client cert is required and verified.
|
||||
case EnforcedClientAuth:
|
||||
// Client cert is _required and verified_.
|
||||
clientAuthMode = tls.RequireAndVerifyClientCert
|
||||
} else {
|
||||
return nil, errors.New(
|
||||
"Invalid tls_clientAuthMode provided: " +
|
||||
h.cfg.TLSClientAuthMode)
|
||||
default:
|
||||
return nil, Error("Invalid tls_client_auth_mode provided: " +
|
||||
h.cfg.TLSClientAuthMode)
|
||||
}
|
||||
|
||||
log.Info().Msg(fmt.Sprintf(
|
||||
|
|
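Review bot: The three new exported constants (`DisabledClientAuth`, `RelaxedClientAuth`, `EnforcedClientAuth`) have no doc comments, so the security meaning of each mode is only visible in the inline comments inside `getTLSSettings`. `RelaxedClientAuth` maps to `tls.RequireAnyClientCert`, which accepts whatever certificate the client presents without validating it, so it must not be read as authentication; I would add `// RelaxedClientAuth requires a client certificate but does not verify it, so it does not authenticate the client.` above it, and matching one-line comments on the other two. The `default:` branch fails closed, which is right, but an empty value also lands there, and the docs example in this commit shows `tls_client_auth_mode: ""`; it is worth confirming that a default of `disabled` is applied before this switch runs. The body of `getTLSSettings` starts and ends outside the hunk.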
10
docs/tls.md
10
docs/tls.md
|
@ -37,14 +37,12 @@ using TLS certificates. The capability can be configured by by applying one of
|
|||
the following values to the `tls_client_auth_mode` setting in the configuration
|
||||
file.
|
||||
|
||||
| Value | Behavior |
|
||||
| ----- | -------- |
|
||||
| `disabled` | Disable mTLS (default). |
|
||||
| `relaxed` | A client certificate is required, but it is not verified. |
|
||||
| Value | Behavior |
|
||||
| ---------- | ---------------------------------------------------------- |
|
||||
| `disabled` | Disable mTLS (default). |
|
||||
| `relaxed` | A client certificate is required, but it is not verified. |
|
||||
| `enforced` | Requires clients to supply a certificate that is verified. |
|
||||
|
||||
|
||||
```yaml
|
||||
tls_client_auth_mode: ""
|
||||
```
|
||||
|
||||
|
|