Remove insecure, only allow valid certs

2024-11-29 18:33:05 +00:00 · 2022-02-12 19:35:55 +00:00 · 2022-02-12 19:35:55 +00:00 · 315ff9daf0
commit 315ff9daf0
parent 4078e75b50
3 changed files with 10 additions and 22 deletions
--- a/app.go
+++ b/app.go
@ -119,10 +119,9 @@ type DERPConfig struct {
 }

 type CLIConfig struct {
-	Address  string
-	APIKey   string
-	Insecure bool
-	Timeout  time.Duration
+	Address string
+	APIKey  string
+	Timeout time.Duration
 }

 // Headscale represents the base app of the service.
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@ -59,7 +59,6 @@ func LoadConfig(path string) error {

 	viper.SetDefault("grpc_listen_addr", ":50443")

-	viper.SetDefault("cli.insecure", false)
 	viper.SetDefault("cli.timeout", "5s")

 	if err := viper.ReadInConfig(); err != nil {
@ -326,10 +325,9 @@ func getHeadscaleConfig() headscale.Config {
 		},

 		CLI: headscale.CLIConfig{
-			Address:  viper.GetString("cli.address"),
-			APIKey:   viper.GetString("cli.api_key"),
-			Insecure: viper.GetBool("cli.insecure"),
-			Timeout:  viper.GetDuration("cli.timeout"),
+			Address: viper.GetString("cli.address"),
+			APIKey:  viper.GetString("cli.api_key"),
+			Timeout: viper.GetDuration("cli.timeout"),
 		},
 	}
 }
@ -413,17 +411,8 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 			grpc.WithPerRPCCredentials(tokenAuth{
 				token: apiKey,
 			}),
+			grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
 		)
-
-		if cfg.CLI.Insecure {
-			grpcOptions = append(grpcOptions,
-				grpc.WithTransportCredentials(insecure.NewCredentials()),
-			)
-		} else {
-			grpcOptions = append(grpcOptions,
-				grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
-			)
-		}
 	}

 	log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
@ -500,7 +489,7 @@ func (t tokenAuth) GetRequestMetadata(
 }

 func (tokenAuth) RequireTransportSecurity() bool {
-	return false
+	return true
 }

 // loadOIDCMatchMap is a wrapper around viper to verifies that the keys in
--- a/docs/remote-cli.md
+++ b/docs/remote-cli.md
@ -88,5 +88,5 @@ Checklist:

 - Make sure you have the _same_ `headscale` version on your server and workstation
 - Make sure you use version `0.13.0` or newer.
- Verify that your TLS certificate is valid
-  - If it is not valid, set the environment variable `HEADSCALE_CLI_INSECURE=true` to allow insecure certs.
+- Verify that your TLS certificate is valid and trusted
+  - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS.