Allow gRPC server to run insecure

This commit is contained in:
Kristoffer Dalby 2022-02-13 09:08:46 +00:00
parent c3b68adfed
commit 4e54796384
3 changed files with 23 additions and 14 deletions

22
app.go
View file

@ -69,6 +69,7 @@ type Config struct {
ServerURL string
Addr string
GRPCAddr string
GRPCAllowInsecure bool
EphemeralNodeInactivityTimeout time.Duration
IPPrefixes []netaddr.IPPrefix
PrivateKeyPath string
@ -567,8 +568,7 @@ func (h *Headscale) Serve() error {
// https://github.com/soheilhy/cmux/issues/68
// https://github.com/soheilhy/cmux/issues/91
// If TLS has been enabled, set up the remote gRPC server
if tlsConfig != nil {
if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
grpcOptions := []grpc.ServerOption{
@ -578,7 +578,14 @@ func (h *Headscale) Serve() error {
zerolog.NewUnaryServerInterceptor(),
),
),
grpc.Creds(credentials.NewTLS(tlsConfig)),
}
if tlsConfig != nil {
grpcOptions = append(grpcOptions,
grpc.Creds(credentials.NewTLS(tlsConfig)),
)
} else {
log.Warn().Msg("gRPC is running without security")
}
grpcServer := grpc.NewServer(grpcOptions...)
@ -586,12 +593,7 @@ func (h *Headscale) Serve() error {
v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
reflection.Register(grpcServer)
var grpcListener net.Listener
// if tlsConfig != nil {
// grpcListener, err = tls.Listen("tcp", h.cfg.GRPCAddr, tlsConfig)
// } else {
grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
// }
grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
if err != nil {
return fmt.Errorf("failed to bind to TCP address: %w", err)
}
@ -600,8 +602,6 @@ func (h *Headscale) Serve() error {
log.Info().
Msgf("listening and serving gRPC on: %s", h.cfg.GRPCAddr)
} else {
log.Info().Msg("TLS is not configured, not enabling remote gRPC")
}
//

View file

@ -59,6 +59,7 @@ func LoadConfig(path string) error {
viper.SetDefault("unix_socket_permission", "0o770")
viper.SetDefault("grpc_listen_addr", ":50443")
viper.SetDefault("grpc_allow_insecure", false)
viper.SetDefault("cli.timeout", "5s")
viper.SetDefault("cli.insecure", false)
@ -281,9 +282,11 @@ func getHeadscaleConfig() headscale.Config {
}
return headscale.Config{
ServerURL: viper.GetString("server_url"),
Addr: viper.GetString("listen_addr"),
GRPCAddr: viper.GetString("grpc_listen_addr"),
ServerURL: viper.GetString("server_url"),
Addr: viper.GetString("listen_addr"),
GRPCAddr: viper.GetString("grpc_listen_addr"),
GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
IPPrefixes: prefixes,
PrivateKeyPath: absPath(viper.GetString("private_key_path")),
BaseDomain: baseDomain,

View file

@ -23,6 +23,12 @@ listen_addr: 0.0.0.0:8080
# valid certificates.
grpc_listen_addr: 0.0.0.0:50443
# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false
# Private key used encrypt the traffic between headscale
# and Tailscale clients.
# The private key file which will be