This commit is contained in:
Justin Angel 2022-01-29 13:35:08 -05:00
parent 9e619fc020
commit 5935b13b67
3 changed files with 33 additions and 9 deletions

app.go

@ -646,21 +646,26 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
} }
// Leaving flexibility here to support other authentication modes
// if desired.
var client_auth_mode tls.ClientAuthType var client_auth_mode tls.ClientAuthType
msg := "Client authentication (mTLS) "
if(h.cfg.TLSClientAuthMode == "disabled"){ if(h.cfg.TLSClientAuthMode == "disabled"){
log.Warn().Msg(msg + "is disabled") // Client cert is _not_ required.
client_auth_mode = tls.NoClientCert client_auth_mode = tls.NoClientCert
}else if (h.cfg.TLSClientAuthMode == "relaxed"){ }else if (h.cfg.TLSClientAuthMode == "relaxed"){
log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.") // Client cert required, but not verified.
client_auth_mode = tls.RequireAnyClientCert client_auth_mode = tls.RequireAnyClientCert
}else{ }else if (h.cfg.TLSClientAuthMode == "enforced"){
log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.") // Client cert is required and verified.
client_auth_mode = tls.RequireAndVerifyClientCert client_auth_mode = tls.RequireAndVerifyClientCert
}else{
return nil, errors.New(
"Invalid tls_client_auth_mode provided: " +
h.cfg.TLSClientAuthMode)
} }
log.Info().Msg(fmt.Sprintf(
"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
h.cfg.TLSClientAuthMode))
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
ClientAuth: client_auth_mode, ClientAuth: client_auth_mode,
NextProtos: []string{"http/1.1"}, NextProtos: []string{"http/1.1"},
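Review bot: The `relaxed` branch (tls.RequireAnyClientCert) accepts any presented certificate without verifying it, so it gives no client authentication, yet the new code logs every mode at Info where the removed lines emitted a Warn for it; keep a warning on that branch, e.g. `log.Warn().Msg("Client authentication (mTLS) is relaxed: client certs are required but not verified")`. The new error string `"Invalid tls_client_auth_mode provided: "` should start lowercase per Go convention, and `log.Info().Msg(fmt.Sprintf(...))` can simply be `log.Info().Msgf(...)`. For `enforced`, tls.RequireAndVerifyClientCert only verifies against whatever `ClientCAs` holds on the tls.Config, which is outside this hunk — if it is not populated the verification falls back to the system root pool, so please confirm it is set. The identifier `client_auth_mode` and the `if(...)` parentheses are not gofmt/golint style; getTLSSettings begins and ends outside the hunk.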


@ -83,8 +83,8 @@ func LoadConfig(path string) error {
} }
auth_mode := viper.GetString("tls_client_auth_mode") auth_mode := viper.GetString("tls_client_auth_mode")
if (auth_mode != "disabled" && auth_mode != "enforced"){ if (auth_mode != "disabled" && auth_mode != "relaxed" && auth_mode != "enforced"){
errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced." errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, relaxed, enforced."
} }
if errorText != "" { if errorText != "" {
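Review bot: The accepted set of modes is now spelled out twice — here in the config loader and again in the mode switch in app.go's getTLSSettings — so the two lists can drift; this very change had to touch both. Declaring the three strings once as named constants (e.g. `TLSClientAuthModeDisabled`, `Relaxed`, `Enforced`) and validating against them in both places would keep them in step, and the error text could be built from the same list. The `if (...)` parentheses are not idiomatic Go and gofmt would drop them; LoadConfig starts and ends outside the hunk.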


@ -29,3 +29,22 @@ headscale can also be configured to expose its web service via TLS. To configure
tls_cert_path: "" tls_cert_path: ""
tls_key_path: "" tls_key_path: ""
``` ```
### Configuring Mutual TLS Authentication (mTLS)
mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale,
using TLS certificates. The capability can be configured by by applying one of
the following values to the `tls_client_auth_mode` setting in the configuration
file.
| Value | Behavior |
| ----- | -------- |
| `disabled` | Disable mTLS (default). |
| `relaxed` | A client certificate is required, but it is not verified. |
| `enforced` | Requires clients to supply a certificate that is verified. |
```yaml
tls_client_auth_mode: ""
```