Making client authentication mode configurable

This commit is contained in:
Justin Angel 2022-01-29 12:59:31 -05:00
parent 052fccdc98
commit 9e619fc020
2 changed files with 29 additions and 3 deletions

20
app.go
View file

@ -89,6 +89,7 @@ type Config struct {
TLSCertPath string
TLSKeyPath string
TLSClientAuthMode string
ACMEURL string
ACMEEmail string
@ -644,12 +645,29 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
}
// Leaving flexibility here to support other authentication modes
// if desired.
var client_auth_mode tls.ClientAuthType
msg := "Client authentication (mTLS) "
if(h.cfg.TLSClientAuthMode == "disabled"){
log.Warn().Msg(msg + "is disabled")
client_auth_mode = tls.NoClientCert
}else if (h.cfg.TLSClientAuthMode == "relaxed"){
log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.")
client_auth_mode = tls.RequireAnyClientCert
}else{
log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.")
client_auth_mode = tls.RequireAndVerifyClientCert
}
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAnyClientCert,
ClientAuth: client_auth_mode,
NextProtos: []string{"http/1.1"},
Certificates: make([]tls.Certificate, 1),
MinVersion: tls.VersionTLS12,
}
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
return tlsConfig, err

View file

@ -40,6 +40,7 @@ func LoadConfig(path string) error {
viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
viper.SetDefault("tls_client_auth_mode", "disabled")
viper.SetDefault("ip_prefix", "100.64.0.0/10")
@ -80,6 +81,12 @@ func LoadConfig(path string) error {
!strings.HasPrefix(viper.GetString("server_url"), "https://") {
errorText += "Fatal config error: server_url must start with https:// or http://\n"
}
auth_mode := viper.GetString("tls_client_auth_mode")
if (auth_mode != "disabled" && auth_mode != "enforced"){
errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced."
}
if errorText != "" {
//nolint
return errors.New(strings.TrimSuffix(errorText, "\n"))
@ -251,6 +258,7 @@ func getHeadscaleConfig() headscale.Config {
TLSCertPath: absPath(viper.GetString("tls_cert_path")),
TLSKeyPath: absPath(viper.GetString("tls_key_path")),
TLSClientAuthMode: viper.GetString("tls_client_auth_mode"),
DNSConfig: dnsConfig,