mirror of
https://github.com/juanfont/headscale.git
synced 2024-11-26 08:53:05 +00:00
Making client authentication mode configurable
This commit is contained in:
parent
052fccdc98
commit
9e619fc020
2 changed files with 29 additions and 3 deletions
20
app.go
20
app.go
|
@ -89,6 +89,7 @@ type Config struct {
|
|||
|
||||
TLSCertPath string
|
||||
TLSKeyPath string
|
||||
TLSClientAuthMode string
|
||||
|
||||
ACMEURL string
|
||||
ACMEEmail string
|
||||
|
@ -644,12 +645,29 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
|||
if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
|
||||
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
||||
}
|
||||
|
||||
// Leaving flexibility here to support other authentication modes
|
||||
// if desired.
|
||||
var client_auth_mode tls.ClientAuthType
|
||||
msg := "Client authentication (mTLS) "
|
||||
if(h.cfg.TLSClientAuthMode == "disabled"){
|
||||
log.Warn().Msg(msg + "is disabled")
|
||||
client_auth_mode = tls.NoClientCert
|
||||
}else if (h.cfg.TLSClientAuthMode == "relaxed"){
|
||||
log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.")
|
||||
client_auth_mode = tls.RequireAnyClientCert
|
||||
}else{
|
||||
log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.")
|
||||
client_auth_mode = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
ClientAuth: tls.RequireAnyClientCert,
|
||||
ClientAuth: client_auth_mode,
|
||||
NextProtos: []string{"http/1.1"},
|
||||
Certificates: make([]tls.Certificate, 1),
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
|
||||
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
|
||||
|
||||
return tlsConfig, err
|
||||
|
|
|
@ -40,6 +40,7 @@ func LoadConfig(path string) error {
|
|||
|
||||
viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
|
||||
viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
|
||||
viper.SetDefault("tls_client_auth_mode", "disabled")
|
||||
|
||||
viper.SetDefault("ip_prefix", "100.64.0.0/10")
|
||||
|
||||
|
@ -80,6 +81,12 @@ func LoadConfig(path string) error {
|
|||
!strings.HasPrefix(viper.GetString("server_url"), "https://") {
|
||||
errorText += "Fatal config error: server_url must start with https:// or http://\n"
|
||||
}
|
||||
|
||||
auth_mode := viper.GetString("tls_client_auth_mode")
|
||||
if (auth_mode != "disabled" && auth_mode != "enforced"){
|
||||
errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced."
|
||||
}
|
||||
|
||||
if errorText != "" {
|
||||
//nolint
|
||||
return errors.New(strings.TrimSuffix(errorText, "\n"))
|
||||
|
@ -251,6 +258,7 @@ func getHeadscaleConfig() headscale.Config {
|
|||
|
||||
TLSCertPath: absPath(viper.GetString("tls_cert_path")),
|
||||
TLSKeyPath: absPath(viper.GetString("tls_key_path")),
|
||||
TLSClientAuthMode: viper.GetString("tls_client_auth_mode"),
|
||||
|
||||
DNSConfig: dnsConfig,
|
||||
|
||||
|
|
Loading…
Reference in a new issue