Motiejus Jakštys 2024-11-21 20:04:48 +02:00
parent e834017314
commit ddb1370c73
2 changed files with 7 additions and 6 deletions


@ -30,7 +30,7 @@ const (
var ( var (
errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive") errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
errServerURLSuffix = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable.") errServerURLSuffix = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable")
) )
type IPAllocationStrategy string type IPAllocationStrategy string
@ -928,9 +928,9 @@ func LoadServerConfig() (*Config, error) {
// This is because Tailscale takes over the domain in BaseDomain, // This is because Tailscale takes over the domain in BaseDomain,
// causing the headscale server and DERP to be unreachable. // causing the headscale server and DERP to be unreachable.
// For Tailscale upstream, the following is true: // For Tailscale upstream, the following is true:
// - DERP run on their own domains // - DERP run on their own domains.
// - Control plane runs on login.tailscale.com/controlplane.tailscale.com // - Control plane runs on login.tailscale.com/controlplane.tailscale.com.
// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net) // - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net).
func isSafeServerURL(serverURL, baseDomain string) error { func isSafeServerURL(serverURL, baseDomain string) error {
server, err := url.Parse(serverURL) server, err := url.Parse(serverURL)
if err != nil { if err != nil {
@ -946,7 +946,7 @@ func isSafeServerURL(serverURL, baseDomain string) error {
s := len(serverDomainParts) s := len(serverDomainParts)
b := len(baseDomainParts) b := len(baseDomainParts)
for i := 0; i < len(baseDomainParts); i++ { for i := range 0..len(baseDomainParts) {
if serverDomainParts[s-i-1] != baseDomainParts[b-i-1] { if serverDomainParts[s-i-1] != baseDomainParts[b-i-1] {
return nil return nil
} }
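Review bot: The rewritten loop header on the new side of the last hunk, `for i := range 0..len(baseDomainParts) {`, is not valid Go as rendered; the Go 1.22 range-over-int form that matches the old three-clause loop's bounds is `for i := range len(baseDomainParts) {`. If the `0..` is an artifact of this page's rendering, disregard; otherwise the file does not compile and the test in the second file never runs. Separately, `serverDomainParts[s-i-1]` goes negative when base_domain has more labels than the server host, so unless the lines between the two hunks already reject that case, a guard such as `if b > s { return nil }` before the loop would avoid an index-out-of-range panic on a malformed config. isSafeServerURL starts in the previous hunk and its body continues past this one.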


@ -340,7 +340,7 @@ tls_letsencrypt_challenge_type: TLS-ALPN-01
// server_url: headscale.com, base: headscale.net // server_url: headscale.com, base: headscale.net
// //
// NOT OK // NOT OK
// server_url: server.headscale.com, base: headscale.com // server_url: server.headscale.com, base: headscale.com.
func TestSafeServerURL(t *testing.T) { func TestSafeServerURL(t *testing.T) {
tests := []struct { tests := []struct {
serverURL, baseDomain, serverURL, baseDomain,
@ -388,6 +388,7 @@ func TestSafeServerURL(t *testing.T) {
err := isSafeServerURL(tt.serverURL, tt.baseDomain) err := isSafeServerURL(tt.serverURL, tt.baseDomain)
if tt.wantErr != "" { if tt.wantErr != "" {
assert.EqualError(t, err, tt.wantErr) assert.EqualError(t, err, tt.wantErr)
return return
} }
assert.NoError(t, err) assert.NoError(t, err)