From df37d1a639b81e7b9305bba3ef941d38a64604a1 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Sat, 5 Mar 2022 19:19:21 +0100 Subject: [PATCH] Do not offer the option to be DERP insecure Websockets, in which DERP is based, requires a TLS certificate. At the same time, if we use a certificate it must be valid... otherwise Tailscale wont connect (does not have an Insecure option). So there is no option to expose insecure here --- app.go | 16 +++++++--------- cmd/headscale/cli/utils.go | 2 -- config-example.yaml | 5 +---- 3 files changed, 8 insertions(+), 15 deletions(-) diff --git a/app.go b/app.go index b739a052..34602d60 100644 --- a/app.go +++ b/app.go @@ -122,7 +122,6 @@ type OIDCConfig struct { type DERPConfig struct { ServerEnabled bool - ServerInsecure bool URLs []url.URL Paths []string AutoUpdate bool @@ -280,11 +279,10 @@ func NewHeadscale(cfg Config) (*Headscale, error) { Avoid: false, Nodes: []*tailcfg.DERPNode{ { - Name: "999a", - RegionID: 999, - HostName: host, - DERPPort: port, - InsecureForTests: cfg.DERP.ServerInsecure, + Name: "999a", + RegionID: 999, + HostName: host, + DERPPort: port, }, }, }, @@ -516,9 +514,9 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine { router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1) if h.cfg.DERP.ServerEnabled { - router.Any("/derp", h.EmbeddedDERPHandler) - router.Any("/derp/probe", h.EmbeddedDERPProbeHandler) - router.Any("/bootstrap-dns", h.EmbeddedDERPBootstrapDNSHandler) + router.Any("/derp", h.DERPHandler) + router.Any("/derp/probe", h.DERPProbeHandler) + router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler) } api := router.Group("/api") diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go index 06b9ca98..7277723f 100644 --- a/cmd/headscale/cli/utils.go +++ b/cmd/headscale/cli/utils.go @@ -118,7 +118,6 @@ func LoadConfig(path string) error { func GetDERPConfig() headscale.DERPConfig { enabled := viper.GetBool("derp.server.enabled") - insecure := viper.GetBool("derp.server.insecure") urlStrs := viper.GetStringSlice("derp.urls") @@ -142,7 +141,6 @@ func GetDERPConfig() headscale.DERPConfig { return headscale.DERPConfig{ ServerEnabled: enabled, - ServerInsecure: insecure, URLs: urls, Paths: paths, AutoUpdate: autoUpdate, diff --git a/config-example.yaml b/config-example.yaml index 84b1c906..08cc6c12 100644 --- a/config-example.yaml +++ b/config-example.yaml @@ -57,12 +57,9 @@ ip_prefixes: derp: server: # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config + # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place enabled: false - # Insecure mode is recommended only for tests. It indicates the tailscale clients - # to use insecure connections to this server. - insecure: false - # List of externally available DERP maps encoded in JSON urls: - https://controlplane.tailscale.com/derpmap/default