server_url and base_domain: re-word error message, fix a one-off bug and add a test case for the bug.

hscontrol/types/config.go

@@ -30,7 +30,7 @@ const (
 
 var (
 	errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
-	errServerURLSuffix       = errors.New("server_url cannot be a suffix of the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.")
+	errServerURLSuffix       = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable.")
 )
 
 type IPAllocationStrategy string
@@ -946,8 +946,8 @@ func isSafeServerURL(serverURL, baseDomain string) error {
 
 	s := len(serverDomainParts)
 	b := len(baseDomainParts)
-	for i := 1; i < len(baseDomainParts)-1; i++ {
+	for i := 0; i < len(baseDomainParts); i++ {
-		if serverDomainParts[s-i] != baseDomainParts[b-i] {
+		if serverDomainParts[s-i-1] != baseDomainParts[b-i-1] {
 			return nil
 		}
 	}

hscontrol/types/config_test.go

@@ -140,7 +140,7 @@ func TestReadConfig(t *testing.T) {
 				return LoadServerConfig()
 			},
 			want:    nil,
-			wantErr: "server_url cannot be a suffix of the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
+			wantErr: errServerURLSuffix.Error(),
 		},
 		{
 			name:       "base-domain-not-in-server-url",
@@ -362,6 +362,10 @@ func TestSafeServerURL(t *testing.T) {
 			serverURL:  "https://headscale.com",
 			baseDomain: "clients.subdomain.headscale.com",
 		},
+		{
+			serverURL:  "https://headscale.kristoffer.com",
+			baseDomain: "mybase",
+		},
 		{
 			serverURL:  "https://server.headscale.com",
 			baseDomain: "headscale.com",