hscontrol/types/config.go

@@ -30,7 +30,7 @@ const (
 
 var (
 	errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
-	errServerURLSuffix       = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable")
+	errServerURLSuffix       = errors.New("server_url cannot be a suffix of the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.")
 )
 
 type IPAllocationStrategy string
@@ -928,9 +928,9 @@ func LoadServerConfig() (*Config, error) {
 // This is because Tailscale takes over the domain in BaseDomain,
 // causing the headscale server and DERP to be unreachable.
 // For Tailscale upstream, the following is true:
-// - DERP run on their own domains.
-// - Control plane runs on login.tailscale.com/controlplane.tailscale.com.
-// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net).
+// - DERP run on their own domains
+// - Control plane runs on login.tailscale.com/controlplane.tailscale.com
+// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net)
 func isSafeServerURL(serverURL, baseDomain string) error {
 	server, err := url.Parse(serverURL)
 	if err != nil {
@@ -946,8 +946,8 @@ func isSafeServerURL(serverURL, baseDomain string) error {
 
 	s := len(serverDomainParts)
 	b := len(baseDomainParts)
-	for i := range len(baseDomainParts) {
-		if serverDomainParts[s-i-1] != baseDomainParts[b-i-1] {
+	for i := 1; i < len(baseDomainParts)-1; i++ {
+		if serverDomainParts[s-i] != baseDomainParts[b-i] {
 			return nil
 		}
 	}

hscontrol/types/config_test.go

@@ -140,7 +140,7 @@ func TestReadConfig(t *testing.T) {
 				return LoadServerConfig()
 			},
 			want:    nil,
-			wantErr: errServerURLSuffix.Error(),
+			wantErr: "server_url cannot be a suffix of the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
 		},
 		{
 			name:       "base-domain-not-in-server-url",
@@ -340,7 +340,7 @@ tls_letsencrypt_challenge_type: TLS-ALPN-01
 // server_url: headscale.com, base: headscale.net
 //
 // NOT OK
-// server_url: server.headscale.com, base: headscale.com.
+// server_url: server.headscale.com, base: headscale.com
 func TestSafeServerURL(t *testing.T) {
 	tests := []struct {
 		serverURL, baseDomain,
@@ -362,10 +362,6 @@ func TestSafeServerURL(t *testing.T) {
 			serverURL:  "https://headscale.com",
 			baseDomain: "clients.subdomain.headscale.com",
 		},
-		{
-			serverURL:  "https://headscale.kristoffer.com",
-			baseDomain: "mybase",
-		},
 		{
 			serverURL:  "https://server.headscale.com",
 			baseDomain: "headscale.com",
@@ -388,7 +384,6 @@ func TestSafeServerURL(t *testing.T) {
 			err := isSafeServerURL(tt.serverURL, tt.baseDomain)
 			if tt.wantErr != "" {
 				assert.EqualError(t, err, tt.wantErr)
-
 				return
 			}
 			assert.NoError(t, err)