feat: add verify client config for embedded DERP

2025-03-25 23:11:00 -04:00 · 2024-11-27 16:11:15 +08:00 · 2024-11-27 16:11:15 +08:00 · 55980d6427
commit 55980d6427
parent af4508b9dc
3 changed files with 16 additions and 0 deletions
--- a/config-example.yaml
+++ b/config-example.yaml
@ -87,6 +87,12 @@ derp:
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

+    # If non-empty, an admission controller URL for permitting client connections
+    verify_client_url: "http://127.0.0.1:8080/verify"
+
+    # Whether derp fail open if verify_client_url is unreachable
+    verify_client_url_fail_open: false
+
    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
--- a/hscontrol/derp/server/derp_server.go
+++ b/hscontrol/derp/server/derp_server.go
@ -44,6 +44,10 @@ func NewDERPServer(
 ) (*DERPServer, error) {
 	log.Trace().Caller().Msg("Creating new embedded DERP server")
 	server := derp.NewServer(derpKey, util.TSLogfWrapper()) // nolint // zerolinter complains
+	if cfg.ServerVerifyClientURL != "" {
+		server.SetVerifyClientURL(cfg.ServerVerifyClientURL)
+		server.SetVerifyClientURLFailOpen(cfg.ServerVerifyFailOpen)
+	}

 	return &DERPServer{
 		serverURL:     serverURL,
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -185,6 +185,8 @@ type DERPConfig struct {
 	ServerRegionCode                   string
 	ServerRegionName                   string
 	ServerPrivateKeyPath               string
+	ServerVerifyClientURL              string
+	ServerVerifyFailOpen               bool
 	STUNAddr                           string
 	URLs                               []url.URL
 	Paths                              []string
@ -431,6 +433,8 @@ func derpConfig() DERPConfig {
 	serverRegionID := viper.GetInt("derp.server.region_id")
 	serverRegionCode := viper.GetString("derp.server.region_code")
 	serverRegionName := viper.GetString("derp.server.region_name")
+	serverVerifyClientURL := viper.GetString("derp.server.verify_client_url")
+	serverVerifyFailOpen := viper.GetBool("derp.server.verify_client_url_fail_open")
 	stunAddr := viper.GetString("derp.server.stun_listen_addr")
 	privateKeyPath := util.AbsolutePathFromConfigPath(
 		viper.GetString("derp.server.private_key_path"),
@ -475,6 +479,8 @@ func derpConfig() DERPConfig {
 		ServerRegionID:                     serverRegionID,
 		ServerRegionCode:                   serverRegionCode,
 		ServerRegionName:                   serverRegionName,
+		ServerVerifyClientURL:              serverVerifyClientURL,
+		ServerVerifyFailOpen:               serverVerifyFailOpen,
 		ServerPrivateKeyPath:               privateKeyPath,
 		STUNAddr:                           stunAddr,
 		URLs:                               urls,