Remove subnet router visibility workaround from docs (#2569)

Previous Headscale versions required a dedicated rule to make a subnet
router visible to clients. This workaround is no longer required.
nblock 2025-05-05 15:24:59 +02:00 committed by GitHub
parent 1dddd3e93b
commit 833e0f66f1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 6 additions and 16 deletions


@ -149,13 +149,11 @@ Here are the ACL's to implement the same permissions as above:
}, },
// developers have access to the internal network through the router. // developers have access to the internal network through the router.
// the internal network is composed of HTTPS endpoints and Postgresql // the internal network is composed of HTTPS endpoints and Postgresql
// database servers. There's an additional rule to allow traffic to be // database servers.
// forwarded to the internal subnet, 10.20.0.0/16. See this issue
// https://github.com/juanfont/headscale/issues/502
{ {
"action": "accept", "action": "accept",
"src": ["group:dev"], "src": ["group:dev"],
"dst": ["10.20.0.0/16:443,5432", "router.internal:0"] "dst": ["10.20.0.0/16:443,5432"]
}, },
// servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
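Review bot: the rule loses its `"router.internal:0"` destination and the pointer to https://github.com/juanfont/headscale/issues/502 without saying which Headscale release made the extra destination unnecessary, although the commit message states that previous versions required it. A reader on an older release who copies the trimmed rule will find the subnet router no longer visible and nothing in the doc explaining why. Suggest naming the minimum version either in the surrounding text or in the comment, e.g. `// database servers. Headscale releases before <version> additionally needed` / `// "router.internal:0" as a destination, see issue 502.`, so the removal is self-explanatory.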


@ -76,27 +76,19 @@ The routes announced by subnet routers are available to the nodes in a tailnet.
nodes can accept and use such routes. Configure an ACL to explicitly manage who can use routes. nodes can accept and use such routes. Configure an ACL to explicitly manage who can use routes.
The ACL snippet below defines three hosts, a subnet router `router`, a regular node `node` and `service.example.net` as The ACL snippet below defines three hosts, a subnet router `router`, a regular node `node` and `service.example.net` as
internal service that can be reached via a route on the subnet router `router`. The first ACL rule allows anyone to see internal service that can be reached via a route on the subnet router `router`. It allows the node `node` to access
the subnet router `router` without allowing access to any service of the subnet router itself. The second ACL rule `service.example.net` on port 80 and 443 which is reachable via the subnet router. Access to the subnet router itself is
allows the node `node` to access `service.example.net` on port 80 and 443 which is reachable via the subnet router. denied.
```json title="Access the routes of a subnet router without the subnet router itself" ```json title="Access the routes of a subnet router without the subnet router itself"
{ {
"hosts": { "hosts": {
// the router is not referenced but announces 192.168.0.0/24"
"router": "100.64.0.1/32", "router": "100.64.0.1/32",
"node": "100.64.0.2/32", "node": "100.64.0.2/32",
"service.example.net": "192.168.0.1/32" "service.example.net": "192.168.0.1/32"
}, },
"acls": [ "acls": [
{
"action": "accept",
"src": [
"*"
],
"dst": [
"router:0"
]
},
{ {
"action": "accept", "action": "accept",
"src": [ "src": [
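Review bot: the added comment `// the router is not referenced but announces 192.168.0.0/24"` carries a stray trailing double quote, and "not referenced" is ambiguous because `router` is still defined under `hosts` and named in the prose; suggest `// router is not referenced by any ACL rule but announces 192.168.0.0/24`. The new sentence "Access to the subnet router itself is denied." is only true if no remaining rule in the `acls` array names `router` as a destination now that the `"*"` to `"router:0"` rule is gone; the rest of the array is cut off in this hunk, so please confirm that before merging. Minor: "on port 80 and 443" in the reworded paragraph should read "on ports 80 and 443".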