Making client authentication mode configurable

This commit is contained in:
Justin Angel 2022-01-29 12:59:31 -05:00
parent 052fccdc98
commit 9e619fc020
2 changed files with 29 additions and 3 deletions

24
app.go
View File

@ -87,8 +87,9 @@ type Config struct {
TLSLetsEncryptCacheDir string TLSLetsEncryptCacheDir string
TLSLetsEncryptChallengeType string TLSLetsEncryptChallengeType string
TLSCertPath string TLSCertPath string
TLSKeyPath string TLSKeyPath string
TLSClientAuthMode string
ACMEURL string ACMEURL string
ACMEEmail string ACMEEmail string
@ -644,12 +645,29 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
if !strings.HasPrefix(h.cfg.ServerURL, "https://") { if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
} }
// Leaving flexibility here to support other authentication modes
// if desired.
var client_auth_mode tls.ClientAuthType
msg := "Client authentication (mTLS) "
if(h.cfg.TLSClientAuthMode == "disabled"){
log.Warn().Msg(msg + "is disabled")
client_auth_mode = tls.NoClientCert
}else if (h.cfg.TLSClientAuthMode == "relaxed"){
log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.")
client_auth_mode = tls.RequireAnyClientCert
}else{
log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.")
client_auth_mode = tls.RequireAndVerifyClientCert
}
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
ClientAuth: tls.RequireAnyClientCert, ClientAuth: client_auth_mode,
NextProtos: []string{"http/1.1"}, NextProtos: []string{"http/1.1"},
Certificates: make([]tls.Certificate, 1), Certificates: make([]tls.Certificate, 1),
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
} }
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath) tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
return tlsConfig, err return tlsConfig, err

View File

@ -40,6 +40,7 @@ func LoadConfig(path string) error {
viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache") viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01") viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
viper.SetDefault("tls_client_auth_mode", "disabled")
viper.SetDefault("ip_prefix", "100.64.0.0/10") viper.SetDefault("ip_prefix", "100.64.0.0/10")
@ -80,6 +81,12 @@ func LoadConfig(path string) error {
!strings.HasPrefix(viper.GetString("server_url"), "https://") { !strings.HasPrefix(viper.GetString("server_url"), "https://") {
errorText += "Fatal config error: server_url must start with https:// or http://\n" errorText += "Fatal config error: server_url must start with https:// or http://\n"
} }
auth_mode := viper.GetString("tls_client_auth_mode")
if (auth_mode != "disabled" && auth_mode != "enforced"){
errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced."
}
if errorText != "" { if errorText != "" {
//nolint //nolint
return errors.New(strings.TrimSuffix(errorText, "\n")) return errors.New(strings.TrimSuffix(errorText, "\n"))
@ -251,6 +258,7 @@ func getHeadscaleConfig() headscale.Config {
TLSCertPath: absPath(viper.GetString("tls_cert_path")), TLSCertPath: absPath(viper.GetString("tls_cert_path")),
TLSKeyPath: absPath(viper.GetString("tls_key_path")), TLSKeyPath: absPath(viper.GetString("tls_key_path")),
TLSClientAuthMode: viper.GetString("tls_client_auth_mode"),
DNSConfig: dnsConfig, DNSConfig: dnsConfig,