Remove mTLS stuff from code
This commit is contained in:
Juan Font
Juan Font
parent
f90a3c196c
commit
d461097247
26
app.go
26
app.go
|
|
@ -101,27 +101,6 @@ type Headscale struct {
|
||||||
pollNetMapStreamWG sync.WaitGroup
|
pollNetMapStreamWG sync.WaitGroup
|
||||||
}
|
}
|
||||||
|
|
||||||
// Look up the TLS constant relative to user-supplied TLS client
|
|
||||||
// authentication mode. If an unknown mode is supplied, the default
|
|
||||||
// value, tls.RequireAnyClientCert, is returned. The returned boolean
|
|
||||||
// indicates if the supplied mode was valid.
|
|
||||||
func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
|
|
||||||
switch mode {
|
|
||||||
case DisabledClientAuth:
|
|
||||||
// Client cert is _not_ required.
|
|
||||||
return tls.NoClientCert, true
|
|
||||||
case RelaxedClientAuth:
|
|
||||||
// Client cert required, but _not verified_.
|
|
||||||
return tls.RequireAnyClientCert, true
|
|
||||||
case EnforcedClientAuth:
|
|
||||||
// Client cert is _required and verified_.
|
|
||||||
return tls.RequireAndVerifyClientCert, true
|
|
||||||
default:
|
|
||||||
// Return the default when an unknown value is supplied.
|
|
||||||
return tls.RequireAnyClientCert, false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func NewHeadscale(cfg *Config) (*Headscale, error) {
|
func NewHeadscale(cfg *Config) (*Headscale, error) {
|
||||||
privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
|
privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -855,12 +834,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
||||||
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info().Msg(fmt.Sprintf(
|
|
||||||
"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
|
|
||||||
h.cfg.TLS.ClientAuthMode))
|
|
||||||
|
|
||||||
tlsConfig := &tls.Config{
|
tlsConfig := &tls.Config{
|
||||||
ClientAuth: h.cfg.TLS.ClientAuthMode,
|
|
||||||
NextProtos: []string{"http/1.1"},
|
NextProtos: []string{"http/1.1"},
|
||||||
Certificates: make([]tls.Certificate, 1),
|
Certificates: make([]tls.Certificate, 1),
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
|
|
|
||||||
17
app_test.go
17
app_test.go
|
|
@ -59,20 +59,3 @@ func (s *Suite) ResetDB(c *check.C) {
|
||||||
}
|
}
|
||||||
app.db = db
|
app.db = db
|
||||||
}
|
}
|
||||||
|
|
||||||
// Enusre an error is returned when an invalid auth mode
|
|
||||||
// is supplied.
|
|
||||||
func (s *Suite) TestInvalidClientAuthMode(c *check.C) {
|
|
||||||
_, isValid := LookupTLSClientAuthMode("invalid")
|
|
||||||
c.Assert(isValid, check.Equals, false)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Ensure that all client auth modes return a nil error.
|
|
||||||
func (s *Suite) TestAuthModes(c *check.C) {
|
|
||||||
modes := []string{"disabled", "relaxed", "enforced"}
|
|
||||||
|
|
||||||
for _, v := range modes {
|
|
||||||
_, isValid := LookupTLSClientAuthMode(v)
|
|
||||||
c.Assert(isValid, check.Equals, true)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
||||||
25
config.go
25
config.go
|
|
@ -1,7 +1,6 @@
|
||||||
package headscale
|
package headscale
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/fs"
|
"io/fs"
|
||||||
|
|
@ -75,9 +74,8 @@ type Config struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type TLSConfig struct {
|
type TLSConfig struct {
|
||||||
CertPath string
|
CertPath string
|
||||||
KeyPath string
|
KeyPath string
|
||||||
ClientAuthMode tls.ClientAuthType
|
|
||||||
|
|
||||||
LetsEncrypt LetsEncryptConfig
|
LetsEncrypt LetsEncryptConfig
|
||||||
}
|
}
|
||||||
|
|
@ -154,7 +152,6 @@ func LoadConfig(path string, isFile bool) error {
|
||||||
|
|
||||||
viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
|
viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
|
||||||
viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
|
viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
|
||||||
viper.SetDefault("tls_client_auth_mode", "relaxed")
|
|
||||||
|
|
||||||
viper.SetDefault("log.level", "info")
|
viper.SetDefault("log.level", "info")
|
||||||
viper.SetDefault("log.format", TextLogFormat)
|
viper.SetDefault("log.format", TextLogFormat)
|
||||||
|
|
@ -224,19 +221,6 @@ func LoadConfig(path string, isFile bool) error {
|
||||||
errorText += "Fatal config error: server_url must start with https:// or http://\n"
|
errorText += "Fatal config error: server_url must start with https:// or http://\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
_, authModeValid := LookupTLSClientAuthMode(
|
|
||||||
viper.GetString("tls_client_auth_mode"),
|
|
||||||
)
|
|
||||||
|
|
||||||
if !authModeValid {
|
|
||||||
errorText += fmt.Sprintf(
|
|
||||||
"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
|
|
||||||
viper.GetString("tls_client_auth_mode"),
|
|
||||||
DisabledClientAuth,
|
|
||||||
RelaxedClientAuth,
|
|
||||||
EnforcedClientAuth)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
|
// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
|
||||||
// to avoid races
|
// to avoid races
|
||||||
minInactivityTimeout, _ := time.ParseDuration("65s")
|
minInactivityTimeout, _ := time.ParseDuration("65s")
|
||||||
|
|
@ -266,10 +250,6 @@ func LoadConfig(path string, isFile bool) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetTLSConfig() TLSConfig {
|
func GetTLSConfig() TLSConfig {
|
||||||
tlsClientAuthMode, _ := LookupTLSClientAuthMode(
|
|
||||||
viper.GetString("tls_client_auth_mode"),
|
|
||||||
)
|
|
||||||
|
|
||||||
return TLSConfig{
|
return TLSConfig{
|
||||||
LetsEncrypt: LetsEncryptConfig{
|
LetsEncrypt: LetsEncryptConfig{
|
||||||
Hostname: viper.GetString("tls_letsencrypt_hostname"),
|
Hostname: viper.GetString("tls_letsencrypt_hostname"),
|
||||||
|
|
@ -285,7 +265,6 @@ func GetTLSConfig() TLSConfig {
|
||||||
KeyPath: AbsolutePathFromConfigPath(
|
KeyPath: AbsolutePathFromConfigPath(
|
||||||
viper.GetString("tls_key_path"),
|
viper.GetString("tls_key_path"),
|
||||||
),
|
),
|
||||||
ClientAuthMode: tlsClientAuthMode,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -71,7 +71,6 @@ func WithTLS() Option {
|
||||||
// TODO(kradalby): Move somewhere appropriate
|
// TODO(kradalby): Move somewhere appropriate
|
||||||
hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
|
hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
|
||||||
hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
|
hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
|
||||||
hsic.env = append(hsic.env, "HEADSCALE_TLS_CLIENT_AUTH_MODE=disabled")
|
|
||||||
|
|
||||||
hsic.tlsCert = cert
|
hsic.tlsCert = cert
|
||||||
hsic.tlsKey = key
|
hsic.tlsKey = key
|
||||||
|
|
@ -371,7 +370,7 @@ func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
|
||||||
return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
|
return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
|
||||||
}
|
}
|
||||||
|
|
||||||
//nolint
|
// nolint
|
||||||
func createCertificate() ([]byte, []byte, error) {
|
func createCertificate() ([]byte, []byte, error) {
|
||||||
// From:
|
// From:
|
||||||
// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
|
// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue