headscale icon indicating copy to clipboard operation
headscale copied to clipboard
verified publisher icon juanfont

Split TLS options for gRPC and HTTP

Open K3das opened this issue 1 year ago • 1 comments

Why

Currently for a remote CLI you have no choice but to setup TLS. As a result, the public HTTP endpoints also end up encrypted, and in some configurations this sacrifices significant observability (currently my linkerd2 sidecar containers are unable to inspect traffic, monitor endpoint performance, and enforce per-route ACLs). While workarounds are possible (for example running headscale without TLS, and a proxy terminating TLS for gRPC), they would be far from ideal.

Description

One solution is adding split TLS options - to allow a user to enable TLS for gRPC, while not enabling it for other endpoints.

I'm happy to work on this if it's an acceptable change.

K3das avatar Feb 02 '24 09:02 K3das

I see no issues if we split the configuration, as long it is a non breaking change.

ohdearaugustin avatar Mar 14 '24 23:03 ohdearaugustin

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Jun 13 '24 01:06 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Jun 21 '24 01:06 github-actions[bot]