
add --verify-clients environment variable to docker version

Open vampywiz17 opened this issue 2 years ago • 12 comments

Feature request

Please add an option to set the private option of the embedded DERP server in the docker container.

vampywiz17 avatar Aug 15 '22 07:08 vampywiz17

Hi, can you please try to reword and explain this feature request?

Edit: I think I understand. We would be very happy to take a PR for this, but we do not officially support the docker setup, so it will not be prioritised for now.

kradalby avatar Sep 08 '22 08:09 kradalby

.... but we do not officially support the docker setup, so it will not be prioritised for now.

@kradalby this is a general feature request, not specific for docker 😊 See https://tailscale.com/kb/1118/custom-derp-servers/#optional-restricting-client-access-to-your-derp-node for reference

christian-heusel avatar Nov 13 '22 21:11 christian-heusel

@juanfont

The tailscale derp server gets the valid client list by sending a GET request to http://local-tailscaled.sock/localapi/v0/status. I'm thinking of emulating what the tailscale client does by creating an HTTP listener on the said socket.

If this is acceptable, I'll open a PR with the same.

joejose97 avatar Sep 16 '23 15:09 joejose97

Emulating the tailscale control socket API doesn't sound very straightforward, and would come with some downsides (like not being able to easily run tailscale on the headscale system).

It may be better to see about factoring out how the DERP server validates node keys (https://github.com/tailscale/tailscale/blob/main/derp/derp_server.go#L1126-L1142) and make it possible to pull those from headscale rather than the tailscale client socket.

Maybe passing a Verifier function, rather than setting a boolean for whether to verify?

I don't know if that sort of change could be made in a way that would be accepted upstream, or if it would mean maintaining a fork of the derp server.

icb- avatar Oct 02 '23 20:10 icb-

@icb- After reading the derper code, it is feasible to simulate the API; I have created a branch and tested it; derper successfully completed the verification of the client.

  • Derper's verification of its client is mainly completed through the node public key in the status struct.
  • The node public key is obtained from the local socket API status request.
  • We only need to simulate a local status API and return the public keys of all nodes.
  • After client authentication is set up, derper will automatically connect to this API to obtain the public keys of all nodes.

mritd avatar Oct 21 '23 15:10 mritd
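The emulated status endpoint that joejose97 and mritd describe, written out as an added illustration; it is not code from either of them, from headscale, or from tailscale. It serves only the two fields the linked derp_server.go check reads (Self.PublicKey and the Peer map) at /localapi/v0/status on a Unix socket, and includes a local verifyClientKey that mirrors the derper-side decision so the emulation can be tested without running derper. Assumptions: node keys are passed in tailscale's "nodekey:<hex>" text form, Self is filled with a labelled placeholder key (an emulated API has no real self node), and the socket path and sample keys are constructed.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"os"
)

// Placeholder for the Self entry. Assumption: an emulated status has no real
// "self" node, but the field is kept non-null because the derper check reads
// status.Self.PublicKey before consulting the Peer map.
const selfPlaceholderKey = "nodekey:0000000000000000000000000000000000000000000000000000000000000000"

// peerStatus is the subset of tailscaled's per-node status that the
// --verify-clients check reads. Field names follow ipnstate.Status.
type peerStatus struct {
	PublicKey string `json:"PublicKey"`
}

// statusResponse is the subset of the /localapi/v0/status reply used by
// derper: "Self" and a "Peer" map keyed by node public key text.
type statusResponse struct {
	Self *peerStatus            `json:"Self"`
	Peer map[string]*peerStatus `json:"Peer"`
}

// buildStatus turns the node public keys headscale knows about into the
// status shape derper expects. Keys are assumed to already be in the
// "nodekey:<hex>" text form tailscale uses for key.NodePublic.
func buildStatus(nodeKeys []string) statusResponse {
	st := statusResponse{
		Self: &peerStatus{PublicKey: selfPlaceholderKey},
		Peer: make(map[string]*peerStatus, len(nodeKeys)),
	}
	for _, k := range nodeKeys {
		st.Peer[k] = &peerStatus{PublicKey: k}
	}
	return st
}

// verifyClientKey mirrors the derper-side decision for a connecting client:
// accept if the key equals Self.PublicKey or is a key of the Peer map,
// otherwise reject. Anything not registered with headscale is refused.
func verifyClientKey(st statusResponse, clientKey string) bool {
	if st.Self != nil && st.Self.PublicKey == clientKey {
		return true
	}
	_, ok := st.Peer[clientKey]
	return ok
}

// statusHandler serves the emulated status. keys is called per request so
// the answer reflects nodes registered or removed since derper last polled.
func statusHandler(keys func() []string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/localapi/v0/status", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if err := json.NewEncoder(w).Encode(buildStatus(keys())); err != nil {
			log.Printf("encode status: %v", err)
		}
	})
	return mux
}

// serveUnix exposes the handler on a Unix socket, the transport derper uses
// to reach tailscaled. The socket is restricted to its owner so only the
// derper user can read the node list. The path is an assumption.
func serveUnix(sockPath string, h http.Handler) error {
	_ = os.Remove(sockPath) // stale socket left by a previous run
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return err
	}
	if err := os.Chmod(sockPath, 0o600); err != nil {
		ln.Close()
		return err
	}
	return http.Serve(ln, h)
}

func main() {
	// Constructed sample keys standing in for headscale's node table.
	keys := func() []string {
		return []string{
			"nodekey:1111111111111111111111111111111111111111111111111111111111111111",
			"nodekey:2222222222222222222222222222222222222222222222222222222222222222",
		}
	}
	log.Fatal(serveUnix("/tmp/fake-tailscaled.sock", statusHandler(keys)))
}
```

In a real integration the keys callback would read headscale's node table (and skip expired nodes) rather than a fixed list, and derper would be pointed at the socket path; the handler shape stays the same.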

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Jan 20 '24 01:01 github-actions[bot]

This is a feature request, therefore the stale bot is a bit out of place here 😄

christian-heusel avatar Jan 20 '24 01:01 christian-heusel

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Apr 21 '24 01:04 github-actions[bot]

not stale

6ixfalls avatar Apr 21 '24 01:04 6ixfalls

This is a very important feature and we look forward to implementing it soon.

huanshiwushuang avatar Jun 21 '24 08:06 huanshiwushuang