Allow gRPC server to run insecure

This commit is contained in:
Kristoffer Dalby 2022-02-13 09:08:46 +00:00
parent c3b68adfed
commit 4e54796384
3 changed files with 23 additions and 14 deletions

app.go

@ -69,6 +69,7 @@ type Config struct {
ServerURL string ServerURL string
Addr string Addr string
GRPCAddr string GRPCAddr string
GRPCAllowInsecure bool
EphemeralNodeInactivityTimeout time.Duration EphemeralNodeInactivityTimeout time.Duration
IPPrefixes []netaddr.IPPrefix IPPrefixes []netaddr.IPPrefix
PrivateKeyPath string PrivateKeyPath string
@ -567,8 +568,7 @@ func (h *Headscale) Serve() error {
// https://github.com/soheilhy/cmux/issues/68 // https://github.com/soheilhy/cmux/issues/68
// https://github.com/soheilhy/cmux/issues/91 // https://github.com/soheilhy/cmux/issues/91
// If TLS has been enabled, set up the remote gRPC server if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
if tlsConfig != nil {
log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr) log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
grpcOptions := []grpc.ServerOption{ grpcOptions := []grpc.ServerOption{
@ -578,7 +578,14 @@ func (h *Headscale) Serve() error {
zerolog.NewUnaryServerInterceptor(), zerolog.NewUnaryServerInterceptor(),
), ),
), ),
grpc.Creds(credentials.NewTLS(tlsConfig)), }
if tlsConfig != nil {
grpcOptions = append(grpcOptions,
grpc.Creds(credentials.NewTLS(tlsConfig)),
)
} else {
log.Warn().Msg("gRPC is running without security")
} }
grpcServer := grpc.NewServer(grpcOptions...) grpcServer := grpc.NewServer(grpcOptions...)
@ -586,12 +593,7 @@ func (h *Headscale) Serve() error {
v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h)) v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
reflection.Register(grpcServer) reflection.Register(grpcServer)
var grpcListener net.Listener grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
// if tlsConfig != nil {
// grpcListener, err = tls.Listen("tcp", h.cfg.GRPCAddr, tlsConfig)
// } else {
grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
// }
if err != nil { if err != nil {
return fmt.Errorf("failed to bind to TCP address: %w", err) return fmt.Errorf("failed to bind to TCP address: %w", err)
} }
@ -600,8 +602,6 @@ func (h *Headscale) Serve() error {
log.Info(). log.Info().
Msgf("listening and serving gRPC on: %s", h.cfg.GRPCAddr) Msgf("listening and serving gRPC on: %s", h.cfg.GRPCAddr)
} else {
log.Info().Msg("TLS is not configured, not enabling remote gRPC")
} }
// //
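Review bot: When `tlsConfig` is nil and `GRPCAllowInsecure` is false, the server no longer logs that remote gRPC stays disabled, because the `else` branch with `log.Info().Msg("TLS is not configured, not enabling remote gRPC")` is removed and nothing replaces it; an operator reading the log cannot tell whether the listener on `GRPCAddr` was skipped or never reached. Suggest keeping an `else` on the new outer condition with that same message. The warning in the insecure branch would also be more useful as `log.Warn().Msgf("Remote gRPC on %s is running without TLS; traffic to the admin API is unencrypted", h.cfg.GRPCAddr)`, so the exposed address sits next to the warning when the logs are reviewed. Serve() begins and ends outside these hunks.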


@ -59,6 +59,7 @@ func LoadConfig(path string) error {
viper.SetDefault("unix_socket_permission", "0o770") viper.SetDefault("unix_socket_permission", "0o770")
viper.SetDefault("grpc_listen_addr", ":50443") viper.SetDefault("grpc_listen_addr", ":50443")
viper.SetDefault("grpc_allow_insecure", false)
viper.SetDefault("cli.timeout", "5s") viper.SetDefault("cli.timeout", "5s")
viper.SetDefault("cli.insecure", false) viper.SetDefault("cli.insecure", false)
@ -281,9 +282,11 @@ func getHeadscaleConfig() headscale.Config {
} }
return headscale.Config{ return headscale.Config{
ServerURL: viper.GetString("server_url"), ServerURL: viper.GetString("server_url"),
Addr: viper.GetString("listen_addr"), Addr: viper.GetString("listen_addr"),
GRPCAddr: viper.GetString("grpc_listen_addr"), GRPCAddr: viper.GetString("grpc_listen_addr"),
GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
IPPrefixes: prefixes, IPPrefixes: prefixes,
PrivateKeyPath: absPath(viper.GetString("private_key_path")), PrivateKeyPath: absPath(viper.GetString("private_key_path")),
BaseDomain: baseDomain, BaseDomain: baseDomain,
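Review bot: The new `viper.SetDefault("grpc_allow_insecure", false)` sits two lines above `cli.insecure`, and the two names read as the same knob with different spelling although they appear to govern different sides (the server's gRPC listener here, the CLI client for `cli.insecure`); a one-line comment above the new default, e.g. `// grpc_allow_insecure: serve the remote gRPC API without TLS on grpc_listen_addr (server side, unrelated to cli.insecure).`, would keep the two from being confused when someone flips one expecting the other. The default of false is the right choice, since it preserves the TLS-only behaviour unless explicitly opted in. LoadConfig and getHeadscaleConfig both continue outside these hunks.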


@ -23,6 +23,12 @@ listen_addr: 0.0.0.0:8080
# valid certificates. # valid certificates.
grpc_listen_addr: 0.0.0.0:50443 grpc_listen_addr: 0.0.0.0:50443
# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false
# Private key used encrypt the traffic between headscale # Private key used encrypt the traffic between headscale
# and Tailscale clients. # and Tailscale clients.
# The private key file which will be # The private key file which will be