diff --git a/app.go b/app.go index 6accaf9c..73017574 100644 --- a/app.go +++ b/app.go @@ -646,21 +646,26 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) { log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") } - // Leaving flexibility here to support other authentication modes - // if desired. var client_auth_mode tls.ClientAuthType - msg := "Client authentication (mTLS) " if(h.cfg.TLSClientAuthMode == "disabled"){ - log.Warn().Msg(msg + "is disabled") + // Client cert is _not_ required. client_auth_mode = tls.NoClientCert }else if (h.cfg.TLSClientAuthMode == "relaxed"){ - log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.") + // Client cert required, but not verified. client_auth_mode = tls.RequireAnyClientCert - }else{ - log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.") + }else if (h.cfg.TLSClientAuthMode == "enforced"){ + // Client cert is required and verified. client_auth_mode = tls.RequireAndVerifyClientCert + }else{ + return nil, errors.New( + "Invalid tls_client_auth_mode provided: " + + h.cfg.TLSClientAuthMode) } + log.Info().Msg(fmt.Sprintf( + "Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.", + h.cfg.TLSClientAuthMode)) + tlsConfig := &tls.Config{ ClientAuth: client_auth_mode, NextProtos: []string{"http/1.1"}, diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go index 4faf9053..1cbfcf62 100644 --- a/cmd/headscale/cli/utils.go +++ b/cmd/headscale/cli/utils.go 
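Review bot: The `enforced` branch selects `tls.RequireAndVerifyClientCert`, but nothing in the hunk sets `ClientCAs` on the `tls.Config` literal it starts building; if that field is also not set in the part of the literal outside the hunk, Go's verifier falls back to the system root pool, so any client certificate chaining to a public CA is accepted and the mode does not pin clients to an operator-controlled CA. The `enforced` branch should fail closed until a client CA pool has been loaded, e.g. `return nil, errors.New("tls_client_auth_mode=enforced requires a client CA bundle")` when none is configured, with that pool assigned to `ClientCAs`. Separately, the commit replaces the old `log.Warn()` for `relaxed` with an `Info`-level line even though `RequireAnyClientCert` accepts self-signed certificates and authenticates nothing — keep `relaxed` (and arguably `disabled`) at `Warn`, and write the message with `log.Info().Msgf(...)` rather than `Msg(fmt.Sprintf(...))`. `getTLSSettings` begins and the `tls.Config` literal ends outside the hunk.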
@@ -83,8 +83,8 @@ func LoadConfig(path string) error { } auth_mode := viper.GetString("tls_client_auth_mode") - if (auth_mode != "disabled" && auth_mode != "enforced"){ - errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced." + if (auth_mode != "disabled" && auth_mode != "relaxed" && auth_mode != "enforced"){ + errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, relaxed, enforced." } if errorText != "" { diff --git a/docs/tls.md b/docs/tls.md index 557cdf01..f8818ce8 100644 --- a/docs/tls.md +++ b/docs/tls.md @@ -29,3 +29,22 @@ headscale can also be configured to expose its web service via TLS. To configure tls_cert_path: "" tls_key_path: "" ``` + +### Configuring Mutual TLS Authentication (mTLS) + +mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale, +using TLS certificates. The capability can be configured by by applying one of +the following values to the `tls_client_auth_mode` setting in the configuration +file. + +| Value | Behavior | +| ----- | -------- | +| `disabled` | Disable mTLS (default). | +| `relaxed` | A client certificate is required, but it is not verified. | +| `enforced` | Requires clients to supply a certificate that is verified. | + + +```yaml +tls_client_auth_mode: "" +``` +
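Review bot: The accepted-values check now hard-codes the same three literals that `getTLSSettings` in app.go compares against, so the two lists can drift silently the next time a mode is added; a single shared list of mode names (or named constants) consulted from both places would keep validation and behavior in step. Note also that the docs hunk in this same commit gives `tls_client_auth_mode: ""` as the example, and an explicit empty string is rejected by this check — unless something outside the hunk maps `""` to `disabled`, the documented example fails config loading, so either treat `""` as `disabled` here or change the example to `tls_client_auth_mode: "disabled"`. `LoadConfig` starts and ends outside the hunk.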