[Feature] Support for derp's verify-client-url #1953
Comments
I think this would be a useful feature with a clear use case.
I can try to contribute to this feature :)
Sounds good, but please write up a plan for it before you start coding too much.
See #1957. I think this feature is relatively simple. We can start with a simple implementation and discuss what needs to be improved.
This issue is stale because it has been open for 90 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.
Use case
When I deploy derp myself and don't want it to be used by other unauthorized clients, the traditional approach is to have derp access tailscaled to verify that the clientKey is in the list via derp's verify-clients parameter. But I don't want to deploy tailscale on derp's nodes, and derp provides the verify-client-url parameter to determine if the clientKey is in the list via HTTP. I want Headscale to support this HTTP interface, so I can set derp's verify-client-url to the Headscale interface.
Description
See https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159.
Derp sends a POST request to verifyClientsURL with the following JSON
The expected return is
Contribution
How can it be implemented?
In Headscale, it could be to provide an HTTP interface that receives an authentication request, checks if the clientKey is in the list of nodes, and returns Allow.
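The kind of endpoint proposed above, as an added example that is not Headscale's or Tailscale's code. The request and response shapes are assumed from Tailscale's tailcfg.DERPAdmitClientRequest and tailcfg.DERPAdmitClientResponse types; the known map, the /verify path and the sample keys are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed wire shapes, mirroring tailcfg.DERPAdmitClientRequest/Response.
type admitRequest struct {
	NodePublic string // client's public key, in "nodekey:<hex>" text form
	Source     string // client IP address as seen by derper
}
type admitResponse struct{ Allow bool }

// verifyHandler answers admission queries against known, a hypothetical
// stand-in for the control server's node list. Unlisted keys get Allow=false.
func verifyHandler(known map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		var req admitRequest
		body := io.LimitReader(r.Body, 4096) // bound the untrusted body
		if err := json.NewDecoder(body).Decode(&req); err != nil || req.NodePublic == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(admitResponse{Allow: known[req.NodePublic]})
	}
}

// check sends one request to h and returns the status code and trimmed body.
func check(h http.Handler, method, payload string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, "/verify", strings.NewReader(payload)))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	h := verifyHandler(map[string]bool{"nodekey:aa11": true}) // constructed key
	fmt.Println(check(h, "POST", `{"NodePublic":"nodekey:aa11","Source":"192.0.2.7"}`))
	fmt.Println(check(h, "POST", `{"NodePublic":"nodekey:ff00","Source":"192.0.2.9"}`))
}
```

Malformed or empty requests are rejected with an error status rather than answered with Allow, so a parsing failure never admits a client.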