[Feature] Support for derp's verify-client-url #1953

Closed
2 tasks done
117503445 opened this issue May 19, 2024 · 6 comments · May be fixed by #1957 or #2046

117503445 commented May 19, 2024

Use case

When I deploy derp myself and don't want it to be used by other unauthorized clients, the traditional approach is to have derp access tailscaled to verify that the clientKey is in the list via derp's verify-clients parameter.

But I don't want to deploy tailscale on derp's nodes, and derp provides the verify-client-url parameter to determine if the clientKey is in the list via HTTP. I want Headscale to support this HTTP interface, so I can set derp's verify-client-url to the Headscale interface.

Description

See https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159.

Derp sends a POST request to verifyClientsURL with the following JSON:

{
  "NodePublic": "clientKey",
  "Source": "clientIP"
}

The expected response is:

{
    "Allow": true
}

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature

How can it be implemented?

In Headscale, this could be done by providing an HTTP interface that receives an authentication request, checks if the clientKey is in the list of nodes, and returns Allow.

@117503445 117503445 added the enhancement New feature or request label May 19, 2024
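
A minimal sketch of the endpoint proposed above, added here as an example (it is not Headscale's or Tailscale's code): it accepts the JSON shown in the issue and answers `Allow` only for keys in a node list, failing closed on anything else. The names `newVerifyHandler` and `check`, the `/verify` path, the 4096-byte body cap and the sample keys and addresses are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Request and response shapes, as given in the issue text.
type verifyRequest struct{ NodePublic, Source string }
type verifyResponse struct{ Allow bool }

// newVerifyHandler answers admission checks; known is a hypothetical stand-in for the node list.
func newVerifyHandler(known map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		var req verifyRequest
		// Cap the body: a valid request carries only two short fields.
		if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Fail closed: an empty or unknown key is never allowed.
		resp := verifyResponse{Allow: req.NodePublic != "" && known[req.NodePublic]}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	}
}

// check sends one constructed request through the handler and returns (status, Allow).
func check(h http.Handler, method, body string) (int, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, "/verify", strings.NewReader(body)))
	var resp verifyResponse
	json.NewDecoder(rec.Body).Decode(&resp) // non-JSON error bodies leave Allow=false
	return rec.Code, resp.Allow
}

func main() {
	// Constructed sample data, not real node keys.
	h := newVerifyHandler(map[string]bool{"nodekey:constructed-known": true})
	fmt.Println(check(h, "POST", `{"NodePublic":"nodekey:constructed-known","Source":"192.0.2.10"}`))
	fmt.Println(check(h, "POST", `{"NodePublic":"nodekey:constructed-other","Source":"192.0.2.11"}`))
}
```
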
@ohdearaugustin
Collaborator

I think this would be a useful feature with a clear use case.

@117503445
Author

> I think this would be a useful feature with a clear use case.

I can try to contribute to this feature :)

@kradalby
Collaborator

Sounds good, but please write up a plan for it before you start coding too much.

@117503445
Author

117503445 commented May 25, 2024

> Sounds good, but please write up a plan for it before you start coding too much.

See #1957. I think this feature is relatively simple. We can start with a simple implementation and discuss what needs to be improved.

Contributor

This issue is stale because it has been open for 90 days with no activity.

@github-actions github-actions bot added the stale label Aug 26, 2024
Contributor

github-actions bot commented Sep 2, 2024

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 2, 2024