Closed 117503445 closed 4 weeks ago
I think this would be a useful feature with a clear use case.
I think this would be a useful feature with a clear use case.
I can try to contribute to this feature :)
Sounds good, but please write up a plan for it before you start coding too much.
Sounds good, but please write up a plan for it before you start coding too much.
see #1957, I think this feature is relatively simple. We can start with a simple implementation and discuss what needs to be improved.
This issue is stale because it has been open for 90 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.
Use case
When I deploy derp myself and don't want it to be used by other unauthorized clients, the traditional approach is to have derp access tailscaled to verify that the clientKey is in the list via derp's
verify-clients
parameter.But I don't want to deploy tailscale on derp's nodes, and derp provides the
verify-client-url
parameter to determine if the clientKey is in the list via HTTP. I want Headscale to support this HTTP interface, so I can set derp'sverify-client-url
to the Headscale interface.Description
See https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159.
Derp sent a POST request to
verifyClientsURL
with the following JSONThe expected return is
Contribution
How can it be implemented?
In Headscale, it could be to provide an HTTP interface that receives an authentication request, checks if the clientKey is in the list of nodes, and returns Allow.