eyjhb/headscale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

config: disallow same server url and base_domain (#2544)

Browse source 
* config: disallow same server url and base_domain

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2025-04-23 16:24:38 +02:00 committed by GitHub
parent 098ab0357c
commit 30539b2e26
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hscontrol/types/config.go
View file

@ -33,6 +33,7 @@ const (
var (
errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
errServerURLSuffix = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable")
errServerURLSame = errors.New("server_url cannot use the same domain as base_domain in a way that could make the DERP and headscale server unreachable")
errInvalidPKCEMethod = errors.New("pkce.method must be either 'plain' or 'S256'")
)
@ -999,6 +1000,10 @@ func isSafeServerURL(serverURL, baseDomain string) error {
return err
}
if server.Hostname() == baseDomain {
return errServerURLSame
}
serverDomainParts := strings.Split(server.Host, ".")
baseDomainParts := strings.Split(baseDomain, ".")

1
hscontrol/types/config_test.go
View file

@ -423,6 +423,7 @@ func TestSafeServerURL(t *testing.T) {
{
serverURL: "https://headscale.com",
baseDomain: "headscale.com",
wantErr: errServerURLSame.Error(),
},
{
serverURL: "https://headscale.com",