From 39bd0243311a941d1c98fbda7edcf7db57e4a21d Mon Sep 17 00:00:00 2001 From: Jisse Date: Thu, 12 Dec 2024 16:35:09 +0100 Subject: [PATCH] Headscale: Added an option to set an Access-Control-Allow-Origin response header to enable Cross-Origin Resource Sharing (CORS) --- .github/workflows/docs-deploy.yml | 4 ++-- config-example.yaml | 7 +++++++ hscontrol/app.go | 11 +++++++++++ hscontrol/types/config.go | 6 ++++++ 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 3ea343f8a5..94b285e79a 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -12,8 +12,8 @@ on: # Stable release tags - v[0-9]+.[0-9]+.[0-9]+ paths: - - 'docs/**' - - 'mkdocs.yml' + - "docs/**" + - "mkdocs.yml" workflow_dispatch: jobs: diff --git a/config-example.yaml b/config-example.yaml index b083091ffb..33e4a1949f 100644 --- a/config-example.yaml +++ b/config-example.yaml @@ -40,6 +40,13 @@ grpc_listen_addr: 127.0.0.1:50443 # are doing. grpc_allow_insecure: false +# The Access-Control-Allow-Origin header specifies which origins are allowed to access resources. +# Options: +# - "*" to allow access from any origin (not recommended for sensitive data). +# - "http://example.com" to only allow access from a specific origin. +# - "" to disable Cross-Origin Resource Sharing (CORS). +Access-Control-Allow-Origin: "" + # The Noise section includes specific configuration for the # TS2021 Noise protocol noise: diff --git a/hscontrol/app.go b/hscontrol/app.go index 1651b8f211..11ae193314 100644 --- a/hscontrol/app.go +++ b/hscontrol/app.go @@ -440,10 +440,21 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error { return os.Remove(h.cfg.UnixSocket) } +func (h *Headscale) corsHeadersMiddleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Access-Control-Allow-Origin", h.cfg.AccessControlAllowOrigins) + next.ServeHTTP(w, r) + }) +} + func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router { router := mux.NewRouter() router.Use(prometheusMiddleware) + if h.cfg.AccessControlAllowOrigins != "" { + router.Use(h.corsHeadersMiddleware) + } + router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost, http.MethodGet) router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet) diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go index 2af3989646..0d5f1d9363 100644 --- a/hscontrol/types/config.go +++ b/hscontrol/types/config.go @@ -63,6 +63,8 @@ type Config struct { Log LogConfig DisableUpdateCheck bool + AccessControlAllowOrigins string + Database DatabaseConfig DERP DERPConfig @@ -292,6 +294,8 @@ func LoadConfig(path string, isFile bool) error { viper.SetDefault("tuning.batch_change_delay", "800ms") viper.SetDefault("tuning.node_mapsession_buffered_chan_size", 30) + viper.SetDefault("Access-Control-Allow-Origin", "") + viper.SetDefault("prefixes.allocation", string(IPAllocationStrategySequential)) if err := viper.ReadInConfig(); err != nil { @@ -852,6 +856,8 @@ func LoadServerConfig() (*Config, error) { GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"), DisableUpdateCheck: false, + AccessControlAllowOrigins: viper.GetString("Access-Control-Allow-Origin"), + PrefixV4: prefix4, PrefixV6: prefix6, IPAllocation: IPAllocationStrategy(alloc),