[Bug] loading ACL policy: check with a host results in *v2.Host not supported" #1053

Closed
opened 2025-12-29 02:27:58 +01:00 by adam · 2 comments

Originally created by @cchance27 on GitHub (Jun 27, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In 24.3 I was using 2 host names (defined under "hosts") in my ssh check's src... (ssh: src: ["hostname.whatever"]), laptop and another computer to be the only valid ssh sources, but it stopped working when I upgraded to the latest release.

Error in logs was: Loading ACL policy: creating policy manager: parsing policy: parsing policy from bytes: type *v2.Host not supported"

I had updated my user rules to the trailing @ as required for the upgrade, and after some tracing I found it was the use of hostnames in the src for the check on ssh that was breaking it...

I managed to work around it by switching to a tag on those machines, which is fine, but I'm not sure if this was a bug or something; the error was confusing and I didn't see a bug report or mention specifically of this issue anywhere.

Expected Behavior

SSH ACL policy to work with hostnames as they did in 0.24.3, or a better error maybe, or just docs that specify that it doesn't work with hostnames?

Steps To Reproduce

  1. use an acl with entries like...

```json
{
  "Hosts": {
    "macbook.xxx.local": "100.64.0.1/32"
  },
  "tagOwners": ["...omitted..."],
  "acls": ["...omitted..."],
  "ssh": [
    {
      "action": "check",
      "src": ["macbook.xxx.local"],
      "dst": ["tag:cloud", "tag:home"],
      "users": ["opc", "pi"],
      "checkPeriod": "24h"
    }
  ]
}
```

  2. start the service

Environment

- OS: Docker
- Headscale version: 0.26.1
- Tailscale version: 1.80.0

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

Don't think this is needed as it's not a connection issue.

adam added the bug label 2025-12-29 02:27:58 +01:00
adam closed this issue 2025-12-29 02:27:58 +01:00

@nblock commented on GitHub (Jul 20, 2025):

> but the error was confusing and i didn't see a bug report or mention specifically of this issue anywhere.

From the [CHANGELOG for Headscale 0.26](https://github.com/juanfont/headscale/blob/main/CHANGELOG.md#0260-2025-05-14):

> The SSH policy has been reworked to be more consistent with the rest of the policy. In addition, several inconsistencies between our implementation and Tailscale's upstream has been closed and this might be a breaking change for some users. Please refer to the [upstream documentation](https://tailscale.com/kb/1337/acl-syntax#tailscale-ssh) for more information on which types are allowed in `src`, `dst` and `users`.

This was one of the mentioned inconsistencies that got fixed; from the [docs of the `src` key in the `ssh` policy](https://tailscale.com/kb/1193/tailscale-ssh#src):

> The source where a connection originates from. This can be a user, group, tag, user:*@<domain>, or autogroup. This cannot be a bare wildcard *.

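A pre-flight check of the kind the reporter was missing, as an added example that is not part of the issue or of the headscale project: it parses a policy file and flags any `ssh` `src` entry that is a host alias from `hosts` (or otherwise falls outside the source types quoted above), using the issue's snippet as constructed input. The regexes approximate the documented types rather than headscale's grammar, and `tag:laptop` / `someuser@` are assumed names.

```python
import json
import re
from typing import List

# Source types the Tailscale SSH docs quoted in the thread allow in `src`:
# user, group, tag, user:*@<domain>, autogroup. Host aliases and a bare "*" are not allowed.
# These regexes are an approximation for illustration, not headscale's grammar.
ALLOWED_SRC = [
    re.compile(r"^group:[\w.-]+$"),
    re.compile(r"^tag:[\w.-]+$"),
    re.compile(r"^autogroup:[\w.-]+$"),
    re.compile(r"^(user:)?\*@[\w.-]+$"),   # *@<domain> form from the docs excerpt
    re.compile(r"^[\w.+-]+@[\w.-]*$"),     # user, e.g. "alice@" (0.26 trailing @) or "alice@example.com"
]

def _strip_trailing_commas(text: str) -> str:
    # headscale policies are HuJSON; json.loads rejects the trailing comma the issue's snippet has
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_bad_ssh_sources(policy_text: str) -> List[str]:
    """Return one message per ssh.src entry that headscale 0.26+ would reject."""
    policy = json.loads(_strip_trailing_commas(policy_text))
    # Go decodes JSON keys case-insensitively ("Hosts" == "hosts"), so normalise them
    policy = {k.lower(): v for k, v in policy.items()}
    hosts = set(policy.get("hosts", {}))
    problems = []
    for i, rule in enumerate(policy.get("ssh", [])):
        for src in rule.get("src", []):
            if src in hosts:
                problems.append(f"ssh[{i}].src {src!r} is a host alias; use a tag or user instead")
            elif src == "*" or not any(p.match(src) for p in ALLOWED_SRC):
                problems.append(f"ssh[{i}].src {src!r} is not a user, group, tag, *@domain or autogroup")
    return problems

# Constructed from the issue's snippet: src is a host alias, which 0.26.1 rejects
BROKEN_POLICY = """{
  "Hosts": {"macbook.xxx.local": "100.64.0.1/32",},
  "tagOwners": {"tag:laptop": ["someuser@"]},
  "ssh": [{"action": "check", "src": ["macbook.xxx.local"],
           "dst": ["tag:cloud", "tag:home"], "users": ["opc", "pi"], "checkPeriod": "24h"}]
}"""

# The reporter's workaround: tag the source machines and reference the tag (constructed)
FIXED_POLICY = BROKEN_POLICY.replace('"src": ["macbook.xxx.local"]', '"src": ["tag:laptop"]')

if __name__ == "__main__":
    for msg in find_bad_ssh_sources(BROKEN_POLICY):
        print(msg)
```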

@cchance27 commented on GitHub (Jul 21, 2025):

feels so weird that an acl wouldn't allow a hostname, I mean I guess for matching the tailscale standard, dropping hostname support just felt weird :S

Reference: starred/headscale#1053