Headscale shouldn't start if ACL policy is wrong #253

Closed
opened 2025-12-29 01:25:06 +01:00 by adam · 0 comments
Owner

Originally created by @reynico on GitHub (Apr 6, 2022).

headscale serve starts even with an invalid ACL policy defined, leading to misconfiguration during runtime as the policies are not enforced. If you set an ACL for developers to only access database.local:5432 but to deny prod-servers.local:22 and the ACL policy file has a typo, developers would have access to both production servers and databases.

2022-04-06T13:55:16Z ERR Could not load the ACL policy error="hujson: line 1, column 1: invalid literal: a" path=/etc/headscale/acls.hujson
2022-04-06T13:55:16Z INF Setting up a DERPMap update worker frequency=86400000
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /health                   --> github.com/juanfont/headscale.(*Headscale).createRouter.func1 (3 handlers)
[GIN-debug] GET    /key                      --> github.com/juanfont/headscale.(*Headscale).KeyHandler-fm (3 handlers)
[GIN-debug] GET    /register                 --> github.com/juanfont/headscale.(*Headscale).RegisterWebAPI-fm (3 handlers)
[GIN-debug] POST   /machine/:id/map          --> github.com/juanfont/headscale.(*Headscale).PollNetMapHandler-fm (3 handlers)
[GIN-debug] POST   /machine/:id              --> github.com/juanfont/headscale.(*Headscale).RegistrationHandler-fm (3 handlers)
[GIN-debug] GET    /oidc/register/:mkey      --> github.com/juanfont/headscale.(*Headscale).RegisterOIDC-fm (3 handlers)
[GIN-debug] GET    /oidc/callback            --> github.com/juanfont/headscale.(*Headscale).OIDCCallback-fm (3 handlers)
[GIN-debug] GET    /apple                    --> github.com/juanfont/headscale.(*Headscale).AppleConfigMessage-fm (3 handlers)
[GIN-debug] GET    /apple/:platform          --> github.com/juanfont/headscale.(*Headscale).ApplePlatformConfig-fm (3 handlers)
[GIN-debug] GET    /windows                  --> github.com/juanfont/headscale.(*Headscale).WindowsConfigMessage-fm (3 handlers)
[GIN-debug] GET    /windows/tailscale.reg    --> github.com/juanfont/headscale.(*Headscale).WindowsRegConfig-fm (3 handlers)
[GIN-debug] GET    /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] POST   /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] PUT    /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] PATCH  /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] HEAD   /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] OPTIONS /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] DELETE /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] CONNECT /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
[GIN-debug] TRACE  /api/v1/*any              --> github.com/gin-gonic/gin.WrapF.func1 (4 handlers)
2022-04-06T13:55:16Z INF listening and serving HTTP on: 0.0.0.0:8081

Headscale should exit if it cannot parse the ACL policy file.

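As an added example (not headscale's own code and not part of the original issue), the Go sketch below shows the fail-closed startup the reporter asks for: the policy loader returns an error on a malformed file, the startup path refuses to serve on that error, and the evaluator is deny-by-default so a policy that was never loaded grants nothing. It assumes a simplified plain-JSON subset of the ACL format (headscale's real policy is HuJSON with more fields); the `Policy`, `LoadPolicy`, `Startup` and `Allowed` names and the sample policies are this example's own constructions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Policy is a minimal, assumed shape for an ACL file: named groups plus a
// list of accept rules. Real headscale policies are HuJSON and richer.
type Policy struct {
	Groups map[string][]string `json:"groups"`
	ACLs   []ACL               `json:"acls"`
}

// ACL is one accept rule; dst entries are "host:port" or "host:*".
type ACL struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

// LoadPolicy parses and validates policy bytes. Any defect is an error, and
// callers must treat it as fatal rather than carry on with a nil policy.
func LoadPolicy(data []byte) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("parse ACL policy: %w", err)
	}
	for i, a := range p.ACLs {
		if a.Action != "accept" {
			return nil, fmt.Errorf("acl %d: unsupported action %q", i, a.Action)
		}
		if len(a.Src) == 0 || len(a.Dst) == 0 {
			return nil, fmt.Errorf("acl %d: src and dst must be non-empty", i)
		}
		for _, d := range a.Dst {
			if _, _, err := splitDst(d); err != nil {
				return nil, fmt.Errorf("acl %d: %w", i, err)
			}
		}
	}
	return &p, nil
}

// splitDst separates "host:port" and checks the port is numeric or "*".
func splitDst(d string) (string, string, error) {
	i := strings.LastIndex(d, ":")
	if i < 0 {
		return "", "", fmt.Errorf("dst %q missing port", d)
	}
	host, port := d[:i], d[i+1:]
	if port != "*" {
		if _, err := strconv.Atoi(port); err != nil {
			return "", "", fmt.Errorf("dst %q: bad port", d)
		}
	}
	return host, port, nil
}

// Allowed is deny-by-default: a nil policy (never loaded) or no matching
// rule refuses the connection.
func (p *Policy) Allowed(user, host string, port int) bool {
	if p == nil {
		return false
	}
	for _, a := range p.ACLs {
		if !p.matchesSrc(a.Src, user) {
			continue
		}
		for _, d := range a.Dst {
			h, pt, _ := splitDst(d) // validated at load time
			if h == host && (pt == "*" || pt == strconv.Itoa(port)) {
				return true
			}
		}
	}
	return false
}

// matchesSrc accepts a literal user, "*", or a group the user belongs to.
func (p *Policy) matchesSrc(srcs []string, user string) bool {
	for _, s := range srcs {
		if s == "*" || s == user {
			return true
		}
		for _, m := range p.Groups[s] {
			if m == user {
				return true
			}
		}
	}
	return false
}

// Startup is the fail-closed entry point: it refuses to serve when the
// policy cannot be loaded instead of running with no policy enforced.
func Startup(policyBytes []byte) (*Policy, error) {
	p, err := LoadPolicy(policyBytes)
	if err != nil {
		return nil, fmt.Errorf("refusing to start: %w", err)
	}
	return p, nil
}

// Constructed sample policies: a valid one matching the issue's scenario,
// and one with a typo (YAML-style key) that mirrors the reported parse error.
const goodPolicy = `{
  "groups": {"group:developers": ["alice", "bob"]},
  "acls": [
    {"action": "accept", "src": ["group:developers"], "dst": ["database.local:5432"]}
  ]
}`
const badPolicy = `acls: [{"action": "accept"}]`

func main() {
	if _, err := Startup([]byte(badPolicy)); err != nil {
		fmt.Fprintln(os.Stderr, err) // server would exit here
	}
	p, err := Startup([]byte(goodPolicy))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("db:", p.Allowed("alice", "database.local", 5432))
	fmt.Println("prod ssh:", p.Allowed("alice", "prod-servers.local", 22))
}
```

The important property is that the two failure paths (unparseable file and absent policy) both end in refusal: the first by exiting before the listener starts, the second by the nil check in `Allowed`, so a future code path that forgets the load error still cannot turn into the fail-open behaviour described in the issue.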
adam added the bug label 2025-12-29 01:25:06 +01:00
adam closed this issue 2025-12-29 01:25:07 +01:00
Reference: starred/headscale#253