Likely ACL regression in 0.23-alphas #695

Closed
opened 2025-12-29 02:22:11 +01:00 by adam · 1 comment

Originally created by @jwischka on GitHub (Apr 22, 2024).

Bug description

There appears to be an ACL regression in the latest 0.23-alpha versions. Nodes which should be access-limited are able to see (and access) all connected nodes.

My basic setup involves multiple users, some of which should be able to access many or all nodes, and others which should only be able to access select nodes. The acl file is basically a long list of:

{
  "action": "accept",
  "src": ["userYY"],
  "dst": ["userXX:22","userXX:123"],
},

along with

{
  "action": "accept",
  "src": ["userXX"],
  "dst": ["*:*"],
},

In previous versions the expected behavior occurred - user XX could access all nodes, and user YY could access only nodes in user XX, and only ports 22/123. In the latest alphas, nodes in user YY can access nodes from any user (including user ZZ), and connect to them on all ports.

Environment

  • OS: Linux
  • Headscale version: @kradalby's development version
  • Tailscale version: Various, but observed on 1.54.1 and 1.64.0
  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

To Reproduce

Logs and attachments

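Added example, not part of this issue or of headscale's own code: a small Python evaluator run over a constructed policy carrying the two rules from the report, so the intended access matrix (and the allow-all symptom when no policy is loaded) can be checked offline. It assumes headscale's semantics that a user name in src/dst matches every node owned by that user, and that a policy which was never loaded (e.g. a wrong acl path) behaves as allow-all.

```python
import json
import re

# Constructed policy mirroring the two rules in the report (HuJSON style, trailing commas allowed).
POLICY_HUJSON = """
{
  "acls": [
    { "action": "accept", "src": ["userYY"], "dst": ["userXX:22", "userXX:123"], },
    { "action": "accept", "src": ["userXX"], "dst": ["*:*"], },
  ],
}
"""

# Constructed inventory: node name -> owning user.
NODES = {"yy-laptop": "userYY", "xx-server": "userXX", "zz-box": "userZZ"}


def load_policy(text):
    """Strip trailing commas so a HuJSON-style policy parses with the stdlib json module."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))


def _dst_matches(dst, node_user, port):
    """Match one dst entry ("userXX:22", "*:*", "userXX:22,123") against a node owner and port."""
    host, _, ports = dst.rpartition(":")
    if host not in ("*", node_user):
        return False
    return ports == "*" or str(port) in ports.split(",")


def allowed(policy, src_node, dst_node, port):
    """True if any accept rule lets src_node reach dst_node on port.

    policy=None models an ACL file that was never loaded: assumed allow-all,
    which is exactly what a mis-set acl path looks like from the nodes' side.
    """
    if policy is None:
        return True
    src_user, dst_user = NODES[src_node], NODES[dst_node]
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(s in ("*", src_user) for s in rule["src"]):
            continue
        if any(_dst_matches(d, dst_user, port) for d in rule["dst"]):
            return True
    return False  # default deny once a policy is actually in force
```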
adam added the bug label 2025-12-29 02:22:11 +01:00
adam closed this issue 2025-12-29 02:22:11 +01:00

@jwischka commented on GitHub (Apr 22, 2024):

It turns out this is not so much a regression in headscale as much as a regression in my configuration file due to database changes. When you properly set the acl path, it turns out it works as expected.

Reference: starred/headscale#695