starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-12 04:10:32 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

[Bug] ACL policy not working after update to v23.0 beta1 #747

New Issue
Closed
opened 2025-12-29 02:23:10 +01:00 by adam · 26 comments
adam commented 2025-12-29 02:23:10 +01:00
Owner
Copy Link

Originally created by @masterwishx on GitHub (Jul 22, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

SSH not working after updated to beta1 and changed config for it:

image

image

Expected Behavior

wokring in versions befor

Steps To Reproduce

...

Environment

- OS: Ubuntu
- Headscale version: 23.0 beta1
- Tailscale version:

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

Originally created by @masterwishx on GitHub (Jul 22, 2024). ### Is this a support request? - [X] This is not a support request ### Is there an existing issue for this? - [X] I have searched the existing issues ### Current Behavior SSH not working after updated to beta1 and changed config for it: ![image](https://github.com/user-attachments/assets/32290ee2-2e53-4861-b5a6-6cf5348bbb04) ![image](https://github.com/user-attachments/assets/64eddc05-fa6f-4481-b387-6838780a65fe) ### Expected Behavior wokring in versions befor ### Steps To Reproduce ... ### Environment ```markdown - OS: Ubuntu - Headscale version: 23.0 beta1 - Tailscale version: ``` ### Runtime environment - [X] Headscale is behind a (reverse) proxy - [X] Headscale runs in a container ### Anything else? _No response_
adam added the bug label 2025-12-29 02:23:10 +01:00
adam closed this issue 2025-12-29 02:23:10 +01:00
adam commented 2025-12-29 02:23:11 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 23, 2024):

adding text:

{
  "groups": {
    "group:admin": ["masterwishx"],
    "group:family": ["user1", "user2", "user3"]
  },

  "tagOwners": {
    "tag:cloud-server": ["group:admin"],
    "tag:home-pc": ["group:admin", "group:family"],
    "tag:home-pc-vm": ["group:admin"],
    "tag:home-server": ["group:admin"],
    "tag:home-server-vm": ["group:admin"],
    "tag:home-mobile": ["group:admin", "group:family"],
    "tag:home-mobile-vm": ["group:admin", "group:family"]
  },

  "acls": [
    {
      // admin have access to all servers
      "action": "accept",
      "src": ["group:admin"],
      "dst": ["*:*"]
    },

    {
      // family have access to all home pcs,Speedtest Tracker
      "action": "accept",
      "src": ["group:family"],
      "dst": ["tag:home-pc:*", "tag:home-server:9443", "tag:home-server:8180"]
    }

    // We still have to allow internal users communications since nothing guarantees that each user have
    // their own users.
    //{ "action": "accept", "src": ["admin"], "dst": ["admin:*"] },
    //{ "action": "accept", "src": ["family"], "dst": ["family:*"] }
  ],

  "ssh": [
    {
      "action": "accept",
      //"src": ["tag:cloud-server", "tag:home-server", "tag:home-pc"],
      "src": ["group:admin"],
      "dst": ["tag:cloud-server", "tag:home-server"],
      "users": ["root", "ubuntu", "abc"]
    }
  ]
}
@masterwishx commented on GitHub (Jul 23, 2024): adding text: ``` { "groups": { "group:admin": ["masterwishx"], "group:family": ["user1", "user2", "user3"] }, "tagOwners": { "tag:cloud-server": ["group:admin"], "tag:home-pc": ["group:admin", "group:family"], "tag:home-pc-vm": ["group:admin"], "tag:home-server": ["group:admin"], "tag:home-server-vm": ["group:admin"], "tag:home-mobile": ["group:admin", "group:family"], "tag:home-mobile-vm": ["group:admin", "group:family"] }, "acls": [ { // admin have access to all servers "action": "accept", "src": ["group:admin"], "dst": ["*:*"] }, { // family have access to all home pcs,Speedtest Tracker "action": "accept", "src": ["group:family"], "dst": ["tag:home-pc:*", "tag:home-server:9443", "tag:home-server:8180"] } // We still have to allow internal users communications since nothing guarantees that each user have // their own users. //{ "action": "accept", "src": ["admin"], "dst": ["admin:*"] }, //{ "action": "accept", "src": ["family"], "dst": ["family:*"] } ], "ssh": [ { "action": "accept", //"src": ["tag:cloud-server", "tag:home-server", "tag:home-pc"], "src": ["group:admin"], "dst": ["tag:cloud-server", "tag:home-server"], "users": ["root", "ubuntu", "abc"] } ] } ```
adam commented 2025-12-29 02:23:11 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Jul 25, 2024):

@masterwishx could you run

tailscale debug netmap on one of the ssh dst hosts?

@kradalby commented on GitHub (Jul 25, 2024): @masterwishx could you run `tailscale debug netmap` on one of the ssh dst hosts?
adam commented 2025-12-29 02:23:11 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 25, 2024):

@masterwishx could you run

tailscale debug netmap on one of the ssh dst hosts?

Sure, will post here...

@masterwishx commented on GitHub (Jul 25, 2024): > @masterwishx could you run > > `tailscale debug netmap` on one of the ssh dst hosts? Sure, will post here...
adam commented 2025-12-29 02:23:12 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 25, 2024):

i think like no acl file was located when tryed beta1

@masterwishx commented on GitHub (Jul 25, 2024): i think like no acl file was located when tryed beta1
adam commented 2025-12-29 02:23:12 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 25, 2024):

image

@masterwishx commented on GitHub (Jul 25, 2024): ![image](https://github.com/user-attachments/assets/0c913818-7628-449a-b5c6-2b6f7cf4ae93)
adam commented 2025-12-29 02:23:12 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 25, 2024):

image

image

@masterwishx commented on GitHub (Jul 25, 2024): ![image](https://github.com/user-attachments/assets/f8d0194f-c585-4905-a045-ee35c0b2aa18) ![image](https://github.com/user-attachments/assets/8ec6985e-e9c6-41ba-bb3c-3c9589d52364)
adam commented 2025-12-29 02:23:15 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 25, 2024):

When goes back to alpha12 have on same machine:

image

@masterwishx commented on GitHub (Jul 25, 2024): When goes back to alpha12 have on same machine: ![image](https://github.com/user-attachments/assets/0b04681b-90a3-4ffe-b77e-b3ff6c60f709)
adam commented 2025-12-29 02:23:18 +01:00
Author
Owner
Copy Link

@seanob86 commented on GitHub (Jul 25, 2024):

I too having issues with acl’s. In alpha12 nodes that don’t have access to other nodes, now can access other nodes in beta1, when using file mode.

Appears file mode does not work. I switched to database mode then headscale policy set -f [path to acl file]
Then headscale policy get, and can see all acls.

Now restricted nodes based on acl can’t communicate to other nodes as configured.

@seanob86 commented on GitHub (Jul 25, 2024): I too having issues with acl’s. In alpha12 nodes that don’t have access to other nodes, now can access other nodes in beta1, when using file mode. Appears file mode does not work. I switched to database mode then `headscale policy set -f [path to acl file]` Then `headscale policy get`, and can see all acls. Now restricted nodes based on acl can’t communicate to other nodes as configured.
adam commented 2025-12-29 02:23:20 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Jul 26, 2024):

@pallabpain, let me know if you could help have a look at this one, might not be related, but worth a check.

@kradalby commented on GitHub (Jul 26, 2024): @pallabpain, let me know if you could help have a look at this one, might not be related, but worth a check.
adam commented 2025-12-29 02:23:20 +01:00
Author
Owner
Copy Link

@pallabpain commented on GitHub (Jul 26, 2024):

@kradalby Sure. I'll take a look at this. From what @seanob86 reported, I can probably investigate the part when ACL is loaded from a file and whether I messed it up during the re-write. 😅

@pallabpain commented on GitHub (Jul 26, 2024): @kradalby Sure. I'll take a look at this. From what @seanob86 reported, I can probably investigate the part when ACL is loaded from a file and whether I messed it up during the re-write. 😅
adam commented 2025-12-29 02:23:20 +01:00
Author
Owner
Copy Link

@hrtkpf commented on GitHub (Jul 26, 2024):

I also encountered an issue after upgrading to beta1.

My config contains:

acl_policy_path: "/etc/headscale/acls.hujson"
policy:
  mode: file
  path: "/etc/headscale/acls.hujson"

Without acl_policy_path, ACLs do not work at all. headscale policy get returns no ACLs in that case.
When using the deprecated acl_policy_path, everything works and headscale policy get returns the ACLs accordingly.
As previously mentioned, it seems ACLs are not loaded correctly when using the new file mode.

@hrtkpf commented on GitHub (Jul 26, 2024): I also encountered an issue after upgrading to beta1. My config contains: ``` acl_policy_path: "/etc/headscale/acls.hujson" policy: mode: file path: "/etc/headscale/acls.hujson" ``` Without `acl_policy_path`, ACLs do not work at all. `headscale policy get` returns no ACLs in that case. When using the deprecated `acl_policy_path`, everything works and `headscale policy get` returns the ACLs accordingly. As previously mentioned, it seems ACLs are not loaded correctly when using the new file mode.
adam commented 2025-12-29 02:23:21 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 26, 2024):

I also encountered an issue after upgrading to beta1.

My config contains:

acl_policy_path: "/etc/headscale/acls.hujson"
policy:
  mode: file
  path: "/etc/headscale/acls.hujson"

Without acl_policy_path, ACLs do not work at all. headscale policy get returns no ACLs in that case. When using the deprecated acl_policy_path, everything works and headscale policy get returns the ACLs accordingly. As previously mentioned, it seems ACLs are not loaded correctly when using the new file mode.

That's what I wrote in discord

@masterwishx commented on GitHub (Jul 26, 2024): > I also encountered an issue after upgrading to beta1. > > My config contains: > > ``` > acl_policy_path: "/etc/headscale/acls.hujson" > policy: > mode: file > path: "/etc/headscale/acls.hujson" > ``` > > Without `acl_policy_path`, ACLs do not work at all. `headscale policy get` returns no ACLs in that case. When using the deprecated `acl_policy_path`, everything works and `headscale policy get` returns the ACLs accordingly. As previously mentioned, it seems ACLs are not loaded correctly when using the new file mode. That's what I wrote in discord
adam commented 2025-12-29 02:23:21 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Jul 26, 2024):

@kradalby @pallabpain
can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine

@masterwishx commented on GitHub (Jul 26, 2024): @kradalby @pallabpain can confirm after added : `acl_policy_path: "/etc/headscale/acls.json"` all working fine
adam commented 2025-12-29 02:23:21 +01:00
Author
Owner
Copy Link

@stratself commented on GitHub (Jul 31, 2024):

I confirm having this bug too. I suggest removing the "for SSH" part in the title as the issue affects all ACLs.

@stratself commented on GitHub (Jul 31, 2024): I confirm having this bug too. I suggest removing the "for SSH" part in the title as the issue affects all ACLs.
adam commented 2025-12-29 02:23:21 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Aug 1, 2024):

I know this is 99% certain that it is related to the ACL changes, but could you help test if the DNS breakage had an impact?

I think #2034 addresses DNS issues, would it be possible for you to help me test it? would be great to avoid another bad release like beta1.

Binary is available here: https://github.com/juanfont/headscale/actions/runs/10195837541?pr=2034

@kradalby commented on GitHub (Aug 1, 2024): I know this is 99% certain that it is related to the ACL changes, but could you help test if the DNS breakage had an impact? I think #2034 addresses DNS issues, would it be possible for you to help me test it? would be great to avoid another bad release like beta1. Binary is available here: https://github.com/juanfont/headscale/actions/runs/10195837541?pr=2034
adam commented 2025-12-29 02:23:22 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Aug 1, 2024):

I know this is 99% certain that it is related to the ACL changes, but could you help test if the DNS breakage had an impact?

I think #2034 addresses DNS issues, would it be possible for you to help me test it? would be great to avoid another bad release like beta1.

Binary is available here: https://github.com/juanfont/headscale/actions/runs/10195837541?pr=2034

Sure I can check it tomorrow, what is link for docker? :pr2034

@masterwishx commented on GitHub (Aug 1, 2024): > I know this is 99% certain that it is related to the ACL changes, but could you help test if the DNS breakage had an impact? > > I think #2034 addresses DNS issues, would it be possible for you to help me test it? would be great to avoid another bad release like beta1. > > Binary is available here: https://github.com/juanfont/headscale/actions/runs/10195837541?pr=2034 Sure I can check it tomorrow, what is link for docker? :pr2034
adam commented 2025-12-29 02:23:22 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Aug 2, 2024):

Also I don't have any dns issues for now with beta1, but also installed and using Adguard home as container in host network and using it in config as dns, enabled also tailscale dns on same host becose otherwise magic DNS not working in this machine

@masterwishx commented on GitHub (Aug 2, 2024): Also I don't have any dns issues for now with beta1, but also installed and using Adguard home as container in host network and using it in config as dns, enabled also tailscale dns on same host becose otherwise magic DNS not working in this machine
adam commented 2025-12-29 02:23:22 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Aug 2, 2024):

Sure I can check it tomorrow, what is link for docker? :pr2034

We do not build docker containers for prs/branches sadly, so you will have to build it.

@kradalby commented on GitHub (Aug 2, 2024): > Sure I can check it tomorrow, what is link for docker? :pr2034 We do not build docker containers for prs/branches sadly, so you will have to build it.
adam commented 2025-12-29 02:23:22 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Aug 2, 2024):

Sure I can check it tomorrow, what is link for docker? :pr2034

We do not build docker containers for prs/branches sadly, so you will have to build it.

OK, got it. Did you asked from me to check?

@masterwishx commented on GitHub (Aug 2, 2024): > > Sure I can check it tomorrow, what is link for docker? :pr2034 > > We do not build docker containers for prs/branches sadly, so you will have to build it. OK, got it. Did you asked from me to check?
adam commented 2025-12-29 02:23:22 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Aug 2, 2024):

Sure I can check it tomorrow, what is link for docker? :pr2034

We do not build docker containers for prs/branches sadly, so you will have to build it.

Can you give a hint how to build docker for this pr, I'm not sure

@masterwishx commented on GitHub (Aug 2, 2024): > > Sure I can check it tomorrow, what is link for docker? :pr2034 > > We do not build docker containers for prs/branches sadly, so you will have to build it. Can you give a hint how to build docker for this pr, I'm not sure
adam commented 2025-12-29 02:23:23 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Aug 2, 2024):

can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine

I think I've found the error, Cobra, the framework we use for reading the config file has a lot of sharp edges for aliases from old to new configs, so I will make the acl_policy_path a hard error and only read the new one.

Sorry for the inconvenience!

@kradalby commented on GitHub (Aug 2, 2024): > can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine I think I've found the error, Cobra, the framework we use for reading the config file has a lot of sharp edges for aliases from old to new configs, so I will make the `acl_policy_path` a hard error and only read the new one. Sorry for the inconvenience!
adam commented 2025-12-29 02:23:23 +01:00
Author
Owner
Copy Link

@masterwishx commented on GitHub (Aug 2, 2024):

can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine

I think I've found the error, Cobra, the framework we use for reading the config file has a lot of sharp edges for aliases from old to new configs, so I will make the acl_policy_path a hard error and only read the new one.

Sorry for the inconvenience!

It's OK, I'm really sorry for was unable to help becose of docker build...

@masterwishx commented on GitHub (Aug 2, 2024): > > can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine > > I think I've found the error, Cobra, the framework we use for reading the config file has a lot of sharp edges for aliases from old to new configs, so I will make the `acl_policy_path` a hard error and only read the new one. > > Sorry for the inconvenience! It's OK, I'm really sorry for was unable to help becose of docker build...
adam commented 2025-12-29 02:23:23 +01:00
Author
Owner
Copy Link

@pallabpain commented on GitHub (Aug 2, 2024):

can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine

I think I've found the error, Cobra, the framework we use for reading the config file has a lot of sharp edges for aliases from old to new configs, so I will make the acl_policy_path a hard error and only read the new one.

Sorry for the inconvenience!

@kradalby Yes, that was my hunch as well. Apologies for not being able to take a look at the issue.

Per this comment, the db mode works fine and only file mode was unable to get the file path.

Thanks for addressing the issue. :)

@pallabpain commented on GitHub (Aug 2, 2024): > > can confirm after added : acl_policy_path: "/etc/headscale/acls.json" all working fine > > I think I've found the error, Cobra, the framework we use for reading the config file has a lot of sharp edges for aliases from old to new configs, so I will make the `acl_policy_path` a hard error and only read the new one. > > Sorry for the inconvenience! @kradalby Yes, that was my hunch as well. Apologies for not being able to take a look at the issue. Per this [comment](https://github.com/juanfont/headscale/issues/2024#issuecomment-2251403445), the `db` mode works fine and only file mode was unable to get the file path. Thanks for addressing the issue. :)
adam commented 2025-12-29 02:23:23 +01:00
Author
Owner
Copy Link

@asineth0 commented on GitHub (Aug 7, 2024):

also had this issue, why is YAML no longer supported for ACLs? it's so much easier to edit in something like nano/vim

@asineth0 commented on GitHub (Aug 7, 2024): also had this issue, why is YAML no longer supported for ACLs? it's so much easier to edit in something like nano/vim
adam commented 2025-12-29 02:23:23 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Aug 7, 2024):

also had this issue, why is YAML no longer supported for ACLs? it's so much easier to edit in something like nano/vim

We are reducing the maintenance cost for developers, sorry for the inconvenience, but we will only support one format (hujson) forward.

@kradalby commented on GitHub (Aug 7, 2024): > also had this issue, why is YAML no longer supported for ACLs? it's so much easier to edit in something like nano/vim We are reducing the maintenance cost for developers, sorry for the inconvenience, but we will only support one format (hujson) forward.
adam commented 2025-12-29 02:23:24 +01:00
Author
Owner
Copy Link

@asineth0 commented on GitHub (Aug 7, 2024):

also had this issue, why is YAML no longer supported for ACLs? it's so much easier to edit in something like nano/vim

We are reducing the maintenance cost for developers, sorry for the inconvenience, but we will only support one format (hujson) forward.

Can't you just add like 2-3 lines of code, if the files ends with .yaml then convert it over to JSON first? I'm down to submit a patch because yaml genuinely makes this so much easier to manage on a server over SSH, editing JSON over SSH is just painful.

@asineth0 commented on GitHub (Aug 7, 2024): > > also had this issue, why is YAML no longer supported for ACLs? it's so much easier to edit in something like nano/vim > > We are reducing the maintenance cost for developers, sorry for the inconvenience, but we will only support one format (hujson) forward. Can't you just add like 2-3 lines of code, if the files ends with `.yaml` then convert it over to JSON first? I'm down to submit a patch because yaml genuinely makes this so much easier to manage on a server over SSH, editing JSON over SSH is just painful.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#747
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?