add --verify-clients environment variable to docker version #740

Open
vampywiz17 opened this issue Aug 15, 2022 · 13 comments
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed no-stale-bot

Comments

@vampywiz17

Feature request

Please add an option to set the private option on the embedded DERP server in the Docker container.

@vampywiz17 vampywiz17 added the enhancement New feature or request label Aug 15, 2022
@kradalby
Collaborator

kradalby commented Sep 8, 2022

Hi, can you please try to reword and explain this feature request?

Edit: I think I understand. We would be very happy to take a PR for this, but we do not officially support the Docker setup, so it will not be prioritised for now.

@kradalby kradalby added help wanted Extra attention is needed good first issue Good for newcomers labels Sep 8, 2022
@christian-heusel
Contributor

> .... but we do not officially support the docker setup, so it will not be prioritised for now.

@kradalby this is a general feature request, not specific for docker 😊
See https://tailscale.com/kb/1118/custom-derp-servers/#optional-restricting-client-access-to-your-derp-node for reference

@joejose97

@juanfont

The tailscale derp server gets the valid client list by sending a GET request to http://local-tailscaled.sock/localapi/v0/status
I'm thinking of emulating what the tailscale client does by creating an HTTP listener on the said socket.

If this is acceptable, I'll open a PR with the same.

@icb-

icb- commented Oct 2, 2023

Emulating the tailscale control socket API doesn't sound very straightforward, and would come with some downsides (like not being able to easily run tailscale on the headscale system).

It may be better to see about factoring out how the DERP server validates node keys (https://github.com/tailscale/tailscale/blob/main/derp/derp_server.go#L1126-L1142) and make it possible to pull those from headscale rather than the tailscale client socket.

Maybe passing a Verifier function, rather than setting a boolean for whether to verify?

I don't know if that sort of change could be made in a way that would be accepted upstream, or if it would mean maintaining a fork of the derp server.

@mritd

mritd commented Oct 21, 2023

@icb- After reading the derper code, it is feasible to simulate the API; I have created a branch and tested it; derper successfully completed the verification of the Client.

  1. Derper's verification of its client is mainly completed through the node public key in the status struct.
  2. The node public key is obtained from the local socket API status request.
  3. We only need to simulate a local status API and return the public keys of all nodes.
  4. After setting up client authentication, derper will automatically connect to this API to obtain the public keys of all nodes.
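
An added example, not code from headscale, Tailscale or any commenter in this thread: it combines the Verifier-function idea and the emulated status endpoint discussed in the comments above. The `Verifier` type, `StatusHandler`, `StatusVerifier`, the JSON shape and the `nodekey:` sample values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Verifier is a hypothetical hook: a nil error admits the node key to the relay.
type Verifier func(nodeKey string) error
var ErrUnknownNode = errors.New("node key not registered")

// statusDoc is an assumed, simplified status body keyed by node public key.
type statusDoc struct{ Peer map[string]struct{} }

// StatusHandler emulates the status endpoint from the control server's key set.
func StatusHandler(keys map[string]struct{}) http.HandlerFunc {
	return func(w http.ResponseWriter, _ *http.Request) { json.NewEncoder(w).Encode(statusDoc{Peer: keys}) }
}

// StatusVerifier queries statusURL on each check and fails closed on any error.
func StatusVerifier(c *http.Client, statusURL string) Verifier {
	return func(nodeKey string) error {
		resp, err := c.Get(statusURL)
		if err != nil {
			return fmt.Errorf("verify: %w", err)
		}
		defer resp.Body.Close()
		var doc statusDoc
		if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&doc) != nil {
			return fmt.Errorf("verify: bad status response (%d)", resp.StatusCode)
		}
		if _, ok := doc.Peer[nodeKey]; !ok {
			return ErrUnknownNode
		}
		return nil
	}
}

func demo() (known, unknown, down error) { // constructed key; down = endpoint stopped
	srv := httptest.NewServer(StatusHandler(map[string]struct{}{"nodekey:aaaa": {}}))
	v := StatusVerifier(srv.Client(), srv.URL)
	known, unknown = v("nodekey:aaaa"), v("nodekey:bbbb")
	srv.Close()
	return known, unknown, v("nodekey:aaaa")
}

func main() { fmt.Println(demo()) }
```

The third result shows the fail-closed case: a registered key is still rejected once the status endpoint is unreachable, and the error is distinguishable from `ErrUnknownNode`.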

Contributor

This issue is stale because it has been open for 90 days with no activity.

@github-actions github-actions bot added the stale label Jan 20, 2024
@christian-heusel
Contributor

christian-heusel commented Jan 20, 2024

This is a feature request, therefore the stale bot is a bit out of place here 😄

@github-actions github-actions bot removed the stale label Jan 21, 2024
Contributor

This issue is stale because it has been open for 90 days with no activity.

@github-actions github-actions bot added the stale label Apr 21, 2024
@6ixfalls
Contributor

not stale

@github-actions github-actions bot removed the stale label Apr 22, 2024
@huanshiwushuang

This is a very important feature and we look forward to implementing it soon

Contributor

This issue is stale because it has been open for 90 days with no activity.

@github-actions github-actions bot added the stale label Sep 20, 2024
@cavoirom

not stale

@viveksupe

viveksupe commented Jan 18, 2025

Given now verify urls are implemented in headscale --verify-client-url.

#2046

We should enable this option for embedded derp server to use those endpoints either as default or via explicit config.


11 participants