From 5935b13b6780180d717cd66a13657c043c11905b Mon Sep 17 00:00:00 2001
From: Justin Angel <justinangel86@gmail.com>
Date: Sat, 29 Jan 2022 13:35:08 -0500
Subject: [PATCH] refining

---
 app.go                     | 19 ++++++++++++-------
 cmd/headscale/cli/utils.go |  4 ++--
 docs/tls.md                | 19 +++++++++++++++++++
 3 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/app.go b/app.go
index 6accaf9c..73017574 100644
--- a/app.go
+++ b/app.go
@@ -646,21 +646,26 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
 		}
 
-        // Leaving flexibility here to support other authentication modes
-        // if desired.
         var client_auth_mode tls.ClientAuthType
-        msg := "Client authentication (mTLS) "
         if(h.cfg.TLSClientAuthMode == "disabled"){
-            log.Warn().Msg(msg + "is disabled")
+            // Client cert is _not_ required.
             client_auth_mode = tls.NoClientCert
         }else if (h.cfg.TLSClientAuthMode == "relaxed"){
-            log.Warn().Msg(msg + "is relaxed. Client certs will be required but will not be verified.")
+            // Client cert required, but not verified.
             client_auth_mode = tls.RequireAnyClientCert
-        }else{
-            log.Warn().Msg(msg + "is enforced. Disable or relax in the configuration file.")
+        }else if (h.cfg.TLSClientAuthMode == "enforced"){
+            // Client cert is required and verified.
             client_auth_mode = tls.RequireAndVerifyClientCert
+        }else{
+            return nil, errors.New(
+                "Invalid tls_client_auth_mode provided: " +
+                h.cfg.TLSClientAuthMode)
         }
 
+        log.Info().Msg(fmt.Sprintf(
+            "Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
+            h.cfg.TLSClientAuthMode))
+
 		tlsConfig := &tls.Config{
 			ClientAuth:   client_auth_mode,
 			NextProtos:   []string{"http/1.1"},
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
index 4faf9053..1cbfcf62 100644
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -83,8 +83,8 @@ func LoadConfig(path string) error {
 	}
 
     auth_mode := viper.GetString("tls_client_auth_mode")
-    if (auth_mode != "disabled" && auth_mode != "enforced"){
-        errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, enforced."
+    if (auth_mode != "disabled" && auth_mode != "relaxed" && auth_mode != "enforced"){
+        errorText += "Invalid tls_client_auth_mode supplied. Accepted values: disabled, relaxed, enforced."
     }
 
 	if errorText != "" {
diff --git a/docs/tls.md b/docs/tls.md
index 557cdf01..f8818ce8 100644
--- a/docs/tls.md
+++ b/docs/tls.md
@@ -29,3 +29,22 @@ headscale can also be configured to expose its web service via TLS. To configure
 tls_cert_path: ""
 tls_key_path: ""
 ```
+
+### Configuring Mutual TLS Authentication (mTLS)
+
+mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale,
+using TLS certificates. The capability can be configured by by applying one of
+the following values to the `tls_client_auth_mode` setting in the configuration
+file.
+
+| Value | Behavior |
+| ----- | -------- |
+| `disabled` | Disable mTLS (default). |
+| `relaxed` | A client certificate is required, but it is not verified. |
+| `enforced` | Requires clients to supply a certificate that is verified. |
+
+
+```yaml
+tls_client_auth_mode: ""
+```
+