[Feature] Support for derp's verify-client-url

[117503445]

Use case

When I deploy derp myself and don't want it to be used by other unauthorized clients, the traditional approach is to have derp access tailscaled to verify that the clientKey is in the list via derp's verify-clients parameter.

But I don't want to deploy tailscale on derp's nodes, and derp provides the verify-client-url parameter to determine if the clientKey is in the list via HTTP. I want Headscale to support this HTTP interface, so I can set derp's verify-client-url to the Headscale interface.

Description

See https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159.

Derp sent a POST request to verifyClientsURL with the following JSON

{
  "NodePublic": "clientKey",
  "Source": "clientIP"
}

The expected return is

{
    "Allow": true
}

Contribution

• I can write the design doc for this feature
• I can contribute this feature

How can it be implemented?

In Headscale, it could be to provide an HTTP interface that receives an authentication request, checks if the clientKey is in the list of nodes, and returns Allow.

[ohdearaugustin]

I think this would be a useful feature with a clear use case.

[117503445]

I think this would be a useful feature with a clear use case.

I can try to contribute to this feature :)

[kradalby]

Sounds good, but please write up a plan for it before you start coding too much.

[117503445]

Sounds good, but please write up a plan for it before you start coding too much.

see #1957, I think this feature is relatively simple. We can start with a simple implementation and discuss what needs to be improved.