HTTPS Tailscale Authentication?

Is it possible to authenticate a user based on Tailscale? Can Serve add the tailscale username to the HTTP headers or something for a proxy to rewrite to an access key based on the user?

My dream is that tailscale users would connect anonymously but since the Tailscale client already is authenticating the connection based on ACL, the proxy could attach the relevant key for the web service to present them their account.

E.g. if you connected to plex you could proxy the username and password automatically based on tailscale user without logging in.

Wait, are tailscale IPs stable to a specific user? Or could someone log out of someone logged in as an administrator and reauthenticate using their personal credentials and the IP remain static? Is that a danger or would killing the tailscale service and restarting with lesser credentials rewrite the IP address? In which case the HTTPS RESTful interface updating on a new unknown IP would be sufficient and wouldn’t require every packet to be inspected.
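Added illustration (not code from any poster here) of the header-based idea in the question: a minimal backend that maps the Tailscale-User-Login header, which Tailscale Serve adds when proxying to a local service, to a per-user service key, and that trusts the header only when the request arrived from the Serve proxy on loopback, since anyone reaching the backend directly could write that header themselves. The login-to-key table and the port are constructed for the example; that Serve reaches the backend from 127.0.0.1 on the same node is an assumption.

```python
# Added example: trust Tailscale Serve identity headers only behind the proxy,
# then look up a per-user service credential. Not Tailscale's own code.
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address

# Identity header that Tailscale Serve injects when proxying to a local backend.
TS_LOGIN_HEADER = "Tailscale-User-Login"

# Constructed sample mapping: tailnet login -> service access key (hypothetical).
USER_KEYS = {
    "alice@example.com": "svc-key-alice-CONSTRUCTED",
    "bob@example.com": "svc-key-bob-CONSTRUCTED",
}

def resolve_key(headers, remote_addr):
    """Return (http_status, service_key) for one proxied request.

    The header is only meaningful if the request came through the Serve proxy,
    which (assumption) talks to this backend over loopback on the same node.
    A request from any other address bypassed the proxy and gets no identity.
    """
    if not ip_address(remote_addr).is_loopback:
        return 403, None          # direct hit on the backend: header is forgeable
    login = headers.get(TS_LOGIN_HEADER)
    if not login:
        return 401, None          # proxy attached no identity
    key = USER_KEYS.get(login.lower())
    if key is None:
        return 403, None          # valid tailnet user, but no account on this service
    return 200, key

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, key = resolve_key(self.headers, self.client_address[0])
        self.send_response(status)
        self.end_headers()
        if key:
            # Use `key` for the upstream call (e.g. an S3-style Authorization
            # header); never echo it back to the client.
            self.wfile.write(b"authenticated via tailnet identity\n")

if __name__ == "__main__":
    # Bind to loopback only, so the Serve proxy is the sole way in (constructed port).
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Because Tailscale IPs are per node rather than per user, the source address is used here only as a trust-boundary check, never as the identity itself.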

The IPs are static to each tailscale node.

The correct solution to what you want would be to set up OIDC authentication at the site to use the same auth mechanism your users are using to authenticate to Tailscale.

I just saw someone else on here mention this, which may be helpful.

The challenge is that at least in my use case I’m trying to integrate with minio which doesn’t allow direct authentication for the S3 calls with something like Cyberduck as everything has to happen in the headers and can’t go through a web interface for additional authentication.

I’m intrigued by the caddy plugin. It at least might be able to extend it.