How can we provide access of a specific url to a group in ACL. if I don’t have the IP address.
i want to do something like this …
// Role-based groups of users.
"groups": {
"group:cs": [
],
"group:dev": [
"jhon.doe@xyz.com"
],
},
"acls": [
// the cs group can only access this url specificustomurl.com.
{
"action": "accept",
"src": ["group:cs"],
"dst": [
"specificustomurl.com:443"
],
},
dst cannot be used for domains (i.e. anything that would need to be resolved via DNS).
You can only add hostnames here, which you have to define by specific IPs in a hosts section of the ACLs. So it’s really only static IPs.
Or alternatively, if the host you want to control access to has tailscale installed, then you could tag that host and use the tag to identify it (despite a changing IP).
Example with a hosts section (untested):
// Role-based groups of users.
"groups": {
"group:cs": [
],
"group:dev": [
"jhon.doe@xyz.com"
],
},
"hosts": {
"customhost": "123.123.123.123",
},
"acls": [
// the cs group can only access this IP (as defined by customhost) at port 443.
{
"action": "accept",
"src": ["group:cs"],
"dst": [
"customhost:443"
],
},
To see other valid values for dst, take a look at the tables here: Network access controls (ACLs) · Tailscale