Tailscale for authentication

Hi :wave:,

We currently have a setup where a Caddy reverse proxy that also runs Tailscale points to an internal application. When people want to use this internal app, they just activate Tailscale, go to the URL and use it. Since the reverse proxy knows who a connecting user is, is there a safe way to use this information to authorize what actions users can perform?

Take a look at forward_auth (Caddyfile directive) in the Caddy documentation, which shows how to use the Tailscale NGINX auth tool with Caddy.

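As an added example (not from the original thread or the Caddy/Tailscale docs themselves), here is a Caddyfile in the spirit of the linked documentation: every request is first checked against tailscale.nginx-auth over its Unix socket, and the identity it returns is then used to gate write actions. The hostname, socket path, upstream address and the allowed login are assumptions.

```caddyfile
# Assumed hostname for the internal app (example value)
app.example.internal {
    # Ask tailscale.nginx-auth who the caller is. It answers 200 with
    # Tailscale-* headers for tailnet peers, or 401/403 otherwise, in which
    # case Caddy stops here and the upstream never sees the request.
    # Socket path is assumed; it must match --sockpath of tailscale.nginx-auth.
    forward_auth unix//run/tailscale.nginx-auth.sock {
        uri /auth
        # nginx-auth identifies the peer by the connecting Tailscale IP/port,
        # so Caddy must be the node the client talks to directly.
        header_up Remote-Addr {remote_host}
        header_up Remote-Port {remote_port}
        header_up Original-URI {uri}
        # Copy the verified identity onto the request. These replace anything
        # the client sent under the same names, so the app can trust them.
        copy_headers {
            Tailscale-User>X-Webauth-User
            Tailscale-Name>X-Webauth-Name
            Tailscale-Login>X-Webauth-Login
            Tailscale-Tailnet>X-Webauth-Tailnet
        }
    }

    # Authorization: everyone on the tailnet may read, but only the assumed
    # admin login may perform state-changing requests under /admin/.
    @admin_write {
        path /admin/*
        method POST PUT PATCH DELETE
        not header X-Webauth-Login admin@example.com
    }
    respond @admin_write "Forbidden" 403

    # Assumed upstream; the app reads X-Webauth-* instead of doing its own login
    reverse_proxy localhost:8080
}
```

Keep the upstream reachable only via Caddy (for example, bound to localhost or an internal Docker network); if a client could reach it directly, it could set X-Webauth-* headers itself.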

Thanks! That is exactly what I am looking for, any idea how I can enable this in a docker container since I don’t have access to systemctl?

I know this is an old thread but it’s showing up at the top of Google results and I’m running into the same issue with systemctl. I’m trying to find a good way to run this in a docker container where nginx or caddy are the main service running.

I am digging into the nginx-auth, service, and socket code to try to match it up with one of the alternative methods for running multiple services in docker, so I’ll update here when I find a solution. It’s not quite as simple as running a binary since there’s the go script and the socket.

Any suggestions would be much appreciated.

Still testing this out, but nginx-auth uses the --sockpath flag to listen on a socket: /usr/sbin/tailscale.nginx-auth --sockpath /var/run/tailscale.nginx-auth.sock.