Mirror of https://github.com/tailscale/tailscale.git (synced 2025-10-26 13:51:10 +01:00)
			
		
		
		
This conforms to the NGINX subrequest result authentication protocol[1] using the NGINX module `ngx_http_auth_request_module`. This is based on the example that @peterkeen provided on Twitter[2], but with several changes to make things more tightly locked down:

* This listens over a UNIX socket instead of a TCP socket to prevent leakage to the network
* This uses systemd socket activation so that systemd owns the socket and can then lock down the service to the bare minimum required to do its job without having to worry about dropping permissions
* This provides additional information in HTTP response headers that can be useful for integrating with various services
* This has a script to automagically create debian and redhat packages for easier distribution

This will be written about on the Tailscale blog. There is more information in README.md.

[1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
[2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go

Signed-off-by: Xe Iaso <xe@tailscale.com>
		
			
				
	
	
		
9 lines, 185 B, SYSTEMD
		
	
	
	
	
	
			
		
		
	
	
		
	
	
	
	
	
```ini
[Unit]
Description=Tailscale NGINX Authentication socket
PartOf=tailscale.nginx-auth.service

[Socket]
ListenStream=/var/run/tailscale.nginx-auth.sock

[Install]
WantedBy=sockets.target
```
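The service side of the socket activation described in the commit message, as an added example that is not the project's own code: it uses only the Go standard library to perform the `LISTEN_PID` / `LISTEN_FDS` check from sd_listen_fds(3) and then serves HTTP on the inherited UNIX socket. The function name `activationFDs` and the deny-everything handler are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
)

// firstFD is SD_LISTEN_FDS_START: systemd passes sockets starting at fd 3.
const firstFD = 3

// activationFDs (hypothetical helper) implements the LISTEN_PID / LISTEN_FDS
// check from sd_listen_fds(3). getenv is injected so the logic is testable.
func activationFDs(pid int, getenv func(string) string) ([]uintptr, error) {
	if p, err := strconv.Atoi(getenv("LISTEN_PID")); err != nil || p != pid {
		return nil, errors.New("not socket-activated: LISTEN_PID does not name this process")
	}
	n, err := strconv.Atoi(getenv("LISTEN_FDS"))
	if err != nil || n < 1 {
		return nil, errors.New("not socket-activated: LISTEN_FDS missing or invalid")
	}
	fds := make([]uintptr, n)
	for i := range fds {
		fds[i] = uintptr(firstFD + i)
	}
	return fds, nil
}

func main() {
	fds, err := activationFDs(os.Getpid(), os.Getenv)
	if err != nil {
		// Do not fall back to opening a TCP port; the socket unit owns the listener.
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ln, err := net.FileListener(os.NewFile(fds[0], "tailscale.nginx-auth.sock"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Placeholder handler (assumption): an auth_request backend answers 2xx
	// to allow a request and 401 or 403 to deny it. This one denies everything.
	http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
	}))
}
```

Because the process never creates the socket itself, the service unit can run it without the permissions needed to bind or to write under the socket's directory.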