HTTP reverse proxy for Tailscale
# Tailscale Proxy

tsproxy is an HTTP reverse proxy that configures a Tailscale device for each upstream.

This command exposes the backend at `http://my-app` and `https://my-app.<tailnet-name>.ts.net`:

`tsproxy --upstream=my-app=http://127.0.0.1:8000`

**NOTE:** [MagicDNS](https://tailscale.com/kb/1081/magicdns/) must be enabled.

Repeat the `--upstream` flag for each backend.

## Funnel

Backends can be exposed on the public Internet using [Tailscale Funnel](https://tailscale.com/kb/1223/tailscale-funnel/). Use the `funnel` option:

`tsproxy --upstream=my-public-app=http://127.0.0.1:8000;funnel`

## Prometheus

`tsproxy` serves metrics about itself and [Prometheus HTTP Service Discovery](https://prometheus.io/docs/prometheus/latest/http_sd/) targets on the host's two Tailscale IPs.

To add an upstream to service discovery, use the `prometheus` option:

`tsproxy --upstream=my-app=http://127.0.0.1:8000;prometheus`

Then use this Prometheus scrape config:

```yaml
- job_name: tsproxy
  http_sd_configs:
    - url: http://<tsproxy-host>:<tsproxy-port>/sd
```

The tsproxy metrics port (flag `--port`) defaults to `32019`. It is automatically registered in service discovery.

## Authentication Headers

The proxy sets the `X-Webauth-User` and `X-Webauth-Name` headers for requests made by users. This works well with [Grafana's Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/).

Requests originating from tagged nodes (this includes Tailscale's Funnel nodes) are proxied as is, without any additional headers.

## Tailscale ACLs

To add the ACL tag `tag:tsnet` to all devices created by tsproxy, create an [Auth key](https://tailscale.com/kb/1085/auth-keys/), then run the process with `TS_AUTH_KEY=<key>`. All upstreams will automatically be tagged.

The tag can then be used as an ACL destination, for example:

```json
"acls": [
  {"action": "accept", "src": ["group:admin"], "dst": ["tag:tsnet:80,443"]},
],
```

To change the ACL tag, update `TS_AUTH_KEY` and set `FORCE_REAUTH=1`.

## systemd

This is the systemd unit I use to run `tsproxy`: <https://gist.github.com/sr/f8b1860cca428b04fc2b0b84ea561348>.
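The `--upstream` value syntax and the `/sd` document from the Prometheus section, as an added Go example that is not tsproxy's own code: it parses `name=url;opt;opt` values, rejecting unknown options and non-http(s) URLs instead of silently ignoring them, and builds the Prometheus HTTP SD response listing the proxy's metrics endpoint plus every `prometheus`-flagged upstream. The `Upstream` type, the `selfHost` and `tailnet` parameters, the `:80` target port and the label names are this example's assumptions, not something the page specifies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Upstream is one parsed --upstream=name=url;opt;opt value. The type and field
// names are this example's own; tsproxy's internal representation is not on the page.
type Upstream struct {
	Name       string
	URL        *url.URL
	Funnel     bool // expose on the public Internet via Tailscale Funnel
	Prometheus bool // list in the /sd service-discovery document
}

// ParseUpstream parses "name=http://host:port;funnel;prometheus". Unknown
// options and non-http(s) schemes are errors rather than silently ignored.
func ParseUpstream(s string) (Upstream, error) {
	name, rest, ok := strings.Cut(s, "=")
	if !ok || name == "" {
		return Upstream{}, fmt.Errorf("upstream %q: expected name=url", s)
	}
	parts := strings.Split(rest, ";")
	u, err := url.Parse(parts[0])
	if err != nil {
		return Upstream{}, fmt.Errorf("upstream %q: %w", s, err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return Upstream{}, fmt.Errorf("upstream %q: url must be http(s)://host[:port]", s)
	}
	up := Upstream{Name: name, URL: u}
	for _, opt := range parts[1:] {
		switch opt {
		case "funnel":
			up.Funnel = true
		case "prometheus":
			up.Prometheus = true
		case "":
			// tolerate a trailing ';'
		default:
			return Upstream{}, fmt.Errorf("upstream %q: unknown option %q", s, opt)
		}
	}
	return up, nil
}

// SDTarget is one element of a Prometheus HTTP SD response
// (https://prometheus.io/docs/prometheus/latest/http_sd/).
type SDTarget struct {
	Targets []string          `json:"targets"`
	Labels  map[string]string `json:"labels,omitempty"`
}

// ServiceDiscovery builds the document served at /sd: the proxy's own metrics
// endpoint (selfHost is an assumed parameter standing in for whichever Tailscale
// IP tsproxy listens on) plus every upstream carrying the prometheus option,
// addressed by the MagicDNS name of the device created for it.
func ServiceDiscovery(ups []Upstream, selfHost, tailnet string, metricsPort int) []SDTarget {
	out := []SDTarget{{
		Targets: []string{fmt.Sprintf("%s:%d", selfHost, metricsPort)},
		Labels:  map[string]string{"service": "tsproxy"},
	}}
	for _, up := range ups {
		if !up.Prometheus {
			continue
		}
		out = append(out, SDTarget{
			Targets: []string{fmt.Sprintf("%s.%s.ts.net:80", up.Name, tailnet)},
			Labels:  map[string]string{"upstream": up.Name},
		})
	}
	return out
}

func main() {
	// Constructed flag values, as they would appear on the tsproxy command line.
	var ups []Upstream
	for _, v := range []string{
		"my-app=http://127.0.0.1:8000;prometheus",
		"my-public-app=http://127.0.0.1:8001;funnel",
	} {
		up, err := ParseUpstream(v)
		if err != nil {
			panic(err)
		}
		ups = append(ups, up)
	}
	b, _ := json.MarshalIndent(ServiceDiscovery(ups, "100.64.0.1", "example", 32019), "", "  ")
	fmt.Println(string(b))
}
```

Rejecting unknown options matters operationally: a typo such as `;funel` would otherwise leave a backend private when the operator believed it was public, or vice versa, and a scrape-config mismatch is easier to find at startup than from a missing target.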
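The header behaviour of the Authentication Headers section, as an added Go example that is not tsproxy's code: a reverse proxy that strips any `X-Webauth-*` header a client sent before setting its own for user requests, and forwards tagged-node requests without them. An upstream configured for auth-proxy login trusts these headers completely, so it must be reachable only through the proxy and the proxy must never pass client-supplied copies through; that stripping step is the point of the example. `Identity`, `WhoIsFunc`, `demoWhoIs` and the `100.64.0.x` addresses are constructed stand-ins for the tailnet WhoIs lookup, and `handlerTransport` is there only so the example runs without sockets.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is what the proxy learns about a caller from the tailnet. In tsproxy
// this would come from a tsnet WhoIs lookup on the peer address; the shape here
// is an assumed simplification so the example runs without Tailscale.
type Identity struct {
	LoginName   string // e.g. alice@example.com
	DisplayName string // e.g. Alice Example
	Tagged      bool   // tagged node (shared service, Funnel ingress), not a user
}

// WhoIsFunc resolves a peer "ip:port" to an Identity.
type WhoIsFunc func(remoteAddr string) (Identity, error)

// NewAuthHeaderProxy reverse-proxies to upstream. Every X-Webauth-* header that
// arrived on the wire is dropped first, whoever sent it, so the upstream only
// sees values the proxy derived itself; they are then set for user requests and
// left absent for tagged nodes. rt may be nil for the default transport.
func NewAuthHeaderProxy(upstream *url.URL, whois WhoIsFunc, rt http.RoundTripper) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	if rt != nil {
		rp.Transport = rt
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name := range r.Header {
			// Delete by exact key rather than Header.Del, so non-canonical
			// spellings such as "x-webauth-user" are removed as well.
			if strings.HasPrefix(strings.ToLower(name), "x-webauth-") {
				delete(r.Header, name)
			}
		}
		id, err := whois(r.RemoteAddr)
		if err != nil {
			http.Error(w, "unknown peer", http.StatusForbidden)
			return
		}
		if !id.Tagged {
			r.Header.Set("X-Webauth-User", id.LoginName)
			r.Header.Set("X-Webauth-Name", id.DisplayName)
		}
		rp.ServeHTTP(w, r)
	})
}

// handlerTransport hands proxied requests to an in-process handler (no sockets).
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// echoBackend is a constructed upstream that reports the identity headers it
// received, which is exactly what an auth-proxy consumer such as Grafana reads.
func echoBackend() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "user=%q name=%q", r.Header.Get("X-Webauth-User"), r.Header.Get("X-Webauth-Name"))
	})
}

// demoWhoIs is a constructed lookup table standing in for the tailnet.
func demoWhoIs(remoteAddr string) (Identity, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return Identity{}, err
	}
	switch host {
	case "100.64.0.10":
		return Identity{LoginName: "alice@example.com", DisplayName: "Alice Example"}, nil
	case "100.64.0.20":
		return Identity{Tagged: true}, nil
	}
	return Identity{}, fmt.Errorf("no tailnet identity for %s", host)
}

// NewDemoProxy wires the pieces together for a fixed, constructed upstream URL.
func NewDemoProxy() http.Handler {
	u, _ := url.Parse("http://127.0.0.1:8000")
	return NewAuthHeaderProxy(u, demoWhoIs, handlerTransport{echoBackend()})
}

// Send pushes one request through the proxy as seen from remoteAddr, carrying any
// client-supplied headers, and returns the status plus what the backend saw.
func Send(proxy http.Handler, remoteAddr string, clientHeaders http.Header) (int, string) {
	req := httptest.NewRequest("GET", "/", nil)
	req.RemoteAddr = remoteAddr
	for k, v := range clientHeaders {
		req.Header[k] = v
	}
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}
```

Calling `Send(NewDemoProxy(), "100.64.0.10:40000", spoof)` with `spoof` containing a forged `X-Webauth-User` yields `user="alice@example.com" name="Alice Example"`: the forged value never reaches the backend. The same request from the tagged `100.64.0.20` yields empty headers, and an address the tailnet cannot identify is refused with 403 rather than forwarded anonymously.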