path: root/cmd/nginx-auth
Age | Commit message | Author | Files | Lines
2023-03-13 | tailcfg,all: add and use Node.IsTagged() | Maisem Ali | 1 | -1/+1
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-02-25 | cmd/nginx-auth: build for arm64 | Denton Gentry | 1 | -25/+26
Fixes https://github.com/tailscale/tailscale/issues/6978
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2023-01-27 | all: update copyright and license headers | Will Norris | 1 | -3/+2
This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes.
Updates #6865
Signed-off-by: Will Norris <will@tailscale.com>
2023-01-25 | cmd/nginx-auth: update Expected-Tailnet documentation (#6055) | Xe Iaso | 1 | -1/+3
Signed-off-by: Xe Iaso <xe@tailscale.com>
2022-10-25 | cmd/nginx-auth: add experimental status badge to README | Will Norris | 1 | -0/+2
2022-10-25 | cmd/nginx-auth: increment version. [nginx-auth-0.1.2] | Denton Gentry | 1 | -1/+1
We need a new release to handle TCD changes after MagicDNS GA
Updates https://github.com/tailscale/tailscale/issues/6048
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-08-31 | cmd/nginx-auth/nginx-auth: update auth to allow for new domains | nyghtowl | 1 | -6/+1
With MagicDNS GA, we are giving every tailnet a tailnet-<hex>.ts.net name. We will only parse out if legacy domains include beta.tailscale.net; otherwise, set tailnet to the full domain format going forward.
Signed-off-by: nyghtowl <warrick@tailscale.com>
2022-08-24 | cmd/nginx-auth: allow use of shared nodes | Will Norris | 1 | -11/+18
When sharing nodes, the name of the sharee node is not exposed (instead it is hardcoded to "device-of-shared-to-user"), which means that we can't determine the tailnet of that node. Don't immediately fail when that happens, since it only matters if "Expected-Tailnet" is used.
Signed-off-by: Will Norris <will@tailscale.com>
2022-04-20 | cmd/nginx-auth: maintainer scripts and tailnet checking (#4460) | Xe Iaso | 9 | -11/+107
* cmd/nginx-auth: add maintainer scripts
  Signed-off-by: Xe <xe@tailscale.com>
* cmd/nginx-auth: add Expected-Tailnet header and documentation
  Signed-off-by: Xe <xe@tailscale.com>
2022-04-14 | cmd/nginx-auth: create new Tailscale NGINX auth service (#4400) | Xe Iaso | 6 | -0/+302
This conforms to the NGINX subrequest result authentication protocol[1] using the NGINX module `ngx_http_auth_request_module`. This is based on the example that @peterkeen provided on Twitter[2], but with several changes to make things more tightly locked down:
* This listens over a UNIX socket instead of a TCP socket to prevent leakage to the network
* This uses systemd socket activation so that systemd owns the socket and can then lock down the service to the bare minimum required to do its job without having to worry about dropping permissions
* This provides additional information in HTTP response headers that can be useful for integrating with various services
* This has a script to automagically create debian and redhat packages for easier distribution
This will be written about on the Tailscale blog. There is more information in README.md.
[1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
[2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go
Signed-off-by: Xe Iaso <xe@tailscale.com>