  • Stars: 238
  • Rank: 163,064 (Top 4 %)
  • Language: Go
  • License: Apache License 2.0
  • Created over 1 year ago
  • Updated about 1 month ago


Repository Details

A highly experimental exploration of integrating Tailscale and Caddy.

Tailscale Caddy plugin

status: experimental

The Tailscale Caddy plugin brings Tailscale integration to the Caddy web server. It's really multiple plugins in one, providing:

  • the ability for a Caddy server to directly join your Tailscale network without needing a separate Tailscale client.
  • a Caddy authentication provider, so that you can pass a user's Tailscale identity to an application.
  • a Caddy subcommand to quickly set up a reverse proxy using either or both of the network listener and the authentication provider.

This plugin is still very experimental.

Installation

Use xcaddy to build Caddy with the Tailscale plugin included.

xcaddy build master --with github.com/tailscale/caddy-tailscale

Caddy network listener

New in Caddy 2.6, modules are able to provide custom network listeners. This allows your Caddy server to directly join your Tailscale network without needing a separate Tailscale client running on the machine and exposing a network device. Each site can be configured in Caddy to join your network as a separate node, or you can have multiple sites listening on different ports of a single node.

Configuration

Configure Caddy to listen on a special "tailscale" network address. If using a Caddyfile, use the bind directive:

:80 {
    bind tailscale/
}

You can also specify a hostname to use for the Tailscale node:

:80 {
    bind tailscale/myhost
}

If using the Caddy JSON configuration, specify a "tailscale/" network in your listen address:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            "tailscale/myhost:80"
          ]
        }
      }
    }
  }
}

Caddy will join your Tailscale network and listen only on that network interface. Multiple addresses can be specified if you want to listen on the Tailscale address as well as a local address:

:80 {
  bind tailscale/myhost localhost
}

Different sites can be configured to join the network as different nodes:

:80 {
  bind tailscale/a
}

:80 {
  bind tailscale/b
}

However, having a single Caddy site connect to separate Tailscale nodes doesn't quite work correctly. If this is something you actually need, please open an issue.

HTTPS support

At this time, the Tailscale plugin for Caddy doesn't support using Caddy's native HTTPS resolvers. You will need to use the tailscale+tls bind protocol with a configuration like this:

{
    order tailscale_auth after basicauth
    auto_https off
}

:443 {
    bind tailscale+tls/myhost
}

Please note that because you currently need to turn auto_https support off, it is not advised to use the same instance of Caddy for your external-facing apps as you use for your internal-facing apps. This deficiency will be resolved as soon as possible.

Authenticating to the Tailscale network

New nodes can be added to your Tailscale network by providing an Auth key or by following a special URL. Auth keys are provided to Caddy via the TS_AUTHKEY or TS_AUTHKEY_<HOST> environment variable. So if your network listener was tailscale/myhost, then it would look first for the TS_AUTHKEY_MYHOST environment variable, then TS_AUTHKEY.

If no auth key is provided, then Tailscale will generate a URL that can be used to add the new node and print it to the Caddy log. Tailscale logs can be somewhat noisy, so they are turned off by default. Set TS_VERBOSE=1 to see the URL logged. After the node has been added to your network, you can restart Caddy without TS_VERBOSE set.
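The listen-address forms used above (tailscale/, tailscale/myhost, tailscale+tls/myhost, tailscale/myhost:80) and the auth-key lookup order (TS_AUTHKEY_<HOST> first, then TS_AUTHKEY) can be exercised with the following Go program. It is an added example, not code from the caddy-tailscale plugin: ParseListenAddr, AuthKeyEnvNames and ResolveAuthKey are this example's own names, the sample environment is constructed with placeholder key values, and upper-casing the host to derive TS_AUTHKEY_<HOST> is inferred from the myhost → TS_AUTHKEY_MYHOST example above (how the plugin treats hostnames with other characters is not stated here).

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ListenAddr is the parsed form of a Caddy listen address such as
// "tailscale/myhost:80" or "tailscale+tls/myhost" (added example; this is
// not the plugin's own type).
type ListenAddr struct {
	Network string // "tailscale", "tailscale+tls", or "" for a plain address
	Host    string // Tailscale node name; empty lets the plugin choose one
	Port    int    // 0 when the address carries no port
	TLS     bool   // true for the tailscale+tls bind protocol
}

// ParseListenAddr splits "network/host:port" into its parts. Only the shapes
// shown in the README are accepted; any other "network/" prefix is an error.
func ParseListenAddr(s string) (ListenAddr, error) {
	var a ListenAddr
	rest := s
	if i := strings.Index(s, "/"); i >= 0 {
		a.Network, rest = s[:i], s[i+1:]
		switch a.Network {
		case "tailscale":
		case "tailscale+tls":
			a.TLS = true
		default:
			return ListenAddr{}, fmt.Errorf("unsupported network %q in %q", a.Network, s)
		}
	}
	if !strings.Contains(rest, ":") {
		a.Host = rest // host only, e.g. "tailscale/myhost" or "tailscale/"
		return a, nil
	}
	host, portStr, err := net.SplitHostPort(rest) // also handles "[::1]:80"
	if err != nil {
		return ListenAddr{}, fmt.Errorf("bad host:port %q in %q: %v", rest, s, err)
	}
	p, err := strconv.Atoi(portStr)
	if err != nil || p < 1 || p > 65535 {
		return ListenAddr{}, fmt.Errorf("bad port %q in %q", portStr, s)
	}
	a.Host, a.Port = host, p
	return a, nil
}

// AuthKeyEnvNames returns the variables consulted for a node, most specific
// first. Upper-casing the host is inferred from the README's myhost ->
// TS_AUTHKEY_MYHOST example; behaviour for other characters is an assumption.
func AuthKeyEnvNames(host string) []string {
	if host == "" {
		return []string{"TS_AUTHKEY"}
	}
	return []string{"TS_AUTHKEY_" + strings.ToUpper(host), "TS_AUTHKEY"}
}

// ResolveAuthKey returns the first non-empty value among those names. env is
// a map standing in for os.Environ so the lookup can be tested offline.
// ok == false means the node must be authorised via the login URL that
// Tailscale logs instead.
func ResolveAuthKey(host string, env map[string]string) (key string, ok bool) {
	for _, name := range AuthKeyEnvNames(host) {
		if v := env[name]; v != "" {
			return v, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample environment; the key values are placeholders.
	env := map[string]string{
		"TS_AUTHKEY":        "tskey-auth-PLACEHOLDER-default",
		"TS_AUTHKEY_MYHOST": "tskey-auth-PLACEHOLDER-myhost",
	}
	for _, s := range []string{"tailscale/myhost:80", "tailscale+tls/b", "tailscale/", "localhost:8000"} {
		a, err := ParseListenAddr(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if a.Network == "" {
			fmt.Printf("%-22s plain listener host=%q port=%d (no Tailscale node)\n", s, a.Host, a.Port)
			continue
		}
		key, ok := ResolveAuthKey(a.Host, env)
		fmt.Printf("%-22s network=%q host=%q port=%d tls=%v authkey=%q found=%v\n",
			s, a.Network, a.Host, a.Port, a.TLS, key, ok)
	}
}
```

Running it shows that tailscale/myhost:80 picks up the host-specific key, tailscale+tls/b falls back to TS_AUTHKEY because TS_AUTHKEY_B is unset, and a bare tailscale/ only ever consults TS_AUTHKEY.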

Caddy authentication provider

Set up the Tailscale authentication provider with the tailscale_auth directive. The provider will enforce that all requests come from a Tailscale user, and will set various fields on the Caddy user object that can be passed to applications, similar to nginx-auth.

Set the order directive in your global options to instruct Caddy when to process tailscale_auth. For example, in a Caddyfile:

{
  order tailscale_auth after basicauth
}

:80 {
  tailscale_auth
}

The following fields are set on the Caddy user object:

  • user.id: the Tailscale email-ish user ID
  • user.tailscale_login: the username portion of the Tailscale user ID
  • user.tailscale_user: same as user.id
  • user.tailscale_name: the display name of the Tailscale user
  • user.tailscale_profile_picture: the URL of the Tailscale user's profile picture
  • user.tailscale_tailnet: the name of the Tailscale network the user is a member of

These can be mapped to HTTP headers passed to an application using something like the following in your Caddyfile:

header_up X-Webauth-User {http.auth.user.tailscale_login}
header_up X-Webauth-Email {http.auth.user.tailscale_user}
header_up X-Webauth-Name {http.auth.user.tailscale_name}

When used with a Tailscale listener (described above), that Tailscale connection is used to identify the remote user. Otherwise, the authentication provider will attempt to connect to the Tailscale daemon running on the local machine.
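A backend that consumes those headers should only honour them on requests that actually arrived through Caddy; a request that reaches the backend by any other path could carry whatever X-Webauth-* values its sender chose. The following Go program is an added example, not part of the plugin, showing one way to apply that check: the header names are those from the header_up lines above (which belong inside a reverse_proxy block in your Caddyfile), the Identity type, IdentityFromRequest and WhoAmI are this example's own, and the trusted-proxy list assumes Caddy proxies to the backend over loopback, as with --to localhost:8000 in the tailscale-proxy subcommand described below.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// Identity is what the backend learns about the caller from the X-Webauth-*
// headers Caddy adds with header_up (added example; header names follow the
// README, the struct and the trust check are this example's own).
type Identity struct {
	Login string // X-Webauth-User  = {http.auth.user.tailscale_login}
	Email string // X-Webauth-Email = {http.auth.user.tailscale_user}
	Name  string // X-Webauth-Name  = {http.auth.user.tailscale_name}
}

// trustedProxies are the only peer addresses whose identity headers are
// honoured; headers on connections from anywhere else are ignored.
// Assumption: Caddy runs on this host and proxies over loopback.
var trustedProxies = map[string]bool{"127.0.0.1": true, "::1": true}

// IdentityFromRequest returns the asserted identity, or ok == false when the
// request did not come from a trusted proxy or carries no login.
func IdentityFromRequest(r *http.Request) (id Identity, ok bool) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[host] {
		return Identity{}, false
	}
	id = Identity{
		Login: r.Header.Get("X-Webauth-User"),
		Email: r.Header.Get("X-Webauth-Email"),
		Name:  r.Header.Get("X-Webauth-Name"),
	}
	if id.Login == "" {
		return Identity{}, false
	}
	return id, true
}

// WhoAmI greets the authenticated Tailscale user, or answers 401 when no
// trusted identity accompanies the request.
func WhoAmI(w http.ResponseWriter, r *http.Request) {
	id, ok := IdentityFromRequest(r)
	if !ok {
		http.Error(w, "no trusted identity", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s <%s> (login %s)\n", id.Name, id.Email, id.Login)
}

func main() {
	// Bind to loopback only, so the sole route into the app is through Caddy
	// on the same machine, matching "--to localhost:8000" in the README.
	http.HandleFunc("/", WhoAmI)
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", nil))
}
```

Binding the backend to loopback and checking the peer address are two halves of the same control: the first keeps remote clients from reaching the app directly, the second makes sure a local process that is not Caddy cannot assert an identity either.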

tailscale-proxy subcommand

The Tailscale Caddy plugin also includes a tailscale-proxy subcommand that sets up a simple reverse proxy that can optionally join your Tailscale network, and will enforce Tailscale authentication and map user values to HTTP headers.

For example:

xcaddy tailscale-proxy --from "tailscale/myhost:80" --to localhost:8000
