Tailscale authentication in Caddy
This is a plugin for the Caddy web server that enables Tailscale-based authentication. It functions similarly to the default basic_auth Caddyfile directive, except that it asks the local Tailscale daemon about the remote address of each connection to determine whether the connection is coming over a Tailnet and, if so, which user it belongs to. Optionally, the Tailscale-User-{Id,Login,Name} headers are set on the incoming request, which lets the plugin serve as an analogue for forward_auth. The names of these headers can be changed (see below).
Limitations
This module requires the Tailscale daemon to be running on the same machine as the Caddy server. Because the user is identified from the connection's remote address, Caddy also has to be the server that accepts the Tailnet connection directly: if another proxy or load balancer sits in front of it, the remote address Caddy sees is that proxy's, not the Tailnet peer's, and the lookup cannot identify the user.
Example usage
Require all incoming connections to be from within a Tailnet
www.example.com {
tailscale_auth
reverse_proxy localhost:9090
}
Require all incoming connections to be from within a Tailnet, setting headers
www.example.com {
tailscale_auth set_headers
reverse_proxy localhost:9090
}
Remap header names; there can be multiple remap lines in a block, one per header.
www.example.com {
tailscale_auth set_headers {
remap Tailscale-User-Login X-Authentik-Email
}
reverse_proxy localhost:9090
}
Allow only certain users, matched by login (email address). There is currently no way to restrict users by anything other than their login.
www.example.com {
tailscale_auth {
allowed_logins example@gmail.com
}
reverse_proxy localhost:9090
}
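The mechanism described above (identify the TCP peer through the daemon, optionally set or remap the Tailscale-User-* headers, optionally restrict by login) is easy to get subtly wrong, so here is an added, self-contained Go sketch of the same logic. It is written for this page and is not the plugin's own code. The Identity and Auth types, the WhoIsFunc hook and the fakeTailnet table are assumptions: the hook stands in for a WhoIs query against the local daemon (tailscale's client library exposes this as LocalClient.WhoIs), which is not called here so the example runs offline. Two points it makes explicit that the directive summary above does not: the lookup uses the connection's RemoteAddr and never X-Forwarded-For, and any client-supplied copies of the identity headers (under both their canonical and remapped names) are stripped before the upstream sees the request, whether or not set_headers is on.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Identity is the subset of a WhoIs answer used here (an assumed shape, not tailscale's own).
type Identity struct{ ID, Login, Name string }

// WhoIsFunc resolves a remote IP to a Tailnet identity; it stands in for a query to the local daemon.
type WhoIsFunc func(ctx context.Context, ip string) (Identity, error)

// Auth mirrors the directive's options; the field names are this example's, not plugin API.
type Auth struct {
	WhoIs         WhoIsFunc
	SetHeaders    bool              // set_headers
	Remap         map[string]string // remap <canonical> <replacement>
	AllowedLogins map[string]bool   // allowed_logins; empty means any Tailnet user
}
var identityHeaders = []string{"Tailscale-User-Id", "Tailscale-User-Login", "Tailscale-User-Name"}

// headerName applies a remap entry, if any, to a canonical header name.
func (a Auth) headerName(canonical string) string {
	if n, ok := a.Remap[canonical]; ok {
		return n
	}
	return canonical
}

// Authenticate resolves the TCP peer of r and applies the allow list. It reads only r.RemoteAddr:
// X-Forwarded-For is client-controlled, the peer address is not.
func (a Auth) Authenticate(r *http.Request) (Identity, int) {
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return Identity{}, http.StatusForbidden // unparseable peer address: fail closed
	}
	id, err := a.WhoIs(r.Context(), ip)
	if err != nil {
		return Identity{}, http.StatusForbidden // not a Tailnet peer
	}
	if len(a.AllowedLogins) > 0 && !a.AllowedLogins[id.Login] {
		return Identity{}, http.StatusForbidden // on the Tailnet, but not in allowed_logins
	}
	return id, http.StatusOK
}

// Wrap enforces Authenticate before next and takes ownership of the identity headers.
func (a Auth) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Strip client-supplied copies (canonical and remapped names) so the upstream
		// only ever sees values set here, even when set_headers is off.
		for _, h := range identityHeaders {
			r.Header.Del(h)
			r.Header.Del(a.headerName(h))
		}
		id, status := a.Authenticate(r)
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		if a.SetHeaders {
			r.Header.Set(a.headerName("Tailscale-User-Id"), id.ID)
			r.Header.Set(a.headerName("Tailscale-User-Login"), id.Login)
			r.Header.Set(a.headerName("Tailscale-User-Name"), id.Name)
		}
		next.ServeHTTP(w, r)
	})
}

// fakeTailnet is a constructed stand-in for the daemon's view of the Tailnet.
var fakeTailnet = map[string]Identity{
	"100.64.0.7": {ID: "12345", Login: "example@gmail.com", Name: "Example User"},
	"100.64.0.8": {ID: "67890", Login: "other@example.com", Name: "Other User"},
}

func fakeWhoIs(_ context.Context, ip string) (Identity, error) {
	if id, ok := fakeTailnet[ip]; ok {
		return id, nil
	}
	return Identity{}, fmt.Errorf("%s is not a Tailnet peer", ip)
}

// Probe sends one GET from remoteAddr with extra headers through a; returns status and what the upstream saw.
func Probe(a Auth, remoteAddr string, extra map[string]string) (int, http.Header) {
	var seen http.Header
	upstream := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Clone() })
	req := httptest.NewRequest(http.MethodGet, "http://www.example.com/", nil)
	req.RemoteAddr = remoteAddr
	for k, v := range extra {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	a.Wrap(upstream).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	a := Auth{WhoIs: fakeWhoIs, SetHeaders: true, AllowedLogins: map[string]bool{"example@gmail.com": true},
		Remap: map[string]string{"Tailscale-User-Login": "X-Authentik-Email"}}
	code, hdr := Probe(a, "100.64.0.7:51234", map[string]string{"X-Authentik-Email": "admin@example.com"})
	fmt.Println(code, hdr.Get("X-Authentik-Email")) // 200 example@gmail.com: the spoofed value is replaced
	code, _ = Probe(a, "203.0.113.5:443", nil)
	fmt.Println(code) // 403: not a Tailnet peer
}
```

The Auth value in main corresponds to the last two Caddyfile blocks combined (set_headers with a remap of Tailscale-User-Login, plus allowed_logins). A request from a non-Tailnet address, or from a Tailnet user not in the allow list, gets 403 and never reaches the upstream; a request that carries its own X-Authentik-Email or Tailscale-User-Id header has those values discarded before the real ones are set.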