Tailscale Authentication for Nginx

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • tailscale

    The easiest, most secure way to use WireGuard and 2FA.

  • Yeah, I've been thinking about that too. Something I've been wondering about is tying things to the ACL file through something like "capabilities"[1], but this would probably require a fair bit of per-service hacking. I think it'd be worth it, but it would be a lot of work. The main problem here is that Tailscale ACLs only really have "can connect to port" as the main capability they provide. I think I could end up telling the nginx-auth proxy if the person is a network admin or not (I'm not sure if that capability reliably shows up in whois responses; will need to check); that may be a starting point, but it certainly won't scale.

    [1]: https://github.com/tailscale/tailscale/issues/4217

  • Pomerium

    Pomerium is an identity and context-aware reverse proxy for zero-trust access to web applications and services.

  • You might just want to integrate a policy rules engine like Open Policy Agent: https://www.openpolicyagent.org/ It can act as a server which you bounce a subrequest against to get an authorization answer from a policy you defined ahead of time with a simple language.

    And if you don't have time or want to do that, check out Pomerium; it's basically a forward auth proxy with the OPA policy engine integrated into it already: https://www.pomerium.com/

  • OPA (Open Policy Agent)

    Open Policy Agent (OPA) is an open source, general-purpose policy engine.

  • Caddy

    Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

  • Yep! We have it working here: https://github.com/caddyserver/caddy/pull/4739

    It's a generic setup where you can do _anything_ you want via firing off an HTTP request as a clone of the original, and re-handling the request after getting back the response.

    Big shoutout to the Authelia team for helping out with testing and confirming that it works. Will be merged very soon (today?) and some follow-up work is coming to make the config for it even shorter (some sugar for the common forward_auth use case).

  • tailscale-forward-auth

    A basic example of a Tailscale authentication server for Traefik and other proxies
