top | item 31277812


wtatum | 3 years ago

Fascinating post. I have been reading a lot on Tailscale lately and this kind of application came to mind immediately.

The post briefly mentions that the proxy can be set to listen on a Unix socket instead of a TCP socket. Is that referring only to the subauth socket, or the entire nginx? It seems like the real security value is in the latter, but that would be nginx config, right? Setting it to only accept traffic from Tailscale rather than from :80?


xena | 3 years ago

The subauth socket. I generally suggest people run all their services on Unix sockets as much as possible to prevent accidentally exposing things to the internet unintentionally, however it's not the best idea to run your reverse proxy on a Unix socket unless you have even more cursed things going on :)

wtatum | 3 years ago

Thanks for the quick reply, that helps a lot. In the case where we're not intending to handle Internet traffic on the proxy, only Tailscale, it would still be possible to bind the Nginx listener to only the Tailscale adapter though, right?

I'm imagining a use case where Tailscale + Nginx is acting kind of like an Azure App Proxy where you want to ensure that all access to the upstream service is validated against the Tailscale ACL. Maybe that's already implicitly the case since the auth_request goes to nginx-auth, so any traffic that isn't coming from a Tailscale IP is going to be denied anyway.
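The setup the two comments above are circling, as an added example that is not from the thread or from the nginx-auth project: nginx bound only to the host's tailnet address, with every request checked through auth_request against the subauth Unix socket. The tailnet address 100.64.0.5, the socket path, and the header names are assumptions taken from my recollection of the nginx-auth README, so check them against the project's own docs.

```nginx
# Added example, not the thread's or nginx-auth's own config.
# Assumed: tailnet address 100.64.0.5, nginx-auth socket at
# /var/run/tailscale.nginx-auth.sock, header names as in its README.
server {
    # Bind to the Tailscale interface address only, not 0.0.0.0:80,
    # so the listener is not reachable from any other interface.
    listen 100.64.0.5:80;
    server_name app.example.internal;

    # Defense in depth: if the listen line is ever loosened, only the
    # CGNAT range Tailscale assigns (100.64.0.0/10) gets past this.
    allow 100.64.0.0/10;
    deny all;

    location / {
        # Every request is validated against the tailnet by nginx-auth
        # before it is proxied; non-peers get the subrequest's 403.
        auth_request /auth;
        auth_request_set $auth_user  $upstream_http_tailscale_user;
        auth_request_set $auth_login $upstream_http_tailscale_login;

        proxy_pass http://127.0.0.1:8080;
        # proxy_set_header overwrites any client-supplied copy, so the
        # upstream only ever sees the identity nginx-auth returned.
        proxy_set_header X-Webauth-User  $auth_user;
        proxy_set_header X-Webauth-Login $auth_login;
    }

    location = /auth {
        internal;  # only reachable as a subrequest, never as a URL
        proxy_pass http://unix:/var/run/tailscale.nginx-auth.sock;
        proxy_pass_request_body off;
        proxy_set_header Host         $http_host;
        proxy_set_header Remote-Addr  $remote_addr;
        proxy_set_header Remote-Port  $remote_port;
        proxy_set_header Original-URI $request_uri;
    }
}
```

Binding to a specific address means nginx must start after tailscaled has brought the interface up, otherwise the bind fails; the socket file should also be owned by and readable only to the nginx user, since whoever can write to it can answer auth subrequests.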