wtatum | 3 years ago

Thanks for the quick reply, that helps a lot. In the case where we're not intending to handle Internet traffic on the proxy--only Tailscale--it would still be possible to bind the Nginx listener to only the Tailscale adapter though, right?

I'm imagining a use-case where Tailscale + Nginx is acting kind of like an Azure App Proxy where you want to ensure that all access to the upstream service is validated against the Tailscale ACL. Maybe that's already implicitly the case since the auth_request goes to nginx-auth, so any traffic that isn't coming from a Tailscale IP is going to be denied anyways.

xena|3 years ago

Yes, I think part of my assumption here is that Nginx is already inside a subnet that doesn't allow any non-Tailscale traffic to hit port 80.
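An added example, not part of either comment or of Tailscale's code: a small audit that reads an Nginx configuration and reports which `listen` directives are bound to a Tailscale address and which are open on every interface, so the bind-level restriction discussed above can be checked rather than assumed. The function names and the sample configuration are constructed for illustration; the address ranges are the ones Tailscale assigns to nodes (100.64.0.0/10 and fd7a:115c:a1e0::/48).

```python
import ipaddress
import re

# Ranges Tailscale assigns to nodes: the CGNAT IPv4 block and its IPv6 ULA prefix.
TAILSCALE_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]
# First argument of each uncommented `listen` directive.
LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)[^;]*;", re.MULTILINE)

# Constructed sample configuration (addresses are made up).
SAMPLE = """
server {
    listen 100.101.102.103:80;
    listen [fd7a:115c:a1e0::1]:80;
}
server {
    listen 80;
    listen [::]:443 ssl;
}
"""

def classify(target):
    """Classify the address part of one nginx `listen` value."""
    if target.startswith("unix:"):
        return "unix"
    if target.startswith("["):              # [v6addr] or [v6addr]:port
        host = target[1:target.index("]")]
    elif ":" in target:                     # addr:port
        host = target.rsplit(":", 1)[0]
    elif target.isdigit():                  # bare port binds every interface
        return "wildcard"
    else:
        host = target                       # bare address or hostname
    if host == "*":
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"                   # resolved at startup; review by hand
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "tailscale" if any(ip in n for n in TAILSCALE_NETS) else "other"

def audit(conf_text):
    """Return (listen value, verdict) for every listen directive found."""
    return [(t, classify(t)) for t in LISTEN_RE.findall(conf_text)]

def exposed(conf_text):
    """Listen values reachable from something other than Tailscale, loopback or a unix socket."""
    return [t for t, v in audit(conf_text) if v not in {"tailscale", "loopback", "unix"}]
```

A non-empty result from `exposed()` means the proxy is relying on the surrounding network, as in the reply above, rather than on the bind address to keep non-Tailscale traffic out.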