https://github.com/sr/tsproxy

# Tailscale Proxy

tsproxy is an HTTP reverse proxy that configures a Tailscale device for each upstream.

This command exposes the backend at `http://my-app` and `https://my-app..ts.net`:

`tsproxy --upstream=my-app=http://127.0.0.1:8000`

**NOTE:** [MagicDNS](https://tailscale.com/kb/1081/magicdns/) must be enabled.

Repeat the `--upstream` flag once for each backend.

## Funnel

Backends can be exposed on the public Internet using [Tailscale Funnel](https://tailscale.com/kb/1223/tailscale-funnel/). Use the `funnel` option:

`tsproxy --upstream=my-public-app=http://127.0.0.1:8000;funnel`

## Prometheus

`tsproxy` serves metrics about itself, plus [Prometheus HTTP Service Discovery](https://prometheus.io/docs/prometheus/latest/http_sd/) targets, on both of the host's Tailscale IPs.

To add an upstream to service discovery, use the `prometheus` option:

`tsproxy --upstream=my-app=http://127.0.0.1:8000;prometheus`

Then use this Prometheus scrape config:

```yaml
- job_name: tsproxy
  http_sd_configs:
    - url: http://:/sd
```

The tsproxy metrics port (flag `--port`) defaults to `32019`. It's automatically registered in service discovery.
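The `--upstream` value grammar used throughout this README (`name=url;option;option`) and the HTTP SD response the `/sd` endpoint has to produce are the two pieces a reader most often has to reconstruct. The following Go program is an added example, not tsproxy's own code: it parses upstream flags, rejecting unknown options so a typo cannot silently change how a backend is exposed, and builds the JSON document Prometheus HTTP SD expects (a list of `targets` with `labels`), always including the proxy's own metrics listener on the default port 32019. The `Upstream` and `SDTarget` types, the `tsproxy` host name, scraping upstreams on port `80` of their MagicDNS name, and the `job` label are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Upstream is one parsed --upstream flag value. The "name=url;opt;opt"
// syntax follows the README; the type and field names are this example's own.
type Upstream struct {
	Name       string
	Target     *url.URL
	Funnel     bool // expose on the public Internet via Tailscale Funnel
	Prometheus bool // register in Prometheus HTTP service discovery
}

// ParseUpstream parses "name=http://host:port;funnel;prometheus".
// Malformed values and unknown options are errors rather than ignored.
func ParseUpstream(flag string) (Upstream, error) {
	name, rest, ok := strings.Cut(flag, "=")
	if !ok || name == "" {
		return Upstream{}, fmt.Errorf("upstream %q: want name=url[;options]", flag)
	}
	parts := strings.Split(rest, ";")
	target, err := url.Parse(parts[0])
	if err != nil || (target.Scheme != "http" && target.Scheme != "https") || target.Host == "" {
		return Upstream{}, fmt.Errorf("upstream %q: invalid backend URL %q", name, parts[0])
	}
	u := Upstream{Name: name, Target: target}
	for _, opt := range parts[1:] {
		switch strings.TrimSpace(opt) {
		case "funnel":
			u.Funnel = true
		case "prometheus":
			u.Prometheus = true
		case "":
			// tolerate a trailing ';'
		default:
			return Upstream{}, fmt.Errorf("upstream %q: unknown option %q", name, opt)
		}
	}
	return u, nil
}

// SDTarget is one entry of a Prometheus HTTP SD response: a list of
// "host:port" targets plus labels attached to the series scraped from them.
type SDTarget struct {
	Targets []string          `json:"targets"`
	Labels  map[string]string `json:"labels,omitempty"`
}

// ServiceDiscovery builds the body an /sd endpoint would return. Only
// upstreams marked "prometheus" are listed; tsproxy's own metrics listener
// (proxyHost:proxyPort, default port 32019) is always the first entry.
// Addressing upstreams as "<name>:80" is an assumption of this example.
func ServiceDiscovery(proxyHost string, proxyPort int, ups []Upstream) []SDTarget {
	out := []SDTarget{{
		Targets: []string{fmt.Sprintf("%s:%d", proxyHost, proxyPort)},
		Labels:  map[string]string{"job": "tsproxy"},
	}}
	for _, u := range ups {
		if !u.Prometheus {
			continue
		}
		out = append(out, SDTarget{
			Targets: []string{u.Name + ":80"},
			Labels:  map[string]string{"job": u.Name},
		})
	}
	return out
}

func main() {
	// Constructed flag values mirroring the README's examples.
	flags := []string{
		"my-app=http://127.0.0.1:8000;prometheus",
		"my-public-app=http://127.0.0.1:8001;funnel",
	}
	var ups []Upstream
	for _, f := range flags {
		u, err := ParseUpstream(f)
		if err != nil {
			panic(err)
		}
		ups = append(ups, u)
	}
	b, _ := json.MarshalIndent(ServiceDiscovery("tsproxy", 32019, ups), "", "  ")
	fmt.Println(string(b))
}
```

Running it prints two SD entries: the proxy itself on `tsproxy:32019` and `my-app:80`; `my-public-app` is absent because it lacks the `prometheus` option.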

## Authentication Headers

The proxy sets the `X-Webauth-User` and `X-Webauth-Name` headers for requests made by users. This works well with [Grafana's Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/).

Requests originating from tagged nodes (this includes Tailscale Funnel ingress nodes) are proxied as-is, without these headers.
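The security property that matters for an auth-proxy consumer such as Grafana is that `X-Webauth-User` and `X-Webauth-Name` reflect only the authenticated Tailscale identity. The Go middleware below is an added example, not tsproxy's own code: it sets the two headers for requests from users, passes requests from tagged nodes through without them, as the README describes, and additionally deletes any copies of those headers the client sent (a hardening step this example adds, so a caller cannot impersonate another user). The `Identity` type, the injected `WhoIs` lookup and the `peers` table keyed by remote address are this example's stand-ins for a real Tailscale WhoIs query.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Identity is what a WhoIs-style lookup on the Tailscale connection yields.
// The type and the lookup function are this example's assumptions.
type Identity struct {
	LoginName   string // e.g. "alice@example.com"
	DisplayName string // e.g. "Alice Example"
	Tagged      bool   // true for tagged nodes, including Funnel ingress
}

// WhoIs resolves the peer identity of a request. A real tsnet service
// would ask the Tailscale local client; here the lookup is injected.
type WhoIs func(r *http.Request) (Identity, bool)

// AuthHeaders makes X-Webauth-User / X-Webauth-Name reflect the
// authenticated user and nothing else: client-supplied copies are dropped
// first, then the headers are set only for requests from (untagged) users.
func AuthHeaders(whois WhoIs, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("X-Webauth-User")
		r.Header.Del("X-Webauth-Name")
		id, ok := whois(r)
		if !ok {
			http.Error(w, "unknown peer", http.StatusForbidden)
			return
		}
		if !id.Tagged {
			r.Header.Set("X-Webauth-User", id.LoginName)
			r.Header.Set("X-Webauth-Name", id.DisplayName)
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed peer table standing in for WhoIs, keyed by RemoteAddr.
var peers = map[string]Identity{
	"100.64.0.10:5000": {LoginName: "alice@example.com", DisplayName: "Alice Example"},
	"100.64.0.99:5000": {Tagged: true},
}

func lookup(r *http.Request) (Identity, bool) {
	id, ok := peers[r.RemoteAddr]
	return id, ok
}

// HeadersSeenByBackend sends one request from remoteAddr, carrying any
// spoofed headers, through the middleware and a reverse proxy to an
// in-process backend, and reports the auth headers the backend received.
func HeadersSeenByBackend(remoteAddr string, spoofed map[string]string) (user, name string, status int) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user = r.Header.Get("X-Webauth-User")
		name = r.Header.Get("X-Webauth-Name")
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	h := AuthHeaders(lookup, httputil.NewSingleHostReverseProxy(target))

	req := httptest.NewRequest("GET", "http://my-app/", nil)
	req.RemoteAddr = remoteAddr
	for k, v := range spoofed {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return user, name, rec.Code
}

func main() {
	spoof := map[string]string{"X-Webauth-User": "bob@example.com"}
	u, n, code := HeadersSeenByBackend("100.64.0.10:5000", spoof)
	fmt.Printf("user node:   %d user=%q name=%q\n", code, u, n)
	u, n, code = HeadersSeenByBackend("100.64.0.99:5000", spoof)
	fmt.Printf("tagged node: %d user=%q name=%q\n", code, u, n)
}
```

The spoofed `X-Webauth-User: bob@example.com` never reaches the backend: the user request arrives as `alice@example.com`, and the tagged-node request arrives with no auth headers at all.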

## Tailscale ACLs

To add the ACL tag `tag:tsnet` to every device created by tsproxy, create an [Auth key](https://tailscale.com/kb/1085/auth-keys/) for that tag, then run the process with `TS_AUTH_KEY=`. All upstreams are then tagged automatically.

The tag can then be used as an ACL destination covering every upstream at once:

```json
"acls": [
{"action": "accept", "src": ["group:admin"], "dst": ["tag:tsnet:80,443"]},
],
```

To change the ACL tag, update `TS_AUTH_KEY` and set `FORCE_REAUTH=1`.

## systemd

This is the systemd unit I use to run `tsproxy`: .