by mbreese 1503 days ago
I’m a big fan of using subrequest authentication with nginx. I’ve been using it for years, but in my case, it uses plain http-auth to get the credentials from the user (with an ldap backend).

For this implementation, how does the request work for the user? Is it http-auth, or some other SSO web login form?

1 comment

It's transparent. The user is already authenticated to the tailnet by dint of having a tailscale IP. This implementation asks the local tailscale daemon for who the request's IP belongs to and just passes that back up to nginx. It does some filtering to make sure it's an actual user instead of a service machine (i.e. does the IP have tags or not, basically) but otherwise leans entirely on Tailscale's ACLs.
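The flow described in the reply above, as an added Go example that is neither the project's own code nor part of the original thread: nginx issues an `auth_request` subrequest, a small local handler resolves the client's tailnet IP to an identity, rejects tagged (service) nodes, and hands the user's login back to nginx in a response header. Everything tailnet-specific is an assumption here: the `WhoIs` struct stands in for whatever the local tailscaled returns (in a real deployment it would be filled from the daemon's whois lookup), the `Remote-Addr` request header and the `Tailscale-User` / `Tailscale-Name` response headers are names chosen for this example, and `SampleTailnet` is constructed data so the program runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// Matching nginx side (assumed configuration for this example):
//
//   location = /auth {
//       internal;
//       proxy_pass              http://127.0.0.1:8080/auth;
//       proxy_pass_request_body off;
//       proxy_set_header        Content-Length "";
//       proxy_set_header        Remote-Addr $remote_addr;
//   }
//   location / {
//       auth_request     /auth;
//       auth_request_set $auth_user $upstream_http_tailscale_user;
//       proxy_set_header X-Webauth-User $auth_user;
//       proxy_pass       http://backend;
//   }

// WhoIs is the subset of identity data the policy needs. Assumption: in a
// real deployment it is populated from tailscaled's whois answer for the IP.
type WhoIs struct {
	LoginName   string
	DisplayName string
	Tags        []string // non-empty means a tagged service node, not a person
}

// Resolver maps a source IP on the tailnet to its identity.
type Resolver interface {
	WhoIs(ctx context.Context, ip string) (*WhoIs, error)
}

// Decision is what the handler reports back to nginx.
type Decision struct {
	Status int
	Login  string
	Name   string
}

// Decide applies the policy from the thread: the request is allowed only if
// the source IP resolves to a tailnet identity that carries no tags.
func Decide(ctx context.Context, r Resolver, ip string) Decision {
	if net.ParseIP(ip) == nil {
		return Decision{Status: http.StatusBadRequest} // nginx did not pass a usable address
	}
	w, err := r.WhoIs(ctx, ip)
	if err != nil || w == nil {
		return Decision{Status: http.StatusForbidden} // not a tailnet peer we know
	}
	if len(w.Tags) > 0 {
		return Decision{Status: http.StatusForbidden} // service machine, not a user
	}
	return Decision{Status: http.StatusOK, Login: w.LoginName, Name: w.DisplayName}
}

// NewHandler wraps Decide as the auth_request target. Only the status code and
// the identity headers matter to nginx; the body is ignored.
func NewHandler(r Resolver) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		d := Decide(req.Context(), r, req.Header.Get("Remote-Addr"))
		if d.Status != http.StatusOK {
			http.Error(w, http.StatusText(d.Status), d.Status)
			return
		}
		w.Header().Set("Tailscale-User", d.Login)
		w.Header().Set("Tailscale-Name", d.Name)
		w.WriteHeader(http.StatusOK)
	})
}

// StaticResolver is an offline stand-in for the daemon lookup.
type StaticResolver map[string]*WhoIs

func (s StaticResolver) WhoIs(_ context.Context, ip string) (*WhoIs, error) {
	w, ok := s[ip]
	if !ok {
		return nil, fmt.Errorf("no tailnet node for %s", ip)
	}
	return w, nil
}

// SampleTailnet is constructed data: one human user and one tagged CI node.
var SampleTailnet = StaticResolver{
	"100.64.0.10": {LoginName: "alice@example.com", DisplayName: "Alice"},
	"100.64.0.20": {LoginName: "tagged-devices", Tags: []string{"tag:ci-runner"}},
}

func main() {
	// Walk the policy over a few constructed source addresses; to serve the
	// real subrequest you would instead run
	// http.ListenAndServe("127.0.0.1:8080", NewHandler(realResolver)).
	for _, ip := range []string{"100.64.0.10", "100.64.0.20", "100.64.0.99", "not-an-ip"} {
		d := Decide(context.Background(), SampleTailnet, ip)
		fmt.Printf("%-12s -> %d %s\n", ip, d.Status, d.Login)
	}
}
```

Two points worth noting in the design: the handler never reads the request body, so nginx can (and should) drop it on the subrequest, and an unknown or tagged peer gets 403 rather than 401 because there is no credential the client could supply to change the outcome; the identity comes from the tailnet address alone.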
Got it. So, it’s a legit SSO process. Being able to control IP addresses has its advantages!
Yep! As the author alluded to elsewhere in the comments, if you want to make _really sure_ that the user is a person in a browser instead of a rogue malware process on their machine you can combine this with a yubikey tap or webauthn attestation step.