by xena 1503 days ago
Yeah I've been thinking about that too. Something I've been wondering about is tying things to the ACL file through something like "capabilities"[1], but this would probably require a fair bit of per-service hacking. I think it'd be worth it, but it would be a lot of work. The main problem here is that Tailscale ACLs only really have "can connect to port" as the main capability they provide. I think I could end up telling the nginx-auth proxy if the person is a network admin or not (I'm not sure if that capability reliably shows up in whois responses, will need to check), that may be a starting point but it certainly won't scale.

[1]: https://github.com/tailscale/tailscale/issues/4217

1 comment

That's an interesting issue, thanks for linking. I could see something like this working well:

  location /auth {
    ...
    # Tell the auth backend which caps this request needs
    proxy_set_header X-Required-Caps $required_caps;
    ...
  }

  location /grafana {
    ...
    set $required_caps "grafana.com/read,grafana.com/write";
    # Pick up the caps the auth backend returns in its Tailscale-Caps header
    auth_request_set $auth_caps $upstream_http_tailscale_caps;
    proxy_set_header X-Webauth-Caps $auth_caps;
    ...
  }
I.e. pass the caps through an nginx variable up to the `/auth` location, then out to `nginx-auth`, then nginx-auth passes all(?) of the user's caps to the upstream.
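Here is what the auth backend side of that exchange could look like, as an added illustration (not the nginx-auth code or anything from the issue): an `auth_request` handler that reads `X-Required-Caps` from the config above and answers in `Tailscale-Caps`. The per-peer cap table standing in for the whois lookup, the "every listed cap must be held" rule, and the choice to return only the caps the location asked for (rather than all of the user's caps) are assumptions of this example.

```go
package main

import (
	"net"
	"net/http"
	"sort"
	"strings"
)

// peerCaps stands in for the whois lookup against tailscaled (constructed table, not real data).
var peerCaps = map[string]string{
	"100.64.0.10": "grafana.com/read,grafana.com/write",
	"100.64.0.11": "grafana.com/read",
}

// parseCaps splits a comma-separated header value into a sorted list, skipping blanks.
func parseCaps(header string) []string {
	var caps []string
	for _, c := range strings.Split(header, ",") {
		if c = strings.TrimSpace(c); c != "" {
			caps = append(caps, c)
		}
	}
	sort.Strings(caps)
	return caps
}

// missingCaps returns the required caps absent from held (both sorted).
func missingCaps(required, held []string) []string {
	var missing []string
	for _, c := range required {
		if i := sort.SearchStrings(held, c); i == len(held) || held[i] != c {
			missing = append(missing, c)
		}
	}
	return missing
}

// authHandler is an nginx auth_request backend: 403 unless every cap in
// X-Required-Caps is held; on success only those caps go back in Tailscale-Caps.
func authHandler(w http.ResponseWriter, r *http.Request) {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	required := parseCaps(r.Header.Get("X-Required-Caps"))
	if missing := missingCaps(required, parseCaps(peerCaps[host])); len(missing) > 0 {
		http.Error(w, "missing capability: "+strings.Join(missing, ","), http.StatusForbidden)
		return
	}
	w.Header().Set("Tailscale-Caps", strings.Join(required, ","))
	w.WriteHeader(http.StatusNoContent)
}
```

Mount `authHandler` at the path nginx proxies `/auth` to; nginx treats the 204 as "allowed" and the 403 as "denied".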