[wtatum]

Fascinating post. I have been reading a lot on Tailscale lately and this kind of application came to mind immediately.

The post briefly mentions that the proxy can be set to listen a unix socket instead of a TCP socket. Is that referring only to the subauth socket, or the entire nginx? It seems like the real security value is in the latter, but that would be nginx config right? Setting it to only accept traffic from Tailscale rather than from :80?

[xena]

The subauth socket. I generally suggest people run all their services on Unix sockets as much as possible to prevent accidentally exposing things to the internet unintentionally, however it's not the best idea to run your reverse proxy on a Unix socket unless you have even more cursed things going on :)

[wtatum]

Thanks for the quick reply, that helps a lot. In the case where we're not intending to handle Internet traffic on the proxy--only Tailscale--it would still be possible to bind the Nginx listener to only the Tailscale adapter though right?

I'm imagining a use-case where Tailscale + Nginx is acting kind of like an Azure App Proxy where you want to ensure that all access to the upstream service is validated against the Tailscale ACL. Maybe that's already implicitly the case since the auth_request goes to nginx-auth, so any traffic that isn't coming from a Tailscale IP is going to be denied anyways.

[xena]

Yes, I think part of my assumption here is that Nginx is already inside a subnet that doesn't allow any non-tailscale traffic to hit port 80.