by xena 1506 days ago
The subauth socket. I generally suggest people run all their services on Unix sockets as much as possible to prevent accidentally exposing things to the internet unintentionally, however it's not the best idea to run your reverse proxy on a Unix socket unless you have even more cursed things going on :)

Thanks for the quick reply, that helps a lot. In the case where we're not intending to handle Internet traffic on the proxy (only Tailscale), it would still be possible to bind the Nginx listener to only the Tailscale adapter though, right?

I'm imagining a use-case where Tailscale + Nginx is acting kind of like an Azure App Proxy where you want to ensure that all access to the upstream service is validated against the Tailscale ACL. Maybe that's already implicitly the case since the auth_request goes to nginx-auth, so any traffic that isn't coming from a Tailscale IP is going to be denied anyway.

Yes, I think part of my assumption here is that Nginx is already inside a subnet that doesn't allow any non-tailscale traffic to hit port 80.
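The setup the thread is circling around, as an added example that is not from any of the commenters and not the nginx-auth project's own config: the Nginx listener bound to the host's Tailscale address only, every request gated by an auth_request subrequest to Tailscale's nginx-auth helper, and an allow/deny rule as a second line of defence in case the "no non-Tailscale traffic reaches port 80" subnet assumption is ever wrong. The Tailscale IP 100.101.102.103, the server_name, and the upstream socket path are placeholders; the nginx-auth socket path and the Remote-Addr / Remote-Port / Original-URI request headers follow the helper's documented example as I recall it, so check them against the version you deploy.

```nginx
# Added example, not part of the thread or of the nginx-auth project.
# Assumptions: 100.101.102.103 is this host's Tailscale address,
# nginx-auth listens on /run/tailscale.nginx-auth.sock, and the
# upstream app listens on a Unix socket.

server {
    # Bind to the Tailscale address only. A bare "listen 80;" would accept
    # traffic on every interface, which is the accidental exposure the
    # first comment warns about.
    listen 100.101.102.103:80;
    server_name app.example.ts.net;   # placeholder

    # Belt and braces: even on the Tailscale-bound listener, refuse peers
    # outside the Tailscale IPv4 CGNAT range (add your tailnet's IPv6 range
    # if you use it). This relies on $remote_addr being the real peer, so
    # do not put any real_ip / X-Forwarded-For trust in front of it.
    allow 100.64.0.0/10;
    deny all;

    location / {
        # Every request is first sent as a subrequest to /auth; any non-2xx
        # answer there rejects the request before it reaches the upstream,
        # so a peer the tailnet ACL does not permit never hits the app.
        auth_request /auth;

        # Identity headers nginx-auth returns on a successful lookup,
        # forwarded so the app can see which Tailscale user is calling.
        auth_request_set $tailscale_user  $upstream_http_tailscale_user;
        auth_request_set $tailscale_login $upstream_http_tailscale_login;
        proxy_set_header Tailscale-User  $tailscale_user;
        proxy_set_header Tailscale-Login $tailscale_login;

        # The application itself stays on a Unix socket (placeholder path),
        # as the first comment recommends for everything but the proxy.
        proxy_pass http://unix:/run/myapp/app.sock;
    }

    location = /auth {
        internal;   # only reachable as a subrequest, never by a client
        proxy_pass http://unix:/run/tailscale.nginx-auth.sock;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # nginx-auth resolves the peer with tailscaled's WhoIs using
        # the original client address and port, plus the requested URI.
        proxy_set_header Remote-Addr  $remote_addr;
        proxy_set_header Remote-Port  $remote_port;
        proxy_set_header Original-URI $request_uri;
    }
}
```

Two practical caveats with binding to the Tailscale address rather than 0.0.0.0: Nginx will refuse to start if the address is not yet present on an interface (bind() fails with "Cannot assign requested address"), so either order the nginx unit after tailscaled or enable `net.ipv4.ip_nonlocal_bind`; and the listener is only as strict as the address list, so re-check it whenever the host's Tailscale IP changes.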