by shibel 3 days ago
I need to finish off that blog post.

With Tailscale, you can basically point a domain to the FQDN of a machine you’re sharing with people and the domain will simply work for them (and only them)[1]. But for it to work without them having to know or specify the specific application port, you have to grant them access to 443 (and 80) in your Tailscale ACL for that specific host.

So yeah, now immich.familydomain.com works without family members having to remember the specific port. BUT, serveradmin.familydomain.com (another app on the same host) will ALSO be accessible to them (from a networking POV). We opened port 443/80 for that host after all.

I took a few hours with Claude back in January (?) and we wrote a tiny Go authorization gateway which basically consults both Tailscale’s public API and Tailscale’s `localapi` and returns the appropriate response to Caddy based on the requesting user’s actual allowed ports.

So now I can share different apps (subdomains) with different people without forfeiting access controls, all driven by Tailscale’s policy file.

(I hope I didn’t mess up the crux of it, pretty late here)

Edit: why not (something like) Authentik? Quoting from the draft:

  I contemplated this for a bit but one thing I kept thinking about is:

  _They're already logged in to Tailscale_

  Why do I need to install and configure another full-blown app dedicated to doing something Tailscale already did? Why have the users go through two hops of authentication?
[1]: https://www.youtube.com/watch?v=Vt4PDUXB_fg
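A sketch of the gateway decision described in the post, as an added example (not shibel's code): it evaluates a simplified subset of the Tailscale policy file locally (groups plus accept rules whose dsts are `tag:port`, with no port lists or ranges) and maps one Caddy forward_auth check for a subdomain to 200, 403 or 404. In production the login would come from a localapi whois lookup of the peer's Tailscale IP; here it is passed in, and the app map, tag name and logins are assumptions.

```go
package main

import (
	"net/http"
	"slices"
	"strconv"
	"strings"
)

// Policy is the subset of a Tailscale policy file the gateway needs: groups and
// accept rules, where a dst looks like "tag:server:443" or "tag:server:*".
type Rule struct{ Src, Dst []string }
type Policy struct {
	Groups map[string][]string
	ACLs   []Rule
}

// matches reports whether src names login directly, through a group, or via "*".
func (p Policy) matches(src, login string) bool {
	return src == "*" || src == login || slices.Contains(p.Groups[src], login)
}

// Allowed reports whether some rule lets login reach port on the host tagged hostTag;
// a dst is split at its last colon and "*" on either side matches any host or any port.
func (p Policy) Allowed(login, hostTag string, port int) bool {
	for _, r := range p.ACLs {
		for _, d := range r.Dst {
			i := strings.LastIndex(d, ":")
			if i < 0 || (d[:i] != "*" && d[:i] != hostTag) || (d[i+1:] != "*" && d[i+1:] != strconv.Itoa(port)) {
				continue
			}
			if slices.ContainsFunc(r.Src, func(s string) bool { return p.matches(s, login) }) {
				return true
			}
		}
	}
	return false
}

// Decide answers one Caddy forward_auth check: the requested subdomain selects the
// app's backend port, and the peer's login (resolved through localapi whois in
// production; passed in here) is checked against the policy for that port.
func Decide(p Policy, apps map[string]int, hostTag, host, login string) int {
	port, ok := apps[strings.SplitN(host, ".", 2)[0]]
	switch {
	case !ok:
		return http.StatusNotFound // no app behind this subdomain
	case p.Allowed(login, hostTag, port):
		return http.StatusOK // Caddy lets the request through
	}
	return http.StatusForbidden // on the tailnet, but not granted this port
}
```

With a policy that grants `group:family` ports 443 and 2283 on `tag:server` and only the admin `tag:server:*`, a family member reaches immich.familydomain.com but gets 403 on serveradmin.familydomain.com, which is exactly the split the post wants.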

I found Cloudflare Zero Trust excellent for this and it works perfectly well on the free tier (I do use Cloudflare as my registrar)
Pangolin would have been a better direct fit than Authentik. It does come with an embedded IdP nowadays but can also use Authentik. Another tool to keep an eye on is Netbird, which is a Tailscale-like mesh but has proxy support for whatever app you want to share, with or without authentication.
Authentik is also an OIDC provider... couldn't it also be the way they auth to Tailscale too?
Maybe…I really didn’t want to have to install another app just because I’m sharing though. My line of thinking was/is:

If tomorrow I decide not to share with anyone, I don’t want to have to reconfigure stuff. I simply edit the Tailscale policy file, and (maybe) spin down my server.