[FEAT] Add Tailscale NGINX Auth (Optional: Fallback to ldap auth, Authelia, Authentik) #438

Open
1 task done
bakerboy448 opened this issue Dec 6, 2023 · 13 comments
Labels
enhancement New feature or request

Comments

@bakerboy448

Is this a new feature request?

  • I have searched the existing issues

Wanted change

Incorporate https://tailscale.com/blog/tailscale-auth-nginx/, thus allowing SSO via Tailscale with fallback to existing auth methods

Perhaps incorporated via a docker mod?

Reason for change

Simplified login and another auth method

Proposed code change

server additions

    # enable for Tailscale (requires tailscale-location.conf in the location block)
    #include /config/nginx/tailscale-server.conf;

location additions

        # enable for Tailscale (requires tailscale-server.conf in the server block)
        #include /config/nginx/tailscale-location.conf;

tailscale-server.conf

    location /auth {
      internal;

      proxy_pass http://unix:/run/tailscale.nginx-auth.sock;
      proxy_pass_request_body off;

      proxy_set_header Host $http_host;
      proxy_set_header Remote-Addr $remote_addr;
      proxy_set_header Remote-Port $remote_port;
      proxy_set_header Original-URI $request_uri;
    }

    # enable for ldap auth fallback auth
    #location @fallback_to_ldap {
    #    include /config/nginx/ldap-location.conf;
    #}

    # enable for Authelia fallback auth
    location @fallback_to_authelia {
        include /config/nginx/authelia-location.conf;
    }

    # enable for Authentik fallback auth
    #location @fallback_to_authentik {
    #    include /config/nginx/authentik-location.conf;
    #}

tailscale-location.conf

        # Tailscale authentication
        auth_request /auth;
        auth_request_set $auth_user $upstream_http_tailscale_user;
        auth_request_set $auth_name $upstream_http_tailscale_name;
        auth_request_set $auth_login $upstream_http_tailscale_login;
        auth_request_set $auth_tailnet $upstream_http_tailscale_tailnet;
        auth_request_set $auth_profile_picture $upstream_http_tailscale_profile_picture;

        proxy_set_header X-Webauth-User "$auth_user";
        proxy_set_header X-Webauth-Name "$auth_name";
        proxy_set_header X-Webauth-Login "$auth_login";
        proxy_set_header X-Webauth-Tailnet "$auth_tailnet";
        proxy_set_header X-Webauth-Profile-Picture "$auth_profile_picture";

        # enable for ldap auth fallback auth 
        # error_page 401 = @fallback_to_ldap;

        # enable for Authelia fallback auth 
        error_page 401 = @fallback_to_authelia;

        # enable for Authentik fallback auth 
        #error_page 401 = @fallback_to_authentik;

swag volumes assuming tailscale nginx auth and tailscale on host

      - /var/run/tailscale.nginx-auth.sock:/var/run/tailscale.nginx-auth.sock
      - /run/tailscale.nginx-auth.sock:/run/tailscale.nginx-auth.sock
@bakerboy448 bakerboy448 added the enhancement New feature or request label Dec 6, 2023
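
To exercise the 401 fallback path of the proposed config without a tailnet, a stand-in for the auth socket can answer the `/auth` subrequest with the same header names the config reads and writes. This is an added example, not code from the issue or from Tailscale; the socket path, the sample peer and the function names are assumptions.

```python
import os
import socketserver
from http.server import BaseHTTPRequestHandler

SOCKET_PATH = "/tmp/mock-nginx-auth.sock"  # hypothetical path, for local tests only
# Constructed sample peer: response headers the stub returns for one client address.
PEERS = {
    "100.64.0.10": {
        "Tailscale-User": "alice@example.com",
        "Tailscale-Name": "Alice Example",
        "Tailscale-Login": "alice",
        "Tailscale-Tailnet": "example.com",
    },
}

def decide(headers):
    """Return (status, response headers) for one /auth subrequest."""
    addr, port = headers.get("Remote-Addr"), headers.get("Remote-Port")
    peer = PEERS.get(addr) if addr and port else None
    if peer is None:
        return 401, {}  # unknown client, or nginx did not forward the headers
    return 204, dict(peer)

def nginx_outcome(status):
    """What auth_request and the error_page line above do with that status."""
    if 200 <= status < 300:
        return "proxy"     # allowed; $upstream_http_tailscale_* are populated
    if status == 401:
        return "fallback"  # error_page 401 = @fallback_to_authelia
    if status == 403:
        return "deny"      # passed to the client as 403
    return "error"         # any other code is an auth_request error (500)

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, out = decide(self.headers)
        self.send_response(status)
        for name, value in out.items():
            self.send_header(name, value)
        self.end_headers()
    do_HEAD = do_POST = do_GET  # answer the same way whatever method arrives

    def log_message(self, *args):  # client_address is empty on a unix socket
        pass

if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    socketserver.UnixStreamServer(SOCKET_PATH, Handler).serve_forever()
```

With the stub running and `proxy_pass` in `location /auth` pointed at `http://unix:/tmp/mock-nginx-auth.sock`, a request from any address outside `PEERS` should end up in the fallback location.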

github-actions bot commented Dec 6, 2023

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@aptalca
Member

aptalca commented Dec 6, 2023

Looks like it's a go binary, good news for alpine. I like the concept. I agree a mod would be a good idea.

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@bakerboy448
Author

bump for the bot

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@bakerboy448
Author

bump for the bot

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@bakerboy448
Author

bot bumpy

@aptalca
Member

aptalca commented Apr 1, 2024

I thought you were going to PR a mod :)

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@yodaldevoid

bump for the bot

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@bakerboy448
Author

glares at the ole bot

POC is in the OP that needs further refinement to be functional if anyone wishes to step up
