-
Notifications
You must be signed in to change notification settings - Fork 52
/
Copy pathproxyauth.caddyfile
51 lines (47 loc) · 1.74 KB
/
proxyauth.caddyfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# This config demonstrates using the authentication provider to pass
# Tailscale user data from a Tailscale-aware reverse proxy to a
# backend application that doesn't know anything about Tailscale.
#
# Run this configuration and then visit <http://caddytest/>.
#
# If you have HTTPS enabled on your tailnet,
# this example will also generate a TLS certificate
# and be available at <https://caddytest.your-tailnet.ts.net>.
{
tailscale {
ephemeral # create all nodes as ephemeral
}
}
# This site will register a new node named caddytest.
# When a user visits <http://caddytest/>, they will be proxied to localhost:3333.
# Their tailscale login (the local part of their email address) will
# be added to the proxied request in the X-Webauth-User header.
:80 {
bind tailscale/caddytest
tailscale_auth
reverse_proxy localhost:3333 {
header_up X-Webauth-User {http.auth.user.tailscale_login}
header_up X-Tailscale-Tailnet {http.auth.user.tailscale_tailnet}
}
}
# This will run an identical site as above, but with TLS enabled.
:443 {
bind tailscale/caddytest
tls {
get_certificate tailscale
}
tailscale_auth
reverse_proxy localhost:3333 {
header_up X-Webauth-User {http.auth.user.tailscale_login}
header_up X-Tailscale-Tailnet {http.auth.user.tailscale_tailnet}
}
}
# This is a regular site that doesn't know anything about Tailscale.
# Imagine this is an application like Gitea or Grafana that supports
# reverse proxy authentication by setting the X-Webauth-User header.
# For this site, we'll simply print out the value of that header.
# But for an actual application, this could immediately log the user in.
:3333 {
templates
respond `Hello, {{.Req.Header.Get "X-Webauth-User"}} from {{.Req.Header.Get "X-Tailscale-Tailnet"}}`
}