
Lazy application authentication with Tailscale


This talk was given at the Tailscale London meetup on 3rd July 2024.


Elliot Blackburn

July 03, 2025


Transcript

  1. © 2025 Tailscale Inc. | tailscale.com
     Nice to meet you
     Hi, I'm Elliot, founding engineer at Sunbeam and Tailscale Insider.
     www.elliotblackburn.com · linkedin.com/in/elliot-blackburn · [email protected]
  2. Here's what we're going to talk about
     1 Internal tools
     2 Serve
     3 tsnet
  3. Our requirements
     Our internal tool needs to…
     ➔ Only be accessible on our internal network (VPN)
     ➔ Limit access to specific people
     ➔ Identify the user to create audit trails
  4. Simple architecture
     1. A user's web browser makes an HTTP request
     2. The Tailscale client picks this up and sends it to the destination node (if ACLs or Grants permit it)
     3. Tailscale Serve on the destination node forwards the traffic on to the attached application
     4. The application receives the request and does its thing
  5. But wait, there's more!
     Serve also attaches some headers to the request as it passes through, which can be used to identify the user making the request:
     • Tailscale-User-Login
     • Tailscale-User-Name
     • Tailscale-User-Profile-Pic (optional)
  6. The pros and cons
     Pros:
     • No need to change your application, or write specific integration code
     • No login screens, passwords, or OAuth obstacle courses - that's already happened
     • Horizontal scaling is pretty simple
     Cons:
     • Additional infrastructure to manage (proxy node)
     • Limited ability to force an identity check (sudo mode)
     • Doesn't tackle application permissions
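As an added example (not from the talk, and not Tailscale's own code), a Go net/http middleware for the Serve setup above: it uses the Tailscale-User-Login header for the allowlist and the audit trail, but only trusts it when the request arrived from the local serve proxy, since a request that reaches the application by any other path could carry whatever header value the sender chose. The loopback-only check, the allowlist and the 127.0.0.1:3000 binding are assumptions about the deployment, not anything the slides state.

```go
package main

import (
	"log"
	"net/http"
	"net/netip"
)

// Constructed allowlist of tailnet logins; a real app would load it from config.
var allowedLogins = map[string]bool{"alice@example.com": true}

// fromServeProxy assumes serve runs on this host: only a loopback peer's Tailscale-User-* headers are trusted.
func fromServeProxy(remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	return err == nil && ap.Addr().IsLoopback()
}

// identify returns the verified login, or "" plus the HTTP status to reject with.
func identify(r *http.Request) (string, int) {
	if !fromServeProxy(r.RemoteAddr) {
		return "", http.StatusForbidden // did not arrive via serve: header untrusted
	}
	login := r.Header.Get("Tailscale-User-Login")
	if login == "" {
		return "", http.StatusUnauthorized // serve did not attach an identity
	}
	if !allowedLogins[login] {
		return "", http.StatusForbidden // identified, but not an allowed person
	}
	return login, http.StatusOK
}

// requireTailscaleUser rejects unidentified callers and writes one audit line per request.
func requireTailscaleUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		login, status := identify(r)
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		log.Printf("audit: %s %s by %s (%s)", r.Method, r.URL.Path, login, r.Header.Get("Tailscale-User-Name"))
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.Header.Get("Tailscale-User-Login") + "\n"))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:3000", requireTailscaleUser(app))) // loopback only
}
```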
  7. Simpler architecture
     1. A user's web browser makes an HTTP request
     2. The Tailscale client picks this up and sends it to the destination node (if ACLs or Grants permit it)
     3. The application itself is the destination node, so it receives the request and returns the response
  8. The pros and cons
     Pros:
     • No additional proxy to manage
     • Still no login screens, etc.
     • Lots of example applications to follow
     Cons:
     • Go is the only language with practical support right now for listening directly on a tailnet*
     • Application capabilities are best accessed through Go*
     • Would require a proxy of some kind if you wanted to horizontally scale
     * libtailscale will hopefully improve on this
  9. Thank you
     Please come and chat to me, I'd love to meet you!
     www.elliotblackburn.com · fosstodon.org/@elliotblackburn · [email protected]