Slide 1

© 2025 Tailscale Inc. | tailscale.com

Lazy application authentication

Elliot Blackburn

Slide 2

Nice to meet you

Hi, I’m Elliot, founding engineer at Sunbeam and Tailscale Insider.

www.elliotblackburn.com
linkedin.com/in/elliot-blackburn
[email protected]

Slide 3

Here’s what we’re going to talk about

1. Internal tools
2. Serve
3. tsnet

Slide 4

Let's talk about auth for internal tools…

Slide 5

Our requirements

Our internal tool needs to…
➔ Only be accessible on our internal network (VPN)
➔ Limit access to specific people
➔ Identify the user to create audit trails

Slide 6

Tailscale Serve

Slide 7

Simple architecture

1. A user’s web browser makes an HTTP request
2. The Tailscale client picks this up and sends it to the destination node (if ACLs or Grants permit it)
3. Tailscale Serve on the destination node forwards the traffic on to the attached application
4. The application receives the request and does its thing.

Slide 8

Scaling beyond 1 node

Slide 9

But wait, there’s more!

Serve also attaches some headers to requests as they pass through, which can be used to identify the user making the request.
● Tailscale-User-Login
● Tailscale-User-Name
● Tailscale-User-Profile-Pic (optional)
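One way an application behind Serve can consume these headers for its audit trail, as an added example (not code from the talk or from Tailscale). It assumes Serve runs on the same host and proxies to the app over loopback, so headers arriving from any other peer are treated as untrusted; `identify`, `withIdentity` and port 8080 are hypothetical names and values.

```go
// Added example: trust Serve's identity headers only from the local proxy.
package main

import (
	"errors"
	"log"
	"net"
	"net/http"
)

// Identity is what the app records in its audit trail.
type Identity struct{ Login, Name string }

// identify returns the caller's identity from the headers Tailscale Serve
// attaches. Assumption: Serve runs on the same host and proxies to this app
// over loopback, so any other peer address means the headers are untrusted.
func identify(remoteAddr string, h http.Header) (Identity, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return Identity{}, err
	}
	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
		return Identity{}, errors.New("request did not arrive via local Serve proxy")
	}
	login := h.Get("Tailscale-User-Login")
	if login == "" {
		return Identity{}, errors.New("no Tailscale-User-Login header")
	}
	return Identity{Login: login, Name: h.Get("Tailscale-User-Name")}, nil
}

// withIdentity rejects unidentified requests and logs an audit line for the rest.
func withIdentity(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := identify(r.RemoteAddr, r.Header)
		if err != nil {
			log.Printf("audit: denied %s %q from %s: %v", r.Method, r.URL.Path, r.RemoteAddr, err)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// %q keeps header-supplied values from breaking the log line format.
		log.Printf("audit: %s %q by %q (%q)", r.Method, r.URL.Path, id.Login, id.Name)
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.Header.Get("Tailscale-User-Login") + "\n"))
	})
	// Bind to loopback only; port 8080 is an arbitrary choice for this example.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", withIdentity(app)))
}
```

Binding the application to loopback is what makes the headers meaningful: if the app were reachable by any path other than Serve, a client could set these headers itself.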

Slide 10

The pros and cons

Pros:
● No need to change your application, or write specific integration code
● No login screens, passwords, or OAuth obstacle courses - that’s already happened
● Horizontal scaling is pretty simple

Cons:
● Additional infrastructure to manage (proxy node)
● Limited ability to force an identity check (sudo mode)
● Doesn’t tackle application permissions

Slide 11

tsnet for Native Tailscale Apps

Slide 12

Simpler architecture

1. A user’s web browser makes an HTTP request
2. The Tailscale client picks this up and sends it to the destination node (if ACLs or Grants permit it)
3. The application itself is the destination node, so it receives the request and returns the response

Slide 13

Application capabilities

Slide 14

The pros and cons

Pros:
● No additional proxy to manage
● Still no login screens, etc.
● Lots of example applications to follow

Cons:
● Go is the only language with practical support right now for listening directly on a tailnet*
● Application capabilities are best accessed through Go*
● Would require a proxy of some kind if you wanted to horizontally scale

* libtailscale will hopefully improve on this

Slide 15

Thank you

Please come and chat to me, I’d love to meet you!

www.elliotblackburn.com
fosstodon.org/@elliotblackburn
[email protected]