feat(tailscale-nginx-auth): protect reverse proxied services behind tailscale authentication
This commit is contained in:
wi11-holdsworth
parent
dcbee4635b
commit
63c2583d21
24 changed files with 311 additions and 5 deletions
|
|
@ -19,6 +19,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -35,6 +35,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -36,6 +36,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -378,6 +378,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -20,6 +20,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -18,6 +18,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -20,6 +20,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -23,6 +23,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -21,6 +21,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -27,6 +27,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -14,6 +14,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -18,6 +18,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -31,6 +31,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -20,6 +20,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -15,6 +15,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -31,6 +31,19 @@ in
|
|||
];
|
||||
|
||||
services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -21,6 +21,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -29,6 +29,19 @@ in
|
|||
};
|
||||
|
||||
caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -21,6 +21,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -21,6 +21,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -68,6 +68,19 @@ in
|
|||
null;
|
||||
|
||||
caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy http://localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -1,8 +1,15 @@
|
|||
{
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
extraSetFlags = [
|
||||
"--accept-dns=true"
|
||||
];
|
||||
services = {
|
||||
tailscale = {
|
||||
enable = true;
|
||||
extraSetFlags = [
|
||||
"--accept-dns=true"
|
||||
];
|
||||
};
|
||||
tailscaleAuth = {
|
||||
enable = true;
|
||||
user = "caddy";
|
||||
group = "caddy";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,6 +50,19 @@ in
|
|||
};
|
||||
|
||||
services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
|
|
@ -31,6 +31,19 @@ in
|
|||
];
|
||||
|
||||
caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
|
||||
forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
|
||||
uri /auth
|
||||
header_up Remote-Addr {remote_host}
|
||||
header_up Remote-Port {remote_port}
|
||||
header_up Original-URI {uri}
|
||||
copy_headers {
|
||||
Tailscale-User>X-Webauth-User
|
||||
Tailscale-Name>X-Webauth-Name
|
||||
Tailscale-Login>X-Webauth-Login
|
||||
Tailscale-Tailnet>X-Webauth-Tailnet
|
||||
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
|
||||
}
|
||||
}
|
||||
reverse_proxy localhost:${toString port}
|
||||
tls ${certloc}/cert.pem ${certloc}/key.pem {
|
||||
protocols tls1.3
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue