caddy-tailscale-poc

.editorconfig

# EditorConfig is awesome: https://EditorConfig.org

# Top-most EditorConfig file
root = true

# All files
[*]
# Set the default charset to UTF-8
charset = utf-8
# Use spaces instead of tabs for indentation
indent_style = space
# Set the number of spaces per indentation level
indent_size = 2
# Trim trailing whitespace
trim_trailing_whitespace = true
# Ensure a newline at the end of each file
insert_final_newline = true

.gitignore

secret.env

README.md

Tailscale & Caddy POC

This POC tests the Tailscale Caddy Plugin.

Test cases

1. Ability to join different host names with Tailscale
2. Authenticating via Tailscale

Setup

• This PoC uses Docker Compose
• Set up secret.env file with the TS_AUTHKEY=tskey-xxxxxx value. Generate it at the Tailscale admin console/Keys

Expected output

curl http://caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
curl https://caddy-tailscale-poc-https.YOUR-TAILNET.ts.net
curl http://caddy-tailscale-poc.YOUR-TAILNET.ts.net
curl https://caddy-tailscale-poc.YOUR-TAILNET.ts.net

All should return with the HTTP response code 200 and the same output (see below).

Issues discovered

Tailscale Authentication does not work with HTTPs

Related issue: tailscale/caddy-tailscale#28

URL	HTTP Response Code	Status
http://caddy-tailscale-poc-http.YOUR-TAILNET.ts.net	200	ok
https://caddy-tailscale-poc-https.YOUR-TAILNET.ts.net	401	broken
http://caddy-tailscale-poc.YOUR-TAILNET.ts.net	200	ok
https://caddy-tailscale-poc.YOUR-TAILNET.ts.net	401	broken

Tailnet is not set in the request headers

Related issue: tailscale/caddy-tailscale#29<>

X-Webauth-Tailnet should bet set to YOUR-TAILNET but it is not.

Hostname: 43826b580f4a
IP: 127.0.0.1
IP: 172.24.0.2
RemoteAddr: 172.24.0.3:59910
GET / HTTP/1.1
Host: caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
User-Agent: curl/8.4.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 100.124.154.118
X-Forwarded-Host: caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
X-Forwarded-Proto: http
X-Webauth-Email: [email protected]
X-Webauth-Name: John DOe
X-Webauth-Profile-Picture: https://...
X-Webauth-Tailnet:
X-Webauth-User: john

Caddyfile

{
	order tailscale_auth after basicauth
	auto_https off
}

(redirect) {
	@http {
		protocol http
	}
	redir @http https://{host}{uri}
}

:80 {
	bind tailscale/caddy-tailscale-poc
	tailscale_auth
	reverse_proxy whoami:80 {
		header_up X-Webauth-User {http.auth.user.tailscale_login}
		header_up X-Webauth-Email {http.auth.user.tailscale_user}
		header_up X-Webauth-Name {http.auth.user.tailscale_name}
		header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
		header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
	}
}

:443 {
	bind tailscale+tls/caddy-tailscale-poc
	tailscale_auth
	reverse_proxy whoami:80 {
		header_up X-Webauth-User {http.auth.user.tailscale_login}
		header_up X-Webauth-Email {http.auth.user.tailscale_user}
		header_up X-Webauth-Name {http.auth.user.tailscale_name}
		header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
		header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
	}
}

:80 {
	bind tailscale/caddy-tailscale-poc-http
	tailscale_auth
	reverse_proxy whoami:80 {
		header_up X-Webauth-User {http.auth.user.tailscale_login}
		header_up X-Webauth-Email {http.auth.user.tailscale_user}
		header_up X-Webauth-Name {http.auth.user.tailscale_name}
		header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
		header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
	}
}

:443 {
	bind tailscale+tls/caddy-tailscale-poc-https
	tailscale_auth
	reverse_proxy whoami:80 {
		header_up X-Webauth-User {http.auth.user.tailscale_login}
		header_up X-Webauth-Email {http.auth.user.tailscale_user}
		header_up X-Webauth-Name {http.auth.user.tailscale_name}
		header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
		header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
	}
}

docker-compose.yml

version: "3.8"

services:
  caddy-tailscale:
    build:
      dockerfile: Dockerfile
    pull_policy: build
    restart: unless-stopped
    depends_on:
      - whoami
    env_file:
      - secret.env
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config

  whoami:
    image: traefik/whoami
    restart: unless-stopped

volumes:
  caddy_data:
  caddy_config:

Dockerfile

FROM caddy:2-builder-alpine AS builder

RUN xcaddy build \
    --with github.com/tailscale/caddy-tailscale

FROM caddy:2-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

secret.env