README: spelling stuff, security considerations
Signed-off-by: lucasew <lucas59356@gmail.com>
lucasew committed Nov 11, 2024
1 parent 6272f58 commit 9943cd0
Showing 1 changed file with 12 additions and 6 deletions.
18 changes: 12 additions & 6 deletions README.md
Expand Up @@ -4,20 +4,19 @@ Simple proxy program to allow exposing individual services to a Tailnet, and
even to the Internet using Tailscale Funnel.

Unfortunately, the Tailscale daemon only allows exposing services using the
current node domain and you can't spawn (so far) nodes for services. With this
current node domain, and you can't spawn (so far) nodes for services. With this
you can!

On first run for one service, you will have to authenticate the service using
your Tailscale account. The authentication can be either done passing an
authentication token through the `TS_AUTHKEY` environment or by reading the
startup logs until you find the authentication link. After authentication,
tailscale will store the certificates and credentials to the location specified
by the `-s` flag so subsequent runs will not require reauthentications and up
to date authorization tokens.
Tailscale will store the certificates and credentials to the location specified
by the `-s` flag so subsequent runs will not require reauthentication and up-to-date authorization tokens.

As the [main build of Tailscale](https://tailscale.com/s/serve-headers), you
can get information about the user acessing the service using the following
headers that get forwared to the upstream service:
can get information about the user accessing the service using the following
headers that get forwarded to the upstream service:
- `Tailscale-User-Login`
- `Tailscale-User-Name`
- `Tailscale-User-Profile-Pic`
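Review bot: the rewritten last sentence of the authentication paragraph is still ambiguous: "will not require reauthentication and up-to-date authorization tokens" can be read as requiring both; suggest "will not require reauthentication or a fresh authorization token". Since that same sentence says the `-s` location holds the stored certificates and credentials, the README should also tell users to keep that directory private (restrictive permissions, never committed or shared), because anyone who can read it can act as that node. Minor: "As the [main build of Tailscale]" should read "As with the [main build of Tailscale]".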
Expand All @@ -27,6 +26,13 @@ version! It's as safe and stable as
[tclip](https://github.com/tailscale-dev/tclip) is because this proxy uses the
exact same primitives.

> **Warning**
> You can count on the headers sent by ts-proxy as long as you follow the following conditions:
> - Anything that changes the headers name representation such as Apache with PHP could be cheated
> by passing the header TAILSCALE_USER_LOGIN, for example.
> - If some users can access your actual service directly without passing the traffic through ts-proxy
they can change all the headers they want, including authentication ones.


## Usage

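Review bot: the blockquote in the new warning is malformed: the continuation line "they can change all the headers they want, including authentication ones." has no leading `> `, so it renders outside the quote, and the wrapped first bullet ("by passing the header TAILSCALE_USER_LOGIN, for example.") needs indentation after `> ` to stay inside the list item. Wording: "as long as you follow the following conditions" is repetitive ("under the following conditions"), and "headers name representation" should be "header name representation". On substance, the two bullets name real spoofing paths (header-name normalization in the upstream, and clients reaching the upstream directly) but stop short of the mitigation; suggest adding that the upstream should listen only where ts-proxy can reach it (for example on loopback), and stating whether ts-proxy strips or overwrites client-supplied `Tailscale-*` headers before forwarding, since the guarantee the warning gives depends on that.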