@tmaier
Last active January 14, 2024 22:48
caddy-tailscale-poc

.editorconfig

# EditorConfig is awesome: https://EditorConfig.org
# Top-most EditorConfig file
root = true
# All files
[*]
# Set the default charset to UTF-8
charset = utf-8
# Use spaces instead of tabs for indentation
indent_style = space
# Set the number of spaces per indentation level
indent_size = 2
# Trim trailing whitespace
trim_trailing_whitespace = true
# Ensure a newline at the end of each file
insert_final_newline = true

Tailscale & Caddy POC

This POC tests the Tailscale plugin for Caddy (tailscale/caddy-tailscale).

Test cases

  1. Ability to serve several different Tailscale host names from one Caddy instance
  2. Authenticating requests via Tailscale identity (tailscale_auth)

Setup

  • This PoC uses Docker Compose
  • Create a secret.env file containing TS_AUTHKEY=tskey-xxxxxx. Generate the auth key in the Tailscale admin console on the Keys page

Expected output

curl http://caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
curl https://caddy-tailscale-poc-https.YOUR-TAILNET.ts.net
curl http://caddy-tailscale-poc.YOUR-TAILNET.ts.net
curl https://caddy-tailscale-poc.YOUR-TAILNET.ts.net

All four should return HTTP response code 200 and the same whoami output (see below).

Issues discovered

Tailscale authentication does not work over HTTPS

Related issue: tailscale/caddy-tailscale#28

| URL | HTTP response code | Status |
|---|---|---|
| http://caddy-tailscale-poc-http.YOUR-TAILNET.ts.net | 200 | ok |
| https://caddy-tailscale-poc-https.YOUR-TAILNET.ts.net | 401 | broken |
| http://caddy-tailscale-poc.YOUR-TAILNET.ts.net | 200 | ok |
| https://caddy-tailscale-poc.YOUR-TAILNET.ts.net | 401 | broken |

Tailnet is not set in the request headers

Related issue: tailscale/caddy-tailscale#29

X-Webauth-Tailnet should be set to YOUR-TAILNET, but it is not: the header reaches the upstream with an empty value, as the whoami output below shows.

whoami response (here for caddy-tailscale-poc-http over HTTP):

Hostname: 43826b580f4a
IP: 127.0.0.1
IP: 172.24.0.2
RemoteAddr: 172.24.0.3:59910
GET / HTTP/1.1
Host: caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
User-Agent: curl/8.4.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 100.124.154.118
X-Forwarded-Host: caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
X-Forwarded-Proto: http
X-Webauth-Email: john@example.org
X-Webauth-Name: John DOe
X-Webauth-Profile-Picture: https://...
X-Webauth-Tailnet:
X-Webauth-User: john
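The "Expected output" list and the two issues above are easiest to verify with a script rather than by reading four curl responses by hand. The following is an added example, not part of the gist: check_webauth_headers parses a whoami response body and reports every X-Webauth-* header that is missing or empty (which catches the empty X-Webauth-Tailnet), and check_url fetches one URL and requires both a 200 status and a complete header set (which catches the 401 over HTTPS). The sample bodies are constructed from the gist's output; the host names are the gist's YOUR-TAILNET placeholders, and the live run is only performed when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example (not part of the gist): verify the whoami output and the
# X-Webauth-* headers that the Caddyfile is expected to inject upstream.

# Headers the Caddyfile's header_up lines are supposed to populate.
REQUIRED_HEADERS="X-Webauth-User X-Webauth-Email X-Webauth-Name X-Webauth-Tailnet"

# check_webauth_headers: read a whoami response body on stdin, print one
# line per required header that is absent or empty, return 1 if any were.
check_webauth_headers() {
  body=$(cat)
  rc=0
  for h in $REQUIRED_HEADERS; do
    # whoami echoes request headers as "Name: value"; take everything after
    # the first colon so values containing ':' (URLs) survive, then trim.
    value=$(printf '%s\n' "$body" | grep -i "^$h:" | head -n 1 \
            | cut -d: -f2- | sed 's/^[[:space:]]*//')
    if [ -z "$value" ]; then
      echo "missing or empty: $h"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample in the shape of the gist's whoami output: the tailnet
# header is present but empty, which is the second issue described above.
SAMPLE_BROKEN='Hostname: 43826b580f4a
GET / HTTP/1.1
Host: caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
X-Forwarded-Proto: http
X-Webauth-Email: john@example.org
X-Webauth-Name: John Doe
X-Webauth-Profile-Picture: https://example.org/john.png
X-Webauth-Tailnet:
X-Webauth-User: john'

# Constructed sample of what a correct response should look like.
SAMPLE_OK='Hostname: 43826b580f4a
GET / HTTP/1.1
Host: caddy-tailscale-poc-http.YOUR-TAILNET.ts.net
X-Webauth-Email: john@example.org
X-Webauth-Name: John Doe
X-Webauth-Tailnet: YOUR-TAILNET
X-Webauth-User: john'

# check_url: fetch one URL (requires curl), demand HTTP 200, then run the
# header check on the body. Prints the reason on failure, returns 1.
check_url() {
  url=$1
  tmp=$(mktemp)
  code=$(curl -s -o "$tmp" -w '%{http_code}' "$url") || { rm -f "$tmp"; return 1; }
  if [ "$code" != "200" ]; then
    echo "$url -> HTTP $code (expected 200)"
    rm -f "$tmp"
    return 1
  fi
  check_webauth_headers < "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Live run over the gist's four URLs; opt in with RUN_LIVE=1 so that the
# script can also be sourced or tested offline.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  failed=0
  for u in http://caddy-tailscale-poc-http.YOUR-TAILNET.ts.net \
           https://caddy-tailscale-poc-https.YOUR-TAILNET.ts.net \
           http://caddy-tailscale-poc.YOUR-TAILNET.ts.net \
           https://caddy-tailscale-poc.YOUR-TAILNET.ts.net; do
    if check_url "$u"; then echo "$u -> ok"; else failed=1; fi
  done
  exit $failed
fi
```

Run it with RUN_LIVE=1 from a machine on the tailnet (after replacing YOUR-TAILNET); with the gist's current behaviour the two HTTPS URLs fail on the status code and the two HTTP URLs fail on the empty X-Webauth-Tailnet header.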

Caddyfile

{
  order tailscale_auth after basicauth
  auto_https off
}

(redirect) {
  @http {
    protocol http
  }
  redir @http https://{host}{uri}
}

:80 {
  bind tailscale/caddy-tailscale-poc
  tailscale_auth
  reverse_proxy whoami:80 {
    header_up X-Webauth-User {http.auth.user.tailscale_login}
    header_up X-Webauth-Email {http.auth.user.tailscale_user}
    header_up X-Webauth-Name {http.auth.user.tailscale_name}
    header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
    header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
  }
}

:443 {
  bind tailscale+tls/caddy-tailscale-poc
  tailscale_auth
  reverse_proxy whoami:80 {
    header_up X-Webauth-User {http.auth.user.tailscale_login}
    header_up X-Webauth-Email {http.auth.user.tailscale_user}
    header_up X-Webauth-Name {http.auth.user.tailscale_name}
    header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
    header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
  }
}

:80 {
  bind tailscale/caddy-tailscale-poc-http
  tailscale_auth
  reverse_proxy whoami:80 {
    header_up X-Webauth-User {http.auth.user.tailscale_login}
    header_up X-Webauth-Email {http.auth.user.tailscale_user}
    header_up X-Webauth-Name {http.auth.user.tailscale_name}
    header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
    header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
  }
}

:443 {
  bind tailscale+tls/caddy-tailscale-poc-https
  tailscale_auth
  reverse_proxy whoami:80 {
    header_up X-Webauth-User {http.auth.user.tailscale_login}
    header_up X-Webauth-Email {http.auth.user.tailscale_user}
    header_up X-Webauth-Name {http.auth.user.tailscale_name}
    header_up X-Webauth-Profile-Picture {http.auth.user.tailscale_profile_picture}
    header_up X-Webauth-Tailnet {http.auth.user.tailscale_tailnet}
  }
}

Docker Compose file

version: "3.8"
services:
  caddy-tailscale:
    build:
      dockerfile: Dockerfile
    pull_policy: build
    restart: unless-stopped
    depends_on:
      - whoami
    env_file:
      - secret.env
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
  whoami:
    image: traefik/whoami
    restart: unless-stopped
volumes:
  caddy_data:
  caddy_config:

Dockerfile

FROM caddy:2-builder-alpine AS builder
RUN xcaddy build \
    --with github.com/tailscale/caddy-tailscale

FROM caddy:2-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy