Lazy application authentication with Tailscale

Transcript

1. © 2025 Tailscale Inc. | tailscale.com Lazy application authentication Elliot

   Blackburn

2. © 2025 Tailscale Inc. | tailscale.com Hi I’m Elliot, founding

   engineer at Sunbeam and Tailscale Insider Nice to meet you www.elliotblackburn.com linkedin.com/in/elliot-blackburn [email protected]

3. © 2025 Tailscale Inc. | tailscale.com Here’s what we’re going

   to talk about Internal tools 1 Serve 2 tsnet 3

4. © 2025 Tailscale Inc. | tailscale.com Let's talk about auth

   for internal tools…

5. © 2025 Tailscale Inc. | tailscale.com Our internal tool needs

   to… ➔ Only be accessible on our internal network (VPN) ➔ Limit access to specific people ➔ Identify the user to create audit trails Our requirements

6. © 2025 Tailscale Inc. | tailscale.com Tailscale Serve

7. © 2025 Tailscale Inc. | tailscale.com 1. A users web

   browser makes a HTTP request 2. The tailscale client picks this up and sends it to the destination node (if ACL’s or Grants permit it) 3. Tailscale serve on the destination node forwards the traffic onto the attached application 4. Application receives the request and does it’s thing. Simple architecture

8. © 2025 Tailscale Inc. | tailscale.com Scaling beyond 1 node

9. © 2025 Tailscale Inc. | tailscale.com Serve also attaches some

   headers onto the request as they pass through which can be used to identify the user making the request. • Tailscale-User-Login • Tailscale-User-Name • Tailscale-User-Profile-Pic (optional) But wait, there’s more!

10. © 2025 Tailscale Inc. | tailscale.com • No need to

    change your application, or write specific integration code • No login screens, passwords, or OAuth obstacle courses - that’s already happened • Horizontal scaling is pretty simple The pros and cons • Additional infrastructure to manage (proxy node) • Limited ability to force an identity check (sudo mode) • Doesn’t tackle application permissions

11. © 2025 Tailscale Inc. | tailscale.com tsnet for Native Tailscale

    Apps

12. © 2025 Tailscale Inc. | tailscale.com 1. A users web

    browser makes a HTTP request 2. The tailscale client picks this up and sends it to the destination node (if ACL’s or Grants permit it) 3. The application itself is the destination node, so it receives the request and returns the response Simpler architecture

13. © 2025 Tailscale Inc. | tailscale.com Application capabilities

14. © 2025 Tailscale Inc. | tailscale.com • No additional proxy

    to manage • Still no login screens, etc • Lots of example applications to follow The pros and cons • Go is the only language with practical support right now for listening directly a tailnet* • Application capabilities are best accessed through Go* • Would require a proxy of some kind if you wanted to horizontally scale * libtailscale will hopefully improve on this

15. © 2025 Tailscale Inc. | tailscale.com Please come and chat

    to me, I’d love to meet you! Thank you www.elliotblackburn.com fosstodon.org/@elliotblackburn [email protected]