cmd/nginx-auth: maintainer scripts and tailnet checking (#4460)

* cmd/nginx-auth: add maintainer scripts Signed-off-by: Xe <xe@tailscale.com> * cmd/nginx-auth: add Expected-Tailnet header and documentation Signed-off-by: Xe <xe@tailscale.com>
2022-04-20 13:06:05 -04:00
parent 33fa43252e
commit fc2f628d4c
9 changed files with 111 additions and 15 deletions
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@ -17,6 +17,7 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
+	"net/url"
 	"os"
 	"strings"

@ -75,6 +76,12 @@ func main() {
 			return
 		}

+		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
+			w.WriteHeader(http.StatusForbidden)
+			log.Printf("user is part of tailnet %s, wanted: %s", tailnet, url.QueryEscape(expectedTailnet))
+			return
+		}
+
 		h := w.Header()
 		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
 		h.Set("Tailscale-User", info.UserProfile.LoginName)