Tailscale Whois
You can configure Single Sign-On (SSO) for clients that access your Traefik server through Tailscale . Users will be automatically authenticated when the request comes through the Tailscale network.
This offers a similar behavior to the Tailscale nginx-auth component.
- Your container host must be joined to a Tailnet, and you must have the Tailscale service running on the host.
- Make sure that the socket
/var/run/tailscale/is mounted into thetraefik-forward-authcontainer. - Configure Traefik Forward Auth with a
tailscaleWhoisproperty in the provider’s configuration:
You can restrict the Tailnets that can authenticate with your service using this option:
allowedTailnet: If set, restricts users who are part of this specific Tailnet. Note that due to how Tailscale works, Tailnet names are only returned for nodes that are part of the current Tailnet, and not nodes that are being added as “guests”.
Traefik Forward Auth will also include in the session tokens Application Capabilities
that are assigned to the node in the Tailnet’s ACL configuration. Only capabilities listed in the capabilityNames
option are included, whose default value is ["italypaleale.me/traefik-forward-auth"].
For example, you can assign app capabilities to a node by listing them in your ACL configuration:
"grants": [
{
"src": ["user@example.com", "group:engineering"],
"dst": ["tag:traefik"],
"app": {
"italypaleale.me/traefik-forward-auth": [
{ /* Object 1 */ },
{ /* Object 2 */ }
],
}
}
]The session tokens issued by Traefik Forward Auth will then include a claim {"italypaleale.me/traefik-forward-auth": [ { ... }, { ... } ]}.
Full list of configuration options for Tailscale Whois and example