cmd/nginx-auth: maintainer scripts and tailnet checking (#4460)

* cmd/nginx-auth: add maintainer scripts Signed-off-by: Xe <xe@tailscale.com> * cmd/nginx-auth: add Expected-Tailnet header and documentation Signed-off-by: Xe <xe@tailscale.com>
2022-04-20 13:06:05 -04:00 · 2022-04-20 13:06:05 -04:00 · fc2f628d4c
parent 33fa43252e
commit fc2f628d4c
9 changed files with 111 additions and 15 deletions
--- a/cmd/nginx-auth/README.md
+++ b/cmd/nginx-auth/README.md
@ -117,10 +117,32 @@ header.

 The `Tailscale-Tailnet` header can help you identify which tailnet the session
 is coming from. If you are using node sharing, this can help you make sure that
-you aren't giving administrative access to people outside your tailnet. You will
-need to be sure to check this in your application code. If you use OpenResty,
-you may be able to do more complicated access controls than you can with NGINX
-alone.
+you aren't giving administrative access to people outside your tailnet.
+
+### Allow Requests From Only One Tailnet
+
+If you want to prevent node sharing from allowing users to access a service, add
+the `Expected-Tailnet` header to your auth request:
+
+```nginx
+location /auth {
+  # ...
+  proxy_set_header Expected-Tailnet "tailscale.com";
+}
+```
+
+If a user from a different tailnet tries to use that service, this will return a
+generic "forbidden" error page:
+
+```html
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>nginx/1.18.0 (Ubuntu)</center>
+</body>
+</html>
+```

 ## Building

--- a/cmd/nginx-auth/deb/postinst.sh
+++ b/cmd/nginx-auth/deb/postinst.sh
@ -0,0 +1,14 @@
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+	  deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
+	  if deb-systemd-helper --quiet was-enabled 'tailscale.nginx-auth.socket'; then
+		    deb-systemd-helper enable 'tailscale.nginx-auth.socket' >/dev/null || true
+	  else
+		    deb-systemd-helper update-state 'tailscale.nginx-auth.socket' >/dev/null || true
+	  fi
+
+    if systemctl is-active tailscale.nginx-auth.socket >/dev/null; then
+        systemctl --system daemon-reload >/dev/null || true
+        deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
+        deb-systemd-invoke restart 'tailscale.nginx-auth.socket' >/dev/null || true
+    fi
+fi
--- a/cmd/nginx-auth/deb/postrm.sh
+++ b/cmd/nginx-auth/deb/postrm.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+if [ -d /run/systemd/system ] ; then
+	  systemctl --system daemon-reload >/dev/null || true
+fi
+
+if [ -x "/usr/bin/deb-systemd-helper" ]; then
+    if [ "$1" = "remove" ]; then
+		    deb-systemd-helper mask 'tailscale.nginx-auth.socket' >/dev/null || true
+		    deb-systemd-helper mask 'tailscale.nginx-auth.service' >/dev/null || true
+	  fi
+
+    if [ "$1" = "purge" ]; then
+		    deb-systemd-helper purge 'tailscale.nginx-auth.socket' >/dev/null || true
+		    deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
+		    deb-systemd-helper purge 'tailscale.nginx-auth.service' >/dev/null || true
+		    deb-systemd-helper unmask 'tailscale.nginx-auth.service' >/dev/null || true
+	  fi
+fi
--- a/cmd/nginx-auth/deb/prerm.sh
+++ b/cmd/nginx-auth/deb/prerm.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+if [ "$1" = "remove" ]; then
+	  if [ -d /run/systemd/system ]; then
+		    deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
+		    deb-systemd-invoke stop 'tailscale.nginx-auth.socket' >/dev/null || true
+	  fi
+fi
--- a/cmd/nginx-auth/mkdeb.sh
+++ b/cmd/nginx-auth/mkdeb.sh
@ -4,20 +4,28 @@ set -e

 CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .

-mkpkg \
-    --out tailscale-nginx-auth-0.1.0-amd64.deb \
-    --name=tailscale-nginx-auth \
-    --version=0.1.0 \
-    --type=deb\
-    --arch=amd64 \
-    --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service
+VERSION=0.1.1

 mkpkg \
-    --out tailscale-nginx-auth-0.1.0-amd64.rpm \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
    --name=tailscale-nginx-auth \
-    --version=0.1.0 \
+    --version=${VERSION} \
+    --type=deb \
+    --arch=amd64 \
+    --postinst=deb/postinst.sh \
+    --postrm=deb/postrm.sh \
+    --prerm=deb/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
    --type=rpm \
    --arch=amd64 \
+    --postinst=rpm/postinst.sh \
+    --postrm=rpm/postrm.sh \
+    --prerm=rpm/prerm.sh \
    --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@ -17,6 +17,7 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
+	"net/url"
 	"os"
 	"strings"

@ -75,6 +76,12 @@ func main() {
 			return
 		}

+		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
+			w.WriteHeader(http.StatusForbidden)
+			log.Printf("user is part of tailnet %s, wanted: %s", tailnet, url.QueryEscape(expectedTailnet))
+			return
+		}
+
 		h := w.Header()
 		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
 		h.Set("Tailscale-User", info.UserProfile.LoginName)
--- a/cmd/nginx-auth/rpm/postinst.sh
+++ b/cmd/nginx-auth/rpm/postinst.sh
--- a/cmd/nginx-auth/rpm/postrm.sh
+++ b/cmd/nginx-auth/rpm/postrm.sh
@ -0,0 +1,9 @@
+# $1 == 0 for uninstallation.
+# $1 == 1 for removing old package during upgrade.
+
+systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    systemctl stop tailscale.nginx-auth.service >/dev/null 2>&1 || :
+    systemctl try-restart tailscale.nginx-auth.socket >/dev/null 2>&1 || :
+fi
--- a/cmd/nginx-auth/rpm/prerm.sh
+++ b/cmd/nginx-auth/rpm/prerm.sh
@ -0,0 +1,9 @@
+# $1 == 0 for uninstallation.
+# $1 == 1 for removing old package during upgrade.
+
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    systemctl --no-reload disable tailscale.nginx-auth.socket > /dev/null 2>&1 || :
+    systemctl stop tailscale.nginx-auth.socket > /dev/null 2>&1 || :
+    systemctl stop tailscale.nginx-auth.service > /dev/null 2>&1 || :
+fi