You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Caddy has the concept of placeholders that allow injecting dynamic values in the Caddy configuration. These can come from a variety of sources such as environment variables, file contents, HTTP Request data, etc. caddy-tailscale currently populates various user data in the http.auth.user placeholder object.
One key thing that we don't currently expose is application grants. This is application-specific data that is defined in the Tailscale policy file, and then passed along to the application to interpret and use. We should make this available to pass along to applications as well as for using it in Caddy CEL expressesions.
So, for example, given the following grant in a Tailscale policy file:
or just pass it along to the backend appplication:
header_up X-Tailscale-Grants {tailscale.grants}
A good example of hooking into the placeholder replacer system can be seen in https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/replacer.go. Because the application grant itself is opaque, if we want to allow exposing it all then we can't do simple prefix matching like caddyhttp. We might have to bring in a full JSONPath library to evaluate the placeholder.
The text was updated successfully, but these errors were encountered:
Caddy has the concept of placeholders that allow injecting dynamic values in the Caddy configuration. These can come from a variety of sources such as environment variables, file contents, HTTP Request data, etc. caddy-tailscale currently populates various user data in the
http.auth.userplaceholder object.One key thing that we don't currently expose is application grants. This is application-specific data that is defined in the Tailscale policy file, and then passed along to the application to interpret and use. We should make this available to pass along to applications as well as for using it in Caddy CEL expressesions.
So, for example, given the following grant in a Tailscale policy file:
{ "src": "autogroup:admins", "dst": "tag:caddy", "app": { "example.com/app": [ { "admin": true }, ], }, }You could theoretically use that in a Caddyfile with something like:
or just pass it along to the backend appplication:
A good example of hooking into the placeholder replacer system can be seen in https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/replacer.go. Because the application grant itself is opaque, if we want to allow exposing it all then we can't do simple prefix matching like caddyhttp. We might have to bring in a full JSONPath library to evaluate the placeholder.
The text was updated successfully, but these errors were encountered: