MyFavMirrors/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2024-12-28 07:05:51 -05:00
Code Issues Packages Projects Releases Wiki Activity
d99864629f
headscale/development/ref/acls/index.html

129 lines
61 KiB
HTML
Raw Normal View History

Deployed 145bf30b to development with MkDocs 1.6.1 and mike 2.1.3
2024-12-02 10:50:02 -05:00
<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=author content="Headscale authors"><link href=https://juanfont.github.io/headscale/development/ref/acls/ rel=canonical><link href=../tls/ rel=prev><link href=../dns/ rel=next><link rel=icon href=../../assets/favicon.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.5.47"><title>ACLs - Headscale</title><link rel=stylesheet href=../../assets/stylesheets/main.6f8fc17f.min.css><link rel=stylesheet href=../../assets/stylesheets/palette.06af60db.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="ACLs - Headscale"><meta property=og:description content="An open source, self-hosted implementation of the Tailscale control server."><meta property=og:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/acls.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://juanfont.github.io/headscale/development/ref/acls/ property=og:url><meta name=twitter:card content=summary_large_image><meta name=twitter:title content="ACLs - Headscale"><meta name=twitter:description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=twitter:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/acls.png></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#acls-use-case-example class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../.. title=Headscale class="md-header__button md-logo" aria-label=Headscale data-md-component=logo> <img src=../../logo/headscale3-dots.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Headscale </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> ACLs </span> </div> </div> </div> <form class=md-header__option data-md-component=palette> <input class=md-option data-md-color-media data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo aria-label="Switch to dark mode" type=radio name=__palette id=__palette_0> <label class="md-header__button md-icon" title="Switch to dark mode" for=__palette_1 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31
</span><span id=__span-0-2><a id=__codelineno-0-2 name=__codelineno-0-2 href=#__codelineno-0-2></a><span class=w> </span><span class=c1>// groups are collections of users having a common scope. A user can be in multiple groups</span>
</span><span id=__span-0-3><a id=__codelineno-0-3 name=__codelineno-0-3 href=#__codelineno-0-3></a><span class=w> </span><span class=c1>// groups cannot be composed of groups</span>
</span><span id=__span-0-4><a id=__codelineno-0-4 name=__codelineno-0-4 href=#__codelineno-0-4></a><span class=w> </span><span class=nt>&quot;groups&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-5><a id=__codelineno-0-5 name=__codelineno-0-5 href=#__codelineno-0-5></a><span class=w> </span><span class=nt>&quot;group:boss&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss&quot;</span><span class=p>],</span>
</span><span id=__span-0-6><a id=__codelineno-0-6 name=__codelineno-0-6 href=#__codelineno-0-6></a><span class=w> </span><span class=nt>&quot;group:dev&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;dev2&quot;</span><span class=p>],</span>
</span><span id=__span-0-7><a id=__codelineno-0-7 name=__codelineno-0-7 href=#__codelineno-0-7></a><span class=w> </span><span class=nt>&quot;group:admin&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1&quot;</span><span class=p>],</span>
</span><span id=__span-0-8><a id=__codelineno-0-8 name=__codelineno-0-8 href=#__codelineno-0-8></a><span class=w> </span><span class=nt>&quot;group:intern&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1&quot;</span><span class=p>]</span>
</span><span id=__span-0-9><a id=__codelineno-0-9 name=__codelineno-0-9 href=#__codelineno-0-9></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-10><a id=__codelineno-0-10 name=__codelineno-0-10 href=#__codelineno-0-10></a><span class=w> </span><span class=c1>// tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.</span>
</span><span id=__span-0-11><a id=__codelineno-0-11 name=__codelineno-0-11 href=#__codelineno-0-11></a><span class=w> </span><span class=c1>// This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)</span>
</span><span id=__span-0-12><a id=__codelineno-0-12 name=__codelineno-0-12 href=#__codelineno-0-12></a><span class=w> </span><span class=c1>// and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)</span>
</span><span id=__span-0-13><a id=__codelineno-0-13 name=__codelineno-0-13 href=#__codelineno-0-13></a><span class=w> </span><span class=nt>&quot;tagOwners&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-14><a id=__codelineno-0-14 name=__codelineno-0-14 href=#__codelineno-0-14></a><span class=w> </span><span class=c1>// the administrators can add servers in production</span>
</span><span id=__span-0-15><a id=__codelineno-0-15 name=__codelineno-0-15 href=#__codelineno-0-15></a><span class=w> </span><span class=nt>&quot;tag:prod-databases&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-16><a id=__codelineno-0-16 name=__codelineno-0-16 href=#__codelineno-0-16></a><span class=w> </span><span class=nt>&quot;tag:prod-app-servers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-17><a id=__codelineno-0-17 name=__codelineno-0-17 href=#__codelineno-0-17></a>
</span><span id=__span-0-18><a id=__codelineno-0-18 name=__codelineno-0-18 href=#__codelineno-0-18></a><span class=w> </span><span class=c1>// the boss can tag any server as internal</span>
</span><span id=__span-0-19><a id=__codelineno-0-19 name=__codelineno-0-19 href=#__codelineno-0-19></a><span class=w> </span><span class=nt>&quot;tag:internal&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:boss&quot;</span><span class=p>],</span>
</span><span id=__span-0-20><a id=__codelineno-0-20 name=__codelineno-0-20 href=#__codelineno-0-20></a>
</span><span id=__span-0-21><a id=__codelineno-0-21 name=__codelineno-0-21 href=#__codelineno-0-21></a><span class=w> </span><span class=c1>// dev can add servers for dev purposes as well as admins</span>
</span><span id=__span-0-22><a id=__codelineno-0-22 name=__codelineno-0-22 href=#__codelineno-0-22></a><span class=w> </span><span class=nt>&quot;tag:dev-databases&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-0-23><a id=__codelineno-0-23 name=__codelineno-0-23 href=#__codelineno-0-23></a><span class=w> </span><span class=nt>&quot;tag:dev-app-servers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;group:dev&quot;</span><span class=p>]</span>
</span><span id=__span-0-24><a id=__codelineno-0-24 name=__codelineno-0-24 href=#__codelineno-0-24></a>
</span><span id=__span-0-25><a id=__codelineno-0-25 name=__codelineno-0-25 href=#__codelineno-0-25></a><span class=w> </span><span class=c1>// interns cannot add servers</span>
</span><span id=__span-0-26><a id=__codelineno-0-26 name=__codelineno-0-26 href=#__codelineno-0-26></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-27><a id=__codelineno-0-27 name=__codelineno-0-27 href=#__codelineno-0-27></a><span class=w> </span><span class=c1>// hosts should be defined using its IP addresses and a subnet mask.</span>
</span><span id=__span-0-28><a id=__codelineno-0-28 name=__codelineno-0-28 href=#__codelineno-0-28></a><span class=w> </span><span class=c1>// to define a single host, use a /32 mask. You cannot use DNS entries here,</span>
</span><span id=__span-0-29><a id=__codelineno-0-29 name=__codelineno-0-29 href=#__codelineno-0-29></a><span class=w> </span><span class=c1>// as they&#39;re prone to be hijacked by replacing their IP addresses.</span>
</span><span id=__span-0-30><a id=__codelineno-0-30 name=__codelineno-0-30 href=#__codelineno-0-30></a><span class=w> </span><span class=c1>// see https://github.com/tailscale/tailscale/issues/3800 for more information.</span>
</span><span id=__span-0-31><a id=__codelineno-0-31 name=__codelineno-0-31 href=#__codelineno-0-31></a><span class=w> </span><span class=nt>&quot;hosts&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-32><a id=__codelineno-0-32 name=__codelineno-0-32 href=#__codelineno-0-32></a><span class=w> </span><span class=nt>&quot;postgresql.internal&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;10.20.0.2/32&quot;</span><span class=p>,</span>
</span><span id=__span-0-33><a id=__codelineno-0-33 name=__codelineno-0-33 href=#__codelineno-0-33></a><span class=w> </span><span class=nt>&quot;webservers.internal&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;10.20.10.1/29&quot;</span>
</span><span id=__span-0-34><a id=__codelineno-0-34 name=__codelineno-0-34 href=#__codelineno-0-34></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-35><a id=__codelineno-0-35 name=__codelineno-0-35 href=#__codelineno-0-35></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-36><a id=__codelineno-0-36 name=__codelineno-0-36 href=#__codelineno-0-36></a><span class=w> </span><span class=c1>// boss have access to all servers</span>
</span><span id=__span-0-37><a id=__codelineno-0-37 name=__codelineno-0-37 href=#__codelineno-0-37></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-38><a id=__codelineno-0-38 name=__codelineno-0-38 href=#__codelineno-0-38></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-39><a id=__codelineno-0-39 name=__codelineno-0-39 href=#__codelineno-0-39></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:boss&quot;</span><span class=p>],</span>
</span><span id=__span-0-40><a id=__codelineno-0-40 name=__codelineno-0-40 href=#__codelineno-0-40></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-41><a id=__codelineno-0-41 name=__codelineno-0-41 href=#__codelineno-0-41></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-42><a id=__codelineno-0-42 name=__codelineno-0-42 href=#__codelineno-0-42></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-43><a id=__codelineno-0-43 name=__codelineno-0-43 href=#__codelineno-0-43></a><span class=w> </span><span class=s2>&quot;tag:internal:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-44><a id=__codelineno-0-44 name=__codelineno-0-44 href=#__codelineno-0-44></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-45><a id=__codelineno-0-45 name=__codelineno-0-45 href=#__codelineno-0-45></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span>
</span><span id=__span-0-46><a id=__codelineno-0-46 name=__codelineno-0-46 href=#__codelineno-0-46></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-47><a id=__codelineno-0-47 name=__codelineno-0-47 href=#__codelineno-0-47></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-48><a id=__codelineno-0-48 name=__codelineno-0-48 href=#__codelineno-0-48></a>
</span><span id=__span-0-49><a id=__codelineno-0-49 name=__codelineno-0-49 href=#__codelineno-0-49></a><span class=w> </span><span class=c1>// admin have only access to administrative ports of the servers, in tcp/22</span>
</span><span id=__span-0-50><a id=__codelineno-0-50 name=__codelineno-0-50 href=#__codelineno-0-50></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-51><a id=__codelineno-0-51 name=__codelineno-0-51 href=#__codelineno-0-51></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-52><a id=__codelineno-0-52 name=__codelineno-0-52 href=#__codelineno-0-52></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-53><a id=__codelineno-0-53 name=__codelineno-0-53 href=#__codelineno-0-53></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;tcp&quot;</span><span class=p>,</span>
</span><span id=__span-0-54><a id=__codelineno-0-54 name=__codelineno-0-54 href=#__codelineno-0-54></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-55><a id=__codelineno-0-55 name=__codelineno-0-55 href=#__codelineno-0-55></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-56><a id=__codelineno-0-56 name=__codelineno-0-56 href=#__codelineno-0-56></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-57><a id=__codelineno-0-57 name=__codelineno-0-57 href=#__codelineno-0-57></a><span class=w> </span><span class=s2>&quot;tag:internal:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-58><a id=__codelineno-0-58 name=__codelineno-0-58 href=#__codelineno-0-58></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-59><a id=__codelineno-0-59 name=__codelineno-0-59 href=#__codelineno-0-59></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:22&quot;</span>
</span><span id=__span-0-60><a id=__codelineno-0-60 name=__codelineno-0-60 href=#__codelineno-0-60></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-61><a id=__codelineno-0-61 name=__codelineno-0-61 href=#__codelineno-0-61></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-62><a id=__codelineno-0-62 name=__codelineno-0-62 href=#__codelineno-0-62></a>
</span><span id=__span-0-63><a id=__codelineno-0-63 name=__codelineno-0-63 href=#__codelineno-0-63></a><span class=w> </span><span class=c1>// we also allow admin to ping the servers</span>
</span><span id=__span-0-64><a id=__codelineno-0-64 name=__codelineno-0-64 href=#__codelineno-0-64></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-65><a id=__codelineno-0-65 name=__codelineno-0-65 href=#__codelineno-0-65></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-66><a id=__codelineno-0-66 name=__codelineno-0-66 href=#__codelineno-0-66></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-67><a id=__codelineno-0-67 name=__codelineno-0-67 href=#__codelineno-0-67></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;icmp&quot;</span><span class=p>,</span>
</span><span id=__span-0-68><a id=__codelineno-0-68 name=__codelineno-0-68 href=#__codelineno-0-68></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-69><a id=__codelineno-0-69 name=__codelineno-0-69 href=#__codelineno-0-69></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-70><a id=__codelineno-0-70 name=__codelineno-0-70 href=#__codelineno-0-70></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-71><a id=__codelineno-0-71 name=__codelineno-0-71 href=#__codelineno-0-71></a><span class=w> </span><span class=s2>&quot;tag:internal:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-72><a id=__codelineno-0-72 name=__codelineno-0-72 href=#__codelineno-0-72></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-73><a id=__codelineno-0-73 name=__codelineno-0-73 href=#__codelineno-0-73></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span>
</span><span id=__span-0-74><a id=__codelineno-0-74 name=__codelineno-0-74 href=#__codelineno-0-74></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-75><a id=__codelineno-0-75 name=__codelineno-0-75 href=#__codelineno-0-75></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-76><a id=__codelineno-0-76 name=__codelineno-0-76 href=#__codelineno-0-76></a>
</span><span id=__span-0-77><a id=__codelineno-0-77 name=__codelineno-0-77 href=#__codelineno-0-77></a><span class=w> </span><span class=c1>// developers have access to databases servers and application servers on all ports</span>
</span><span id=__span-0-78><a id=__codelineno-0-78 name=__codelineno-0-78 href=#__codelineno-0-78></a><span class=w> </span><span class=c1>// they can only view the applications servers in prod and have no access to databases servers in production</span>
</span><span id=__span-0-79><a id=__codelineno-0-79 name=__codelineno-0-79 href=#__codelineno-0-79></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-80><a id=__codelineno-0-80 name=__codelineno-0-80 href=#__codelineno-0-80></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-81><a id=__codelineno-0-81 name=__codelineno-0-81 href=#__codelineno-0-81></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-0-82><a id=__codelineno-0-82 name=__codelineno-0-82 href=#__codelineno-0-82></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-83><a id=__codelineno-0-83 name=__codelineno-0-83 href=#__codelineno-0-83></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-84><a id=__codelineno-0-84 name=__codelineno-0-84 href=#__codelineno-0-84></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-85><a id=__codelineno-0-85 name=__codelineno-0-85 href=#__codelineno-0-85></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:80,443&quot;</span>
</span><span id=__span-0-86><a id=__codelineno-0-86 name=__codelineno-0-86 href=#__codelineno-0-86></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-87><a id=__codelineno-0-87 name=__codelineno-0-87 href=#__codelineno-0-87></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-88><a id=__codelineno-0-88 name=__codelineno-0-88 href=#__codelineno-0-88></a><span class=w> </span><span class=c1>// developers have access to the internal network through the router.</span>
</span><span id=__span-0-89><a id=__codelineno-0-89 name=__codelineno-0-89 href=#__codelineno-0-89></a><span class=w> </span><span class=c1>// the internal network is composed of HTTPS endpoints and Postgresql</span>
</span><span id=__span-0-90><a id=__codelineno-0-90 name=__codelineno-0-90 href=#__codelineno-0-90></a><span class=w> </span><span class=c1>// database servers. There&#39;s an additional rule to allow traffic to be</span>
</span><span id=__span-0-91><a id=__codelineno-0-91 name=__codelineno-0-91 href=#__codelineno-0-91></a><span class=w> </span><span class=c1>// forwarded to the internal subnet, 10.20.0.0/16. See this issue</span>
</span><span id=__span-0-92><a id=__codelineno-0-92 name=__codelineno-0-92 href=#__codelineno-0-92></a><span class=w> </span><span class=c1>// https://github.com/juanfont/headscale/issues/502</span>
</span><span id=__span-0-93><a id=__codelineno-0-93 name=__codelineno-0-93 href=#__codelineno-0-93></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-94><a id=__codelineno-0-94 name=__codelineno-0-94 href=#__codelineno-0-94></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-95><a id=__codelineno-0-95 name=__codelineno-0-95 href=#__codelineno-0-95></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-0-96><a id=__codelineno-0-96 name=__codelineno-0-96 href=#__codelineno-0-96></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;10.20.0.0/16:443,5432&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;router.internal:0&quot;</span><span class=p>]</span>
</span><span id=__span-0-97><a id=__codelineno-0-97 name=__codelineno-0-97 href=#__codelineno-0-97></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-98><a id=__codelineno-0-98 name=__codelineno-0-98 href=#__codelineno-0-98></a>
</span><span id=__span-0-99><a id=__codelineno-0-99 name=__codelineno-0-99 href=#__codelineno-0-99></a><span class=w> </span><span class=c1>// servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to</span>
</span><span id=__span-0-100><a id=__codelineno-0-100 name=__codelineno-0-100 href=#__codelineno-0-100></a><span class=w> </span><span class=c1>// applications servers</span>
</span><span id=__span-0-101><a id=__codelineno-0-101 name=__codelineno-0-101 href=#__codelineno-0-101></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-102><a id=__codelineno-0-102 name=__codelineno-0-102 href=#__codelineno-0-102></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-103><a id=__codelineno-0-103 name=__codelineno-0-103 href=#__codelineno-0-103></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-app-servers&quot;</span><span class=p>],</span>
</span><span id=__span-0-104><a id=__codelineno-0-104 name=__codelineno-0-104 href=#__codelineno-0-104></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;tcp&quot;</span><span class=p>,</span>
</span><span id=__span-0-105><a id=__codelineno-0-105 name=__codelineno-0-105 href=#__codelineno-0-105></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-databases:5432&quot;</span><span class=p>]</span>
</span><span id=__span-0-106><a id=__codelineno-0-106 name=__codelineno-0-106 href=#__codelineno-0-106></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-107><a id=__codelineno-0-107 name=__codelineno-0-107 href=#__codelineno-0-107></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-108><a id=__codelineno-0-108 name=__codelineno-0-108 href=#__codelineno-0-108></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-109><a id=__codelineno-0-109 name=__codelineno-0-109 href=#__codelineno-0-109></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-app-servers&quot;</span><span class=p>],</span>
</span><span id=__span-0-110><a id=__codelineno-0-110 name=__codelineno-0-110 href=#__codelineno-0-110></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-databases:5432&quot;</span><span class=p>]</span>
</span><span id=__span-0-111><a id=__codelineno-0-111 name=__codelineno-0-111 href=#__codelineno-0-111></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-112><a id=__codelineno-0-112 name=__codelineno-0-112 href=#__codelineno-0-112></a>
</span><span id=__span-0-113><a id=__codelineno-0-113 name=__codelineno-0-113 href=#__codelineno-0-113></a><span class=w> </span><span class=c1>// interns have access to dev-app-servers only in reading mode</span>
</span><span id=__span-0-114><a id=__codelineno-0-114 name=__codelineno-0-114 href=#__codelineno-0-114></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-115><a id=__codelineno-0-115 name=__codelineno-0-115 href=#__codelineno-0-115></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-116><a id=__codelineno-0-116 name=__codelineno-0-116 href=#__codelineno-0-116></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:intern&quot;</span><span class=p>],</span>
</span><span id=__span-0-117><a id=__codelineno-0-117 name=__codelineno-0-117 href=#__codelineno-0-117></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-app-servers:80,443&quot;</span><span class=p>]</span>
</span><span id=__span-0-118><a id=__codelineno-0-118 name=__codelineno-0-118 href=#__codelineno-0-118></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-119><a id=__codelineno-0-119 name=__codelineno-0-119 href=#__codelineno-0-119></a>
</span><span id=__span-0-120><a id=__codelineno-0-120 name=__codelineno-0-120 href=#__codelineno-0-120></a><span class=w> </span><span class=c1>// We still have to allow internal users communications since nothing guarantees that each user have</span>
</span><span id=__span-0-121><a id=__codelineno-0-121 name=__codelineno-0-121 href=#__codelineno-0-121></a><span class=w> </span><span class=c1>// their own users.</span>
</span><span id=__span-0-122><a id=__codelineno-0-122 name=__codelineno-0-122 href=#__codelineno-0-122></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-123><a id=__codelineno-0-123 name=__codelineno-0-123 href=#__codelineno-0-123></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-124><a id=__codelineno-0-124 name=__codelineno-0-124 href=#__codelineno-0-124></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev2&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev2:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-125><a id=__codelineno-0-125 name=__codelineno-0-125 href=#__codelineno-0-125></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-126><a id=__codelineno-0-126 name=__codelineno-0-126 href=#__codelineno-0-126></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>}</span>
</span><span id=__span-0-127><a id=__codelineno-0-127 name=__codelineno-0-127 href=#__codelineno-0-127></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-128><a id=__codelineno-0-128 name=__codelineno-0-128 href=#__codelineno-0-128></a><span class=p>}</span>
</span></code></pre></div> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> <button type=button class="md-top md-icon" data-md-component=top hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg> Back to top </button> </main> <footer class=md-footer> <nav class="md-footer__inner md-grid" aria-label=Footer> <a href=../tls/ class="md-footer__link md-footer__link--prev" aria-label="Previous: TLS"> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class=md-footer__title> <span class=md-footer__direction> Previous </span> <div class=md-ellipsis> TLS </div> </div> </a> <a href=../dns/ class="md-footer__link md-footer__link--next" aria-label="Next: DNS"> <div class=md-footer__title> <span class=md-footer__direction> Next </span> <div class=md-ellipsis> DNS </div> </div> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> <div class=md-copyright__highlight> Copyright &copy; 2024 Headscale authors </div> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> <div class=md-social> <a href=https://github.com/juanfont/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 496 512"><!-- Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg> </a> <a href=https://ko-fi.com/headscale target=_blank rel=noopener title=ko-fi.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M2 21h18v-2H2M20 8h-2V5h2m0-2H4v10a4 4 0 0 0 4 4h6a4 4 0 0 0 4-4v-3h2a2 2 0 0 0 2-2V5a2 2 0 0 0-2-2"/></svg> </a> <a href=https://github.com/juanfont/headscale/pkgs/container/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 640 512"><!-- Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M349.9 236.3h-66.1v-59.4h66.1z
Reference in New Issue Copy Permalink