let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden tailscale serve auth

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-26 12:47:53 +00:00
parent 6859e1e6a6
commit fd9be79be1
10 changed files with 189 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/web/control-ui.md
View File

@@ -70,10 +70,11 @@ Open:
By default, Serve requests can authenticate via Tailscale identity headers
(`tailscale-user-login`) when `gateway.auth.allowTailscale` is `true`. Clawdbot
only accepts these when the request hits loopback with Tailscales
`x-forwarded-*` headers. Set `gateway.auth.allowTailscale: false` (or force
`gateway.auth.mode: "password"`) if you want to require a token/password even
for Serve traffic.
verifies the identity by resolving the `x-forwarded-for` address with
`tailscale whois` and matching it to the header, and only accepts these when the
request hits loopback with Tailscales `x-forwarded-*` headers. Set
`gateway.auth.allowTailscale: false` (or force `gateway.auth.mode: "password"`)
if you want to require a token/password even for Serve traffic.
### Bind to tailnet + token