tailscale/sniproxy
Deprecated. Use App Connectors instead (https://tailscale.com/kb/1281/app-connectors)
The sniproxy has been deprecated. Use Tailscale app connectors instead.
The sniproxy allows traffic for one or more domains to be carried across the tailnet to the device where an sniproxy is running before egressing to the public Internet. This is useful for cases where the domain has an allowlist of IP addresses: the IP address of the device running sniproxy can be added to the allowlist, and all nodes on the tailnet will have their traffic egress using that IP address.
sniproxy works by setting itself as the nameserver for domain(s) which should transit the tailnet. It returns its own Tailscale IP address in response to any query. When it receives an HTTPS request, it decodes the SNI header to figure out where on the public Internet to steer the request.
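The decision step described above, as an added illustration (example code written for this page, not code from sniproxy or Tailscale): because every DNS answer points at the proxy itself, the only thing that tells it where an HTTPS connection is really going is the server_name (SNI) extension in the client's TLS ClientHello. `parseSNI` walks one record with full bounds checking and returns that name; `buildClientHello` constructs a sample record so the parser can be exercised offline. Both function names and the sample record are this example's own.

```go
package main

// Added example, not sniproxy's own code: extract the server_name (SNI) from a
// TLS ClientHello, the step that tells the proxy where an HTTPS connection is
// really headed after DNS for the domain was answered with the proxy's address.

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errMalformed = errors.New("malformed or truncated ClientHello")
var errNoSNI = errors.New("ClientHello carries no server_name extension")

// parseSNI returns the host_name from the server_name extension of one TLS record
// holding a ClientHello. Every length is bounds-checked so a truncated or hostile
// record yields an error, never a panic or a bogus destination.
func parseSNI(rec []byte) (string, error) {
	// Record header type(1) version(2) len(2), then handshake header type(1) len(3).
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // 0x16 handshake, 0x01 ClientHello
		return "", errMalformed
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:]))
	hsLen := int(rec[6])<<16 | int(rec[7])<<8 | int(rec[8])
	if hsLen < 34 || recLen < 4+hsLen || len(rec) < 5+recLen {
		return "", errMalformed
	}
	p := rec[43 : 9+hsLen] // past both headers, client_version(2) and random(32)
	var ok bool
	for _, lb := range []int{1, 2, 1} { // skip session_id, cipher_suites, compression_methods
		if _, p, ok = vec(p, lb); !ok {
			return "", errMalformed
		}
	}
	if len(p) == 0 { // the extensions block is optional
		return "", errNoSNI
	}
	exts, _, ok := vec(p, 2)
	if !ok {
		return "", errMalformed
	}
	for len(exts) >= 4 {
		typ := binary.BigEndian.Uint16(exts)
		data, rest, ok := vec(exts[2:], 2)
		if !ok {
			return "", errMalformed
		}
		exts = rest
		if typ != 0 { // extension type 0 = server_name (RFC 6066)
			continue
		}
		list, _, ok := vec(data, 2) // ServerNameList; RFC 6066 permits one host_name
		if !ok || len(list) < 3 || list[0] != 0 { // name_type 0 = host_name
			return "", errNoSNI
		}
		name, _, ok := vec(list[1:], 2)
		if !ok {
			return "", errMalformed
		}
		return string(name), nil
	}
	return "", errNoSNI
}

// vec reads a TLS length-prefixed vector (1- or 2-byte prefix): body, remainder, ok.
func vec(p []byte, lenBytes int) (body, rest []byte, ok bool) {
	if len(p) < lenBytes {
		return nil, nil, false
	}
	n := int(p[0])
	if lenBytes == 2 {
		n = int(binary.BigEndian.Uint16(p))
	}
	if len(p) < lenBytes+n {
		return nil, nil, false
	}
	return p[lenBytes : lenBytes+n], p[lenBytes+n:], true
}

// buildClientHello returns a minimal well-formed ClientHello record carrying a
// server_name extension for host. Constructed sample input, not captured traffic.
func buildClientHello(host string) []byte {
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // client_version, zero random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)          // empty session_id; one suite; null compression
	entry := append(append([]byte{0}, be16(len(host))...), host...) // host_name entry
	sni := append(be16(len(entry)), entry...)                       // ServerNameList
	exts := append(append([]byte{0, 0}, be16(len(sni))...), sni...) // extension type 0
	body = append(append(body, be16(len(exts))...), exts...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...)
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

func main() {
	host, err := parseSNI(buildClientHello("www.example.com"))
	fmt.Println(host, err)
}
```

A stream that is not TLS, or a ClientHello without a server_name extension, comes back as an error rather than a destination; there is nothing the proxy could safely steer it to, which is exactly the gap the fixed-port forwarding described next is for.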
Additionally, sniproxy can be configured to forward traffic for specific TCP ports to a fixed domain, such as sending port 22 SSH traffic to github.com. This allows sniproxy to handle traffic types which do not use SNI and cannot be automatically steered to the appropriate destination.
This means:
To use it, please follow these steps.
An Auth key should be created, which will be used in the next step to authenticate the sniproxy.
We'd recommend running the docker image inside tmux or screen:
docker run --env TS_AUTHKEY=tskey-auth-ab12CD3CNTRL-abcdefghijklmnopqrstuvwxyzabcdef -v ${PWD}:/root/.config/ tailscale/sniproxy:unstable
To configure TCP port forwarding to a destination, add --env TS_APPC_FORWARDS=tcp/<port>/<fqdn>,tcp/<port>/<fqdn>. For example: TS_APPC_FORWARDS=tcp/22/github.com
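An added example of validating a TS_APPC_FORWARDS value before acting on it (example code for this page, not sniproxy's own parser; the function name parseForwards and its rejection rules are assumptions here, not documented behaviour of the image). It turns the documented tcp/<port>/<fqdn> list into a port-to-destination map and refuses malformed entries instead of silently dropping them, which matters because a forward that is quietly ignored leaves traffic for that port unsteered.

```go
package main

// Added example, not sniproxy's own code: parse the TS_APPC_FORWARDS format,
// "tcp/<port>/<fqdn>,tcp/<port>/<fqdn>", into a port-to-destination map.

import (
	"fmt"
	"strconv"
	"strings"
)

// parseForwards maps each TCP port to its fixed destination host. Only "tcp"
// is accepted, matching the documented use (ports that carry no SNI, such as
// 22 to github.com); any malformed or duplicate entry fails the whole value.
func parseForwards(spec string) (map[int]string, error) {
	out := make(map[int]string)
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" { // tolerate a trailing comma or an empty variable
			continue
		}
		parts := strings.Split(item, "/")
		if len(parts) != 3 || parts[0] != "tcp" {
			return nil, fmt.Errorf("forward %q: want tcp/<port>/<fqdn>", item)
		}
		port, err := strconv.Atoi(parts[1])
		if err != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("forward %q: bad port %q", item, parts[1])
		}
		// Normalise the FQDN: lower-case, no trailing dot, no stray scheme/port syntax.
		host := strings.TrimSuffix(strings.ToLower(parts[2]), ".")
		if host == "" || strings.ContainsAny(host, " :/") {
			return nil, fmt.Errorf("forward %q: bad fqdn %q", item, parts[2])
		}
		if prev, dup := out[port]; dup {
			return nil, fmt.Errorf("port %d forwarded to both %s and %s", port, prev, host)
		}
		out[port] = host
	}
	return out, nil
}

func main() {
	// Constructed sample value; the second host is a placeholder, not a real service.
	fw, err := parseForwards("tcp/22/github.com,tcp/3389/desktop.example.net")
	fmt.Println(fw, err)
}
```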
Add a SplitDNS server for the domains to be carried.
The sniproxy is now configured. Accesses to https://www.example.com/ will be carried over the tailnet to the sniproxy before egressing to the Internet. The source IP address will be the public IP address of the device which is running the sniproxy.
When configuring a Software-as-a-Service provider using this mechanism, the provider often uses multiple domains which will all need to be added as SplitDNS entries. A helpful resource for this is the v2fly Project, which curates a list of known domains used by various services.
The sniproxy exports metrics of its operations, reachable from the tailnet on port 8893:
Metrics likely to be of interest:
sniproxy_tls_sessions: number of TLS sessions proxied by decoding the SNI header
sniproxy_tcp_sessions: if TS_APPC_FORWARDS has been configured, there will be a counter labeled per TCP port configured. For example:
sniproxy_tcp_sessions{proto="ssh"} 137
sniproxy_tcp_sessions{proto="rdp"} 12
sniproxy_http_promoted: number of HTTP port 80 sessions which were automatically redirected to HTTPS
sniproxy_bad_addrport, sniproxy_dns_failed: error counters