
Could you share your ACL setup? I haven't had time to look at it much but this sounds like exactly what I want to do.



The ACLs might look a bit scary at first, but they are actually quite intuitive once you have coded up a rule or two.

It basically works by tagging machines (especially those deployed with an API key) and grouping users. Then you set up rules which define which groups and tags can communicate with each other on specific ports. Since the default rule is DENY, you only need to specify rules for communication you actually want to allow.

For instance you would create a tag for `servers` and a group for `sre`. Then you set up an ACL rule like this to allow SRE to ssh into servers:

    {
        "action": "accept",
        "src":    ["group:sre"],
        "dst":    ["tag:server:22"]
    }

Because there is no rule with `group:sre` in `src` and `dst`, SREs cannot connect to each other's machines.

The Tailscale docs are really good. And the videos they have are a great starting point if you don't come from a networking background.

[0]: https://tailscale.com/kb/1018/acls
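As an added illustration (not part of the comment above), here is a complete Tailscale policy file around that rule, with the group membership, the tag owners, and a `tests` section that makes the tailnet reject the policy if SREs ever lose SSH to servers or gain access to each other's machines. The user addresses are constructed placeholders.

```json
{
  // Who may apply tag:server to a machine (or to an auth key).
  "tagOwners": {
    "tag:server": ["group:sre"]
  },

  // Group membership; these addresses are constructed for the example.
  "groups": {
    "group:sre": ["alice@example.com", "bob@example.com"]
  },

  // Default is deny, so only the traffic listed here is allowed.
  "acls": [
    {
      "action": "accept",
      "src":    ["group:sre"],
      "dst":    ["tag:server:22"]
    }
  ],

  // Policy tests: Tailscale refuses to save the file if any fails,
  // which catches a rule that silently opens SRE-to-SRE access.
  "tests": [
    {
      "src":    "alice@example.com",
      "accept": ["tag:server:22"],
      "deny":   ["tag:server:80", "bob@example.com:22"]
    }
  ]
}
```

The file is HuJSON, so the comments are valid when pasted into the admin console's Access Controls editor.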



