@@ -192,6 +192,44 @@ git push heroku
192192```
1931938. You' re now running your application connecting to your resources via Tailscale.
194194
195+ # # Limit access to web app to Tailscale users
196+
197+ It is possible to serve your web application on Heroku to only users in your tailnet,
198+ but that is outside the scope of this particular buildpack.
199+
200+ That said, this buildpack makes it possible to do so. We solved this by
201+ creating a separate dyno in the ` ` ` ` ` admin_web`
202+ that does the following:
203+
204+ 1. Attempt to restore certificate files from cache.
205+ 2. Revoke previous machine with the desired hostname.
206+ 3. Update current tailscale process to use the desired hostname.
207+ 4. Validate and potentially re-issue certificates for hostname.
208+ 5. Store certificate files in cache.
209+ 6. Serve localhost process on Tailnet for the hostname.
210+ 7. Start web process to serve requests on localhost.
211+
212+ The certificates need to be persisted beyond instances of the dyno to avoid requesting
213+ certificates for the same full DNS path from Let' s Encrypt. Let'
214+ you to 5 requests per week.
215+
216+ The certificate files you' ll need to persist are:
217+
218+ - ``.local/share/tailscale/certs/$TAILSCALE_HOSTNAME.crt``
219+ - ``.local/share/tailscale/certs/$TAILSCALE_HOSTNAME.key``
220+
221+ To serve your application your ``admin_web`` script should do something similar to:
222+
223+ ```shell
224+ # Expose the local 8000 port to the tailnet.
225+ # The URL will be https://<machine-name>.<tailnet>.ts.net
226+ tailscale serve https / http://127.0.0.1:8000
227+ # Generate the current serve status so the logs include the URL.
228+ tailscale serve status
229+ # Start the web server process
230+ exec proxychains4 -f vendor/proxychains-ng/conf/proxychains.conf uvicorn --host 127.0.0.1 --port "8000" project.asgi:application
231+ ```
232+
195233[^1]: You want reusable auth keys here because it will be used across all of your dynos
196234 in the application.
197235
0 commit comments