mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-01 14:05:39 +00:00
64 lines
2.1 KiB
JSON
64 lines
2.1 KiB
JSON
{
|
|
// Declare static groups of users beyond those in the identity service
|
|
"Groups": {
|
|
"group:eng": ["u1@example.com", "u2@example.com"]
|
|
},
|
|
|
|
// Declare convenient hostname aliases to use in place of IP addresses
|
|
"Hosts": {
|
|
"h222": "100.2.2.2"
|
|
},
|
|
|
|
// Access control list
|
|
"ACLs": [
|
|
{
|
|
"Action": "accept",
|
|
// Match any of several users
|
|
"Users": ["a@example.com", "b@example.com"],
|
|
// Match any port on h222, and port 22 of 10.1.2.3
|
|
"Ports": ["h222:*", "10.1.2.3:22"]
|
|
},
|
|
{
|
|
"Action": "accept",
|
|
// Match any user at all
|
|
"Users": ["*"],
|
|
// Match port 80 on one machine, ports 53 and 5353 on a second one,
|
|
// and ports 8000 through 8080 (a port range) on a third one.
|
|
"Ports": ["h222:80", "10.8.8.8:53,5353", "10.2.3.4:8000-8080"]
|
|
},
|
|
{
|
|
"Action": "accept",
|
|
// Match all users in the "Admin" role (network administrators)
|
|
"Users": ["role:Admin", "group:eng"],
|
|
// Allow access to port 22 on all servers
|
|
"Ports": ["*:22"]
|
|
},
|
|
{
|
|
"Action": "accept",
|
|
"Users": ["role:User"],
|
|
// Match only windows and linux workstations (not implemented yet)
|
|
"OS": ["windows", "linux"],
|
|
// Only desktop machines are allowed to access this server
|
|
"Ports": ["10.1.1.1:443"]
|
|
},
|
|
{
|
|
"Action": "accept",
|
|
"Users": ["*"],
|
|
// Match machines which have never been authorized, or which expired.
|
|
// (not implemented yet)
|
|
"MachineAuth": ["unauthorized", "expired"],
|
|
// Logged-in users on unauthorized machines can access the email server.
|
|
// Open the TLS ports for SMTP, IMAP, and HTTP.
|
|
"Ports": ["10.1.2.3:465", "10.1.2.3:993", "10.1.2.3:443"]
|
|
},
|
|
|
|
// Match absolutely everything. Comment out this section if you want
|
|
// the above ACLs to apply.
|
|
{ "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
|
|
|
|
// Leave this line here so that every rule can end in a comma.
|
|
// It has no effect since it has no matching rules.
|
|
{"Action": "accept"}
|
|
]
|
|
}
|