From 0afd30d3255dfc3a205c686c1a284ee02670f4b0 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 4 Apr 2026 14:02:29 +0100 Subject: [PATCH] docs: refresh shared-secret auth mirrors --- docs/gateway/security/index.md | 7 +++++-- docs/platforms/digitalocean.md | 2 +- docs/web/control-ui.md | 5 +++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 4126182b976..806c467b129 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -936,11 +936,14 @@ Important boundary note: **Trust assumption:** tokenless Serve auth assumes the gateway host is trusted. Do not treat this as protection against hostile same-host processes. If untrusted local code may run on the gateway host, disable `gateway.auth.allowTailscale` -and require token/password auth. +and require explicit shared-secret auth with `gateway.auth.mode: "token"` or +`"password"`. **Security rule:** do not forward these headers from your own reverse proxy. If you terminate TLS or proxy in front of the gateway, disable -`gateway.auth.allowTailscale` and use token/password auth (or [Trusted Proxy Auth](/gateway/trusted-proxy-auth)) instead. +`gateway.auth.allowTailscale` and use shared-secret auth (`gateway.auth.mode: +"token"` or `"password"`) or [Trusted Proxy Auth](/gateway/trusted-proxy-auth) +instead. Trusted proxies: diff --git a/docs/platforms/digitalocean.md b/docs/platforms/digitalocean.md index b50a15e058d..5f3bb2390dc 100644 --- a/docs/platforms/digitalocean.md +++ b/docs/platforms/digitalocean.md @@ -133,7 +133,7 @@ Open: `https:///` Notes: - Serve keeps the Gateway loopback-only and authenticates Control UI/WebSocket traffic via Tailscale identity headers (tokenless auth assumes trusted gateway host; HTTP APIs still require token/password). -- To require token/password instead, set `gateway.auth.allowTailscale: false` or use `gateway.auth.mode: "password"`. +- To require explicit shared-secret credentials instead, set `gateway.auth.allowTailscale: false` and use `gateway.auth.mode: "token"` or `"password"`. **Option C: Tailnet bind (no Serve)** diff --git a/docs/web/control-ui.md b/docs/web/control-ui.md index 45d3b208215..8ddc124ffc4 100644 --- a/docs/web/control-ui.md +++ b/docs/web/control-ui.md @@ -141,8 +141,9 @@ By default, Control UI/WebSocket Serve requests can authenticate via Tailscale i verifies the identity by resolving the `x-forwarded-for` address with `tailscale whois` and matching it to the header, and only accepts these when the request hits loopback with Tailscale’s `x-forwarded-*` headers. Set -`gateway.auth.allowTailscale: false` (or force `gateway.auth.mode: "password"`) -if you want to require a token/password even for Serve traffic. +`gateway.auth.allowTailscale: false` if you want to require explicit shared-secret +credentials even for Serve traffic. Then use `gateway.auth.mode: "token"` or +`"password"`. Tokenless Serve auth assumes the gateway host is trusted. If untrusted local code may run on that host, require token/password auth.