Hacker News

shibel, yesterday at 11:58 PM

I need to finish off that blog post.

With Tailscale, you can basically point a domain to the FQDN of a machine you’re sharing with people and the domain will simply work for them (and only them)[1]. But for it to work without them having to know or specify the specific application port, you have to grant them access to 443 (and 80) in your Tailscale ACL for that specific host.

So yeah, now immich.familydomain.com works without family members having to remember the specific port. BUT, serveradmin.familydomain.com (another app on the same host) will ALSO be accessible to them (from a networking POV). We opened port 443/80 for that host after all.

I took a few hours with Claude back in January (?) and we wrote a tiny Go authorization gateway which basically consults both Tailscale’s public API and Tailscale’s `localapi` and returns the appropriate response to Caddy based on the requesting user’s actual allowed ports.

So now I can share different apps (subdomains) with different people without forfeiting access controls, all driven by Tailscale’s policy file.

(I hope I didn’t mess up the crux of it, pretty late here)

Edit: why not (something like) Authentik? Quoting from the draft:

  I contemplated this for a bit but one thing I kept thinking about is:

  _They're already logged in to Tailscale_

  Why do I need to install and configure another full-blown app dedicated to doing something Tailscale already did? Why have the users go through two hops of authentication?
[1]: https://www.youtube.com/watch?v=Vt4PDUXB_fg
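The gateway shibel describes, as an added example that is not the commenter's own code: a small Go forward-auth service that Caddy calls before proxying a request. It learns who the caller is from a Tailscale "whois" lookup (abstracted behind an interface here; the real `tailscale.com/client/tailscale` `LocalClient.WhoIs` call is assumed, and a constructed stub stands in for it so the block runs offline), maps the requested subdomain to the backend host and the real application port, and only returns 200 when the caller's ACL grants cover that host:port. The hostnames come from the comment; the backend ports, tailnet addresses, user logins, and the `X-Forwarded-Host` / `X-Forwarded-For` header handling are assumptions about the deployment.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Identity is what the gateway learns about the caller from Tailscale.
type Identity struct {
	Login string // e.g. "cousin@example.com" (constructed)
}

// IdentityResolver abstracts the Tailscale localapi "whois" lookup.
// Assumption: in a real deployment this wraps LocalClient.WhoIs, which maps
// the peer's tailnet source address to the authenticated Tailscale user.
type IdentityResolver interface {
	WhoIs(ctx context.Context, remoteAddr string) (Identity, error)
}

// Target is the app a public hostname fronts: the backend host and the real
// application port named in the Tailscale ACL, not the 443 Caddy listens on.
type Target struct {
	Host string
	Port int
}

// Grant is one ACL destination a user holds, e.g. nas:2283. Port 0 means "*".
type Grant struct {
	Host string
	Port int
}

// Gateway holds the subdomain -> app table and the per-user ACL grants.
// Assumption: the grants are pulled from the tailnet policy file via the
// Tailscale API at startup; here they are a constructed in-memory table.
type Gateway struct {
	resolver IdentityResolver
	apps     map[string]Target
	grants   map[string][]Grant
}

// Decide returns the HTTP status Caddy should see plus a short detail string
// (the login on success, a reason on failure). 404: unknown subdomain;
// 401: caller is not a tailnet peer; 403: peer has no ACL grant for the app.
func (g *Gateway) Decide(ctx context.Context, remoteAddr, hostHeader string) (int, string) {
	host := strings.ToLower(hostHeader)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // strip an explicit :port if the proxy forwarded one
	}
	target, ok := g.apps[host]
	if !ok {
		return http.StatusNotFound, "unknown app " + host
	}
	id, err := g.resolver.WhoIs(ctx, remoteAddr)
	if err != nil {
		return http.StatusUnauthorized, "not a tailnet peer"
	}
	for _, gr := range g.grants[id.Login] {
		if strings.EqualFold(gr.Host, target.Host) && (gr.Port == 0 || gr.Port == target.Port) {
			return http.StatusOK, id.Login
		}
	}
	return http.StatusForbidden, fmt.Sprintf("%s has no grant for %s:%d", id.Login, target.Host, target.Port)
}

// ServeHTTP is the endpoint Caddy's forward_auth directive calls.
// Assumption: Caddy forwards the original Host in X-Forwarded-Host and the
// client's tailnet address in X-Forwarded-For; otherwise RemoteAddr is used.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	remote := r.RemoteAddr
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		remote = strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	status, detail := g.Decide(r.Context(), remote, r.Header.Get("X-Forwarded-Host"))
	if status == http.StatusOK {
		w.Header().Set("Remote-User", detail) // Caddy can copy this upstream
	}
	w.WriteHeader(status)
	fmt.Fprintln(w, detail)
}

// stubResolver is a constructed stand-in for the localapi whois lookup.
type stubResolver map[string]Identity

func (s stubResolver) WhoIs(_ context.Context, addr string) (Identity, error) {
	ip := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		ip = h
	}
	id, ok := s[ip]
	if !ok {
		return Identity{}, fmt.Errorf("no tailnet identity for %s", ip)
	}
	return id, nil
}

// NewDemoGateway wires up constructed sample data: two apps on host "nas",
// a family member allowed only the Immich port, and an admin allowed "*".
func NewDemoGateway() *Gateway {
	return &Gateway{
		resolver: stubResolver{
			"100.64.0.10": {Login: "cousin@example.com"},
			"100.64.0.1":  {Login: "admin@example.com"},
		},
		apps: map[string]Target{
			"immich.familydomain.com":      {Host: "nas", Port: 2283},
			"serveradmin.familydomain.com": {Host: "nas", Port: 9090},
		},
		grants: map[string][]Grant{
			"cousin@example.com": {{Host: "nas", Port: 2283}},
			"admin@example.com":  {{Host: "nas", Port: 0}},
		},
	}
}

func main() {
	g := NewDemoGateway()
	ctx := context.Background()
	for _, host := range []string{"immich.familydomain.com", "serveradmin.familydomain.com"} {
		status, detail := g.Decide(ctx, "100.64.0.10:51234", host)
		fmt.Printf("%-30s -> %d %s\n", host, status, detail)
	}
}
```

The check is against the application's real port, so opening 443/80 on the host in the Tailscale ACL (needed so Caddy can answer at all) no longer widens who can reach each subdomain: Caddy's forward_auth only proxies when this gateway answers 200.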

Replies

abeyer, today at 12:06 AM

authentik is also an oidc provider... couldn't it also be the way they auth to tailscale too?
