Private networking support #4727
jazzdan started this conversation in Suggestions
Replies: 1 comment
-
Apologies for the slow reply. This is a nice suggestion; it would be cool to give this sort of secure access to handlers. I don't know how we'd handle the multi-tenant aspect of Dark though.
-
I’ve been using Dark for some “internal apps” at work, though pretty much limited to plumbing webhooks between various public services. (for example: vercel -> discord)
But when I started to consider using it for other internal apps, like getting it involved in our deploys, I realized that I wanted to hook my Dark account up to my Tailscale network.
Tailscale is a tool for creating secure networks. You install Tailscale, run it, sign in to your account and your computer is connected to your Tailscale network. This means that it is given a special Tailscale IP address and can network to your other Tailscale IP addresses. One cool side-effect of this is that if you run a service that is only accessible to your Tailscale network, then you know that a) only authorized people can access it and b) you can look up who is connecting simply by looking at their IP address.
Once you start living the Tailscale life, rolling authn/authz for internal apps really loses its appeal. If it ever had any 😅
How
By default Tailscale uses the operating system's kernel to enable its magic. But it doesn't need to; you can also use Tailscale as an HTTP proxy to get most of the same benefits.
Here's how I would imagine it could work in Dark:
a) connected to Tailscale, and optionally:
b) only accessible via Tailscale
For my use case I would have a set of handlers that are connected to Tailscale and only accessible from Tailscale, so I could easily build back-of-house admin apps without them being accessible to the internet.
But full disclosure: I don't know how Dark is implemented and I've never actually used Tailscale's HTTP proxy support.