// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  // "groups": {
  //   "group:example": ["alice@example.com", "bob@example.com"],
  // },

  // Define the tags which can be applied to devices and by which users.
  // "tagOwners": {
  //   "tag:example": ["autogroup:admin"],
  // },

  // Define grants that govern access for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  "grants": [
    // Allow all connections.
    // Comment this section out if you want to define specific restrictions.
    {"src": ["*"], "dst": ["*"], "ip": ["*"]},

    // Allow users in "group:example" to access "tag:example", but only from
    // devices that are running macOS and have enabled Tailscale client auto-updating.
    // {"src": ["group:example"], "dst": ["tag:example"], "ip": ["*"], "srcPosture":["posture:autoUpdateMac"]},
  ],

  // Define postures that will be applied to all rules without any specific
  // srcPosture definition.
  // "defaultSrcPosture": [
  //   "posture:anyMac",
  // ],

  // Define device posture rules requiring devices to meet
  // certain criteria to access parts of your system.
  // "postures": {
  //   // Require devices running macOS, a stable Tailscale
  //   // version and auto update enabled for Tailscale.
  //   "posture:autoUpdateMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //     "node:tsAutoUpdate",
  //   ],
  //   // Require devices running macOS and a stable
  //   // Tailscale version.
  //   "posture:anyMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //   ],
  // },

  // Define users and devices that can use Tailscale SSH.
  "ssh": [
    // Allow all users to SSH into their own devices in check mode.
    // Comment this section out if you want to define specific restrictions.
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  // Test access rules every time they're saved.
  // "tests": [
  //   {
  //     "src": "alice@example.com",
  //     "accept": ["tag:example"],
  //     "deny": ["100.101.102.103:443"],
  //   },
  // ],

  "derpMap": {
    "OmitDefaultRegions": true, // OmitDefaultRegions drops Tailscale's official relay nodes
    "Regions": {
      "901": {
        "RegionID": 901, // use 900 and above
        "RegionCode": "Aliyun-JP", // region code, shown in `tailscale netcheck`
        "RegionName": "日本东京阿里云", // region name, shown in `tailscale netcheck`
        "Nodes": [
          {
            "Name": "aliyun-jp-1", // any name you like
            "RegionID": 901, // matches the RegionID above
            "HostName": "dreper.abc.com", // your DERP server's domain name
            "DERPPort": 443, // your DERP server's port
          },
        ],
      },
      // more DERP nodes
    },
  },
}
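As an added example, not part of the original policy file or of Tailscale's tooling: a Python checker that parses a HuJSON policy of the shape above (stripping `//` comments and trailing commas) and flags what a reviewer would look at first, the unrestricted wildcard grant and custom DERP regions whose RegionID, node IDs or HostName are malformed. The embedded sample policy is constructed, and the 900-and-above rule is the one the file's own comment states.

```python
import json
import re
# Constructed sample (not the page's exact file): the unrestricted grant plus
# a custom DERP region, in the same HuJSON shape as the policy above.
SAMPLE_POLICY = r'''{
  // Allow all connections.
  "grants": [ {"src": ["*"], "dst": ["*"], "ip": ["*"]}, ],
  "derpMap": {
    "OmitDefaultRegions": true, // drop the official relays
    "Regions": { "901": { "RegionID": 901, "RegionCode": "Aliyun-JP",
      "Nodes": [{"Name": "aliyun-jp-1", "RegionID": 901, "HostName": "dreper.abc.com", "DERPPort": 443}], }, },
  },
}'''

def hujson_to_obj(text):
    """Parse HuJSON: drop // comments outside string literals, then trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:                          # copy string bodies verbatim
            out.append(c)
            if c == "\\":                   # keep the escaped character too
                out.append(text[i + 1]); i += 1
            in_str = c != '"'
        elif text.startswith("//", i):      # line comment: skip to end of line
            j = text.find("\n", i); i = len(text) if j < 0 else j; continue
        else:
            in_str = c == '"'               # an opening quote starts a string
            out.append(c)
        i += 1
    # Remove commas before } or ], leaving string literals untouched.
    cleaned = re.sub(r'"(?:\\.|[^"\\])*"|,(\s*[}\]])',
                     lambda m: m.group(0) if m.group(1) is None else m.group(1), "".join(out))
    return json.loads(cleaned)

def lint_policy(policy):
    findings = []
    for g in policy.get("grants", []):
        if "*" in g.get("src", []) and "*" in g.get("dst", []):
            findings.append("grant allows any source to reach any destination")
    for key, region in policy.get("derpMap", {}).get("Regions", {}).items():
        rid = region.get("RegionID")
        if not isinstance(rid, int) or str(rid) != key or rid < 900:   # custom IDs: 900 and above
            findings.append(f"region {key}: RegionID must equal its key and be >= 900")
        for node in region.get("Nodes", []):
            if node.get("RegionID") != rid or not node.get("HostName"):
                findings.append(f"node {node.get('Name')}: needs matching RegionID and a HostName")
    return findings
```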