TailscalePolicy on Ops FreeEdge https://ops.freeedge.uk/tags/tailscalepolicy/ Recent content in TailscalePolicy on Ops FreeEdge Hugo en-us Fri, 03 Apr 2026 15:25:00 +0000 Tailscale ACL 策略管理深度解析 https://ops.freeedge.uk/posts/tailscale-acl-policy-deep-dive/ Fri, 03 Apr 2026 15:25:00 +0000 https://ops.freeedge.uk/posts/tailscale-acl-policy-deep-dive/ <h2 id="acl-机制与策略结构">ACL 机制与策略结构</h2> <p>Tailscale ACL(Access Control Lists)在 tailnet policy file(huJSON)中定义,采用声明式 deny-by-default 模式。所有设备间连接均需显式授权。ACL 语法核心为 <code>src</code>(来源)和 <code>dst</code>(目标)规则,授权粒度精确到用户、组、标签和 CIDR。</p> <h3 id="基础语法结构">基础语法结构</h3> <div class="goat svg-container "> <svg xmlns="http://www.w3.org/2000/svg" font-family="Menlo,Lucida Console,monospace" viewBox="0 0 688 57" > <g transform='translate(8,16)'> <text text-anchor='middle' x='0' y='4' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='0' y='36' fill='currentColor' style='font-size:1em'>]</text> <text text-anchor='middle' x='8' y='4' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='16' y='4' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='16' y='20' fill='currentColor' style='font-size:1em'>{</text> <text text-anchor='middle' x='24' y='4' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='32' y='4' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='32' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='40' y='4' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='40' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='48' y='4' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='48' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='56' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='64' y='4' fill='currentColor' style='font-size:1em'>[</text> <text text-anchor='middle' x='64' y='20' fill='currentColor' style='font-size:1em'>i</text> <text text-anchor='middle' x='72' y='20' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='80' y='20' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='88' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='96' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='112' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='120' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='128' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='136' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='144' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='152' y='20' fill='currentColor' style='font-size:1em'>p</text> <text text-anchor='middle' x='160' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='168' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='176' y='20' fill='currentColor' style='font-size:1em'>,</text> <text text-anchor='middle' x='192' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='200' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='208' y='20' fill='currentColor' style='font-size:1em'>r</text> <text text-anchor='middle' x='216' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='224' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='232' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='248' y='20' fill='currentColor' style='font-size:1em'>[</text> <text text-anchor='middle' x='256' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='264' y='20' fill='currentColor' style='font-size:1em'>u</text> <text text-anchor='middle' x='272' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='280' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='288' y='20' fill='currentColor' style='font-size:1em'>r</text> <text text-anchor='middle' x='296' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='304' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='312' y='20' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='320' y='20' fill='currentColor' style='font-size:1em'>i</text> <text text-anchor='middle' x='328' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='336' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='344' y='20' fill='currentColor' style='font-size:1em'>@</text> <text text-anchor='middle' x='352' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='360' y='20' fill='currentColor' style='font-size:1em'>x</text> <text text-anchor='middle' x='368' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='376' y='20' fill='currentColor' style='font-size:1em'>m</text> <text text-anchor='middle' x='384' y='20' fill='currentColor' style='font-size:1em'>p</text> <text text-anchor='middle' x='392' y='20' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='400' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='408' y='20' fill='currentColor' style='font-size:1em'>.</text> <text text-anchor='middle' x='416' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='424' y='20' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='432' y='20' fill='currentColor' style='font-size:1em'>m</text> <text text-anchor='middle' x='440' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='448' y='20' fill='currentColor' style='font-size:1em'>]</text> <text text-anchor='middle' x='456' y='20' fill='currentColor' style='font-size:1em'>,</text> <text text-anchor='middle' x='472' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='480' y='20' fill='currentColor' style='font-size:1em'>d</text> <text text-anchor='middle' x='488' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='496' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='504' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='512' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='528' y='20' fill='currentColor' style='font-size:1em'>[</text> <text text-anchor='middle' x='536' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='544' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='552' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='560' y='20' fill='currentColor' style='font-size:1em'>g</text> <text text-anchor='middle' x='568' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='576' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='584' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='592' y='20' fill='currentColor' style='font-size:1em'>r</text> <text text-anchor='middle' x='600' y='20' fill='currentColor' style='font-size:1em'>v</text> <text text-anchor='middle' x='608' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='616' y='20' fill='currentColor' style='font-size:1em'>r</text> <text text-anchor='middle' x='624' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='632' y='20' fill='currentColor' style='font-size:1em'>2</text> <text text-anchor='middle' x='640' y='20' fill='currentColor' style='font-size:1em'>2</text> <text text-anchor='middle' x='648' y='20' fill='currentColor' style='font-size:1em'>"</text> <text text-anchor='middle' x='656' y='20' fill='currentColor' style='font-size:1em'>]</text> <text text-anchor='middle' x='672' y='20' fill='currentColor' style='font-size:1em'>}</text> </g> </svg> </div> <ul> <li><strong>action</strong>:<code>accept</code>(允许)或 <code>drop</code>(拒绝,隐式 deny)。</li> <li><strong>src/dst</strong>:支持 <code>user:</code>、<code>group:</code>、<code>tag:</code>、<code>autogroup:</code>、<code>*</code>。</li> <li><strong>端口协议</strong>:<code>dst</code> 格式为 <code>[identity]:[port]/[proto]</code>,如 <code>tag:prod:443/tcp</code>。</li> </ul> <h2 id="tags服务节点身份体系">Tags:服务节点身份体系</h2> <p>Tags(标签)是非用户设备专用身份标识,解决传统 IP-based ACL 的动态性问题。</p>