rogitproxy is a read-only git protocol proxy for a tailnet. It listens on port 9418 (the git:// protocol port) via tsnet and proxies to an HTTPS or SSH backend (e.g. GitHub). It enforces access control using tailnet grants.
The main use case is allowing sandboxed VMs access to private repositories without exposing HTTPS credentials or SSH keys in the sandbox environment.
$ rogitproxy
In dev mode (no tsnet, listens on localhost):
$ rogitproxy --dev
Then:
git clone git://rogitproxy.your-tailnet.ts.net/org/repo.git
git ls-remote git://rogitproxy.your-tailnet.ts.net/org/repo.git
When the backend is https://github.com (the default) and either a
GitHub App private key is available (at ~/keys/rogitproxy.pem) or in
setec), rogitproxy
authenticates to GitHub using a GitHub App installation token.
Flags:
--github-app-id=N GitHub App ID
--github-app-install-id=N GitHub App installation ID
--setec-url setec server URL, for fetching the private key
In tsnet mode with GitHub App auth enabled, access is controlled by tailnet
grants using the github.com/tailscale/rogitproxy capability. A grant looks
like:
{
"src": ["group:eng@example.com"],
"dst": ["tag:rogitproxy"],
"app": {
"github.com/tailscale/rogitproxy": [{
"repos": ["org/repo1", "org/repo2"],
"access": "pull"
}]
}
}The "access": "pull" type covers all read-only git operations (clone, fetch,
ls-remote).
rogitproxy serves an HTTP status page on port 80 (tsnet) showing the
requesting user's granted repos and usage examples. It also serves
/debug/ via tsweb.Debugger (metrics, pprof, etc.).
Only git-upload-pack (the read-only git protocol command) is permitted.
All other commands, including git-receive-pack (push), are rejected.