# tailscale-proxy

> A small Go utility for sharing local dev servers through one Tailscale URL, then tearing it down cleanly.

`tailscale-proxy` is for the local-service problem: you have dev servers running on your machine, someone else needs to reach them, and you do not want a pile of tunnel scripts or one more dashboard.

The use case is ordinary and that is why it matters. A teammate needs to see a local build. A webhook provider needs a temporary endpoint. A mobile device needs to hit a service running on a laptop. The wrong solution is often too much ceremony: accounts, dashboards, config files, random per-session URLs, and half-remembered cleanup steps.

```mermaid
flowchart LR
  A[dev servers] --> B[discover ports]
  B --> C[project route]
  C --> D[Tailscale Serve/Funnel]
  D --> E[reviewer/webhook/device]
  E --> F[teardown]
```

<Tradeoff title="Temporary access still needs a boundary">
  The fastest tunnel is not always the safest one. A useful dev tool makes sharing easy while making
  the trust boundary and teardown obvious.
</Tradeoff>

## What it optimizes for

- Small setup surface.
- Clear local-to-public mapping under one stable Tailscale hostname.
- Tailscale Serve/Funnel as the trust boundary.
- Project-name routes so several dev servers can share one entry point.
- Re-scans that tolerate servers coming and going during normal development.
- Easy teardown when the sharing window is over.

## Where it needs defensive programming

The important details are not glamorous. A dev server restarts. A port disappears for a few seconds.
A WebSocket upgrade needs to keep working. A local path has to be stripped before forwarding. The
proxy has to clean up the Serve/Funnel entry on exit so a temporary share does not become a forgotten
exposure.

That is why I like the repo as a lab entry. It is a small tool, but the safety properties are real:
discover, route, proxy, observe, and tear down.

## The engineering habit

Temporary access should still have a trust model. "Just expose it for a minute" is how dev tooling becomes risky. This repo keeps the sharing path narrow: discovered local services, explicit project routes, one known network boundary, and an easy way to stop.

That is the same principle I want in internal platforms. Make the safe path the easy path. Give engineers tools that fit the real workflow, but do not make them paste tokens into random tunnels or invent their own exposure scripts every time they need feedback.