azorius.vedetta.com

Jellyfin, Traefik and Tailscale Config Question
from filister@lemmy.world to selfhosted@lemmy.world on 23 Oct 02:56
https://lemmy.world/post/37740697

I am running a Proxmox node with a VM running a couple of Podman rootless containers, one of which is Jellyfin. I have also installed Traefik on a separate LXC unprivileged container. I have installed Tailscale on both the VM and the LXC.

What I want now is to create a reverse proxy so that I create subdomains pointing to my registered domain name, e.g. example.com.

I want when trying to access ‘jellyfin.example.com‘ the reverse proxy to point to the Tailscale IP or URL, for example ‘media.tbXXX.ts.net:8096‘. But that should work only when connected to the Tailscale network.

Is this even possible? If it is, can you point me to some resources explaining the whole configuration?

#selfhosted

threaded - newest

thelittleblackbird@lemmy.world on 23 Oct 03:09 next collapse

Yes, it is possible, but you need a domain (example.com) that I guess you want to be resolved from internet and a public face ip.

After that, yep, if the reverse proxy can resolve tailscale names (basically it has tailscale installed in the same machine) and the service is reachable via tailscale, then it is perfect.

In fact in my setup I have a public domain name that is translated into a private domain name in the reverse proxy (exactly what you want with the addition of tailscale)

filister@lemmy.world on 23 Oct 03:38 next collapse

I have a registered domain name already, but I am behind CGNAT and I don’t really have a public IP.

I want to allow access to my services remotely only through Tailscale.

zarlin@lemmy.dbzer0.com on 23 Oct 04:14 next collapse

My setup just has the local IP (of the reverse proxy) in the domain’s DNS records, and I have Tailscale on my server setup to advertise subnet routes, so I can use the same local IP when at home or remote via Tailscale. No need to use your public IP or open ports or anything.

filister@lemmy.world on 23 Oct 07:46 collapse

Yes, I know that, but I just don’t want to remember the port numbers or create some bookmarks.

I think I can create a CNAME record for *.media to point to the Tailscale address of the reverse proxy and then use the reverse proxy with Cloudflare API key to serve SSL certificates from my domain.

I am currently struggling a bit with the setup though.

zarlin@lemmy.dbzer0.com on 24 Oct 05:07 collapse

I think I can create a CNAME record for *.media to point to the Tailscale address of the reverse proxy

This approach, but if you setup your server to advertise subnets you can use your local IP range instead of tailscale’s. Port numbers for individual services would be handled by your reverse proxy, you can setup a subdomain route for each service.

Instead of having to keep track of bookmarks you can use something like homepage on the root of your domain, as a dashboard to navigate to all other services.

thelittleblackbird@lemmy.world on 23 Oct 06:58 collapse

OK I understood that the request came from internet and tailscale was to link the reverse proxy and the server.

In this case try ipv6, pretty sure you have ipv6 and you will have a public address.

But for this case you will need a dns in your network so example.com can be resolved and then your proxy will make the right request.

Yes doable.

[deleted] on 23 Oct 05:35 collapse

NuXCOM_90Percent@lemmy.zip on 23 Oct 07:50 collapse

This is one of the big problems with tailscale for home users. For people who only access a system remotely (e.g. a corporate VPN) it is amazing. For people who are both on and off network… yeah.

What I actually settled on was NOT using one of my domains and to instead just use the tailscale FQDNS in all situations. Mostly because I saw they added more human readable names so it is now like foo.happy-panda.ts.net instead of foo.tb12415161613616161616.ts.net

Externally? I just activate the tailscale app and I can see foo.sad-hamster.ts.net with zero additional config. Which is good if I am using an app on my phone or helping someone I trust set up their own machine without needing to drive/fly out there with a laptop.
Internally? I actually just added a simple DNS override locally (I use unbound via opnsense for this but you can also do it with a pihole if you really want to). So foo.sad-hamster.ts.net goes to foo.localdomain which goes to a 192.x IP seamlessly

End result is that I don’t need any special config in any devices or apps and everything just uses the tailscale FQDN regardless of whether it is a “client” connected to the tailscale itself. Which ALSO avoids issues where things stop working during an internet outage.

I’ve seen alternative setups that specify their own DNS server in their tailnet and… that is a lot of effort if you ask me. Also it seems to be the leading cause of “When I connect to my tailnet I can’t see the outside internet anymore”.

The big drawbacks to this are that it makes assigning actual certs rather messy since the same FQDN goes to multiple very different IPs… at least one of which being a potential security vulnerability since it is assigned by whoever controls the LAN you are on at any given moment. Not the end of the world and, truth be told, I am less likely to bother with proper certs for fully internal resources (unless I am getting paid to do it). So no NEW risk vectors.

The other is that you are kind of at the mercy of tailscale corp changing their business model entirely and suddenly having to deal with the fqdn that points to your plex server now actually being used for the latest dating app and everything catching on fire until you remember you did this. But that is a problem that is multiple years down the road…

Also, depending on what DNS/network shenanigans you do, this could cause other issues. But that is why you always test things yourself.

NuXCOM_90Percent@lemmy.zip on 23 Oct 10:08 collapse

Wait… if you JUST want your domain to point to the tailscale IP and to only work when the client is on the tailnet, this is… super duper easy?

Just install tailscale. Go to your dashboard, and get the IP. And point your domain at that. No tunnels or reverse proxies needed.

filister@lemmy.world on 23 Oct 11:29 collapse

The problem is that I have a couple of services listening on different ports and I want to use the reverse proxy to listen to incoming requests and route the traffic to the corresponding ports. I also want to issue SSL certificates and serve the traffic over TCP port 443.

NuXCOM_90Percent@lemmy.zip on 23 Oct 11:54 collapse

Presumably most of those services on the same physical host are running in containers? So just add tailscale as a sidecar to that. Each container will be its own host as far as your tailnet is concerned and have its own internal IP. The official tailscale youtube has tutorials on that because it maps much better to a portainer based setup and more or less requires clients to have the tailnet running constantly (which, in my opinion, defeats the purpose of selfhosting but you do you).

Or do a mess with SRV records and… good luck with that