FR: tailscale cert serve with reverse proxy mechanism #5656

Open
dcarrion87 opened this issue Sep 16, 2022 · 5 comments
Labels
fr Feature request L2 Few Likelihood P1 Nuisance Priority level pending T0 New feature Issue type

Comments

dcarrion87 commented Sep 16, 2022

What are you trying to do?

  • Trying to reverse proxy via tailscale cert without additional tools/systems.

Noticed there was a tailscale cert --serve-demo mechanism that gives a hello world endpoint. Would be great if we could specify remote endpoint to proxy instead.

How should we solve this?

  • Provide option to reverse proxy directly via tailscale cert serve mechanism to avoid having to run tailscale cert, put the files somewhere shared, bring up additional nginx sidecar, etc...
  • Documentation clearer around this and potentially an example for docker / sidecar use.

What is the impact of not solving this?

  • More moving parts working with these certs for dev environments.

Anything else?

@dcarrion87 dcarrion87 added fr Feature request needs-triage labels Sep 16, 2022
@dcarrion87 dcarrion87 changed the title FR: tailscale cert serve with proxy mechanism FR: tailscale cert serve with reverse proxy mechanism Sep 16, 2022
@DentonGentry (Contributor)

To set expectations: I think it is unlikely that the tailscale CLI command will be extended to be a reverse proxy.

Note: Caddy can autonomously manage Tailscale certs and is designed to function as a reverse proxy (among other functions).

@bradfitz (Member)

> To set expectations: I think it is unlikely that the tailscale CLI command will be extended to be a reverse proxy.

But tailscaled might :)

dcarrion87 (Author) commented Sep 16, 2022

That would be cool.

Unfortunately, there's too much implicit voodoo going on that I don't understand with the Caddy socket interfacing mechanism, so I'm having to revert to tacking more pieces together to make this work.

Along the lines of:

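```sh
# Fetch and unpack a standalone Caddy binary
wget https://github.com/caddyserver/caddy/releases/download/v2.5.2/caddy_2.5.2_linux_amd64.tar.gz
tar xfz caddy_2.5.2_linux_amd64.tar.gz
# Caddyfile: serve the tailnet name with the cert/key files and proxy to the local app
cat > Caddyfile <<EOF
coder-${var.namespace}.${var.tailscale_domain}
tls coder-${var.namespace}.${var.tailscale_domain}.crt coder-${var.namespace}.${var.tailscale_domain}.key
reverse_proxy :3000
EOF
# Write the .crt and .key files into the current directory via the container's tailscaled socket
tailscale --socket=/tmp/tailscaled.sock cert coder-${var.namespace}.${var.tailscale_domain}
# Start Caddy in the background with the Caddyfile above
nohup ./caddy run &
exit 0
```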

Works good enough for testing purposes for the moment. At least until I can debug the socket interface mechanism with Caddy.

dcarrion87 (Author) commented Sep 16, 2022

Just on the caddy thing I was able to resolve this: caddyserver/caddy#5041 (comment)

  • Caddy is looking for /var/run/tailscale/tailscaled.sock by default but the container run.sh defaults to /tmp/tailscaled.sock
  • One won't see any errors about this until this is specified in the Caddyfile:
```
{
    debug
}
tls {
    get_certificate tailscale
}
```
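A preflight for the socket path mismatch described in the comment above, as an added example that is not part of the original thread or of Tailscale's or Caddy's own code. The two default paths are the ones named in the comment; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: make the tailscaled socket reachable at the path Caddy checks,
# so the mismatch is caught before Caddy starts rather than via debug logs.
# Variable and function names are assumptions of this example.

# Path Caddy looks for by default (from the comment above).
CADDY_EXPECTS="${CADDY_EXPECTS:-/var/run/tailscale/tailscaled.sock}"
# Path the container run.sh defaults to (from the comment above).
CONTAINER_SOCK="${CONTAINER_SOCK:-/tmp/tailscaled.sock}"
# File test used to recognise the socket. -S (is a Unix socket) is the real
# check; it is overridable only so the logic can be exercised on a machine
# where no tailscaled is running.
SOCK_TEST="${SOCK_TEST:--S}"

# True when the given path (symlinks followed) passes the socket test.
is_sock() { test "$SOCK_TEST" "$1"; }

# Prints one of: ok | linked | missing. Returns non-zero only for "missing".
ensure_caddy_sock() {
    # Already visible where Caddy looks: nothing to do.
    if is_sock "$CADDY_EXPECTS"; then
        echo ok
        return 0
    fi
    # Not at the container path either: tailscaled is not up, or it was
    # started with a different --socket value.
    if ! is_sock "$CONTAINER_SOCK"; then
        echo missing
        return 1
    fi
    # tailscaled listens on the container path only: expose it at the
    # expected path. -f replaces a stale link, -n avoids descending into one.
    mkdir -p "$(dirname "$CADDY_EXPECTS")" &&
        ln -sfn "$CONTAINER_SOCK" "$CADDY_EXPECTS" &&
        echo linked
}
```

Call `ensure_caddy_sock` after tailscaled has started and before `caddy run`, and treat a `missing` result as a startup failure.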

@DentonGentry (Contributor)

Possibly relevant: after this feature request was filed, the Tailscale Funnel feature became available in alpha release.
