this post was submitted on 03 Oct 2023
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/selfhosted

What's the easiest way to get https while still using my given tailnet as the domain for accessing stuff? The tailscale documentation suggests downloading certs to the server and pointing each service to those certs, but that seems like more work than it should?

Is a reverse proxy the best option? Or what do people who use tailscale as vpn for their devices use?

I need to point certain services out and make them accessible to family members. I will do this through the funnel feature in tailscale, but want https set up before pointing anything out.

Appreciate any suggestions ✨

all 14 comments
[–] [email protected] 13 points 1 year ago (1 children)

Tailscalar here. Use tailscale serve. It is a reverse proxy inside tailscaled. It will handle HTTPS certificates for you too. As an example, here's a sample HTTP server proxied to both my tailnet via tailscale serve and to the world with Funnel.

Also as far as I know you need to use Serve in order to use Funnel.

[–] [email protected] 4 points 1 year ago (1 children)

This does seem like the easiest option so far, I'll try to play around with this, thanks!

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

No prob! If you run into any problems, feel free to DM me or /u/[email protected]. We're more than happy to help.

[–] svenstaro 4 points 1 year ago (1 children)

The easiest way I found is to use caddy which already has tailscale support and will fetch a certificate for hosts behind your tailnet address.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I might give Caddy a go if the response from @Mara doesn't work for me, thanks!

[–] [email protected] 3 points 1 year ago (2 children)

It's possible to host a DNS server for your domain inside your tailnet and offer DNS responses like: yourwebserver.yourdomain.com = tailnetIP

Then, using certbot with Let's Encrypt's DNS challenge and the API for your public DNS provider, you can get a trusted certificate and automatically bind it.

Your tailnet users, if they use your internal DNS server, will resolve your hosted service to your private tailnet IP, the bound certificate name will match the host name, and everyone is happy.

There's more than one way, though, but that's how I'd do it. If you don't own a domain then you'll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.

If your family can click the "advanced > continue anyway" button then you don't need to do anything but use a locally generated cert.

[–] [email protected] 5 points 1 year ago (2 children)

Note my bias as I work for Big VPN (Tailscale), but I don't think that teaching people to ignore security warnings is a good thing to do. The CA system is kind of a scam in general, but I think that, at least in its current implementation, it's better for us to encourage people to be aware of those errors and what they mean.

As the sacred texts say: self-signed certificates beget the use of curl -k beget the use of self-signed certificates.

[–] [email protected] 2 points 1 year ago (1 children)

Yeah I also don’t want my folks to have to “ignore” the warnings either. So will defo have the https set up before giving them access.

[–] [email protected] 1 points 1 year ago (1 children)

Not possible without a domain, even just "something.xyz".

The way it works is this:

  • Your operating system has the root certificates of some trusted certificate authorities installed from installation of the OS. All OSes have this: Linux, Windows, iOS, macOS, Android, BSD.
  • When your browser goes to a web URL and it is an HTTPS-encrypted site, it reads the certificate.
  • The certificate has a certificate subject name on it. It may also optionally have some alternative names.
  • The browser then checks if the subject name matches the web URL address. If it does, that's check one.
  • Next it checks the certificate's validity: it looks at the certificate chain of trust to see if it was signed by an intermediary and then whether the intermediary was signed by a root certificate authority. Then it can check if any certificate has been revoked along the way.
  • If that's all good, then it'll open without a single warning, and you browse websites all day long without any issue.

Now, to get that experience you need to meet those conditions. The machine trying to browse to your website needs to trust the certificate that's presented. So you have a few ways as I previously described.

Note there's no reverse proxy here. But it's also not a toggle on a Web server.

So you don't need a reverse proxy. Reverse proxies allow some cool things, but here are two things they solve that you may need solving:

  • When you only own one public IP but you have two web servers (both listening on 443/80), you need something that looks at incoming requests and identifies, based on the HTTP request from the client connecting in, 'oh, you're after website a' and 'you're after website b'.
  • When you have two web servers running on a single server, you have to have each web server listening on different ports, so you might choose 444/81 for the second web server. You don't want to offer those non-standard ports to the public, so instead you route traffic via a reverse proxy inbound; it listens for both web servers on 80/443 and translates it back to the server.

But in this case you don't really need to, since you have lots of IPs: you're not offering publicly, you're offering over tailscale, and both web servers can be accessed directly.
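An added example (mine, not from anyone in the thread) that walks the checks listed above with a throw-away private CA built from the openssl command line: the name check, the chain back to a root, and what happens when that root is not installed on the client, which is the situation the earlier comment about running your own certificate authority describes. The host name, subjects and temp directory are made up for the demo; it assumes only the openssl CLI (1.1.0 or newer) is available.

```shell
set -eu

WORK="$(mktemp -d)"
HOST="yourwebserver.yourdomain.com"   # hypothetical service name on the tailnet

# issue <name> <subject> <extension spec> [<issuer name>]
# With no issuer the certificate is self-signed: that is our private root.
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
  printf '%b' "$ext" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Root -> intermediate -> leaf, the leaf carrying the service name as a SAN.
build_chain() {
  issue root "/CN=Demo Private Root" \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
  issue int "/CN=Demo Intermediate" \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' root
  issue leaf "/CN=$HOST" \
    "subjectAltName=DNS:$HOST\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n" int
}

# check <hostname> [<trusted root pem>] -> prints "ok" or "fail".
# Without a trusted root only the system store is consulted, which is what a
# family member's laptop has before the private root is installed on it.
check() {
  name=$1; root=${2:-}
  if [ -n "$root" ]; then set -- -CAfile "$root"; else set --; fi
  if openssl verify "$@" -untrusted "$WORK/int.pem" -verify_hostname "$name" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_chain
check "$HOST" "$WORK/root.pem"                # ok: name matches, chain ends at a trusted root
check "wrong.yourdomain.com" "$WORK/root.pem" # fail: check one, the name does not match
check "$HOST"                                 # fail: root not installed on the client
```

The third case is exactly the browser warning discussed in this thread: the certificate is well formed and the name matches, but the client has no trust anchor for the chain.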

[–] [email protected] 1 points 1 year ago

Thanks for the detailed answer, I was able to solve my problem just with what /u/mara suggested above :)

[–] [email protected] 1 points 1 year ago (1 children)

Yeah I do not have a domain. I did before, but for some reason I struggled to wrap my head around reverse proxies and domains. And I prefer to not have to pay for yet another service as I'm just a student :P

[–] [email protected] 2 points 1 year ago

You can get domains for a few dollars per year. Go to tld-list.com and sort by renewal price.

When I was in school, I used to pay for domains by doing online surveys that paid $1 per survey. Not sure if that's still a thing these days.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
HTTPS           HTTP over SSL
IP              Internet Protocol
SSL             Secure Sockets Layer, for transparent encryption
VPN             Virtual Private Network

[Thread #183 for this sub, first seen 3rd Oct 2023, 10:55]