Comment by mojzu

3 years ago

I've been using it too and it works well, particularly with Caddy to do automatic certificates with ACME where possible

Plus all my services go through Tailscale, so although I am leaking internal hostnames via DNS, all those records point to is 100.* addresses

6 comments

mojzu

Reply
chrisweekly  3 years ago

I'm a fan of both Caddy and Tailscale; any chance you have any devnotes to share on your setup?

  • mojzu  3 years ago

    My notes were pretty rough but I've tried putting them into a gist here:

    https://gist.github.com/mojzu/b093d79e73e7aa302dde8e335945b2...

    Which covers using step-ca with Caddy to get TLS certs via ACME for subdomains, and protecting internal services using client certificates/mtls

    I then install Tailscale on the host which is running the docker containers, and configure the firewall so that only other 100.* IP addresses can connect to ports 80/443/444. The combination of VPN+MTLS mitigates most of my worries about exposing internal subdomains on public DNS

dolmen  3 years ago

Tailscale+TLS: isn't it two strong layers of encryption?

  • mojzu  3 years ago

    Yeah, it's probably overkill but I think the multiple layers would help in cases I misconfigured something or if an account someone uses to log into Tailscale was compromised. For example when I ran the containers on a linux host I discovered later docker was bypassing the firewall rules and allowing all connections, but it probably wasn't a big deal because of the MTLS (and the server was behind a NAT router anyway so it was only addressable within the local network)