Jellyfin, Traefik and Tailscale Config Question
from filister@lemmy.world to selfhosted@lemmy.world on 23 Oct 09:56
https://lemmy.world/post/37740697
I am running a Proxmox node with a VM running a couple of Podman rootless containers, one of which is Jellyfin. I have also installed Traefik on a separate LXC unprivileged container. I have installed Tailscale on both the VM and the LXC.
What I want now is to create a reverse proxy so that I create subdomains pointing to my registered domain name, e.g. example.com.
I want, when trying to access 'jellyfin.example.com', the reverse proxy to point to the Tailscale IP or URL, for example 'media.tbXXX.ts.net:8096'. But that should work only when connected to the Tailscale network.
Is this even possible? If it is, can you point me to some resources explaining the whole configuration?
#selfhosted
Yes, it is possible, but you need a domain (example.com) that I guess you want to be resolved from the internet, and a public-facing IP.
After that, yep, if the reverse proxy can resolve Tailscale names (basically it has Tailscale installed on the same machine) and the service is reachable via Tailscale, then it is perfect.
In fact in my setup I have a public domain name that is translated into a private domain name in the reverse proxy (exactly what you want with the addition of tailscale)
I have a registered domain name already, but I am behind CGNAT and I don’t really have a public IP.
I want to allow access to my services remotely only through Tailscale.
My setup just has the local IP (of the reverse proxy) in the domain’s DNS records, and I have Tailscale on my home server setup to advertise subnet routes, so I can use the same local IP when at home or remote via Tailscale. No need to use your public IP or open ports or anything.
Yes, I know that, but I just don’t want to remember the port numbers or create some bookmarks.
I think I can create a CNAME record for *.media to point to the Tailscale address of the reverse proxy and then use the reverse proxy with Cloudflare API key to serve SSL certificates from my domain.
I am currently struggling a bit with the setup though.
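As an added worked example (not posted by anyone in this thread), here is a Traefik v3 configuration that does what the question asks: jellyfin.example.com is routed to the Jellyfin container over the tailnet and is only reachable from Tailscale clients, with a wildcard certificate obtained through Cloudflare's DNS-01 challenge so no public IP or open port is needed. Names taken from the thread are example.com, jellyfin.example.com and media.tbXXX.ts.net:8096 (the poster's own placeholder). Everything else is an assumption for illustration: 100.100.100.100 stands for the Traefik LXC's Tailscale IPv4 address, admin@example.com is the ACME contact, the file paths are arbitrary, and the Cloudflare token is expected in the CF_DNS_API_TOKEN environment variable (the name Traefik's Cloudflare provider reads).

```yaml
# /etc/traefik/traefik.yml  (static configuration, Traefik v3)
# Bind the entrypoints to the LXC's Tailscale address only (100.100.100.100 is
# a placeholder for this example, not a real node). Traffic arriving on the LAN
# or WAN interface never reaches Traefik at all; tailscaled must be up before
# Traefik starts or the bind fails.
entryPoints:
  web:
    address: "100.100.100.100:80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: "100.100.100.100:443"

providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

# DNS-01: Let's Encrypt only has to see a TXT record in Cloudflare, so this
# works behind CGNAT. The API token comes from the CF_DNS_API_TOKEN environment
# variable (scope it to Zone:DNS:Edit on example.com); keep it out of this file.
certificatesResolvers:
  cloudflare:
    acme:
      email: admin@example.com         # assumed contact address
      storage: /etc/traefik/acme.json  # create with mode 600
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

---
# /etc/traefik/dynamic.yml  (dynamic configuration, loaded by the file provider)
http:
  middlewares:
    # Second line of defence: even if the entrypoints are later rebound to
    # 0.0.0.0, only tailnet source addresses are accepted (Tailscale's IPv4
    # CGNAT block and its IPv6 ULA prefix). Traefik v2 calls this ipWhiteList.
    tailnet-only:
      ipAllowList:
        sourceRange:
          - "100.64.0.0/10"
          - "fd7a:115c:a1e0::/48"

  routers:
    jellyfin:
      rule: "Host(`jellyfin.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - tailnet-only
      service: jellyfin
      tls:
        certResolver: cloudflare
        # One wildcard certificate covers every subdomain added later.
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    jellyfin:
      loadBalancer:
        servers:
          # MagicDNS name from the question; Traefik can resolve it because
          # tailscaled runs in the same LXC.
          - url: "http://media.tbXXX.ts.net:8096"
```

To make the name resolve, add a public A record in Cloudflare for jellyfin.example.com (or the wildcard) pointing at the LXC's Tailscale IP; the 100.64.0.0/10 address is not routable from the internet, so publishing it reveals only the hostname. Check from a device on the tailnet that `curl -I https://jellyfin.example.com` answers, and from a LAN device without Tailscale that the connection is refused or times out. In Jellyfin, add the proxy's Tailscale IP under Dashboard > Networking > Known proxies so its logs record the real client address instead of the proxy's.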
OK, I understood that the request came from the internet and Tailscale was to link the reverse proxy and the server.
In this case try IPv6; pretty sure you have IPv6, and you will have a public address.
But for this case you will need a DNS server in your network so example.com can be resolved, and then your proxy will make the right request.
Yes doable.
This is one of the big problems with tailscale for home users. For people who only access a system remotely (e.g. a corporate VPN) it is amazing. For people who are both on and off network… yeah.
What I actually settled on was NOT using one of my domains and to instead just use the tailscale FQDNs in all situations. Mostly because I saw they added more human readable names so it is now like
foo.happy-panda.ts.net
instead of foo.tb12415161613616161616.ts.net
with zero additional config. Which is good if I am using an app on my phone or helping someone I trust set up their own machine without needing to drive/fly out there with a laptop.
foo.sad-hamster.ts.net goes to foo.localdomain, which goes to a 192.x IP seamlessly.
End result is that I don't need any special config in any devices or apps and everything just uses the tailscale FQDN regardless of whether it is a "client" connected to the tailscale itself. Which ALSO avoids issues where things stop working during an internet outage.
I’ve seen alternative setups that specify their own DNS server in their tailnet and… that is a lot of effort if you ask me. Also it seems to be the leading cause of “When I connect to my tailnet I can’t see the outside internet anymore”.
The big drawbacks to this are that it makes assigning actual certs rather messy since the same FQDN goes to multiple very different IPs… at least one of which being a potential security vulnerability since it is assigned by whoever controls the LAN you are on at any given moment. Not the end of the world and, truth be told, I am less likely to bother with proper certs for fully internal resources (unless I am getting paid to do it). So no NEW risk vectors.
The other is that you are kind of at the mercy of tailscale corp changing their business model entirely and suddenly having to deal with the fqdn that points to your plex server now actually being used for the latest dating app and everything catching on fire until you remember you did this. But that is a problem that is multiple years down the road…
Also, depending on what DNS/network shenanigans you do, this could cause other issues. But that is why you always test things yourself.