Connect to nginx reverse proxy sites with public DNS name

I have a Linux VPS running nginx reverse proxy (two internal sites served through docker) that resolves to a public DNS name tied to the VPS public IP. Example: https://site1.domain.com and https://domain.com. The sites only resolve to DNS, not IP address. I have the firewall on the VPS only allowing public inbound connections from a select set of public IPs, not the entire public internet.

I would like to use Tailscale to access these websites from my devices other than from the select set of IPs. When I installed Tailscale on the VPS I am able to get to the nginx http interface but not the other two sites. The nginx server_name is set to the public DNS and will only resolve to that domain name.

How do I set this up to access these sites through Tailscale? Do I need to add the Tailscale IP as a server_name in the nginx config (I tried this but it did not work)?

Thanks,

Matt

As of now, you can’t add extra records in the MagicDNS system - otherwise, you could add domain alias entries for each site in nginx that will resolve over the tailnet.

You can still do that, but you’d have to add entries to the hosts file on each machine that needs to connect to them over the tailnet.

To avoid doing that, my indirect way of solving this if I were in your shoes would be to change the location to be an address such as /app1 and /app2, and proxy_pass from there.

Then you can just add tailnetname as a second entry in server_name and machines on your tailnet can use these addresses to connect: http://tailnetname/app1 and http://tailnetname/app2.

Thanks, I'll look into changing the app location and adding the tailnetname as a second entry in the server_name. In the meantime I can access the sites by browsing directly to the Docker ports, bypassing the nginx proxy.


You could add a DNS entry pointing to the Tailscale IP (even on public DNS servers if you want). Then, while connected to Tailscale, you could connect to that hostname and Nginx should pick it up.

Make sure your firewall accepts traffic from 100.64.0.0/10.
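Putting the two suggestions together (the /app1 and /app2 locations under the tailnet name, and only accepting the Tailscale 100.64.0.0/10 range) as an added example; this is not configuration from the thread or from Tailscale, and the names tailnetname, site1.domain.com and the Docker ports 8081/8082 are assumptions.

```nginx
# Added example, not from the thread. The tailnet name gets its own server
# block rather than being appended to the public vhost's server_name, so the
# /app1 and /app2 paths are never reachable through the public hostname.

# Existing public site, unchanged (assumed to proxy to a Docker port).
server {
    listen 443 ssl;
    server_name site1.domain.com;
    # ssl_certificate / ssl_certificate_key as already configured
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
    }
}

# Catch-all: a request whose Host header matches no server_name (a bare
# 100.x.y.z address, an unknown name) is closed instead of silently landing
# on whichever server block nginx loaded first.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Tailnet-only entry point. Plain HTTP is acceptable here because the
# WireGuard tunnel between peers is already encrypted.
server {
    listen 80;
    server_name tailnetname;   # the VPS's MagicDNS name (assumed)

    # Defence in depth on top of the host firewall: only Tailscale's CGNAT
    # range 100.64.0.0/10 may reach this vhost, even if a rule slips.
    allow 100.64.0.0/10;
    deny all;

    # Trailing slashes matter: with "location /app1/" and a proxy_pass URI
    # ending in "/", nginx strips the /app1/ prefix, so the app sees "/"
    # exactly as it does when hit directly on its Docker port.
    location /app1/ {
        proxy_pass http://127.0.0.1:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Prefix /app1;   # honoured only by apps that read it
    }
    location /app2/ {
        proxy_pass http://127.0.0.1:8082/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Prefix /app2;
    }
}
```

Validate with `nginx -t` before reloading; an app that emits absolute links (/static/..., /login) will still need to be told about its prefix, otherwise those links escape /app1/ and hit the catch-all.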