Connecting to docker container via public DNS over ts

Tailscale version: 1.36.2
Your operating system & version: macOS / Fedora Linux

Setup:

  • Cloudflare managing domain and DNS A records pointing to ts IP(s)
  • nginx-proxy-manager docker container on ports 80, 81, and 443
  • portainer on port 9000 (for testing)
  • VPS and laptop on same ts network, working properly
  • entirely default ACL, with no limits in place (yet)

Expected behavior:

I request $host.$domain (e.g., http://abc.xyz.net), which Cloudflare resolves to the private $ts-IP [NOTE: this is working fine], and nginx-proxy-manager proxies the request to EITHER $ts-hostname:$port OR $ts-IP:$port, resulting in the display of the application in my browser.

Actual behavior:

  • I can visit http://$ts-IP:port and see the various applications without any issue
  • nslookup is correctly resolving $host.$domain to $ts-IP (for example portainer.$host and $proxy.$host have DNS entries to the same $ts-IP)
  • visiting $host.$domain (and ensuring it is http:// and not https://, as there are no certs issued yet) results in a timeout.

Somewhere in this chain of DNS resolution > proxy > serving an HTTP request, something is failing. I am absolutely certain this is user error on my part, as I am still learning Tailscale, buuuuut any suggestions?
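As an added example (not part of the original post, and not Tailscale or nginx-proxy-manager code), here is a small Python script that walks the chain above one hop at a time: does the name resolve to the expected tailnet IP, does TCP to the proxy port open at all, and does the proxy actually answer an HTTP request carrying the Host header it routes on. The distinction between "TCP times out" (packets dropped before the proxy listener) and "TCP opens but no HTTP reply" (proxy accepted the connection and is stuck waiting on its upstream) is what localises a timeout like the one described. All hostnames, IPs and ports are passed in as arguments; the `start_local_server` helper is a constructed stand-in for the proxy so the script can be exercised offline.

```python
"""Hop-by-hop check of the DNS -> proxy -> upstream chain.

Added example; not Tailscale or nginx-proxy-manager code. Every name, IP
and port is supplied by the caller, and start_local_server() is a
constructed stand-in for the proxy used only for offline self-tests.
"""
import http.client
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def resolve(hostname):
    """Return the IPv4 address the local resolver gives for hostname, or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_connect(ip, port, timeout=3.0):
    """Classify a plain TCP connect as 'open', 'refused', 'timeout' or 'error'.

    'refused' means a host answered but nothing listens on that port;
    'timeout' means packets are being dropped somewhere on the path.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def http_get(ip, port, host_header, path="/", timeout=5.0):
    """GET path from ip:port with an explicit Host header.

    Returns the HTTP status code, or None if no response arrived in time.
    Talking to the proxy by IP while sending the name in Host exercises the
    same name-based routing rule the browser would trigger.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def diagnose(hostname, expected_ip, proxy_port=80, app_port=None):
    """Walk the chain; return (findings dict, one-line verdict)."""
    findings = {"resolved_ip": resolve(hostname)}
    if findings["resolved_ip"] != expected_ip:
        return findings, "DNS: name does not resolve to the expected tailnet IP"
    findings["proxy_tcp"] = tcp_connect(expected_ip, proxy_port)
    if findings["proxy_tcp"] != "open":
        return findings, (f"proxy port {proxy_port} not reachable "
                          f"({findings['proxy_tcp']}): listener or path, not DNS")
    findings["proxy_http"] = http_get(expected_ip, proxy_port, hostname)
    if findings["proxy_http"] is None:
        return findings, "proxy accepts TCP but never answers: stuck on its upstream"
    if app_port is not None:  # optional: confirm the app itself is reachable directly
        findings["app_tcp"] = tcp_connect(expected_ip, app_port)
    return findings, f"proxy answered HTTP {findings['proxy_http']}"


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the proxy: answers 200 to any GET."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep self-test output quiet
        pass


def start_local_server():
    """Start the stand-in on 127.0.0.1 with an ephemeral port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # usage: python3 check_chain.py abc.xyz.net <tailnet-ip> [proxy_port] [app_port]
    name, ip = sys.argv[1], sys.argv[2]
    pport = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    aport = int(sys.argv[4]) if len(sys.argv) > 4 else None
    found, verdict = diagnose(name, ip, pport, aport)
    print(found)
    print(verdict)
```

Run it from the laptop with the real name and the tailnet IP the A record points at. If the verdict is the "accepts TCP but never answers" case, the proxy is reachable and the problem is on the proxy-to-upstream hop (the container's own view of `$ts-hostname` or `$ts-IP:$port`); if TCP itself times out, the proxy listener is not reachable on the tailnet address from that client and DNS is not the layer to look at.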