Funnel With nginx

I have an nginx server running locally, and I want to serve that using funnel, but I can’t seem to get the serve configuration right. I’m trying to just allow any connection to 443 on the node.

so you want funnel → nginx → website?

I’m not sure if you can run nginx and funnel both on port 443.

you could run nginx only on port 80 and let funnel do the https magic.

first generate a cert

tailscale cert yourhost.your.ts.net

then fire up the funnel

tailscale serve / proxy 80

that will funnel https://yourhost.your.ts.net:443 to http://127.0.0.1:80

for nginx you could do something like

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  root /var/www;
  index index.html;
  location / {
    try_files $uri $uri/ =404;
  }
}

Thank you for the reply, I know I have the cert working because I am able to access nginx while in my tailnet via https. I will try something like only listening on 80 for nginx. But I can also allow tailscale to run the funnel on port 8443 or 10000 right? That wouldn’t conflict with nginx in that case.

yes, you can change the funnel port with

tailscale serve --serve-port 8443 / proxy 80

I will try this and report back. Thank you.

For all who find this result on google, I ended up proxying each path individually instead of using nginx. This seemed to solve my problem.

so you used a command like this

tailscale serve --serve-port 8443 / proxy 80

tailscale serve --serve-port 9000 / proxy 9000

tailscale serve --serve-port 6555 / proxy 65

That’s basically right. Except you have to do --serve-port 8443 /service1 proxy 80 etc. You can’t do the root path multiple times.

So I basically entered this command

/ # tailscale serve --serve-port 8443 /service1 proxy 8989

And when I check status

/ # tailscale serve status
https://[machinename].[tailnet].ts.net (Funnel on)
|-- / proxy http://127.0.0.1:40080

https://[machinename].[tailnet].ts.net:8443 (tailnet only)
|-- /service1 proxy http://127.0.0.1:8989

The status shows it’s on tailnet only. The 40080 was set using

tailscale serve / proxy 40080

What can I do to get multi proxy via funnel? Basically multiple apps across different ports

I think you need to serve in independent paths. In your case, / and /service1 aren’t independent.

Sorry, I am literally learning this on the fly :frowning: Can you do an ELI5 for me on what you mean by they aren’t independent? And how can I potentially fix this?

No worries. When you serve / on a port, any service you serve afterwards is a child of /. So you would need to do /service1 proxy 8989 and /service2 proxy 9898 or something like that.

oh ok, I got it working to some extent. I removed all entries and issued 2 commands

tailscale serve /wetty proxy 2222
tailscale serve /sonarr proxy 8989

And then checked the status and it shows this

/ # tailscale serve status
https:/[machinename].[tailnet].ts.net (Funnel on)
|-- /wetty proxy http://127.0.0.1:2222
|-- /sonarr proxy http://127.0.0.1:8989

Issue is that now, when I try to access these by going to my tailnet (without tunnel being on), I cannot access it. This is the URL I am using

http://[machinename].[tailnet].ts.net/sonarr
http://[machinename].[tailnet].ts.net/wetty

If I remove these and just put the / serve with whatever port, I can access it with the URL

http://[machinename].[tailnet].ts.net

Am I doing it right? Or the URLs need to be different?

What port are you serving the funnel on? You probably need to specify https://[machinename].[tailnet].ts.net:8443/sonarr if you’re serving the funnel on port 8443 for example. Do you have the appropriate certificates set up as well?

so as soon as I do it like

/ # tailscale serve --serve-port 8443 /wetty proxy 2222

then the serve status shows that the service is tailnet only and not funnel :frowning:

I would recommend removing all serves, restarting the client, and trying again.

So I removed everything, even deleted the docker, its images and all AppData and reinstalled tailscale.
Then I ran the following commands

tailscale serve funnel on

tailscale serve --serve-port 443 funnel off
tailscale serve --serve-port 8443 funnel on
tailscale serve --serve-port 8443 /portainer proxy 9000
tailscale serve --serve-port 8443 /sonarr proxy 8989
tailscale serve --serve-port 8443 /wetty proxy 2222

And here is the status

/ # tailscale serve status
https://[machine name].[node name].ts.net:8443 (Funnel on)
|-- /wetty proxy http://127.0.0.1:2222
|-- /sonarr proxy http://127.0.0.1:8989
|-- /portainer proxy http://127.0.0.1:9000

but when I go to these URLs, I get the following errors - Not sure where I am going wrong now :sob: :sob:

https://[machine name].[node name].ts.net:8443/sonarr → Blank Page

https://[machine name].[node name].ts.net:8443/wetty → Cannot GET /wetty

https://[machine name].[node name].ts.net:8443/portainer → 404 page not found

I even tried in Incognito mode

Your config looks right. Have you set up HTTPS properly? Enabling HTTPS · Tailscale

Yes, it’s on and I ran the command below

tailscale cert [machine name].[node name].ts.net

At this point it really looks like you have everything set up correctly. Last thing I would try is a reboot of your machine.
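
Added example, not part of any post in this thread: a small shell filter that reads `tailscale serve status` output in the layout quoted above and lists each mount as public (Funnel on) or tailnet only, so it is clear which backends (a web terminal or a container manager, for instance) are reachable from the internet. The function names and the sample host name are assumptions made for the example, and the parser assumes the status layout shown in this thread.

```shell
#!/bin/sh
# Added example: classify each mount in `tailscale serve status` output
# as public (Funnel on) or tailnet only. Assumes the layout quoted in the thread.

# list_exposure: reads status text on stdin, prints one line per mount:
#   <public|tailnet> <url> <backend>
list_exposure() {
  awk '
    /^https:\/\// {
      # Header line: "<base-url> (Funnel on)" or "<base-url> (tailnet only)"
      scope = ($0 ~ /\(Funnel on\)/) ? "public" : "tailnet"
      base = $1
      next
    }
    /^[|]-- / && base != "" {
      # Mount line: "|-- <path> proxy <backend>"
      path = $2
      if (path == "/") path = ""
      print scope, base path, $4
    }
  '
}

# count_public: number of mounts exposed to the internet through Funnel.
count_public() {
  list_exposure | awk '$1 == "public" { n++ } END { print n + 0 }'
}

# Constructed sample, modelled on the status output quoted in the thread
# (host.example.ts.net is a placeholder host name).
sample_status() {
  cat <<'EOF'
https://host.example.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:40080

https://host.example.ts.net:8443 (tailnet only)
|-- /service1 proxy http://127.0.0.1:8989
EOF
}

sample_status | list_exposure
```

On a live node the same filter can be fed with `tailscale serve status | list_exposure`; every line marked `public` is a backend that anyone on the internet can reach, so it should carry its own authentication.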