HTTPS for multiple services on a single machine

Greeting everyone - this is my first time on this forum so Hi, Hey, and Howdy. As a preamble I’d like to point out that this post is related to discussion threads that already exist over on the Caddy forum:

as well as a thread that already exists on the Tailscale Github forum, to which Matt Holt from Caddy has already contributed on my behalf:

Long story short, I want to access multiple services, each on a different port, running inside Docker containers, via Tailscale with HTTPS. As of now I’m utilizing Caddy as a reverse proxy to fetch certs from Tailscale and do all the associated legwork, and this works fabulously for a single service, or for multiple services running on different machines with distinct FQDNs. But I’ve got a whole slew of services going on a single box and only a single domain name to go around. The most obvious way to deal with this is using subdomains, but if I understand correctly Tailscale and MagicDNS do not support this plan.

Since I’m not really married to any one course of action, I’m open to the idea of setting up a DNS server on my network to dish out the subdomains, but I’m sufficiently novice at DNS topics that I would need some rather concrete guidance as to how to go about getting this going. I do have experience with Pi-hole so if it can be done using that or dnsmasq or similar, this could be a way forward.

Another possibility might be to just use tailscale cert to provision the certificates and somehow finagle each Docker container individually to make use of the one TLS pair (which would reside outside each container) but I’m not really sure if this is actually technically viable. My Docker kung-fu is just as weak as my DNS mojo so I’d need some help with this strategy as well.

I’m not hung on subdomains as a solution per se, I just want to be able to access all my services. I feel like my use case is probably pretty common so any input about ways of attacking this would be super valuable.

I’ll include my Caddyfile here just for reference, in case it’s not clear what I’m trying to achieve. Note that I’ve commented out all but the one working service since I don’t have actual subdomains at my disposal.

origin.tailnet-c74e.ts.net {
        reverse_proxy origin:34843
}

#origin.tailnet-c74e.ts.net {
#       reverse_proxy origin:1080
#}

#origin.tailnet-c74e.ts.net {
#       reverse_proxy origin:8096
#}

#origin.tailnet-c74e.ts.net {
#       reverse_proxy origin:9090
#}

#origin.tailnet-c74e.ts.net {
#       reverse_proxy origin:3303
#}

#origin.tailnet-c74e.ts.net {
#       reverse_proxy origin:8000
#}

#origin.tailnet-c74e.ts.net {
#       reverse_proxy origin:8001
#}

Thanks in advance to everyone.

2 Likes

Hi, really having the same thing here. Also technically not able to provide a solution but have the big want to have all my services over tailscale behind HTTPS

I’ve been trying to solve the same problem and recently came across GitHub - tailscale/caddy-tailscale: A highly experimental exploration of integrating Tailscale and Caddy. which I plan on giving a try.

tsnet is also promising for Go-based services.

I bodged together a thing that runs each reverse proxy as a separate Tailscale virtual device, so they get their own HTTPS endpoints that way: GitHub - carlmjohnson/tsrproxy: Simple Tailscale reverse proxy.