HTTPS: is there a built-in reverse proxy to map HTTPS to HTTP?

Lieven · September 12, 2022, 9:41am

Hello,

I am building a setup where we share a web server with HTTP interface in our team via tailscale. The server is only accessible on the tailscale network, but of course I want to ensure that team members can access the server via HTTPS using the MagicDNS feature tailscale provides.

For this purpose I have created a docker compose file that creates two containers, one with the aplication server, and one with the tailscale client running in ‘userspace’ mode.

For HTTPS access I have enabled the feature in the settings panel, and after generating the certificates and adding those to the application server I can access the web interface over HTTPS as expected.

However, in order to get this to work I had to configure the web server to run an actual HTTPS server on port 443, and I had to share the certificate files between the tailscale container and the web application.

The reason I am creating this topic: in the documentation on enabling HTTPS it is stated:

If you obtain a TLS certificate for a node using MagicDNS, it will be 
accessible at both https://machine-name.domain-alias.ts.net, using 
HTTPS, and also at http://machine-name, without HTTPS but using 
MagicDNS as a DNS nameserver.

This would mean that tailscale itself would reverse proxy the HTTPS requests to the HTTP port of the webserver and handle the certificates. This would be great if it would work this way, because then the tailscale daemon can take care of renewing the certificates without need to interact with other applications. The application in this case only needs to provide a plain HTTP interface.

Am I missing something to allow my setup to work like it is stated in the documentation, or is the documentation talking about future features of tailscale?

Side note: I tried the same on a computer without the docker involved using a simple web server and a system-installed tailscale client and the behaviour is identical: there is no link between an HTTP server running on a host and HTTPS access via magic DNS and the fully qualified domain name.

Thanks for any insights,
Lieven.

Lieven · October 1, 2022, 12:39pm

Hello,

just as an update, the people from support tell me:

You can use Caddy as the reverse proxy. It has built-in support for Tailscale SSL certificiates. We have some more information about that here: Use Caddy to manage Tailscale HTTPS certificates · Tailscale

Best regards,
Lieven

kayvan · October 5, 2022, 2:30am

See this part of my doc for setting up VSCode Web and Tailscale:

Lieven · October 5, 2022, 1:28pm

Hello @kayvan,

thanks for the link. I have setup a docker container based on the official Tailscale image with Caddy integrated to implement the automatic certificate fetching.

I wrote down the details on github and the docker image is available on docker hub.

Kind regards,
Lieven.

Topic		Replies	Views
HTTPS for multiple services on a single machine Linux	3	2683	April 26, 2023
SSL + magic DNS ideas? Tailscale About articles (troubleshooting, info)	1	2283	March 20, 2021
Can't connect by domain alias	7	1400	May 11, 2022
[SOLVED] Custom sub domain routing through Tailscale with SSL SUPPORT QUESTIONS	4	4396	October 20, 2022
Ability to use DNS-over-HTTPS and Tailscale on ChromeOS recently broken SUPPORT QUESTIONS	1	584	September 3, 2022

HTTPS: is there a built-in reverse proxy to map HTTPS to HTTP?

Related Topics