- I have an ubuntu server
- That is running tailscale
- It is also running docker
- In docker I’m running Traefik reverse proxy
What I Want To Achieve
I want to be able to expose services in traefik and control wether or not they are publically available or only available via the tailscale vpn network.
So I wan´t to create 4 entrypoints in traefik
- web # Listens to port 80 on all interface, i.e. "is public" - websecure # Listens to port 443 on all interface, i.e. "is public" - vpnweb # Listens to port 80 on my vpn interface, i.e. "only on my servers tailscale ip" - vpnwebsecure # Listens to port 443 on my vpn interface, i.e. "only on my servers tailscale ip"
What I Have Tried
I tried binding the ports to docker (
traefik: image: traefik:v2.9 ports: # The HTTP port on tailscale vpn - "100.112.44.28:80:80" # The HTTPS port on tailscale vpn - "100.112.44.28:443:443" # The HTTP port - "80:80" # The HTTPS port - "443:443"
Then specifying the entrypoints in
entryPoints: # Listen on the tailscale subnet vpnweb: address: "100.112.44.28:80" vpnwebsecure: address: "100.112.44.28:443" # Public endpoints web: address: :80 websecure: address: :443
When I start docker I get the following error:
Error response from daemon: driver failed programming external connectivity on endpoint rduce-server-traefik-1 (3aa39971ba9b083e56791d3bb8def68d22e18421a1679f28c5f1847dc28d9ff5): Error starting userland proxy: listen tcp4 100.112.44.28:443: bind: address already in use
and if I check the usage of port 443 I get
❯ sudo lsof -i:443 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME tailscale 3416 root 10u IPv4 1507921 0t0 TCP myserver.localdomain:42230->ec2-34-229-201-48.compute-1.amazonaws.com:https (ESTABLISHED) tailscale 3416 root 36u IPv4 1457760 0t0 TCP myserver.localdomain:37714->derp4g.tailscale.com:https (ESTABLISHED)
and if I check the usage of port 80 I get
❯ sudo lsof -i:80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME tailscale 3416 root 28u IPv4 948209 0t0 TCP myserver.localdomain:51832->ec2-18-193-255-254.eu-central-1.compute.amazonaws.com:http (ESTABLISHED)
If I check
tailscale status it tells me the server is idle and my desktop connection is
direct and no DERP relay is used.
100.112.44.28 myserver andre@ linux idle; offers exit node 100.105.249.65 mydesktop andre@ windows active; direct 192.168.1.123:41641, tx 17862768 rx 2429328
- Why is tailscale using these ports when there are no derp involved?
- I post it here instead of at the Traefik forum since the docker would be blocked no matter what reverse proxy I would have chosen
- Why can I export port :80 and :443 on all interfaces, but when I pick specific ones I get a conflict?
- Am I approaching this the wrong way? I see that the Traefik beta of v3 contains some integration between Traefik and Tailscale
- What can I do to achieve my goal stated above?