I’m using the Caddy forward_auth feature with Tailscale running in a Debian container that launches on Flyio.
Flyio is taking care of assigning an IP address and SSL certificate to the Caddy machine.
The entrypoint for the container looks like this:
#!/bin/sh
# Start the Tailscale daemon in the background, persisting node state so the
# machine keeps its identity across container restarts.
/app/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/var/run/tailscale/tailscaled.sock &
# Retry "tailscale up" until tailscaled has its socket ready; the auth key
# comes from the TAILSCALE_AUTHKEY environment variable.
until /app/tailscale up --authkey="${TAILSCALE_AUTHKEY}" --hostname=caddy
do
  sleep 0.1
done
# Since we can't use systemd with the container I'm calling the binary directly.
# Is there a better way to do this? Is systemd maybe doing something that I'm missing?
# Background the auth helper so Caddy can forward_auth to it over the Unix socket.
/usr/sbin/tailscale.nginx-auth --sockpath /var/run/tailscale.nginx-auth.sock &
# Run Caddy in the foreground as the container's main process.
caddy run --config /config/caddy/caddy.json
This uses an auth token to log in to Tailscale from the Caddy machine. Everything seems to boot up alright, but when I point a domain at the Flyio IP that’s pointing to Caddy and traffic starts to hit the server, I get an error in the Flyio logs that looks like this:
2023-03-01T07:06:35.488 app[328711db600485] sjc [info] 2023/03/01 07:06:35 can't look up 172.16.131.50:41492: 404 Not Found: no match for IP:port
When I look at the Tailscale admin and click on the new Tailscale Caddy machine that’s created, I can see in the endpoints section that 172.16.131.50:40983 shows up there, but the port in the error is different from the port in the endpoint. In subsequent errors for each request to the server, the IP address matches but the port is always a new random port.
2023-03-01T07:34:05.642 app[328711db600485] sjc [info] 2023/03/01 07:34:05 can't look up 172.16.131.50:50432: 404 Not Found: no match for IP:port
2023-03-01T07:38:36.643 app[328711db600485] sjc [info] 2023/03/01 07:38:36 can't look up 172.16.131.50:45097: 404 Not Found: no match for IP:port
2023-03-01T07:40:35.888 app[328711db600485] sjc [info] 2023/03/01 07:40:35 can't look up 172.16.131.50:59723: 404 Not Found: no match for IP:port
Is the mismatched port the possible reason for the error? Is the IP that it’s looking up for each request the right one, one that should be showing up in endpoints?
In Caddy we are passing the http.request.remote.host and http.request.remote.port placeholder values to nginx-auth. Why would the host always be the same IP and the port always be different?
I know this might be an adjustment I need to make with Caddy, but I wanted to check first if my Tailscale setup looks alright.
This is all very new to me and likely some misunderstandings on my part. Any help is appreciated!
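An added diagnostic for the addresses above (my code, not from the original post and not part of Tailscale or Caddy). tailscale.nginx-auth hands the Remote-Addr:Remote-Port pair it receives to Tailscale's WhoIs lookup, and WhoIs can only match an address that belongs to a tailnet node, i.e. one inside Tailscale's own ranges 100.64.0.0/10 and fd7a:115c:a1e0::/48. The code classifies an "ip:port" string the way that lookup would and scans log lines in the shape of the ones in the post; the sample lines are constructed, and the reading that 172.16.131.50 is an RFC 1918 address of a proxy hop in front of Caddy (so every request arrives from a fresh ephemeral source port on that hop) is an assumption for the example, not something the post confirms.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"sort"
)

// Tailscale assigns every node an IPv4 in the CGNAT block 100.64.0.0/10 and an
// IPv6 in fd7a:115c:a1e0::/48. A tailnet WhoIs can only match an address from
// these ranges; anything else yields "no match for IP:port".
var tailscaleRanges = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
}

// RFC 1918 and IPv6 ULA space. An address here usually belongs to a proxy or
// load balancer in front of the server rather than to the end user (assumption).
var privateRanges = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
}

// Verdict says what a tailnet lookup can do with one Remote-Addr:Remote-Port pair.
type Verdict struct {
	Addr    netip.AddrPort
	Tailnet bool // inside Tailscale's ranges, so WhoIs has a chance of matching
	Private bool // RFC 1918 / ULA, most likely an upstream hop, not the client
}

func inAny(ip netip.Addr, ps []netip.Prefix) bool {
	for _, p := range ps {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Classify parses "ip:port" exactly as nginx-auth would receive it and reports
// whether the IP is something a tailnet WhoIs could ever resolve.
func Classify(hostport string) (Verdict, error) {
	ap, err := netip.ParseAddrPort(hostport)
	if err != nil {
		return Verdict{}, fmt.Errorf("remote address %q is not ip:port: %w", hostport, err)
	}
	ip := ap.Addr().Unmap()
	return Verdict{Addr: ap, Tailnet: inAny(ip, tailscaleRanges), Private: inAny(ip, privateRanges)}, nil
}

var lookupRe = regexp.MustCompile(`can't look up (\S+): `)

// ScanLogs extracts the looked-up address from each "can't look up" line and
// groups the distinct ports seen per IP. One IP with a fresh port on every line
// is the signature of a single upstream hop opening a new TCP connection per request.
func ScanLogs(lines []string) map[string][]uint16 {
	seen := map[string]map[uint16]bool{}
	for _, l := range lines {
		m := lookupRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		ap, err := netip.ParseAddrPort(m[1])
		if err != nil {
			continue
		}
		ip := ap.Addr().String()
		if seen[ip] == nil {
			seen[ip] = map[uint16]bool{}
		}
		seen[ip][ap.Port()] = true
	}
	out := map[string][]uint16{}
	for ip, ports := range seen {
		for p := range ports {
			out[ip] = append(out[ip], p)
		}
		sort.Slice(out[ip], func(i, j int) bool { return out[ip][i] < out[ip][j] })
	}
	return out
}

// SampleLogs is a constructed sample in the same shape as the log lines in the post.
var SampleLogs = []string{
	`2023/03/01 07:06:35 can't look up 172.16.131.50:41492: 404 Not Found: no match for IP:port`,
	`2023/03/01 07:34:05 can't look up 172.16.131.50:50432: 404 Not Found: no match for IP:port`,
	`2023/03/01 07:38:36 can't look up 172.16.131.50:45097: 404 Not Found: no match for IP:port`,
	`2023/03/01 07:40:35 can't look up 172.16.131.50:59723: 404 Not Found: no match for IP:port`,
	`2023/03/01 07:40:36 some unrelated line that the scanner must skip`,
}

func main() {
	for ip, ports := range ScanLogs(SampleLogs) {
		v, err := Classify(netip.AddrPortFrom(netip.MustParseAddr(ip), ports[0]).String())
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s: %d distinct ports, tailnet=%v private=%v\n", ip, len(ports), v.Tailnet, v.Private)
	}
}
```

If the address Caddy forwards is never in a Tailscale range, the lookup cannot succeed regardless of the port, so the thing to check on the Caddy side is which hop the placeholders actually describe.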