Jan-Lukas Else

Thoughts of an IT expert

Private diary with GoBlog and Tailscale

Published on in 👨‍💻 Dev
Updated on
Short link: https://b.jlel.se/s/4b9
⚠️ This entry is already over one year old. It may no longer be up to date. Opinions may have changed.

Yesterday I wrote about Tailscale. Really cool service! And I’m a little bit obsessed with it, too. Now that I have connected my devices to a network, I had the idea to make my GoBlog diary available only via Tailscale instead of a public domain.

Since I had to spend half the day trying to figure out how this could work, I would like to present my - actually quite simple - solution here.

All services on my server run in Docker containers. This includes GoBlog for my website, my blog and my diary. As a reverse proxy I use Caddy so far. The containers all run in a network and Caddy listens to ports 80 and 443 and forwards the requests to the appropriate container depending on the host of the request.

So instead of forwarding the request using Caddy, I wanted to run Tailscale in a container and have requests forwarded to my diary GoBlog instance.

Since some versions Tailscale supports a mode to run only in userspace. This means that it is no longer necessary to give the container additional rights. Tailscale then connects to the application via a SOCKS5 proxy. Many applications already automatically support the environment variable ALL_PROXY to work via a proxy.

The Docker Compose configuration looks like this:

version: "3"
    container_name: goblog
    image: rg.fr-par.scw.cloud/jlelse/goblog
    restart: unless-stopped
        - ./config:/app/config
        - ./data:/app/data
        - TZ=Europe/Berlin
        - ALL_PROXY=socks5://localhost:1055/
    network_mode: service:tailscale
    hostname: goblogtest
    container_name: tailscale
    image: shaynesweeney/tailscale
    command: tailscaled --tun=userspace-networking --socks5-server=localhost:1055
      - ./tailscale:/var/lib

Now really only I can access my diary and if it should ever happen that I introduce a security hole in GoBlog and someone is able to exploit it, then the danger that my private entries will be exposed is significantly lower.

Update: How to deploy the diary with HTTPS I described on the GoBlog blog.

Tags: ,

Jan-Lukas Else
Interactions & Comments