Jan-Lukas Else

Thoughts of an IT expert

Private diary with GoBlog and Tailscale

Published on in 👨‍💻 Dev
Updated on
Short link: https://b.jlel.se/s/4b9
⚠️ This entry is already over one year old. It may no longer be up to date. Opinions may have changed.

Yesterday I wrote about Tailscale. Really cool service! And I'm a little bit obsessed with it, too. Now that my devices are connected to a tailnet, I had the idea of making my GoBlog diary available only via Tailscale instead of on a public domain.

Since I spent half a day figuring out how this could work, I want to present my solution here. It is actually quite simple.

All services on my server run in Docker containers, including the GoBlog instances for my website, my blog and my diary. So far I have used Caddy as the reverse proxy: all containers share one Docker network, Caddy listens on ports 80 and 443 and forwards each request to the appropriate container based on the request's Host header.

For the diary I wanted to bypass Caddy entirely: run Tailscale in a container and have requests arriving over the tailnet forwarded to the diary's GoBlog instance, so that the diary never gets a public listener at all.

For some versions now, Tailscale has supported a userspace networking mode (tailscaled --tun=userspace-networking). In this mode tailscaled needs no TUN device, so the container runs without extra privileges such as NET_ADMIN or access to /dev/net/tun. Incoming connections to the node's Tailscale address are delivered to the loopback interface of the network namespace tailscaled runs in, which is why GoBlog shares that namespace in the configuration below. In the other direction the application cannot dial other tailnet nodes on its own; for that tailscaled exposes a SOCKS5 proxy (--socks5-server), and many applications pick it up automatically through the ALL_PROXY environment variable.

The Docker Compose configuration looks like this (note that neither service publishes any ports, so the diary is not reachable on the server's public interfaces):

version: "3"
services:
  goblog:
    container_name: goblog
    image: rg.fr-par.scw.cloud/jlelse/goblog
    restart: unless-stopped
    volumes:
      - ./config:/app/config
      - ./data:/app/data
    environment:
      - TZ=Europe/Berlin
      # Outbound connections from GoBlog to other tailnet nodes go through
      # the SOCKS5 proxy that tailscaled exposes on the shared loopback.
      - ALL_PROXY=socks5://localhost:1055/
    # Share the tailscale container's network namespace: GoBlog's port is then
    # only reachable through the tailscale node, no "ports:" are published.
    network_mode: service:tailscale
  tailscale:
    # The node name in the tailnet (and its MagicDNS name) is taken from the hostname.
    hostname: goblogtest
    container_name: tailscale
    image: shaynesweeney/tailscale
    # Userspace networking: no TUN device and no NET_ADMIN capability needed.
    command: tailscaled --tun=userspace-networking --socks5-server=localhost:1055
    volumes:
      # Persist the node's keys and state so it does not have to log in again after a restart.
      - ./tailscale:/var/lib
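The steps to bring this stack up and to confirm that the diary answers over the tailnet only, as an added example that is not from the original post and not part of GoBlog or Tailscale. It assumes the docker compose plugin, that the shaynesweeney/tailscale image ships the tailscale CLI, that GoBlog listens on port 8080 inside the shared namespace, and a PUBLIC_IP variable holding the server's public address; none of these are stated on the page.

```shell
#!/bin/sh
# Added example, not part of the original post: bring the stack up, authenticate
# the tailscale node once, and verify that the diary answers on the tailnet only.
# Assumptions not stated on the page: the compose file is ./docker-compose.yml,
# the image ships the "tailscale" CLI, GoBlog listens on port 8080 inside the
# shared namespace, and the reachability check runs from another tailnet device.
set -eu

COMPOSE_FILE=${COMPOSE_FILE:-docker-compose.yml}
GOBLOG_PORT=${GOBLOG_PORT:-8080}      # assumption: GoBlog's listening port
NODE=${NODE:-goblogtest}              # hostname from the compose file (MagicDNS name)

# Returns 0 if the compose file publishes host ports for any service.
# A "ports:" entry on goblog or tailscale would expose the diary on the
# server's public interfaces and defeat the tailnet-only setup.
compose_publishes_ports() {
    grep -Eq '^[[:space:]]+ports:' "$1"
}

# Returns 0 if the compose file puts goblog into the tailscale container's
# network namespace, which is what makes it reachable through the tailscale node.
compose_shares_namespace() {
    grep -Eq '^[[:space:]]+network_mode:[[:space:]]*service:tailscale' "$1"
}

deploy() {
    if compose_publishes_ports "$COMPOSE_FILE"; then
        echo "refusing to deploy: $COMPOSE_FILE publishes host ports" >&2
        return 1
    fi
    compose_shares_namespace "$COMPOSE_FILE" || {
        echo "goblog must use network_mode: service:tailscale" >&2
        return 1
    }
    docker compose -f "$COMPOSE_FILE" up -d
    # One-time login: prints an auth URL to approve the node in the admin console.
    # The node state persists in ./tailscale, so later restarts need no new login.
    docker exec tailscale tailscale up
    docker exec tailscale tailscale ip -4
}

# Run from a different device on the tailnet: the MagicDNS name must answer,
# while the server's public address (PUBLIC_IP) must not.
check_reachability() {
    curl -fsS -o /dev/null --max-time 5 "http://$NODE:$GOBLOG_PORT/" \
        && echo "diary reachable over the tailnet"
    if curl -fsS -o /dev/null --max-time 5 "http://${PUBLIC_IP:?set PUBLIC_IP}:$GOBLOG_PORT/"; then
        echo "WARNING: diary is reachable on the public address" >&2
        return 1
    fi
    echo "diary not reachable on the public address (as intended)"
}

case "${1:-}" in
    deploy) deploy ;;
    check)  check_reachability ;;
esac
```

Run it as "sh deploy.sh deploy" on the server and "PUBLIC_IP=203.0.113.10 sh deploy.sh check" from another device on the tailnet. The two grep checks are deliberately strict: a single published port is all it takes to put the diary back on the public internet, so the script refuses to start the stack in that case.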

Now only devices on my tailnet can reach the diary. If I ever introduce a security hole in GoBlog and someone manages to exploit it, the risk of my private entries being exposed is far smaller, because an attacker first has to get onto my tailnet. One thing to keep in mind: GoBlog still listens inside the shared network namespace, so any other container attached to the same Docker network as the tailscale service could reach it directly. Keeping this stack in its own Compose project with its own default network, as above, avoids that.

Update: I described how to serve the diary over HTTPS on the GoBlog blog.
