Private diary with GoBlog and Tailscale
Yesterday I wrote about Tailscale. Really cool service! And I’m a little bit obsessed with it, too. Now that I have connected my devices to a network, I had the idea to make my GoBlog diary available only via Tailscale instead of a public domain.
Since I had to spend half the day trying to figure out how this could work, I would like to present my - actually quite simple - solution here.
All services on my server run in Docker containers. This includes GoBlog for my website, my blog and my diary. So far I have used Caddy as a reverse proxy: the containers all run in a shared Docker network, and Caddy listens on ports 80 and 443 and forwards each request to the appropriate container depending on the request's host header.
So instead of having Caddy forward the requests, I wanted to run Tailscale in a container and have it forward requests to the GoBlog instance for my diary.
For some versions now, Tailscale has supported a mode that runs entirely in userspace. This means it is no longer necessary to give the container additional privileges (such as a TUN device). The application then reaches the Tailscale network through a SOCKS5 proxy that tailscaled provides. Many applications already honour the ALL_PROXY environment variable automatically and will route their traffic through that proxy.
The Docker Compose configuration looks like this:
version: "3"
services:
  goblog:
    container_name: goblog
    image: rg.fr-par.scw.cloud/jlelse/goblog
    restart: unless-stopped
    volumes:
      - ./config:/app/config
      - ./data:/app/data
    environment:
      - TZ=Europe/Berlin
      - ALL_PROXY=socks5://localhost:1055/
    network_mode: service:tailscale
  tailscale:
    hostname: goblogtest
    container_name: tailscale
    image: shaynesweeney/tailscale
    command: tailscaled --tun=userspace-networking --socks5-server=localhost:1055
    volumes:
      - ./tailscale:/var/lib
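The whole point of this layout is that the diary has no path to the outside except through the tailscale sidecar, and that is easy to break later by adding a ports entry or dropping network_mode. As an added example (not part of the original post or of GoBlog), here is a small check that walks a Compose definition and verifies the four properties the setup relies on: the app shares the sidecar's network namespace, no ports are published on the host, tailscaled runs in userspace mode with a SOCKS5 server, and ALL_PROXY points at that server. The Compose files are represented as Python dicts (what yaml.safe_load would return), so it runs without PyYAML or Docker; both definitions are constructed for this example, and the "exposed" one is a deliberately weakened variant, not a configuration from the post.

```python
"""Check that a Compose service is reachable only through a Tailscale sidecar
running in userspace-networking mode, as in the GoBlog diary setup above.

Compose files are given as dicts (the shape yaml.safe_load returns) so the
check runs offline. Both definitions below are constructed for this example."""
from urllib.parse import urlparse

# Constructed: the private-diary layout (shared namespace, no published ports).
PRIVATE = {
    "services": {
        "goblog": {
            "image": "rg.fr-par.scw.cloud/jlelse/goblog",
            "environment": ["TZ=Europe/Berlin", "ALL_PROXY=socks5://localhost:1055/"],
            "network_mode": "service:tailscale",
        },
        "tailscale": {
            "image": "shaynesweeney/tailscale",
            "command": "tailscaled --tun=userspace-networking --socks5-server=localhost:1055",
        },
    }
}

# Constructed weak variant: the app got its own network and a published port,
# so it is reachable from the host's public interface, bypassing Tailscale.
EXPOSED = {
    "services": {
        "goblog": {
            "image": "rg.fr-par.scw.cloud/jlelse/goblog",
            "ports": ["80:80"],
            "environment": ["ALL_PROXY=socks5://localhost:1055/"],
        },
        "tailscale": PRIVATE["services"]["tailscale"],
    }
}


def _env(service):
    """Normalise a Compose environment (list of KEY=VALUE or mapping) to a dict."""
    env = service.get("environment", {})
    if isinstance(env, dict):
        return dict(env)
    return dict(item.split("=", 1) for item in env)


def _argv(service):
    """Return the service command as a list of arguments."""
    cmd = service.get("command", [])
    return cmd.split() if isinstance(cmd, str) else list(cmd)


def check_tailnet_only(compose, app="goblog", sidecar="tailscale"):
    """Return a list of findings; an empty list means the app is only reachable
    through the Tailscale sidecar."""
    services = compose.get("services", {})
    app_svc, side_svc = services.get(app), services.get(sidecar)
    if app_svc is None or side_svc is None:
        return [f"missing service: {app if app_svc is None else sidecar}"]
    findings = []

    # 1. The app must share the sidecar's network namespace, not get its own.
    if app_svc.get("network_mode") != f"service:{sidecar}":
        findings.append(f"{app}: network_mode must be service:{sidecar}")

    # 2. Neither container may publish ports on the host (that bypasses Tailscale).
    for name, svc in ((app, app_svc), (sidecar, side_svc)):
        if svc.get("ports"):
            findings.append(f"{name}: published ports {svc['ports']} expose the service on the host")

    # 3. The sidecar must run tailscaled in userspace mode with a SOCKS5 listener.
    argv = _argv(side_svc)
    if "--tun=userspace-networking" not in argv:
        findings.append(f"{sidecar}: tailscaled is not in userspace-networking mode")
    socks = [a.split("=", 1)[1] for a in argv if a.startswith("--socks5-server=")]
    if not socks:
        findings.append(f"{sidecar}: no --socks5-server configured")

    # 4. ALL_PROXY in the app must point at exactly that SOCKS5 listener.
    proxy = urlparse(_env(app_svc).get("ALL_PROXY", ""))
    if proxy.scheme not in ("socks5", "socks5h"):
        findings.append(f"{app}: ALL_PROXY must be a socks5:// URL")
    elif socks and f"{proxy.hostname}:{proxy.port}" != socks[0]:
        findings.append(f"{app}: ALL_PROXY {proxy.netloc} does not match --socks5-server={socks[0]}")
    return findings


if __name__ == "__main__":
    for label, compose in (("private", PRIVATE), ("exposed", EXPOSED)):
        print(label, check_tailnet_only(compose) or "OK")
```

Running it prints "OK" for the private layout and two findings for the exposed one (wrong network_mode and a published port). To use it on a real file, load it with yaml.safe_load and pass the result to check_tailnet_only; the check deliberately flags published ports on the sidecar too, because with network_mode: service:tailscale both containers share one network namespace.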
Now only I can really access my diary, and if I ever introduce a security hole in GoBlog that someone manages to exploit, the risk of my private entries being exposed is significantly lower.
Tags: GoBlog Tailscale