jlelse’s Blog

Thoughts, stories and ideas

Private diary with GoBlog and Tailscale

Published on in 👨‍💻 Dev
Short link: https://b.jlel.se/s/4b9
Share online Translate

Yesterday I wrote about Tailscale. Really cool service! And I’m a little bit obsessed with it, too. Now that I have connected my devices to a network, I had the idea to make my GoBlog diary available only via Tailscale instead of a public domain.

Since I had to spend half the day trying to figure out how this could work, I would like to present my - actually quite simple - solution here.

All services on my server run in Docker containers. This includes GoBlog for my website, my blog and my diary. As a reverse proxy I use Caddy so far. The containers all run in a network and Caddy listens to ports 80 and 443 and forwards the requests to the appropriate container depending on the host of the request.

So instead of forwarding the request using Caddy, I wanted to run Tailscale in a container and have requests forwarded to my diary GoBlog instance.

Since some versions Tailscale supports a mode to run only in userspace. This means that it is no longer necessary to give the container additional rights. Tailscale then connects to the application via a SOCKS5 proxy. Many applications already automatically support the environment variable ALL_PROXY to work via a proxy.

The Docker Compose configuration looks like this:

version: "3"
services:
  goblog:
    container_name: goblog
    image: rg.fr-par.scw.cloud/jlelse/goblog
    restart: unless-stopped
    volumes:
        - ./config:/app/config
        - ./data:/app/data
    environment:
        - TZ=Europe/Berlin
        - ALL_PROXY=socks5://localhost:1055/
    network_mode: service:tailscale
  tailscale:
    hostname: goblogtest
    container_name: tailscale
    image: shaynesweeney/tailscale
    command: tailscaled --tun=userspace-networking --socks5-server=localhost:1055
    volumes:
      - ./tailscale:/var/lib

Now really only I can access my diary and if it should ever happen that I introduce a security hole in GoBlog and someone is able to exploit it, then the danger that my private entries will be exposed is significantly lower.

Tags:

Jan-Lukas Else
Interactions & Comments