tailscale / caddy-tailscale

A highly experimental exploration of integrating Tailscale and Caddy.
Apache License 2.0

Caddyfile fails to load when a hostname is specified #21

Closed adamlesinski closed 3 months ago

adamlesinski commented 12 months ago

My goal is to host a web service behind tailscale, and leverage tailscale's ability to know which user is connecting as an auth mechanism.

I want my service, running as tailscale device my-node, to be accessible over a custom domain name foo.bar.com (placeholder). Once the node is registered with tailscale, I want to set the DNS A record for foo.bar.com to point at my-node's tailscale IP.

I have the following Caddyfile:

{
    order tailscale_auth after basicauth
}

foo.bar.com:443 {
    bind tailscale/my-node
    tailscale_auth

    respond "Success!"
}

I generated a TS_AUTHKEY and set it in caddy's environment before running caddy run --config /etc/config/Caddyfile. I get the following error:

Error: loading initial config: loading new config: http app module: start: listen udp 100.97.63.133:443: bind: cannot assign requested address

I tried changing bind tailscale/my-node to bind tailscale/ and got:

Error: loading initial config: loading new config: http app module: start: listening on tailscale/:443: missing port in address

The error goes away when I drop foo.bar.com from the route directive.

adamlesinski commented 12 months ago

Is this related to https://github.com/tailscale/caddy-tailscale#https-support ? I am managing my own certs (using a DNS-specific provider challenge) so I am not relying on tailscale's cert issuance.

willnorris commented 4 months ago

So, we've changed quite a bit in the plugin since you filed this issue, so I'm wondering if you'd be willing to try again. I set up a similar config, and ended up getting the error:

Error: loading initial config: loading new config: http app module: start: starting HTTP/3 QUIC listener: listen udp: lookup caddytest: no such host

Disabling HTTP3 solved it, so I ended up with a config of:

{
  order tailscale_auth after basicauth
  auto_https off
  servers {
    protocols h1 h2
  }
  tailscale {
    ephemeral
  }
}

caddytest.willnorris.net:443 {
  tls domain.cert.pem private.key.pem
  bind tailscale/caddytest
  tailscale_auth
  templates
  respond `Hello, {{placeholder "http.auth.user.id"}}`
}

Note I'm using static TLS cert files rather than using caddy's https support, though I'm not sure that matters for this. So if you get a chance, try again and let me know if you still run into the same issue.

willnorris commented 4 months ago

We've now both fixed our QUIC support and properly hooked into caddy's auto_https feature (see the updated https://github.com/tailscale/caddy-tailscale#https-support), so I think this should work much better now. Give it a try with the latest version when you can and let me know how it goes.

mholt commented 3 months ago

Will, you're crushing it, man

kdevan commented 3 months ago

I have tested this with something like the following and Caddy is booting up and running with no errors.

foo.bar.com:443 {
  bind tailscale/my-node
  tailscale_auth
  templates
  respond `Hello, {{placeholder "http.auth.user.id"}}`
}