tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

FR: Enhance the funnel to allow all https traffic #8246

Open stuffa opened 1 year ago

stuffa commented 1 year ago

What are you trying to do?

I want to self-host a service like CapRover or Coolify. Both provide their own reverse proxy, so I do not want to use the one provided by the tailscale proxy. Both manage Let's Encrypt certificates, so I don't want tailscale to manage the certificates. I just want https requests routed to port 443 on the server on tailscale. I want to be able to CNAME *.mydomain.com to the tailscale DNS name so that Let's Encrypt verification works. All tcp:443 packets arrive at the server. I would have thought that running "tailscale serve tcp:443 tcp://localhost:443" would do this, but no. It will only pass the one SNI domain (the tailscale domain).

How should we solve this?

When I enable a funnel, allow me to pass the RHS (Right Hand Side) of the SNI domain I want to use. For security, do a DNS lookup to check that the SNI specified points (CNAME) to the tailscale DNS name for the server I am using. Then pass anything that matches *.mySNIdomain.

i.e.:

tailscale serve tcp:443 tcp://localhost:443
tailscale funnel 443 mySNIdomain on

would allow "https://*.mySNIdomain" to the server (note the wildcard)

In order to service the issuing of a Let's Encrypt certificate, the tailscale funnel would also need to permit port 80 (http) to the SNI domain only, i.e. http://mySNIdomain, so that we can prove ownership of the domain to Let's Encrypt. If you are concerned about security you can limit this to a file at the root and a GET request.

Now I can reach all the services I host on the server: wiki.SNIdomain, forms.mySNIdomain, mail.mySNIdomain, etc.

What is the impact of not solving this?

Non-Tailscale users can reach a self-hosted server behind CGNAT, double NAT, any number of NATs. Any number of services can be hosted on the server. As new services are added, no extra tailscale config needs to be added.

Anything else?

No response

DentonGentry commented 1 year ago

If you have the domain name and the certificate, it seems like a hosting provider would be a reasonable way to handle the service.

stuffa commented 1 year ago

I run an 8 Meg RPi4 with a 1 TB SSD drive. It runs a bunch of services that are used infrequently; it is too expensive to have this up on a hosting provider all the time. As I develop new apps or containers I just push them to CapRover or Coolify on the RPi, and CapRover and Coolify generate a new certificate when needed, and it can be accessed. I used to run this in the past, but now my ISP uses double NAT, so I can't access it any longer from the internet. And the allocation of Let's Encrypt certificates also fails.
I already use tailscale to reach the server, and funnel looked promising, but it's not quite there yet; it needs more features. Hoppy Networks looks like it may do the job. I will probably try that next, but it adds another US$80 a year to my IT budget for only one small service. I might be better off building and managing my own tunnel via a hosting provider, as then I have a host that is up all the time and costs less and a fixed IPv4 address.

normanr commented 1 year ago

Another way to think of this would be as "bring your own domain/hostnames". If the hostname were set up as a CNAME to the tailnet hostname, then the funnel proxy could resolve the tailnet hostname pretty easily. I'm guessing that there would need to be a double-check to stop random hostnames being set to one of your tailnet hostnames, so maybe something like #1543 (and then this sounds very similar to #7650 - although that request isn't for funnel requests).
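
The "double-check" described in the request and in the comment above amounts to two gates before the ingress forwards a connection: the custom hostname must CNAME to this node's tailnet name, and the SNI the client presents must fall under the registered domain. The following is an added illustration, not code from Tailscale or from anyone in this thread; the names `wiki.example.com`, `node.tail1234.ts.net`, and the function names are hypothetical. It walks the CNAME chain with a hop limit and loop detection and fails closed on any outcome other than reaching the expected tailnet name, and the SNI check uses a dot-anchored suffix so `example.com.evil.net` cannot pass for `example.com`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// CNAMELookup resolves one CNAME hop for host. An empty result, or the
// host itself, means there is no CNAME record.
type CNAMELookup func(ctx context.Context, host string) (string, error)

// maxCNAMEHops bounds the chain walk so a hostile zone cannot make us loop.
const maxCNAMEHops = 8

// canon lower-cases a name and strips whitespace and the trailing dot so
// "WIKI.example.com." and "wiki.example.com" compare equal.
func canon(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// VerifyCNAMEDelegation walks the CNAME chain starting at customHost and
// returns nil only if it reaches tailnetHost. Any other outcome (no CNAME,
// chain ends elsewhere, loop, too many hops) is an error, so the caller
// fails closed.
func VerifyCNAMEDelegation(ctx context.Context, lookup CNAMELookup, customHost, tailnetHost string) error {
	target := canon(tailnetHost)
	cur := canon(customHost)
	if cur == "" || target == "" {
		return errors.New("empty hostname")
	}
	seen := map[string]bool{}
	for hop := 0; hop < maxCNAMEHops; hop++ {
		if seen[cur] {
			return fmt.Errorf("CNAME loop at %q", cur)
		}
		seen[cur] = true
		next, err := lookup(ctx, cur)
		if err != nil {
			return fmt.Errorf("lookup %q: %w", cur, err)
		}
		next = canon(next)
		if next == "" || next == cur {
			return fmt.Errorf("%q does not CNAME to %q (chain ends at %q)", customHost, tailnetHost, cur)
		}
		if next == target {
			return nil
		}
		cur = next
	}
	return fmt.Errorf("more than %d CNAME hops from %q", maxCNAMEHops, customHost)
}

// AllowSNI reports whether a TLS SNI value is the registered domain itself or
// a subdomain of it. Matching on "." + domain stops "example.com.evil.net"
// and "notexample.com" from matching "example.com".
func AllowSNI(sni, registeredDomain string) bool {
	s, d := canon(sni), canon(registeredDomain)
	if s == "" || d == "" {
		return false
	}
	return s == d || strings.HasSuffix(s, "."+d)
}

// StaticZone is an in-memory CNAMELookup for tests and offline demos.
func StaticZone(records map[string]string) CNAMELookup {
	return func(_ context.Context, host string) (string, error) {
		return records[canon(host)], nil
	}
}

// SystemCNAME adapts net.Resolver to CNAMELookup. LookupCNAME already
// follows the whole chain and returns the canonical name (the host itself
// when no CNAME exists), so with this adapter the walk above finishes in one hop.
func SystemCNAME(r *net.Resolver) CNAMELookup {
	return func(ctx context.Context, host string) (string, error) {
		return r.LookupCNAME(ctx, host)
	}
}

func main() {
	// Constructed sample zone; node.tail1234.ts.net is a placeholder tailnet name.
	zone := StaticZone(map[string]string{
		"wiki.example.com": "node.tail1234.ts.net",
	})
	err := VerifyCNAMEDelegation(context.Background(), zone, "wiki.example.com", "node.tail1234.ts.net")
	fmt.Println("delegation verified:", err == nil)
	fmt.Println("SNI mail.example.com allowed for example.com:", AllowSNI("mail.example.com", "example.com"))
}
```

In production the lookup should go through a resolver the ingress trusts (DNSSEC-validating or an operator-chosen recursive resolver), and the result should be re-checked on a timer rather than once at setup, since the domain owner can repoint the CNAME at any time.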

halfninja commented 12 months ago

I'd like to be able to have a CNAME (added to my external DNS provider) point to my abc.x-y.ts.net name and for Funnel to handle the certificate issuing (with a double-check as you mention).

ai-Ev1lC0rP commented 9 months ago

Did you get this working?

It seems like a funnel rule once you have the CNAME set.

I have the SSL working via nginx on another machine, and they show that they have valid certs on both CapRover and Coolify... but the certbots keep looping because those certbots aren't issuing the certs... and I'm working through those mitigation steps now. I honestly think I can get them working through either a funnel or ssh rule (for Coolify anyway). CapRover is rigid ASF in the server config. I'm new(er) to Tailscale but this seems like a legit service. This use case is specifically what I wanted it for.

halfninja commented 9 months ago

I just got a VM running as a node on which I am running Caddy to get the cert and reverse-proxy to the Tailscale IP of my laptop. The VM can be pretty small; it just needs a public IP (and be either static or have a stable name you can CNAME to).

ai-Ev1lC0rP commented 8 months ago

It took me a minute to hear what you said, but that's essentially what I ended up doing. Thanks for the response my fellow swashbuckler. I appreciate the time! I ended up changing my DNS to Cloudflare and just simply having it do DNS lookup, not the Cloudflare tunneling, so I can do my own nginx back-end ON a wildcard through tailscale that forces my traffic through an exit node... without having to do the DNS challenge, or poke holes in my firewall...

On a side note, i.e. on the ACME front: even though it isn't on their officially 'supported' list of auto-renew, and I haven't tested it... I'm going to try to set the variable and test later on. I think I can set that API key as a variable and then set the http challenge to dns_01 challenge and it SHOULD use that file as long as I have it in the same syntax that the env variable is expecting. *You could always hard code it in but ... nah.

beatgammit commented 5 months ago

I would like this as well, but I'd like to forward arbitrary ports to internal services. Some stuff I'd like to host:

I would be okay with a bandwidth cap to prevent abuse and the traffic here should be pretty minimal. Also, due to the niche nature of the request, I think it's reasonable to charge as an add-on service.

I'm behind NAT at the ISP level, so the alternative is a VPS that just port forwards to the tail network. But spinning up and maintaining a VPS just to reverse proxy requests seems like a huge waste. I'm happy managing my own certificates and whatnot, I just need the traffic on those ports to make it to my home network.