Docker Compose Questions #15

Open
wbste opened this issue Oct 28, 2024 · 0 comments


wbste commented Oct 28, 2024

Hey, thanks for the great write-up and docs! I have a few questions. Take the below for example. Currently this docker compose setup is accessible via https/443 AND http/80 (due to network_mode: service I assume). Most (all?) docker images seem to listen on 0.0.0.0, and changing that to 127.0.0.1 should prevent access over the tailscale network, but I'm trying to expose the container both within my LAN and on the tailnet.

```yaml
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: draw
    environment:
      - TS_AUTHKEY=tskey-auth-KEYHERE
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_SERVE_CONFIG=/config/serveconfig.json
    volumes:
      - ./tailscale/state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
      - ./serveconfig:/config
    cap_add:
      - net_admin
      - sys_module
    ports:
      - '4000:80'
    restart: unless-stopped
  excalidraw:
    container_name: excalidraw
    image: excalidraw/excalidraw:latest
    restart: unless-stopped
    network_mode: service:tailscale
    depends_on:
      - tailscale
```

and the serveconfig.json is as follows...

```json
{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://127.0.0.1:80"
        }
      }
    }
  }
}
```

  1. Is there a security concern on the host side, if I add a tunnel to this, now that I expose port 80?
  2. Likewise, is it possible, even if only exposed on my tailnet, to not expose port 80?

Basically I only want to allow access to https://draw.[ts_name].ts.net, regardless of funnel being on or off. Or at least redirect to https/443?
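One check that helps answer the question above, added here as an example (it is not from the issue author or the Tailscale project): classify the TCP listeners inside the shared network namespace by bind address, so you can see whether the app on port 80 is reachable from the tailscale interface (wildcard bind) or only through the serve proxy on loopback. It assumes `ss` is available in the app image; the `ss -ltnH` lines below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Reads `ss -ltnH` output on stdin. Wildcard listeners (0.0.0.0, [::], *) are
# reported as EXPOSED unless their port is in the allow-list passed as
# arguments (e.g. the HTTPS port that tailscale serve terminates itself);
# loopback-bound listeners are reported as LOCAL.
# In practice: docker exec excalidraw ss -ltnH | check_wildcard_listeners 443
check_wildcard_listeners() {
  awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      # ss -ltnH columns: State Recv-Q Send-Q Local:Port Peer:Port
      laddr = $4
      port = laddr; sub(/.*:/, "", port)
      addr = laddr; sub(/:[^:]*$/, "", addr)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
        if (port in ok) print "ALLOWED " laddr
        else print "EXPOSED " laddr
      } else {
        print "LOCAL " laddr
      }
    }'
}

# Count EXPOSED lines for a given ss dump ($1) and allow-list ($2...).
exposed_count() {
  dump=$1; shift
  printf '%s\n' "$dump" | check_wildcard_listeners "$@" | grep -c '^EXPOSED' || true
}

# Constructed sample: the compose setup from the issue, app bound to 0.0.0.0:80
# in the namespace it shares with tailscaled (sample data, not a real capture).
SAMPLE_WILDCARD='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 128 127.0.0.1:41112 0.0.0.0:*'

# Constructed sample: same setup after the app is rebound to 127.0.0.1, so
# only the serve proxy at http://127.0.0.1:80 can reach it.
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:41112 0.0.0.0:*'
```

Running `exposed_count "$SAMPLE_WILDCARD" 443` reports two exposed listeners on port 80, while the loopback sample reports none.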
