alezmad/nuc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1aa7ebcde3f66b9ee83234775c55bec7628d8ad4
nuc/.artifacts/2026-02-01_21-35_tailscale-funnel-https.md
Alejandro Gutiérrez 59944e9144 Add infrastructure setup artifacts (Feb 1-3) 
Session notes covering Gitea-Coolify webhook fixes, NocoDB/Vaultwarden
credentials, Stalwart mail server setup, Snappymail config, WhyRating
databases and email, CloudBeaver deployment, and Turbostarter setup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 15:17:04 +01:00

144 lines
4.1 KiB
Markdown
Raw Blame History

# Tailscale Funnel - HTTPS for NUC Services
**Date:** 2026-02-01 21:35
**Context:** Using Tailscale Funnel to expose NUC services with automatic HTTPS
## Why Tailscale Funnel?
| Method | Pros | Cons |
|--------|------|------|
| **Tailscale Funnel** | No ports on router, auto HTTPS, handles dynamic IP | Limited to 3 ports |
| Cloudflare Tunnel | Many features, DDoS protection | Spanish ISPs block shared IPs during LaLiga |
| Port forwarding | Full control | Exposes router, needs DDNS, manual certs |
**Key advantage:** Tailscale Funnel works even when Cloudflare IPs are blocked by ISPs.
## Tailscale Container
```bash
# Container name (managed by Coolify)
tailscale-posgwooww0s0c0okssooc4gw
# Execute commands in container
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale <command>"
```
## Funnel Basics
### Supported Ports (ONLY these work)
- **443** - Default HTTPS
- **8443** - Alternate HTTPS
- **10000** - Third option
Any other port will fail with an error.
### Public URL
```
https://nuc-tailscale.tail58f5ad.ts.net[:port]
```
## Commands
### Check Current Status
```bash
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"
```
### Expose a Service (Background)
```bash
# Port 443 (default) - expose Homepage
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg http://192.168.1.3:3000"
# Port 8443 - expose Vaultwarden
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=8443 http://192.168.1.3:8222"
# Port 10000 - expose another service
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=10000 http://192.168.1.3:8080"
```
### Stop a Funnel
```bash
# Stop port 443
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=443 off"
# Stop port 8443
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=8443 off"
```
### Reset All Funnels
```bash
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel reset"
```
## Current Configuration
```
https://nuc-tailscale.tail58f5ad.ts.net (port 443)
└── / → http://127.0.0.1:3000 (Homepage)
https://nuc-tailscale.tail58f5ad.ts.net:8443
└── / → http://192.168.1.3:8222 (Vaultwarden)
```
## Important Notes
### Use Host IP, Not localhost
When proxying to services outside the Tailscale container:
```bash
# WRONG - localhost refers to inside the container
http://localhost:8222
# CORRECT - use NUC's actual IP
http://192.168.1.3:8222
# ALSO WORKS - if on same Docker network
http://host.docker.internal:8222 # May not resolve in all containers
```
### Persistence
Funnels configured with `--bg` persist until:
- Manually stopped
- Container restart
- Tailscale logout
For true persistence across container restarts, add to Coolify's container startup or use a cron job.
### Services Requiring HTTPS
Some services need HTTPS to function (Web Crypto API):
- **Vaultwarden/Bitwarden** - Password encryption
- **WebAuthn/Passkeys** - Authentication
- **Service Workers** - PWA features
- **Geolocation API** - Location access
## Quick Reference
| Service | Local URL | Funnel Command | Public URL |
|---------|-----------|----------------|------------|
| Homepage | http://192.168.1.3:3000 | `funnel --bg http://192.168.1.3:3000` | https://nuc-tailscale.tail58f5ad.ts.net |
| Vaultwarden | http://192.168.1.3:8222 | `funnel --bg --https=8443 http://192.168.1.3:8222` | https://nuc-tailscale.tail58f5ad.ts.net:8443 |
## Troubleshooting
### "invalid port"
Only ports 443, 8443, 10000 are allowed for Funnel.
### "connection refused"
- Service not running on target port
- Wrong IP (use 192.168.1.3, not localhost)
- Firewall blocking connection
### Funnel not accessible
```bash
# Check if Funnel is enabled on Tailscale admin
# https://login.tailscale.com/admin/machines
# Verify funnel status
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"
```
## Related
- Tailscale Admin: https://login.tailscale.com/admin/machines
- CLAUDE.md: Public Access & Security Architecture section
- Vaultwarden credentials: `.artifacts/2026-02-01_21-25_vaultwarden-credentials.md`
Reference in New Issue View Git Blame Copy Permalink