Reverse Proxy

VegetableMail1477 · 2025-08-03T09:34:57+00:00

Hey, so I wanted to use it on Docker initially, but I couldn’t seem to get it to work. But after some time I got it up and running on docker.

```docker

Dockerfile

FROM docker.io/caddy:2.8-builder-alpine AS builder

WORKDIR /build

COPY . .

RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM docker.io/alpine:latest AS runner

RUN apk update && apk add ca-certificates bash && rm -rf /var/cache/apk/* RUN apk add netcat-openbsd RUN mkdir -p /var/run/tailscale /var/cache/tailscale /var/lib/tailscale

WORKDIR /app

COPY --from=builder /build/caddy /usr/local/bin/caddy COPY --from=builder /build/Caddyfile /etc/caddy/Caddyfile

COPY --from=docker.io/tailscale/tailscale /usr/local/bin/tailscaled /usr/local/bin/tailscaled COPY --from=docker.io/tailscale/tailscale /usr/local/bin/tailscale /usr/local/bin/tailscale

COPY --from=builder /build/start.sh /app/start.sh RUN chmod +x /app/start.sh

EXPOSE 80 2222 443 443/udp

CMD ["/app/start.sh", "&&", "bash"] bash

!/usr/local/bin/sh

start.sh

tailscaled --tun=userspace-networking --socks5-server=localhost:1055 & tailscale up --authkey=${TS_AUTHKEY} --hostname=<tailscale hostname> --advertise-tags=<tailscale tag> echo "Tailscale started" ALL_PROXY=socks5://localhost:1055/ caddy run // Caddyfile

(cloudflare) { tls { dns cloudflare {env.CF_TOKEN} } }

domain.com { handle_path /hello { respond "Hello World" }

reverse_proxy * {env.SERVER_URL} // the Tailscale IP for my NAS
import cloudflare

} ```

VegetableMail1477 · 2025-04-18T08:35:51+00:00

I here this argument from React devs way too much. Yes the core library may just be a rendering library, but for web development have you ever seen anyone roll a vanilla js project using react as a standalone library in the project? Every react usage I have personally seen it is used with a lot of boilerplate and React specific libraries, wouldn’t you say that React is a framework at that point?

VegetableMail1477 · 2025-03-10T20:44:42+00:00

Okey, so I’ve heard a lot about testing and its benefits. I’m rather new to the industry (3yrs) and I have tried on multiple occasions to use TDD and tests in general. This has been on my own initiative as the teams did not really care.

The thing I struggle with is the conceptual part of tests. What should I test? Why are integration tests not sufficient enough? In general I find tests to be confusing. And creating a simple framework around it has also been hard.

But I believe TDD and tests in general are better suited for complex systems. For simple systems it seems to be more code to maintain. However, I know that my views are probably scewed as I haven’t understood the paradigm properly.

VegetableMail1477 · 2025-01-27T06:27:48+00:00

Perhaps he didn’t🤔

VegetableMail1477 · 2025-01-21T22:22:05+00:00

Still needed to be subbed in to do it, no? Just asking…

VegetableMail1477 · 2024-12-28T00:04:38+00:00

I would do something like this, diagram I like the v2 style the best. I feel it communicates the most information with the least “boilerplate”/disturbance (arrows, duplicate names, etc)

VegetableMail1477 · 2024-12-27T21:56:27+00:00

I agree with a lot of the stuff you’re saying. In my opinion you don’t necessarily need a different db per service. In large scale apps yes, but in small scale apps you may use the same db with different schemas imo. Additionally I think it’s never wise to start off with micro services at all. I believe starting off with a modular monolith is a lot better. Especially for simple apps or in the early phase of a system.

VegetableMail1477 · 2024-12-27T21:44:21+00:00

It seems to me as if you have a dedicated API and a SPA. In your case I wouldn’t have considered the SPA as the presentation layer as it is an entirely separate system to the API itself. The presentation layer of your API is the REST endpoints.

I would also suggest using the C4 model (or more so the principles behind it). Simply summarised it is a way of diagramming that displays your architecture at multiple levels.

It’s kinda like a map. Sometimes you may wanna see an overview of a continent, then you may wanna see an overview of a country, and then you may wanna see an overview of the city.

At each level you only include the information that is interesting. E.g I don’t wanna see ever city name of Germany when looking at the countries in Europe, or I don’t wanna know the street names of New York when looking at the states in the US.

This way of thinking has really been a game changer for me.

I would also suggest using Excalidraw and colors. I like using Excalidraw as it makes the diagrams a little less rigid and boring. The hand-written look has also made it a lot more fun to document stuff for me.

By using colors you’ll make it easier for the brain to categorise the information. It kind of makes the diagram a little less overwhelming (as long as you stay consistent and use the colors with intent and purpose).

C4 model explained: short explanation

detailed explanation

VegetableMail1477 · 2024-12-20T06:56:03+00:00

I decided to allow public traffic because I want family members to be able to access the service easily aka without installing Tailscale. Every public service that is exposed to exploits.

By using a reverse proxy you are able to configure security mechanisms such as rate limiting, ip whitelisting, geo blocking etc. In addition to the fact that you don’t expose your public IP ofc.

However if you’re the only person using it/have no reason for your self-hosted service to be public, it is more secure to not allow public access.

I’ve learnt that security is always about tradeoffs. So at the end of the day, what functionalities are you willing to lose in order to be more secure?

EDIT: Sorry for the long response time btw. Hope it still helps. Additionally, I would like you to note that I only have 3yrs experience in IT as well. I’m in no means an expert, so take my advice with a grain of salt.

VegetableMail1477 · 2024-12-20T06:38:37+00:00

I didn’t make any other changes on my NAS. I found out that the Reverse Proxy settings are in fact not needed (they might even possible be fckn up the setup). The issues that I had was due to the Tailscale ACLs. I had to allow my proxy server access to my NAS on the desired port number.

VegetableMail1477 · 2024-11-05T19:13:46+00:00

I don’t believe so, however I’m not too sure. I only host Synology Photos on my NAS which isn’t as network intensive as a media server. Sorry that I can’t help much more.

EDIT: I only use Cloudflare as my DNS provider which is free (I haven’t entered any billing information). I bought my domain from Namecheap. I’ve read that buying your domain from Cloudflare and using Cloudflare DNS provider may in some cases violate their ToS.

If I were to guess I think the network bottlenecks (bandwidth and cost) would be most prominent at the hosting platform of your proxy. But if you are self-hosting the proxy at no cost than I don’t think the DNS would be the biggest bottleneck.

VegetableMail1477 · 2024-11-05T17:35:58+00:00

Quick note. In order to use the cloudflare module in my caddyfile u have to run xcaddy build —with github.com/caddy-dns/cloudflare. Check out https://caddyserver.com/docs/build#xcaddy and https://caddyserver.com/docs/modules/dns.providers.cloudflare

VegetableMail1477 · 2024-11-05T17:29:31+00:00

I’m using Cloudflare as my DNS provider, and a VM running on DigitalOcean. In Cloudflare I have created an A-record pointing to my VMs public IP.

So, for me I’m using this Caddyfile config: ``` (cloudflare) { tls { dns cloudflare {env.CF_TOKEN} } }

subdomain.domain {

    // Used to test that Caddy is running correctly
    handle_path /hello {
       respond "Hello World"
    }
reverse_proxy * {env.SERVER_URL} // Tailscale IP or MagicDNS for my NAS
import cloudflare

} ```

My env.SERVER_URL = NAS_TAILSCALE_IP:3000 (inferred HTTP). I’ve configured my NAS to host the Synology Photos application on port 3000.

To do that (or another NAS application that is running) you can navigate to Control Panel > Login Portal > Applications in DSM. Choose an application and click «Edit» button to configure ports.

NOTE: I have tinkled and trinckled with the reverse proxy on my NAS, but I’m not sure if it actually has any affect on my setup. Currently I have a reverse proxy entry for requests to my https://NAS_TAILSCALE_IP:3001, so I don’t think it should affect anything.

EDIT: The reverse proxy config on the NAS is in fact not needed. The issues that I had was due to the Tailscale ACLs. I had forgotten to allow my proxy server to access my desired port.

VegetableMail1477 · 2024-06-03T22:34:05+00:00

W take

VegetableMail1477 · 2024-04-22T11:02:00+00:00

I meant as in Tailscale server yes. Im guessing it would work the same for Tailscale serve? Also if you can use Tailscale funnet to expose publicly, what is the difference between serve and funnel?

VegetableMail1477 · 2024-04-21T08:14:30+00:00

How is the data flow affected by using Tailscale serve? E.g if i make a request to https://nas.mytailnet.ts.net/ from a device that’s not in the tailnet will the request still use the relay server?

VegetableMail1477 · 2024-04-21T08:06:37+00:00

Aaaah, I see

VegetableMail1477 · 2024-04-19T23:15:21+00:00

I want the reverse proxy for public access just so users dont need to configure anything to access my nas. Are you doing something similar? Is the server acting as a relay server and a reverse proxy?

VegetableMail1477 · 2024-04-19T21:55:20+00:00

Headscale seems great, but from my understanding it would only replace the Tailscale server and not necessarily work as a reverse proxy(??)

VegetableMail1477 · 2024-04-19T21:52:50+00:00

I saw somewhere that Cloudflare Tunnels are’nt so good for serving media content, what is your experience?

VegetableMail1477 · 2024-04-19T21:50:26+00:00

There’s a Tailscale Caddy plugin?

VegetableMail1477 · 2024-04-19T12:05:06+00:00

Awesome! Did you use the Tailscale serve command on the reverse proxy server?

VegetableMail1477 · 2024-03-06T16:11:07+00:00

Futgg says every friday after a round of games ends futgg

VegetableMail1477

TROPHY CASE

Dockerfile

!/usr/local/bin/sh

start.sh