
Running a service behind Tailscale and Caddy reverse proxy using Docker Compose

I would like to share a service on my homelab with other users.

flowchart LR
  A[Internet] <-- "http:// my-service.my-tailscale-network.ts.net:8585" --> B[Tailscale]
  B <--> C[Service]

A basic setup is to run the service along with Tailscale in Docker Compose. If the service runs on port 8585, then it is reachable at “http://my-service.my-tailscale-network.ts.net:8585”.

There are two annoyances with this setup. First, the port number is not easy to remember, nor is it conventional. Second, it is not running HTTPS or the domain certificate is invalid. I would like the service to be reachable at “https://my-service.my-tailscale-network.ts.net”, with the browser seeing a valid domain certificate.

flowchart LR
  A[Internet] <-- "https:// my-service.my-tailscale-network.ts.net" --> B[Tailscale]
  B <--> C[Caddy]
  C <--> D[Service]

Adding Caddy as a reverse proxy solves both annoyances. First, the port number is no longer needed, because Caddy listens on the default HTTPS port and forwards requests to the service's port. Second, Caddy recognizes “*.ts.net” hostnames as Tailscale names and will “fetch” valid certificates from Tailscale.

Code is available.
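A minimal Compose file for the layout described above, added here as an illustration and not the author's published code. The service image name, the volume names and the TS_AUTHKEY variable read from .env are assumptions; it also assumes HTTPS certificates are enabled for the tailnet and a Docker Compose version that supports inline `configs` content.

```yaml
# Added example: Tailscale sidecar + Caddy + service, as in the second diagram.
services:
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}          # assumption: set in .env, kept out of git
      TS_HOSTNAME: my-service            # gives my-service.<tailnet>.ts.net
      TS_STATE_DIR: /var/lib/tailscale   # persist node identity across restarts
      TS_SOCKET: /var/run/tailscale/tailscaled.sock
    volumes:
      - ts-state:/var/lib/tailscale
      - ts-sock:/var/run/tailscale
    restart: unless-stopped

  caddy:
    image: caddy:2
    network_mode: service:tailscale      # Caddy listens inside the Tailscale netns
    depends_on:
      - tailscale
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - ts-sock:/var/run/tailscale       # Caddy requests the cert over this socket
      - caddy-data:/data
    restart: unless-stopped

  service:
    image: example/my-service:latest     # placeholder image (hypothetical)
    expose:
      - "8585"                           # no "ports:", so nothing is published on the host
    restart: unless-stopped

configs:
  caddyfile:
    content: |
      my-service.my-tailscale-network.ts.net {
        reverse_proxy service:8585
      }

volumes:
  ts-state:
  ts-sock:
  caddy-data:
```

Because the service has no `ports:` mapping, it is reachable only through Caddy on the tailnet. The shared socket volume gives the Caddy container access to the tailscaled local API, so mount it only into containers that need it.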

References: