this post was submitted on 23 Oct 2025
32 points (94.4% liked)


I am running a Proxmox node with a VM running a couple of Podman rootless containers, one of which is Jellyfin. I have also installed Traefik on a separate LXC unprivileged container. I have installed Tailscale on both the VM and the LXC.

What I want now is to create a reverse proxy so that I create subdomains pointing to my registered domain name, e.g. example.com.

When trying to access 'jellyfin.example.com', I want the reverse proxy to point to the Tailscale IP or URL, for example 'https://media.tbXXX.ts.net:8096'. But that should work only when connected to the Tailscale network.

Is this even possible? If it is, can you point me to some resources explaining the whole configuration?

[–] NuXCOM_90Percent@lemmy.zip 3 points 1 month ago* (last edited 1 month ago) (3 children)

This is one of the big problems with tailscale for home users. For people who only access a system remotely (e.g. a corporate VPN) it is amazing. For people who are both on and off network... yeah.

What I actually settled on was NOT using one of my domains and to instead just use the tailscale FQDNs in all situations. Mostly because I saw they added more human readable names so it is now like foo.happy-panda.ts.net instead of foo.tb12415161613616161616.ts.net.

  • Externally? I just activate the tailscale app and I can see foo.sad-hamster.ts.net with zero additional config. Which is good if I am using an app on my phone or helping someone I trust set up their own machine without needing to drive/fly out there with a laptop.
  • Internally? I actually just added a simple DNS override locally (I use unbound via opnsense for this but you can also do it with a pihole if you really want to). So foo.sad-hamster.ts.net goes to foo.localdomain which goes to a 192.x IP seamlessly

End result is that I don't need any special config in any devices or apps and everything just uses the tailscale FQDN regardless of whether it is a "client" connected to the tailscale itself. Which ALSO avoids issues where things stop working during an internet outage.

I've seen alternative setups that specify their own DNS server in their tailnet and... that is a lot of effort if you ask me. Also it seems to be the leading cause of "When I connect to my tailnet I can't see the outside internet anymore".


The big drawbacks to this are that it makes assigning actual certs rather messy since the same FQDN goes to multiple very different IPs... at least one of which is a potential security vulnerability since it is assigned by whoever controls the LAN you are on at any given moment. Not the end of the world and, truth be told, I am less likely to bother with proper certs for fully internal resources (unless I am getting paid to do it). So no NEW risk vectors.

The other is that you are kind of at the mercy of tailscale corp changing their business model entirely and suddenly having to deal with the fqdn that points to your plex server now actually being used for the latest dating app and everything catching on fire until you remember you did this. But that is a problem that is multiple years down the road...

Also, depending on what DNS/network shenanigans you do, this could cause other issues. But that is why you always test things yourself.

[–] NuXCOM_90Percent@lemmy.zip 1 points 1 month ago (2 children)

Wait... if you JUST want your domain to point to the tailscale IP and to only work when the client is on the tailnet, this is... super duper easy?

Just install tailscale. Go to your dashboard, and get the IP. And point your domain at that. No tunnels or reverse proxies needed.
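An added example, not part of either comment above: a small audit that checks where a service name resolves on whatever network you are currently on, covering both the local DNS override setup and the "point the domain at the Tailscale IP" setup. The tailnet ranges are the ones Tailscale documents; `bar.sad-hamster.ts.net` and all addresses are constructed sample values.

```python
import ipaddress
import socket

# Ranges Tailscale assigns to tailnet nodes (Tailscale's documented ranges, not from this thread).
TAILNET_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),        # IPv4, CGNAT space
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),  # IPv6, ULA prefix
)

def classify(addr, pinned=()):
    """Label one resolved address as 'tailnet', 'pinned-lan' or 'unexpected'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unexpected"
    if any(ip in net for net in TAILNET_NETS):
        return "tailnet"
    if ip in {ipaddress.ip_address(p) for p in pinned}:
        return "pinned-lan"
    return "unexpected"   # answer chosen by whoever runs DNS on this network

def audit(answers, pinned):
    """answers: {host: [resolved IPs]}; pinned: {host: [LAN IPs from your own override]}."""
    report = {}
    for host, addrs in answers.items():
        bad = [a for a in addrs if classify(a, pinned.get(host, ())) == "unexpected"]
        if not addrs:
            report[host] = "no-answer"
        elif bad:
            report[host] = "unexpected: " + ", ".join(bad)
        else:
            report[host] = "ok"
    return report

def resolve(host):
    """Live lookup through the current network's resolver (optional, needs network)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

# Constructed sample answers, as three different resolvers might return them.
SAMPLE_ANSWERS = {
    "jellyfin.example.com": ["100.101.102.103"],   # domain pointed at a tailnet IP
    "foo.sad-hamster.ts.net": ["192.168.1.20"],    # home LAN override, as configured
    "bar.sad-hamster.ts.net": ["192.168.1.77"],    # some other LAN answered for the name
}
SAMPLE_PINNED = {"foo.sad-hamster.ts.net": ["192.168.1.20"],
                 "bar.sad-hamster.ts.net": ["192.168.1.21"]}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_ANSWERS, SAMPLE_PINNED).items():
        print(f"{host}: {verdict}")
```

For a live check, build the answers with `{h: resolve(h) for h in SAMPLE_PINNED}` and pass them to `audit` with your own pinned addresses.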

[–] filister@lemmy.world 1 points 1 month ago (1 children)

The problem is that I have a couple of services listening on different ports and I want to use the reverse proxy to listen to incoming requests and route the traffic to the corresponding ports. I also want to issue SSL certificates and serve the traffic over TCP port 443.

[–] NuXCOM_90Percent@lemmy.zip 1 points 1 month ago* (last edited 1 month ago)

Presumably most of those services on the same physical host are running in containers? So just add tailscale as a sidecar to that. Each container will be its own host as far as your tailnet is concerned and have its own internal IP. The official tailscale youtube has tutorials on that because it maps much better to a portainer based setup and more or less requires clients to have the tailnet running constantly (which, in my opinion, defeats the purpose of selfhosting but you do you).

Or do a mess with SRV records and... good luck with that