Comment on Headscale
Jason2357@lemmy.ca 2 days ago
In addition to a reverse proxy with mandatory TLS and some IP filtering, I have headscale running on a subdomain (subdomain DNS is a wildcard). The main domain is a different, static web page, so anyone scanning IPs for headscale won't see it's a headscale machine unless they can guess the subdomain. I figure that might be useful in case there's a zero-day that pops up. It just looks like a regular web server to drive-by script kiddies.
tack@feddit.org 1 day ago
That will work as long as your TLS certificate is also a wildcard of the parent domain, otherwise your subdomains can be found via their certificate records. You probably know this, but it caught me out initially, so figured I’d mention it.
Jason2357@lemmy.ca 1 day ago
Absolutely! I should have said both the DNS and certificate are subdomain wildcards. Thanks for clarifying.
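
The point made in this thread, as an added example that is not part of any commenter's post: a small Python audit of a certificate's subject alternative names, showing which hostnames the certificate publishes verbatim and whether a wildcard entry still covers the hidden subdomain. All hostnames are constructed placeholders, and reading "certificate records" as public certificate logs such as Certificate Transparency is an assumption.

```python
# Added example: audit which hostnames a certificate's SAN list gives away.
# Every hostname below is a constructed placeholder, not taken from the thread.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def wildcard_covers(pattern, host):
    """True if a SAN entry matches host; '*' stands for exactly one leftmost label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # '*.example.com' covers neither the apex nor 'a.b.example.com'
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def audit_san(san_names, hidden_host):
    """Report what a SAN list, as visible in the certificate or a public log, reveals."""
    explicit = [n.lower() for n in san_names if not n.startswith("*.")]
    return {
        # Names a reader of the certificate learns verbatim.
        "disclosed": sorted(explicit),
        # The certificate must still be valid for the hidden host.
        "covers_hidden": any(wildcard_covers(n, hidden_host) for n in san_names),
        # The hidden host is exposed when it appears as an explicit name.
        "leaks_hidden": hidden_host.lower() in explicit,
    }

# Constructed sample SAN lists: one certificate issued per host, one wildcard.
PER_HOST_CERT = ["example.com", "hs-7f3a.example.com"]
WILDCARD_CERT = ["example.com", "*.example.com"]
HIDDEN = "hs-7f3a.example.com"

if __name__ == "__main__":
    for label, sans in (("per-host", PER_HOST_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, audit_san(sans, HIDDEN))
```

The SAN list of a deployed certificate can be read with `openssl x509 -noout -ext subjectAltName` and passed to `audit_san`.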