Is there a reason to expose your services to the whole internet? That’s what CF tunnels and Tailscale Funnel do.
I can’t really recommend either of them, Funnel forces you to use a .ts.net subdomain you can’t use your own domain. CF allows it but forces you to use their DNS service. Both CF and Tailscale play MITM with your HTTPS connection, meaning they decrypt and reencrypt it on the fly, meaning they are able to look at your unencrypted traffic.
If you really must expose your services publicly then get a cheap VPS, point your domain A
and AAAA
records at its public IPs, make a clear TCP tunnel from your server to the VPS, and forward connections to port 443 on the VPS public interface through the tunnel to the reverse HTTP proxy running on your server (with mandatory TLS encryption and Let’s Encrypt certificates for your domain).
This way you get an unbroken TLS connection all the way through, with nobody in the middle.
The tunnel that you use between your server and the VPS can work behind CGNAT because it’s outgoing, and it doesn’t necessarily need to be encrypted because it will only carry TLS connections anyway. Will be easier on the VPS CPU this way, too.
Auli@lemmy.ca 11 months ago
According to tailscale they do not decrypt just relay.
zzzz@lemmy.world 11 months ago
Also, you can host your own server: headscale.net