Comment on Replacing Cloudflare Tunnels with Tailscale?
ck_@discuss.tchncs.de 11 months ago
Both CF and Tailscale play MITM with your HTTPS connection
That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
lemmyvore@feddit.nl 11 months ago
There’s still going to be a gap where traffic is unencrypted and under their software’s control. The gap takes place on your node rather than one of their servers but it still exists. You can’t avoid the TLS gap when you switch domain names mid-connection.
Whether having the gap on their node rather than on Tailscale’s server is more acceptable is up to OP to decide; but they have to understand that the gap exists. The solution I proposed doesn’t have a TLS gap.
ck_@discuss.tchncs.de 11 months ago
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
lemmyvore@feddit.nl 11 months ago
Only if that nginx is advertising the .ts.net domain, and using the certificates for the .ts.net domain, which means you have to export and renew them manually via `tailscale cert`. If you let Tailscale manage them you will have a TLS gap.
ck_@discuss.tchncs.de 11 months ago
Precisely. Except there is no “Tailscale manage them for you”.
So you could summarize your answer as "Tailscale certificates work like Let's Encrypt".
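The setup the thread ends up at (nginx on the tailnet node terminating TLS itself, with the .ts.net certificate pulled via `tailscale cert` and renewed by hand), as an added example that is not part of the original discussion. The hostname, certificate directory and upstream port are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: let nginx on a Tailscale node terminate
# TLS with the .ts.net certificate obtained from `tailscale cert`, so the
# browser's TLS session ends in nginx rather than in Tailscale's own listener.
set -eu

TS_HOST="${TS_HOST:-myhost.tailnet-name.ts.net}"   # placeholder MagicDNS name
TLS_DIR="${TLS_DIR:-/etc/nginx/tls}"               # assumed cert directory
UPSTREAM="${UPSTREAM:-127.0.0.1:8080}"             # the service nginx fronts

# Render an nginx server block for the .ts.net name that uses the key pair
# written by `tailscale cert`. Only this process ever sees plaintext traffic.
render_nginx_conf() {
  host="$1"; dir="$2"; upstream="$3"
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${host};
    ssl_certificate     ${dir}/${host}.crt;
    ssl_certificate_key ${dir}/${host}.key;
    location / {
        proxy_pass http://${upstream};
        proxy_set_header Host \$host;
    }
}
EOF
}

# Fetch or renew the Let's Encrypt certificate for this node's tailnet name.
# tailscale cert only issues for names the node itself owns in the tailnet,
# and nothing renews the exported files for you, hence the manual reload.
renew_cert() {
  mkdir -p "$TLS_DIR"
  tailscale cert --cert-file "$TLS_DIR/$TS_HOST.crt" \
                 --key-file  "$TLS_DIR/$TS_HOST.key" "$TS_HOST"
  chmod 600 "$TLS_DIR/$TS_HOST.key"
  nginx -s reload     # pick up the new key pair without dropping connections
}

case "${1:-}" in
  render) render_nginx_conf "$TS_HOST" "$TLS_DIR" "$UPSTREAM" ;;
  renew)  renew_cert ;;   # run from cron or a systemd timer before expiry
  *)      : ;;            # no-op when run without a subcommand
esac
```

Run `render` once to produce the server block and `renew` on a schedule shorter than the certificate lifetime.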