pirateMonkey

@pirateMonkey@lemmy.world

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨3⁩ ⁨days⁩ ago⁩:
I may be (probably am) worrying too much about this, but doesn’t that remove much of the benefit of running services in containers? My understanding is that one benefit of containerization is so that if one service is somehow compromised, the others remain isolated, but running the service that allows you inside on bare metal gives single point access to the drives that those other services rely on, and that’s from the most likely point someone could get into your network. Alternatively, if Tailscale is containerized and someone gets in, they have access to the other services’ front ends but not the data they rely on since Tailscale itself doesn’t have that access.
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨3⁩ ⁨days⁩ ago⁩:
Yes, I believe I made the stupid mistake of not restarting after enabling. Once I did that the warning went away and I was able to enable subnets, but I’m still not able to see my local services (where I try to access via the IP of the host given by Tailscale or the magicDNS address). So, progress!
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨3⁩ ⁨days⁩ ago⁩:
It’s true, and I was wondering if that would be the route I have to go. Good to know it has been a positive experience.
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨3⁩ ⁨days⁩ ago⁩:
LXC
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
That was an interesting rabbit hole. I’m not sure if it’s related or not, but maybe I’ll give it a shot once I get my head wrapped around what it really means (though by then they might have developed a fix… and I see how long that’s taken so far)
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
Misery loves company! Mine is Verizon and there was a setting that was causing me trouble recently, but probably is unrelated to yours (was DNS rebind protection).
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
No, I thought the routing was to forward the IP from the Tailscale 100.x.x.x subnet(? not sure I’m using that word correctly) to where the resources I want to access are (in my case, my local 192.168 addresses).
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
Yes, the machine that is running Docker/Tailscale is serving as an exit node and it hosts all the other services I want to access, which are also in containers.
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
That’s what I was counting on! Guess I just have to look at it as a learning opportunity.
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
Yeah, I’ve tried the 100.x.x.x IP and their tailscale URLs, neither of which work.
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
Yes, it does (been checking with sysctl net.ipv4.ip_forward, but guess it’s the same thing). It seems like the issue may be that IPv6 may not be enabled within the container. It’s enabled on the host, but the docker logs say ipv6 forwarding is not enabled.
⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
Thanks, I did check that my machine had IP forwarding enabled, and it does. I also ran those lines to create the config file as well, but that didn’t change anything. And I do have the lines in my compose file to advertise routes.

⁨Comment⁩ on ⁨Tailscale difficulties⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:

Sorry for misformatted code.

  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
  nginx-authkey-test:
    image: nginx
    network_mode: service:tailscale-authkey1

Tailscale difficulties
Submitted ⁨⁨4⁩ ⁨days⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨36⁩ ⁨comments⁩
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I know this is a week old, but thanks for your input. I hadn’t seen Avahi before, and that’s a cool option, so thanks for sharing it. Part of why I wanted to do things this way was an excuse to practice with running a web server before setting up Foundry, so it’s mostly just testing things out. Of course, if it was just a regular web server, I wouldn’t have had this issue because DNS rebind protection on my router ended up being the problem.
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Part of the idea here is to get comfortable with what’s happening here in a safe/unexposed environment before trying something that I would expose to the internet, and I’m of the understanding that you can do it this way (pass it to the internet, which will then return that internal IP that Nginx should route appropriately.
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Yes, I’m using this container: github.com/NginxProxyManager/nginx-proxy-manager using the compose file as written (except I’m naming it nginx instead of app). It maps ports 80 and 443 for traffic and 81 for the manager, which is running.
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Yep, that makes sense. Thank you!
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Thanks for that flow on how to troubleshoot.

When I try nslookup on the server, it doesn’t seem to be working at all (nslookup google.com returns ** server can’t find nslookup: NXDOMAIN). On Windows, it doesn’t return any IP (*** No internal type for both IPv4 and IPv6 Addresses records available). Looking at my Pi-hole query log, I do see that address was queried and allowed.

How can I check what Cloudflare is seeing (because as I understand that’s the next link in the chain)? I’m not seeing any logs there, but only created my account Saturday…
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Even without full understanding, I think you’re a few steps ahead of me! I was also under the impression that it would be fairly straightforward, but getting lessons in how to troubleshoot (and I appreciate them!)

I was testing with 127.0.0.1 earlier, so that’s makes sense on one level, but not port 3000.

Is my understanding correct that the upstream connection was refused means that it went to Cloudflare who then sent it back to my server, and it was rejected there?
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
I’m still very much in a learning mode here, so forgive my ignorance - which logs? Nginx? I’m seeing a fallback_error and fallback_access (which has nothing interesting). There are also some empty files for the host I have set up (proxy-host-1_access/error)

2025/09/01 12:34:54 [error] 193#193: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.181, server: nginxproxymanager, request: “GET /api/ HTTP/1.1”, upstream: “127.0.0.1:3000”, host: “192.168.1.196:81”, referrer: “192.168.1.196:81/nginx/certificates”

Where, presumably obviously, 196 is the server and 181 is a laptop. FWIW I don’t see the directory it’s mentioning, /nginx/certificates, but I’m looking at the host’s directory rather than in the container.
⁨Comment⁩ on ⁨Having trouble setting up Nginx⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Yeah, just looking for internal access right now so I don’t have to remember the correct port for every service. Will use a VPN (leaning toward Tailscale) for remote access once I get this set up.
Having trouble setting up Nginx
Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨20⁩ ⁨comments⁩