Here’s my article (hopefully it even makes sense) on using TSDProxy with existing Dockers. It started when I watched a video on TSDProxy, which is a nice community-driven project around the use of fast, simple and easy proxies for virtual services (e.g. self-hosted dockers) in Tailscale.
I found it quite interesting and wanted to use it in my self-hosted environment. However, as I already have existing dockers in my self-hosted environment, I was struggling to use the tool. Hopefully I have done the right stuff below. Let me know if I screwed up 🙂
Now just to be clear, everyone’s objectives in doing so are different, but let me state what mine are, so you can see if your approach to using TSDProxy with your existing dockers is going to be similar.
My Objectives in Setting up TSDProxy
(1) I have been using Tailscale as the means of getting into my self hosted services (such as Jellyfin, Stirling PDF, LinkDing, Calibre-Web, Paperless-NGX etc). It has been working great. I can access the services at my home network and outside of my home network.
(2) However, I am using IP addresses provided by Tailscale to access the services. E.g this is the IP address to access Calibre : http://100.119.43.60:7080.
(3) While it is fine, I find it troublesome when using it with password managers or Safari as these are NOT SSL certified and hence it is UNSAFE. I frequently have to go back and forth with copying and pasting user names, passwords etc.
(4) The aim of my exercise is to be able to use an SSL certificate for my Tailscale network and then use it to access my services.
The prerequisite for all the following work is to do the steps in the following video. The end goal is to get a fully qualified domain name from Tailscale.
The end result of the work in the video above was great. I can access my Synology DS1520+ easily with MagicDNS and hence a fully qualified domain name from Tailscale. Like this…

With a certificate ! 🙂

However, I could NOT access the individual self-hosted (Docker) services with the long name… I read that I need a reverse proxy such as Caddy or nginx etc. And then I found TSDProxy :). I hope to be using TSDProxy with existing Dockers instead of having to create new dockers too.
Setting up TSDProxy
There are instructions in the TSDProxy web site to get started. You can even use the following docker compose file from the Tailscale video to get started. But as usual, I am going to use Portainer to do so.
So first, like all good Dockers work, you need to set up a file share in the Docker folder in Synology.

Then I went into Portainer and set up a new stack using Stacks>Add Stack. Let’s be creative and name the stack “tsdproxy”.

I then enter the following code from the web site called Create a TSDProxy docker-compose.yaml
services:
  tsdproxy:
    image: almeidapaulopt/tsdproxy:1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - datadir:/data
      - /volume1/docker/tsdproxy:/config
    restart: unless-stopped
    ports:
      - "8080:8080"
volumes:
  datadir:
The only change I made was of course to point the config file to the docker subfolder we created in step 1.
Following the Getting Started instructions, I then went ahead and deployed the TSDProxy docker. No issues.

Next, we go and check out our /config/tsdproxy.yaml that has been created. We go to the docker folder and we see this. I right click and use the TEXT EDITOR.

I then try my best to configure the right information 🙂
I only made two changes. One is to supply the IP address of my Synology server which is hosting my Dockers and the other is to supply the AuthKey from Tailscale.

You can get an AuthKey from the Tailscale admin page for YOUR TAILSCALE INSTANCE.

And then I re-run the stack again in Portainer. All good.
Then I saw this next step and I don’t know what to do 🙂

Using TSDProxy with existing Dockers in Portainer
So I was struggling by now and kept reading the troubleshooting guide.
To be clear, I did some testing and created a new service (Stirling PDF) and it actually worked. As in, I managed to get a Stirling PDF service up and running with a full SSL certificate for the service. WOW.

But that’s NOT good for me. I don’t want a new service. I actually want to be using TSDProxy with the existing Dockers that I have.
Going back to the troubleshooting guide, I see this…
Verify if you added the label with tsdproxy.enable=true
Or this..

Like what are you talking about. Where do I add these lines ? It seemed to be adding to the compose file.
Then after a while (a few hours..), I realized that it is to add a label to my Docker itself. Yes please laugh at me….
Adding a Label to the Docker
So I went to Portainer and went to the CONTAINER (not the STACK) and then I found this section called (you guessed it..) Container details and then under this section is a long list of LABELS.
I then intelligently added the label required.

You can see in the last row I have added “tsdproxy.enable” and then true to the Labels. Like the doctor prescribed.
And then you re-deploy the whole container again…
And then you go to Tailscale page to find a new NODE waiting for your approval !! The name of the node is the name of the docker service. You can have a new name if you want to. Yes, use the label : tsdproxy.name: “myserver” in Portainer labels.

Once I approved the Tailscale node, I could go into the details and you can see it is now assigned a fully qualified name.

And I go to the actual web site.. IT WORKS..

With an SSL Certificate for the docker service
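As an added example (not from the original post or the TSDProxy project), this small Python check reads `docker inspect` output and lists which containers carry the `tsdproxy.enable=true` label, the node name each one will show up as in Tailscale, and any host ports they still publish. The sample data is constructed for illustration, and the exact-match test on `"true"` is an assumption that mirrors the label as written in the troubleshooting guide.

```python
import json
import sys

# Constructed sample in the shape `docker inspect` prints; names, ports and
# label values are illustrative, not taken from a real host.
SAMPLE = json.dumps([
    {"Name": "/calibre-web",
     "Config": {"Labels": {"tsdproxy.enable": "true"}},
     "HostConfig": {"PortBindings":
                    {"8083/tcp": [{"HostIp": "", "HostPort": "7080"}]}}},
    {"Name": "/stirling-pdf",
     "Config": {"Labels": {"tsdproxy.enable": "true", "tsdproxy.name": "pdf"}},
     "HostConfig": {"PortBindings": {}}},
    {"Name": "/jellyfin",
     "Config": {"Labels": {}},
     "HostConfig": {"PortBindings":
                    {"8096/tcp": [{"HostIp": "", "HostPort": "8096"}]}}},
])


def audit(inspect_json):
    """Return one row per container that is opted in to TSDProxy."""
    rows = []
    for c in json.loads(inspect_json):
        labels = (c.get("Config") or {}).get("Labels") or {}
        if labels.get("tsdproxy.enable") != "true":
            continue  # no label, so TSDProxy does not pick this container up
        name = c.get("Name", "").lstrip("/")
        bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
        host_ports = sorted(
            int(b["HostPort"])
            for binds in bindings.values() for b in (binds or [])
            if b.get("HostPort")
        )
        rows.append({
            "container": name,
            # tsdproxy.name overrides the default node name (the container name)
            "node": labels.get("tsdproxy.name") or name,
            # ports still published on the host: the old IP:port URL keeps
            # working next to the new HTTPS name
            "host_ports": host_ports,
        })
    return rows


if __name__ == "__main__":
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for r in audit(piped.strip() or SAMPLE):
        ports = ", ".join(map(str, r["host_ports"])) or "none"
        print(f"{r['container']}: node={r['node']} host ports: {ports}")
```

To run it against real containers, pipe `docker inspect $(docker ps -q)` into the script (the file name is whatever you save it as); run without input, it prints the result for the constructed sample.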

Trying TSDProxy on Calibre-Web
To prove this works, I tried it on an existing docker with data which is Calibre-Web as an example. You can read about Calibre-Web in my blog post.
First I made the changes (remember the label you need to add to the container for TSDProxy to pick it up ?) to the Calibre-Web container in Portainer and then redeploy that specific container. Once that’s done, you will be able to see the stack also successfully running.
Again, if it works, I have something to approve in Tailscale.

Then I checked the details for the URL.. it is just the DockerName + the URL given by Tailscale

And when I go to the URL, yes.. it works 🙂

Conclusion
I have a set of Dockers already running very well in my Synology and I use Tailscale as my way of accessing them. I want to use an SSL fully qualified domain to access them and so I found this tool called TSDProxy. Through trial and error, I found that it was actually really easy to be using TSDProxy with existing Dockers and the changes are pretty minimal and very fast to do !
