Conncetion refused

[Welsyntoffie]

Here is my compose file...

version: '3.6'

networks:
  tailscale_proxy_example:
    external: false

services:
  influxdb:
    image: influxdb:latest
    container_name: influxdb
    restart: unless-stopped
    ports:
      - '8086:8086'
    volumes:
      - /mnt/media/influxdb:/var/lib/influxdb2


# Grafana - Graphical data visualization
  grafana:
    image: grafana/grafana-enterprise:10.4.2-ubuntu
    container_name: grafana
#   security_opt:
#     - no-new-privileges:false
    restart: unless-stopped
    depends_on:
      - influxdb
#      - ts-grafana
    networks:
     - tailscale_proxy_example
#    network_mode: container:ts-grafana
    ports:
      - "3001:3000"
    user: $PUID
    volumes:
      - /home/pieter/dockerdata/grafana:/var/lib/grafana

    environment:
      GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
      GF_AUTH_ANONYMOUS_ENABLED: "true"
      GF_SECURITY_ALLOW_EMBEDDING: "true"
      GF_INGRESS_USER: anonymous
#     GF_SECURITY_COOKIE_SAMESITE: none
#     GF_SECURITY_COOKIE_SECURE: "true"
      GF_SECURITY_LOGIN_REMEMBER_DAYS: "365"
      GF_DATE_FORMATS_INTERVAL_HOUR: DD/MM HH:mm
      GF_DATE_FORMATS_INTERVAL_DAY: DD/MM
#     GF_AUTH_BASIC_ENABLED: "true"

  tailscale-whoami-proxy:
    image: hollie/tailscale-caddy-proxy:latest
    volumes:
      - /home/pieter/dockerdata/grafana/tailscale:/var/lib/tailscale # Persist the tailscale state directory
    environment:
      - TS_HOSTNAME=Grafanahttps 	# Hostname you want this instance to have on the tailscale network
      - TS_TAILNET=Grafanahttps         # Your tailnet name without the .ts.net suffix!
      - TS_FUNNEL=on
      - CADDY_TARGET=grafana:3000	# Target service and port
#      - TS_EXTRA_ARGS=--accept-dns      # Optional extra arguments to pass when starting tailscale
#      - SKIP_CADDYFILE_GENERATION=1     # Set this if you want to be able to override /etc/caddy/Caddyfile via a volume mapping      
    restart: on-failure
    init: true
    networks:
     - tailscale_proxy_example

The funnel was not activating by the -TS arg. So I used the cli to activate funnel...

/ # tailscale funnel --bg 3000
Available on the internet:

https://grafanahttps.xxx.ts.net/
|-- proxy http://127.0.0.1:3000

Funnel started and running in the background.
To disable the proxy, run: tailscale funnel --https=443 off
/ # tailscale serve status

# Funnel on:
#     - https://grafanahttps.xxx.ts.net

https://grafanahttps.xxx.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000

I did edit tailscale ACL file with tailscale ip and attr funnel.
I did get a cert issued "Valid until 3 months from now"

When I acces it over https the tailscale log shows http: proxy error: dial tcp 127.0.0.1:3000: connect: connection refused
Futher down the logs... handleIngress: got ingress conn for unconfigured "grafanahttps.xxx.ts.net:8443"; rejecting

[hollie]

Hey Pieter,

the tailscale-caddy-proxy image helps you in setting up a reverse proxy for a web service. It does this by integrating a Caddy reverse proxy in the Tailscale default docker container and setting up the proxy config for you based on the environment parameters you pass.

If you want to expose your service to an external user using funnel then I think you're better of using the Tailscale docker container itself.

Also: your TS_TAILNET parameter is not correct, it should be the 'xxx' from the example you give when you are setting up the funnel.

[Welsyntoffie]

So I used your example, added command to listen on port 2001 as I have addgaurd on 80 spun up the compose.
CLI though docker to enable funnel
http: proxy error: dial tcp 127.0.0.1:2001: connect: connection refused

I have been at this for a week. I think I will just except defeat for now, take a long break and try sometime in the future.

[hollie]

Kristof,

as mentioned in the other discussion: please first check with the whoami example from the docker compose in this repo. As long as that is not working it does not make sense to experiment with a more complicated setup. I am exposing 20+ services (HomeAssistant, Proxmox UI, Gitea, custom web interfaces, ...) in this way for as long as this repo exists, so I don't see a reason why it would not work with your setup.

This docker image is not intended/designed to use funnel. The sole purpose of tailscale-caddy-proxy is to do a reverse proxy from a plain Tailscale hostname to a service that is running in a container. This allows other devices on the Tailscale network to access devices in a comparable but not completely the same way that tailscale serve allows you to do. The difference is that with tailscale-caddy-proxy you define a new host on the Tailscale network, while tailscale serve reuses the hostname of the host Tailscale is running on. This limits the number of services you can run on the default HTTPS port to 1 per host. With tailscale-caddy-proxy you spin up as many virtual hosts on a single physical machine as you have services.
So: I still think that you should be able to accomplish what you want with tailscale-caddy-proxy if you take it step by step.

Why do you insist on using the funnel command that exposes your service to the worldwide web? This kind of breaks the idea of having all your services securely behind a VPN.

Regards,
Lieven,

[Welsyntoffie]

I have a computer at work where I access my home assistant to monitor cameras while I am working night shifts and my wife and children sleeping. I can not install tailscale on that computer. I also have 2 tablets where I can not install tailscale on, tbey are old but working as a dashboard just fine. South Africa has loadshedding when power supply is cut for several hours a day. My 5G isp tower has batteries that lasts an hour at most. Tailnet at these times will not be available. From what I have tried using the guide from tailscale prevents me from having local lan access. So with lan gone and loadshedding blocking tailnet my devices can not connect anymore.

…

On Wed, 24 Apr 2024, 20:21 Lieven Hollevoet, ***@***.***> wrote: Kristof, as mentioned in the other discussion: please first check with the whoami example from the docker compose in this repo. As long as that is not working it does not make sense to experiment with a more complicated setup. I am exposing 20+ services (HomeAssistant, Proxmox UI, Gitea, custom web interfaces, ...) in this way for as long as this repo exists, so I don't see a reason why it would not work with your setup. This docker image is not intended/designed to use funnel. The sole purpose of tailscale-caddy-proxy is to do a reverse proxy from a plain Tailscale hostname to a service that is running in a container. This allows other devices on the Tailscale network to access devices in a comparable but not completely the same way that tailscale serve allows you to do. The difference is that with tailscale-caddy-proxy you define a new host on the Tailscale network, while tailscale serve reuses the hostname of the host Tailscale is running on. This limits the number of services you can run on the default HTTPS port to 1 per host. With tailscale-caddy-proxy you spin up as many virtual hosts on a single physical machine as you have services. So: I still think that you should be able to accomplish what you want with tailscale-caddy-proxy if you take it step by step. Why do you insist on using the funnel command that exposes your service to the worldwide web? This kind of breaks the idea of having all your services securely behind a VPN. Regards, Lieven, — Reply to this email directly, view it on GitHub <#9 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALHIR4HSPVLHSY2JDK6NMSLY67Z2ZAVCNFSM6AAAAABGXF6EV2VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TEMJWHE4DE> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>

[Welsyntoffie]

I forgot. I did test the whaomi example. Yes it does work. I can access the service with tailscale switched on using tailnet on my windows 10 pc. This image is working, i just needed to funnel as well. Maybe my idea is just a little over the top, clearly beyond my know how and skills. On Thu, 25 Apr 2024, 00:27 Pieter Bezuidenhout, < ***@***.***> wrote:

…

I have a computer at work where I access my home assistant to monitor cameras while I am working night shifts and my wife and children sleeping. I can not install tailscale on that computer. I also have 2 tablets where I can not install tailscale on, tbey are old but working as a dashboard just fine. South Africa has loadshedding when power supply is cut for several hours a day. My 5G isp tower has batteries that lasts an hour at most. Tailnet at these times will not be available. From what I have tried using the guide from tailscale prevents me from having local lan access. So with lan gone and loadshedding blocking tailnet my devices can not connect anymore. On Wed, 24 Apr 2024, 20:21 Lieven Hollevoet, ***@***.***> wrote: > Kristof, > > as mentioned in the other discussion: please first check with the whoami > example from the docker compose in this repo. As long as that is not > working it does not make sense to experiment with a more complicated setup. > I am exposing 20+ services (HomeAssistant, Proxmox UI, Gitea, custom web > interfaces, ...) in this way for as long as this repo exists, so I don't > see a reason why it would not work with your setup. > > This docker image is not intended/designed to use funnel. The sole > purpose of tailscale-caddy-proxy is to do a reverse proxy from a plain > Tailscale hostname to a service that is running in a container. This allows > other devices on the Tailscale network to access devices in a comparable > but not completely the same way that tailscale serve allows you to do. > The difference is that with tailscale-caddy-proxy you define a new host on > the Tailscale network, while tailscale serve reuses the hostname of the > host Tailscale is running on. This limits the number of services you can > run on the default HTTPS port to 1 per host. With tailscale-caddy-proxy you > spin up as many virtual hosts on a single physical machine as you have > services. > So: I still think that you should be able to accomplish what you want > with tailscale-caddy-proxy if you take it step by step. > > Why do you insist on using the funnel command that exposes your service > to the worldwide web? This kind of breaks the idea of having all your > services securely behind a VPN. > > Regards, > Lieven, > > — > Reply to this email directly, view it on GitHub > <#9 (reply in thread)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ALHIR4HSPVLHSY2JDK6NMSLY67Z2ZAVCNFSM6AAAAABGXF6EV2VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TEMJWHE4DE> > . > You are receiving this because you authored the thread.Message ID: > ***@***.*** > com> >

[hollie]

Hey Pieter,

I think that for your specific situation Tailscale is not the solution you are looking for, due to the fact that you have systems where you are unable to install the Tailscale client on.
I think that the Cloudflare services are more what you need. Google can point you in the right direction there.

Kind regards,
Lieven.

[Welsyntoffie]

Thank you. I have taken a look at cloudfare and it does seem like the right path. Will be purchasing a domain name. Sometimes free is not always the best option. Thanks again.

…

On Thu, 25 Apr 2024, 08:50 Lieven Hollevoet, ***@***.***> wrote: Hey Pieter, I think that for your specific situation Tailscale is not the solution you are looking for, due to the fact that you have systems where you are unable to install the Tailscale client on. I think that the Cloudflare services are more what you need. Google can point you in the right direction there. Kind regards, Lieven. — Reply to this email directly, view it on GitHub <#9 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALHIR4EJT5EDKLSCX5I25J3Y7CRU7AVCNFSM6AAAAABGXF6EV2VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TEMRRGMZTM> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>