hamishwhc | 3 years ago

Anything stopping us from just creating a CNAME to our tailnet domain and registering certs for it instead of whatever.ts.net? This seems like it should work in my head...

bradfitz | 3 years ago

Our Funnel ingress servers won't proxy any TCP connection that doesn't have a *.ts.net SNI name currently.

But BYODomain is something that'd be fun to add.

pbronez | 3 years ago

BYODomain would be great. This would give me a secure & reliable way to host public services out of my homelab.

xyzzy_plugh | 3 years ago

Cloudflare's CNAME flattening with proxy enabled would do the trick. The ingress sees a request to the CNAME target so SNI works as usual.

tonyarkles | 3 years ago

From how I understood the article, they don't do TLS termination but they do SNI snooping to figure out how to route it? So if they don't have all of the infrastructure in place to map the SNI for your CNAME to your Tailscale network, that wouldn't work?