alt Hacker NewsI reverse proxy everything through a Caddy instance running on the same machine so I avoid the firewall dance entirely by just prefixing all my port assignments in the compose file with the loopback IP (eg. 127.0.0.1:3000:3000). Nftables denies all but 80 and 443 and I don't have to worry about restarts/flushes breaking things.
Replies
danparsonson • yesterday at 2:03 PM
This is surely the easiest and I would guess the safest way, and has the added benefit that your proxy (nginx in my case) can handle SSL for you, making certificate deployment a breeze.
A really nifty thing is that you can also of course bind this to the device's tailscale ip!
Also you don't even need the loopback address if the traffic is between one container and another, just a bridge network is fine.