This past week, I learned that it's possible to run Tailscale in a local docker-compose.yml on a developer's workstation, and securely allow access to services in the docker-compose file to other users on your Tailnet.
This functionality has many and varied applications, such as more easily allowing developers to pair test a bug, serving as a replacement for ngrok (which is also great!), allowing access to local services from mobile devices (even when they're on a different wireless/mobile network), and so forth.
Setting it up is straightforward, and Tailscale has a nice example at the end of their Docker documentation. I modified this slightly to give myself a user-specific nginx installation on our Tailnet, and had it running in a few minutes:
---
version: "3.7"
services:
tailscale-nginx:
image: tailscale/tailscale:latest
hostname: tailscale-nginx-${USER}
environment:
- TS_AUTHKEY=tskey-auth-<ADD AUTH KEY OR OAUTH SECRET>
- TS_EXTRA_ARGS=--advertise-tags=tag:server
- TS_STATE_DIR=/var/lib/tailscale
- TS_USERSPACE=false
volumes:
- ${PWD}/tailscale-nginx/state:/var/lib/tailscale
devices:
- /dev/net/tun:/dev/net/tun
cap_add:
- net_admin
restart: unless-stopped
nginx:
image: nginx
depends_on:
- tailscale-nginx
network_mode: service:tailscale-nginx
By appending -${USER} to the hostname of the tailscale container, I end up with a "tailscale-nginx-tobias" hostname on our tailnet that I can use to access the nginx container from any device on our Tailnet:
❯ curl tailscale-nginx-tobias
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Since I have also logged into Tailscale on an Android device I'm using for testing this application, I can connect directly to my local dev server from Android without the headache and security risk of ensuring I'm on the same wifi network and allowing public access to my local machine. Similarly, I can give out this hostname to other trusted users on my organization's Tailnet, and they can help me test a bug fix or even design a new feature from afar.
I hope this post helped you find another way to share local dev server access securely when needed. Feel free to comment below with any questions.
