Hello, first of all many thanks for the tutorial, it perfectly fits my condition where I would like to have reverse proxy without exposing the port.

I am a bit new to docker containers and I have followed your tutorial, without Tailscale docker since I already have it running. However, still it does not work for me. Could you please help?

Below are my configurations

1. Cloudflare API Token

• Zone - Zone - Read
• Zone - DNS - Edit

2. Caddy Configuration

.env file

# Cloudflare API token should be scoped:
# - Zone.Zone: Read
# - Zone.DNS: Edit
CF_API_TOKEN="PnBBlb**HIDDEN**A6KaCt"

docker-compose.yml file

services:
  docker-proxy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: unless-stopped
    env_file: .env
    ports:
      - 80:80
      - 443:443
    networks:
      - caddy-network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data/caddy
      - ./config:/config/caddy
    deploy:
      labels:
        caddy.email: "[email protected]"
        caddy: "*.HIDDEN.my.id"
        caddy.tls.dns: "cloudflare $CF_API_TOKEN"

volumes:
  data: {}

networks:
  caddy-network:
    external: true

Dockerfile file ->did not change anything

FROM --platform=linux/arm64/v8 caddy:builder-alpine AS builder

RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/caddy-dns/cloudflare

FROM caddy:alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

CMD ["caddy", "docker-proxy"]

3. Gitea Configuration

services:
  server:
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    environment:
      - USER_UID=1000
      - USER_GID=1000
    networks:
      - caddy-network
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      caddy: "*.HIDDEN.my.id"
      caddy.2_handle: "@gitea"
      caddy.2_@gitea: "host git.HIDDEN.my.id"
      caddy.2_handle.reverse_proxy: "{{upstreams 3000}}"
      caddy_2_handle.reverse_proxy_0: "{{upstreams 2222}}"

networks:
  caddy-network:
    external: true

4. Local DNS on Pihole
   I have put wildcard address in my pihole.

I expect I can access gitea from git.HIDDEN.my.id. But can't access it
Many thanks for your support

Why is is necessary to go through the whole business with Cloudflare DNS? Couldn't I simply handle all of that with my local DNS?

This is the closest I've found to the setup I want, but falls just short by including any use of public DNS. Tailscale is handling all the interdevice connectivity, why do I need to configure anything that is public facing?

Currently I can access my web servers with their ports over HTTP

tailscaleDeviceName:####

This works okay, but I would like to clean up the experience.

Ideally I would like to be able to visit

service.tailscaleDeviceName

By my understanding this is where the reverse proxy comes in, sorting out all the ports I have servers running on, and giving them proper subdomains. If I wanted I could then use my PiHole for local DNS to turn that URL into whatever I want.

I feel like I am misunderstanding something, but at the same time what I want sounds so feasible.

Sorry this isn't a super clear question, your setup is just the closest I've come to what I'd like mine to looks like.