Allow only exposing services over Tailscale

This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
2024-03-07 22:30:10 +00:00
parent 451a114262
commit f88d224168
10 changed files with 56 additions and 0 deletions
--- a/ansible/roles/gateway/files/nginx.conf
+++ b/ansible/roles/gateway/files/nginx.conf
@ -21,6 +21,20 @@ map $ssl_preread_server_name $gateway_destination {
 server {
    listen 443;
    listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
    proxy_pass $gateway_destination;
    proxy_protocol on;
 }
+
+server {
+    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
+    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
+
+    access_log off;
+
+    deny all;
+
+    # This is never used, but need to keep nginx happy
+    proxy_pass 127.0.0.1:80;
+}