Setup
The included configuration
- configure tailscale API key and update env
- configure drkno/plexsso config.json
docker-compose up -d
- obtain the Tailscale IP address from the logs
docker logs tailscale | grep full
- launch your browser to http://tailscale-ip:81
- login to Nginx Proxy Manager with the default credentials
- update the admin credentials
- create a new proxy host for tld.com, *.tld.com
- request a new SSL certificate using DNS Validation
- create a new proxy host for secure.tld.com, *.secure.tld.com
- request a new SSL certificate using DNS Validation
- update the Advanced config
# the advanced rule for the secure domain checks for the drkno/plexsso cookie
# if the cookie is present, the request is forwarded normally
# if the cookie is missing, the user is redirected to the SSO url
# note: location ~* ^/$ matches only the exact path "/"
location ~* ^/$ {
    set $subdomain "";
    if ($host ~* ^([^.]+)\.) {
        set $subdomain $1;
    }
    if ($http_cookie !~* "AdminDomain") {
        return 302 https://sso.tld.com/$subdomain.secure;
    }
}
# the $subdomain.secure URI ensures that once authentication is complete, the user
# is redirected to the requested host
- create a new proxy host for admin.tld.com, *.admin.tld.com
- request a new SSL certificate using DNS Validation
- update the Advanced config
# for the admin wildcard subdomain, requests are checked for the source
# network: requests arriving via the Tailscale connection are allowed and
# pass through to the internal proxy, everything else is denied
# note: location ~* ^/$ matches only the exact path "/"
location ~* ^/$ {
    allow 172.250.250.0/24;
    deny all;
}
- update your DNS
# only configure wildcard domains in DNS, to reduce visibility of
# services that you are running behind your proxy
tld.com - A - 999.999.999.999
*.tld.com - CNAME - tld.com
secure.tld.com - CNAME - tld.com
*.secure.tld.com - CNAME - tld.com
admin.tld.com - A - 000.000.000.000
*.admin.tld.com - CNAME - admin.tld.com
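
The two Advanced config rules above, modelled in Python to show which requests each one acts on: both sit in location ~* ^/$, which matches only the exact path "/", and the cookie test is a case-insensitive substring match on the Cookie header. This is an added example, not part of the original setup; the sample hosts, paths and IP addresses are constructed, and "pass" means the rule takes no action and the request continues to the rest of the proxy host configuration.

```python
import ipaddress
import re

# Constructed model of the two Advanced rules; tld.com is the page's placeholder domain.
ROOT_ONLY = re.compile(r"^/$", re.I)         # location ~* ^/$
SUBDOMAIN = re.compile(r"^([^.]+)\.", re.I)  # if ($host ~* ^([^.]+)\.)
COOKIE = re.compile(r"AdminDomain", re.I)    # $http_cookie !~* "AdminDomain"
ALLOWED_NET = ipaddress.ip_network("172.250.250.0/24")  # allow ...; deny all;


def secure_rule(host, path, cookie_header=""):
    """Outcome of the secure.tld.com rule; path is the URI without query string."""
    if not ROOT_ONLY.search(path):
        return ("pass", None)  # location does not match, so the rule never runs
    match = SUBDOMAIN.search(host)
    subdomain = match.group(1) if match else ""
    if not COOKIE.search(cookie_header):
        return ("302", f"https://sso.tld.com/{subdomain}.secure")
    return ("pass", None)  # substring found anywhere in the Cookie header


def admin_rule(client_ip, path):
    """Outcome of the admin.tld.com rule for a client address and path."""
    if not ROOT_ONLY.search(path):
        return "pass"  # allow/deny live inside the location and are not evaluated
    return "pass" if ipaddress.ip_address(client_ip) in ALLOWED_NET else "403"


def coverage():
    """Run constructed sample requests (hosts, paths, IPs are made up) through both rules."""
    secure = [("app.secure.tld.com", "/", ""),
              ("app.secure.tld.com", "/", "theme=dark; AdminDomain=x"),
              ("app.secure.tld.com", "/dashboard", "")]
    admin = [("172.250.250.7", "/"), ("203.0.113.9", "/"), ("203.0.113.9", "/settings")]
    rows = [("secure", *req, secure_rule(*req)[0]) for req in secure]
    rows += [("admin", *req, admin_rule(*req)) for req in admin]
    return rows


if __name__ == "__main__":
    for row in coverage():
        print(row)
```

nginx also accepts allow and deny at server level, where they apply to every location that does not set its own.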