From dd3be25956cc0f2961b7c981ba10f7b5ff22ec90 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 8 Feb 2026 00:35:52 -0800 Subject: [PATCH] line length --- docs/how-to/expose-service-publicly.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/how-to/expose-service-publicly.md b/docs/how-to/expose-service-publicly.md index a034998..cb318cf 100644 --- a/docs/how-to/expose-service-publicly.md +++ b/docs/how-to/expose-service-publicly.md @@ -63,11 +63,18 @@ infrastructure. They can continue to operate in parallel for private access. There are three independent TLS segments — none involve Caddy: -1. **Browser → Fly.io edge**: Fly.io auto-provisions a Let's Encrypt certificate for each custom domain (e.g., `docs.eblu.me`). Validated via TLS-ALPN challenge — no DNS API needed. -2. **nginx → Tailscale ingress**: nginx proxies to `https://.tail8d86e.ts.net`. The Tailscale ingress serves a Tailscale-issued cert. nginx uses `proxy_ssl_verify off` since the underlying tunnel is already encrypted. -3. **WireGuard tunnel**: All Tailscale traffic is encrypted at the network layer regardless of application-level TLS. +1. **Browser → Fly.io edge**: Fly.io auto-provisions a Let's Encrypt + certificate for each custom domain (e.g., `docs.eblu.me`). Validated via + TLS-ALPN challenge — no DNS API needed. +2. **nginx → Tailscale ingress**: nginx proxies to + `https://.tail8d86e.ts.net`. The Tailscale ingress serves a + Tailscale-issued cert. nginx uses `proxy_ssl_verify off` since the + underlying tunnel is already encrypted. +3. **WireGuard tunnel**: All Tailscale traffic is encrypted at the network + layer regardless of application-level TLS. -Caddy continues to serve `*.ops.eblu.me` with its existing Gandi DNS-01 certificates. The two TLS domains are completely independent. +Caddy continues to serve `*.ops.eblu.me` with its existing Gandi DNS-01 +certificates. The two TLS domains are completely independent. ## External references
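Review bot: In item 2 of the reflowed list, the rationale for `proxy_ssl_verify off` ("since the underlying tunnel is already encrypted") conflates confidentiality with upstream authentication. With verification off, nginx accepts whatever certificate the upstream presents, so the Tailscale-issued cert on that segment is never actually checked. Since these lines are being rewrapped anyway, I'd suggest either rewording the sentence to say explicitly that nginx does not validate the ingress certificate and that the identity of the upstream is left to the Tailscale layer described in item 3, or noting in the doc why turning verification on is not practical here. Also in item 2, the URL reads `https://.tail8d86e.ts.net` with nothing before the first dot; if a hostname placeholder is meant to be there, it should be written so that it survives rendering. Both are content changes rather than wrapping, so they may belong in a follow-up commit given the subject "line length".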