by hamishwhc 1311 days ago
Anything stopping us from just creating a CNAME to our tailnet domain and registering certs for it instead of whatever.ts.net? This seems like it should work in my head...

Our Funnel ingress servers won't proxy any TCP connection that doesn't have a *.ts.net SNI name currently.

But BYODomain is something that'd be fun to add.

BYODomain would be great. This would give me a secure & reliable way to host public services out of my homelab.
It would be great if Tailscale adds this, but there are lots of services that provide this functionality if you need it today, including Cloudflare Tunnel.
Cloudflare's CNAME flattening with proxy enabled would do the trick. The ingress sees a request to the CNAME target so SNI works as usual.
From how I understood the article, they don't do TLS termination but they do SNI snooping to figure out how to route it? So if they don't have all of the infrastructure in place to map the SNI for your CNAME to your Tailscale network, that wouldn't work?
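The two points raised above (the ingress refusing connections whose SNI is not under *.ts.net, and the observation that this works by reading the SNI rather than terminating TLS) can be illustrated with a small parser. This is an added example, not Tailscale's code: it builds a minimal ClientHello (constructed test input), reads the server_name extension from the unencrypted handshake, and applies the suffix policy the comment describes. The `.ts.net` suffix and the `should_proxy` policy are assumptions standing in for whatever the real ingress does.

```python
"""SNI-based routing decision without TLS termination (added example)."""
import struct

ALLOWED_SUFFIX = ".ts.net"  # assumed policy, mirrors the comment above


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI extension.

    Constructed test input only; real clients send many more extensions,
    but the layout up to the server_name extension is the same.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version (TLS 1.2 on the wire)
        + b"\x00" * 32          # random; zeros are fine for a parsing demo
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"           # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the server_name from a ClientHello record, or None.

    Only the cleartext handshake is read; no key material is involved,
    which is why an ingress can route on SNI without terminating TLS.
    Malformed or truncated input yields None instead of an exception.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
            return None
        pos = 4 + 2 + 32                              # header, version, random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                    # server_name
                p = pos + 2                           # skip server_name_list length
                if hs[p] != 0:                        # only host_name entries are defined
                    return None
                name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                name = hs[p + 3:p + 3 + name_len]
                if len(name) != name_len:
                    return None
                return name.decode("ascii")
            pos += length
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def should_proxy(data: bytes) -> bool:
    """Policy from the thread: forward only connections whose SNI is under .ts.net."""
    name = extract_sni(data)
    return name is not None and name.endswith(ALLOWED_SUFFIX)


if __name__ == "__main__":
    for host in ("node.example.ts.net", "app.example.com"):
        hello = build_client_hello(host)
        print(host, "->", "proxy" if should_proxy(hello) else "refuse")
```

A browser visiting `app.example.com` sends that name in the SNI regardless of any CNAME pointing at a `*.ts.net` host, so an ingress applying this check refuses it, which is the behaviour the thread describes. Note that this kind of routing depends on the SNI being readable; with Encrypted Client Hello the server_name is no longer visible to an intermediary.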