I self-host Newsblur using Tailscale DNS [1] and TLS certificates [2] to access it over https. It requires the device you’re on to have Tailscale running as well, but this has the benefit of setting up the Newsblur mobile app to use a custom server and not have to expose Newsblur publicly.
The trick I found was to create a separate VM for Newsblur and set it up as a Tailscale host; this way it gets its own sub-domain on the Tailnet with its own TLS cert.
Once that was set up, concatenate the cert and key into a single .pem file that HAProxy can use,

    cat /var/lib/tailscale/certs/newsblur.tailnet-0000.ts.net.crt /var/lib/tailscale/certs/newsblur.tailnet-0000.ts.net.key > /srv/NewsBlur/config/certificates/newsblur.pem

and update /srv/Newsblur/docker/haproxy/haproxy.docker-compose.cfg to use it,

    frontend public
        bind :80
        bind :443 ssl crt /srv/newsblur/config/certificates/newsblur.pem #ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
        http-response add-header Strict-Transport-Security max-age=0;\ includeSubDomains
        option http-server-close
The downside is that the cert is only valid for 3 months, and I'm not entirely certain whether Tailscale will automatically renew it or whether it requires a manual process.
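As an added example (not part of the post above, and not NewsBlur's or Tailscale's own tooling), a small script that builds the combined HAProxy .pem the way the post describes and then checks two things a practitioner wants before pointing HAProxy at it: that the private key actually matches the certificate, and how many days remain before the 90-day Tailscale cert expires. The cert/key paths are assumptions; the demo uses a constructed self-signed cert in place of the real Tailscale one so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only POSIX sh and openssl.
# Real Tailscale certs live under /var/lib/tailscale/certs/ (paths here are placeholders).

# Concatenate cert + key into one file. The result contains the private key,
# so create it with restrictive permissions (umask in a subshell, so it does not leak).
build_pem() {
  crt="$1"; key="$2"; out="$3"
  ( umask 077; cat "$crt" "$key" > "$out" )
}

# Succeeds only if the public key inside the cert equals the public key
# derived from the private key in the same .pem (catches a mismatched pair).
pem_key_matches() {
  pem="$1"
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints whole days until the cert expires (negative once expired).
# Use this in a cron job to notice a cert that was not renewed.
pem_days_left() {
  pem="$1"
  not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
  # GNU date first; fall back to BSD/macOS date syntax.
  exp=$(date -u -d "$not_after" +%s 2>/dev/null || date -ju -f "%b %e %T %Y %Z" "$not_after" +%s)
  echo $(( (exp - $(date -u +%s)) / 86400 ))
}

# Demo with a constructed self-signed 90-day cert standing in for the Tailscale one.
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=newsblur.tailnet-0000.ts.net" \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" >/dev/null 2>&1
  build_pem "$dir/demo.crt" "$dir/demo.key" "$dir/newsblur.pem"
  pem_key_matches "$dir/newsblur.pem" && echo "key matches cert"
  echo "days until expiry: $(pem_days_left "$dir/newsblur.pem")"
  rm -rf "$dir"
}
```

Run `demo` to see it end to end; against a real install, call `pem_key_matches` and `pem_days_left` on the concatenated file from the post.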