Add reverse proxy documentation #790
Conversation
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; | ||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; |
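Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` forwards whatever `X-Forwarded-Proto` value the client itself sent (or nothing at all) rather than the scheme nginx actually served, so a client can tell the upstream its request was HTTPS when it was not; use `$scheme` instead. The block also lacks the pieces WebSocket proxying needs, `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and a `Connection` header, which the thread above already asks for. `$proxy_add_x_forwarded_for` and the `Strict-Transport-Security` header look right.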
This config won't work with Headscale 0.17.x & Tailscale > 1.30.0.
You are missing something like this for proxying WebSockets https://discord.com/channels/896711691637780480/896711692120129540/1015993290417504336
So I'm actually running 0.17.1-alpha right now and I have the `Upgrade` and `Connection` headers set but didn't include them in this PR because I didn't really know what they did haha.
Anyway, I did a bit more research and added them in. I'm not sure if the `map` variable is needed though. In my configuration, I just have the `Connection` header set to `upgrade`. I included it anyway. Let me know what you think.
Running Headscale behind a reverse proxy is suitable for container-based deployments. This is especially useful on a server were port 443 is already being used for other web services. | ||
|
||
Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file. | ||
|
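Review bot: "on a server were port 443 is already being used" should read "where". The second paragraph announces configuration values for turning off TLS in headscale; make sure those values follow immediately, and add a sentence that once TLS is off, headscale's own listener is plaintext and should only be reachable by the reverse proxy (bind it to localhost or firewall it), since the paragraph currently reads as if disabling TLS has no side effect.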
Can you please point out that for Headscale v0.17.x+ having the reverse proxy configured to support WebSockets is mandatory? Otherwise Tailscale clients v1.30+ will not work.
WebSockets is also required when running the embedded DERP server.
In the embedded DERP case, even if you run a reverse proxy you will also have to open the specified STUN UDP port (see https://github.com/juanfont/headscale/blob/main/config-example.yaml#L85)
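The two comments above (the `Upgrade`/`Connection` headers and the `map` variable question, and the requirement that the proxy support WebSockets for Headscale v0.17.x+) fit together in one nginx server block. The block below is an added example, not the PR's documentation or headscale's own configuration. It assumes headscale listens in plaintext on 127.0.0.1:8080, that the public hostname is headscale.example.com, and Let's Encrypt style certificate paths; all three are placeholders to adjust.

```nginx
# Added example, not the PR's documentation: nginx terminating TLS and
# forwarding HTTP plus WebSocket traffic to a plaintext headscale listener.
# Assumed: headscale on 127.0.0.1:8080, hostname headscale.example.com.

# Pick the Connection header from the client's Upgrade header:
# "upgrade" when the client asked for a WebSocket, "close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name headscale.example.com;

    # Assumed certificate paths; replace with your own.
    ssl_certificate     /etc/letsencrypt/live/headscale.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/headscale.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # WebSockets need HTTP/1.1 and the hop-by-hop Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Client address/scheme for headscale. $scheme is what nginx served,
        # not a value a client could set in its own X-Forwarded-Proto header.
        proxy_set_header Host              $server_name;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}
```

On the `map` question: hardcoding `Connection upgrade` does work for WebSocket requests, but then every ordinary HTTP request to headscale also carries `Connection: upgrade`; the `map` sends it only when the client actually supplied an `Upgrade` header and sends `close` otherwise. Note that this block only proxies TCP, so with the embedded DERP server the STUN UDP port from the headscale config still has to be reachable directly, as the comment above says.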
I added a section saying that web socket configuration is mandatory going forward.
Some suggestions...
Thanks for the pointers!
Co-authored-by: Juan Font <juanfontalonso@gmail.com>
Thanks for the suggestions. The only issue I'm still having: Sometimes one of my Linux machines will show that it is
Actually it looks like this is also happening on one of the other Linux machines. The VPN connection is still up though so maybe it's not an issue.
Can you run prettier on the .md? The linter is complaining...
Done.
Per our discussion on Discord today, I'm adding a brief description for how to configure a reverse proxy in front of Headscale. The doc is rather concise so please let me know where more information is needed. This only covers nginx for now but more proxy servers can be added as necessary.