From 45df6e77ff39d9d68104d3b06a55508aaf5086e9 Mon Sep 17 00:00:00 2001 From: Mike Lloyd <49411532+mike-lloyd03@users.noreply.github.com> Date: Tue, 6 Sep 2022 15:37:39 -0700 Subject: [PATCH] Apply suggestions from code review Thanks for the pointers! Co-authored-by: Juan Font --- docs/reverse-proxy.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/reverse-proxy.md b/docs/reverse-proxy.md index db698d86..1f66d3c2 100644 --- a/docs/reverse-proxy.md +++ b/docs/reverse-proxy.md @@ -1,9 +1,13 @@ -# Running behind a reverse proxy +# Running headscale behind a reverse proxy + +Running headscale behind a reverse proxy is useful when running multiple applications on the same server, and you want to reuse the same external IP and port - usually tcp/443 for HTTPS. + +### WebSockets +The reverse proxy MUST be configured to support WebSockets, as it is needed for clients running Tailscale v1.30+. + +WebSockets support is required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our [config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml). -Running Headscale behind a reverse proxy is suitable for container-based deployments. This is especially useful on a server were port 443 is already being used for other web services. -### Web Sockets -The reverse proxy _must_ be configured to support websockets if you are running headscale 0.17.x+ and tailscale v1.30+. ### TLS Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.