Need help/clarification regarding MagicDNS + TLS #460

Closed
opened 2025-12-29 01:29:42 +01:00 by adam · 3 comments
Originally created by @ghost on GitHub (Apr 1, 2023).

Let's say that I'm serving a web app (on port 8090) on a home server named `server` and I'm trying to access it from a device named `pc`. Also, I'm behind CGNAT.

With Tailscale, I was able to issue Let's Encrypt certificates for `server.tailfe8c.ts.net` by running `tailscale cert`.

The Apache config for the web app was like:

```apache
# TLS front end on 8093, reverse-proxied to the plain-HTTP app on 8090
Listen 8093

<IfModule mod_ssl.c>
<VirtualHost *:8093>
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://127.0.0.1:8090/ nocanon
        ProxyPassReverse / http://127.0.0.1:8090/

        AllowEncodedSlashes on

        RewriteEngine on

        # Certificate and key obtained with `tailscale cert` for server.tailfe8c.ts.net
        SSLEngine on
        SSLCertificateFile /home/user/ssl/fullchain.pem
        SSLCertificateKeyFile /home/user/ssl/privkey.pem
</VirtualHost>
</IfModule>
```

I was able to reach this web app via `https://server.tailfe8c.ts.net:8093` without any problems, provided that 100.100.100.100 was listed as a nameserver in my `resolv.conf`.

I have now decided to move to headscale and installed it on an Azure VM, with a domain name of, say, `qwerty.europe.cloudapp.azure.com`.

I can access the web app from `pc` via `http://server:8090/` with MagicDNS enabled, but I'm confused about setting up TLS.

How should I configure my settings if I want to access my web app on `server` via headscale installed on the Azure VM? Especially `tls_letsencrypt_hostname`, `tls_letsencrypt_challenge_type`, `tls_letsencrypt_listen`, and `base_domain`? What files should I specify for `SSLCertificateFile` and `SSLCertificateKeyFile` in the Apache config? If the TLS settings in the headscale config file aren't for the connection between `pc` and `server`, for what domain should I issue certificates via `certbot` or `acme.sh`? Nothing I have tried has worked.

adam added the bug label 2025-12-29 01:29:42 +01:00
adam closed this issue 2025-12-29 01:29:43 +01:00
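The point the question turns on is what a browser actually verifies when it opens `https://server:8093`: the name in the URL is compared against the certificate's subjectAltName entries, the port is ignored, and a bare MagicDNS short name such as `server` is not the same name as `server.tailfe8c.ts.net`, so it will not satisfy the certificate above even though `http://server:8090` works. The following script is an added example written for this page, not code from the issue, headscale, Tailscale or Apache. It implements that hostname-to-SAN check with the same matching rules browsers use (case-insensitive, single-label wildcard, IP literals only against IP entries) and runs offline on `TAILSCALE_SAN`, a constructed SAN tuple in the shape `ssl.getpeercert()` returns for the poster's `tailscale cert` certificate. `fetch_peer_sans` is the only part that needs a network and is there so the same check can be run against a live port 8093.

```python
# Added example (not from the issue or from headscale/Apache/Tailscale): does the name typed
# into the browser match what the certificate served on port 8093 actually covers?
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: the subjectAltName tuple ssl.getpeercert() would return for the
# certificate the original poster obtained with `tailscale cert`.
TAILSCALE_SAN = (("DNS", "server.tailfe8c.ts.net"),)


def host_from(target):
    """Extract the host from a URL, "host:port" or bare host, dropping any trailing dot."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").rstrip(".")


def _wildcard_matches(pattern, host):
    """RFC 6125 style: "*" may only be the whole leftmost label and matches exactly one label."""
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    suffix = pattern[1:]                     # e.g. ".tailfe8c.ts.net"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def san_covers(san_entries, target):
    """True if the certificate's subjectAltName entries cover the host named in `target`.

    san_entries: iterable of (type, value) pairs as in ssl.getpeercert()["subjectAltName"].
    DNS names are matched case-insensitively against DNS entries; an IP literal in the URL
    matches only an "IP Address" entry, never a DNS entry that happens to look like an IP.
    """
    host = host_from(target).lower()
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
            continue
        if kind != "DNS":
            continue
        pattern = value.rstrip(".").lower()
        if pattern == host or _wildcard_matches(pattern, host):
            return True
    return False


def uncovered_names(san_entries, targets):
    """Return the targets the certificate would NOT satisfy (what a browser would reject)."""
    return [t for t in targets if not san_covers(san_entries, t)]


def fetch_peer_sans(host, port=443, server_name=None, timeout=5):
    """Connect with TLS and return the subjectAltName tuple the server presents (needs network).

    Chain validation against the system trust store stays on so getpeercert() is populated;
    only the hostname check is disabled, because a mismatch is exactly what we want to see.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Offline run on the constructed SAN; the URLs are the poster's own names, not real hosts.
    print(uncovered_names(TAILSCALE_SAN, [
        "https://server.tailfe8c.ts.net:8093/",
        "https://server:8093/",
        "https://100.64.0.5:8093/",
    ]))
```

Against `TAILSCALE_SAN`, only the first URL passes: the short name and the tailnet IP are both rejected, which is the behaviour behind "works over HTTP, fails over HTTPS". Whatever `SSLCertificateFile` ends up pointing at under headscale, it has to name the full MagicDNS hostname the browser will be given (the node name under headscale's `base_domain`), and `fetch_peer_sans("server.<base_domain>", 8093)` shows directly whether it does.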
@tfasano1 commented on GitHub (Apr 11, 2023):

I've the same question, but using nginx.

@loprima-l commented on GitHub (Apr 28, 2023):

Is `http://server:8090/` now the Azure server, or did you keep the local server?

@juanfont commented on GitHub (May 10, 2023):

`tailscale cert` is currently not implemented. It might come in the future.

Reference: starred/headscale#460