starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-13 12:50:32 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

failed to set up a HTTP server error="listen tcp :80: bind: permission denied" #473

New Issue
Closed
opened 2025-12-29 01:30:00 +01:00 by adam · 16 comments
adam commented 2025-12-29 01:30:00 +01:00
Owner
Copy Link

Originally created by @TimDowker on GitHub (Apr 14, 2023).

Bug description
Fresh Ubuntu 22.04 container running on Proxmox 7.4 - all updates applied for both host and container. Download and installed latest v0.22.0-alpha2 deb package using command "dpkg -i headscale_0.22.0-alpha2_linux_amd64.deb".

Tried to start it up after modifying the config.yaml (posted below).

Get the following error

Apr 14 12:25:36 hs headscale[366]: 2023-04-14T12:25:36-04:00 FTL ../../../home/runner/work/headscale/headscale/app.go:875 > failed to set up a HTTP server error="listen tcp :80: bind: permission denied"

# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory

# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
#server_url: http://127.0.0.1:8080
server_url: https://hs.example.com:443

# Address to listen to / bind to on the server
#
# For production:
listen_addr: 0.0.0.0:443
#listen_addr: 127.0.0.1:8080

# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
# network
#
metrics_listen_addr: 127.0.0.1:9090

# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
#
# For production:
grpc_listen_addr: 0.0.0.0:50443
#grpc_listen_addr: 127.0.0.1:50443

# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false

# Private key used to encrypt the traffic between headscale
# and Tailscale clients.
# The private key file will be autogenerated if it's missing.
#
private_key_path: /var/lib/headscale/private.key

# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol. It must be different
  # from the legacy private key.
  private_key_path: /var/lib/headscale/noise_private.key

# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
# While this looks like it can take arbitrary values, it
# needs to be within IP ranges supported by the Tailscale
# client.
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
ip_prefixes:
  - 11.12.13.0/10
  - fd7a:115c:a1e0::/48

# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# headscale needs a list of DERP servers that can be presented
# to the clients.
derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: true

    # Region ID to use for the embedded DERP server.
    # The local DERP prevails if the region ID collides with other region ID coming from
    # the regular DERP config.
    region_id: 999

    # Region code and name are displayed in the Tailscale UI to identify a DERP region
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"

  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default

  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []

  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true

  # How often should we check for DERP updates?
  update_frequency: 24h

# Disables the automatic check for headscale updates on startup
disable_check_updates: false

# Time before an inactive ephemeral node is deleted?
ephemeral_node_inactivity_timeout: 30m

# Period to check for node updates within the tailnet. A value too low will severely affect
# CPU consumption of Headscale. A value too high (over 60s) will cause problems
# for the nodes, as they won't get updates or keep alive messages frequently enough.
# In case of doubts, do not touch the default 10s.
node_update_check_interval: 10s

# SQLite config
db_type: sqlite3

# For production:
db_path: /var/lib/headscale/db.sqlite

# # Postgres config
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
# db_type: postgres
# db_host: localhost
# db_port: 5432
# db_name: headscale
# db_user: foo
# db_pass: bar

# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
# db_ssl: false

### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory

# Email to register with ACME provider
acme_email: "user@example.com"

# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: "hs.example.com"

# Path to store certificates and metadata needed by
# letsencrypt
# For production:
tls_letsencrypt_cache_dir: /var/lib/headscale/cache

# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See [docs/tls.md](docs/tls.md) for more information
tls_letsencrypt_challenge_type: HTTP-01
#tls_letsencrypt_challenge_type: TLS-ALPN-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"

## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""

log:
  # Output formatting for logs: text or json
  format: text
  level: info

# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: ""

## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their KB to better understand the concepts:
#
# - https://tailscale.com/kb/1054/dns/
# - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
#
dns_config:
  # Whether to prefer using Headscale provided DNS or use local.
  override_local_dns: false

  # List of DNS servers to expose to clients.
  nameservers:
    - 1.1.1.1
    - 1.0.0.1
  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
  # "abc123" is example NextDNS ID, replace with yours.
  #
  # With metadata sharing:
  # nameservers:
  #   - https://dns.nextdns.io/abc123
  #
  # Without metadata sharing:
  # nameservers:
  #   - 2a07:a8c0::ab:c123
  #   - 2a07:a8c1::ab:c123

  # Split DNS (see https://tailscale.com/kb/1054/dns/),
  # list of search domains and the DNS to query for each one.
  #
  # restricted_nameservers:
  #   foo.bar.com:
  #     - 1.1.1.1
  #   darp.headscale.net:
  #     - 1.1.1.1
  #     - 8.8.8.8

  # Search domains to inject.
  domains: []

  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
  # extra_records:
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }

  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  # Only works if there is at least a nameserver defined.
  magic_dns: true

  # Defines the base domain to create the hostnames for MagicDNS.
  # `base_domain` must be a FQDNs, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
  base_domain: hs.example.com

# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
#
# headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
# oidc:
#   only_start_if_oidc_is_available: true
#   issuer: "https://your-oidc.issuer.com/path"
#   client_id: "your-oidc-client-id"
#   client_secret: "your-oidc-client-secret"
#   # Alternatively, set `client_secret_path` to read the secret from the file.
#   # It resolves environment variables, making integration to systemd's
#   # `LoadCredential` straightforward:
#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
#   # client_secret and client_secret_path are mutually exclusive.
#
#   # The amount of time from a node is authenticated with OpenID until it
#   # expires and needs to reauthenticate.
#   # Setting the value to "0" will mean no expiry.
#   expiry: 180d
#
#   # Use the expiry from the token received from OpenID when the user logged
#   # in, this will typically lead to frequent need to reauthenticate and should
#   # only been enabled if you know what you are doing.
#   # Note: enabling this will cause `oidc.expiry` to be ignored.
#   use_expiry_from_token: false
#
#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
#
#   scope: ["openid", "profile", "email", "custom"]
#   extra_params:
#     domain_hint: example.com
#
#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
#   # authentication request will be rejected.
#
#   allowed_domains:
#     - example.com
#   # Note: Groups from keycloak have a leading '/'
#   allowed_groups:
#     - /headscale
#   allowed_users:
#     - alice@example.com
#
#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
#   user: `first-name.last-name.example.com`
#
#   strip_email_domain: true

# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
# to instruct tailscale nodes to log their activity to a remote server.
logtail:
  # Enable logtail for this headscales clients.
  # As there is currently no support for overriding the log server in headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false

# Enabling this option makes devices prefer a random port for WireGuard traffic over the
# default static port 41641. This option is intended as a workaround for some buggy
# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
randomize_client_port: true
Originally created by @TimDowker on GitHub (Apr 14, 2023). <!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. --> **Bug description** Fresh Ubuntu 22.04 container running on Proxmox 7.4 - all updates applied for both host and container. Download and installed latest v0.22.0-alpha2 deb package using command "dpkg -i headscale_0.22.0-alpha2_linux_amd64.deb". Tried to start it up after modifying the config.yaml (posted below). Get the following error Apr 14 12:25:36 hs headscale[366]: 2023-04-14T12:25:36-04:00 FTL ../../../home/runner/work/headscale/headscale/app.go:875 > failed to set up a HTTP server error="listen tcp :80: bind: permission denied" ``` # headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: # # - `/etc/headscale` # - `~/.headscale` # - current working directory # The url clients will connect to. # Typically this will be a domain like: # # https://myheadscale.example.com:443 # #server_url: http://127.0.0.1:8080 server_url: https://hs.example.com:443 # Address to listen to / bind to on the server # # For production: listen_addr: 0.0.0.0:443 #listen_addr: 127.0.0.1:8080 # Address to listen to /metrics, you may want # to keep this endpoint private to your internal # network # metrics_listen_addr: 127.0.0.1:9090 # Address to listen for gRPC. # gRPC is used for controlling a headscale server # remotely with the CLI # Note: Remote access _only_ works if you have # valid certificates. # # For production: grpc_listen_addr: 0.0.0.0:50443 #grpc_listen_addr: 127.0.0.1:50443 # Allow the gRPC admin interface to run in INSECURE # mode. This is not recommended as the traffic will # be unencrypted. Only enable if you know what you # are doing. grpc_allow_insecure: false # Private key used to encrypt the traffic between headscale # and Tailscale clients. # The private key file will be autogenerated if it's missing. # private_key_path: /var/lib/headscale/private.key # The Noise section includes specific configuration for the # TS2021 Noise protocol noise: # The Noise private key is used to encrypt the # traffic between headscale and Tailscale clients when # using the new Noise-based protocol. It must be different # from the legacy private key. private_key_path: /var/lib/headscale/noise_private.key # List of IP prefixes to allocate tailaddresses from. # Each prefix consists of either an IPv4 or IPv6 address, # and the associated prefix length, delimited by a slash. # While this looks like it can take arbitrary values, it # needs to be within IP ranges supported by the Tailscale # client. # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 ip_prefixes: - 11.12.13.0/10 - fd7a:115c:a1e0::/48 # DERP is a relay system that Tailscale uses when a direct # connection cannot be established. # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp # # headscale needs a list of DERP servers that can be presented # to the clients. derp: server: # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place enabled: true # Region ID to use for the embedded DERP server. # The local DERP prevails if the region ID collides with other region ID coming from # the regular DERP config. region_id: 999 # Region code and name are displayed in the Tailscale UI to identify a DERP region region_code: "headscale" region_name: "Headscale Embedded DERP" # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. # When the embedded DERP server is enabled stun_listen_addr MUST be defined. # # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ stun_listen_addr: "0.0.0.0:3478" # List of externally available DERP maps encoded in JSON urls: - https://controlplane.tailscale.com/derpmap/default # Locally available DERP map files encoded in YAML # # This option is mostly interesting for people hosting # their own DERP servers: # https://tailscale.com/kb/1118/custom-derp-servers/ # # paths: # - /etc/headscale/derp-example.yaml paths: [] # If enabled, a worker will be set up to periodically # refresh the given sources and update the derpmap # will be set up. auto_update_enabled: true # How often should we check for DERP updates? update_frequency: 24h # Disables the automatic check for headscale updates on startup disable_check_updates: false # Time before an inactive ephemeral node is deleted? ephemeral_node_inactivity_timeout: 30m # Period to check for node updates within the tailnet. A value too low will severely affect # CPU consumption of Headscale. A value too high (over 60s) will cause problems # for the nodes, as they won't get updates or keep alive messages frequently enough. # In case of doubts, do not touch the default 10s. node_update_check_interval: 10s # SQLite config db_type: sqlite3 # For production: db_path: /var/lib/headscale/db.sqlite # # Postgres config # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. # db_type: postgres # db_host: localhost # db_port: 5432 # db_name: headscale # db_user: foo # db_pass: bar # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need # in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. # db_ssl: false ### TLS configuration # ## Let's encrypt / ACME # # headscale supports automatically requesting and setting up # TLS for a domain with Let's Encrypt. # # URL to ACME directory acme_url: https://acme-v02.api.letsencrypt.org/directory # Email to register with ACME provider acme_email: "user@example.com" # Domain name to request a TLS certificate for: tls_letsencrypt_hostname: "hs.example.com" # Path to store certificates and metadata needed by # letsencrypt # For production: tls_letsencrypt_cache_dir: /var/lib/headscale/cache # Type of ACME challenge to use, currently supported types: # HTTP-01 or TLS-ALPN-01 # See [docs/tls.md](docs/tls.md) for more information tls_letsencrypt_challenge_type: HTTP-01 #tls_letsencrypt_challenge_type: TLS-ALPN-01 # When HTTP-01 challenge is chosen, letsencrypt must set up a # verification endpoint, and it will be listening on: # :http = port 80 tls_letsencrypt_listen: ":http" ## Use already defined certificates: tls_cert_path: "" tls_key_path: "" log: # Output formatting for logs: text or json format: text level: info # Path to a file containg ACL policies. # ACLs can be defined as YAML or HUJSON. # https://tailscale.com/kb/1018/acls/ acl_policy_path: "" ## DNS # # headscale supports Tailscale's DNS configuration and MagicDNS. # Please have a look to their KB to better understand the concepts: # # - https://tailscale.com/kb/1054/dns/ # - https://tailscale.com/kb/1081/magicdns/ # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ # dns_config: # Whether to prefer using Headscale provided DNS or use local. override_local_dns: false # List of DNS servers to expose to clients. nameservers: - 1.1.1.1 - 1.0.0.1 # NextDNS (see https://tailscale.com/kb/1218/nextdns/). # "abc123" is example NextDNS ID, replace with yours. # # With metadata sharing: # nameservers: # - https://dns.nextdns.io/abc123 # # Without metadata sharing: # nameservers: # - 2a07:a8c0::ab:c123 # - 2a07:a8c1::ab:c123 # Split DNS (see https://tailscale.com/kb/1054/dns/), # list of search domains and the DNS to query for each one. # # restricted_nameservers: # foo.bar.com: # - 1.1.1.1 # darp.headscale.net: # - 1.1.1.1 # - 8.8.8.8 # Search domains to inject. domains: [] # Extra DNS records # so far only A-records are supported (on the tailscale side) # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations # extra_records: # - name: "grafana.myvpn.example.com" # type: "A" # value: "100.64.0.3" # # # you can also put it in one line # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). # Only works if there is at least a nameserver defined. magic_dns: true # Defines the base domain to create the hostnames for MagicDNS. # `base_domain` must be a FQDNs, without the trailing dot. # The FQDN of the hosts will be # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). base_domain: hs.example.com # Unix socket used for the CLI to connect without authentication # Note: for production you will want to set this to something like: unix_socket: /var/run/headscale/headscale.sock unix_socket_permission: "0770" # # headscale supports experimental OpenID connect support, # it is still being tested and might have some bugs, please # help us test it. # OpenID Connect # oidc: # only_start_if_oidc_is_available: true # issuer: "https://your-oidc.issuer.com/path" # client_id: "your-oidc-client-id" # client_secret: "your-oidc-client-secret" # # Alternatively, set `client_secret_path` to read the secret from the file. # # It resolves environment variables, making integration to systemd's # # `LoadCredential` straightforward: # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" # # client_secret and client_secret_path are mutually exclusive. # # # The amount of time from a node is authenticated with OpenID until it # # expires and needs to reauthenticate. # # Setting the value to "0" will mean no expiry. # expiry: 180d # # # Use the expiry from the token received from OpenID when the user logged # # in, this will typically lead to frequent need to reauthenticate and should # # only been enabled if you know what you are doing. # # Note: enabling this will cause `oidc.expiry` to be ignored. # use_expiry_from_token: false # # # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query # # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". # # scope: ["openid", "profile", "email", "custom"] # extra_params: # domain_hint: example.com # # # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the # # authentication request will be rejected. # # allowed_domains: # - example.com # # Note: Groups from keycloak have a leading '/' # allowed_groups: # - /headscale # allowed_users: # - alice@example.com # # # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. # # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` # # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following # user: `first-name.last-name.example.com` # # strip_email_domain: true # Logtail configuration # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel # to instruct tailscale nodes to log their activity to a remote server. logtail: # Enable logtail for this headscales clients. # As there is currently no support for overriding the log server in headscale, this is # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. enabled: false # Enabling this option makes devices prefer a random port for WireGuard traffic over the # default static port 41641. This option is intended as a workaround for some buggy # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. randomize_client_port: true ```
adam added the stalebug labels 2025-12-29 01:30:00 +01:00
adam closed this issue 2025-12-29 01:30:01 +01:00
adam commented 2025-12-29 01:30:01 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Apr 19, 2023):

Hi @TimDowker , I am unable to reproduce this in a fresh VM (both 22.04 and 22.10), is headscale able to bind to :443 and other privileged ports? Have you ran some extra hardening on your system to prevent these ports to be bound?

Do you have anything else bound on port :80?

@kradalby commented on GitHub (Apr 19, 2023): Hi @TimDowker , I am unable to reproduce this in a fresh VM (both 22.04 and 22.10), is headscale able to bind to `:443` and other privileged ports? Have you ran some extra hardening on your system to prevent these ports to be bound? Do you have anything else bound on port `:80`?
adam commented 2025-12-29 01:30:02 +01:00
Author
Owner
Copy Link

@TimDowker commented on GitHub (Apr 20, 2023):

Testing deb package on a fresh Ubuntu 22.04 Proxmox container. Will report back if this is still an issue.

@TimDowker commented on GitHub (Apr 20, 2023): Testing deb package on a fresh Ubuntu 22.04 Proxmox container. Will report back if this is still an issue.
adam commented 2025-12-29 01:30:03 +01:00
Author
Owner
Copy Link

@TimDowker commented on GitHub (Apr 20, 2023):

Same error on a fresh proxmox container running ubuntu template 22.04 with all updates.

Apr 20 13:10:57 hs headscale[10261]: 2023-04-20T13:10:57Z FTL ../../../home/runner/work/headscale/headscale/app.go:875 > failed to set up a HTTP server error="listen tcp :80: bind: permission denied"

@TimDowker commented on GitHub (Apr 20, 2023): Same error on a fresh proxmox container running ubuntu template 22.04 with all updates. `Apr 20 13:10:57 hs headscale[10261]: 2023-04-20T13:10:57Z FTL ../../../home/runner/work/headscale/headscale/app.go:875 > failed to set up a HTTP server error="listen tcp :80: bind: permission denied"`
adam commented 2025-12-29 01:30:03 +01:00
Author
Owner
Copy Link

@TimDowker commented on GitHub (Apr 20, 2023):

Looks like whatever user Go is running as doesn't have the appropriate permissions to bind to port 80 (priviledged port) even though the systemd service file contains "AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN"

@TimDowker commented on GitHub (Apr 20, 2023): Looks like whatever user Go is running as doesn't have the appropriate permissions to bind to port 80 (priviledged port) even though the systemd service file contains "AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN"
adam commented 2025-12-29 01:30:04 +01:00
Author
Owner
Copy Link

@Porco-Rosso commented on GitHub (Apr 20, 2023):

For anyone also having the same issue, the headscale.sock file location was moved, hence the errors, if you don't edit your config.yaml, when transitioning to the .deb releases.
a5afe4bd06/config-example.yaml (L259)

@Porco-Rosso commented on GitHub (Apr 20, 2023): For anyone also having the same issue, the headscale.sock file location was moved, hence the errors, if you don't edit your config.yaml, when transitioning to the .deb releases. https://github.com/juanfont/headscale/blob/a5afe4bd06223f71a44ea7d42e9fb2ba3d178154/config-example.yaml#L259
adam commented 2025-12-29 01:30:04 +01:00
Author
Owner
Copy Link

@Porco-Rosso commented on GitHub (Apr 20, 2023):

/var/run/headscale/ keeps getting deleted, and installing the .deb doesn't fix it
:/

@Porco-Rosso commented on GitHub (Apr 20, 2023): `/var/run/headscale/` keeps getting deleted, and installing the .deb doesn't fix it :/
adam commented 2025-12-29 01:30:04 +01:00
Author
Owner
Copy Link

@px4860 commented on GitHub (Apr 25, 2023):

/var/run/headscale/ keeps getting deleted, and installing the .deb doesn't fix it :/

so,is there any solution now?

@px4860 commented on GitHub (Apr 25, 2023): > `/var/run/headscale/` keeps getting deleted, and installing the .deb doesn't fix it :/ so,is there any solution now?
adam commented 2025-12-29 01:30:04 +01:00
Author
Owner
Copy Link

@px4860 commented on GitHub (May 5, 2023):

For anyone also having the same issue, the headscale.sock file location was moved, hence the errors, if you don't edit your config.yaml, when transitioning to the .deb releases.

a5afe4bd06/config-example.yaml (L259)

i found the requirements of headscale needs Ubuntu 20.04 or newer, Debian 11 or newer.i use centos7 and get same issue.

@px4860 commented on GitHub (May 5, 2023): > For anyone also having the same issue, the headscale.sock file location was moved, hence the errors, if you don't edit your config.yaml, when transitioning to the .deb releases. > > https://github.com/juanfont/headscale/blob/a5afe4bd06223f71a44ea7d42e9fb2ba3d178154/config-example.yaml#L259 i found the requirements of headscale needs Ubuntu 20.04 or newer, Debian 11 or newer.i use centos7 and get same issue.
adam commented 2025-12-29 01:30:05 +01:00
Author
Owner
Copy Link

@luizvaz commented on GitHub (May 17, 2023):

I had the same problem.
And the cause was letsencrypt setting

# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See [docs/tls.md](docs/tls.md) for more information
tls_letsencrypt_challenge_type: HTTP-01
#tls_letsencrypt_challenge_type: TLS-ALPN-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"

I am using acme.sh to deal with certificates.
After clearing the hostname the error stopped.

# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""

Probably do you have anything already bonded to the port :80

@luizvaz commented on GitHub (May 17, 2023): I had the same problem. And the cause was letsencrypt setting ``` # Type of ACME challenge to use, currently supported types: # HTTP-01 or TLS-ALPN-01 # See [docs/tls.md](docs/tls.md) for more information tls_letsencrypt_challenge_type: HTTP-01 #tls_letsencrypt_challenge_type: TLS-ALPN-01 # When HTTP-01 challenge is chosen, letsencrypt must set up a # verification endpoint, and it will be listening on: # :http = port 80 tls_letsencrypt_listen: ":http" ``` I am using `acme.sh` to deal with certificates. After clearing the hostname the error stopped. ``` # Domain name to request a TLS certificate for: tls_letsencrypt_hostname: "" ``` Probably do you have anything already bonded to the port :80
adam commented 2025-12-29 01:30:05 +01:00
Author
Owner
Copy Link

@Porco-Rosso commented on GitHub (Jun 30, 2023):

I was running headscale in a debian 11 LXC container under proxmox. Enabling Nesting seems to have made it work.
Will report back if that wasn't the case.

@Porco-Rosso commented on GitHub (Jun 30, 2023): I was running headscale in a debian 11 LXC container under proxmox. Enabling Nesting seems to have made it work. Will report back if that wasn't the case.
adam commented 2025-12-29 01:30:06 +01:00
Author
Owner
Copy Link

@gbraad commented on GitHub (Jul 3, 2023):

It is caused by the following lines:

tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"

This indicates to listen on port :80 for the challenge to assign a certificate. The description says the following:

# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80

Which states that with HTTP-01 it will listen on ":80"

Binding to a port <1024 needs root privileges or otherwise granted. If you can set up a proxy for this, you might have listen happen on :8081 and have a forward from an external :80 to this. But that is beyond the scope here. The Permission denied happened because of not having the permissions, which are needed by the Let's Encrypt challenge/response process.

@gbraad commented on GitHub (Jul 3, 2023): It is caused by the following lines: ``` tls_letsencrypt_challenge_type: HTTP-01 tls_letsencrypt_listen: ":http" ``` This indicates to listen on port :80 for the challenge to assign a certificate. The description says the following: ``` # When HTTP-01 challenge is chosen, letsencrypt must set up a # verification endpoint, and it will be listening on: # :http = port 80 ``` Which states that with `HTTP-01` it will listen on `":80"` Binding to a port <1024 needs root privileges or otherwise granted. If you can set up a proxy for this, you might have listen happen on `:8081` and have a forward from an external `:80` to this. But that is beyond the scope here. The Permission denied happened because of not having the permissions, which are needed by the Let's Encrypt challenge/response process.
adam commented 2025-12-29 01:30:06 +01:00
Author
Owner
Copy Link

@Porco-Rosso commented on GitHub (Jul 3, 2023):

That makes sense to me, however I tried disabling nesting, and changing the port listen to both: :8081 and 0.0.0.0:8081, and neither let me start headscale properly.
I'm running a reverse proxy with it's own https certificate, so its strange to not be able to disable the feature on its own.
I imagine others will be running headscale in docker or LXC, so not sure if this falls out of the scope of the project or not.

@Porco-Rosso commented on GitHub (Jul 3, 2023): That makes sense to me, however I tried disabling nesting, and changing the port listen to both: :8081 and 0.0.0.0:8081, and neither let me start headscale properly. I'm running a reverse proxy with it's own https certificate, so its strange to not be able to disable the feature on its own. I imagine others will be running headscale in docker or LXC, so not sure if this falls out of the scope of the project or not.
adam commented 2025-12-29 01:30:06 +01:00
Author
Owner
Copy Link

@Porco-Rosso commented on GitHub (Jul 3, 2023):

For reference I've never had any issues binding to port 80 in any other containers. Is it the headscale user itself in the container that doesn't have the permissions? That wouldn't explain why port 8081 didn't work.

@Porco-Rosso commented on GitHub (Jul 3, 2023): For reference I've never had any issues binding to port 80 in any other containers. Is it the headscale user itself in the container that doesn't have the permissions? That wouldn't explain why port 8081 didn't work.
adam commented 2025-12-29 01:30:06 +01:00
Author
Owner
Copy Link

@gbraad commented on GitHub (Jul 4, 2023):

I've never had any issues binding to port 80 in any other containers

I run rootless, for example with podman. In that case, you aren't able to bind <1024.

@gbraad commented on GitHub (Jul 4, 2023): > I've never had any issues binding to port 80 in any other containers I run rootless, for example with podman. In that case, you aren't able to bind <1024.
adam commented 2025-12-29 01:30:07 +01:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Dec 20, 2023):

This issue is stale because it has been open for 90 days with no activity.

@github-actions[bot] commented on GitHub (Dec 20, 2023): This issue is stale because it has been open for 90 days with no activity.
adam commented 2025-12-29 01:30:07 +01:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Dec 27, 2023):

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions[bot] commented on GitHub (Dec 27, 2023): This issue was closed because it has been inactive for 14 days since being marked as stale.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label bug stale
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#473
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?