[Feature] <title>Cloudflare Tunnel support #923

New Issue

adam · 2025-12-29T02:26:08+01:00

adam commented

2025-12-29 02:26:08 +01:00

Originally created by @IronBeardKnight on GitHub (Jan 26, 2025).

Use case

Tunneling headscale through cloudflare to save opening ports.

Description

So after getting it all up and running in docker and then being reverse proxied through traefik and cloudflare tunnel to the point where I can access the domain.com/windows and it shows a page I was pleased, however the fun stops there as the tailscale client uses post instead of get to form a WebSocket connection of which it does not look like headscale supports this.

It is entirely possible that either cloudflare or traefik is stripping a header but I cannot imagine which one or what the issue is considering I have traefik upgrading to websocket already.

Given this error directly from headscale makes me think that its more a headscale issue:

"Could not accept WebSocket connection failed to accept WebSocket connection: WebSocket protocol violation: handshake request method is not GET but "POST""

I know get is the standard for websocket connections but is it not possible to accommodate post for this some how?

I think a lot of the home hosting community steers away from this very fast due to the fact that poxy and tunnel through Cloudflare seems to be broken.

Is there any updated information on this subject as I know the documentation for headscale states cloudflare tunnel is not currently supported?

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

No response

Originally created by @IronBeardKnight on GitHub (Jan 26, 2025). ### Use case Tunneling headscale through cloudflare to save opening ports. ### Description So after getting it all up and running in docker and then being reverse proxied through traefik and cloudflare tunnel to the point where I can access the domain.com/windows and it shows a page I was pleased, however the fun stops there as the tailscale client uses post instead of get to form a WebSocket connection of which it does not look like headscale supports this. It is entirely possible that either cloudflare or traefik is stripping a header but I cannot imagine which one or what the issue is considering I have traefik upgrading to websocket already. Given this error directly from headscale makes me think that its more a headscale issue: "Could not accept WebSocket connection failed to accept WebSocket connection: WebSocket protocol violation: handshake request method is not GET but \"POST\"" I know get is the standard for websocket connections but is it not possible to accommodate post for this some how? I think a lot of the home hosting community steers away from this very fast due to the fact that poxy and tunnel through Cloudflare seems to be broken. Is there any updated information on this subject as I know the documentation for headscale states cloudflare tunnel is not currently supported? ### Contribution - [ ] I can write the design doc for this feature - [ ] I can contribute this feature ### How can it be implemented? _No response_

adam added the enhancement label 2025-12-29 02:26:08 +01:00

adam closed this issue

2025-12-29 02:26:08 +01:00

adam commented

2025-12-29 02:26:09 +01:00

@kradalby commented on GitHub (Jan 26, 2025):

Duplicate of https://github.com/juanfont/headscale/issues/1468, this is an upstream part of protocol, might be intentional. Please search the issue tracker before creating issues.

@kradalby commented on GitHub (Jan 26, 2025): Duplicate of https://github.com/juanfont/headscale/issues/1468, this is an upstream part of protocol, might be intentional. Please search the issue tracker before creating issues.

adam referenced this issue

2025-12-29 02:31:31 +01:00

[PR #923] [CLOSED] docs(README): update contributors #1741

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#923