nginx configuration
Juan Font edited this page 2021-07-30 18:45:54 +02:00

The original Tailscale protocol relies on HTTP long-polling¹ to communicate with the control server. In short, the client opens an HTTP/1.1 connection to the server and keeps it open in order to receive keep-alives and updates for the tailnet/namespace.

nginx must be configured for this if you want to use it as a reverse proxy in front of Headscale. Otherwise it will keep closing the clients' connections or, even worse, fail to close them when it must.

Please find below a reference configuration for a standard proxy_pass setup:

server {
    server_name foobar.example.com;

    # timeouts between successive reads of the client's headers and body
    client_body_timeout 5m;
    client_header_timeout 5m;

    access_log /var/log/nginx/foobar.example.com.access.log;
    error_log  /var/log/nginx/foobar.example.com.error.log info;

    # reverse proxy
    location / {
        proxy_pass http://127.0.0.1:8080;  # headscale listen_addr
        proxy_read_timeout 6m;             # must outlast the gap between Headscale keep-alives (nginx default is 60s)
        proxy_ignore_client_abort off;     # close the upstream connection as soon as the client goes away
        proxy_request_buffering off;       # stream request bodies to Headscale instead of spooling them first
        proxy_buffering off;               # forward long-poll updates to the client as they arrive
        proxy_no_cache "always";           # never store a response in the proxy cache
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 443 ssl; # managed by Certbot
    # extra stuff...
}
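To verify that a candidate nginx configuration keeps the long-polling directives described above, here is an added shell check (not part of Headscale or this wiki). The two sample configurations inside it are constructed, and the 300-second minimum for proxy_read_timeout is an assumption chosen to match the page's 5-minute client timeouts.

```shell
# Added check (not the Headscale project's code): confirm that an nginx
# config keeps HTTP long-polling connections alive as the page describes.
# Constructed sample: the reference location block from this page, trimmed.
GOOD_CONF='server {
    location / {
         proxy_pass http://127.0.0.1:8080;  # headscale listen_addr
         proxy_read_timeout 6m;
         proxy_request_buffering off;
         proxy_buffering off;
    }
}'

# Constructed weak variant: buffering on, proxy_read_timeout left at default.
BAD_CONF='server {
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering on;
    }
}'

# to_seconds VALUE: convert an nginx time value (90, 90s, 6m, 1h) to seconds.
to_seconds() {
  case "$1" in
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# directive NAME CONF: print the first value of directive NAME in CONF.
directive() {
  printf '%s\n' "$2" | awk -v d="$1" '$1 == d { sub(/;.*/, "", $2); print $2; exit }'
}

# check_longpoll CONF [MIN_SECS]: return 0 if CONF is long-poll safe, else 1.
# MIN_SECS (assumed 300) is the least acceptable proxy_read_timeout; the nginx
# default of 60s would cut an idle long-poll between keep-alives.
check_longpoll() {
  conf=$1; min=${2:-300}; rc=0
  for d in proxy_buffering proxy_request_buffering; do
    v=$(directive "$d" "$conf")
    [ "$v" = "off" ] || { echo "FAIL: $d is '${v:-unset}' (default on)"; rc=1; }
  done
  t=$(to_seconds "$(directive proxy_read_timeout "$conf")")
  [ "${t:-60}" -ge "$min" ] || { echo "FAIL: proxy_read_timeout ${t:-60}s < ${min}s"; rc=1; }
  return $rc
}
```

Run it as `check_longpoll "$(cat /etc/nginx/sites-enabled/headscale)"` against your own file; a non-zero exit lists each directive that would break long-polling.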

¹: https://en.wikipedia.org/wiki/Push_technology#Long_polling