July 5, 2025

I am trying to set up HTTPS Serve functionality on several Docker containers. I have some working, particularly where the Docker configuration does not already use port 80/443 for its internal container ports. In cases where there is a port/service binding conflict, how can I best configure Tailscale to be used to serve content over HTTPS?

An example of a Docker container I'm having issues with is Heimdall. In the logs, when starting up, Tailscale is successfully installed and connected. However, it will error out before starting the NGINX service, stating that port 443 is already in use.

I have worked around this by reconfiguring the NGINX /heimdall/nginx/site-confs/default.conf file to listen on different ports, e.g. 80 changed to 1080 and 443 changed to 10443:

However, I cannot connect to the Tailscale endpoint over port 443. I must use the HTTP or HTTPS port configured in the NGINX configuration. And the certificate on HTTPS is the self-signed cert provisioned with the Docker container.

What I have tried so far:

I have attempted to change the Tailscale Serve Port from 80 (the default) to the NGINX configured port of 1080. This results in a redirect from http to https with a security warning saying the connection is not secure (but it says the certificate is valid?):

And the page itself is a malformed HTML version of the page showing just basic text and no CSS formatting.

I have attempted to change the Tailscale Serve Port from 1080 to 10443. This results in the following error: 400 Bad Request - The plain HTTP request was sent to HTTPS port

I have also attempted mucking with some of the other parameters:
Tailscale Serve Target (e.g. localhost:1080)
Tailscale Serve Protocol (e.g. https)
Tailscale Serve Protocol Port (e.g. =443)

The three above had mixed results, usually ending in a broken configuration where I had to completely remove the container and appdata folder for Heimdall.

I do have HTTPS Certificates enabled in DNS Settings in my Tailscale account. Other containers seem to mostly work fine when the Docker container port is not 80/443. An example of where it is working fine is Ombi, where it uses port 3579.

Are there any suggestions I can try to make this function over simply https and port 443, with the Let's Encrypt cert issued from Tailscale being presented by the service?

Edited July 5, 2025 by last.rogue
July 5, 2025

A lot of web server Dockers require additional and special headers...
https://www.pomerium.com/blog/heimdall-reverse-proxy
https://www.reddit.com/r/selfhosted/comments/rw14ax/setting_up_heimdall_behind_an_nginx_reverse_proxy/

The issue I have with Tailscale and the "serve" feature is it's a pain to properly configure and it's a 1 docker, 1 serve option... so the solution to use an NPM reverse proxy was: each Docker that had a web UI I wanted behind a reverse proxy needs its own NPM Docker... so I'm running 5 web servers that would require 1 NPM each for 1 Tailscale Serve feature...

First you need to make sure you are telling NPM to properly hit Heimdall and are letting nginx fix and pass the headers. nginx Heimdall per Reddit...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass $forward_scheme://$server:$port$request_uri;
    }

Once Heimdall is working through NPM then we can look at Unraid settings to set up Tailscale...

Review: https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

Is NPM a docker compose or Unraid CA docker template?

Edited July 5, 2025 by bmartino1 (Data - Typo)
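The two symptoms in the original post (the "plain HTTP request was sent to HTTPS port" error from port 10443, and the redirect-to-https from port 1080) and the forwarded-header block above come down to the same mechanism: a TLS-terminating proxy such as Tailscale Serve holds the tailnet certificate and forwards plaintext HTTP to its target, so the target must be the backend's plaintext port (or be declared as an HTTPS target), and the backend has to learn the original scheme from X-Forwarded-Proto instead of from its own socket. The Python below is an added example written for this thread, not code from the thread, from Heimdall, from Nginx Proxy Manager or from Tailscale. The sample responses are constructed to mirror the symptoms (the 1080 case is modelled as a 301 to the backend's own HTTPS port), the addresses are made up, and the `tailscale serve` command strings it produces assume the CLI syntax documented for Serve (`--https=443`, `http://` and `https+insecure://` targets) rather than the Unraid template fields.

```python
"""Classify what a container's web port speaks when sent plain HTTP, pick the
matching Tailscale Serve target, and show how the nginx forwarded headers let the
backend see the real scheme.  Added example; the responses below are constructed."""
import socket

# Constructed responses modelled on the symptoms described in the thread.
SAMPLE_RESPONSES = {
    1080: (b"HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
           b"Location: https://heimdall.example:10443/\r\nContent-Length: 0\r\n\r\n"),
    10443: (b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><h1>400 The plain HTTP request was sent to HTTPS port</h1>"
            b"</body></html>"),
    3579: b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 6\r\n\r\n<html>",
}


def parse_response(raw: bytes):
    """Split an HTTP/1.x response into (status, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify_backend(raw: bytes) -> str:
    """Judge from the reply what the port speaks when it receives plaintext HTTP."""
    status, headers, body = parse_response(raw)
    if status == 400 and b"plain HTTP request was sent to HTTPS port" in body:
        return "tls-only"            # nginx's reply when plaintext hits a TLS listener
    if status in (301, 302, 307, 308) and headers.get("location", "").startswith("https://"):
        return "redirects-to-https"  # backend does not know the proxy already did TLS
    if 200 <= status < 400:
        return "plaintext-http"
    return "unknown"


def serve_target(port: int, kind: str) -> str:
    """Serve target matching the classification (assumed CLI syntax).  Serve terminates
    TLS with the tailnet cert, so the backend's self-signed cert never reaches a browser."""
    if kind == "plaintext-http":
        return f"tailscale serve --bg --https=443 http://127.0.0.1:{port}"
    if kind == "tls-only":
        # Serve speaks TLS to the backend without verifying its self-signed cert.
        return f"tailscale serve --bg --https=443 https+insecure://127.0.0.1:{port}"
    if kind == "redirects-to-https":
        return ("fix the backend first: it must honour X-Forwarded-Proto from the proxy "
                "instead of redirecting to its own HTTPS port")
    return "inspect the port manually"


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send one minimal plaintext request to a live port and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


def proxy_set_headers(client_headers: dict, remote_addr: str, scheme: str) -> dict:
    """Mirror of the nginx location block above: proxy_set_header REPLACES each named
    header, so whatever the client sent under X-Forwarded-* is discarded."""
    out = dict(client_headers)
    out["Host"] = client_headers.get("Host", "")   # $host
    out["X-Forwarded-Scheme"] = scheme             # $scheme
    out["X-Forwarded-Proto"] = scheme
    out["X-Forwarded-For"] = remote_addr           # $remote_addr, not appended
    out["X-Real-IP"] = remote_addr
    return out


def effective_scheme(headers: dict, peer_addr: str, trusted_proxy: str,
                     socket_scheme: str = "http") -> str:
    """Scheme the backend should believe the client used.  X-Forwarded-Proto is honoured
    only when the request came from the trusted proxy; any other peer could set it."""
    if peer_addr == trusted_proxy:
        return headers.get("X-Forwarded-Proto", socket_scheme).lower()
    return socket_scheme


def needs_https_redirect(headers: dict, peer_addr: str, trusted_proxy: str) -> bool:
    """True only when the client really arrived over plaintext end to end."""
    return effective_scheme(headers, peer_addr, trusted_proxy) != "https"


if __name__ == "__main__":
    for port, raw in SAMPLE_RESPONSES.items():
        kind = classify_backend(raw)
        print(f"port {port}: {kind} -> {serve_target(port, kind)}")
    # Constructed client that tries to spoof the forwarded headers.
    spoofed = {"Host": "heimdall.example", "X-Forwarded-Proto": "http",
               "X-Forwarded-For": "10.9.9.9"}
    seen = proxy_set_headers(spoofed, remote_addr="100.64.0.5", scheme="https")
    print("backend sees:", seen, "redirect:", needs_https_redirect(seen, "100.64.0.5", "100.64.0.5"))
```

Running the script classifies the three constructed replies and prints the Serve target for each; `probe()` can be pointed at a real container port to feed `classify_backend()` live. The header half shows why the `proxy_set_header` lines use `$remote_addr` rather than appending: the backend then only ever sees the proxy's view, and `effective_scheme()` additionally refuses to honour X-Forwarded-Proto from anything but the proxy's own address, which is what stops a backend from either looping on its own HTTPS redirect or being tricked into believing a plaintext request was secure.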
July 5, 2025 (Author)

4 minutes ago, bmartino1 said:

    A lot of web server Dockers require additional and special headers...
    https://www.pomerium.com/blog/heimdall-reverse-proxy
    https://www.reddit.com/r/selfhosted/comments/rw14ax/setting_up_heimdall_behind_an_nginx_reverse_proxy/

    The issue I have with Tailscale and the serve feature is it's a pain to properly configure and it's a 1 docker, 1 serve option, so the solution to use an NPM reverse proxy was: each Docker that had a web UI I wanted behind a reverse proxy needs its own NPM Docker, so I'm running 5 NPM for 1 serve feature...

    First you need to make sure you are telling NPM to properly hit Heimdall and are letting nginx fix and pass the headers. nginx Heimdall per Reddit...

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Scheme $scheme;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass $forward_scheme://$server:$port$request_uri;
        }

    Once Heimdall is working through NPM then we can look at Unraid settings to set up Tailscale...

    Review: https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

    Is NPM a docker compose or Unraid CA docker template?

Thank you for your reply!

To clarify, I am not using NPM in this instance; NGINX is baked into the Heimdall CA docker template. I do have NPM as a CA docker template, but I am not using it in this instance.

Are you proposing I switch to using NPM with Tailscale?
July 5, 2025

Kinda. I don't know the Heimdall Docker personally. My further confusion is that this looks like Funnel, not Serve, given you went to name.yourtailscale.net. So unless Unraid is called heimdall, the server should have been machinename.tailscale-network-name.net/docker-name given to Serve. Since the Docker has both Heimdall the server and NPM, this may require a separate NPM instance.
July 5, 2025 (Author)

2 hours ago, bmartino1 said:

    Kinda. I don't know the Heimdall Docker personally. My further confusion is that this looks like Funnel, not Serve, given you went to name.yourtailscale.net. So unless Unraid is called heimdall, the server should have been machinename.tailscale-network-name.net/docker-name given to Serve. Since the Docker has both Heimdall the server and NPM, this may require a separate NPM instance.

Ah, more background may be needed for some context.

I am using a custom network and assigning an IP to the Heimdall Docker instance, as I do for Ombi, which works just fine. Heimdall is the Tailscale hostname, and Serve is selected for the serve option:

It creates a separate machine with a reserved IP and does not tie it to my Unraid host.

I have stayed away from Funnel as my understanding is that it opens it up to the public internet, which is not what I want to do in this case. And as a validation of that, I am not able to access this resource from the public internet using the hostname unless I'm connected to my tail network.

Edited July 5, 2025 by last.rogue
July 6, 2025

Thanks, this helps a little bit...

No, Tailscale Funnel does not open all ports. It allows you to expose specific local ports to the internet over HTTPS, but it restricts the allowed ports to 443, 8443, and 10000. Funnel only works over TLS-encrypted connections and has bandwidth limitations. This is why I went Funnel and tsdproxy with a sidecar method...

Sorry, I'm not going to be much help here. Too many points of failure and unknowns... I need to look into Heimdall and see what NPM and it are really doing to further assist. As usual, NPM is its own separate Docker instance when used this way...

As always, review the Docs!
https://tailscale.com/kb/1464/funnel-vs-sharing
https://docs.unraid.net/unraid-os/release-notes/7.0.0/#tailscale-integration
https://docs.unraid.net/unraid-os/manual/security/tailscale/

Tailscale Serve option: the Docker GUI options in the Unraid template set this... So, what does Tailscale Serve do...
Docs: https://tailscale.com/kb/1312/serve

You can set up a port forward without public IP port forwarding and without the VPN client to connect (this is a Tailscale Beta feature atm...)
https://tailscale.com/kb/1223/funnel
As explained in the OG post, see Review: https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

I'm not saying to use Funnel. What I'm saying is I'm missing something to explain and further assist in this matter. I think the issue lies within NPM and how it is handling Heimdall...
July 7, 2025 (Author)

On 7/6/2025 at 10:36 AM, bmartino1 said:

    Thanks, this helps a little bit...

    No, Tailscale Funnel does not open all ports. It allows you to expose specific local ports to the internet over HTTPS, but it restricts the allowed ports to 443, 8443, and 10000. Funnel only works over TLS-encrypted connections and has bandwidth limitations. This is why I went Funnel and tsdproxy with a sidecar method...

    Sorry, I'm not going to be much help here. Too many points of failure and unknowns... I need to look into Heimdall and see what NPM and it are really doing to further assist. As usual, NPM is its own separate Docker instance when used this way...

    As always, review the Docs!
    https://tailscale.com/kb/1464/funnel-vs-sharing
    https://docs.unraid.net/unraid-os/release-notes/7.0.0/#tailscale-integration
    https://docs.unraid.net/unraid-os/manual/security/tailscale/

    Tailscale Serve option: the Docker GUI options in the Unraid template set this... So, what does Tailscale Serve do...
    Docs: https://tailscale.com/kb/1312/serve

    You can set up a port forward without public IP port forwarding and without the VPN client to connect (this is a Tailscale Beta feature atm...)
    https://tailscale.com/kb/1223/funnel
    As explained in the OG post, see Review: https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

    I'm not saying to use Funnel. What I'm saying is I'm missing something to explain and further assist in this matter. I think the issue lies within NPM and how it is handling Heimdall...

Thanks, I'll do some more reading. I appreciate the links!

And to clarify, NPM is not at play here. NGINX is, but it is baked into the Heimdall container.

I will look at layering NPM onto it, but I haven't considered it because the use case I have had around it has been managing multiple subdomains, and I'm just not sure how I would set that up with Tailscale yet.

I have simply been creating a new machine by toggling the 'use tailscale' option in each container I want to connect to my tail network.

If I can use NPM's container, connect it to my tail network, use Serve to allow HTTPS access to it, and use that as a reverse proxy isolated to my tailnet, then I think I would rather do that, as I could have isolated Docker networks connected to the NPM container. Just a matter for me of figuring out how to do that.
July 7, 2025

NPM stands for Nginx Proxy Manager. nginx is just the web server front end. When I say NPM I'm not meaning the NPM nginx separate instance. Heimdall, from my findings, is using a baked-in nginx NPM instance, which is the problem.