Tailscale Docker Integration - HTTPS Serve not functioning as expected - Example: Heimdall


I am trying to set up HTTPS Serve functionality on several docker containers.

I have some working, particularly where the docker configuration does not already use port 80/443 for its internal container ports.

In cases where there is a port/service binding conflict, how can I best configure Tailscale to be used to serve content over HTTPS?

An example of a docker container I'm having issues with is Heimdall.

In the logs, when starting up, tailscale is successfully installed and connected.

However, it will error out before starting the NGINX service stating that port 443 is already in use.

I have worked around this by reconfiguring the NGINX /heimdall/nginx/site-confs/default.conf file to listen on different ports.

e.g. 80 changed to 1080 and 443 changed to 10443.

However, I cannot connect to the Tailscale endpoint over port 443.

I must use the HTTP or HTTPS port configured in the NGINX configuration.

And the certificate on HTTPS is the self-signed cert provisioned with the docker container.

What I have tried so far:

I have attempted to change the Tailscale Serve Port from 80 (the default) to the NGINX configured port of 1080.

This results in a redirect from http to https with a security warning saying the connection is not secure (but it says the certificate is valid?):


And the page itself is a malformed HTML version of the page showing just basic text and no CSS formatting.

I have attempted to change the Tailscale Serve Port from 1080 to 10443.

This results in the following error: 400 Bad Request - The plain HTTP request was sent to HTTPS port

I have also attempted mucking with some of the other parameters:

Tailscale Serve Target (e.g. localhost:1080)

Tailscale Serve Protocol (e.g. https)

Tailscale Serve Protocol Port (e.g. =443)

The three above having mixed results and usually ending in a broken configuration where I had to completely remove the container and appdata folder for heimdall.

I do have HTTPS Certificates enabled in DNS Settings in my Tailscale account.

Other containers seem to mostly work fine when the docker container port is not 80/443. An example of where it is working fine is Ombi where it uses port 3579.

Are there any suggestions I can try to make this function over simply HTTPS and port 443 with the Let's Encrypt cert issued from Tailscale being presented by the service?

Edited by last.rogue

A lot of web server dockers require additional and special headers...

https://www.pomerium.com/blog/heimdall-reverse-proxy

https://www.reddit.com/r/selfhosted/comments/rw14ax/setting_up_heimdall_behind_an_nginx_reverse_proxy/

The issue I have with Tailscale and the "serve" feature is it's a pain to properly configure and it's a 1 docker 1 serve option... so the solution to use an NPM reverse proxy was each docker that had a web UI I wanted behind a reverse proxy needs its own NPM docker.. so I'm running 5 web servers that would require 1 NPM each for 1 Tailscale serve feature...

First you need to make sure you are telling NPM to properly hit Heimdall and are letting NGINX fix and pass the header.

NGINX Heimdall per Reddit...

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass $forward_scheme://$server:$port$request_uri;
}


Once Heimdall is working through NPM then we can look at Unraid settings to set up Tailscale...

Review:
https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

Is NPM a docker compose or Unraid CA docker template?

Edited by bmartino1
Data - Typo
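
Why the forwarded headers in the snippet above matter when TLS ends at a proxy, as an added example that is not part of the original posts and is not Heimdall's, NPM's or Tailscale's code: a generic backend that builds asset URLs from the request scheme emits http:// links unless a trusted proxy passes X-Forwarded-Proto, and a browser blocks those on an HTTPS page. The hostname, paths and trusted-proxy range are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: the TLS-terminating proxy reaches the backend over loopback.
# Adjust to the proxy's real source address.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8")]


def client_scheme(peer_ip, wire_scheme, headers):
    """Scheme the browser used; X-Forwarded-Proto counts only from a trusted proxy."""
    forwarded = headers.get("X-Forwarded-Proto", "").strip().lower()
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if trusted and forwarded in ("http", "https"):
        return forwarded
    return wire_scheme  # fall back to what actually arrived on the socket


def asset_url(peer_ip, wire_scheme, headers, path):
    """Absolute URL a backend would emit for a stylesheet or script."""
    host = headers.get("Host", "localhost")
    return f"{client_scheme(peer_ip, wire_scheme, headers)}://{host}{path}"


def blocked_as_mixed_content(page_url, resource_url):
    """Browsers refuse http:// stylesheets and scripts on an https:// page."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(resource_url).scheme == "http")


# Constructed requests: hostname and path are placeholders, not values from the thread.
PAGE = "https://heimdall.example.ts.net/"
NO_HEADER = {"Host": "heimdall.example.ts.net"}
WITH_HEADER = {"Host": "heimdall.example.ts.net", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    cases = [
        ("proxy omits header", "127.0.0.1", NO_HEADER),
        ("proxy sets header", "127.0.0.1", WITH_HEADER),
        ("untrusted peer sends header", "100.64.0.9", WITH_HEADER),
    ]
    for label, peer, hdrs in cases:
        url = asset_url(peer, "http", hdrs, "/css/app.css")
        print(f"{label:28} {url} blocked={blocked_as_mixed_content(PAGE, url)}")
```
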

  • Author
4 minutes ago, bmartino1 said:

A lot of web server dockers require additional and special headers...

https://www.pomerium.com/blog/heimdall-reverse-proxy

https://www.reddit.com/r/selfhosted/comments/rw14ax/setting_up_heimdall_behind_an_nginx_reverse_proxy/

The issue I have with Tailscale and the serve feature is it's a pain to properly configure and it's a 1 docker 1 server option so the solution to use an NPM reverse proxy was each docker that had a web UI I wanted behind a reverse proxy needs its own NPM docker so I'm running 5 NPM for 1 server feature...

First you need to make sure you are telling NPM to properly hit Heimdall and are letting NGINX fix and pass the header.

NGINX Heimdall per Reddit...

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass $forward_scheme://$server:$port$request_uri;
}


Once Heimdall is working through NPM then we can look at Unraid settings to set up Tailscale...

Review:
https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

Is NPM a docker compose or Unraid CA docker template?

Thank you for your reply!

To clarify, I am not using NPM in this instance, NGINX is baked into the heimdall CA docker template.

I do have NPM as a CA docker template. But I am not using it in this instance.

Are you proposing I switch to using NPM with tailscale?

Kinda. I don't know the Heimdall Docker personally.

My further confusion is that this looks like funnel not server

given you went to

name .yourtailscale. net

So unless Unraid is called Heimdall the server should have been

machinename. tailscale network name. net / docker name given to server

Since the docker has both Heimdall the server and NPM this may require a separate NPM instance.

  • Author
2 hours ago, bmartino1 said:

Kinda. I don't know the Heimdall Docker personally.

My further confusion is that this looks like funnel not server

given you went to

name .yourtailscale. net

So unless Unraid is called Heimdall the server should have been

machinename. tailscale network name. net / docker name given to server

Since the docker has both Heimdall the server and NPM this may require a separate NPM instance.

Ah more background may be needed for some context.

I am using a custom network and assigning an IP to the heimdall docker instance. As I do for Ombi which works just fine.

Heimdall is the tailscale hostname, and Serve is selected for the serve option.

It creates a separate machine with a reserved IP and does not tie it to my unraid host.

I have stayed away from funnel as my understanding is that opens it up to the public internet. Which is not what I want to do in this case.

And as a validation of that, I am not able to access this resource from the public internet using the hostname unless I'm connected to my tail network.

Edited by last.rogue

Thanks, this helps a little bit...

No, Tailscale Funnel does not open all ports. It allows you to expose specific local ports to the internet over HTTPS, but it restricts the allowed ports to 443, 8443, and 10000. Funnel only works over TLS-encrypted connections and has bandwidth limitations.

This is why I went Funnel and tsdproxy with a sidecar method...

Sorry, I'm not going to be much help here. Too many points of failure and unknowns... I need to look into Heimdall and see what NPM and it is really doing to further assist.

As usual, NPM is its own separate docker instance when used this way...

As always review the DOCs!

https://tailscale.com/kb/1464/funnel-vs-sharing

https://docs.unraid.net/unraid-os/release-notes/7.0.0/#tailscale-integration

https://docs.unraid.net/unraid-os/manual/security/tailscale/

TailScale Serve option

The Docker GUI options in the Unraid template set this... So, what does Tailscale Serve do...

DOCs: https://tailscale.com/kb/1312/serve

You can set up a port forward without a public IP port forwarding and without the VPN client to connect (this is a Tailscale beta feature! atm...)
https://tailscale.com/kb/1223/funnel

As explained in OG post, see Review:
https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

I'm not saying to use Funnel. What I'm saying is I'm missing something to explain and further assist in this manner.

I think the issue lies within NPM and how it is handling Heimdall...

  • Author
On 7/6/2025 at 10:36 AM, bmartino1 said:

Thanks, this helps a little bit...

No, Tailscale Funnel does not open all ports. It allows you to expose specific local ports to the internet over HTTPS, but it restricts the allowed ports to 443, 8443, and 10000. Funnel only works over TLS-encrypted connections and has bandwidth limitations.

This is why I went Funnel and tsdproxy with a sidecar method...

Sorry, I'm not going to be much help here. Too many points of failure and unknowns... I need to look into Heimdall and see what NPM and it is really doing to further assist.

As usual, NPM is its own separate docker instance when used this way...

As always review the DOCs!

https://tailscale.com/kb/1464/funnel-vs-sharing

https://docs.unraid.net/unraid-os/release-notes/7.0.0/#tailscale-integration

https://docs.unraid.net/unraid-os/manual/security/tailscale/

TailScale Serve option

The Docker GUI options in the Unraid template set this... So, what does Tailscale Serve do...

DOCs: https://tailscale.com/kb/1312/serve

You can set up a port forward without a public IP port forwarding and without the VPN client to connect (this is a Tailscale beta feature! atm...)
https://tailscale.com/kb/1223/funnel

As explained in OG post, see Review:
https://forums.unraid.net/topic/184659-some-fun-with-tailscale-examples/

I'm not saying to use Funnel. What I'm saying is I'm missing something to explain and further assist in this manner.

I think the issue lies within NPM and how it is handling Heimdall...

Thanks, I'll do some more reading. I appreciate the links!

And to clarify, NPM is not at play here. NGINX is, but it is baked into the Heimdall container.

I will look at layering NPM onto it, but I haven't considered it because the use case I have had around it has been managing multiple subdomains, and I'm just not sure how I would set that up with Tailscale yet.

I have simply been creating a new machine by toggling the 'use tailscale' option in each container I want to connect to my Tail Network.

If I can use NPM's container, connect it to my Tail Network, use Serve to allow HTTPS access to it, and use that as a reverse proxy isolated to my Tailnet then I think I would rather do that as I could have isolated docker networks connected to the NPM container. Just a matter for me of figuring out how to do that.

NPM stands for Nginx Proxy Manager.

NGINX is just the web server front end.

When I say NPM I'm not meaning the NPM NGINX separate instance.

Heimdall, from my findings, is using a baked-in NGINX NPM instance, which is the problem.
