### Run Caddy Tailscale Docker Image Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Start the pre-built Docker container for the Tailscale-enabled Caddy server. ```sh docker run -it --rm ghcr.io/tailscale/caddy-tailscale ``` -------------------------------- ### Configure Caddyfile for Tailscale Authentication Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Examples of using tailscale_auth and reverse_proxy directives in a Caddyfile for Grafana and production dashboard setups. ```caddyfile :80 { bind tailscale/grafana tailscale_auth reverse_proxy http://localhost:3001 { header_up X-WEBAUTH-USER {http.auth.user.tailscale_login} } } ``` ```caddyfile :443 { bind tailscale/dashboard tls { get_certificate tailscale } tailscale_auth reverse_proxy localhost:8080 { header_up X-Webauth-User {http.auth.user.tailscale_login} header_up X-Tailscale-Tailnet {http.auth.user.tailscale_tailnet} } } ``` -------------------------------- ### Build Caddy from Source Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Compile the local cmd/caddy package to create a custom Caddy binary. ```go go build ./cmd/caddy ``` -------------------------------- ### Build Caddy with Tailscale Plugin Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Use xcaddy to compile the Caddy binary including the Tailscale plugin dependency. ```sh xcaddy build v2.9.1 --with github.com/tailscale/caddy-tailscale ``` -------------------------------- ### Run Caddy with Tailscale Auth Key Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Execute a Caddy instance using a specific configuration file and a Tailscale authentication key. ```sh TS_AUTHKEY= ./caddy run -c examples/ ``` -------------------------------- ### Use tailscale-proxy Subcommand Source: https://context7.com/tailscale/caddy-tailscale/llms.txt CLI commands for building Caddy with the plugin and running reverse proxies with various authentication and security flags. ```bash xcaddy build v2.9.1 --with github.com/tailscale/caddy-tailscale ``` ```bash TS_AUTHKEY=tskey-auth-xxxxx ./caddy tailscale-proxy \ --from "tailscale/myproxy:80" \ --to localhost:8000 ``` ```bash TS_AUTHKEY=tskey-auth-xxxxx ./caddy tailscale-proxy \ --from "tailscale/secure-proxy:443" \ --to localhost:3000 \ --change-host-header ``` ```bash ./caddy tailscale-proxy \ --from "myhost.local:443" \ --to localhost:8080 \ --internal-certs ``` ```bash ./caddy tailscale-proxy \ --from "tailscale/proxy:80" \ --to https://self-signed-server:443 \ --insecure ``` ```bash ./caddy tailscale-proxy \ --from "tailscale/debug-proxy:80" \ --to localhost:9000 \ --debug ``` -------------------------------- ### Set up a Reverse Proxy with tailscale-proxy Subcommand Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Utilize the `tailscale-proxy` subcommand to establish a reverse proxy that can optionally join a Tailscale network and enforce authentication. This subcommand is separate from the tailscale proxy transport. ```sh xcaddy tailscale-proxy --from "tailscale/myhost:80" --to localhost:8000 ``` -------------------------------- ### Deploy Caddy with Tailscale in Docker Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Commands and configuration for running the Caddy Tailscale image, including state persistence and Docker Compose usage. ```bash docker pull ghcr.io/tailscale/caddy-tailscale ``` ```bash docker run -it --rm \ -e TS_AUTHKEY="tskey-auth-xxxxx" \ -v ./Caddyfile:/etc/caddy/Caddyfile \ ghcr.io/tailscale/caddy-tailscale ``` ```bash docker run -it --rm \ -e TS_AUTHKEY="tskey-auth-xxxxx" \ -v ./Caddyfile:/etc/caddy/Caddyfile \ -v ./config:/config \ ghcr.io/tailscale/caddy-tailscale ``` ```yaml # docker-compose.yml: # version: '3.8' # services: # caddy: # image: ghcr.io/tailscale/caddy-tailscale # environment: # - TS_AUTHKEY=${TS_AUTHKEY} # volumes: # - ./Caddyfile:/etc/caddy/Caddyfile # - caddy_config:/config # restart: unless-stopped # volumes: # caddy_config: ``` -------------------------------- ### Run Caddy Docker with Custom Configuration Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Execute the Caddy Docker container with a mounted Caddyfile and persistent configuration volume. ```sh docker run -it --rm \ -e TS_AUTHKEY="tskey-auth-XXX" \ -v ./custom.caddyfile:/etc/caddy/Caddyfile -v ./config:config \ ghcr.io/tailscale/caddy-tailscale ``` -------------------------------- ### Configure Tailscale Network Listener Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Use the bind directive in a Caddyfile to serve sites on a Tailscale network. The trailing slash is required. ```caddyfile :80 { bind tailscale/ } ``` ```caddyfile :80 { bind tailscale/myapp } ``` -------------------------------- ### Configure Tailscale Info Logging to File Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Configure Tailscale logging to output INFO level messages to a specific file. Ensure the log directory exists and Caddy has write permissions. ```caddyfile { # Or log to a specific file log tailscale { level INFO output file /var/log/caddy/tailscale.log } tailscale { ephemeral } } :80 { bind tailscale/myapp respond "Logging enabled" } ``` -------------------------------- ### Configure Tailscale Global Settings Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Set global Tailscale options like auth keys, control servers, and ephemeral mode. Named configurations can override these global settings. ```caddyfile { tailscale { auth_key {env.TS_AUTHKEY} control_url https://controlplane.tailscale.com ephemeral true state_dir /var/lib/caddy/tailscale webui true tags tag:webserver tag:production myapp { auth_key {env.MYAPP_AUTHKEY} hostname myapp-server ephemeral false state_dir /var/lib/caddy/tailscale/myapp webui false tags tag:myapp port 4145 } gitea { hostname gitea ephemeral true } } } ``` -------------------------------- ### Serve Sites on Tailscale Network Listener Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Use the `tailscale` network listener to serve sites privately on your tailnet. Bind to `tailscale/` for the default node or `tailscale/` for specific configurations. ```caddyfile :80 { bind tailscale/ respond "Hello from Tailscale!" } ``` ```caddyfile :80 { bind tailscale/myapp root * /var/www/myapp file_server } ``` ```caddyfile :80 { bind tailscale/site-a respond "This is Site A" } ``` ```caddyfile :80 { bind tailscale/site-b respond "This is Site B" } ``` ```caddyfile :80 { bind tailscale/webserver respond "HTTP on port 80" } ``` ```caddyfile :8080 { bind tailscale/webserver respond "HTTP on port 8080" } ``` ```caddyfile :80 { bind tailscale/myhost localhost respond "Available on Tailscale and localhost" } ``` -------------------------------- ### Configure Different Sites for Tailscale Nodes Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Assign different sites to specific Tailscale nodes or ports. ```caddyfile :80 { bind tailscale/myhost } :80 { bind tailscale/my-other-host } ``` ```caddyfile :80 { bind tailscale/myhost } :8080 { bind tailscale/myhost } ``` -------------------------------- ### Configure Tailscale Listener in JSON Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Specify a tailscale/ network in the listen address within the Caddy JSON configuration. ```json { "apps": { "http": { "servers": { "srv0": { "listen": ["tailscale/myhost:80"] } } } } } ``` -------------------------------- ### Configure Tailscale in Caddyfile Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Defines global and named node configuration options for Tailscale within a Caddyfile. ```caddyfile { tailscale { # Tailscale auth key used to register nodes. auth_key # Alternate control server URL. Leave empty to use the default server. control_url # If true, register ephemeral nodes that are removed after disconnect. # Default: false ephemeral true|false # Directory to store Tailscale state in. A subdirectory will be created for each node. # The default is to store state in the user's config dir (see os.UserConfDir). state_dir # If true, run the Tailscale web UI for remotely managing the node. (https://tailscale.com/kb/1325) # Default: false webui true|false # If set these tags will be included when registering the node tags tag:test # Any number of named node configs can be specified to override global options. { # Tailscale auth key used to register this node. auth_key # Alternate control server URL. control_url # If true, remove this node after disconnect. ephemeral true|false # Hostname to request when registering this node. # Default: used for this node configuration hostname # Directory to store Tailscale state in for this node. No subdirectory is created. state_dir # If true, run the Tailscale web UI for remotely managing this node. webui true|false # If set these tags will be included when registering the node # Overrides global configuration tags tags tag:test # If set this port will be used for tsnet. # When unset tsnet will pick a random available port port 4145 } } } ``` -------------------------------- ### Enable HTTPS for Tailscale Sites Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Configure automatic HTTPS using Tailscale certificates. Use the tailscale cert manager if the site address lacks a full ts.net hostname. ```caddyfile https://myhost.tail1234.ts.net { bind tailscale/myhost } ``` ```caddyfile :443 { bind tailscale/myhost tls { get_certificate tailscale } } ``` -------------------------------- ### Implement Tailscale Authentication Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Use tailscale_auth to enforce user access and map user identity fields to headers for proxied applications. ```caddyfile :80 { tailscale_auth } ``` ```caddyfile :80 { bind tailscale/gitea tailscale_auth reverse_proxy http://localhost:3000 { header_up X-Webauth-User {http.auth.user.tailscale_login} header_up X-Webauth-Email {http.auth.user.tailscale_user} header_up X-Webauth-Name {http.auth.user.tailscale_name} } } ``` -------------------------------- ### Configure Tailscale Debug Logging Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Enable debug logging for Tailscale operations by setting the log level to DEBUG. This is useful for troubleshooting. ```caddyfile { # Enable debug logging for Tailscale operations log tailscale { level DEBUG } tailscale { ephemeral } } :80 { bind tailscale/myapp respond "Logging enabled" } ``` -------------------------------- ### Enable HTTPS with Tailscale Certificates Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Caddy automatically handles TLS for Tailscale hostnames. For non-ts.net hostnames, use the `tailscale` certificate manager. ```caddyfile https://myhost.tail12345.ts.net { bind tailscale/myhost respond "Secure connection via Tailscale HTTPS" } ``` ```caddyfile :443 { bind tailscale/myhost tls { get_certificate tailscale } respond "HTTPS with Tailscale certificate" } ``` ```caddyfile :80 { bind tailscale/secure-app redir https://{host}{uri} } ``` ```caddyfile :443 { bind tailscale/secure-app tls { get_certificate tailscale } root * /var/www/secure file_server } ``` -------------------------------- ### Configure Caddy JSON for Tailscale Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Full JSON configuration structure for the tailscale app and HTTP server integration. ```json { "apps": { "tailscale": { "auth_key": "tskey-auth-xxxxx", "ephemeral": true, "state_dir": "/var/lib/caddy/tailscale", "nodes": { "myapp": { "hostname": "myapp", "auth_key": "tskey-auth-yyyyy" } } }, "http": { "servers": { "srv0": { "listen": ["tailscale/myapp:80"], "routes": [ { "handle": [ { "handler": "authentication", "providers": { "tailscale": {} } } ] }, { "handle": [ { "handler": "reverse_proxy", "upstreams": [{"dial": "localhost:3000"}], "headers": { "request": { "set": { "X-Webauth-User": ["{http.auth.user.tailscale_login}"] } } } } ] } ] } } } } } ``` -------------------------------- ### Bind Multiple Tailscale Addresses Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Specify multiple Tailscale nodes or local addresses in a single bind directive. ```caddyfile :80 { bind tailscale/myhost tailscale/my-other-host localhost } ``` -------------------------------- ### Configure Caddy Reverse Proxy with Tailscale Transport Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Use the `tailscale` transport within a `reverse_proxy` directive to route traffic through a specific Tailscale node. Ensure the node name is correctly specified. ```caddyfile :8080 { reverse_proxy http://my-other-node:10000 { transport tailscale myhost } } ``` -------------------------------- ### Configure Tailscale Proxy Transport Source: https://context7.com/tailscale/caddy-tailscale/llms.txt Directs traffic through the tailnet using the transport tailscale directive. Requires specifying a target node or using the default. ```caddyfile :8080 { reverse_proxy http://internal-server { transport tailscale myproxy } } ``` ```caddyfile { tailscale { ephemeral } } ``` ```caddyfile :8080 { reverse_proxy http://backend-server { transport tailscale proxy-node } } ``` ```caddyfile :80 { bind tailscale/backend-server respond "Hello from the private backend!" } ``` ```caddyfile :9000 { reverse_proxy http://another-tailscale-host:3000 { transport tailscale } } ``` -------------------------------- ### Customize Tailscale Logging Source: https://github.com/tailscale/caddy-tailscale/blob/main/README.md Adjusts the logging level for the Tailscale logger using the Caddyfile log option. ```caddyfile { log tailscale { level DEBUG } } ``` -------------------------------- ### Authenticate Tailscale Users Source: https://context7.com/tailscale/caddy-tailscale/llms.txt The `tailscale_auth` directive authenticates requests and populates user metadata. It can be used for displaying user info or passing headers to proxied services. ```caddyfile :80 { bind tailscale/myapp tailscale_auth templates respond `Hello, {http.auth.user.tailscale_name}! Login: {http.auth.user.tailscale_login} Email: {http.auth.user.tailscale_user} Tailnet: {http.auth.user.tailscale_tailnet} Profile Picture: {http.auth.user.tailscale_profile_picture}` } ``` ```caddyfile :80 { bind tailscale/gitea tailscale_auth reverse_proxy http://localhost:3000 { header_up X-Webauth-User {http.auth.user.tailscale_login} header_up X-Webauth-Email {http.auth.user.tailscale_user} header_up X-Webauth-Name {http.auth.user.tailscale_name} } } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.