HTTPS: is there a built-in reverse proxy to map HTTPS to HTTP?


I am building a setup where we share a web server with HTTP interface in our team via tailscale. The server is only accessible on the tailscale network, but of course I want to ensure that team members can access the server via HTTPS using the MagicDNS feature tailscale provides.

For this purpose I have created a docker compose file that creates two containers, one with the aplication server, and one with the tailscale client running in ‘userspace’ mode.

For HTTPS access I have enabled the feature in the settings panel, and after generating the certificates and adding those to the application server I can access the web interface over HTTPS as expected.

However, in order to get this to work I had to configure the web server to run an actual HTTPS server on port 443, and I had to share the certificate files between the tailscale container and the web application.

The reason I am creating this topic: in the documentation on enabling HTTPS it is stated:

If you obtain a TLS certificate for a node using MagicDNS, it will be 
accessible at both, using 
HTTPS, and also at http://machine-name, without HTTPS but using 
MagicDNS as a DNS nameserver.

This would mean that tailscale itself would reverse proxy the HTTPS requests to the HTTP port of the webserver and handle the certificates. This would be great if it would work this way, because then the tailscale daemon can take care of renewing the certificates without need to interact with other applications. The application in this case only needs to provide a plain HTTP interface.

Am I missing something to allow my setup to work like it is stated in the documentation, or is the documentation talking about future features of tailscale?

Side note: I tried the same on a computer without the docker involved using a simple web server and a system-installed tailscale client and the behaviour is identical: there is no link between an HTTP server running on a host and HTTPS access via magic DNS and the fully qualified domain name.

Thanks for any insights,

1 Like


just as an update, the people from support tell me:

You can use Caddy as the reverse proxy. It has built-in support for Tailscale SSL certificiates. We have some more information about that here: Use Caddy to manage Tailscale HTTPS certificates · Tailscale

Best regards,


See this part of my doc for setting up VSCode Web and Tailscale:

Hello @kayvan,

thanks for the link. I have setup a docker container based on the official Tailscale image with Caddy integrated to implement the automatic certificate fetching.

I wrote down the details on github and the docker image is available on docker hub.

Kind regards,

1 Like