tls issues: understanding integration with traefik proxy #184

@stefangweichinger

Description

Forgive me asking a question regarding traefik, from the docs I see that this isn't used by the maintainer and therefore only supported by other users somehow.

I read and followed this example:

https://github.com/gurucomputing/headscale-ui/blob/master/documentation/configuration.md#traefik-configuration

but so far I don't get the stack fully working.

What I don't understand yet: headscale-ui brings its own rev-proxy caddy, right? The traefik-labels in the mentioned compose file don't enable TLS within traefik, so traefik seems only to provide http to the external world (?).

If I run it this way I don't get valid TLS for the 2 services.

Do I have to add something like the following?

- traefik.http.routers.headscale-rtr.tls=true
- traefik.http.routers.headscale-rtr.tls.certresolver=http_resolver
- traefik.http.routers.headscale-rtr.entrypoints=websecure

# ui

- traefik.http.routers.headscale-ui-rtr.tls=true
- traefik.http.routers.headscale-ui-rtr.tls.certresolver=http_resolver
- traefik.http.routers.headscale-ui-rtr.entrypoints=websecure

this pulls a TLS-cert and I was able to access the headscale-UI. But if I entered https://headscale.my.tld into the settings, I got "client sent an HTTP request to an HTTPS server" in the logs of the headscale-container.

Here is my current compose config:

name: headscale
services:
  headscale:
    command:
      - serve
    container_name: headscale
    image: headscale/headscale:0.23
    labels:
      traefik.enable: "true"
      traefik.http.routers.headscale-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/`)
      traefik.http.services.headscale-svc.loadbalancer.server.port: "8080"
    networks:
      proxy: null
    restart: unless-stopped
    volumes:
      - type: bind
        source: /opt/dockerfiles/headscale/config
        target: /etc/headscale
        bind:
          create_host_path: true
      - type: bind
        source: /opt/dockerfiles/headscale/data
        target: /var/lib/headscale
        bind:
          create_host_path: true
  headscale-ui:
    container_name: headscale-ui
    image: ghcr.io/gurucomputing/headscale-ui:latest
    labels:
      traefik.enable: "true"
      traefik.http.routers.headscale-ui-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/web`)
      traefik.http.services.headscale-ui-svc.loadbalancer.server.port: "8080"
    networks:
      proxy: null
    restart: unless-stopped
networks:
  proxy:
    name: proxy
    external: true

The container for the ui gives me some warnings:

headscale-ui  | Starting Caddy
headscale-ui  | {"level":"info","ts":1735298138.2229273,"msg":"using provided configuration","config_file":"/data/Caddyfile","config_adapter":"caddyfile"}
headscale-ui  | {"level":"info","ts":1735298138.2524948,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
headscale-ui  | {"level":"warn","ts":1735298138.254572,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":8080}
headscale-ui  | {"level":"info","ts":1735298138.254701,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":8443}
headscale-ui  | {"level":"warn","ts":1735298138.2547393,"logger":"http.auto_https","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
headscale-ui  | {"level":"info","ts":1735298138.256623,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00045a180"}
headscale-ui  | {"level":"warn","ts":1735298138.2568386,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
headscale-ui  | {"level":"info","ts":1735298138.2571683,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
headscale-ui  | {"level":"info","ts":1735298138.2572722,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
headscale-ui  | {"level":"info","ts":1735298138.2581189,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
headscale-ui  | {"level":"info","ts":1735298138.2583807,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
headscale-ui  | {"level":"info","ts":1735298138.2584145,"logger":"pki.ca.local","msg":"root certificate trust store installation disabled; unconfigured clients may show warnings","path":"storage:pki/authorities/local/root.crt"}
headscale-ui  | {"level":"info","ts":1735298138.2615268,"msg":"autosaved config (load with --resume flag)","file":"/home/appuser/.config/caddy/autosave.json"}
headscale-ui  | {"level":"info","ts":1735298138.2616618,"msg":"serving initial configuration"}
headscale-ui  | {"level":"warn","ts":1735298138.2848473,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/home/appuser/.local/share/caddy","instance":"b356a1f1-d293-456b-a93e-5a745734c4d0","try_again":1735384538.284842,"try_again_in":86399.999998888}
headscale-ui  | {"level":"info","ts":1735298138.285147,"logger":"tls","msg":"finished cleaning storage units"}
headscale     | 2024-12-27T11:15:38Z WRN An updated version of Headscale has been found (0.24.0-beta.2 vs. your current v0.23.0). Check it out https://github.com/juanfont/headscale/releases
headscale     | 
headscale     | 2024-12-27T11:15:38Z WRN 
headscale     | WARN: The "dns.use_username_in_magic_dns" configuration key is deprecated and has been removed. Please see the changelog for more details.
headscale     | 
headscale     | 2024-12-27T11:15:38Z INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
headscale     | 2024-12-27T11:15:38Z WRN Listening without TLS but ServerURL does not start with http://
headscale     | 2024-12-27T11:15:38Z INF listening and serving HTTP on: 127.0.0.1:8080
headscale     | 2024-12-27T11:15:38Z INF listening and serving debug and metrics on: 127.0.0.1:9090
headscale     | 2024-12-27T11:15:38Z INF Setting up a DERPMap update worker frequency=86400000

As far as I understand and read there is no specific config file for the ui-container, right?

thanks for any pointers here!
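The question above boils down to two configuration checks: whether each Traefik router actually has TLS switched on (`tls`, `tls.certresolver`, a TLS entrypoint), and whether the backend is reachable from the proxy at all. The posted headscale log shows it bound to 127.0.0.1:8080; a loopback bind inside a container is not reachable from Traefik on the shared Docker network. The script below is an added example written for this page, not code from the issue or from the headscale-ui project. It audits labels in compose "list" form and treats `websecure` as the TLS entrypoint name, which is an assumption carried over from the labels proposed above (Traefik entrypoint names are user-defined); the sample labels and listen address are constructed from the compose file and log lines in the issue.

```python
"""Audit Traefik router labels and a backend listen address for TLS and
reachability gaps. Added example; not part of the issue or the headscale-ui
project. The TLS entrypoint name "websecure" is an assumption taken from the
labels proposed in the issue."""
import ipaddress
import re
from typing import Dict, List, Set

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def parse_router_labels(labels: List[str]) -> Dict[str, Dict[str, str]]:
    """Group 'traefik.http.routers.<name>.<option>=<value>' labels by router name."""
    routers: Dict[str, Dict[str, str]] = {}
    for label in labels:
        key, _, value = label.partition("=")  # values may themselves contain '='
        match = ROUTER_RE.match(key.strip())
        if match:
            routers.setdefault(match.group(1), {})[match.group(2)] = value.strip()
    return routers


def audit_router(name: str, opts: Dict[str, str], tls_entrypoints: Set[str]) -> List[str]:
    """Return findings for one router; an empty list means TLS is fully configured."""
    findings: List[str] = []
    if opts.get("tls", "false").lower() != "true":
        findings.append(f"{name}: traefik.http.routers.{name}.tls is not 'true', router serves plain HTTP")
    if "tls.certresolver" not in opts:
        findings.append(f"{name}: no tls.certresolver, Traefik falls back to its default self-signed certificate")
    entrypoints = {e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()}
    if not entrypoints:
        findings.append(f"{name}: no entrypoints set, router attaches to every entrypoint including plain HTTP")
    elif entrypoints - tls_entrypoints:
        findings.append(f"{name}: attached to non-TLS entrypoints {sorted(entrypoints - tls_entrypoints)}")
    return findings


def audit_stack(services: Dict[str, List[str]],
                tls_entrypoints: Set[str] = frozenset({"websecure"})) -> Dict[str, List[str]]:
    """Audit every service's routers and its traefik.enable label."""
    report: Dict[str, List[str]] = {}
    for service, labels in services.items():
        findings: List[str] = []
        if "traefik.enable=true" not in [lbl.replace(" ", "") for lbl in labels]:
            findings.append(f"{service}: traefik.enable=true missing, Traefik ignores this container")
        for router, opts in parse_router_labels(labels).items():
            findings.extend(audit_router(router, opts, set(tls_entrypoints)))
        report[service] = findings
    return report


def _is_loopback(host: str) -> bool:
    host = host.strip("[]")  # IPv6 literals arrive bracketed, e.g. "[::1]"
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # empty host (all interfaces) or a hostname we cannot resolve offline
        return False


def audit_listen_addr(listen_addr: str, published_port: str) -> List[str]:
    """Check that the backend bind address is reachable from the proxy network on the labelled port."""
    host, _, port = listen_addr.rpartition(":")
    findings: List[str] = []
    if _is_loopback(host):
        findings.append(f"listen_addr {listen_addr} binds loopback inside the container; "
                        f"Traefik on the Docker network cannot reach it (bind 0.0.0.0:{port} instead)")
    if port != published_port:
        findings.append(f"listen_addr port {port} differs from loadbalancer.server.port {published_port}")
    return findings


# Constructed from the compose file posted in the issue: headscale as posted (no TLS labels),
# headscale-ui with the TLS labels the author proposed adding.
SAMPLE_SERVICES = {
    "headscale": [
        "traefik.enable=true",
        "traefik.http.routers.headscale-rtr.rule=Host(`headscale.my.tld`) && PathPrefix(`/`)",
        "traefik.http.services.headscale-svc.loadbalancer.server.port=8080",
    ],
    "headscale-ui": [
        "traefik.enable=true",
        "traefik.http.routers.headscale-ui-rtr.rule=Host(`headscale.my.tld`) && PathPrefix(`/web`)",
        "traefik.http.routers.headscale-ui-rtr.tls=true",
        "traefik.http.routers.headscale-ui-rtr.tls.certresolver=http_resolver",
        "traefik.http.routers.headscale-ui-rtr.entrypoints=websecure",
        "traefik.http.services.headscale-ui-svc.loadbalancer.server.port=8080",
    ],
}
SAMPLE_LISTEN_ADDR = "127.0.0.1:8080"  # bind address from the headscale log line in the issue

if __name__ == "__main__":
    for service, findings in audit_stack(SAMPLE_SERVICES).items():
        print(f"[{service}]", *(findings or ["ok"]), sep="\n  ")
    for finding in audit_listen_addr(SAMPLE_LISTEN_ADDR, "8080"):
        print("[headscale listen_addr]\n  " + finding)
```

Run against the constructed sample, the headscale router is reported three times (no `tls`, no `tls.certresolver`, no entrypoint restriction) while the headscale-ui router with the proposed labels is clean, and the loopback bind is flagged separately from the label audit because it breaks reachability regardless of how TLS is terminated.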
