https://tailscale.com/blog/caddy/

Use Caddy to manage Tailscale HTTPS certificates

Brad Fitzpatrick on March 15, 2022

When you connect to a web application on your tailnet over plain HTTP, you might get a security warning in your browser. Although your tailnet's connections use WireGuard, which provides end-to-end encryption at the network layer, your browser isn't aware of that encryption--so it looks for a valid TLS certificate for that domain. For internal web apps, this can be confusing to your users, so Tailscale already allows you to provision HTTPS certificates from Let's Encrypt for your internal web applications, with tailscale cert. If you're running a public web server, though, it will need to get the certificate from Tailscale to serve your sites over HTTPS on your tailnet.

Caddy is an open source web server--and unlike most web servers, it provisions and manages HTTPS certificates for you. (We love it because it uses HTTPS by default!) Caddy also manages renewing these certificates automatically.

With the beta release of Caddy 2.5, Caddy automatically recognizes and uses certificates for your Tailscale network (*.ts.net), and can use Tailscale's HTTPS certificate provisioning when spinning up a new service.

To use Caddy with your Tailscale network, first make sure you have HTTPS certificates enabled on your tailnet. Then you will either need to run Caddy as root, or configure the Caddy user to have access to Tailscale's socket.

There's nothing else you need to do: Caddy will automatically get its certificates for *.ts.net domains from Tailscale without any special configuration. See the documentation to learn more.

To demonstrate, here's a minimal Caddyfile example:

    machine-name.domain-alias.ts.net

    root * /var/www
    file_server

Get started with Caddy to run web servers on Tailscale.
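The post gives two options: run Caddy as root, or give the Caddy user access to Tailscale's socket. The shell check below is an added example, not code from the post or from the Tailscale or Caddy projects; it reports which of the two a host is set up for, so the non-root option can be verified. It assumes the Linux setup in which tailscaled reads `TS_PERMIT_CERT_UID` from an env file such as `/etc/default/tailscaled`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which account may fetch Tailscale certificates.
# Assumption: tailscaled reads TS_PERMIT_CERT_UID from an env file
# (for example /etc/default/tailscaled on Linux packages).

# permitted_cert_user FILE
# Prints the value of the last uncommented TS_PERMIT_CERT_UID assignment,
# with surrounding quotes and trailing blanks removed; prints nothing if unset.
permitted_cert_user() {
    sed -n 's/^[[:space:]]*TS_PERMIT_CERT_UID=//p' "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# audit_cert_access FILE USER
# Prints one verdict for the account the web server runs as:
#   runs-as-root        works, but the server holds full privileges
#   ok                  USER is the account granted certificate access
#   other-user-granted  access is granted, but to a different account
#   no-access           no grant found; certificate requests will fail
audit_cert_access() {
    granted=$(permitted_cert_user "$1")
    if [ "$2" = "root" ] || [ "$2" = "0" ]; then
        echo "runs-as-root"
    elif [ -n "$granted" ] && [ "$granted" = "$2" ]; then
        echo "ok"
    elif [ -n "$granted" ]; then
        echo "other-user-granted"
    else
        echo "no-access"
    fi
}

# Demo on a constructed env file (not taken from a real host).
sample=$(mktemp)
printf '%s\n' 'PORT="41641"' \
              '#TS_PERMIT_CERT_UID=root' \
              'TS_PERMIT_CERT_UID="caddy"' > "$sample"
for user in caddy www-data root; do
    printf '%-9s %s\n' "$user" "$(audit_cert_access "$sample" "$user")"
done
rm -f "$sample"
```

On a real host, pass the actual env file path and the account the Caddy service runs as.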