Headscale Port Can't Run With Default TLS Config
On 2025/11/27 14:14, Yiannis Charalambous wrote:
> Hi,
>
> I'm writing to ask for advice for configuring the "headscale" port regarding the TLS part of
> the config.
>
> For context, the headscale port runs under user "_headscale" and comes with a mostly complete
> configuration. The developers on the GitHub readme specify that they discourage the use of
> reverse proxies like nginx and relayd as headscale is meant to run completely on its own
> (see https://github.com/juanfont/headscale?tab=readme-ov-file#running-headscale).
>
> Additionally, it's designed to administer its own certs. On OpenBSD, ports lower than 1024 are
> only accessible by root processes, so headscale running under user _headscale has a bit of an
> issue. What's the recommended approach here? Would it be a good idea to make the iptables
> forward any incoming connection from port 80 to another port that headscale has access to
> (i.e. 8081)?

In general (I haven't used headscale), since software written in Go seems generally incapable
of switching uid, the options are

- run on a higher port directly unprivileged
- run on a higher port unprivileged and use PF rdr-to (may fail with some software if it
  sends the port number in the protocol)
- run as root

or their discouraged option of running via a proxy
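As an added illustration of the "higher port unprivileged + PF rdr-to" option from the reply above (this fragment is not part of the original thread and is not headscale's own configuration), here is an OpenBSD pf.conf snippet that redirects the privileged ports to unprivileged ones. Port 8081 for plain HTTP is taken from the question; port 8443 for the TLS listener, the loopback target 127.0.0.1 and the "egress" interface group are assumptions for the example. The daemon itself must be configured to listen on those high ports (headscale's listen_addr setting).

```pf
# Added example, not from the thread: redirect the privileged ports to the
# unprivileged listeners of a daemon that cannot drop privileges itself.
# Assumed layout: daemon listens on 127.0.0.1:8081 (HTTP, port number from the
# question) and 127.0.0.1:8443 (TLS, assumed); "egress" carries the public IP.
http_port  = "8081"
https_port = "8443"

# A pass rule with rdr-to both translates the destination and admits the
# connection, so no separate pass rule for the high ports is needed.
pass in on egress inet proto tcp to (egress) port 80 \
    rdr-to 127.0.0.1 port $http_port
pass in on egress inet proto tcp to (egress) port 443 \
    rdr-to 127.0.0.1 port $https_port
```

Validate the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The caveat in the reply still applies: redirection is invisible to the daemon, so anything it derives from its own listening port (a URL it hands to clients, for instance) will name the high port unless its configured public URL says otherwise.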