Headscale NGINX Reverse Proxy Configuration
December 6, 2025
Spent some time trying to get HAProxy to work with Headscale, to no avail, so I decided to use NGINX, which never disappoints. This is a verbatim copy of the Jinja2 template I use in Ansible; just replace the items in {{ }} with your values.
# Derive the value of the Connection header sent upstream from the client's
# Upgrade header: an empty/absent Upgrade maps to "close", any other value
# maps to "upgrade". The result is consumed as $connection_upgrade below.
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
# Reverse-proxy virtual host in front of Headscale (Jinja2 template: the
# {{ item.* }} placeholders are filled in per site by Ansible).
server {
    server_name {{ item.server_name }};

    # Plain HTTP listeners (IPv4 + IPv6).
    # NOTE(review): requests on port 80 are proxied to the backend in
    # cleartext rather than redirected, and browsers ignore the HSTS header
    # below when it arrives over plain HTTP. If nothing needs port 80,
    # consider dropping these listeners or redirecting to HTTPS — confirm
    # against your Headscale client setup first.
    listen 80;
    listen [::]:80;

    # TLS listeners (IPv4 + IPv6).
    listen 443 ssl;
    listen [::]:443 ssl;

    # Standalone "http2" directive; needs nginx 1.25.1 or newer.
    http2 on;

    # Certificate chain and private key. The key file should be readable
    # only by the account nginx starts as.
    ssl_certificate /etc/nginx/ssl/{{ item.certificate }}/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/{{ item.certificate }}/key.pem;

    # Only TLS 1.2 and 1.3 are offered; older protocol versions are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass {{ item.proxy_pass }};

        # HTTP/1.1 plus the Upgrade/Connection pair lets protocol-upgrade
        # requests pass through; $connection_upgrade comes from the map
        # block defined alongside this server.
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;

        # The backend always sees the configured server name as Host,
        # not whatever Host value the client sent.
        proxy_set_header Host $server_name;

        # Client address and scheme for the backend. X-Real-IP is set from
        # the TCP peer address. $proxy_add_x_forwarded_for appends that
        # address to any X-Forwarded-For the client supplied, so only the
        # last entry is trustworthy to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite http:// prefixes in backend Location/Refresh headers to https://.
        proxy_redirect http:// https://;

        # Pass response data to the client as it arrives instead of buffering it.
        proxy_buffering off;

        # HSTS for 180 days (15552000 s), subdomains included; "always"
        # attaches it to error responses too. includeSubDomains applies to
        # every host under this name, so all of them must serve HTTPS.
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}