On 2025/11/27 14:14, Yiannis Charalambous wrote:
> Hi,
>
> I'm writing to ask for advice for configuring the "headscale" port regarding the TLS part of the config.
>
> For context, the headscale port runs under user "_headscale" and comes with a mostly complete configuration. The developers on the GitHub readme specify that they discourage the use of reverse proxies like nginx and relayd as headscale is meant to run completely on its own (see https://github.com/juanfont/headscale?tab=readme-ov-file#running-headscale).
>
> Additionally, it's designed to administer its own certs. On OpenBSD, ports lower than 1024 are only accessible by root processes, so headscale running under user _headscale has a bit of an issue. What's the recommended approach here? Would it be a good idea to make the iptables forward any incoming connection from port 80 to another port that headscale has access to (i.e. 8081)?
In general (I haven't used headscale), since software written in Go seems generally incapable of switching uid, the options are:

- run on a higher port directly unprivileged
- run on a higher port unprivileged and use PF rdr-to (may fail with some software if it sends the port number in the protocol)
- run as root or their discouraged option of running via a proxy
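As an added illustration of the "PF rdr-to" option above (example config, not from either poster), here is an /etc/pf.conf fragment that hands the privileged ports to listeners the _headscale user can bind. The interface group, the port numbers and the loopback listen addresses are assumptions; match them to the port's headscale config.

```pf
# Added example, not from either poster: /etc/pf.conf fragment for the "PF rdr-to" option.
# Assumed layout: the public interface is in the "egress" group; headscale runs as
# _headscale with listen_addr 127.0.0.1:8081 (TLS) and its ACME HTTP-01 listener on
# 127.0.0.1:8080. Binding to loopback means the high ports are only reachable through
# the redirect below, never directly from the network.

https_port = "8081"   # headscale listen_addr port (assumed)
acme_port  = "8080"   # headscale HTTP-01 challenge listener port (assumed)

set skip on lo

# Rewrite the privileged destination ports to the unprivileged loopback listeners.
# pf applies the last matching rule, so keep these after any broad "block" rules
# or add "quick" if a later rule could override them.
pass in on egress inet proto tcp to (egress) port 80  rdr-to 127.0.0.1 port $acme_port
pass in on egress inet proto tcp to (egress) port 443 rdr-to 127.0.0.1 port $https_port
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the translated states for connections that arrived on 80 and 443.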
