this post was submitted on 19 Oct 2025
23 points (96.0% liked)

Selfhosted

60734 readers
209 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Headscale - Is it ok to use the default config (just editing the address/domain name)? will that be secure enough? Also which ports to I need to forward to my raspberry pi headscale server?

top 7 comments
sorted by: hot top controversial new old
[–] Jason2357@lemmy.ca 12 points 9 months ago (1 children)

In addition to a reverse proxy with mandatory TLS and some IP filtering, I have headscale running on a sub domain (subdomain dns is a wildcard). The main domain is a different, static web page, so anyone scanning IPs for headscale wont see its a headscale machines unless they can guess the subdomain. I figure that might be useful in case theres a zero day that pops up. It just looks like a regular web server to drive-by script kiddies.

[–] tack@feddit.org 7 points 9 months ago* (last edited 9 months ago) (1 children)

That will work as long as your tls certificate is a wildcard cert (of the parent domain), otherwise your subdomains can be found via their certificate records. You probably know this, but caught me out initially, so figured I'll mention it.

[–] Jason2357@lemmy.ca 3 points 9 months ago

Absolutely! I should have said both the dns and certificate are subdomain wildcards. Thanks for clarifying.

[–] mouse@midwest.social 10 points 9 months ago* (last edited 9 months ago)

Look at either putting it behind a reverse proxy or using the built in Let's Encrypt / ACME configuration.

Suggested documentation:

The config linked to in their documentation states

# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: 127.0.0.1:8080

# Address to listen to /metrics and /debug, you may want
# to keep this endpoint private to your internal network
metrics_listen_addr: 127.0.0.1:9090

Port 8080 TCP is used for the connection, 9090 TCP is for metrics and not suggested to port forward. If you use a reverse proxy, you do not need to port forward to either of those ports directly, and instead to the reverse proxy.

[–] oyzmo@lemmy.world 3 points 9 months ago* (last edited 9 months ago)

Thanks. enabled the acme service thingy in the config file. Took me some tries before I understood I had to add port 80:80 from the docker yaml in order for headscale to setup the certificate. I guess I need to keep forwarding both 8080 for Headscale and 80 for certificate renewal.

should I, or is there a reason, to setup fail2ban too?

[–] oyzmo@lemmy.world 2 points 9 months ago (1 children)

Next one is the derp server… but that may be out of reach with my knowledge 😅

[–] Spore@lemmy.ml 3 points 9 months ago

The headscale integrated one is mostly enough, you can choose to include the tailscale official ones with their URL as well.