diff --git a/templates/Caddyfile-http.template b/templates/Caddyfile-http.template index 06d7f42..f868fce 100644 --- a/templates/Caddyfile-http.template +++ b/templates/Caddyfile-http.template @@ -7,6 +7,11 @@ } :8008 { + # Tailscale captive portal detection + handle /generate_204 { + respond 204 + } + redir /admin /admin/ handle /admin/* { diff --git a/templates/Caddyfile-https.template b/templates/Caddyfile-https.template index bec0201..06888fe 100644 --- a/templates/Caddyfile-https.template +++ b/templates/Caddyfile-https.template @@ -10,6 +10,11 @@ } ${PUBLIC_SERVER_URL}:${PUBLIC_LISTEN_PORT} { + # Tailscale captive portal detection + handle /generate_204 { + respond 204 + } + redir /admin /admin/ handle /admin/* { diff --git a/templates/headscale.template.yaml b/templates/headscale.template.yaml index cab2b3b..0b360e8 100644 --- a/templates/headscale.template.yaml +++ b/templates/headscale.template.yaml @@ -38,6 +38,15 @@ grpc_listen_addr: 127.0.0.1:50443 # are doing. grpc_allow_insecure: false +# CIDR(s) of reverse proxies (e.g. 127.0.0.1/32) whose +# True-Client-IP, X-Real-IP and X-Forwarded-For headers should +# be honoured. This template trusts loopback by default (for the bundled Caddy); +# set to [] to disable, or replace with your proxy CIDRs. Setting this +# without a proxy in front lets clients spoof their logged source IP. +trusted_proxies: + - 127.0.0.1/32 + - ::1/128 + # The Noise section includes specific configuration for the # TS2021 Noise protocol noise: