Docker Labels Reference
Quick reference for every Docker label TSDProxy supports. For detailed explanations, see the Docker provider page.
Required Labels
| Label | Value | Description |
|---|---|---|
tsdproxy.enable | "true" | Enable proxying for this container |
This is the only label you need. TSDProxy will use the container name as the Tailscale hostname and auto-detect the first exposed port.
Container Labels
| Label | Default | Description |
|---|---|---|
tsdproxy.name | container name | Tailscale hostname |
tsdproxy.proxyprovider | default provider | Proxy provider to use |
tsdproxy.autodetect | "true" | Auto-detect the target URL |
tsdproxy.containeraccesslog | "true" | Enable access logging |
tsdproxy.ephemeral | "false" | Create an ephemeral Tailscale node |
tsdproxy.runwebclient | "false" | Enable Tailscale web client on port 5252 |
tsdproxy.tsnet_verbose | "false" | Enable verbose Tailscale logging |
tsdproxy.authkey | — | Per-container auth key |
tsdproxy.authkeyfile | — | Path to a file containing the auth key |
tsdproxy.tags | — | Comma-separated Tailscale tags (OAuth only) |
Dashboard Labels
| Label | Default | Description |
|---|---|---|
tsdproxy.dash.visible | "true" | Show this proxy in the dashboard |
tsdproxy.dash.label | proxy name | Display label in the dashboard |
tsdproxy.dash.icon | auto-detected | Icon in library/name format. See icons |
Port Configuration
Syntax
Proxy a port:
tsdproxy.port.<index>: "<proxy port>/<protocol>:<target port>/<protocol>[, <options>]"Short format (auto-detects the target port):
tsdproxy.port.<index>: "<proxy port>/<protocol>"Redirect:
tsdproxy.port.<index>: "<proxy port>/<protocol>-><redirect URL>"- index starts at 1. Use separate indices for multiple ports.
- proxy port is the port exposed on the Tailscale network (e.g. 443, 80, 22).
- protocol is
http,https, ortcp. - target port is the container port to proxy to.
- redirect URL is a full URL like
https://example.com.
Port Options
Append these after a comma to any proxy port config:
| Option | Description |
|---|---|
no_tlsvalidate | Disable TLS certificate validation on the target |
tailscale_funnel | Expose the port publicly via Tailscale Funnel |
no_autodetect | Disable auto-detection of the target URL for this port |
Common Patterns
HTTPS proxy to an HTTP backend:
tsdproxy.port.1: "443/https:80/http"HTTP redirect to HTTPS:
tsdproxy.port.1: "80/http->https://myapp.tailnet-name.ts.net"Self-signed certificate on the backend:
tsdproxy.port.1: "443/https:443/https, no_tlsvalidate"TCP proxy (SSH):
tsdproxy.port.1: "22/tcp:22/tcp"TCP proxy (database):
tsdproxy.port.1: "5432/tcp:5432/tcp"Multiple ports (HTTPS + TCP):
tsdproxy.port.1: "443/https:80/http"
tsdproxy.port.2: "22/tcp:22/tcp"Tailscale Funnel (public internet access):
tsdproxy.port.1: "443/https:80/http, tailscale_funnel"Host network mode (skip auto-detect, explicit target):
tsdproxy.port.1: "443/https:8080/http, no_autodetect"Complete Example
services:
nextcloud:
image: nextcloud:latest
container_name: nextcloud
labels:
tsdproxy.enable: "true"
tsdproxy.name: "cloud"
tsdproxy.ephemeral: "true"
tsdproxy.containeraccesslog: "false"
tsdproxy.tags: "tag:personal,tag:storage"
tsdproxy.dash.label: "Nextcloud"
tsdproxy.dash.icon: "si/nextcloud"
# HTTPS to the container's HTTP port, with Funnel enabled
tsdproxy.port.1: "443/https:80/http, tailscale_funnel"
# HTTP redirect to HTTPS
tsdproxy.port.2: "80/http->https://cloud.tailnet-name.ts.net"Legacy Labels (v1)
These labels still work but are deprecated. See the legacy section on the Docker provider page for details.
| Deprecated Label | Use Instead |
|---|---|
tsdproxy.container_port | tsdproxy.port.* |
tsdproxy.scheme | Protocol in tsdproxy.port.* |
tsdproxy.tlsvalidate | no_tlsvalidate port option |
tsdproxy.funnel | tailscale_funnel port option |
Last updated on