Docker
To add a service to your TSDProxy instance, you need to add a label to your service container.
How to enable
Just add the label tsdproxy.enable to true and restart your service. The
container will be started and TSDProxy will be enabled.
labels:
tsdproxy.enable: "true"TSDProxy will use container name as Tailscale server, and will use the first docker
exposed port to proxy traffic. If TSDProxy doesn’t detect the port you want to
proxy, you can use tsdproxy.port label, more details in Port configuration.
Container Labels
tsdproxy.name
If you define a name different from the container name, you can define it with
the label tsdproxy.name and it will be used as the Tailscale server name.
labels:
tsdproxy.enable: "true"
tsdproxy.name: "myserver"tsdproxy.proxyprovider
If you want to use a proxy provider other than the default one, you can define
it with the label tsdproxy.proxyprovider.
labels:
tsdproxy.enable: "true"
tsdproxy.proxyprovider: "providername"tsdproxy.autodetect
Defaults to true. If you are having problems with the internal network interfaces
autodetection, set to false. You can also use the no_autodetect port option
(see Port options).
labels:
tsdproxy.enable: "true"
tsdproxy.autodetect: "false"tsdproxy.containeraccesslog
Enable or disable access logging for this proxy. Defaults to true (enabled).
labels:
tsdproxy.enable: "true"
tsdproxy.containeraccesslog: "false"Port configuration
To have better control over the ports you want to proxy, you can use the
tsdproxy.port labels.
TSDProxy v2 enables the possibility to define multiple ports to proxy. You can
also define http redirects.
How to use it
You can use multiple ports to proxy, just define the tsdproxy.port label with a different index.
Proxy
tsdproxy.port.<index>: "<proxy port>/<proxy Protocol>:<container port>/<container protocol>[, <options>]"- <index> is the index of the port, starting from 1.
- <proxy port> is the port that will be exposed on the Tailscale network. (Examples: 443, 80, 8080)
- <proxy protocol> is the protocol that will be used on the proxy. (Examples: http, https)
- <container port> is the port that will be proxied to the container. (Examples: 80, 8080)
- <container protocol> is the protocol that will be used on the container. (Examples: http, https)
- <options> is a comma separated list of options. See Port options.
Redirect
tsdproxy.port.<index>: "<proxy port>/<proxy Protocol> -> <url>"- <index> is the index of the port, starting from 1.
- <proxy port> is the port that will be exposed on the Tailscale network. (Examples: 443, 80, 8080)
- <proxy protocol> is the protocol that will be used on the proxy. (Examples: http, https)
- <url> is the url that will be redirected to.
Examples
labels:
tsdproxy.enable: "true"
tsdproxy.name: "test"
# add a https proxy to container target port 80
tsdproxy.port.1: "443/https:80/http"
# add a http proxy to container target port 8080, disable TLS validation
tsdproxy.port.2: "80/http:8080/http, no_tlsvalidate"
# short format: proxy only (auto-detects port)
tsdproxy.port.3: "443/https"
# redirect to https://test.funny-name.ts.net
tsdproxy.port.4: "81/http->https://test.funny-name.ts.net"
# redirect to https://othersite.com
tsdproxy.port.5: "82/http->https://othersite.com"
# TCP proxy for SSH (see TCP Proxy & SSH docs for details)
tsdproxy.port.6: "22/tcp:22/tcp"Port options
| Option | Description |
|---|---|
no_tlsvalidate | Disable TLS validation on the target certificate (TLS validation is enabled by default) |
tailscale_funnel | Activate Tailscale Funnel on the port |
no_autodetect | Disable auto-detection of the target URL for this port |
Tailscale Labels
tsdproxy.ephemeral
If you want to use an ephemeral container, you can define it with the label tsdproxy.ephemeral.
labels:
tsdproxy.enable: "true"
tsdproxy.name: "myserver"
tsdproxy.ephemeral: "true"tsdproxy.runwebclient
If you want to enable the Tailscale web client (port 5252), you can define it
with the label tsdproxy.runwebclient.
labels:
tsdproxy.enable: "true"
tsdproxy.name: "myserver"
tsdproxy.runwebclient: "true"tsdproxy.tsnet_verbose
If you want to enable Tailscale’s verbose mode, you can define it with the label
tsdproxy.tsnet_verbose.
labels:
tsdproxy.enable: "true"
tsdproxy.name: "myserver"
tsdproxy.tsnet_verbose: "true"tsdproxy.authkey
Enable TSDProxy authentication with a different AuthKey. This gives the possibility to add tags on your containers if they were defined when created the AuthKey.
labels:
tsdproxy.enable: "true"
tsdproxy.authkey: "YOUR_AUTHKEY_HERE"tsdproxy.authkeyfile
Path to a file containing the AuthKey. This is useful if you want to use Docker secrets.
labels:
tsdproxy.enable: "true"
tsdproxy.authkeyfile: "/run/secrets/authkey"tsdproxy.tags
Use it to apply tags to your proxy. tsdproxy.tags is a comma separated list
of tags. Tags only work with OAuth authentication.
labels:
tsdproxy.enable: "true"
tsdproxy.tags: "tag:example,tag:server,tag:web"Dashboard Labels
tsdproxy.dash.visible
Defaults to true, set to false to hide on Dashboard.
labels:
tsdproxy.enable: "true"
tsdproxy.dash.visible: "false"tsdproxy.dash.label
Sets the proxy label on dashboard. Defaults to tsdproxy.name.
labels:
tsdproxy.enable: "true"
tsdproxy.name: "nas"
tsdproxy.dash.label: "Files"tsdproxy.dash.icon
Sets the proxy icon on dashboard. If not defined, TSDProxy will try to find an icon based on the image name. See available icons in icons.
labels:
tsdproxy.enable: "true"
tsdproxy.dash.icon: "si/portainer"Legacy Labels (v1)
Warning
The following labels are deprecated in v2. They still work for backward compatibility but will be removed in a future version (planned for v2.1+). Migrate to the new port configuration labels as soon as possible.
| Deprecated Label | Replacement |
|---|---|
tsdproxy.container_port | Use tsdproxy.port.* labels instead |
tsdproxy.scheme | Use the protocol in tsdproxy.port.* labels |
tsdproxy.tlsvalidate | Use the no_tlsvalidate option in tsdproxy.port.* labels |
tsdproxy.funnel | Use the tailscale_funnel option in tsdproxy.port.* labels |