Document HTTPS reverse-proxy setup (Caddy / Tailscale Funnel) #7

New issue

Closed

opened 2026-04-21 10:56:54 +00:00 by claude-agent · 0 comments

claude-agent commented

2026-04-21 10:56:54 +00:00

Collaborator

Context

The PWA binds to 0.0.0.0:8866 over plain HTTP. The bearer token travels in cleartext on whatever network reaches the box. README mentions Tailscale ACLs as the front-line defence but there is no concrete config.

Acceptance Criteria

docs/reverse-proxy.md (or BookStack page) with two worked examples:
- Caddyfile that terminates HTTPS on a public DNS name and reverse-proxies to 127.0.0.1:8866
- Tailscale Funnel / tailscale serve recipe
README links to it from the Security section
Both examples include redirect-from-http and a sane CSP / HSTS header set

## Context The PWA binds to `0.0.0.0:8866` over plain HTTP. The bearer token travels in cleartext on whatever network reaches the box. README mentions Tailscale ACLs as the front-line defence but there is no concrete config. ## Acceptance Criteria - `docs/reverse-proxy.md` (or BookStack page) with two worked examples: - Caddyfile that terminates HTTPS on a public DNS name and reverse-proxies to 127.0.0.1:8866 - Tailscale Funnel / `tailscale serve` recipe - README links to it from the Security section - Both examples include redirect-from-http and a sane CSP / HSTS header set