tailscale serve command
The CLI commands for both Tailscale Funnel and Tailscale Serve have changed in the 1.52 version of the Tailscale client. If you’ve used Funnel or Serve in previous versions, we recommend reviewing the CLI documentation.
tailscale serve
lets you share a local service securely within your tailnet.
tailscale serve [flags] <target>
You can also choose to use Tailscale Funnel via the tailscale funnel
command to expose your service publicly, open to the entire internet.
Subcommands:
To see various use cases and examples, see Tailscale Serve examples.
Serve command flags
Available flags:
--bg
Determines whether the command should run as a background process.--set-path
Appends the specified path to the base URL for accessing the underlying service.--https <port>
Expose an HTTPS server at the specified port (default).--http <port>
Expose an HTTP server at the specified port.--tcp <port>
Expose a TCP forwarder to forward TCP packets at the specified port.--tls-terminated-tcp <port>
Expose a TCP forwarder to forward TLS-terminated TCP packets at the specified port.
The tailscale serve
command accepts a target that can be a file, directory, text, or most commonly, the location to a service running on the local machine. The location to the local service can be expressed as a port number (for example, 3000
), a partial URL (for example, localhost:3000
), or a full URL including a path (for example, tcp://localhost:3000/foo
, https+insecure://localhost:3000/foo
).
Use HTTPS and HTTP servers
tailscale serve --https=<port> <target> [off]
tailscale serve --http=<port> <target> [off]
The serve
offers an HTTPS and HTTP server that has a few modes: a reverse proxy, a file server, and a static text server. HTTPS traffic is secured using an automatically provisioned TLS certificate. By default, termination is done by your node's Tailscale daemon itself.
-
--https=<port>
orhttp=<port>
Specifies the port to listen on -
--set-path
Is a slash-separated URL path. The root-level mount point would simply be/
and would be matched by making a request tohttps://my-node.example.ts.net/
, for example. For more information on how these path patterns are matched, refer to the Go ServeMux documentation. Our mount points behave similarly. -
<target>
Serve provides 4 options for serving content: an HTTP reverse proxy, a file, a directory, and static text. A reverse proxy lets you forward requests to a local HTTP web server. Providing a local file path provides the ability to serve files or directories of files. Serving static text is available mostly for debugging purposes and serves a static response.-
Reverse proxy
To serve as a reverse proxy to a local backend, provide the location of the
<target>
argument. The location to the local service can be expressed as a port number (for example,3000
), a partial URL (for example,localhost:3000
), or a full URL including a path (for example,tcp://localhost:3000/foo
,https+insecure://localhost:3000/foo
). Note that onlyhttp://127.0.0.1
is currently supported for proxies.Example:
tailscale serve localhost:3000
Or, to serve over HTTP:
Example:
tailscale serve --http=80 localhost:3000
HTTP servers are accessible via short MagicDNS names like
http://my-node
-
File server
Provide a full, absolute path to the file or directory of files you wish to serve. If a directory is specified, this will render a simple directory listing with links to files and sub-directories.
Example:
tailscale serve /home/alice/blog/index.html
Due to macOS app sandbox limitations, this option is only available when using Tailscale's open source variant. If you've installed Tailscale on macOS through the Mac App Store or as a standalone System Extension, you can use Serve to share ports but not files or directories.
-
Static text server
Specifying
text:<value>
as a<target>
configures a simple static plain-text server.Example:
tailscale serve text:"Hello, world!"
-
Use a TCP forwarder
serve --tcp <port> tcp://localhost:<local-port> [off]
serve --tls-terminated-tcp <port> tcp://localhost:<local-port> [off]
The serve
command offers a TCP forwarder that can be used to forward both raw TCP packets and TLS-terminated TCP packets to a local TCP server like Caddy or other TCP-based protocols such as SSH or RDP. By default, the TCP forwarder forwards raw packets.
-
--tcp <port>
Sets up a raw TCP forwarder listening on the specified port. You can use any valid port number. -
--tls-terminated-tcp <port>
Sets up a TLS-terminated TCP forwarder listening on the specified port. You can use any valid port number. -
tcp://localhost:<local-port>
Specifies the local port to forward packets to.
Use a valid certificate
tailscale serve <https:target>
If you have a valid certificate, use https
in the <target>
argument.
Example: tailscale serve https://localhost:8443
Ignore invalid and self-signed certificate checks
tailscale serve <https+insecure:target>
If you run a local web server using HTTPS with a self-signed or otherwise invalid certificate, you can specify https+insecure
as a special pseudo-protocol for your tailscale serve
commands.
Example: tailscale serve https+insecure://localhost:8443
View the status
tailscale serve status [--json]
To view the status of your servers, you can use the status
subcommand. This will list all of the servers that are currently running on your node.
-
--json
If you wish to view the status in JSON format, you can provide the--json
argument.Example:
tailscale serve status --json
Reset Tailscale Serve
tailscale serve reset
To clear out the current tailscale serve
configuration, use the reset
subcommand.
Disable Tailscale Serve
[off]
To turn off atailscale serve
command, you can addoff
to the end of the command you used to turn it on. This will remove the server from the list of active servers. Inoff
commands, the<target>
argument is optional, but all original flags are required.
If this command turned on a server:
tailscale serve --https=443 /home/alice/blog/index.html
You can turn it off by running:
tailscale serve --https=443 /home/alice/blog/index.html off
You can omit the <target>
argument, so these 2 commands are equivalent:
tailscale serve --https=443 --set-path=/foo /home/alice/blog/index.html off
tailscale serve --https=443 --set-path=/foo off
Effects of rebooting and restarting
If you use the tailscale serve
command with the -bg
flag, it runs persistently in the background until you disable it. When you reboot the device or restart Tailscale from the command line using tailscale down
and tailscale up
, Serve will automatically resume sharing.
If you use the tailscale serve
command without the -bg
flag, then reboot the device or restart Tailscale from the command line, Serve must be restarted manually to resume sharing.