tailscale serve command

Serve content and local servers from your Tailscale node to your tailnet.

You can also choose to enable Funnel via the tailscale funnel command which allows you to publish a tailscale serve server publicly, open to the entire Internet.

Usage

serve http[:<port>] <mount-point> <source> [off]
serve https[:<port>] <mount-point> <source> [off]
serve tcp:<port> tcp://localhost:<local-port> [off]
serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
serve status [--json]
serve reset

Examples

  • To proxy requests to a web server at 127.0.0.1:3000:

    $ tailscale serve https / http://127.0.0.1:3000
    
  • To serve a single file or a directory of files:

    $ tailscale serve https:443 / /home/alice/blog/index.html
    $ tailscale serve https:443 /images/ /home/alice/blog/images
    
  • To serve simple static text:

    $ tailscale serve https:443 / text:"Hello, world!"
    
  • To serve over HTTP (tailnet only):

    $ tailscale serve http / http://127.0.0.1:3000
    
  • To forward incoming TCP connections on port 2222 to a local TCP server on port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):

    $ tailscale serve tcp:2222 tcp://localhost:22
    
  • To accept TCP TLS connections (terminated within tailscaled) proxied to a local plaintext server on port 80:

    $ tailscale serve tls-terminated-tcp:443 tcp://localhost:80
    

HTTPS and HTTP server

serve http[:<port>] <mount-point> <source> [off]
serve https[:<port>] <mount-point> <source> [off]

The serve offers an HTTPS and HTTP server that has a few modes: a reverse proxy, a file server and a static text server. HTTPS traffic is secured using an automatically provisioned TLS certificate. By default, termination is done by your node’s Tailscale daemon itself.

  • https[:<port>] or http[:<port>] Specifies the port to listen on. If the port is not provided, serve will use the default port of 443 (HTTPS) or 80 (HTTP); however, you can use any valid port number. Note, if you plan to enable Funnel, you must use one of the allowed ports: 443, 8443, or 10000. HTTP servers are tailnet-only and cannot be exposed publicly over Funnel.

  • <mount-point> Is a slash-separated path URL path. The root-level mount point would simply be / and, would be matched by making a request to https://my-node.tailnet.ts.net/, for example. For more information on how these path patterns are matched, refer to the Go ServeMux documentation; our mount points behave similarly.

  • <source> Serve provides 4 options for serving content, an HTTP reverse proxy, a file or directory and static text. A reverse proxy allows you to forward requests to a local HTTP web server. Providing a local file path provides the ability to serve files or directories of files. Serving static text is available mostly for debugging purposes and serves a static response.

    • Reverse proxy

      To serve as a reverse proxy to a local backend, provide a URL for the <source> argument. Note that only http://127.0.0.1 is currently supported for proxies.

      Example: tailscale serve https / http://127.0.0.1:3000

      Or, to serve over HTTP (tailnet-only):

      Example: tailscale serve http / http://127.0.0.1:3000

      HTTP servers are accessible via short MagicDNS names like http://my-node

    • File server

      Provide a full, absolute path, to the file or directory of files you wish to serve. If a directory is specified, this will render a simple directory listing with links to files and sub-directories.

      Example: tailscale serve https:443 / /home/alice/blog/index.html

    • Static text server:

      Specifying text:<value> as a <source> configures a simple static plain-text server.

      Example: tailscale serve https:443 / text:"Hello, world!"

TCP forwarder

serve tcp:<port> tcp://localhost:<local-port> [off]
serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]

The serve command offers a TCP forwarder that can be used to forward both raw TCP packets and TLS-terminated TCP packets to a local TCP server. This is useful for forwarding packets to a local TCP server. For example, a web server like Caddy or other TCP-based protocols such as SSH, or RDP. By default, the TCP forwarder forwards raw packets.

  • tcp:<port> Sets up a raw TCP forwarder listening on the specified port. You can use any valid port number.

  • tls-terminated-tcp:<port> Sets up a TLS-terminated TCP forwarder listening on the specified port. You can use any valid port number.

  • tcp://localhost:<local-port> Specifies the local port to forward packets to.

Turning off a server

  • [off] To turn off a tailscale serve command, you can add off to the end of the command you used to turn it on. This will remove the server from the list of active servers. In off commands, the <source> argument is optional, but the <mount-point> argument must be specified.

If this command turned on a server:

$ tailscale serve https:443 / /home/alice/blog/index.html

You can turn it off by running:

$ tailscale serve https:443 / /home/alice/blog/index.html off

You can omit the <source> argument, so these 2 commands are equivalent:

$ tailscale serve https:443 / /home/alice/blog/index.html off
$ tailscale serve https:443 / off

For TCP forwarding, the following off commands are equivalent when the server was started with tailscale serve tcp:2222 tcp://localhost:22:

$ tailscale serve tcp:2222 tcp://localhost:22 off
$ tailscale serve tcp:2222 off

Viewing the status of your servers

serve status [--json]

To view the status of your servers, you can use the status command. This will list all of the servers that are currently running on your node.

  • --json If you wish to view the status in JSON format, you can provide the --json argument.

    Example: tailscale serve status --json

  • funnel {on|off} Funnel allows you to publish a ’tailscale serve’ (HTTPS or TCP) server publicly, open to the entire internet. Turning off Funnel only turns off serving to the internet. Defaults to off. It does not affect serving to your tailnet.

Resetting the server configuration

serve reset

To clear out the current tailscale serve configuration, use the reset command.

Example: tailscale serve reset

Using a valid certificate

tailscale serve https <mount-point> <https:source>

If you have a valid certificate, use https in the <source> argument.

Example: tailscale serve https / https://localhost:8443

Ignoring invalid and self-signed certificate checks

tailscale serve https <mount-point> <https+insecure:source>

If you run a local web server using HTTPS with a self-signed or otherwise invalid certificate, you can specify https+insecure as a special pseudo-protocol for your tailscale serve commands.

Example: tailscale serve https / https+insecure://localhost:8443

Last updated