From cb25f0d650b4684b242321ee42841408fd1e12e0 Mon Sep 17 00:00:00 2001
From: Jan Hartkopf <j@hartkopf.io>
Date: Mon, 23 Jan 2023 14:08:15 +0100
Subject: [PATCH] Add hint for reverse proxying with Apache

---
 docs/reverse-proxy.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/docs/reverse-proxy.md b/docs/reverse-proxy.md
index faadeb92..b00e0f9f 100644
--- a/docs/reverse-proxy.md
+++ b/docs/reverse-proxy.md
@@ -112,3 +112,20 @@ The following Caddyfile is all that is necessary to use Caddy as a reverse proxy
 Caddy v2 will [automatically](https://caddyserver.com/docs/automatic-https) provision a certficate for your domain/subdomain, force HTTPS, and proxy websockets - no further configuration is necessary.
 
 For a slightly more complex configuration which utilizes Docker containers to manage Caddy, Headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.
+
+## Apache
+
+The following minimal Apache config will proxy traffic to the Headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
+
+```
+<VirtualHost *:443>
+	ServerName <YOUR_SERVER_NAME>
+
+	ProxyPreserveHost On
+	ProxyPass / http://<IP:PORT>/ upgrade=any
+
+	SSLEngine On
+	SSLCertificateFile <PATH_TO_CERT>
+	SSLCertificateKeyFile <PATH_CERT_KEY>
+</VirtualHost>
+```