HTTPS using Tailscale
Access HridaAI securely from anywhere on your private network. No ports, no certificates, no public exposure.
Tailscale creates an encrypted mesh VPN (a "tailnet") between your devices. Every device gets a stable hostname like my-server.tail1234.ts.net, and Tailscale can provision trusted HTTPS certificates for it automatically. Your HridaAI instance stays completely private, accessible only to devices on your tailnet.
Tailscale is ideal when you want private, authenticated access across devices without exposing HridaAI to the public internet. Perfect for personal setups, small teams, or accessing a home server from your phone or laptop on the go.
This page covers HTTPS setup specifically. For the complete Tailscale integration story, including SSO authentication, Docker Compose sidecar setup, and more, see the Tailscale Integration Tutorial.
Prerequisites
| Requirement | Details |
|---|---|
| HridaAI | Running locally on port 8080 (default) |
| Tailscale account | Free for personal use at tailscale.com |
| Tailscale installed | On both the server running HridaAI and any client devices |
- macOS: Download from the Mac App Store or:
  brew install tailscale
- Linux:
  curl -fsSL https://tailscale.com/install.sh | sh
- Windows: Download from tailscale.com/download.
On the machine running HridaAI:
sudo tailscale up
Your machine gets a tailnet hostname like my-server.tail1234.ts.net. Find it with:
tailscale status
From any device on the same tailnet, open:
http://my-server.tail1234.ts.net:8080
This connection is already encrypted end-to-end by WireGuard. For browser features that require HTTPS (like Voice Calls), continue to the next step.
Enable HTTPS with Tailscale certificates
Tailscale can provision trusted Let's Encrypt certificates for your tailnet hostname.
Go to Tailscale Admin → DNS and enable HTTPS Certificates.
sudo tailscale cert my-server.tail1234.ts.net
This creates two files in the current directory:
Use tailscale serve to proxy HTTPS traffic directly to HridaAI without any reverse proxy:
sudo tailscale serve https / http://localhost:8080
Now access HridaAI at:
https://my-server.tail1234.ts.net
No port number needed. Tailscale handles TLS termination and proxies to your local HridaAI.
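Because tailscale serve proxies to http://localhost:8080, HridaAI only has to listen on loopback once HTTPS is working; a listener on 0.0.0.0 (Docker's default when a port is published as -p 8080:8080) stays reachable from the local network without going through Tailscale. The following check is an added example, not part of the original page: it assumes a Linux host with `ss` from iproute2, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners on HridaAI's port that are not loopback-only.
# Input is `ss -ltnH` output (Linux, iproute2); field 4 is Local Address:Port.

# non_loopback_listeners PORT: reads ss lines on stdin, prints offending binds.
non_loopback_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = match($4, /:[0-9]+$/)            # last ":port", safe for [v6]:port
      if (n == 0 || substr($4, n + 1) != port) next
      host = substr($4, 1, n - 1)
      gsub(/^\[|\]$/, "", host)            # [::1] -> ::1
      sub(/%.*$/, "", host)                # drop %iface suffix
      if (host ~ /^127\./ || host == "::1") next   # loopback is fine
      print $4
    }'
}

# audit PORT SS_OUTPUT: returns 1 if the port is bound beyond loopback.
audit() {
  found=$(printf '%s\n' "$2" | non_loopback_listeners "$1")
  if [ -z "$found" ]; then echo "port $1: loopback only"; return 0; fi
  echo "port $1 is also bound on:"; echo "$found"; return 1
}

# Constructed sample: container published with `-p 8080:8080`
# (all interfaces), plus the HTTPS listener on a tailnet address.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::]:8080 [::]:*
LISTEN 0 4096 100.64.0.10:443 0.0.0.0:*'

# Constructed sample: same host after publishing as `-p 127.0.0.1:8080:8080`.
SAMPLE_SS_FIXED='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 100.64.0.10:443 0.0.0.0:*'

audit 8080 "$SAMPLE_SS" || true
audit 8080 "$SAMPLE_SS_FIXED"
# On a real host: audit 8080 "$(ss -ltnH)"
```

Restricting the listener to loopback also removes the plain http://my-server.tail1234.ts.net:8080 path, leaving the HTTPS hostname as the only way in.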
Configure HridaAI
Set HRIDAAI_URL so OAuth callbacks and internal links resolve correctly:
docker run -d \
-p 8080:8080 \
-e HRIDAAI_URL=https://my-server.tail1234.ts.net \
-v hrida-ai:/app/backend/data \
--name hrida-ai \
ghcr.io/hrida-ai/hrida-ai-studio:main
Tailscale Funnel (optional public access)
If you want to share HridaAI publicly (without requiring Tailscale on the client), Tailscale Funnel exposes your tailscale serve endpoint to the internet:
sudo tailscale funnel https / http://localhost:8080
Your HridaAI is now publicly accessible at https://my-server.tail1234.ts.net with a valid TLS certificate. Funnel routes traffic through Tailscale's infrastructure, similar to Cloudflare Tunnel.
Funnel makes your HridaAI accessible to anyone on the internet. Make sure you have authentication configured in HridaAI before enabling it.
Quick reference
| What | Command / Value |
|---|---|
| Connect to tailnet | sudo tailscale up |
| Check hostname | tailscale status |
| Serve over HTTPS | sudo tailscale serve https / http://localhost:8080 |
| Public access (Funnel) | sudo tailscale funnel https / http://localhost:8080 |
| Generate cert manually | sudo tailscale cert my-server.tail1234.ts.net |
| Admin console | login.tailscale.com/admin |
| Set CORS origin | CORS_ALLOW_ORIGIN=https://my-server.tail1234.ts.net |