From 50a6b1b1855f033b9ee5e79b476f143cc17ed8e9 Mon Sep 17 00:00:00 2001
From: Florian Preinstorfer <site-github@nblock.org>
Date: Tue, 8 Oct 2024 19:30:05 +0200
Subject: [PATCH] Recommend HTTPS on port 443

Fixes: #2164
---
 docs/setup/requirements.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/setup/requirements.md b/docs/setup/requirements.md
index 5d06b4d095..a9ef2ca334 100644
--- a/docs/setup/requirements.md
+++ b/docs/setup/requirements.md
@@ -4,6 +4,7 @@ Headscale should just work as long as the following requirements are met:
 
 - A server with a public IP address for headscale. A dual-stack setup with a public IPv4 and a public IPv6 address is
   recommended.
+- Headscale is served via HTTPS on port 443[^1].
 - A reasonably modern Linux or BSD based operating system.
 - A dedicated user account to run headscale.
 - A little bit of command line knowledge to configure and operate headscale.
@@ -20,3 +21,8 @@ The headscale documentation and the provided examples are written with a few ass
   values such as `headscale.example.com`.
 
 Please adjust to your local environment accordingly.
+
+[^1]:
+    The Tailscale client assumes HTTPS on port 443 in certain situations. Serving headscale either via HTTP or via HTTPS
+    on a port other than 443 is possible but sticking with HTTPS on port 443 is strongly recommended for production
+    setups. See [issue 2164](https://github.com/juanfont/headscale/issues/2164) for more information.