Fix remote connection for tailscale + docs

ericdallo · ericdallo · commit 004c11a187b0 · 2026-03-29T20:01:29.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Fix remote connection for tailscale + docs.
+
 ## 0.121.0
 
 - Add `providers/list`, `providers/login`, `providers/loginInput`, `providers/logout` requests and `providers/updated` notification for settings-based provider/model management.
diff --git a/docs/config/remote.md b/docs/config/remote.md
@@ -64,15 +64,21 @@ When enabled, ECA starts an embedded HTTPS server that the web frontend at [web.
     2. Expose ECA's port via Tailscale HTTPS serve:
 
         ```bash
-        sudo tailscale serve --bg --https 7777 http://localhost:7777
-        sudo tailscale serve --bg --https 7778 http://localhost:7778
+        sudo tailscale serve --bg --https 7777 https+insecure://localhost:7777
+        sudo tailscale serve --bg --https 7778 https+insecure://localhost:7778
         # ... repeat for as many ports as you need (7777–7796)
         ```
 
         !!! warning "Use `--https`, not `--tcp`"
             `--tcp` creates a raw TCP proxy that browsers cannot connect to.
             `--https` creates a proper HTTPS reverse proxy with valid certificates.
 
+        !!! note "Why `https+insecure://`?"
+            ECA's built-in server runs HTTPS with a `*.local.eca.dev` certificate.
+            Tailscale Serve must connect to it over TLS (`https+insecure://`), not plain
+            HTTP. The `+insecure` flag tells Tailscale to skip certificate verification
+            since the local cert won't match your Tailscale hostname.
+
     3. Start ECA — it logs a connection URL you can open directly:
 
         ```
diff --git a/src/eca/remote/server.clj b/src/eca/remote/server.clj
@@ -174,7 +174,8 @@
   (try
     (let [opts (if ssl-context
                  {:ssl? true :ssl-port port :http? false
-                  :ssl-context ssl-context :host host :join? false}
+                  :ssl-context ssl-context :sni-host-check? false
+                  :host host :join? false}
                  {:port port :host host :join? false})
           server (jetty/run-jetty handler opts)]
       (logger/debug logger-tag (str "Bound to " host ":" port (when ssl-context " (HTTPS)")))
@@ -190,7 +191,8 @@
   (try
     (let [connector (if ssl-context
                       (let [ssl-factory (doto (SslContextFactory$Server.)
-                                          (.setSslContext ssl-context))]
+                                          (.setSslContext ssl-context)
+                                          (.setSniRequired false))]
                         (doto (ServerConnector. server ^SslContextFactory$Server ssl-factory)
                           (.setHost ^String host)
                           (.setPort (int port))))
