docs: add App Connector documentation and integration tests

- Add App Connectors section to docs/ref/acls.md with configuration examples
- Add App Connectors to feature list in docs/about/features.md
- Add CHANGELOG.md entry for App Connector support
- Add integration tests for app connector functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: matanbaruch

CHANGELOG.md

@@ -55,6 +55,7 @@ sequentially through each stable release, selecting the latest patch version ava
 
 ### Changes
 
+- Add App Connector support for domain-based routing through designated connector nodes [#2987](https://github.com/juanfont/headscale/pull/2987)
 - Smarter change notifications send partial map updates and node removals instead of full maps [#2961](https://github.com/juanfont/headscale/pull/2961)
   - Send lightweight endpoint and DERP region updates instead of full maps [#2856](https://github.com/juanfont/headscale/pull/2856)
 - Add `oidc.email_verified_required` config option to control email verification requirement [#2860](https://github.com/juanfont/headscale/pull/2860)

docs/about/features.md

@@ -32,6 +32,7 @@ provides on overview of Headscale's feature and compatibility with the Tailscale
     - [x] Basic registration
     - [x] Update user profile from identity provider
     - [ ] OIDC groups cannot be used in ACLs
+- [x] [App Connectors](https://tailscale.com/kb/1281/app-connectors) - Route traffic to specific domains through designated connector nodes
 - [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))
 - [ ] [Serve](https://tailscale.com/kb/1312/serve) ([#1234](https://github.com/juanfont/headscale/issues/1921))
 - [ ] [Network flow logs](https://tailscale.com/kb/1219/network-flow-logs) ([#1687](https://github.com/juanfont/headscale/issues/1687))

docs/ref/acls.md

@@ -285,3 +285,65 @@ Used in Tailscale SSH rules to allow access to any user except root. Can only be
   "users": ["autogroup:nonroot"]
 }
 ```
+
+## App Connectors
+
+Headscale supports [App Connectors](https://tailscale.com/kb/1281/app-connectors), which allow you to route traffic to specific domains through designated connector nodes. This is useful for accessing internal applications or services that are only reachable from certain nodes in your tailnet.
+
+App connectors are configured in the `appConnectors` field of your ACL policy:
+
+```json
+{
+  "tagOwners": {
+    "tag:connector": ["admin@"]
+  },
+  "appConnectors": [
+    {
+      "name": "Internal Apps",
+      "connectors": ["tag:connector"],
+      "domains": ["internal.example.com", "*.corp.example.com"],
+      "routes": ["10.0.0.0/8"]
+    }
+  ]
+}
+```
+
+### Configuration Fields
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `name` | No | A human-readable name for this app connector configuration |
+| `connectors` | Yes | A list of tags (e.g., `tag:connector`) or `*` (all nodes) that identifies which nodes can serve as connectors |
+| `domains` | Yes | A list of domain names to route through the connector. Supports wildcards like `*.example.com` |
+| `routes` | No | Optional list of IP prefixes to pre-configure as routes (in addition to dynamically discovered routes from DNS) |
+
+### How It Works
+
+1. Configure tagged nodes as app connectors in your ACL policy
+2. Nodes with the specified tags that advertise themselves as app connectors will receive the domain configuration
+3. When clients query DNS for the configured domains, traffic is automatically routed through the connector nodes
+4. The connector nodes resolve the DNS and forward traffic to the destination
+
+### Example: Multiple Connectors
+
+```json
+{
+  "tagOwners": {
+    "tag:web-connector": ["admin@"],
+    "tag:db-connector": ["admin@"]
+  },
+  "appConnectors": [
+    {
+      "name": "Web Applications",
+      "connectors": ["tag:web-connector"],
+      "domains": ["*.internal.example.com", "dashboard.corp.example.com"]
+    },
+    {
+      "name": "Database Access",
+      "connectors": ["tag:db-connector"],
+      "domains": ["db.internal.example.com"],
+      "routes": ["10.20.30.0/24"]
+    }
+  ]
+}
+```