#14538: docs: recommend Tailscale Serve for HTTPS access (#14513)
docs
gateway
stale
size: XS
trusted-contributor
Cluster:
Docker and Deployment Improvements
## Summary
Fixes #14513
## Problem
When users access the Control UI over plain HTTP from a non-localhost address, they see:
```
control ui requires HTTPS or localhost (secure context)
```
The error message points toward `allowInsecureAuth: true` as a workaround, but the docs don't prominently recommend **Tailscale Serve** as a simpler, more secure one-command solution.
## Fix
Add a "Quick fix with Tailscale Serve" section to two docs pages:
- **`docs/web/control-ui.md`** — added a subsection under "Insecure HTTP" showing the one-command `tailscale serve` approach
- **`docs/gateway/tailscale.md`** — added a "Quick start (manual Tailscale Serve)" section before the integrated config examples
Both sections show:
```bash
tailscale serve --bg http://127.0.0.1:18789
```
And explain the benefits (automatic HTTPS, tailnet-only, no `allowInsecureAuth` needed).
## Effect on User Experience
**Before fix:**
Users seeing the HTTPS error had to either:
1. Read through the full Tailscale integration docs to configure `gateway.tailscale.mode`
2. Use the insecure `allowInsecureAuth: true` workaround
**After fix:**
Users can immediately try `tailscale serve --bg http://127.0.0.1:18789` — one command, zero OpenClaw config changes, instant HTTPS.
## Testing
- ✅ Docs-only change, no code modified
- ✅ Links use root-relative paths without `.md` extension (Mintlify convention)
- ✅ CHANGELOG updated
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR updates the documentation to highlight **Tailscale Serve** as the recommended “one-command” way to access the Gateway Control UI over HTTPS, avoiding the insecure `allowInsecureAuth` workaround. It adds a quick-start section to `docs/web/control-ui.md` and a manual Serve quick-start section to `docs/gateway/tailscale.md`, and records the change in the changelog.
The change fits cleanly into the existing web/tailscale docs structure by giving users an immediate HTTPS path before the deeper integrated configuration examples.
<h3>Confidence Score: 4/5</h3>
- This PR is largely safe to merge; the main risk is minor user confusion from incomplete URLs in the new quick-start sections.
- Changes are docs-only and align with existing guidance, but the new quick-start instructions don’t account for `gateway.controlUi.basePath`, which can cause users to open the wrong path when Serve is enabled.
- docs/web/control-ui.md, docs/gateway/tailscale.md
<!-- greptile_other_comments_section -->
**Context used:**
- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
<!-- /greptile_comment -->
Most Similar PRs
#23578: docs(docker): clarify dashboard HTTP access and allowInsecureAuth
by NewdlDewdl · 2026-02-22
73.6%
#10894: Docs: fix legacy branding, add config reference, expand cron troubl...
by biv0711 · 2026-02-07
73.4%
#20422: Fix/tailscale device pairing
by slagyr · 2026-02-18
73.1%
#16251: docs: remove note about personal single-user access from trusted pr...
by nickytonline · 2026-02-14
72.7%
#11205: Android: fix gateway connection and canvas URL for Tailscale serve
by emonty · 2026-02-07
72.7%
#21256: fix: treat ws:// to Tailscale addresses as secure when bind=tailnet
by jessewunderlich · 2026-02-19
72.7%
#11915: Docs: Docker + reverse proxy deployment notes and pairing pitfalls
by walshd1 · 2026-02-08
72.4%
#21772: [Bug]: Allow ws:// to Tailscale CGNAT addresses
by AIflow-Labs · 2026-02-20
72.3%
#14564: fix(gateway): crashes on startup when tailscale meets non-loopback ...
by yinghaosang · 2026-02-12
71.5%
#12834: docs(gateway): clarify there is no standalone clawrouter binary
by JBrady · 2026-02-09
71.5%