Tailscale & HTTPS

Lector is designed to run on your home network. Your reading history, vocabulary, and learning progress stay on hardware you control. There are no cloud accounts, no telemetry, and no external dependencies beyond optional AI translation.

Network access

Lector is designed to be accessed via a WireGuard VPN. We use Tailscale, which takes about five minutes to set up and gives every device on your tailnet a stable IP. This means your data never leaves your network.

With Tailscale, you can access Lector from your phone, from work, or from anywhere, without exposing any ports to the public internet.

Reverse proxy (HTTPS)

If you want HTTPS within your network (recommended), put Lector behind a reverse proxy. Caddy handles automatic TLS with minimal configuration:

lector.home.yourdomain.com {
    # The browser calls the API directly, so send /api/* to the API
    # port (3457) and everything else to the web UI (3000).
    handle /api/* {
        reverse_proxy lector:3457
    }
    handle {
        reverse_proxy lector:3000
    }
}

With a same-origin proxy like this you don't need to publish port 3457 on the host — Caddy reaches it over the container network. Set API_URL=https://lector.home.yourdomain.com in the container's environment so the browser sends its API calls to the same origin, and Caddy routes them to the API. Caddy will automatically provision and renew certificates. Pair this with a local DNS entry (e.g. via Pi-hole or your router) pointing lector.home.yourdomain.com to your server's IP.

Planning on multi-user accounts? A same-origin HTTPS proxy is the shape they're happiest in: session cookies and OAuth callbacks all ride one origin, so no cross-origin configuration is needed — just set BETTER_AUTH_URL to the same origin as API_URL.