sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-16 07:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update (external) reverse proxy docs (#624)

Browse Source 
- update (external) reverse proxy docs, added 'external' terminology to avoid confusion with the new internal reverse proxy feature
- add templates for combined container setups
- clearer clarifications (3478 needs to be publicy accessible etc)
This commit is contained in:
shuuri-labs
2026-02-19 19:08:08 +01:00
committed by GitHub
parent 1239aceafe
commit 9c74c1b26e
7 changed files with 483 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/pages/manage/reverse-proxy/index.mdx
View File

@@ -11,7 +11,7 @@ NetBird Reverse Proxy lets you expose internal services running on peers or behi
**Availability:** Reverse Proxy is currently only available for **self-hosted** deployments and is currently in **beta**. **Cloud** support is coming soon.
</Note>
<Note>
**Self-hosted requirement:** Self-hosted deployments **must** use [Traefik](/selfhosted/reverse-proxy) as their reverse proxy. Traefik is the only supported reverse proxy that provides TLS passthrough, which is required for the Reverse Proxy feature to function correctly.
**Self-hosted requirement:** Self-hosted deployments **must** use [Traefik](/selfhosted/external-reverse-proxy) as their external reverse proxy. Traefik is the only supported reverse proxy that provides TLS passthrough, which is required for the Reverse Proxy feature to function correctly.
</Note>
<Warning>
The Reverse Proxy feature does not currently support pre-shared keys or Rosenpass. If your network relies on either of these features, reverse proxy services will not function as expected.
@@ -156,7 +156,7 @@ For self-hosted deployments, multiple proxy instances configured with the same `
### Traefik requirement
Self-hosted deployments must use [Traefik](/selfhosted/reverse-proxy) as the reverse proxy in front of the NetBird management server. Traefik is required because it supports TLS passthrough, which allows the NetBird proxy to handle TLS termination directly. Other reverse proxies that do not support TLS passthrough are not compatible with this feature.
Self-hosted deployments must use [Traefik](/selfhosted/external-reverse-proxy) as the external reverse proxy in front of the NetBird management server. Traefik is required because it supports TLS passthrough, which allows the NetBird proxy to handle TLS termination directly. Other reverse proxies that do not support TLS passthrough are not compatible with this feature.
## Prerequisites

4
src/pages/selfhosted/configuration-files.mdx
View File

@@ -488,7 +488,7 @@ When running behind your own reverse proxy (Nginx, Caddy, Nginx Proxy Manager, e
- Dashboard: `127.0.0.1:8080` (HTTP)
- NetBird Server: `127.0.0.1:8081` (HTTP), with gRPC paths using h2c (HTTP/2 cleartext)
See [Reverse Proxy Configuration](/selfhosted/reverse-proxy) for detailed templates for Nginx, Caddy, and other proxies.
See [External Reverse Proxy Configuration](/selfhosted/external-reverse-proxy) for detailed templates for Nginx, Caddy, and other proxies.
### Using External Services (Advanced)
@@ -524,6 +524,6 @@ See the [Scaling Your Self-Hosted Deployment](/selfhosted/maintenance/scaling/sc
## See Also
- [Self-hosting Quickstart Guide](/selfhosted/selfhosted-quickstart) - Get started quickly with default settings
- [Reverse Proxy Configuration](/selfhosted/reverse-proxy) - Nginx, Caddy, NPM, HAProxy setup
- [External Reverse Proxy Configuration](/selfhosted/external-reverse-proxy) - Nginx, Caddy, NPM, HAProxy setup
- [Management SQLite Store](/selfhosted/sqlite-store) - SQLite database details
- [Management Postgres Store](/selfhosted/postgres-store) - PostgreSQL setup

488
src/pages/selfhosted/reverse-proxy.mdx → src/pages/selfhosted/external-reverse-proxy.mdx
View File

@@ -1,13 +1,18 @@
# Reverse Proxy Setup for Self-Hosted NetBird
# External Reverse Proxy Setup for Self-Hosted NetBird
NetBird includes a built-in Traefik reverse proxy that handles TLS certificates automatically via Let's Encrypt. However, if you already have an existing reverse proxy (Nginx, Caddy, etc.), you can configure NetBird to work with it instead.
<Note>
This is not to be confused with our new NetBird reverse proxy service that launched with v0.65.0. To learn more about using NetBird as a reverse proxy, see the [NetBird Proxy documentation](/manage/reverse-proxy).
This is not to be confused with the NetBird reverse proxy service that launched with v0.65.0. The NetBird reverse proxy feature is only compatible with Traefik because it requires TLS passthrough, which Traefik supports natively. To learn more about using NetBird as a reverse proxy, see the [NetBird Proxy documentation](/manage/reverse-proxy).
</Note>
Not all reverse proxies are supported as NetBird uses *gRPC* for various components. Your reverse proxy must support HTTP/2 and gRPC proxying.
Starting with **v0.65.0**, new NetBird installations use a **combined container** (`netbirdio/netbird-server`) that merges management, signal, and relay into a single service. This simplifies reverse proxy configuration because all traffic routes to one backend. The templates on this page cover both setups:
- **[Combined container (v0.65.0+)](#combined-container-setup-v0650)** -- the default for new installations. All backend services run in a single container on one port.
- **[Multi-container (legacy)](#multi-container-setup-legacy)** -- for installations that predate v0.65.0, where management, signal, and relay run as separate containers.
## Quick Setup
### New Deployments
@@ -34,7 +39,450 @@ This option is only available during initial setup with `getting-started.sh`. Fo
For existing NetBird installations, use the configuration templates in the sections below to manually configure your reverse proxy.
## Required Routing Endpoints
---
## Combined Container Setup (v0.65.0+)
Starting with v0.65.0, new NetBird deployments use the `netbirdio/netbird-server` image, which combines management, signal, and relay into a single container. All backend traffic routes to one service on a single port, which simplifies reverse proxy configuration significantly.
<Warning>
UDP port **3478** (STUN) must be publicly accessible and **cannot** be proxied through your reverse proxy. HTTP reverse proxies only handle TCP traffic; STUN requires direct UDP access. Ensure your firewall allows inbound UDP on port 3478 and that this port is published directly from the container (e.g. `3478:3478/udp`), bypassing the reverse proxy entirely.
</Warning>
### Required Routing Endpoints (Combined)
All reverse proxy configurations for the combined container must route the following endpoints to the single `netbird-server` container:
| Path | Protocol | Target | Notes |
|------|----------|--------|-------|
| `/relay*` | WebSocket | netbird-server:80 | WebSocket upgrade required |
| `/ws-proxy/signal*` | WebSocket | netbird-server:80 | WebSocket upgrade required |
| `/ws-proxy/management*` | WebSocket | netbird-server:80 | WebSocket upgrade required |
| `/signalexchange.SignalExchange/*` | gRPC | netbird-server:80 | HTTP/2 (h2c) required |
| `/management.ManagementService/*` | gRPC | netbird-server:80 | HTTP/2 (h2c) required |
| `/api/*` | HTTP | netbird-server:80 | REST API |
| `/oauth2/*` | HTTP | netbird-server:80 | Embedded IdP |
| `/*` | HTTP | dashboard:80 | Catch-all for dashboard |
<Note>
The combined container includes an embedded STUN server that still needs to be directly accessible on UDP port 3478.
</Note>
### Docker Compose for External Proxy (Combined)
When using an external reverse proxy with the combined container, expose the following ports:
```yaml
services:
dashboard:
image: netbirdio/dashboard:latest
ports:
- '127.0.0.1:8080:80'
# ... other config
netbird-server:
image: netbirdio/netbird-server:latest
ports:
- '127.0.0.1:8081:80'
- '3478:3478/udp'
volumes:
- netbird_data:/var/lib/netbird
- ./config.yaml:/etc/netbird/config.yaml
command: ["--config", "/etc/netbird/config.yaml"]
# ... other config
```
<Note>
Binding to `127.0.0.1` is recommended when your reverse proxy runs on the same host. This prevents direct access to the containers and ensures all traffic goes through the proxy.
</Note>
#### Container Port Reference (Combined)
| Service | Host Port | Container Port | Protocol |
|---------|-----------|----------------|----------|
| Dashboard | 8080 | 80 | HTTP |
| NetBird Server | 8081 | 80 | HTTP/gRPC/WebSocket |
| STUN (UDP) | 3478 | 3478 | UDP |
---
### Configuration Templates (Combined)
#### Traefik (Combined)
For Traefik with the combined container, you only need two routers: one for gRPC (which requires an `h2c` backend) and one for everything else (WebSocket, REST API, OAuth2). The dashboard uses a separate low-priority catch-all router.
Replace `netbird.example.com` with your domain, `websecure` with your HTTPS entrypoint, and `letsencrypt` with your certificate resolver name.
```yaml
services:
dashboard:
image: netbirdio/dashboard:latest
networks: [traefik-network]
labels:
- traefik.enable=true
- traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.com`)
- traefik.http.routers.netbird-dashboard.entrypoints=websecure
- traefik.http.routers.netbird-dashboard.tls=true
- traefik.http.routers.netbird-dashboard.tls.certresolver=letsencrypt
- traefik.http.routers.netbird-dashboard.priority=1
- traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
netbird-server:
image: netbirdio/netbird-server:latest
networks: [traefik-network]
ports:
- '3478:3478/udp'
volumes:
- netbird_data:/var/lib/netbird
- ./config.yaml:/etc/netbird/config.yaml
command: ["--config", "/etc/netbird/config.yaml"]
labels:
- traefik.enable=true
# gRPC router (needs h2c backend for HTTP/2 cleartext)
- traefik.http.routers.netbird-grpc.rule=Host(`netbird.example.com`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`))
- traefik.http.routers.netbird-grpc.entrypoints=websecure
- traefik.http.routers.netbird-grpc.tls=true
- traefik.http.routers.netbird-grpc.tls.certresolver=letsencrypt
- traefik.http.routers.netbird-grpc.service=netbird-server-h2c
- traefik.http.routers.netbird-grpc.priority=100
# Backend router (relay, WebSocket, API, OAuth2)
- traefik.http.routers.netbird-backend.rule=Host(`netbird.example.com`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))
- traefik.http.routers.netbird-backend.entrypoints=websecure
- traefik.http.routers.netbird-backend.tls=true
- traefik.http.routers.netbird-backend.tls.certresolver=letsencrypt
- traefik.http.routers.netbird-backend.service=netbird-server
- traefik.http.routers.netbird-backend.priority=100
# Services
- traefik.http.services.netbird-server.loadbalancer.server.port=80
- traefik.http.services.netbird-server-h2c.loadbalancer.server.port=80
- traefik.http.services.netbird-server-h2c.loadbalancer.server.scheme=h2c
networks:
traefik-network:
external: true
volumes:
netbird_data:
```
<Note>
The combined container requires two Traefik service definitions pointing to the same port: `netbird-server` for standard HTTP/WebSocket traffic and `netbird-server-h2c` with `scheme=h2c` for gRPC traffic.
</Note>
---
#### Nginx (Combined)
##### Nginx running in Docker (Combined)
If Nginx runs in Docker on the same network as the NetBird containers, use the container names directly:
```nginx
# NetBird Nginx Configuration (Combined Container - Docker network)
upstream netbird_dashboard {
server netbird-dashboard:80;
keepalive 10;
}
upstream netbird_server {
server netbird-server:80;
}
server {
listen 80;
server_name netbird.example.com;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name netbird.example.com;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
# Required for long-lived gRPC connections
client_header_timeout 1d;
client_body_timeout 1d;
# Common proxy headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket connections (relay, signal, management)
location ~ ^/(relay|ws-proxy/) {
proxy_pass http://netbird_server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 1d;
}
# Native gRPC (signal + management)
location ~ ^/(signalexchange\.SignalExchange|management\.ManagementService)/ {
grpc_pass grpc://netbird_server;
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
}
# HTTP routes (API + OAuth2)
location ~ ^/(api|oauth2)/ {
proxy_pass http://netbird_server;
proxy_set_header Host $host;
}
# Dashboard (catch-all)
location / {
proxy_pass http://netbird_dashboard;
}
}
```
##### Nginx running on host (Combined)
If Nginx is installed directly on the host, use localhost addresses:
```nginx
# NetBird Nginx Configuration (Combined Container - Host)
upstream netbird_dashboard {
server 127.0.0.1:8080;
keepalive 10;
}
upstream netbird_server {
server 127.0.0.1:8081;
}
server {
listen 80;
server_name netbird.example.com;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name netbird.example.com;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
# Required for long-lived gRPC connections
client_header_timeout 1d;
client_body_timeout 1d;
# Common proxy headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket connections (relay, signal, management)
location ~ ^/(relay|ws-proxy/) {
proxy_pass http://netbird_server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 1d;
}
# Native gRPC (signal + management)
location ~ ^/(signalexchange\.SignalExchange|management\.ManagementService)/ {
grpc_pass grpc://netbird_server;
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
}
# HTTP routes (API + OAuth2)
location ~ ^/(api|oauth2)/ {
proxy_pass http://netbird_server;
proxy_set_header Host $host;
}
# Dashboard (catch-all)
location / {
proxy_pass http://netbird_dashboard;
}
}
```
---
#### Caddy (Combined)
##### Caddy running in Docker (Combined)
If Caddy runs in Docker on the same network as NetBird, use container names:
```
netbird.example.com {
# Native gRPC (needs HTTP/2 cleartext to backend)
@grpc header Content-Type application/grpc*
reverse_proxy @grpc h2c://netbird-server:80
# Combined server paths (relay, signal, management, OAuth2)
@backend path /relay* /ws-proxy/* /api/* /oauth2/*
reverse_proxy @backend netbird-server:80
# Dashboard (everything else)
reverse_proxy /* netbird-dashboard:80
}
```
##### Caddy running on host (Combined)
If Caddy is installed directly on the host, use localhost addresses:
```
netbird.example.com {
# Native gRPC (needs HTTP/2 cleartext to backend)
@grpc header Content-Type application/grpc*
reverse_proxy @grpc h2c://127.0.0.1:8081
# Combined server paths (relay, signal, management, OAuth2)
@backend path /relay* /ws-proxy/* /api/* /oauth2/*
reverse_proxy @backend 127.0.0.1:8081
# Dashboard (everything else)
reverse_proxy /* 127.0.0.1:8080
}
```
---
#### Nginx Proxy Manager (Combined)
With the combined container, NPM configuration is simpler because all backend traffic routes to the same service.
<Note>
NPM requires backend services to be running before you can create proxy hosts. Start the NetBird containers first, then configure NPM.
</Note>
##### NPM running in Docker (Combined)
**1. Create a Proxy Host in NPM:**
- Domain: `netbird.example.com`
- Forward Hostname/IP: `netbird-dashboard`
- Forward Port: `80`
- Block Common Exploits: enabled
**2. SSL tab:**
- Request or select existing certificate
- **Enable "HTTP/2 Support"** (required for gRPC)
**3. Advanced tab - paste this configuration:**
```nginx
# Required for long-lived connections (gRPC and WebSocket)
client_header_timeout 1d;
client_body_timeout 1d;
# WebSocket connections (relay, signal, management)
location ~ ^/(relay|ws-proxy/) {
proxy_pass http://netbird-server:80;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1d;
}
# Native gRPC (signal + management)
location ~ ^/(signalexchange\.SignalExchange|management\.ManagementService)/ {
grpc_pass grpc://netbird-server:80;
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
}
# HTTP routes (API + OAuth2)
location ~ ^/(api|oauth2)/ {
proxy_pass http://netbird-server:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
```
##### NPM running on host (Combined)
**1. Create a Proxy Host in NPM:**
- Domain: `netbird.example.com`
- Forward Hostname/IP: `127.0.0.1`
- Forward Port: `8080`
- Block Common Exploits: enabled
**2. SSL tab:**
- Request or select existing certificate
- **Enable "HTTP/2 Support"** (required for gRPC)
**3. Advanced tab - paste this configuration:**
```nginx
# Required for long-lived connections (gRPC and WebSocket)
client_header_timeout 1d;
client_body_timeout 1d;
# WebSocket connections (relay, signal, management)
location ~ ^/(relay|ws-proxy/) {
proxy_pass http://127.0.0.1:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1d;
}
# Native gRPC (signal + management)
location ~ ^/(signalexchange\.SignalExchange|management\.ManagementService)/ {
grpc_pass grpc://127.0.0.1:8081;
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
}
# HTTP routes (API + OAuth2)
location ~ ^/(api|oauth2)/ {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
```
---
## Multi-Container Setup (Legacy)
The following sections apply to NetBird installations from before v0.65.0 that use separate containers for management, signal, and relay. If you are running a new installation, use the [combined container templates above](#combined-container-setup-v0650).
<Warning>
UDP port **3478** (STUN/TURN via coturn) must be publicly accessible and **cannot** be proxied through your reverse proxy. HTTP reverse proxies only handle TCP traffic; STUN/TURN requires direct UDP access. Ensure your firewall allows inbound UDP on port 3478 and that the coturn container publishes this port directly, bypassing the reverse proxy entirely.
</Warning>
### Required Routing Endpoints (Multi-Container)
All reverse proxy configurations must route the following endpoints:
@@ -54,7 +502,7 @@ All reverse proxy configurations must route the following endpoints:
The `coturn` service still needs to be directly accessible on UDP port 3478 as it handles STUN/TURN traffic.
</Note>
## Docker Compose for External Proxy
### Docker Compose for External Proxy (Multi-Container)
When using an external reverse proxy, expose the NetBird container ports to the host:
@@ -90,7 +538,7 @@ services:
Binding to `127.0.0.1` is recommended when your reverse proxy runs on the same host. This prevents direct access to the containers and ensures all traffic goes through the proxy.
</Note>
### Container Port Reference
#### Container Port Reference (Multi-Container)
| Service | Host Port | Container Port | Protocol |
|---------|-----------|----------------|----------|
@@ -102,9 +550,9 @@ Binding to `127.0.0.1` is recommended when your reverse proxy runs on the same h
---
## Configuration Templates
### Configuration Templates (Multi-Container)
### Traefik
#### Traefik (Multi-Container)
For Traefik, NetBird containers are configured with Docker labels for automatic service discovery. The `getting-started.sh` script will prompt for your Traefik configuration:
@@ -112,7 +560,7 @@ For Traefik, NetBird containers are configured with Docker labels for automatic
- **HTTPS entrypoint**: Your Traefik entrypoint for HTTPS traffic (commonly `websecure`)
- **Certificate resolver**: Your Traefik certresolver for automatic TLS (e.g., `letsencrypt`)
#### Complete Docker Compose with Traefik Labels
##### Complete Docker Compose with Traefik Labels
Add the following labels to your NetBird services in `docker-compose.yml`. Replace:
- `netbird.example.com` with your domain
@@ -205,7 +653,7 @@ networks:
external: true
```
#### Traefik Configuration Requirements
##### Traefik Configuration Requirements
Your Traefik instance must have the following configured:
@@ -247,7 +695,7 @@ entryPoints:
scheme: https
```
#### Example Traefik Docker Compose
##### Example Traefik Docker Compose
If you don't have Traefik set up yet, here's a complete example:
@@ -287,9 +735,9 @@ When using `getting-started.sh` with Traefik, the script will ask for your netwo
---
### Nginx
#### Nginx (Multi-Container)
#### Nginx running in Docker
##### Nginx running in Docker (Multi-Container)
If Nginx is running in Docker, the easiest approach is to have NetBird join the same Docker network. The `getting-started.sh` script will ask for your Nginx network name and configure everything automatically.
@@ -406,7 +854,7 @@ server {
}
```
#### Nginx running on host (not in Docker)
##### Nginx running on host (Multi-Container)
If Nginx is installed directly on the host, use localhost addresses:
@@ -539,7 +987,7 @@ sudo cp /path/to/netbird.conf /etc/nginx/conf.d/netbird.conf
sudo nginx -t && sudo systemctl reload nginx
```
#### TLS Certificate Setup for Nginx
##### TLS Certificate Setup for Nginx
<Note>
**Important difference:** Unlike Caddy which obtains and renews TLS certificates automatically, Nginx requires manual certificate setup and configuration.
@@ -644,9 +1092,9 @@ These settings ensure:
---
### Caddy (External)
#### Caddy (Multi-Container)
#### Caddy running in Docker
##### Caddy running in Docker (Multi-Container)
If Caddy is running in Docker, the easiest approach is to have NetBird join the same Docker network. The `getting-started.sh` script will ask for your Caddy network name and configure everything automatically.
@@ -678,7 +1126,7 @@ netbird.example.com {
}
```
#### Caddy running on host (not in Docker)
##### Caddy running on host (Multi-Container)
If Caddy is installed directly on the host, use localhost addresses:
@@ -717,7 +1165,7 @@ sudo systemctl reload caddy
---
### Nginx Proxy Manager
#### Nginx Proxy Manager (Multi-Container)
Nginx Proxy Manager requires all NetBird routing to be configured via the "Advanced" tab. The Custom Locations feature doesn't properly handle path prefixes.
@@ -725,7 +1173,7 @@ Nginx Proxy Manager requires all NetBird routing to be configured via the "Advan
NPM requires backend services to be running before you can create proxy hosts. The `getting-started.sh` script will start NetBird containers first, then display the configuration instructions.
</Note>
#### NPM running in Docker (recommended)
##### NPM running in Docker (Multi-Container)
If NPM is running in Docker, the easiest approach is to have NetBird join the same Docker network. The script will ask for your NPM network name and configure everything automatically.
@@ -821,7 +1269,7 @@ location /management.ManagementService/ {
```
#### NPM running on host (not in Docker)
##### NPM running on host (Multi-Container)
If NPM is installed directly on the host, use localhost addresses:

4
src/pages/selfhosted/migration/enable-reverse-proxy.mdx
View File

@@ -15,7 +15,7 @@ The NetBird proxy container manages its own TLS certificates (via Let's Encrypt
This capability is called **TLS passthrough**, and among common reverse proxies, **only Traefik supports it** via its TCP routers. Other reverse proxies (Nginx, Caddy, Nginx Proxy Manager) terminate TLS themselves and cannot forward the raw encrypted connection, which breaks the proxy's certificate management.
If your current deployment uses a reverse proxy other than Traefik, you'll need to switch before enabling this feature. See [Switching to Traefik](/selfhosted/reverse-proxy#traefik) for instructions.
If your current deployment uses a reverse proxy other than Traefik, you'll need to switch before enabling this feature. See [Switching to Traefik](/selfhosted/external-reverse-proxy#traefik) for instructions.
## Overview of changes
@@ -397,7 +397,7 @@ If you use the `extra_hosts` approach above, you **must** assign a static IP to
## For users not on Traefik
If your self-hosted deployment currently uses Nginx, Caddy, or another reverse proxy, you'll need to switch to Traefik before enabling the Reverse Proxy feature. See the [Traefik setup instructions](/selfhosted/reverse-proxy#traefik) for a step-by-step guide on configuring Traefik for your NetBird deployment.
If your self-hosted deployment currently uses Nginx, Caddy, or another reverse proxy, you'll need to switch to Traefik before enabling the Reverse Proxy feature. See the [Traefik setup instructions](/selfhosted/external-reverse-proxy#traefik) for a step-by-step guide on configuring Traefik for your NetBird deployment.
## Environment variable reference

4
src/pages/selfhosted/selfhosted-guide.mdx
View File

@@ -215,8 +215,8 @@ Not all reverse proxies are supported as NetBird uses *gRPC* for various compone
**Existing deployments:** Use the configuration templates on the dedicated reverse proxy page.
See the [Reverse Proxy Configuration](/selfhosted/reverse-proxy) page for:
- Complete configuration templates for [Traefik](/selfhosted/reverse-proxy#traefik), [Nginx](/selfhosted/reverse-proxy#nginx), [Caddy](/selfhosted/reverse-proxy#caddy-external), and [Nginx Proxy Manager](/selfhosted/reverse-proxy#nginx-proxy-manager)
See the [External Reverse Proxy Configuration](/selfhosted/external-reverse-proxy) page for:
- Complete configuration templates for [Traefik](/selfhosted/external-reverse-proxy#traefik), [Nginx](/selfhosted/external-reverse-proxy#nginx), [Caddy](/selfhosted/external-reverse-proxy#caddy-external), and [Nginx Proxy Manager](/selfhosted/external-reverse-proxy#nginx-proxy-manager)
- Required routing endpoints and port mappings
- Docker Compose examples for external proxies
- Troubleshooting tips

2
src/pages/selfhosted/selfhosted-quickstart.mdx
View File

@@ -52,7 +52,7 @@ Enter choice [0-5] (default: 0):
**For this quickstart guide, select option `[0]` (Traefik)** - just press Enter to use the default. This option includes a Traefik container in the Docker Compose that handles TLS certificates automatically via Let's Encrypt, requires no additional configuration, and makes it easy to enable the NetBird Proxy in the next step.
<Note>
If you already have a reverse proxy (Traefik, Nginx, etc.) and want to use it instead, the script will guide you through the setup. See the [Reverse Proxy Configuration](/selfhosted/reverse-proxy) guide for detailed instructions on each option.
If you already have a reverse proxy (Traefik, Nginx, etc.) and want to use it instead, the script will guide you through the setup. See the [External Reverse Proxy Configuration](/selfhosted/external-reverse-proxy) guide for detailed instructions on each option.
</Note>