diff --git a/src/pages/selfhosted/configuration-files.mdx b/src/pages/selfhosted/configuration-files.mdx
index 31c40a92..9ed8e2dc 100644
--- a/src/pages/selfhosted/configuration-files.mdx
+++ b/src/pages/selfhosted/configuration-files.mdx
@@ -15,10 +15,9 @@ A standard NetBird self-hosted deployment uses the following configuration files
| File | Purpose |
|------|---------|
-| `docker-compose.yml` | Defines all NetBird services (dashboard, netbird-server), their Docker images, port mappings, volumes, and startup order. Modify this to change resource limits, add services, or adjust networking. |
+| `docker-compose.yml` | Defines all NetBird services (dashboard, netbird-server, traefik), their Docker images, port mappings, volumes, and startup order. Modify this to change resource limits, add services, or adjust networking. |
| `config.yaml` | Central configuration for the NetBird server including listen addresses, authentication settings, STUN ports, and database configuration. Changes here affect how peers connect and authenticate. |
| `dashboard.env` | Configures the web dashboard including API endpoints, OAuth2/OIDC settings, and optional SSL settings for standalone deployments without a reverse proxy. |
-| `Caddyfile` | Configures the built-in Caddy reverse proxy for SSL termination and routing requests to NetBird services. Only present when using the default `getting-started.sh` deployment with Caddy. |
### File Locations
@@ -28,8 +27,7 @@ After running the installation script, configuration files are located in the di
./
├── docker-compose.yml
├── config.yaml
-├── dashboard.env
-└── Caddyfile # Only when using built-in Caddy
+└── dashboard.env
```
---
@@ -44,138 +42,157 @@ The Docker Compose file defines all NetBird services, their dependencies, networ
|---------|-------|---------------|-------------------|-------------|
| `dashboard` | `netbirdio/dashboard` | 80 | 8080:80 | The web-based management console where administrators configure networks, manage peers, create access policies, and view activity logs. Includes an embedded nginx server for serving the UI. |
| `netbird-server` | `netbirdio/netbird-server` | 80, 3478/udp | 8081:80, 3478:3478/udp | The combined NetBird server that includes management, signal, and relay services in a single container. Also provides embedded STUN on UDP 3478 for NAT type detection. |
-| `caddy` | `caddy` | 80, 443 | 80:80, 443:443 | Handles TLS termination and routes incoming HTTPS requests to the appropriate NetBird services. Only included in default `getting-started.sh` deployments; can be replaced with your own reverse proxy. |
+| `traefik` | `traefik:v3.6` | 80, 443 | 80:80, 443:443 | Handles TLS termination via Let's Encrypt and routes incoming HTTPS requests to the appropriate NetBird services. Only included in default `getting-started.sh` deployments; can be replaced with your own reverse proxy. |
-**Internal vs External ports**: Internal ports are what services listen on inside their containers. External (Exposed) ports show the host-to-container mapping used when running without the built-in Caddy (e.g., with Nginx, Traefik, or other reverse proxies). When using the default Caddy deployment, only Caddy exposes ports externally.
+**Internal vs External ports**: Internal ports are what services listen on inside their containers. External (Exposed) ports show the host-to-container mapping used when running without the built-in Traefik (e.g., with Nginx or other reverse proxies). When using the default Traefik deployment, only Traefik exposes ports externally.
The combined server includes an embedded STUN server, eliminating the need for a separate coturn container. STUN functionality is configured via the `stunPorts` setting in `config.yaml`.
-### Default Settings
+### Default Deployment (Built-in Traefik)
-The compose file includes these defaults applied to all services:
+The default `getting-started.sh` deployment generates a Docker Compose file with three services: Traefik (reverse proxy with automatic TLS), the dashboard, and the combined NetBird server. Traefik uses Docker labels on each service to configure routing.
```yaml
-x-default: &default
- restart: 'unless-stopped'
- logging:
- driver: 'json-file'
- options:
- max-size: '500m'
- max-file: '2'
-```
+services:
+ # Traefik reverse proxy (automatic TLS via Let's Encrypt)
+ traefik:
+ image: traefik:v3.6
+ container_name: netbird-traefik
+ restart: unless-stopped
+ networks: [netbird]
+ command:
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.docker.network=netbird"
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.websecure.address=:443"
+ - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0"
+ - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+ - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+ ports:
+ - '443:443'
+ - '80:80'
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - netbird_traefik_letsencrypt:/letsencrypt
-### Dashboard Service
+ # UI dashboard
+ dashboard:
+ image: netbirdio/dashboard:latest
+ container_name: netbird-dashboard
+ restart: unless-stopped
+ networks: [netbird]
+ env_file:
+ - ./dashboard.env
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.com`)
+ - traefik.http.routers.netbird-dashboard.entrypoints=websecure
+ - traefik.http.routers.netbird-dashboard.tls=true
+ - traefik.http.routers.netbird-dashboard.tls.certresolver=letsencrypt
+ - traefik.http.routers.netbird-dashboard.priority=1
+ - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
-The dashboard provides the web interface for NetBird management.
+ # Combined server (Management + Signal + Relay + STUN)
+ netbird-server:
+ image: netbirdio/netbird-server:latest
+ container_name: netbird-server
+ restart: unless-stopped
+ networks: [netbird]
+ ports:
+ - '3478:3478/udp'
+ volumes:
+ - netbird_data:/var/lib/netbird
+ - ./config.yaml:/etc/netbird/config.yaml
+ command: ["--config", "/etc/netbird/config.yaml"]
+ labels:
+ - traefik.enable=true
+ # gRPC router (needs h2c backend for HTTP/2 cleartext)
+ - traefik.http.routers.netbird-grpc.rule=Host(`netbird.example.com`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`))
+ - traefik.http.routers.netbird-grpc.entrypoints=websecure
+ - traefik.http.routers.netbird-grpc.tls=true
+ - traefik.http.routers.netbird-grpc.tls.certresolver=letsencrypt
+ - traefik.http.routers.netbird-grpc.service=netbird-server-h2c
+ # Backend router (relay, WebSocket, API, OAuth2)
+ - traefik.http.routers.netbird-backend.rule=Host(`netbird.example.com`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))
+ - traefik.http.routers.netbird-backend.entrypoints=websecure
+ - traefik.http.routers.netbird-backend.tls=true
+ - traefik.http.routers.netbird-backend.tls.certresolver=letsencrypt
+ - traefik.http.routers.netbird-backend.service=netbird-server
+ # Services
+ - traefik.http.services.netbird-server.loadbalancer.server.port=80
+ - traefik.http.services.netbird-server-h2c.loadbalancer.server.port=80
+ - traefik.http.services.netbird-server-h2c.loadbalancer.server.scheme=h2c
-**With built-in Caddy (default):**
-```yaml
-dashboard:
- image: netbirdio/dashboard:latest
- container_name: netbird-dashboard
- restart: unless-stopped
- networks: [netbird]
- env_file:
- - ./dashboard.env
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
-```
+volumes:
+ netbird_data:
+ netbird_traefik_letsencrypt:
-**With external reverse proxy (exposed ports):**
-```yaml
-dashboard:
- image: netbirdio/dashboard:latest
- container_name: netbird-dashboard
- restart: unless-stopped
- networks: [netbird]
- ports:
- - '127.0.0.1:8080:80'
- env_file:
- - ./dashboard.env
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
+networks:
+ netbird:
```
-The dashboard service is configured via the `dashboard.env` file. See the [dashboard.env section](#dashboard-env) for the full list of environment variables. When using the built-in Caddy, no ports are exposed directly from the dashboard container; Caddy routes traffic to it internally.
+The `readTimeout=0` on the websecure entrypoint is required for gRPC long-lived streams (Management sync and Signal). Without it, Traefik's default 60-second timeout disconnects clients periodically.
-### Combined NetBird Server Service
-
-The combined NetBird server is the core of NetBird, handling peer registration, authentication, signaling, and relay in a single container.
-
-**With built-in Caddy (default):**
-```yaml
-netbird-server:
- image: netbirdio/netbird-server:latest
- container_name: netbird-server
- restart: unless-stopped
- networks: [netbird]
- ports:
- - '3478:3478/udp' # Embedded STUN server (must be exposed publicly)
- volumes:
- - netbird_data:/var/lib/netbird
- - ./config.yaml:/etc/netbird/config.yaml
- command: ["--config", "/etc/netbird/config.yaml"]
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
-```
-
-**With external reverse proxy (exposed ports):**
-```yaml
-netbird-server:
- image: netbirdio/netbird-server:latest
- container_name: netbird-server
- restart: unless-stopped
- networks: [netbird]
- ports:
- - '127.0.0.1:8081:80' # HTTP (for reverse proxy)
- - '3478:3478/udp' # Embedded STUN server (must be exposed publicly)
- volumes:
- - netbird_data:/var/lib/netbird
- - ./config.yaml:/etc/netbird/config.yaml
- command: ["--config", "/etc/netbird/config.yaml"]
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
-```
-
The STUN port (3478/udp) must always be exposed publicly, regardless of reverse proxy configuration. STUN uses UDP for NAT detection and cannot be proxied through HTTP reverse proxies.
-To use an external database, add environment variables:
+### With External Reverse Proxy (Exposed Ports)
+
+When using your own reverse proxy (Nginx, external Traefik, etc.), the script generates a simpler compose file without the Traefik container, exposing service ports on localhost instead:
+
```yaml
- environment:
- - NETBIRD_STORE_ENGINE_POSTGRES_DSN=postgres://user:password@host:5432/netbird
- # Or for MySQL:
- # - NETBIRD_STORE_ENGINE_MYSQL_DSN=user:password@tcp(host:3306)/netbird
+services:
+ dashboard:
+ image: netbirdio/dashboard:latest
+ container_name: netbird-dashboard
+ restart: unless-stopped
+ networks: [netbird]
+ ports:
+ - '127.0.0.1:8080:80'
+ env_file:
+ - ./dashboard.env
+
+ netbird-server:
+ image: netbirdio/netbird-server:latest
+ container_name: netbird-server
+ restart: unless-stopped
+ networks: [netbird]
+ ports:
+ - '127.0.0.1:8081:80'
+ - '3478:3478/udp'
+ volumes:
+ - netbird_data:/var/lib/netbird
+ - ./config.yaml:/etc/netbird/config.yaml
+ command: ["--config", "/etc/netbird/config.yaml"]
+
+volumes:
+ netbird_data:
+
+networks:
+ netbird:
```
+Your reverse proxy should forward traffic to `127.0.0.1:8081` for the NetBird server and `127.0.0.1:8080` for the dashboard. gRPC routes require HTTP/2 (h2c) upstream support.
+
### Volume Configuration
| Volume | Mount Point | Purpose |
|--------|-------------|---------|
| `netbird_data` | `/var/lib/netbird` | Stores the management database (SQLite by default), encryption keys, and persistent state. Back up this volume regularly to preserve your accounts, peers, policies, and setup keys. |
-| `netbird_caddy_data` | `/data` | Stores Caddy's TLS certificates and other persistent data. Only used when deploying with the built-in Caddy reverse proxy. Preserve this volume to maintain TLS certificates across restarts. |
+| `netbird_traefik_letsencrypt` | `/letsencrypt` | Stores Traefik's Let's Encrypt TLS certificates. Only used when deploying with the built-in Traefik reverse proxy. Preserve this volume to maintain TLS certificates across restarts. |
-The `getting-started.sh` deployment uses only two volumes: `netbird_data` for the server database and `netbird_caddy_data` for Caddy's certificate storage.
+The `getting-started.sh` deployment uses only two volumes: `netbird_data` for the server database and `netbird_traefik_letsencrypt` for Traefik's certificate storage.
---
@@ -201,11 +218,8 @@ server:
dataDir: "/var/lib/netbird"
auth:
- enabled: true
issuer: "https://netbird.example.com/oauth2"
signKeyRefreshEnabled: true
- storage:
- type: "sqlite3"
dashboardRedirectURIs:
- "https://netbird.example.com/nb-auth"
- "https://netbird.example.com/nb-silent-auth"
@@ -213,7 +227,8 @@ server:
- "http://localhost:53000/"
store:
- engine: "sqlite"
+ engine: "sqlite" # sqlite, postgres, or mysql
+ dsn: "" # Connection string for postgres or mysql
encryptionKey: "your-encryption-key"
```
@@ -254,18 +269,12 @@ server:
Configures the built-in identity provider that handles user authentication and management.
-
- Enable the embedded identity provider. When `true`, the server hosts OAuth2/OIDC endpoints at `/oauth2/`.
-
The OAuth2/OIDC issuer URL (e.g., `https://netbird.example.com/oauth2`). This URL is used to validate JWT tokens.
Enables automatic refresh of IdP signing keys. Recommended for production.
-
- Storage backend for IdP data. Default: `sqlite3`
-
OAuth2 redirect URIs for the dashboard application.
@@ -274,7 +283,7 @@ Configures the built-in identity provider that handles user authentication and m
-When `auth.enabled` is `true`, the server automatically:
+The embedded identity provider is always enabled in the combined server. It automatically:
- Hosts OIDC discovery at `https://your-domain/oauth2/.well-known/openid-configuration`
- Provides JWKS (signing keys) at `https://your-domain/oauth2/keys`
- Handles token issuance at `https://your-domain/oauth2/token`
@@ -289,6 +298,9 @@ Configures the database backend for storing all NetBird data.
Database engine. Options: `sqlite`, `postgres`, `mysql`. Default: `sqlite`
+
+ Connection string for postgres or mysql engines. For postgres: `host=localhost user=netbird password=secret dbname=netbird port=5432`. Alternatively, use the `NETBIRD_STORE_ENGINE_POSTGRES_DSN` or `NETBIRD_STORE_ENGINE_MYSQL_DSN` environment variables.
+
Key used to encrypt sensitive data in the database. Keep this secure and backed up.
@@ -354,13 +366,13 @@ AUTH_SUPPORTED_SCOPES=openid profile email groups
AUTH_REDIRECT_URI=/nb-auth
AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
-# SSL - disabled when behind reverse proxy (Caddy handles TLS)
+# SSL - disabled when behind reverse proxy (Traefik handles TLS)
NGINX_SSL_PORT=443
LETSENCRYPT_DOMAIN=none
```
-When using the built-in Caddy or an external reverse proxy, set `LETSENCRYPT_DOMAIN=none` because the reverse proxy handles TLS termination. Only set a domain here if running the dashboard standalone without a reverse proxy.
+When using the built-in Traefik or an external reverse proxy, set `LETSENCRYPT_DOMAIN=none` because the reverse proxy handles TLS termination. Only set a domain here if running the dashboard standalone without a reverse proxy.
### Endpoint Configuration
@@ -398,7 +410,7 @@ The dashboard container's embedded nginx server can be configured using these en
The `NGINX_SSL_PORT` and Let's Encrypt variables are **only necessary when running the dashboard standalone** without an external reverse proxy. In standalone mode, the dashboard's embedded nginx handles SSL/TLS termination directly.
-**For most installations** that use the built-in Caddy reverse proxy (the default `getting-started.sh` deployment) or an external reverse proxy like Traefik or Nginx, **you do not need to configure these nginx variables**. The reverse proxy handles SSL termination and routes traffic to the dashboard container, which serves content over HTTP internally.
+**For most installations** that use the built-in Traefik reverse proxy (the default `getting-started.sh` deployment) or an external reverse proxy like Nginx, **you do not need to configure these nginx variables**. The reverse proxy handles SSL termination and routes traffic to the dashboard container, which serves content over HTTP internally.
When behind a reverse proxy:
- Set `LETSENCRYPT_DOMAIN=none` to disable the dashboard's internal Let's Encrypt
@@ -414,18 +426,19 @@ When behind a reverse proxy:
To use PostgreSQL instead of SQLite:
-1. Update `config.yaml`:
+Update `config.yaml`:
```yaml
server:
store:
engine: "postgres"
+ dsn: "host=db-server user=netbird password=secret dbname=netbird port=5432"
```
-2. Set the connection string in `docker-compose.yml`:
+Alternatively, you can use an environment variable instead of putting the DSN in the config file:
```yaml
netbird-server:
environment:
- - NETBIRD_STORE_ENGINE_POSTGRES_DSN=postgres://user:password@host:5432/netbird?sslmode=disable
+ - NETBIRD_STORE_ENGINE_POSTGRES_DSN=host=db-server user=netbird password=secret dbname=netbird port=5432
```
See [Management Postgres Store](/selfhosted/postgres-store) for detailed setup.
@@ -454,7 +467,7 @@ netbird-server:
When running behind your own reverse proxy (Traefik, Nginx, etc.):
1. Set `LETSENCRYPT_DOMAIN=none` in `dashboard.env`
-2. The combined server handles trusted proxy detection automatically when running behind Caddy or other proxies.
+2. The combined server handles trusted proxy detection automatically when running behind Traefik or other proxies.
See [Reverse Proxy Configuration](/selfhosted/reverse-proxy) for detailed templates.
diff --git a/src/pages/selfhosted/maintenance/backup.mdx b/src/pages/selfhosted/maintenance/backup.mdx
index 537c9c1f..f82db025 100644
--- a/src/pages/selfhosted/maintenance/backup.mdx
+++ b/src/pages/selfhosted/maintenance/backup.mdx
@@ -5,17 +5,17 @@ To back up your NetBird installation, you need to copy the configuration files a
The configuration files are located in the folder where you ran [the installation script](/selfhosted/selfhosted-quickstart#installation-script). To back up, copy the files to a backup location:
```bash
mkdir backup
-cp docker-compose.yml Caddyfile dashboard.env management.json relay.env backup/
+cp docker-compose.yml dashboard.env config.yaml backup/
```
For detailed information about each configuration file and its options, see the [Configuration Files Reference](/selfhosted/configuration-files).
-To save the Management service databases, stop the Management service and copy the files from the store directory:
+To save the server databases, stop the server and copy the files from the data directory:
```bash
-docker compose stop management
-docker compose cp -a management:/var/lib/netbird/ backup/
-docker compose start management
+docker compose stop netbird-server
+docker compose cp -a netbird-server:/var/lib/netbird/ backup/
+docker compose start netbird-server
```
## Get In Touch
diff --git a/src/pages/selfhosted/maintenance/remove.mdx b/src/pages/selfhosted/maintenance/remove.mdx
index 66b1dacf..122fe66c 100644
--- a/src/pages/selfhosted/maintenance/remove.mdx
+++ b/src/pages/selfhosted/maintenance/remove.mdx
@@ -5,7 +5,7 @@ To remove the NetBird installation and all related data from your server, run th
# remove all NetBird-related containers and volumes (data)
docker compose down --volumes
# remove downloaded and generated config files
-rm -f docker-compose.yml Caddyfile dashboard.env management.json relay.env
+rm -f docker-compose.yml dashboard.env config.yaml nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt
```
## Get In Touch
diff --git a/src/pages/selfhosted/maintenance/scaling/migrate-sqlite-to-postgresql.mdx b/src/pages/selfhosted/maintenance/scaling/migrate-sqlite-to-postgresql.mdx
index ec3ccd5f..969995bc 100644
--- a/src/pages/selfhosted/maintenance/scaling/migrate-sqlite-to-postgresql.mdx
+++ b/src/pages/selfhosted/maintenance/scaling/migrate-sqlite-to-postgresql.mdx
@@ -95,14 +95,15 @@ server:
store:
engine: "postgres"
+ dsn: "host=postgres-server user=postgres password=password dbname=postgres port=5432"
```
-Then pass the PostgreSQL connection string as an environment variable in your `docker-compose.yml`:
+Alternatively, you can pass the connection string as an environment variable instead of putting it in the config file:
```yaml
netbird-server:
environment:
- - NETBIRD_STORE_ENGINE_POSTGRES_DSN=postgres://postgres:password@postgres-server:5432/postgres
+ - NETBIRD_STORE_ENGINE_POSTGRES_DSN=host=postgres-server user=postgres password=password dbname=postgres port=5432
```
## Restart and Verify
diff --git a/src/pages/selfhosted/maintenance/scaling/scaling-your-self-hosted-deployment.mdx b/src/pages/selfhosted/maintenance/scaling/scaling-your-self-hosted-deployment.mdx
index 3261bc2c..4d817cde 100644
--- a/src/pages/selfhosted/maintenance/scaling/scaling-your-self-hosted-deployment.mdx
+++ b/src/pages/selfhosted/maintenance/scaling/scaling-your-self-hosted-deployment.mdx
@@ -19,10 +19,10 @@ This guide assumes you have already [deployed a single-server NetBird](/selfhost
## Architecture Overview
-The default single-server deployment runs all services on one machine: **Caddy** (reverse proxy), **Dashboard** (web UI),
-and a **combined netbird-server** container that includes Management, Signal, and Relay + STUN as components. Caddy handles TLS termination on ports 80/443, while STUN listens on UDP port 3478. The Management server uses a **SQLite** database by default.
+The default single-server deployment runs all services on one machine: **Traefik** (reverse proxy), **Dashboard** (web UI),
+and a **combined netbird-server** container that includes Management, Signal, and Relay + STUN as components. Traefik handles TLS termination on ports 80/443, while STUN listens on UDP port 3478. The Management server uses a **SQLite** database by default.
-After splitting, the **main server** keeps Caddy, Dashboard, Management, and optionally Signal.
+After splitting, the **main server** keeps Traefik, Dashboard, Management, and optionally Signal.
The **relay servers** run independently on different machines, each handling relay (port 443) and STUN (port 3478) traffic. Peers receive relay addresses from the Management server and connect to them directly. Optionally, the SQLite database can be migrated to **PostgreSQL** on a dedicated server, and Signal can also be extracted to its own machine.
## Guides
diff --git a/src/pages/selfhosted/maintenance/scaling/set-up-external-relays.mdx b/src/pages/selfhosted/maintenance/scaling/set-up-external-relays.mdx
index b43cc327..7bb1e22f 100644
--- a/src/pages/selfhosted/maintenance/scaling/set-up-external-relays.mdx
+++ b/src/pages/selfhosted/maintenance/scaling/set-up-external-relays.mdx
@@ -183,7 +183,6 @@ server:
credentialsTTL: "24h"
auth:
- enabled: true
issuer: "https://netbird.example.com/oauth2"
# ... rest of auth config
```
diff --git a/src/pages/selfhosted/maintenance/upgrade.mdx b/src/pages/selfhosted/maintenance/upgrade.mdx
index 1e8d57f3..9f8c4a17 100644
--- a/src/pages/selfhosted/maintenance/upgrade.mdx
+++ b/src/pages/selfhosted/maintenance/upgrade.mdx
@@ -46,11 +46,11 @@ To upgrade NetBird to the latest version:
2. Review the release notes (see above) for any breaking changes.
3. Pull the latest NetBird docker images:
```bash
- docker compose pull management dashboard signal relay
+ docker compose pull netbird-server dashboard
```
4. Restart the NetBird containers with the new images:
```bash
- docker compose up -d --force-recreate management dashboard signal relay
+ docker compose up -d --force-recreate netbird-server dashboard
```
diff --git a/src/pages/selfhosted/reverse-proxy.mdx b/src/pages/selfhosted/reverse-proxy.mdx
index d74745a0..abf0fd2b 100644
--- a/src/pages/selfhosted/reverse-proxy.mdx
+++ b/src/pages/selfhosted/reverse-proxy.mdx
@@ -1,6 +1,6 @@
# Reverse Proxy Configuration
-NetBird includes a built-in Caddy reverse proxy that handles TLS certificates automatically. However, if you already have an existing reverse proxy (Traefik, Nginx, etc.), you can configure NetBird to work with it instead.
+NetBird includes a built-in Traefik reverse proxy that handles TLS certificates automatically via Let's Encrypt. However, if you already have an existing reverse proxy (Nginx, Caddy, etc.), you can configure NetBird to work with it instead.
Not all reverse proxies are supported as NetBird uses *gRPC* for various components. Your reverse proxy must support HTTP/2 and gRPC proxying.
@@ -14,8 +14,8 @@ The `getting-started.sh` script supports multiple reverse proxy configurations.
```
Which reverse proxy will you use?
- [0] Built-in Caddy (recommended - automatic TLS)
- [1] Traefik (labels added to containers)
+ [0] Traefik (recommended - automatic TLS, included in Docker Compose)
+ [1] Existing Traefik (labels for external Traefik instance)
[2] Nginx (generates config template)
[3] Nginx Proxy Manager (generates config + instructions)
[4] External Caddy (generates Caddyfile snippet)
diff --git a/src/pages/selfhosted/selfhosted-guide.mdx b/src/pages/selfhosted/selfhosted-guide.mdx
index 05ab4664..8a5195f7 100644
--- a/src/pages/selfhosted/selfhosted-guide.mdx
+++ b/src/pages/selfhosted/selfhosted-guide.mdx
@@ -201,7 +201,7 @@ docker compose logs dashboard
## Advanced: Running NetBird behind an existing reverse-proxy
-If you already have a reverse proxy (Traefik, Nginx, Caddy, etc.), you can configure NetBird to work with it instead of using the built-in Caddy.
+If you already have a reverse proxy (Nginx, Caddy, etc.), you can configure NetBird to work with it instead of using the built-in Traefik.
Not all reverse proxies are supported as NetBird uses *gRPC* for various components. Your reverse proxy must support HTTP/2 and gRPC proxying.
diff --git a/src/pages/selfhosted/selfhosted-quickstart.mdx b/src/pages/selfhosted/selfhosted-quickstart.mdx
index 624cf90e..20ffba7e 100644
--- a/src/pages/selfhosted/selfhosted-quickstart.mdx
+++ b/src/pages/selfhosted/selfhosted-quickstart.mdx
@@ -39,8 +39,8 @@ The script will prompt you to select a reverse proxy option:
```
Which reverse proxy will you use?
- [0] Built-in Caddy (recommended - automatic TLS)
- [1] Traefik (labels added to containers)
+ [0] Traefik (recommended - automatic TLS, included in Docker Compose)
+ [1] Existing Traefik (labels for external Traefik instance)
[2] Nginx (generates config template)
[3] Nginx Proxy Manager (generates config + instructions)
[4] External Caddy (generates Caddyfile snippet)
@@ -49,7 +49,7 @@ Which reverse proxy will you use?
Enter choice [0-5] (default: 0):
```
-**For this quickstart guide, select option `[0]` (Built-in Caddy)** - just press Enter to use the default. This option handles TLS certificates automatically via Let's Encrypt and requires no additional configuration.
+**For this quickstart guide, select option `[0]` (Traefik)** - just press Enter to use the default. This option includes a Traefik container in the Docker Compose setup and handles TLS certificates automatically via Let's Encrypt with no additional configuration.
If you already have a reverse proxy (Traefik, Nginx, etc.) and want to use it instead, the script will guide you through the setup. See the [Reverse Proxy Configuration](/selfhosted/reverse-proxy) guide for detailed instructions on each option.
@@ -61,8 +61,8 @@ If you already have a reverse proxy (Traefik, Nginx, etc.) and want to use it in
root@selfhosted-1:~/netbird# bash getting-started.sh
Which reverse proxy will you use?
- [0] Built-in Caddy (recommended - automatic TLS)
- [1] Traefik (labels added to containers)
+ [0] Traefik (recommended - automatic TLS, included in Docker Compose)
+ [1] Existing Traefik (labels for external Traefik instance)
[2] Nginx (generates config template)
[3] Nginx Proxy Manager (generates config + instructions)
[4] External Caddy (generates Caddyfile snippet)
@@ -74,12 +74,12 @@ Rendering initial files...
Starting NetBird services
[+] up 6/6
- ✔ Network combined_netbird Created 0.1s
- ✔ Volume combined_netbird_data Created 0.0s
- ✔ Volume combined_netbird_caddy_data Created 0.0s
- ✔ Container netbird-server Created 0.1s
- ✔ Container netbird-caddy Created 0.1s
- ✔ Container netbird-dashboard Created 0.1s
+ ✔ Network combined_netbird Created 0.1s
+ ✔ Volume combined_netbird_data Created 0.0s
+ ✔ Volume combined_netbird_traefik_letsencrypt Created 0.0s
+ ✔ Container netbird-server Created 0.1s
+ ✔ Container netbird-traefik Created 0.1s
+ ✔ Container netbird-dashboard Created 0.1s
Waiting for NetBird server to become ready . . . done
Done!
@@ -148,6 +148,22 @@ Once your NetBird instance is running, refer to these guides for ongoing mainten
]}
/>
+
+
---
## Troubleshoot