From b717d51bd9fdc01d1275ac3cd704f2a6e5aebf78 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 17 May 2026 11:27:43 +0000
Subject: [PATCH] infrastructure: drop Traefik/env template churn, keep only UDP port mapping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reverts the heavier deployment-template additions from the previous follow-up commit. Keeping just the one new line in docker-compose.yml.tmpl that publishes UDP on the relay port — the Traefik variant, the RELAY_LE_VOLUMESUFFIX env plumbing, and the inline ALPN-mux explainer block all go back. Operator guidance for opening UDP/443 lives in the self-hosting docs alongside the existing TCP/443 instructions.
---
 infrastructure_files/base.setup.env | 5 ---
 infrastructure_files/configure.sh | 2 --
 infrastructure_files/docker-compose.yml.tmpl | 11 ------
 .../docker-compose.yml.tmpl.traefik | 34 ++-----------------
 4 files changed, 2 insertions(+), 50 deletions(-)
diff --git a/infrastructure_files/base.setup.env b/infrastructure_files/base.setup.env
index 822dbbb19..e59939191 100644
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -47,10 +47,6 @@ VOLUME_PREFIX="netbird-"
 MGMT_VOLUMESUFFIX="mgmt"
 SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
-# Dedicated Let's Encrypt store for the relay. Required only by the Traefik
-# deployment, where the relay runs its own ACME client to terminate TLS on
-# UDP/443 for WebTransport + raw QUIC (Traefik can't proxy WebTransport).
-RELAY_LE_VOLUMESUFFIX="relay-letsencrypt"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
@@ -115,7 +111,6 @@ export VOLUME_PREFIX
 export MGMT_VOLUMESUFFIX
 export SIGNAL_VOLUMESUFFIX
 export LETSENCRYPT_VOLUMESUFFIX
-export RELAY_LE_VOLUMESUFFIX
 export NETBIRD_DISABLE_ANONYMOUS_METRICS
 export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
 export NETBIRD_MGMT_DNS_DOMAIN
diff --git a/infrastructure_files/configure.sh b/infrastructure_files/configure.sh
index c3d35f084..92252d0b3 100755
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -112,7 +112,6 @@ mkdir -p $artifacts_path
 MGMT_VOLUMENAME="${VOLUME_PREFIX}${MGMT_VOLUMESUFFIX}"
 SIGNAL_VOLUMENAME="${VOLUME_PREFIX}${SIGNAL_VOLUMESUFFIX}"
 LETSENCRYPT_VOLUMENAME="${VOLUME_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
-RELAY_LE_VOLUMENAME="${VOLUME_PREFIX}${RELAY_LE_VOLUMESUFFIX}"
 # if volume with wiretrustee- prefix already exists, use it, else create new with netbird-
 OLD_PREFIX='wiretrustee-'
 if docker volume ls | grep -q "${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"; then
@@ -128,7 +127,6 @@ fi
 export MGMT_VOLUMENAME
 export SIGNAL_VOLUMENAME
 export LETSENCRYPT_VOLUMENAME
-export RELAY_LE_VOLUMENAME
 #backwards compatibility after migrating to generic OIDC with Auth0
 if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
diff --git a/infrastructure_files/docker-compose.yml.tmpl b/infrastructure_files/docker-compose.yml.tmpl
index 5fdb95035..ed9949acd 100644
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -58,17 +58,6 @@ services:
 ]
 # Relay
-#
-# The relay listens on the same address for three transports, multiplexed by
-# ALPN on a single TLS endpoint:
-# - TCP: WebSocket (rels:// path /relay) — universal, works through any HTTP proxy
-# - UDP: raw QUIC (nb-quic ALPN) — used by native clients
-# - UDP: HTTP/3 + WebTransport (h3 ALPN, path /relay) — used by browser/WASM clients
-# Both TCP and UDP must be published on the same port. Operators who want to
-# disable a transport for clients should NOT remove the port mapping — the
-# listener still binds — instead drop the transport from each entry's
-# `transports:` list in management.json so the management server stops
-# advertising it.
 relay:
 <<: *default
 image: netbirdio/relay:$NETBIRD_RELAY_TAG
diff --git a/infrastructure_files/docker-compose.yml.tmpl.traefik b/infrastructure_files/docker-compose.yml.tmpl.traefik
index bd73bf8b5..0010974c5 100644
--- a/infrastructure_files/docker-compose.yml.tmpl.traefik
+++ b/infrastructure_files/docker-compose.yml.tmpl.traefik
@@ -54,48 +54,19 @@ services:
 - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
 # Relay
-#
-# Traefik fronts the TCP/WebSocket side of the relay on port 443 via the HTTP
-# router below — this gives us WS over TLS that traverses any HTTP proxy.
-#
-# WebTransport (h3) and raw QUIC require direct UDP termination on the relay
-# itself: Traefik does not proxy WebTransport sessions, and tunnelling the
-# h3 stream end-to-end through a reverse proxy defeats the point. The relay
-# therefore publishes UDP/443 on the host directly and terminates TLS for
-# both ALPNs ("nb-quic" and "h3") on a single socket via ALPN multiplexing.
-#
-# The relay obtains its own Let's Encrypt certificate (NB_LETSENCRYPT_*
-# below) since Traefik's certificate store is not shared with the container.
-# The cert is bound to NETBIRD_RELAY_DOMAIN — point this at the same FQDN
-# clients use to dial the relay.
-#
-# If a deployment can't open UDP/443 to the host (firewall, k8s without
-# hostPort, etc.), leave it unmapped: native clients fall back to raw QUIC
-# over WS and browser clients fall back to WS. Drop "quic"/"wt" from the
-# management Relays config in that case so clients don't waste a handshake.
 relay:
 <<: *default
 image: netbirdio/relay:$NETBIRD_RELAY_TAG
 environment:
 - NB_LOG_LEVEL=info
- - NB_LISTEN_ADDRESS=:443
+ - NB_LISTEN_ADDRESS=:33080
 - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
- - NB_LETSENCRYPT_DOMAINS=$NETBIRD_RELAY_DOMAIN
- - NB_LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
- - NB_LETSENCRYPT_DATA_DIR=/var/lib/netbird-relay
 # todo: change to a secure secret
 - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
- volumes:
- - $RELAY_LE_VOLUMENAME:/var/lib/netbird-relay
- ports:
- # Direct UDP exposure for QUIC + WebTransport (bypasses Traefik).
- - 443:443/udp
 labels:
- # The TCP WS path stays behind Traefik so the existing /relay route keeps
- # working for clients that can't open UDP/443.
 - traefik.enable=true
 - traefik.http.routers.netbird-relay.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/relay`)
- - traefik.http.services.netbird-relay.loadbalancer.server.port=443
+ - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
 # Management
 management:
@@ -146,4 +117,3 @@ volumes:
 $MGMT_VOLUMENAME:
 $SIGNAL_VOLUMENAME:
 $LETSENCRYPT_VOLUMENAME:
- $RELAY_LE_VOLUMENAME:
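Review bot: With `NB_LISTEN_ADDRESS=:33080` restored and the `443:443/udp` mapping removed, nothing in the Traefik variant publishes a UDP path to the relay any more, so the QUIC and WebTransport transports can only fail here while Traefik proxies just the TCP `/relay` route. The commit message points operators to the self-hosting docs for UDP, but this template is now silent on it, and the reverted block was the only place telling operators to drop `quic`/`wt` from the management Relays config when UDP is unavailable — if that config still advertises them, clients will attempt a handshake that cannot complete. A one-line comment above `relay:` would keep the operational point without the reverted explainer, e.g. `# Traefik fronts only the TCP/WebSocket /relay route; UDP (QUIC/WebTransport) is not published in this variant — drop "quic"/"wt" from the management Relays config, or publish the relay port on UDP directly.` The `relay:` service is complete within the hunk; the enclosing `services:` map starts before it.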