infrastructure: drop Traefik/env template churn, keep only UDP port mapping

Reverts the heavier deployment-template additions from the previous follow-up commit. Keeping just the one new line in docker-compose.yml.tmpl that publishes UDP on the relay port — the Traefik variant, the RELAY_LE_VOLUMESUFFIX env plumbing, and the inline ALPN-mux explainer block all go back. Operator guidance for opening UDP/443 lives in the self-hosting docs alongside the existing TCP/443 instructions.
2026-05-20 15:49:55 +00:00 · 2026-05-17 11:27:43 +00:00
parent a52a004737
commit b717d51bd9
4 changed files with 2 additions and 50 deletions
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -47,10 +47,6 @@ VOLUME_PREFIX="netbird-"
 MGMT_VOLUMESUFFIX="mgmt"
 SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
 # Dedicated Let's Encrypt store for the relay. Required only by the Traefik
 # deployment, where the relay runs its own ACME client to terminate TLS on
 # UDP/443 for WebTransport + raw QUIC (Traefik can't proxy WebTransport).
 RELAY_LE_VOLUMESUFFIX="relay-letsencrypt"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
@@ -115,7 +111,6 @@ export VOLUME_PREFIX
 export MGMT_VOLUMESUFFIX
 export SIGNAL_VOLUMESUFFIX
 export LETSENCRYPT_VOLUMESUFFIX
 export RELAY_LE_VOLUMESUFFIX
 export NETBIRD_DISABLE_ANONYMOUS_METRICS
 export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
 export NETBIRD_MGMT_DNS_DOMAIN
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -112,7 +112,6 @@ mkdir -p $artifacts_path
 MGMT_VOLUMENAME="${VOLUME_PREFIX}${MGMT_VOLUMESUFFIX}"
 SIGNAL_VOLUMENAME="${VOLUME_PREFIX}${SIGNAL_VOLUMESUFFIX}"
 LETSENCRYPT_VOLUMENAME="${VOLUME_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
 RELAY_LE_VOLUMENAME="${VOLUME_PREFIX}${RELAY_LE_VOLUMESUFFIX}"
 # if volume with wiretrustee- prefix already exists, use it, else create new with netbird-
 OLD_PREFIX='wiretrustee-'
 if docker volume ls | grep -q "${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"; then
@@ -128,7 +127,6 @@ fi
 export MGMT_VOLUMENAME
 export SIGNAL_VOLUMENAME
 export LETSENCRYPT_VOLUMENAME
 export RELAY_LE_VOLUMENAME
 #backwards compatibility after migrating to generic OIDC with Auth0
 if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -58,17 +58,6 @@ services:
    ]
  # Relay
  #
  # The relay listens on the same address for three transports, multiplexed by
  # ALPN on a single TLS endpoint:
  #   - TCP: WebSocket (rels:// path /relay) — universal, works through any HTTP proxy
  #   - UDP: raw QUIC (nb-quic ALPN) — used by native clients
  #   - UDP: HTTP/3 + WebTransport (h3 ALPN, path /relay) — used by browser/WASM clients
  # Both TCP and UDP must be published on the same port. Operators who want to
  # disable a transport for clients should NOT remove the port mapping — the
  # listener still binds — instead drop the transport from each entry's
  # `transports:` list in management.json so the management server stops
  # advertising it.
  relay:
    <<: *default
    image: netbirdio/relay:$NETBIRD_RELAY_TAG
--- a/infrastructure_files/docker-compose.yml.tmpl.traefik
+++ b/infrastructure_files/docker-compose.yml.tmpl.traefik
@@ -54,48 +54,19 @@ services:
    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
  # Relay
  #
  # Traefik fronts the TCP/WebSocket side of the relay on port 443 via the HTTP
  # router below — this gives us WS over TLS that traverses any HTTP proxy.
  #
  # WebTransport (h3) and raw QUIC require direct UDP termination on the relay
  # itself: Traefik does not proxy WebTransport sessions, and tunnelling the
  # h3 stream end-to-end through a reverse proxy defeats the point. The relay
  # therefore publishes UDP/443 on the host directly and terminates TLS for
  # both ALPNs ("nb-quic" and "h3") on a single socket via ALPN multiplexing.
  #
  # The relay obtains its own Let's Encrypt certificate (NB_LETSENCRYPT_*
  # below) since Traefik's certificate store is not shared with the container.
  # The cert is bound to NETBIRD_RELAY_DOMAIN — point this at the same FQDN
  # clients use to dial the relay.
  #
  # If a deployment can't open UDP/443 to the host (firewall, k8s without
  # hostPort, etc.), leave it unmapped: native clients fall back to raw QUIC
  # over WS and browser clients fall back to WS. Drop "quic"/"wt" from the
  # management Relays config in that case so clients don't waste a handshake.
  relay:
    <<: *default
    image: netbirdio/relay:$NETBIRD_RELAY_TAG
    environment:
    - NB_LOG_LEVEL=info
-    - NB_LISTEN_ADDRESS=:443
+    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
    - NB_LETSENCRYPT_DOMAINS=$NETBIRD_RELAY_DOMAIN
    - NB_LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
    - NB_LETSENCRYPT_DATA_DIR=/var/lib/netbird-relay
    # todo: change to a secure secret
    - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
    volumes:
      - $RELAY_LE_VOLUMENAME:/var/lib/netbird-relay
    ports:
      # Direct UDP exposure for QUIC + WebTransport (bypasses Traefik).
      - 443:443/udp
    labels:
    # The TCP WS path stays behind Traefik so the existing /relay route keeps
    # working for clients that can't open UDP/443.
    - traefik.enable=true
    - traefik.http.routers.netbird-relay.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/relay`)
-    - traefik.http.services.netbird-relay.loadbalancer.server.port=443
+    - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
  # Management
  management:
@@ -146,4 +117,3 @@ volumes:
  $MGMT_VOLUMENAME:
  $SIGNAL_VOLUMENAME:
  $LETSENCRYPT_VOLUMENAME:
  $RELAY_LE_VOLUMENAME: