From 6c0cdb6ed17a90992410269eb75362e48ac303db Mon Sep 17 00:00:00 2001
From: Ghazy Abdallah
Date: Thu, 5 Jun 2025 15:15:01 +0300
Subject: [PATCH] [misc] fix: traefik relay accessibility (#3696)
---
 infrastructure_files/base.setup.env | 2 ++
 infrastructure_files/configure.sh | 2 ++
 infrastructure_files/docker-compose.yml.tmpl | 2 +-
 .../docker-compose.yml.tmpl.traefik | 22 +++----------------
 infrastructure_files/management.json.tmpl | 2 +-
 infrastructure_files/setup.env.example | 11 ++++++++++
 6 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/infrastructure_files/base.setup.env b/infrastructure_files/base.setup.env
index ebc38a11f..fdba1f215 100644
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -23,6 +23,7 @@ NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
 # Relay
 NETBIRD_RELAY_DOMAIN=${NETBIRD_RELAY_DOMAIN:-$NETBIRD_DOMAIN}
 NETBIRD_RELAY_PORT=${NETBIRD_RELAY_PORT:-33080}
+NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT}
 # Relay auth secret
 NETBIRD_RELAY_AUTH_SECRET=
@@ -135,5 +136,6 @@ export COTURN_TAG
 export NETBIRD_TURN_EXTERNAL_IP
 export NETBIRD_RELAY_DOMAIN
 export NETBIRD_RELAY_PORT
+export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG
diff --git a/infrastructure_files/configure.sh b/infrastructure_files/configure.sh
index d02e4f40c..6898555aa 100755
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -170,6 +170,7 @@ fi
 if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
 export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
 export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
+ export NETBIRD_RELAY_ENDPOINT="rels://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT/relay"
 echo "Letsencrypt was disabled, the Https-endpoints cannot be used anymore"
 echo " and a reverse-proxy with Https needs to be placed in front of netbird!"
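Review bot: The added relay override builds the endpoint from `$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT`, while the default added to base.setup.env in this same commit is `rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT` and setup.env.example now tells operators to set NETBIRD_RELAY_PORT to the reverse proxy's TLS port. An operator who follows that advice with Let's Encrypt disabled ends up with a relay endpoint pointing at the signal port, and at NETBIRD_DOMAIN even when NETBIRD_RELAY_DOMAIN differs; `export NETBIRD_RELAY_ENDPOINT="rels://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT/relay"` would keep the three places consistent. The unconditional export also overwrites any NETBIRD_RELAY_ENDPOINT the operator set in setup.env, which base.setup.env otherwise honours through `${NETBIRD_RELAY_ENDPOINT:-...}`; if that is intended (it mirrors the dashboard and signal lines above), a short comment saying so would help. The `if` block continues outside the hunk.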
@@ -178,6 +179,7 @@ if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
 echo "- $NETBIRD_MGMT_API_ENDPOINT/api -http-> management:$NETBIRD_MGMT_API_PORT"
 echo "- $NETBIRD_MGMT_API_ENDPOINT/management.ManagementService/ -grpc-> management:$NETBIRD_MGMT_API_PORT"
 echo "- $NETBIRD_SIGNAL_ENDPOINT/signalexchange.SignalExchange/ -grpc-> signal:80"
+ echo "- $NETBIRD_RELAY_ENDPOINT/ -http-> relay:33080"
 echo "You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script."
 echo " The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!"
 echo "You are also free to remove any occurrences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"
diff --git a/infrastructure_files/docker-compose.yml.tmpl b/infrastructure_files/docker-compose.yml.tmpl
index dc491ae23..b529f9606 100644
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -57,7 +57,7 @@ services:
 environment:
 - NB_LOG_LEVEL=info
 - NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_PORT
- - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT
+ - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
 # todo: change to a secure secret
 - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
 ports:
diff --git a/infrastructure_files/docker-compose.yml.tmpl.traefik b/infrastructure_files/docker-compose.yml.tmpl.traefik
index 8cc3df309..8da3cabb5 100644
--- a/infrastructure_files/docker-compose.yml.tmpl.traefik
+++ b/infrastructure_files/docker-compose.yml.tmpl.traefik
@@ -3,9 +3,6 @@ services:
 dashboard:
 image: netbirdio/dashboard:$NETBIRD_DASHBOARD_TAG
 restart: unless-stopped
- #ports:
- # - 80:80
- # - 443:443
 environment:
 # Endpoints
 - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
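Review bot: The added hint prints the forward target as a literal `relay:33080`, but the docker-compose.yml.tmpl hunk in this same commit still starts the relay with `NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_PORT`, so the literal is only right when the traefik template (which pins 33080) is the one in use. Either print the port the chosen template listens on or qualify the text, e.g. `echo "- $NETBIRD_RELAY_ENDPOINT/ -http-> relay:33080 (relay container port in docker-compose.yml.tmpl.traefik)"`. The surrounding sentence about port-mappings only names docker-compose.yml.tmpl, so a reader of the traefik setup gets no pointer to the right file either. The `if` block starts outside the hunk.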
@@ -43,11 +40,6 @@ services:
 restart: unless-stopped
 volumes:
 - $SIGNAL_VOLUMENAME:/var/lib/netbird
- #ports:
- # - $NETBIRD_SIGNAL_PORT:80
- # # port and command for Let's Encrypt validation
- # - 443:443
- # command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
 labels:
 - traefik.enable=true
 - traefik.http.routers.netbird-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/signalexchange.SignalExchange/`)
@@ -65,12 +57,10 @@ services:
 restart: unless-stopped
 environment:
 - NB_LOG_LEVEL=info
- - NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_PORT
- - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT
+ - NB_LISTEN_ADDRESS=:33080
+ - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
 # todo: change to a secure secret
 - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
- # ports:
- # - $NETBIRD_RELAY_PORT:$NETBIRD_RELAY_PORT
 logging:
 driver: "json-file"
 options:
@@ -79,7 +69,7 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.netbird-relay.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/relay`)
- - traefik.http.services.netbird-relay.loadbalancer.server.port=$NETBIRD_RELAY_PORT
+ - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
 # Management
 management:
@@ -91,10 +81,6 @@ services:
 - $MGMT_VOLUMENAME:/var/lib/netbird
 - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
 - ./management.json:/etc/netbird/management.json
- #ports:
- # - $NETBIRD_MGMT_API_PORT:443 #API port
- # # command for Let's Encrypt validation without dashboard container
- # command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
 command: [
 "--port", "33073",
 "--log-file", "console",
@@ -129,8 +115,6 @@ services:
 domainname: $TURN_DOMAIN
 volumes:
 - ./turnserver.conf:/etc/turnserver.conf:ro
- # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
- # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
 network_mode: host
 command:
 - -c /etc/turnserver.conf
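Review bot: The two `33080` literals that replace `$NETBIRD_RELAY_PORT` (NB_LISTEN_ADDRESS in this hunk and `loadbalancer.server.port` in the next one) carry no explanation, and a reader who sees NETBIRD_RELAY_PORT still defaulting to 33080 in base.setup.env will assume the two are meant to agree. A comment above NB_LISTEN_ADDRESS such as `# fixed container-internal port; NETBIRD_RELAY_PORT is the port clients reach through traefik and feeds NETBIRD_RELAY_ENDPOINT` would make the split explicit, and the same note belongs next to the traefik label. It is also worth confirming that the relay accepts a scheme-prefixed value like `rel://host:port` in NB_EXPOSED_ADDRESS, since the removed line passed a bare host:port; the docker-compose.yml.tmpl hunk makes the same switch.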
diff --git a/infrastructure_files/management.json.tmpl b/infrastructure_files/management.json.tmpl
index c0e57b4fd..4d09816ef 100644
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -21,7 +21,7 @@
 "TimeBasedCredentials": false
 },
 "Relay": {
- "Addresses": ["rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT"],
+ "Addresses": ["$NETBIRD_RELAY_ENDPOINT"],
 "CredentialsTTL": "24h",
 "Secret": "$NETBIRD_RELAY_AUTH_SECRET"
 },
diff --git a/infrastructure_files/setup.env.example b/infrastructure_files/setup.env.example
index b1b64de78..b5b718a71 100644
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -102,4 +102,15 @@ NETBIRD_RELAY_DOMAIN=""
 # Relay server connection port. If none is supplied
 # it will default to 33080
+# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
 NETBIRD_RELAY_PORT=""
+
+# Management API connectin port. If none is supplied
+# it will default to 33073
+# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
+NETBIRD_MGMT_API_PORT=""
+
+# Signal service connectin port. If none is supplied
+# it will default to 10000
+# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
+NETBIRD_SIGNAL_PORT=""