[misc] fix: traefik relay accessibility (#3696)

infrastructure_files/base.setup.env

@@ -23,6 +23,7 @@ NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
 # Relay
 NETBIRD_RELAY_DOMAIN=${NETBIRD_RELAY_DOMAIN:-$NETBIRD_DOMAIN}
 NETBIRD_RELAY_PORT=${NETBIRD_RELAY_PORT:-33080}
+NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT}
 # Relay auth secret
 NETBIRD_RELAY_AUTH_SECRET=
 
@@ -135,5 +136,6 @@ export COTURN_TAG
 export NETBIRD_TURN_EXTERNAL_IP
 export NETBIRD_RELAY_DOMAIN
 export NETBIRD_RELAY_PORT
+export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG

infrastructure_files/configure.sh

@@ -170,6 +170,7 @@ fi
 if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
   export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
   export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
+  export NETBIRD_RELAY_ENDPOINT="rels://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT/relay"
 
   echo "Letsencrypt was disabled, the Https-endpoints cannot be used anymore"
   echo " and a reverse-proxy with Https needs to be placed in front of netbird!"
@@ -178,6 +179,7 @@ if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
   echo "- $NETBIRD_MGMT_API_ENDPOINT/api -http-> management:$NETBIRD_MGMT_API_PORT"
   echo "- $NETBIRD_MGMT_API_ENDPOINT/management.ManagementService/ -grpc-> management:$NETBIRD_MGMT_API_PORT"
   echo "- $NETBIRD_SIGNAL_ENDPOINT/signalexchange.SignalExchange/ -grpc-> signal:80"
+  echo "- $NETBIRD_RELAY_ENDPOINT/ -http-> relay:33080"
   echo "You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script."
   echo " The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!"
   echo "You are also free to remove any occurrences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"

infrastructure_files/docker-compose.yml.tmpl

@@ -57,7 +57,7 @@ services:
     environment:
     - NB_LOG_LEVEL=info
     - NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_PORT
-    - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT
+    - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
     # todo: change to a secure secret
     - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
     ports:

infrastructure_files/docker-compose.yml.tmpl.traefik

@@ -3,9 +3,6 @@ services:
   dashboard:
     image: netbirdio/dashboard:$NETBIRD_DASHBOARD_TAG
     restart: unless-stopped
-    #ports:
-    #  - 80:80
-    #  - 443:443
     environment:
       # Endpoints
       - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
@@ -43,11 +40,6 @@ services:
     restart: unless-stopped
     volumes:
       - $SIGNAL_VOLUMENAME:/var/lib/netbird
-    #ports:
-    #  - $NETBIRD_SIGNAL_PORT:80
-  #      # port and command for Let's Encrypt validation
-  #      - 443:443
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
     labels:
     - traefik.enable=true
     - traefik.http.routers.netbird-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/signalexchange.SignalExchange/`)
@@ -65,12 +57,10 @@ services:
     restart: unless-stopped
     environment:
     - NB_LOG_LEVEL=info
-    - NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_PORT
-    - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT
+    - NB_LISTEN_ADDRESS=:33080
+    - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
     # todo: change to a secure secret
     - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
-    # ports:
-    #   - $NETBIRD_RELAY_PORT:$NETBIRD_RELAY_PORT
     logging:
       driver: "json-file"
       options:
@@ -79,7 +69,7 @@ services:
     labels:
     - traefik.enable=true
     - traefik.http.routers.netbird-relay.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/relay`)
-    - traefik.http.services.netbird-relay.loadbalancer.server.port=$NETBIRD_RELAY_PORT
+    - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
 
   # Management
   management:
@@ -91,10 +81,6 @@ services:
       - $MGMT_VOLUMENAME:/var/lib/netbird
       - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
       - ./management.json:/etc/netbird/management.json
-    #ports:
-    #  - $NETBIRD_MGMT_API_PORT:443 #API port
-  #    # command for Let's Encrypt validation without dashboard container
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
     command: [
       "--port", "33073",
       "--log-file", "console",
@@ -129,8 +115,6 @@ services:
     domainname: $TURN_DOMAIN
     volumes:
       - ./turnserver.conf:/etc/turnserver.conf:ro
-    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
-    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
     network_mode: host
     command:
       - -c /etc/turnserver.conf

infrastructure_files/management.json.tmpl

@@ -21,7 +21,7 @@
         "TimeBasedCredentials": false
     },
     "Relay": {
-        "Addresses": ["rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT"],
+        "Addresses": ["$NETBIRD_RELAY_ENDPOINT"],
         "CredentialsTTL": "24h",
         "Secret": "$NETBIRD_RELAY_AUTH_SECRET"
     },

infrastructure_files/setup.env.example

@@ -102,4 +102,15 @@ NETBIRD_RELAY_DOMAIN=""
 
 # Relay server connection port. If none is supplied
 # it will default to 33080
+# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
 NETBIRD_RELAY_PORT=""
+
+# Management API connectin port. If none is supplied
+# it will default to 33073
+# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
+NETBIRD_MGMT_API_PORT=""
+
+# Signal service connectin port. If none is supplied
+# it will default to 10000
+# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
+NETBIRD_SIGNAL_PORT=""