netbird / nginx setup

netbird | pfsync | haproxy | nginx | client

not thoroughly tested as we use haproxy instead

warning

the trick is to use grpc_pass (rather than proxy_pass) for the mgmt and signal gRPC services

not sure we need all those proxy_set_header lines for the dashboard and api locations

setup

# plain-HTTP listener: answers ACME http-01 challenges from disk and
# redirects every other request to HTTPS
server {
    server_name netbird.demo.nethence.com;
    listen [::]:80;
    listen 80;

    # deal with http-01 challenges (no http2 there)
    # ^~ keeps regex locations from being consulted for this prefix
    location ^~ /.well-known/acme-challenge/ {
        # trailing slash matters: location and alias both end in "/", so the
        # rest of the URI maps 1:1 onto files inside this directory and
        # cannot resolve to a sibling path
        alias /var/www/dehydrated/;
        default_type text/plain;
    }

    # the redirect lives in an explicit location; a server-level return
    # would also take over .well-known/
    location / {
        # NOTE(review): $host follows the request's Host header, so if this
        # block ends up as the default server for :80 the redirect target is
        # whatever name the client sent
        return 301 https://$host$request_uri;
    }
}

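# TLS front end for NetBird: dashboard and api go through proxy_pass,
# the management and signal gRPC services go through grpc_pass
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name netbird.demo.nethence.com;
        http2 on;

        # the "json" format is not defined here; it has to exist as a
        # log_format in the http context or nginx will refuse to load
        access_log /var/log/nginx/netbird.access.log json;
        error_log  /var/log/nginx/netbird.error.log warn;

        # http-01 sample
        # two certificate/key pairs are loaded; nginx picks one per handshake
        # according to the key types the client supports
        # (presumably RSA under certs/ and ECDSA under certs/ECC/ -- confirm)
        ssl_certificate         /etc/dehydrated/certs/netbird.demo.nethence.com/fullchain.pem;
        ssl_certificate_key     /etc/dehydrated/certs/netbird.demo.nethence.com/privkey.pem;
        ssl_certificate     /etc/dehydrated/certs/ECC/netbird.demo.nethence.com/fullchain.pem;
        ssl_certificate_key /etc/dehydrated/certs/ECC/netbird.demo.nethence.com/privkey.pem;

        # dashboard
        location / {
                proxy_pass http://127.0.0.1:9080;
                # hand the client's Connection/Upgrade headers through unchanged
                proxy_set_header Connection $http_connection;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Host $host;
                # X-Real-IP is overwritten with the TCP peer address, so a
                # client-supplied value never reaches the backend
                proxy_set_header X-Real-IP $remote_addr;
                # $proxy_add_x_forwarded_for appends the peer address to any
                # X-Forwarded-For the client sent: only the last entry is
                # set by this proxy, earlier entries are client-controlled
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        # api
        # NOTE(review): this talks plain http:// to port 9444 while the
        # management gRPC location below talks grpcs:// (TLS) to the same
        # port -- confirm which scheme the backend really serves
        location /api {
                proxy_pass http://127.0.0.1:9444;
                proxy_set_header Connection $http_connection;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # same caveat as above: only the last entry is trustworthy
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        # management gRPC
        # grpcs:// encrypts the hop to the backend, but nginx does not verify
        # the upstream certificate unless grpc_ssl_verify is turned on;
        # tolerable on loopback, revisit if the backend moves to another host
        location /management.ManagementService/ {
                # gRPC streams stay open for a long time; the 60s defaults of
                # these timeouts cut idle streams. The long values are scoped
                # to the gRPC locations only so that ordinary HTTP requests
                # keep the short defaults (not load-tested here)
                client_body_timeout 1d;
                grpc_read_timeout 1d;
                grpc_send_timeout 1d;
                grpc_socket_keepalive on;

                # without these the backend only ever sees 127.0.0.1 as peer,
                # which makes its logs useless for tracing a client
                # (whether the backend consumes them is to be confirmed)
                grpc_set_header X-Real-IP $remote_addr;
                grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                grpc_pass grpcs://127.0.0.1:9444;
        }

        # signal gRPC -- same timeout and header reasoning as management
        location /signalexchange.SignalExchange/ {
                client_body_timeout 1d;
                grpc_read_timeout 1d;
                grpc_send_timeout 1d;
                grpc_socket_keepalive on;

                grpc_set_header X-Real-IP $remote_addr;
                grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                grpc_pass grpcs://127.0.0.1:9443;
        }

        # explicit even though off is already the default for ssi and autoindex
        ssi off;
        autoindex off;
        autoindex_exact_size off;
        # these locations have no proxy_pass: nginx answers them itself
        # (normally a 404) instead of forwarding to the dashboard, and
        # keeps the noise out of the logs
        location = /robots.txt          { access_log off; log_not_found off; }
        location = /favicon.ico         { access_log off; log_not_found off; }
        location ~ /apple-touch-icon    { access_log off; log_not_found off; }
}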

resources

https://github.com/netbirdio/netbird/issues/536


Copyright © 2024 Pierre-Philipp Braun