netbird / nginx setup


not thoroughly tested as we use haproxy instead

warning

the trick is to use grpc_pass (rather than proxy_pass) for the mgmt and signal gRPC services

not sure we need all of those proxy headers for the dashboard and api

setup

# Plain-HTTP vhost: answers ACME http-01 challenges and redirects everything
# else to HTTPS.
server {
    server_name netbird.demo.nethence.com;
    listen [::]:80;
    listen 80;

    # http-01 challenges are fetched over plain HTTP on port 80 (no http2 there).
    # "^~" makes this prefix win without consulting regex locations.
    location ^~ /.well-known/acme-challenge/ {
        # The location prefix and the alias both end in "/" - keep them paired
        # that way so the request path maps cleanly inside the challenge
        # directory and nowhere else.
        alias /var/www/dehydrated/;
        default_type "text/plain";
    }

    # The redirect lives inside "location /" on purpose: a server-level
    # "return" would run before location matching and would also redirect
    # the .well-known/ challenge requests above.
    # $host is taken from the request, so the redirect target follows
    # whatever Host the client sent to this vhost.
    location / {
        return 301 https://$host$request_uri;
    }
}

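# HTTPS vhost: terminates TLS and fans requests out to the local NetBird
# services (dashboard, management HTTP API, management gRPC, signal gRPC).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name netbird.demo.nethence.com;
    # gRPC clients speak HTTP/2, so it must be enabled on this listener.
    http2 on;

    access_log /var/log/nginx/netbird.access.log json;
    error_log  /var/log/nginx/netbird.error.log warn;

    # NOTE(review): no ssl_protocols / ssl_ciphers / HSTS header is set in this
    # block; presumably the TLS policy is inherited from the http{} context -
    # confirm before exposing this vhost.

    # http-01 sample: two certificate/key pairs are loaded and nginx serves
    # whichever matches the client's supported key type.
    # (first pair is presumably RSA, the ECC/ pair ECDSA - verify)
    ssl_certificate     /etc/dehydrated/certs/netbird.demo.nethence.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/netbird.demo.nethence.com/privkey.pem;
    ssl_certificate     /etc/dehydrated/certs/ECC/netbird.demo.nethence.com/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/ECC/netbird.demo.nethence.com/privkey.pem;

    # Dashboard.
    location / {
        proxy_pass http://127.0.0.1:9080;
        # Forwarding Upgrade/Connection only has an effect when the upstream
        # request is HTTP/1.1; nginx versions that default to HTTP/1.0 for
        # proxied requests cannot complete a protocol upgrade.
        proxy_http_version 1.1;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        # X-Real-IP is the address nginx itself saw. X-Forwarded-For is the
        # client-supplied header with that address appended, so only the last
        # entry is trustworthy; the backend should not treat earlier entries
        # as authenticated.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Management HTTP API.
    # NOTE(review): this location talks plain http:// to 127.0.0.1:9444 while
    # the management gRPC location below uses grpcs:// (TLS) to the same port.
    # Confirm whether the management service really accepts both on 9444;
    # otherwise one of the two schemes is wrong.
    # Being a plain prefix match, "/api" also matches any path that merely
    # starts with those characters.
    location /api {
        proxy_pass http://127.0.0.1:9444;
        proxy_http_version 1.1;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Management gRPC service.
    # grpcs:// encrypts the hop to the backend, but nginx does not verify the
    # upstream certificate unless grpc_ssl_verify is enabled. That is tolerable
    # on loopback; enable verification if the backend ever moves off-host.
    location /management.ManagementService/ {
        grpc_pass grpcs://127.0.0.1:9444;
        # The streams are long-lived and can sit idle; the 60s default
        # read/send timeouts would tear them down. The long timeouts are
        # scoped to the gRPC locations only so ordinary HTTP requests keep
        # the shorter defaults.
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
        client_body_timeout 1d;
    }

    # Signal gRPC service (same upstream TLS and timeout considerations as
    # the management gRPC location).
    location /signalexchange.SignalExchange/ {
        grpc_pass grpcs://127.0.0.1:9443;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
        client_body_timeout 1d;
    }

    # No server-side includes and no directory listings on this vhost.
    ssi off;
    autoindex off;
    autoindex_exact_size off;
    # Keep routine browser/crawler probes out of the access and error logs.
    location = /robots.txt    { access_log off; log_not_found off; }
    location = /favicon.ico  { access_log off; log_not_found off; }
    location ~ /apple-touch-icon    { access_log off; log_not_found off; }
}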

resources

https://github.com/netbirdio/netbird/issues/536


Licensed under MIT