From a4d49803634b7a197f8818306beebc614354b9e4 Mon Sep 17 00:00:00 2001 From: PizzaLovingNerd Date: Thu, 4 Jun 2026 14:53:23 -0700 Subject: [PATCH 1/2] Update docs for reverse-proxy migration. Fixes https://github.com/netbirdio/netbird/issues/6059. However, make sure to have someone from NetBird review before the pull request. --- .../migration/enable-reverse-proxy.mdx | 39 ++++++++++++++++++- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/src/pages/selfhosted/migration/enable-reverse-proxy.mdx b/src/pages/selfhosted/migration/enable-reverse-proxy.mdx index 53dc35e5..0f58f464 100644 --- a/src/pages/selfhosted/migration/enable-reverse-proxy.mdx +++ b/src/pages/selfhosted/migration/enable-reverse-proxy.mdx @@ -73,6 +73,9 @@ The proxy authenticates with the management server using an access token. Genera docker exec -it netbird-server /go/bin/netbird-server token create \ --name "my-proxy" --config /config.yaml ``` + + \ is usually located at `/etc/netbird`. + **Multi-container** (separate `netbirdio/management` image): @@ -80,7 +83,7 @@ docker exec -it netbird-server /go/bin/netbird-server token create \ docker exec -it netbird-management /go/bin/netbird-mgmt token create --name "my-proxy" ``` -This outputs a token in the format `nbx_...` (40 characters). **Save the token immediately** - it is only displayed once. The management server stores only a SHA-256 hash. +This outputs a token in the format `nbx_...` (40 characters). **Save the token immediately** - it is only displayed once. The management server stores only a SHA-256 hash. Make sure not to accidentally copy the 20 character Token ID instead. You can manage tokens later with: 
@@ -263,7 +266,7 @@ A CrowdSec LAPI (Local API) container runs alongside your deployment, syncs deci | **enforce** | Blocked IPs are denied immediately. If the bouncer is not yet synced, connections are denied (fail-closed). | | **observe** | Blocked IPs are logged but not denied. Use this to evaluate CrowdSec before enforcing. | -#### 7a. Add the CrowdSec container +#### 7a. Add the CrowdSec container and configure Traefik/proxy. Add the following service to your `docker-compose.yml`: @@ -303,6 +306,35 @@ Add `crowdsec_db:` to the `volumes:` section, and update the proxy's `depends_on condition: service_healthy ``` +Inside the configuration for the `traefik` service, inside the `command:` section, add: +```yaml +- "--providers.file.filename=/etc/traefik/dynamic.yaml" +``` + +Inside the `traefik` service `volumes:` section, add: +```yaml +- ./traefik-dynamic.yaml:/etc/traefik/dynamic.yaml:ro +``` + +Inside the `proxy` service `labels:` section, add: +- traefik.tcp.services.proxy-tls.loadbalancer.serverstransport=pp-v2@file~ + +Finally, create a new file called `traefik-dynamic.yaml` containing the following: +```yaml +tcp: + serversTransports: + pp-v2: + proxyProtocol: + version: 2 +``` + + +Then restart Traefik, we will restart the proxy later. + +```bash +docker compose up -d traefik proxy +``` + #### 7b. Start CrowdSec and register a bouncer ```bash @@ -331,6 +363,9 @@ Add these lines to `proxy.env`: ```bash NB_PROXY_CROWDSEC_API_URL=http://crowdsec:8080 NB_PROXY_CROWDSEC_API_KEY= +NB_PROXY_FORWARDED_PROTO=https +NB_PROXY_PROXY_PROTOCOL=true +NB_PROXY_TRUSTED_PROXIES=172.30.0.10 ``` Then restart the proxy: From b5c50ee3e16bcf310941a17ddc327078449e27b8 Mon Sep 17 00:00:00 2001 From: PizzaLovingNerd Date: Thu, 4 Jun 2026 14:59:24 -0700 Subject: [PATCH 2/2] typo fixes for reverse proxy change --- src/pages/selfhosted/migration/enable-reverse-proxy.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/src/pages/selfhosted/migration/enable-reverse-proxy.mdx b/src/pages/selfhosted/migration/enable-reverse-proxy.mdx index 0f58f464..0d31cd84 100644 --- a/src/pages/selfhosted/migration/enable-reverse-proxy.mdx +++ b/src/pages/selfhosted/migration/enable-reverse-proxy.mdx @@ -72,10 +72,10 @@ The proxy authenticates with the management server using an access token. Genera ```bash docker exec -it netbird-server /go/bin/netbird-server token create \ --name "my-proxy" --config /config.yaml + +# NOTE: is usually located at `/etc/netbird`. ``` - - \ is usually located at `/etc/netbird`. - + **Multi-container** (separate `netbirdio/management` image): @@ -332,7 +332,7 @@ tcp: Then restart Traefik, we will restart the proxy later. ```bash -docker compose up -d traefik proxy +docker compose up -d traefik ``` #### 7b. Start CrowdSec and register a bouncer
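Review bot: In PATCH 1/2, hunk @@ -80,7 +83,7, the added sentence "Make sure not to accidentally copy the 20 character Token ID instead." warns about the Token ID without saying how to tell the two values apart. Suggest tying it to the facts already in the same line: the value to save starts with `nbx_` and is 40 characters, while the Token ID is 20 characters. Also hyphenate "20-character".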
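Review bot: In PATCH 1/2, hunk @@ -263,7 +266,7, the new heading "#### 7a. Add the CrowdSec container and configure Traefik/proxy." ends with a period, unlike the neighbouring "#### 7b. Start CrowdSec and register a bouncer". Drop the period. If the site derives anchors from heading text, renaming 7a also changes its anchor, so check for existing links to it.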
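Review bot: In PATCH 1/2, hunk @@ -303,6 +306,35, the proxy label line "- traefik.tcp.services.proxy-tls.loadbalancer.serverstransport=pp-v2@file~" ends in a stray "~", so the referenced name would not match the `pp-v2` transport defined in `traefik-dynamic.yaml`, and PATCH 2/2 does not touch it. Remove the "~" and put the line in a yaml fence like the two snippets above it, so readers copy exactly the label and nothing else. In the same hunk, "Then restart Traefik, we will restart the proxy later." is a comma splice and reads better as two sentences.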
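Review bot: In PATCH 1/2, hunk @@ -331,6 +363,9, `NB_PROXY_TRUSTED_PROXIES=172.30.0.10` is a hard-coded address with no explanation, and nothing in the visible lines assigns 172.30.0.10 to the `traefik` service. Say in the prose that this must be the address Traefik connects from on the compose network and where that address is set, so readers with a different subnet change it. This matters because `NB_PROXY_PROXY_PROTOCOL=true` is enabled alongside it: with PROXY protocol the client address is taken from the header the upstream sends, so a wrong trusted value either breaks connections or leaves CrowdSec decisions applied to the wrong IP. The three new variables are also appended without a sentence explaining them; a short line on what each one does would help.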
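Review bot: In PATCH 2/2, hunk @@ -72,10 +72,10, the relocated comment "# NOTE: is usually located at `/etc/netbird`." has no subject as shown here, so it does not say what is located at /etc/netbird or how that relates to the `--config /config.yaml` argument above it. Name the path or placeholder explicitly, and drop the markdown backticks, which render literally inside a bash fence. Consider placing the comment before the command so it is read before the command is copied.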