Add networking with TLS routing #13762

Merged
merged 4 commits into from
Jul 3, 2022
21 changes: 20 additions & 1 deletion docs/pages/setup/reference/networking.mdx
Expand Up @@ -114,17 +114,36 @@ numbers for each service.

</Admonition>

### Ports with TLS routing

TLS routing is enabled by default. In this mode, all connections to a Teleport service (e.g., the Teleport
SSH Service or Kubernetes) are routed through the Proxy Service's public web address.

Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide.

| Port | Service | Description |
| - | - | - |
| 443 | Proxy | In TLS Routing mode, the Proxy handles all protocols, including Web UI, HTTPS, Kubernetes, SSH, and all databases on a single port. |
| 3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH. Only used when Teleport Node is replacing SSH.|
| 3025 | Auth | SSH port used by the Auth Service to serve its API to other Nodes in a cluster.|
strideynet marked this conversation as resolved.

### Ports without TLS routing

In some cases, administrators may want to use separate ports for different services.
In those cases, they can set up separate listeners in the config file.

| Port | Service | Description |
| - | - | - |
| 3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH. |
| 3023 | Proxy | SSH port clients connect to. The Proxy Service will forward this connection to port `#3022` on the destination Node. |
| 3024 | Proxy | SSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server. |
| 3025 | Auth | SSH port used by the Auth Service to serve its API to other Nodes in a cluster. |
| 3080 | Proxy | HTTPS connection to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI. |
| 3080 or 443 | Proxy | HTTPS connection to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI. |
| 3026 | Kubernetes | HTTPS Kubernetes proxy `proxy_service.kube_listen_addr` |
| 3027 | Kubernetes | Kubernetes Service `kubernetes_service.listen_addr` |
| 3028 | Desktop | Desktop Service `windows_desktop_service.listen_addr` |
| 3036 | MySQL | MySQL port `proxy_service.mysql_addr` |

</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
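
Review bot: In the "Ports with TLS routing" table, the 3022 and 3025 rows do not say who needs to reach them, even though the intro states that all connections to a Teleport service are routed through the Proxy Service's public web address. A reader writing firewall rules from this table cannot tell whether 443 is the only port to expose to clients; consider stating for each row whether it must be reachable from outside the cluster or only from other cluster components. The same gap shows in "Ports without TLS routing": the text says separate listeners are set in the config file, but only the 3026, 3027, 3028 and 3036 rows name the setting (for example `proxy_service.kube_listen_addr`), and the "3080 or 443" row does not say when each value applies.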
