Add networking with TLS routing (#13762)
* Add networking with TLS routing, fixes #13751
klizhentas committed Jul 3, 2022
1 parent 094db97 commit da95fa2
Showing 1 changed file with 22 additions and 2 deletions.
24 changes: 22 additions & 2 deletions docs/pages/setup/reference/networking.mdx
Expand Up @@ -114,17 +114,37 @@ numbers for each service.

</Admonition>

### Ports with TLS routing

TLS routing is enabled by default. In this mode, all connections to a Teleport service (e.g., the Teleport
SSH Service or Kubernetes) are routed through the Proxy Service's public web address.

Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide.

| Port | Service | Description |
| - | - | - |
| 443 | Proxy | In TLS Routing mode, the Proxy handles all protocols, including Web UI, HTTPS, Kubernetes, SSH, and all databases on a single port. |
| 3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH. Only used when Teleport Node is replacing SSH.|
| 3025 | Auth | TLS port used by the Auth Service to serve its API to other Nodes in a cluster.|
| 3028 | Desktop | When using Desktop Service `windows_desktop_service.listen_addr` |

### Ports without TLS routing

In some cases, administrators may want to use separate ports for different services.
In those cases, they can set up separate listeners in the config file.

| Port | Service | Description |
| - | - | - |
| 3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH. |
| 3023 | Proxy | SSH port clients connect to. The Proxy Service will forward this connection to port `#3022` on the destination Node. |
| 3024 | Proxy | SSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server. |
| 3025 | Auth | SSH port used by the Auth Service to serve its API to other Nodes in a cluster. |
| 3080 | Proxy | HTTPS connection to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI. |
| 3025 | Auth | TLS port used by the Auth Service to serve its API to other Nodes in a cluster. |
| 3080 or 443 | Proxy | HTTPS connection to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI. |
| 3026 | Kubernetes | HTTPS Kubernetes proxy `proxy_service.kube_listen_addr` |
| 3027 | Kubernetes | Kubernetes Service `kubernetes_service.listen_addr` |
| 3028 | Desktop | Desktop Service `windows_desktop_service.listen_addr` |
| 3036 | MySQL | MySQL port `proxy_service.mysql_addr` |

</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
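
Review bot: The new "Ports with TLS routing" table lists only 443, 3022, 3025 and 3028, but nothing in the section says whether the ports in the "Ports without TLS routing" table (3023, 3024, 3026, 3027, 3036) are still listened on in this mode or can be closed at the firewall. This page is a reference people write firewall rules from, so add one sentence after the table stating which of those listeners are off by default with TLS routing and which remain. Smaller points in the same hunk: the 3022 row's "Only used when Teleport Node is replacing SSH" should say what is being replaced (presumably the host's SSH daemon); the 3028 row's "When using Desktop Service `windows_desktop_service.listen_addr`" is a fragment and should match the wording of the 3028 row in the second table; the "3080 or 443" row does not say when each port applies; and "they can set up separate listeners in the config file" would be more useful if it named the settings or linked to them, as the `proxy_service.kube_listen_addr` and `proxy_service.mysql_addr` rows already do.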
