From da95fa236421f2fe785cf75082e76774a351ef0d Mon Sep 17 00:00:00 2001 From: Alexander Klizhentas Date: Sun, 3 Jul 2022 16:20:22 -0700 Subject: [PATCH] Add networking with TLS routing (#13762) * Add networking with TLS routing, fixes #13751 --- docs/pages/setup/reference/networking.mdx | 24 +++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/pages/setup/reference/networking.mdx b/docs/pages/setup/reference/networking.mdx index bcd5514a4c8b0..26ac938797ada 100644 --- a/docs/pages/setup/reference/networking.mdx +++ b/docs/pages/setup/reference/networking.mdx 
@@ -114,17 +114,37 @@ numbers for each service. +### Ports with TLS routing + +TLS routing is enabled by default. In this mode, all connections to a Teleport service (e.g., the Teleport +SSH Service or Kubernetes) are routed through the Proxy Service's public web address. + +Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide. + +| Port | Service | Description | +| - | - | - | +| 443 | Proxy | In TLS Routing mode, the Proxy handles all protocols, including Web UI, HTTPS, Kubernetes, SSH, and all databases on a single port. | +| 3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH. Only used when Teleport Node is replacing SSH.| +| 3025 | Auth | TLS port used by the Auth Service to serve its API to other Nodes in a cluster.| +| 3028 | Desktop | When using Desktop Service `windows_desktop_service.listen_addr` | + +### Ports without TLS routing + +In some cases, administrators may want to use separate ports for different services. +In those cases, they can set up separate listeners in the config file. + | Port | Service | Description | | - | - | - | | 3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH. | | 3023 | Proxy | SSH port clients connect to. The Proxy Service will forward this connection to port `#3022` on the destination Node. | | 3024 | Proxy | SSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server. | -| 3025 | Auth | SSH port used by the Auth Service to serve its API to other Nodes in a cluster. | -| 3080 | Proxy | HTTPS connection to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI. | +| 3025 | Auth | TLS port used by the Auth Service to serve its API to other Nodes in a cluster. | +| 3080 or 443 | Proxy | HTTPS connection to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI. 
| | 3026 | Kubernetes | HTTPS Kubernetes proxy `proxy_service.kube_listen_addr` | | 3027 | Kubernetes | Kubernetes Service `kubernetes_service.listen_addr` | | 3028 | Desktop | Desktop Service `windows_desktop_service.listen_addr` | | 3036 | MySQL | MySQL port `proxy_service.mysql_addr` | +
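Review bot: the new "Ports with TLS routing" table never says which of its listeners must be exposed, even though the paragraph above it states that all connections are routed through the Proxy Service's public web address; add a sentence (or a column) making clear that in this mode only 443 needs to be reachable from clients, while 3022, 3025 and 3028 only need to be reachable from the Proxy and Auth Services, so readers can scope firewall rules to that instead of opening every listed port. In the same hunk, the Desktop row `| 3028 | Desktop | When using Desktop Service `windows_desktop_service.listen_addr` |` is a sentence fragment and is worded differently from the matching row in the second table (`| 3028 | Desktop | Desktop Service `windows_desktop_service.listen_addr` |`); make the two consistent. The statement `TLS routing is enabled by default.` should name the release from which that holds, since readers on older versions will otherwise expect single-port behaviour and find the separate listeners still in use. Finally, `| 3080 or 443 | Proxy | ...` in the second table gives no indication of which port applies when; a short note that 443 is the port used with TLS routing (as the first table states) and 3080 the previous default would remove the ambiguity.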