All three Teleport services (proxy, auth, node) have an optional
public_addr property. The public address can take an IP or a DNS name. It can
also be a list of values:
public_addr: ["proxy-one.example.com", "proxy-two.example.com"]
Specifying a public address for a Teleport service may be useful in the following use cases:
- You have multiple identical services, like proxies, behind a load balancer.
- You want Teleport to issue an SSH certificate for the service with the additional principals, e.g.host names.
Some networks funnel all connections through a proxy server where they can be audited and access control rules are applied. For these scenarios, Teleport supports HTTP CONNECT tunneling.
To use HTTP CONNECT tunneling, simply set either the
HTTP_PROXY environment variables and when Teleport builds and establishes the reverse tunnel to the main cluster, it will funnel all traffic through the proxy. Specifically, if using the default configuration, Teleport will tunnel ports
3024 (SSH, reverse tunnel) and
3080 (HTTPS, establishing trust) through the proxy.
The value of
HTTP_PROXY should be in the format
scheme://host:port where scheme is either
http . If the value is
host:port , Teleport will prepend
It's important to note that for Teleport to use HTTP CONNECT
HTTPS_PROXY environment variables must be set
within Teleport's environment. You can also optionally set the
environment variable to avoid use of the proxy when accessing specified
hosts/netmasks. When launching Teleport with
systemd, this will probably involve
adding some lines to your
systemd unit file:
[Service] Environment="HTTP_PROXY=http://proxy.example.com:8080/" Environment="HTTPS_PROXY=http://proxy.example.com:8080/" Environment="NO_PROXY=localhost,127.0.0.1,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
127.0.0.1 are invalid values for the proxy host. If for some reason your proxy runs locally, you'll need to provide some other DNS name or a private IP address for it.
Teleport services listen on several ports. This table shows the default port numbers.
|3022||Node||SSH port. This is Teleport's equivalent of port |
|3023||Proxy||SSH port clients connect to. A proxy will forward this connection to port |
|3024||Proxy||SSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server.|
|3025||Auth||SSH port used by the Auth Service to serve its API to other nodes in a cluster.|
|3080||Proxy||HTTPS connection to authenticate |
|3026||Kubernetes||HTTPS Kubernetes proxy |
|3027||Kubernetes||Kubernetes Service |
|3036||MySQL||MySQL port |