Fork me on GitHub
Teleport

Networking

Improve

Public address

All three Teleport services (proxy, auth, node) have an optional public_addr property. The public address can take an IP or a DNS name. It can also be a list of values:

public_addr: ["proxy-one.example.com", "proxy-two.example.com"]

Specifying a public address for a Teleport service may be useful in the following use cases:

  • You have multiple identical services, like proxies, behind a load balancer.
  • You want Teleport to issue an SSH certificate for the service with the additional principals, e.g.host names.

HTTP CONNECT proxies

Some networks funnel all connections through a proxy server where they can be audited and access control rules are applied. For these scenarios, Teleport supports HTTP CONNECT tunneling.

To use HTTP CONNECT tunneling, simply set either the HTTPS_PROXY or HTTP_PROXY environment variables and when Teleport builds and establishes the reverse tunnel to the main cluster, it will funnel all traffic through the proxy. Specifically, if using the default configuration, Teleport will tunnel ports 3024 (SSH, reverse tunnel) and 3080 (HTTPS, establishing trust) through the proxy.

The value of HTTPS_PROXY or HTTP_PROXY should be in the format scheme://host:port where scheme is either https or http . If the value is host:port , Teleport will prepend http .

It's important to note that for Teleport to use HTTP CONNECT tunneling, the HTTP_PROXY and HTTPS_PROXY environment variables must be set within Teleport's environment. You can also optionally set the NO_PROXY environment variable to avoid use of the proxy when accessing specified hosts/netmasks. When launching Teleport with systemd, this will probably involve adding some lines to your systemd unit file:

[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080/"
Environment="HTTPS_PROXY=http://proxy.example.com:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
Note

localhost and 127.0.0.1 are invalid values for the proxy host. If for some reason your proxy runs locally, you'll need to provide some other DNS name or a private IP address for it.

Ports

Teleport services listen on several ports. This table shows the default port numbers.

PortServiceDescription
3022NodeSSH port. This is Teleport's equivalent of port #22 for SSH.
3023ProxySSH port clients connect to. A proxy will forward this connection to port #3022 on the destination node.
3024ProxySSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server.
3025AuthSSH port used by the Auth Service to serve its API to other nodes in a cluster.
3080ProxyHTTPS connection to authenticate tsh users and web users into the cluster. The same connection is used to serve a Web UI.
3026KubernetesHTTPS Kubernetes proxy proxy_service.kube_listen_addr
3027KubernetesKubernetes Service kubernetes_service.listen_addr
3036MySQLMySQL port proxy_service.mysql_addr
Have a suggestion or can’t find something?
IMPROVE THE DOCS