Conversation

krth1k commented Nov 7, 2025

Describe your changes

This PR fixes a critical port mapping issue in the Signal service configuration that prevents clients from connecting when using custom TLS certificates.

The Signal service with custom TLS certificates runs HTTPS/WebSocket on internal port 443, not port 80. The current docker-compose template incorrectly maps $NETBIRD_SIGNAL_PORT:80, causing connection failures.

Updated port mapping:

signal:
  ports:
    - $NETBIRD_SIGNAL_PORT:443  # Changed from :80 to :443

Impact:

  • ✅ Signal service connects successfully
  • ✅ Clients can establish full NetBird connectivity
  • ✅ Uses modern HTTPS/WebSocket approach (port 443)
  • ℹ️ Port 10000 is kept for backward compatibility only

Issue ticket number and link

Fixes #4762

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Additional Details

Problem Analysis

When the Signal service runs with custom TLS certificates (via --cert-file and --cert-key flags), it starts the HTTPS/WebSocket server on internal port 443, not port 80.

Evidence from Signal service logs:

signal-1  | INFO signal/cmd/run.go:180: running HTTPS server with WebSocket proxy: [::]:443
signal-1  | INFO signal/cmd/run.go:161: running gRPC backward compatibility server: [::]:10000

This mismatch causes:

  • ❌ Signal service shows as "Disconnected" in netbird status
  • ❌ Connection refused errors when clients attempt to connect
  • ❌ Client timeout errors: "daemon up failed: rpc error: code = DeadlineExceeded"
  • ✅ Management service connects successfully (only Signal fails)

Testing Results

Before the fix:

$ nc -zv netbird.example.com 10000
nc: connect to netbird.example.com port 10000 (tcp) failed: Connection refused

$ netbird status
Management: Connected
Signal: Disconnected ❌

After the fix (port 443):

$ netbird status
Management: Connected
Signal: Connected ✅
Relays: 3/3 Available
NetBird IP: 100.65.165.148/16

Configuration Context

This issue specifically affects deployments using:

  • Custom TLS certificates (Let's Encrypt via dashboard container or similar)
  • Signal service command with --cert-file and --cert-key flags
  • Docker Compose setup from infrastructure_files

The configuration in question:

signal:
  command: [
    "--cert-file", "$NETBIRD_MGMT_API_CERT_FILE",
    "--cert-key", "$NETBIRD_MGMT_API_CERT_KEY_FILE",
    "--log-file", "console"
  ]
  ports:
    - $NETBIRD_SIGNAL_PORT:443  # Now correctly maps to HTTPS/WebSocket port

Related Changes

This PR also updates:

  • GitHub workflow tests to verify port 443 mapping
  • Infrastructure documentation to reflect correct port requirements

Summary by CodeRabbit

  • Chores

    • Updated signal service host-to-container port mapping to use port 443.
    • Test expectations adjusted to validate the signal port is 443.
  • Documentation

    • Infrastructure README updated to list new TCP port requirements: 80, 443, 33073, 10000, 33080; UDP ports remain 3478 and 49152–65535.

The Signal service runs its gRPC backward compatibility server on internal
port 10000, not port 80. The current mapping ($NETBIRD_SIGNAL_PORT:80)
causes connection failures as external connections to port 10000 are mapped
to the wrong internal port.

This fixes the "Signal: Disconnected" issue where clients successfully
connect to Management but fail to connect to Signal service.

Fixes netbirdio#4762
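The check below is an added example, not code from the NetBird repository or from this PR's author. It does what the PR description and the updated CI test want to confirm, namely that the rendered docker-compose.yml sends the Signal host port to container port 443, but it reads the container-side port of the signal service's own ports: entry instead of grepping the whole file for ":443". It assumes the two-space YAML indentation of infrastructure_files/docker-compose.yml.tmpl, builds its own constructed compose fragments for the before and after states, and assumes openssl is installed for the optional TLS probe (which the script defines but does not run).

```shell
#!/bin/sh
# Added example (not NetBird project code). Verifies that the signal service in a
# rendered docker-compose.yml maps its host port to container port 443, the port
# the Signal HTTPS/WebSocket listener uses when started with --cert-file/--cert-key.
# Assumes two-space YAML indentation as in infrastructure_files/docker-compose.yml.tmpl.

# Print the container-side port of the first entry under "signal: -> ports:".
# Prints nothing if there is no signal service or no ports entry.
signal_container_port() {
  awk '
    /^  signal:[ \t]*$/                           { in_signal = 1; next }
    in_signal && /^  [A-Za-z_][A-Za-z0-9_-]*:/    { in_signal = 0 }   # next service starts
    in_signal && /^[ \t]*ports:/                  { in_ports = 1; next }
    in_signal && /^[ \t]*[A-Za-z_][A-Za-z0-9_-]*:/ { in_ports = 0 }    # next key in signal
    in_signal && in_ports && /^[ \t]*-[ \t]*/ {
      sub(/^[ \t]*-[ \t]*/, "")        # drop the list dash
      sub(/[ \t]*#.*$/, "")            # drop a trailing comment
      gsub(/"/, "")                    # drop quotes, if the entry is quoted
      sub(/\/(tcp|udp)$/, "")          # drop a protocol suffix, if present
      n = split($0, p, ":")            # host:container or ip:host:container
      print p[n]
      exit
    }
  ' "$1"
}

# Return 0 when the signal service maps to container port 443, 1 otherwise.
check_signal_mapping() {
  port=$(signal_container_port "$1")
  if [ "$port" = "443" ]; then
    echo "OK: signal -> container port 443 (HTTPS/WebSocket listener)"
    return 0
  fi
  echo "FAIL: signal -> container port '${port:-none}', expected 443" >&2
  return 1
}

# Write a constructed compose fragment whose signal service maps host port 10000
# to the given container port. Paths and other services are placeholders.
write_sample_compose() {
  cat > "$1" <<EOF
services:
  management:
    ports:
      - 33073:80
  signal:
    command: [
      "--cert-file", "/etc/letsencrypt/live/example/fullchain.pem",
      "--cert-key", "/etc/letsencrypt/live/example/privkey.pem",
      "--log-file", "console"
    ]
    ports:
      - 10000:$2  # host port 10000 -> container port $2
  relay:
    ports:
      - 33080:33080
EOF
}

# Optional live probe: "nc -zv host port" only proves the TCP port is open; a TLS
# handshake proves the HTTPS listener is the one behind it. Assumes openssl is
# installed. Defined here, not run by this script.
probe_signal_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | grep -q 'Verify return code' && echo "TLS handshake to $1:$2 completed"
}

# Demo on two constructed files: the mapping this PR removed and the one it adds.
tmp=$(mktemp -d)
write_sample_compose "$tmp/before.yml" 80
write_sample_compose "$tmp/after.yml" 443
check_signal_mapping "$tmp/before.yml" || true   # prints the FAIL line for port 80
check_signal_mapping "$tmp/after.yml"            # prints the OK line for port 443
rm -rf "$tmp"
```

Reading the signal block specifically matters because the README in this PR lists 443 as a required TCP port for more than one service, so a plain grep for ":443" over the whole file can pass on a template whose signal service still maps to :80. For a live deployment, run probe_signal_tls netbird.example.com "$NETBIRD_SIGNAL_PORT" after the container is up; a refused TCP connection or a failed handshake both indicate the host port is not reaching the HTTPS listener.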
Copilot AI review requested due to automatic review settings November 7, 2025 17:51
CLAassistant commented Nov 7, 2025

CLA assistant check
All committers have signed the CLA.

coderabbitai bot (Contributor) commented Nov 7, 2025

Walkthrough

Changed the Signal service container port referenced in the docker-compose template from port 80 to port 443; updated README port documentation and CI test expectation to match the new signal port mapping. No other logic or public API changes.

Changes

  • Signal service port mapping: infrastructure_files/docker-compose.yml.tmpl
    Changed host-to-container mapping for the Signal service from $NETBIRD_SIGNAL_PORT:80 to $NETBIRD_SIGNAL_PORT:443.
  • Docs / port requirements: README.md
    Updated documented required TCP ports to include 80, 443, 33073, 10000, and 33080; UDP ports unchanged (3478, 49152-65535).
  • CI test update: .github/workflows/test-infrastructure-files.yml
    Updated test expectation to look for :443 (signal port) in generated docker-compose.yml instead of :80.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Client
  participant Host
  participant SignalContainer

  rect rgb(230,240,255)
    Note over Host,SignalContainer: New mapping (this change)
    Client->>Host: TCP connect to host:$NETBIRD_SIGNAL_PORT
    Host->>SignalContainer: Forward to container:443
    SignalContainer-->>Client: TLS / gRPC / WebSocket responses
  end

  rect rgb(255,240,230)
    Note over Host,SignalContainer: Previous mapping (before change)
    Client->>Host: TCP connect to host:$NETBIRD_SIGNAL_PORT
    Host->>SignalContainer: Forward to container:80
    SignalContainer--x Client: Connection refused / timeout if service listens on 443
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify infrastructure_files/docker-compose.yml.tmpl contains no other inconsistent port mappings or TLS-related conditionals.
  • Confirm .github/workflows/test-infrastructure-files.yml checks match the generated template.
  • Ensure README.md port list aligns with runtime behavior and deployment notes.

Poem

🐰 A nibble, a hop, a tiny change,
From eighty shifted to safe 443 range,
Containers hum, connections mend,
The rabbit twitches — signals send,
Hooray — a port right in its place!

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

  • Title check ✅ Passed: The PR title 'fix: correct Signal service port mapping for custom TLS certificates' is clear and directly summarizes the main change: fixing an incorrect port mapping for the Signal service.
  • Description check ✅ Passed: The PR description comprehensively addresses the template requirements with detailed problem analysis, testing results, configuration context, and documentation updates. All required sections are well-populated with clear, actionable information.
  • Linked Issues check ✅ Passed: The PR addresses the core requirement from issue #4762 by changing the Signal service port mapping from internal port 80 to internal port 443 to match where the HTTPS/WebSocket server actually runs with custom TLS certificates.
  • Out of Scope Changes check ✅ Passed: All changes are directly related to fixing the Signal service port mapping issue: docker-compose template update, README documentation, and workflow test adjustments are all aligned with the stated objectives.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between 690292b and 8e03f6c.

📒 Files selected for processing (1)
  • .github/workflows/test-infrastructure-files.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/test-infrastructure-files.yml


Copilot AI (Contributor) left a comment

Pull Request Overview

This PR fixes the signal service port mapping in the docker-compose template. The internal container port was incorrectly set to 80 instead of the actual default port 10000 that the signal service listens on.

  • Changed the signal service port mapping from $NETBIRD_SIGNAL_PORT:80 to $NETBIRD_SIGNAL_PORT:10000


Following maintainer feedback, port 443 is the correct port for modern
Signal service deployments. Port 10000 was kept only for backward
compatibility with older clients.

The Signal service with custom TLS certificates runs HTTPS/WebSocket
on port 443, which is the recommended approach for new deployments.

Tested and confirmed working with port 443 mapping.
krth1k (Author) commented Nov 10, 2025

Hi @braginini,

Thanks for the feedback! You're absolutely right - I tested with port 443 and it works perfectly.

I've updated the PR to use port 443 instead of 10000:

ports:
  - $NETBIRD_SIGNAL_PORT:443

Testing results with port 443:

$ netbird status
Management: Connected
Signal: Connected ✅
Relays: 3/3 Available

Port 443 is indeed the correct modern approach for Signal service with custom TLS certificates. The previous mapping to port 80 was causing the connection failures.

Thanks for pointing me in the right direction!

Following the Signal service port mapping update to use port 443
(modern HTTPS/WebSocket) instead of 10000 (legacy gRPC backward
compatibility), update the CI workflow test to verify the correct
port mapping.

This ensures the test suite validates the recommended modern
deployment configuration.

aljaxus commented Nov 23, 2025

I encountered the issue that this MR fixes when I was following the official installation instructions. Was going to create a patch MR and found this one, hence writing this comment and bumping the MR.


Development

Successfully merging this pull request may close these issues.

Signal service connection issue - incorrect port mapping in docker-compose.yml

3 participants