fix(caddy): route relay WebSocket traffic to relay container

Add /relay* location block to Caddyfile template so that NetBird relay WebSocket connections (rels://) are correctly forwarded to the relay container instead of falling through to the dashboard handler. Without this fix, all relay WebSocket connections silently hit the dashboard container, causing STUN/relay connectivity failures for all deployed NetBird instances. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fix: Add grpc_pass to NPM advanced_config for Management and Signal endpoints
2026-02-24 10:31:08 +01:00 · 2026-02-23 14:49:43 +01:00
2 changed files with 15 additions and 1 deletions
--- a/app/services/npm_service.py
+++ b/app/services/npm_service.py
@@ -259,7 +259,16 @@ async def create_proxy_host(
        "block_exploits": True,
        "allow_websocket_upgrade": True,
        "access_list_id": 0,
-        "advanced_config": "",
+        "advanced_config": (
+            "location ^~ /management.ManagementService/ {\n"
+            f"    grpc_pass grpc://{forward_host}:{forward_port};\n"
+            "    grpc_set_header Host $host;\n"
+            "}\n"
+            "location ^~ /signalexchange.SignalExchange/ {\n"
+            f"    grpc_pass grpc://{forward_host}:{forward_port};\n"
+            "    grpc_set_header Host $host;\n"
+            "}\n"
+        ),
        "meta": {
            "letsencrypt_agree": True,
            "letsencrypt_email": admin_email,
--- a/templates/Caddyfile.j2
+++ b/templates/Caddyfile.j2
@@ -29,6 +29,11 @@
 		}
 	}

+	# NetBird Relay WebSocket (rels://)
+	handle /relay* {
+		reverse_proxy netbird-{{ subdomain }}-relay:80
+	}
+
 	# Default: NetBird Dashboard
 	handle {
 		reverse_proxy netbird-{{ subdomain }}-dashboard:80