[GH-ISSUE #315] Reverse proxy setup questions (Docker, Traefik) #202

Closed
opened 2026-03-02 02:14:28 +03:00 by kerem · 8 comments
Owner

Originally created by @wtfpeter on GitHub (Mar 7, 2021).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/315

Hi guys, I would like to use Tactical RMM via Docker as it looks exactly like what I have been searching for. However I am struggling to fit it into my setup with an existing TraefikV2 reverse proxy already handling all other hosted services.
Can you give me insight into which URLs need to be routed to which tacticalrmm service without using the shipped nginx reverse proxy? I want to continue using Traefik as a reverse proxy.

This is what I have gathered from the docs so far:
APP_HOST:443 -> tactical-frontend:443
API_HOST:80 -> tactical-backend:80
API_HOST:4222 -> tactical-nats:4222
MESH_HOST:443 -> tactical-meshcentral:443

Are there any other URLs that I overlooked?
Are there URLs that need to be routed differently?

In other issues there I see that the nginx config could be used as a template for a non-standard reverse proxy setup, however I am not completely familiar with reading and understanding nginx configs.

kerem closed this issue 2026-03-02 02:14:28 +03:00

@dinger1986 commented on GitHub (Mar 7, 2021):

Hello,

I will try and get the info for you.

APP uses ports 80 and 443
Mesh uses ports 80 and 4430>443
API uses ports 80 and 443

That should be all you need to proxy; obviously nats as well needs the port forward done.

As long as you can get traefik (which I am not familiar with at all) to forward https on the 3 subdomains it should be fine and then nginx will look after the rest of it.

Nginx doesn't handle 4222, so if it's port forwarded it should be fine.

Let us know how you get on, you can always join the discussions on discord.


@wtfpeter commented on GitHub (Mar 8, 2021):

Thank you for the input, it's much appreciated. I now realize I should have been clearer in what I want to achieve.
I want to completely remove nginx from the stack and move whatever functionality it has to Traefik. I want this for two reasons:

  1. Traefik is already handling certificates automatically
  2. Adding nginx to the routing could introduce additional errors, for example when using custom host ports to avoid port conflicts with Traefik

For this reason I want to get info on which domains and URLs/paths should be forwarded to which container.


@bradhawkins85 commented on GitHub (Mar 8, 2021):

You will find you will have issues with the mesh agent not connecting if you mess with the SSL.
I used to have it working with HAProxy but now as soon as another certificate is put between mesh central and the mesh agent they stop communicating. That was with leaving nginx in the mix.
Traefik would need to pass through the mesh central server certificate or you need to update the client configs to match the Traefik SSL cert.


@dinger1986 commented on GitHub (Mar 8, 2021):

ok in that case:
rmm.yourdomain uses ports 80 and 443
mesh.yourdomain uses ports 80 and 443>4430
api.yourdomain uses ports 80 and 443

thanks @bradhawkins85 yes that will be a problem as well.


@sadnub commented on GitHub (Mar 8, 2021):

@wtfpeter Are you running traefik on the same docker host? If so, I'm not sure how that will work. You might be able to get the container on the same docker network segment as the tactical servers. See here: https://github.com/wh1te909/tacticalrmm/blob/develop/docker/docker-compose.yml

The docker proxy network is the one you need to allow access to the traefik container.

The containers actually offload all ssl to the reverse proxy. The containers themselves listen on these ports:
Api: 80
Mesh: 443 (http)
app: 80

If you can get the traefik container on the docker proxy network you should be good. Just forward your hostnames to the ports above.

You may run into issues because internally the nats container (responsible for agent communication), requires TLS always. Nats does communicate directly to the backend, so a valid certificate is required for that.

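The hostname-to-port mapping described in the comment above, written as a Traefik v2 file-provider dynamic configuration. This is an added example, not from the thread or the Tactical RMM project: the `example.com` hostnames and the `websecure` and `nats` entry point names are placeholders, and it assumes Traefik can resolve the container names listed in the first post (for example by being attached to the `proxy` network).

```yaml
# Assumed static config: entry point "websecure" on :443, "nats" on :4222.
http:
  routers:
    rmm-app:
      rule: "Host(`rmm.example.com`)"    # placeholder hostname
      entryPoints: [websecure]
      service: rmm-app
      tls: {}                            # TLS ends at Traefik
    rmm-api:
      rule: "Host(`api.example.com`)"    # placeholder hostname
      entryPoints: [websecure]
      service: rmm-api
      tls: {}
    rmm-mesh:
      rule: "Host(`mesh.example.com`)"   # placeholder hostname
      entryPoints: [websecure]
      service: rmm-mesh
      tls: {}
  services:
    rmm-app:
      loadBalancer:
        servers:
          - url: "http://tactical-frontend:80"        # app: 80
    rmm-api:
      loadBalancer:
        servers:
          - url: "http://tactical-backend:80"         # Api: 80
    rmm-mesh:
      loadBalancer:
        servers:
          - url: "http://tactical-meshcentral:443"    # Mesh: 443, plain HTTP

tcp:
  routers:
    rmm-nats:
      rule: "HostSNI(`*`)"     # catch-all: everything on this entry point
      entryPoints: [nats]
      service: rmm-nats
      # No tls section: bytes are forwarded untouched, so the TLS session
      # stays between the agent and the nats container.
  services:
    rmm-nats:
      loadBalancer:
        servers:
          - address: "tactical-nats:4222"
```

This covers routing only: the mesh agent certificate issue raised earlier in the thread and the nats requirement for a valid certificate are not addressed by it.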

@sadnub commented on GitHub (Mar 8, 2021):

> You will find you will have issues with the mesh agent not connecting if you mess with the SSL.
> I used to have it working with HAProxy but now as soon as another certificate is put between mesh central and the mesh agent they stop communicating. That was with leaving nginx in the mix.
> Traefik would need to pass through the mesh central server certificate or you need to update the client configs to match the Traefik SSL cert.

This also. Forgot about that. Mesh needs the IP address of the reverse proxy to get the certificate.

There will be a problem with manually updating the mesh configs, because the configs will be rewritten every time the mesh container restarts.

To get around that, you could fork the repo and modify the configurations to suit your needs and build the images yourself.


@wtfpeter commented on GitHub (Mar 9, 2021):

Thanks a lot for all of your input.
@sadnub I am running traefik on a different host. All my hosts are behind a single NAT address with traefik being my reverse proxy for all applications. This means I can't go without traefik, for now.
To me it seems like it would be a better idea to use a dedicated host with a dedicated address for Tactical RMM.


@dinger1986 commented on GitHub (Mar 9, 2021):

you could host it on a VPS, most are fairly inexpensive.
