Stuck on loading dashboard #1039

New Issue

Open

opened 2025-11-20 05:22:47 -05:00 by saavagebueno · 51 comments

saavagebueno commented 2025-11-20 05:22:47 -05:00

Owner

Copy Link

Originally created by @MichalMarchewka on GitHub (Jul 1, 2024).

Describe the problem

A Netbird is stuck on loading dashboard.

To Reproduce

Steps to reproduce the behavior:

1. Install and setup Netbird following this guide
2. Try to sign in to Netbird. After putting credentials and MFA Netbird stucks.

Expected behavior

Netbirds successfully loads and https://netbird.REDACTED.net/peers content is reached

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.28.3

NetBird status -d output:

If applicable, add the `netbird status -d' command output.

Screenshots

Additional context

• Netbird is installed on 1 CPU and 2 GM RAM VPS
• docker compose logs contains some errors:

zitadel-1     | time="2024-07-01T21:00:28Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=auth.users3
zitadel-1     | time="2024-07-01T21:00:37Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=auth.tokens
zitadel-1     | time="2024-07-01T21:00:38Z" level=warning msg="instance by host" caller="/home/runner/work/zitadel/zitadel/internal/query/instance.go:210" domain=netbird.REDACTED.net error="failed to connect to `host=zdb user=zitadel database=zitadel`: failed to receive message (context canceled)" host=netbird.REDACTED.net
zitadel-1     | time="2024-07-01T21:00:38Z" level=error msg="unable to set instance" caller="/home/runner/work/zitadel/zitadel/internal/api/http/middleware/instance_interceptor.go:60" error="unable to get instance by host netbird.REDACTED.net: failed to connect to `host=zdb user=zitadel database=zitadel`: failed to receive message (context canceled)" externalDomain=netbird.REDACTED.net origin="https://netbird.REDACTED.net"
zitadel-1     | time="2024-07-01T21:00:38Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.apps7
zitadel-1     | time="2024-07-01T21:00:51Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.restrictions2
zitadel-1     | time="2024-07-01T21:00:51Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.idp_login_policy_links5
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.org_domains2
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.password_complexity_policies2
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.actions3
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.system_features
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.idp_user_links3
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="unable to query current state" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/state.go:70" error="ERROR: could not obtain lock on row in relation \"current_states\" (SQLSTATE 55P03)" projection=auth.user_sessions
zitadel-1     | time="2024-07-01T21:00:52Z" level=debug msg="state already locked" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:462" projection=auth.user_sessions

Originally created by @MichalMarchewka on GitHub (Jul 1, 2024). **Describe the problem** A Netbird is stuck on loading dashboard. **To Reproduce** Steps to reproduce the behavior: 1. Install and setup Netbird following [this](https://docs.netbird.io/selfhosted/selfhosted-quickstart) guide 2. Try to sign in to Netbird. After putting credentials and MFA Netbird stucks. **Expected behavior** Netbirds successfully loads and https://netbird.REDACTED.net/peers content is reached **Are you using NetBird Cloud?** Self-hosted **NetBird version** 0.28.3 **NetBird status -d output:** If applicable, add the `netbird status -d' command output. **Screenshots**  **Additional context** * Netbird is installed on 1 CPU and 2 GM RAM VPS * `docker compose logs` contains some errors: ``` zitadel-1 | time="2024-07-01T21:00:28Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=auth.users3 zitadel-1 | time="2024-07-01T21:00:37Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=auth.tokens zitadel-1 | time="2024-07-01T21:00:38Z" level=warning msg="instance by host" caller="/home/runner/work/zitadel/zitadel/internal/query/instance.go:210" domain=netbird.REDACTED.net error="failed to connect to `host=zdb user=zitadel database=zitadel`: failed to receive message (context canceled)" host=netbird.REDACTED.net zitadel-1 | time="2024-07-01T21:00:38Z" level=error msg="unable to set instance" caller="/home/runner/work/zitadel/zitadel/internal/api/http/middleware/instance_interceptor.go:60" error="unable to get instance by host netbird.REDACTED.net: failed to connect to `host=zdb user=zitadel database=zitadel`: failed to receive message (context canceled)" externalDomain=netbird.REDACTED.net origin="https://netbird.REDACTED.net" zitadel-1 | time="2024-07-01T21:00:38Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.apps7 zitadel-1 | time="2024-07-01T21:00:51Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.restrictions2 zitadel-1 | time="2024-07-01T21:00:51Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.idp_login_policy_links5 zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.org_domains2 zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.password_complexity_policies2 zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.actions3 zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.system_features zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:414" iteration=0 projection=projections.idp_user_links3 zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="unable to query current state" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/state.go:70" error="ERROR: could not obtain lock on row in relation \"current_states\" (SQLSTATE 55P03)" projection=auth.user_sessions zitadel-1 | time="2024-07-01T21:00:52Z" level=debug msg="state already locked" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:462" projection=auth.user_sessions ```

saavagebueno added the dashboardtriage-needed labels 2025-11-20 05:22:47 -05:00

saavagebueno commented 2025-11-20 05:22:48 -05:00

Author

Owner

Copy Link

@Jadefalkner commented on GitHub (Jul 2, 2024):

sounds similar to the problem i faced? maybe it helps

https://github.com/netbirdio/netbird/issues/1699

@Jadefalkner commented on GitHub (Jul 2, 2024): sounds similar to the problem i faced? maybe it helps https://github.com/netbirdio/netbird/issues/1699

saavagebueno commented 2025-11-20 05:22:48 -05:00

Author

Owner

Copy Link

@leoboyerbx commented on GitHub (Jul 3, 2024):

Same problem here

@leoboyerbx commented on GitHub (Jul 3, 2024): Same problem here

saavagebueno commented 2025-11-20 05:22:48 -05:00

Author

Owner

Copy Link

@snoopckuu commented on GitHub (Jul 4, 2024):

Having same issue with Google iDP in Safari. Dashboard won't load and after sometime redirects back to Google Auth window.
However Works in Google Chrome and Edge.

@snoopckuu commented on GitHub (Jul 4, 2024): Having same issue with Google iDP in Safari. Dashboard won't load and after sometime redirects back to Google Auth window. However Works in Google Chrome and Edge.

saavagebueno commented 2025-11-20 05:22:48 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Jul 4, 2024):

@MichalMarchewka can you share the caddy logs?

@mlsmaycon commented on GitHub (Jul 4, 2024): @MichalMarchewka can you share the caddy logs?

saavagebueno commented 2025-11-20 05:22:48 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Jul 4, 2024):

Same problem here

with our quick start guide too? if so, can you share the caddy logs?

@mlsmaycon commented on GitHub (Jul 4, 2024): > Same problem here with our quick start guide too? if so, can you share the caddy logs?

saavagebueno commented 2025-11-20 05:22:48 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Jul 4, 2024):

Having same issue with Google iDP in Safari. Dashboard won't load and after sometime redirects back to Google Auth window. However Works in Google Chrome and Edge.

thanks for reporting, we will validate the issue with Google as IdP. In the mean time, can you check if https://app.netbird.io works well for you?

@mlsmaycon commented on GitHub (Jul 4, 2024): > Having same issue with Google iDP in Safari. Dashboard won't load and after sometime redirects back to Google Auth window. However Works in Google Chrome and Edge. thanks for reporting, we will validate the issue with Google as IdP. In the mean time, can you check if https://app.netbird.io works well for you?

saavagebueno commented 2025-11-20 05:22:49 -05:00

Author

Owner

Copy Link

@snoopckuu commented on GitHub (Jul 5, 2024):

Having same issue with Google iDP in Safari. Dashboard won't load and after sometime redirects back to Google Auth window. However Works in Google Chrome and Edge.

thanks for reporting, we will validate the issue with Google as IdP. In the mean time, can you check if https://app.netbird.io works well for you?

Yep, works well.

@snoopckuu commented on GitHub (Jul 5, 2024): > > Having same issue with Google iDP in Safari. Dashboard won't load and after sometime redirects back to Google Auth window. However Works in Google Chrome and Edge. > > thanks for reporting, we will validate the issue with Google as IdP. In the mean time, can you check if https://app.netbird.io works well for you? Yep, works well.

saavagebueno commented 2025-11-20 05:22:49 -05:00

Author

Owner

Copy Link

@MichalMarchewka commented on GitHub (Jul 7, 2024):

@mlsmaycon Please find logs attached
caddy_logs.txt

@MichalMarchewka commented on GitHub (Jul 7, 2024): @mlsmaycon Please find logs attached [caddy_logs.txt](https://github.com/user-attachments/files/16120784/caddy_logs.txt)

saavagebueno commented 2025-11-20 05:22:49 -05:00

Author

Owner

Copy Link

@joshuahigginson1 commented on GitHub (Jul 10, 2024):

Hi @mlsmaycon , it appears that we've got the same issue after upgrading from v2.3.0 to v2.4.1 of the Netbird Dashboard. Both Chrome and Safari - I was never convinced that we had our auth configured correctly.

Looks like an issue with the change in the Dashboard useRedirect hook.

--- v2.3.0

Logging in or refreshing the page would result in a 100ms ~ 2sec wait for the console to show the Google Accounts page. This will always appear after a 'timeout' appears in the Chrome console.

After authenticating to Google, we see the following logs:

GET https://<our-domain>/auth 404 (Not Found)
Checking to see if there is an authorization response to be delivered.
Potential authorization request  https://<our-domain>/auth ...
Delivering authorization response

Peers page then loads.

Refreshing the page restarts this cycle and loads the Google Accounts page again.

Note: Chrome and Safari both block third-party cookies which is probably why we have to re-authenticate every page refresh.

---v2.4.1

Logging in or refreshing the page would result in a 100ms ~ 2sec wait for the console to show the Google Accounts page. This will always appear after a 'timeout' appears in the Chrome console. The difference between two versions is that we have 36 counts of 'Third Party Cookie will be Blocked' before Google Accounts page appears.

After authenticating to Google, we see the following logs:

GET https://<our-domain>/auth 404 (Not Found)
Checking to see if there is an authorization response to be delivered.
Potential authorization request  https://<our-domain>/auth ...
Delivering authorization response
** GET https://<our-domain>/auth.txt 404 (Not Found) **

Peers page never loads. Eventually, Netbird takes us to the Google Accounts page again.

@joshuahigginson1 commented on GitHub (Jul 10, 2024): Hi @mlsmaycon , it appears that we've got the same issue after upgrading from v2.3.0 to v2.4.1 of the Netbird Dashboard. Both Chrome and Safari - I was never convinced that we had our auth configured correctly. Looks like an issue with the change in the Dashboard useRedirect hook. --- v2.3.0 Logging in or refreshing the page would result in a 100ms ~ 2sec wait for the console to show the Google Accounts page. This will always appear after a 'timeout' appears in the Chrome console. After authenticating to Google, we see the following logs: ``` GET https://<our-domain>/auth 404 (Not Found) Checking to see if there is an authorization response to be delivered. Potential authorization request https://<our-domain>/auth ... Delivering authorization response ``` Peers page then loads. Refreshing the page restarts this cycle and loads the Google Accounts page again. Note: Chrome and Safari both block third-party cookies which is probably why we have to re-authenticate every page refresh. ---v2.4.1 Logging in or refreshing the page would result in a 100ms ~ 2sec wait for the console to show the Google Accounts page. This will always appear after a 'timeout' appears in the Chrome console. The difference between two versions is that we have 36 counts of 'Third Party Cookie will be Blocked' before Google Accounts page appears. After authenticating to Google, we see the following logs: ``` GET https://<our-domain>/auth 404 (Not Found) Checking to see if there is an authorization response to be delivered. Potential authorization request https://<our-domain>/auth ... Delivering authorization response ** GET https://<our-domain>/auth.txt 404 (Not Found) ** ``` Peers page never loads. Eventually, Netbird takes us to the Google Accounts page again.

saavagebueno commented 2025-11-20 05:22:49 -05:00

Author

Owner

Copy Link

@axlroden commented on GitHub (Jul 11, 2024):

I have the same issue after updating to latest image, and running a previously working netbird with google idp.

For some reason it works in firefox, but not in chrome or safari.

Downgrading to v2.3.0 dashboard resolves the issue..

@axlroden commented on GitHub (Jul 11, 2024): I have the same issue after updating to latest image, and running a previously working netbird with google idp. For some reason it works in firefox, but not in chrome or safari. Downgrading to v2.3.0 dashboard resolves the issue..

saavagebueno commented 2025-11-20 05:22:49 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Jul 11, 2024):

@heisbrot can you have a look at this issue?

@mlsmaycon commented on GitHub (Jul 11, 2024): @heisbrot can you have a look at this issue?

saavagebueno commented 2025-11-20 05:22:49 -05:00

Author

Owner

Copy Link

@heisbrot commented on GitHub (Jul 15, 2024):

Hey @MichalMarchewka ,

can you check if your SSL is properly configured? I see some certificate errors in the logs. Was you domain publicly accessible before you started with the getting started guide?

@joshuahigginson1 @axlroden @snoopckuu
Do you have some logs? Or maybe a HAR file for the network requests.
You can also try clearing the cache and cookies of your browser and check if the issue persists. (Or opening incognito)
Does rebuilding the container fix the issue? docker compose up -d --force-recreate dashboard

@heisbrot commented on GitHub (Jul 15, 2024): Hey @MichalMarchewka , can you check if your SSL is properly configured? I see some certificate errors in the logs. Was you domain publicly accessible before you started with the getting started guide? @joshuahigginson1 @axlroden @snoopckuu Do you have some logs? Or maybe a HAR file for the network requests. You can also try clearing the cache and cookies of your browser and check if the issue persists. (Or opening incognito) Does rebuilding the container fix the issue? `docker compose up -d --force-recreate dashboard`

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@ylluminate commented on GitHub (Jul 16, 2024):

I had the same problem, but it seems to be resolved by adjusting the /etc/hosts file. Here's what worked for me:

# /etc/hosts
127.0.0.1       localhost

Initially, I had other hostnames defined before localhost, but this setup caused issues with Docker containers accessing the identity provider configuration. Simplifying the /etc/hosts file to include only localhost for IPv4 resolved the problem.

As we're all probably aware, the /etc/hosts file is used to map IP addresses to hostnames. It's common practice to include multiple hostnames on a single line, such as 127.0.1.1 hostname.domain.tld hostname localhost, to associate multiple hostnames with an IP address. However, this configuration appears to interfere with Docker's DNS resolution inside containers.

In this case, the management container was repeatedly failing to fetch the OIDC configuration due to connection refusals on 127.0.1.1. Changing the /etc/hosts file to the above did resolve this...

If this is what's affecting others as well, and to perhaps avoid similar issues in the future, it might be beneficial to document this behavior as a known issue or recommend best practices for /etc/hosts configurations in the setup guides. Additionally, it could be helpful to investigate why Docker's DNS resolution behaves differently with multiple hostnames and whether there are configuration changes that can make it more robust to different /etc/hosts setups.

I'm not a big Docker fan myself, so I'm not terribly inclined to dig into this any further myself.

@ylluminate commented on GitHub (Jul 16, 2024): I had the same problem, but it seems to be resolved by adjusting the `/etc/hosts` file. Here's what worked for me: ``` # /etc/hosts 127.0.0.1 localhost ``` Initially, I had other hostnames defined before `localhost`, but this setup caused issues with Docker containers accessing the identity provider configuration. Simplifying the `/etc/hosts` file to include only `localhost` for IPv4 resolved the problem. As we're all probably aware, the `/etc/hosts` file is used to map IP addresses to hostnames. It's common practice to include multiple hostnames on a single line, such as `127.0.1.1 hostname.domain.tld hostname localhost`, to associate multiple hostnames with an IP address. However, this configuration appears to interfere with Docker's DNS resolution inside containers. In this case, the management container was repeatedly failing to fetch the OIDC configuration due to connection refusals on `127.0.1.1`. Changing the `/etc/hosts` file to the above did resolve this... If this is what's affecting others as well, and to perhaps avoid similar issues in the future, it might be beneficial to document this behavior as a known issue or recommend best practices for `/etc/hosts` configurations in the setup guides. Additionally, it could be helpful to investigate why Docker's DNS resolution behaves differently with multiple hostnames and whether there are configuration changes that can make it more robust to different `/etc/hosts` setups. I'm not a big Docker fan myself, so I'm not terribly inclined to dig into this any further myself.

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@MichalMarchewka commented on GitHub (Jul 16, 2024):

Hey @heisbrot
Yes, I have now rebuilt it from scratch. Unfortunately, it still doesn't work. Is there a chance to install Netbird without Docker?

Editing /etc/hosts per ylluminate instruction doesn't work for me.

@MichalMarchewka commented on GitHub (Jul 16, 2024): Hey @heisbrot Yes, I have now rebuilt it from scratch. Unfortunately, it still doesn't work. Is there a chance to install Netbird without Docker? Editing /etc/hosts per ylluminate instruction doesn't work for me.

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@ylluminate commented on GitHub (Jul 16, 2024):

@MichalMarchewka that is unfortunate to hear. Had hoped that would work for you. I do agree though, having a non-Docker install path would be good. Docker is such a headache.

@ylluminate commented on GitHub (Jul 16, 2024): @MichalMarchewka that is unfortunate to hear. Had hoped that would work for you. I do agree though, having a non-Docker install path would be good. Docker is such a headache.

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@axlroden commented on GitHub (Jul 17, 2024):

management.txt
dashboard.txt
2.4.0.har.txt
Logs of management and dashboard, and har file on 2.4.0 dashboard.

I tried doing force-recreate as well. Tried without cache on multiple browsers. Only firefox ends up on a peer list, after several reloads. Others either keep refreshing indefinately, or shows the google accounts login screen.

@axlroden commented on GitHub (Jul 17, 2024): [management.txt](https://) [dashboard.txt](https://) [2.4.0.har.txt](https://) Logs of management and dashboard, and har file on 2.4.0 dashboard. I tried doing force-recreate as well. Tried without cache on multiple browsers. Only firefox ends up on a peer list, after several reloads. Others either keep refreshing indefinately, or shows the google accounts login screen.

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@heisbrot commented on GitHub (Jul 17, 2024):

Hey @axlroden

Thank you for the logs. Can you try with the following image netbirdio/dashboard:pr-403 (instead of latest) and see if the problem persists?

@heisbrot commented on GitHub (Jul 17, 2024): Hey @axlroden Thank you for the logs. Can you try with the following image `netbirdio/dashboard:pr-403` (instead of latest) and see if the problem persists?

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@jeehoonkang commented on GitHub (Jul 17, 2024):

@heisbrot I had the same problem, and netbirdio/dashboard:pr-403 fixed the issue. Thanks!

@jeehoonkang commented on GitHub (Jul 17, 2024): @heisbrot I had the same problem, and `netbirdio/dashboard:pr-403` fixed the issue. Thanks!

saavagebueno commented 2025-11-20 05:22:50 -05:00

Author

Owner

Copy Link

@joshuahigginson1 commented on GitHub (Jul 18, 2024):

@heisbrot Thanks you Eduard, PR-403 has solved our issue.

@joshuahigginson1 commented on GitHub (Jul 18, 2024): @heisbrot Thanks you Eduard, PR-403 has solved our issue.

saavagebueno commented 2025-11-20 05:22:51 -05:00

Author

Owner

Copy Link

@snoopckuu commented on GitHub (Jul 20, 2024):

Can we merge the fix into the main branch?

@snoopckuu commented on GitHub (Jul 20, 2024): Can we merge the fix into the main branch?

saavagebueno commented 2025-11-20 05:22:51 -05:00

Author

Owner

Copy Link

@axlroden commented on GitHub (Jul 23, 2024):

can confirm netbirdio/dashboard:pr-403 solved the issue.

@axlroden commented on GitHub (Jul 23, 2024): can confirm netbirdio/dashboard:pr-403 solved the issue.

saavagebueno commented 2025-11-20 05:22:51 -05:00

Author

Owner

Copy Link

@MichalMarchewka commented on GitHub (Jul 25, 2024):

Amazing stuff, it's working now!

Good job, thank you.

@MichalMarchewka commented on GitHub (Jul 25, 2024): Amazing stuff, it's working now! Good job, thank you.

saavagebueno commented 2025-11-20 05:22:51 -05:00

Author

Owner

Copy Link

@TheKayneGame commented on GitHub (Jul 29, 2024):

This issue has not been resolved for me with the PR.

My setup contains Traefik and followed this tutorial from JimsGarage's video.

i am facing the same /peers screen loop.

See netbird-logs.txt for my logs.

I am running it on a local machine and externally its connected through cloudflare.

@TheKayneGame commented on GitHub (Jul 29, 2024): This issue has not been resolved for me with the PR. My setup contains Traefik and followed [this](https://github.com/JamesTurland/JimsGarage/tree/main/Netbird) tutorial from JimsGarage's [video](https://www.youtube.com/watch?v=QQaRB1vL6Q8). i am facing the same /peers screen loop. See [netbird-logs.txt](https://github.com/user-attachments/files/16410947/netbird-logs.txt) for my logs. I am running it on a local machine and externally its connected through cloudflare.

saavagebueno commented 2025-11-20 05:22:51 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 14, 2024):

@heisbrot I am also experiencing the same problem as @MichalMarchewka where the login works as expected, but the dashboard never loads.

My setup is new and have followed the advanced guide here https://docs.netbird.io/selfhosted/selfhosted-guide#requirements. The chosen Idp is Zitadel and have followed the guide here on setup https://docs.netbird.io/selfhosted/identity-providers#zitadel.

I've noticed that there are a number of issues on Github which have been raised that are of a similar theme. I too have tried the suggested netbirdio/dashboard:pr-403 image, but doesn't work.

Please let me know if you would like more info about my setup, config, logs or to support troubleshooting.

@git-day commented on GitHub (Aug 14, 2024): @heisbrot I am also experiencing the same problem as @MichalMarchewka where the login works as expected, but the dashboard never loads. My setup is new and have followed the advanced guide here [https://docs.netbird.io/selfhosted/selfhosted-guide#requirements](url). The chosen Idp is Zitadel and have followed the guide here on setup [https://docs.netbird.io/selfhosted/identity-providers#zitadel](url). I've noticed that there are a number of issues on Github which have been raised that are of a similar theme. I too have tried the suggested `netbirdio/dashboard:pr-403` image, but doesn't work. Please let me know if you would like more info about my setup, config, logs or to support troubleshooting.

saavagebueno commented 2025-11-20 05:22:51 -05:00

Author

Owner

Copy Link

@snoopckuu commented on GitHub (Aug 14, 2024):

Hello everyone,

Happy to confirm that dashboard latest version 2.5.0 released yesterday fixed issue for me!

Thank you!

@snoopckuu commented on GitHub (Aug 14, 2024): Hello everyone, Happy to confirm that dashboard latest version 2.5.0 released yesterday fixed issue for me! Thank you!

saavagebueno commented 2025-11-20 05:22:52 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 14, 2024):

@snoopckuu , can you please share the version update details?

@git-day commented on GitHub (Aug 14, 2024): @snoopckuu , can you please share the version update details?

saavagebueno commented 2025-11-20 05:22:52 -05:00

Author

Owner

Copy Link

@snoopckuu commented on GitHub (Aug 14, 2024):

@snoopckuu , can you please share the version update details?

Sure, i am talking about this release that fixed the issue: https://github.com/netbirdio/dashboard/releases/tag/v2.5.0

@snoopckuu commented on GitHub (Aug 14, 2024): > @snoopckuu , can you please share the version update details? Sure, i am talking about this release that fixed the issue: https://github.com/netbirdio/dashboard/releases/tag/v2.5.0

saavagebueno commented 2025-11-20 05:22:52 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 14, 2024):

@snoopckuu thanks. Is there an easy way to identify what version of the dashboard that has been deployed via docker, given that i can't load the dashboard?

@git-day commented on GitHub (Aug 14, 2024): @snoopckuu thanks. Is there an easy way to identify what version of the dashboard that has been deployed via docker, given that i can't load the dashboard?

saavagebueno commented 2025-11-20 05:22:52 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 14, 2024):

@mlsmaycon can you please help point me in the right direction. How do i troubleshoot this issue? Is there a set of logs to reference and assess where the issue might be? At this stage I have nothing to go by.

@git-day commented on GitHub (Aug 14, 2024): @mlsmaycon can you please help point me in the right direction. How do i troubleshoot this issue? Is there a set of logs to reference and assess where the issue might be? At this stage I have nothing to go by.

saavagebueno commented 2025-11-20 05:22:52 -05:00

Author

Owner

Copy Link

@heisbrot commented on GitHub (Aug 15, 2024):

Hey @git-day ,

you can run docker image inspect netbirdio/dashboard.
Under Labels there should be the image version. Latest version as of today is 2.5.0 for the dashboard.

Is your Zitadel instance new? If so you might want to check out the Quick Start Guide. It comes with a one liner to set everything up (including Zitadel, Certificates, etc.). Before running the setup be sure that your domain is pointing to your server.

You can check the logs with docker compose logs dashboard, docker compose logs management

@heisbrot commented on GitHub (Aug 15, 2024): Hey @git-day , you can run `docker image inspect netbirdio/dashboard`. Under Labels there should be the image version. Latest version as of today is 2.5.0 for the dashboard. Is your Zitadel instance new? If so you might want to check out the [Quick Start Guide](https://docs.netbird.io/selfhosted/selfhosted-quickstart). It comes with a one liner to set everything up (including Zitadel, Certificates, etc.). Before running the setup be sure that your domain is pointing to your server. You can check the logs with `docker compose logs dashboard`, `docker compose logs management`

saavagebueno commented 2025-11-20 05:22:52 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 16, 2024):

Thanks @heisbrot . Confirmed 2.5.0 is running.

The logs don't show much other than the following error related to cache. Could this be the problem with the dahsboard not logging in ?

management-1 | 2024-08-16T16:16:10Z WARN [context: SYSTEM] management/server/account.go:941: failed warming up cache due to error: unable to get zitadel token, statusCode 400

The dashboard simply never loads and loops with the following logo? What other logs should i look at? Should I look at enabling debug?

@git-day commented on GitHub (Aug 16, 2024): Thanks @heisbrot . Confirmed 2.5.0 is running. The logs don't show much other than the following error related to cache. Could this be the problem with the dahsboard not logging in ? `management-1 | 2024-08-16T16:16:10Z WARN [context: SYSTEM] management/server/account.go:941: failed warming up cache due to error: unable to get zitadel token, statusCode 400` The dashboard simply never loads and loops with the following logo? What other logs should i look at? Should I look at enabling debug? 

saavagebueno commented 2025-11-20 05:22:53 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 16, 2024):

@heisbrot at the client end using a browser, i see the following error message. Not sure where to take it from here. Any help is appreciated.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nb.external.com:33073/api/users. (Reason: CORS request did not succeed). Status code: (null).

@git-day commented on GitHub (Aug 16, 2024): @heisbrot at the client end using a browser, i see the following error message. Not sure where to take it from here. Any help is appreciated. `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://nb.external.com:33073/api/users. (Reason: CORS request did not succeed). Status code: (null).`

saavagebueno commented 2025-11-20 05:22:53 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 17, 2024):

@heisbrot , I've made a few tweaks to the compose file, and am able to authenticate, much the same way as i previously had, but am now getting a Object { message: "token invalid", code: 401 } error through the browser.

Note really sure what to chase here, Netbird, Nginx or Zitadel. Based on the error above, appears to be Zitadel. Having said this, i have followed the official guides, and triple checked the settings. I have also searched through github for clues re the error, but noting firm that would resolve the issue.

Keen to hear what you think we should tackle here.

@git-day commented on GitHub (Aug 17, 2024): @heisbrot , I've made a few tweaks to the compose file, and am able to authenticate, much the same way as i previously had, but am now getting a `Object { message: "token invalid", code: 401 }` error through the browser. Note really sure what to chase here, Netbird, Nginx or Zitadel. Based on the error above, appears to be Zitadel. Having said this, i have followed the official guides, and triple checked the settings. I have also searched through github for clues re the error, but noting firm that would resolve the issue. Keen to hear what you think we should tackle here. 

saavagebueno commented 2025-11-20 05:22:53 -05:00

Author

Owner

Copy Link

@joshuahigginson1 commented on GitHub (Aug 17, 2024):

Don't want to lead you down the garden path @git-day , we had some CORS issues after hardening the Nginx instance which fronts the dashboard UI.

First off, I'd try launching a separate application and try to connect it to Zitadel directly.

I'd also try an a separate browser, in private mode, just to make sure that no expired auth tokens are being cached in local storage.

Is your url actually set to 'nb.external.com' or did you just sensor this when posting your issue?

@joshuahigginson1 commented on GitHub (Aug 17, 2024): Don't want to lead you down the garden path @git-day , we had some CORS issues after hardening the Nginx instance which fronts the dashboard UI. First off, I'd try launching a separate application and try to connect it to Zitadel directly. I'd also try an a separate browser, in private mode, just to make sure that no expired auth tokens are being cached in local storage. Is your url actually set to 'nb.external.com' or did you just sensor this when posting your issue?

saavagebueno commented 2025-11-20 05:22:53 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 17, 2024):

@joshuahigginson1 , thanks for your help here. Let me try another app as you have suggest to auth against Zitadel. Just an FYI, i have run various browsers, Edge, Chrome, Firefox, Brave, including their own respective private modes.

Correct on the obfuscation re domain name.

I'm wondering why it's saying that it can't authenticate. sudo docker compose logs management shows a number of the following errors:

management-1 | 2024-08-17T08:57:42Z ERRO [context: HTTP, requestID: 0a964f71-3e3d-44e2-b510-76351aa50461] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get zitadel token, statusCode 400 management-1 | 2024-08-17T08:57:42Z ERRO [context: HTTP, requestID: 0a964f71-3e3d-44e2-b510-76351aa50461] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-08-17T08:57:42Z ERRO [context: HTTP, requestID: 0a964f71-3e3d-44e2-b510-76351aa50461] management/server/telemetry/http_api_metrics.go:191: HTTP response 0a964f71-3e3d-44e2-b510-76351aa50461: GET /api/users status 401

I'm considering trying another Idp, not sure which i should choose to do a quick test with.

@git-day commented on GitHub (Aug 17, 2024): @joshuahigginson1 , thanks for your help here. Let me try another app as you have suggest to auth against Zitadel. Just an FYI, i have run various browsers, Edge, Chrome, Firefox, Brave, including their own respective private modes. Correct on the obfuscation re domain name. I'm wondering why it's saying that it can't authenticate. `sudo docker compose logs management` shows a number of the following errors: `management-1 | 2024-08-17T08:57:42Z ERRO [context: HTTP, requestID: 0a964f71-3e3d-44e2-b510-76351aa50461] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get zitadel token, statusCode 400 management-1 | 2024-08-17T08:57:42Z ERRO [context: HTTP, requestID: 0a964f71-3e3d-44e2-b510-76351aa50461] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-08-17T08:57:42Z ERRO [context: HTTP, requestID: 0a964f71-3e3d-44e2-b510-76351aa50461] management/server/telemetry/http_api_metrics.go:191: HTTP response 0a964f71-3e3d-44e2-b510-76351aa50461: GET /api/users status 401` I'm considering trying another Idp, not sure which i should choose to do a quick test with.

saavagebueno commented 2025-11-20 05:22:53 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 18, 2024):

@joshuahigginson1 and @heisbrot , i managed to run up an authentik Idp instance and reconfigured netbird to use it, and have resolved the issues encountered above. Zitadel does appear to have an issue, and is unresolved IMO.

In any instance, although i have cleared one hurdle, another one has popped up. This time its related to the an account within a cache. See error message below.

sudo docker compose logs management

management-1 | 2024-08-18T09:34:07Z INFO [context: HTTP, requestID: 8e78b404-1d03-4f6b-9e4f-82a00184879f, accountID: , userID: 4] management/server/account.go:1427: cache invalid. Users unknown to the cache: 2 management-1 | 2024-08-18T09:34:08Z INFO [requestID: 8e78b404-1d03-4f6b-9e4f-82a00184879f, accountID: , userID: 4, context: HTTP] management/server/account.go:1388: refreshing cache for account cqtkjnqde1ds738k3c00 management-1 | 2024-08-18T09:34:08Z WARN management/server/account.go:1261: user 280133991200194563 not found in IDP management-1 | 2024-08-18T09:34:08Z WARN [requestID: 8e78b404-1d03-4f6b-9e4f-82a00184879f, accountID: , userID: 4, context: HTTP] management/server/account.go:1395: cache for account cqtkjnqde1ds738k3c00 reached maximum refresh attempts (2)
These issues appear to be related to the following open issue https://github.com/netbirdio/netbird/issues/1942

When I login through the frontend, it authenticates and redirects to the following page. The odd thing here is that i can't access the dashboard. Assuming this is because its related to the above user not found in IDP ?

How do i troubleshoot this?

@git-day commented on GitHub (Aug 18, 2024): @joshuahigginson1 and @heisbrot , i managed to run up an authentik Idp instance and reconfigured netbird to use it, and have resolved the issues encountered above. Zitadel does appear to have an issue, and is unresolved IMO. In any instance, although i have cleared one hurdle, another one has popped up. This time its related to the an account within a cache. See error message below. `sudo docker compose logs management` `management-1 | 2024-08-18T09:34:07Z INFO [context: HTTP, requestID: 8e78b404-1d03-4f6b-9e4f-82a00184879f, accountID: , userID: 4] management/server/account.go:1427: cache invalid. Users unknown to the cache: 2 management-1 | 2024-08-18T09:34:08Z INFO [requestID: 8e78b404-1d03-4f6b-9e4f-82a00184879f, accountID: , userID: 4, context: HTTP] management/server/account.go:1388: refreshing cache for account cqtkjnqde1ds738k3c00 management-1 | 2024-08-18T09:34:08Z WARN management/server/account.go:1261: user 280133991200194563 not found in IDP management-1 | 2024-08-18T09:34:08Z WARN [requestID: 8e78b404-1d03-4f6b-9e4f-82a00184879f, accountID: , userID: 4, context: HTTP] management/server/account.go:1395: cache for account cqtkjnqde1ds738k3c00 reached maximum refresh attempts (2) ` These issues appear to be related to the following open issue https://github.com/netbirdio/netbird/issues/1942 When I login through the frontend, it authenticates and redirects to the following page. The odd thing here is that i can't access the dashboard. Assuming this is because its related to the above `user not found in IDP` ? How do i troubleshoot this? 

saavagebueno commented 2025-11-20 05:22:53 -05:00

Author

Owner

Copy Link

@joshuahigginson1 commented on GitHub (Aug 18, 2024):

Looks like Netbird has already managed to sync some users from your existing Zitadel setup, and now you've lost the ability to log in as an admin. If you can, this should be a matter of deleting your docker volumes and/or Postgres database. ☺️

@joshuahigginson1 commented on GitHub (Aug 18, 2024): Looks like Netbird has already managed to sync some users from your existing Zitadel setup, and now you've lost the ability to log in as an admin. If you can, this should be a matter of deleting your docker volumes and/or Postgres database. ☺️

saavagebueno commented 2025-11-20 05:22:54 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 19, 2024):

@joshuahigginson1 thanks for coming back to me, really appreciate your support!

Yeah, I kind did that by blowing away the cloned github 'netbird' then I pulled down a the latest version, and figured the volumes required by the docker instances would have been removed, but this wasn't the case hence the info above. I've since built a new VM and started fresh, happy to report that the netbird dashboard has appeared and seems stable with Authentik as the Idp.

Having said this, keen to know if you would like me to open another issue re the challenges I had with Zitadel or continue in this thread. Happy to run up another instance for testing / resolution around netbird/Zitadel/Nginx. Let me know.

@git-day commented on GitHub (Aug 19, 2024): @joshuahigginson1 thanks for coming back to me, really appreciate your support! Yeah, I kind did that by blowing away the cloned github 'netbird' then I pulled down a the latest version, and figured the volumes required by the docker instances would have been removed, but this wasn't the case hence the info above. I've since built a new VM and started fresh, happy to report that the netbird dashboard has appeared and seems stable with Authentik as the Idp. Having said this, keen to know if you would like me to open another issue re the challenges I had with Zitadel or continue in this thread. Happy to run up another instance for testing / resolution around netbird/Zitadel/Nginx. Let me know.

saavagebueno commented 2025-11-20 05:22:54 -05:00

Author

Owner

Copy Link

@ShlomiPorush commented on GitHub (Aug 22, 2024):

netbird dashboard has appeared and seems stable with Authentik as the Idp

Hi, how did you manage to get Authentik to work with netbird. i'm stock on the same issues as you mentioned (https://github.com/netbirdio/netbird/issues/2226#issuecomment-2294799417)
2024-08-22T16:45:57Z WARN [context: SYSTEM] management/server/account.go:1022: failed warming up cache due to error: unable to get authentik token, statusCode 400

@ShlomiPorush commented on GitHub (Aug 22, 2024): > netbird dashboard has appeared and seems stable with Authentik as the Idp Hi, how did you manage to get Authentik to work with netbird. i'm stock on the same issues as you mentioned (https://github.com/netbirdio/netbird/issues/2226#issuecomment-2294799417) ` 2024-08-22T16:45:57Z WARN [context: SYSTEM] management/server/account.go:1022: failed warming up cache due to error: unable to get authentik token, statusCode 400 `

saavagebueno commented 2025-11-20 05:22:54 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 22, 2024):

@ShlomiPorush we'll need to know a little more about your environment and setup. Assuming you are using a reverse proxy for both Netbird and Authentik?

The article i followed for Authentik setup is https://docs.netbird.io/selfhosted/identity-providers#authentik.

Note that my instance originally ran with Zitadel, which is the error that i received and have since removed Zitadel. When i stood up an instance of Authentik, i chose not to use a reverse proxy, and configured SSL natively with the Authentik instance. I did this to simply reduce any further troubleshooting on the Idp end. This allowed me to ensure that the Netbird config was correct.

Might be useful to look at the logs from the Netbird end sudo docker compose logs management and sudo docker compose logs dashboard.

@git-day commented on GitHub (Aug 22, 2024): @ShlomiPorush we'll need to know a little more about your environment and setup. Assuming you are using a reverse proxy for both Netbird and Authentik? The article i followed for Authentik setup is https://docs.netbird.io/selfhosted/identity-providers#authentik. Note that my instance originally ran with Zitadel, which is the error that i received and have since removed Zitadel. When i stood up an instance of Authentik, i chose not to use a reverse proxy, and configured SSL natively with the Authentik instance. I did this to simply reduce any further troubleshooting on the Idp end. This allowed me to ensure that the Netbird config was correct. Might be useful to look at the logs from the Netbird end `sudo docker compose logs management` and `sudo docker compose logs dashboard`.

saavagebueno commented 2025-11-20 05:22:54 -05:00

Author

Owner

Copy Link

@bachrc commented on GitHub (Aug 29, 2024):

Same error here. Running a fresh install of netbird with Authentik, and it keeps disconnecting me on the dashboard

@bachrc commented on GitHub (Aug 29, 2024): Same error here. Running a fresh install of netbird with Authentik, and it keeps disconnecting me on the dashboard

saavagebueno commented 2025-11-20 05:22:54 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Aug 30, 2024):

@bachrc we'll need to know a little more about your environment and setup. Assuming you are using a reverse proxy for both Netbird and Authentik?

@git-day commented on GitHub (Aug 30, 2024): @bachrc we'll need to know a little more about your environment and setup. Assuming you are using a reverse proxy for both Netbird and Authentik?

saavagebueno commented 2025-11-20 05:22:54 -05:00

Author

Owner

Copy Link

@bachrc commented on GitHub (Aug 30, 2024):

No reverse proxies for each, they are on separate vps and they handle themselves the TLS. Both are installed with their own docker

@bachrc commented on GitHub (Aug 30, 2024): No reverse proxies for each, they are on separate vps and they handle themselves the TLS. Both are installed with their own docker

saavagebueno commented 2025-11-20 05:22:55 -05:00

Author

Owner

Copy Link

@arshanskiyav commented on GitHub (Sep 21, 2024):

New install NetBird + KeyCloak (25.0.1) + NGINX (v14 on centos, grpc_socket_keepalive on - commented out, letsencrypt). Each service on a different virtual machine

TCP ports 443,80 forwarded to NGINX

I got:

layout-8d9e50216f3f6630.js:1
GET https://ntbd.domain.com:33073/api/users net::ERR_CONNECTION_TIMED_OUT

Then i add forwarding TCP ports 33073,33080 to NetBird and get this problem::

GET https://ntbd.domain.com:33073/api/users net::ERR_SSL_PROTOCOL_ERROR

@arshanskiyav commented on GitHub (Sep 21, 2024): New install NetBird + KeyCloak (25.0.1) + NGINX (v14 on centos, `grpc_socket_keepalive on` - commented out, letsencrypt). Each service on a different virtual machine TCP ports 443,80 forwarded to NGINX I got: > layout-8d9e50216f3f6630.js:1 > GET https://ntbd.domain.com:33073/api/users net::ERR_CONNECTION_TIMED_OUT Then i add forwarding TCP ports 33073,33080 to NetBird and get this problem:: > GET https://ntbd.domain.com:33073/api/users net::ERR_SSL_PROTOCOL_ERROR

saavagebueno commented 2025-11-20 05:22:55 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Sep 21, 2024):

@arshanskiyav can you please share the layout of the environment and where each service sits, as diag would be ideal. Is each service on a sperate network? Can you share the docker compose files for Netbird, NGNIX followed by the nginx.conf. It would also be useful to see the associated Netbird configs, management.json and. What idp are you using?

@git-day commented on GitHub (Sep 21, 2024): @arshanskiyav can you please share the layout of the environment and where each service sits, as diag would be ideal. Is each service on a sperate network? Can you share the docker compose files for Netbird, NGNIX followed by the nginx.conf. It would also be useful to see the associated Netbird configs, management.json and. What idp are you using?

saavagebueno commented 2025-11-20 05:22:55 -05:00

Author

Owner

Copy Link

@arshanskiyav commented on GitHub (Sep 22, 2024):

@arshanskiyav can you please share the layout of the environment and where each service sits, as diag would be ideal. Is each service on a sperate network? Can you share the docker compose files for Netbird, NGNIX followed by the nginx.conf. It would also be useful to see the associated Netbird configs, management.json and. What idp are you using?

Hi, thanks for your reply.

For idp i use - keycloak (v 25.0.1).
Each service is located on a separate virtual machine, but on a shared network (10.110.1.0/24).

• Nginx (nginx001) - 10.110.1.11
• NetBird (ntbd.domain.com as external and vpn001.skz.loc as internal fqdn) - 10.110.1.5
• KeyCloak (sso.domain.com and kc001.skz.loc) - 10.110.1.4
• Windows Server based LDAP server as the next step for setup (DC001) - 10.110.1.2

Nginx is standalone on Centos. Nginx version is 14. My nginx conf basis on the tmpl from netbird/infrastructure_files/nginx.tmpl.conf:

ntbd.domain.com.conf

upstream dashboard {
    # insert the http port of your dashboard container here
#    server vpn001.skz.loc:8011;
    server vpn001.skz.loc;

    # Improve performance by keeping some connections alive.
    keepalive 10;
}
upstream signal {
    # insert the grpc port of your signal container here
    server vpn001.skz.loc:10000;
}
upstream management {
    # insert the grpc+http port of your signal container here
    server vpn001.skz.loc:8012;
}

server {
        server_name ntbd.domain.com;


    # This is necessary so that grpc connections do not get closed early
    # see https://stackoverflow.com/a/67805465
    client_header_timeout 1d;
    client_body_timeout 1d;

    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme $scheme;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        X-Forwarded-Host $host;
    grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

    # Proxy dashboard
    location / {
        proxy_pass http://dashboard;
    }
    # Proxy Signal
    location /signalexchange.SignalExchange/ {
        grpc_pass grpc://signal;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
#        grpc_socket_keepalive on;
    }
    # Proxy Management http endpoint
    location /api {
        proxy_pass http://management;
    }
    # Proxy Management grpc endpoint
    location /management.ManagementService/ {
        grpc_pass grpc://management;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
#        grpc_socket_keepalive on;
    }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ntbd.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ntbd.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = ntbd.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name ntbd.domain.com;
        listen 80;
    return 404; # managed by Certbot
}

docker-compose.yml

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://ntbd.domain.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://ntbd.domain.com:33073
      # OIDC
      - AUTH_AUDIENCE=netbird-client
      - AUTH_CLIENT_ID=netbird-client
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://sso.domain.com/realms/NETBIRD
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=ntbd.domain.com:33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET=wxHQy5xhJP4
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=ntbd.domain.com",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: ntbd.domain.com # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:ntbd.domain.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:ntbd.domain.com:3478",
                "Username": "self",
                "Password": "PjklExeusQlt6g"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rel://ntbd.domain.com:33080"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "wxHQy5xhJP4"
    },
    "Signal": {
        "Proto": "https",
        "URI": "ntbd.domain.com:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "p+CupLYbmWrg+Var+0EQ=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "netbird-client",
        "AuthIssuer": "https://sso.domain.com/realms/NETBIRD",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/certs",
        "OIDCConfigEndpoint": "https://sso.domain.com/realms/NETBIRD/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "keycloak",
        "ClientConfig": {
            "Issuer": "https://sso.domain.com/realms/NETBIRD",
            "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token",
            "ClientID": "netbird-backend",
            "ClientSecret": "wd6xg2QMyo3",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "AdminEndpoint": "https://sso.domain.com/admin/realms/NETBIRD"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "netbird-client",
            "ClientSecret": "",
            "Domain": "sso.domain.com",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth/device",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "netbird-client",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

diagram as i see it

I tried to change the external FQDN in /etc/hosts (ntbd.domain.com) resolution from external IP to 127.0.01 but I got the same error:

GET https://ntbd.domain.com:33073/api/users net::ERR_CONNECTION_TIMED_OUT

And I checked how the name is resolved on the Netbird virtual machine and in the Docker container "dashboard", the name is resolved as 127.0.0.1

Then i add forwarding TCP ports 33073,33080 to NetBird and get this problem::

GET https://ntbd.domain.com:33073/api/users net::ERR_SSL_PROTOCOL_ERROR

@arshanskiyav commented on GitHub (Sep 22, 2024): > @arshanskiyav can you please share the layout of the environment and where each service sits, as diag would be ideal. Is each service on a sperate network? Can you share the docker compose files for Netbird, NGNIX followed by the nginx.conf. It would also be useful to see the associated Netbird configs, management.json and. What idp are you using? Hi, thanks for your reply. For idp i use - keycloak (v 25.0.1). Each service is located on a separate virtual machine, but on a shared network (10.110.1.0/24). - Nginx (nginx001) - 10.110.1.11 - NetBird (ntbd.domain.com as external and vpn001.skz.loc as internal fqdn) - 10.110.1.5 - KeyCloak (sso.domain.com and kc001.skz.loc) - 10.110.1.4 - Windows Server based LDAP server as the next step for setup (DC001) - 10.110.1.2 Nginx is standalone on Centos. Nginx version is 14. My nginx conf basis on the tmpl from `netbird/infrastructure_files/nginx.tmpl.conf`: <details><summary>ntbd.domain.com.conf</summary> ``` upstream dashboard { # insert the http port of your dashboard container here # server vpn001.skz.loc:8011; server vpn001.skz.loc; # Improve performance by keeping some connections alive. keepalive 10; } upstream signal { # insert the grpc port of your signal container here server vpn001.skz.loc:10000; } upstream management { # insert the grpc+http port of your signal container here server vpn001.skz.loc:8012; } server { server_name ntbd.domain.com; # This is necessary so that grpc connections do not get closed early # see https://stackoverflow.com/a/67805465 client_header_timeout 1d; client_body_timeout 1d; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Proxy dashboard location / { proxy_pass http://dashboard; } # Proxy Signal location /signalexchange.SignalExchange/ { grpc_pass grpc://signal; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; # grpc_socket_keepalive on; } # Proxy Management http endpoint location /api { proxy_pass http://management; } # Proxy Management grpc endpoint location /management.ManagementService/ { grpc_pass grpc://management; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; # grpc_socket_keepalive on; } listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/ntbd.domain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/ntbd.domain.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = ntbd.domain.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name ntbd.domain.com; listen 80; return 404; # managed by Certbot } ``` </details> <details><summary>docker-compose.yml</summary> ``` version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 80:80 - 443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://ntbd.domain.com:33073 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://ntbd.domain.com:33073 # OIDC - AUTH_AUDIENCE=netbird-client - AUTH_CLIENT_ID=netbird-client - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://sso.domain.com/realms/NETBIRD - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= volumes: - netbird-letsencrypt:/etc/letsencrypt/ logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 10000:80 # # port and command for Let's Encrypt validation # - 443:443 # command: ["--letsencrypt-domain", "", "--log-file", "console"] logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=ntbd.domain.com:33080 # todo: change to a secure secret - NB_AUTH_SECRET=wxHQy5xhJP4 ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ports: - 33073:443 #API port # # command for Let's Encrypt validation without dashboard container # command: ["--letsencrypt-domain", "", "--log-file", "console"] command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=ntbd.domain.com", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: ntbd.domain.com # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: netbird-letsencrypt: ``` </details> <details><summary>management.json</summary> ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:ntbd.domain.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:ntbd.domain.com:3478", "Username": "self", "Password": "PjklExeusQlt6g" } ] }, "Relay": { "Addresses": [ "rel://ntbd.domain.com:33080" ], "CredentialsTTL": "24h0m0s", "Secret": "wxHQy5xhJP4" }, "Signal": { "Proto": "https", "URI": "ntbd.domain.com:10000", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "p+CupLYbmWrg+Var+0EQ=", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "netbird-client", "AuthIssuer": "https://sso.domain.com/realms/NETBIRD", "AuthUserIDClaim": "", "AuthKeysLocation": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/certs", "OIDCConfigEndpoint": "https://sso.domain.com/realms/NETBIRD/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "keycloak", "ClientConfig": { "Issuer": "https://sso.domain.com/realms/NETBIRD", "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token", "ClientID": "netbird-backend", "ClientSecret": "wd6xg2QMyo3", "GrantType": "client_credentials" }, "ExtraConfig": { "AdminEndpoint": "https://sso.domain.com/admin/realms/NETBIRD" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "netbird-client", "ClientSecret": "", "Domain": "sso.domain.com", "Audience": "netbird-client", "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token", "DeviceAuthEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth/device", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "netbird-client", "ClientSecret": "", "Domain": "", "Audience": "netbird-client", "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ``` </details> <details><summary>diagram as i see it</summary>  </details> I tried to change the external FQDN in `/etc/hosts` (ntbd.domain.com) resolution from external IP to 127.0.01 but I got the same error: > GET https://ntbd.domain.com:33073/api/users net::ERR_CONNECTION_TIMED_OUT And I checked how the name is resolved on the Netbird virtual machine and in the Docker container "dashboard", the name is resolved as 127.0.0.1 Then i add forwarding TCP ports 33073,33080 to NetBird and get this problem:: > GET https://ntbd.domain.com:33073/api/users net::ERR_SSL_PROTOCOL_ERROR

saavagebueno commented 2025-11-20 05:22:55 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Sep 24, 2024):

@arshanskiyav , try the following.

upstream dashboard {
    # insert the http port of your dashboard container here
#    server vpn001.skz.loc:8011;
    server 10.110.1.5:8086;

    # Improve performance by keeping some connections alive.
    keepalive 10;
}
upstream signal {
    # insert the grpc port of your signal container here
    server 10.110.1.5:8087;
}
upstream management {
    # insert the grpc+http port of your signal container here
    server 10.110.1.5:6443;
}
upstream relay {
    server 10.110.1.5:8088;
}

server {
        listen 443 ssl http2;
        server_name ntbd.domain.com;


    # This is necessary so that grpc connections do not get closed early
    # see https://stackoverflow.com/a/67805465
    client_header_timeout 1d;
    client_body_timeout 1d;

    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme $scheme;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        X-Forwarded-Host $host;
    grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

    # Proxy dashboard
    location / {
        proxy_pass http://dashboard;
    }
    # Proxy Signal
    location /signalexchange.SignalExchange/ {
        grpc_pass grpc://signal;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }
    # Proxy Management http endpoint
    location /api {
        proxy_pass http://management;
    }
    # Proxy Management grpc endpoint
    location /management.ManagementService/ {
        grpc_pass grpc://management;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }
    # Proxy Relay http endpoint
    location /relay/ {
        proxy_pass http://relay/relay;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Forward headers
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_cache_bypass $http_upgrade;
    }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ntbd.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ntbd.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = ntbd.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name ntbd.domain.com;
        listen 80;
    return 404; # managed by Certbot
}

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 8086:80
      #- 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://ntbd.domain.com:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://ntbd.domain.com:443
      # OIDC
      - AUTH_AUDIENCE=netbird-client
      - AUTH_CLIENT_ID=netbird-client
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://sso.domain.com/realms/NETBIRD
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 8087:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:8088
    - NB_EXPOSED_ADDRESS=rels://ntbd.domain.com:443
    # todo: change to a secure secret
    - NB_AUTH_SECRET=wxHQy5xhJP4
    ports:
      - 8088:8088
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 6443:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=ntbd.domain.com",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: ntbd.domain.com # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:ntbd.domain.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:ntbd.domain.com:3478",
                "Username": "self",
                "Password": "PjklExeusQlt6g"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rels://ntbd.domain.com:443"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "wxHQy5xhJP4"
    },
    "Signal": {
        "Proto": "https",
        "URI": "ntbd.domain.com:443",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "p+CupLYbmWrg+Var+0EQ=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "netbird-client",
        "AuthIssuer": "https://sso.domain.com/realms/NETBIRD",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/certs",
        "OIDCConfigEndpoint": "https://sso.domain.com/realms/NETBIRD/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "keycloak",
        "ClientConfig": {
            "Issuer": "https://sso.domain.com/realms/NETBIRD",
            "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token",
            "ClientID": "netbird-backend",
            "ClientSecret": "wd6xg2QMyo3",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "AdminEndpoint": "https://sso.domain.com/admin/realms/NETBIRD"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "netbird-client",
            "ClientSecret": "",
            "Domain": "sso.domain.com",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth/device",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "netbird-client",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

@git-day commented on GitHub (Sep 24, 2024): @arshanskiyav , try the following. ``` upstream dashboard { # insert the http port of your dashboard container here # server vpn001.skz.loc:8011; server 10.110.1.5:8086; # Improve performance by keeping some connections alive. keepalive 10; } upstream signal { # insert the grpc port of your signal container here server 10.110.1.5:8087; } upstream management { # insert the grpc+http port of your signal container here server 10.110.1.5:6443; } upstream relay { server 10.110.1.5:8088; } server { listen 443 ssl http2; server_name ntbd.domain.com; # This is necessary so that grpc connections do not get closed early # see https://stackoverflow.com/a/67805465 client_header_timeout 1d; client_body_timeout 1d; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Proxy dashboard location / { proxy_pass http://dashboard; } # Proxy Signal location /signalexchange.SignalExchange/ { grpc_pass grpc://signal; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Proxy Management http endpoint location /api { proxy_pass http://management; } # Proxy Management grpc endpoint location /management.ManagementService/ { grpc_pass grpc://management; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Proxy Relay http endpoint location /relay/ { proxy_pass http://relay/relay; # WebSocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; # Forward headers proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Host $http_host; proxy_cache_bypass $http_upgrade; } listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/ntbd.domain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/ntbd.domain.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = ntbd.domain.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name ntbd.domain.com; listen 80; return 404; # managed by Certbot } ``` ``` version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 8086:80 #- 443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://ntbd.domain.com:443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://ntbd.domain.com:443 # OIDC - AUTH_AUDIENCE=netbird-client - AUTH_CLIENT_ID=netbird-client - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://sso.domain.com/realms/NETBIRD - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= volumes: - netbird-letsencrypt:/etc/letsencrypt/ logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 8087:80 # # port and command for Let's Encrypt validation # - 443:443 # command: ["--letsencrypt-domain", "", "--log-file", "console"] logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=:8088 - NB_EXPOSED_ADDRESS=rels://ntbd.domain.com:443 # todo: change to a secure secret - NB_AUTH_SECRET=wxHQy5xhJP4 ports: - 8088:8088 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ports: - 6443:443 #API port # # command for Let's Encrypt validation without dashboard container # command: ["--letsencrypt-domain", "", "--log-file", "console"] command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=ntbd.domain.com", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: ntbd.domain.com # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: netbird-letsencrypt: ``` ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:ntbd.domain.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:ntbd.domain.com:3478", "Username": "self", "Password": "PjklExeusQlt6g" } ] }, "Relay": { "Addresses": [ "rels://ntbd.domain.com:443" ], "CredentialsTTL": "24h0m0s", "Secret": "wxHQy5xhJP4" }, "Signal": { "Proto": "https", "URI": "ntbd.domain.com:443", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "p+CupLYbmWrg+Var+0EQ=", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "netbird-client", "AuthIssuer": "https://sso.domain.com/realms/NETBIRD", "AuthUserIDClaim": "", "AuthKeysLocation": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/certs", "OIDCConfigEndpoint": "https://sso.domain.com/realms/NETBIRD/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "keycloak", "ClientConfig": { "Issuer": "https://sso.domain.com/realms/NETBIRD", "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token", "ClientID": "netbird-backend", "ClientSecret": "wd6xg2QMyo3", "GrantType": "client_credentials" }, "ExtraConfig": { "AdminEndpoint": "https://sso.domain.com/admin/realms/NETBIRD" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "netbird-client", "ClientSecret": "", "Domain": "sso.domain.com", "Audience": "netbird-client", "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token", "DeviceAuthEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth/device", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "netbird-client", "ClientSecret": "", "Domain": "", "Audience": "netbird-client", "TokenEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/token", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://sso.domain.com/realms/NETBIRD/protocol/openid-connect/auth", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ```

saavagebueno commented 2025-11-20 05:22:55 -05:00

Author

Owner

Copy Link

@git-day commented on GitHub (Nov 18, 2024):

All, adding in the authentik management.json config.

management.json - authentik

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:ntbd.domain.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:ntbd.domain.com:3478",
                "Username": "self",
                "Password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
            }
        ]
    },
    "Signal": {
        "Proto": "https",
        "URI": "ntbd.domain.com",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "AuthIssuer": "https://sso.domain.com/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://sso.domain.com/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://sso.domain.com/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://sso.domain.com/application/o/netbird",
            "TokenEndpoint": "https://sso.domain.com/application/o/token/",
            "ClientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "Username": "ENTER USERNAME"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "ClientSecret": "",
            "Domain": "sso.domain.com",
            "Audience": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "TokenEndpoint": "https://sso.domain.com/application/o/token/",
            "DeviceAuthEndpoint": "https://sso.domain.com/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "TokenEndpoint": "https://sso.domain.com/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://sso.domain.com/application/o/authorize/",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
      "Engine": "sqlite"
  },
  "Relay": {
      "Addresses": ["rels://ntbd.domain.com/relay"],
      "CredentialsTTL": "24h",
      "Secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  },
  "ReverseProxy": {
      "TrustedHTTPProxies": [],
      "TrustedHTTPProxiesCount": 0,
      "TrustedPeers": [
          "0.0.0.0/0"
      ]
  }
}

@git-day commented on GitHub (Nov 18, 2024): All, adding in the authentik management.json config. # management.json - authentik ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:ntbd.domain.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:ntbd.domain.com:3478", "Username": "self", "Password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } ] }, "Signal": { "Proto": "https", "URI": "ntbd.domain.com", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "AuthIssuer": "https://sso.domain.com/application/o/netbird/", "AuthUserIDClaim": "", "AuthKeysLocation": "https://sso.domain.com/application/o/netbird/jwks/", "OIDCConfigEndpoint": "https://sso.domain.com/application/o/netbird/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://sso.domain.com/application/o/netbird", "TokenEndpoint": "https://sso.domain.com/application/o/token/", "ClientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "Username": "ENTER USERNAME" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "ClientSecret": "", "Domain": "sso.domain.com", "Audience": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "TokenEndpoint": "https://sso.domain.com/application/o/token/", "DeviceAuthEndpoint": "https://sso.domain.com/application/o/device/", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "ClientSecret": "", "Domain": "", "Audience": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "TokenEndpoint": "https://sso.domain.com/application/o/token/", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://sso.domain.com/application/o/authorize/", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "Relay": { "Addresses": ["rels://ntbd.domain.com/relay"], "CredentialsTTL": "24h", "Secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ```

saavagebueno commented 2025-11-20 05:22:55 -05:00

Author

Owner

Copy Link

@markcst commented on GitHub (Dec 22, 2024):

It happens to me as well when I enter my netbird.my-domain.tld page.

I'm using Zitadel selfhosted. I wondered if it was the setting of NETBIRD_AUTH_REDIRECT_URI="/auth" (I did this while following the guide, and I tried to change that in the docker-compose.yml back to the commented one versione (which was #NETBIRD_AUTH_REDIRECT_URI="/peers") but then I got a
{"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."} after reloading the page.

So i reverted to the /auth version suggested by the guide - which btw was filled by the ./configure.sh script that gets all the variables from the setup.env and put them in the various netbird config files (docker-compose.yml, management.json, etc.)

No matter what I do, I always end up to the netbird.my-domain.tld/peers page when Netbird seems to do an endless search for peers or something like that.

I'm using Traefik as my reverse proxy

@markcst commented on GitHub (Dec 22, 2024): It happens to me as well when I enter my `netbird.my-domain.tld` page. I'm using Zitadel selfhosted. I wondered if it was the setting of `NETBIRD_AUTH_REDIRECT_URI="/auth"` (I did this while following the [guide](https://docs.netbird.io/selfhosted/identity-providers#zitadel), and I tried to change that in the `docker-compose.yml` back to the commented one versione (which was `#NETBIRD_AUTH_REDIRECT_URI="/peers"`) but then I got a `{"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."}` after reloading the page. So i reverted to the `/auth` version suggested by the guide - which btw was filled by the `./configure.sh` script that gets all the variables from the `setup.env` and put them in the various netbird config files (`docker-compose.yml`, `management.json`, etc.) No matter what I do, I always end up to the `netbird.my-domain.tld/peers` page when Netbird seems to do an endless search for peers or something like that.  I'm using Traefik as my reverse proxy

saavagebueno commented 2025-11-20 05:22:56 -05:00

Author

Owner

Copy Link

@alexcrow1974 commented on GitHub (Aug 1, 2025):

I had the same problem when I moved to proxying everything behind nginx. If you're using the docker setup, these setting MUST match the port your are presenting from the outside, not from your container:

services:
  # UI dashboard
  dashboard:
    <<: *default
    image: netbirdio/dashboard:latest
    ports:
      - 8001:80
      - 4443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.foobar.com:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.foobar.com:443

Don't put the internal/docker ip/ports that nginx has as the backend here, put the URL:port that your proxy is set to listen on.

@alexcrow1974 commented on GitHub (Aug 1, 2025): I had the same problem when I moved to proxying everything behind nginx. If you're using the docker setup, these setting MUST match the port your are presenting from the outside, not from your container: ``` services: # UI dashboard dashboard: <<: *default image: netbirdio/dashboard:latest ports: - 8001:80 - 4443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://netbird.foobar.com:443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.foobar.com:443 ``` Don't put the internal/docker ip/ports that nginx has as the backend here, put the URL:port that your proxy is set to listen on.

saavagebueno commented 2025-11-20 05:22:56 -05:00

Author

Owner

Copy Link

@djex commented on GitHub (Oct 2, 2025):

I had the same problem, but it seems to be resolved by adjusting the /etc/hosts file. Here's what worked for me:

# /etc/hosts
127.0.0.1       localhost

Initially, I had other hostnames defined before localhost, but this setup caused issues with Docker containers accessing the identity provider configuration. Simplifying the /etc/hosts file to include only localhost for IPv4 resolved the problem.

As we're all probably aware, the /etc/hosts file is used to map IP addresses to hostnames. It's common practice to include multiple hostnames on a single line, such as 127.0.1.1 hostname.domain.tld hostname localhost, to associate multiple hostnames with an IP address. However, this configuration appears to interfere with Docker's DNS resolution inside containers.

In this case, the management container was repeatedly failing to fetch the OIDC configuration due to connection refusals on 127.0.1.1. Changing the /etc/hosts file to the above did resolve this...

If this is what's affecting others as well, and to perhaps avoid similar issues in the future, it might be beneficial to document this behavior as a known issue or recommend best practices for /etc/hosts configurations in the setup guides. Additionally, it could be helpful to investigate why Docker's DNS resolution behaves differently with multiple hostnames and whether there are configuration changes that can make it more robust to different /etc/hosts setups.

I'm not a big Docker fan myself, so I'm not terribly inclined to dig into this any further myself.

This solved my problem.

@djex commented on GitHub (Oct 2, 2025): > I had the same problem, but it seems to be resolved by adjusting the `/etc/hosts` file. Here's what worked for me: > > ``` > # /etc/hosts > 127.0.0.1 localhost > ``` > > Initially, I had other hostnames defined before `localhost`, but this setup caused issues with Docker containers accessing the identity provider configuration. Simplifying the `/etc/hosts` file to include only `localhost` for IPv4 resolved the problem. > > As we're all probably aware, the `/etc/hosts` file is used to map IP addresses to hostnames. It's common practice to include multiple hostnames on a single line, such as `127.0.1.1 hostname.domain.tld hostname localhost`, to associate multiple hostnames with an IP address. However, this configuration appears to interfere with Docker's DNS resolution inside containers. > > In this case, the management container was repeatedly failing to fetch the OIDC configuration due to connection refusals on `127.0.1.1`. Changing the `/etc/hosts` file to the above did resolve this... > > If this is what's affecting others as well, and to perhaps avoid similar issues in the future, it might be beneficial to document this behavior as a known issue or recommend best practices for `/etc/hosts` configurations in the setup guides. Additionally, it could be helpful to investigate why Docker's DNS resolution behaves differently with multiple hostnames and whether there are configuration changes that can make it more robust to different `/etc/hosts` setups. > > I'm not a big Docker fan myself, so I'm not terribly inclined to dig into this any further myself. This solved my problem.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feature/affected-peers

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

ui-refactor

drop-dns-probes

improve-usp-fw

reduce-embed-wg-pool

dns-skip-failover-on-ede

feat/byod-proxy

windows-dns-firewall

fix/relay-healthcheck-non-standard-port

fix/login-persist-url-flags

ssh-config-tmp-cleanup

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

wasm-js-func-release

wasm-websocket-dial

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

vnc-server

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

v0.70.5

v0.70.4

v0.70.3

v0.70.2

v0.70.1

v0.70.0

v0.69.0

v0.68.3

v0.68.2

v0.68.1

v0.68.0

v0.67.4

v0.67.3

v0.67.2

v0.67.1

v0.67.0

v0.66.4

v0.66.3

v0.66.2

v0.66.1

v0.66.0

v0.65.3

v0.65.2

v0.65.1

v0.65.0

v0.64.6

v0.64.5

v0.64.4

v0.64.3

v0.64.2

v0.64.1

v0.64.0

v0.63.0

v0.62.3

v0.62.2

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.9

v0.60.8

v0.60.7

v0.60.6

v0.60.5

v0.60.4

v0.60.3

v0.60.2

v0.60.1

v0.60.0

v0.59.13

v0.59.12

v0.59.11

v0.59.10

v0.59.9

v0.59.8

v0.59.7

v0.59.6

v0.59.5

v0.59.4

v0.59.3

v0.59.2

v0.59.1

v0.59.0

v0.58.2

v0.58.1

v0.58.0

v0.57.1

v0.57.0

v0.56.1

v0.56.0

v0.55.1

v0.55.0

v0.54.2

v0.54.1

v0.54.0

v0.53.0

v0.52.2

v0.52.1

v0.52.0

v0.51.2

v0.51.1

v0.51.0

v0.50.3

v0.50.2

v0.50.1

v0.50.0

v0.49.0

v0.48.0-dev2

v0.48.0

v0.47.2

v0.47.1

v0.47.0

v0.46.0

v0.45.3

v0.45.2

v0.45.1

v0.45.0

v0.44.0

v0.43.3

v0.43.2

v0.43.1

v0.43.0

v0.42.0

v0.41.3

v0.41.2

v0.41.1

v0.41.0

v0.40.1

v0.40.0

v0.39.2

v0.39.1

v0.39.0

v0.38.2

v0.38.1

v0.38.0

v0.37.2

v0.37.1

v0.37.0

v0.36.7

v0.36.6

v0.36.5

v0.36.4

v0.36.3

v0.36.2

v0.36.1

v0.36.0

v0.35.2

v0.35.1

v0.35.0

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.1

v0.31.0

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.4

v0.29.3

0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.9

v0.28.8

v0.28.7

v0.28.6

v0.28.5

v0.28.4

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.10

v0.27.9

v0.27.8

v0.27.7

v0.27.6

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.26.7

v0.26.6

v0.26.5

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.9

v0.25.8

v0.25.7

v0.25.6

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.9

v0.23.8

v0.23.7

v0.23.6

v0.23.5

v0.23.4

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.7

v0.22.6

v0.22.5

v0.22.4

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.11

v0.21.10

v0.21.9

v0.21.8

v0.21.7

v0.21.6

v0.21.5

v0.21.4

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.8

v0.20.7

v0.20.6

v0.20.5

v0.20.4

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.1

v0.18.0

v0.17.0

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.10

v0.10.9

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.8

v0.9.7

v0.9.6

v0.9.5

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.11

v0.5.10

v0.5.1

v0.5.0

v0.4.0

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.3

v0.2.2-beta.1

v0.2.1-beta.5

v0.2.0-beta.5

v0.2.0-beta.4

v0.2.0-beta.3

v0.2.0-beta.2

v0.2.0-beta.1

v0.1.0-beta.3

v0.1.0-beta.2

v0.1.0-beta.1

v0.1.0-rc.2

v0.1.0-rc-1

v0.0.8-hotfix-1

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

v0.0.0

Labels

Clear labels

2021 Q4

2022 Q1

2022 Q1

accessibility

acl

agent

agent

Android

Android

api

authentik

automation

azure

battery-usage

bug

cache

client

client-ui

cloud

cloud-only

cloudflare

community

compatibility

config-idp

config-issue

connection

contribution

coturn

cross-vpn

dashboard

data-usage

distribution

dns

docker

documentation

duplicate

enhancement

enhancement

event-stream

feature-request

freebsd

getting-started

go

good first issue

gui

help wanted

home-assistant

idp

inconsistency

integration

integrations

ios

ipv6

jwt

k8s

keycloak

linux

login

macos

management-service

missing-docs

mobile

moved-internal

needs-review

netbird-ui

networking

new-platform

nginx

notification

okta

openwrt

packaging

peer-management

peer-management

peer-management

performance

postgres

posture-checks

psk

pull-request

Mirrored from GitHub Pull Request

question

refactor

relay

release

rfc

routes

security

security-related

self-hosting

server

signal

sleep-issue

ssh

ssl

status

store

synology

system-compatibility-issue

test-suite

third-party-integration

triage

triage-needed

troubleshooting

UX

waiting-feedback

windows

wontfix

zitadel

No Label dashboard triage-needed

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

saavagebueno

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#1039