docs(netbird): describe gRPC routing as the deployed Content-Type matcher

README/SECURITY said gRPC was path-matched (/management.ManagementService/* etc.); the deployed Caddy route selects gRPC by Content-Type: application/grpc* (NetBird's own external-proxy example). Reconciled the prose to what actually runs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:54:09 +02:00 · 2026-06-16 07:54:09 +02:00 · 94dd6da14c
commit 94dd6da14c
parent 684718f4a5
2 changed files with 11 additions and 8 deletions
--- a/roles/netbird_coordinator/README.md
+++ b/roles/netbird_coordinator/README.md
@ -26,12 +26,15 @@ This role does **not** add the Caddy route. The route is a separate task and mus
 front several upstreams on `netbird-server` over the boma network, all to the same
 backend:

- HTTP — `/api/*`, `/oauth2/*`
- Native gRPC (h2c) — `/signalexchange.SignalExchange/*`, `/management.ManagementService/*`
- WebSocket — `/relay*`, `/ws-proxy/*` (upgrade + long timeouts)
- Dashboard catch-all — `/*` → `netbird-dashboard`
+- Native gRPC (signal + management) — matched by **`Content-Type: application/grpc*`**
+  (not by path) → `h2c://netbird-server:80`
+- HTTP + WebSocket — paths `/relay*`, `/ws-proxy/*`, `/api/*`, `/oauth2/*` → `netbird-server:80`
+- Dashboard catch-all — `/*` → `netbird-dashboard:80`

-gRPC needs HTTP/2 (h2c) upstream support; WS/gRPC need extended timeouts.
+This matches NetBird's own external-proxy Caddy example: gRPC (the
+`/management.ManagementService/*` + `/signalexchange.SignalExchange/*` services) is
+selected by content-type rather than enumerated by path. gRPC needs HTTP/2 (h2c)
+upstream support; WS/gRPC need long timeouts (Caddy sets none by default).

 ## Variables — `netbird_coordinator__*`

--- a/roles/netbird_coordinator/SECURITY.md
+++ b/roles/netbird_coordinator/SECURITY.md
@ -5,9 +5,9 @@
 - **Published ports:**
  - `443/tcp` — **not host-published**; reached via the M4a Caddy reverse proxy on the
    `boma` Docker network. Caddy fronts the dashboard SPA, the management REST API
-    (`/api`), the embedded Dex IdP (`/oauth2`), native gRPC over h2c
-    (`/management.ManagementService/*`, `/signalexchange.SignalExchange/*`), and the
-    relay WebSocket (`/relay*`, `/ws-proxy/*`). TLS terminates at Caddy (Let's Encrypt
+    (`/api`), the embedded Dex IdP (`/oauth2`), native gRPC over h2c (the management +
+    signal services, matched by `Content-Type: application/grpc*`), and the relay
+    WebSocket (`/relay*`, `/ws-proxy/*`). TLS terminates at Caddy (Let's Encrypt
    HTTP-01); upstreams listen plain `:80` on the internal network only.
  - `3478/udp` — **STUN, host-published directly** (`netbird-server`'s only host port),
    bypassing Caddy because STUN is UDP and not HTTP.