Default Network Setup (Using nextauth-portmap)

Incoming Network Connections

The table below lists the (default) ports that each Docker image will listen on.

| Docker image | Port (TCP) | Usage |
|---|---|---|
| nextauth | 8888 | REST API, TLS is optional and configurable through environment variables. |
| nextauth | 8009 | Websockets, TLS is optional and configurable through environment variables. |
| nextauth | 8888 | Mobile API, HTTP-based. |
| nextauth-mgmt* | 80 | HTTP, server management web interface. |
| nextauth-mgmt* | 81 | HTTP, account management web interface. |
| nextauth-mgmt* | 82 | HTTP, identity provider web interface. |
| nextauth-portmap* | 80 | HTTP, auto-redirects to HTTPS. |
| nextauth-portmap* | 443 | HTTPS, uses SNI and paths for mapping URLs to services. |

(*) Optional

By default the ports of the nextauth and nextauth-mgmt containers are not exposed outside of the Docker Compose setup. The nextauth-portmap utility takes care of mapping incoming connections to the nextauth and nextauth-mgmt containers.

The nextauth-portmap container will not expose the REST API publicly. The REST API should only be used server-side (e.g., by the applications that require nextAuth authentication).
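The exposure rule above can be checked mechanically. The following is an added example, not part of the nextAuth documentation or product: it audits the `services` mapping of a parsed Compose file and reports every host-published port other than 80 and 443 on nextauth-portmap. The Compose service names, the treatment of loopback bindings as non-public, and the sample data are assumptions.

```python
# Added example: audit Compose port publishing against the table above.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# Assumption: Compose service names equal the image names used on this page.
ALLOWED = {"nextauth-portmap": {80, 443}}  # only portmap listens publicly


def host_binding(entry):
    """Return (host_ip, host_ports) for one Compose `ports` entry.

    host_ports is None when Docker would pick an ephemeral host port.
    """
    if isinstance(entry, dict):  # long syntax: target / published / host_ip
        ip = entry.get("host_ip", "0.0.0.0")
        pub = str(entry.get("published", ""))
    else:  # short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
        parts = str(entry).split("/")[0].rsplit(":", 2)
        ip = parts[0] if len(parts) == 3 else "0.0.0.0"
        pub = parts[-2] if len(parts) >= 2 else ""
    if not pub:
        return ip, None
    lo, _, hi = pub.partition("-")  # host port may be a range "9000-9001"
    return ip, set(range(int(lo), int(hi or lo) + 1))


def audit(services):
    """List (service, host_port) pairs published beyond the default setup."""
    findings = []
    for name, svc in services.items():
        for entry in svc.get("ports", []):  # `expose` never publishes, so skip it
            ip, ports = host_binding(entry)
            if ip in LOOPBACK:  # assumption: loopback-only is not public
                continue
            if ports is None:
                findings.append((name, "ephemeral"))
            else:
                extra = sorted(ports - ALLOWED.get(name, set()))
                findings.extend((name, p) for p in extra)
    return findings


# Constructed sample, shaped like yaml.safe_load(compose_text)["services"].
SAMPLE = {
    "nextauth": {"expose": ["8009"], "ports": ["8888:8888", "127.0.0.1:8009:8009"]},
    "nextauth-mgmt": {"ports": [{"target": 80, "published": 8080}]},
    "nextauth-portmap": {"ports": ["80:80", "443:443/tcp", "8443:443"]},
}

if __name__ == "__main__":
    for service, port in audit(SAMPLE):
        print(f"{service}: host port {port} is published beyond the default setup")
```

An empty result means only nextauth-portmap publishes ports on non-loopback addresses, and only 80 and 443.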

Outgoing Network Connections

Only the nextauth container will make connections to the outside world.

| Docker image | host:port(s) | Usage |
|---|---|---|
| nextauth | fcm.googleapis.com:443 | Push Messages (Android) |
| nextauth | api.push.apple.com:443 | Push Messages (iOS) |
| nextauth | license.nextauth.com:443 | License Validation Server |
| nextauth | <db server>:<db port> | Database connection, depends on database setup. |
| nextauth | <redis servers>:6379 | Redis connection, depends on Redis setup. |
| nextauth | <redis sentinels>:26379 | Redis Sentinel connection, depends on Redis setup. |

The nextauth-mgmt and nextauth-portmap Docker containers will also connect to the nextauth container(s). Consult the list of incoming ports for details.

Manual Network Setup (Without nextauth-portmap)

Mapping ports

When not using nextauth-portmap, all mappings must be set up manually on a reverse proxy (e.g., a load balancer). The mapping below is only an example of a potential setup.

| Incoming URL | Mapping | Remarks |
|---|---|---|
| wss://ws.example.com | nextauth:8009 | Make sure NEXTAUTH_DEFAULT_WS_URL matches the configured URL. See NEXTAUTH_WS_TLS_CERT and NEXTAUTH_WS_TLS_KEY for enabling TLS on nextauth:8009. |
| https://api.example.com | nextauth:8888 | Optional. Opening up the REST API can be a security risk. See NEXTAUTH_API_TLS_CERT and NEXTAUTH_API_TLS_KEY for enabling TLS on nextauth:8888. |
| https://dashboard.example.com | nextauth-mgmt:80 | Optional. Makes the dashboard available. |
| https://account.example.com | nextauth-mgmt:81 | |
| https://idp.example.com | nextauth-mgmt:82 | |

TLS termination always takes place on the reverse proxy. Optionally, a new TLS connection can be set up from the reverse proxy to the nextauth container for the WebSockets (nextauth:8009) and API (nextauth:8888). TLS termination has no impact on the security of the authentication taking place between the Mobile SDK and the NAS, which is completely independent of the usage of TLS.