The table below lists the (default) ports that each Docker image will listen on.
|Docker image||Port (TCP)||Usage|
|nextauth||8888||REST API, TLS is optional and configurable through environment variables.|
|nextauth||8009||Websockets, TLS is optional and configurable through environment variables.|
|nextauth||8888||Mobile API, HTTP-based.|
|nextauth-mgmt*||80||HTTP, server management web interface.|
|nextauth-mgmt*||81||HTTP, account management web interface.|
|nextauth-mgmt*||82||HTTP, identity provider web interface.|
|nextauth-portmap*||80||HTTP, auto-redirects to HTTPS.|
|nextauth-portmap*||443||HTTPS, uses SNI and paths for mapping URLs to services.|
By default the ports of the
nextauth-mgmt containers are not exposed outside of the Docker Compose setup. The
nextauth-portmap utility takes care of mapping incoming connections to the
nextauth-portmap container will not expose the REST API publicly. The REST API should only be used server-side (e.g., by the applications that require nextAuth authentication).
nextauth will make connections to the outside world.
|nextauth||fcm.googleapis.com:443||Push Messages (Android)|
|nextauth||api.push.apple.com:443||Push Messages (iOS)|
|nextauth||license.nextauth.com:443||License Validation Server|
|nextauth||<db server>:<db port>||Database connection, depends on database setup.|
|nextauth||<redis servers>:6379||Redis connection, depends on Redis setup.|
|nextauth||<redis sentinels>:26379||Redis Sentinel connection, depends on Redis setup.|
nextauth-portmap Docker containers will also connect to the
nextauth container(s). Consult the list of incoming ports for details.
When not using
nextauth-portmap all mappings will need to be set up manually on a reverse proxy (e.g., load balancer). The mapping below is only an example of a potential setup.
|wss://ws.example.com||nextauth:8009||Make sure |
|https://api.example.com||nextauth:8888||Optional. Opening up the REST API can be a security risk. See |
|https://dashboard.example.com||nextauth-mgmt:80||Optional. Makes the dashboard available.|
TLS termination always takes place on the reverse proxy. Optionally, a new TLS connection can be set up from the reverse proxy to the
nextauth container for the WebSockets (
nextauth:8009) and API (
nextauth:8888). TLS termination has no impact on the security of the authentication taking place between the Mobile SDK and the NAS, which is completely independent of the usage of TLS.