Correct URL for reverse proxy setup

I’m running teleport with docker-compose behind a reverse proxy (Traefik, if that matters). I have added the option --insecure-no-tls to the teleport command and can access the teleport web interface on https://teleport.mydomain.com perfectly fine.

This is my proxy section from my teleport.yaml:

proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  public_addr: teleport.mydomain.com:443
  web_listen_addr: teleport.mydomain.com
  tunnel_listen_addr: 0.0.0.0:3024
  https_keypairs: []

When I create a new user with tctl users add test root,guest I get a registration URL like https://teleport.mydomain.com:3080/web/invite/. When I remove the port (:3080) the invitation link works perfectly fine.
This is not a big deal, but I wonder if I set some configuration value incorrectly or where I can configure this behavior.

Another thing is that I need to use tsh login --proxy teleport.mydomain.com:443 when I access my teleport instance with tsh.
Is there a way to override this behavior and make 443 the default port (as it is for HTTPS)?

What is the reason why teleport exposes the HTTP service on 3080 by default?

I think that setting public_addr under proxy_service should be changing this value for you. Have you restarted Teleport since setting that value?

If this doesn’t help, what version of Teleport are you running? Could you share the rest of your Teleport config file with tokens redacted?

Not for tsh, unfortunately. If you’re using a port other than 3080, you’ll need to provide it on the command line as you’re doing currently.

Teleport’s auth and proxy services do not need to run as root; however root permissions (or equivalent capabilities via setcap) are required to bind to ports < 1024. I think that the decision to use 3080 was made back at the product’s inception to help ensure that people didn’t unnecessarily need to run Teleport as root (or mess around with capabilities, which have only really become widely used since the advent of containerization) just to bind to port 443.