Correct URL for reverse proxy setup

I’m running teleport with docker-compose behind a reverse proxy (Traefik, if that matters). I have added the option --insecure-no-tls to the teleport command and can access the teleport web interface on perfectly fine.

This is my proxy section from my teleport.yaml:

proxy_service:
  enabled: "yes"
  https_keypairs: []

When I create a new user with tctl users add test root,guest I get a registration URL like When I remove the port (:3080) the invitation link works perfectly fine.
This is not a big deal, but I wonder if I set some configuration value incorrectly or where I can configure this behavior.

Another thing is that I need to use tsh login --proxy when I access my teleport instance with tsh.
Is there a way to override this behavior and make 443 the default port (as it is for HTTPS)?

What is the reason why teleport exposes the HTTP service on 3080 by default?

I think that setting public_addr under proxy_service should be changing this value for you. Have you restarted Teleport since setting that value?

If this doesn’t help, what version of Teleport are you running? Could you share the rest of your Teleport config file with tokens redacted?

Not for tsh, unfortunately; if you’re using a port other than 3080 you’ll need to provide it on the command line as you’re doing currently.

Teleport’s auth and proxy services do not need to run as root; however, root permissions (or equivalent capabilities via setcap) are required to bind to ports < 1024. I think that the decision to use 3080 was made back at the product’s inception to help ensure that people didn’t unnecessarily need to run Teleport as root (or mess around with capabilities, which have only really become widely used since the advent of containerization) just to bind to port 443.
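
The public_addr setting suggested in the reply, shown as an added example that is not part of the original thread or the poster's actual file. The hostname teleport.example.com is a placeholder, and the layout assumes Traefik terminates TLS on 443 and forwards to Teleport's listener on 3080.

```yaml
# teleport.yaml, proxy section only (added illustration; hostname is a placeholder)
proxy_service:
  enabled: "yes"
  # Internal listener that Traefik forwards to. It stays on the unprivileged
  # port 3080, so Teleport does not need root or setcap to bind it.
  web_listen_addr: 0.0.0.0:3080
  # Address of the proxy as clients reach it through Traefik. Setting the
  # external port here is what the reply expects to change the port shown
  # in generated links. Restart Teleport after changing it.
  public_addr: teleport.example.com:443
  # No keypairs: TLS is handled by the reverse proxy and Teleport is started
  # with --insecure-no-tls, so the Traefik-to-Teleport hop is plain HTTP.
  # Keep that hop on a private Docker network and do not publish 3080 on the host.
  https_keypairs: []
```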