[FR] Reverse Proxy: Support HTTP-only serving mode

[jackylamhk]

Before posting

• I searched existing discussions and issues for similar requests.
• I checked the documentation to confirm this is not already supported.
• This is a product idea or enhancement request, not a support question.
• I removed or anonymized sensitive details from examples and screenshots.

Product area

Other / not sure

Problem or use case

As a self-hosted NetBird user, I want to deploy the NetBird reverse proxy to serve HTTP-only traffic so that I can handle TLS termination and certificate issuance upstream. This will enable usage with an upstream L7 ingress or load balancer, such as ALB or Traefik (without TLS passthrough), along with wildcard certificates.

Proposed solution

Expose the proxy HTTP listener directly on the main port, rather than wrapping the HTTPS listener in the main SNI router.

Alternatives or workarounds considered

While we can make NetBird proxy serve a self-signed certificate for the reverse proxy to re-terminate TLS and re-encrypt traffic, this non-breaking change will enable support for a wider range of environments. This also aligns with the rest of the NetBird stack (e.g., Server, Dashboard) that also serve HTTP-only traffic.

Community impact and priority

Deployment type: self-hosted

Examples from other tools or products

No response

Security, privacy, and compatibility considerations

No response

Implementation ideas

See draft PR #6086

Are you willing to help?

Yes, I can submit a PR if the approach is accepted.

Additional context

No response