# Network Ports: Complete Reference

Exhaustive table of all ports used by the RGZ stack.

## Main table
| Service | Port | Protocol | Exposed | Via Traefik | Direction | Description | Notes |
|---|---|---|---|---|---|---|---|
| Traefik | 80 | TCP | ✅ | - | ingress | HTTP → HTTPS redirect | Standard port |
| Traefik | 443 | TCP | ✅ | - | ingress | HTTPS TLS | Let's Encrypt |
| rgz-api | 8000 | TCP | ❌ | ✅ | internal | FastAPI app | /api/v1/, /webhooks/ |
| rgz-web | 3000 | TCP | ❌ | ✅ | internal | React dashboard | Admin UI |
| rgz-portal | 80 | TCP | ❌ | ✅ | internal | Captive portal | WiFi login |
| rgz-db | 5432 | TCP | ❌ | ❌ | internal | PostgreSQL | DB service |
| rgz-redis | 6379 | TCP | ❌ | ❌ | internal | Redis | Cache service |
| rgz-radius | 1812 | UDP | ✅ | ❌ | ingress | RADIUS Auth | CPE ↔ Core |
| rgz-radius | 1813 | UDP | ✅ | ❌ | ingress | RADIUS Acct | Accounting |
| rgz-radius | 3799 | UDP | ✅ | ❌ | internal | RADIUS CoA | Change-of-Auth |
| rgz-dns | 53 | UDP | ✅ | ❌ | ingress | DNS queries | Unbound |
| rgz-kea | 67 | UDP | ✅ | ❌ | ingress | DHCP | Kea server |
| rgz-prometheus | 9090 | TCP | ✅ | ❌ | internal | Metrics scraper | Monitoring |
| rgz-alertmanager | 9093 | TCP | ✅ | ❌ | internal | Alert engine | Alerting |
| rgz-grafana | 3000 | TCP | ✅ | ✅ | internal | Dashboards | Visualization |
| rgz-elasticsearch | 9200 | TCP | ✅ | ❌ | internal | Logs DB | ES API |
| rgz-elasticsearch | 9300 | TCP | ❌ | ❌ | internal | ES Cluster | Node communication |
| rgz-kibana | 5601 | TCP | ✅ | ❌ | internal | Logs UI | Log search |
| rgz-logstash | 5000 | TCP | ❌ | ❌ | internal | Log pipeline | Syslog input |
| rgz-logstash | 5001 | TCP | ❌ | ❌ | internal | Log pipeline | JSON input |
| rgz-netflow | 2055 | UDP | ✅ | ❌ | ingress | NetFlow v5 | goflow2 |
| rgz-wireguard | 51820 | UDP | ✅ | ❌ | ingress | VPN tunnel | Inter-site |
| rgz-docs | 8080 | TCP | ✅ | ✅ | internal | MkDocs site | Documentation |
| rgz-nginx | 80 | TCP | ❌ | ❌ | internal | Internal proxy | Load balancer |
| rgz-ids | - | - | ❌ | ❌ | internal | Suricata IDS | No explicit port |
| rgz-beat | - | - | ❌ | ❌ | internal | Celery scheduler | No exposed port |
| rgz-canary | - | - | ❌ | ❌ | internal | Test probes | Celery task |
| rgz-gateway | 3799 | UDP | ✅ | ❌ | internal | CoA listen | Host network |
| Portainer | 9000 | TCP | ✅ | ❌ | internal | Docker UI | Optional |
## Groups by direction

### Ingress ports (inbound from the Internet)

Open in the firewall/NAT:
```text
# HTTP/HTTPS
80/tcp → Traefik redirect
443/tcp → Traefik HTTPS
# RADIUS (CPE)
1812/udp → rgz-radius Auth
1813/udp → rgz-radius Acct
# DNS (public)
53/udp → rgz-dns (optional, can stay internal)
# DHCP (CPE)
67/udp → rgz-kea DHCP
# NetFlow (switches/APs)
2055/udp → rgz-netflow
# WireGuard VPN
51820/udp → rgz-wireguard
```

Firewall rule example (UFW):
```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 1812/udp
sudo ufw allow 1813/udp
sudo ufw allow 53/udp
sudo ufw allow 67/udp
sudo ufw allow 2055/udp
sudo ufw allow 51820/udp
```

iptables rules:
```bash
# HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# RADIUS
iptables -A INPUT -p udp --dport 1812 -j ACCEPT
iptables -A INPUT -p udp --dport 1813 -j ACCEPT
# DNS, DHCP, NetFlow, WireGuard
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A INPUT -p udp --dport 2055 -j ACCEPT
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
```

### Internal ports (Docker intra-network)

Reachable from the rgz_rgz-net network (172.23.0.0/16):
```text
8000/tcp → rgz-api
3000/tcp → rgz-web + rgz-grafana
80/tcp → rgz-portal + rgz-nginx
5432/tcp → rgz-db
6379/tcp → rgz-redis
9090/tcp → rgz-prometheus
9093/tcp → rgz-alertmanager
9200/tcp → rgz-elasticsearch
9300/tcp → rgz-elasticsearch cluster
5601/tcp → rgz-kibana
5000/tcp → rgz-logstash
8080/tcp → rgz-docs
3799/udp → RADIUS CoA
```

### Traefik ports
| Port | Direction | Traffic |
|---|---|---|
| 80 | ingress | HTTP (redirect 301 → 443) |
| 443 | ingress | HTTPS (TLS 1.3) |
| 8080 | internal | Traefik dashboard (optional) |

Traefik endpoints:
```text
# HTTP redirect
GET http://api-rgz.duckdns.org
→ 301 Location: https://api-rgz.duckdns.org
# HTTPS proxy
GET https://api-rgz.duckdns.org/docs
→ 200 (forwarded to rgz-api:8000)
# Dashboard (internal)
GET http://localhost:8080/dashboard
→ Traefik admin panel
```

## Per-service detail

### API (rgz-api)
```text
Port: 8000/tcp
Network: rgz_rgz-net + traefik-public
Exposed: ✅ Traefik (https://api-rgz.duckdns.org)
Protocol: HTTP/1.1, HTTP/2, WebSocket
Routes:
  /api/v1/* → API endpoints
  /docs → Swagger UI
  /redoc → ReDoc UI
  /health → Status
  /metrics → Prometheus metrics
  /webhooks/kkiapay → KKiaPay callback
  /webhooks/letexto → SMS status
  /ws/* → WebSocket live updates
```

### Database (rgz-db)
```text
Port: 5432/tcp
Network: rgz_rgz-net internal
Exposed: ❌ (never expose the DB in production)
Clients: rgz-api, rgz-beat, backups
Auth: POSTGRES_USER / POSTGRES_PASSWORD
```

### Redis (rgz-redis)
```text
Port: 6379/tcp
Network: rgz_rgz-net internal
Exposed: ❌
Clients: rgz-api, rgz-beat, Celery broker
Auth: REDIS_PASSWORD (requirepass)
```

### FreeRADIUS (rgz-radius)
```text
Ports:
  1812/udp → Auth
  1813/udp → Accounting
  3799/udp → CoA (internal)
Network: rgz_rgz-net + external
Exposed: ✅ (CPE access)
Secret: RADIUS_SECRET
```

### Kea DHCP (rgz-kea)
```text
Port: 67/udp
Network: rgz_rgz-net
Exposed: ✅ (CPE access)
Pools: VLAN 100-499 (10.x.0.0/24)
Option 82: Remote-ID = NAS-ID
```

### Unbound DNS (rgz-dns)
```text
Port: 53/udp
Network: rgz_rgz-net
Exposed: ✅ (optional, can be internal)
Mode: Authoritative + Recursive
Features: Blocklist, sinkhole, logging
```

### Prometheus (rgz-prometheus)
```text
Port: 9090/tcp
Network: rgz_rgz-net
Exposed: ✅ (internal access only)
Scrape:
  /metrics → rgz-api, rgz-prometheus, rgz-grafana
Interval: 15s
Retention: 15 days
```

### Grafana (rgz-grafana)
```text
Port: 3000/tcp
Network: rgz_rgz-net + traefik-public
Exposed: ✅ (https://grafana-rgz.duckdns.org)
Auth: admin / GRAFANA_ADMIN_PASSWORD
Datasources:
  Prometheus → metrics
  Elasticsearch → logs
```

### AlertManager (rgz-alertmanager)
```text
Port: 9093/tcp
Network: rgz_rgz-net
Exposed: ✅ (internal management)
Channels:
  Webhook → Celery task
  SMTP → email
  Letexto → SMS
```

### Elasticsearch (rgz-elasticsearch)
```text
Ports:
  9200/tcp → HTTP API
  9300/tcp → cluster communication
Network: rgz_rgz-net
Exposed: ✅ (internal + auth required)
Auth: elastic / ELASTIC_PASSWORD
Indices:
  logstash-api-*
  logstash-radius-*
  logstash-cpe-*
  logstash-netflow-*
```

### Kibana (rgz-kibana)
```text
Port: 5601/tcp
Network: rgz_rgz-net
Exposed: ✅ (internal management)
Auth: elastic / KIBANA_PASSWORD
Backend: Elasticsearch 9200
```

### Logstash (rgz-logstash)
```text
Ports:
  5000/tcp → syslog + json input
  5001/tcp → alternative input
Network: rgz_rgz-net
Pipelines:
  api_logs → API stdout/stderr
  radius_logs → FreeRADIUS syslog
  cpe_syslog → CPE remote syslog
  netflow → NetFlow v5 UDP
Output: Elasticsearch bulk index
```

### NetFlow (rgz-netflow)
```text
Port: 2055/udp
Network: rgz_rgz-net
Exposed: ✅ (external CPE/switches)
Collector: goflow2
Input: NetFlow v5 datagrams
Output: JSON → Elasticsearch
```

### WireGuard VPN (rgz-wireguard)
```text
Port: 51820/udp
Network: rgz_rgz-net
Exposed: ✅ (external sites)
Mode: Site-to-site VPN
Peers: Configuration in WireGuard config
```

### MkDocs (rgz-docs)
```text
Port: 8080/tcp
Network: rgz_rgz-net + traefik-public
Exposed: ✅ (https://docs-rgz.duckdns.org)
Content: /docs folder (docs/*.md)
Type: Static site (Material theme)
```

## Port allocation strategy
- Core services: 8000-8999
- Monitoring: 9000-9999
- Database/Cache: 5000-6999
- System services: 67, 53, 51820 (standard)
- External: 80, 443 (HTTPS)

Reserved ranges:

- 0-1023: System/privileged (avoid for containers)
- 1024-49151: Dynamic/private (use for new services)
- 49152-65535: Reserved for ephemeral ports

## Troubleshooting ports
### Port "already in use"

```bash
# Find which process is using the port
lsof -i :8000
netstat -tulnp | grep 8000
ss -tulnp | grep 8000
# Kill the process
kill -9 <PID>
# Or change the port in .env and recreate the container
# ("restart" keeps the old container config, so the new mapping would not apply)
API_PORT=8001
docker compose -f docker-compose.core.yml up -d rgz-api
```

### Service not reachable on its port
```bash
# Check that the service is listening
docker logs rgz-api | grep "listening"
# Check the port mapping
docker port rgz-api
# 8000/tcp → 127.0.0.1:8000
# Check the firewall
sudo ufw status
# Connectivity test
curl -v http://127.0.0.1:8000/health
telnet 127.0.0.1 8000
```

### UDP ports (RADIUS, DHCP, DNS)
```bash
# Check UDP listeners
netstat -tuln | grep 1812
# Test RADIUS
radtest user password 127.0.0.1 1812 secret
# Test DNS
dig @127.0.0.1 google.com
# Test DHCP
dhclient -v eth1
```

## Monitoring ports
Prometheus metrics:

- `process_resident_memory_bytes` (per process)
- `process_cpu_seconds_total`
- `container_network_receive_bytes_total{interface="eth0"}`
- `container_network_transmit_bytes_total{interface="eth0"}`
- `go_goroutines` (API, monitoring services)

Grafana panels:
- Service port availability
- Latency p50/p95/p99
- Throughput (bytes/sec)
- Error rates
## Firewall checklist

Before going to production, open:
```text
☐ 80/tcp (HTTP redirect)
☐ 443/tcp (HTTPS)
☐ 1812/udp (RADIUS auth)
☐ 1813/udp (RADIUS acct)
☐ 53/udp (DNS: optional, if exposed)
☐ 67/udp (DHCP)
☐ 2055/udp (NetFlow)
☐ 51820/udp (WireGuard: if enabled)
```

Keep closed (internal only):
```text
☐ 8000/tcp (API)
☐ 3000/tcp (Web, Grafana)
☐ 5432/tcp (PostgreSQL)
☐ 6379/tcp (Redis)
☐ 9090/tcp (Prometheus)
☐ 9093/tcp (AlertManager)
☐ 5601/tcp (Kibana)
☐ 9200/tcp (Elasticsearch)
```

## Support
```bash
# List all containers with their published ports
docker ps -a --format "table {{.Names}}\t{{.Ports}}"
# Detailed port mapping
docker port <container>
# Network summary
docker network inspect rgz_rgz-net | grep -A 50 Containers
```
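The firewall checklist above is only as good as the verification behind it: a port published by Docker (`-p` or `ports:`) is reachable through Docker's own iptables chains even when `ufw status` shows no matching allow rule, so the "keep closed" list has to be checked against live listeners and container bindings rather than against UFW alone. The script below is an added example, not part of the RGZ project. It audits two views of the host: the output of `ss -Hltunp` (every socket bound to a wildcard address whose port/proto is not in the ingress allowlist is reported, with internal-only ports flagged separately from unlisted ones) and the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` (every port published on `0.0.0.0` or `::` that is not an ingress port). The port lists come from the table above; the sample outputs are constructed and stand in for the live commands so the script runs offline.

```shell
#!/usr/bin/env bash
# Port-exposure audit for an RGZ host. Added example, not part of the RGZ
# project: it compares what is actually listening with the ingress allowlist
# and the "keep closed" list from the checklist above. The sample outputs are
# constructed stand-ins for `ss -Hltunp` and `docker ps --format '{{.Names}}\t{{.Ports}}'`.

# Ports that may listen on all interfaces (ingress ports from the main table).
ALLOWED_INGRESS="80/tcp 443/tcp 1812/udp 1813/udp 53/udp 67/udp 2055/udp 51820/udp"
# Ports the checklist says must never be reachable from outside the host.
INTERNAL_ONLY="8000/tcp 3000/tcp 5432/tcp 6379/tcp 9090/tcp 9093/tcp 5601/tcp 9200/tcp"

# Constructed `ss -Hltunp` output (Netid State Recv-Q Send-Q Local Peer Process).
# Two internal-only ports (5432, 9200) and one unlisted port (9000) are bound to
# wildcard addresses on purpose to show what the audit reports.
SAMPLE_SS='tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("traefik",pid=1201,fd=7))
tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("traefik",pid=1201,fd=8))
tcp LISTEN 0 128 127.0.0.1:8000 0.0.0.0:* users:(("docker-proxy",pid=1340,fd=4))
tcp LISTEN 0 128 0.0.0.0:5432 0.0.0.0:* users:(("docker-proxy",pid=1355,fd=4))
udp UNCONN 0 0 0.0.0.0:1812 0.0.0.0:* users:(("freeradius",pid=1400,fd=9))
tcp LISTEN 0 128 0.0.0.0:9000 0.0.0.0:* users:(("portainer",pid=1480,fd=6))
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("unbound",pid=1410,fd=3))
tcp LISTEN 0 128 [::]:9200 [::]:* users:(("docker-proxy",pid=1500,fd=4))'

# Constructed `docker ps --format '{{.Names}}\t{{.Ports}}'` output. rgz-db and
# rgz-web are published on 0.0.0.0 here, which the checklist forbids.
SAMPLE_DOCKER=$(printf '%s\t%s\n' \
  rgz-api     '127.0.0.1:8000->8000/tcp' \
  rgz-db      '0.0.0.0:5432->5432/tcp, :::5432->5432/tcp' \
  rgz-redis   '6379/tcp' \
  rgz-web     '0.0.0.0:3000->3000/tcp' \
  rgz-traefik '0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp' \
  rgz-radius  '0.0.0.0:1812->1812/udp, 0.0.0.0:1813->1813/udp')

# Read `ss` output on stdin; report every socket bound to a wildcard address
# (0.0.0.0, *, [::]) whose port/proto is not in the allowlist. Returns 1 if
# anything was reported, 0 otherwise.
audit_listeners() {
  local allowed="$1" internal="$2"
  awk -v allowed="$allowed" -v internal="$internal" '
    BEGIN {
      split(allowed, a, " ");  for (i in a) ok[a[i]] = 1
      split(internal, b, " "); for (i in b) priv[b[i]] = 1
    }
    $1 == "Netid" { next }                     # header line, present when -H is omitted
    {
      proto = $1; laddr = $5
      n = split(laddr, parts, ":"); port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr != "0.0.0.0" && addr != "*" && addr != "[::]") next   # pinned to one address
      key = port "/" proto
      if (key in ok) next
      proc = ""
      if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
      if (key in priv) printf "INTERNAL-ONLY-PORT-EXPOSED %s %s\n", key, proc
      else             printf "UNEXPECTED-WILDCARD-LISTENER %s %s\n", key, proc
      findings++
    }
    END { exit (findings > 0) }'
}

# Read `docker ps` name/ports lines on stdin; report every port published on
# 0.0.0.0 or :: that is not in the allowlist (one line per container and port).
audit_docker_ports() {
  local allowed="$1"
  awk -F'\t' -v allowed="$allowed" '
    BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
    {
      name = $1
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        if (index(maps[i], "->") == 0) continue       # not published: Docker network only
        split(maps[i], side, "->")
        host = side[1]; target = side[2]
        proto = target; sub(/^[^\/]*\//, "", proto)
        m = split(host, hp, ":"); hport = hp[m]
        haddr = substr(host, 1, length(host) - length(hport) - 1)
        if (haddr != "0.0.0.0" && haddr != "::") continue   # loopback or a specific IP
        key = hport "/" proto
        if (key in ok) continue
        if (seen[name, key]++) continue                # same port on IPv4 and IPv6
        printf "PUBLISHED-ON-ALL-INTERFACES %s %s\n", name, key
        findings++
      }
    }
    END { exit (findings > 0) }'
}

# Stand-alone demo on the constructed samples ("|| :" keeps going when findings exist).
printf '%s\n' "$SAMPLE_SS" | audit_listeners "$ALLOWED_INGRESS" "$INTERNAL_ONLY" || :
printf '%s\n' "$SAMPLE_DOCKER" | audit_docker_ports "$ALLOWED_INGRESS" || :
```

On the host, replace the sample feeds with `ss -Hltunp | audit_listeners "$ALLOWED_INGRESS" "$INTERNAL_ONLY"` (run as root so process names are visible) and `docker ps --format '{{.Names}}\t{{.Ports}}' | audit_docker_ports "$ALLOWED_INGRESS"`. A non-zero exit status means at least one finding, which makes the script usable as a pre-production gate or a periodic cron check; the expected clean state is a `docker port` output like `8000/tcp → 127.0.0.1:8000` for every internal-only service.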