---
name: bnna-tls-router
version: 1.0.0
description: BNNA TLS router port conventions and URL patterns. Use when configuring what port a service listens on, constructing direct-IP hostnames, or debugging connectivity on bnna cluster containers.
tags: [bnna, tls-router, ports, networking, alpn]
---

# BNNA TLS Router

All bnna containers are routed through a TLS reverse proxy on **port 443**. Two URL prefixes control how traffic is handled:

| URL prefix | TLS | Forwarded to backend port |
|------------|-----|---------------------------|
| `tls-<ip>.` | terminated (decrypted) | ALPN decrypted port (see table) |
| `tcp-<ip>.` | passthrough (raw) | ALPN raw port (see table) |

## ALPN Port Mappings

| ALPN | Raw port | Decrypted port | Notes |
|------|----------|----------------|-------|
| `http/1.1` | 443 | **3080** | Services must listen on 3080 for `tls-*` HTTPS |
| `ssh` | 44322 | **22** | sshd via `sclient --alpn ssh` |
| `postgresql` | 5432 | **15432** | 10000 + 5432 |
| `mysql` | 3306 | **13306** | 10000 + 3306 — MariaDB (also for MySQL) |
| `mssql` | 1433 | **11433** | 10000 + 1433 — SQL Server |
| `h2` | 443 | — | raw passthrough only; no plain port |

General rule: for non-HTTP protocols, decrypted port = 10000 + the protocol's default port.

The decrypted backend port is served by a `tcpfwd` listener (`tcpfwd <local-port>:<backend-ip>:<backend-port>`) that forwards to the real service address. For example, MariaDB on `172.24.0.22:3306` is reached via `tcpfwd 13306:172.24.0.22:3306`, and the TLS router routes the `mysql` ALPN to that 13306 listener.

## Service Port Conventions

| Protocol | Backend listens on | Notes |
|----------|--------------------|-------|
| HTTP/S | **3080** | TLS router terminates, forwards here |
| PostgreSQL | **15432** | 10000 + default port |
| SSH | **22** | standard; router uses ALPN `ssh` |

**Web services must listen on port 3080**, not 80 or 8080.
```sh
# correct — reachable at https://tls-10-11-8-x.a.bnna.net
BNNA_ADDR=:3080

# wrong — not routed by the TLS proxy
BNNA_ADDR=:8080
```

## Direct-IP URL Pattern

Given container IP `10.11.8.42`:

- HTTPS (TLS terminated): `https://tls-10-11-8-42.a.bnna.net`
- Raw TCP passthrough: `tcp-10-11-8-42.a.bnna.net:<port>`

Replace the dots in the IP with dashes.

## IP Derivation from VMID

```
VMID   = {4-digit prefix}{3-digit unit}
prefix = VMID / 1000
p12    = prefix / 100
p34    = prefix % 100
unit   = VMID % 1000
IP     = 10.{p12}.{p34}.{unit}

Direct-IP CNAME = tls-10-{p12}-{p34}-{unit}.a.bnna.net   (dev)
                = tls-10-{p12}-{p34}-{unit}.vms.bnna.net (prod)
```

Example — VMID `4001002` (prefix=4001, unit=2):

- IP = `10.40.1.2`
- CNAME target = `tls-10-40-1-2.a.bnna.net`

## Pool Prefixes (Dev Cluster)

| Pool | Prefix | IP range |
|------|--------|----------|
| bnna-dev | 4001 | 10.40.1.x |
| webi | 5001 | 10.50.1.x |
| aj-dev | 1108 | 10.11.8.x |

## SSH Through the TLS Router

SSH to the direct-IP hostname works directly. SSH to a CNAME pointing to a `tls-*` hostname does NOT work — the router doesn't chase CNAMEs. Use `~/.ssh/config` to override:

```
Host myapp.example.com
    Hostname tls-10-11-8-42.a.bnna.net
    User app
```

Or use an `sclient` ProxyCommand:

```
Host tls-*.a.bnna.net
    ProxyCommand sclient %h 22
```
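The VMID derivation and the ALPN port rule above, as an added shell helper for checking hostnames and backend ports on a container (not part of the bnna documentation); it assumes 7-digit VMIDs and that the dev/prod zones apply to both `tls-` and `tcp-` hostnames:

```shell
# Added example (not part of the bnna docs): derive the container IP and router
# hostname from a VMID per the derivation block, and the decrypted backend port
# for an ALPN. Assumptions: VMIDs are 7 decimal digits; the dev/prod zones
# (.a.bnna.net / .vms.bnna.net) apply to both tls- and tcp- prefixes.

# Accept only a 7-digit decimal VMID.
valid_vmid() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print 10.{p12}.{p34}.{unit} for a VMID.
vmid_to_ip() {
    valid_vmid "$1" || { echo "bad VMID: $1" >&2; return 1; }
    n=$(printf '%s' "$1" | sed 's/^0*//')   # strip leading zeros: no octal parsing
    prefix=$(( ${n:-0} / 1000 ))             # 4-digit prefix
    unit=$(( ${n:-0} % 1000 ))               # 3-digit unit
    echo "10.$(( prefix / 100 )).$(( prefix % 100 )).${unit}"
}

# Print the router hostname: $2 = tls (terminated, default) | tcp (passthrough),
# $3 = dev (default) | prod.
vmid_to_host() {
    ip=$(vmid_to_ip "$1") || return 1
    case "${2:-tls}" in
        tls|tcp) kind=${2:-tls} ;;
        *) echo "bad prefix: $2" >&2; return 1 ;;
    esac
    case "${3:-dev}" in
        dev)  zone=a.bnna.net ;;
        prod) zone=vms.bnna.net ;;
        *) echo "bad zone: $3" >&2; return 1 ;;
    esac
    echo "${kind}-$(printf '%s' "$ip" | sed 's/\./-/g').${zone}"
}

# Decrypted backend port for an ALPN: http/1.1 and ssh are the table's special
# cases, other protocols are 10000 + default port, h2 has no plain port.
alpn_backend_port() {
    case "$1" in
        http/1.1)   echo 3080 ;;
        ssh)        echo 22 ;;
        postgresql) echo $(( 10000 + 5432 )) ;;
        mysql)      echo $(( 10000 + 3306 )) ;;
        mssql)      echo $(( 10000 + 1433 )) ;;
        h2)         echo "h2 is passthrough only" >&2; return 1 ;;
        *)          echo "unknown ALPN: $1" >&2; return 1 ;;
    esac
}
```

Run `vmid_to_host 1108042 tcp` to get `tcp-10-11-8-42.a.bnna.net`, or `alpn_backend_port mysql` to confirm the 13306 listener a MariaDB forward must use.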