From 57ea8ed87775e00592dddcd3150a05b52422bb01 Mon Sep 17 00:00:00 2001 From: Ben Schumacher Date: Fri, 12 Jun 2026 09:55:35 +0200 Subject: [PATCH 1/4] Split ports table into inbound and outbound sections Replaces the single wide table (which caused horizontal scrolling) with separate inbound and outbound list-tables for Mattermost Server and Push Proxy. Drops the redundant Direction column since direction is now conveyed by the section heading. --- .../application-architecture.rst | 107 +++++++++++++----- 1 file changed, 81 insertions(+), 26 deletions(-) diff --git a/source/deployment-guide/reference-architecture/application-architecture.rst b/source/deployment-guide/reference-architecture/application-architecture.rst index aa50cb94fc2..41802fa98f0 100644 --- a/source/deployment-guide/reference-architecture/application-architecture.rst +++ b/source/deployment-guide/reference-architecture/application-architecture.rst 
@@ -72,7 +72,7 @@ To ensure high availability, database systems can leverage clustering, replicati **File Storage**: Manages all multimedia assets (e.g., file uploads, images, videos) shared across channels. Storage solutions include the following options: -- **Local Storage**: Files stored directly on the server’s filesystem. For high availability, redundancy can be achieved using RAID configurations or backups to recover from disk failures. +- **Local Storage**: Files stored directly on the server's filesystem. For high availability, redundancy can be achieved using RAID configurations or backups to recover from disk failures. - **Network Attached Storage (NAS)**: Common for enterprises centralizing file storage within their network. NAS setups can include fault-tolerant configurations like distributed systems or replication for uninterrupted access. - **S3**: Offers cloud-based scalable storage for larger environments or organizations with distributed deployments. The database and file storage handle scalability, ensuring efficient support for millions of messages and files while guaranteeing data consistency. S3 inherently supports high availability by distributing data across multiple availability zones, ensuring no single point of failure. 
@@ -141,37 +141,92 @@ If Mattermost is accessible from the open internet with no VPN or MFA set up, we Mattermost services ports ^^^^^^^^^^^^^^^^^^^^^^^^^ -The following table lists the Mattermost services ports for Mattermost Server, push proxy, and mobile app clients. System admins with clients that need to speak to the Mattermost server without a proxy can open specific firewall ports as needed. +The following tables list the Mattermost services ports for Mattermost Server, push proxy, and mobile app clients. System admins with clients that need to speak to the Mattermost server without a proxy can open specific firewall ports as needed. **Mattermost Server** -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| Service Name | Config Setting | Port (default) | Protocol | Direction | Info | -+=============================================================+=======================================+===================================+===========+============+===============================================================+ -| HTTP/Websocket | ServiceSettings.ListenAddress | 8065/80/443 (TLS) | TCP | Inbound | External (no proxy) / Internal (with proxy) | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+ Usually this requires port 80 and 443 when running HTTPS. 
| -| Cluster | ClusterSettings.GossipPort | 8074 | TCP/UDP | Inbound | Internal | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| Metrics | MetricsSettings.ListenAddress | 8067 | TCP | Inbound | External (no proxy) / Internal (with proxy) | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| Database | SqlSettings.DataSource | 5432 (PostgreSQL) / 3306 (MySQL) | TCP | Outbound | Usually internal (recommended) | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| LDAP | LdapSettings.LdapPort | 389 | TCP/UDP | Outbound | | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| S3 Storage | FileSettings.AmazonS3Endpoint | 443 (TLS) | TCP | Outbound | | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| SMTP | EmailSettings.SMTPPort | 10025 | TCP/UDP | Outbound | | -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ -| Push Notifications | EmailSettings.PushNotificationServer | 443 (TLS) | TCP | Outbound | 
| -+-------------------------------------------------------------+---------------------------------------+-----------------------------------+-----------+------------+---------------------------------------------------------------+ +*Inbound ports* + +.. list-table:: + :header-rows: 1 + :widths: auto + + * - Service + - Config Setting + - Port (default) + - Protocol + - Notes + * - HTTP/WebSocket + - ``ServiceSettings.ListenAddress`` + - 8065 / 80 / 443 (TLS) + - TCP + - External (no proxy) / Internal (with proxy). Ports 80 and 443 are typically used when running HTTPS. + * - Cluster (HA) + - ``ClusterSettings.GossipPort`` + - 8074 + - TCP/UDP + - Internal. Both TCP and UDP must be open. + * - Metrics + - ``MetricsSettings.ListenAddress`` + - 8067 + - TCP + - External (no proxy) / Internal (with proxy). + +*Outbound ports* + +.. list-table:: + :header-rows: 1 + :widths: auto + + * - Service + - Config Setting + - Port (default) + - Protocol + - Notes + * - Database + - ``SqlSettings.DataSource`` + - 5432 (PostgreSQL) / 3306 (MySQL) + - TCP + - Usually internal (recommended). 
+ * - LDAP + - ``LdapSettings.LdapPort`` + - 389 + - TCP/UDP + - + * - S3 Storage + - ``FileSettings.AmazonS3Endpoint`` + - 443 (TLS) + - TCP + - + * - SMTP + - ``EmailSettings.SMTPPort`` + - 10025 + - TCP/UDP + - + * - Push Notifications + - ``EmailSettings.PushNotificationServer`` + - 443 (TLS) + - TCP + - **Push Proxy** -+---------------+-----------------+-----------------+-----------+------------+----------------------------------------------+ -| Service Name | Config Setting | Port (default) | Protocol | Direction | Info | -+===============+=================+=================+===========+============+==============================================+ -| Push Proxy | ListenAddress | 8066 | TCP | Inbound | External (no proxy) / Internal (with proxy) | -+---------------+-----------------+-----------------+-----------+------------+----------------------------------------------+ +*Inbound ports* + +.. list-table:: + :header-rows: 1 + :widths: auto + + * - Service + - Config Setting + - Port (default) + - Protocol + - Notes + * - Push Proxy + - ``ListenAddress`` + - 8066 + - TCP + - External (no proxy) / Internal (with proxy). **Mobile Clients** From 637e3d8f55cdfa24ca2907a6956985b7ec52ce8e Mon Sep 17 00:00:00 2001 From: Ben Schumacher Date: Fri, 12 Jun 2026 10:10:04 +0200 Subject: [PATCH 2/4] Tighten scope notes for Metrics and Push Proxy ports Metrics (8067) should only be reachable by trusted monitoring hosts (e.g. Prometheus), not exposed broadly. Push Proxy (8066) should only be reachable from Mattermost Server nodes. --- .../reference-architecture/application-architecture.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/deployment-guide/reference-architecture/application-architecture.rst b/source/deployment-guide/reference-architecture/application-architecture.rst index 41802fa98f0..903c4540402 100644 --- a/source/deployment-guide/reference-architecture/application-architecture.rst 
+++ b/source/deployment-guide/reference-architecture/application-architecture.rst @@ -165,12 +165,12 @@ The following tables list the Mattermost services ports for Mattermost Server, p - ``ClusterSettings.GossipPort`` - 8074 - TCP/UDP - - Internal. Both TCP and UDP must be open. + - Internal only. Must be reachable between all Mattermost Server nodes. Both TCP and UDP must be open. Enterprise only. * - Metrics - ``MetricsSettings.ListenAddress`` - 8067 - TCP - - External (no proxy) / Internal (with proxy). + - Internal only. Restrict access to trusted monitoring hosts (e.g., Prometheus). Must not be exposed to the public internet. Only required when metrics collection is enabled. *Outbound ports* @@ -226,7 +226,7 @@ The following tables list the Mattermost services ports for Mattermost Server, p - ``ListenAddress`` - 8066 - TCP - - External (no proxy) / Internal (with proxy). + - Internal only. Must be reachable only from Mattermost Server nodes. Required when running a self-hosted push proxy. **Mobile Clients** From 46ffb4466b8acb071e43dbae8b1444a537f84f9e Mon Sep 17 00:00:00 2001 From: Ben Schumacher Date: Fri, 12 Jun 2026 10:12:40 +0200 Subject: [PATCH 3/4] Fix cluster port note: "HA only" is more precise than "Enterprise only" --- .../reference-architecture/application-architecture.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/deployment-guide/reference-architecture/application-architecture.rst b/source/deployment-guide/reference-architecture/application-architecture.rst index 903c4540402..d572aa5ff1b 100644 --- a/source/deployment-guide/reference-architecture/application-architecture.rst +++ b/source/deployment-guide/reference-architecture/application-architecture.rst 
@@ -165,7 +165,7 @@ The following tables list the Mattermost services ports for Mattermost Server, p - ``ClusterSettings.GossipPort`` - 8074 - TCP/UDP - - Internal only. Must be reachable between all Mattermost Server nodes. Both TCP and UDP must be open. Enterprise only. + - Internal only. Must be reachable between all Mattermost Server nodes. Both TCP and UDP must be open. HA only. * - Metrics - ``MetricsSettings.ListenAddress`` - 8067 From aa6d500da86414fbe74239608d4297a19d4865a3 Mon Sep 17 00:00:00 2001 From: Ben Schumacher Date: Fri, 12 Jun 2026 10:22:11 +0200 Subject: [PATCH 4/4] Remove MySQL port reference from Database row in ports table --- .../reference-architecture/application-architecture.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/deployment-guide/reference-architecture/application-architecture.rst b/source/deployment-guide/reference-architecture/application-architecture.rst index d572aa5ff1b..7c7876ab271 100644 --- a/source/deployment-guide/reference-architecture/application-architecture.rst +++ b/source/deployment-guide/reference-architecture/application-architecture.rst @@ -185,7 +185,7 @@ The following tables list the Mattermost services ports for Mattermost Server, p - Notes * - Database - ``SqlSettings.DataSource`` - - 5432 (PostgreSQL) / 3306 (MySQL) + - 5432 (PostgreSQL) - TCP - Usually internal (recommended). * - LDAP
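Review bot: In [PATCH 1/4], hunk `@@ -141,37 +141,92 @@`, the new outbound table carries over `TCP/UDP` for the SMTP row (`EmailSettings.SMTPPort`, 10025), but SMTP runs over TCP only, so the Protocol cell invites an unnecessary UDP egress rule. Suggest changing that cell to `TCP` and confirming whether the LDAP row (389) really needs UDP. The same table leaves the Notes cell empty for LDAP, S3 Storage, SMTP and Push Notifications while every inbound row states its exposure; a short destination scope per row (internal directory or mail relay versus external endpoint) would let a firewall admin write egress rules from the table alone.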
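Review bot: In [PATCH 2/4], hunk `@@ -165,12 +165,12 @@`, the Cluster row is rewritten as well (it gains "Must be reachable between all Mattermost Server nodes" and "Enterprise only"), but the subject and body mention only Metrics and Push Proxy, and [PATCH 3/4] then replaces "Enterprise only" with "HA only" one commit later. Suggest folding 3/4 into this patch and naming the Cluster change in the commit message, so the history does not contain a revision that documents the gossip port with a qualifier the series itself considers imprecise. Since the Service cell already reads "Cluster (HA)", the trailing "HA only." could also be dropped or expanded to say the port is unused on single-node deployments.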
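Review bot: In [PATCH 2/4], hunk `@@ -226,7 +226,7 @@`, the new Push Proxy note ("Must be reachable only from Mattermost Server nodes. Required when running a self-hosted push proxy.") is not matched on the server side: the outbound Push Notifications row (`EmailSettings.PushNotificationServer`) still lists only `443 (TLS)` with an empty Notes cell, while the proxy listens on 8066. Suggest adding a note to that outbound row saying which port applies when the destination is a self-hosted push proxy, so the egress rule on the server and the ingress rule on the proxy can be derived consistently from the two tables.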
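Review bot: In [PATCH 4/4], the Port cell becomes `5432 (PostgreSQL)` with no reason given in the commit message. Please state why the MySQL port is dropped, and check the rest of application-architecture.rst for remaining MySQL mentions so the table and the surrounding prose agree. With a single database left in the cell, the Notes column could also point out that the actual port comes from the `SqlSettings.DataSource` connection string, since 5432 is only the default.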