Network and ports for PanDev Metrics on-prem
PanDev Metrics on-prem exposes two TCP ports on the application host: 8080 for the application backend and 9090 for the Spring Boot actuator. This page lists every inbound and outbound network requirement, the recommended reverse-proxy setup, and TLS options.
At a glance
| Property | Value |
|---|---|
| Public inbound | TCP 8080 (or 443 behind a reverse proxy) |
| Internal inbound | TCP 9090 (actuator), 5432 (PostgreSQL), 6379 (Redis) |
| Outbound | HTTPS to configured integrations — minimal, cannot be disabled |
| TLS | Terminated at reverse proxy or via self-signed certificate with client-side validation disabled |
| Air-gapped | Not supported |
Inbound ports
PanDev Metrics opens two TCP ports on the application host. Only 8080 needs to be reachable from outside the host; 9090 stays internal.
| Port | Service | Purpose | Exposure |
|---|---|---|---|
| 8080 | Application backend | REST API for IDE plugins and the frontend | Public (typically behind a reverse proxy on 443) |
| 9090 | Spring Boot actuator | Health, metrics, info endpoints | Internal only |
Database and cache ports are not part of the public surface:
| Port | Service | Exposure |
|---|---|---|
| 5432 | PostgreSQL | Internal (database host ↔ application host only) |
| 6379 | Redis | Internal (application host only) |
Port 8080 — application backend
The backend serves the REST API used by the frontend and by IDE plugins. It must be reachable from:
- The reverse proxy on the same host or in the same network
- IDE plugin hosts (developer workstations or VPN-connected machines)
If port 8080 is closed to developer workstations, IDE plugins do not lose data. The plugins buffer events locally and replay them once connectivity is restored over VPN or the corporate network.
Port 9090 — actuator
The Spring Boot actuator exposes operational endpoints used for health checks and Prometheus scraping. Restrict it to your monitoring network — do not expose it to the public internet.
Common actuator endpoints:
| Endpoint | Purpose |
|---|---|
| /actuator/health | Liveness and readiness — returns `{"status":"UP"}` when healthy |
| /actuator/info | Build and version information |
| /actuator/metrics | Application metrics in Prometheus format |
Outbound egress
PanDev Metrics on-prem requires minimal outbound HTTPS to reach the systems you connect:
- Your Git provider (GitHub, GitLab Self-Managed or Cloud, Bitbucket, Azure DevOps)
- Your task tracker (Jira Cloud or Data Center, YouTrack, ClickUp, Yandex Tracker, Azure Boards)
- Optional LDAP / Active Directory server (if LDAP integration is enabled)
Outbound egress is minimal but cannot be disabled. Air-gapped deployments are not supported.
Open egress on TCP 443 to the hostnames of the integrations you configure. If your network uses an HTTP proxy, set `HTTPS_PROXY` and `NO_PROXY` in the backend container environment.
Reverse proxy
Terminate TLS at a reverse proxy in front of the backend. Nginx and Traefik are both supported; both configurations follow the standard HTTP reverse-proxy pattern.
Nginx
```nginx
server {
    listen 443 ssl http2;
    server_name metrics.example.com;
    ssl_certificate /etc/ssl/certs/pandev.crt;
    ssl_certificate_key /etc/ssl/private/pandev.key;
    client_max_body_size 50m;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }
}
```
Traefik
```yaml
http:
  routers:
    pandev:
      rule: "Host(`metrics.example.com`)"
      entryPoints: [websecure]
      tls: {}
      service: pandev-backend
  services:
    pandev-backend:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"
```
TLS and reverse proxy options
PanDev Metrics works in any of the three TLS configurations below. Choose the one that matches your security policy.
| Option | What you set up | When to use |
|---|---|---|
| Public CA certificate | Reverse proxy with a certificate from Let's Encrypt or your enterprise CA | Default — recommended for any production install reachable from developer workstations |
| Internal CA certificate | Reverse proxy with an internal CA your fleet already trusts | Corporate networks where developer machines trust an internal CA |
| Self-signed + client validation disabled | Backend served directly with a self-signed certificate, plugins configured to skip SSL validation | Air-gapped testing or evaluation only — not recommended for production |
PanDev Metrics IDE plugins support disabling client-side SSL validation when connecting to a self-signed deployment. The setting is per-plugin and is documented in the plugin guides.
Firewall rules
Minimum inbound rules on the application host:
```bash
firewall-cmd --permanent --add-port=8080/tcp   # only if not fronted by a proxy on 443
firewall-cmd --permanent --add-port=443/tcp    # reverse proxy
firewall-cmd --reload
```
Minimum inbound rules on the database host:
```bash
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" \
  source address="<APPLICATION_HOST_IP>" port port="5432" protocol="tcp" accept'
firewall-cmd --reload
```
Restrict PostgreSQL to only accept connections from the application host IP. Do not expose 5432 to the wider network.
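As an added check that is not part of the PanDev documentation or product, the POSIX shell function below audits the listening TCP sockets on the application host against the exposure tables above: the internal-only ports (9090, 5432, 6379) must not be bound to a wildcard address, and any listening port outside the documented list is reported. It parses `ss -ltnH` output; the sample input embedded at the end is constructed.

```shell
#!/bin/sh
# Added example (not PanDev code): audit listening TCP sockets on the
# application host against the exposure table on this page.
# Usage on a live host:  ss -ltnH | audit_exposure

# Ports that must never listen on a wildcard address (actuator, PostgreSQL, Redis).
INTERNAL_ONLY="9090 5432 6379"
# Ports allowed on a public address (backend, or the reverse proxy in front of it).
PUBLIC_OK="8080 443"

# Reads `ss -ltnH` lines on stdin (4th column is Local Address:Port).
# Prints one finding per line and returns 1 if any finding was produced.
audit_exposure() {
    awk -v internal="$INTERNAL_ONLY" -v public="$PUBLIC_OK" '
    BEGIN {
        n = split(internal, a, " "); for (i = 1; i <= n; i++) int_p[a[i]] = 1
        n = split(public, b, " ");   for (i = 1; i <= n; i++) pub_p[b[i]] = 1
        bad = 0
    }
    NF >= 4 {
        # Split "addr:port" at the last colon so [::]:9090 and 0.0.0.0:9090 both work.
        i = match($4, /:[0-9]+$/); if (i == 0) next
        host = substr($4, 1, i - 1); port = substr($4, i + 1)
        wildcard = (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
        if ((port in int_p) && wildcard) {
            printf "FAIL port %s is internal-only but listens on %s\n", port, host; bad = 1
        } else if (!(port in int_p) && !(port in pub_p)) {
            printf "WARN port %s is not in the documented port list (bound to %s)\n", port, host; bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample: the actuator is wrongly bound to all interfaces.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_exposure || echo "exposure audit failed (see findings above)"
```

Run it on the application host after applying the firewall rules; a clean run prints nothing and exits 0.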
HTTP proxy environment
If the application host sits behind a corporate HTTP proxy, configure it through standard environment variables on the backend container:
| Variable | Purpose |
|---|---|
| HTTP_PROXY | Proxy URL for plain HTTP — rarely used |
| HTTPS_PROXY | Proxy URL for outbound HTTPS to Git / task tracker |
| NO_PROXY | Comma-separated hosts to bypass the proxy (Redis, PostgreSQL, internal services) |
Set these in `.env` alongside the database and Redis variables, then run `docker compose up -d --force-recreate pandev-metrics`.
Constraints and edge cases
- Egress cannot be disabled. PanDev Metrics needs minimal outbound HTTPS to talk to integrations. There is no offline mode.
- Actuator must stay internal. Port 9090 is not designed to be a public surface.
- No mTLS between components. Backend, PostgreSQL, and Redis communicate inside the trusted application network. Add mTLS at the network layer if your policy requires it.
- WebSocket support depends on the reverse proxy. Long-running connections used by parts of the UI need `proxy_read_timeout` raised above the default 60 seconds on Nginx.
Related
- How-to: Install PanDev Metrics on-prem
- Reference: System requirements
- Concept: On-prem architecture