Add listener side proxy protocol support and enable it in traefik (#5332)

Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>
2026-04-15 23:06:38 +00:00 · 2026-02-17 06:40:10 +08:00
parent baed6e46ec
commit 0146e39714
6 changed files with 276 additions and 55 deletions
--- a/go.mod
+++ b/go.mod
@@ -83,6 +83,7 @@ require (
 	github.com/pion/stun/v3 v3.1.0
 	github.com/pion/transport/v3 v3.1.1
 	github.com/pion/turn/v3 v3.0.1
 	github.com/pires/go-proxyproto v0.11.0
 	github.com/pkg/sftp v1.13.9
 	github.com/prometheus/client_golang v1.23.2
 	github.com/quic-go/quic-go v0.55.0
--- a/go.sum
+++ b/go.sum
@@ -474,6 +474,8 @@ github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
 github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
 github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
 github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
 github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -329,6 +329,9 @@ initialize_default_values() {
  BIND_LOCALHOST_ONLY="true"
  EXTERNAL_PROXY_NETWORK=""
  # Traefik static IP within the internal bridge network
  TRAEFIK_IP="172.30.0.10"
  # NetBird Proxy configuration
  ENABLE_PROXY="false"
  PROXY_DOMAIN=""
@@ -393,7 +396,7 @@ check_existing_installation() {
    echo "Generated files already exist, if you want to reinitialize the environment, please remove them first."
    echo "You can use the following commands:"
    echo "  $DOCKER_COMPOSE_COMMAND down --volumes # to remove all containers and volumes"
-    echo "  rm -f docker-compose.yml dashboard.env config.yaml proxy.env nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt"
+    echo "  rm -f docker-compose.yml dashboard.env config.yaml proxy.env traefik-dynamic.yaml nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt"
    echo "Be aware that this will remove all data from the database, and you will have to reconfigure the dashboard."
    exit 1
  fi
@@ -412,6 +415,8 @@ generate_configuration_files() {
        # This will be overwritten with the actual token after netbird-server starts
        echo "# Placeholder - will be updated with token after netbird-server starts" > proxy.env
        echo "NB_PROXY_TOKEN=placeholder" >> proxy.env
        # TCP ServersTransport for PROXY protocol v2 to the proxy backend
        render_traefik_dynamic > traefik-dynamic.yaml
      fi
      ;;
    1)
@@ -559,10 +564,14 @@ init_environment() {
 ############################################
 render_docker_compose_traefik_builtin() {
-  # Generate proxy service section if enabled
+  # Generate proxy service section and Traefik dynamic config if enabled
  local proxy_service=""
  local proxy_volumes=""
  local traefik_file_provider=""
  local traefik_dynamic_volume=""
  if [[ "$ENABLE_PROXY" == "true" ]]; then
    traefik_file_provider='      - "--providers.file.filename=/etc/traefik/dynamic.yaml"'
    traefik_dynamic_volume="      - ./traefik-dynamic.yaml:/etc/traefik/dynamic.yaml:ro"
    proxy_service="
  # NetBird Proxy - exposes internal resources to the internet
  proxy:
@@ -570,7 +579,7 @@ render_docker_compose_traefik_builtin() {
    container_name: netbird-proxy
    # Hairpin NAT fix: route domain back to traefik's static IP within Docker
    extra_hosts:
-      - \"$NETBIRD_DOMAIN:172.30.0.10\"
+      - \"$NETBIRD_DOMAIN:$TRAEFIK_IP\"
    ports:
    - 51820:51820/udp
    restart: unless-stopped
@@ -590,6 +599,7 @@ render_docker_compose_traefik_builtin() {
      - traefik.tcp.routers.proxy-passthrough.service=proxy-tls
      - traefik.tcp.routers.proxy-passthrough.priority=1
      - traefik.tcp.services.proxy-tls.loadbalancer.server.port=8443
      - traefik.tcp.services.proxy-tls.loadbalancer.serverstransport=pp-v2@file
    logging:
      driver: \"json-file\"
      options:
@@ -609,7 +619,7 @@ services:
    restart: unless-stopped
    networks:
      netbird:
-        ipv4_address: 172.30.0.10
+        ipv4_address: $TRAEFIK_IP
    command:
      # Logging
      - "--log.level=INFO"
@@ -636,12 +646,14 @@ services:
      # gRPC transport settings
      - "--serverstransport.forwardingtimeouts.responseheadertimeout=0s"
      - "--serverstransport.forwardingtimeouts.idleconntimeout=0s"
 $traefik_file_provider
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - netbird_traefik_letsencrypt:/letsencrypt
 $traefik_dynamic_volume
    logging:
      driver: "json-file"
      options:
@@ -751,6 +763,10 @@ server:
    cliRedirectURIs:
      - "http://localhost:53000/"
  reverseProxy:
    trustedHTTPProxies:
      - "$TRAEFIK_IP/32"
  store:
    engine: "sqlite"
    encryptionKey: "$DATASTORE_ENCRYPTION_KEY"
@@ -780,6 +796,17 @@ EOF
  return 0
 }
 render_traefik_dynamic() {
  cat <<'EOF'
 tcp:
  serversTransports:
    pp-v2:
      proxyProtocol:
        version: 2
 EOF
  return 0
 }
 render_proxy_env() {
  cat <<EOF
 # NetBird Proxy Configuration
@@ -799,6 +826,10 @@ NB_PROXY_OIDC_CLIENT_ID=netbird-proxy
 NB_PROXY_OIDC_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/oauth2
 NB_PROXY_OIDC_SCOPES=openid,profile,email
 NB_PROXY_FORWARDED_PROTO=https
 # Enable PROXY protocol to preserve client IPs through L4 proxies (Traefik TCP passthrough)
 NB_PROXY_PROXY_PROTOCOL=true
 # Trust Traefik's IP for PROXY protocol headers
 NB_PROXY_TRUSTED_PROXIES=$TRAEFIK_IP
 EOF
  return 0
 }
--- a/proxy/cmd/proxy/cmd/root.go
+++ b/proxy/cmd/proxy/cmd/root.go
@@ -56,6 +56,7 @@ var (
 	certKeyFile       string
 	certLockMethod    string
 	wgPort            int
 	proxyProtocol     bool
 )
 var rootCmd = &cobra.Command{
@@ -90,6 +91,7 @@ func init() {
 	rootCmd.Flags().StringVar(&certKeyFile, "cert-key-file", envStringOrDefault("NB_PROXY_CERTIFICATE_KEY_FILE", "tls.key"), "TLS certificate key filename within the certificate directory")
 	rootCmd.Flags().StringVar(&certLockMethod, "cert-lock-method", envStringOrDefault("NB_PROXY_CERT_LOCK_METHOD", "auto"), "Certificate lock method for cross-replica coordination: auto, flock, or k8s-lease")
 	rootCmd.Flags().IntVar(&wgPort, "wg-port", envIntOrDefault("NB_PROXY_WG_PORT", 0), "WireGuard listen port (0 = random). Fixed port only works with single-account deployments")
 	rootCmd.Flags().BoolVar(&proxyProtocol, "proxy-protocol", envBoolOrDefault("NB_PROXY_PROXY_PROTOCOL", false), "Enable PROXY protocol on TCP listeners to preserve client IPs behind L4 proxies")
 }
 // Execute runs the root command.
@@ -165,6 +167,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 		TrustedProxies:           parsedTrustedProxies,
 		CertLockMethod:           nbacme.CertLockMethod(certLockMethod),
 		WireguardPort:            wgPort,
 		ProxyProtocol:            proxyProtocol,
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
--- a/proxy/proxyprotocol_test.go
+++ b/proxy/proxyprotocol_test.go
@@ -0,0 +1,106 @@
 package proxy
 import (
 	"net"
 	"net/netip"
 	"testing"
 	"time"
 	proxyproto "github.com/pires/go-proxyproto"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestWrapProxyProtocol_OverridesRemoteAddr(t *testing.T) {
 	srv := &Server{
 		Logger:         log.StandardLogger(),
 		TrustedProxies: []netip.Prefix{netip.MustParsePrefix("127.0.0.1/32")},
 		ProxyProtocol:  true,
 	}
 	raw, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
 	defer raw.Close()
 	ln := srv.wrapProxyProtocol(raw)
 	realClientIP := "203.0.113.50"
 	realClientPort := uint16(54321)
 	accepted := make(chan net.Conn, 1)
 	go func() {
 		conn, err := ln.Accept()
 		if err != nil {
 			return
 		}
 		accepted <- conn
 	}()
 	// Connect and send a PROXY v2 header.
 	conn, err := net.Dial("tcp", ln.Addr().String())
 	require.NoError(t, err)
 	defer conn.Close()
 	header := &proxyproto.Header{
 		Version:           2,
 		Command:           proxyproto.PROXY,
 		TransportProtocol: proxyproto.TCPv4,
 		SourceAddr:        &net.TCPAddr{IP: net.ParseIP(realClientIP), Port: int(realClientPort)},
 		DestinationAddr:   &net.TCPAddr{IP: net.ParseIP("10.0.0.1"), Port: 443},
 	}
 	_, err = header.WriteTo(conn)
 	require.NoError(t, err)
 	select {
 	case accepted := <-accepted:
 		defer accepted.Close()
 		host, _, err := net.SplitHostPort(accepted.RemoteAddr().String())
 		require.NoError(t, err)
 		assert.Equal(t, realClientIP, host, "RemoteAddr should reflect the PROXY header source IP")
 	case <-time.After(2 * time.Second):
 		t.Fatal("timed out waiting for connection")
 	}
 }
 func TestProxyProtocolPolicy_TrustedRequires(t *testing.T) {
 	srv := &Server{
 		Logger:         log.StandardLogger(),
 		TrustedProxies: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
 	}
 	opts := proxyproto.ConnPolicyOptions{
 		Upstream: &net.TCPAddr{IP: net.ParseIP("10.0.0.1"), Port: 1234},
 	}
 	policy, err := srv.proxyProtocolPolicy(opts)
 	require.NoError(t, err)
 	assert.Equal(t, proxyproto.REQUIRE, policy, "trusted source should require PROXY header")
 }
 func TestProxyProtocolPolicy_UntrustedIgnores(t *testing.T) {
 	srv := &Server{
 		Logger:         log.StandardLogger(),
 		TrustedProxies: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
 	}
 	opts := proxyproto.ConnPolicyOptions{
 		Upstream: &net.TCPAddr{IP: net.ParseIP("203.0.113.50"), Port: 1234},
 	}
 	policy, err := srv.proxyProtocolPolicy(opts)
 	require.NoError(t, err)
 	assert.Equal(t, proxyproto.IGNORE, policy, "untrusted source should have PROXY header ignored")
 }
 func TestProxyProtocolPolicy_InvalidIPRejects(t *testing.T) {
 	srv := &Server{
 		Logger:         log.StandardLogger(),
 		TrustedProxies: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
 	}
 	opts := proxyproto.ConnPolicyOptions{
 		Upstream: &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
 	}
 	policy, err := srv.proxyProtocolPolicy(opts)
 	require.NoError(t, err)
 	assert.Equal(t, proxyproto.REJECT, policy, "unparsable address should be rejected")
 }
--- a/proxy/server.go
+++ b/proxy/server.go
@@ -23,6 +23,7 @@ import (
 	"time"
 	"github.com/cenkalti/backoff/v4"
 	proxyproto "github.com/pires/go-proxyproto"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	log "github.com/sirupsen/logrus"
@@ -92,7 +93,7 @@ type Server struct {
 	DebugEndpointEnabled bool
 	// DebugEndpointAddress is the address for the debug HTTP endpoint (default: ":8444").
 	DebugEndpointAddress string
-	// HealthAddress is the address for the health probe endpoint (default: "localhost:8080").
+	// HealthAddress is the address for the health probe endpoint.
 	HealthAddress string
 	// ProxyToken is the access token for authenticating with the management server.
 	ProxyToken string
@@ -107,6 +108,10 @@ type Server struct {
 	// random OS-assigned port. A fixed port only works with single-account
 	// deployments; multiple accounts will fail to bind the same port.
 	WireguardPort int
 	// ProxyProtocol enables PROXY protocol (v1/v2) on TCP listeners.
 	// When enabled, the real client IP is extracted from the PROXY header
 	// sent by upstream L4 proxies that support PROXY protocol.
 	ProxyProtocol bool
 }
 // NotifyStatus sends a status update to management about tunnel connectivity
@@ -137,23 +142,8 @@ func (s *Server) NotifyCertificateIssued(ctx context.Context, accountID, service
 }
 func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
-	s.startTime = time.Now()
+	s.initDefaults()
 	// If no ID is set then one can be generated.
 	if s.ID == "" {
 		s.ID = "netbird-proxy-" + s.startTime.Format("20060102150405")
 	}
 	// Fallback version option in case it is not set.
 	if s.Version == "" {
 		s.Version = "dev"
 	}
 	// If no logger is specified fallback to the standard logger.
 	if s.Logger == nil {
 		s.Logger = log.StandardLogger()
 	}
 	// Start up metrics gathering
 	reg := prometheus.NewRegistry()
 	s.meter = metrics.New(reg)
@@ -189,40 +179,11 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 	s.healthChecker = health.NewChecker(s.Logger, s.netbird)
-	if s.DebugEndpointEnabled {
+	s.startDebugEndpoint()
 		debugAddr := debugEndpointAddr(s.DebugEndpointAddress)
 		debugHandler := debug.NewHandler(s.netbird, s.healthChecker, s.Logger)
 		if s.acme != nil {
 			debugHandler.SetCertStatus(s.acme)
 		}
 		s.debug = &http.Server{
 			Addr:     debugAddr,
 			Handler:  debugHandler,
 			ErrorLog: newHTTPServerLogger(s.Logger, logtagValueDebug),
 		}
 		go func() {
 			s.Logger.Infof("starting debug endpoint on %s", debugAddr)
 			if err := s.debug.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
 				s.Logger.Errorf("debug endpoint error: %v", err)
 			}
 		}()
 	}
-	// Start health probe server.
+	if err := s.startHealthServer(reg); err != nil {
-	healthAddr := s.HealthAddress
+		return err
 	if healthAddr == "" {
 		healthAddr = "localhost:8080"
 	}
 	s.healthServer = health.NewServer(healthAddr, s.healthChecker, s.Logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}))
 	healthListener, err := net.Listen("tcp", healthAddr)
 	if err != nil {
 		return fmt.Errorf("health probe server listen on %s: %w", healthAddr, err)
 	}
 	go func() {
 		if err := s.healthServer.Serve(healthListener); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			s.Logger.Errorf("health probe server: %v", err)
 		}
 	}()
 	// Start the reverse proxy HTTPS server.
 	s.https = &http.Server{
@@ -232,10 +193,19 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 		ErrorLog:  newHTTPServerLogger(s.Logger, logtagValueHTTPS),
 	}
 	lc := net.ListenConfig{}
 	ln, err := lc.Listen(ctx, "tcp", addr)
 	if err != nil {
 		return fmt.Errorf("listen on %s: %w", addr, err)
 	}
 	if s.ProxyProtocol {
 		ln = s.wrapProxyProtocol(ln)
 	}
 	httpsErr := make(chan error, 1)
 	go func() {
 		s.Logger.Debugf("starting reverse proxy server on %s", addr)
-		httpsErr <- s.https.ListenAndServeTLS("", "")
+		httpsErr <- s.https.ServeTLS(ln, "", "")
 	}()
 	select {
@@ -251,7 +221,115 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 	}
 }
 // initDefaults sets fallback values for optional Server fields.
 func (s *Server) initDefaults() {
 	s.startTime = time.Now()
 	// If no ID is set then one can be generated.
 	if s.ID == "" {
 		s.ID = "netbird-proxy-" + s.startTime.Format("20060102150405")
 	}
 	// Fallback version option in case it is not set.
 	if s.Version == "" {
 		s.Version = "dev"
 	}
 	// If no logger is specified fallback to the standard logger.
 	if s.Logger == nil {
 		s.Logger = log.StandardLogger()
 	}
 }
 // startDebugEndpoint launches the debug HTTP server if enabled.
 func (s *Server) startDebugEndpoint() {
 	if !s.DebugEndpointEnabled {
 		return
 	}
 	debugAddr := debugEndpointAddr(s.DebugEndpointAddress)
 	debugHandler := debug.NewHandler(s.netbird, s.healthChecker, s.Logger)
 	if s.acme != nil {
 		debugHandler.SetCertStatus(s.acme)
 	}
 	s.debug = &http.Server{
 		Addr:     debugAddr,
 		Handler:  debugHandler,
 		ErrorLog: newHTTPServerLogger(s.Logger, logtagValueDebug),
 	}
 	go func() {
 		s.Logger.Infof("starting debug endpoint on %s", debugAddr)
 		if err := s.debug.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			s.Logger.Errorf("debug endpoint error: %v", err)
 		}
 	}()
 }
 // startHealthServer launches the health probe and metrics server.
 func (s *Server) startHealthServer(reg *prometheus.Registry) error {
 	healthAddr := s.HealthAddress
 	if healthAddr == "" {
 		healthAddr = defaultHealthAddr
 	}
 	s.healthServer = health.NewServer(healthAddr, s.healthChecker, s.Logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}))
 	healthListener, err := net.Listen("tcp", healthAddr)
 	if err != nil {
 		return fmt.Errorf("health probe server listen on %s: %w", healthAddr, err)
 	}
 	go func() {
 		if err := s.healthServer.Serve(healthListener); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			s.Logger.Errorf("health probe server: %v", err)
 		}
 	}()
 	return nil
 }
 // wrapProxyProtocol wraps a listener with PROXY protocol support.
 // When TrustedProxies is configured, only those sources may send PROXY headers;
 // connections from untrusted sources have any PROXY header ignored.
 func (s *Server) wrapProxyProtocol(ln net.Listener) net.Listener {
 	ppListener := &proxyproto.Listener{
 		Listener:          ln,
 		ReadHeaderTimeout: proxyProtoHeaderTimeout,
 	}
 	if len(s.TrustedProxies) > 0 {
 		ppListener.ConnPolicy = s.proxyProtocolPolicy
 	} else {
 		s.Logger.Warn("PROXY protocol enabled without trusted proxies; any source may send PROXY headers")
 	}
 	s.Logger.Info("PROXY protocol enabled on listener")
 	return ppListener
 }
 // proxyProtocolPolicy returns whether to require, skip, or reject the PROXY
 // header based on whether the connection source is in TrustedProxies.
 func (s *Server) proxyProtocolPolicy(opts proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
 	// No logging on reject to prevent abuse
 	tcpAddr, ok := opts.Upstream.(*net.TCPAddr)
 	if !ok {
 		return proxyproto.REJECT, nil
 	}
 	addr, ok := netip.AddrFromSlice(tcpAddr.IP)
 	if !ok {
 		return proxyproto.REJECT, nil
 	}
 	addr = addr.Unmap()
 	// called per accept
 	for _, prefix := range s.TrustedProxies {
 		if prefix.Contains(addr) {
 			return proxyproto.REQUIRE, nil
 		}
 	}
 	return proxyproto.IGNORE, nil
 }
 const (
 	defaultHealthAddr = "localhost:8080"
 	defaultDebugAddr  = "localhost:8444"
 	// proxyProtoHeaderTimeout is the deadline for reading the PROXY protocol
 	// header after accepting a connection.
 	proxyProtoHeaderTimeout = 5 * time.Second
 	// shutdownPreStopDelay is the time to wait after receiving a shutdown signal
 	// before draining connections. This allows the load balancer to propagate
 	// the endpoint removal.
@@ -647,7 +725,7 @@ func (s *Server) protoToMapping(mapping *proto.ProxyMapping) proxy.Mapping {
 // If addr is empty, it defaults to localhost:8444 for security.
 func debugEndpointAddr(addr string) string {
 	if addr == "" {
-		return "localhost:8444"
+		return defaultDebugAddr
 	}
 	return addr
 }