Merge remote-tracking branch 'origin/main' into refactor/permissions-manager

# Conflicts:
#	management/internals/modules/reverseproxy/domain/manager/manager.go
#	management/internals/modules/reverseproxy/service/manager/api.go
#	management/internals/server/modules.go
#	management/server/http/testing/testing_tools/channel/channel.go
pascal
2026-03-17 12:38:08 +01:00
244 changed files with 17304 additions and 3509 deletions


@@ -56,12 +56,14 @@ type ExposeRequest struct {
Pin string
Password string
UserGroups []string
ListenPort uint16
}
type ExposeResponse struct {
ServiceName string
Domain string
ServiceURL string
ServiceName string
Domain string
ServiceURL string
PortAutoAssigned bool
}
// NewClient creates a new client to Management service
@@ -790,9 +792,10 @@ func (c *GrpcClient) StopExpose(ctx context.Context, domain string) error {
func fromProtoExposeResponse(resp *proto.ExposeServiceResponse) *ExposeResponse {
return &ExposeResponse{
ServiceName: resp.ServiceName,
Domain: resp.Domain,
ServiceURL: resp.ServiceUrl,
ServiceName: resp.ServiceName,
Domain: resp.Domain,
ServiceURL: resp.ServiceUrl,
PortAutoAssigned: resp.PortAutoAssigned,
}
}
@@ -808,6 +811,8 @@ func toProtoExposeServiceRequest(req ExposeRequest) (*proto.ExposeServiceRequest
protocol = proto.ExposeProtocol_EXPOSE_TCP
case int(proto.ExposeProtocol_EXPOSE_UDP):
protocol = proto.ExposeProtocol_EXPOSE_UDP
case int(proto.ExposeProtocol_EXPOSE_TLS):
protocol = proto.ExposeProtocol_EXPOSE_TLS
default:
return nil, fmt.Errorf("invalid expose protocol: %d", req.Protocol)
}
@@ -820,6 +825,7 @@ func toProtoExposeServiceRequest(req ExposeRequest) (*proto.ExposeServiceRequest
Pin: req.Pin,
Password: req.Password,
UserGroups: req.UserGroups,
ListenPort: uint32(req.ListenPort),
}, nil
}
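Review bot: The new `ListenPort uint16` on ExposeRequest and `PortAutoAssigned bool` on ExposeResponse carry no comments, so a caller of the client type cannot tell that 0 presumably requests auto-assignment (the OpenAPI `listen_port` description in this same commit says so) or that the port is only meaningful for TCP/UDP/TLS exposure. I'd add `ListenPort uint16 // port the proxy listens on for TCP/UDP/TLS exposure; 0 requests auto-assignment` and `PortAutoAssigned bool // true when the server chose the port because ListenPort was 0`. The `uint16` type is the right narrowing for the client side; `toProtoExposeServiceRequest` only widens it to `uint32` on the wire, so no range check is needed here. The ExposeRequest struct definition starts before this hunk.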


@@ -347,6 +347,10 @@ components:
description: Set Clients auto-update version. "latest", "disabled", or a specific version (e.g "0.50.1")
type: string
example: "0.51.2"
auto_update_always:
description: When true, updates are installed automatically in the background. When false, updates require user interaction from the UI.
type: boolean
example: false
embedded_idp_enabled:
description: Indicates whether the embedded identity provider (Dex) is enabled for this account. This is a read-only field.
type: boolean
@@ -2822,6 +2826,24 @@ components:
type: string
description: "City name from geolocation"
example: "San Francisco"
subdivision_code:
type: string
description: "First-level administrative subdivision ISO code (e.g. state/province)"
example: "CA"
bytes_upload:
type: integer
format: int64
description: "Bytes uploaded (request body size)"
example: 1024
bytes_download:
type: integer
format: int64
description: "Bytes downloaded (response body size)"
example: 8192
protocol:
type: string
description: "Protocol type: http, tcp, or udp"
example: "http"
required:
- id
- service_id
@@ -2831,6 +2853,8 @@ components:
- path
- duration_ms
- status_code
- bytes_upload
- bytes_download
ProxyAccessLogsResponse:
type: object
properties:
@@ -2932,12 +2956,32 @@ components:
id:
type: string
description: Service ID
example: "cs8i4ug6lnn4g9hqv7mg"
name:
type: string
description: Service name
example: "myapp.example.netbird.app"
domain:
type: string
description: Domain for the service
example: "myapp.example.netbird.app"
mode:
type: string
description: Service mode. "http" for L7 reverse proxy, "tcp"/"udp"/"tls" for L4 passthrough.
enum: [http, tcp, udp, tls]
default: http
example: "http"
listen_port:
type: integer
minimum: 0
maximum: 65535
description: Port the proxy listens on (L4/TLS only)
example: 8443
port_auto_assigned:
type: boolean
description: Whether the listen port was auto-assigned
readOnly: true
example: false
proxy_cluster:
type: string
description: The proxy cluster handling this service (derived from domain)
@@ -2950,14 +2994,19 @@ components:
enabled:
type: boolean
description: Whether the service is enabled
example: true
pass_host_header:
type: boolean
description: When true, the original client Host header is passed through to the backend instead of being rewritten to the backend's address
example: false
rewrite_redirects:
type: boolean
description: When true, Location headers in backend responses are rewritten to replace the backend address with the public-facing domain
example: false
auth:
$ref: '#/components/schemas/ServiceAuthConfig'
access_restrictions:
$ref: '#/components/schemas/AccessRestrictions'
meta:
$ref: '#/components/schemas/ServiceMeta'
required:
@@ -3001,9 +3050,23 @@ components:
name:
type: string
description: Service name
example: "myapp.example.netbird.app"
domain:
type: string
description: Domain for the service
example: "myapp.example.netbird.app"
mode:
type: string
description: Service mode. "http" for L7 reverse proxy, "tcp"/"udp"/"tls" for L4 passthrough.
enum: [http, tcp, udp, tls]
default: http
example: "http"
listen_port:
type: integer
minimum: 0
maximum: 65535
description: Port the proxy listens on (L4/TLS only). Set to 0 for auto-assignment.
example: 5432
targets:
type: array
items:
@@ -3013,19 +3076,22 @@ components:
type: boolean
description: Whether the service is enabled
default: true
example: true
pass_host_header:
type: boolean
description: When true, the original client Host header is passed through to the backend instead of being rewritten to the backend's address
example: false
rewrite_redirects:
type: boolean
description: When true, Location headers in backend responses are rewritten to replace the backend address with the public-facing domain
example: false
auth:
$ref: '#/components/schemas/ServiceAuthConfig'
access_restrictions:
$ref: '#/components/schemas/AccessRestrictions'
required:
- name
- domain
- targets
- auth
- enabled
ServiceTargetOptions:
type: object
@@ -3033,13 +3099,16 @@ components:
skip_tls_verify:
type: boolean
description: Skip TLS certificate verification for this backend
example: false
request_timeout:
type: string
description: Per-target response timeout as a Go duration string (e.g. "30s", "2m")
example: "30s"
path_rewrite:
type: string
description: Controls how the request path is rewritten before forwarding to the backend. Default strips the matched prefix. "preserve" keeps the full original request path.
enum: [preserve]
example: "preserve"
custom_headers:
type: object
description: Extra headers sent to the backend. Hop-by-hop and proxy-managed headers (Host, Connection, Transfer-Encoding, etc.) are rejected.
@@ -3049,32 +3118,50 @@ components:
additionalProperties:
type: string
pattern: '^[^\r\n]*$'
example: {"X-Custom-Header": "value"}
proxy_protocol:
type: boolean
description: Send PROXY Protocol v2 header to this backend (TCP/TLS only)
example: false
session_idle_timeout:
type: string
description: Idle timeout before a UDP session is reaped, as a Go duration string (e.g. "30s", "2m").
example: "2m"
ServiceTarget:
type: object
properties:
target_id:
type: string
description: Target ID
example: "cs8i4ug6lnn4g9hqv7mg"
target_type:
type: string
description: Target type (e.g., "peer", "resource")
enum: [peer, resource]
description: Target type
enum: [peer, host, domain, subnet]
example: "subnet"
path:
type: string
description: URL path prefix for this target
description: URL path prefix for this target (HTTP only)
example: "/"
protocol:
type: string
description: Protocol to use when connecting to the backend
enum: [http, https]
enum: [http, https, tcp, udp]
example: "http"
host:
type: string
description: Backend ip or domain for this target
example: "10.10.0.1"
port:
type: integer
description: Backend port for this target. Use 0 or omit to use the scheme default (80 for http, 443 for https).
minimum: 1
maximum: 65535
description: Backend port for this target
example: 8080
enabled:
type: boolean
description: Whether this target is enabled
example: true
options:
$ref: '#/components/schemas/ServiceTargetOptions'
required:
@@ -3094,15 +3181,73 @@ components:
$ref: '#/components/schemas/BearerAuthConfig'
link_auth:
$ref: '#/components/schemas/LinkAuthConfig'
header_auths:
type: array
items:
$ref: '#/components/schemas/HeaderAuthConfig'
HeaderAuthConfig:
type: object
description: Static header-value authentication. The proxy checks that the named header matches the configured value.
properties:
enabled:
type: boolean
description: Whether header auth is enabled
example: true
header:
type: string
description: HTTP header name to check (e.g. "Authorization", "X-API-Key")
example: "X-API-Key"
value:
type: string
description: Expected header value. For Basic auth use "Basic base64(user:pass)". For Bearer use "Bearer token". Cleared in responses.
example: "my-secret-api-key"
required:
- enabled
- header
- value
AccessRestrictions:
type: object
description: Connection-level access restrictions based on IP address or geography. Applies to both HTTP and L4 services.
properties:
allowed_cidrs:
type: array
items:
type: string
format: cidr
example: "192.168.1.0/24"
description: CIDR allowlist. If non-empty, only IPs matching these CIDRs are allowed.
blocked_cidrs:
type: array
items:
type: string
format: cidr
example: "10.0.0.0/8"
description: CIDR blocklist. Connections from these CIDRs are rejected. Evaluated after allowed_cidrs.
allowed_countries:
type: array
items:
type: string
pattern: '^[a-zA-Z]{2}$'
example: "US"
description: ISO 3166-1 alpha-2 country codes to allow. If non-empty, only these countries are permitted.
blocked_countries:
type: array
items:
type: string
pattern: '^[a-zA-Z]{2}$'
example: "DE"
description: ISO 3166-1 alpha-2 country codes to block.
PasswordAuthConfig:
type: object
properties:
enabled:
type: boolean
description: Whether password auth is enabled
example: true
password:
type: string
description: Auth password
example: "s3cret"
required:
- enabled
- password
@@ -3112,9 +3257,11 @@ components:
enabled:
type: boolean
description: Whether PIN auth is enabled
example: false
pin:
type: string
description: PIN value
example: "1234"
required:
- enabled
- pin
@@ -3124,10 +3271,12 @@ components:
enabled:
type: boolean
description: Whether bearer auth is enabled
example: true
distribution_groups:
type: array
items:
type: string
example: "ch8i4ug6lnn4g9hqv7mg"
description: List of group IDs that can use bearer auth
required:
- enabled
@@ -3137,6 +3286,7 @@ components:
enabled:
type: boolean
description: Whether link auth is enabled
example: false
required:
- enabled
ProxyCluster:
@@ -3167,17 +3317,25 @@ components:
id:
type: string
description: Domain ID
example: "ds8i4ug6lnn4g9hqv7mg"
domain:
type: string
description: Domain name
example: "example.netbird.app"
validated:
type: boolean
description: Whether the domain has been validated
example: true
type:
$ref: '#/components/schemas/ReverseProxyDomainType'
target_cluster:
type: string
description: The proxy cluster this domain is validated against (only for custom domains)
example: "eu.proxy.netbird.io"
supports_custom_ports:
type: boolean
description: Whether the cluster supports binding arbitrary TCP/UDP ports
example: true
required:
- id
- domain
@@ -3189,9 +3347,11 @@ components:
domain:
type: string
description: Domain name
example: "myapp.example.com"
target_cluster:
type: string
description: The proxy cluster this domain should be validated against
example: "eu.proxy.netbird.io"
required:
- domain
- target_cluster
@@ -4261,6 +4421,12 @@ components:
requires_authentication:
description: Requires authentication
content: { }
conflict:
description: Conflict
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
securitySchemes:
BearerAuth:
type: http
@@ -9605,6 +9771,29 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
/api/reverse-proxies/clusters:
get:
summary: List available proxy clusters
description: Returns a list of available proxy clusters with their connection status
tags: [ Services ]
security:
- BearerAuth: [ ]
- TokenAuth: [ ]
responses:
'200':
description: A JSON Array of proxy clusters
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/ProxyCluster'
'401':
"$ref": "#/components/responses/requires_authentication"
'403':
"$ref": "#/components/responses/forbidden"
'500':
"$ref": "#/components/responses/internal_error"
/api/reverse-proxies/services:
get:
summary: List all Services
@@ -9654,29 +9843,8 @@ paths:
"$ref": "#/components/responses/requires_authentication"
'403':
"$ref": "#/components/responses/forbidden"
'500':
"$ref": "#/components/responses/internal_error"
/api/reverse-proxies/clusters:
get:
summary: List available proxy clusters
description: Returns a list of available proxy clusters with their connection status
tags: [ Services ]
security:
- BearerAuth: [ ]
- TokenAuth: [ ]
responses:
'200':
description: A JSON Array of proxy clusters
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/ProxyCluster'
'401':
"$ref": "#/components/responses/requires_authentication"
'403':
"$ref": "#/components/responses/forbidden"
'409':
"$ref": "#/components/responses/conflict"
'500':
"$ref": "#/components/responses/internal_error"
/api/reverse-proxies/services/{serviceId}:
@@ -9746,6 +9914,8 @@ paths:
"$ref": "#/components/responses/forbidden"
'404':
"$ref": "#/components/responses/not_found"
'409':
"$ref": "#/components/responses/conflict"
'500':
"$ref": "#/components/responses/internal_error"
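Review bot: The AccessRestrictions schema does not say which client address the CIDR checks are applied to; if the proxy takes it from a forwarded header rather than the TCP peer address, `allowed_cidrs` can be satisfied by any client that sets that header, and operators need to know which it is to judge what the allowlist enforces. I'd extend the schema description with `The source address is the connecting peer's IP as seen by the proxy; X-Forwarded-For and similar headers are not consulted.` — or the opposite wording, if that is how the proxy actually resolves it. Precedence is also only half-stated: `blocked_cidrs` says "Evaluated after allowed_cidrs" but not that an address matching both lists is rejected; `Blocked entries take precedence over allowed entries.` would close that. Separately, the access-log `protocol` field description lists only http, tcp and udp while the service `mode` enum in this commit now includes tls, so it is unclear what a TLS passthrough service logs.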
delete:



@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.26.0
// protoc v6.33.3
// protoc v6.33.0
// source: management.proto
package proto
@@ -228,6 +228,7 @@ const (
ExposeProtocol_EXPOSE_HTTPS ExposeProtocol = 1
ExposeProtocol_EXPOSE_TCP ExposeProtocol = 2
ExposeProtocol_EXPOSE_UDP ExposeProtocol = 3
ExposeProtocol_EXPOSE_TLS ExposeProtocol = 4
)
// Enum value maps for ExposeProtocol.
@@ -237,12 +238,14 @@ var (
1: "EXPOSE_HTTPS",
2: "EXPOSE_TCP",
3: "EXPOSE_UDP",
4: "EXPOSE_TLS",
}
ExposeProtocol_value = map[string]int32{
"EXPOSE_HTTP": 0,
"EXPOSE_HTTPS": 1,
"EXPOSE_TCP": 2,
"EXPOSE_UDP": 3,
"EXPOSE_TLS": 4,
}
)
@@ -4047,6 +4050,7 @@ type ExposeServiceRequest struct {
UserGroups []string `protobuf:"bytes,5,rep,name=user_groups,json=userGroups,proto3" json:"user_groups,omitempty"`
Domain string `protobuf:"bytes,6,opt,name=domain,proto3" json:"domain,omitempty"`
NamePrefix string `protobuf:"bytes,7,opt,name=name_prefix,json=namePrefix,proto3" json:"name_prefix,omitempty"`
ListenPort uint32 `protobuf:"varint,8,opt,name=listen_port,json=listenPort,proto3" json:"listen_port,omitempty"`
}
func (x *ExposeServiceRequest) Reset() {
@@ -4130,14 +4134,22 @@ func (x *ExposeServiceRequest) GetNamePrefix() string {
return ""
}
func (x *ExposeServiceRequest) GetListenPort() uint32 {
if x != nil {
return x.ListenPort
}
return 0
}
type ExposeServiceResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
ServiceName string `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"`
ServiceUrl string `protobuf:"bytes,2,opt,name=service_url,json=serviceUrl,proto3" json:"service_url,omitempty"`
Domain string `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
ServiceName string `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"`
ServiceUrl string `protobuf:"bytes,2,opt,name=service_url,json=serviceUrl,proto3" json:"service_url,omitempty"`
Domain string `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
PortAutoAssigned bool `protobuf:"varint,4,opt,name=port_auto_assigned,json=portAutoAssigned,proto3" json:"port_auto_assigned,omitempty"`
}
func (x *ExposeServiceResponse) Reset() {
@@ -4193,6 +4205,13 @@ func (x *ExposeServiceResponse) GetDomain() string {
return ""
}
func (x *ExposeServiceResponse) GetPortAutoAssigned() bool {
if x != nil {
return x.PortAutoAssigned
}
return false
}
type RenewExposeRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -4996,7 +5015,7 @@ var file_management_proto_rawDesc = []byte{
0x64, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61,
0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
0x6f, 0x52, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72,
0x74, 0x22, 0xea, 0x01, 0x0a, 0x14, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76,
0x74, 0x22, 0x8b, 0x02, 0x0a, 0x14, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76,
0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f,
0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x36,
0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e,
@@ -5010,15 +5029,20 @@ var file_management_proto_rawDesc = []byte{
0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1f, 0x0a,
0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x07, 0x20, 0x01,
0x28, 0x09, 0x52, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x73,
0x0a, 0x15, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52,
0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x69,
0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73,
0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65,
0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x64,
0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d,
0x61, 0x69, 0x6e, 0x22, 0x2c, 0x0a, 0x12, 0x52, 0x65, 0x6e, 0x65, 0x77, 0x45, 0x78, 0x70, 0x6f,
0x28, 0x09, 0x52, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x1f,
0x0a, 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x08, 0x20,
0x01, 0x28, 0x0d, 0x52, 0x0a, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x22,
0xa1, 0x01, 0x0a, 0x15, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72,
0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b,
0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28,
0x09, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x16, 0x0a,
0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2c, 0x0a, 0x12, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x61, 0x75,
0x74, 0x6f, 0x5f, 0x61, 0x73, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28,
0x08, 0x52, 0x10, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x73, 0x73, 0x69, 0x67,
0x6e, 0x65, 0x64, 0x22, 0x2c, 0x0a, 0x12, 0x52, 0x65, 0x6e, 0x65, 0x77, 0x45, 0x78, 0x70, 0x6f,
0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
0x6e, 0x22, 0x15, 0x0a, 0x13, 0x52, 0x65, 0x6e, 0x65, 0x77, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65,
@@ -5039,12 +5063,13 @@ var file_management_proto_rawDesc = []byte{
0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12, 0x07,
0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01, 0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65, 0x41,
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x10,
0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x2a, 0x53, 0x0a, 0x0e, 0x45,
0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x2a, 0x63, 0x0a, 0x0e, 0x45,
0x78, 0x70, 0x6f, 0x73, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0f, 0x0a,
0x0b, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x10,
0x0a, 0x0c, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x01,
0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x54, 0x43, 0x50, 0x10, 0x02,
0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x55, 0x44, 0x50, 0x10, 0x03,
0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x54, 0x4c, 0x53, 0x10, 0x04,
0x32, 0xfd, 0x06, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53,
0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12,
0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,


@@ -340,8 +340,8 @@ message PeerConfig {
message AutoUpdateSettings {
string version = 1;
/*
alwaysUpdate = true → Updates happen automatically in the background
alwaysUpdate = false → Updates only happen when triggered by a peer connection
alwaysUpdate = true → Updates are installed automatically in the background
alwaysUpdate = false → Updates require user interaction from the UI
*/
bool alwaysUpdate = 2;
}
@@ -652,6 +652,7 @@ enum ExposeProtocol {
EXPOSE_HTTPS = 1;
EXPOSE_TCP = 2;
EXPOSE_UDP = 3;
EXPOSE_TLS = 4;
}
message ExposeServiceRequest {
@@ -662,12 +663,14 @@ message ExposeServiceRequest {
repeated string user_groups = 5;
string domain = 6;
string name_prefix = 7;
uint32 listen_port = 8;
}
message ExposeServiceResponse {
string service_name = 1;
string service_url = 2;
string domain = 3;
bool port_auto_assigned = 4;
}
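Review bot: `uint32 listen_port = 8` on ExposeServiceRequest is added without a comment, and as a uint32 it admits values above 65535 as well as the 0 value whose meaning (auto-assignment, per the OpenAPI `listen_port` description in this commit) is not stated on the wire type; whether the server rejects out-of-range values is not visible in this hunk. I'd add `// Port the proxy should listen on for TCP/UDP/TLS exposure. 0 requests auto-assignment; values above 65535 are invalid and must be rejected by the server.` above the field, and `// True when the server chose the port because listen_port was 0.` above `port_auto_assigned`. `EXPOSE_TLS = 4` likewise has no comment distinguishing it from `EXPOSE_HTTPS`; the OpenAPI `mode` enum describes tls as L4 passthrough rather than termination, and one line saying so here would prevent clients from assuming the proxy terminates TLS for it.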
message RenewExposeRequest {



@@ -27,12 +27,19 @@ service ProxyService {
rpc ValidateSession(ValidateSessionRequest) returns (ValidateSessionResponse);
}
// ProxyCapabilities describes what a proxy can handle.
message ProxyCapabilities {
// Whether the proxy can bind arbitrary ports for TCP/UDP/TLS services.
optional bool supports_custom_ports = 1;
}
// GetMappingUpdateRequest is sent to initialise a mapping stream.
message GetMappingUpdateRequest {
string proxy_id = 1;
string version = 2;
google.protobuf.Timestamp started_at = 3;
string address = 4;
ProxyCapabilities capabilities = 5;
}
// GetMappingUpdateResponse contains zero or more ProxyMappings.
@@ -61,6 +68,10 @@ message PathTargetOptions {
google.protobuf.Duration request_timeout = 2;
PathRewriteMode path_rewrite = 3;
map<string, string> custom_headers = 4;
// Send PROXY protocol v2 header to this backend.
bool proxy_protocol = 5;
// Idle timeout before a UDP session is reaped.
google.protobuf.Duration session_idle_timeout = 6;
}
message PathMapping {
@@ -69,12 +80,27 @@ message PathMapping {
PathTargetOptions options = 3;
}
message HeaderAuth {
// Header name to check, e.g. "Authorization", "X-API-Key".
string header = 1;
// argon2id hash of the expected full header value.
string hashed_value = 2;
}
message Authentication {
string session_key = 1;
int64 max_session_age_seconds = 2;
bool password = 3;
bool pin = 4;
bool oidc = 5;
repeated HeaderAuth header_auths = 6;
}
message AccessRestrictions {
repeated string allowed_cidrs = 1;
repeated string blocked_cidrs = 2;
repeated string allowed_countries = 3;
repeated string blocked_countries = 4;
}
message ProxyMapping {
@@ -91,6 +117,11 @@ message ProxyMapping {
// When true, Location headers in backend responses are rewritten to replace
// the backend address with the public-facing domain.
bool rewrite_redirects = 9;
// Service mode: "http", "tcp", "udp", or "tls".
string mode = 10;
// For L4/TLS: the port the proxy listens on.
int32 listen_port = 11;
AccessRestrictions access_restrictions = 12;
}
// SendAccessLogRequest consists of one or more AccessLogs from a Proxy.
@@ -115,6 +146,9 @@ message AccessLog {
string auth_mechanism = 11;
string user_id = 12;
bool auth_success = 13;
int64 bytes_upload = 14;
int64 bytes_download = 15;
string protocol = 16;
}
message AuthenticateRequest {
@@ -123,9 +157,15 @@ message AuthenticateRequest {
oneof request {
PasswordRequest password = 3;
PinRequest pin = 4;
HeaderAuthRequest header_auth = 5;
}
}
message HeaderAuthRequest {
string header_value = 1;
string header_name = 2;
}
message PasswordRequest {
string password = 1;
}
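Review bot: `hashed_value` in HeaderAuth is an argon2id hash of the expected header value, which means whoever verifies it must run argon2id once per unauthenticated request that carries the header; argon2id is deliberately expensive, so a client spraying wrong values can burn proxy or management CPU, and nothing in the message says whether verdicts are cached or failures are rate-limited. I'd state the expectation on the field, e.g. `// argon2id hash of the expected full header value. Verification is CPU-bound; verifiers should cache the verdict per (header, value) or rate-limit failures.` — adjusted to whatever the proxy actually does. In the same file, `ProxyMapping.listen_port` is `int32` while `ExposeServiceRequest.listen_port` in management.proto is `uint32`; using one type for both would keep a negative port from being representable on the proxy side.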