[management,proxy,client] Add L4 capabilities (TLS/TCP/UDP) (#5530)

2026-04-16 15:26:40 +00:00 · 2026-03-14 01:36:44 +08:00
parent fe9b844511
commit 3e6baea405
90 changed files with 9611 additions and 1397 deletions
--- a/proxy/cmd/proxy/cmd/root.go
+++ b/proxy/cmd/proxy/cmd/root.go
@@ -7,6 +7,7 @@ import (
 	"os/signal"
 	"strconv"
 	"syscall"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -34,30 +35,32 @@ var (
 )

 var (
-	logLevel          string
-	debugLogs         bool
-	mgmtAddr          string
-	addr              string
-	proxyDomain       string
-	certDir           string
-	acmeCerts         bool
-	acmeAddr          string
-	acmeDir           string
-	acmeEABKID        string
-	acmeEABHMACKey    string
-	acmeChallengeType string
-	debugEndpoint     bool
-	debugEndpointAddr string
-	healthAddr        string
-	forwardedProto    string
-	trustedProxies    string
-	certFile          string
-	certKeyFile       string
-	certLockMethod    string
-	wildcardCertDir   string
-	wgPort            int
-	proxyProtocol     bool
-	preSharedKey      string
+	logLevel            string
+	debugLogs           bool
+	mgmtAddr            string
+	addr                string
+	proxyDomain         string
+	defaultDialTimeout  time.Duration
+	certDir             string
+	acmeCerts           bool
+	acmeAddr            string
+	acmeDir             string
+	acmeEABKID          string
+	acmeEABHMACKey      string
+	acmeChallengeType   string
+	debugEndpoint       bool
+	debugEndpointAddr   string
+	healthAddr          string
+	forwardedProto      string
+	trustedProxies      string
+	certFile            string
+	certKeyFile         string
+	certLockMethod      string
+	wildcardCertDir     string
+	wgPort              uint16
+	proxyProtocol       bool
+	preSharedKey        string
+	supportsCustomPorts bool
 )

 var rootCmd = &cobra.Command{
@@ -92,9 +95,11 @@ func init() {
 	rootCmd.Flags().StringVar(&certKeyFile, "cert-key-file", envStringOrDefault("NB_PROXY_CERTIFICATE_KEY_FILE", "tls.key"), "TLS certificate key filename within the certificate directory")
 	rootCmd.Flags().StringVar(&certLockMethod, "cert-lock-method", envStringOrDefault("NB_PROXY_CERT_LOCK_METHOD", "auto"), "Certificate lock method for cross-replica coordination: auto, flock, or k8s-lease")
 	rootCmd.Flags().StringVar(&wildcardCertDir, "wildcard-cert-dir", envStringOrDefault("NB_PROXY_WILDCARD_CERT_DIR", ""), "Directory containing wildcard certificate pairs (<name>.crt/<name>.key). Wildcard patterns are extracted from SANs automatically")
-	rootCmd.Flags().IntVar(&wgPort, "wg-port", envIntOrDefault("NB_PROXY_WG_PORT", 0), "WireGuard listen port (0 = random). Fixed port only works with single-account deployments")
+	rootCmd.Flags().Uint16Var(&wgPort, "wg-port", envUint16OrDefault("NB_PROXY_WG_PORT", 0), "WireGuard listen port (0 = random). Fixed port only works with single-account deployments")
 	rootCmd.Flags().BoolVar(&proxyProtocol, "proxy-protocol", envBoolOrDefault("NB_PROXY_PROXY_PROTOCOL", false), "Enable PROXY protocol on TCP listeners to preserve client IPs behind L4 proxies")
 	rootCmd.Flags().StringVar(&preSharedKey, "preshared-key", envStringOrDefault("NB_PROXY_PRESHARED_KEY", ""), "Define a pre-shared key for the tunnel between proxy and peers")
+	rootCmd.Flags().BoolVar(&supportsCustomPorts, "supports-custom-ports", envBoolOrDefault("NB_PROXY_SUPPORTS_CUSTOM_PORTS", true), "Whether the proxy can bind arbitrary ports for UDP/TCP passthrough")
+	rootCmd.Flags().DurationVar(&defaultDialTimeout, "default-dial-timeout", envDurationOrDefault("NB_PROXY_DEFAULT_DIAL_TIMEOUT", 0), "Default backend dial timeout when no per-service timeout is set (e.g. 30s)")
 }

 // Execute runs the root command.
@@ -171,6 +176,8 @@ func runServer(cmd *cobra.Command, args []string) error {
 		WireguardPort:            wgPort,
 		ProxyProtocol:            proxyProtocol,
 		PreSharedKey:             preSharedKey,
+		SupportsCustomPorts:      supportsCustomPorts,
+		DefaultDialTimeout:       defaultDialTimeout,
 	}

 	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
@@ -203,12 +210,24 @@ func envStringOrDefault(key string, def string) string {
 	return v
 }

-func envIntOrDefault(key string, def int) int {
+func envUint16OrDefault(key string, def uint16) uint16 {
 	v, exists := os.LookupEnv(key)
 	if !exists {
 		return def
 	}
-	parsed, err := strconv.Atoi(v)
+	parsed, err := strconv.ParseUint(v, 10, 16)
+	if err != nil {
+		return def
+	}
+	return uint16(parsed)
+}
+
+func envDurationOrDefault(key string, def time.Duration) time.Duration {
+	v, exists := os.LookupEnv(key)
+	if !exists {
+		return def
+	}
+	parsed, err := time.ParseDuration(v)
 	if err != nil {
 		return def
 	}