allow setting the proxy url for autocert server name

This commit is contained in:
Alisdair MacLeod
2026-01-29 10:03:48 +00:00
parent 74c770609c
commit 4352228797
3 changed files with 31 additions and 10 deletions


@@ -40,11 +40,14 @@ When using ACME, the proxy server will store generated certificates in the speci
NetBird Proxy deployment configuration is via flags or environment variables, with flags taking precedence over the environment.
The following deployment configuration is available:
| Flag | Env | Purpose | Default |
+------+-----+---------+---------+
| `-mgmt` | `NB_PROXY_MANAGEMENT_ADDRESS` | The address of the management server for the proxy to get configuration from. | `"https://api.netbird.io:443"` |
| `-addr` | `NB_PROXY_ADDRESS` | The address that the reverse proxy will listen on. | `":443` |
| `-cert-dir` | `NB_PROXY_CERTIFICATE_DIRECTORY` | The location that certficates are stored in. | `"./certs"` |
| `-acme-certs` | `NB_PROXY_ACME_CERTIFICATES` | Whether to use ACME to generate certificates. | `false` |
| `-acme-addr` | `NB_PROXY_ACME_ADDRESS` | The HTTP address the proxy will listen on to respond to HTTP-01 ACME challenges | `":80"` |
| `-acme-dir` | `NB_PROXY_ACME_DIRECTORY` | The directory URL of the ACME server to be used | `"https://acme-v02.api.letsencrypt.org/directory"` |
| Flag | Env | Purpose | Default |
|---------------|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
| `-debug` | `NB_PROXY_DEBUG_LOGS` | Enable debug logging | `false` |
| `-mgmt` | `NB_PROXY_MANAGEMENT_ADDRESS` | The address of the management server for the proxy to get configuration from. | `"https://api.netbird.io:443"` |
| `-addr` | `NB_PROXY_ADDRESS` | The address that the reverse proxy will listen on. | `":443` |
| `-url` | `NB_PROXY_URL` | The URL that the proxy will be reached at (where endpoints will be CNAMEd to). If unset, this will fall back to the proxy address. | `""` |
| `-cert-dir` | `NB_PROXY_CERTIFICATE_DIRECTORY` | The location that certficates are stored in. | `"./certs"` |
| `-acme-certs` | `NB_PROXY_ACME_CERTIFICATES` | Whether to use ACME to generate certificates. | `false` |
| `-acme-addr` | `NB_PROXY_ACME_ADDRESS` | The HTTP address the proxy will listen on to respond to HTTP-01 ACME challenges | `":80"` |
| `-acme-dir` | `NB_PROXY_ACME_DIRECTORY` | The directory URL of the ACME server to be used | `"https://acme-v02.api.letsencrypt.org/directory"` |


@@ -49,14 +49,15 @@ func envStringOrDefault(key string, def string) string {
func main() {
var (
version, debug, acmeCerts bool
mgmtAddr, addr, certDir, acmeAddr, acmeDir string
version, debug, acmeCerts bool
mgmtAddr, addr, url, certDir, acmeAddr, acmeDir string
)
flag.BoolVar(&version, "v", false, "Print version and exit")
flag.BoolVar(&debug, "debug", envBoolOrDefault("NB_PROXY_DEBUG_LOGS", false), "Enable debug logs")
flag.StringVar(&mgmtAddr, "mgmt", envStringOrDefault("NB_PROXY_MANAGEMENT_ADDRESS", DefaultManagementURL), "Management address to connect to.")
flag.StringVar(&addr, "addr", envStringOrDefault("NB_PROXY_ADDRESS", ":443"), "Reverse proxy address to listen on.")
flag.StringVar(&url, "url", envStringOrDefault("NB_PROXY_URL", ""), "The URL at which this proxy will be reached, where CNAME records for proxied endpoints will be directed.")
flag.StringVar(&certDir, "cert-dir", envStringOrDefault("NB_PROXY_CERTIFICATE_DIRECTORY", "./certs"), "Directory to store ")
flag.BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates using HTTP-01 challenges.")
flag.StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address to listen on, used for ACME HTTP-01 certificate generation.")
@@ -81,6 +82,7 @@ func main() {
srv := proxy.Server{
Version: Version,
ManagementAddress: mgmtAddr,
ProxyURL: url,
CertificateDirectory: certDir,
GenerateACMECertificates: acmeCerts,
ACMEChallengeAddress: acmeAddr,
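Review bot: The new `-url` flag is documented as "The URL at which this proxy will be reached", but the value ends up assigned verbatim to `tlsConfig.ServerName` in the server file of this commit, which expects a bare host name; an operator who follows the help text and passes `https://proxy.example.com` will get a ServerName containing a scheme, which no TLS client will ever send as SNI. Either validate the value here (reject a scheme, a path or a port, or strip them with `net/url` parsing before handing it to the server) or reword the help text, e.g. `"Host name at which this proxy will be reached (no scheme, path or port); CNAME records for proxied endpoints point here."`, and mirror that in the README row. The local variable `url` would also shadow the `net/url` package if this file imports it; the import block is outside the hunk, so this is only worth checking. The `main` function continues outside the hunk.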


@@ -14,6 +14,7 @@ import (
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"path/filepath"
@@ -50,6 +51,7 @@ type Server struct {
ID string
Version string
ProxyURL string
ManagementAddress string
CertificateDirectory string
GenerateACMECertificates bool
@@ -129,6 +131,20 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
}
}()
tlsConfig = s.acme.TLSConfig()
// If the ProxyURL is not set, then fallback to the server address.
// Hopefully that should give at least something that we can use.
// If it doesn't, then autocert probably won't work correctly.
if s.ProxyURL == "" {
s.ProxyURL, _, _ = net.SplitHostPort(addr)
}
// ServerName needs to be set to allow for ACME to work correctly
// when using CNAME URLs to access the proxy.
tlsConfig.ServerName = s.ProxyURL
log.WithFields(log.Fields{
"ServerName": s.ProxyURL,
}).Debug("started ACME challenge server")
} else {
log.Debug("ACME certificates disabled, using static certificates")
// Otherwise pull some certificates from expected locations.
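Review bot: `s.ProxyURL, _, _ = net.SplitHostPort(addr)` discards the error and the empty-host case, so with the default listen address `":443"` (or an address with no port, which makes SplitHostPort fail) ProxyURL silently stays empty, the Debug line below reports an empty ServerName, and the operator gets no hint that the fallback described in the comment did not produce anything. The derivation should surface that case rather than rely on the "hopefully" in the comment. A second, hedged point: as far as I recall, crypto/tls consults `Config.ServerName` only on the client side (for verification and the SNI it sends); on a server-side config autocert's GetCertificate sees the SNI the client sent, not this field, so the assignment at `tlsConfig.ServerName = s.ProxyURL` may not have the effect the comment claims and is worth confirming against the autocert/crypto/tls docs before shipping. The enclosing `ListenAndServe` starts and ends outside the hunk.

```go
if s.ProxyURL == "" {
	host, _, err := net.SplitHostPort(addr)
	if err != nil || host == "" {
		log.WithError(err).Warn("could not derive ACME server name from listen address; set ProxyURL explicitly")
	}
	s.ProxyURL = host
}
// … unchanged: ServerName assignment and debug log …
```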