From 43522287977c436d59caf0774964e2d8fe369712 Mon Sep 17 00:00:00 2001
From: Alisdair MacLeod
Date: Thu, 29 Jan 2026 10:03:48 +0000
Subject: [PATCH] allow setting the proxy url for autocert server name
---
 proxy/README.md | 19 +++++++++++--------
 proxy/cmd/proxy/main.go | 6 ++++--
 proxy/server.go | 16 ++++++++++++++++
 3 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/proxy/README.md b/proxy/README.md
index bc0c28b0a..c4b694cf5 100644
--- a/proxy/README.md
+++ b/proxy/README.md
@@ -40,11 +40,14 @@ When using ACME, the proxy server will store generated certificates in the speci
 NetBird Proxy deployment configuration is via flags or environment variables, with flags taking precedence over the environment. The following deployment configuration is available:
-| Flag | Env | Purpose | Default |
-+------+-----+---------+---------+
-| `-mgmt` | `NB_PROXY_MANAGEMENT_ADDRESS` | The address of the management server for the proxy to get configuration from. | `"https://api.netbird.io:443"` |
-| `-addr` | `NB_PROXY_ADDRESS` | The address that the reverse proxy will listen on. | `":443` |
-| `-cert-dir` | `NB_PROXY_CERTIFICATE_DIRECTORY` | The location that certficates are stored in. | `"./certs"` |
-| `-acme-certs` | `NB_PROXY_ACME_CERTIFICATES` | Whether to use ACME to generate certificates. | `false` |
-| `-acme-addr` | `NB_PROXY_ACME_ADDRESS` | The HTTP address the proxy will listen on to respond to HTTP-01 ACME challenges | `":80"` |
-| `-acme-dir` | `NB_PROXY_ACME_DIRECTORY` | The directory URL of the ACME server to be used | `"https://acme-v02.api.letsencrypt.org/directory"` |
+
+| Flag | Env | Purpose | Default |
+|---------------|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
+| `-debug` | `NB_PROXY_DEBUG_LOGS` | Enable debug logging | `false` |
+| `-mgmt` | `NB_PROXY_MANAGEMENT_ADDRESS` | The address of the management server for the proxy to get configuration from. | `"https://api.netbird.io:443"` |
+| `-addr` | `NB_PROXY_ADDRESS` | The address that the reverse proxy will listen on. | `":443` |
+| `-url` | `NB_PROXY_URL` | The URL that the proxy will be reached at (where endpoints will be CNAMEd to). If unset, this will fall back to the proxy address. | `""` |
+| `-cert-dir` | `NB_PROXY_CERTIFICATE_DIRECTORY` | The location that certficates are stored in. 
| `"./certs"` |
+| `-acme-certs` | `NB_PROXY_ACME_CERTIFICATES` | Whether to use ACME to generate certificates. | `false` |
+| `-acme-addr` | `NB_PROXY_ACME_ADDRESS` | The HTTP address the proxy will listen on to respond to HTTP-01 ACME challenges | `":80"` |
+| `-acme-dir` | `NB_PROXY_ACME_DIRECTORY` | The directory URL of the ACME server to be used | `"https://acme-v02.api.letsencrypt.org/directory"` |
diff --git a/proxy/cmd/proxy/main.go b/proxy/cmd/proxy/main.go
index ee9944853..bd55ae98d 100644
--- a/proxy/cmd/proxy/main.go
+++ b/proxy/cmd/proxy/main.go
@@ -49,14 +49,15 @@ func envStringOrDefault(key string, def string) string {
 func main() {
 var (
- version, debug, acmeCerts bool
- mgmtAddr, addr, certDir, acmeAddr, acmeDir string
+ version, debug, acmeCerts bool
+ mgmtAddr, addr, url, certDir, acmeAddr, acmeDir string
 )
 flag.BoolVar(&version, "v", false, "Print version and exit")
 flag.BoolVar(&debug, "debug", envBoolOrDefault("NB_PROXY_DEBUG_LOGS", false), "Enable debug logs")
 flag.StringVar(&mgmtAddr, "mgmt", envStringOrDefault("NB_PROXY_MANAGEMENT_ADDRESS", DefaultManagementURL), "Management address to connect to.")
 flag.StringVar(&addr, "addr", envStringOrDefault("NB_PROXY_ADDRESS", ":443"), "Reverse proxy address to listen on.")
+ flag.StringVar(&url, "url", envStringOrDefault("NB_PROXY_URL", ""), "The URL at which this proxy will be reached, where CNAME records for proxied endpoints will be directed.")
 flag.StringVar(&certDir, "cert-dir", envStringOrDefault("NB_PROXY_CERTIFICATE_DIRECTORY", "./certs"), "Directory to store ")
 flag.BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates using HTTP-01 challenges.")
 flag.StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address to listen on, used for ACME HTTP-01 certificate generation.")
@@ -81,6 +82,7 @@ func main() {
 srv := proxy.Server{
 Version: Version,
 ManagementAddress: mgmtAddr,
+ ProxyURL: url,
 CertificateDirectory: certDir,
 GenerateACMECertificates: acmeCerts,
 ACMEChallengeAddress: acmeAddr,
diff --git a/proxy/server.go b/proxy/server.go
index 8412d0257..787d3343b 100644
--- a/proxy/server.go
+++ b/proxy/server.go
@@ -14,6 +14,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "net"
 "net/http"
 "net/url"
 "path/filepath"
@@ -50,6 +51,7 @@ type Server struct {
 ID string
 Version string
+ ProxyURL string
 ManagementAddress string
 CertificateDirectory string
 GenerateACMECertificates bool
@@ -129,6 +131,20 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 }
 }()
 tlsConfig = s.acme.TLSConfig()
+
+ // If the ProxyURL is not set, then fallback to the server address.
+ // Hopefully that should give at least something that we can use.
+ // If it doesn't, then autocert probably won't work correctly.
+ if s.ProxyURL == "" {
+ s.ProxyURL, _, _ = net.SplitHostPort(addr)
+ }
+ // ServerName needs to be set to allow for ACME to work correctly
+ // when using CNAME URLs to access the proxy.
+ tlsConfig.ServerName = s.ProxyURL
+
+ log.WithFields(log.Fields{
+ "ServerName": s.ProxyURL,
+ }).Debug("started ACME challenge server")
 } else {
 log.Debug("ACME certificates disabled, using static certificates")
 // Otherwise pull some certificates from expected locations.
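Review bot: The value passed as `ProxyURL: url` ends up as a bare TLS server name in server.go (`tlsConfig.ServerName = s.ProxyURL`), but the flag is called `-url` and its help text speaks of "the URL at which this proxy will be reached", so an operator following the help will plausibly supply `https://proxy.example.com` and get a server name that is not a hostname. I'd make the help text say what is actually consumed, e.g. `"Hostname at which this proxy is reached (used as the ACME/TLS server name; CNAME records for proxied endpoints should point here)."`, and keep the README row in step with it. The local named `url` would also shadow the `net/url` package inside main if main.go imports it; `proxyURL` avoids that. The enclosing main starts outside this hunk.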
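Review bot: The new exported field `ProxyURL` has no doc comment, and its name suggests a full URL while the only use visible in this commit assigns it to `tlsConfig.ServerName`, which holds a hostname. A one-line comment pins the contract for callers: `// ProxyURL is the public hostname this proxy is reached at; it is used as the TLS/ACME server name, so give it without scheme or port.` The neighbouring fields carry no comments either, so this is consistent with the file as it stands, but this field's contract is subtle enough to be worth spelling out.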
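Review bot: The fallback `s.ProxyURL, _, _ = net.SplitHostPort(addr)` discards the error and, for the default listen address `:443` (or any `0.0.0.0:port` / IP-literal form), yields an empty or IP server name, so the "hopefully" in the comment is exactly where the silent failure lives: `tlsConfig.ServerName` becomes `""` and the debug line is the only trace. I'd check the error, fail (or at least warn) when the derived name is empty or an IP literal, and reduce a full URL to its host since the flag is documented as a URL and `net/url` is already imported here. Separately, in crypto/tls `Config.ServerName` is the name a client sends as SNI and verifies against; a listening server's handshake does not read it, and autocert selects certificates from the ClientHello SNI, so unless `tlsConfig` is also used in a client role elsewhere in this file this assignment may not do what the comment claims — worth confirming with an end-to-end test through a CNAME'd name. The rest of ListenAndServe lies outside the hunk.

```go
	tlsConfig = s.acme.TLSConfig()

	// Derive the ACME server name: explicit ProxyURL first, otherwise the host
	// part of the listen address. Surface problems instead of proceeding with a
	// name that no CA can issue for.
	if s.ProxyURL == "" {
		host, _, splitErr := net.SplitHostPort(addr)
		if splitErr != nil {
			return fmt.Errorf("deriving ACME server name from listen address %q: %w", addr, splitErr)
		}
		s.ProxyURL = host
	}
	// The flag is documented as a URL; keep only its host if a scheme was given.
	if u, parseErr := url.Parse(s.ProxyURL); parseErr == nil && u.Host != "" {
		s.ProxyURL = u.Hostname()
	}
	if s.ProxyURL == "" || net.ParseIP(s.ProxyURL) != nil {
		log.WithField("ServerName", s.ProxyURL).Warn("ACME server name is empty or an IP literal; certificate issuance will likely fail")
	}
	tlsConfig.ServerName = s.ProxyURL

	// … unchanged: debug log of the server name …
```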