mirror of
https://github.com/netbirdio/netbird.git
synced 2026-04-18 16:26:38 +00:00
use embedded netbird agent for tunneling
This commit is contained in:
pascal
@@ -1,10 +1,10 @@
|
||||
package reverseproxy
|
||||
|
||||
import (
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
|
||||
"github.com/netbirdio/netbird/client/embed"
|
||||
"github.com/netbirdio/netbird/proxy/internal/auth"
|
||||
"github.com/netbirdio/netbird/proxy/internal/auth/oidc"
|
||||
)
|
||||
@@ -12,28 +12,28 @@ import (
|
||||
// Config holds the reverse proxy configuration
|
||||
type Config struct {
|
||||
// ListenAddress is the address to listen on for HTTPS (default ":443")
|
||||
ListenAddress string
|
||||
ListenAddress string `env:"NB_REVERSE_PROXY_LISTEN_ADDRESS" envDefault:":443" json:"listen_address"`
|
||||
|
||||
// ManagementURL is the URL of the management server
|
||||
ManagementURL string `env:"NB_REVERSE_PROXY_MANAGEMENT_URL" json:"management_url"`
|
||||
|
||||
// HTTPListenAddress is the address for HTTP (default ":80")
|
||||
// Used for ACME challenges when HTTPS is enabled, or as main listener when HTTPS is disabled
|
||||
HTTPListenAddress string
|
||||
HTTPListenAddress string `env:"NB_REVERSE_PROXY_HTTP_LISTEN_ADDRESS" envDefault:":80" json:"http_listen_address"`
|
||||
|
||||
// EnableHTTPS enables automatic HTTPS with Let's Encrypt
|
||||
EnableHTTPS bool
|
||||
EnableHTTPS bool `env:"NB_REVERSE_PROXY_ENABLE_HTTPS" envDefault:"false" json:"enable_https"`
|
||||
|
||||
// TLSEmail is the email for Let's Encrypt registration
|
||||
TLSEmail string
|
||||
TLSEmail string `env:"NB_REVERSE_PROXY_TLS_EMAIL" json:"tls_email"`
|
||||
|
||||
// CertCacheDir is the directory to cache certificates (default "./certs")
|
||||
CertCacheDir string
|
||||
|
||||
// RequestDataCallback is called for each proxied request with metrics
|
||||
RequestDataCallback RequestDataCallback
|
||||
CertCacheDir string `env:"NB_REVERSE_PROXY_CERT_CACHE_DIR" envDefault:"./certs" json:"cert_cache_dir"`
|
||||
|
||||
// OIDCConfig is the global OIDC/OAuth configuration for authentication
|
||||
// This is shared across all routes that use Bearer authentication
|
||||
// If nil, routes with Bearer auth will fail to initialize
|
||||
OIDCConfig *oidc.Config
|
||||
OIDCConfig *oidc.Config `json:"oidc_config"`
|
||||
}
|
||||
|
||||
// RouteConfig defines a routing configuration
|
||||
@@ -50,10 +50,8 @@ type RouteConfig struct {
|
||||
// Must have at least one entry. Use "/" or "" for the default/catch-all route.
|
||||
PathMappings map[string]string
|
||||
|
||||
// Conn is the network connection to use for this route
|
||||
// This allows routing through specific tunnels (e.g., WireGuard) per route
|
||||
// This connection will be reused for all requests to this route
|
||||
Conn net.Conn
|
||||
SetupKey string
|
||||
nbClient *embed.Client
|
||||
|
||||
// AuthConfig is optional authentication configuration for this route
|
||||
// Configure ONE of: BasicAuth, PIN, or Bearer (JWT/OIDC)
|
||||
|
||||
@@ -1,54 +0,0 @@
|
||||
package reverseproxy
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
// defaultConn is a lazy connection wrapper that uses the standard network dialer
|
||||
// This is useful for testing or development when not using WireGuard tunnels
|
||||
type defaultConn struct {
|
||||
dialer *net.Dialer
|
||||
mu sync.Mutex
|
||||
conns map[string]net.Conn // cache connections by "network:address"
|
||||
}
|
||||
|
||||
func (dc *defaultConn) Read(b []byte) (n int, err error) {
|
||||
return 0, fmt.Errorf("Read not supported on defaultConn - use dial via Transport")
|
||||
}
|
||||
|
||||
func (dc *defaultConn) Write(b []byte) (n int, err error) {
|
||||
return 0, fmt.Errorf("Write not supported on defaultConn - use dial via Transport")
|
||||
}
|
||||
|
||||
func (dc *defaultConn) Close() error {
|
||||
dc.mu.Lock()
|
||||
defer dc.mu.Unlock()
|
||||
|
||||
for _, conn := range dc.conns {
|
||||
conn.Close()
|
||||
}
|
||||
dc.conns = make(map[string]net.Conn)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (dc *defaultConn) LocalAddr() net.Addr { return nil }
|
||||
func (dc *defaultConn) RemoteAddr() net.Addr { return nil }
|
||||
func (dc *defaultConn) SetDeadline(t time.Time) error { return nil }
|
||||
func (dc *defaultConn) SetReadDeadline(t time.Time) error { return nil }
|
||||
func (dc *defaultConn) SetWriteDeadline(t time.Time) error { return nil }
|
||||
|
||||
// NewDefaultConn creates a connection wrapper that uses the standard network dialer
|
||||
// This is useful for testing or development when not using WireGuard tunnels
|
||||
// The actual dialing happens when the HTTP Transport calls DialContext
|
||||
func NewDefaultConn() net.Conn {
|
||||
return &defaultConn{
|
||||
dialer: &net.Dialer{
|
||||
Timeout: 30 * time.Second,
|
||||
KeepAlive: 30 * time.Second,
|
||||
},
|
||||
conns: make(map[string]net.Conn),
|
||||
}
|
||||
}
|
||||
@@ -1,8 +1,6 @@
|
||||
package reverseproxy
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
@@ -187,32 +185,15 @@ func (p *Proxy) createProxy(routeConfig *RouteConfig, target string) *httputil.R
|
||||
// Create reverse proxy
|
||||
proxy := httputil.NewSingleHostReverseProxy(targetURL)
|
||||
|
||||
// Check if this is a defaultConn (for testing)
|
||||
if dc, ok := routeConfig.Conn.(*defaultConn); ok {
|
||||
// For defaultConn, use its dialer directly
|
||||
proxy.Transport = &http.Transport{
|
||||
DialContext: dc.dialer.DialContext,
|
||||
MaxIdleConns: 100,
|
||||
IdleConnTimeout: 90 * time.Second,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
}
|
||||
log.Infof("Using default network dialer for route %s (testing mode)", routeConfig.ID)
|
||||
} else {
|
||||
// Configure transport to use the provided connection (WireGuard, etc.)
|
||||
proxy.Transport = &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
|
||||
log.Debugf("Using custom connection for route %s to %s", routeConfig.ID, address)
|
||||
return routeConfig.Conn, nil
|
||||
},
|
||||
MaxIdleConns: 1,
|
||||
MaxIdleConnsPerHost: 1,
|
||||
IdleConnTimeout: 0, // Keep alive indefinitely
|
||||
DisableKeepAlives: false,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
}
|
||||
log.Infof("Using custom connection for route %s", routeConfig.ID)
|
||||
// Configure transport to use the provided connection (WireGuard, etc.)
|
||||
proxy.Transport = &http.Transport{
|
||||
DialContext: routeConfig.nbClient.DialContext,
|
||||
MaxIdleConns: 1,
|
||||
MaxIdleConnsPerHost: 1,
|
||||
IdleConnTimeout: 0, // Keep alive indefinitely
|
||||
DisableKeepAlives: false,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
}
|
||||
|
||||
// Custom error handler
|
||||
|
||||
@@ -49,10 +49,9 @@ func New(config Config) (*Proxy, error) {
|
||||
}
|
||||
|
||||
p := &Proxy{
|
||||
config: config,
|
||||
routes: make(map[string]*RouteConfig),
|
||||
isRunning: false,
|
||||
requestCallback: config.RequestDataCallback,
|
||||
config: config,
|
||||
routes: make(map[string]*RouteConfig),
|
||||
isRunning: false,
|
||||
}
|
||||
|
||||
// Initialize OIDC handler if OIDC is configured
|
||||
@@ -65,6 +64,13 @@ func New(config Config) (*Proxy, error) {
|
||||
return p, nil
|
||||
}
|
||||
|
||||
// SetRequestCallback sets the callback for request metrics
|
||||
func (p *Proxy) SetRequestCallback(callback RequestDataCallback) {
|
||||
p.mu.Lock()
|
||||
defer p.mu.Unlock()
|
||||
p.requestCallback = callback
|
||||
}
|
||||
|
||||
// GetConfig returns the proxy configuration
|
||||
func (p *Proxy) GetConfig() Config {
|
||||
return p.config
|
||||
|
||||
@@ -1,9 +1,17 @@
|
||||
package reverseproxy
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/netbirdio/netbird/client/embed"
|
||||
)
|
||||
|
||||
const (
|
||||
clientStartupTimeout = 30 * time.Second
|
||||
)
|
||||
|
||||
// AddRoute adds a new route to the proxy
|
||||
@@ -20,8 +28,8 @@ func (p *Proxy) AddRoute(route *RouteConfig) error {
|
||||
if len(route.PathMappings) == 0 {
|
||||
return fmt.Errorf("route must have at least one path mapping")
|
||||
}
|
||||
if route.Conn == nil {
|
||||
return fmt.Errorf("route connection (Conn) is required")
|
||||
if route.SetupKey == "" {
|
||||
return fmt.Errorf("route setup key is required")
|
||||
}
|
||||
|
||||
p.mu.Lock()
|
||||
@@ -32,6 +40,19 @@ func (p *Proxy) AddRoute(route *RouteConfig) error {
|
||||
return fmt.Errorf("route for domain %s already exists", route.Domain)
|
||||
}
|
||||
|
||||
client, err := embed.New(embed.Options{DeviceName: fmt.Sprintf("ingress-%s", route.ID), ManagementURL: p.config.ManagementURL, SetupKey: route.SetupKey})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create embedded client for route %s: %v", route.ID, err)
|
||||
}
|
||||
|
||||
ctx, _ := context.WithTimeout(context.Background(), clientStartupTimeout)
|
||||
err = client.Start(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to start embedded client for route %s: %v", route.ID, err)
|
||||
}
|
||||
|
||||
route.nbClient = client
|
||||
|
||||
// Add route with domain as key
|
||||
p.routes[route.Domain] = route
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ import (
|
||||
"golang.org/x/crypto/acme/autocert"
|
||||
)
|
||||
|
||||
// Start starts the reverse proxy server
|
||||
// Start starts the reverse proxy server (non-blocking)
|
||||
func (p *Proxy) Start() error {
|
||||
p.mu.Lock()
|
||||
if p.isRunning {
|
||||
@@ -29,7 +29,7 @@ func (p *Proxy) Start() error {
|
||||
return p.startHTTP(handler)
|
||||
}
|
||||
|
||||
// startHTTPS starts the proxy with HTTPS and Let's Encrypt
|
||||
// startHTTPS starts the proxy with HTTPS and Let's Encrypt (non-blocking)
|
||||
func (p *Proxy) startHTTPS(handler http.Handler) error {
|
||||
// Setup autocert manager with dynamic host policy
|
||||
p.autocertManager = &autocert.Manager{
|
||||
@@ -53,32 +53,36 @@ func (p *Proxy) startHTTPS(handler http.Handler) error {
|
||||
}
|
||||
}()
|
||||
|
||||
// Start HTTPS server
|
||||
// Start HTTPS server in background
|
||||
p.server = &http.Server{
|
||||
Addr: p.config.ListenAddress,
|
||||
Handler: handler,
|
||||
TLSConfig: p.autocertManager.TLSConfig(),
|
||||
}
|
||||
|
||||
log.Infof("Starting HTTPS reverse proxy server on %s", p.config.ListenAddress)
|
||||
if err := p.server.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
|
||||
return fmt.Errorf("HTTPS server failed: %w", err)
|
||||
}
|
||||
go func() {
|
||||
log.Infof("Starting HTTPS reverse proxy server on %s", p.config.ListenAddress)
|
||||
if err := p.server.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
|
||||
log.Errorf("HTTPS server failed: %v", err)
|
||||
}
|
||||
}()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// startHTTP starts the proxy with HTTP only (no TLS)
|
||||
// startHTTP starts the proxy with HTTP only (non-blocking)
|
||||
func (p *Proxy) startHTTP(handler http.Handler) error {
|
||||
p.server = &http.Server{
|
||||
Addr: p.config.HTTPListenAddress,
|
||||
Handler: handler,
|
||||
}
|
||||
|
||||
log.Infof("Starting HTTP reverse proxy server on %s (HTTPS disabled)", p.config.HTTPListenAddress)
|
||||
if err := p.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
|
||||
return fmt.Errorf("HTTP server failed: %w", err)
|
||||
}
|
||||
go func() {
|
||||
log.Infof("Starting HTTP reverse proxy server on %s (HTTPS disabled)", p.config.HTTPListenAddress)
|
||||
if err := p.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
|
||||
log.Errorf("HTTP server failed: %w", err)
|
||||
}
|
||||
}()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user