From ac995bae6d6828087aa3b5a8e97e0ee7958c4198 Mon Sep 17 00:00:00 2001 From: mlsmaycon Date: Thu, 12 Feb 2026 16:28:29 +0100 Subject: [PATCH] rename url flag to domain and update validation --- management/internals/shared/grpc/proxy.go | 37 ++++++++--------------- proxy/cmd/proxy/cmd/root.go | 12 ++++++-- proxy/server.go | 6 ---- 3 files changed, 22 insertions(+), 33 deletions(-) diff --git a/management/internals/shared/grpc/proxy.go b/management/internals/shared/grpc/proxy.go index cecde960d..5030dde4a 100644 --- a/management/internals/shared/grpc/proxy.go +++ b/management/internals/shared/grpc/proxy.go @@ -9,13 +9,13 @@ import ( "encoding/hex" "errors" "fmt" - "net" "net/url" "strings" "sync" "time" "github.com/coreos/go-oidc/v3/oidc" + "github.com/netbirdio/netbird/shared/management/domain" log "github.com/sirupsen/logrus" "golang.org/x/oauth2" "google.golang.org/grpc/codes" @@ -167,12 +167,9 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest } proxyAddress := req.GetAddress() - log.WithFields(log.Fields{ - "proxy_id": proxyID, - "address": proxyAddress, - "version": req.GetVersion(), - "started": req.GetStartedAt().AsTime(), - }).Info("Proxy connected") + if !isProxyAddressValid(proxyAddress) { + return status.Errorf(codes.InvalidArgument, "proxy address is invalid") + } connCtx, cancel := context.WithCancel(ctx) conn := &proxyConnection{ @@ -189,7 +186,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest log.WithFields(log.Fields{ "proxy_id": proxyID, "address": proxyAddress, - "cluster_addr": extractClusterAddr(proxyAddress), + "cluster_addr": proxyAddress, "total_proxies": len(s.GetConnectedProxies()), }).Info("Proxy registered in cluster") defer func() { 
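Review bot: The value checked by `isProxyAddressValid` here is self-reported by the proxy (`req.GetAddress()`), and after this commit it is the exact key that selects which services the proxy receives in sendSnapshot, so the check proves only that the string is a well-formed domain, not that this proxy is entitled to that cluster. Whether the credential behind `proxyID` is bound to a particular domain is not visible in this hunk; if it is not, any authenticated proxy can claim another cluster's domain and be sent that cluster's mappings. If such a binding exists, compare the reported address against it here and reject a mismatch with `codes.PermissionDenied` rather than relying on format validation alone. Since the InvalidArgument message deliberately omits the value, a debug-level log with `proxy_id` and the rejected address would help operators diagnose misconfigured proxies. GetMappingUpdate begins before and continues after this hunk.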
@@ -222,14 +219,16 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec return fmt.Errorf("get services from store: %w", err) } - proxyClusterAddr := extractClusterAddr(conn.address) + if !isProxyAddressValid(conn.address) { + return fmt.Errorf("proxy address is invalid") + } var filtered []*reverseproxy.Service for _, service := range services { if !service.Enabled { continue } - if service.ProxyCluster != "" && proxyClusterAddr != "" && service.ProxyCluster != proxyClusterAddr { + if service.ProxyCluster == "" || service.ProxyCluster != conn.address { continue } filtered = append(filtered, service) @@ -277,20 +276,10 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec return nil } -// extractClusterAddr extracts the host from a proxy address URL. -func extractClusterAddr(addr string) string { - if addr == "" { - return "" - } - u, err := url.Parse(addr) - if err != nil { - return addr - } - host := u.Host - if h, _, err := net.SplitHostPort(host); err == nil { - return h - } - return host +// isProxyAddressValid validates a proxy address +func isProxyAddressValid(addr string) bool { + _, err := domain.ValidateDomains([]string{addr}) + return err == nil } // sender handles sending messages to proxy diff --git a/proxy/cmd/proxy/cmd/root.go b/proxy/cmd/proxy/cmd/root.go index 9ceb4f935..ebb0ff71d 100644 --- a/proxy/cmd/proxy/cmd/root.go +++ b/proxy/cmd/proxy/cmd/root.go @@ -9,6 +9,7 @@ import ( "strings" "syscall" + "github.com/netbirdio/netbird/shared/management/domain" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" "golang.org/x/crypto/acme" @@ -36,7 +37,7 @@ var ( debugLogs bool mgmtAddr string addr string - proxyURL string + proxyDomain string certDir string acmeCerts bool acmeAddr string 
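Review bot: The new filter line compares cluster names byte-for-byte, `service.ProxyCluster != conn.address`, but DNS names are case-insensitive, so unless `domain.ValidateDomains` canonicalises case (not visible here) a proxy started with `Proxy.Example.com` silently receives no services registered as `proxy.example.com`. Prefer `if service.ProxyCluster == "" || !strings.EqualFold(service.ProxyCluster, conn.address) {` (strings is already imported in this file), or lowercase the address once at registration and store that. The second behaviour change is also silent: services with an empty ProxyCluster, which the old condition sent to every proxy, are now sent to none, and nothing records that they were skipped; a debug log naming the service at the `continue` would save a confusing empty-snapshot investigation. sendSnapshot begins before and ends after this hunk.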
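Review bot: The comment `// isProxyAddressValid validates a proxy address` does not say what "valid" means, and callers now rely on this helper to gate which services a proxy is sent, so its limits matter. Suggest `// isProxyAddressValid reports whether addr is a syntactically valid domain name according to domain.ValidateDomains.` followed by `// This is a format check only: it does not prove the proxy is reachable at, or controls, that name.` Note also that the removed extractClusterAddr tolerated a full URL with scheme and port, whereas a bare-domain validator presumably rejects `https://host:443`, so deployments that passed a URL will now fail at registration — worth a line in the comment or the release notes.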
@@ -69,7 +70,7 @@ func init() { rootCmd.PersistentFlags().BoolVar(&debugLogs, "debug", envBoolOrDefault("NB_PROXY_DEBUG_LOGS", false), "Enable debug logs") rootCmd.Flags().StringVar(&mgmtAddr, "mgmt", envStringOrDefault("NB_PROXY_MANAGEMENT_ADDRESS", DefaultManagementURL), "Management address to connect to") rootCmd.Flags().StringVar(&addr, "addr", envStringOrDefault("NB_PROXY_ADDRESS", ":443"), "Reverse proxy address to listen on") - rootCmd.Flags().StringVar(&proxyURL, "url", envStringOrDefault("NB_PROXY_URL", ""), "The URL at which this proxy will be reached") + rootCmd.Flags().StringVar(&proxyDomain, "domain", envStringOrDefault("NB_PROXY_DOMAIN", ""), "The Domain at which this proxy will be reached. e.g., netbird.example.com") rootCmd.Flags().StringVar(&certDir, "cert-dir", envStringOrDefault("NB_PROXY_CERTIFICATE_DIRECTORY", "./certs"), "Directory to store certificates") rootCmd.Flags().BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates using HTTP-01 challenges") rootCmd.Flags().StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address for ACME HTTP-01 challenges") @@ -128,6 +129,11 @@ func runServer(cmd *cobra.Command, args []string) error { return fmt.Errorf("invalid --forwarded-proto value %q: must be auto, http, or https", forwardedProto) } + _, err := domain.ValidateDomains([]string{proxyDomain}) + if err != nil { + return fmt.Errorf("invalid domain value %q: %w", proxyDomain, err) + } + parsedTrustedProxies, err := proxy.ParseTrustedProxies(trustedProxies) if err != nil { return fmt.Errorf("invalid --trusted-proxies: %w", err) @@ -137,7 +143,7 @@ func runServer(cmd *cobra.Command, args []string) error { Logger: logger, Version: Version, ManagementAddress: mgmtAddr, - ProxyURL: proxyURL, + ProxyURL: proxyDomain, ProxyToken: proxyToken, CertificateDirectory: certDir, CertificateFile: certFile, 
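Review bot: The flag and its environment variable are renamed (`--url`/`NB_PROXY_URL` → `--domain`/`NB_PROXY_DOMAIN`) with no compatibility alias, so an existing deployment that still exports NB_PROXY_URL starts with an empty proxyDomain and either fails the new validation in runServer or, if the validator accepts an empty entry, runs with an empty TLS ServerName. A fallback keeps such deployments working while the rename is announced: `rootCmd.Flags().StringVar(&proxyDomain, "domain", envStringOrDefault("NB_PROXY_DOMAIN", envStringOrDefault("NB_PROXY_URL", "")), "...")`, ideally paired with a warning when the old variable is the one that supplied the value. Keeping `--url` registered and calling `rootCmd.Flags().MarkDeprecated("url", "use --domain")` would give the same grace period for the flag. init continues outside this hunk.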
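Review bot: The new check validates the domain's syntax, but nothing here rejects an unset `--domain`: whether `domain.ValidateDomains([]string{""})` returns an error is not visible, and the fallback that derived ServerName from the listen address is deleted from proxy/server.go in this same commit, so an empty value would flow straight into the TLS config's ServerName. An explicit guard ahead of the library call makes the requirement independent of the library's handling of empty input: `if proxyDomain == "" { return fmt.Errorf("--domain (NB_PROXY_DOMAIN) is required") }`. runServer begins before and ends after this hunk.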
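Review bot: `ProxyURL: proxyDomain` leaves the Server field named for a URL while it now carries a bare host name that proxy/server.go assigns directly to the TLS config's ServerName, which invites the next reader to pass a full URL again and get a ServerName that can never match. Either rename the field to `ProxyDomain` (keeping `ProxyURL` as a deprecated alias if out-of-tree callers exist) or document on the field that only a bare domain is accepted. The struct literal continues outside this hunk.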
diff --git a/proxy/server.go b/proxy/server.go index c5455d0b0..62c408d31 100644 --- a/proxy/server.go +++ b/proxy/server.go @@ -218,12 +218,6 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) { }() tlsConfig = s.acme.TLSConfig() - // If the ProxyURL is not set, then fallback to the server address. - // Hopefully that should give at least something that we can use. - // If it doesn't, then autocert probably won't work correctly. - if s.ProxyURL == "" { - s.ProxyURL, _, _ = net.SplitHostPort(addr) - } // ServerName needs to be set to allow for ACME to work correctly // when using CNAME URLs to access the proxy. tlsConfig.ServerName = s.ProxyURL
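Review bot: With the listen-address fallback removed, `tlsConfig.ServerName = s.ProxyURL` now takes whatever the caller stored, including the empty string, even though the comment directly above says ServerName must be set for ACME to work; the only guard is in the CLI's runServer, so any other constructor of Server (tests, embedding) gets a silently broken ACME TLS config. Fail fast inside this ACME branch instead, before the assignment: `if s.ProxyURL == "" { return errors.New("ProxyURL must be set when ACME certificates are enabled") }` (or fmt.Errorf, whichever this file already imports). ListenAndServe begins before and ends after this hunk.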