rename url flag to domain and update validation

management/internals/shared/grpc/proxy.go

@@ -9,13 +9,13 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"net"
 	"net/url"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/netbirdio/netbird/shared/management/domain"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	"google.golang.org/grpc/codes"
@@ -167,12 +167,9 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	}
 
 	proxyAddress := req.GetAddress()
-	log.WithFields(log.Fields{
+	if !isProxyAddressValid(proxyAddress) {
-		"proxy_id": proxyID,
+		return status.Errorf(codes.InvalidArgument, "proxy address is invalid")
-		"address":  proxyAddress,
+	}
-		"version":  req.GetVersion(),
-		"started":  req.GetStartedAt().AsTime(),
-	}).Info("Proxy connected")
 
 	connCtx, cancel := context.WithCancel(ctx)
 	conn := &proxyConnection{
@@ -189,7 +186,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	log.WithFields(log.Fields{
 		"proxy_id":      proxyID,
 		"address":       proxyAddress,
-		"cluster_addr":  extractClusterAddr(proxyAddress),
+		"cluster_addr":  proxyAddress,
 		"total_proxies": len(s.GetConnectedProxies()),
 	}).Info("Proxy registered in cluster")
 	defer func() {
@@ -222,14 +219,16 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		return fmt.Errorf("get services from store: %w", err)
 	}
 
-	proxyClusterAddr := extractClusterAddr(conn.address)
+	if !isProxyAddressValid(conn.address) {
+		return fmt.Errorf("proxy address is invalid")
+	}
 
 	var filtered []*reverseproxy.Service
 	for _, service := range services {
 		if !service.Enabled {
 			continue
 		}
-		if service.ProxyCluster != "" && proxyClusterAddr != "" && service.ProxyCluster != proxyClusterAddr {
+		if service.ProxyCluster == "" || service.ProxyCluster != conn.address {
 			continue
 		}
 		filtered = append(filtered, service)
@@ -277,20 +276,10 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 	return nil
 }
 
-// extractClusterAddr extracts the host from a proxy address URL.
+// isProxyAddressValid validates a proxy address
-func extractClusterAddr(addr string) string {
+func isProxyAddressValid(addr string) bool {
-	if addr == "" {
+	_, err := domain.ValidateDomains([]string{addr})
-		return ""
+	return err == nil
-	}
-	u, err := url.Parse(addr)
-	if err != nil {
-		return addr
-	}
-	host := u.Host
-	if h, _, err := net.SplitHostPort(host); err == nil {
-		return h
-	}
-	return host
 }
 
 // sender handles sending messages to proxy

proxy/cmd/proxy/cmd/root.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/netbirdio/netbird/shared/management/domain"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/acme"
@@ -36,7 +37,7 @@ var (
 	debugLogs         bool
 	mgmtAddr          string
 	addr              string
-	proxyURL          string
+	proxyDomain       string
 	certDir           string
 	acmeCerts         bool
 	acmeAddr          string
@@ -69,7 +70,7 @@ func init() {
 	rootCmd.PersistentFlags().BoolVar(&debugLogs, "debug", envBoolOrDefault("NB_PROXY_DEBUG_LOGS", false), "Enable debug logs")
 	rootCmd.Flags().StringVar(&mgmtAddr, "mgmt", envStringOrDefault("NB_PROXY_MANAGEMENT_ADDRESS", DefaultManagementURL), "Management address to connect to")
 	rootCmd.Flags().StringVar(&addr, "addr", envStringOrDefault("NB_PROXY_ADDRESS", ":443"), "Reverse proxy address to listen on")
-	rootCmd.Flags().StringVar(&proxyURL, "url", envStringOrDefault("NB_PROXY_URL", ""), "The URL at which this proxy will be reached")
+	rootCmd.Flags().StringVar(&proxyDomain, "domain", envStringOrDefault("NB_PROXY_DOMAIN", ""), "The Domain at which this proxy will be reached. e.g., netbird.example.com")
 	rootCmd.Flags().StringVar(&certDir, "cert-dir", envStringOrDefault("NB_PROXY_CERTIFICATE_DIRECTORY", "./certs"), "Directory to store certificates")
 	rootCmd.Flags().BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates using HTTP-01 challenges")
 	rootCmd.Flags().StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address for ACME HTTP-01 challenges")
@@ -128,6 +129,11 @@ func runServer(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid --forwarded-proto value %q: must be auto, http, or https", forwardedProto)
 	}
 
+	_, err := domain.ValidateDomains([]string{proxyDomain})
+	if err != nil {
+		return fmt.Errorf("invalid domain value %q: %w", proxyDomain, err)
+	}
+
 	parsedTrustedProxies, err := proxy.ParseTrustedProxies(trustedProxies)
 	if err != nil {
 		return fmt.Errorf("invalid --trusted-proxies: %w", err)
@@ -137,7 +143,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 		Logger:                   logger,
 		Version:                  Version,
 		ManagementAddress:        mgmtAddr,
-		ProxyURL:                 proxyURL,
+		ProxyURL:                 proxyDomain,
 		ProxyToken:               proxyToken,
 		CertificateDirectory:     certDir,
 		CertificateFile:          certFile,

proxy/server.go

@@ -218,12 +218,6 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 		}()
 		tlsConfig = s.acme.TLSConfig()
 
-		// If the ProxyURL is not set, then fallback to the server address.
-		// Hopefully that should give at least something that we can use.
-		// If it doesn't, then autocert probably won't work correctly.
-		if s.ProxyURL == "" {
-			s.ProxyURL, _, _ = net.SplitHostPort(addr)
-		}
 		// ServerName needs to be set to allow for ACME to work correctly
 		// when using CNAME URLs to access the proxy.
 		tlsConfig.ServerName = s.ProxyURL