[management,proxy] Add per-target options to reverse proxy (#5501)

shared/management/client/rest/reverse_proxy_services_test.go

@@ -0,0 +1,271 @@
+//go:build integration
+
+package rest_test
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/shared/management/client/rest"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/http/util"
+)
+
+var testServiceTarget = api.ServiceTarget{
+	TargetId:   "peer-123",
+	TargetType: "peer",
+	Protocol:   "https",
+	Port:       8443,
+	Enabled:    true,
+}
+
+var testService = api.Service{
+	Id:      "svc-1",
+	Name:    "test-service",
+	Domain:  "test.example.com",
+	Enabled: true,
+	Auth:    api.ServiceAuthConfig{},
+	Meta: api.ServiceMeta{
+		CreatedAt: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
+		Status:    "active",
+	},
+	Targets: []api.ServiceTarget{testServiceTarget},
+}
+
+func TestReverseProxyServices_List_200(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal([]api.Service{testService})
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.List(context.Background())
+		require.NoError(t, err)
+		require.Len(t, ret, 1)
+		assert.Equal(t, testService.Id, ret[0].Id)
+		assert.Equal(t, testService.Name, ret[0].Name)
+	})
+}
+
+func TestReverseProxyServices_List_Err(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal(util.ErrorResponse{Message: "No", Code: 400})
+			w.WriteHeader(400)
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.List(context.Background())
+		assert.Error(t, err)
+		assert.Equal(t, "No", err.Error())
+		assert.Empty(t, ret)
+	})
+}
+
+func TestReverseProxyServices_Get_200(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services/svc-1", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal(testService)
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.Get(context.Background(), "svc-1")
+		require.NoError(t, err)
+		assert.Equal(t, testService.Id, ret.Id)
+		assert.Equal(t, testService.Domain, ret.Domain)
+	})
+}
+
+func TestReverseProxyServices_Get_Err(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services/svc-1", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal(util.ErrorResponse{Message: "No", Code: 404})
+			w.WriteHeader(404)
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.Get(context.Background(), "svc-1")
+		assert.Error(t, err)
+		assert.Equal(t, "No", err.Error())
+		assert.Nil(t, ret)
+	})
+}
+
+func TestReverseProxyServices_Create_200(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services", func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, "POST", r.Method)
+			reqBytes, err := io.ReadAll(r.Body)
+			require.NoError(t, err)
+			var req api.ServiceRequest
+			require.NoError(t, json.Unmarshal(reqBytes, &req))
+			assert.Equal(t, "test-service", req.Name)
+			assert.Equal(t, "test.example.com", req.Domain)
+			retBytes, _ := json.Marshal(testService)
+			_, err = w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.Create(context.Background(), api.PostApiReverseProxiesServicesJSONRequestBody{
+			Name:    "test-service",
+			Domain:  "test.example.com",
+			Enabled: true,
+			Auth:    api.ServiceAuthConfig{},
+			Targets: []api.ServiceTarget{testServiceTarget},
+		})
+		require.NoError(t, err)
+		assert.Equal(t, testService.Id, ret.Id)
+	})
+}
+
+func TestReverseProxyServices_Create_Err(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal(util.ErrorResponse{Message: "No", Code: 400})
+			w.WriteHeader(400)
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.Create(context.Background(), api.PostApiReverseProxiesServicesJSONRequestBody{
+			Name:    "test-service",
+			Domain:  "test.example.com",
+			Enabled: true,
+			Auth:    api.ServiceAuthConfig{},
+			Targets: []api.ServiceTarget{testServiceTarget},
+		})
+		assert.Error(t, err)
+		assert.Equal(t, "No", err.Error())
+		assert.Nil(t, ret)
+	})
+}
+
+func TestReverseProxyServices_Create_WithPerTargetOptions(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services", func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, "POST", r.Method)
+			reqBytes, err := io.ReadAll(r.Body)
+			require.NoError(t, err)
+			var req api.ServiceRequest
+			require.NoError(t, json.Unmarshal(reqBytes, &req))
+
+			require.Len(t, req.Targets, 1)
+			target := req.Targets[0]
+			require.NotNil(t, target.Options, "options should be present")
+			opts := target.Options
+			require.NotNil(t, opts.SkipTlsVerify, "skip_tls_verify should be present")
+			assert.True(t, *opts.SkipTlsVerify)
+			require.NotNil(t, opts.RequestTimeout, "request_timeout should be present")
+			assert.Equal(t, "30s", *opts.RequestTimeout)
+			require.NotNil(t, opts.PathRewrite, "path_rewrite should be present")
+			assert.Equal(t, api.ServiceTargetOptionsPathRewrite("preserve"), *opts.PathRewrite)
+			require.NotNil(t, opts.CustomHeaders, "custom_headers should be present")
+			assert.Equal(t, "bar", (*opts.CustomHeaders)["X-Foo"])
+
+			retBytes, _ := json.Marshal(testService)
+			_, err = w.Write(retBytes)
+			require.NoError(t, err)
+		})
+
+		pathRewrite := api.ServiceTargetOptionsPathRewrite("preserve")
+		ret, err := c.ReverseProxyServices.Create(context.Background(), api.PostApiReverseProxiesServicesJSONRequestBody{
+			Name:    "test-service",
+			Domain:  "test.example.com",
+			Enabled: true,
+			Auth:    api.ServiceAuthConfig{},
+			Targets: []api.ServiceTarget{
+				{
+					TargetId:   "peer-123",
+					TargetType: "peer",
+					Protocol:   "https",
+					Port:       8443,
+					Enabled:    true,
+					Options: &api.ServiceTargetOptions{
+						SkipTlsVerify:  ptr(true),
+						RequestTimeout: ptr("30s"),
+						PathRewrite:    &pathRewrite,
+						CustomHeaders:  &map[string]string{"X-Foo": "bar"},
+					},
+				},
+			},
+		})
+		require.NoError(t, err)
+		assert.Equal(t, testService.Id, ret.Id)
+	})
+}
+
+func TestReverseProxyServices_Update_200(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services/svc-1", func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, "PUT", r.Method)
+			reqBytes, err := io.ReadAll(r.Body)
+			require.NoError(t, err)
+			var req api.ServiceRequest
+			require.NoError(t, json.Unmarshal(reqBytes, &req))
+			assert.Equal(t, "updated-service", req.Name)
+			retBytes, _ := json.Marshal(testService)
+			_, err = w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.Update(context.Background(), "svc-1", api.PutApiReverseProxiesServicesServiceIdJSONRequestBody{
+			Name:    "updated-service",
+			Domain:  "test.example.com",
+			Enabled: true,
+			Auth:    api.ServiceAuthConfig{},
+			Targets: []api.ServiceTarget{testServiceTarget},
+		})
+		require.NoError(t, err)
+		assert.Equal(t, testService.Id, ret.Id)
+	})
+}
+
+func TestReverseProxyServices_Update_Err(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services/svc-1", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal(util.ErrorResponse{Message: "No", Code: 400})
+			w.WriteHeader(400)
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		ret, err := c.ReverseProxyServices.Update(context.Background(), "svc-1", api.PutApiReverseProxiesServicesServiceIdJSONRequestBody{
+			Name:    "updated-service",
+			Domain:  "test.example.com",
+			Enabled: true,
+			Auth:    api.ServiceAuthConfig{},
+			Targets: []api.ServiceTarget{testServiceTarget},
+		})
+		assert.Error(t, err)
+		assert.Equal(t, "No", err.Error())
+		assert.Nil(t, ret)
+	})
+}
+
+func TestReverseProxyServices_Delete_200(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services/svc-1", func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, "DELETE", r.Method)
+			w.WriteHeader(200)
+		})
+		err := c.ReverseProxyServices.Delete(context.Background(), "svc-1")
+		require.NoError(t, err)
+	})
+}
+
+func TestReverseProxyServices_Delete_Err(t *testing.T) {
+	withMockClient(func(c *rest.Client, mux *http.ServeMux) {
+		mux.HandleFunc("/api/reverse-proxies/services/svc-1", func(w http.ResponseWriter, r *http.Request) {
+			retBytes, _ := json.Marshal(util.ErrorResponse{Message: "Not found", Code: 404})
+			w.WriteHeader(404)
+			_, err := w.Write(retBytes)
+			require.NoError(t, err)
+		})
+		err := c.ReverseProxyServices.Delete(context.Background(), "svc-1")
+		assert.Error(t, err)
+		assert.Equal(t, "Not found", err.Error())
+	})
+}

shared/management/http/api/openapi.yml

@@ -3027,6 +3027,28 @@ components:
         - targets
         - auth
         - enabled
+    ServiceTargetOptions:
+      type: object
+      properties:
+        skip_tls_verify:
+          type: boolean
+          description: Skip TLS certificate verification for this backend
+        request_timeout:
+          type: string
+          description: Per-target response timeout as a Go duration string (e.g. "30s", "2m")
+        path_rewrite:
+          type: string
+          description: Controls how the request path is rewritten before forwarding to the backend. Default strips the matched prefix. "preserve" keeps the full original request path.
+          enum: [preserve]
+        custom_headers:
+          type: object
+          description: Extra headers sent to the backend. Hop-by-hop and proxy-managed headers (Host, Connection, Transfer-Encoding, etc.) are rejected.
+          propertyNames:
+            type: string
+            pattern: '^[!#$%&''*+.^_`|~0-9A-Za-z-]+$'
+          additionalProperties:
+            type: string
+            pattern: '^[^\r\n]*$'
     ServiceTarget:
       type: object
       properties:
@@ -3053,6 +3075,8 @@ components:
         enabled:
           type: boolean
           description: Whether this target is enabled
+        options:
+          $ref: '#/components/schemas/ServiceTargetOptions'
       required:
         - target_id
         - target_type

shared/management/http/api/types.gen.go

@@ -326,6 +326,11 @@ const (
 	ServiceTargetTargetTypeResource ServiceTargetTargetType = "resource"
 )
 
+// Defines values for ServiceTargetOptionsPathRewrite.
+const (
+	ServiceTargetOptionsPathRewritePreserve ServiceTargetOptionsPathRewrite = "preserve"
+)
+
 // Defines values for TenantResponseStatus.
 const (
 	TenantResponseStatusActive   TenantResponseStatus = "active"
@@ -367,6 +372,27 @@ const (
 	GetApiEventsNetworkTrafficParamsDirectionINGRESS          GetApiEventsNetworkTrafficParamsDirection = "INGRESS"
 )
 
+// Defines values for GetApiEventsProxyParamsSortBy.
+const (
+	GetApiEventsProxyParamsSortByAuthMethod GetApiEventsProxyParamsSortBy = "auth_method"
+	GetApiEventsProxyParamsSortByDuration   GetApiEventsProxyParamsSortBy = "duration"
+	GetApiEventsProxyParamsSortByHost       GetApiEventsProxyParamsSortBy = "host"
+	GetApiEventsProxyParamsSortByMethod     GetApiEventsProxyParamsSortBy = "method"
+	GetApiEventsProxyParamsSortByPath       GetApiEventsProxyParamsSortBy = "path"
+	GetApiEventsProxyParamsSortByReason     GetApiEventsProxyParamsSortBy = "reason"
+	GetApiEventsProxyParamsSortBySourceIp   GetApiEventsProxyParamsSortBy = "source_ip"
+	GetApiEventsProxyParamsSortByStatusCode GetApiEventsProxyParamsSortBy = "status_code"
+	GetApiEventsProxyParamsSortByTimestamp  GetApiEventsProxyParamsSortBy = "timestamp"
+	GetApiEventsProxyParamsSortByUrl        GetApiEventsProxyParamsSortBy = "url"
+	GetApiEventsProxyParamsSortByUserId     GetApiEventsProxyParamsSortBy = "user_id"
+)
+
+// Defines values for GetApiEventsProxyParamsSortOrder.
+const (
+	GetApiEventsProxyParamsSortOrderAsc  GetApiEventsProxyParamsSortOrder = "asc"
+	GetApiEventsProxyParamsSortOrderDesc GetApiEventsProxyParamsSortOrder = "desc"
+)
+
 // Defines values for GetApiEventsProxyParamsMethod.
 const (
 	GetApiEventsProxyParamsMethodDELETE  GetApiEventsProxyParamsMethod = "DELETE"
@@ -2741,7 +2767,8 @@ type ServiceTarget struct {
 	Enabled bool `json:"enabled"`
 
 	// Host Backend ip or domain for this target
-	Host *string `json:"host,omitempty"`
+	Host    *string               `json:"host,omitempty"`
+	Options *ServiceTargetOptions `json:"options,omitempty"`
 
 	// Path URL path prefix for this target
 	Path *string `json:"path,omitempty"`
@@ -2765,6 +2792,24 @@ type ServiceTargetProtocol string
 // ServiceTargetTargetType Target type (e.g., "peer", "resource")
 type ServiceTargetTargetType string
 
+// ServiceTargetOptions defines model for ServiceTargetOptions.
+type ServiceTargetOptions struct {
+	// CustomHeaders Extra headers sent to the backend. Hop-by-hop and proxy-managed headers (Host, Connection, Transfer-Encoding, etc.) are rejected.
+	CustomHeaders *map[string]string `json:"custom_headers,omitempty"`
+
+	// PathRewrite Controls how the request path is rewritten before forwarding to the backend. Default strips the matched prefix. "preserve" keeps the full original request path.
+	PathRewrite *ServiceTargetOptionsPathRewrite `json:"path_rewrite,omitempty"`
+
+	// RequestTimeout Per-target response timeout as a Go duration string (e.g. "30s", "2m")
+	RequestTimeout *string `json:"request_timeout,omitempty"`
+
+	// SkipTlsVerify Skip TLS certificate verification for this backend
+	SkipTlsVerify *bool `json:"skip_tls_verify,omitempty"`
+}
+
+// ServiceTargetOptionsPathRewrite Controls how the request path is rewritten before forwarding to the backend. Default strips the matched prefix. "preserve" keeps the full original request path.
+type ServiceTargetOptionsPathRewrite string
+
 // SetupKey defines model for SetupKey.
 type SetupKey struct {
 	// AllowExtraDnsLabels Allow extra DNS labels to be added to the peer
@@ -3335,6 +3380,12 @@ type GetApiEventsProxyParams struct {
 	// PageSize Number of items per page (max 100)
 	PageSize *int `form:"page_size,omitempty" json:"page_size,omitempty"`
 
+	// SortBy Field to sort by (url sorts by host then path)
+	SortBy *GetApiEventsProxyParamsSortBy `form:"sort_by,omitempty" json:"sort_by,omitempty"`
+
+	// SortOrder Sort order (ascending or descending)
+	SortOrder *GetApiEventsProxyParamsSortOrder `form:"sort_order,omitempty" json:"sort_order,omitempty"`
+
 	// Search General search across request ID, host, path, source IP, user email, and user name
 	Search *string `form:"search,omitempty" json:"search,omitempty"`
 
@@ -3372,6 +3423,12 @@ type GetApiEventsProxyParams struct {
 	EndDate *time.Time `form:"end_date,omitempty" json:"end_date,omitempty"`
 }
 
+// GetApiEventsProxyParamsSortBy defines parameters for GetApiEventsProxy.
+type GetApiEventsProxyParamsSortBy string
+
+// GetApiEventsProxyParamsSortOrder defines parameters for GetApiEventsProxy.
+type GetApiEventsProxyParamsSortOrder string
+
 // GetApiEventsProxyParamsMethod defines parameters for GetApiEventsProxy.
 type GetApiEventsProxyParamsMethod string
 

shared/management/proto/proxy_service.proto

@@ -4,6 +4,7 @@ package management;
 
 option go_package = "/proto";
 
+import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
 
 // ProxyService - Management is the SERVER, Proxy is the CLIENT
@@ -50,9 +51,22 @@ enum ProxyMappingUpdateType {
   UPDATE_TYPE_REMOVED = 2;
 }
 
+enum PathRewriteMode {
+  PATH_REWRITE_DEFAULT = 0;
+  PATH_REWRITE_PRESERVE = 1;
+}
+
+message PathTargetOptions {
+  bool skip_tls_verify = 1;
+  google.protobuf.Duration request_timeout = 2;
+  PathRewriteMode path_rewrite = 3;
+  map<string, string> custom_headers = 4;
+}
+
 message PathMapping {
   string path = 1;
   string target = 2;
+  PathTargetOptions options = 3;
 }
 
 message Authentication {