[management, reverse proxy] Add reverse proxy feature (#5291)

* implement reverse proxy --------- Co-authored-by: Alisdair MacLeod <git@alisdairmacleod.co.uk> Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> Co-authored-by: Eduard Gert <kontakt@eduardgert.de> Co-authored-by: Viktor Liu <viktor@netbird.io> Co-authored-by: Diego Noguês <diego.sure@gmail.com> Co-authored-by: Diego Noguês <49420+diegocn@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-18 16:26:38 +00:00 · 2026-02-13 19:37:43 +01:00
parent edce11b34d
commit f53155562f
225 changed files with 35513 additions and 235 deletions
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"

+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/job"
 	"github.com/netbirdio/netbird/shared/auth"

@@ -82,8 +83,9 @@ type DefaultAccountManager struct {

 	requestBuffer *AccountRequestBuffer

-	proxyController port_forwarding.Controller
-	settingsManager settings.Manager
+	proxyController     port_forwarding.Controller
+	settingsManager     settings.Manager
+	reverseProxyManager reverseproxy.Manager

 	// config contains the management server configuration
 	config *nbconfig.Config
@@ -113,6 +115,10 @@ type DefaultAccountManager struct {

 var _ account.Manager = (*DefaultAccountManager)(nil)

+func (am *DefaultAccountManager) SetServiceManager(serviceManager reverseproxy.Manager) {
+	am.reverseProxyManager = serviceManager
+}
+
 func isUniqueConstraintError(err error) bool {
 	switch {
 	case strings.Contains(err.Error(), "(SQLSTATE 23505)"),
@@ -321,6 +327,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
+			if err = am.reverseProxyManager.ReloadAllServicesForAccount(ctx, accountID); err != nil {
+				log.WithContext(ctx).Warnf("failed to reload all services for account %s: %v", accountID, err)
+			}
 			updateAccountPeers = true
 		}

--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -6,6 +6,7 @@ import (
 	"net/netip"
 	"time"

+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/shared/auth"

 	nbdns "github.com/netbirdio/netbird/dns"
@@ -139,4 +140,5 @@ type Manager interface {
 	CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error
 	GetAllPeerJobs(ctx context.Context, accountID, userID, peerID string) ([]*types.Job, error)
 	GetPeerJobByID(ctx context.Context, accountID, userID, peerID, jobID string) (*types.Job, error)
+	SetServiceManager(serviceManager reverseproxy.Manager)
 }
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -27,6 +27,8 @@ import (
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	ephemeral_manager "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
@@ -1800,6 +1802,14 @@ func TestAccount_Copy(t *testing.T) {
 				Address:   "172.12.6.1/24",
 			},
 		},
+		Services: []*reverseproxy.Service{
+			{
+				ID:        "service1",
+				Name:      "test-service",
+				AccountID: "account1",
+				Targets:   []*reverseproxy.Target{},
+			},
+		},
 		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
 	account.InitOnce()
@@ -3112,6 +3122,8 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 		return nil, nil, err
 	}

+	manager.SetServiceManager(reverseproxymanager.NewManager(store, manager, permissionsManager, nil, nil))
+
 	return manager, updateManager, nil
 }

--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -204,6 +204,10 @@ const (
 	UserInviteLinkRegenerated Activity = 106
 	UserInviteLinkDeleted     Activity = 107

+	ServiceCreated Activity = 108
+	ServiceUpdated Activity = 109
+	ServiceDeleted Activity = 110
+
 	AccountDeleted Activity = 99999
 )

@@ -337,6 +341,10 @@ var activityMap = map[Activity]Code{
 	UserInviteLinkAccepted:    {"User invite link accepted", "user.invite.link.accept"},
 	UserInviteLinkRegenerated: {"User invite link regenerated", "user.invite.link.regenerate"},
 	UserInviteLinkDeleted:     {"User invite link deleted", "user.invite.link.delete"},
+
+	ServiceCreated: {"Service created", "service.create"},
+	ServiceUpdated: {"Service updated", "service.update"},
+	ServiceDeleted: {"Service deleted", "service.delete"},
 }

 // StringCode returns a string code of the activity
--- a/management/server/group_test.go
+++ b/management/server/group_test.go
@@ -703,7 +703,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("saving group linked to network router", func(t *testing.T) {
 		permissionsManager := permissions.NewManager(manager.Store)
 		groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
-		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager)
+		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager, manager.reverseProxyManager)
 		routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
 		networksManager := networks.NewManager(manager.Store, permissionsManager, resourcesManager, routersManager, manager)

--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/netip"
 	"os"
 	"strconv"
 	"time"
@@ -12,9 +13,19 @@ import (
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+
+	"github.com/netbirdio/netbird/management/server/types"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	idpmanager "github.com/netbirdio/netbird/management/server/idp"

 	"github.com/netbirdio/management-integrations/integrations"
+
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -26,6 +37,8 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"

+	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
+
 	nbpeers "github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/geolocation"
@@ -60,7 +73,7 @@ const (
 )

 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {

 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -76,6 +89,10 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	if err := bypass.AddBypassPath("/api/users/invites/nbi_*/accept"); err != nil {
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}
+	// OAuth callback for proxy authentication
+	if err := bypass.AddBypassPath(types.ProxyCallbackEndpointFull); err != nil {
+		return nil, fmt.Errorf("failed to add bypass path: %w", err)
+	}

 	var rateLimitingConfig *middleware.RateLimiterConfig
 	if os.Getenv(rateLimitingEnabledKey) == "true" {
@@ -156,6 +173,15 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	idp.AddEndpoints(accountManager, router)
 	instance.AddEndpoints(instanceManager, router)
 	instance.AddVersionEndpoint(instanceManager, router)
+	if reverseProxyManager != nil && reverseProxyDomainManager != nil {
+		reverseproxymanager.RegisterEndpoints(reverseProxyManager, *reverseProxyDomainManager, reverseProxyAccessLogsManager, router)
+	}
+
+	// Register OAuth callback handler for proxy authentication
+	if proxyGRPCServer != nil {
+		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer, trustedHTTPProxies)
+		oauthHandler.RegisterEndpoints(router)
+	}

 	// Mount embedded IdP handler at /oauth2 path if configured
 	if embeddedIdpEnabled {
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -154,6 +154,11 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 		return
 	}

+	if peer.ProxyMeta.Embedded {
+		util.WriteError(ctx, status.Errorf(status.InvalidArgument, "not allowed to read peer"), w)
+		return
+	}
+
 	settings, err := h.accountManager.GetAccountSettings(ctx, accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(ctx, err, w)
@@ -321,6 +326,9 @@ func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, len(peers))
 	respBody := make([]*api.PeerBatch, 0, len(peers))
 	for _, peer := range peers {
+		if peer.ProxyMeta.Embedded {
+			continue
+		}
 		respBody = append(respBody, toPeerListItemResponse(peer, grpsInfoMap[peer.ID], dnsDomain, 0))
 	}

--- a/management/server/http/handlers/proxy/auth.go
+++ b/management/server/http/handlers/proxy/auth.go
@@ -0,0 +1,208 @@
+package proxy
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
+
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/http/middleware"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/proxy/auth"
+)
+
+// AuthCallbackHandler handles OAuth callbacks for proxy authentication.
+type AuthCallbackHandler struct {
+	proxyService   *nbgrpc.ProxyServiceServer
+	rateLimiter    *middleware.APIRateLimiter
+	trustedProxies []netip.Prefix
+}
+
+// NewAuthCallbackHandler creates a new OAuth callback handler.
+func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer, trustedProxies []netip.Prefix) *AuthCallbackHandler {
+	rateLimiterConfig := &middleware.RateLimiterConfig{
+		RequestsPerMinute: 10,
+		Burst:             15,
+		CleanupInterval:   5 * time.Minute,
+		LimiterTTL:        10 * time.Minute,
+	}
+
+	return &AuthCallbackHandler{
+		proxyService:   proxyService,
+		rateLimiter:    middleware.NewAPIRateLimiter(rateLimiterConfig),
+		trustedProxies: trustedProxies,
+	}
+}
+
+// RegisterEndpoints registers the OAuth callback endpoint.
+func (h *AuthCallbackHandler) RegisterEndpoints(router *mux.Router) {
+	router.HandleFunc(types.ProxyCallbackEndpoint, h.handleCallback).Methods(http.MethodGet)
+}
+
+func (h *AuthCallbackHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
+	clientIP := h.resolveClientIP(r)
+	if !h.rateLimiter.Allow(clientIP) {
+		log.WithField("client_ip", clientIP).Warn("OAuth callback rate limit exceeded")
+		http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
+		return
+	}
+
+	state := r.URL.Query().Get("state")
+
+	codeVerifier, originalURL, err := h.proxyService.ValidateState(state)
+	if err != nil {
+		log.WithError(err).Error("OAuth callback state validation failed")
+		http.Error(w, "Invalid state parameter", http.StatusBadRequest)
+		return
+	}
+
+	redirectURL, err := url.Parse(originalURL)
+	if err != nil {
+		log.WithError(err).Error("Failed to parse redirect URL")
+		http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
+		return
+	}
+
+	oidcConfig := h.proxyService.GetOIDCConfig()
+
+	provider, err := oidc.NewProvider(r.Context(), oidcConfig.Issuer)
+	if err != nil {
+		log.WithError(err).Error("Failed to create OIDC provider")
+		http.Error(w, "Failed to create OIDC provider", http.StatusInternalServerError)
+		return
+	}
+
+	token, err := (&oauth2.Config{
+		ClientID:    oidcConfig.ClientID,
+		Endpoint:    provider.Endpoint(),
+		RedirectURL: oidcConfig.CallbackURL,
+	}).Exchange(r.Context(), r.URL.Query().Get("code"), oauth2.VerifierOption(codeVerifier))
+	if err != nil {
+		log.WithError(err).Error("Failed to exchange code for token")
+		http.Error(w, "Failed to exchange code for token", http.StatusInternalServerError)
+		return
+	}
+
+	userID := extractUserIDFromToken(r.Context(), provider, oidcConfig, token)
+	if userID == "" {
+		log.Error("Failed to extract user ID from OIDC token")
+		http.Error(w, "Failed to validate token", http.StatusUnauthorized)
+		return
+	}
+
+	// Group validation is performed by the proxy via ValidateSession gRPC call.
+	// This allows the proxy to show 403 pages directly without redirect dance.
+
+	sessionToken, err := h.proxyService.GenerateSessionToken(r.Context(), redirectURL.Hostname(), userID, auth.MethodOIDC)
+	if err != nil {
+		log.WithError(err).Error("Failed to create session token")
+		redirectURL.Scheme = "https"
+		query := redirectURL.Query()
+		query.Set("error", "access_denied")
+		query.Set("error_description", "Service configuration error")
+		redirectURL.RawQuery = query.Encode()
+		http.Redirect(w, r, redirectURL.String(), http.StatusFound)
+		return
+	}
+
+	redirectURL.Scheme = "https"
+
+	query := redirectURL.Query()
+	query.Set("session_token", sessionToken)
+	redirectURL.RawQuery = query.Encode()
+
+	log.WithField("redirect", redirectURL.Host).Debug("OAuth callback: redirecting user with session token")
+	http.Redirect(w, r, redirectURL.String(), http.StatusFound)
+}
+
+func extractUserIDFromToken(ctx context.Context, provider *oidc.Provider, config nbgrpc.ProxyOIDCConfig, token *oauth2.Token) string {
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		log.Warn("No id_token in OIDC response")
+		return ""
+	}
+
+	verifier := provider.Verifier(&oidc.Config{
+		ClientID: config.ClientID,
+	})
+
+	idToken, err := verifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		log.WithError(err).Warn("Failed to verify ID token")
+		return ""
+	}
+
+	var claims struct {
+		Subject string `json:"sub"`
+	}
+	if err := idToken.Claims(&claims); err != nil {
+		log.WithError(err).Warn("Failed to extract claims from ID token")
+		return ""
+	}
+
+	return claims.Subject
+}
+
+// resolveClientIP extracts the real client IP from the request.
+// When trustedProxies is non-empty and the direct peer is trusted,
+// it walks X-Forwarded-For right-to-left skipping trusted IPs.
+// Otherwise it returns RemoteAddr directly.
+func (h *AuthCallbackHandler) resolveClientIP(r *http.Request) string {
+	remoteIP := extractHost(r.RemoteAddr)
+
+	if len(h.trustedProxies) == 0 || !isTrustedProxy(remoteIP, h.trustedProxies) {
+		return remoteIP
+	}
+
+	xff := r.Header.Get("X-Forwarded-For")
+	if xff == "" {
+		return remoteIP
+	}
+
+	parts := strings.Split(xff, ",")
+	for i := len(parts) - 1; i >= 0; i-- {
+		ip := strings.TrimSpace(parts[i])
+		if ip == "" {
+			continue
+		}
+		if !isTrustedProxy(ip, h.trustedProxies) {
+			return ip
+		}
+	}
+
+	// All IPs in XFF are trusted; return the leftmost as best guess.
+	if first := strings.TrimSpace(parts[0]); first != "" {
+		return first
+	}
+	return remoteIP
+}
+
+func extractHost(remoteAddr string) string {
+	host, _, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		return remoteAddr
+	}
+	return host
+}
+
+func isTrustedProxy(ipStr string, trusted []netip.Prefix) bool {
+	addr, err := netip.ParseAddr(ipStr)
+	if err != nil {
+		return false
+	}
+	for _, prefix := range trusted {
+		if prefix.Contains(addr) {
+			return true
+		}
+	}
+	return false
+}
--- a/management/server/http/handlers/proxy/auth_callback_integration_test.go
+++ b/management/server/http/handlers/proxy/auth_callback_integration_test.go
@@ -0,0 +1,523 @@
+//go:build integration
+
+package proxy
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/users"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// fakeOIDCServer creates a minimal OIDC provider for testing.
+type fakeOIDCServer struct {
+	server       *httptest.Server
+	issuer       string
+	signingKey   ed25519.PrivateKey
+	publicKey    ed25519.PublicKey
+	keyID        string
+	tokenSubject string
+	tokenExpiry  time.Duration
+	failExchange bool
+}
+
+func newFakeOIDCServer() *fakeOIDCServer {
+	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
+	f := &fakeOIDCServer{
+		signingKey:  priv,
+		publicKey:   pub,
+		keyID:       "test-key-1",
+		tokenExpiry: time.Hour,
+	}
+	f.server = httptest.NewServer(f)
+	f.issuer = f.server.URL
+	return f
+}
+
+func (f *fakeOIDCServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/.well-known/openid-configuration":
+		f.handleDiscovery(w, r)
+	case "/token":
+		f.handleToken(w, r)
+	case "/keys":
+		f.handleJWKS(w, r)
+	default:
+		http.NotFound(w, r)
+	}
+}
+
+func (f *fakeOIDCServer) handleDiscovery(w http.ResponseWriter, _ *http.Request) {
+	discovery := map[string]interface{}{
+		"issuer":                 f.issuer,
+		"authorization_endpoint": f.issuer + "/auth",
+		"token_endpoint":         f.issuer + "/token",
+		"jwks_uri":               f.issuer + "/keys",
+		"response_types_supported": []string{
+			"code",
+			"id_token",
+			"token id_token",
+		},
+		"subject_types_supported":               []string{"public"},
+		"id_token_signing_alg_values_supported": []string{"EdDSA"},
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(discovery)
+}
+
+func (f *fakeOIDCServer) handleToken(w http.ResponseWriter, r *http.Request) {
+	if f.failExchange {
+		http.Error(w, "invalid_grant", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	idToken := f.createIDToken()
+
+	response := map[string]interface{}{
+		"access_token":  "test-access-token",
+		"token_type":    "Bearer",
+		"expires_in":    3600,
+		"id_token":      idToken,
+		"refresh_token": "test-refresh-token",
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+func (f *fakeOIDCServer) createIDToken() string {
+	now := time.Now()
+	claims := jwt.MapClaims{
+		"iss": f.issuer,
+		"sub": f.tokenSubject,
+		"aud": "test-client-id",
+		"exp": now.Add(f.tokenExpiry).Unix(),
+		"iat": now.Unix(),
+		"nbf": now.Unix(),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
+	token.Header["kid"] = f.keyID
+	signed, _ := token.SignedString(f.signingKey)
+	return signed
+}
+
+func (f *fakeOIDCServer) handleJWKS(w http.ResponseWriter, _ *http.Request) {
+	jwks := map[string]interface{}{
+		"keys": []map[string]interface{}{
+			{
+				"kty": "OKP",
+				"crv": "Ed25519",
+				"kid": f.keyID,
+				"x":   base64.RawURLEncoding.EncodeToString(f.publicKey),
+				"use": "sig",
+			},
+		},
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(jwks)
+}
+
+func (f *fakeOIDCServer) Close() {
+	f.server.Close()
+}
+
+// testSetup contains all test dependencies.
+type testSetup struct {
+	store        store.Store
+	oidcServer   *fakeOIDCServer
+	proxyService *nbgrpc.ProxyServiceServer
+	handler      *AuthCallbackHandler
+	router       *mux.Router
+	cleanup      func()
+}
+
+// testAccessLogManager is a minimal mock for accesslogs.Manager.
+type testAccessLogManager struct{}
+
+func (m *testAccessLogManager) SaveAccessLog(_ context.Context, _ *accesslogs.AccessLogEntry) error {
+	return nil
+}
+
+func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string, _ *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	return nil, 0, nil
+}
+
+func setupAuthCallbackTest(t *testing.T) *testSetup {
+	t.Helper()
+
+	ctx := context.Background()
+
+	testStore, cleanup, err := store.NewTestStoreFromSQL(ctx, "", t.TempDir())
+	require.NoError(t, err)
+
+	createTestAccountsAndUsers(t, ctx, testStore)
+	createTestReverseProxies(t, ctx, testStore)
+
+	oidcServer := newFakeOIDCServer()
+
+	tokenStore := nbgrpc.NewOneTimeTokenStore(time.Minute)
+
+	usersManager := users.NewManager(testStore)
+
+	oidcConfig := nbgrpc.ProxyOIDCConfig{
+		Issuer:      oidcServer.issuer,
+		ClientID:    "test-client-id",
+		Scopes:      []string{"openid", "profile", "email"},
+		CallbackURL: "https://management.example.com/reverse-proxy/callback",
+		HMACKey:     []byte("test-hmac-key-for-state-signing"),
+	}
+
+	proxyService := nbgrpc.NewProxyServiceServer(
+		&testAccessLogManager{},
+		tokenStore,
+		oidcConfig,
+		nil,
+		usersManager,
+	)
+
+	proxyService.SetProxyManager(&testServiceManager{store: testStore})
+
+	handler := NewAuthCallbackHandler(proxyService, nil)
+
+	router := mux.NewRouter()
+	handler.RegisterEndpoints(router)
+
+	return &testSetup{
+		store:        testStore,
+		oidcServer:   oidcServer,
+		proxyService: proxyService,
+		handler:      handler,
+		router:       router,
+		cleanup: func() {
+			cleanup()
+			oidcServer.Close()
+		},
+	}
+}
+
+func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store.Store) {
+	t.Helper()
+
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+
+	pubKey := base64.StdEncoding.EncodeToString(pub)
+	privKey := base64.StdEncoding.EncodeToString(priv)
+
+	testProxy := &reverseproxy.Service{
+		ID:        "testProxyId",
+		AccountID: "testAccountId",
+		Name:      "Test Proxy",
+		Domain:    "test-proxy.example.com",
+		Targets: []*reverseproxy.Target{{
+			Path:       strPtr("/"),
+			Host:       "localhost",
+			Port:       8080,
+			Protocol:   "http",
+			TargetId:   "peer1",
+			TargetType: "peer",
+			Enabled:    true,
+		}},
+		Enabled: true,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled:            true,
+				DistributionGroups: []string{"allowedGroupId"},
+			},
+		},
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+	}
+	require.NoError(t, testStore.CreateService(ctx, testProxy))
+
+	restrictedProxy := &reverseproxy.Service{
+		ID:        "restrictedProxyId",
+		AccountID: "testAccountId",
+		Name:      "Restricted Proxy",
+		Domain:    "restricted-proxy.example.com",
+		Targets: []*reverseproxy.Target{{
+			Path:       strPtr("/"),
+			Host:       "localhost",
+			Port:       8080,
+			Protocol:   "http",
+			TargetId:   "peer1",
+			TargetType: "peer",
+			Enabled:    true,
+		}},
+		Enabled: true,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled:            true,
+				DistributionGroups: []string{"restrictedGroupId"},
+			},
+		},
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+	}
+	require.NoError(t, testStore.CreateService(ctx, restrictedProxy))
+
+	noAuthProxy := &reverseproxy.Service{
+		ID:        "noAuthProxyId",
+		AccountID: "testAccountId",
+		Name:      "No Auth Proxy",
+		Domain:    "no-auth-proxy.example.com",
+		Targets: []*reverseproxy.Target{{
+			Path:       strPtr("/"),
+			Host:       "localhost",
+			Port:       8080,
+			Protocol:   "http",
+			TargetId:   "peer1",
+			TargetType: "peer",
+			Enabled:    true,
+		}},
+		Enabled: true,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled: false,
+			},
+		},
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+	}
+	require.NoError(t, testStore.CreateService(ctx, noAuthProxy))
+}
+
+func strPtr(s string) *string {
+	return &s
+}
+
+func createTestAccountsAndUsers(t *testing.T, ctx context.Context, testStore store.Store) {
+	t.Helper()
+
+	testAccount := &types.Account{
+		Id:                     "testAccountId",
+		Domain:                 "test.com",
+		DomainCategory:         "private",
+		IsDomainPrimaryAccount: true,
+		CreatedAt:              time.Now(),
+	}
+	require.NoError(t, testStore.SaveAccount(ctx, testAccount))
+
+	allowedGroup := &types.Group{
+		ID:        "allowedGroupId",
+		AccountID: "testAccountId",
+		Name:      "Allowed Group",
+		Issued:    "api",
+	}
+	require.NoError(t, testStore.CreateGroup(ctx, allowedGroup))
+
+	allowedUser := &types.User{
+		Id:         "allowedUserId",
+		AccountID:  "testAccountId",
+		Role:       types.UserRoleUser,
+		AutoGroups: []string{"allowedGroupId"},
+		CreatedAt:  time.Now(),
+		Issued:     "api",
+	}
+	require.NoError(t, testStore.SaveUser(ctx, allowedUser))
+}
+
+// testServiceManager is a minimal implementation for testing.
+type testServiceManager struct {
+	store store.Store
+}
+
+func (m *testServiceManager) GetAllServices(_ context.Context, _, _ string) ([]*reverseproxy.Service, error) {
+	return nil, nil
+}
+
+func (m *testServiceManager) GetService(_ context.Context, _, _, _ string) (*reverseproxy.Service, error) {
+	return nil, nil
+}
+
+func (m *testServiceManager) CreateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
+	return nil, nil
+}
+
+func (m *testServiceManager) UpdateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
+	return nil, nil
+}
+
+func (m *testServiceManager) DeleteService(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
+func (m *testServiceManager) SetCertificateIssuedAt(_ context.Context, _, _ string) error {
+	return nil
+}
+
+func (m *testServiceManager) SetStatus(_ context.Context, _, _ string, _ reverseproxy.ProxyStatus) error {
+	return nil
+}
+
+func (m *testServiceManager) ReloadAllServicesForAccount(_ context.Context, _ string) error {
+	return nil
+}
+
+func (m *testServiceManager) ReloadService(_ context.Context, _, _ string) error {
+	return nil
+}
+
+func (m *testServiceManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
+	return m.store.GetServices(ctx, store.LockingStrengthNone)
+}
+
+func (m *testServiceManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.Service, error) {
+	return m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, proxyID)
+}
+
+func (m *testServiceManager) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
+	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+}
+
+func (m *testServiceManager) GetServiceIDByTargetID(_ context.Context, _, _ string) (string, error) {
+	return "", nil
+}
+
+func createTestState(t *testing.T, ps *nbgrpc.ProxyServiceServer, redirectURL string) string {
+	t.Helper()
+
+	resp, err := ps.GetOIDCURL(context.Background(), &proto.GetOIDCURLRequest{
+		RedirectUrl: redirectURL,
+		AccountId:   "testAccountId",
+	})
+	require.NoError(t, err)
+
+	parsedURL, err := url.Parse(resp.Url)
+	require.NoError(t, err)
+
+	return parsedURL.Query().Get("state")
+}
+
+func TestAuthCallback_UserAllowedToLogin(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.tokenSubject = "allowedUserId"
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/dashboard")
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusFound, rec.Code)
+
+	location := rec.Header().Get("Location")
+	require.NotEmpty(t, location)
+
+	parsedLocation, err := url.Parse(location)
+	require.NoError(t, err)
+
+	require.Equal(t, "test-proxy.example.com", parsedLocation.Host)
+	require.NotEmpty(t, parsedLocation.Query().Get("session_token"), "Should include session token")
+	require.Empty(t, parsedLocation.Query().Get("error"), "Should not have error parameter")
+}
+
+func TestAuthCallback_ProxyNotFound(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.tokenSubject = "allowedUserId"
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
+
+	require.NoError(t, setup.store.DeleteService(context.Background(), "testAccountId", "testProxyId"))
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusFound, rec.Code)
+
+	location := rec.Header().Get("Location")
+	parsedLocation, err := url.Parse(location)
+	require.NoError(t, err)
+
+	require.Equal(t, "access_denied", parsedLocation.Query().Get("error"))
+}
+
+func TestAuthCallback_InvalidToken(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.failExchange = true
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=invalid-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusInternalServerError, rec.Code)
+	require.Contains(t, rec.Body.String(), "Failed to exchange code")
+}
+
+func TestAuthCallback_ExpiredToken(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.tokenSubject = "allowedUserId"
+	setup.oidcServer.tokenExpiry = -time.Hour
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusUnauthorized, rec.Code)
+	require.Contains(t, rec.Body.String(), "Failed to validate token")
+}
+
+func TestAuthCallback_InvalidState(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state=invalid-state", nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusBadRequest, rec.Code)
+	require.Contains(t, rec.Body.String(), "Invalid state")
+}
+
+func TestAuthCallback_MissingState(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code", nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusBadRequest, rec.Code)
+}
--- a/management/server/http/handlers/proxy/auth_test.go
+++ b/management/server/http/handlers/proxy/auth_test.go
@@ -0,0 +1,185 @@
+package proxy
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+)
+
+func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
+	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
+
+	req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
+	req.RemoteAddr = "192.168.1.100:12345"
+
+	t.Run("allows requests under limit", func(t *testing.T) {
+		for i := 0; i < 15; i++ {
+			allowed := handler.rateLimiter.Allow("192.168.1.100")
+			assert.True(t, allowed, "Request %d should be allowed", i+1)
+		}
+	})
+
+	t.Run("blocks requests over limit", func(t *testing.T) {
+		handler.rateLimiter.Reset("192.168.1.200")
+
+		for i := 0; i < 15; i++ {
+			handler.rateLimiter.Allow("192.168.1.200")
+		}
+
+		allowed := handler.rateLimiter.Allow("192.168.1.200")
+		assert.False(t, allowed, "Request over limit should be blocked")
+	})
+
+	t.Run("different IPs have separate limits", func(t *testing.T) {
+		ip1 := "192.168.1.201"
+		ip2 := "192.168.1.202"
+
+		handler.rateLimiter.Reset(ip1)
+		handler.rateLimiter.Reset(ip2)
+
+		for i := 0; i < 15; i++ {
+			handler.rateLimiter.Allow(ip1)
+		}
+
+		assert.False(t, handler.rateLimiter.Allow(ip1), "IP1 should be blocked")
+
+		assert.True(t, handler.rateLimiter.Allow(ip2), "IP2 should be allowed")
+	})
+}
+
+func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
+	testIP := "10.0.0.50"
+
+	handler.rateLimiter.Reset(testIP)
+
+	t.Run("returns 429 when rate limited", func(t *testing.T) {
+		for i := 0; i < 15; i++ {
+			handler.rateLimiter.Allow(testIP)
+		}
+
+		req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
+		req.RemoteAddr = testIP + ":12345"
+
+		rr := httptest.NewRecorder()
+		handler.handleCallback(rr, req)
+
+		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Should return 429 status code")
+		assert.Contains(t, rr.Body.String(), "Too many requests", "Should contain rate limit message")
+	})
+}
+
+func TestResolveClientIP(t *testing.T) {
+	trusted := []netip.Prefix{
+		netip.MustParsePrefix("10.0.0.0/8"),
+		netip.MustParsePrefix("172.16.0.0/12"),
+	}
+
+	tests := []struct {
+		name          string
+		remoteAddr    string
+		xForwardedFor string
+		trustedProxy  []netip.Prefix
+		expectedIP    string
+	}{
+		{
+			name:          "no trusted proxies returns RemoteAddr",
+			remoteAddr:    "203.0.113.50:9999",
+			xForwardedFor: "1.2.3.4",
+			trustedProxy:  nil,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:          "untrusted RemoteAddr ignores XFF",
+			remoteAddr:    "203.0.113.50:9999",
+			xForwardedFor: "1.2.3.4, 10.0.0.1",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:          "trusted RemoteAddr with single client in XFF",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "203.0.113.50",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:          "trusted RemoteAddr walks past trusted entries in XFF",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "203.0.113.50, 10.0.0.2, 172.16.0.5",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:         "trusted RemoteAddr with empty XFF falls back to RemoteAddr",
+			remoteAddr:   "10.0.0.1:5000",
+			trustedProxy: trusted,
+			expectedIP:   "10.0.0.1",
+		},
+		{
+			name:          "all XFF IPs trusted returns leftmost",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "10.0.0.2, 172.16.0.1, 10.0.0.3",
+			trustedProxy:  trusted,
+			expectedIP:    "10.0.0.2",
+		},
+		{
+			name:          "XFF with whitespace",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: " 203.0.113.50 , 10.0.0.2 ",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:          "multi-hop with mixed trust",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "8.8.8.8, 203.0.113.50, 172.16.0.1",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:       "RemoteAddr without port",
+			remoteAddr: "192.168.1.100",
+			expectedIP: "192.168.1.100",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, tt.trustedProxy)
+
+			req := httptest.NewRequest(http.MethodGet, "/test", nil)
+			req.RemoteAddr = tt.remoteAddr
+			if tt.xForwardedFor != "" {
+				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
+			}
+
+			ip := handler.resolveClientIP(req)
+			assert.Equal(t, tt.expectedIP, ip)
+		})
+	}
+}
+
+func TestAuthCallbackHandler_RateLimiterConfiguration(t *testing.T) {
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
+
+	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
+
+	testIP := "192.168.1.250"
+	handler.rateLimiter.Reset(testIP)
+
+	for i := 0; i < 15; i++ {
+		allowed := handler.rateLimiter.Allow(testIP)
+		assert.True(t, allowed, "Should allow request %d within burst limit", i+1)
+	}
+
+	allowed := handler.rateLimiter.Allow(testIP)
+	assert.False(t, allowed, "Should block request that exceeds burst limit")
+}
--- a/management/server/http/testing/testing_tools/channel/channel.go
+++ b/management/server/http/testing/testing_tools/channel/channel.go
@@ -10,6 +10,10 @@ import (
 	"github.com/stretchr/testify/assert"

 	"github.com/netbirdio/management-integrations/integrations"
+	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"

 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
 	recordsManager "github.com/netbirdio/netbird/management/internals/modules/zones/records/manager"
@@ -86,6 +90,14 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 		t.Fatalf("Failed to create manager: %v", err)
 	}

+	accessLogsManager := accesslogsmanager.NewManager(store, permissionsManager, nil)
+	proxyTokenStore := nbgrpc.NewOneTimeTokenStore(1 * time.Minute)
+	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager)
+	domainManager := manager.NewManager(store, proxyServiceServer, permissionsManager)
+	reverseProxyManager := reverseproxymanager.NewManager(store, am, permissionsManager, proxyServiceServer, domainManager)
+	proxyServiceServer.SetProxyManager(reverseProxyManager)
+	am.SetServiceManager(reverseProxyManager)
+
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
 	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
 	authManagerMock := &serverauth.MockManager{
@@ -102,7 +114,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, reverseProxyManager, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -135,7 +135,7 @@ func NewAuth0Manager(config Auth0ClientConfig, appMetrics telemetry.AppMetrics)
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

-		httpClient := &http.Client{
+	httpClient := &http.Client{
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
--- a/management/server/idp/authentik.go
+++ b/management/server/idp/authentik.go
@@ -56,7 +56,7 @@ func NewAuthentikManager(config AuthentikClientConfig, appMetrics telemetry.AppM
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}

 	if config.ClientID == "" {
--- a/management/server/idp/azure.go
+++ b/management/server/idp/azure.go
@@ -57,11 +57,11 @@ func NewAzureManager(config AzureClientConfig, appMetrics telemetry.AppMetrics)
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

-		httpClient := &http.Client{
+	httpClient := &http.Client{
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}

 	if config.ClientID == "" {
--- a/management/server/idp/embedded.go
+++ b/management/server/idp/embedded.go
@@ -91,6 +91,12 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	cliRedirectURIs = append(cliRedirectURIs, "/device/callback")
 	cliRedirectURIs = append(cliRedirectURIs, c.Issuer+"/device/callback")

+	// Build dashboard redirect URIs including the OAuth callback for proxy authentication
+	dashboardRedirectURIs := c.DashboardRedirectURIs
+	baseURL := strings.TrimSuffix(c.Issuer, "/oauth2")
+	// todo: resolve import cycle
+	dashboardRedirectURIs = append(dashboardRedirectURIs, baseURL+"/api/reverse-proxy/callback")
+
 	cfg := &dex.YAMLConfig{
 		Issuer: c.Issuer,
 		Storage: dex.Storage{
@@ -118,7 +124,7 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 				ID:           staticClientDashboard,
 				Name:         "NetBird Dashboard",
 				Public:       true,
-				RedirectURIs: c.DashboardRedirectURIs,
+				RedirectURIs: dashboardRedirectURIs,
 			},
 			{
 				ID:           staticClientCLI,
--- a/management/server/idp/google_workspace.go
+++ b/management/server/idp/google_workspace.go
@@ -51,7 +51,7 @@ func NewGoogleWorkspaceManager(ctx context.Context, config GoogleWorkspaceClient
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}

 	if config.CustomerID == "" {
--- a/management/server/idp/keycloak.go
+++ b/management/server/idp/keycloak.go
@@ -66,7 +66,7 @@ func NewKeycloakManager(config KeycloakClientConfig, appMetrics telemetry.AppMet
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}

 	if config.ClientID == "" {
--- a/management/server/idp/pocketid.go
+++ b/management/server/idp/pocketid.go
@@ -90,7 +90,7 @@ func NewPocketIdManager(config PocketIdClientConfig, appMetrics telemetry.AppMet
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}

 	if config.ManagementEndpoint == "" {
--- a/management/server/idp/util.go
+++ b/management/server/idp/util.go
@@ -76,7 +76,7 @@ const (
 	// Provides the env variable name for use with idpTimeout function
 	idpTimeoutEnv = "NB_IDP_TIMEOUT"
 	// Sets the defaultTimeout to 10s.
-	defaultTimeout  = 10 * time.Second
+	defaultTimeout = 10 * time.Second
 )

 // idpTimeout returns a timeout value for the IDP
--- a/management/server/idp/zitadel.go
+++ b/management/server/idp/zitadel.go
@@ -167,7 +167,7 @@ func NewZitadelManager(config ZitadelClientConfig, appMetrics telemetry.AppMetri
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}

 	hasPAT := config.PAT != ""
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -12,6 +12,7 @@ import (
 	"google.golang.org/grpc/status"

 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/idp"
@@ -147,6 +148,10 @@ type MockAccountManager struct {
 	DeleteUserInviteFunc       func(ctx context.Context, accountID, initiatorUserID, inviteID string) error
 }

+func (am *MockAccountManager) SetServiceManager(serviceManager reverseproxy.Manager) {
+	// Mock implementation - no-op
+}
+
 func (am *MockAccountManager) CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error {
 	if am.CreatePeerJobFunc != nil {
 		return am.CreatePeerJobFunc(ctx, accountID, peerID, userID, job)
--- a/management/server/networks/manager_test.go
+++ b/management/server/networks/manager_test.go
@@ -29,7 +29,7 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
@@ -52,7 +52,7 @@ func Test_GetAllNetworksReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
@@ -75,7 +75,7 @@ func Test_GetNetworkReturnsNetwork(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	networks, err := manager.GetNetwork(ctx, accountID, userID, networkID)
@@ -98,7 +98,7 @@ func Test_GetNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	network, err := manager.GetNetwork(ctx, accountID, userID, networkID)
@@ -123,7 +123,7 @@ func Test_CreateNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
@@ -148,7 +148,7 @@ func Test_CreateNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
@@ -171,7 +171,7 @@ func Test_DeleteNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
@@ -193,7 +193,7 @@ func Test_DeleteNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
@@ -218,7 +218,7 @@ func Test_UpdateNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)
@@ -245,7 +245,7 @@ func Test_UpdateNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)

 	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)
--- a/management/server/networks/resources/manager.go
+++ b/management/server/networks/resources/manager.go
@@ -5,6 +5,9 @@ import (
 	"errors"
 	"fmt"

+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -30,21 +33,23 @@ type Manager interface {
 }

 type managerImpl struct {
-	store              store.Store
-	permissionsManager permissions.Manager
-	groupsManager      groups.Manager
-	accountManager     account.Manager
+	store               store.Store
+	permissionsManager  permissions.Manager
+	groupsManager       groups.Manager
+	accountManager      account.Manager
+	reverseProxyManager reverseproxy.Manager
 }

 type mockManager struct {
 }

-func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager account.Manager) Manager {
+func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager account.Manager, reverseproxyManager reverseproxy.Manager) Manager {
 	return &managerImpl{
-		store:              store,
-		permissionsManager: permissionsManager,
-		groupsManager:      groupsManager,
-		accountManager:     accountManager,
+		store:               store,
+		permissionsManager:  permissionsManager,
+		groupsManager:       groupsManager,
+		accountManager:      accountManager,
+		reverseProxyManager: reverseproxyManager,
 	}
 }

@@ -257,6 +262,14 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		event()
 	}

+	// TODO: optimize to only reload reverse proxies that are affected by the resource update instead of all of them
+	go func() {
+		err := m.reverseProxyManager.ReloadAllServicesForAccount(ctx, resource.AccountID)
+		if err != nil {
+			log.WithContext(ctx).Warnf("failed to reload all proxies for account: %v", err)
+		}
+	}()
+
 	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)

 	return resource, nil
@@ -309,6 +322,14 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 		return status.NewPermissionDeniedError()
 	}

+	serviceID, err := m.reverseProxyManager.GetServiceIDByTargetID(ctx, accountID, resourceID)
+	if err != nil {
+		return fmt.Errorf("failed to check if resource is used by service: %w", err)
+	}
+	if serviceID != "" {
+		return status.NewResourceInUseError(resourceID, serviceID)
+	}
+
 	var events []func()
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		events, err = m.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resourceID)
--- a/management/server/networks/resources/manager_test.go
+++ b/management/server/networks/resources/manager_test.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"testing"

+	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"

+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -28,7 +30,9 @@ func Test_GetAllResourcesInNetworkReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
 	require.NoError(t, err)
@@ -49,7 +53,9 @@ func Test_GetAllResourcesInNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
 	require.Error(t, err)
@@ -69,7 +75,9 @@ func Test_GetAllResourcesInAccountReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
 	require.NoError(t, err)
@@ -89,7 +97,9 @@ func Test_GetAllResourcesInAccountReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
 	require.Error(t, err)
@@ -112,7 +122,9 @@ func Test_GetResourceInNetworkReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	resource, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
 	require.NoError(t, err)
@@ -134,7 +146,9 @@ func Test_GetResourceInNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	resources, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
 	require.Error(t, err)
@@ -161,7 +175,10 @@ func Test_CreateResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	reverseProxyManager.EXPECT().ReloadAllServicesForAccount(gomock.Any(), resource.AccountID).Return(nil).AnyTimes()
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.NoError(t, err)
@@ -187,7 +204,9 @@ func Test_CreateResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -214,7 +233,9 @@ func Test_CreateResourceFailsWithInvalidAddress(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -240,7 +261,9 @@ func Test_CreateResourceFailsWithUsedName(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -270,7 +293,10 @@ func Test_UpdateResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	reverseProxyManager.EXPECT().ReloadAllServicesForAccount(gomock.Any(), accountID).Return(nil).AnyTimes()
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.NoError(t, err)
@@ -302,7 +328,9 @@ func Test_UpdateResourceFailsWithResourceNotFound(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -332,7 +360,9 @@ func Test_UpdateResourceFailsWithNameInUse(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -361,7 +391,9 @@ func Test_UpdateResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -383,7 +415,10 @@ func Test_DeleteResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	reverseProxyManager.EXPECT().GetServiceIDByTargetID(gomock.Any(), accountID, resourceID).Return("", nil).AnyTimes()
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
 	require.NoError(t, err)
@@ -404,7 +439,9 @@ func Test_DeleteResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)

 	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
 	require.Error(t, err)
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -221,6 +221,10 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 			return err
 		}

+		if peer.ProxyMeta.Embedded {
+			return fmt.Errorf("not allowed to update peer")
+		}
+
 		settings, err = transaction.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 		if err != nil {
 			return err
@@ -489,6 +493,14 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 	var settings *types.Settings
 	var eventsToStore []func()

+	serviceID, err := am.reverseProxyManager.GetServiceIDByTargetID(ctx, accountID, peerID)
+	if err != nil {
+		return fmt.Errorf("failed to check if resource is used by service: %w", err)
+	}
+	if serviceID != "" {
+		return status.NewPeerInUseError(peerID, serviceID)
+	}
+
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		peer, err = transaction.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 		if err != nil {
@@ -549,6 +561,99 @@ func (am *DefaultAccountManager) GetPeerNetwork(ctx context.Context, peerID stri
 	return account.Network.Copy(), err
 }

+type peerAddAuthConfig struct {
+	AccountID           string
+	SetupKeyID          string
+	SetupKeyName        string
+	GroupsToAdd         []string
+	AllowExtraDNSLabels bool
+	Ephemeral           bool
+}
+
+func (am *DefaultAccountManager) processPeerAddAuth(ctx context.Context, accountID, userID, encodedHashedKey string, peer *nbpeer.Peer, temporary, addedByUser, addedBySetupKey bool, opEvent *activity.Event) (*peerAddAuthConfig, error) {
+	config := &peerAddAuthConfig{
+		AccountID: accountID,
+		Ephemeral: peer.Ephemeral,
+	}
+
+	switch {
+	case addedByUser:
+		if err := am.handleUserAddedPeer(ctx, accountID, userID, temporary, opEvent, config); err != nil {
+			return nil, err
+		}
+	case addedBySetupKey:
+		if err := am.handleSetupKeyAddedPeer(ctx, encodedHashedKey, peer, opEvent, config); err != nil {
+			return nil, err
+		}
+	default:
+		if peer.ProxyMeta.Embedded {
+			log.WithContext(ctx).Debugf("adding peer for proxy embedded, accountID: %s", accountID)
+		} else {
+			log.WithContext(ctx).Warnf("adding peer without setup key or userID, accountID: %s", accountID)
+		}
+	}
+
+	opEvent.AccountID = config.AccountID
+	if temporary {
+		config.Ephemeral = true
+	}
+
+	return config, nil
+}
+
+func (am *DefaultAccountManager) handleUserAddedPeer(ctx context.Context, accountID, userID string, temporary bool, opEvent *activity.Event, config *peerAddAuthConfig) error {
+	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
+	if err != nil {
+		return status.Errorf(status.NotFound, "failed adding new peer: user not found")
+	}
+	if user.PendingApproval {
+		return status.Errorf(status.PermissionDenied, "user pending approval cannot add peers")
+	}
+
+	if temporary {
+		allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
+		if err != nil {
+			return status.NewPermissionValidationError(err)
+		}
+		if !allowed {
+			return status.NewPermissionDeniedError()
+		}
+	} else {
+		config.AccountID = user.AccountID
+		config.GroupsToAdd = user.AutoGroups
+	}
+
+	opEvent.InitiatorID = userID
+	opEvent.Activity = activity.PeerAddedByUser
+	return nil
+}
+
+func (am *DefaultAccountManager) handleSetupKeyAddedPeer(ctx context.Context, encodedHashedKey string, peer *nbpeer.Peer, opEvent *activity.Event, config *peerAddAuthConfig) error {
+	sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
+	if err != nil {
+		return status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
+	}
+
+	if !sk.IsValid() {
+		return status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
+	}
+
+	if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
+		return status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
+	}
+
+	opEvent.InitiatorID = sk.Id
+	opEvent.Activity = activity.PeerAddedWithSetupKey
+	config.GroupsToAdd = sk.AutoGroups
+	config.Ephemeral = sk.Ephemeral
+	config.SetupKeyID = sk.Id
+	config.SetupKeyName = sk.Name
+	config.AllowExtraDNSLabels = sk.AllowExtraDNSLabels
+	config.AccountID = sk.AccountID
+
+	return nil
+}
+
 // AddPeer adds a new peer to the Store.
 // Each Account has a list of pre-authorized SetupKey and if no Account has a given key err with a code status.PermissionDenied
 // will be returned, meaning the setup key is invalid or not found.
@@ -557,7 +662,7 @@ func (am *DefaultAccountManager) GetPeerNetwork(ctx context.Context, peerID stri
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
 func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKey, userID string, peer *nbpeer.Peer, temporary bool) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
-	if setupKey == "" && userID == "" {
+	if setupKey == "" && userID == "" && !peer.ProxyMeta.Embedded {
 		// no auth method provided => reject access
 		return nil, nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
 	}
@@ -566,6 +671,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 	hashedKey := sha256.Sum256([]byte(upperKey))
 	encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
 	addedByUser := len(userID) > 0
+	addedBySetupKey := len(setupKey) > 0

 	// This is a handling for the case when the same machine (with the same WireGuard pub key) tries to register twice.
 	// Such case is possible when AddPeer function takes long time to finish after AcquireWriteLockByUID (e.g., database is slow)
@@ -583,63 +689,12 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe

 	var newPeer *nbpeer.Peer

-	var setupKeyID string
-	var setupKeyName string
-	var ephemeral bool
-	var groupsToAdd []string
-	var allowExtraDNSLabels bool
-	if addedByUser {
-		user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
-		if err != nil {
-			return nil, nil, nil, status.Errorf(status.NotFound, "failed adding new peer: user not found")
-		}
-		if user.PendingApproval {
-			return nil, nil, nil, status.Errorf(status.PermissionDenied, "user pending approval cannot add peers")
-		}
-		if temporary {
-			allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
-			if err != nil {
-				return nil, nil, nil, status.NewPermissionValidationError(err)
-			}
-
-			if !allowed {
-				return nil, nil, nil, status.NewPermissionDeniedError()
-			}
-		} else {
-			accountID = user.AccountID
-			groupsToAdd = user.AutoGroups
-		}
-		opEvent.InitiatorID = userID
-		opEvent.Activity = activity.PeerAddedByUser
-	} else {
-		// Validate the setup key
-		sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
-		if err != nil {
-			return nil, nil, nil, status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
-		}
-
-		// we will check key twice for early return
-		if !sk.IsValid() {
-			return nil, nil, nil, status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
-		}
-
-		opEvent.InitiatorID = sk.Id
-		opEvent.Activity = activity.PeerAddedWithSetupKey
-		groupsToAdd = sk.AutoGroups
-		ephemeral = sk.Ephemeral
-		setupKeyID = sk.Id
-		setupKeyName = sk.Name
-		allowExtraDNSLabels = sk.AllowExtraDNSLabels
-		accountID = sk.AccountID
-		if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
-			return nil, nil, nil, status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
-		}
-	}
-	opEvent.AccountID = accountID
-
-	if temporary {
-		ephemeral = true
+	peerAddConfig, err := am.processPeerAddAuth(ctx, accountID, userID, encodedHashedKey, peer, temporary, addedByUser, addedBySetupKey, opEvent)
+	if err != nil {
+		return nil, nil, nil, err
 	}
+	accountID = peerAddConfig.AccountID
+	ephemeral := peerAddConfig.Ephemeral

 	if (strings.ToLower(peer.Meta.Hostname) == "iphone" || strings.ToLower(peer.Meta.Hostname) == "ipad") && userID != "" {
 		if am.idpManager != nil {
@@ -669,10 +724,11 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		CreatedAt:                   registrationTime,
 		LoginExpirationEnabled:      addedByUser && !temporary,
 		Ephemeral:                   ephemeral,
+		ProxyMeta:                   peer.ProxyMeta,
 		Location:                    peer.Location,
 		InactivityExpirationEnabled: addedByUser && !temporary,
 		ExtraDNSLabels:              peer.ExtraDNSLabels,
-		AllowExtraDNSLabels:         allowExtraDNSLabels,
+		AllowExtraDNSLabels:         peerAddConfig.AllowExtraDNSLabels,
 	}
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
@@ -690,7 +746,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		}
 	}

-	newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, groupsToAdd, settings.Extra, temporary)
+	newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary)

 	network, err := am.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
@@ -726,8 +782,8 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 				return err
 			}

-			if len(groupsToAdd) > 0 {
-				for _, g := range groupsToAdd {
+			if len(peerAddConfig.GroupsToAdd) > 0 {
+				for _, g := range peerAddConfig.GroupsToAdd {
 					err = transaction.AddPeerToGroup(ctx, newPeer.AccountID, newPeer.ID, g)
 					if err != nil {
 						return err
@@ -735,17 +791,20 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 				}
 			}

-			err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
-			if err != nil {
-				return fmt.Errorf("failed adding peer to All group: %w", err)
+			if !peer.ProxyMeta.Embedded {
+				err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
+				if err != nil {
+					return fmt.Errorf("failed adding peer to All group: %w", err)
+				}
 			}

-			if addedByUser {
+			switch {
+			case addedByUser:
 				err := transaction.SaveUserLastLogin(ctx, accountID, userID, newPeer.GetLastLogin())
 				if err != nil {
 					log.WithContext(ctx).Debugf("failed to update user last login: %v", err)
 				}
-			} else {
+			case addedBySetupKey:
 				sk, err := transaction.GetSetupKeyBySecret(ctx, store.LockingStrengthUpdate, encodedHashedKey)
 				if err != nil {
 					return fmt.Errorf("failed to get setup key: %w", err)
@@ -756,7 +815,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 					return status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key is invalid")
 				}

-				err = transaction.IncrementSetupKeyUsage(ctx, setupKeyID)
+				err = transaction.IncrementSetupKeyUsage(ctx, peerAddConfig.SetupKeyID)
 				if err != nil {
 					return fmt.Errorf("failed to increment setup key usage: %w", err)
 				}
@@ -797,7 +856,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 	opEvent.TargetID = newPeer.ID
 	opEvent.Meta = newPeer.EventMeta(am.networkMapController.GetDNSDomain(settings))
 	if !addedByUser {
-		opEvent.Meta["setup_key_name"] = setupKeyName
+		opEvent.Meta["setup_key_name"] = peerAddConfig.SetupKeyName
 	}

 	am.StoreEvent(ctx, opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)
--- a/management/server/peer/peer.go
+++ b/management/server/peer/peer.go
@@ -24,6 +24,8 @@ type Peer struct {
 	IP net.IP `gorm:"serializer:json"` // uniqueness index per accountID (check migrations)
 	// Meta is a Peer system meta data
 	Meta PeerSystemMeta `gorm:"embedded;embeddedPrefix:meta_"`
+	// ProxyMeta is metadata related to proxy peers
+	ProxyMeta ProxyMeta `gorm:"embedded;embeddedPrefix:proxy_meta_"`
 	// Name is peer's name (machine name)
 	Name string `gorm:"index"`
 	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
@@ -48,6 +50,7 @@ type Peer struct {
 	CreatedAt time.Time
 	// Indicate ephemeral peer attribute
 	Ephemeral bool `gorm:"index"`
+
 	// Geo location based on connection IP
 	Location Location `gorm:"embedded;embeddedPrefix:location_"`

@@ -57,6 +60,11 @@ type Peer struct {
 	AllowExtraDNSLabels bool
 }

+type ProxyMeta struct {
+	Embedded bool   `gorm:"index"`
+	Cluster  string `gorm:"index"`
+}
+
 type PeerStatus struct { //nolint:revive
 	// LastSeen is the last time peer was connected to the management service
 	LastSeen time.Time
@@ -224,6 +232,7 @@ func (p *Peer) Copy() *Peer {
 		LastLogin:                   p.LastLogin,
 		CreatedAt:                   p.CreatedAt,
 		Ephemeral:                   p.Ephemeral,
+		ProxyMeta:                   p.ProxyMeta,
 		Location:                    p.Location,
 		InactivityExpirationEnabled: p.InactivityExpirationEnabled,
 		ExtraDNSLabels:              slices.Clone(p.ExtraDNSLabels),
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -2489,3 +2489,252 @@ func TestLoginPeer_ApprovedUserCanLogin(t *testing.T) {
 	_, _, _, err = manager.LoginPeer(context.Background(), login)
 	require.NoError(t, err, "Regular user should be able to login peers")
 }
+
+func TestHandleUserAddedPeer(t *testing.T) {
+	manager, _, err := createManager(t)
+	require.NoError(t, err)
+
+	account := newAccountWithId(context.Background(), "test-account", "owner", "", "", "", false)
+	err = manager.Store.SaveAccount(context.Background(), account)
+	require.NoError(t, err)
+
+	t.Run("regular user can add peer", func(t *testing.T) {
+		regularUser := types.NewRegularUser("regular-user-1", "", "")
+		regularUser.AccountID = account.Id
+		regularUser.AutoGroups = []string{"group1", "group2"}
+		err = manager.Store.SaveUser(context.Background(), regularUser)
+		require.NoError(t, err)
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+
+		err = manager.handleUserAddedPeer(context.Background(), account.Id, regularUser.Id, false, opEvent, config)
+		require.NoError(t, err)
+		assert.Equal(t, account.Id, config.AccountID)
+		assert.Equal(t, regularUser.AutoGroups, config.GroupsToAdd)
+		assert.Equal(t, regularUser.Id, opEvent.InitiatorID)
+		assert.Equal(t, activity.PeerAddedByUser, opEvent.Activity)
+	})
+
+	t.Run("pending approval user cannot add peer", func(t *testing.T) {
+		pendingUser := types.NewRegularUser("pending-user", "", "")
+		pendingUser.AccountID = account.Id
+		pendingUser.PendingApproval = true
+		err = manager.Store.SaveUser(context.Background(), pendingUser)
+		require.NoError(t, err)
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+
+		err = manager.handleUserAddedPeer(context.Background(), account.Id, pendingUser.Id, false, opEvent, config)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "user pending approval cannot add peers")
+	})
+
+	t.Run("user not found", func(t *testing.T) {
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+
+		err = manager.handleUserAddedPeer(context.Background(), account.Id, "non-existent-user", false, opEvent, config)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "user not found")
+	})
+
+	t.Run("temporary peer requires permissions", func(t *testing.T) {
+		regularUser := types.NewRegularUser("regular-user-2", "", "")
+		regularUser.AccountID = account.Id
+		err = manager.Store.SaveUser(context.Background(), regularUser)
+		require.NoError(t, err)
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+
+		// Should fail because user doesn't have permissions for temporary peers
+		err = manager.handleUserAddedPeer(context.Background(), account.Id, regularUser.Id, true, opEvent, config)
+		require.Error(t, err)
+	})
+}
+
+func TestHandleSetupKeyAddedPeer(t *testing.T) {
+	manager, _, err := createManager(t)
+	require.NoError(t, err)
+
+	account := newAccountWithId(context.Background(), "test-account", "owner", "", "", "", false)
+	err = manager.Store.SaveAccount(context.Background(), account)
+	require.NoError(t, err)
+
+	// Create admin user for setup key creation
+	adminUser := types.NewAdminUser("admin-user")
+	adminUser.AccountID = account.Id
+	err = manager.Store.SaveUser(context.Background(), adminUser)
+	require.NoError(t, err)
+
+	t.Run("valid setup key", func(t *testing.T) {
+		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, false, false)
+		require.NoError(t, err)
+
+		upperKey := strings.ToUpper(setupKey.Key)
+		hashedKey := sha256.Sum256([]byte(upperKey))
+		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+		peer := &nbpeer.Peer{ExtraDNSLabels: []string{}}
+
+		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
+		require.NoError(t, err)
+		assert.Equal(t, setupKey.Id, config.SetupKeyID)
+		assert.Equal(t, setupKey.Name, config.SetupKeyName)
+		assert.Equal(t, setupKey.AutoGroups, config.GroupsToAdd)
+		assert.Equal(t, setupKey.Ephemeral, config.Ephemeral)
+		assert.Equal(t, setupKey.Id, opEvent.InitiatorID)
+		assert.Equal(t, activity.PeerAddedWithSetupKey, opEvent.Activity)
+	})
+
+	t.Run("invalid setup key", func(t *testing.T) {
+		invalidKey := "invalid-key"
+		hashedKey := sha256.Sum256([]byte(invalidKey))
+		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+		peer := &nbpeer.Peer{}
+
+		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "setup key is invalid")
+	})
+
+	t.Run("expired setup key", func(t *testing.T) {
+		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "expired-key", types.SetupKeyReusable, time.Millisecond, []string{}, 0, adminUser.Id, false, false)
+		require.NoError(t, err)
+
+		// Wait for key to expire
+		time.Sleep(10 * time.Millisecond)
+
+		upperKey := strings.ToUpper(setupKey.Key)
+		hashedKey := sha256.Sum256([]byte(upperKey))
+		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+		peer := &nbpeer.Peer{}
+
+		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "setup key is invalid")
+	})
+
+	t.Run("extra DNS labels not allowed", func(t *testing.T) {
+		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "no-dns-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, false, false)
+		require.NoError(t, err)
+
+		upperKey := strings.ToUpper(setupKey.Key)
+		hashedKey := sha256.Sum256([]byte(upperKey))
+		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+		peer := &nbpeer.Peer{ExtraDNSLabels: []string{"custom.label"}}
+
+		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "doesn't allow extra DNS labels")
+	})
+
+	t.Run("extra DNS labels allowed", func(t *testing.T) {
+		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "dns-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, false, true)
+		require.NoError(t, err)
+
+		upperKey := strings.ToUpper(setupKey.Key)
+		hashedKey := sha256.Sum256([]byte(upperKey))
+		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
+
+		opEvent := &activity.Event{}
+		config := &peerAddAuthConfig{}
+		peer := &nbpeer.Peer{ExtraDNSLabels: []string{"custom.label"}}
+
+		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
+		require.NoError(t, err)
+		assert.True(t, config.AllowExtraDNSLabels)
+	})
+}
+
+func TestProcessPeerAddAuth(t *testing.T) {
+	manager, _, err := createManager(t)
+	require.NoError(t, err)
+
+	account := newAccountWithId(context.Background(), "test-account", "owner", "", "", "", false)
+	err = manager.Store.SaveAccount(context.Background(), account)
+	require.NoError(t, err)
+
+	adminUser := types.NewAdminUser("admin")
+	adminUser.AccountID = account.Id
+	err = manager.Store.SaveUser(context.Background(), adminUser)
+	require.NoError(t, err)
+
+	t.Run("user authentication flow", func(t *testing.T) {
+		regularUser := types.NewRegularUser("user-auth-test", "", "")
+		regularUser.AccountID = account.Id
+		regularUser.AutoGroups = []string{"group1"}
+		err = manager.Store.SaveUser(context.Background(), regularUser)
+		require.NoError(t, err)
+
+		opEvent := &activity.Event{Timestamp: time.Now()}
+		peer := &nbpeer.Peer{Ephemeral: false}
+
+		config, err := manager.processPeerAddAuth(context.Background(), account.Id, regularUser.Id, "", peer, false, true, false, opEvent)
+		require.NoError(t, err)
+		assert.Equal(t, account.Id, config.AccountID)
+		assert.False(t, config.Ephemeral)
+		assert.Equal(t, regularUser.AutoGroups, config.GroupsToAdd)
+		assert.Equal(t, account.Id, opEvent.AccountID)
+	})
+
+	t.Run("setup key authentication flow", func(t *testing.T) {
+		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "auth-test-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, true, false)
+		require.NoError(t, err)
+
+		upperKey := strings.ToUpper(setupKey.Key)
+		hashedKey := sha256.Sum256([]byte(upperKey))
+		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
+
+		opEvent := &activity.Event{Timestamp: time.Now()}
+		peer := &nbpeer.Peer{Ephemeral: false}
+
+		config, err := manager.processPeerAddAuth(context.Background(), account.Id, "", encodedHashedKey, peer, false, false, true, opEvent)
+		require.NoError(t, err)
+		assert.Equal(t, account.Id, config.AccountID)
+		assert.True(t, config.Ephemeral) // setupKey.Ephemeral is true
+		assert.Equal(t, setupKey.AutoGroups, config.GroupsToAdd)
+		assert.Equal(t, account.Id, opEvent.AccountID)
+	})
+
+	t.Run("temporary flag overrides ephemeral", func(t *testing.T) {
+		regularUser := types.NewRegularUser("temp-user", "", "")
+		regularUser.AccountID = account.Id
+		err = manager.Store.SaveUser(context.Background(), regularUser)
+		require.NoError(t, err)
+
+		opEvent := &activity.Event{Timestamp: time.Now()}
+		peer := &nbpeer.Peer{Ephemeral: false}
+
+		config, err := manager.processPeerAddAuth(context.Background(), account.Id, regularUser.Id, "", peer, true, true, false, opEvent)
+		require.Error(t, err) // Will fail permission check but that's expected
+		_ = config            // avoid unused warning
+	})
+
+	t.Run("proxy embedded peer (no auth)", func(t *testing.T) {
+		opEvent := &activity.Event{Timestamp: time.Now()}
+		peer := &nbpeer.Peer{
+			Ephemeral: false,
+			ProxyMeta: nbpeer.ProxyMeta{Embedded: true},
+		}
+
+		config, err := manager.processPeerAddAuth(context.Background(), account.Id, "", "", peer, false, false, false, opEvent)
+		require.NoError(t, err)
+		assert.Equal(t, account.Id, config.AccountID)
+		assert.False(t, config.Ephemeral)
+		assert.Empty(t, config.GroupsToAdd)
+	})
+}
--- a/management/server/permissions/modules/module.go
+++ b/management/server/permissions/modules/module.go
@@ -3,37 +3,39 @@ package modules
 type Module string

 const (
-	Networks    Module = "networks"
-	Peers       Module = "peers"
-	RemoteJobs  Module = "remote_jobs"
-	Groups      Module = "groups"
-	Settings    Module = "settings"
-	Accounts    Module = "accounts"
-	Dns         Module = "dns"
-	Nameservers Module = "nameservers"
-	Events      Module = "events"
-	Policies    Module = "policies"
-	Routes      Module = "routes"
-	Users       Module = "users"
-	SetupKeys   Module = "setup_keys"
-	Pats        Module = "pats"
+	Networks          Module = "networks"
+	Peers             Module = "peers"
+	RemoteJobs        Module = "remote_jobs"
+	Groups            Module = "groups"
+	Settings          Module = "settings"
+	Accounts          Module = "accounts"
+	Dns               Module = "dns"
+	Nameservers       Module = "nameservers"
+	Events            Module = "events"
+	Policies          Module = "policies"
+	Routes            Module = "routes"
+	Users             Module = "users"
+	SetupKeys         Module = "setup_keys"
+	Pats              Module = "pats"
 	IdentityProviders Module = "identity_providers"
+	Services          Module = "services"
 )

 var All = map[Module]struct{}{
-	Networks:    {},
-	Peers:       {},
-	RemoteJobs:  {},
-	Groups:      {},
-	Settings:    {},
-	Accounts:    {},
-	Dns:         {},
-	Nameservers: {},
-	Events:      {},
-	Policies:    {},
-	Routes:      {},
-	Users:       {},
-	SetupKeys:   {},
-	Pats:        {},
+	Networks:          {},
+	Peers:             {},
+	RemoteJobs:        {},
+	Groups:            {},
+	Settings:          {},
+	Accounts:          {},
+	Dns:               {},
+	Nameservers:       {},
+	Events:            {},
+	Policies:          {},
+	Routes:            {},
+	Users:             {},
+	SetupKeys:         {},
+	Pats:              {},
 	IdentityProviders: {},
+	Services:          {},
 }
--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -18,6 +18,7 @@ import (

 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 	"gorm.io/driver/mysql"
 	"gorm.io/driver/postgres"
@@ -27,6 +28,9 @@ import (
 	"gorm.io/gorm/logger"

 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -122,11 +126,13 @@ func NewSqlStore(ctx context.Context, db *gorm.DB, storeEngine types.Engine, met
 		return nil, fmt.Errorf("migratePreAuto: %w", err)
 	}
 	err = db.AutoMigrate(
-		&types.SetupKey{}, &nbpeer.Peer{}, &types.User{}, &types.PersonalAccessToken{}, &types.Group{}, &types.GroupPeer{},
+		&types.SetupKey{}, &nbpeer.Peer{}, &types.User{}, &types.PersonalAccessToken{}, &types.ProxyAccessToken{},
+		&types.Group{}, &types.GroupPeer{},
 		&types.Account{}, &types.Policy{}, &types.PolicyRule{}, &route.Route{}, &nbdns.NameServerGroup{},
 		&installation{}, &types.ExtraSettings{}, &posture.Checks{}, &nbpeer.NetworkAddress{},
 		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{}, &types.AccountOnboarding{},
-		&types.Job{}, &zones.Zone{}, &records.Record{}, &types.UserInviteRecord{},
+		&types.Job{}, &zones.Zone{}, &records.Record{}, &types.UserInviteRecord{}, &reverseproxy.Service{}, &reverseproxy.Target{}, &domain.Domain{},
+		&accesslogs.AccessLogEntry{},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("auto migratePreAuto: %w", err)
@@ -1094,6 +1100,7 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		Preload("NetworkRouters").
 		Preload("NetworkResources").
 		Preload("Onboarding").
+		Preload("Services.Targets").
 		Take(&account, idQueryCondition, accountID)
 	if result.Error != nil {
 		log.WithContext(ctx).Errorf("error when getting account %s from the store: %s", accountID, result.Error)
@@ -1271,6 +1278,17 @@ func (s *SqlStore) getAccountPgx(ctx context.Context, accountID string) (*types.
 		account.PostureChecks = checks
 	}()

+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		services, err := s.getServices(ctx, accountID)
+		if err != nil {
+			errChan <- err
+			return
+		}
+		account.Services = services
+	}()
+
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
@@ -1672,7 +1690,7 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 	meta_kernel_version, meta_network_addresses, meta_system_serial_number, meta_system_product_name, meta_system_manufacturer,
 	meta_environment, meta_flags, meta_files, peer_status_last_seen, peer_status_connected, peer_status_login_expired, 
 	peer_status_requires_approval, location_connection_ip, location_country_code, location_city_name, 
-	location_geo_name_id FROM peers WHERE account_id = $1`
+	location_geo_name_id, proxy_meta_embedded, proxy_meta_cluster FROM peers WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -1685,12 +1703,12 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			lastLogin, createdAt                                                                            sql.NullTime
 			sshEnabled, loginExpirationEnabled, inactivityExpirationEnabled, ephemeral, allowExtraDNSLabels sql.NullBool
 			peerStatusLastSeen                                                                              sql.NullTime
-			peerStatusConnected, peerStatusLoginExpired, peerStatusRequiresApproval                         sql.NullBool
+			peerStatusConnected, peerStatusLoginExpired, peerStatusRequiresApproval, proxyEmbedded          sql.NullBool
 			ip, extraDNS, netAddr, env, flags, files, connIP                                                []byte
 			metaHostname, metaGoOS, metaKernel, metaCore, metaPlatform                                      sql.NullString
 			metaOS, metaOSVersion, metaWtVersion, metaUIVersion, metaKernelVersion                          sql.NullString
 			metaSystemSerialNumber, metaSystemProductName, metaSystemManufacturer                           sql.NullString
-			locationCountryCode, locationCityName                                                           sql.NullString
+			locationCountryCode, locationCityName, proxyCluster                                             sql.NullString
 			locationGeoNameID                                                                               sql.NullInt64
 		)

@@ -1700,7 +1718,7 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			&metaOS, &metaOSVersion, &metaWtVersion, &metaUIVersion, &metaKernelVersion, &netAddr,
 			&metaSystemSerialNumber, &metaSystemProductName, &metaSystemManufacturer, &env, &flags, &files,
 			&peerStatusLastSeen, &peerStatusConnected, &peerStatusLoginExpired, &peerStatusRequiresApproval, &connIP,
-			&locationCountryCode, &locationCityName, &locationGeoNameID)
+			&locationCountryCode, &locationCityName, &locationGeoNameID, &proxyEmbedded, &proxyCluster)

 		if err == nil {
 			if lastLogin.Valid {
@@ -1784,6 +1802,12 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			if locationGeoNameID.Valid {
 				p.Location.GeoNameID = uint(locationGeoNameID.Int64)
 			}
+			if proxyEmbedded.Valid {
+				p.ProxyMeta.Embedded = proxyEmbedded.Bool
+			}
+			if proxyCluster.Valid {
+				p.ProxyMeta.Cluster = proxyCluster.String
+			}
 			if ip != nil {
 				_ = json.Unmarshal(ip, &p.IP)
 			}
@@ -2039,6 +2063,131 @@ func (s *SqlStore) getPostureChecks(ctx context.Context, accountID string) ([]*p
 	return checks, nil
 }

+func (s *SqlStore) getServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
+	const serviceQuery = `SELECT id, account_id, name, domain, enabled, auth,
+		meta_created_at, meta_certificate_issued_at, meta_status, proxy_cluster,
+		pass_host_header, rewrite_redirects, session_private_key, session_public_key
+		FROM services WHERE account_id = $1`
+
+	const targetsQuery = `SELECT id, account_id, service_id, path, host, port, protocol,
+		target_id, target_type, enabled
+		FROM targets WHERE service_id = ANY($1)`
+
+	serviceRows, err := s.pool.Query(ctx, serviceQuery, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	services, err := pgx.CollectRows(serviceRows, func(row pgx.CollectableRow) (*reverseproxy.Service, error) {
+		var s reverseproxy.Service
+		var auth []byte
+		var createdAt, certIssuedAt sql.NullTime
+		var status, proxyCluster, sessionPrivateKey, sessionPublicKey sql.NullString
+		err := row.Scan(
+			&s.ID,
+			&s.AccountID,
+			&s.Name,
+			&s.Domain,
+			&s.Enabled,
+			&auth,
+			&createdAt,
+			&certIssuedAt,
+			&status,
+			&proxyCluster,
+			&s.PassHostHeader,
+			&s.RewriteRedirects,
+			&sessionPrivateKey,
+			&sessionPublicKey,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		if auth != nil {
+			if err := json.Unmarshal(auth, &s.Auth); err != nil {
+				return nil, err
+			}
+		}
+
+		s.Meta = reverseproxy.ServiceMeta{}
+		if createdAt.Valid {
+			s.Meta.CreatedAt = createdAt.Time
+		}
+		if certIssuedAt.Valid {
+			s.Meta.CertificateIssuedAt = certIssuedAt.Time
+		}
+		if status.Valid {
+			s.Meta.Status = status.String
+		}
+		if proxyCluster.Valid {
+			s.ProxyCluster = proxyCluster.String
+		}
+		if sessionPrivateKey.Valid {
+			s.SessionPrivateKey = sessionPrivateKey.String
+		}
+		if sessionPublicKey.Valid {
+			s.SessionPublicKey = sessionPublicKey.String
+		}
+
+		s.Targets = []*reverseproxy.Target{}
+		return &s, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(services) == 0 {
+		return services, nil
+	}
+
+	serviceIDs := make([]string, len(services))
+	serviceMap := make(map[string]*reverseproxy.Service)
+	for i, s := range services {
+		serviceIDs[i] = s.ID
+		serviceMap[s.ID] = s
+	}
+
+	targetRows, err := s.pool.Query(ctx, targetsQuery, serviceIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	targets, err := pgx.CollectRows(targetRows, func(row pgx.CollectableRow) (*reverseproxy.Target, error) {
+		var t reverseproxy.Target
+		var path sql.NullString
+		err := row.Scan(
+			&t.ID,
+			&t.AccountID,
+			&t.ServiceID,
+			&path,
+			&t.Host,
+			&t.Port,
+			&t.Protocol,
+			&t.TargetId,
+			&t.TargetType,
+			&t.Enabled,
+		)
+		if err != nil {
+			return nil, err
+		}
+		if path.Valid {
+			t.Path = &path.String
+		}
+		return &t, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	for _, target := range targets {
+		if service, ok := serviceMap[target.ServiceID]; ok {
+			service.Targets = append(service.Targets, target)
+		}
+	}
+
+	return services, nil
+}
+
 func (s *SqlStore) getNetworks(ctx context.Context, accountID string) ([]*networkTypes.Network, error) {
 	const query = `SELECT id, account_id, name, description FROM networks WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
@@ -4230,6 +4379,79 @@ func (s *SqlStore) DeletePAT(ctx context.Context, userID, patID string) error {
 	return nil
 }

+// GetProxyAccessTokenByHashedToken retrieves a proxy access token by its hashed value.
+func (s *SqlStore) GetProxyAccessTokenByHashedToken(ctx context.Context, lockStrength LockingStrength, hashedToken types.HashedProxyToken) (*types.ProxyAccessToken, error) {
+	tx := s.db.WithContext(ctx)
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var token types.ProxyAccessToken
+	result := tx.Take(&token, "hashed_token = ?", hashedToken)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "proxy access token not found")
+		}
+		return nil, status.Errorf(status.Internal, "get proxy access token: %v", result.Error)
+	}
+
+	return &token, nil
+}
+
+// GetAllProxyAccessTokens retrieves all proxy access tokens.
+func (s *SqlStore) GetAllProxyAccessTokens(ctx context.Context, lockStrength LockingStrength) ([]*types.ProxyAccessToken, error) {
+	tx := s.db.WithContext(ctx)
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var tokens []*types.ProxyAccessToken
+	result := tx.Find(&tokens)
+	if result.Error != nil {
+		return nil, status.Errorf(status.Internal, "get proxy access tokens: %v", result.Error)
+	}
+
+	return tokens, nil
+}
+
+// SaveProxyAccessToken saves a proxy access token to the database.
+func (s *SqlStore) SaveProxyAccessToken(ctx context.Context, token *types.ProxyAccessToken) error {
+	if result := s.db.WithContext(ctx).Create(token); result.Error != nil {
+		return status.Errorf(status.Internal, "save proxy access token: %v", result.Error)
+	}
+	return nil
+}
+
+// RevokeProxyAccessToken revokes a proxy access token by its ID.
+func (s *SqlStore) RevokeProxyAccessToken(ctx context.Context, tokenID string) error {
+	result := s.db.WithContext(ctx).Model(&types.ProxyAccessToken{}).Where(idQueryCondition, tokenID).Update("revoked", true)
+	if result.Error != nil {
+		return status.Errorf(status.Internal, "revoke proxy access token: %v", result.Error)
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "proxy access token not found")
+	}
+
+	return nil
+}
+
+// MarkProxyAccessTokenUsed updates the last used timestamp for a proxy access token.
+func (s *SqlStore) MarkProxyAccessTokenUsed(ctx context.Context, tokenID string) error {
+	result := s.db.WithContext(ctx).Model(&types.ProxyAccessToken{}).
+		Where(idQueryCondition, tokenID).
+		Update("last_used", time.Now().UTC())
+	if result.Error != nil {
+		return status.Errorf(status.Internal, "mark proxy access token as used: %v", result.Error)
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "proxy access token not found")
+	}
+
+	return nil
+}
+
 func (s *SqlStore) GetPeerByIP(ctx context.Context, lockStrength LockingStrength, accountID string, ip net.IP) (*nbpeer.Peer, error) {
 	tx := s.db
 	if lockStrength != LockingStrengthNone {
@@ -4602,3 +4824,353 @@ func (s *SqlStore) GetPeerIDByKey(ctx context.Context, lockStrength LockingStren

 	return peerID, nil
 }
+
+func (s *SqlStore) CreateService(ctx context.Context, service *reverseproxy.Service) error {
+	serviceCopy := service.Copy()
+	if err := serviceCopy.EncryptSensitiveData(s.fieldEncrypt); err != nil {
+		return fmt.Errorf("encrypt service data: %w", err)
+	}
+	result := s.db.Create(serviceCopy)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to create service to store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to create service to store")
+	}
+
+	return nil
+}
+
+func (s *SqlStore) UpdateService(ctx context.Context, service *reverseproxy.Service) error {
+	serviceCopy := service.Copy()
+	if err := serviceCopy.EncryptSensitiveData(s.fieldEncrypt); err != nil {
+		return fmt.Errorf("encrypt service data: %w", err)
+	}
+
+	// Use a transaction to ensure atomic updates of the service and its targets
+	err := s.db.Transaction(func(tx *gorm.DB) error {
+		// Delete existing targets
+		if err := tx.Where("service_id = ?", serviceCopy.ID).Delete(&reverseproxy.Target{}).Error; err != nil {
+			return err
+		}
+
+		// Update the service and create new targets
+		if err := tx.Session(&gorm.Session{FullSaveAssociations: true}).Save(serviceCopy).Error; err != nil {
+			return err
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to update service to store: %v", err)
+		return status.Errorf(status.Internal, "failed to update service to store")
+	}
+
+	return nil
+}
+
+func (s *SqlStore) DeleteService(ctx context.Context, accountID, serviceID string) error {
+	result := s.db.Delete(&reverseproxy.Service{}, accountAndIDQueryCondition, accountID, serviceID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to delete service from store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to delete service from store")
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "service %s not found", serviceID)
+	}
+
+	return nil
+}
+
+func (s *SqlStore) GetServiceByID(ctx context.Context, lockStrength LockingStrength, accountID, serviceID string) (*reverseproxy.Service, error) {
+	tx := s.db.Preload("Targets")
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var service *reverseproxy.Service
+	result := tx.Take(&service, accountAndIDQueryCondition, accountID, serviceID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "service %s not found", serviceID)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get service from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get service from store")
+	}
+
+	if err := service.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+		return nil, fmt.Errorf("decrypt service data: %w", err)
+	}
+
+	return service, nil
+}
+
+func (s *SqlStore) GetServiceByDomain(ctx context.Context, accountID, domain string) (*reverseproxy.Service, error) {
+	var service *reverseproxy.Service
+	result := s.db.Preload("Targets").Where("account_id = ? AND domain = ?", accountID, domain).First(&service)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "service with domain %s not found", domain)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get service by domain from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get service by domain from store")
+	}
+
+	if err := service.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+		return nil, fmt.Errorf("decrypt service data: %w", err)
+	}
+
+	return service, nil
+}
+
+func (s *SqlStore) GetServices(ctx context.Context, lockStrength LockingStrength) ([]*reverseproxy.Service, error) {
+	tx := s.db.Preload("Targets")
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var serviceList []*reverseproxy.Service
+	result := tx.Find(&serviceList)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get services from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get services from store")
+	}
+
+	for _, service := range serviceList {
+		if err := service.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+			return nil, fmt.Errorf("decrypt service data: %w", err)
+		}
+	}
+
+	return serviceList, nil
+}
+
+func (s *SqlStore) GetAccountServices(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*reverseproxy.Service, error) {
+	tx := s.db.Preload("Targets")
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var serviceList []*reverseproxy.Service
+	result := tx.Find(&serviceList, accountIDCondition, accountID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get services from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get services from store")
+	}
+
+	for _, service := range serviceList {
+		if err := service.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+			return nil, fmt.Errorf("decrypt service data: %w", err)
+		}
+	}
+
+	return serviceList, nil
+}
+
+func (s *SqlStore) GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error) {
+	tx := s.db
+
+	customDomain := &domain.Domain{}
+	result := tx.Take(&customDomain, accountAndIDQueryCondition, accountID, domainID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "custom domain %s not found", domainID)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get custom domain from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get custom domain from store")
+	}
+
+	return customDomain, nil
+}
+
+func (s *SqlStore) ListFreeDomains(ctx context.Context, accountID string) ([]string, error) {
+	return nil, nil
+}
+
+func (s *SqlStore) ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error) {
+	tx := s.db
+
+	var domains []*domain.Domain
+	result := tx.Find(&domains, accountIDCondition, accountID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get reverse proxy custom domains from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy custom domains from store")
+	}
+
+	return domains, nil
+}
+
+func (s *SqlStore) CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error) {
+	newDomain := &domain.Domain{
+		ID:            xid.New().String(), // Generate our own ID because gorm doesn't always configure the database to handle this for us.
+		Domain:        domainName,
+		AccountID:     accountID,
+		TargetCluster: targetCluster,
+		Type:          domain.TypeCustom,
+		Validated:     validated,
+	}
+	result := s.db.Create(newDomain)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to create reverse proxy custom domain to store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to create reverse proxy custom domain to store")
+	}
+
+	return newDomain, nil
+}
+
+func (s *SqlStore) UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error) {
+	d.AccountID = accountID
+	result := s.db.Select("*").Save(d)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to update reverse proxy custom domain to store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to update reverse proxy custom domain to store")
+	}
+
+	return d, nil
+}
+
+func (s *SqlStore) DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error {
+	result := s.db.Delete(domain.Domain{}, accountAndIDQueryCondition, accountID, domainID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to delete reverse proxy custom domain from store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to delete reverse proxy custom domain from store")
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "reverse proxy custom domain %s not found", domainID)
+	}
+
+	return nil
+}
+
+// CreateAccessLog creates a new access log entry in the database
+func (s *SqlStore) CreateAccessLog(ctx context.Context, logEntry *accesslogs.AccessLogEntry) error {
+	result := s.db.Create(logEntry)
+	if result.Error != nil {
+		log.WithContext(ctx).WithFields(log.Fields{
+			"service_id": logEntry.ServiceID,
+			"method":     logEntry.Method,
+			"host":       logEntry.Host,
+			"path":       logEntry.Path,
+		}).Errorf("failed to create access log entry in store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to create access log entry in store")
+	}
+	return nil
+}
+
+// GetAccountAccessLogs retrieves access logs for a given account with pagination and filtering
+func (s *SqlStore) GetAccountAccessLogs(ctx context.Context, lockStrength LockingStrength, accountID string, filter accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	var logs []*accesslogs.AccessLogEntry
+	var totalCount int64
+
+	baseQuery := s.db.WithContext(ctx).
+		Model(&accesslogs.AccessLogEntry{}).
+		Where(accountIDCondition, accountID)
+
+	baseQuery = s.applyAccessLogFilters(baseQuery, filter)
+
+	if err := baseQuery.Count(&totalCount).Error; err != nil {
+		log.WithContext(ctx).Errorf("failed to count access logs: %v", err)
+		return nil, 0, status.Errorf(status.Internal, "failed to count access logs")
+	}
+
+	query := s.db.WithContext(ctx).
+		Where(accountIDCondition, accountID)
+
+	query = s.applyAccessLogFilters(query, filter)
+
+	query = query.
+		Order("timestamp DESC").
+		Limit(filter.GetLimit()).
+		Offset(filter.GetOffset())
+
+	if lockStrength != LockingStrengthNone {
+		query = query.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	result := query.Find(&logs)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get access logs from store: %v", result.Error)
+		return nil, 0, status.Errorf(status.Internal, "failed to get access logs from store")
+	}
+
+	return logs, totalCount, nil
+}
+
+// applyAccessLogFilters applies filter conditions to the query
+func (s *SqlStore) applyAccessLogFilters(query *gorm.DB, filter accesslogs.AccessLogFilter) *gorm.DB {
+	if filter.Search != nil {
+		searchPattern := "%" + *filter.Search + "%"
+		query = query.Where(
+			"id LIKE ? OR location_connection_ip LIKE ? OR host LIKE ? OR path LIKE ? OR CONCAT(host, path) LIKE ? OR user_id IN (SELECT id FROM users WHERE email LIKE ? OR name LIKE ?)",
+			searchPattern, searchPattern, searchPattern, searchPattern, searchPattern, searchPattern, searchPattern,
+		)
+	}
+
+	if filter.SourceIP != nil {
+		query = query.Where("location_connection_ip = ?", *filter.SourceIP)
+	}
+
+	if filter.Host != nil {
+		query = query.Where("host = ?", *filter.Host)
+	}
+
+	if filter.Path != nil {
+		// Support LIKE pattern for path filtering
+		query = query.Where("path LIKE ?", "%"+*filter.Path+"%")
+	}
+
+	if filter.UserID != nil {
+		query = query.Where("user_id = ?", *filter.UserID)
+	}
+
+	if filter.Method != nil {
+		query = query.Where("method = ?", *filter.Method)
+	}
+
+	if filter.Status != nil {
+		switch *filter.Status {
+		case "success":
+			query = query.Where("status_code >= ? AND status_code < ?", 200, 400)
+		case "failed":
+			query = query.Where("status_code < ? OR status_code >= ?", 200, 400)
+		}
+	}
+
+	if filter.StatusCode != nil {
+		query = query.Where("status_code = ?", *filter.StatusCode)
+	}
+
+	if filter.StartDate != nil {
+		query = query.Where("timestamp >= ?", *filter.StartDate)
+	}
+
+	if filter.EndDate != nil {
+		query = query.Where("timestamp <= ?", *filter.EndDate)
+	}
+
+	return query
+}
+
+func (s *SqlStore) GetServiceTargetByTargetID(ctx context.Context, lockStrength LockingStrength, accountID string, targetID string) (*reverseproxy.Target, error) {
+	tx := s.db
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var target *reverseproxy.Target
+	result := tx.Take(&target, "account_id = ? AND target_id = ?", accountID, targetID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "service target with ID %s not found", targetID)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get service target from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get service target from store")
+	}
+
+	return target, nil
+}
--- a/management/server/store/sqlstore_bench_test.go
+++ b/management/server/store/sqlstore_bench_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"

 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
@@ -263,7 +264,7 @@ func setupBenchmarkDB(b testing.TB) (*SqlStore, func(), string) {
 		&types.Policy{}, &types.PolicyRule{}, &route.Route{},
 		&nbdns.NameServerGroup{}, &posture.Checks{}, &networkTypes.Network{},
 		&routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{},
-		&types.AccountOnboarding{},
+		&types.AccountOnboarding{}, &reverseproxy.Service{}, &reverseproxy.Target{},
 	}

 	for i := len(models) - 1; i >= 0; i-- {
--- a/management/server/store/store.go
+++ b/management/server/store/store.go
@@ -1,5 +1,7 @@
 package store

+//go:generate go run github.com/golang/mock/mockgen -package store -destination=store_mock.go -source=./store.go -build_flags=-mod=mod
+
 import (
 	"context"
 	"errors"
@@ -23,6 +25,9 @@ import (
 	"gorm.io/gorm"

 	"github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -106,6 +111,12 @@ type Store interface {
 	SavePAT(ctx context.Context, pat *types.PersonalAccessToken) error
 	DeletePAT(ctx context.Context, userID, patID string) error

+	GetProxyAccessTokenByHashedToken(ctx context.Context, lockStrength LockingStrength, hashedToken types.HashedProxyToken) (*types.ProxyAccessToken, error)
+	GetAllProxyAccessTokens(ctx context.Context, lockStrength LockingStrength) ([]*types.ProxyAccessToken, error)
+	SaveProxyAccessToken(ctx context.Context, token *types.ProxyAccessToken) error
+	RevokeProxyAccessToken(ctx context.Context, tokenID string) error
+	MarkProxyAccessTokenUsed(ctx context.Context, tokenID string) error
+
 	GetAccountGroups(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*types.Group, error)
 	GetResourceGroups(ctx context.Context, lockStrength LockingStrength, accountID, resourceID string) ([]*types.Group, error)
 	GetGroupByID(ctx context.Context, lockStrength LockingStrength, accountID, groupID string) (*types.Group, error)
@@ -240,6 +251,25 @@ type Store interface {
 	MarkPendingJobsAsFailed(ctx context.Context, accountID, peerID, jobID, reason string) error
 	MarkAllPendingJobsAsFailed(ctx context.Context, accountID, peerID, reason string) error
 	GetPeerIDByKey(ctx context.Context, lockStrength LockingStrength, key string) (string, error)
+
+	CreateService(ctx context.Context, service *reverseproxy.Service) error
+	UpdateService(ctx context.Context, service *reverseproxy.Service) error
+	DeleteService(ctx context.Context, accountID, serviceID string) error
+	GetServiceByID(ctx context.Context, lockStrength LockingStrength, accountID, serviceID string) (*reverseproxy.Service, error)
+	GetServiceByDomain(ctx context.Context, accountID, domain string) (*reverseproxy.Service, error)
+	GetServices(ctx context.Context, lockStrength LockingStrength) ([]*reverseproxy.Service, error)
+	GetAccountServices(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*reverseproxy.Service, error)
+
+	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error)
+	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
+	ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error)
+	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error)
+	UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error)
+	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
+
+	CreateAccessLog(ctx context.Context, log *accesslogs.AccessLogEntry) error
+	GetAccountAccessLogs(ctx context.Context, lockStrength LockingStrength, accountID string, filter accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error)
+	GetServiceTargetByTargetID(ctx context.Context, lockStrength LockingStrength, accountID string, targetID string) (*reverseproxy.Target, error)
 }

 const (
--- a/management/server/store/store_mock.go
+++ b/management/server/store/store_mock.go
--- a/management/server/testdata/auth_callback.sql
+++ b/management/server/testdata/auth_callback.sql
@@ -0,0 +1,17 @@
+-- Schema definitions (must match GORM auto-migrate order)
+CREATE TABLE `accounts` (`id` text,`created_by` text,`created_at` datetime,`domain` text,`domain_category` text,`is_domain_primary_account` numeric,`network_identifier` text,`network_net` text,`network_dns` text,`network_serial` integer,`dns_settings_disabled_management_groups` text,`settings_peer_login_expiration_enabled` numeric,`settings_peer_login_expiration` integer,`settings_regular_users_view_blocked` numeric,`settings_groups_propagation_enabled` numeric,`settings_jwt_groups_enabled` numeric,`settings_jwt_groups_claim_name` text,`settings_jwt_allow_groups` text,`settings_extra_peer_approval_enabled` numeric,`settings_extra_integrated_validator_groups` text,PRIMARY KEY (`id`));
+CREATE TABLE `groups` (`id` text,`account_id` text,`name` text,`issued` text,`peers` text,`integration_ref_id` integer,`integration_ref_integration_type` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_groups_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
+CREATE TABLE `users` (`id` text,`account_id` text,`role` text,`is_service_user` numeric,`non_deletable` numeric,`service_user_name` text,`auto_groups` text,`blocked` numeric,`last_login` datetime DEFAULT NULL,`created_at` datetime,`issued` text DEFAULT "api",`integration_ref_id` integer,`integration_ref_integration_type` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_users_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
+
+-- Test accounts
+INSERT INTO accounts VALUES('testAccountId','','2024-10-02 16:01:38.000000000+00:00','test.com','private',1,'testNetworkIdentifier','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
+INSERT INTO accounts VALUES('otherAccountId','','2024-10-02 16:01:38.000000000+00:00','other.com','private',1,'otherNetworkIdentifier','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
+
+-- Test groups
+INSERT INTO "groups" VALUES('allowedGroupId','testAccountId','Allowed Group','api','[]',0,'');
+INSERT INTO "groups" VALUES('restrictedGroupId','testAccountId','Restricted Group','api','[]',0,'');
+
+-- Test users
+INSERT INTO users VALUES('allowedUserId','testAccountId','user',0,0,'','["allowedGroupId"]',0,NULL,'2024-10-02 16:01:38.000000000+00:00','api',0,'');
+INSERT INTO users VALUES('nonGroupUserId','testAccountId','user',0,0,'','[]',0,NULL,'2024-10-02 16:01:38.000000000+00:00','api',0,'');
+INSERT INTO users VALUES('otherAccountUserId','otherAccountId','user',0,0,'','["allowedGroupId"]',0,NULL,'2024-10-02 16:01:38.000000000+00:00','api',0,'');
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -18,6 +18,7 @@ import (

 	"github.com/netbirdio/netbird/client/ssh/auth"
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -99,6 +100,7 @@ type Account struct {
 	NameServerGroupsG      []nbdns.NameServerGroup           `json:"-" gorm:"foreignKey:AccountID;references:id"`
 	DNSSettings            DNSSettings                       `gorm:"embedded;embeddedPrefix:dns_settings_"`
 	PostureChecks          []*posture.Checks                 `gorm:"foreignKey:AccountID;references:id"`
+	Services               []*reverseproxy.Service           `gorm:"foreignKey:AccountID;references:id"`
 	// Settings is a dictionary of Account settings
 	Settings         *Settings                        `gorm:"embedded;embeddedPrefix:settings_"`
 	Networks         []*networkTypes.Network          `gorm:"foreignKey:AccountID;references:id"`
@@ -108,6 +110,8 @@ type Account struct {

 	NetworkMapCache *NetworkMapBuilder `gorm:"-"`
 	nmapInitOnce    *sync.Once         `gorm:"-"`
+
+	ReverseProxyFreeDomainNonce string
 }

 func (a *Account) InitOnce() {
@@ -902,6 +906,11 @@ func (a *Account) Copy() *Account {
 		networkResources = append(networkResources, resource.Copy())
 	}

+	services := []*reverseproxy.Service{}
+	for _, service := range a.Services {
+		services = append(services, service.Copy())
+	}
+
 	return &Account{
 		Id:                     a.Id,
 		CreatedBy:              a.CreatedBy,
@@ -923,6 +932,7 @@ func (a *Account) Copy() *Account {
 		Networks:               nets,
 		NetworkRouters:         networkRouters,
 		NetworkResources:       networkResources,
+		Services:               services,
 		Onboarding:             a.Onboarding,
 		NetworkMapCache:        a.NetworkMapCache,
 		nmapInitOnce:           a.nmapInitOnce,
@@ -1213,7 +1223,7 @@ func (a *Account) getAllPeersFromGroups(ctx context.Context, groups []string, pe
 	filteredPeers := make([]*nbpeer.Peer, 0, len(uniquePeerIDs))
 	for _, p := range uniquePeerIDs {
 		peer, ok := a.Peers[p]
-		if !ok || peer == nil {
+		if !ok || peer == nil || peer.ProxyMeta.Embedded {
 			continue
 		}

@@ -1776,6 +1786,110 @@ func (a *Account) GetActiveGroupUsers() map[string][]string {
 	return groups
 }

+func (a *Account) GetProxyPeers() map[string][]*nbpeer.Peer {
+	proxyPeers := make(map[string][]*nbpeer.Peer)
+	for _, peer := range a.Peers {
+		if peer.ProxyMeta.Embedded {
+			proxyPeers[peer.ProxyMeta.Cluster] = append(proxyPeers[peer.ProxyMeta.Cluster], peer)
+		}
+	}
+	return proxyPeers
+}
+
+func (a *Account) InjectProxyPolicies(ctx context.Context) {
+	if len(a.Services) == 0 {
+		return
+	}
+
+	proxyPeersByCluster := a.GetProxyPeers()
+	if len(proxyPeersByCluster) == 0 {
+		return
+	}
+
+	for _, service := range a.Services {
+		if !service.Enabled {
+			continue
+		}
+		a.injectServiceProxyPolicies(ctx, service, proxyPeersByCluster)
+	}
+}
+
+func (a *Account) injectServiceProxyPolicies(ctx context.Context, service *reverseproxy.Service, proxyPeersByCluster map[string][]*nbpeer.Peer) {
+	for _, target := range service.Targets {
+		if !target.Enabled {
+			continue
+		}
+		a.injectTargetProxyPolicies(ctx, service, target, proxyPeersByCluster[service.ProxyCluster])
+	}
+}
+
+func (a *Account) injectTargetProxyPolicies(ctx context.Context, service *reverseproxy.Service, target *reverseproxy.Target, proxyPeers []*nbpeer.Peer) {
+	port, ok := a.resolveTargetPort(ctx, target)
+	if !ok {
+		return
+	}
+
+	path := ""
+	if target.Path != nil {
+		path = *target.Path
+	}
+
+	for _, proxyPeer := range proxyPeers {
+		policy := a.createProxyPolicy(service, target, proxyPeer, port, path)
+		a.Policies = append(a.Policies, policy)
+	}
+}
+
+func (a *Account) resolveTargetPort(ctx context.Context, target *reverseproxy.Target) (int, bool) {
+	if target.Port != 0 {
+		return target.Port, true
+	}
+
+	switch target.Protocol {
+	case "https":
+		return 443, true
+	case "http":
+		return 80, true
+	default:
+		log.WithContext(ctx).Warnf("unsupported protocol %s for proxy target %s, skipping policy injection", target.Protocol, target.TargetId)
+		return 0, false
+	}
+}
+
+func (a *Account) createProxyPolicy(service *reverseproxy.Service, target *reverseproxy.Target, proxyPeer *nbpeer.Peer, port int, path string) *Policy {
+	policyID := fmt.Sprintf("proxy-access-%s-%s-%s", service.ID, proxyPeer.ID, path)
+	return &Policy{
+		ID:      policyID,
+		Name:    fmt.Sprintf("Proxy Access to %s", service.Name),
+		Enabled: true,
+		Rules: []*PolicyRule{
+			{
+				ID:       policyID,
+				PolicyID: policyID,
+				Name:     fmt.Sprintf("Allow access to %s", service.Name),
+				Enabled:  true,
+				SourceResource: Resource{
+					ID:   proxyPeer.ID,
+					Type: ResourceTypePeer,
+				},
+				DestinationResource: Resource{
+					ID:   target.TargetId,
+					Type: ResourceType(target.TargetType),
+				},
+				Bidirectional: false,
+				Protocol:      PolicyRuleProtocolTCP,
+				Action:        PolicyTrafficActionAccept,
+				PortRanges: []RulePortRange{
+					{
+						Start: uint16(port),
+						End:   uint16(port),
+					},
+				},
+			},
+		},
+	}
+}
+
 // expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
 func expandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
 	features := peerSupportedFirewallFeatures(peer.Meta.WtVersion)
--- a/management/server/types/networkmap_golden_test.go
+++ b/management/server/types/networkmap_golden_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
@@ -70,7 +71,7 @@ func TestGetPeerNetworkMap_Golden(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()

-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -115,7 +116,7 @@ func BenchmarkGetPeerNetworkMap(b *testing.B) {
 	b.Run("old builder", func(b *testing.B) {
 		for range b.N {
 			for _, peerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
@@ -177,7 +178,7 @@ func TestGetPeerNetworkMap_Golden_WithNewPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()

-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -240,7 +241,7 @@ func BenchmarkGetPeerNetworkMap_AfterPeerAdded(b *testing.B) {
 	b.Run("old builder after add", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
@@ -317,7 +318,7 @@ func TestGetPeerNetworkMap_Golden_WithNewRoutingPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()

-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -402,7 +403,7 @@ func BenchmarkGetPeerNetworkMap_AfterRouterPeerAdded(b *testing.B) {
 	b.Run("old builder after add", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
@@ -458,7 +459,7 @@ func TestGetPeerNetworkMap_Golden_WithDeletedPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()

-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -537,7 +538,7 @@ func TestGetPeerNetworkMap_Golden_WithDeletedRouterPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()

-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -597,7 +598,7 @@ func BenchmarkGetPeerNetworkMap_AfterPeerDeleted(b *testing.B) {
 	b.Run("old builder after delete", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
--- a/management/server/types/proxy.go
+++ b/management/server/types/proxy.go
@@ -0,0 +1,7 @@
+package types
+
+// ProxyCallbackEndpoint holds the proxy callback endpoint
+const ProxyCallbackEndpoint = "/reverse-proxy/callback"
+
+// ProxyCallbackEndpointFull holds the proxy callback endpoint with api suffix
+const ProxyCallbackEndpointFull = "/api" + ProxyCallbackEndpoint
--- a/management/server/types/proxy_access_token.go
+++ b/management/server/types/proxy_access_token.go
@@ -0,0 +1,137 @@
+package types
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"hash/crc32"
+	"strings"
+	"time"
+
+	b "github.com/hashicorp/go-secure-stdlib/base62"
+	"github.com/rs/xid"
+
+	"github.com/netbirdio/netbird/base62"
+	"github.com/netbirdio/netbird/management/server/util"
+)
+
+const (
+	// ProxyTokenPrefix is the globally used prefix for proxy access tokens
+	ProxyTokenPrefix = "nbx_"
+	// ProxyTokenSecretLength is the number of characters used for the secret
+	ProxyTokenSecretLength = 30
+	// ProxyTokenChecksumLength is the number of characters used for the encoded checksum
+	ProxyTokenChecksumLength = 6
+	// ProxyTokenLength is the total number of characters used for the token
+	ProxyTokenLength = 40
+)
+
+// HashedProxyToken is a SHA-256 hash of a plain proxy token, base64-encoded.
+type HashedProxyToken string
+
+// PlainProxyToken is the raw token string displayed once at creation time.
+type PlainProxyToken string
+
+// ProxyAccessToken holds information about a proxy access token including a hashed version for verification
+type ProxyAccessToken struct {
+	ID          string `gorm:"primaryKey"`
+	Name        string
+	HashedToken HashedProxyToken `gorm:"type:varchar(255);uniqueIndex"`
+	// AccountID is nil for management-wide tokens, set for account-scoped tokens
+	AccountID *string `gorm:"index"`
+	ExpiresAt *time.Time
+	CreatedBy string
+	CreatedAt time.Time
+	LastUsed  *time.Time
+	Revoked   bool
+}
+
+// IsExpired returns true if the token has expired
+func (t *ProxyAccessToken) IsExpired() bool {
+	if t.ExpiresAt == nil {
+		return false
+	}
+	return time.Now().After(*t.ExpiresAt)
+}
+
+// IsValid returns true if the token is not revoked and not expired
+func (t *ProxyAccessToken) IsValid() bool {
+	return !t.Revoked && !t.IsExpired()
+}
+
+// ProxyAccessTokenGenerated holds the new token and the plain text version
+type ProxyAccessTokenGenerated struct {
+	PlainToken PlainProxyToken
+	ProxyAccessToken
+}
+
+// CreateNewProxyAccessToken generates a new proxy access token.
+// Returns the token with hashed value stored and plain token for one-time display.
+func CreateNewProxyAccessToken(name string, expiresIn time.Duration, accountID *string, createdBy string) (*ProxyAccessTokenGenerated, error) {
+	hashedToken, plainToken, err := generateProxyToken()
+	if err != nil {
+		return nil, err
+	}
+
+	currentTime := time.Now().UTC()
+	var expiresAt *time.Time
+	if expiresIn > 0 {
+		expiresAt = util.ToPtr(currentTime.Add(expiresIn))
+	}
+
+	return &ProxyAccessTokenGenerated{
+		ProxyAccessToken: ProxyAccessToken{
+			ID:          xid.New().String(),
+			Name:        name,
+			HashedToken: hashedToken,
+			AccountID:   accountID,
+			ExpiresAt:   expiresAt,
+			CreatedBy:   createdBy,
+			CreatedAt:   currentTime,
+			Revoked:     false,
+		},
+		PlainToken: plainToken,
+	}, nil
+}
+
+func generateProxyToken() (HashedProxyToken, PlainProxyToken, error) {
+	secret, err := b.Random(ProxyTokenSecretLength)
+	if err != nil {
+		return "", "", err
+	}
+
+	checksum := crc32.ChecksumIEEE([]byte(secret))
+	encodedChecksum := base62.Encode(checksum)
+	paddedChecksum := fmt.Sprintf("%06s", encodedChecksum)
+	plainToken := PlainProxyToken(ProxyTokenPrefix + secret + paddedChecksum)
+	return plainToken.Hash(), plainToken, nil
+}
+
+// Hash returns the SHA-256 hash of the plain token, base64-encoded.
+func (t PlainProxyToken) Hash() HashedProxyToken {
+	h := sha256.Sum256([]byte(t))
+	return HashedProxyToken(base64.StdEncoding.EncodeToString(h[:]))
+}
+
+// Validate checks the format of a proxy token without checking the database.
+func (t PlainProxyToken) Validate() error {
+	if !strings.HasPrefix(string(t), ProxyTokenPrefix) {
+		return fmt.Errorf("invalid token prefix")
+	}
+
+	if len(t) != ProxyTokenLength {
+		return fmt.Errorf("invalid token length")
+	}
+
+	secret := t[len(ProxyTokenPrefix) : len(t)-ProxyTokenChecksumLength]
+	checksumStr := t[len(t)-ProxyTokenChecksumLength:]
+
+	expectedChecksum := crc32.ChecksumIEEE([]byte(secret))
+	expectedChecksumStr := fmt.Sprintf("%06s", base62.Encode(expectedChecksum))
+
+	if string(checksumStr) != expectedChecksumStr {
+		return fmt.Errorf("invalid token checksum")
+	}
+
+	return nil
+}
--- a/management/server/types/proxy_access_token_test.go
+++ b/management/server/types/proxy_access_token_test.go
@@ -0,0 +1,155 @@
+package types
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPlainProxyToken_Validate(t *testing.T) {
+	tests := []struct {
+		name    string
+		token   PlainProxyToken
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name:    "valid token",
+			token:   "", // will be generated
+			wantErr: false,
+		},
+		{
+			name:    "wrong prefix",
+			token:   "xyz_8FbPkxioCFmlvCTJbD1RafygfVmS9z15lyNM",
+			wantErr: true,
+			errMsg:  "invalid token prefix",
+		},
+		{
+			name:    "too short",
+			token:   "nbx_short",
+			wantErr: true,
+			errMsg:  "invalid token length",
+		},
+		{
+			name:    "too long",
+			token:   "nbx_8FbPkxioCFmlvCTJbD1RafygfVmS9z15lyNMextra",
+			wantErr: true,
+			errMsg:  "invalid token length",
+		},
+		{
+			name:    "correct length but invalid checksum",
+			token:   "nbx_invalidtoken123456789012345678901234", // exactly 40 chars, invalid checksum
+			wantErr: true,
+			errMsg:  "invalid token checksum",
+		},
+		{
+			name:    "empty token",
+			token:   "",
+			wantErr: true,
+			errMsg:  "invalid token prefix",
+		},
+		{
+			name:    "only prefix",
+			token:   "nbx_",
+			wantErr: true,
+			errMsg:  "invalid token length",
+		},
+	}
+
+	// Generate a valid token for the first test
+	generated, err := CreateNewProxyAccessToken("test", 0, nil, "test")
+	require.NoError(t, err)
+	tests[0].token = generated.PlainToken
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.token.Validate()
+			if tt.wantErr {
+				assert.Error(t, err)
+				if tt.errMsg != "" {
+					assert.Contains(t, err.Error(), tt.errMsg)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestPlainProxyToken_Hash(t *testing.T) {
+	token1 := PlainProxyToken("nbx_8FbPkxioCFmlvCTJbD1RafygfVmS9z15lyNM")
+	token2 := PlainProxyToken("nbx_8FbPkxioCFmlvCTJbD1RafygfVmS9z15lyNM")
+	token3 := PlainProxyToken("nbx_differenttoken1234567890123456789X")
+
+	hash1 := token1.Hash()
+	hash2 := token2.Hash()
+	hash3 := token3.Hash()
+
+	assert.Equal(t, hash1, hash2, "same token should produce same hash")
+	assert.NotEqual(t, hash1, hash3, "different tokens should produce different hashes")
+	assert.NotEmpty(t, hash1)
+}
+
+func TestCreateNewProxyAccessToken(t *testing.T) {
+	t.Run("creates valid token", func(t *testing.T) {
+		generated, err := CreateNewProxyAccessToken("test-token", 0, nil, "test-user")
+		require.NoError(t, err)
+
+		assert.NotEmpty(t, generated.ID)
+		assert.Equal(t, "test-token", generated.Name)
+		assert.Equal(t, "test-user", generated.CreatedBy)
+		assert.NotEmpty(t, generated.HashedToken)
+		assert.NotEmpty(t, generated.PlainToken)
+		assert.Nil(t, generated.ExpiresAt)
+		assert.False(t, generated.Revoked)
+
+		assert.NoError(t, generated.PlainToken.Validate())
+		assert.Equal(t, ProxyTokenLength, len(generated.PlainToken))
+		assert.Equal(t, ProxyTokenPrefix, string(generated.PlainToken[:len(ProxyTokenPrefix)]))
+	})
+
+	t.Run("tokens are unique", func(t *testing.T) {
+		gen1, err := CreateNewProxyAccessToken("test1", 0, nil, "user")
+		require.NoError(t, err)
+
+		gen2, err := CreateNewProxyAccessToken("test2", 0, nil, "user")
+		require.NoError(t, err)
+
+		assert.NotEqual(t, gen1.PlainToken, gen2.PlainToken)
+		assert.NotEqual(t, gen1.HashedToken, gen2.HashedToken)
+		assert.NotEqual(t, gen1.ID, gen2.ID)
+	})
+}
+
+func TestProxyAccessToken_IsExpired(t *testing.T) {
+	past := time.Now().Add(-1 * time.Hour)
+	future := time.Now().Add(1 * time.Hour)
+
+	t.Run("expired token", func(t *testing.T) {
+		token := &ProxyAccessToken{ExpiresAt: &past}
+		assert.True(t, token.IsExpired())
+	})
+
+	t.Run("not expired token", func(t *testing.T) {
+		token := &ProxyAccessToken{ExpiresAt: &future}
+		assert.False(t, token.IsExpired())
+	})
+
+	t.Run("no expiration", func(t *testing.T) {
+		token := &ProxyAccessToken{ExpiresAt: nil}
+		assert.False(t, token.IsExpired())
+	})
+}
+
+func TestProxyAccessToken_IsValid(t *testing.T) {
+	token := &ProxyAccessToken{
+		Revoked: false,
+	}
+
+	assert.True(t, token.IsValid())
+
+	token.Revoked = true
+	assert.False(t, token.IsValid())
+}
--- a/management/server/util/util.go
+++ b/management/server/util/util.go
@@ -50,4 +50,3 @@ func contains[T comparableObject[T]](slice []T, element T) bool {
 	}
 	return false
 }
-