[management, reverse proxy] Add reverse proxy feature (#5291)

* implement reverse proxy --------- Co-authored-by: Alisdair MacLeod <git@alisdairmacleod.co.uk> Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> Co-authored-by: Eduard Gert <kontakt@eduardgert.de> Co-authored-by: Viktor Liu <viktor@netbird.io> Co-authored-by: Diego Noguês <diego.sure@gmail.com> Co-authored-by: Diego Noguês <49420+diegocn@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-16 07:16:38 +00:00 · 2026-02-13 19:37:43 +01:00
parent edce11b34d
commit f53155562f
225 changed files with 35513 additions and 235 deletions
--- a/proxy/auth/auth.go
+++ b/proxy/auth/auth.go
@@ -0,0 +1,76 @@
+// Package auth contains exported proxy auth values.
+// These are used to ensure coherent usage across management and proxy implementations.
+package auth
+
+import (
+	"crypto/ed25519"
+	"crypto/tls"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type Method string
+
+var (
+	MethodPassword Method = "password"
+	MethodPIN      Method = "pin"
+	MethodOIDC     Method = "oidc"
+)
+
+func (m Method) String() string {
+	return string(m)
+}
+
+const (
+	SessionCookieName    = "nb_session"
+	DefaultSessionExpiry = 24 * time.Hour
+	SessionJWTIssuer     = "netbird-management"
+)
+
+// ResolveProto determines the protocol scheme based on the forwarded proto
+// configuration. When set to "http" or "https" the value is used directly.
+// Otherwise TLS state is used: if conn is non-nil "https" is returned, else "http".
+func ResolveProto(forwardedProto string, conn *tls.ConnectionState) string {
+	switch forwardedProto {
+	case "http", "https":
+		return forwardedProto
+	default:
+		if conn != nil {
+			return "https"
+		}
+		return "http"
+	}
+}
+
+// ValidateSessionJWT validates a session JWT and returns the user ID and method.
+func ValidateSessionJWT(tokenString, domain string, publicKey ed25519.PublicKey) (userID, method string, err error) {
+	if publicKey == nil {
+		return "", "", fmt.Errorf("no public key configured for domain")
+	}
+
+	token, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodEd25519); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return publicKey, nil
+	}, jwt.WithAudience(domain), jwt.WithIssuer(SessionJWTIssuer))
+	if err != nil {
+		return "", "", fmt.Errorf("parse token: %w", err)
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok || !token.Valid {
+		return "", "", fmt.Errorf("invalid token claims")
+	}
+
+	sub, _ := claims.GetSubject()
+	if sub == "" {
+		return "", "", fmt.Errorf("missing subject claim")
+	}
+
+	methodClaim, _ := claims["method"].(string)
+
+	return sub, methodClaim, nil
+}