[management, reverse proxy] Add reverse proxy feature (#5291)

* implement reverse proxy


---------

Co-authored-by: Alisdair MacLeod <git@alisdairmacleod.co.uk>
Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>
Co-authored-by: Eduard Gert <kontakt@eduardgert.de>
Co-authored-by: Viktor Liu <viktor@netbird.io>
Co-authored-by: Diego Noguês <diego.sure@gmail.com>
Co-authored-by: Diego Noguês <49420+diegocn@users.noreply.github.com>
Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>

proxy/internal/debug/client.go

@@ -0,0 +1,388 @@
+// Package debug provides HTTP debug endpoints and CLI client for the proxy server.
+package debug
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// StatusFilters contains filter options for status queries.
+type StatusFilters struct {
+	IPs            []string
+	Names          []string
+	Status         string
+	ConnectionType string
+}
+
+// Client provides CLI access to debug endpoints.
+type Client struct {
+	baseURL    string
+	jsonOutput bool
+	httpClient *http.Client
+	out        io.Writer
+}
+
+// NewClient creates a new debug client.
+func NewClient(baseURL string, jsonOutput bool, out io.Writer) *Client {
+	if !strings.HasPrefix(baseURL, "http://") && !strings.HasPrefix(baseURL, "https://") {
+		baseURL = "http://" + baseURL
+	}
+	baseURL = strings.TrimSuffix(baseURL, "/")
+
+	return &Client{
+		baseURL:    baseURL,
+		jsonOutput: jsonOutput,
+		out:        out,
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+		},
+	}
+}
+
+// Health fetches the health status.
+func (c *Client) Health(ctx context.Context) error {
+	return c.fetchAndPrint(ctx, "/debug/health", c.printHealth)
+}
+
+func (c *Client) printHealth(data map[string]any) {
+	_, _ = fmt.Fprintf(c.out, "Status: %v\n", data["status"])
+	_, _ = fmt.Fprintf(c.out, "Uptime: %v\n", data["uptime"])
+	_, _ = fmt.Fprintf(c.out, "Management Connected: %s\n", boolIcon(data["management_connected"]))
+	_, _ = fmt.Fprintf(c.out, "All Clients Healthy:  %s\n", boolIcon(data["all_clients_healthy"]))
+
+	total, _ := data["certs_total"].(float64)
+	ready, _ := data["certs_ready"].(float64)
+	pending, _ := data["certs_pending"].(float64)
+	failed, _ := data["certs_failed"].(float64)
+	if total > 0 {
+		_, _ = fmt.Fprintf(c.out, "Certificates:         %d ready, %d pending, %d failed (%d total)\n",
+			int(ready), int(pending), int(failed), int(total))
+	}
+	if domains, ok := data["certs_ready_domains"].([]any); ok && len(domains) > 0 {
+		_, _ = fmt.Fprintf(c.out, "  Ready:\n")
+		for _, d := range domains {
+			_, _ = fmt.Fprintf(c.out, "    %v\n", d)
+		}
+	}
+	if domains, ok := data["certs_pending_domains"].([]any); ok && len(domains) > 0 {
+		_, _ = fmt.Fprintf(c.out, "  Pending:\n")
+		for _, d := range domains {
+			_, _ = fmt.Fprintf(c.out, "    %v\n", d)
+		}
+	}
+	if domains, ok := data["certs_failed_domains"].(map[string]any); ok && len(domains) > 0 {
+		_, _ = fmt.Fprintf(c.out, "  Failed:\n")
+		for d, errMsg := range domains {
+			_, _ = fmt.Fprintf(c.out, "    %s: %v\n", d, errMsg)
+		}
+	}
+
+	c.printHealthClients(data)
+}
+
+func (c *Client) printHealthClients(data map[string]any) {
+	clients, ok := data["clients"].(map[string]any)
+	if !ok || len(clients) == 0 {
+		return
+	}
+
+	_, _ = fmt.Fprintf(c.out, "\n%-38s %-9s %-7s %-8s %-8s %-16s %s\n",
+		"ACCOUNT ID", "HEALTHY", "MGMT", "SIGNAL", "RELAYS", "PEERS (P2P/RLY)", "DEGRADED")
+	_, _ = fmt.Fprintln(c.out, strings.Repeat("-", 110))
+
+	for accountID, v := range clients {
+		ch, ok := v.(map[string]any)
+		if !ok {
+			continue
+		}
+
+		healthy := boolIcon(ch["healthy"])
+		mgmt := boolIcon(ch["management_connected"])
+		signal := boolIcon(ch["signal_connected"])
+
+		relaysConn, _ := ch["relays_connected"].(float64)
+		relaysTotal, _ := ch["relays_total"].(float64)
+		relays := fmt.Sprintf("%d/%d", int(relaysConn), int(relaysTotal))
+
+		peersConnected, _ := ch["peers_connected"].(float64)
+		peersTotal, _ := ch["peers_total"].(float64)
+		peersP2P, _ := ch["peers_p2p"].(float64)
+		peersRelayed, _ := ch["peers_relayed"].(float64)
+		peersDegraded, _ := ch["peers_degraded"].(float64)
+		peers := fmt.Sprintf("%d/%d (%d/%d)", int(peersConnected), int(peersTotal), int(peersP2P), int(peersRelayed))
+		degraded := fmt.Sprintf("%d", int(peersDegraded))
+
+		_, _ = fmt.Fprintf(c.out, "%-38s %-9s %-7s %-8s %-8s %-16s %s", accountID, healthy, mgmt, signal, relays, peers, degraded)
+		if errMsg, ok := ch["error"].(string); ok && errMsg != "" {
+			_, _ = fmt.Fprintf(c.out, "  (%s)", errMsg)
+		}
+		_, _ = fmt.Fprintln(c.out)
+	}
+}
+
+func boolIcon(v any) string {
+	b, ok := v.(bool)
+	if !ok {
+		return "?"
+	}
+	if b {
+		return "yes"
+	}
+	return "no"
+}
+
+// ListClients fetches the list of all clients.
+func (c *Client) ListClients(ctx context.Context) error {
+	return c.fetchAndPrint(ctx, "/debug/clients", c.printClients)
+}
+
+func (c *Client) printClients(data map[string]any) {
+	_, _ = fmt.Fprintf(c.out, "Uptime: %v\n", data["uptime"])
+	_, _ = fmt.Fprintf(c.out, "Clients: %v\n\n", data["client_count"])
+
+	clients, ok := data["clients"].([]any)
+	if !ok || len(clients) == 0 {
+		_, _ = fmt.Fprintln(c.out, "No clients connected.")
+		return
+	}
+
+	_, _ = fmt.Fprintf(c.out, "%-38s %-12s %-40s %s\n", "ACCOUNT ID", "AGE", "DOMAINS", "HAS CLIENT")
+	_, _ = fmt.Fprintln(c.out, strings.Repeat("-", 110))
+
+	for _, item := range clients {
+		c.printClientRow(item)
+	}
+}
+
+func (c *Client) printClientRow(item any) {
+	client, ok := item.(map[string]any)
+	if !ok {
+		return
+	}
+
+	domains := c.extractDomains(client)
+	hasClient := "no"
+	if hc, ok := client["has_client"].(bool); ok && hc {
+		hasClient = "yes"
+	}
+
+	_, _ = fmt.Fprintf(c.out, "%-38s %-12v %s %s\n",
+		client["account_id"],
+		client["age"],
+		domains,
+		hasClient,
+	)
+}
+
+func (c *Client) extractDomains(client map[string]any) string {
+	d, ok := client["domains"].([]any)
+	if !ok || len(d) == 0 {
+		return "-"
+	}
+
+	parts := make([]string, len(d))
+	for i, domain := range d {
+		parts[i] = fmt.Sprint(domain)
+	}
+	return strings.Join(parts, ", ")
+}
+
+// ClientStatus fetches the status of a specific client.
+func (c *Client) ClientStatus(ctx context.Context, accountID string, filters StatusFilters) error {
+	params := url.Values{}
+	if len(filters.IPs) > 0 {
+		params.Set("filter-by-ips", strings.Join(filters.IPs, ","))
+	}
+	if len(filters.Names) > 0 {
+		params.Set("filter-by-names", strings.Join(filters.Names, ","))
+	}
+	if filters.Status != "" {
+		params.Set("filter-by-status", filters.Status)
+	}
+	if filters.ConnectionType != "" {
+		params.Set("filter-by-connection-type", filters.ConnectionType)
+	}
+
+	path := "/debug/clients/" + url.PathEscape(accountID)
+	if len(params) > 0 {
+		path += "?" + params.Encode()
+	}
+	return c.fetchAndPrint(ctx, path, c.printClientStatus)
+}
+
+func (c *Client) printClientStatus(data map[string]any) {
+	_, _ = fmt.Fprintf(c.out, "Account: %v\n\n", data["account_id"])
+	if status, ok := data["status"].(string); ok {
+		_, _ = fmt.Fprint(c.out, status)
+	}
+}
+
+// ClientSyncResponse fetches the sync response of a specific client.
+func (c *Client) ClientSyncResponse(ctx context.Context, accountID string) error {
+	path := "/debug/clients/" + url.PathEscape(accountID) + "/syncresponse"
+	return c.fetchAndPrintJSON(ctx, path)
+}
+
+// PingTCP performs a TCP ping through a client.
+func (c *Client) PingTCP(ctx context.Context, accountID, host string, port int, timeout string) error {
+	params := url.Values{}
+	params.Set("host", host)
+	params.Set("port", fmt.Sprintf("%d", port))
+	if timeout != "" {
+		params.Set("timeout", timeout)
+	}
+
+	path := fmt.Sprintf("/debug/clients/%s/pingtcp?%s", url.PathEscape(accountID), params.Encode())
+	return c.fetchAndPrint(ctx, path, c.printPingResult)
+}
+
+func (c *Client) printPingResult(data map[string]any) {
+	success, _ := data["success"].(bool)
+	if success {
+		_, _ = fmt.Fprintf(c.out, "Success: %v:%v\n", data["host"], data["port"])
+		_, _ = fmt.Fprintf(c.out, "Latency: %v\n", data["latency"])
+	} else {
+		_, _ = fmt.Fprintf(c.out, "Failed: %v:%v\n", data["host"], data["port"])
+		c.printError(data)
+	}
+}
+
+// SetLogLevel sets the log level of a specific client.
+func (c *Client) SetLogLevel(ctx context.Context, accountID, level string) error {
+	params := url.Values{}
+	params.Set("level", level)
+
+	path := fmt.Sprintf("/debug/clients/%s/loglevel?%s", url.PathEscape(accountID), params.Encode())
+	return c.fetchAndPrint(ctx, path, c.printLogLevelResult)
+}
+
+func (c *Client) printLogLevelResult(data map[string]any) {
+	success, _ := data["success"].(bool)
+	if success {
+		_, _ = fmt.Fprintf(c.out, "Log level set to: %v\n", data["level"])
+	} else {
+		_, _ = fmt.Fprintln(c.out, "Failed to set log level")
+		c.printError(data)
+	}
+}
+
+// StartClient starts a specific client.
+func (c *Client) StartClient(ctx context.Context, accountID string) error {
+	path := "/debug/clients/" + url.PathEscape(accountID) + "/start"
+	return c.fetchAndPrint(ctx, path, c.printStartResult)
+}
+
+func (c *Client) printStartResult(data map[string]any) {
+	success, _ := data["success"].(bool)
+	if success {
+		_, _ = fmt.Fprintln(c.out, "Client started")
+	} else {
+		_, _ = fmt.Fprintln(c.out, "Failed to start client")
+		c.printError(data)
+	}
+}
+
+// StopClient stops a specific client.
+func (c *Client) StopClient(ctx context.Context, accountID string) error {
+	path := "/debug/clients/" + url.PathEscape(accountID) + "/stop"
+	return c.fetchAndPrint(ctx, path, c.printStopResult)
+}
+
+func (c *Client) printStopResult(data map[string]any) {
+	success, _ := data["success"].(bool)
+	if success {
+		_, _ = fmt.Fprintln(c.out, "Client stopped")
+	} else {
+		_, _ = fmt.Fprintln(c.out, "Failed to stop client")
+		c.printError(data)
+	}
+}
+
+func (c *Client) printError(data map[string]any) {
+	if errMsg, ok := data["error"].(string); ok {
+		_, _ = fmt.Fprintf(c.out, "Error: %s\n", errMsg)
+	}
+}
+
+func (c *Client) fetchAndPrint(ctx context.Context, path string, printer func(map[string]any)) error {
+	data, raw, err := c.fetch(ctx, path)
+	if err != nil {
+		return err
+	}
+
+	if c.jsonOutput {
+		return c.writeJSON(data)
+	}
+
+	if data != nil {
+		printer(data)
+		return nil
+	}
+
+	_, _ = fmt.Fprintln(c.out, string(raw))
+	return nil
+}
+
+func (c *Client) fetchAndPrintJSON(ctx context.Context, path string) error {
+	data, raw, err := c.fetch(ctx, path)
+	if err != nil {
+		return err
+	}
+
+	if data != nil {
+		return c.writeJSON(data)
+	}
+
+	_, _ = fmt.Fprintln(c.out, string(raw))
+	return nil
+}
+
+func (c *Client) writeJSON(data map[string]any) error {
+	enc := json.NewEncoder(c.out)
+	enc.SetIndent("", "  ")
+	return enc.Encode(data)
+}
+
+func (c *Client) fetch(ctx context.Context, path string) (map[string]any, []byte, error) {
+	fullURL := c.baseURL + path
+	if !strings.Contains(path, "format=json") {
+		if strings.Contains(path, "?") {
+			fullURL += "&format=json"
+		} else {
+			fullURL += "?format=json"
+		}
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fullURL, nil)
+	if err != nil {
+		return nil, nil, fmt.Errorf("create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, nil, fmt.Errorf("request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, nil, fmt.Errorf("read response: %w", err)
+	}
+
+	if resp.StatusCode >= 400 {
+		return nil, nil, fmt.Errorf("server error (%d): %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var data map[string]any
+	if err := json.Unmarshal(body, &data); err != nil {
+		return nil, body, nil
+	}
+
+	return data, body, nil
+}

proxy/internal/debug/client_test.go

@@ -0,0 +1,71 @@
+package debug
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPrintHealth_WithCertsAndClients(t *testing.T) {
+	var buf bytes.Buffer
+	c := NewClient("localhost:8444", false, &buf)
+
+	data := map[string]any{
+		"status":                "ok",
+		"uptime":                "1h30m",
+		"management_connected":  true,
+		"all_clients_healthy":   true,
+		"certs_total":           float64(3),
+		"certs_ready":           float64(2),
+		"certs_pending":         float64(1),
+		"certs_failed":          float64(0),
+		"certs_ready_domains":   []any{"a.example.com", "b.example.com"},
+		"certs_pending_domains": []any{"c.example.com"},
+		"clients": map[string]any{
+			"acc-1": map[string]any{
+				"healthy":              true,
+				"management_connected": true,
+				"signal_connected":     true,
+				"relays_connected":     float64(1),
+				"relays_total":         float64(2),
+				"peers_connected":      float64(3),
+				"peers_total":          float64(5),
+				"peers_p2p":            float64(2),
+				"peers_relayed":        float64(1),
+				"peers_degraded":       float64(0),
+			},
+		},
+	}
+
+	c.printHealth(data)
+	out := buf.String()
+
+	assert.Contains(t, out, "Status: ok")
+	assert.Contains(t, out, "Uptime: 1h30m")
+	assert.Contains(t, out, "yes") // management_connected
+	assert.Contains(t, out, "2 ready, 1 pending, 0 failed (3 total)")
+	assert.Contains(t, out, "a.example.com")
+	assert.Contains(t, out, "c.example.com")
+	assert.Contains(t, out, "acc-1")
+}
+
+func TestPrintHealth_Minimal(t *testing.T) {
+	var buf bytes.Buffer
+	c := NewClient("localhost:8444", false, &buf)
+
+	data := map[string]any{
+		"status":               "ok",
+		"uptime":               "5m",
+		"management_connected": false,
+		"all_clients_healthy":  false,
+	}
+
+	c.printHealth(data)
+	out := buf.String()
+
+	assert.Contains(t, out, "Status: ok")
+	assert.Contains(t, out, "Uptime: 5m")
+	assert.NotContains(t, out, "Certificates")
+	assert.NotContains(t, out, "ACCOUNT ID")
+}

proxy/internal/debug/handler.go

@@ -0,0 +1,712 @@
+// Package debug provides HTTP debug endpoints for the proxy server.
+package debug
+
+import (
+	"cmp"
+	"context"
+	"embed"
+	"encoding/json"
+	"fmt"
+	"html/template"
+	"maps"
+	"net/http"
+	"slices"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	nbembed "github.com/netbirdio/netbird/client/embed"
+	nbstatus "github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/proxy/internal/health"
+	"github.com/netbirdio/netbird/proxy/internal/roundtrip"
+	"github.com/netbirdio/netbird/proxy/internal/types"
+	"github.com/netbirdio/netbird/version"
+)
+
+//go:embed templates/*.html
+var templateFS embed.FS
+
+const defaultPingTimeout = 10 * time.Second
+
+// formatDuration formats a duration with 2 decimal places using appropriate units.
+func formatDuration(d time.Duration) string {
+	switch {
+	case d >= time.Hour:
+		return fmt.Sprintf("%.2fh", d.Hours())
+	case d >= time.Minute:
+		return fmt.Sprintf("%.2fm", d.Minutes())
+	case d >= time.Second:
+		return fmt.Sprintf("%.2fs", d.Seconds())
+	case d >= time.Millisecond:
+		return fmt.Sprintf("%.2fms", float64(d.Microseconds())/1000)
+	case d >= time.Microsecond:
+		return fmt.Sprintf("%.2fµs", float64(d.Nanoseconds())/1000)
+	default:
+		return fmt.Sprintf("%dns", d.Nanoseconds())
+	}
+}
+
+func sortedAccountIDs(m map[types.AccountID]roundtrip.ClientDebugInfo) []types.AccountID {
+	return slices.Sorted(maps.Keys(m))
+}
+
+// clientProvider provides access to NetBird clients.
+type clientProvider interface {
+	GetClient(accountID types.AccountID) (*nbembed.Client, bool)
+	ListClientsForDebug() map[types.AccountID]roundtrip.ClientDebugInfo
+}
+
+// healthChecker provides health probe state.
+type healthChecker interface {
+	ReadinessProbe() bool
+	StartupProbe(ctx context.Context) bool
+	CheckClientsConnected(ctx context.Context) (bool, map[types.AccountID]health.ClientHealth)
+}
+
+type certStatus interface {
+	TotalDomains() int
+	PendingDomains() []string
+	ReadyDomains() []string
+	FailedDomains() map[string]string
+}
+
+// Handler provides HTTP debug endpoints.
+type Handler struct {
+	provider   clientProvider
+	health     healthChecker
+	certStatus certStatus
+	logger     *log.Logger
+	startTime  time.Time
+	templates  *template.Template
+	templateMu sync.RWMutex
+}
+
+// NewHandler creates a new debug handler.
+func NewHandler(provider clientProvider, healthChecker healthChecker, logger *log.Logger) *Handler {
+	if logger == nil {
+		logger = log.StandardLogger()
+	}
+	h := &Handler{
+		provider:  provider,
+		health:    healthChecker,
+		logger:    logger,
+		startTime: time.Now(),
+	}
+	if err := h.loadTemplates(); err != nil {
+		logger.Errorf("failed to load embedded templates: %v", err)
+	}
+	return h
+}
+
+// SetCertStatus sets the certificate status provider for ACME prefetch observability.
+func (h *Handler) SetCertStatus(cs certStatus) {
+	h.certStatus = cs
+}
+
+func (h *Handler) loadTemplates() error {
+	tmpl, err := template.ParseFS(templateFS, "templates/*.html")
+	if err != nil {
+		return fmt.Errorf("parse embedded templates: %w", err)
+	}
+
+	h.templateMu.Lock()
+	h.templates = tmpl
+	h.templateMu.Unlock()
+
+	return nil
+}
+
+func (h *Handler) getTemplates() *template.Template {
+	h.templateMu.RLock()
+	defer h.templateMu.RUnlock()
+	return h.templates
+}
+
+// ServeHTTP handles debug requests.
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	path := r.URL.Path
+	wantJSON := r.URL.Query().Get("format") == "json" || strings.HasSuffix(path, "/json")
+	path = strings.TrimSuffix(path, "/json")
+
+	switch path {
+	case "/debug", "/debug/":
+		h.handleIndex(w, r, wantJSON)
+	case "/debug/clients":
+		h.handleListClients(w, r, wantJSON)
+	case "/debug/health":
+		h.handleHealth(w, r, wantJSON)
+	default:
+		if h.handleClientRoutes(w, r, path, wantJSON) {
+			return
+		}
+		http.NotFound(w, r)
+	}
+}
+
+func (h *Handler) handleClientRoutes(w http.ResponseWriter, r *http.Request, path string, wantJSON bool) bool {
+	if !strings.HasPrefix(path, "/debug/clients/") {
+		return false
+	}
+
+	rest := strings.TrimPrefix(path, "/debug/clients/")
+	parts := strings.SplitN(rest, "/", 2)
+	accountID := types.AccountID(parts[0])
+
+	if len(parts) == 1 {
+		h.handleClientStatus(w, r, accountID, wantJSON)
+		return true
+	}
+
+	switch parts[1] {
+	case "syncresponse":
+		h.handleClientSyncResponse(w, r, accountID, wantJSON)
+	case "tools":
+		h.handleClientTools(w, r, accountID)
+	case "pingtcp":
+		h.handlePingTCP(w, r, accountID)
+	case "loglevel":
+		h.handleLogLevel(w, r, accountID)
+	case "start":
+		h.handleClientStart(w, r, accountID)
+	case "stop":
+		h.handleClientStop(w, r, accountID)
+	default:
+		return false
+	}
+	return true
+}
+
+type failedDomain struct {
+	Domain string
+	Error  string
+}
+
+type indexData struct {
+	Version             string
+	Uptime              string
+	ClientCount         int
+	TotalDomains        int
+	CertsTotal          int
+	CertsReady          int
+	CertsPending        int
+	CertsFailed         int
+	CertsPendingDomains []string
+	CertsReadyDomains   []string
+	CertsFailedDomains  []failedDomain
+	Clients             []clientData
+}
+
+type clientData struct {
+	AccountID string
+	Domains   string
+	Age       string
+	Status    string
+}
+
+func (h *Handler) handleIndex(w http.ResponseWriter, _ *http.Request, wantJSON bool) {
+	clients := h.provider.ListClientsForDebug()
+	sortedIDs := sortedAccountIDs(clients)
+
+	totalDomains := 0
+	for _, info := range clients {
+		totalDomains += info.DomainCount
+	}
+
+	var certsTotal, certsReady, certsPending, certsFailed int
+	var certsPendingDomains, certsReadyDomains []string
+	var certsFailedDomains map[string]string
+	if h.certStatus != nil {
+		certsTotal = h.certStatus.TotalDomains()
+		certsPendingDomains = h.certStatus.PendingDomains()
+		certsReadyDomains = h.certStatus.ReadyDomains()
+		certsFailedDomains = h.certStatus.FailedDomains()
+		certsReady = len(certsReadyDomains)
+		certsPending = len(certsPendingDomains)
+		certsFailed = len(certsFailedDomains)
+	}
+
+	if wantJSON {
+		clientsJSON := make([]map[string]interface{}, 0, len(clients))
+		for _, id := range sortedIDs {
+			info := clients[id]
+			clientsJSON = append(clientsJSON, map[string]interface{}{
+				"account_id":   info.AccountID,
+				"domain_count": info.DomainCount,
+				"domains":      info.Domains,
+				"has_client":   info.HasClient,
+				"created_at":   info.CreatedAt,
+				"age":          time.Since(info.CreatedAt).Round(time.Second).String(),
+			})
+		}
+		resp := map[string]interface{}{
+			"version":       version.NetbirdVersion(),
+			"uptime":        time.Since(h.startTime).Round(time.Second).String(),
+			"client_count":  len(clients),
+			"total_domains": totalDomains,
+			"certs_total":   certsTotal,
+			"certs_ready":   certsReady,
+			"certs_pending": certsPending,
+			"certs_failed":  certsFailed,
+			"clients":       clientsJSON,
+		}
+		if len(certsPendingDomains) > 0 {
+			resp["certs_pending_domains"] = certsPendingDomains
+		}
+		if len(certsReadyDomains) > 0 {
+			resp["certs_ready_domains"] = certsReadyDomains
+		}
+		if len(certsFailedDomains) > 0 {
+			resp["certs_failed_domains"] = certsFailedDomains
+		}
+		h.writeJSON(w, resp)
+		return
+	}
+
+	sortedFailed := make([]failedDomain, 0, len(certsFailedDomains))
+	for d, e := range certsFailedDomains {
+		sortedFailed = append(sortedFailed, failedDomain{Domain: d, Error: e})
+	}
+	slices.SortFunc(sortedFailed, func(a, b failedDomain) int {
+		return cmp.Compare(a.Domain, b.Domain)
+	})
+
+	data := indexData{
+		Version:             version.NetbirdVersion(),
+		Uptime:              time.Since(h.startTime).Round(time.Second).String(),
+		ClientCount:         len(clients),
+		TotalDomains:        totalDomains,
+		CertsTotal:          certsTotal,
+		CertsReady:          certsReady,
+		CertsPending:        certsPending,
+		CertsFailed:         certsFailed,
+		CertsPendingDomains: certsPendingDomains,
+		CertsReadyDomains:   certsReadyDomains,
+		CertsFailedDomains:  sortedFailed,
+		Clients:             make([]clientData, 0, len(clients)),
+	}
+
+	for _, id := range sortedIDs {
+		info := clients[id]
+		domains := info.Domains.SafeString()
+		if domains == "" {
+			domains = "-"
+		}
+		status := "No client"
+		if info.HasClient {
+			status = "Active"
+		}
+		data.Clients = append(data.Clients, clientData{
+			AccountID: string(info.AccountID),
+			Domains:   domains,
+			Age:       time.Since(info.CreatedAt).Round(time.Second).String(),
+			Status:    status,
+		})
+	}
+
+	h.renderTemplate(w, "index", data)
+}
+
+type clientsData struct {
+	Uptime  string
+	Clients []clientData
+}
+
+func (h *Handler) handleListClients(w http.ResponseWriter, _ *http.Request, wantJSON bool) {
+	clients := h.provider.ListClientsForDebug()
+	sortedIDs := sortedAccountIDs(clients)
+
+	if wantJSON {
+		clientsJSON := make([]map[string]interface{}, 0, len(clients))
+		for _, id := range sortedIDs {
+			info := clients[id]
+			clientsJSON = append(clientsJSON, map[string]interface{}{
+				"account_id":   info.AccountID,
+				"domain_count": info.DomainCount,
+				"domains":      info.Domains,
+				"has_client":   info.HasClient,
+				"created_at":   info.CreatedAt,
+				"age":          time.Since(info.CreatedAt).Round(time.Second).String(),
+			})
+		}
+		h.writeJSON(w, map[string]interface{}{
+			"uptime":       time.Since(h.startTime).Round(time.Second).String(),
+			"client_count": len(clients),
+			"clients":      clientsJSON,
+		})
+		return
+	}
+
+	data := clientsData{
+		Uptime:  time.Since(h.startTime).Round(time.Second).String(),
+		Clients: make([]clientData, 0, len(clients)),
+	}
+
+	for _, id := range sortedIDs {
+		info := clients[id]
+		domains := info.Domains.SafeString()
+		if domains == "" {
+			domains = "-"
+		}
+		status := "No client"
+		if info.HasClient {
+			status = "Active"
+		}
+		data.Clients = append(data.Clients, clientData{
+			AccountID: string(info.AccountID),
+			Domains:   domains,
+			Age:       time.Since(info.CreatedAt).Round(time.Second).String(),
+			Status:    status,
+		})
+	}
+
+	h.renderTemplate(w, "clients", data)
+}
+
+type clientDetailData struct {
+	AccountID string
+	ActiveTab string
+	Content   string
+}
+
+func (h *Handler) handleClientStatus(w http.ResponseWriter, r *http.Request, accountID types.AccountID, wantJSON bool) {
+	client, ok := h.provider.GetClient(accountID)
+	if !ok {
+		http.Error(w, "Client not found: "+string(accountID), http.StatusNotFound)
+		return
+	}
+
+	fullStatus, err := client.Status()
+	if err != nil {
+		http.Error(w, "Error getting status: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Parse filter parameters
+	query := r.URL.Query()
+	statusFilter := query.Get("filter-by-status")
+	connectionTypeFilter := query.Get("filter-by-connection-type")
+
+	var prefixNamesFilter []string
+	var prefixNamesFilterMap map[string]struct{}
+	if names := query.Get("filter-by-names"); names != "" {
+		prefixNamesFilter = strings.Split(names, ",")
+		prefixNamesFilterMap = make(map[string]struct{})
+		for _, name := range prefixNamesFilter {
+			prefixNamesFilterMap[strings.ToLower(strings.TrimSpace(name))] = struct{}{}
+		}
+	}
+
+	var ipsFilterMap map[string]struct{}
+	if ips := query.Get("filter-by-ips"); ips != "" {
+		ipsFilterMap = make(map[string]struct{})
+		for _, ip := range strings.Split(ips, ",") {
+			ipsFilterMap[strings.TrimSpace(ip)] = struct{}{}
+		}
+	}
+
+	pbStatus := nbstatus.ToProtoFullStatus(fullStatus)
+	overview := nbstatus.ConvertToStatusOutputOverview(
+		pbStatus,
+		false,
+		version.NetbirdVersion(),
+		statusFilter,
+		prefixNamesFilter,
+		prefixNamesFilterMap,
+		ipsFilterMap,
+		connectionTypeFilter,
+		"",
+	)
+
+	if wantJSON {
+		h.writeJSON(w, map[string]interface{}{
+			"account_id": accountID,
+			"status":     overview.FullDetailSummary(),
+		})
+		return
+	}
+
+	data := clientDetailData{
+		AccountID: string(accountID),
+		ActiveTab: "status",
+		Content:   overview.FullDetailSummary(),
+	}
+
+	h.renderTemplate(w, "clientDetail", data)
+}
+
+func (h *Handler) handleClientSyncResponse(w http.ResponseWriter, _ *http.Request, accountID types.AccountID, wantJSON bool) {
+	client, ok := h.provider.GetClient(accountID)
+	if !ok {
+		http.Error(w, "Client not found: "+string(accountID), http.StatusNotFound)
+		return
+	}
+
+	syncResp, err := client.GetLatestSyncResponse()
+	if err != nil {
+		http.Error(w, "Error getting sync response: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if syncResp == nil {
+		http.Error(w, "No sync response available for client: "+string(accountID), http.StatusNotFound)
+		return
+	}
+
+	opts := protojson.MarshalOptions{
+		EmitUnpopulated: true,
+		UseProtoNames:   true,
+		Indent:          "  ",
+		AllowPartial:    true,
+	}
+
+	jsonBytes, err := opts.Marshal(syncResp)
+	if err != nil {
+		http.Error(w, "Error marshaling sync response: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if wantJSON {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write(jsonBytes)
+		return
+	}
+
+	data := clientDetailData{
+		AccountID: string(accountID),
+		ActiveTab: "syncresponse",
+		Content:   string(jsonBytes),
+	}
+
+	h.renderTemplate(w, "clientDetail", data)
+}
+
+type toolsData struct {
+	AccountID string
+}
+
+func (h *Handler) handleClientTools(w http.ResponseWriter, _ *http.Request, accountID types.AccountID) {
+	_, ok := h.provider.GetClient(accountID)
+	if !ok {
+		http.Error(w, "Client not found: "+string(accountID), http.StatusNotFound)
+		return
+	}
+
+	data := toolsData{
+		AccountID: string(accountID),
+	}
+
+	h.renderTemplate(w, "tools", data)
+}
+
+func (h *Handler) handlePingTCP(w http.ResponseWriter, r *http.Request, accountID types.AccountID) {
+	client, ok := h.provider.GetClient(accountID)
+	if !ok {
+		h.writeJSON(w, map[string]interface{}{"error": "client not found"})
+		return
+	}
+
+	host := r.URL.Query().Get("host")
+	portStr := r.URL.Query().Get("port")
+	if host == "" || portStr == "" {
+		h.writeJSON(w, map[string]interface{}{"error": "host and port parameters required"})
+		return
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil || port < 1 || port > 65535 {
+		h.writeJSON(w, map[string]interface{}{"error": "invalid port"})
+		return
+	}
+
+	timeout := defaultPingTimeout
+	if t := r.URL.Query().Get("timeout"); t != "" {
+		if d, err := time.ParseDuration(t); err == nil {
+			timeout = d
+		}
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), timeout)
+	defer cancel()
+
+	address := fmt.Sprintf("%s:%d", host, port)
+	start := time.Now()
+
+	conn, err := client.Dial(ctx, "tcp", address)
+	if err != nil {
+		h.writeJSON(w, map[string]interface{}{
+			"success": false,
+			"host":    host,
+			"port":    port,
+			"error":   err.Error(),
+		})
+		return
+	}
+	if err := conn.Close(); err != nil {
+		h.logger.Debugf("close tcp ping connection: %v", err)
+	}
+
+	latency := time.Since(start)
+	h.writeJSON(w, map[string]interface{}{
+		"success":    true,
+		"host":       host,
+		"port":       port,
+		"latency_ms": latency.Milliseconds(),
+		"latency":    formatDuration(latency),
+	})
+}
+
+func (h *Handler) handleLogLevel(w http.ResponseWriter, r *http.Request, accountID types.AccountID) {
+	client, ok := h.provider.GetClient(accountID)
+	if !ok {
+		h.writeJSON(w, map[string]interface{}{"error": "client not found"})
+		return
+	}
+
+	level := r.URL.Query().Get("level")
+	if level == "" {
+		h.writeJSON(w, map[string]interface{}{"error": "level parameter required (trace, debug, info, warn, error)"})
+		return
+	}
+
+	if err := client.SetLogLevel(level); err != nil {
+		h.writeJSON(w, map[string]interface{}{
+			"success": false,
+			"error":   err.Error(),
+		})
+		return
+	}
+
+	h.writeJSON(w, map[string]interface{}{
+		"success": true,
+		"level":   level,
+	})
+}
+
+const clientActionTimeout = 30 * time.Second
+
+func (h *Handler) handleClientStart(w http.ResponseWriter, r *http.Request, accountID types.AccountID) {
+	client, ok := h.provider.GetClient(accountID)
+	if !ok {
+		h.writeJSON(w, map[string]interface{}{"error": "client not found"})
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), clientActionTimeout)
+	defer cancel()
+
+	if err := client.Start(ctx); err != nil {
+		h.writeJSON(w, map[string]interface{}{
+			"success": false,
+			"error":   err.Error(),
+		})
+		return
+	}
+
+	h.writeJSON(w, map[string]interface{}{
+		"success": true,
+		"message": "client started",
+	})
+}
+
+func (h *Handler) handleClientStop(w http.ResponseWriter, r *http.Request, accountID types.AccountID) {
+	client, ok := h.provider.GetClient(accountID)
+	if !ok {
+		h.writeJSON(w, map[string]interface{}{"error": "client not found"})
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), clientActionTimeout)
+	defer cancel()
+
+	if err := client.Stop(ctx); err != nil {
+		h.writeJSON(w, map[string]interface{}{
+			"success": false,
+			"error":   err.Error(),
+		})
+		return
+	}
+
+	h.writeJSON(w, map[string]interface{}{
+		"success": true,
+		"message": "client stopped",
+	})
+}
+
+func (h *Handler) handleHealth(w http.ResponseWriter, r *http.Request, wantJSON bool) {
+	if !wantJSON {
+		http.Redirect(w, r, "/debug", http.StatusSeeOther)
+		return
+	}
+
+	uptime := time.Since(h.startTime).Round(10 * time.Millisecond).String()
+
+	ready := h.health.ReadinessProbe()
+	allHealthy, clientHealth := h.health.CheckClientsConnected(r.Context())
+
+	status := "ok"
+	// No clients is not a health issue; only degrade when actual clients are unhealthy
+	if !ready || (!allHealthy && len(clientHealth) > 0) {
+		status = "degraded"
+	}
+
+	var certsTotal, certsReady, certsPending, certsFailed int
+	var certsPendingDomains, certsReadyDomains []string
+	var certsFailedDomains map[string]string
+	if h.certStatus != nil {
+		certsTotal = h.certStatus.TotalDomains()
+		certsPendingDomains = h.certStatus.PendingDomains()
+		certsReadyDomains = h.certStatus.ReadyDomains()
+		certsFailedDomains = h.certStatus.FailedDomains()
+		certsReady = len(certsReadyDomains)
+		certsPending = len(certsPendingDomains)
+		certsFailed = len(certsFailedDomains)
+	}
+
+	resp := map[string]any{
+		"status":               status,
+		"uptime":               uptime,
+		"management_connected": ready,
+		"all_clients_healthy":  allHealthy,
+		"certs_total":          certsTotal,
+		"certs_ready":          certsReady,
+		"certs_pending":        certsPending,
+		"certs_failed":         certsFailed,
+		"clients":              clientHealth,
+	}
+	if len(certsPendingDomains) > 0 {
+		resp["certs_pending_domains"] = certsPendingDomains
+	}
+	if len(certsReadyDomains) > 0 {
+		resp["certs_ready_domains"] = certsReadyDomains
+	}
+	if len(certsFailedDomains) > 0 {
+		resp["certs_failed_domains"] = certsFailedDomains
+	}
+	h.writeJSON(w, resp)
+}
+
+func (h *Handler) renderTemplate(w http.ResponseWriter, name string, data interface{}) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	tmpl := h.getTemplates()
+	if tmpl == nil {
+		http.Error(w, "Templates not loaded", http.StatusInternalServerError)
+		return
+	}
+	if err := tmpl.ExecuteTemplate(w, name, data); err != nil {
+		h.logger.Errorf("execute template %s: %v", name, err)
+		http.Error(w, "Template error", http.StatusInternalServerError)
+	}
+}
+
+func (h *Handler) writeJSON(w http.ResponseWriter, v interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	enc := json.NewEncoder(w)
+	enc.SetIndent("", "  ")
+	if err := enc.Encode(v); err != nil {
+		h.logger.Errorf("encode JSON response: %v", err)
+	}
+}

proxy/internal/debug/templates/base.html

@@ -0,0 +1,101 @@
+{{define "style"}}
+body {
+    font-family: monospace;
+    margin: 20px;
+    background: #1a1a1a;
+    color: #eee;
+}
+a {
+    color: #6cf;
+}
+h1, h2, h3 {
+    color: #fff;
+}
+.info {
+    color: #aaa;
+}
+table {
+    border-collapse: collapse;
+    margin: 10px 0;
+}
+th, td {
+    border: 1px solid #444;
+    padding: 8px;
+    text-align: left;
+}
+th {
+    background: #333;
+}
+.nav {
+    margin-bottom: 20px;
+}
+.nav a {
+    margin-right: 15px;
+    padding: 8px 16px;
+    background: #333;
+    text-decoration: none;
+    border-radius: 4px;
+}
+.nav a.active {
+    background: #6cf;
+    color: #000;
+}
+pre {
+    background: #222;
+    padding: 15px;
+    border-radius: 4px;
+    overflow-x: auto;
+    white-space: pre-wrap;
+}
+input, select, textarea {
+    background: #333;
+    color: #eee;
+    border: 1px solid #555;
+    padding: 8px;
+    border-radius: 4px;
+    font-family: monospace;
+}
+input:focus, select:focus, textarea:focus {
+    outline: none;
+    border-color: #6cf;
+}
+button {
+    background: #6cf;
+    color: #000;
+    border: none;
+    padding: 8px 16px;
+    border-radius: 4px;
+    cursor: pointer;
+    font-family: monospace;
+}
+button:hover {
+    background: #5be;
+}
+button:disabled {
+    background: #555;
+    color: #888;
+    cursor: not-allowed;
+}
+.form-group {
+    margin-bottom: 15px;
+}
+.form-group label {
+    display: block;
+    margin-bottom: 5px;
+    color: #aaa;
+}
+.form-row {
+    display: flex;
+    gap: 10px;
+    align-items: flex-end;
+}
+.result {
+    margin-top: 20px;
+}
+.success {
+    color: #5f5;
+}
+.error {
+    color: #f55;
+}
+{{end}}

proxy/internal/debug/templates/client_detail.html

@@ -0,0 +1,19 @@
+{{define "clientDetail"}}
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <title>Client {{.AccountID}}</title>
+  <style>{{template "style"}}</style>
+</head>
+<body>
+  <h1>Client: {{.AccountID}}</h1>
+  <div class="nav">
+    <a href="/debug">&larr; Back</a>
+    <a href="/debug/clients/{{.AccountID}}/tools"{{if eq .ActiveTab "tools"}} class="active"{{end}}>Tools</a>
+    <a href="/debug/clients/{{.AccountID}}"{{if eq .ActiveTab "status"}} class="active"{{end}}>Status</a>
+    <a href="/debug/clients/{{.AccountID}}/syncresponse"{{if eq .ActiveTab "syncresponse"}} class="active"{{end}}>Sync Response</a>
+  </div>
+  <pre>{{.Content}}</pre>
+</body>
+</html>
+{{end}}

proxy/internal/debug/templates/clients.html

@@ -0,0 +1,33 @@
+{{define "clients"}}
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <title>Clients</title>
+  <style>{{template "style"}}</style>
+</head>
+<body>
+  <h1>All Clients</h1>
+  <p class="info">Uptime: {{.Uptime}} | <a href="/debug">&larr; Back</a></p>
+  {{if .Clients}}
+  <table>
+    <tr>
+      <th>Account ID</th>
+      <th>Domains</th>
+      <th>Age</th>
+      <th>Status</th>
+    </tr>
+    {{range .Clients}}
+    <tr>
+      <td><a href="/debug/clients/{{.AccountID}}/tools">{{.AccountID}}</a></td>
+      <td>{{.Domains}}</td>
+      <td>{{.Age}}</td>
+      <td>{{.Status}}</td>
+    </tr>
+    {{end}}
+  </table>
+  {{else}}
+  <p>No clients connected</p>
+  {{end}}
+</body>
+</html>
+{{end}}

proxy/internal/debug/templates/index.html

@@ -0,0 +1,58 @@
+{{define "index"}}
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <title>NetBird Proxy Debug</title>
+  <style>{{template "style"}}</style>
+</head>
+<body>
+  <h1>NetBird Proxy Debug</h1>
+  <p class="info">Version: {{.Version}} | Uptime: {{.Uptime}}</p>
+  <h2>Certificates: {{.CertsReady}} ready, {{.CertsPending}} pending, {{.CertsFailed}} failed ({{.CertsTotal}} total)</h2>
+  {{if .CertsReadyDomains}}
+  <details>
+    <summary>Ready domains ({{.CertsReady}})</summary>
+    <ul>{{range .CertsReadyDomains}}<li>{{.}}</li>{{end}}</ul>
+  </details>
+  {{end}}
+  {{if .CertsPendingDomains}}
+  <details open>
+    <summary>Pending domains ({{.CertsPending}})</summary>
+    <ul>{{range .CertsPendingDomains}}<li>{{.}}</li>{{end}}</ul>
+  </details>
+  {{end}}
+  {{if .CertsFailedDomains}}
+  <details open>
+    <summary>Failed domains ({{.CertsFailed}})</summary>
+    <ul>{{range .CertsFailedDomains}}<li>{{.Domain}}: {{.Error}}</li>{{end}}</ul>
+  </details>
+  {{end}}
+  <h2>Clients ({{.ClientCount}}) | Domains ({{.TotalDomains}})</h2>
+  {{if .Clients}}
+  <table>
+    <tr>
+      <th>Account ID</th>
+      <th>Domains</th>
+      <th>Age</th>
+      <th>Status</th>
+    </tr>
+    {{range .Clients}}
+    <tr>
+      <td><a href="/debug/clients/{{.AccountID}}/tools">{{.AccountID}}</a></td>
+      <td>{{.Domains}}</td>
+      <td>{{.Age}}</td>
+      <td>{{.Status}}</td>
+    </tr>
+    {{end}}
+  </table>
+  {{else}}
+  <p>No clients connected</p>
+  {{end}}
+  <h2>Endpoints</h2>
+  <ul>
+    <li><a href="/debug/clients">/debug/clients</a> - all clients detail</li>
+  </ul>
+  <p class="info">Add ?format=json or /json suffix for JSON output</p>
+</body>
+</html>
+{{end}}

proxy/internal/debug/templates/tools.html

@@ -0,0 +1,142 @@
+{{define "tools"}}
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <title>Client {{.AccountID}} - Tools</title>
+  <style>{{template "style"}}</style>
+</head>
+<body>
+  <h1>Client: {{.AccountID}}</h1>
+  <div class="nav">
+    <a href="/debug">&larr; Back</a>
+    <a href="/debug/clients/{{.AccountID}}/tools" class="active">Tools</a>
+    <a href="/debug/clients/{{.AccountID}}">Status</a>
+    <a href="/debug/clients/{{.AccountID}}/syncresponse">Sync Response</a>
+  </div>
+
+  <h2>Client Control</h2>
+  <div class="form-row">
+    <div class="form-group">
+      <span>&nbsp;</span>
+      <button onclick="startClient()">Start</button>
+    </div>
+    <div class="form-group">
+      <span>&nbsp;</span>
+      <button onclick="stopClient()">Stop</button>
+    </div>
+  </div>
+  <div id="client-result" class="result"></div>
+
+  <h2>Log Level</h2>
+  <div class="form-row">
+    <div class="form-group">
+      <label for="log-level">Level</label>
+      <select id="log-level" style="width: 120px;">
+        <option value="trace">trace</option>
+        <option value="debug">debug</option>
+        <option value="info">info</option>
+        <option value="warn" selected>warn</option>
+        <option value="error">error</option>
+      </select>
+    </div>
+    <div class="form-group">
+      <span>&nbsp;</span>
+      <button onclick="setLogLevel()">Set Level</button>
+    </div>
+  </div>
+  <div id="log-result" class="result"></div>
+
+  <h2>TCP Ping</h2>
+  <div class="form-row">
+    <div class="form-group">
+      <label for="tcp-host">Host</label>
+      <input type="text" id="tcp-host" placeholder="100.0.0.1 or hostname.netbird.cloud" style="width: 300px;">
+    </div>
+    <div class="form-group">
+      <label for="tcp-port">Port</label>
+      <input type="number" id="tcp-port" placeholder="80" style="width: 80px;">
+    </div>
+    <div class="form-group">
+      <span>&nbsp;</span>
+      <button onclick="doTcpPing()">Connect</button>
+    </div>
+  </div>
+  <div id="tcp-result" class="result"></div>
+
+  <script>
+    const accountID = "{{.AccountID}}";
+
+    async function startClient() {
+        const resultDiv = document.getElementById('client-result');
+        resultDiv.innerHTML = '<span class="info">Starting client...</span>';
+        try {
+            const resp = await fetch('/debug/clients/' + accountID + '/start');
+            const data = await resp.json();
+            if (data.success) {
+                resultDiv.innerHTML = '<span class="success">✓ ' + data.message + '</span>';
+            } else {
+                resultDiv.innerHTML = '<span class="error">✗ ' + data.error + '</span>';
+            }
+        } catch (e) {
+            resultDiv.innerHTML = '<span class="error">Error: ' + e.message + '</span>';
+        }
+    }
+
+    async function stopClient() {
+        const resultDiv = document.getElementById('client-result');
+        resultDiv.innerHTML = '<span class="info">Stopping client...</span>';
+        try {
+            const resp = await fetch('/debug/clients/' + accountID + '/stop');
+            const data = await resp.json();
+            if (data.success) {
+                resultDiv.innerHTML = '<span class="success">✓ ' + data.message + '</span>';
+            } else {
+                resultDiv.innerHTML = '<span class="error">✗ ' + data.error + '</span>';
+            }
+        } catch (e) {
+            resultDiv.innerHTML = '<span class="error">Error: ' + e.message + '</span>';
+        }
+    }
+
+    async function setLogLevel() {
+        const level = document.getElementById('log-level').value;
+        const resultDiv = document.getElementById('log-result');
+        resultDiv.innerHTML = '<span class="info">Setting log level...</span>';
+        try {
+            const resp = await fetch('/debug/clients/' + accountID + '/loglevel?level=' + level);
+            const data = await resp.json();
+            if (data.success) {
+                resultDiv.innerHTML = '<span class="success">✓ Log level set to: ' + data.level + '</span>';
+            } else {
+                resultDiv.innerHTML = '<span class="error">✗ ' + data.error + '</span>';
+            }
+        } catch (e) {
+            resultDiv.innerHTML = '<span class="error">Error: ' + e.message + '</span>';
+        }
+    }
+
+    async function doTcpPing() {
+        const host = document.getElementById('tcp-host').value;
+        const port = document.getElementById('tcp-port').value;
+        if (!host || !port) {
+            alert('Host and port required');
+            return;
+        }
+        const resultDiv = document.getElementById('tcp-result');
+        resultDiv.innerHTML = '<span class="info">Connecting...</span>';
+        try {
+            const resp = await fetch('/debug/clients/' + accountID + '/pingtcp?host=' + encodeURIComponent(host) + '&port=' + port);
+            const data = await resp.json();
+            if (data.success) {
+                resultDiv.innerHTML = '<span class="success">✓ ' + data.host + ':' + data.port + ' connected in ' + data.latency + '</span>';
+            } else {
+                resultDiv.innerHTML = '<span class="error">✗ ' + data.host + ':' + data.port + ': ' + data.error + '</span>';
+            }
+        } catch (e) {
+            resultDiv.innerHTML = '<span class="error">Error: ' + e.message + '</span>';
+        }
+    }
+  </script>
+</body>
+</html>
+{{end}}