[management, reverse proxy] Add reverse proxy feature (#5291)

* implement reverse proxy --------- Co-authored-by: Alisdair MacLeod <git@alisdairmacleod.co.uk> Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> Co-authored-by: Eduard Gert <kontakt@eduardgert.de> Co-authored-by: Viktor Liu <viktor@netbird.io> Co-authored-by: Diego Noguês <diego.sure@gmail.com> Co-authored-by: Diego Noguês <49420+diegocn@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-18 08:16:39 +00:00 · 2026-02-13 19:37:43 +01:00
parent edce11b34d
commit f53155562f
225 changed files with 35513 additions and 235 deletions
--- a/proxy/internal/flock/flock_other.go
+++ b/proxy/internal/flock/flock_other.go
@@ -0,0 +1,20 @@
+//go:build !unix
+
+package flock
+
+import (
+	"context"
+	"os"
+)
+
+// Lock is a no-op on non-Unix platforms. Returns (nil, nil) to indicate
+// that no lock was acquired; callers must treat a nil file as "proceed
+// without lock" rather than "lock held by someone else."
+func Lock(_ context.Context, _ string) (*os.File, error) {
+	return nil, nil //nolint:nilnil // intentional: nil file signals locking unsupported on this platform
+}
+
+// Unlock is a no-op on non-Unix platforms.
+func Unlock(_ *os.File) error {
+	return nil
+}
--- a/proxy/internal/flock/flock_test.go
+++ b/proxy/internal/flock/flock_test.go
@@ -0,0 +1,79 @@
+//go:build unix
+
+package flock
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLockUnlock(t *testing.T) {
+	lockPath := filepath.Join(t.TempDir(), "test.lock")
+
+	f, err := Lock(context.Background(), lockPath)
+	require.NoError(t, err)
+	require.NotNil(t, f)
+
+	_, err = os.Stat(lockPath)
+	assert.NoError(t, err, "lock file should exist")
+
+	err = Unlock(f)
+	assert.NoError(t, err)
+}
+
+func TestUnlockNil(t *testing.T) {
+	err := Unlock(nil)
+	assert.NoError(t, err, "unlocking nil should be a no-op")
+}
+
+func TestLockRespectsContext(t *testing.T) {
+	lockPath := filepath.Join(t.TempDir(), "test.lock")
+
+	f1, err := Lock(context.Background(), lockPath)
+	require.NoError(t, err)
+	defer func() { require.NoError(t, Unlock(f1)) }()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
+	defer cancel()
+
+	_, err = Lock(ctx, lockPath)
+	assert.ErrorIs(t, err, context.DeadlineExceeded)
+}
+
+func TestLockBlocks(t *testing.T) {
+	lockPath := filepath.Join(t.TempDir(), "test.lock")
+
+	f1, err := Lock(context.Background(), lockPath)
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	start := time.Now()
+	var elapsed time.Duration
+
+	go func() {
+		defer wg.Done()
+		f2, err := Lock(context.Background(), lockPath)
+		elapsed = time.Since(start)
+		assert.NoError(t, err)
+		if f2 != nil {
+			assert.NoError(t, Unlock(f2))
+		}
+	}()
+
+	// Hold the lock for 200ms, then release.
+	time.Sleep(200 * time.Millisecond)
+	require.NoError(t, Unlock(f1))
+
+	wg.Wait()
+	assert.GreaterOrEqual(t, elapsed, 150*time.Millisecond,
+		"Lock should have blocked for at least ~200ms")
+}
--- a/proxy/internal/flock/flock_unix.go
+++ b/proxy/internal/flock/flock_unix.go
@@ -0,0 +1,77 @@
+//go:build unix
+
+// Package flock provides best-effort advisory file locking using flock(2).
+//
+// This is used for cross-replica coordination (e.g. preventing duplicate
+// ACME requests). Note that flock(2) does NOT work reliably on NFS volumes:
+// on NFSv3 it depends on the NLM daemon, on NFSv4 Linux emulates it via
+// fcntl locks with different semantics. Callers must treat lock failures
+// as non-fatal and proceed without the lock.
+package flock
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"syscall"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const retryInterval = 100 * time.Millisecond
+
+// Lock acquires an exclusive advisory lock on the given file path.
+// It creates the lock file if it does not exist. The lock attempt
+// respects context cancellation by using non-blocking flock with polling.
+// The caller must call Unlock with the returned *os.File when done.
+func Lock(ctx context.Context, path string) (*os.File, error) {
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0o600)
+	if err != nil {
+		return nil, fmt.Errorf("open lock file %s: %w", path, err)
+	}
+
+	timer := time.NewTimer(retryInterval)
+	defer timer.Stop()
+
+	for {
+		if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err == nil {
+			return f, nil
+		} else if !errors.Is(err, syscall.EWOULDBLOCK) {
+			if cerr := f.Close(); cerr != nil {
+				log.Debugf("close lock file %s: %v", path, cerr)
+			}
+			return nil, fmt.Errorf("acquire lock on %s: %w", path, err)
+		}
+
+		select {
+		case <-ctx.Done():
+			if cerr := f.Close(); cerr != nil {
+				log.Debugf("close lock file %s: %v", path, cerr)
+			}
+			return nil, ctx.Err()
+		case <-timer.C:
+			timer.Reset(retryInterval)
+		}
+	}
+}
+
+// Unlock releases the lock and closes the file.
+func Unlock(f *os.File) error {
+	if f == nil {
+		return nil
+	}
+
+	defer func() {
+		if cerr := f.Close(); cerr != nil {
+			log.Debugf("close lock file: %v", cerr)
+		}
+	}()
+
+	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_UN); err != nil {
+		return fmt.Errorf("release lock: %w", err)
+	}
+
+	return nil
+}