Viktor Liu
780e9f57a5
Improve mgmt backoff
2026-02-09 01:51:53 +08:00
mlsmaycon
a8db73285b
add issued time log and CT timestamp logs
2026-02-08 18:13:50 +01:00
Viktor Liu
3b43c00d12
Use unique static path for auth assets to avoid collision with routes
2026-02-09 01:10:50 +08:00
Viktor Liu
3630ebb3ae
Add option to rewrite redirects
2026-02-09 00:44:47 +08:00
Viktor Liu
260c46df04
Fix broken auth redirect
2026-02-09 00:02:54 +08:00
Viktor Liu
7b6294b624
Refuse to service a service if auth setup failed
2026-02-08 23:24:43 +08:00
Viktor Liu
156d0b1fef
Fix duplicate path
2026-02-08 21:41:32 +08:00
Viktor Liu
6a64d4e4dd
Remove test deployment specs
2026-02-08 21:13:22 +08:00
Viktor Liu
51e63c246b
Add health status to debug
2026-02-08 21:04:46 +08:00
mlsmaycon
99e6b1eda4
attempt to trigger ssl before first request
1. When AddDomain() is called (when proxy receives a new mapping), it now spawns a goroutine to prefetch the certificate
2. prefetchCertificate() creates a synthetic tls.ClientHelloInfo and calls GetCertificate() to trigger the ACME flow
3. The certificate is cached by autocert.DirCache, so subsequent real requests will use the cached cert
4. If the cert is already cached (e.g., proxy restart), GetCertificate just returns it without making ACME requests
2026-02-08 10:59:36 +01:00
Viktor Liu
3883b2fb41
Fix netbird_test.go
2026-02-08 17:49:03 +08:00
Viktor Liu
ed58659a01
Set forwarded headers from trusted proxies only
2026-02-08 17:49:03 +08:00
Viktor Liu
5190923c70
Improve logging requests
2026-02-08 17:49:03 +08:00
Viktor Liu
7c647dd160
Add peer firewall to the receiving peer
2026-02-08 17:49:03 +08:00
Viktor Liu
07e59b2708
Add reverse proxy header security and forwarding
- Rewrite Host header to backend target (configurable via pass_host_header per mapping)
- Strip and set X-Forwarded-For/X-Real-IP from direct connection (trust boundary)
- Set X-Forwarded-Host and X-Forwarded-Proto headers
- Strip nb_session cookie and session_token query param before forwarding
- Add --forwarded-proto flag (auto/http/https) for proto detection
- Fix OIDC redirect hardcoded https scheme
- Add pass_host_header to proto, API, and management model
2026-02-08 15:00:35 +08:00
Viktor Liu
0a3a9f977d
Add proxy <-> management authentication
2026-02-08 14:33:27 +08:00
pascal
f797d2d9cb
fix cert dir name in docker file
2026-02-05 15:46:07 +01:00
Eduard Gert
4433f44a12
Add some other errors
2026-02-05 14:30:55 +01:00
Eduard Gert
7504e718d7
Add better error page
2026-02-05 14:00:51 +01:00
Viktor Liu
9b0387e7ee
Add /cert dir
2026-02-05 19:22:31 +08:00
pascal
e366fe340e
add log when listener is ready
2026-02-04 23:32:19 +01:00
pascal
b01809f8e3
use logger
2026-02-04 23:10:01 +01:00
pascal
790ef39187
log on debug
2026-02-04 22:43:40 +01:00
pascal
3af16cf333
add trace logs
2026-02-04 22:26:29 +01:00
pascal
096d4ac529
rewrite peer creation and network map calc [WIP]
2026-02-04 20:01:00 +01:00
Alisdair MacLeod
8fafde614a
Merge remote-tracking branch 'origin/prototype/reverse-proxy' into prototype/reverse-proxy
2026-02-04 16:52:42 +00:00
Alisdair MacLeod
694ae13418
add stateless proxy sessions
2026-02-04 16:52:35 +00:00
Eduard Gert
b5b7dd4f53
Add other error pages
2026-02-04 17:12:26 +01:00
Viktor Liu
476785b122
Remove health check addr override
2026-02-04 22:32:46 +08:00
Viktor Liu
907677f835
Set readiness false on disconnect right away
2026-02-04 22:28:53 +08:00
Viktor Liu
7d844b9410
Add health checks
2026-02-04 22:18:45 +08:00
Eduard Gert
eeabc64a73
Merge remote-tracking branch 'origin/prototype/reverse-proxy' into prototype/reverse-proxy
2026-02-04 15:11:33 +01:00
Eduard Gert
5da2b0fdcc
Add error page
2026-02-04 15:11:22 +01:00
Alisdair MacLeod
a0005a604e
fix minor potential security issues with OIDC
2026-02-04 12:25:19 +00:00
Alisdair MacLeod
28f3354ffa
Merge remote-tracking branch 'origin/prototype/reverse-proxy' into prototype/reverse-proxy
# Conflicts:
# management/internals/modules/reverseproxy/reverseproxy.go
# management/internals/server/boot.go
# management/internals/shared/grpc/proxy.go
# proxy/internal/auth/middleware.go
# shared/management/proto/proxy_service.pb.go
# shared/management/proto/proxy_service.proto
# shared/management/proto/proxy_service_grpc.pb.go
2026-02-04 11:56:04 +00:00
Alisdair MacLeod
562923c600
management OIDC implementation using pkce
2026-02-04 11:51:46 +00:00
Viktor Liu
ca33849f31
Use a 1:1 mapping of netbird client to netbird account
- Add debug endpoint for monitoring netbird clients
- Add types package with AccountID type
- Refactor netbird roundtrip to key clients by AccountID
- Multiple domains can share the same client per account
- Add status notifier for tunnel connection updates
- Add OIDC flags to CLI
- Add tests for netbird client management
2026-02-04 14:48:20 +08:00
Eduard Gert
733ea77c5c
Add proxy auth ui
2026-02-03 19:05:55 +01:00
pascal
bffb25bea7
add status confirmation for certs and tunnel creation
2026-02-03 16:58:14 +01:00
Alisdair MacLeod
5243481316
get OIDC configuration from proxy flags/env
2026-02-03 12:10:23 +00:00
Alisdair MacLeod
30cfc22cb6
correct proto and proxy authentication for oidc
2026-02-03 09:01:39 +00:00
Alisdair MacLeod
a73ee47557
ignore ports when performing proxy mapping lookups
2026-02-02 14:39:13 +00:00
Alisdair MacLeod
30572fe1b8
add domain validation using values from proxies
2026-02-02 09:53:49 +00:00
Alisdair MacLeod
3a6f364b03
use a defined logger
this should avoid issues with the embedded
client also attempting to use the same global logger
2026-01-30 16:31:32 +00:00
Alisdair MacLeod
f882c36e0a
simplify authentication
2026-01-30 14:08:52 +00:00
Alisdair MacLeod
e95cfa1a00
add support for some basic authentication methods
2026-01-29 16:34:52 +00:00
pascal
0d480071b6
pass accountID
2026-01-29 14:47:22 +01:00
pascal
8e0b7b6c25
add api for access log events
2026-01-29 14:27:57 +01:00
Alisdair MacLeod
7d74904d62
add roundtripper debug log
2026-01-29 12:03:14 +00:00
Alisdair MacLeod
760ac5e07d
use the netbird client transport directly
2026-01-29 11:11:28 +00:00