fix: small conflicts

1. validate domain only for proxy urls
2. use registered target cluster for custom domain extraction

.dockerignore

@@ -0,0 +1,6 @@
+.env
+.env.*
+*.pem
+*.key
+*.crt
+*.p12

.github/workflows/check-license-dependencies.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Check for problematic license dependencies
         run: |
-          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
           echo ""
 
           # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
           while IFS= read -r dir; do
             echo "=== Checking $dir ==="
             # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
             if [ -n "$RESULTS" ]; then
               echo "❌ Found problematic dependencies:"
               echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
             else
               echo "✓ No problematic dependencies found"
             fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name ".git*" | sort)
 
           echo ""
           if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
+            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
             echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
             exit 1
           else
@@ -88,7 +88,7 @@ jobs:
               IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
               # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" | head -1)
 
               if [ -n "$BSD_IMPORTER" ]; then
                 echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"

.github/workflows/golang-test-darwin.yml

@@ -43,5 +43,5 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)
 

.github/workflows/golang-test-freebsd.yml

@@ -46,6 +46,5 @@ jobs:
             time go test -timeout 1m -failfast ./client/iface/...
             time go test -timeout 1m -failfast ./route/...
             time go test -timeout 1m -failfast ./sharedsock/...
-            time go test -timeout 1m -failfast ./signal/...
             time go test -timeout 1m -failfast ./util/...
             time go test -timeout 1m -failfast ./version/...

.github/workflows/golang-test-linux.yml

@@ -144,7 +144,7 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)
 
   test_client_on_docker:
     name: "Client (Docker) / Unit"
@@ -204,7 +204,7 @@ jobs:
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /client/ui -e /upload-server)
             '
 
   test_relay:
@@ -261,6 +261,53 @@ jobs:
             -exec 'sudo' \
             -timeout 10m -p 1 ./relay/... ./shared/relay/...
 
+  test_proxy:
+    name: "Proxy / Unit"
+    needs: [build-cache]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ '386','amd64' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          go test -timeout 10m -p 1 ./proxy/...
+
   test_signal:
     name: "Signal / Unit"
     needs: [build-cache]

.github/workflows/golang-test-windows.yml

@@ -63,7 +63,7 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' })" >> $env:GITHUB_ENV
 
       - name: test
         run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"

.github/workflows/golangci-lint.yml

@@ -20,7 +20,7 @@ jobs:
         uses: codespell-project/actions-codespell@v2
         with:
           ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
-          skip: go.mod,go.sum
+          skip: go.mod,go.sum,**/proxy/web/**
   golangci:
     strategy:
       fail-fast: false

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.0"
+  SIGN_PIPE_VER: "v0.1.1"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

client/cmd/login.go

@@ -282,13 +282,9 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	}
 	defer authClient.Close()
 
-	needsLogin := false
-
-	err, isAuthError := authClient.Login(ctx, "", "")
-	if isAuthError {
-		needsLogin = true
-	} else if err != nil {
-		return fmt.Errorf("login check failed: %v", err)
+	needsLogin, err := authClient.IsLoginRequired(ctx)
+	if err != nil {
+		return fmt.Errorf("check login required: %v", err)
 	}
 
 	jwtToken := ""

client/embed/embed.go

@@ -31,6 +31,14 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )
 
+// PeerConnStatus is a peer's connection status.
+type PeerConnStatus = peer.ConnStatus
+
+const (
+	// PeerStatusConnected indicates the peer is in connected state.
+	PeerStatusConnected = peer.StatusConnected
+)
+
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string

client/firewall/nftables/router_linux.go

@@ -483,7 +483,12 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}
 
 	if nftRule.Handle == 0 {
-		return fmt.Errorf("route rule %s has no handle", ruleKey)
+		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
+		if err := r.decrementSetCounter(nftRule); err != nil {
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+		}
+		delete(r.rules, ruleKey)
+		return nil
 	}
 
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -660,13 +665,32 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}
 
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback ipset counter
-		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
+		r.rollbackRules(pair)
+		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
 	}
 
 	return nil
 }
 
+// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
+func (r *router) rollbackRules(pair firewall.RouterPair) {
+	keys := []string{
+		firewall.GenKey(firewall.ForwardingFormat, pair),
+		firewall.GenKey(firewall.PreroutingFormat, pair),
+		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
+	}
+	for _, key := range keys {
+		rule, ok := r.rules[key]
+		if !ok {
+			continue
+		}
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("rollback set counter for %s: %v", key, err)
+		}
+		delete(r.rules, key)
+	}
+}
+
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -928,18 +952,30 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
 
-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-
-		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-		delete(r.rules, ruleKey)
+	rule, exists := r.rules[ruleKey]
+	if !exists {
+		return nil
+	}
 
+	if rule.Handle == 0 {
+		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
 		}
+		delete(r.rules, ruleKey)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
+	}
+
+	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+
+	delete(r.rules, ruleKey)
+
+	if err := r.decrementSetCounter(rule); err != nil {
+		return fmt.Errorf("decrement set counter: %w", err)
 	}
 
 	return nil
@@ -1329,65 +1365,89 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
+	var merr *multierror.Error
+
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove prerouting rule: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
 		}
 
 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse prerouting rule: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
 		}
 	}
 
 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		return fmt.Errorf("remove legacy routing rule: %w", err)
+		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
 	}
 
+	// Set counters are decremented in the sub-methods above before flush. If flush fails,
+	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback set counter
-		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
+		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
 	}
 
-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
 
-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-
-		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
-		}
-	} else {
+	rule, exists := r.rules[ruleKey]
+	if !exists {
 		log.Debugf("prerouting rule %s not found", ruleKey)
+		return nil
+	}
+
+	if rule.Handle == 0 {
+		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+		}
+		delete(r.rules, ruleKey)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
+	}
+
+	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+	delete(r.rules, ruleKey)
+
+	if err := r.decrementSetCounter(rule); err != nil {
+		return fmt.Errorf("decrement set counter: %w", err)
 	}
 
 	return nil
 }
 
-// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
-// duplicates and to get missing attributes that we don't have when adding new rules
+// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
+// (e.g. from failed flushes) and updates handles for all existing rules.
 func (r *router) refreshRulesMap() error {
+	var merr *multierror.Error
+	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf("list rules: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
+			// preserve existing entries for this chain since we can't verify their state
+			for k, v := range r.rules {
+				if v.Chain != nil && v.Chain.Name == chain.Name {
+					newRules[k] = v
+				}
+			}
+			continue
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				r.rules[string(rule.UserData)] = rule
+				newRules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	return nil
+	r.rules = newRules
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1629,20 +1689,34 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}
 
 	var merr *multierror.Error
+	var needsFlush bool
+
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if err := r.conn.DelRule(dnatRule); err != nil {
+		if dnatRule.Handle == 0 {
+			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
+			delete(r.rules, ruleKey+dnatSuffix)
+		} else if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
+		} else {
+			needsFlush = true
 		}
 	}
 
 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if err := r.conn.DelRule(masqRule); err != nil {
+		if masqRule.Handle == 0 {
+			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
+			delete(r.rules, ruleKey+snatSuffix)
+		} else if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
+		} else {
+			needsFlush = true
 		}
 	}
 
-	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+	if needsFlush {
+		if err := r.conn.Flush(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+		}
 	}
 
 	if merr == nil {
@@ -1757,16 +1831,25 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 
-	if rule, exists := r.rules[ruleID]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-		}
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
+	rule, exists := r.rules[ruleID]
+	if !exists {
+		return nil
 	}
 
+	if rule.Handle == 0 {
+		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+		delete(r.rules, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+	}
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+	}
+	delete(r.rules, ruleID)
+
 	return nil
 }
 

client/firewall/nftables/router_linux_test.go

@@ -18,6 +18,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/acl/id"
 )
 
 const (
@@ -719,3 +720,137 @@ func deleteWorkTable() {
 		}
 	}
 }
+
+func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTable()
+	require.NoError(t, err)
+	defer deleteWorkTable()
+
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, r.init(workTable))
+	defer func() { require.NoError(t, r.Reset()) }()
+
+	// Add a real rule to the kernel
+	ruleKey, err := r.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
+		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+		firewall.ProtocolTCP,
+		nil,
+		&firewall.Port{Values: []uint16{80}},
+		firewall.ActionAccept,
+	)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, r.DeleteRouteRule(ruleKey))
+	})
+
+	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
+	staleKey := "stale-rule-that-does-not-exist"
+	r.rules[staleKey] = &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingFw],
+		Handle:   0,
+		UserData: []byte(staleKey),
+	}
+
+	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
+
+	err = r.refreshRulesMap()
+	require.NoError(t, err)
+
+	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
+
+	realRule, ok := r.rules[ruleKey.ID()]
+	assert.True(t, ok, "real rule should still exist after refresh")
+	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
+}
+
+func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTable()
+	require.NoError(t, err)
+	defer deleteWorkTable()
+
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, r.init(workTable))
+	defer func() { require.NoError(t, r.Reset()) }()
+
+	// Inject a stale entry with Handle=0
+	staleKey := "stale-route-rule"
+	r.rules[staleKey] = &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingFw],
+		Handle:   0,
+		UserData: []byte(staleKey),
+	}
+
+	// DeleteRouteRule should not return an error for stale handles
+	err = r.DeleteRouteRule(id.RuleID(staleKey))
+	assert.NoError(t, err, "deleting a stale rule should not error")
+	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
+}
+
+func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, manager.Init(nil))
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	pair := firewall.RouterPair{
+		ID:          "staletest",
+		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
+		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+		Masquerade:  true,
+	}
+
+	rtr := manager.router
+
+	// First add succeeds
+	err = rtr.AddNatRule(pair)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, rtr.RemoveNatRule(pair))
+	})
+
+	// Corrupt the handle to simulate stale state
+	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+	if rule, exists := rtr.rules[natRuleKey]; exists {
+		rule.Handle = 0
+	}
+	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
+	if rule, exists := rtr.rules[inverseKey]; exists {
+		rule.Handle = 0
+	}
+
+	// Adding the same rule again should succeed despite stale handles
+	err = rtr.AddNatRule(pair)
+	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
+
+	// Verify rules exist in kernel
+	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
+	require.NoError(t, err)
+
+	found := 0
+	for _, rule := range rules {
+		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+			found++
+		}
+	}
+	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
+}

client/firewall/uspfilter/conntrack/tcp.go

@@ -115,6 +115,17 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }
 
+// IsSupersededBy returns true if this connection should be replaced by a new one
+// carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
+// connections are superseded by a pure SYN (a new connection attempt for the same
+// four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
+func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
+	if t.tombstone.Load() {
+		return true
+	}
+	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
+}
+
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -169,7 +180,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
 
-	if exists {
+	if exists && !conn.IsSupersededBy(flags) {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -241,7 +252,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
 
-	if !exists || conn.IsTombstone() {
+	if !exists || conn.IsSupersededBy(flags) {
 		return false
 	}
 

client/firewall/uspfilter/conntrack/tcp_test.go

@@ -485,6 +485,261 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }
 
+// TestTCPPortReuseTombstone verifies that a new connection on a port with a
+// tombstoned (closed) conntrack entry is properly tracked. Without the fix,
+// updateIfExists treats tombstoned entries as live, causing track() to skip
+// creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
+// because the entry is tombstoned, and the response packet gets dropped by ACL.
+func TestTCPPortReuseTombstone(t *testing.T) {
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and gracefully close a connection (server-initiated close)
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+		// Server sends FIN
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		require.True(t, valid)
+
+		// Client sends FIN-ACK
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+
+		// Server sends final ACK
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.True(t, valid)
+
+		// Connection should be tombstoned
+		conn := tracker.connections[key]
+		require.NotNil(t, conn, "old connection should still be in map")
+		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
+
+		// Now reuse the same port for a new connection
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+
+		// The old tombstoned entry should be replaced with a new one
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn, "new connection should exist")
+		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
+		require.Equal(t, TCPStateSynSent, newConn.GetState())
+
+		// SYN-ACK for the new connection should be valid
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
+		require.Equal(t, TCPStateEstablished, newConn.GetState())
+
+		// Data transfer should work
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
+		require.True(t, valid, "data should be allowed on new connection")
+	})
+
+	t.Run("Outbound port reuse after RST", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and RST a connection
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
+		require.True(t, valid)
+
+		conn := tracker.connections[key]
+		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
+
+		// Reuse the same port
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn)
+		require.False(t, newConn.IsTombstone())
+		require.Equal(t, TCPStateSynSent, newConn.GetState())
+
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
+	})
+
+	t.Run("Inbound port reuse after close", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		clientIP := srcIP
+		serverIP := dstIP
+		clientPort := srcPort
+		serverPort := dstPort
+		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
+
+		// Inbound connection: client SYN → server SYN-ACK → client ACK
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateEstablished, conn.GetState())
+
+		// Server-initiated close to reach Closed/tombstoned:
+		// Server FIN (opposite dir) → CloseWait
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
+		require.Equal(t, TCPStateCloseWait, conn.GetState())
+		// Client FIN-ACK (same dir as conn) → LastAck
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
+		require.Equal(t, TCPStateLastAck, conn.GetState())
+		// Server final ACK (opposite dir) → Closed → tombstoned
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
+
+		require.True(t, conn.IsTombstone())
+
+		// New inbound connection on same ports
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn)
+		require.False(t, newConn.IsTombstone())
+		require.Equal(t, TCPStateSynReceived, newConn.GetState())
+
+		// Complete handshake: server SYN-ACK, then client ACK
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+		require.Equal(t, TCPStateEstablished, newConn.GetState())
+	})
+
+	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
+
+		conn := tracker.connections[key]
+		require.True(t, conn.IsTombstone())
+
+		// Late ACK should be rejected (tombstoned)
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
+
+		// Late outbound ACK should not create a new connection (not a SYN)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
+	})
+}
+
+func TestTCPPortReuseTimeWait(t *testing.T) {
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish connection
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+		// Active close: client (outbound initiator) sends FIN first
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateFinWait1, conn.GetState())
+
+		// Server ACKs the FIN
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.True(t, valid)
+		require.Equal(t, TCPStateFinWait2, conn.GetState())
+
+		// Server sends its own FIN
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		require.True(t, valid)
+		require.Equal(t, TCPStateTimeWait, conn.GetState())
+
+		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
+
+		// New outbound SYN on the same port (port reuse during TIME-WAIT)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+
+		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn, "new connection should exist")
+		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
+		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
+
+		// SYN-ACK for new connection should be valid
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+		require.True(t, valid, "SYN-ACK for new connection should be accepted")
+		require.Equal(t, TCPStateEstablished, newConn.GetState())
+	})
+
+	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish outbound connection and close via active close → TIME-WAIT
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateTimeWait, conn.GetState())
+
+		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
+		// so the filter falls through to ACL check + TrackInbound (which creates
+		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
+		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
+
+		// Simulate what the filter does next: TrackInbound via the normal path
+		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
+
+		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
+		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
+		newConn := tracker.connections[invertedKey]
+		require.NotNil(t, newConn, "new inbound connection should be tracked")
+		require.Equal(t, TCPStateSynReceived, newConn.GetState())
+		require.False(t, newConn.IsTombstone())
+	})
+
+	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and active close → TIME-WAIT
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateTimeWait, conn.GetState())
+
+		// Late ACK retransmits during TIME-WAIT should still be accepted
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
+	})
+}
+
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond

client/firewall/uspfilter/log/log.go

@@ -5,6 +5,8 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
+	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -16,9 +18,18 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	logChannelSize       = 1000
+	defaultLogChanSize   = 1000
 )
 
+func getLogChannelSize() int {
+	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			return n
+		}
+	}
+	return defaultLogChanSize
+}
+
 type Level uint32
 
 const (
@@ -69,7 +80,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, logChannelSize),
+		msgChannel: make(chan logMessage, getLogChannelSize()),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {

client/iface/device/device_filter.go

@@ -29,8 +29,9 @@ type PacketFilter interface {
 type FilteredDevice struct {
 	tun.Device
 
-	filter PacketFilter
-	mutex  sync.RWMutex
+	filter    PacketFilter
+	mutex     sync.RWMutex
+	closeOnce sync.Once
 }
 
 // newDeviceFilter constructor function
@@ -40,6 +41,20 @@ func newDeviceFilter(device tun.Device) *FilteredDevice {
 	}
 }
 
+// Close closes the underlying tun device exactly once.
+// wireguard-go's netTun.Close() panics on double-close due to a bare close(channel),
+// and multiple code paths can trigger Close on the same device.
+func (d *FilteredDevice) Close() error {
+	var err error
+	d.closeOnce.Do(func() {
+		err = d.Device.Close()
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {

client/iface/device/device_netstack.go

@@ -82,7 +82,9 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
-		_ = tunIface.Close()
+		if cErr := tunIface.Close(); cErr != nil {
+			log.Debugf("failed to close tun device: %v", cErr)
+		}
 		return nil, fmt.Errorf("error configuring interface: %s", err)
 	}
 

client/iface/netstack/tun.go

@@ -66,7 +66,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()
 
-	return nsTunDev, tunNet, nil
+	return t.tundev, tunNet, nil
 }
 
 func (t *NetStackTun) Close() error {

client/internal/engine.go

@@ -28,6 +28,7 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
+	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
@@ -543,11 +544,12 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
 	e.shutdownWg.Add(1)
+	wgIfaceName := e.wgInterface.Name()
 
 	go func() {
 		defer e.shutdownWg.Done()
 
-		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
+		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, wgIfaceName); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
 			e.triggerClientRestart()
 		} else if err != nil {
@@ -1922,7 +1924,7 @@ func (e *Engine) triggerClientRestart() {
 }
 
 func (e *Engine) startNetworkMonitor() {
-	if !e.config.NetworkMonitor {
+	if !e.config.NetworkMonitor || nbnetstack.IsEnabled() {
 		log.Infof("Network monitor is disabled, not starting")
 		return
 	}

client/internal/networkmonitor/monitor.go

@@ -14,7 +14,6 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
@@ -38,11 +37,6 @@ func New() *NetworkMonitor {
 
 // Listen begins monitoring network changes. When a change is detected, this function will return without error.
 func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
-	if netstack.IsEnabled() {
-		log.Debugf("Network monitor: skipping in netstack mode")
-		return nil
-	}
-
 	nw.mu.Lock()
 	if nw.cancel != nil {
 		nw.mu.Unlock()

go.mod

@@ -69,7 +69,7 @@ require (
 	github.com/mdlayher/socket v0.5.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/oapi-codegen/runtime v1.1.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0

go.sum

@@ -406,8 +406,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f h1:CTBf0je/FpKr2lVSMZLak7m8aaWcS6ur4SOfhSSazFI=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25 h1:iwAq/Ncaq0etl4uAlVsbNBzC1yY52o0AmY7uCm2AMTs=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=

infrastructure_files/getting-started.sh

@@ -91,16 +91,17 @@ read_reverse_proxy_type() {
   echo "  [3] Nginx Proxy Manager (generates config + instructions)" > /dev/stderr
   echo "  [4] External Caddy (generates Caddyfile snippet)" > /dev/stderr
   echo "  [5] Other/Manual (displays setup documentation)" > /dev/stderr
+  echo "  [6] Traefik TCP Proxy (single port 443 + STUN)" > /dev/stderr
   echo "" > /dev/stderr
-  echo -n "Enter choice [0-5] (default: 0): " > /dev/stderr
+  echo -n "Enter choice [0-6] (default: 0): " > /dev/stderr
   read -r CHOICE < /dev/tty
 
   if [[ -z "$CHOICE" ]]; then
     CHOICE="0"
   fi
 
-  if [[ ! "$CHOICE" =~ ^[0-5]$ ]]; then
-    echo "Invalid choice. Please enter a number between 0 and 5." > /dev/stderr
+  if [[ ! "$CHOICE" =~ ^[0-6]$ ]]; then
+    echo "Invalid choice. Please enter a number between 0 and 6." > /dev/stderr
     read_reverse_proxy_type
     return
   fi
@@ -140,6 +141,35 @@ read_traefik_certresolver() {
   return 0
 }
 
+read_traefik_tcp_acme_email() {
+  echo "" > /dev/stderr
+  echo "Enter your email for Let's Encrypt certificate notifications." > /dev/stderr
+  echo -n "Email address: " > /dev/stderr
+  read -r EMAIL < /dev/tty
+  if [[ -z "$EMAIL" ]]; then
+    echo "Email is required for Let's Encrypt." > /dev/stderr
+    read_traefik_tcp_acme_email
+    return
+  fi
+  echo "$EMAIL"
+  return 0
+}
+
+read_enable_proxy() {
+  echo "" > /dev/stderr
+  echo "Do you want to enable the NetBird Proxy service?" > /dev/stderr
+  echo "The proxy exposes internal NetBird network resources to the internet." > /dev/stderr
+  echo -n "Enable proxy? [y/N]: " > /dev/stderr
+  read -r CHOICE < /dev/tty
+
+  if [[ "$CHOICE" =~ ^[Yy]$ ]]; then
+    echo "true"
+  else
+    echo "false"
+  fi
+  return 0
+}
+
 read_port_binding_preference() {
   echo "" > /dev/stderr
   echo "Should container ports be bound to localhost only (127.0.0.1)?" > /dev/stderr
@@ -206,6 +236,30 @@ wait_management() {
   return 0
 }
 
+wait_management_traefik() {
+  set +e
+  echo -n "Waiting for Management server to become ready"
+  counter=1
+  while true; do
+    # Check the embedded IdP endpoint through Traefik
+    if curl -sk -f -o /dev/null "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/oauth2/.well-known/openid-configuration" 2>/dev/null; then
+      break
+    fi
+    if [[ $counter -eq 60 ]]; then
+      echo ""
+      echo "Taking too long. Checking logs..."
+      $DOCKER_COMPOSE_COMMAND logs --tail=20 traefik
+      $DOCKER_COMPOSE_COMMAND logs --tail=20 management
+    fi
+    echo -n " ."
+    sleep 2
+    counter=$((counter + 1))
+  done
+  echo " done"
+  set -e
+  return 0
+}
+
 wait_management_direct() {
   set +e
   local upstream_host=$(get_upstream_host)
@@ -246,10 +300,12 @@ initialize_default_values() {
 
   # Docker images
   CADDY_IMAGE="caddy"
-  DASHBOARD_IMAGE="netbirdio/dashboard:latest"
+  #DASHBOARD_IMAGE="netbirdio/dashboard:latest"
+  DASHBOARD_IMAGE="netbirdio/dashboard:pr-552"
   SIGNAL_IMAGE="netbirdio/signal:latest"
   RELAY_IMAGE="netbirdio/relay:latest"
-  MANAGEMENT_IMAGE="netbirdio/management:latest"
+  MANAGEMENT_IMAGE="netbirdio/management:latest"  
+  PROXY_IMAGE=""
 
   # Reverse proxy configuration
   REVERSE_PROXY_TYPE="0"
@@ -263,6 +319,14 @@ initialize_default_values() {
   RELAY_HOST_PORT="8084"
   BIND_LOCALHOST_ONLY="true"
   EXTERNAL_PROXY_NETWORK=""
+
+  # Traefik TCP proxy configuration
+  TRAEFIK_IMAGE="traefik:v3.6"
+  TRAEFIK_TCP_ACME_EMAIL=""
+
+  # NetBird Proxy configuration
+  ENABLE_PROXY="false"
+  PROXY_TOKEN=""
   return 0
 }
 
@@ -293,8 +357,17 @@ configure_reverse_proxy() {
     TRAEFIK_CERTRESOLVER=$(read_traefik_certresolver)
   fi
 
+  # Handle Traefik TCP proxy prompts
+  if [[ "$REVERSE_PROXY_TYPE" == "6" ]]; then
+    TRAEFIK_TCP_ACME_EMAIL=$(read_traefik_tcp_acme_email)
+
+    # Prompt for NetBird Proxy configuration
+    ENABLE_PROXY=$(read_enable_proxy)
+    # Note: PROXY_TOKEN will be auto-generated after Management starts
+  fi
+
   # Handle port binding for external proxy options (2-5)
-  if [[ "$REVERSE_PROXY_TYPE" -ge 2 ]]; then
+  if [[ "$REVERSE_PROXY_TYPE" -ge 2 && "$REVERSE_PROXY_TYPE" -le 5 ]]; then
     BIND_LOCALHOST_ONLY=$(read_port_binding_preference)
   fi
 
@@ -313,7 +386,7 @@ check_existing_installation() {
     echo "Generated files already exist, if you want to reinitialize the environment, please remove them first."
     echo "You can use the following commands:"
     echo "  $DOCKER_COMPOSE_COMMAND down --volumes # to remove all containers and volumes"
-    echo "  rm -f docker-compose.yml Caddyfile dashboard.env management.json relay.env nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt"
+    echo "  rm -f docker-compose.yml Caddyfile dashboard.env management.json relay.env nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt proxy.env"
     echo "Be aware that this will remove all data from the database, and you will have to reconfigure the dashboard."
     exit 1
   fi
@@ -347,6 +420,15 @@ generate_configuration_files() {
     5)
       render_docker_compose_exposed_ports > docker-compose.yml
       ;;
+    6)
+      render_docker_compose_traefik_tcp > docker-compose.yml
+      if [[ "$ENABLE_PROXY" == "true" ]]; then
+        # Create placeholder proxy.env so docker-compose can validate
+        # This will be overwritten with the actual token after Management starts
+        echo "# Placeholder - will be updated with token after Management starts" > proxy.env
+        echo "NB_PROXY_TOKEN=placeholder" >> proxy.env
+      fi
+      ;;
     *)
       echo "Invalid reverse proxy type: $REVERSE_PROXY_TYPE" > /dev/stderr
       exit 1
@@ -402,6 +484,50 @@ start_services_and_show_instructions() {
     echo ""
     echo "NetBird containers are running. Configure NPM as shown above, then access:"
     echo "  $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
+  elif [[ "$REVERSE_PROXY_TYPE" == "6" ]]; then
+    # Traefik TCP Proxy - two-phase startup if proxy is enabled
+    echo -e "$MSG_STARTING_SERVICES"
+
+    if [[ "$ENABLE_PROXY" == "true" ]]; then
+      # Phase 1: Start core services (without proxy)
+      echo "Starting core services..."
+      $DOCKER_COMPOSE_COMMAND up -d traefik dashboard signal relay management
+
+      sleep 3
+      wait_management_traefik
+
+      # Phase 2: Create proxy token and start proxy
+      echo ""
+      echo "Creating proxy access token..."
+      # Use docker exec with bash to run the token command directly
+      # (bypassing the entrypoint which adds 'management' as first arg)
+      PROXY_TOKEN=$($DOCKER_COMPOSE_COMMAND exec -T management \
+        bash -c '/go/bin/netbird-mgmt token create --name "default-proxy" --config /etc/netbird/management.json' 2>/dev/null | grep "^Token:" | awk '{print $2}')
+
+      if [[ -z "$PROXY_TOKEN" ]]; then
+        echo "ERROR: Failed to create proxy token. Check management logs." > /dev/stderr
+        $DOCKER_COMPOSE_COMMAND logs --tail=20 management
+        exit 1
+      fi
+
+      echo "Proxy token created successfully."
+
+      # Generate proxy.env with the token
+      render_proxy_env > proxy.env
+
+      # Start proxy service
+      echo "Starting proxy service..."
+      $DOCKER_COMPOSE_COMMAND up -d proxy
+    else
+      # No proxy - start all services at once
+      $DOCKER_COMPOSE_COMMAND up -d
+
+      sleep 3
+      wait_management_traefik
+    fi
+
+    echo -e "$MSG_DONE"
+    print_post_setup_instructions
   else
     # External proxies (nginx, external Caddy, other) - need manual config first
     print_post_setup_instructions
@@ -547,6 +673,29 @@ EOF
   return 0
 }
 
+render_proxy_env() {
+  cat <<EOF
+# NetBird Proxy Configuration
+NB_PROXY_DEBUG_LOGS=false
+# Use internal Docker network to connect to management (avoids hairpin NAT issues)
+NB_PROXY_MANAGEMENT_ADDRESS=http://management:80
+# Allow insecure gRPC connection to management (required for internal Docker network)
+NB_PROXY_ALLOW_INSECURE=true
+# Public URL where this proxy is reachable (used for cluster registration)
+NB_PROXY_DOMAIN=$NETBIRD_DOMAIN
+NB_PROXY_ADDRESS=:8443
+NB_PROXY_TOKEN=$PROXY_TOKEN
+NB_PROXY_CERTIFICATE_DIRECTORY=/certs
+NB_PROXY_ACME_CERTIFICATES=true
+NB_PROXY_ACME_CHALLENGE_TYPE=tls-alpn-01
+NB_PROXY_OIDC_CLIENT_ID=netbird-proxy
+NB_PROXY_OIDC_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/oauth2
+NB_PROXY_OIDC_SCOPES=openid,profile,email
+NB_PROXY_FORWARDED_PROTO=https
+EOF
+  return 0
+}
+
 render_docker_compose() {
   cat <<EOF
 services:
@@ -736,7 +885,18 @@ $(if [[ -n "$tls_labels" ]]; then echo "      - traefik.http.routers.netbird-rel
 
   # Management (includes embedded IdP)
   management:
+$(if [[ "$ENABLE_PROXY" == "true" ]]; then
+cat <<MGMT_BUILD
+    build:
+      context: ..
+      dockerfile: management/Dockerfile.multistage
+    pull_policy: build
+MGMT_BUILD
+else
+cat <<MGMT_IMAGE
     image: $MANAGEMENT_IMAGE
+MGMT_IMAGE
+fi)
     container_name: netbird-management
     restart: unless-stopped
     networks: [$network_name]
@@ -1115,6 +1275,258 @@ EOF
   return 0
 }
 
+render_docker_compose_traefik_tcp() {
+  # Generate proxy service section if enabled
+  local proxy_service=""
+  local proxy_volumes=""
+  local proxy_tcp_labels=""
+  if [[ "$ENABLE_PROXY" == "true" ]]; then
+    proxy_service="
+  # NetBird Proxy - exposes internal resources to the internet
+  proxy:
+    build:
+      context: ../
+      dockerfile: proxy/Dockerfile
+    # Always rebuild to pick up code changes during testing
+    pull_policy: build
+    #image: $PROXY_IMAGE
+    container_name: netbird-proxy
+    # Hairpin NAT fix: route domain back to traefik's static IP within Docker
+    extra_hosts:
+      - \"$NETBIRD_DOMAIN:172.30.0.10\"
+    restart: unless-stopped
+    networks: [netbird]
+    depends_on:
+      - signal
+    env_file:
+      - ./proxy.env
+    volumes:
+      - netbird_proxy_certs:/certs
+    labels:
+      # TCP passthrough for any unmatched domain (proxy handles its own TLS)
+      - traefik.enable=true
+      - traefik.tcp.routers.proxy-passthrough.entrypoints=websecure
+      - traefik.tcp.routers.proxy-passthrough.rule=HostSNI(\`*\`)
+      - traefik.tcp.routers.proxy-passthrough.tls.passthrough=true
+      - traefik.tcp.routers.proxy-passthrough.service=proxy-tls
+      - traefik.tcp.routers.proxy-passthrough.priority=1
+      - traefik.tcp.services.proxy-tls.loadbalancer.server.port=8443
+    logging:
+      driver: \"json-file\"
+      options:
+        max-size: \"500m\"
+        max-file: \"2\"
+"
+    proxy_volumes="
+  netbird_proxy_certs:"
+  fi
+
+  cat <<EOF
+services:
+  # Traefik - single port 443 entry point with TLS termination  
+  traefik:
+    image: $TRAEFIK_IMAGE
+    container_name: netbird-traefik
+    restart: unless-stopped
+    networks:
+      netbird:
+        ipv4_address: 172.30.0.10
+    ports:
+      - '443:443'
+    volumes:
+      - netbird_traefik_data:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    command:
+      # Logging
+      - --log.level=INFO
+      - --accesslog=true
+      # Docker provider
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.docker.network=netbird
+      # Entrypoints
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.websecure.allowACMEByPass=true
+      # Disable timeouts for long-lived gRPC streams
+      - --entrypoints.websecure.transport.respondingtimeouts.readtimeout=0s
+      - --entrypoints.websecure.transport.respondingtimeouts.writetimeout=0s
+      - --entrypoints.websecure.transport.respondingtimeouts.idletimeout=0s
+      # Let's Encrypt ACME
+      - --certificatesresolvers.letsencrypt.acme.email=$TRAEFIK_TCP_ACME_EMAIL
+      - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
+      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
+      # gRPC transport settings (disable response timeout for long-lived streams)
+      - --serverstransport.forwardingtimeouts.responseheadertimeout=0s
+      - --serverstransport.forwardingtimeouts.idleconntimeout=0s
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # UI dashboard
+  dashboard:
+    image: $DASHBOARD_IMAGE
+    container_name: netbird-dashboard
+    restart: unless-stopped
+    networks: [netbird]
+    env_file:
+      - ./dashboard.env
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.netbird-dashboard.entrypoints=websecure
+      - traefik.http.routers.netbird-dashboard.rule=Host(\`$NETBIRD_DOMAIN\`)
+      - traefik.http.routers.netbird-dashboard.tls=true
+      - traefik.http.routers.netbird-dashboard.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-dashboard.service=dashboard
+      - traefik.http.routers.netbird-dashboard.priority=1
+      - traefik.http.services.dashboard.loadbalancer.server.port=80
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Signal
+  signal:
+    image: $SIGNAL_IMAGE
+    container_name: netbird-signal
+    restart: unless-stopped
+    networks: [netbird]
+    labels:
+      - traefik.enable=true
+      # Signal WebSocket
+      - traefik.http.routers.netbird-signal-ws.entrypoints=websecure
+      - traefik.http.routers.netbird-signal-ws.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/ws-proxy/signal\`)
+      - traefik.http.routers.netbird-signal-ws.tls=true
+      - traefik.http.routers.netbird-signal-ws.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-signal-ws.service=signal-ws
+      - traefik.http.routers.netbird-signal-ws.priority=100
+      - traefik.http.services.signal-ws.loadbalancer.server.port=80
+      # Signal gRPC
+      - traefik.http.routers.netbird-signal-grpc.entrypoints=websecure
+      - traefik.http.routers.netbird-signal-grpc.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/signalexchange.SignalExchange/\`)
+      - traefik.http.routers.netbird-signal-grpc.tls=true
+      - traefik.http.routers.netbird-signal-grpc.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-signal-grpc.service=signal-grpc
+      - traefik.http.routers.netbird-signal-grpc.priority=100
+      - traefik.http.services.signal-grpc.loadbalancer.server.port=10000
+      - traefik.http.services.signal-grpc.loadbalancer.server.scheme=h2c
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Relay (includes embedded STUN server)
+  relay:
+    image: $RELAY_IMAGE
+    container_name: netbird-relay
+    restart: unless-stopped
+    networks: [netbird]
+    ports:
+      - '$NETBIRD_STUN_PORT:$NETBIRD_STUN_PORT/udp'
+    env_file:
+      - ./relay.env
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.netbird-relay.entrypoints=websecure
+      - traefik.http.routers.netbird-relay.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/relay\`)
+      - traefik.http.routers.netbird-relay.tls=true
+      - traefik.http.routers.netbird-relay.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-relay.service=relay
+      - traefik.http.routers.netbird-relay.priority=100
+      - traefik.http.services.relay.loadbalancer.server.port=80
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Management (includes embedded IdP)
+  management:
+$(if [[ "$ENABLE_PROXY" == "true" ]]; then
+cat <<MGMT_BUILD
+    build:
+      context: ..
+      dockerfile: management/Dockerfile.multistage
+    pull_policy: build    
+MGMT_BUILD
+else
+cat <<MGMT_IMAGE
+    image: $MANAGEMENT_IMAGE
+MGMT_IMAGE
+fi)
+    container_name: netbird-management
+    restart: unless-stopped
+    networks: [netbird]
+    volumes:
+      - netbird_management:/var/lib/netbird
+      - ./management.json:/etc/netbird/management.json
+    command: [
+      "--port", "80",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain=netbird.selfhosted",
+      "--dns-domain=netbird.selfhosted",
+      "--idp-sign-key-refresh-enabled",
+    ]
+    labels:
+      - traefik.enable=true
+      # Management API
+      - traefik.http.routers.netbird-api.entrypoints=websecure
+      - traefik.http.routers.netbird-api.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/api\`)
+      - traefik.http.routers.netbird-api.tls=true
+      - traefik.http.routers.netbird-api.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-api.service=management
+      - traefik.http.routers.netbird-api.priority=100
+      # Management WebSocket
+      - traefik.http.routers.netbird-mgmt-ws.entrypoints=websecure
+      - traefik.http.routers.netbird-mgmt-ws.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/ws-proxy/management\`)
+      - traefik.http.routers.netbird-mgmt-ws.tls=true
+      - traefik.http.routers.netbird-mgmt-ws.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-mgmt-ws.service=management
+      - traefik.http.routers.netbird-mgmt-ws.priority=100
+      # Management gRPC
+      - traefik.http.routers.netbird-mgmt-grpc.entrypoints=websecure
+      - traefik.http.routers.netbird-mgmt-grpc.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/management.ManagementService/\`)
+      - traefik.http.routers.netbird-mgmt-grpc.tls=true
+      - traefik.http.routers.netbird-mgmt-grpc.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-mgmt-grpc.service=management-grpc
+      - traefik.http.routers.netbird-mgmt-grpc.priority=100
+      # OAuth2 (embedded IdP)
+      - traefik.http.routers.netbird-oauth2.entrypoints=websecure
+      - traefik.http.routers.netbird-oauth2.rule=Host(\`$NETBIRD_DOMAIN\`) && PathPrefix(\`/oauth2\`)
+      - traefik.http.routers.netbird-oauth2.tls=true
+      - traefik.http.routers.netbird-oauth2.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-oauth2.service=management
+      - traefik.http.routers.netbird-oauth2.priority=100
+      # Services
+      - traefik.http.services.management.loadbalancer.server.port=80
+      - traefik.http.services.management-grpc.loadbalancer.server.port=80
+      - traefik.http.services.management-grpc.loadbalancer.server.scheme=h2c
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+${proxy_service}
+volumes:
+  netbird_traefik_data:
+  netbird_management:${proxy_volumes}
+
+networks:
+  netbird:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.30.0.0/24
+          gateway: 172.30.0.1
+EOF
+  return 0
+}
+
 render_npm_advanced_config() {
   local upstream_host=$(get_upstream_host)
   local relay_addr="${upstream_host}:${RELAY_HOST_PORT}"
@@ -1424,6 +1836,36 @@ print_manual_instructions() {
   return 0
 }
 
+print_traefik_tcp_instructions() {
+  echo ""
+  echo "$MSG_SEPARATOR"
+  echo "  TRAEFIK TCP PROXY SETUP"
+  echo "$MSG_SEPARATOR"
+  echo ""
+  echo "This configuration uses Traefik as a single entry point on port 443."
+  echo "Traefik handles TLS termination with Let's Encrypt and routes to services."
+  echo ""
+  echo "Open ports:"
+  echo "  - 443/tcp  (HTTPS - all NetBird services)"
+  echo "  - $NETBIRD_STUN_PORT/udp  (STUN - required for NAT traversal)"
+  echo ""
+  echo "Generated files:"
+  echo "  - docker-compose.yml    (container definitions with Traefik labels)"
+  if [[ "$ENABLE_PROXY" == "true" ]]; then
+    echo "  - proxy.env             (NetBird Proxy configuration)"
+    echo ""
+    echo "NetBird Proxy:"
+    echo "  The proxy service is enabled and will be built from source."
+    echo "  Any domain NOT matching $NETBIRD_DOMAIN will be passed through to the proxy."
+    echo "  The proxy handles its own TLS certificates via ACME TLS-ALPN-01 challenge."
+    echo "  Point your proxy domains (CNAMEs) to this server's IP address."
+  fi
+  echo ""
+  echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
+  echo "Follow the onboarding steps to set up your NetBird instance."
+  return 0
+}
+
 print_post_setup_instructions() {
   case "$REVERSE_PROXY_TYPE" in
     0)
@@ -1444,6 +1886,9 @@ print_post_setup_instructions() {
     5)
       print_manual_instructions
       ;;
+    6)
+      print_traefik_tcp_instructions
+      ;;
     *)
       echo "Unknown reverse proxy type: $REVERSE_PROXY_TYPE" > /dev/stderr
       ;;

management/Dockerfile.multistage

@@ -0,0 +1,17 @@
+FROM golang:1.25-bookworm AS builder
+WORKDIR /app
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y gcc libc6-dev && rm -rf /var/lib/apt/lists/*
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=1 GOOS=linux go build -ldflags="-s -w" -o netbird-mgmt ./management
+
+FROM ubuntu:24.04
+RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
+ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
+CMD ["--log-file", "console"]
+COPY --from=builder /app/netbird-mgmt /go/bin/netbird-mgmt

management/cmd/token.go

@@ -67,6 +67,7 @@ func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Sto
 		return fmt.Errorf("init log: %w", err)
 	}
 
+	//nolint
 	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource)
 
 	config, err := loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
@@ -108,11 +109,11 @@ func tokenCreateRun(cmd *cobra.Command, _ []string) error {
 			return fmt.Errorf("save token: %w", err)
 		}
 
-		fmt.Println("Token created successfully!")
-		fmt.Printf("Token: %s\n", generated.PlainToken)
-		fmt.Println()
-		fmt.Println("IMPORTANT: Save this token now. It will not be shown again.")
-		fmt.Printf("Token ID: %s\n", generated.ID)
+		fmt.Println("Token created successfully!")                                 //nolint:forbidigo
+		fmt.Printf("Token: %s\n", generated.PlainToken)                            //nolint:forbidigo
+		fmt.Println()                                                              //nolint:forbidigo
+		fmt.Println("IMPORTANT: Save this token now. It will not be shown again.") //nolint:forbidigo
+		fmt.Printf("Token ID: %s\n", generated.ID)                                 //nolint:forbidigo
 
 		return nil
 	})
@@ -126,7 +127,7 @@ func tokenListRun(cmd *cobra.Command, _ []string) error {
 		}
 
 		if len(tokens) == 0 {
-			fmt.Println("No proxy access tokens found.")
+			fmt.Println("No proxy access tokens found.") //nolint:forbidigo
 			return nil
 		}
 
@@ -174,7 +175,7 @@ func tokenRevokeRun(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("revoke token: %w", err)
 		}
 
-		fmt.Printf("Token %s revoked successfully.\n", tokenID)
+		fmt.Printf("Token %s revoked successfully.\n", tokenID) //nolint:forbidigo
 		return nil
 	})
 }

management/internals/modules/peers/manager_mock.go

@@ -162,3 +162,17 @@ func (mr *MockManagerMockRecorder) SetNetworkMapController(networkMapController
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetworkMapController", reflect.TypeOf((*MockManager)(nil).SetNetworkMapController), networkMapController)
 }
+
+// CreateProxyPeer mocks base method.
+func (m *MockManager) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateProxyPeer", ctx, accountID, peerKey, cluster)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// CreateProxyPeer indicates an expected call of CreateProxyPeer.
+func (mr *MockManagerMockRecorder) CreateProxyPeer(ctx, accountID, peerKey, cluster interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxyPeer", reflect.TypeOf((*MockManager)(nil).CreateProxyPeer), ctx, accountID, peerKey, cluster)
+}

management/internals/modules/reverseproxy/domain/domain.go

@@ -0,0 +1,17 @@
+package domain
+
+type Type string
+
+const (
+	TypeFree   Type = "free"
+	TypeCustom Type = "custom"
+)
+
+type Domain struct {
+	ID            string `gorm:"unique;primaryKey;autoIncrement"`
+	Domain        string `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
+	AccountID     string `gorm:"index"`
+	TargetCluster string // The proxy cluster this domain should be validated against
+	Type          Type   `gorm:"-"`
+	Validated     bool
+}

management/internals/modules/reverseproxy/domain/interface.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"context"
+)
+
+type Manager interface {
+	GetDomains(ctx context.Context, accountID, userID string) ([]*Domain, error)
+	CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*Domain, error)
+	DeleteDomain(ctx context.Context, accountID, userID, domainID string) error
+	ValidateDomain(ctx context.Context, accountID, userID, domainID string)
+}

management/internals/modules/reverseproxy/domain/manager/api.go

@@ -1,10 +1,12 @@
-package domain
+package manager
 
 import (
 	"encoding/json"
 	"net/http"
 
 	"github.com/gorilla/mux"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -26,11 +28,11 @@ func RegisterEndpoints(router *mux.Router, manager Manager) {
 	router.HandleFunc("/domains/{domainId}/validate", h.triggerCustomDomainValidation).Methods("GET", "OPTIONS")
 }
 
-func domainTypeToApi(t domainType) api.ReverseProxyDomainType {
+func domainTypeToApi(t domain.Type) api.ReverseProxyDomainType {
 	switch t {
-	case TypeCustom:
+	case domain.TypeCustom:
 		return api.ReverseProxyDomainTypeCustom
-	case TypeFree:
+	case domain.TypeFree:
 		return api.ReverseProxyDomainTypeFree
 	}
 	// By default return as a "free" domain as that is more restrictive.
@@ -38,7 +40,7 @@ func domainTypeToApi(t domainType) api.ReverseProxyDomainType {
 	return api.ReverseProxyDomainTypeFree
 }
 
-func domainToApi(d *Domain) api.ReverseProxyDomain {
+func domainToApi(d *domain.Domain) api.ReverseProxyDomain {
 	resp := api.ReverseProxyDomain{
 		Domain:    d.Domain,
 		Id:        d.ID,
@@ -58,7 +60,7 @@ func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId)
+	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -85,7 +87,7 @@ func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, req.Domain, req.TargetCluster)
+	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, userAuth.UserId, req.Domain, req.TargetCluster)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -107,7 +109,7 @@ func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, domainID); err != nil {
+	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, userAuth.UserId, domainID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
@@ -128,7 +130,7 @@ func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	go h.manager.ValidateDomain(userAuth.AccountId, domainID)
+	go h.manager.ValidateDomain(r.Context(), userAuth.AccountId, userAuth.UserId, domainID)
 
 	w.WriteHeader(http.StatusAccepted)
 }

management/internals/modules/reverseproxy/domain/manager/manager.go

@@ -1,40 +1,29 @@
-package domain
+package manager
 
 import (
 	"context"
 	"fmt"
 	"net"
-	"net/url"
 	"strings"
 
-	"github.com/netbirdio/netbird/management/server/types"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
-type domainType string
-
-const (
-	TypeFree   domainType = "free"
-	TypeCustom domainType = "custom"
-)
-
-type Domain struct {
-	ID            string     `gorm:"unique;primaryKey;autoIncrement"`
-	Domain        string     `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
-	AccountID     string     `gorm:"index"`
-	TargetCluster string     // The proxy cluster this domain should be validated against
-	Type          domainType `gorm:"-"`
-	Validated     bool
-}
-
 type store interface {
 	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
 
-	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*Domain, error)
+	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error)
 	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
-	ListCustomDomains(ctx context.Context, accountID string) ([]*Domain, error)
-	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*Domain, error)
-	UpdateCustomDomain(ctx context.Context, accountID string, d *Domain) (*Domain, error)
+	ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error)
+	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error)
+	UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error)
 	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
 }
 
@@ -43,28 +32,38 @@ type proxyURLProvider interface {
 }
 
 type Manager struct {
-	store            store
-	validator        Validator
-	proxyURLProvider proxyURLProvider
+	store              store
+	validator          domain.Validator
+	proxyURLProvider   proxyURLProvider
+	permissionsManager permissions.Manager
 }
 
-func NewManager(store store, proxyURLProvider proxyURLProvider) Manager {
+func NewManager(store store, proxyURLProvider proxyURLProvider, permissionsManager permissions.Manager) Manager {
 	return Manager{
 		store:            store,
 		proxyURLProvider: proxyURLProvider,
-		validator: Validator{
-			resolver: net.DefaultResolver,
+		validator: domain.Validator{
+			Resolver: net.DefaultResolver,
 		},
+		permissionsManager: permissionsManager,
 	}
 }
 
-func (m Manager) GetDomains(ctx context.Context, accountID string) ([]*Domain, error) {
+func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*domain.Domain, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	domains, err := m.store.ListCustomDomains(ctx, accountID)
 	if err != nil {
 		return nil, fmt.Errorf("list custom domains: %w", err)
 	}
 
-	var ret []*Domain
+	var ret []*domain.Domain
 
 	// Add connected proxy clusters as free domains.
 	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
@@ -75,30 +74,37 @@ func (m Manager) GetDomains(ctx context.Context, accountID string) ([]*Domain, e
 	}).Debug("getting domains with proxy allow list")
 
 	for _, cluster := range allowList {
-		ret = append(ret, &Domain{
+		ret = append(ret, &domain.Domain{
 			Domain:    cluster,
 			AccountID: accountID,
-			Type:      TypeFree,
+			Type:      domain.TypeFree,
 			Validated: true,
 		})
 	}
 
 	// Add custom domains.
-	for _, domain := range domains {
-		ret = append(ret, &Domain{
-			ID:            domain.ID,
-			Domain:        domain.Domain,
+	for _, d := range domains {
+		ret = append(ret, &domain.Domain{
+			ID:            d.ID,
+			Domain:        d.Domain,
 			AccountID:     accountID,
-			TargetCluster: domain.TargetCluster,
-			Type:          TypeCustom,
-			Validated:     domain.Validated,
+			TargetCluster: d.TargetCluster,
+			Type:          domain.TypeCustom,
+			Validated:     d.Validated,
 		})
 	}
 
 	return ret, nil
 }
 
-func (m Manager) CreateDomain(ctx context.Context, accountID, domainName, targetCluster string) (*Domain, error) {
+func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*domain.Domain, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
 
 	// Verify the target cluster is in the available clusters
 	allowList := m.proxyURLAllowList()
@@ -126,7 +132,15 @@ func (m Manager) CreateDomain(ctx context.Context, accountID, domainName, target
 	return d, nil
 }
 
-func (m Manager) DeleteDomain(ctx context.Context, accountID, domainID string) error {
+func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
 	if err := m.store.DeleteCustomDomain(ctx, accountID, domainID); err != nil {
 		// TODO: check for "no records" type error. Because that is a success condition.
 		return fmt.Errorf("delete domain from store: %w", err)
@@ -134,7 +148,22 @@ func (m Manager) DeleteDomain(ctx context.Context, accountID, domainID string) e
 	return nil
 }
 
-func (m Manager) ValidateDomain(accountID, domainID string) {
+func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID string) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+		}).WithError(err).Error("validate domain")
+		return
+	}
+	if !ok {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+		}).WithError(err).Error("validate domain")
+	}
+
 	log.WithFields(log.Fields{
 		"accountID": accountID,
 		"domainID":  domainID,
@@ -193,57 +222,19 @@ func (m Manager) ValidateDomain(accountID, domainID string) {
 }
 
 // proxyURLAllowList retrieves a list of currently connected proxies and
-// their URLs (as reported by the proxy servers). It performs some clean
-// up on those URLs to attempt to retrieve domain names as we would
-// expect to see them in a validation check.
+// their URLs
 func (m Manager) proxyURLAllowList() []string {
 	var reverseProxyAddresses []string
 	if m.proxyURLProvider != nil {
 		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
 	}
-	var allowedProxyURLs []string
-	for _, addr := range reverseProxyAddresses {
-		if addr == "" {
-			continue
-		}
-		host := extractHostFromAddress(addr)
-		if host != "" {
-			allowedProxyURLs = append(allowedProxyURLs, host)
-		}
-	}
-	return allowedProxyURLs
-}
-
-// extractHostFromAddress extracts the hostname from an address string.
-// It handles both URL format (https://host:port) and plain hostname (host or host:port).
-func extractHostFromAddress(addr string) string {
-	// If it looks like a URL with a scheme, parse it
-	if strings.Contains(addr, "://") {
-		proxyUrl, err := url.Parse(addr)
-		if err != nil {
-			log.WithError(err).Debugf("failed to parse proxy URL %s", addr)
-			return ""
-		}
-		host, _, err := net.SplitHostPort(proxyUrl.Host)
-		if err != nil {
-			return proxyUrl.Host
-		}
-		return host
-	}
-
-	// Otherwise treat as hostname or host:port
-	host, _, err := net.SplitHostPort(addr)
-	if err != nil {
-		// No port, use as-is
-		return addr
-	}
-	return host
+	return reverseProxyAddresses
 }
 
 // DeriveClusterFromDomain determines the proxy cluster for a given domain.
 // For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
-// For custom domains, the cluster is determined by looking up the CNAME target.
-func (m Manager) DeriveClusterFromDomain(ctx context.Context, domain string) (string, error) {
+// For custom domains, the cluster is determined by checking the registered custom domain's target cluster.
+func (m Manager) DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error) {
 	allowList := m.proxyURLAllowList()
 	if len(allowList) == 0 {
 		return "", fmt.Errorf("no proxy clusters available")
@@ -253,10 +244,36 @@ func (m Manager) DeriveClusterFromDomain(ctx context.Context, domain string) (st
 		return cluster, nil
 	}
 
-	cluster, valid := m.validator.ValidateWithCluster(ctx, domain, allowList)
+	customDomains, err := m.store.ListCustomDomains(ctx, accountID)
+	if err != nil {
+		return "", fmt.Errorf("list custom domains: %w", err)
+	}
+
+	targetCluster, valid := extractClusterFromCustomDomains(domain, customDomains)
 	if valid {
-		return cluster, nil
+		return targetCluster, nil
 	}
 
 	return "", fmt.Errorf("domain %s does not match any available proxy cluster", domain)
 }
+
+func extractClusterFromCustomDomains(domain string, customDomains []*domain.Domain) (string, bool) {
+	for _, customDomain := range customDomains {
+		if strings.HasSuffix(domain, "."+customDomain.Domain) {
+			return customDomain.TargetCluster, true
+		}
+	}
+	return "", false
+}
+
+// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
+// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
+// It matches the domain suffix against available clusters and returns the matching cluster.
+func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
+	for _, cluster := range availableClusters {
+		if strings.HasSuffix(domain, "."+cluster) {
+			return cluster, true
+		}
+	}
+	return "", false
+}

management/internals/modules/reverseproxy/domain/validator.go

@@ -13,15 +13,15 @@ type resolver interface {
 }
 
 type Validator struct {
-	resolver resolver
+	Resolver resolver
 }
 
-// NewValidator initializes a validator with a specific DNS resolver.
-// If a Validator is used without specifying a resolver, then it will
+// NewValidator initializes a validator with a specific DNS Resolver.
+// If a Validator is used without specifying a Resolver, then it will
 // use the net.DefaultResolver.
 func NewValidator(resolver resolver) *Validator {
 	return &Validator{
-		resolver: resolver,
+		Resolver: resolver,
 	}
 }
 
@@ -39,8 +39,8 @@ func (v *Validator) IsValid(ctx context.Context, domain string, accept []string)
 // ValidateWithCluster validates a custom domain and returns the matched cluster address.
 // Returns the cluster address and true if valid, or empty string and false if invalid.
 func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, accept []string) (string, bool) {
-	if v.resolver == nil {
-		v.resolver = net.DefaultResolver
+	if v.Resolver == nil {
+		v.Resolver = net.DefaultResolver
 	}
 
 	lookupDomain := "validation." + domain
@@ -50,7 +50,7 @@ func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, acce
 		"acceptList":   accept,
 	}).Debug("looking up CNAME for domain validation")
 
-	cname, err := v.resolver.LookupCNAME(ctx, lookupDomain)
+	cname, err := v.Resolver.LookupCNAME(ctx, lookupDomain)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"domain":       domain,
@@ -86,15 +86,3 @@ func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, acce
 	}).Warn("domain CNAME does not match any accepted cluster")
 	return "", false
 }
-
-// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
-// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
-// It matches the domain suffix against available clusters and returns the matching cluster.
-func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
-	for _, cluster := range availableClusters {
-		if strings.HasSuffix(domain, "."+cluster) {
-			return cluster, true
-		}
-	}
-	return "", false
-}

management/internals/modules/reverseproxy/interface.go

@@ -1,5 +1,7 @@
 package reverseproxy
 
+//go:generate go run github.com/golang/mock/mockgen -package reverseproxy -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod
+
 import (
 	"context"
 )

management/internals/modules/reverseproxy/interface_mock.go

@@ -0,0 +1,225 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: ./interface.go
+
+// Package reverseproxy is a generated GoMock package.
+package reverseproxy
+
+import (
+	context "context"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockManager is a mock of Manager interface.
+type MockManager struct {
+	ctrl     *gomock.Controller
+	recorder *MockManagerMockRecorder
+}
+
+// MockManagerMockRecorder is the mock recorder for MockManager.
+type MockManagerMockRecorder struct {
+	mock *MockManager
+}
+
+// NewMockManager creates a new mock instance.
+func NewMockManager(ctrl *gomock.Controller) *MockManager {
+	mock := &MockManager{ctrl: ctrl}
+	mock.recorder = &MockManagerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockManager) EXPECT() *MockManagerMockRecorder {
+	return m.recorder
+}
+
+// CreateService mocks base method.
+func (m *MockManager) CreateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateService", ctx, accountID, userID, service)
+	ret0, _ := ret[0].(*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateService indicates an expected call of CreateService.
+func (mr *MockManagerMockRecorder) CreateService(ctx, accountID, userID, service interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateService", reflect.TypeOf((*MockManager)(nil).CreateService), ctx, accountID, userID, service)
+}
+
+// DeleteService mocks base method.
+func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteService", ctx, accountID, userID, serviceID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteService indicates an expected call of DeleteService.
+func (mr *MockManagerMockRecorder) DeleteService(ctx, accountID, userID, serviceID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteService", reflect.TypeOf((*MockManager)(nil).DeleteService), ctx, accountID, userID, serviceID)
+}
+
+// GetAccountServices mocks base method.
+func (m *MockManager) GetAccountServices(ctx context.Context, accountID string) ([]*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAccountServices", ctx, accountID)
+	ret0, _ := ret[0].([]*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetAccountServices indicates an expected call of GetAccountServices.
+func (mr *MockManagerMockRecorder) GetAccountServices(ctx, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAccountServices", reflect.TypeOf((*MockManager)(nil).GetAccountServices), ctx, accountID)
+}
+
+// GetAllServices mocks base method.
+func (m *MockManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAllServices", ctx, accountID, userID)
+	ret0, _ := ret[0].([]*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetAllServices indicates an expected call of GetAllServices.
+func (mr *MockManagerMockRecorder) GetAllServices(ctx, accountID, userID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllServices", reflect.TypeOf((*MockManager)(nil).GetAllServices), ctx, accountID, userID)
+}
+
+// GetGlobalServices mocks base method.
+func (m *MockManager) GetGlobalServices(ctx context.Context) ([]*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetGlobalServices", ctx)
+	ret0, _ := ret[0].([]*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetGlobalServices indicates an expected call of GetGlobalServices.
+func (mr *MockManagerMockRecorder) GetGlobalServices(ctx interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGlobalServices", reflect.TypeOf((*MockManager)(nil).GetGlobalServices), ctx)
+}
+
+// GetService mocks base method.
+func (m *MockManager) GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetService", ctx, accountID, userID, serviceID)
+	ret0, _ := ret[0].(*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetService indicates an expected call of GetService.
+func (mr *MockManagerMockRecorder) GetService(ctx, accountID, userID, serviceID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetService", reflect.TypeOf((*MockManager)(nil).GetService), ctx, accountID, userID, serviceID)
+}
+
+// GetServiceByID mocks base method.
+func (m *MockManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetServiceByID", ctx, accountID, serviceID)
+	ret0, _ := ret[0].(*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetServiceByID indicates an expected call of GetServiceByID.
+func (mr *MockManagerMockRecorder) GetServiceByID(ctx, accountID, serviceID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByID", reflect.TypeOf((*MockManager)(nil).GetServiceByID), ctx, accountID, serviceID)
+}
+
+// GetServiceIDByTargetID mocks base method.
+func (m *MockManager) GetServiceIDByTargetID(ctx context.Context, accountID, resourceID string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetServiceIDByTargetID", ctx, accountID, resourceID)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetServiceIDByTargetID indicates an expected call of GetServiceIDByTargetID.
+func (mr *MockManagerMockRecorder) GetServiceIDByTargetID(ctx, accountID, resourceID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceIDByTargetID", reflect.TypeOf((*MockManager)(nil).GetServiceIDByTargetID), ctx, accountID, resourceID)
+}
+
+// ReloadAllServicesForAccount mocks base method.
+func (m *MockManager) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReloadAllServicesForAccount", ctx, accountID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ReloadAllServicesForAccount indicates an expected call of ReloadAllServicesForAccount.
+func (mr *MockManagerMockRecorder) ReloadAllServicesForAccount(ctx, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadAllServicesForAccount", reflect.TypeOf((*MockManager)(nil).ReloadAllServicesForAccount), ctx, accountID)
+}
+
+// ReloadService mocks base method.
+func (m *MockManager) ReloadService(ctx context.Context, accountID, serviceID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReloadService", ctx, accountID, serviceID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ReloadService indicates an expected call of ReloadService.
+func (mr *MockManagerMockRecorder) ReloadService(ctx, accountID, serviceID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadService", reflect.TypeOf((*MockManager)(nil).ReloadService), ctx, accountID, serviceID)
+}
+
+// SetCertificateIssuedAt mocks base method.
+func (m *MockManager) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetCertificateIssuedAt", ctx, accountID, serviceID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetCertificateIssuedAt indicates an expected call of SetCertificateIssuedAt.
+func (mr *MockManagerMockRecorder) SetCertificateIssuedAt(ctx, accountID, serviceID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCertificateIssuedAt", reflect.TypeOf((*MockManager)(nil).SetCertificateIssuedAt), ctx, accountID, serviceID)
+}
+
+// SetStatus mocks base method.
+func (m *MockManager) SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetStatus", ctx, accountID, serviceID, status)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetStatus indicates an expected call of SetStatus.
+func (mr *MockManagerMockRecorder) SetStatus(ctx, accountID, serviceID, status interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetStatus", reflect.TypeOf((*MockManager)(nil).SetStatus), ctx, accountID, serviceID, status)
+}
+
+// UpdateService mocks base method.
+func (m *MockManager) UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateService", ctx, accountID, userID, service)
+	ret0, _ := ret[0].(*Service)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateService indicates an expected call of UpdateService.
+func (mr *MockManagerMockRecorder) UpdateService(ctx, accountID, userID, service interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateService", reflect.TypeOf((*MockManager)(nil).UpdateService), ctx, accountID, userID, service)
+}

management/internals/modules/reverseproxy/manager/api.go

@@ -9,7 +9,7 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	domainmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -21,21 +21,21 @@ type handler struct {
 }
 
 // RegisterEndpoints registers all service HTTP endpoints.
-func RegisterEndpoints(manager reverseproxy.Manager, domainManager domain.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
+func RegisterEndpoints(manager reverseproxy.Manager, domainManager domainmanager.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
 	h := &handler{
 		manager: manager,
 	}
 
-	domainRouter := router.PathPrefix("/services").Subrouter()
-	domain.RegisterEndpoints(domainRouter, domainManager)
+	domainRouter := router.PathPrefix("/reverse-proxies").Subrouter()
+	domainmanager.RegisterEndpoints(domainRouter, domainManager)
 
 	accesslogsmanager.RegisterEndpoints(router, accessLogsManager)
 
-	router.HandleFunc("/services", h.getAllServices).Methods("GET", "OPTIONS")
-	router.HandleFunc("/services", h.createService).Methods("POST", "OPTIONS")
-	router.HandleFunc("/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
-	router.HandleFunc("/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services", h.getAllServices).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services", h.createService).Methods("POST", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
 }
 
 func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request) {

management/internals/modules/reverseproxy/manager/manager.go

@@ -23,7 +23,7 @@ const unknownHostPlaceholder = "unknown"
 
 // ClusterDeriver derives the proxy cluster from a domain.
 type ClusterDeriver interface {
-	DeriveClusterFromDomain(ctx context.Context, domain string) (string, error)
+	DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error)
 }
 
 type managerImpl struct {
@@ -31,18 +31,16 @@ type managerImpl struct {
 	accountManager     account.Manager
 	permissionsManager permissions.Manager
 	proxyGRPCServer    *nbgrpc.ProxyServiceServer
-	tokenStore         *nbgrpc.OneTimeTokenStore
 	clusterDeriver     ClusterDeriver
 }
 
 // NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, tokenStore *nbgrpc.OneTimeTokenStore, clusterDeriver ClusterDeriver) reverseproxy.Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver) reverseproxy.Manager {
 	return &managerImpl{
 		store:              store,
 		accountManager:     accountManager,
 		permissionsManager: permissionsManager,
 		proxyGRPCServer:    proxyGRPCServer,
-		tokenStore:         tokenStore,
 		clusterDeriver:     clusterDeriver,
 	}
 }
@@ -139,9 +137,10 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 
 	var proxyCluster string
 	if m.clusterDeriver != nil {
-		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, service.Domain)
+		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
 		if err != nil {
 			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
+			return nil, status.Errorf(status.PreconditionFailed, "could not derive cluster from domain %s: %v", service.Domain, err)
 		}
 	}
 
@@ -187,11 +186,6 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 		return nil, err
 	}
 
-	token, err := m.tokenStore.GenerateToken(accountID, service.ID, 5*time.Minute)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
-	}
-
 	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceCreated, service.EventMeta())
 
 	err = m.replaceHostByLookup(ctx, accountID, service)
@@ -199,7 +193,7 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
 	}
 
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
 
 	m.accountManager.UpdateAccountPeers(ctx, accountID)
 
@@ -245,7 +239,7 @@ func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID strin
 			}
 
 			if m.clusterDeriver != nil {
-				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, service.Domain)
+				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
 				if err != nil {
 					log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
 				}
@@ -293,22 +287,17 @@ func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID strin
 		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
 	}
 
-	token, err := m.tokenStore.GenerateToken(accountID, service.ID, 5*time.Minute)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
-	}
-
+	oidcCfg := m.proxyGRPCServer.GetOIDCValidationConfig()
 	switch {
 	case domainChanged && oldCluster != service.ProxyCluster:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), oldCluster)
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), oldCluster)
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
 	case !service.Enabled && serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), service.ProxyCluster)
 	case service.Enabled && serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
 	default:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", oidcCfg), service.ProxyCluster)
 	}
 	m.accountManager.UpdateAccountPeers(ctx, accountID)
 
@@ -497,6 +486,9 @@ func (m *managerImpl) GetAccountServices(ctx context.Context, accountID string)
 func (m *managerImpl) GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error) {
 	target, err := m.store.GetServiceTargetByTargetID(ctx, store.LockingStrengthNone, accountID, resourceID)
 	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
+			return "", nil
+		}
 		return "", fmt.Errorf("failed to get service target by resource ID: %w", err)
 	}
 

management/internals/server/boot.go

@@ -94,7 +94,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies)
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}

management/internals/server/modules.go

@@ -9,7 +9,7 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
 	nbreverseproxy "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -192,13 +192,13 @@ func (s *BaseServer) RecordsManager() records.Manager {
 
 func (s *BaseServer) ReverseProxyManager() reverseproxy.Manager {
 	return Create(s, func() reverseproxy.Manager {
-		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ReverseProxyGRPCServer(), s.ProxyTokenStore(), s.ReverseProxyDomainManager())
+		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ReverseProxyGRPCServer(), s.ReverseProxyDomainManager())
 	})
 }
 
-func (s *BaseServer) ReverseProxyDomainManager() *domain.Manager {
-	return Create(s, func() *domain.Manager {
-		m := domain.NewManager(s.Store(), s.ReverseProxyGRPCServer())
+func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
+	return Create(s, func() *manager.Manager {
+		m := manager.NewManager(s.Store(), s.ReverseProxyGRPCServer(), s.PermissionsManager())
 		return &m
 	})
 }

management/internals/server/server.go

@@ -217,6 +217,7 @@ func (s *BaseServer) Stop() error {
 		_ = s.certManager.Listener().Close()
 	}
 	s.GRPCServer().Stop()
+	s.ReverseProxyGRPCServer().Close()
 	if s.proxyAuthClose != nil {
 		s.proxyAuthClose()
 		s.proxyAuthClose = nil

management/internals/shared/grpc/proxy.go

@@ -3,18 +3,19 @@ package grpc
 import (
 	"context"
 	"crypto/hmac"
+	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"net"
 	"net/url"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/netbirdio/netbird/shared/management/domain"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	"google.golang.org/grpc/codes"
@@ -81,7 +82,17 @@ type ProxyServiceServer struct {
 	oidcConfig ProxyOIDCConfig
 
 	// TODO: use database to store these instead?
-	pkceVerifiers sync.Map
+	// pkceVerifiers stores PKCE code verifiers keyed by OAuth state.
+	// Entries expire after pkceVerifierTTL to prevent unbounded growth.
+	pkceVerifiers     sync.Map
+	pkceCleanupCancel context.CancelFunc
+}
+
+const pkceVerifierTTL = 10 * time.Minute
+
+type pkceEntry struct {
+	verifier  string
+	createdAt time.Time
 }
 
 // proxyConnection represents a connected proxy
@@ -92,19 +103,47 @@ type proxyConnection struct {
 	sendChan chan *proto.ProxyMapping
 	ctx      context.Context
 	cancel   context.CancelFunc
-	mu       sync.RWMutex
 }
 
 // NewProxyServiceServer creates a new proxy service server.
 func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager) *ProxyServiceServer {
-	return &ProxyServiceServer{
-		updatesChan:      make(chan *proto.ProxyMapping, 100),
-		accessLogManager: accessLogMgr,
-		oidcConfig:       oidcConfig,
-		tokenStore:       tokenStore,
-		peersManager:     peersManager,
-		usersManager:     usersManager,
+	ctx, cancel := context.WithCancel(context.Background())
+	s := &ProxyServiceServer{
+		updatesChan:       make(chan *proto.ProxyMapping, 100),
+		accessLogManager:  accessLogMgr,
+		oidcConfig:        oidcConfig,
+		tokenStore:        tokenStore,
+		peersManager:      peersManager,
+		usersManager:      usersManager,
+		pkceCleanupCancel: cancel,
 	}
+	go s.cleanupPKCEVerifiers(ctx)
+	return s
+}
+
+// cleanupPKCEVerifiers periodically removes expired PKCE verifiers.
+func (s *ProxyServiceServer) cleanupPKCEVerifiers(ctx context.Context) {
+	ticker := time.NewTicker(pkceVerifierTTL)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			now := time.Now()
+			s.pkceVerifiers.Range(func(key, value any) bool {
+				if entry, ok := value.(pkceEntry); ok && now.Sub(entry.createdAt) > pkceVerifierTTL {
+					s.pkceVerifiers.Delete(key)
+				}
+				return true
+			})
+		}
+	}
+}
+
+// Close stops background goroutines.
+func (s *ProxyServiceServer) Close() {
+	s.pkceCleanupCancel()
 }
 
 func (s *ProxyServiceServer) SetProxyManager(manager reverseproxy.Manager) {
@@ -128,12 +167,9 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	}
 
 	proxyAddress := req.GetAddress()
-	log.WithFields(log.Fields{
-		"proxy_id": proxyID,
-		"address":  proxyAddress,
-		"version":  req.GetVersion(),
-		"started":  req.GetStartedAt().AsTime(),
-	}).Info("Proxy connected")
+	if !isProxyAddressValid(proxyAddress) {
+		return status.Errorf(codes.InvalidArgument, "proxy address is invalid")
+	}
 
 	connCtx, cancel := context.WithCancel(ctx)
 	conn := &proxyConnection{
@@ -150,7 +186,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	log.WithFields(log.Fields{
 		"proxy_id":      proxyID,
 		"address":       proxyAddress,
-		"cluster_addr":  extractClusterAddr(proxyAddress),
+		"cluster_addr":  proxyAddress,
 		"total_proxies": len(s.GetConnectedProxies()),
 	}).Info("Proxy registered in cluster")
 	defer func() {
@@ -161,8 +197,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	}()
 
 	if err := s.sendSnapshot(ctx, conn); err != nil {
-		log.Errorf("Failed to send snapshot to proxy %s: %v", proxyID, err)
-		return err
+		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
 	}
 
 	errChan := make(chan error, 2)
@@ -170,7 +205,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 
 	select {
 	case err := <-errChan:
-		return err
+		return fmt.Errorf("send update to proxy %s: %w", proxyID, err)
 	case <-connCtx.Done():
 		return connCtx.Err()
 	}
@@ -184,17 +219,31 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		return fmt.Errorf("get services from store: %w", err)
 	}
 
-	proxyClusterAddr := extractClusterAddr(conn.address)
+	if !isProxyAddressValid(conn.address) {
+		return fmt.Errorf("proxy address is invalid")
+	}
 
+	var filtered []*reverseproxy.Service
 	for _, service := range services {
 		if !service.Enabled {
 			continue
 		}
-
-		if service.ProxyCluster != "" && proxyClusterAddr != "" && service.ProxyCluster != proxyClusterAddr {
+		if service.ProxyCluster == "" || service.ProxyCluster != conn.address {
 			continue
 		}
+		filtered = append(filtered, service)
+	}
 
+	if len(filtered) == 0 {
+		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
+			InitialSyncComplete: true,
+		}); err != nil {
+			return fmt.Errorf("send snapshot completion: %w", err)
+		}
+		return nil
+	}
+
+	for i, service := range filtered {
 		// Generate one-time authentication token for each service in the snapshot
 		// Tokens are not persistent on the proxy, so we need to generate new ones on reconnection
 		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, 5*time.Minute)
@@ -202,7 +251,7 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 			log.WithFields(log.Fields{
 				"service": service.Name,
 				"account": service.AccountID,
-			}).WithError(err).Error("Failed to generate auth token for snapshot")
+			}).WithError(err).Error("failed to generate auth token for snapshot")
 			continue
 		}
 
@@ -214,29 +263,23 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 					s.GetOIDCValidationConfig(),
 				),
 			},
+			InitialSyncComplete: i == len(filtered)-1,
 		}); err != nil {
-			log.WithError(err).Error("Failed to send proxy mapping")
-			continue
+			log.WithFields(log.Fields{
+				"domain":  service.Domain,
+				"account": service.AccountID,
+			}).WithError(err).Error("failed to send proxy mapping")
+			return fmt.Errorf("send proxy mapping: %w", err)
 		}
 	}
 
 	return nil
 }
 
-// extractClusterAddr extracts the host from a proxy address URL.
-func extractClusterAddr(addr string) string {
-	if addr == "" {
-		return ""
-	}
-	u, err := url.Parse(addr)
-	if err != nil {
-		return addr
-	}
-	host := u.Host
-	if h, _, err := net.SplitHostPort(host); err == nil {
-		return h
-	}
-	return host
+// isProxyAddressValid validates a proxy address
+func isProxyAddressValid(addr string) bool {
+	_, err := domain.ValidateDomains([]string{addr})
+	return err == nil
 }
 
 // sender handles sending messages to proxy
@@ -245,7 +288,6 @@ func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error)
 		select {
 		case msg := <-conn.sendChan:
 			if err := conn.stream.Send(&proto.GetMappingUpdateResponse{Mapping: []*proto.ProxyMapping{msg}}); err != nil {
-				log.Errorf("Failed to send message to proxy %s: %v", conn.proxyID, err)
 				errChan <- err
 				return
 			}
@@ -286,21 +328,26 @@ func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendA
 
 	if err := s.accessLogManager.SaveAccessLog(ctx, logEntry); err != nil {
 		log.WithContext(ctx).Errorf("failed to save access log: %v", err)
-		return nil, status.Errorf(codes.Internal, "failed to save access log: %v", err)
+		return nil, status.Errorf(codes.Internal, "save access log: %v", err)
 	}
 
 	return &proto.SendAccessLogResponse{}, nil
 }
 
 // SendServiceUpdate broadcasts a service update to all connected proxy servers.
-// Management should call this when services are created/updated/removed
+// Management should call this when services are created/updated/removed.
+// For create/update operations a unique one-time auth token is generated per
+// proxy so that every replica can independently authenticate with management.
 func (s *ProxyServiceServer) SendServiceUpdate(update *proto.ProxyMapping) {
-	// Send it to all connected proxy servers
 	log.Debugf("Broadcasting service update to all connected proxy servers")
 	s.connectedProxies.Range(func(key, value interface{}) bool {
 		conn := value.(*proxyConnection)
+		msg := s.perProxyMessage(update, conn.proxyID)
+		if msg == nil {
+			return true
+		}
 		select {
-		case conn.sendChan <- update:
+		case conn.sendChan <- msg:
 			log.Debugf("Sent service update with id %s to proxy server %s", update.Id, conn.proxyID)
 		default:
 			log.Warnf("Failed to send service update to proxy server %s (channel full)", conn.proxyID)
@@ -368,6 +415,8 @@ func (s *ProxyServiceServer) removeFromCluster(clusterAddr, proxyID string) {
 
 // SendServiceUpdateToCluster sends a service update to all proxy servers in a specific cluster.
 // If clusterAddr is empty, broadcasts to all connected proxy servers (backward compatibility).
+// For create/update operations a unique one-time auth token is generated per
+// proxy so that every replica can independently authenticate with management.
 func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMapping, clusterAddr string) {
 	if clusterAddr == "" {
 		s.SendServiceUpdate(update)
@@ -385,8 +434,12 @@ func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMappi
 		proxyID := key.(string)
 		if connVal, ok := s.connectedProxies.Load(proxyID); ok {
 			conn := connVal.(*proxyConnection)
+			msg := s.perProxyMessage(update, proxyID)
+			if msg == nil {
+				return true
+			}
 			select {
-			case conn.sendChan <- update:
+			case conn.sendChan <- msg:
 				log.Debugf("Sent service update with id %s to proxy %s in cluster %s", update.Id, proxyID, clusterAddr)
 			default:
 				log.Warnf("Failed to send service update to proxy %s in cluster %s (channel full)", proxyID, clusterAddr)
@@ -396,6 +449,42 @@ func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMappi
 	})
 }
 
+// perProxyMessage returns a copy of update with a fresh one-time token for
+// create/update operations. For delete operations the original message is
+// returned unchanged because proxies do not need to authenticate for removal.
+// Returns nil if token generation fails (the proxy should be skipped).
+func (s *ProxyServiceServer) perProxyMessage(update *proto.ProxyMapping, proxyID string) *proto.ProxyMapping {
+	if update.Type == proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED || update.AccountId == "" {
+		return update
+	}
+
+	token, err := s.tokenStore.GenerateToken(update.AccountId, update.Id, 5*time.Minute)
+	if err != nil {
+		log.Warnf("Failed to generate token for proxy %s: %v", proxyID, err)
+		return nil
+	}
+
+	msg := shallowCloneMapping(update)
+	msg.AuthToken = token
+	return msg
+}
+
+// shallowCloneMapping creates a shallow copy of a ProxyMapping, reusing the
+// same slice/pointer fields. Only scalar fields that differ per proxy (AuthToken)
+// should be set on the copy.
+func shallowCloneMapping(m *proto.ProxyMapping) *proto.ProxyMapping {
+	return &proto.ProxyMapping{
+		Type:             m.Type,
+		Id:               m.Id,
+		AccountId:        m.AccountId,
+		Domain:           m.Domain,
+		Path:             m.Path,
+		Auth:             m.Auth,
+		PassHostHeader:   m.PassHostHeader,
+		RewriteRedirects: m.RewriteRedirects,
+	}
+}
+
 // GetAvailableClusters returns information about all connected proxy clusters.
 func (s *ProxyServiceServer) GetAvailableClusters() []ClusterInfo {
 	clusterCounts := make(map[string]int)
@@ -426,8 +515,8 @@ func (s *ProxyServiceServer) GetAvailableClusters() []ClusterInfo {
 func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
 	service, err := s.reverseProxyManager.GetServiceByID(ctx, req.GetAccountId(), req.GetId())
 	if err != nil {
-		// TODO: log the error
-		return nil, status.Errorf(codes.FailedPrecondition, "failed to get service from store: %v", err)
+		log.WithContext(ctx).Debugf("failed to get service from store: %v", err)
+		return nil, status.Errorf(codes.FailedPrecondition, "get service from store: %v", err)
 	}
 
 	var authenticated bool
@@ -437,8 +526,7 @@ func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.Authen
 	case *proto.AuthenticateRequest_Pin:
 		auth := service.Auth.PinAuth
 		if auth == nil || !auth.Enabled {
-			// TODO: log
-			// Break here and use the default authenticated == false.
+			log.WithContext(ctx).Debugf("PIN authentication attempted but not enabled for service %s", req.GetId())
 			break
 		}
 		err = argon2id.Verify(v.Pin.GetPin(), auth.Pin)
@@ -456,8 +544,7 @@ func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.Authen
 	case *proto.AuthenticateRequest_Password:
 		auth := service.Auth.PasswordAuth
 		if auth == nil || !auth.Enabled {
-			// TODO: log
-			// Break here and use the default authenticated == false.
+			log.WithContext(ctx).Debugf("password authentication attempted but not enabled for service %s", req.GetId())
 			break
 		}
 		err = argon2id.Verify(v.Password.GetPassword(), auth.Password)
@@ -484,8 +571,8 @@ func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.Authen
 			proxyauth.DefaultSessionExpiry,
 		)
 		if err != nil {
-			log.WithError(err).Error("Failed to sign session token")
-			authenticated = false
+			log.WithContext(ctx).WithError(err).Error("failed to sign session token")
+			return nil, status.Errorf(codes.Internal, "sign session token: %v", err)
 		}
 	}
 
@@ -516,8 +603,8 @@ func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.Se
 
 	if certificateIssued {
 		if err := s.reverseProxyManager.SetCertificateIssuedAt(ctx, accountID, serviceID); err != nil {
-			log.WithContext(ctx).WithError(err).Error("Failed to set certificate issued timestamp")
-			return nil, status.Errorf(codes.Internal, "failed to update certificate timestamp: %v", err)
+			log.WithContext(ctx).WithError(err).Error("failed to set certificate issued timestamp")
+			return nil, status.Errorf(codes.Internal, "update certificate timestamp: %v", err)
 		}
 		log.WithFields(log.Fields{
 			"service_id": serviceID,
@@ -528,8 +615,8 @@ func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.Se
 	internalStatus := protoStatusToInternal(protoStatus)
 
 	if err := s.reverseProxyManager.SetStatus(ctx, accountID, serviceID, internalStatus); err != nil {
-		log.WithContext(ctx).WithError(err).Error("Failed to set service status")
-		return nil, status.Errorf(codes.Internal, "failed to update service status: %v", err)
+		log.WithContext(ctx).WithError(err).Error("failed to update service status")
+		return nil, status.Errorf(codes.Internal, "update service status: %v", err)
 	}
 
 	log.WithFields(log.Fields{
@@ -591,7 +678,7 @@ func (s *ProxyServiceServer) CreateProxyPeer(ctx context.Context, req *proto.Cre
 		return &proto.CreateProxyPeerResponse{
 			Success:      false,
 			ErrorMessage: strPtr("authentication failed: invalid or expired token"),
-		}, status.Errorf(codes.Unauthenticated, "token validation failed: %v", err)
+		}, status.Errorf(codes.Unauthenticated, "token validation: %v", err)
 	}
 
 	err := s.peersManager.CreateProxyPeer(ctx, accountID, key, cluster)
@@ -599,11 +686,11 @@ func (s *ProxyServiceServer) CreateProxyPeer(ctx context.Context, req *proto.Cre
 		log.WithFields(log.Fields{
 			"service_id": serviceID,
 			"account_id": accountID,
-		}).WithError(err).Error("CreateProxyPeer: failed to create proxy peer")
+		}).WithError(err).Error("failed to create proxy peer")
 		return &proto.CreateProxyPeerResponse{
 			Success:      false,
-			ErrorMessage: strPtr(fmt.Sprintf("failed to create proxy peer: %v", err)),
-		}, status.Errorf(codes.Internal, "failed to create proxy peer: %v", err)
+			ErrorMessage: strPtr(fmt.Sprintf("create proxy peer: %v", err)),
+		}, status.Errorf(codes.Internal, "create proxy peer: %v", err)
 	}
 
 	return &proto.CreateProxyPeerResponse{
@@ -619,14 +706,13 @@ func strPtr(s string) *string {
 func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCURLRequest) (*proto.GetOIDCURLResponse, error) {
 	redirectURL, err := url.Parse(req.GetRedirectUrl())
 	if err != nil {
-		// TODO: log
-		return nil, status.Errorf(codes.InvalidArgument, "failed to parse redirect url: %v", err)
+		return nil, status.Errorf(codes.InvalidArgument, "parse redirect url: %v", err)
 	}
 	// Validate redirectURL against known service endpoints to avoid abuse of OIDC redirection.
 	services, err := s.reverseProxyManager.GetAccountServices(ctx, req.GetAccountId())
 	if err != nil {
-		// TODO: log
-		return nil, status.Errorf(codes.FailedPrecondition, "failed to get services from store: %v", err)
+		log.WithContext(ctx).Errorf("failed to get account services: %v", err)
+		return nil, status.Errorf(codes.FailedPrecondition, "get account services: %v", err)
 	}
 	var found bool
 	for _, service := range services {
@@ -636,14 +722,14 @@ func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCU
 		}
 	}
 	if !found {
-		// TODO: log
+		log.WithContext(ctx).Debugf("OIDC redirect URL %q does not match any service domain", redirectURL.Hostname())
 		return nil, status.Errorf(codes.FailedPrecondition, "service not found in store")
 	}
 
 	provider, err := oidc.NewProvider(ctx, s.oidcConfig.Issuer)
 	if err != nil {
-		// TODO: log
-		return nil, status.Errorf(codes.FailedPrecondition, "failed to create OIDC provider: %v", err)
+		log.WithContext(ctx).Errorf("failed to create OIDC provider: %v", err)
+		return nil, status.Errorf(codes.FailedPrecondition, "create OIDC provider: %v", err)
 	}
 
 	scopes := s.oidcConfig.Scopes
@@ -651,13 +737,23 @@ func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCU
 		scopes = []string{oidc.ScopeOpenID, "profile", "email"}
 	}
 
+	// Generate a random nonce to ensure each OIDC request gets a unique state.
+	// Without this, multiple requests to the same URL would generate the same state
+	// but different PKCE verifiers, causing the later verifier to overwrite the earlier one.
+	nonce := make([]byte, 16)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, status.Errorf(codes.Internal, "generate nonce: %v", err)
+	}
+	nonceB64 := base64.URLEncoding.EncodeToString(nonce)
+
 	// Using an HMAC here to avoid redirection state being modified.
-	// State format: base64(redirectURL)|hmac
-	hmacSum := s.generateHMAC(redirectURL.String())
-	state := fmt.Sprintf("%s|%s", base64.URLEncoding.EncodeToString([]byte(redirectURL.String())), hmacSum)
+	// State format: base64(redirectURL)|nonce|hmac(redirectURL|nonce)
+	payload := redirectURL.String() + "|" + nonceB64
+	hmacSum := s.generateHMAC(payload)
+	state := fmt.Sprintf("%s|%s|%s", base64.URLEncoding.EncodeToString([]byte(redirectURL.String())), nonceB64, hmacSum)
 
 	codeVerifier := oauth2.GenerateVerifier()
-	s.pkceVerifiers.Store(state, codeVerifier)
+	s.pkceVerifiers.Store(state, pkceEntry{verifier: codeVerifier, createdAt: time.Now()})
 
 	return &proto.GetOIDCURLResponse{
 		Url: (&oauth2.Config{
@@ -698,18 +794,24 @@ func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL
 	if !ok {
 		return "", "", errors.New("no verifier for state")
 	}
-	verifier, ok = v.(string)
+	entry, ok := v.(pkceEntry)
 	if !ok {
 		return "", "", errors.New("invalid verifier for state")
 	}
+	if time.Since(entry.createdAt) > pkceVerifierTTL {
+		return "", "", errors.New("PKCE verifier expired")
+	}
+	verifier = entry.verifier
 
+	// State format: base64(redirectURL)|nonce|hmac(redirectURL|nonce)
 	parts := strings.Split(state, "|")
-	if len(parts) != 2 {
+	if len(parts) != 3 {
 		return "", "", errors.New("invalid state format")
 	}
 
 	encodedURL := parts[0]
-	providedHMAC := parts[1]
+	nonce := parts[1]
+	providedHMAC := parts[2]
 
 	redirectURLBytes, err := base64.URLEncoding.DecodeString(encodedURL)
 	if err != nil {
@@ -717,10 +819,11 @@ func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL
 	}
 	redirectURL = string(redirectURLBytes)
 
-	expectedHMAC := s.generateHMAC(redirectURL)
+	payload := redirectURL + "|" + nonce
+	expectedHMAC := s.generateHMAC(payload)
 
 	if !hmac.Equal([]byte(providedHMAC), []byte(expectedHMAC)) {
-		return "", "", fmt.Errorf("invalid state signature")
+		return "", "", errors.New("invalid state signature")
 	}
 
 	return verifier, redirectURL, nil
@@ -833,6 +936,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"domain": domain,
 			"error":  err.Error(),
 		}).Debug("ValidateSession: service not found")
+		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "service_not_found",
@@ -845,6 +949,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"domain": domain,
 			"error":  err.Error(),
 		}).Error("ValidateSession: decode public key")
+		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "invalid_service_config",
@@ -857,6 +962,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"domain": domain,
 			"error":  err.Error(),
 		}).Debug("ValidateSession: invalid session token")
+		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "invalid_token",
@@ -870,6 +976,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_id": userID,
 			"error":   err.Error(),
 		}).Debug("ValidateSession: user not found")
+		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "user_not_found",
@@ -883,6 +990,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_account":    user.AccountID,
 			"service_account": service.AccountID,
 		}).Debug("ValidateSession: user account mismatch")
+		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "account_mismatch",
@@ -895,6 +1003,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_id": userID,
 			"error":   err.Error(),
 		}).Debug("ValidateSession: access denied")
+		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			UserId:       user.Id,

management/internals/shared/grpc/proxy_group_access_test.go

@@ -29,19 +29,19 @@ func (m *mockReverseProxyManager) GetGlobalServices(ctx context.Context) ([]*rev
 }
 
 func (m *mockReverseProxyManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
-	return nil, nil
+	return []*reverseproxy.Service{}, nil
 }
 
 func (m *mockReverseProxyManager) GetService(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.Service, error) {
-	return nil, nil
+	return &reverseproxy.Service{}, nil
 }
 
 func (m *mockReverseProxyManager) CreateService(ctx context.Context, accountID, userID string, rp *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
+	return &reverseproxy.Service{}, nil
 }
 
 func (m *mockReverseProxyManager) UpdateService(ctx context.Context, accountID, userID string, rp *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
+	return &reverseproxy.Service{}, nil
 }
 
 func (m *mockReverseProxyManager) DeleteService(ctx context.Context, accountID, userID, reverseProxyID string) error {
@@ -65,7 +65,7 @@ func (m *mockReverseProxyManager) ReloadService(ctx context.Context, accountID,
 }
 
 func (m *mockReverseProxyManager) GetServiceByID(ctx context.Context, accountID, reverseProxyID string) (*reverseproxy.Service, error) {
-	return nil, nil
+	return &reverseproxy.Service{}, nil
 }
 
 func (m *mockReverseProxyManager) GetServiceIDByTargetID(_ context.Context, _, _ string) (string, error) {
@@ -120,7 +120,7 @@ func TestValidateUserGroupAccess(t *testing.T) {
 				"user1": {Id: "user1", AccountID: "account1"},
 			},
 			expectErr:    true,
-			expectErrMsg: "reverse proxy not found",
+			expectErrMsg: "service not found",
 		},
 		{
 			name:   "proxy exists in different account - not accessible",
@@ -133,7 +133,7 @@ func TestValidateUserGroupAccess(t *testing.T) {
 				"user1": {Id: "user1", AccountID: "account1"},
 			},
 			expectErr:    true,
-			expectErrMsg: "reverse proxy not found",
+			expectErrMsg: "service not found",
 		},
 		{
 			name:   "no bearer auth configured - same account allows access",
@@ -260,7 +260,7 @@ func TestValidateUserGroupAccess(t *testing.T) {
 				"user1": {Id: "user1", AccountID: "account1"},
 			},
 			expectErr:    true,
-			expectErrMsg: "get account reverse proxies",
+			expectErrMsg: "get account services",
 		},
 		{
 			name:   "multiple proxies in account - finds correct one",
@@ -366,7 +366,7 @@ func TestGetAccountProxyByDomain(t *testing.T) {
 				},
 			}
 
-			proxy, err := server.getAccountProxyByDomain(context.Background(), tt.accountID, tt.domain)
+			proxy, err := server.getAccountServiceByDomain(context.Background(), tt.accountID, tt.domain)
 
 			if tt.expectErr {
 				require.Error(t, err)

management/internals/shared/grpc/proxy_test.go

@@ -0,0 +1,232 @@
+package grpc
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// registerFakeProxy adds a fake proxy connection to the server's internal maps
+// and returns the channel where messages will be received.
+func registerFakeProxy(s *ProxyServiceServer, proxyID, clusterAddr string) chan *proto.ProxyMapping {
+	ch := make(chan *proto.ProxyMapping, 10)
+	conn := &proxyConnection{
+		proxyID:  proxyID,
+		address:  clusterAddr,
+		sendChan: ch,
+	}
+	s.connectedProxies.Store(proxyID, conn)
+
+	proxySet, _ := s.clusterProxies.LoadOrStore(clusterAddr, &sync.Map{})
+	proxySet.(*sync.Map).Store(proxyID, struct{}{})
+
+	return ch
+}
+
+func drainChannel(ch chan *proto.ProxyMapping) *proto.ProxyMapping {
+	select {
+	case msg := <-ch:
+		return msg
+	case <-time.After(time.Second):
+		return nil
+	}
+}
+
+func TestSendServiceUpdateToCluster_UniqueTokensPerProxy(t *testing.T) {
+	tokenStore := NewOneTimeTokenStore(time.Hour)
+	defer tokenStore.Close()
+
+	s := &ProxyServiceServer{
+		tokenStore:  tokenStore,
+		updatesChan: make(chan *proto.ProxyMapping, 100),
+	}
+
+	const cluster = "proxy.example.com"
+	const numProxies = 3
+
+	channels := make([]chan *proto.ProxyMapping, numProxies)
+	for i := range numProxies {
+		id := "proxy-" + string(rune('a'+i))
+		channels[i] = registerFakeProxy(s, id, cluster)
+	}
+
+	update := &proto.ProxyMapping{
+		Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
+		Id:        "service-1",
+		AccountId: "account-1",
+		Domain:    "test.example.com",
+		Path: []*proto.PathMapping{
+			{Path: "/", Target: "http://10.0.0.1:8080/"},
+		},
+	}
+
+	s.SendServiceUpdateToCluster(update, cluster)
+
+	tokens := make([]string, numProxies)
+	for i, ch := range channels {
+		msg := drainChannel(ch)
+		require.NotNil(t, msg, "proxy %d should receive a message", i)
+		assert.Equal(t, update.Domain, msg.Domain)
+		assert.Equal(t, update.Id, msg.Id)
+		assert.NotEmpty(t, msg.AuthToken, "proxy %d should have a non-empty token", i)
+		tokens[i] = msg.AuthToken
+	}
+
+	// All tokens must be unique
+	tokenSet := make(map[string]struct{})
+	for i, tok := range tokens {
+		_, exists := tokenSet[tok]
+		assert.False(t, exists, "proxy %d got duplicate token", i)
+		tokenSet[tok] = struct{}{}
+	}
+
+	// Each token must be independently consumable
+	for i, tok := range tokens {
+		err := tokenStore.ValidateAndConsume(tok, "account-1", "service-1")
+		assert.NoError(t, err, "proxy %d token should validate successfully", i)
+	}
+}
+
+func TestSendServiceUpdateToCluster_DeleteNoToken(t *testing.T) {
+	tokenStore := NewOneTimeTokenStore(time.Hour)
+	defer tokenStore.Close()
+
+	s := &ProxyServiceServer{
+		tokenStore:  tokenStore,
+		updatesChan: make(chan *proto.ProxyMapping, 100),
+	}
+
+	const cluster = "proxy.example.com"
+	ch1 := registerFakeProxy(s, "proxy-a", cluster)
+	ch2 := registerFakeProxy(s, "proxy-b", cluster)
+
+	update := &proto.ProxyMapping{
+		Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
+		Id:        "service-1",
+		AccountId: "account-1",
+		Domain:    "test.example.com",
+	}
+
+	s.SendServiceUpdateToCluster(update, cluster)
+
+	msg1 := drainChannel(ch1)
+	msg2 := drainChannel(ch2)
+	require.NotNil(t, msg1)
+	require.NotNil(t, msg2)
+
+	// Delete operations should not generate tokens
+	assert.Empty(t, msg1.AuthToken)
+	assert.Empty(t, msg2.AuthToken)
+
+	// No tokens should have been created
+	assert.Equal(t, 0, tokenStore.GetTokenCount())
+}
+
+func TestSendServiceUpdate_UniqueTokensPerProxy(t *testing.T) {
+	tokenStore := NewOneTimeTokenStore(time.Hour)
+	defer tokenStore.Close()
+
+	s := &ProxyServiceServer{
+		tokenStore:  tokenStore,
+		updatesChan: make(chan *proto.ProxyMapping, 100),
+	}
+
+	// Register proxies in different clusters (SendServiceUpdate broadcasts to all)
+	ch1 := registerFakeProxy(s, "proxy-a", "cluster-a")
+	ch2 := registerFakeProxy(s, "proxy-b", "cluster-b")
+
+	update := &proto.ProxyMapping{
+		Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
+		Id:        "service-1",
+		AccountId: "account-1",
+		Domain:    "test.example.com",
+	}
+
+	s.SendServiceUpdate(update)
+
+	msg1 := drainChannel(ch1)
+	msg2 := drainChannel(ch2)
+	require.NotNil(t, msg1)
+	require.NotNil(t, msg2)
+
+	assert.NotEmpty(t, msg1.AuthToken)
+	assert.NotEmpty(t, msg2.AuthToken)
+	assert.NotEqual(t, msg1.AuthToken, msg2.AuthToken, "tokens must be unique per proxy")
+
+	// Both tokens should validate
+	assert.NoError(t, tokenStore.ValidateAndConsume(msg1.AuthToken, "account-1", "service-1"))
+	assert.NoError(t, tokenStore.ValidateAndConsume(msg2.AuthToken, "account-1", "service-1"))
+}
+
+// generateState creates a state using the same format as GetOIDCURL.
+func generateState(s *ProxyServiceServer, redirectURL string) string {
+	nonce := make([]byte, 16)
+	_, _ = rand.Read(nonce)
+	nonceB64 := base64.URLEncoding.EncodeToString(nonce)
+
+	payload := redirectURL + "|" + nonceB64
+	hmacSum := s.generateHMAC(payload)
+	return base64.URLEncoding.EncodeToString([]byte(redirectURL)) + "|" + nonceB64 + "|" + hmacSum
+}
+
+func TestOAuthState_NeverTheSame(t *testing.T) {
+	s := &ProxyServiceServer{
+		oidcConfig: ProxyOIDCConfig{
+			HMACKey: []byte("test-hmac-key"),
+		},
+	}
+
+	redirectURL := "https://app.example.com/callback"
+
+	// Generate 100 states for the same redirect URL
+	states := make(map[string]bool)
+	for i := 0; i < 100; i++ {
+		state := generateState(s, redirectURL)
+
+		// State must have 3 parts: base64(url)|nonce|hmac
+		parts := strings.Split(state, "|")
+		require.Equal(t, 3, len(parts), "state must have 3 parts")
+
+		// State must be unique
+		require.False(t, states[state], "state %d is a duplicate", i)
+		states[state] = true
+	}
+}
+
+func TestValidateState_RejectsOldTwoPartFormat(t *testing.T) {
+	s := &ProxyServiceServer{
+		oidcConfig: ProxyOIDCConfig{
+			HMACKey: []byte("test-hmac-key"),
+		},
+	}
+
+	// Old format had only 2 parts: base64(url)|hmac
+	s.pkceVerifiers.Store("base64url|hmac", pkceEntry{verifier: "test", createdAt: time.Now()})
+
+	_, _, err := s.ValidateState("base64url|hmac")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid state format")
+}
+
+func TestValidateState_RejectsInvalidHMAC(t *testing.T) {
+	s := &ProxyServiceServer{
+		oidcConfig: ProxyOIDCConfig{
+			HMACKey: []byte("test-hmac-key"),
+		},
+	}
+
+	// Store with tampered HMAC
+	s.pkceVerifiers.Store("dGVzdA==|nonce|wrong-hmac", pkceEntry{verifier: "test", createdAt: time.Now()})
+
+	_, _, err := s.ValidateState("dGVzdA==|nonce|wrong-hmac")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid state signature")
+}

management/server/account_test.go

@@ -27,6 +27,8 @@ import (
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	ephemeral_manager "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
@@ -1800,6 +1802,14 @@ func TestAccount_Copy(t *testing.T) {
 				Address:   "172.12.6.1/24",
 			},
 		},
+		Services: []*reverseproxy.Service{
+			{
+				ID:        "service1",
+				Name:      "test-service",
+				AccountID: "account1",
+				Targets:   []*reverseproxy.Target{},
+			},
+		},
 		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
 	account.InitOnce()
@@ -3112,6 +3122,8 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 		return nil, nil, err
 	}
 
+	manager.SetServiceManager(reverseproxymanager.NewManager(store, manager, permissionsManager, nil, nil))
+
 	return manager, updateManager, nil
 }
 

management/server/group_test.go

@@ -703,7 +703,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("saving group linked to network router", func(t *testing.T) {
 		permissionsManager := permissions.NewManager(manager.Store)
 		groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
-		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager)
+		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager, manager.reverseProxyManager)
 		routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
 		networksManager := networks.NewManager(manager.Store, permissionsManager, resourcesManager, routersManager, manager)
 

management/server/http/handler.go

@@ -4,23 +4,28 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/netip"
 	"os"
 	"strconv"
 	"time"
 
 	"github.com/gorilla/mux"
-	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+
+	"github.com/netbirdio/netbird/management/server/types"
+
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	idpmanager "github.com/netbirdio/netbird/management/server/idp"
 
 	"github.com/netbirdio/management-integrations/integrations"
+
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -32,6 +37,8 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 
+	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
+
 	nbpeers "github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/geolocation"
@@ -45,7 +52,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/handlers/networks"
 	"github.com/netbirdio/netbird/management/server/http/handlers/peers"
 	"github.com/netbirdio/netbird/management/server/http/handlers/policies"
-	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 	"github.com/netbirdio/netbird/management/server/http/handlers/routes"
 	"github.com/netbirdio/netbird/management/server/http/handlers/setup_keys"
 	"github.com/netbirdio/netbird/management/server/http/handlers/users"
@@ -67,7 +73,7 @@ const (
 )
 
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *domain.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {
 
 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -173,7 +179,7 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 
 	// Register OAuth callback handler for proxy authentication
 	if proxyGRPCServer != nil {
-		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer)
+		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer, trustedHTTPProxies)
 		oauthHandler.RegisterEndpoints(router)
 	}
 

management/server/http/handlers/peers/peers_handler.go

@@ -152,6 +152,11 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 		return
 	}
 
+	if peer.ProxyMeta.Embedded {
+		util.WriteError(ctx, status.Errorf(status.InvalidArgument, "not allowed to read peer"), w)
+		return
+	}
+
 	settings, err := h.accountManager.GetAccountSettings(ctx, accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(ctx, err, w)
@@ -319,6 +324,9 @@ func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, len(peers))
 	respBody := make([]*api.PeerBatch, 0, len(peers))
 	for _, peer := range peers {
+		if peer.ProxyMeta.Embedded {
+			continue
+		}
 		respBody = append(respBody, toPeerListItemResponse(peer, grpsInfoMap[peer.ID], dnsDomain, 0))
 	}
 

management/server/http/handlers/proxy/auth.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
 	"strings"
 	"time"
@@ -21,12 +22,13 @@ import (
 
 // AuthCallbackHandler handles OAuth callbacks for proxy authentication.
 type AuthCallbackHandler struct {
-	proxyService *nbgrpc.ProxyServiceServer
-	rateLimiter  *middleware.APIRateLimiter
+	proxyService   *nbgrpc.ProxyServiceServer
+	rateLimiter    *middleware.APIRateLimiter
+	trustedProxies []netip.Prefix
 }
 
 // NewAuthCallbackHandler creates a new OAuth callback handler.
-func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer) *AuthCallbackHandler {
+func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer, trustedProxies []netip.Prefix) *AuthCallbackHandler {
 	rateLimiterConfig := &middleware.RateLimiterConfig{
 		RequestsPerMinute: 10,
 		Burst:             15,
@@ -35,8 +37,9 @@ func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer) *AuthCallba
 	}
 
 	return &AuthCallbackHandler{
-		proxyService: proxyService,
-		rateLimiter:  middleware.NewAPIRateLimiter(rateLimiterConfig),
+		proxyService:   proxyService,
+		rateLimiter:    middleware.NewAPIRateLimiter(rateLimiterConfig),
+		trustedProxies: trustedProxies,
 	}
 }
 
@@ -46,7 +49,7 @@ func (h *AuthCallbackHandler) RegisterEndpoints(router *mux.Router) {
 }
 
 func (h *AuthCallbackHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
-	clientIP := getClientIP(r)
+	clientIP := h.resolveClientIP(r)
 	if !h.rateLimiter.Allow(clientIP) {
 		log.WithField("client_ip", clientIP).Warn("OAuth callback rate limit exceeded")
 		http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
@@ -149,23 +152,57 @@ func extractUserIDFromToken(ctx context.Context, provider *oidc.Provider, config
 	return claims.Subject
 }
 
-// getClientIP extracts the client IP address from the request.
-func getClientIP(r *http.Request) string {
-	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		if idx := strings.Index(xff, ","); idx != -1 {
-			return strings.TrimSpace(xff[:idx])
+// resolveClientIP extracts the real client IP from the request.
+// When trustedProxies is non-empty and the direct peer is trusted,
+// it walks X-Forwarded-For right-to-left skipping trusted IPs.
+// Otherwise it returns RemoteAddr directly.
+func (h *AuthCallbackHandler) resolveClientIP(r *http.Request) string {
+	remoteIP := extractHost(r.RemoteAddr)
+
+	if len(h.trustedProxies) == 0 || !isTrustedProxy(remoteIP, h.trustedProxies) {
+		return remoteIP
+	}
+
+	xff := r.Header.Get("X-Forwarded-For")
+	if xff == "" {
+		return remoteIP
+	}
+
+	parts := strings.Split(xff, ",")
+	for i := len(parts) - 1; i >= 0; i-- {
+		ip := strings.TrimSpace(parts[i])
+		if ip == "" {
+			continue
+		}
+		if !isTrustedProxy(ip, h.trustedProxies) {
+			return ip
 		}
-		return xff
 	}
 
-	if xri := r.Header.Get("X-Real-IP"); xri != "" {
-		return xri
+	// All IPs in XFF are trusted; return the leftmost as best guess.
+	if first := strings.TrimSpace(parts[0]); first != "" {
+		return first
 	}
+	return remoteIP
+}
 
-	// Fall back to RemoteAddr
-	host, _, err := net.SplitHostPort(r.RemoteAddr)
+func extractHost(remoteAddr string) string {
+	host, _, err := net.SplitHostPort(remoteAddr)
 	if err != nil {
-		return r.RemoteAddr
+		return remoteAddr
 	}
 	return host
 }
+
+func isTrustedProxy(ipStr string, trusted []netip.Prefix) bool {
+	addr, err := netip.ParseAddr(ipStr)
+	if err != nil {
+		return false
+	}
+	for _, prefix := range trusted {
+		if prefix.Contains(addr) {
+			return true
+		}
+	}
+	return false
+}

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	accesslogs "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -161,8 +161,8 @@ func (m *testAccessLogManager) SaveAccessLog(_ context.Context, _ *accesslogs.Ac
 	return nil
 }
 
-func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string) ([]*accesslogs.AccessLogEntry, error) {
-	return nil, nil
+func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string, _ *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	return nil, 0, nil
 }
 
 func setupAuthCallbackTest(t *testing.T) *testSetup {
@@ -200,7 +200,7 @@ func setupAuthCallbackTest(t *testing.T) *testSetup {
 
 	proxyService.SetProxyManager(&testServiceManager{store: testStore})
 
-	handler := NewAuthCallbackHandler(proxyService)
+	handler := NewAuthCallbackHandler(proxyService, nil)
 
 	router := mux.NewRouter()
 	handler.RegisterEndpoints(router)
@@ -382,7 +382,7 @@ func (m *testServiceManager) ReloadService(_ context.Context, _, _ string) error
 }
 
 func (m *testServiceManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	return m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
+	return m.store.GetServices(ctx, store.LockingStrengthNone)
 }
 
 func (m *testServiceManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.Service, error) {

management/server/http/handlers/proxy/auth_test.go

@@ -3,6 +3,7 @@ package proxy
 import (
 	"net/http"
 	"net/http/httptest"
+	"net/netip"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,7 +13,7 @@ import (
 )
 
 func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
 	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
 
 	req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
@@ -54,7 +55,7 @@ func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
 }
 
 func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
 	testIP := "10.0.0.50"
 
 	handler.rateLimiter.Reset(testIP)
@@ -75,46 +76,76 @@ func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
 	})
 }
 
-func TestGetClientIP(t *testing.T) {
+func TestResolveClientIP(t *testing.T) {
+	trusted := []netip.Prefix{
+		netip.MustParsePrefix("10.0.0.0/8"),
+		netip.MustParsePrefix("172.16.0.0/12"),
+	}
+
 	tests := []struct {
 		name          string
 		remoteAddr    string
 		xForwardedFor string
-		xRealIP       string
+		trustedProxy  []netip.Prefix
 		expectedIP    string
 	}{
 		{
-			name:       "extract from RemoteAddr",
-			remoteAddr: "192.168.1.100:12345",
-			expectedIP: "192.168.1.100",
+			name:          "no trusted proxies returns RemoteAddr",
+			remoteAddr:    "203.0.113.50:9999",
+			xForwardedFor: "1.2.3.4",
+			trustedProxy:  nil,
+			expectedIP:    "203.0.113.50",
 		},
 		{
-			name:          "extract from X-Forwarded-For single IP",
-			remoteAddr:    "10.0.0.1:54321",
-			xForwardedFor: "203.0.113.195",
-			expectedIP:    "203.0.113.195",
+			name:          "untrusted RemoteAddr ignores XFF",
+			remoteAddr:    "203.0.113.50:9999",
+			xForwardedFor: "1.2.3.4, 10.0.0.1",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
 		},
 		{
-			name:          "extract from X-Forwarded-For multiple IPs",
-			remoteAddr:    "10.0.0.1:54321",
-			xForwardedFor: "203.0.113.195, 70.41.3.18, 150.172.238.178",
-			expectedIP:    "203.0.113.195",
+			name:          "trusted RemoteAddr with single client in XFF",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "203.0.113.50",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
 		},
 		{
-			name:       "extract from X-Real-IP",
-			remoteAddr: "10.0.0.1:54321",
-			xRealIP:    "198.51.100.42",
-			expectedIP: "198.51.100.42",
+			name:          "trusted RemoteAddr walks past trusted entries in XFF",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "203.0.113.50, 10.0.0.2, 172.16.0.5",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
 		},
 		{
-			name:          "X-Forwarded-For takes precedence over X-Real-IP",
-			remoteAddr:    "10.0.0.1:54321",
-			xForwardedFor: "203.0.113.195",
-			xRealIP:       "198.51.100.42",
-			expectedIP:    "203.0.113.195",
+			name:         "trusted RemoteAddr with empty XFF falls back to RemoteAddr",
+			remoteAddr:   "10.0.0.1:5000",
+			trustedProxy: trusted,
+			expectedIP:   "10.0.0.1",
 		},
 		{
-			name:       "handle RemoteAddr without port",
+			name:          "all XFF IPs trusted returns leftmost",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "10.0.0.2, 172.16.0.1, 10.0.0.3",
+			trustedProxy:  trusted,
+			expectedIP:    "10.0.0.2",
+		},
+		{
+			name:          "XFF with whitespace",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: " 203.0.113.50 , 10.0.0.2 ",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:          "multi-hop with mixed trust",
+			remoteAddr:    "10.0.0.1:5000",
+			xForwardedFor: "8.8.8.8, 203.0.113.50, 172.16.0.1",
+			trustedProxy:  trusted,
+			expectedIP:    "203.0.113.50",
+		},
+		{
+			name:       "RemoteAddr without port",
 			remoteAddr: "192.168.1.100",
 			expectedIP: "192.168.1.100",
 		},
@@ -122,24 +153,22 @@ func TestGetClientIP(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, tt.trustedProxy)
+
 			req := httptest.NewRequest(http.MethodGet, "/test", nil)
 			req.RemoteAddr = tt.remoteAddr
-
 			if tt.xForwardedFor != "" {
 				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
 			}
-			if tt.xRealIP != "" {
-				req.Header.Set("X-Real-IP", tt.xRealIP)
-			}
 
-			ip := getClientIP(req)
-			assert.Equal(t, tt.expectedIP, ip, "Extracted IP should match expected")
+			ip := handler.resolveClientIP(req)
+			assert.Equal(t, tt.expectedIP, ip)
 		})
 	}
 }
 
 func TestAuthCallbackHandler_RateLimiterConfiguration(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
 
 	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
 

management/server/http/middleware/auth_middleware.go

@@ -11,6 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"
 
+	"github.com/netbirdio/management-integrations/integrations"
 	serverauth "github.com/netbirdio/netbird/management/server/auth"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
@@ -130,8 +131,10 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		userAuth.AccountId = impersonate[0]
-		userAuth.IsChild = ok
+		if integrations.IsValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+			userAuth.AccountId = impersonate[0]
+			userAuth.IsChild = true
+		}
 	}
 
 	// Email is now extracted in ToUserAuth (from claims or userinfo endpoint)
@@ -207,8 +210,10 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		userAuth.AccountId = impersonate[0]
-		userAuth.IsChild = ok
+		if integrations.IsValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+			userAuth.AccountId = impersonate[0]
+			userAuth.IsChild = true
+		}
 	}
 
 	return nbcontext.SetUserAuthInRequest(r, userAuth), nil

management/server/http/middleware/auth_middleware_test.go

@@ -627,15 +627,14 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 			},
 		},
 		{
-			name:       "Valid PAT Token accesses child",
+			name:       "PAT Token with account param ignored in public version",
 			path:       "/test?account=xyz",
 			authHeader: "Token " + PAT,
 			expectedUserAuth: &nbauth.UserAuth{
-				AccountId:      "xyz",
+				AccountId:      accountID,
 				UserId:         userID,
 				Domain:         testAccount.Domain,
 				DomainCategory: testAccount.DomainCategory,
-				IsChild:        true,
 				IsPAT:          true,
 			},
 		},
@@ -652,15 +651,14 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		},
 
 		{
-			name:       "Valid JWT Token with child",
+			name:       "JWT Token with account param ignored in public version",
 			path:       "/test?account=xyz",
 			authHeader: "Bearer " + JWT,
 			expectedUserAuth: &nbauth.UserAuth{
-				AccountId:      "xyz",
+				AccountId:      accountID,
 				UserId:         userID,
 				Domain:         testAccount.Domain,
 				DomainCategory: testAccount.DomainCategory,
-				IsChild:        true,
 			},
 		},
 	}

management/server/http/testing/testing_tools/channel/channel.go

@@ -10,6 +10,10 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/netbirdio/management-integrations/integrations"
+	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
 	recordsManager "github.com/netbirdio/netbird/management/internals/modules/zones/records/manager"
@@ -86,6 +90,14 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 		t.Fatalf("Failed to create manager: %v", err)
 	}
 
+	accessLogsManager := accesslogsmanager.NewManager(store, permissionsManager, nil)
+	proxyTokenStore := nbgrpc.NewOneTimeTokenStore(1 * time.Minute)
+	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager)
+	domainManager := manager.NewManager(store, proxyServiceServer, permissionsManager)
+	reverseProxyManager := reverseproxymanager.NewManager(store, am, permissionsManager, proxyServiceServer, domainManager)
+	proxyServiceServer.SetProxyManager(reverseProxyManager)
+	am.SetServiceManager(reverseProxyManager)
+
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
 	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
 	authManagerMock := &serverauth.MockManager{
@@ -102,7 +114,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)
 
-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, nil, nil, nil, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, reverseProxyManager, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}

management/server/networks/manager_test.go

@@ -29,7 +29,7 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
@@ -52,7 +52,7 @@ func Test_GetAllNetworksReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
@@ -75,7 +75,7 @@ func Test_GetNetworkReturnsNetwork(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	networks, err := manager.GetNetwork(ctx, accountID, userID, networkID)
@@ -98,7 +98,7 @@ func Test_GetNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	network, err := manager.GetNetwork(ctx, accountID, userID, networkID)
@@ -123,7 +123,7 @@ func Test_CreateNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
@@ -148,7 +148,7 @@ func Test_CreateNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
@@ -171,7 +171,7 @@ func Test_DeleteNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
@@ -193,7 +193,7 @@ func Test_DeleteNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
@@ -218,7 +218,7 @@ func Test_UpdateNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)
@@ -245,7 +245,7 @@ func Test_UpdateNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)

management/server/networks/resources/manager_test.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"testing"
 
+	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -28,7 +30,9 @@ func Test_GetAllResourcesInNetworkReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
 	require.NoError(t, err)
@@ -49,7 +53,9 @@ func Test_GetAllResourcesInNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
 	require.Error(t, err)
@@ -69,7 +75,9 @@ func Test_GetAllResourcesInAccountReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
 	require.NoError(t, err)
@@ -89,7 +97,9 @@ func Test_GetAllResourcesInAccountReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
 	require.Error(t, err)
@@ -112,7 +122,9 @@ func Test_GetResourceInNetworkReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	resource, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
 	require.NoError(t, err)
@@ -134,7 +146,9 @@ func Test_GetResourceInNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	resources, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
 	require.Error(t, err)
@@ -161,7 +175,10 @@ func Test_CreateResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	reverseProxyManager.EXPECT().ReloadAllServicesForAccount(gomock.Any(), resource.AccountID).Return(nil).AnyTimes()
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.NoError(t, err)
@@ -187,7 +204,9 @@ func Test_CreateResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -214,7 +233,9 @@ func Test_CreateResourceFailsWithInvalidAddress(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -240,7 +261,9 @@ func Test_CreateResourceFailsWithUsedName(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -270,7 +293,10 @@ func Test_UpdateResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	reverseProxyManager.EXPECT().ReloadAllServicesForAccount(gomock.Any(), accountID).Return(nil).AnyTimes()
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.NoError(t, err)
@@ -302,7 +328,9 @@ func Test_UpdateResourceFailsWithResourceNotFound(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -332,7 +360,9 @@ func Test_UpdateResourceFailsWithNameInUse(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -361,7 +391,9 @@ func Test_UpdateResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -383,7 +415,10 @@ func Test_DeleteResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	reverseProxyManager.EXPECT().GetServiceIDByTargetID(gomock.Any(), accountID, resourceID).Return("", nil).AnyTimes()
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
 	require.NoError(t, err)
@@ -404,7 +439,9 @@ func Test_DeleteResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	manager := NewManager(store, permissionsManager, groupsManager, &am)
+	ctrl := gomock.NewController(t)
+	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
+	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
 
 	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
 	require.Error(t, err)

management/server/peer.go

@@ -221,6 +221,10 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 			return err
 		}
 
+		if peer.ProxyMeta.Embedded {
+			return fmt.Errorf("not allowed to update peer")
+		}
+
 		settings, err = transaction.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 		if err != nil {
 			return err

management/server/store/sql_store.go

@@ -1100,7 +1100,7 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		Preload("NetworkRouters").
 		Preload("NetworkResources").
 		Preload("Onboarding").
-		Preload("ReverseProxies").
+		Preload("Services.Targets").
 		Take(&account, idQueryCondition, accountID)
 	if result.Error != nil {
 		log.WithContext(ctx).Errorf("error when getting account %s from the store: %s", accountID, result.Error)
@@ -5132,9 +5132,10 @@ func (s *SqlStore) applyAccessLogFilters(query *gorm.DB, filter accesslogs.Acces
 	}
 
 	if filter.Status != nil {
-		if *filter.Status == "success" {
+		switch *filter.Status {
+		case "success":
 			query = query.Where("status_code >= ? AND status_code < ?", 200, 400)
-		} else if *filter.Status == "failed" {
+		case "failed":
 			query = query.Where("status_code < ? OR status_code >= ?", 200, 400)
 		}
 	}

management/server/store/sqlstore_bench_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
@@ -263,7 +264,7 @@ func setupBenchmarkDB(b testing.TB) (*SqlStore, func(), string) {
 		&types.Policy{}, &types.PolicyRule{}, &route.Route{},
 		&nbdns.NameServerGroup{}, &posture.Checks{}, &networkTypes.Network{},
 		&routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{},
-		&types.AccountOnboarding{},
+		&types.AccountOnboarding{}, &reverseproxy.Service{}, &reverseproxy.Target{},
 	}
 
 	for i := len(models) - 1; i >= 0; i-- {

management/server/types/account.go

@@ -974,6 +974,11 @@ func (a *Account) Copy() *Account {
 		networkResources = append(networkResources, resource.Copy())
 	}
 
+	services := []*reverseproxy.Service{}
+	for _, service := range a.Services {
+		services = append(services, service.Copy())
+	}
+
 	return &Account{
 		Id:                     a.Id,
 		CreatedBy:              a.CreatedBy,
@@ -995,6 +1000,7 @@ func (a *Account) Copy() *Account {
 		Networks:               nets,
 		NetworkRouters:         networkRouters,
 		NetworkResources:       networkResources,
+		Services:               services,
 		Onboarding:             a.Onboarding,
 		NetworkMapCache:        a.NetworkMapCache,
 		nmapInitOnce:           a.nmapInitOnce,

management/server/types/networkmap_golden_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
@@ -70,7 +71,7 @@ func TestGetPeerNetworkMap_Golden(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -115,7 +116,7 @@ func BenchmarkGetPeerNetworkMap(b *testing.B) {
 	b.Run("old builder", func(b *testing.B) {
 		for range b.N {
 			for _, peerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
@@ -177,7 +178,7 @@ func TestGetPeerNetworkMap_Golden_WithNewPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -240,7 +241,7 @@ func BenchmarkGetPeerNetworkMap_AfterPeerAdded(b *testing.B) {
 	b.Run("old builder after add", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
@@ -317,7 +318,7 @@ func TestGetPeerNetworkMap_Golden_WithNewRoutingPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -402,7 +403,7 @@ func BenchmarkGetPeerNetworkMap_AfterRouterPeerAdded(b *testing.B) {
 	b.Run("old builder after add", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})
@@ -458,7 +459,7 @@ func TestGetPeerNetworkMap_Golden_WithDeletedPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -537,7 +538,7 @@ func TestGetPeerNetworkMap_Golden_WithDeletedRouterPeer(t *testing.T) {
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, resourcePolicies, routers, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	normalizeAndSortNetworkMap(legacyNetworkMap)
 	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
 	require.NoError(t, err, "error marshaling legacy network map to JSON")
@@ -597,7 +598,7 @@ func BenchmarkGetPeerNetworkMap_AfterPeerDeleted(b *testing.B) {
 	b.Run("old builder after delete", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil, nil, nil, nil, account.GetActiveGroupUsers(), nil, nil)
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
 			}
 		}
 	})

management/server/types/proxy_access_token.go

@@ -36,7 +36,7 @@ type PlainProxyToken string
 type ProxyAccessToken struct {
 	ID          string `gorm:"primaryKey"`
 	Name        string
-	HashedToken HashedProxyToken `gorm:"uniqueIndex"`
+	HashedToken HashedProxyToken `gorm:"type:varchar(255);uniqueIndex"`
 	// AccountID is nil for management-wide tokens, set for account-scoped tokens
 	AccountID *string `gorm:"index"`
 	ExpiresAt *time.Time

proxy/Dockerfile

@@ -16,7 +16,7 @@ FROM gcr.io/distroless/base:debug
 COPY --from=builder /app/netbird-proxy /usr/bin/netbird-proxy
 COPY --from=builder /tmp/passwd /etc/passwd
 COPY --from=builder /tmp/group /etc/group
-COPY --from=builder --chown=1000:1000 /tmp/var/lib/netbird /var/lib/netbird
+COPY --from=builder /tmp/var/lib/netbird /var/lib/netbird
 COPY --from=builder --chown=1000:1000 /tmp/certs /certs
 USER netbird:netbird
 ENV HOME=/var/lib/netbird

proxy/README.md

@@ -70,7 +70,7 @@ The following deployment configuration is available:
 | `-mgmt`          | `NB_PROXY_MANAGEMENT_ADDRESS`    | The address of the management server for the proxy to get configuration from.                                                      | `"https://api.netbird.io:443"`                     |
 | `-addr`          | `NB_PROXY_ADDRESS`               | The address that the reverse proxy will listen on.                                                                                 | `":443`                                            |
 | `-url`           | `NB_PROXY_URL`                   | The URL that the proxy will be reached at (where endpoints will be CNAMEd to). If unset, this will fall back to the proxy address. | `"proxy.netbird.io"`                               |
-| `-cert-dir`      | `NB_PROXY_CERTIFICATE_DIRECTORY` | The location that certficates are stored in.                                                                                       | `"./certs"`                                        |
+| `-cert-dir`      | `NB_PROXY_CERTIFICATE_DIRECTORY` | The location that certificates are stored in.                                                                                      | `"./certs"`                                        |
 | `-acme-certs`    | `NB_PROXY_ACME_CERTIFICATES`     | Whether to use ACME to generate certificates.                                                                                      | `false`                                            |
 | `-acme-addr`     | `NB_PROXY_ACME_ADDRESS`          | The HTTP address the proxy will listen on to respond to HTTP-01 ACME challenges                                                    | `":80"`                                            |
 | `-acme-dir`      | `NB_PROXY_ACME_DIRECTORY`        | The directory URL of the ACME server to be used                                                                                    | `"https://acme-v02.api.letsencrypt.org/directory"` |

proxy/cmd/proxy/cmd/root.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/netbirdio/netbird/shared/management/domain"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/acme"
@@ -21,6 +22,8 @@ import (
 const DefaultManagementURL = "https://api.netbird.io:443"
 
 // envProxyToken is the environment variable name for the proxy access token.
+//
+//nolint:gosec
 const envProxyToken = "NB_PROXY_TOKEN"
 
 var (
@@ -34,11 +37,12 @@ var (
 	debugLogs         bool
 	mgmtAddr          string
 	addr              string
-	proxyURL          string
+	proxyDomain       string
 	certDir           string
-	acmeCerts         bool
-	acmeAddr          string
-	acmeDir           string
+	acmeCerts          bool
+	acmeAddr           string
+	acmeDir            string
+	acmeChallengeType  string
 	debugEndpoint     bool
 	debugEndpointAddr string
 	healthAddr        string
@@ -67,11 +71,12 @@ func init() {
 	rootCmd.PersistentFlags().BoolVar(&debugLogs, "debug", envBoolOrDefault("NB_PROXY_DEBUG_LOGS", false), "Enable debug logs")
 	rootCmd.Flags().StringVar(&mgmtAddr, "mgmt", envStringOrDefault("NB_PROXY_MANAGEMENT_ADDRESS", DefaultManagementURL), "Management address to connect to")
 	rootCmd.Flags().StringVar(&addr, "addr", envStringOrDefault("NB_PROXY_ADDRESS", ":443"), "Reverse proxy address to listen on")
-	rootCmd.Flags().StringVar(&proxyURL, "url", envStringOrDefault("NB_PROXY_URL", ""), "The URL at which this proxy will be reached")
+	rootCmd.Flags().StringVar(&proxyDomain, "domain", envStringOrDefault("NB_PROXY_DOMAIN", ""), "The Domain at which this proxy will be reached. e.g., netbird.example.com")
 	rootCmd.Flags().StringVar(&certDir, "cert-dir", envStringOrDefault("NB_PROXY_CERTIFICATE_DIRECTORY", "./certs"), "Directory to store certificates")
-	rootCmd.Flags().BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates using HTTP-01 challenges")
-	rootCmd.Flags().StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address for ACME HTTP-01 challenges")
+	rootCmd.Flags().BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates automatically")
+	rootCmd.Flags().StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address for ACME HTTP-01 challenges (only used when acme-challenge-type is http-01)")
 	rootCmd.Flags().StringVar(&acmeDir, "acme-dir", envStringOrDefault("NB_PROXY_ACME_DIRECTORY", acme.LetsEncryptURL), "URL of ACME challenge directory")
+	rootCmd.Flags().StringVar(&acmeChallengeType, "acme-challenge-type", envStringOrDefault("NB_PROXY_ACME_CHALLENGE_TYPE", "tls-alpn-01"), "ACME challenge type: tls-alpn-01 (default, port 443 only) or http-01 (requires port 80)")
 	rootCmd.Flags().BoolVar(&debugEndpoint, "debug-endpoint", envBoolOrDefault("NB_PROXY_DEBUG_ENDPOINT", false), "Enable debug HTTP endpoint")
 	rootCmd.Flags().StringVar(&debugEndpointAddr, "debug-endpoint-addr", envStringOrDefault("NB_PROXY_DEBUG_ENDPOINT_ADDRESS", "localhost:8444"), "Address for the debug HTTP endpoint")
 	rootCmd.Flags().StringVar(&healthAddr, "health-addr", envStringOrDefault("NB_PROXY_HEALTH_ADDRESS", "localhost:8080"), "Address for the health probe endpoint (liveness/readiness/startup)")
@@ -126,6 +131,11 @@ func runServer(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid --forwarded-proto value %q: must be auto, http, or https", forwardedProto)
 	}
 
+	_, err := domain.ValidateDomains([]string{proxyDomain})
+	if err != nil {
+		return fmt.Errorf("invalid domain value %q: %w", proxyDomain, err)
+	}
+
 	parsedTrustedProxies, err := proxy.ParseTrustedProxies(trustedProxies)
 	if err != nil {
 		return fmt.Errorf("invalid --trusted-proxies: %w", err)
@@ -135,7 +145,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 		Logger:                   logger,
 		Version:                  Version,
 		ManagementAddress:        mgmtAddr,
-		ProxyURL:                 proxyURL,
+		ProxyURL:                 proxyDomain,
 		ProxyToken:               proxyToken,
 		CertificateDirectory:     certDir,
 		CertificateFile:          certFile,
@@ -143,6 +153,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 		GenerateACMECertificates: acmeCerts,
 		ACMEChallengeAddress:     acmeAddr,
 		ACMEDirectory:            acmeDir,
+		ACMEChallengeType:        acmeChallengeType,
 		DebugEndpointEnabled:     debugEndpoint,
 		DebugEndpointAddress:     debugEndpointAddr,
 		HealthAddress:            healthAddr,
@@ -160,7 +171,8 @@ func runServer(cmd *cobra.Command, args []string) error {
 	defer stop()
 
 	if err := srv.ListenAndServe(ctx, addr); err != nil {
-		log.Fatal(err)
+		log.Error(err)
+		return err
 	}
 	return nil
 }

proxy/handle_mapping_stream_test.go

@@ -0,0 +1,94 @@
+package proxy
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+
+	"github.com/netbirdio/netbird/proxy/internal/health"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type mockMappingStream struct {
+	grpc.ClientStream
+	messages []*proto.GetMappingUpdateResponse
+	idx      int
+}
+
+func (m *mockMappingStream) Recv() (*proto.GetMappingUpdateResponse, error) {
+	if m.idx >= len(m.messages) {
+		return nil, io.EOF
+	}
+	msg := m.messages[m.idx]
+	m.idx++
+	return msg, nil
+}
+
+func (m *mockMappingStream) Header() (metadata.MD, error) {
+	return nil, nil //nolint:nilnil
+}
+func (m *mockMappingStream) Trailer() metadata.MD     { return nil }
+func (m *mockMappingStream) CloseSend() error         { return nil }
+func (m *mockMappingStream) Context() context.Context { return context.Background() }
+func (m *mockMappingStream) SendMsg(any) error        { return nil }
+func (m *mockMappingStream) RecvMsg(any) error        { return nil }
+
+func TestHandleMappingStream_SyncCompleteFlag(t *testing.T) {
+	checker := health.NewChecker(nil, nil)
+	s := &Server{
+		Logger:        log.StandardLogger(),
+		healthChecker: checker,
+	}
+
+	stream := &mockMappingStream{
+		messages: []*proto.GetMappingUpdateResponse{
+			{InitialSyncComplete: true},
+		},
+	}
+
+	syncDone := false
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
+	assert.NoError(t, err)
+	assert.True(t, syncDone, "initial sync should be marked done when flag is set")
+}
+
+func TestHandleMappingStream_NoSyncFlagDoesNotMarkDone(t *testing.T) {
+	checker := health.NewChecker(nil, nil)
+	s := &Server{
+		Logger:        log.StandardLogger(),
+		healthChecker: checker,
+	}
+
+	stream := &mockMappingStream{
+		messages: []*proto.GetMappingUpdateResponse{
+			{}, // no sync flag
+		},
+	}
+
+	syncDone := false
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
+	assert.NoError(t, err)
+	assert.False(t, syncDone, "initial sync should not be marked done without flag")
+}
+
+func TestHandleMappingStream_NilHealthChecker(t *testing.T) {
+	s := &Server{
+		Logger: log.StandardLogger(),
+	}
+
+	stream := &mockMappingStream{
+		messages: []*proto.GetMappingUpdateResponse{
+			{InitialSyncComplete: true},
+		},
+	}
+
+	syncDone := false
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
+	assert.NoError(t, err)
+	assert.True(t, syncDone, "sync done flag should be set even without health checker")
+}

proxy/internal/accesslog/logger.go

@@ -3,11 +3,13 @@ package accesslog
 import (
 	"context"
 	"net/netip"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
+	"github.com/netbirdio/netbird/proxy/auth"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
@@ -62,7 +64,12 @@ func (l *Logger) log(ctx context.Context, entry logEntry) {
 	// allow for resolving that on the server.
 	now := timestamppb.Now() // Grab the timestamp before launching the goroutine to try to prevent weird timing issues. This is probably unnecessary.
 	go func() {
-		if _, err := l.client.SendAccessLog(context.Background(), &proto.SendAccessLogRequest{
+		logCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		if entry.AuthMechanism != auth.MethodOIDC.String() {
+			entry.UserId = ""
+		}
+		if _, err := l.client.SendAccessLog(logCtx, &proto.SendAccessLogRequest{
 			Log: &proto.AccessLog{
 				LogId:         entry.ID,
 				AccountId:     entry.AccountID,

proxy/internal/auth/context.go

@@ -1,40 +0,0 @@
-package auth
-
-import (
-	"context"
-
-	"github.com/netbirdio/netbird/proxy/auth"
-)
-
-type requestContextKey string
-
-const (
-	authMethodKey requestContextKey = "authMethod"
-	authUserKey   requestContextKey = "authUser"
-)
-
-func withAuthMethod(ctx context.Context, method auth.Method) context.Context {
-	return context.WithValue(ctx, authMethodKey, method)
-}
-
-func MethodFromContext(ctx context.Context) auth.Method {
-	v := ctx.Value(authMethodKey)
-	method, ok := v.(auth.Method)
-	if !ok {
-		return ""
-	}
-	return method
-}
-
-func withAuthUser(ctx context.Context, userId string) context.Context {
-	return context.WithValue(ctx, authUserKey, userId)
-}
-
-func UserFromContext(ctx context.Context) string {
-	v := ctx.Value(authUserKey)
-	userId, ok := v.(string)
-	if !ok {
-		return ""
-	}
-	return userId
-}

proxy/internal/auth/middleware.go

@@ -30,15 +30,14 @@ type SessionValidator interface {
 	ValidateSession(ctx context.Context, in *proto.ValidateSessionRequest, opts ...grpc.CallOption) (*proto.ValidateSessionResponse, error)
 }
 
+// Scheme defines an authentication mechanism for a domain.
 type Scheme interface {
 	Type() auth.Method
-	// Authenticate should check the passed request and determine whether
-	// it represents an authenticated user request. If it does not, then
-	// an empty string should indicate an unauthenticated request which
-	// will be rejected; optionally, it can also return any data that should
-	// be included in a UI template when prompting the user to authenticate.
-	// If the request is authenticated, then a session token should be returned.
-	Authenticate(*http.Request) (token string, promptData string)
+	// Authenticate checks the request and determines whether it represents
+	// an authenticated user. An empty token indicates an unauthenticated
+	// request; optionally, promptData may be returned for the login UI.
+	// An error indicates an infrastructure failure (e.g. gRPC unavailable).
+	Authenticate(*http.Request) (token string, promptData string, err error)
 }
 
 type DomainConfig struct {
@@ -141,7 +140,15 @@ func (mw *Middleware) Protect(next http.Handler) http.Handler {
 		methods := make(map[string]string)
 		var attemptedMethod string
 		for _, scheme := range config.Schemes {
-			token, promptData := scheme.Authenticate(r)
+			token, promptData, err := scheme.Authenticate(r)
+			if err != nil {
+				mw.logger.WithField("scheme", scheme.Type().String()).Warnf("authentication infrastructure error: %v", err)
+				if cd := proxy.CapturedDataFromContext(r.Context()); cd != nil {
+					cd.SetOrigin(proxy.OriginAuth)
+				}
+				http.Error(w, "authentication service unavailable", http.StatusBadGateway)
+				return
+			}
 
 			// Track if credentials were submitted but auth failed
 			if token == "" && wasCredentialSubmitted(r, scheme.Type()) {

proxy/internal/auth/middleware_test.go

@@ -32,16 +32,16 @@ type stubScheme struct {
 	method   auth.Method
 	token    string
 	promptID string
-	authFn   func(*http.Request) (string, string)
+	authFn   func(*http.Request) (string, string, error)
 }
 
 func (s *stubScheme) Type() auth.Method { return s.method }
 
-func (s *stubScheme) Authenticate(r *http.Request) (string, string) {
+func (s *stubScheme) Authenticate(r *http.Request) (string, string, error) {
 	if s.authFn != nil {
 		return s.authFn(r)
 	}
-	return s.token, s.promptID
+	return s.token, s.promptID, nil
 }
 
 func newPassthroughHandler() http.Handler {
@@ -344,11 +344,11 @@ func TestProtect_SchemeAuthRedirectsWithCookie(t *testing.T) {
 
 	scheme := &stubScheme{
 		method: auth.MethodPIN,
-		authFn: func(r *http.Request) (string, string) {
+		authFn: func(r *http.Request) (string, string, error) {
 			if r.FormValue("pin") == "111111" {
-				return token, ""
+				return token, "", nil
 			}
-			return "", "pin"
+			return "", "pin", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{scheme}, kp.PublicKey, time.Hour, "", ""))
@@ -391,8 +391,8 @@ func TestProtect_FailedAuthDoesNotSetCookie(t *testing.T) {
 
 	scheme := &stubScheme{
 		method: auth.MethodPIN,
-		authFn: func(_ *http.Request) (string, string) {
-			return "", "pin"
+		authFn: func(_ *http.Request) (string, string, error) {
+			return "", "pin", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{scheme}, kp.PublicKey, time.Hour, "", ""))
@@ -418,17 +418,17 @@ func TestProtect_MultipleSchemes(t *testing.T) {
 	// First scheme (PIN) always fails, second scheme (password) succeeds.
 	pinScheme := &stubScheme{
 		method: auth.MethodPIN,
-		authFn: func(_ *http.Request) (string, string) {
-			return "", "pin"
+		authFn: func(_ *http.Request) (string, string, error) {
+			return "", "pin", nil
 		},
 	}
 	passwordScheme := &stubScheme{
 		method: auth.MethodPassword,
-		authFn: func(r *http.Request) (string, string) {
+		authFn: func(r *http.Request) (string, string, error) {
 			if r.FormValue("password") == "secret" {
-				return token, ""
+				return token, "", nil
 			}
-			return "", "password"
+			return "", "password", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{pinScheme, passwordScheme}, kp.PublicKey, time.Hour, "", ""))
@@ -457,8 +457,8 @@ func TestProtect_InvalidTokenFromSchemeReturns400(t *testing.T) {
 	// Return a garbage token that won't validate.
 	scheme := &stubScheme{
 		method: auth.MethodPIN,
-		authFn: func(_ *http.Request) (string, string) {
-			return "invalid-jwt-token", ""
+		authFn: func(_ *http.Request) (string, string, error) {
+			return "invalid-jwt-token", "", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{scheme}, kp.PublicKey, time.Hour, "", ""))
@@ -517,8 +517,8 @@ func TestProtect_FailedPinAuthCapturesAuthMethod(t *testing.T) {
 	// Scheme that always fails authentication (returns empty token)
 	scheme := &stubScheme{
 		method: auth.MethodPIN,
-		authFn: func(_ *http.Request) (string, string) {
-			return "", "pin"
+		authFn: func(_ *http.Request) (string, string, error) {
+			return "", "pin", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{scheme}, kp.PublicKey, time.Hour, "", ""))
@@ -544,8 +544,8 @@ func TestProtect_FailedPasswordAuthCapturesAuthMethod(t *testing.T) {
 
 	scheme := &stubScheme{
 		method: auth.MethodPassword,
-		authFn: func(_ *http.Request) (string, string) {
-			return "", "password"
+		authFn: func(_ *http.Request) (string, string, error) {
+			return "", "password", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{scheme}, kp.PublicKey, time.Hour, "", ""))
@@ -571,8 +571,8 @@ func TestProtect_NoCredentialsDoesNotCaptureAuthMethod(t *testing.T) {
 
 	scheme := &stubScheme{
 		method: auth.MethodPIN,
-		authFn: func(_ *http.Request) (string, string) {
-			return "", "pin"
+		authFn: func(_ *http.Request) (string, string, error) {
+			return "", "pin", nil
 		},
 	}
 	require.NoError(t, mw.AddDomain("example.com", []Scheme{scheme}, kp.PublicKey, time.Hour, "", ""))

proxy/internal/auth/oidc.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/url"
 
@@ -36,12 +37,13 @@ func (OIDC) Type() auth.Method {
 	return auth.MethodOIDC
 }
 
-func (o OIDC) Authenticate(r *http.Request) (string, string) {
+// Authenticate checks for an OIDC session token or obtains the OIDC redirect URL.
+func (o OIDC) Authenticate(r *http.Request) (string, string, error) {
 	// Check for the session_token query param (from OIDC redirects).
 	// The management server passes the token in the URL because it cannot set
 	// cookies for the proxy's domain (cookies are domain-scoped per RFC 6265).
 	if token := r.URL.Query().Get("session_token"); token != "" {
-		return token, ""
+		return token, "", nil
 	}
 
 	redirectURL := &url.URL{
@@ -56,9 +58,8 @@ func (o OIDC) Authenticate(r *http.Request) (string, string) {
 		RedirectUrl: redirectURL.String(),
 	})
 	if err != nil {
-		// TODO: log
-		return "", ""
+		return "", "", fmt.Errorf("get OIDC URL: %w", err)
 	}
 
-	return "", res.GetUrl()
+	return "", res.GetUrl(), nil
 }

proxy/internal/auth/password.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/netbirdio/netbird/proxy/auth"
@@ -31,12 +32,12 @@ func (Password) Type() auth.Method {
 // If authentication fails, the required HTTP form ID is returned
 // so that it can be injected into a request from the UI so that
 // authentication may be successful.
-func (p Password) Authenticate(r *http.Request) (string, string) {
+func (p Password) Authenticate(r *http.Request) (string, string, error) {
 	password := r.FormValue(passwordFormId)
 
 	if password == "" {
-		// This cannot be authenticated, so not worth wasting time sending the request.
-		return "", passwordFormId
+		// No password submitted; return the form ID so the UI can prompt the user.
+		return "", passwordFormId, nil
 	}
 
 	res, err := p.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
@@ -49,13 +50,12 @@ func (p Password) Authenticate(r *http.Request) (string, string) {
 		},
 	})
 	if err != nil {
-		// TODO: log error here
-		return "", passwordFormId
+		return "", "", fmt.Errorf("authenticate password: %w", err)
 	}
 
 	if res.GetSuccess() {
-		return res.GetSessionToken(), ""
+		return res.GetSessionToken(), "", nil
 	}
 
-	return "", passwordFormId
+	return "", passwordFormId, nil
 }

proxy/internal/auth/pin.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/netbirdio/netbird/proxy/auth"
@@ -31,12 +32,12 @@ func (Pin) Type() auth.Method {
 // If authentication fails, the required HTTP form ID is returned
 // so that it can be injected into a request from the UI so that
 // authentication may be successful.
-func (p Pin) Authenticate(r *http.Request) (string, string) {
+func (p Pin) Authenticate(r *http.Request) (string, string, error) {
 	pin := r.FormValue(pinFormId)
 
 	if pin == "" {
-		// This cannot be authenticated, so not worth wasting time sending the request.
-		return "", pinFormId
+		// No PIN submitted; return the form ID so the UI can prompt the user.
+		return "", pinFormId, nil
 	}
 
 	res, err := p.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
@@ -49,13 +50,12 @@ func (p Pin) Authenticate(r *http.Request) (string, string) {
 		},
 	})
 	if err != nil {
-		// TODO: log error here
-		return "", pinFormId
+		return "", "", fmt.Errorf("authenticate pin: %w", err)
 	}
 
 	if res.GetSuccess() {
-		return res.GetSessionToken(), ""
+		return res.GetSessionToken(), "", nil
 	}
 
-	return "", pinFormId
+	return "", pinFormId, nil
 }

proxy/internal/debug/client.go

@@ -88,8 +88,9 @@ func (c *Client) printHealth(data map[string]any) {
 		return
 	}
 
-	_, _ = fmt.Fprintf(c.out, "\n%-38s %-9s %-7s %-8s %s\n", "ACCOUNT ID", "HEALTHY", "MGMT", "SIGNAL", "RELAYS")
-	_, _ = fmt.Fprintln(c.out, strings.Repeat("-", 80))
+	_, _ = fmt.Fprintf(c.out, "\n%-38s %-9s %-7s %-8s %-8s %-16s %s\n",
+		"ACCOUNT ID", "HEALTHY", "MGMT", "SIGNAL", "RELAYS", "PEERS (P2P/RLY)", "DEGRADED")
+	_, _ = fmt.Fprintln(c.out, strings.Repeat("-", 110))
 
 	for accountID, v := range clients {
 		ch, ok := v.(map[string]any)
@@ -105,7 +106,15 @@ func (c *Client) printHealth(data map[string]any) {
 		relaysTotal, _ := ch["relays_total"].(float64)
 		relays := fmt.Sprintf("%d/%d", int(relaysConn), int(relaysTotal))
 
-		_, _ = fmt.Fprintf(c.out, "%-38s %-9s %-7s %-8s %s", accountID, healthy, mgmt, signal, relays)
+		peersConnected, _ := ch["peers_connected"].(float64)
+		peersTotal, _ := ch["peers_total"].(float64)
+		peersP2P, _ := ch["peers_p2p"].(float64)
+		peersRelayed, _ := ch["peers_relayed"].(float64)
+		peersDegraded, _ := ch["peers_degraded"].(float64)
+		peers := fmt.Sprintf("%d/%d (%d/%d)", int(peersConnected), int(peersTotal), int(peersP2P), int(peersRelayed))
+		degraded := fmt.Sprintf("%d", int(peersDegraded))
+
+		_, _ = fmt.Fprintf(c.out, "%-38s %-9s %-7s %-8s %-8s %-16s %s", accountID, healthy, mgmt, signal, relays, peers, degraded)
 		if errMsg, ok := ch["error"].(string); ok && errMsg != "" {
 			_, _ = fmt.Fprintf(c.out, "  (%s)", errMsg)
 		}

proxy/internal/debug/handler.go

@@ -648,7 +648,8 @@ func (h *Handler) handleHealth(w http.ResponseWriter, r *http.Request, wantJSON
 	allHealthy, clientHealth := h.health.CheckClientsConnected(r.Context())
 
 	status := "ok"
-	if !ready || !allHealthy {
+	// No clients is not a health issue; only degrade when actual clients are unhealthy
+	if !ready || (!allHealthy && len(clientHealth) > 0) {
 		status = "degraded"
 	}
 

proxy/internal/debug/templates/client_detail.html

@@ -1,6 +1,6 @@
 {{define "clientDetail"}}
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
   <title>Client {{.AccountID}}</title>
   <style>{{template "style"}}</style>

proxy/internal/debug/templates/clients.html

@@ -1,6 +1,6 @@
 {{define "clients"}}
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
   <title>Clients</title>
   <style>{{template "style"}}</style>

proxy/internal/debug/templates/index.html

@@ -1,6 +1,6 @@
 {{define "index"}}
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
   <title>NetBird Proxy Debug</title>
   <style>{{template "style"}}</style>

proxy/internal/debug/templates/tools.html

@@ -1,6 +1,6 @@
 {{define "tools"}}
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
   <title>Client {{.AccountID}} - Tools</title>
   <style>{{template "style"}}</style>

proxy/internal/health/health.go

@@ -16,6 +16,8 @@ import (
 	"github.com/netbirdio/netbird/proxy/internal/types"
 )
 
+const handshakeStaleThreshold = 5 * time.Minute
+
 const (
 	maxConcurrentChecks   = 3
 	maxClientCheckTimeout = 5 * time.Minute
@@ -38,6 +40,10 @@ type Checker struct {
 
 	// checkSem limits concurrent client health checks.
 	checkSem chan struct{}
+
+	// checkHealth checks the health of a single client.
+	// Defaults to checkClientHealth; overridable in tests.
+	checkHealth func(*embed.Client) ClientHealth
 }
 
 // ClientHealth represents the health status of a single NetBird client.
@@ -47,6 +53,11 @@ type ClientHealth struct {
 	SignalConnected     bool   `json:"signal_connected"`
 	RelaysConnected     int    `json:"relays_connected"`
 	RelaysTotal         int    `json:"relays_total"`
+	PeersTotal          int    `json:"peers_total"`
+	PeersConnected      int    `json:"peers_connected"`
+	PeersP2P            int    `json:"peers_p2p"`
+	PeersRelayed        int    `json:"peers_relayed"`
+	PeersDegraded       int    `json:"peers_degraded"`
 	Error               string `json:"error,omitempty"`
 }
 
@@ -96,9 +107,9 @@ func (c *Checker) CheckClientsConnected(ctx context.Context) (bool, map[types.Ac
 
 	clients := c.provider.ListClientsForStartup()
 
-	// No clients yet means not ready
+	// No clients is not a health issue
 	if len(clients) == 0 {
-		return false, make(map[types.AccountID]ClientHealth)
+		return true, make(map[types.AccountID]ClientHealth)
 	}
 
 	type result struct {
@@ -123,7 +134,7 @@ func (c *Checker) CheckClientsConnected(ctx context.Context) (bool, map[types.Ac
 				return
 			}
 
-			resultsCh <- result{id, checkClientHealth(cl)}
+			resultsCh <- result{id, c.checkHealth(cl)}
 		}(accountID, client)
 	}
 
@@ -173,7 +184,8 @@ func (c *Checker) StartupProbe(ctx context.Context) bool {
 		return false
 	}
 
-	// Check all clients are connected to management/signal/relay
+	// Check all clients are connected to management/signal/relay.
+	// Returns true when no clients exist (nothing to check).
 	allHealthy, _ := c.CheckClientsConnected(ctx)
 	return allHealthy
 }
@@ -213,19 +225,19 @@ func (c *Checker) handleReadiness(w http.ResponseWriter, r *http.Request) {
 func (c *Checker) handleStartup(w http.ResponseWriter, r *http.Request) {
 	c.mu.RLock()
 	mgmt := c.managementConnected
-	sync := c.initialSyncComplete
+	syncComplete := c.initialSyncComplete
 	c.mu.RUnlock()
 
-	// Check clients directly using request context
 	allClientsHealthy, clientHealth := c.CheckClientsConnected(r.Context())
 
 	checks := map[string]bool{
 		"management_connected":  mgmt,
-		"initial_sync_complete": sync,
+		"initial_sync_complete": syncComplete,
 		"all_clients_healthy":   allClientsHealthy,
 	}
 
-	if c.StartupProbe(r.Context()) {
+	ready := mgmt && syncComplete && allClientsHealthy
+	if ready {
 		c.writeProbeResponse(w, http.StatusOK, "ok", checks, clientHealth)
 		return
 	}
@@ -293,9 +305,10 @@ func NewChecker(logger *log.Logger, provider clientProvider) *Checker {
 		logger = log.StandardLogger()
 	}
 	return &Checker{
-		logger:   logger,
-		provider: provider,
-		checkSem: make(chan struct{}, maxConcurrentChecks),
+		logger:      logger,
+		provider:    provider,
+		checkSem:    make(chan struct{}, maxConcurrentChecks),
+		checkHealth: checkClientHealth,
 	}
 }
 
@@ -327,6 +340,13 @@ func NewServer(addr string, checker *Checker, logger *log.Logger, metricsHandler
 }
 
 func checkClientHealth(client *embed.Client) ClientHealth {
+	if client == nil {
+		return ClientHealth{
+			Healthy: false,
+			Error:   "client not initialized",
+		}
+	}
+
 	status, err := client.Status()
 	if err != nil {
 		return ClientHealth{
@@ -347,6 +367,24 @@ func checkClientHealth(client *embed.Client) ClientHealth {
 		}
 	}
 
+	// Count peer connection stats
+	now := time.Now()
+	var peersConnected, peersP2P, peersRelayed, peersDegraded int
+	for _, p := range status.Peers {
+		if p.ConnStatus != embed.PeerStatusConnected {
+			continue
+		}
+		peersConnected++
+		if p.Relayed {
+			peersRelayed++
+		} else {
+			peersP2P++
+		}
+		if p.LastWireguardHandshake.IsZero() || now.Sub(p.LastWireguardHandshake) > handshakeStaleThreshold {
+			peersDegraded++
+		}
+	}
+
 	// Client is healthy if connected to management, signal, and at least one relay (if any are defined)
 	healthy := status.ManagementState.Connected &&
 		status.SignalState.Connected &&
@@ -358,5 +396,10 @@ func checkClientHealth(client *embed.Client) ClientHealth {
 		SignalConnected:     status.SignalState.Connected,
 		RelaysConnected:     relaysConnected,
 		RelaysTotal:         relayCount,
+		PeersTotal:          len(status.Peers),
+		PeersConnected:      peersConnected,
+		PeersP2P:            peersP2P,
+		PeersRelayed:        peersRelayed,
+		PeersDegraded:       peersDegraded,
 	}
 }

proxy/internal/health/health_test.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"sync"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -22,6 +23,16 @@ func (m *mockClientProvider) ListClientsForStartup() map[types.AccountID]*embed.
 	return m.clients
 }
 
+// newTestChecker creates a checker with a mock health function for testing.
+// The health function returns the provided ClientHealth for every client.
+func newTestChecker(provider clientProvider, healthResult ClientHealth) *Checker {
+	c := NewChecker(nil, provider)
+	c.checkHealth = func(_ *embed.Client) ClientHealth {
+		return healthResult
+	}
+	return c
+}
+
 func TestChecker_LivenessProbe(t *testing.T) {
 	checker := NewChecker(nil, &mockClientProvider{})
 
@@ -44,19 +55,287 @@ func TestChecker_ReadinessProbe(t *testing.T) {
 	assert.False(t, checker.ReadinessProbe())
 }
 
-func TestChecker_StartupProbe_NoClients(t *testing.T) {
+// TestStartupProbe_EmptyServiceList covers the scenario where management has
+// no services configured for this proxy. The proxy should become ready once
+// management is connected and the initial sync completes, even with zero clients.
+func TestStartupProbe_EmptyServiceList(t *testing.T) {
 	checker := NewChecker(nil, &mockClientProvider{})
 
-	// Initially startup not complete.
+	// No management connection = not ready.
 	assert.False(t, checker.StartupProbe(context.Background()))
 
-	// Just management connected is not enough.
+	// Management connected but no sync = not ready.
 	checker.SetManagementConnected(true)
 	assert.False(t, checker.StartupProbe(context.Background()))
 
-	// Management + initial sync but no clients = not ready
+	// Management + sync complete + no clients = ready.
 	checker.SetInitialSyncComplete()
-	assert.False(t, checker.StartupProbe(context.Background()))
+	assert.True(t, checker.StartupProbe(context.Background()))
+}
+
+// TestStartupProbe_WithUnhealthyClients verifies that when services exist
+// and clients have been created but are not yet fully connected (to mgmt,
+// signal, relays), the startup probe does NOT pass.
+func TestStartupProbe_WithUnhealthyClients(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"account-1": nil, // concrete client not needed; checkHealth is mocked
+			"account-2": nil,
+		},
+	}
+	checker := newTestChecker(provider, ClientHealth{Healthy: false, Error: "not connected yet"})
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+
+	assert.False(t, checker.StartupProbe(context.Background()),
+		"startup probe must not pass when clients are unhealthy")
+}
+
+// TestStartupProbe_WithHealthyClients verifies that once all clients are
+// connected and healthy, the startup probe passes.
+func TestStartupProbe_WithHealthyClients(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"account-1": nil,
+			"account-2": nil,
+		},
+	}
+	checker := newTestChecker(provider, ClientHealth{
+		Healthy:             true,
+		ManagementConnected: true,
+		SignalConnected:     true,
+		RelaysConnected:     1,
+		RelaysTotal:         1,
+	})
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+
+	assert.True(t, checker.StartupProbe(context.Background()),
+		"startup probe must pass when all clients are healthy")
+}
+
+// TestStartupProbe_MixedHealthClients verifies that if any single client is
+// unhealthy, the startup probe fails (all-or-nothing).
+func TestStartupProbe_MixedHealthClients(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"healthy-account":   nil,
+			"unhealthy-account": nil,
+		},
+	}
+
+	checker := NewChecker(nil, provider)
+	checker.checkHealth = func(cl *embed.Client) ClientHealth {
+		// We identify accounts by their position in the map iteration; since we
+		// can't control map order, make exactly one unhealthy via counter.
+		return ClientHealth{Healthy: false}
+	}
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+
+	assert.False(t, checker.StartupProbe(context.Background()),
+		"startup probe must fail if any client is unhealthy")
+}
+
+// TestStartupProbe_RequiresAllConditions ensures that each individual
+// prerequisite (management, sync, clients) is necessary. The probe must not
+// pass if any one is missing.
+func TestStartupProbe_RequiresAllConditions(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"account-1": nil,
+		},
+	}
+
+	t.Run("no management", func(t *testing.T) {
+		checker := newTestChecker(provider, ClientHealth{Healthy: true})
+		checker.SetInitialSyncComplete()
+		// management NOT connected
+		assert.False(t, checker.StartupProbe(context.Background()))
+	})
+
+	t.Run("no sync", func(t *testing.T) {
+		checker := newTestChecker(provider, ClientHealth{Healthy: true})
+		checker.SetManagementConnected(true)
+		// sync NOT complete
+		assert.False(t, checker.StartupProbe(context.Background()))
+	})
+
+	t.Run("unhealthy client", func(t *testing.T) {
+		checker := newTestChecker(provider, ClientHealth{Healthy: false})
+		checker.SetManagementConnected(true)
+		checker.SetInitialSyncComplete()
+		assert.False(t, checker.StartupProbe(context.Background()))
+	})
+
+	t.Run("all conditions met", func(t *testing.T) {
+		checker := newTestChecker(provider, ClientHealth{Healthy: true})
+		checker.SetManagementConnected(true)
+		checker.SetInitialSyncComplete()
+		assert.True(t, checker.StartupProbe(context.Background()))
+	})
+}
+
+// TestStartupProbe_ConcurrentAccess runs the startup probe from many
+// goroutines simultaneously to check for races.
+func TestStartupProbe_ConcurrentAccess(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"account-1": nil,
+			"account-2": nil,
+		},
+	}
+	checker := newTestChecker(provider, ClientHealth{Healthy: true})
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+
+	var wg sync.WaitGroup
+	const goroutines = 50
+	results := make([]bool, goroutines)
+
+	for i := range goroutines {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			results[idx] = checker.StartupProbe(context.Background())
+		}(i)
+	}
+	wg.Wait()
+
+	for i, r := range results {
+		assert.True(t, r, "goroutine %d got unexpected result", i)
+	}
+}
+
+// TestStartupProbe_CancelledContext verifies that a cancelled context causes
+// the probe to report unhealthy when client checks are needed.
+func TestStartupProbe_CancelledContext(t *testing.T) {
+	t.Run("no management bypasses context", func(t *testing.T) {
+		checker := NewChecker(nil, &mockClientProvider{})
+		ctx, cancel := context.WithCancel(context.Background())
+		cancel()
+		// Should be false because management isn't connected, context is irrelevant.
+		assert.False(t, checker.StartupProbe(ctx))
+	})
+
+	t.Run("with clients and cancelled context", func(t *testing.T) {
+		provider := &mockClientProvider{
+			clients: map[types.AccountID]*embed.Client{
+				"account-1": nil,
+			},
+		}
+		checker := NewChecker(nil, provider)
+		// Use the real checkHealth path — a cancelled context should cause
+		// the semaphore acquisition to fail, reporting unhealthy.
+		checker.SetManagementConnected(true)
+		checker.SetInitialSyncComplete()
+
+		ctx, cancel := context.WithCancel(context.Background())
+		cancel()
+		assert.False(t, checker.StartupProbe(ctx),
+			"cancelled context must result in unhealthy when clients exist")
+	})
+}
+
+// TestHandler_Startup_EmptyServiceList verifies the HTTP startup endpoint
+// returns 200 when management is connected, sync is complete, and there are
+// no services/clients.
+func TestHandler_Startup_EmptyServiceList(t *testing.T) {
+	checker := NewChecker(nil, &mockClientProvider{})
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+	handler := checker.Handler()
+
+	req := httptest.NewRequest(http.MethodGet, "/healthz/startup", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusOK, rec.Code)
+
+	var resp ProbeResponse
+	require.NoError(t, json.NewDecoder(rec.Body).Decode(&resp))
+	assert.Equal(t, "ok", resp.Status)
+	assert.True(t, resp.Checks["management_connected"])
+	assert.True(t, resp.Checks["initial_sync_complete"])
+	assert.True(t, resp.Checks["all_clients_healthy"])
+	assert.Empty(t, resp.Clients)
+}
+
+// TestHandler_Startup_WithUnhealthyClients verifies that the HTTP startup
+// endpoint returns 503 when clients exist but are not yet healthy.
+func TestHandler_Startup_WithUnhealthyClients(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"account-1": nil,
+		},
+	}
+	checker := newTestChecker(provider, ClientHealth{Healthy: false, Error: "starting"})
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+	handler := checker.Handler()
+
+	req := httptest.NewRequest(http.MethodGet, "/healthz/startup", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, rec.Code)
+
+	var resp ProbeResponse
+	require.NoError(t, json.NewDecoder(rec.Body).Decode(&resp))
+	assert.Equal(t, "fail", resp.Status)
+	assert.True(t, resp.Checks["management_connected"])
+	assert.True(t, resp.Checks["initial_sync_complete"])
+	assert.False(t, resp.Checks["all_clients_healthy"])
+	require.Contains(t, resp.Clients, types.AccountID("account-1"))
+	assert.Equal(t, "starting", resp.Clients["account-1"].Error)
+}
+
+// TestHandler_Startup_WithHealthyClients verifies the HTTP startup endpoint
+// returns 200 once clients are healthy.
+func TestHandler_Startup_WithHealthyClients(t *testing.T) {
+	provider := &mockClientProvider{
+		clients: map[types.AccountID]*embed.Client{
+			"account-1": nil,
+		},
+	}
+	checker := newTestChecker(provider, ClientHealth{
+		Healthy:             true,
+		ManagementConnected: true,
+		SignalConnected:     true,
+		RelaysConnected:     1,
+		RelaysTotal:         1,
+	})
+	checker.SetManagementConnected(true)
+	checker.SetInitialSyncComplete()
+	handler := checker.Handler()
+
+	req := httptest.NewRequest(http.MethodGet, "/healthz/startup", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusOK, rec.Code)
+
+	var resp ProbeResponse
+	require.NoError(t, json.NewDecoder(rec.Body).Decode(&resp))
+	assert.Equal(t, "ok", resp.Status)
+	assert.True(t, resp.Checks["all_clients_healthy"])
+}
+
+// TestHandler_Startup_NotComplete verifies the startup handler returns 503
+// when prerequisites aren't met.
+func TestHandler_Startup_NotComplete(t *testing.T) {
+	checker := NewChecker(nil, &mockClientProvider{})
+	handler := checker.Handler()
+
+	req := httptest.NewRequest(http.MethodGet, "/healthz/startup", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, rec.Code)
+
+	var resp ProbeResponse
+	require.NoError(t, json.NewDecoder(rec.Body).Decode(&resp))
+	assert.Equal(t, "fail", resp.Status)
 }
 
 func TestChecker_Handler_Liveness(t *testing.T) {
@@ -107,21 +386,6 @@ func TestChecker_Handler_Readiness_Ready(t *testing.T) {
 	assert.True(t, resp.Checks["management_connected"])
 }
 
-func TestChecker_Handler_Startup_NotComplete(t *testing.T) {
-	checker := NewChecker(nil, &mockClientProvider{})
-	handler := checker.Handler()
-
-	req := httptest.NewRequest(http.MethodGet, "/healthz/startup", nil)
-	rec := httptest.NewRecorder()
-	handler.ServeHTTP(rec, req)
-
-	assert.Equal(t, http.StatusServiceUnavailable, rec.Code)
-
-	var resp ProbeResponse
-	require.NoError(t, json.NewDecoder(rec.Body).Decode(&resp))
-	assert.Equal(t, "fail", resp.Status)
-}
-
 func TestChecker_Handler_Full(t *testing.T) {
 	checker := NewChecker(nil, &mockClientProvider{})
 	checker.SetManagementConnected(true)
@@ -140,16 +404,3 @@ func TestChecker_Handler_Full(t *testing.T) {
 	// Clients may be empty map when no clients exist.
 	assert.Empty(t, resp.Clients)
 }
-
-func TestChecker_StartupProbe_RespectsContext(t *testing.T) {
-	checker := NewChecker(nil, &mockClientProvider{})
-	checker.SetManagementConnected(true)
-	checker.SetInitialSyncComplete()
-
-	// Cancelled context should return false quickly
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	result := checker.StartupProbe(ctx)
-	assert.False(t, result)
-}

proxy/internal/k8s/lease.go

@@ -21,7 +21,7 @@ import (
 )
 
 const (
-	saTokenPath     = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+	saTokenPath     = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 	saNamespacePath = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
 	saCACertPath    = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 
@@ -151,7 +151,7 @@ func (c *LeaseClient) Get(ctx context.Context, name string) (*Lease, error) {
 	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode == http.StatusNotFound {
-		return nil, nil
+		return nil, nil //nolint:nilnil
 	}
 	if resp.StatusCode != http.StatusOK {
 		return nil, c.readError(resp)

proxy/internal/metrics/metrics.go

@@ -2,55 +2,148 @@ package metrics
 
 import (
 	"net/http"
+	"strconv"
 	"time"
 
+	"github.com/netbirdio/netbird/proxy/internal/proxy"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 )
 
 type Metrics struct {
-	requestsTotal   prometheus.Counter
-	requestDuration prometheus.Histogram
-	activeRequests  prometheus.Counter
-	backendDuration prometheus.Histogram
+	requestsTotal     prometheus.Counter
+	activeRequests    prometheus.Gauge
+	configuredDomains prometheus.Gauge
+	pathsPerDomain    *prometheus.GaugeVec
+	requestDuration   *prometheus.HistogramVec
+	backendDuration   *prometheus.HistogramVec
 }
 
 func New(reg prometheus.Registerer) *Metrics {
+	promFactory := promauto.With(reg)
 	return &Metrics{
-		requestsTotal: promauto.With(reg).NewCounter(prometheus.CounterOpts{
+		requestsTotal: promFactory.NewCounter(prometheus.CounterOpts{
 			Name: "netbird_proxy_requests_total",
 			Help: "Total number of requests made to the netbird proxy",
 		}),
-		requestDuration: promauto.With(reg).NewHistogram(prometheus.HistogramOpts{
-			Name:    "netbird_proxy_request_duration_seconds",
-			Help:    "Duration of requests made to the netbird proxy",
-			Buckets: []float64{0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10},
-		}),
-		activeRequests: promauto.With(reg).NewCounter(prometheus.CounterOpts{
-			Name: "netbird_proxy_active_requests_total",
+		activeRequests: promFactory.NewGauge(prometheus.GaugeOpts{
+			Name: "netbird_proxy_active_requests_count",
 			Help: "Current in-flight requests handled by the netbird proxy",
 		}),
-		backendDuration: promauto.With(reg).NewHistogram(prometheus.HistogramOpts{
+		configuredDomains: promFactory.NewGauge(prometheus.GaugeOpts{
+			Name: "netbird_proxy_domains_count",
+			Help: "Current number of domains configured on the netbird proxy",
+		}),
+		pathsPerDomain: promFactory.NewGaugeVec(
+			prometheus.GaugeOpts{
+				Name: "netbird_proxy_paths_count",
+				Help: "Current number of paths configured on the netbird proxy labelled by domain",
+			},
+			[]string{"domain"},
+		),
+		requestDuration: promFactory.NewHistogramVec(
+			prometheus.HistogramOpts{
+				Name:    "netbird_proxy_request_duration_seconds",
+				Help:    "Duration of requests made to the netbird proxy",
+				Buckets: []float64{0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10},
+			},
+			[]string{"status", "size", "method", "host", "path"},
+		),
+		backendDuration: promFactory.NewHistogramVec(prometheus.HistogramOpts{
 			Name:    "netbird_proxy_backend_duration_seconds",
 			Help:    "Duration of peer round trip time from the netbird proxy",
 			Buckets: []float64{0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10},
-		}),
+		},
+			[]string{"status", "size", "method", "host", "path"},
+		),
 	}
 }
 
+type responseInterceptor struct {
+	http.ResponseWriter
+	status int
+	size   int
+}
+
+func (w *responseInterceptor) WriteHeader(status int) {
+	w.status = status
+	w.ResponseWriter.WriteHeader(status)
+}
+
+func (w *responseInterceptor) Write(b []byte) (int, error) {
+	size, err := w.ResponseWriter.Write(b)
+	w.size += size
+	return size, err
+}
+
 func (m *Metrics) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		m.requestsTotal.Inc()
 		m.activeRequests.Inc()
 
+		interceptor := &responseInterceptor{ResponseWriter: w}
+
 		start := time.Now()
-		next.ServeHTTP(w, r)
+		next.ServeHTTP(interceptor, r)
+		duration := time.Since(start)
 
 		m.activeRequests.Desc()
-		m.requestDuration.Observe(time.Since(start).Seconds())
+		m.requestDuration.With(prometheus.Labels{
+			"status": strconv.Itoa(interceptor.status),
+			"size":   strconv.Itoa(interceptor.size),
+			"method": r.Method,
+			"host":   r.Host,
+			"path":   r.URL.Path,
+		}).Observe(duration.Seconds())
 	})
 }
 
-func (m *Metrics) CompleteRoundTrip(t time.Duration) {
-	m.backendDuration.Observe(t.Seconds())
+type roundTripperFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) {
+	return f(r)
+}
+
+func (m *Metrics) RoundTripper(next http.RoundTripper) http.RoundTripper {
+	return roundTripperFunc(func(req *http.Request) (*http.Response, error) {
+		labels := prometheus.Labels{
+			"method": req.Method,
+			"host":   req.Host,
+			// Fill potentially empty labels with default values to avoid cardinality issues.
+			"path":   "/",
+			"status": "0",
+			"size":   "0",
+		}
+		if req.URL != nil {
+			labels["path"] = req.URL.Path
+		}
+
+		start := time.Now()
+		res, err := next.RoundTrip(req)
+		duration := time.Since(start)
+
+		// Not all labels will be available if there was an error.
+		if res != nil {
+			labels["status"] = strconv.Itoa(res.StatusCode)
+			labels["size"] = strconv.Itoa(int(res.ContentLength))
+		}
+
+		m.backendDuration.With(labels).Observe(duration.Seconds())
+
+		return res, err
+	})
+}
+
+func (m *Metrics) AddMapping(mapping proxy.Mapping) {
+	m.configuredDomains.Inc()
+	m.pathsPerDomain.With(prometheus.Labels{
+		"domain": mapping.Host,
+	}).Set(float64(len(mapping.Paths)))
+}
+
+func (m *Metrics) RemoveMapping(mapping proxy.Mapping) {
+	m.configuredDomains.Dec()
+	m.pathsPerDomain.With(prometheus.Labels{
+		"domain": mapping.Host,
+	}).Set(0)
 }

proxy/internal/metrics/metrics_test.go

@@ -0,0 +1,64 @@
+package metrics_test
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/netbirdio/netbird/proxy/internal/metrics"
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+type testRoundTripper struct {
+	response *http.Response
+	err      error
+}
+
+func (t *testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return t.response, t.err
+}
+
+func TestMetrics_RoundTripper(t *testing.T) {
+	testResponse := http.Response{
+		StatusCode: http.StatusOK,
+		Body:       http.NoBody,
+	}
+
+	tests := map[string]struct {
+		roundTripper http.RoundTripper
+		request      *http.Request
+		response     *http.Response
+		err          error
+	}{
+		"ok": {
+			roundTripper: &testRoundTripper{response: &testResponse},
+			request:      &http.Request{Method: "GET", URL: &url.URL{Path: "/foo"}},
+			response:     &testResponse,
+		},
+		"nil url": {
+			roundTripper: &testRoundTripper{response: &testResponse},
+			request:      &http.Request{Method: "GET", URL: nil},
+			response:     &testResponse,
+		},
+		"nil response": {
+			roundTripper: &testRoundTripper{response: nil},
+			request:      &http.Request{Method: "GET", URL: &url.URL{Path: "/foo"}},
+		},
+	}
+
+	m := metrics.New(prometheus.NewRegistry())
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			rt := m.RoundTripper(test.roundTripper)
+			res, err := rt.RoundTrip(test.request)
+			if diff := cmp.Diff(test.err, err); diff != "" {
+				t.Errorf("Incorrect error (-want +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(test.response, res); diff != "" {
+				t.Errorf("Incorrect response (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

proxy/internal/proxy/reverseproxy.go

@@ -86,7 +86,7 @@ func (p *ReverseProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		ErrorHandler: proxyErrorHandler,
 	}
 	if result.rewriteRedirects {
-		rp.ModifyResponse = p.rewriteLocationFunc(result.url, result.matchedPath, r)
+		rp.ModifyResponse = p.rewriteLocationFunc(result.url, result.matchedPath, r) //nolint:bodyclose
 	}
 	rp.ServeHTTP(w, r.WithContext(ctx))
 }

proxy/internal/proxy/reverseproxy_test.go

@@ -558,7 +558,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	}
 	run := func(p *ReverseProxy, matchedPath string, inReq *http.Request, location string) (*http.Response, error) {
 		t.Helper()
-		modifyResp := p.rewriteLocationFunc(target, matchedPath, inReq)
+		modifyResp := p.rewriteLocationFunc(target, matchedPath, inReq) //nolint:bodyclose
 		resp := &http.Response{Header: http.Header{}}
 		if location != "" {
 			resp.Header.Set("Location", location)
@@ -568,7 +568,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	}
 
 	t.Run("rewrites Location pointing to backend", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/page"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/page"), //nolint:bodyclose
 			"http://backend.internal:8080/login")
 
 		require.NoError(t, err)
@@ -576,7 +576,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("does not rewrite Location pointing to other host", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"https://other.example.com/path")
 
 		require.NoError(t, err)
@@ -584,7 +584,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("does not rewrite relative Location", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"/dashboard")
 
 		require.NoError(t, err)
@@ -592,7 +592,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("re-adds stripped path prefix", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/api", newReq("https://public.example.com/api/users"),
+		resp, err := run(newProxy("https"), "/api", newReq("https://public.example.com/api/users"), //nolint:bodyclose
 			"http://backend.internal:8080/users")
 
 		require.NoError(t, err)
@@ -600,7 +600,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("uses resolved proto for scheme", func(t *testing.T) {
-		resp, err := run(newProxy("auto"), "", newReq("http://public.example.com/"),
+		resp, err := run(newProxy("auto"), "", newReq("http://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:8080/path")
 
 		require.NoError(t, err)
@@ -608,14 +608,14 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("no-op when Location header is empty", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), "")
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), "") //nolint:bodyclose
 
 		require.NoError(t, err)
 		assert.Empty(t, resp.Header.Get("Location"))
 	})
 
 	t.Run("does not prepend root path prefix", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/", newReq("https://public.example.com/login"),
+		resp, err := run(newProxy("https"), "/", newReq("https://public.example.com/login"), //nolint:bodyclose
 			"http://backend.internal:8080/login")
 
 		require.NoError(t, err)
@@ -625,7 +625,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	// --- Edge cases: query parameters and fragments ---
 
 	t.Run("preserves query parameters", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:8080/login?redirect=%2Fdashboard&lang=en")
 
 		require.NoError(t, err)
@@ -633,7 +633,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("preserves fragment", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:8080/docs#section-2")
 
 		require.NoError(t, err)
@@ -641,7 +641,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("preserves query parameters and fragment together", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:8080/search?q=test&page=1#results")
 
 		require.NoError(t, err)
@@ -649,7 +649,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("preserves query parameters with path prefix re-added", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/api", newReq("https://public.example.com/api/search"),
+		resp, err := run(newProxy("https"), "/api", newReq("https://public.example.com/api/search"), //nolint:bodyclose
 			"http://backend.internal:8080/search?q=hello")
 
 		require.NoError(t, err)
@@ -659,7 +659,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	// --- Edge cases: slash handling ---
 
 	t.Run("no double slash when matchedPath has trailing slash", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/api/", newReq("https://public.example.com/api/users"),
+		resp, err := run(newProxy("https"), "/api/", newReq("https://public.example.com/api/users"), //nolint:bodyclose
 			"http://backend.internal:8080/users")
 
 		require.NoError(t, err)
@@ -667,7 +667,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("backend redirect to root with path prefix", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/app", newReq("https://public.example.com/app/"),
+		resp, err := run(newProxy("https"), "/app", newReq("https://public.example.com/app/"), //nolint:bodyclose
 			"http://backend.internal:8080/")
 
 		require.NoError(t, err)
@@ -675,7 +675,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("backend redirect to root with trailing-slash path prefix", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/app/", newReq("https://public.example.com/app/"),
+		resp, err := run(newProxy("https"), "/app/", newReq("https://public.example.com/app/"), //nolint:bodyclose
 			"http://backend.internal:8080/")
 
 		require.NoError(t, err)
@@ -683,7 +683,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("preserves trailing slash on redirect path", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:8080/path/")
 
 		require.NoError(t, err)
@@ -691,7 +691,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("backend redirect to bare root", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/page"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/page"), //nolint:bodyclose
 			"http://backend.internal:8080/")
 
 		require.NoError(t, err)
@@ -701,7 +701,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	// --- Edge cases: host/port matching ---
 
 	t.Run("does not rewrite when backend host matches but port differs", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:9090/other")
 
 		require.NoError(t, err)
@@ -712,7 +712,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	t.Run("rewrites when redirect omits default port matching target", func(t *testing.T) {
 		// Target is backend.internal:8080, redirect is to backend.internal (no port).
 		// These are different authorities, so should NOT rewrite.
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal/path")
 
 		require.NoError(t, err)
@@ -725,7 +725,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 		// Per RFC 3986, these are the same authority.
 		target443, _ := url.Parse("https://heise.de:443")
 		p := newProxy("https")
-		modifyResp := p.rewriteLocationFunc(target443, "", newReq("https://public.example.com/"))
+		modifyResp := p.rewriteLocationFunc(target443, "", newReq("https://public.example.com/")) //nolint:bodyclose
 		resp := &http.Response{Header: http.Header{}}
 		resp.Header.Set("Location", "https://heise.de/path")
 
@@ -739,7 +739,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	t.Run("rewrites when target has :80 but redirect omits it for http", func(t *testing.T) {
 		target80, _ := url.Parse("http://backend.local:80")
 		p := newProxy("http")
-		modifyResp := p.rewriteLocationFunc(target80, "", newReq("http://public.example.com/"))
+		modifyResp := p.rewriteLocationFunc(target80, "", newReq("http://public.example.com/")) //nolint:bodyclose
 		resp := &http.Response{Header: http.Header{}}
 		resp.Header.Set("Location", "http://backend.local/path")
 
@@ -753,7 +753,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	t.Run("rewrites when redirect has :443 but target omits it", func(t *testing.T) {
 		targetNoPort, _ := url.Parse("https://heise.de")
 		p := newProxy("https")
-		modifyResp := p.rewriteLocationFunc(targetNoPort, "", newReq("https://public.example.com/"))
+		modifyResp := p.rewriteLocationFunc(targetNoPort, "", newReq("https://public.example.com/")) //nolint:bodyclose
 		resp := &http.Response{Header: http.Header{}}
 		resp.Header.Set("Location", "https://heise.de:443/path")
 
@@ -767,7 +767,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	t.Run("does not conflate non-default ports", func(t *testing.T) {
 		target8443, _ := url.Parse("https://backend.internal:8443")
 		p := newProxy("https")
-		modifyResp := p.rewriteLocationFunc(target8443, "", newReq("https://public.example.com/"))
+		modifyResp := p.rewriteLocationFunc(target8443, "", newReq("https://public.example.com/")) //nolint:bodyclose
 		resp := &http.Response{Header: http.Header{}}
 		resp.Header.Set("Location", "https://backend.internal/path")
 
@@ -781,7 +781,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	// --- Edge cases: encoded paths ---
 
 	t.Run("preserves percent-encoded path segments", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"),
+		resp, err := run(newProxy("https"), "", newReq("https://public.example.com/"), //nolint:bodyclose
 			"http://backend.internal:8080/path%20with%20spaces/file%2Fname")
 
 		require.NoError(t, err)
@@ -793,7 +793,7 @@ func TestRewriteLocationFunc(t *testing.T) {
 	})
 
 	t.Run("preserves encoded query parameters with path prefix", func(t *testing.T) {
-		resp, err := run(newProxy("https"), "/v1", newReq("https://public.example.com/v1/"),
+		resp, err := run(newProxy("https"), "/v1", newReq("https://public.example.com/v1/"), //nolint:bodyclose
 			"http://backend.internal:8080/redirect?url=http%3A%2F%2Fexample.com")
 
 		require.NoError(t, err)

proxy/internal/proxy/trustedproxy_test.go

@@ -25,7 +25,7 @@ func TestIsTrustedProxy(t *testing.T) {
 		{"IP within /24 prefix", "192.168.1.100", trusted, true},
 		{"IP outside all prefixes", "203.0.113.50", trusted, false},
 		{"boundary IP just outside prefix", "192.168.2.1", trusted, false},
-		{"unparseable IP", "not-an-ip", trusted, false},
+		{"unparsable IP", "not-an-ip", trusted, false},
 		{"IPv6 in trusted range", "fd00::1", trusted, true},
 		{"IPv6 outside range", "2001:db8::1", trusted, false},
 		{"empty string", "", trusted, false},

proxy/internal/roundtrip/netbird.go

@@ -55,8 +55,6 @@ type managementClient interface {
 	CreateProxyPeer(ctx context.Context, req *proto.CreateProxyPeerRequest, opts ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error)
 }
 
-type backendMetricRecorder func(duration time.Duration)
-
 // NetBird provides an http.RoundTripper implementation
 // backed by underlying NetBird connections.
 // Clients are keyed by AccountID, allowing multiple domains to share the same connection.
@@ -72,8 +70,6 @@ type NetBird struct {
 	clients        map[types.AccountID]*clientEntry
 	initLogOnce    sync.Once
 	statusNotifier statusNotifier
-
-	recordBackendDuration backendMetricRecorder
 }
 
 // ClientDebugInfo contains debug information about a client.
@@ -220,7 +216,7 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, d doma
 			if errors.Is(err, context.DeadlineExceeded) {
 				n.logger.WithFields(log.Fields{
 					"account_id": accountID,
-				}).Debug("netbird client start timed out, will retry on first request")
+				}).Warn("netbird client start timed out, will retry on first request")
 			} else {
 				n.logger.WithFields(log.Fields{
 					"account_id": accountID,
@@ -279,6 +275,7 @@ func (n *NetBird) RemovePeer(ctx context.Context, accountID types.AccountID, d d
 	entry, exists := n.clients[accountID]
 	if !exists {
 		n.clientsMux.Unlock()
+		n.logger.WithField("account_id", accountID).Debug("remove peer: account not found")
 		return nil
 	}
 
@@ -286,6 +283,10 @@ func (n *NetBird) RemovePeer(ctx context.Context, accountID types.AccountID, d d
 	domInfo, domainExists := entry.domains[d]
 	if !domainExists {
 		n.clientsMux.Unlock()
+		n.logger.WithFields(log.Fields{
+			"account_id": accountID,
+			"domain":     d,
+		}).Debug("remove peer: domain not registered")
 		return nil
 	}
 
@@ -379,10 +380,6 @@ func (n *NetBird) RoundTrip(req *http.Request) (*http.Response, error) {
 	resp, err := transport.RoundTrip(req)
 	duration := time.Since(start)
 
-	if n.recordBackendDuration != nil {
-		n.recordBackendDuration(duration)
-	}
-
 	if err != nil {
 		n.logger.Debugf("roundtrip: method=%s host=%s url=%s account=%s duration=%s err=%v",
 			req.Method, req.Host, req.URL.String(), accountID, duration.Truncate(time.Millisecond), err)
@@ -491,20 +488,19 @@ func (n *NetBird) ListClientsForStartup() map[types.AccountID]*embed.Client {
 // NewNetBird creates a new NetBird transport. Set wgPort to 0 for a random
 // OS-assigned port. A fixed port only works with single-account deployments;
 // multiple accounts will fail to bind the same port.
-func NewNetBird(mgmtAddr, proxyID, proxyAddr string, wgPort int, logger *log.Logger, notifier statusNotifier, mgmtClient managementClient, metric backendMetricRecorder) *NetBird {
+func NewNetBird(mgmtAddr, proxyID, proxyAddr string, wgPort int, logger *log.Logger, notifier statusNotifier, mgmtClient managementClient) *NetBird {
 	if logger == nil {
 		logger = log.StandardLogger()
 	}
 	return &NetBird{
-		mgmtAddr:              mgmtAddr,
-		proxyID:               proxyID,
-		proxyAddr:             proxyAddr,
-		wgPort:                wgPort,
-		logger:                logger,
-		clients:               make(map[types.AccountID]*clientEntry),
-		statusNotifier:        notifier,
-		mgmtClient:            mgmtClient,
-		recordBackendDuration: metric,
+		mgmtAddr:       mgmtAddr,
+		proxyID:        proxyID,
+		proxyAddr:      proxyAddr,
+		wgPort:         wgPort,
+		logger:         logger,
+		clients:        make(map[types.AccountID]*clientEntry),
+		statusNotifier: notifier,
+		mgmtClient:     mgmtClient,
 	}
 }
 

proxy/internal/roundtrip/netbird_test.go

@@ -23,7 +23,7 @@ func (m *mockMgmtClient) CreateProxyPeer(_ context.Context, _ *proto.CreateProxy
 // mockNetBird creates a NetBird instance for testing without actually connecting.
 // It uses an invalid management URL to prevent real connections.
 func mockNetBird() *NetBird {
-	return NewNetBird("http://invalid.test:9999", "test-proxy", "localhost", 0, nil, nil, &mockMgmtClient{}, nil)
+	return NewNetBird("http://invalid.test:9999", "test-proxy", "invalid.test", 0, nil, nil, &mockMgmtClient{})
 }
 
 func TestNetBird_AddPeer_CreatesClientForNewAccount(t *testing.T) {
@@ -235,7 +235,7 @@ func TestNetBird_RoundTrip_RequiresAccountIDInContext(t *testing.T) {
 	require.NoError(t, err)
 
 	// RoundTrip should fail because no account ID in context.
-	_, err = nb.RoundTrip(req)
+	_, err = nb.RoundTrip(req) //nolint:bodyclose
 	require.ErrorIs(t, err, ErrNoAccountID)
 }
 
@@ -249,7 +249,7 @@ func TestNetBird_RoundTrip_RequiresExistingClient(t *testing.T) {
 	req = req.WithContext(WithAccountID(req.Context(), accountID))
 
 	// RoundTrip should fail because no client for this account.
-	_, err = nb.RoundTrip(req)
+	_, err = nb.RoundTrip(req) //nolint:bodyclose // Error case, no response body
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "no peer connection found for account")
 }

proxy/management_integration_test.go

@@ -0,0 +1,548 @@
+package proxy
+
+import (
+	"context"
+	"crypto/ed25519"
+	"errors"
+	"crypto/rand"
+	"encoding/base64"
+	"net"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/users"
+	"github.com/netbirdio/netbird/proxy/internal/auth"
+	"github.com/netbirdio/netbird/proxy/internal/proxy"
+	proxytypes "github.com/netbirdio/netbird/proxy/internal/types"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// integrationTestSetup contains all real components for testing.
+type integrationTestSetup struct {
+	store        store.Store
+	proxyService *nbgrpc.ProxyServiceServer
+	grpcServer   *grpc.Server
+	grpcAddr     string
+	cleanup      func()
+	services     []*reverseproxy.Service
+}
+
+func setupIntegrationTest(t *testing.T) *integrationTestSetup {
+	t.Helper()
+
+	ctx := context.Background()
+
+	// Create real SQLite store
+	testStore, cleanup, err := store.NewTestStoreFromSQL(ctx, "", t.TempDir())
+	require.NoError(t, err)
+
+	// Create test account
+	testAccount := &types.Account{
+		Id:                     "test-account-1",
+		Domain:                 "test.com",
+		DomainCategory:         "private",
+		IsDomainPrimaryAccount: true,
+		CreatedAt:              time.Now(),
+	}
+	require.NoError(t, testStore.SaveAccount(ctx, testAccount))
+
+	// Generate session keys for reverse proxies
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+	pubKey := base64.StdEncoding.EncodeToString(pub)
+	privKey := base64.StdEncoding.EncodeToString(priv)
+
+	// Create test services in the store
+	services := []*reverseproxy.Service{
+		{
+			ID:        "rp-1",
+			AccountID: "test-account-1",
+			Name:      "Test App 1",
+			Domain:    "app1.test.proxy.io",
+			Targets: []*reverseproxy.Target{{
+				Path:       strPtr("/"),
+				Host:       "10.0.0.1",
+				Port:       8080,
+				Protocol:   "http",
+				TargetId:   "peer1",
+				TargetType: "peer",
+				Enabled:    true,
+			}},
+			Enabled:           true,
+			ProxyCluster:      "test.proxy.io",
+			SessionPrivateKey: privKey,
+			SessionPublicKey:  pubKey,
+		},
+		{
+			ID:        "rp-2",
+			AccountID: "test-account-1",
+			Name:      "Test App 2",
+			Domain:    "app2.test.proxy.io",
+			Targets: []*reverseproxy.Target{{
+				Path:       strPtr("/"),
+				Host:       "10.0.0.2",
+				Port:       8080,
+				Protocol:   "http",
+				TargetId:   "peer2",
+				TargetType: "peer",
+				Enabled:    true,
+			}},
+			Enabled:           true,
+			ProxyCluster:      "test.proxy.io",
+			SessionPrivateKey: privKey,
+			SessionPublicKey:  pubKey,
+		},
+	}
+
+	for _, svc := range services {
+		require.NoError(t, testStore.CreateService(ctx, svc))
+	}
+
+	// Create real token store
+	tokenStore := nbgrpc.NewOneTimeTokenStore(5 * time.Minute)
+
+	// Create real users manager
+	usersManager := users.NewManager(testStore)
+
+	// Create real proxy service server with minimal config
+	oidcConfig := nbgrpc.ProxyOIDCConfig{
+		Issuer:   "https://fake-issuer.example.com",
+		ClientID: "test-client",
+		HMACKey:  []byte("test-hmac-key"),
+	}
+
+	proxyService := nbgrpc.NewProxyServiceServer(
+		&testAccessLogManager{},
+		tokenStore,
+		oidcConfig,
+		nil,
+		usersManager,
+	)
+
+	// Use store-backed service manager
+	svcMgr := &storeBackedServiceManager{store: testStore, tokenStore: tokenStore}
+	proxyService.SetProxyManager(svcMgr)
+
+	// Start real gRPC server
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	grpcServer := grpc.NewServer()
+	proto.RegisterProxyServiceServer(grpcServer, proxyService)
+
+	go func() {
+		if err := grpcServer.Serve(lis); err != nil {
+			t.Logf("gRPC server error: %v", err)
+		}
+	}()
+
+	return &integrationTestSetup{
+		store:        testStore,
+		proxyService: proxyService,
+		grpcServer:   grpcServer,
+		grpcAddr:     lis.Addr().String(),
+		services:     services,
+		cleanup: func() {
+			grpcServer.GracefulStop()
+			cleanup()
+		},
+	}
+}
+
+// testAccessLogManager provides access log storage for testing.
+type testAccessLogManager struct{}
+
+func (m *testAccessLogManager) SaveAccessLog(_ context.Context, _ *accesslogs.AccessLogEntry) error {
+	return nil
+}
+
+func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string, _ *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	return nil, 0, nil
+}
+
+// storeBackedServiceManager reads directly from the real store.
+type storeBackedServiceManager struct {
+	store      store.Store
+	tokenStore *nbgrpc.OneTimeTokenStore
+}
+
+func (m *storeBackedServiceManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
+	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+}
+
+func (m *storeBackedServiceManager) GetService(ctx context.Context, accountID, userID, serviceID string) (*reverseproxy.Service, error) {
+	return m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
+}
+
+func (m *storeBackedServiceManager) CreateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (m *storeBackedServiceManager) UpdateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (m *storeBackedServiceManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
+	return nil
+}
+
+func (m *storeBackedServiceManager) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
+	return nil
+}
+
+func (m *storeBackedServiceManager) SetStatus(ctx context.Context, accountID, serviceID string, status reverseproxy.ProxyStatus) error {
+	return nil
+}
+
+func (m *storeBackedServiceManager) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
+	return nil
+}
+
+func (m *storeBackedServiceManager) ReloadService(ctx context.Context, accountID, serviceID string) error {
+	return nil
+}
+
+func (m *storeBackedServiceManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
+	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, "test-account-1")
+}
+
+func (m *storeBackedServiceManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*reverseproxy.Service, error) {
+	return m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
+}
+
+func (m *storeBackedServiceManager) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
+	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+}
+
+func (m *storeBackedServiceManager) GetServiceIDByTargetID(ctx context.Context, accountID string, targetID string) (string, error) {
+	return "", nil
+}
+
+func strPtr(s string) *string {
+	return &s
+}
+
+func TestIntegration_ProxyConnection_HappyPath(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	require.NoError(t, err)
+	defer conn.Close()
+
+	client := proto.NewProxyServiceClient(conn)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	stream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
+		ProxyId: "test-proxy-1",
+		Version: "test-v1",
+		Address: "https://test.proxy.io",
+	})
+	require.NoError(t, err)
+
+	// Receive all mappings from the snapshot - server sends each mapping individually
+	mappingsByID := make(map[string]*proto.ProxyMapping)
+	for i := 0; i < 2; i++ {
+		msg, err := stream.Recv()
+		require.NoError(t, err)
+		for _, m := range msg.GetMapping() {
+			mappingsByID[m.GetId()] = m
+		}
+	}
+
+	// Should receive 2 mappings total
+	assert.Len(t, mappingsByID, 2, "Should receive 2 reverse proxy mappings")
+
+	rp1 := mappingsByID["rp-1"]
+	require.NotNil(t, rp1)
+	assert.Equal(t, "app1.test.proxy.io", rp1.GetDomain())
+	assert.Equal(t, "test-account-1", rp1.GetAccountId())
+	assert.Equal(t, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED, rp1.GetType())
+	assert.NotEmpty(t, rp1.GetAuthToken(), "Should have auth token for peer creation")
+
+	rp2 := mappingsByID["rp-2"]
+	require.NotNil(t, rp2)
+	assert.Equal(t, "app2.test.proxy.io", rp2.GetDomain())
+}
+
+func TestIntegration_ProxyConnection_SendsClusterAddress(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	require.NoError(t, err)
+	defer conn.Close()
+
+	client := proto.NewProxyServiceClient(conn)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	clusterAddress := "https://test.proxy.io"
+
+	stream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
+		ProxyId: "test-proxy-cluster",
+		Version: "test-v1",
+		Address: clusterAddress,
+	})
+	require.NoError(t, err)
+
+	// Receive all mappings - server sends each mapping individually
+	mappings := make([]*proto.ProxyMapping, 0)
+	for i := 0; i < 2; i++ {
+		msg, err := stream.Recv()
+		require.NoError(t, err)
+		mappings = append(mappings, msg.GetMapping()...)
+	}
+
+	// Should receive the 2 mappings matching the cluster
+	assert.Len(t, mappings, 2, "Should receive mappings for the cluster")
+
+	for _, mapping := range mappings {
+		t.Logf("Received mapping: id=%s domain=%s", mapping.GetId(), mapping.GetDomain())
+	}
+}
+
+func TestIntegration_ProxyConnection_Reconnect_ReceivesSameConfig(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	require.NoError(t, err)
+	defer conn.Close()
+
+	client := proto.NewProxyServiceClient(conn)
+
+	clusterAddress := "https://test.proxy.io"
+	proxyID := "test-proxy-reconnect"
+
+	// Helper to receive all mappings from a stream
+	receiveMappings := func(stream proto.ProxyService_GetMappingUpdateClient, count int) []*proto.ProxyMapping {
+		var mappings []*proto.ProxyMapping
+		for i := 0; i < count; i++ {
+			msg, err := stream.Recv()
+			require.NoError(t, err)
+			mappings = append(mappings, msg.GetMapping()...)
+		}
+		return mappings
+	}
+
+	// First connection
+	ctx1, cancel1 := context.WithTimeout(context.Background(), 5*time.Second)
+	stream1, err := client.GetMappingUpdate(ctx1, &proto.GetMappingUpdateRequest{
+		ProxyId: proxyID,
+		Version: "test-v1",
+		Address: clusterAddress,
+	})
+	require.NoError(t, err)
+
+	firstMappings := receiveMappings(stream1, 2)
+	cancel1()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// Second connection (simulating reconnect)
+	ctx2, cancel2 := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel2()
+
+	stream2, err := client.GetMappingUpdate(ctx2, &proto.GetMappingUpdateRequest{
+		ProxyId: proxyID,
+		Version: "test-v1",
+		Address: clusterAddress,
+	})
+	require.NoError(t, err)
+
+	secondMappings := receiveMappings(stream2, 2)
+
+	// Should receive the same mappings
+	assert.Equal(t, len(firstMappings), len(secondMappings),
+		"Should receive same number of mappings on reconnect")
+
+	firstIDs := make(map[string]bool)
+	for _, m := range firstMappings {
+		firstIDs[m.GetId()] = true
+	}
+
+	for _, m := range secondMappings {
+		assert.True(t, firstIDs[m.GetId()],
+			"Mapping %s should be present in both connections", m.GetId())
+	}
+}
+
+func TestIntegration_ProxyConnection_ReconnectDoesNotDuplicateState(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	require.NoError(t, err)
+	defer conn.Close()
+
+	client := proto.NewProxyServiceClient(conn)
+
+	// Use real auth middleware and proxy to verify idempotency
+	logger := log.New()
+	logger.SetLevel(log.WarnLevel)
+
+	authMw := auth.NewMiddleware(logger, nil)
+	proxyHandler := proxy.NewReverseProxy(nil, "auto", nil, logger)
+
+	clusterAddress := "https://test.proxy.io"
+	proxyID := "test-proxy-idempotent"
+
+	var addMappingCalls atomic.Int32
+
+	applyMappings := func(mappings []*proto.ProxyMapping) {
+		for _, mapping := range mappings {
+			if mapping.GetType() == proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED {
+				addMappingCalls.Add(1)
+
+				// Apply to real auth middleware (idempotent)
+				err := authMw.AddDomain(
+					mapping.GetDomain(),
+					nil,
+					"",
+					0,
+					mapping.GetAccountId(),
+					mapping.GetId(),
+				)
+				require.NoError(t, err)
+
+				// Apply to real proxy (idempotent)
+				proxyHandler.AddMapping(proxy.Mapping{
+					Host:      mapping.GetDomain(),
+					ID:        mapping.GetId(),
+					AccountID: proxytypes.AccountID(mapping.GetAccountId()),
+				})
+			}
+		}
+	}
+
+	// Helper to receive and apply all mappings
+	receiveAndApply := func(stream proto.ProxyService_GetMappingUpdateClient) {
+		for i := 0; i < 2; i++ {
+			msg, err := stream.Recv()
+			require.NoError(t, err)
+			applyMappings(msg.GetMapping())
+		}
+	}
+
+	// First connection
+	ctx1, cancel1 := context.WithTimeout(context.Background(), 5*time.Second)
+	stream1, err := client.GetMappingUpdate(ctx1, &proto.GetMappingUpdateRequest{
+		ProxyId: proxyID,
+		Version: "test-v1",
+		Address: clusterAddress,
+	})
+	require.NoError(t, err)
+
+	receiveAndApply(stream1)
+	cancel1()
+
+	firstCallCount := addMappingCalls.Load()
+	t.Logf("First connection: applied %d mappings", firstCallCount)
+
+	time.Sleep(100 * time.Millisecond)
+
+	// Second connection
+	ctx2, cancel2 := context.WithTimeout(context.Background(), 5*time.Second)
+	stream2, err := client.GetMappingUpdate(ctx2, &proto.GetMappingUpdateRequest{
+		ProxyId: proxyID,
+		Version: "test-v1",
+		Address: clusterAddress,
+	})
+	require.NoError(t, err)
+
+	receiveAndApply(stream2)
+	cancel2()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// Third connection
+	ctx3, cancel3 := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel3()
+
+	stream3, err := client.GetMappingUpdate(ctx3, &proto.GetMappingUpdateRequest{
+		ProxyId: proxyID,
+		Version: "test-v1",
+		Address: clusterAddress,
+	})
+	require.NoError(t, err)
+
+	receiveAndApply(stream3)
+
+	totalCalls := addMappingCalls.Load()
+	t.Logf("After three connections: total applied %d mappings", totalCalls)
+
+	// Should have called addMapping 6 times (2 mappings x 3 connections)
+	// But internal state is NOT duplicated because auth and proxy use maps keyed by domain/host
+	assert.Equal(t, int32(6), totalCalls, "Should have 6 total calls (2 mappings x 3 connections)")
+}
+
+func TestIntegration_ProxyConnection_MultipleProxiesReceiveUpdates(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	clusterAddress := "https://test.proxy.io"
+
+	var wg sync.WaitGroup
+	var mu sync.Mutex
+	receivedByProxy := make(map[string]int)
+
+	for i := 1; i <= 3; i++ {
+		wg.Add(1)
+		go func(proxyNum int) {
+			defer wg.Done()
+
+			conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+			require.NoError(t, err)
+			defer conn.Close()
+
+			client := proto.NewProxyServiceClient(conn)
+
+			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+
+			proxyID := "test-proxy-" + string(rune('A'+proxyNum-1))
+
+			stream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
+				ProxyId: proxyID,
+				Version: "test-v1",
+				Address: clusterAddress,
+			})
+			require.NoError(t, err)
+
+			// Receive all mappings - server sends each mapping individually
+			count := 0
+			for i := 0; i < 2; i++ {
+				msg, err := stream.Recv()
+				require.NoError(t, err)
+				count += len(msg.GetMapping())
+			}
+
+			mu.Lock()
+			receivedByProxy[proxyID] = count
+			mu.Unlock()
+		}(i)
+	}
+
+	wg.Wait()
+
+	for proxyID, count := range receivedByProxy {
+		assert.Equal(t, 2, count, "Proxy %s should receive 2 mappings", proxyID)
+	}
+}

proxy/server.go

@@ -61,6 +61,7 @@ type Server struct {
 	debug         *http.Server
 	healthServer  *health.Server
 	healthChecker *health.Checker
+	meter         *metrics.Metrics
 
 	// Mostly used for debugging on management.
 	startTime time.Time
@@ -76,6 +77,9 @@ type Server struct {
 	GenerateACMECertificates bool
 	ACMEChallengeAddress     string
 	ACMEDirectory            string
+	// ACMEChallengeType specifies the ACME challenge type: "http-01" or "tls-alpn-01".
+	// Defaults to "tls-alpn-01" if not specified.
+	ACMEChallengeType string
 	// CertLockMethod controls how ACME certificate locks are coordinated
 	// across replicas. Default: CertLockAuto (detect environment).
 	CertLockMethod   acme.CertLockMethod
@@ -151,7 +155,7 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 
 	// Start up metrics gathering
 	reg := prometheus.NewRegistry()
-	meter := metrics.New(reg)
+	s.meter = metrics.New(reg)
 
 	// The very first thing to do should be to connect to the Management server.
 	// Without this connection, the Proxy cannot do anything.
@@ -199,37 +203,43 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 
 	// Initialize the netbird client, this is required to build peer connections
 	// to proxy over.
-	s.netbird = roundtrip.NewNetBird(s.ManagementAddress, s.ID, s.ProxyURL, s.WireguardPort, s.Logger, s, s.mgmtClient, meter.CompleteRoundTrip)
+	s.netbird = roundtrip.NewNetBird(s.ManagementAddress, s.ID, s.ProxyURL, s.WireguardPort, s.Logger, s, s.mgmtClient)
 
 	// When generating ACME certificates, start a challenge server.
 	tlsConfig := &tls.Config{}
 	if s.GenerateACMECertificates {
-		s.Logger.WithField("acme_server", s.ACMEDirectory).Debug("ACME certificates enabled, configuring certificate manager")
-		s.acme = acme.NewManager(s.CertificateDirectory, s.ACMEDirectory, s, s.Logger, s.CertLockMethod)
-		s.http = &http.Server{
-			Addr:    s.ACMEChallengeAddress,
-			Handler: s.acme.HTTPHandler(nil),
+		// Default to TLS-ALPN-01 challenge if not specified
+		if s.ACMEChallengeType == "" {
+			s.ACMEChallengeType = "tls-alpn-01"
 		}
-		go func() {
-			if err := s.http.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
-				s.Logger.WithError(err).Error("ACME HTTP-01 challenge server failed")
+		s.Logger.WithFields(log.Fields{
+			"acme_server":    s.ACMEDirectory,
+			"challenge_type": s.ACMEChallengeType,
+		}).Debug("ACME certificates enabled, configuring certificate manager")
+		s.acme = acme.NewManager(s.CertificateDirectory, s.ACMEDirectory, s, s.Logger, s.CertLockMethod)
+
+		// Only start HTTP server for HTTP-01 challenge type
+		if s.ACMEChallengeType == "http-01" {
+			s.http = &http.Server{
+				Addr:    s.ACMEChallengeAddress,
+				Handler: s.acme.HTTPHandler(nil),
 			}
-		}()
+			go func() {
+				if err := s.http.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+					s.Logger.WithError(err).Error("ACME HTTP-01 challenge server failed")
+				}
+			}()
+		}
 		tlsConfig = s.acme.TLSConfig()
 
-		// If the ProxyURL is not set, then fallback to the server address.
-		// Hopefully that should give at least something that we can use.
-		// If it doesn't, then autocert probably won't work correctly.
-		if s.ProxyURL == "" {
-			s.ProxyURL, _, _ = net.SplitHostPort(addr)
-		}
 		// ServerName needs to be set to allow for ACME to work correctly
 		// when using CNAME URLs to access the proxy.
 		tlsConfig.ServerName = s.ProxyURL
 
 		s.Logger.WithFields(log.Fields{
-			"ServerName": s.ProxyURL,
-		}).Debug("started ACME challenge server")
+			"ServerName":     s.ProxyURL,
+			"challenge_type": s.ACMEChallengeType,
+		}).Debug("ACME certificate manager configured")
 	} else {
 		s.Logger.Debug("ACME certificates disabled, using static certificates with file watching")
 		certPath := filepath.Join(s.CertificateDirectory, s.CertificateFile)
@@ -245,7 +255,7 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 	}
 
 	// Configure the reverse proxy using NetBird's HTTP Client Transport for proxying.
-	s.proxy = proxy.NewReverseProxy(s.netbird, s.ForwardedProto, s.TrustedProxies, s.Logger)
+	s.proxy = proxy.NewReverseProxy(s.meter.RoundTripper(s.netbird), s.ForwardedProto, s.TrustedProxies, s.Logger)
 
 	// Configure the authentication middleware with session validator for OIDC group checks.
 	s.auth = auth.NewMiddleware(s.Logger, s.mgmtClient)
@@ -292,7 +302,7 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 	// Start the reverse proxy HTTPS server.
 	s.https = &http.Server{
 		Addr:      addr,
-		Handler:   meter.Middleware(accessLog.Middleware(web.AssetHandler(s.auth.Protect(s.proxy)))),
+		Handler:   s.meter.Middleware(accessLog.Middleware(web.AssetHandler(s.auth.Protect(s.proxy)))),
 		TLSConfig: tlsConfig,
 	}
 
@@ -502,17 +512,22 @@ func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.Pr
 						}).Error("Error adding new mapping, ignoring this mapping and continuing processing")
 					}
 				case proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED:
-					s.updateMapping(ctx, mapping)
+					if err := s.updateMapping(ctx, mapping); err != nil {
+						s.Logger.WithFields(log.Fields{
+							"service_id": mapping.GetId(),
+							"domain":     mapping.GetDomain(),
+						}).Errorf("failed to update mapping: %v", err)
+					}
 				case proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED:
 					s.removeMapping(ctx, mapping)
 				}
 			}
 			s.Logger.Debug("Processing mapping update completed")
 
-			// After the first mapping sync, mark the initial sync complete.
-			// Client health is checked directly in the startup probe.
-			if !*initialSyncDone && s.healthChecker != nil {
-				s.healthChecker.SetInitialSyncComplete()
+			if !*initialSyncDone && msg.GetInitialSyncComplete() {
+				if s.healthChecker != nil {
+					s.healthChecker.SetInitialSyncComplete()
+				}
 				*initialSyncDone = true
 				s.Logger.Info("Initial mapping sync complete")
 			}
@@ -536,11 +551,14 @@ func (s *Server) addMapping(ctx context.Context, mapping *proto.ProxyMapping) er
 	// Pass the mapping through to the update function to avoid duplicating the
 	// setup, currently update is simply a subset of this function, so this
 	// separation makes sense...to me at least.
-	s.updateMapping(ctx, mapping)
+	if err := s.updateMapping(ctx, mapping); err != nil {
+		s.removeMapping(ctx, mapping)
+		return fmt.Errorf("update mapping for domain %q: %w", d, err)
+	}
 	return nil
 }
 
-func (s *Server) updateMapping(ctx context.Context, mapping *proto.ProxyMapping) {
+func (s *Server) updateMapping(ctx context.Context, mapping *proto.ProxyMapping) error {
 	// Very simple implementation here, we don't touch the existing peer
 	// connection or any existing TLS configuration, we simply overwrite
 	// the auth and proxy mappings.
@@ -559,10 +577,11 @@ func (s *Server) updateMapping(ctx context.Context, mapping *proto.ProxyMapping)
 
 	maxSessionAge := time.Duration(mapping.GetAuth().GetMaxSessionAgeSeconds()) * time.Second
 	if err := s.auth.AddDomain(mapping.GetDomain(), schemes, mapping.GetAuth().GetSessionKey(), maxSessionAge, mapping.GetAccountId(), mapping.GetId()); err != nil {
-		s.Logger.WithField("domain", mapping.GetDomain()).WithError(err).Error("Auth setup failed, refusing to serve domain without authentication")
-		return
+		return fmt.Errorf("auth setup for domain %s: %w", mapping.GetDomain(), err)
 	}
 	s.proxy.AddMapping(s.protoToMapping(mapping))
+	s.meter.AddMapping(s.protoToMapping(mapping))
+	return nil
 }
 
 func (s *Server) removeMapping(ctx context.Context, mapping *proto.ProxyMapping) {
@@ -580,6 +599,7 @@ func (s *Server) removeMapping(ctx context.Context, mapping *proto.ProxyMapping)
 	}
 	s.auth.RemoveDomain(mapping.GetDomain())
 	s.proxy.RemoveMapping(s.protoToMapping(mapping))
+	s.meter.RemoveMapping(s.protoToMapping(mapping))
 }
 
 func (s *Server) protoToMapping(mapping *proto.ProxyMapping) proxy.Mapping {
@@ -594,8 +614,8 @@ func (s *Server) protoToMapping(mapping *proto.ProxyMapping) proxy.Mapping {
 				"domain":     mapping.GetDomain(),
 				"path":       pathMapping.GetPath(),
 				"target":     pathMapping.GetTarget(),
-				"error":      err,
-			}).Error("Error parsing target URL for path, this path will be ignored but other paths will still be configured")
+			}).WithError(err).Error("failed to parse target URL for path, skipping")
+			continue
 		}
 		paths[pathMapping.GetPath()] = targetURL
 	}

proxy/web/src/ErrorPage.tsx

@@ -44,7 +44,7 @@ export function ErrorPage({ code, title, message, proxy = true, destination = tr
         </Button>
         <Button
           variant="secondary"
-          onClick={() => window.open("https://docs.netbird.io", "_blank")}
+          onClick={() => window.open("https://docs.netbird.io", "_blank", "noopener,noreferrer")}
         >
           <BookText size={16} />
           Documentation

proxy/web/web.go

@@ -109,7 +109,7 @@ func ServeHTTP(w http.ResponseWriter, r *http.Request, data any, statusCode ...i
 	if err := tmpl.Execute(&buf, struct {
 		Data template.JS
 	}{
-		Data: template.JS(dataJSON),
+		Data: template.JS(dataJSON), //nolint:gosec
 	}); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return

shared/management/http/api/openapi.yml

@@ -7030,7 +7030,7 @@ paths:
           "$ref": "#/components/responses/not_found"
         '500':
           "$ref": "#/components/responses/internal_error"
-  /api/services/domains/{domainId}:
+  /api/reverse-proxies/domains/{domainId}:
     delete:
       summary: Delete a Custom domain
       description: Delete an existing service custom domain
@@ -7058,7 +7058,7 @@ paths:
           "$ref": "#/components/responses/not_found"
         '500':
           "$ref": "#/components/responses/internal_error"
-  /api/services/domains/{domainId}/validate:
+  /api/reverse-proxies/domains/{domainId}/validate:
     get:
       summary: Validate a custom domain
       description: Trigger domain ownership validation for a custom domain

shared/management/proto/proxy_service.pb.go

@@ -209,6 +209,9 @@ type GetMappingUpdateResponse struct {
 	unknownFields protoimpl.UnknownFields
 
 	Mapping []*ProxyMapping `protobuf:"bytes,1,rep,name=mapping,proto3" json:"mapping,omitempty"`
+	// initial_sync_complete is set on the last message of the initial snapshot.
+	// The proxy uses this to signal that startup is complete.
+	InitialSyncComplete bool `protobuf:"varint,2,opt,name=initial_sync_complete,json=initialSyncComplete,proto3" json:"initial_sync_complete,omitempty"`
 }
 
 func (x *GetMappingUpdateResponse) Reset() {
@@ -250,6 +253,13 @@ func (x *GetMappingUpdateResponse) GetMapping() []*ProxyMapping {
 	return nil
 }
 
+func (x *GetMappingUpdateResponse) GetInitialSyncComplete() bool {
+	if x != nil {
+		return x.InitialSyncComplete
+	}
+	return false
+}
+
 type PathMapping struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -1484,222 +1494,225 @@ var file_proxy_service_proto_rawDesc = []byte{
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,
 	0x61, 0x6d, 0x70, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x18,
 	0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x4e, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x4d,
-	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52,
-	0x07, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x39, 0x0a, 0x0b, 0x50, 0x61, 0x74, 0x68,
-	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x16, 0x0a, 0x06, 0x74,
-	0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72,
-	0x67, 0x65, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f,
-	0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x73,
-	0x73, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x35, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x73,
-	0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x65, 0x63, 0x6f, 0x6e,
-	0x64, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x14, 0x6d, 0x61, 0x78, 0x53, 0x65, 0x73,
-	0x73, 0x69, 0x6f, 0x6e, 0x41, 0x67, 0x65, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x1a,
-	0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x69,
-	0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x70, 0x69, 0x6e, 0x12, 0x12, 0x0a, 0x04,
-	0x6f, 0x69, 0x64, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x6f, 0x69, 0x64, 0x63,
-	0x22, 0xe0, 0x02, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
-	0x67, 0x12, 0x36, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x22, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54,
-	0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63,
-	0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61,
-	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
-	0x12, 0x2b, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x61, 0x74, 0x68,
-	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x1d, 0x0a,
-	0x0a, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x09, 0x61, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x2e, 0x0a, 0x04,
-	0x61, 0x75, 0x74, 0x68, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x04, 0x61, 0x75, 0x74, 0x68, 0x12, 0x28, 0x0a, 0x10,
-	0x70, 0x61, 0x73, 0x73, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
-	0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x70, 0x61, 0x73, 0x73, 0x48, 0x6f, 0x73, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x2b, 0x0a, 0x11, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74,
-	0x65, 0x5f, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x10, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65,
-	0x63, 0x74, 0x73, 0x22, 0x3f, 0x0a, 0x14, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73,
-	0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x03, 0x6c,
-	0x6f, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52,
-	0x03, 0x6c, 0x6f, 0x67, 0x22, 0x17, 0x0a, 0x15, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65,
-	0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xa0, 0x03,
-	0x0a, 0x09, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x12, 0x38, 0x0a, 0x09, 0x74,
-	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65,
-	0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x15, 0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x64, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a,
-	0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x73,
-	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x6f,
-	0x73, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x12,
-	0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61,
-	0x74, 0x68, 0x12, 0x1f, 0x0a, 0x0b, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d,
-	0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0a, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x4d, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x23, 0x0a, 0x0d, 0x72,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x09, 0x20, 0x01,
-	0x28, 0x05, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x43, 0x6f, 0x64, 0x65,
-	0x12, 0x1b, 0x0a, 0x09, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x70, 0x18, 0x0a, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x70, 0x12, 0x25, 0x0a,
-	0x0e, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x18,
-	0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x63, 0x68, 0x61,
-	0x6e, 0x69, 0x73, 0x6d, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18,
-	0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x21, 0x0a,
-	0x0c, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x0d, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73,
-	0x22, 0xb6, 0x01, 0x0a, 0x13, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f,
-	0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63,
-	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x39, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77,
-	0x6f, 0x72, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f,
-	0x72, 0x64, 0x12, 0x2a, 0x0a, 0x03, 0x70, 0x69, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x69, 0x6e,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x03, 0x70, 0x69, 0x6e, 0x42, 0x09,
-	0x0a, 0x07, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x2d, 0x0a, 0x0f, 0x50, 0x61, 0x73,
-	0x73, 0x77, 0x6f, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08,
-	0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
-	0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x1e, 0x0a, 0x0a, 0x50, 0x69, 0x6e, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x69, 0x6e, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x69, 0x6e, 0x22, 0x55, 0x0a, 0x14, 0x41, 0x75, 0x74, 0x68,
-	0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x73, 0x65,
-	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0c, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22,
-	0xf3, 0x01, 0x0a, 0x17, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70,
-	0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x73,
-	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63,
-	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
-	0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x06, 0x73, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x17, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x74,
-	0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2d, 0x0a, 0x12, 0x63, 0x65,
-	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64,
-	0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
-	0x61, 0x74, 0x65, 0x49, 0x73, 0x73, 0x75, 0x65, 0x64, 0x12, 0x28, 0x0a, 0x0d, 0x65, 0x72, 0x72,
-	0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
-	0x48, 0x00, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
-	0x88, 0x01, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x1a, 0x0a, 0x18, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0xb8, 0x01, 0x0a, 0x16, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78,
-	0x79, 0x50, 0x65, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a,
-	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61,
-	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f,
-	0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
-	0x12, 0x30, 0x0a, 0x14, 0x77, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x5f, 0x70, 0x75,
-	0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12,
-	0x77, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b,
-	0x65, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x22, 0x6f, 0x0a, 0x17,
-	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x50, 0x65, 0x65, 0x72, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65,
-	0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73,
-	0x73, 0x12, 0x28, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f,
-	0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x88, 0x01, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f,
-	0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x65, 0x0a,
-	0x11, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02,
-	0x69, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49,
-	0x64, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x5f, 0x75, 0x72,
-	0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63,
-	0x74, 0x55, 0x72, 0x6c, 0x22, 0x26, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43, 0x55,
-	0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72,
-	0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x55, 0x0a, 0x16,
-	0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x23,
-	0x0a, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x6f,
-	0x6b, 0x65, 0x6e, 0x22, 0x8c, 0x01, 0x0a, 0x17, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65,
-	0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x69, 0x64, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d,
-	0x0a, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, 0x72, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x12, 0x23, 0x0a,
-	0x0d, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64, 0x52, 0x65, 0x61, 0x73,
-	0x6f, 0x6e, 0x2a, 0x64, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69,
-	0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x13,
-	0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41,
-	0x54, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f,
-	0x54, 0x59, 0x50, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x01, 0x12,
-	0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x52,
-	0x45, 0x4d, 0x4f, 0x56, 0x45, 0x44, 0x10, 0x02, 0x2a, 0xc8, 0x01, 0x0a, 0x0b, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a, 0x14, 0x50, 0x52, 0x4f, 0x58,
-	0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47,
-	0x10, 0x00, 0x12, 0x17, 0x0a, 0x13, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54,
-	0x55, 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x50,
-	0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x55, 0x4e, 0x4e,
-	0x45, 0x4c, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02,
-	0x12, 0x24, 0x0a, 0x20, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
-	0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x50, 0x45, 0x4e,
-	0x44, 0x49, 0x4e, 0x47, 0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f,
-	0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41,
-	0x54, 0x45, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04, 0x12, 0x16, 0x0a, 0x12, 0x50,
-	0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f,
-	0x52, 0x10, 0x05, 0x32, 0xfc, 0x04, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69,
-	0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
-	0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e,
+	0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x82, 0x01, 0x0a, 0x18, 0x47, 0x65, 0x74,
+	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+	0x52, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x0a, 0x15, 0x69, 0x6e, 0x69,
+	0x74, 0x69, 0x61, 0x6c, 0x5f, 0x73, 0x79, 0x6e, 0x63, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6c, 0x65,
+	0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61,
+	0x6c, 0x53, 0x79, 0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x22, 0x39, 0x0a,
+	0x0b, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04,
+	0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68,
+	0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0e, 0x41, 0x75, 0x74,
+	0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x73,
+	0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x35, 0x0a, 0x17,
+	0x6d, 0x61, 0x78, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x67, 0x65, 0x5f,
+	0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x14, 0x6d,
+	0x61, 0x78, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x67, 0x65, 0x53, 0x65, 0x63, 0x6f,
+	0x6e, 0x64, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x12,
+	0x10, 0x0a, 0x03, 0x70, 0x69, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x70, 0x69,
+	0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6f, 0x69, 0x64, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x04, 0x6f, 0x69, 0x64, 0x63, 0x22, 0xe0, 0x02, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d,
+	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x36, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70,
+	0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x0e,
+	0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d,
+	0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a,
+	0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
+	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2b, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x05, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x2e, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x04, 0x70, 0x61,
+	0x74, 0x68, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
+	0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x12, 0x2e, 0x0a, 0x04, 0x61, 0x75, 0x74, 0x68, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x75, 0x74,
+	0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x04, 0x61, 0x75, 0x74,
+	0x68, 0x12, 0x28, 0x0a, 0x10, 0x70, 0x61, 0x73, 0x73, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x68,
+	0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x70, 0x61, 0x73,
+	0x73, 0x48, 0x6f, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x2b, 0x0a, 0x11, 0x72,
+	0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x5f, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x73,
+	0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x52,
+	0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x73, 0x22, 0x3f, 0x0a, 0x14, 0x53, 0x65, 0x6e, 0x64,
+	0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x12, 0x27, 0x0a, 0x03, 0x6c, 0x6f, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73,
+	0x73, 0x4c, 0x6f, 0x67, 0x52, 0x03, 0x6c, 0x6f, 0x67, 0x22, 0x17, 0x0a, 0x15, 0x53, 0x65, 0x6e,
+	0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0xa0, 0x03, 0x0a, 0x09, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67,
+	0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,
+	0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x15, 0x0a, 0x06, 0x6c, 0x6f,
+	0x67, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49,
+	0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64,
+	0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12,
+	0x12, 0x0a, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68,
+	0x6f, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x1f, 0x0a, 0x0b, 0x64, 0x75, 0x72, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0a, 0x64, 0x75,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x68,
+	0x6f, 0x64, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64,
+	0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x5f, 0x63, 0x6f, 0x64,
+	0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f,
+	0x69, 0x70, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
+	0x49, 0x70, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6d, 0x65, 0x63, 0x68, 0x61,
+	0x6e, 0x69, 0x73, 0x6d, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x75, 0x74, 0x68,
+	0x4d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65,
+	0x72, 0x5f, 0x69, 0x64, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72,
+	0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x73, 0x75, 0x63, 0x63, 0x65,
+	0x73, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x53, 0x75,
+	0x63, 0x63, 0x65, 0x73, 0x73, 0x22, 0xb6, 0x01, 0x0a, 0x13, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e,
+	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a,
+	0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a,
+	0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x39, 0x0a, 0x08,
+	0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x61, 0x73, 0x73,
+	0x77, 0x6f, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x08, 0x70,
+	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x12, 0x2a, 0x0a, 0x03, 0x70, 0x69, 0x6e, 0x18, 0x04,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x50, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x03,
+	0x70, 0x69, 0x6e, 0x42, 0x09, 0x0a, 0x07, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x2d,
+	0x0a, 0x0f, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x1e, 0x0a,
+	0x0a, 0x50, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x70,
+	0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x69, 0x6e, 0x22, 0x55, 0x0a,
+	0x14, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12,
+	0x23, 0x0a, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xf3, 0x01, 0x0a, 0x17, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61,
+	0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12,
+	0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x2f,
+	0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x17,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78,
+	0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12,
+	0x2d, 0x0a, 0x12, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x69,
+	0x73, 0x73, 0x75, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x63, 0x65, 0x72,
+	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x49, 0x73, 0x73, 0x75, 0x65, 0x64, 0x12, 0x28,
+	0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x88, 0x01, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x65, 0x72, 0x72,
+	0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x1a, 0x0a, 0x18, 0x53, 0x65,
+	0x6e, 0x64, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xb8, 0x01, 0x0a, 0x16, 0x43, 0x72, 0x65, 0x61, 0x74,
+	0x65, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x50, 0x65, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64,
+	0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12,
+	0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x30, 0x0a, 0x14, 0x77, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61,
+	0x72, 0x64, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x12, 0x77, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x50, 0x75,
+	0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74,
+	0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65,
+	0x72, 0x22, 0x6f, 0x0a, 0x17, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78, 0x79,
+	0x50, 0x65, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07,
+	0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x73,
+	0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x28, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f,
+	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52,
+	0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x88, 0x01, 0x01,
+	0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61,
+	0x67, 0x65, 0x22, 0x65, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f, 0x75,
+	0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x63,
+	0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65,
+	0x63, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x72, 0x65,
+	0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x72, 0x6c, 0x22, 0x26, 0x0a, 0x12, 0x47, 0x65, 0x74,
+	0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
+	0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72,
+	0x6c, 0x22, 0x55, 0x0a, 0x16, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73,
+	0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x64,
+	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d,
+	0x61, 0x69, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x74,
+	0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x73, 0x73,
+	0x69, 0x6f, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x8c, 0x01, 0x0a, 0x17, 0x56, 0x61, 0x6c,
+	0x69, 0x64, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73,
+	0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65,
+	0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x65, 0x6d, 0x61, 0x69,
+	0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, 0x72, 0x45, 0x6d, 0x61,
+	0x69, 0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x61,
+	0x73, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x6e, 0x69, 0x65,
+	0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x2a, 0x64, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79,
+	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70,
+	0x65, 0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45,
+	0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50,
+	0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x49, 0x46, 0x49,
+	0x45, 0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54,
+	0x59, 0x50, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x56, 0x45, 0x44, 0x10, 0x02, 0x2a, 0xc8, 0x01,
+	0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a,
+	0x14, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45,
+	0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x17, 0x0a, 0x13, 0x50, 0x52, 0x4f, 0x58, 0x59,
+	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01,
+	0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
+	0x5f, 0x54, 0x55, 0x4e, 0x4e, 0x45, 0x4c, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x43, 0x52, 0x45, 0x41,
+	0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x24, 0x0a, 0x20, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53,
+	0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54,
+	0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x50,
+	0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54,
+	0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04,
+	0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
+	0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x05, 0x32, 0xfc, 0x04, 0x0a, 0x0c, 0x50, 0x72, 0x6f,
+	0x78, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x10, 0x47, 0x65, 0x74,
+	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e,
 	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61,
-	0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x54, 0x0a, 0x0d, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63,
-	0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x12, 0x20, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f,
-	0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
-	0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x51, 0x0a, 0x0c, 0x41,
-	0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1f, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74,
-	0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e,
-	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5d,
-	0x0a, 0x10, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61,
-	0x74, 0x65, 0x12, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x54, 0x0a, 0x0d, 0x53, 0x65,
+	0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x12, 0x20, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63,
+	0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x41,
+	0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x51, 0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65,
+	0x12, 0x1f, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41, 0x75,
+	0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x20, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x41,
+	0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x12, 0x5d, 0x0a, 0x10, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61, 0x74, 0x75,
+	0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
 	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55,
-	0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a,
-	0x0f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x50, 0x65, 0x65, 0x72,
-	0x12, 0x22, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x72,
-	0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x50, 0x65, 0x65, 0x72, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x50, 0x65, 0x65,
-	0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a, 0x0a, 0x47, 0x65, 0x74,
-	0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c, 0x12, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x0f, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61,
-	0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x22, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x53,
-	0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64,
-	0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
+	0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x5a, 0x0a, 0x0f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78,
+	0x79, 0x50, 0x65, 0x65, 0x72, 0x12, 0x22, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x50, 0x65,
+	0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f,
+	0x78, 0x79, 0x50, 0x65, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4b,
+	0x0a, 0x0a, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43, 0x55, 0x52, 0x4c, 0x12, 0x1d, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44,
+	0x43, 0x55, 0x52, 0x4c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4f, 0x49, 0x44, 0x43,
+	0x55, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x0f, 0x56,
+	0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x22,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x56, 0x61, 0x6c, 0x69,
+	0x64, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

shared/management/proto/proxy_service.proto

@@ -39,6 +39,9 @@ message GetMappingUpdateRequest {
 // Mappings that are sent should be interpreted by the Proxy appropriately.
 message GetMappingUpdateResponse {
   repeated ProxyMapping mapping = 1;
+  // initial_sync_complete is set on the last message of the initial snapshot.
+  // The proxy uses this to signal that startup is complete.
+  bool initial_sync_complete = 2;
 }
 
 enum ProxyMappingUpdateType {