sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 00:06:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
07e59b2708d8d1f94aedbb012f6ab4232a39e6f5
netbird/shared/management/proto/proxy_service.proto
Viktor Liu 07e59b2708 Add reverse proxy header security and forwarding 
- Rewrite Host header to backend target (configurable via pass_host_header per mapping)
- Strip and set X-Forwarded-For/X-Real-IP from direct connection (trust boundary)
- Set X-Forwarded-Host and X-Forwarded-Proto headers
- Strip nb_session cookie and session_token query param before forwarding
- Add --forwarded-proto flag (auto/http/https) for proto detection
- Fix OIDC redirect hardcoded https scheme
- Add pass_host_header to proto, API, and management model
2026-02-08 15:00:35 +08:00

163 lines
4.0 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package management;
option go_package = "/proto";
import "google/protobuf/timestamp.proto";
// ProxyService - Management is the SERVER, Proxy is the CLIENT
// Proxy initiates connection to management
service ProxyService {
rpc GetMappingUpdate(GetMappingUpdateRequest) returns (stream GetMappingUpdateResponse);
rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);
rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
rpc SendStatusUpdate(SendStatusUpdateRequest) returns (SendStatusUpdateResponse);
rpc CreateProxyPeer(CreateProxyPeerRequest) returns (CreateProxyPeerResponse);
rpc GetOIDCURL(GetOIDCURLRequest) returns (GetOIDCURLResponse);
}
// GetMappingUpdateRequest is sent to initialise a mapping stream.
message GetMappingUpdateRequest {
string proxy_id = 1;
string version = 2;
google.protobuf.Timestamp started_at = 3;
string address = 4;
}
// GetMappingUpdateResponse contains zero or more ProxyMappings.
// No mappings may be sent to test the liveness of the Proxy.
// Mappings that are sent should be interpreted by the Proxy appropriately.
message GetMappingUpdateResponse {
repeated ProxyMapping mapping = 1;
}
enum ProxyMappingUpdateType {
UPDATE_TYPE_CREATED = 0;
UPDATE_TYPE_MODIFIED = 1;
UPDATE_TYPE_REMOVED = 2;
}
message PathMapping {
string path = 1;
string target = 2;
}
message Authentication {
string session_key = 1;
int64 max_session_age_seconds = 2;
bool password = 3;
bool pin = 4;
bool oidc = 5;
}
message ProxyMapping {
ProxyMappingUpdateType type = 1;
string id = 2;
string account_id = 3;
string domain = 4;
repeated PathMapping path = 5;
string auth_token = 6;
Authentication auth = 7;
// When true, the original Host header from the client request is passed
// through to the backend instead of being rewritten to the backend's address.
bool pass_host_header = 8;
}
// SendAccessLogRequest consists of one or more AccessLogs from a Proxy.
message SendAccessLogRequest {
AccessLog log = 1;
}
// SendAccessLogResponse is intentionally empty to allow for future expansion.
message SendAccessLogResponse {}
message AccessLog {
google.protobuf.Timestamp timestamp = 1;
string log_id = 2;
string account_id = 3;
string service_id = 4;
string host = 5;
string path = 6;
int64 duration_ms = 7;
string method = 8;
int32 response_code = 9;
string source_ip = 10;
string auth_mechanism = 11;
string user_id = 12;
bool auth_success = 13;
}
message AuthenticateRequest {
string id = 1;
string account_id = 2;
oneof request {
PasswordRequest password = 3;
PinRequest pin = 4;
}
}
message PasswordRequest {
string password = 1;
}
message PinRequest {
string pin = 1;
}
message AuthenticateResponse {
bool success = 1;
string session_token = 2;
}
enum ProxyStatus {
PROXY_STATUS_PENDING = 0;
PROXY_STATUS_ACTIVE = 1;
PROXY_STATUS_TUNNEL_NOT_CREATED = 2;
PROXY_STATUS_CERTIFICATE_PENDING = 3;
PROXY_STATUS_CERTIFICATE_FAILED = 4;
PROXY_STATUS_ERROR = 5;
}
// SendStatusUpdateRequest is sent by the proxy to update its status
message SendStatusUpdateRequest {
string reverse_proxy_id = 1;
string account_id = 2;
ProxyStatus status = 3;
bool certificate_issued = 4;
optional string error_message = 5;
}
// SendStatusUpdateResponse is intentionally empty to allow for future expansion
message SendStatusUpdateResponse {}
// CreateProxyPeerRequest is sent by the proxy to create a peer connection
// The token is a one-time authentication token sent via ProxyMapping
message CreateProxyPeerRequest {
string reverse_proxy_id = 1;
string account_id = 2;
string token = 3;
string wireguard_public_key = 4;
}
// CreateProxyPeerResponse contains the result of peer creation
message CreateProxyPeerResponse {
bool success = 1;
optional string error_message = 2;
}
message GetOIDCURLRequest {
string id = 1;
string account_id = 2;
string redirect_url = 3;
}
message GetOIDCURLResponse {
string url = 1;
}
Reference in New Issue View Git Blame Copy Permalink