mirror of
https://github.com/netbirdio/netbird.git
synced 2026-05-21 08:09:55 +00:00
167ee08e14
Adds a new "private" service mode for the reverse proxy: services reachable exclusively over the embedded WireGuard tunnel, gated by per-peer group membership instead of operator auth schemes. Wire contract - ProxyMapping.private (field 13): the proxy MUST call ValidateTunnelPeer and fail closed; operator schemes are bypassed. - ProxyCapabilities.private (4) + supports_private_service (5): capability gate. Management never streams private mappings to proxies that don't claim the capability; the broadcast path applies the same filter via filterMappingsForProxy. - ValidateTunnelPeer RPC: resolves an inbound tunnel IP to a peer, checks the peer's groups against service.AccessGroups, and mints a session JWT on success. checkPeerGroupAccess fails closed when a private service has empty AccessGroups. - ValidateSession/ValidateTunnelPeer responses now carry peer_group_ids + peer_group_names so the proxy can authorise policy-aware middlewares without an extra management round-trip. - ProxyInboundListener + SendStatusUpdate.inbound_listener: per-account inbound listener state surfaced to dashboards. - PathTargetOptions.direct_upstream (11): bypass the embedded NetBird client and dial the target via the proxy host's network stack for upstreams reachable without WireGuard. Data model - Service.Private (bool) + Service.AccessGroups ([]string, JSON- serialised). Validate() rejects bearer auth on private services. Copy() deep-copies AccessGroups. pgx getServices loads the columns. - DomainConfig.Private threaded into the proxy auth middleware. Request handler routes private services through forwardWithTunnelPeer and returns 403 on validation failure. - Account-level SynthesizePrivateServiceZones (synthetic DNS) and injectPrivateServicePolicies (synthetic ACL) gate on len(svc.AccessGroups) > 0. Proxy - /netbird proxy --private (embedded mode) flag; Config.Private in proxy/lifecycle.go. - Per-account inbound listener (proxy/inbound.go) binding HTTP/HTTPS on the embedded NetBird client's WireGuard tunnel netstack. - proxy/internal/auth/tunnel_cache: ValidateTunnelPeer response cache with single-flight de-duplication and per-account eviction. - Local peerstore short-circuit: when the inbound IP isn't in the account roster, deny fast without an RPC. - proxy/server.go reports SupportsPrivateService=true and redacts the full ProxyMapping JSON from info logs (auth_token + header-auth hashed values now only at debug level). Identity forwarding - ValidateSessionJWT returns user_id, email, method, groups, group_names. sessionkey.Claims carries Email + Groups + GroupNames so the proxy can stamp identity onto upstream requests without an extra management round-trip on every cookie-bearing request. - CapturedData carries userEmail / userGroups / userGroupNames; the proxy stamps X-NetBird-User and X-NetBird-Groups on r.Out from the authenticated identity (strips client-supplied values first to prevent spoofing). - AccessLog.UserGroups: access-log enrichment captures the user's group memberships at write time so the dashboard can render group context without reverse-resolving stale memberships. OpenAPI/dashboard surface - ReverseProxyService gains private + access_groups; ReverseProxyCluster gains private + supports_private. ReverseProxyTarget target_type enum gains "cluster". ServiceTargetOptions gains direct_upstream. ProxyAccessLog gains user_groups.
134 lines
3.1 KiB
Go
134 lines
3.1 KiB
Go
package tcp
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/tls"
|
|
"io"
|
|
"net"
|
|
"testing"
|
|
)
|
|
|
|
// BenchmarkPeekClientHello_TLS measures the overhead of peeking at a real
|
|
// TLS ClientHello and extracting the SNI. This is the per-connection cost
|
|
// added to every TLS connection on the main listener.
|
|
func BenchmarkPeekClientHello_TLS(b *testing.B) {
|
|
// Pre-generate a ClientHello by capturing what crypto/tls sends.
|
|
clientConn, serverConn := net.Pipe()
|
|
go func() {
|
|
tlsConn := tls.Client(clientConn, &tls.Config{
|
|
ServerName: "app.example.com",
|
|
InsecureSkipVerify: true, //nolint:gosec
|
|
})
|
|
_ = tlsConn.Handshake()
|
|
}()
|
|
|
|
var hello []byte
|
|
buf := make([]byte, 16384)
|
|
n, _ := serverConn.Read(buf)
|
|
hello = make([]byte, n)
|
|
copy(hello, buf[:n])
|
|
clientConn.Close()
|
|
serverConn.Close()
|
|
|
|
b.ResetTimer()
|
|
b.ReportAllocs()
|
|
|
|
for b.Loop() {
|
|
r := bytes.NewReader(hello)
|
|
conn := &readerConn{Reader: r}
|
|
sni, wrapped, _, err := PeekClientHello(conn)
|
|
if err != nil {
|
|
b.Fatal(err)
|
|
}
|
|
if sni != "app.example.com" {
|
|
b.Fatalf("unexpected SNI: %q", sni)
|
|
}
|
|
// Simulate draining the peeked bytes (what the HTTP server would do).
|
|
_, _ = io.Copy(io.Discard, wrapped)
|
|
}
|
|
}
|
|
|
|
// BenchmarkPeekClientHello_NonTLS measures peek overhead for non-TLS
|
|
// connections that hit the fast non-handshake exit path.
|
|
func BenchmarkPeekClientHello_NonTLS(b *testing.B) {
|
|
httpReq := []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
|
|
|
|
b.ResetTimer()
|
|
b.ReportAllocs()
|
|
|
|
for b.Loop() {
|
|
r := bytes.NewReader(httpReq)
|
|
conn := &readerConn{Reader: r}
|
|
_, wrapped, _, err := PeekClientHello(conn)
|
|
if err != nil {
|
|
b.Fatal(err)
|
|
}
|
|
_, _ = io.Copy(io.Discard, wrapped)
|
|
}
|
|
}
|
|
|
|
// BenchmarkPeekedConn_Read measures the read overhead of the peekedConn
|
|
// wrapper compared to a plain connection read. The peeked bytes use
|
|
// io.MultiReader which adds one indirection per Read call.
|
|
func BenchmarkPeekedConn_Read(b *testing.B) {
|
|
data := make([]byte, 4096)
|
|
peeked := make([]byte, 512)
|
|
buf := make([]byte, 1024)
|
|
|
|
b.ResetTimer()
|
|
b.ReportAllocs()
|
|
|
|
for b.Loop() {
|
|
r := bytes.NewReader(data)
|
|
conn := &readerConn{Reader: r}
|
|
pc := newPeekedConn(conn, peeked)
|
|
for {
|
|
_, err := pc.Read(buf)
|
|
if err != nil {
|
|
break
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// BenchmarkExtractSNI measures just the in-memory SNI parsing cost,
|
|
// excluding I/O.
|
|
func BenchmarkExtractSNI(b *testing.B) {
|
|
clientConn, serverConn := net.Pipe()
|
|
go func() {
|
|
tlsConn := tls.Client(clientConn, &tls.Config{
|
|
ServerName: "app.example.com",
|
|
InsecureSkipVerify: true, //nolint:gosec
|
|
})
|
|
_ = tlsConn.Handshake()
|
|
}()
|
|
|
|
buf := make([]byte, 16384)
|
|
n, _ := serverConn.Read(buf)
|
|
payload := make([]byte, n-tlsRecordHeaderLen)
|
|
copy(payload, buf[tlsRecordHeaderLen:n])
|
|
clientConn.Close()
|
|
serverConn.Close()
|
|
|
|
b.ResetTimer()
|
|
b.ReportAllocs()
|
|
|
|
for b.Loop() {
|
|
sni := extractSNI(payload)
|
|
if sni != "app.example.com" {
|
|
b.Fatalf("unexpected SNI: %q", sni)
|
|
}
|
|
}
|
|
}
|
|
|
|
// readerConn wraps an io.Reader as a net.Conn for benchmarking.
|
|
// Only Read is functional; all other methods are no-ops.
|
|
type readerConn struct {
|
|
io.Reader
|
|
net.Conn
|
|
}
|
|
|
|
func (c *readerConn) Read(b []byte) (int, error) {
|
|
return c.Reader.Read(b)
|
|
}
|