Files
netbird/proxy/internal/tcp/bench_test.go
Maycon Santos 7aebdd69dd [management, client, proxy] add expose NetBird-only services over tunnel peers (#6226)
Adds a new "private" service mode for the reverse proxy: services reachable exclusively over the embedded WireGuard tunnel, gated by per-peer group membership instead of operator auth schemes.

Wire contract
- ProxyMapping.private (field 13): the proxy MUST call ValidateTunnelPeer and fail closed; operator schemes are bypassed.
- ProxyCapabilities.private (4) + supports_private_service (5): capability gate. Management never streams private mappings to proxies that don't claim the capability; the broadcast path applies the same filter via filterMappingsForProxy.
- ValidateTunnelPeer RPC: resolves an inbound tunnel IP to a peer, checks the peer's groups against service.AccessGroups, and mints a session JWT on success. checkPeerGroupAccess fails closed when a private service has empty AccessGroups.
- ValidateSession/ValidateTunnelPeer responses now carry peer_group_ids + peer_group_names so the proxy can authorise policy-aware middlewares without an extra management round-trip.
- ProxyInboundListener + SendStatusUpdate.inbound_listener: per-account inbound listener state surfaced to dashboards.
- PathTargetOptions.direct_upstream (11): bypass the embedded NetBird client and dial the target via the proxy host's network stack for upstreams reachable without WireGuard.

Data model
- Service.Private (bool) + Service.AccessGroups ([]string, JSON- serialised). Validate() rejects bearer auth on private services. Copy() deep-copies AccessGroups. pgx getServices loads the columns.
- DomainConfig.Private threaded into the proxy auth middleware. Request handler routes private services through forwardWithTunnelPeer and returns 403 on validation failure.
- Account-level SynthesizePrivateServiceZones (synthetic DNS) and injectPrivateServicePolicies (synthetic ACL) gate on len(svc.AccessGroups) > 0.

Proxy
- /netbird proxy --private (embedded mode) flag; Config.Private in proxy/lifecycle.go.
- Per-account inbound listener (proxy/inbound.go) binding HTTP/HTTPS on the embedded NetBird client's WireGuard tunnel netstack.
- proxy/internal/auth/tunnel_cache: ValidateTunnelPeer response cache with single-flight de-duplication and per-account eviction.
- Local peerstore short-circuit: when the inbound IP isn't in the account roster, deny fast without an RPC.
- proxy/server.go reports SupportsPrivateService=true and redacts the full ProxyMapping JSON from info logs (auth_token + header-auth hashed values now only at debug level).

Identity forwarding
- ValidateSessionJWT returns user_id, email, method, groups, group_names. sessionkey.Claims carries Email + Groups + GroupNames so the proxy can stamp identity onto upstream requests without an extra management round-trip on every cookie-bearing request.
- CapturedData carries userEmail / userGroups / userGroupNames; the proxy stamps X-NetBird-User and X-NetBird-Groups on r.Out from the authenticated identity (strips client-supplied values first to prevent spoofing).
- AccessLog.UserGroups: access-log enrichment captures the user's group memberships at write time so the dashboard can render group context without reverse-resolving stale memberships.

OpenAPI/dashboard surface
- ReverseProxyService gains private + access_groups; ReverseProxyCluster gains private + supports_private. ReverseProxyTarget target_type enum gains "cluster". ServiceTargetOptions gains direct_upstream. ProxyAccessLog gains user_groups.
2026-05-25 17:41:50 +02:00

134 lines
3.1 KiB
Go

package tcp
import (
"bytes"
"crypto/tls"
"io"
"net"
"testing"
)
// BenchmarkPeekClientHello_TLS measures the overhead of peeking at a real
// TLS ClientHello and extracting the SNI. This is the per-connection cost
// added to every TLS connection on the main listener.
func BenchmarkPeekClientHello_TLS(b *testing.B) {
// Pre-generate a ClientHello by capturing what crypto/tls sends.
clientConn, serverConn := net.Pipe()
go func() {
tlsConn := tls.Client(clientConn, &tls.Config{
ServerName: "app.example.com",
InsecureSkipVerify: true, //nolint:gosec
})
_ = tlsConn.Handshake()
}()
var hello []byte
buf := make([]byte, 16384)
n, _ := serverConn.Read(buf)
hello = make([]byte, n)
copy(hello, buf[:n])
clientConn.Close()
serverConn.Close()
b.ResetTimer()
b.ReportAllocs()
for b.Loop() {
r := bytes.NewReader(hello)
conn := &readerConn{Reader: r}
sni, wrapped, _, err := PeekClientHello(conn)
if err != nil {
b.Fatal(err)
}
if sni != "app.example.com" {
b.Fatalf("unexpected SNI: %q", sni)
}
// Simulate draining the peeked bytes (what the HTTP server would do).
_, _ = io.Copy(io.Discard, wrapped)
}
}
// BenchmarkPeekClientHello_NonTLS measures peek overhead for non-TLS
// connections that hit the fast non-handshake exit path.
func BenchmarkPeekClientHello_NonTLS(b *testing.B) {
httpReq := []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
b.ResetTimer()
b.ReportAllocs()
for b.Loop() {
r := bytes.NewReader(httpReq)
conn := &readerConn{Reader: r}
_, wrapped, _, err := PeekClientHello(conn)
if err != nil {
b.Fatal(err)
}
_, _ = io.Copy(io.Discard, wrapped)
}
}
// BenchmarkPeekedConn_Read measures the read overhead of the peekedConn
// wrapper compared to a plain connection read. The peeked bytes use
// io.MultiReader which adds one indirection per Read call.
func BenchmarkPeekedConn_Read(b *testing.B) {
data := make([]byte, 4096)
peeked := make([]byte, 512)
buf := make([]byte, 1024)
b.ResetTimer()
b.ReportAllocs()
for b.Loop() {
r := bytes.NewReader(data)
conn := &readerConn{Reader: r}
pc := newPeekedConn(conn, peeked)
for {
_, err := pc.Read(buf)
if err != nil {
break
}
}
}
}
// BenchmarkExtractSNI measures just the in-memory SNI parsing cost,
// excluding I/O.
func BenchmarkExtractSNI(b *testing.B) {
clientConn, serverConn := net.Pipe()
go func() {
tlsConn := tls.Client(clientConn, &tls.Config{
ServerName: "app.example.com",
InsecureSkipVerify: true, //nolint:gosec
})
_ = tlsConn.Handshake()
}()
buf := make([]byte, 16384)
n, _ := serverConn.Read(buf)
payload := make([]byte, n-tlsRecordHeaderLen)
copy(payload, buf[tlsRecordHeaderLen:n])
clientConn.Close()
serverConn.Close()
b.ResetTimer()
b.ReportAllocs()
for b.Loop() {
sni := extractSNI(payload)
if sni != "app.example.com" {
b.Fatalf("unexpected SNI: %q", sni)
}
}
}
// readerConn wraps an io.Reader as a net.Conn for benchmarking.
// Only Read is functional; all other methods are no-ops.
type readerConn struct {
io.Reader
net.Conn
}
func (c *readerConn) Read(b []byte) (int, error) {
return c.Reader.Read(b)
}