Documentation ¶
Index ¶
- func IsTrustedProxy(ipStr string, trusted []netip.Prefix) bool
- func ResolveClientIP(remoteAddr, xff string, trusted []netip.Prefix) netip.Addr
- func WithCapturedData(ctx context.Context, data *CapturedData) context.Context
- type CapturedData
- func (c *CapturedData) GetAccountID() types.AccountID
- func (c *CapturedData) GetAuthMethod() string
- func (c *CapturedData) GetClientIP() netip.Addr
- func (c *CapturedData) GetMetadata() map[string]string
- func (c *CapturedData) GetOrigin() ResponseOrigin
- func (c *CapturedData) GetRequestID() string
- func (c *CapturedData) GetServiceID() types.ServiceID
- func (c *CapturedData) GetUserEmail() string
- func (c *CapturedData) GetUserGroupNames() []string
- func (c *CapturedData) GetUserGroups() []string
- func (c *CapturedData) GetUserID() string
- func (c *CapturedData) SetAccountID(accountID types.AccountID)
- func (c *CapturedData) SetAuthMethod(method string)
- func (c *CapturedData) SetClientIP(ip netip.Addr)
- func (c *CapturedData) SetMetadata(key, value string)
- func (c *CapturedData) SetOrigin(origin ResponseOrigin)
- func (c *CapturedData) SetServiceID(serviceID types.ServiceID)
- func (c *CapturedData) SetUserEmail(email string)
- func (c *CapturedData) SetUserGroupNames(names []string)
- func (c *CapturedData) SetUserGroups(groups []string)
- func (c *CapturedData) SetUserID(userID string)
- type Mapping
- type PathRewriteMode
- type PathTarget
- type ResponseOrigin
- type ReverseProxy
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IsTrustedProxy ¶
func IsTrustedProxy(ipStr string, trusted []netip.Prefix) bool
IsTrustedProxy reports whether the given IP string falls within any of the trusted prefixes.
func ResolveClientIP ¶
func ResolveClientIP(remoteAddr, xff string, trusted []netip.Prefix) netip.Addr
ResolveClientIP extracts the real client IP from X-Forwarded-For using the trusted proxy list. It walks the XFF chain right-to-left, skipping IPs that match trusted prefixes; the first untrusted IP is the real client.
If the trusted list is empty or remoteAddr is not trusted, it returns the remoteAddr IP directly and ignores any forwarding headers, so a peer that is not a trusted proxy cannot choose its own client address by sending X-Forwarded-For itself.
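The walk described for IsTrustedProxy and ResolveClientIP, as an added example that is not the package's own code: a stand-alone implementation of the right-to-left scan with its own unexported names (inPrefixes, isTrustedProxy, peerAddr, resolveClientIP), a trusted list of 10.0.0.0/8 and 127.0.0.0/8 constructed for the demonstration, and two choices the documentation leaves open (fall back to the peer address when a hop is unparsable or every hop is trusted; unmap IPv4-mapped IPv6 addresses before matching) made explicitly and marked as assumptions in the comments.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// inPrefixes reports whether ip lies inside any of the given prefixes.
func inPrefixes(ip netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// isTrustedProxy is the string form: unparsable input is never trusted, and
// IPv4-mapped IPv6 is unmapped so ::ffff:10.0.0.1 matches 10.0.0.0/8 (this
// example's choice, not documented package behaviour).
func isTrustedProxy(ipStr string, trusted []netip.Prefix) bool {
	ip, err := netip.ParseAddr(strings.TrimSpace(ipStr))
	if err != nil {
		return false
	}
	return inPrefixes(ip.Unmap(), trusted)
}

// peerAddr extracts the IP from a RemoteAddr such as "10.0.0.2:41234" or "[::1]:443".
func peerAddr(remoteAddr string) (netip.Addr, error) {
	host := remoteAddr
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		host = h
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad remote address %q: %w", remoteAddr, err)
	}
	return ip.Unmap(), nil
}

// resolveClientIP walks X-Forwarded-For right to left, skipping hops inside a
// trusted prefix, and returns the first untrusted hop. The header is consulted
// only when the peer that delivered it is itself trusted; otherwise whatever a
// client wrote into it is ignored. Returning the peer address when the chain is
// malformed or every hop is trusted is this example's assumption.
func resolveClientIP(remoteAddr, xff string, trusted []netip.Prefix) (netip.Addr, error) {
	peer, err := peerAddr(remoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	if len(trusted) == 0 || !inPrefixes(peer, trusted) || strings.TrimSpace(xff) == "" {
		return peer, nil
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			// A hop we cannot parse ends the walk: nothing left of it is attributable.
			return peer, nil
		}
		ip = ip.Unmap()
		if !inPrefixes(ip, trusted) {
			return ip, nil
		}
	}
	return peer, nil
}

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

func main() {
	trusted := mustPrefixes("10.0.0.0/8", "127.0.0.0/8") // constructed trusted list
	cases := []struct{ remote, xff string }{
		{"203.0.113.5:40001", "198.51.100.1"},                     // untrusted peer: header ignored
		{"10.0.0.2:40002", "198.51.100.1, 10.0.0.3"},              // trusted chain: client is 198.51.100.1
		{"10.0.0.2:40003", "203.0.113.7, 198.51.100.1, 10.0.0.3"}, // hop the client prepended is ignored
		{"10.0.0.2:40004", "not-an-ip, 10.0.0.3"},                 // malformed chain: peer address
	}
	for _, c := range cases {
		ip, err := resolveClientIP(c.remote, c.xff, trusted)
		fmt.Printf("remote=%s xff=%q -> %v (err=%v)\n", c.remote, c.xff, ip, err)
	}
}
```

The third case is the one that matters operationally: the leftmost entry is whatever the client chose to send, and it is only ever returned if the proxy directly in front of the client is not in the trusted list, which is exactly the misconfiguration to avoid when a rate limiter or audit log keys on the resolved address.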
func WithCapturedData ¶
func WithCapturedData(ctx context.Context, data *CapturedData) context.Context
WithCapturedData adds a CapturedData struct to the context.
Types ¶
type CapturedData ¶
type CapturedData struct {
// contains filtered or unexported fields
}
CapturedData is a mutable struct that allows downstream handlers to pass data back up the middleware chain.
func CapturedDataFromContext ¶
func CapturedDataFromContext(ctx context.Context) *CapturedData
CapturedDataFromContext retrieves the CapturedData from context.
func NewCapturedData ¶ added in v0.67.0
func NewCapturedData(requestID string) *CapturedData
NewCapturedData creates a CapturedData with the given request ID.
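The data flow this type exists for (an outer middleware creates the record, inner handlers fill it in through the context, the outer middleware reads it back once the chain returns), as an added example that is not the package's code: a minimal re-creation of the pattern with its own unexported capturedData, withCapturedData and capturedDataFromContext, an access-log middleware, and a constructed bearer-token check standing in for real session validation. The field set, the token table and the request IDs are all invented for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// capturedData stands in for the package's CapturedData. A context value is
// immutable, so what goes into the context is a pointer; handlers deeper in the
// chain write through it and the middleware that created it reads the result
// after next.ServeHTTP returns. The mutex keeps that safe if a handler hands the
// request to another goroutine.
type capturedData struct {
	mu                            sync.Mutex
	requestID, userID, authMethod string
}

func (c *capturedData) SetUserID(id string)    { c.mu.Lock(); defer c.mu.Unlock(); c.userID = id }
func (c *capturedData) GetUserID() string      { c.mu.Lock(); defer c.mu.Unlock(); return c.userID }
func (c *capturedData) SetAuthMethod(m string) { c.mu.Lock(); defer c.mu.Unlock(); c.authMethod = m }
func (c *capturedData) GetAuthMethod() string  { c.mu.Lock(); defer c.mu.Unlock(); return c.authMethod }

// ctxKey is unexported so no other package can read or replace the value.
type ctxKey struct{}

func withCapturedData(ctx context.Context, d *capturedData) context.Context {
	return context.WithValue(ctx, ctxKey{}, d)
}

// capturedDataFromContext returns nil when no outer middleware installed the
// record; callers must check rather than assume it exists.
func capturedDataFromContext(ctx context.Context) *capturedData {
	d, _ := ctx.Value(ctxKey{}).(*capturedData)
	return d
}

type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (s *statusRecorder) WriteHeader(code int) { s.status = code; s.ResponseWriter.WriteHeader(code) }

type logEntry struct {
	RequestID, UserID, AuthMethod string
	Status                        int
}

// accessLog is the outermost middleware: it creates the record, runs the chain,
// then reads back whatever inner handlers stamped on it.
func accessLog(next http.Handler, sink func(logEntry)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		d := &capturedData{requestID: r.Header.Get("X-Request-ID")}
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, r.WithContext(withCapturedData(r.Context(), d)))
		sink(logEntry{RequestID: d.requestID, UserID: d.GetUserID(), AuthMethod: d.GetAuthMethod(), Status: rec.status})
	})
}

// tokens is a constructed stand-in for real session validation.
var tokens = map[string]string{"tok-alice": "alice"}

// bearerAuth stamps the identity onto the record before calling next. On a
// reject nothing is stamped, but the outer log still sees the request ID and 401.
func bearerAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if d := capturedDataFromContext(r.Context()); d != nil {
			d.SetUserID(user)
			d.SetAuthMethod("bearer")
		}
		next.ServeHTTP(w, r)
	})
}

// run sends one request through accessLog -> bearerAuth -> backend, in process,
// and returns the entry the log middleware emitted.
func run(requestID, authz string) logEntry {
	var got logEntry
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	chain := accessLog(bearerAuth(backend), func(e logEntry) { got = e })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("X-Request-ID", requestID)
	req.Header.Set("Authorization", authz)
	chain.ServeHTTP(httptest.NewRecorder(), req)
	return got
}

func main() {
	fmt.Printf("%+v\n", run("req-1", "Bearer tok-alice"))
	fmt.Printf("%+v\n", run("req-2", "Bearer bogus"))
}
```

The ordering is the point: the log middleware must sit outside the auth middleware, because it can only read fields that were written before next.ServeHTTP returned to it. A handler that calls capturedDataFromContext without the outer middleware in place gets nil, which is why the getter is written to tolerate that rather than panic.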
func (*CapturedData) GetAccountID ¶ added in v0.67.0
func (c *CapturedData) GetAccountID() types.AccountID
GetAccountID returns the account ID.
func (*CapturedData) GetAuthMethod ¶
func (c *CapturedData) GetAuthMethod() string
GetAuthMethod returns the authentication method used.
func (*CapturedData) GetClientIP ¶
func (c *CapturedData) GetClientIP() netip.Addr
GetClientIP returns the resolved client IP.
func (*CapturedData) GetMetadata ¶ added in v0.69.0
func (c *CapturedData) GetMetadata() map[string]string
GetMetadata returns a copy of the metadata map.
func (*CapturedData) GetOrigin ¶
func (c *CapturedData) GetOrigin() ResponseOrigin
GetOrigin returns the response origin.
func (*CapturedData) GetRequestID ¶
func (c *CapturedData) GetRequestID() string
GetRequestID returns the request ID.
func (*CapturedData) GetServiceID ¶ added in v0.67.0
func (c *CapturedData) GetServiceID() types.ServiceID
GetServiceID returns the service ID.
func (*CapturedData) GetUserEmail ¶ added in v0.72.0
func (c *CapturedData) GetUserEmail() string
GetUserEmail returns the authenticated user's email address. Returns the empty string when the auth path didn't carry an email (e.g. non-OIDC schemes or legacy JWTs minted before the email claim).
func (*CapturedData) GetUserGroupNames ¶ added in v0.72.0
func (c *CapturedData) GetUserGroupNames() []string
GetUserGroupNames returns a copy of the authenticated user's group display names. Position i pairs with UserGroups[i]. May be shorter than UserGroups for tokens minted before names were resolvable; the consumer should fall back to ids for missing positions.
func (*CapturedData) GetUserGroups ¶ added in v0.72.0
func (c *CapturedData) GetUserGroups() []string
GetUserGroups returns a copy of the authenticated user's group memberships.
func (*CapturedData) GetUserID ¶
func (c *CapturedData) GetUserID() string
GetUserID returns the authenticated user ID.
func (*CapturedData) SetAccountID ¶ added in v0.67.0
func (c *CapturedData) SetAccountID(accountID types.AccountID)
SetAccountID sets the account ID.
func (*CapturedData) SetAuthMethod ¶
func (c *CapturedData) SetAuthMethod(method string)
SetAuthMethod sets the authentication method used.
func (*CapturedData) SetClientIP ¶
func (c *CapturedData) SetClientIP(ip netip.Addr)
SetClientIP sets the resolved client IP.
func (*CapturedData) SetMetadata ¶ added in v0.69.0
func (c *CapturedData) SetMetadata(key, value string)
SetMetadata sets a key-value pair in the metadata map.
func (*CapturedData) SetOrigin ¶
func (c *CapturedData) SetOrigin(origin ResponseOrigin)
SetOrigin sets the response origin.
func (*CapturedData) SetServiceID ¶ added in v0.67.0
func (c *CapturedData) SetServiceID(serviceID types.ServiceID)
SetServiceID sets the service ID.
func (*CapturedData) SetUserEmail ¶ added in v0.72.0
func (c *CapturedData) SetUserEmail(email string)
SetUserEmail records the authenticated user's email address. Used by policy-aware middlewares to stamp identity onto upstream requests (e.g. x-litellm-end-user-id) without a management round-trip.
func (*CapturedData) SetUserGroupNames ¶ added in v0.72.0
func (c *CapturedData) SetUserGroupNames(names []string)
SetUserGroupNames records the human-readable display names for the user's groups, ordered identically to UserGroups (positional pairing). Stamped onto upstream requests as X-NetBird-Groups so downstream services can read names rather than opaque ids.
func (*CapturedData) SetUserGroups ¶ added in v0.72.0
func (c *CapturedData) SetUserGroups(groups []string)
SetUserGroups records the authenticated user's group memberships so downstream policy-aware middlewares can authorise the request without an additional management round-trip. The auth middleware populates this from ValidateSessionResponse / ValidateTunnelPeerResponse and from the session JWT's groups claim on cookie-bearing requests.
func (*CapturedData) SetUserID ¶
func (c *CapturedData) SetUserID(userID string)
SetUserID sets the authenticated user ID.
type Mapping ¶
type Mapping struct {
ID types.ServiceID
AccountID types.AccountID
Host string
Paths map[string]*PathTarget
PassHostHeader bool
RewriteRedirects bool
// StripAuthHeaders are header names used for header-based auth.
// These headers are stripped from requests before forwarding.
StripAuthHeaders []string
// contains filtered or unexported fields
}
Mapping describes how a domain is routed by the HTTP reverse proxy.
type PathRewriteMode ¶ added in v0.66.3
type PathRewriteMode int
PathRewriteMode controls how the request path is rewritten before forwarding.
const (
	// PathRewriteDefault strips the matched prefix and joins with the target path.
	PathRewriteDefault PathRewriteMode = iota
	// PathRewritePreserve keeps the full original request path as-is.
	PathRewritePreserve
)
type PathTarget ¶ added in v0.66.3
type PathTarget struct {
URL *url.URL
SkipTLSVerify bool
RequestTimeout time.Duration
PathRewrite PathRewriteMode
CustomHeaders map[string]string
// DirectUpstream selects the stdlib HTTP transport (host network stack)
// over the embedded NetBird WireGuard client when forwarding requests
// to this target. Default false → embedded client (existing behaviour).
DirectUpstream bool
}
PathTarget holds a backend URL and per-target behavioral options.
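How the Mapping, PathTarget and PathRewriteMode fields drive forwarding, as an added example that is not the package's implementation: a small proxy built on httputil.ReverseProxy (Go 1.20 or later, for the Rewrite hook) with trimmed-down mapping and pathTarget types, longest-prefix path selection, both rewrite modes, StripAuthHeaders removal, and an httptest backend that reports what actually arrived. The longest-prefix rule, the segment-boundary matching, the host name app.example and the backend base path /v1 are this example's assumptions; the other PathTarget options (SkipTLSVerify, RequestTimeout, CustomHeaders, DirectUpstream) are left out.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

type rewriteMode int

const (
	rewriteDefault  rewriteMode = iota // strip the matched prefix, join with the target path
	rewritePreserve                    // forward the original request path untouched
)

type pathTarget struct {
	URL         *url.URL
	PathRewrite rewriteMode
}

type mapping struct {
	Host             string
	Paths            map[string]*pathTarget
	StripAuthHeaders []string
}

// matchPath returns the longest registered prefix matching reqPath on a segment
// boundary ("/api" matches "/api/users", not "/apix"), or nil. Longest-prefix
// selection is this example's assumption, not documented package behaviour.
func matchPath(m mapping, reqPath string) (string, *pathTarget) {
	best := ""
	for p := range m.Paths {
		if (reqPath == p || strings.HasPrefix(reqPath, strings.TrimSuffix(p, "/")+"/")) && len(p) > len(best) {
			best = p
		}
	}
	return best, m.Paths[best]
}

// rewritePath: Preserve keeps the request path; Default drops the matched prefix
// and joins the remainder onto the target's own path.
func rewritePath(prefix, reqPath string, t *pathTarget) string {
	if t.PathRewrite == rewritePreserve {
		return reqPath
	}
	rest := strings.TrimPrefix(reqPath, strings.TrimSuffix(prefix, "/"))
	if out := strings.TrimSuffix(t.URL.Path, "/") + rest; out != "" {
		return out
	}
	return "/"
}

// newProxy wraps httputil.ReverseProxy. Rewrite (not Director) is used because it
// drops inbound X-Forwarded-* headers; SetXForwarded then writes only values this
// proxy vouches for, so a client cannot smuggle its own into the backend.
func newProxy(m mapping) http.Handler {
	rp := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		prefix, t := matchPath(m, pr.In.URL.Path) // non-nil: the handler below checked
		pr.SetURL(t.URL)
		pr.Out.URL.Path, pr.Out.URL.RawPath = rewritePath(prefix, pr.In.URL.Path, t), ""
		pr.SetXForwarded()
		for _, h := range m.StripAuthHeaders {
			pr.Out.Header.Del(h) // the proxy's own credential must not reach the backend
		}
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, t := matchPath(m, r.URL.Path); t == nil || !strings.EqualFold(r.Host, m.Host) {
			http.Error(w, "no route", http.StatusNotFound) // OriginNoRoute in the package's terms
			return
		}
		rp.ServeHTTP(w, r)
	})
}

// demo stands up a constructed backend and proxy, sends one request carrying a
// bearer token and a forged X-Forwarded-For, and reports what reached the backend.
func demo() (path, auth, xff string, status int, err error) {
	got := make(chan [3]string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got <- [3]string{r.URL.Path, r.Header.Get("Authorization"), r.Header.Get("X-Forwarded-For")}
		w.Write([]byte("ok"))
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL + "/v1")
	proxy := httptest.NewServer(newProxy(mapping{Host: "app.example", StripAuthHeaders: []string{"Authorization"},
		Paths: map[string]*pathTarget{"/api": {URL: target}}}))
	defer proxy.Close()
	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/api/users", nil)
	req.Host = "app.example" // the Host the mapping is keyed on
	req.Header.Set("Authorization", "Bearer secret")
	req.Header.Set("X-Forwarded-For", "203.0.113.9") // forged by the client
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", "", "", 0, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", "", "", resp.StatusCode, nil // nothing reached the backend
	}
	s := <-got
	return s[0], s[1], s[2], resp.StatusCode, nil
}

func main() {
	path, auth, xff, status, err := demo()
	fmt.Printf("backend saw path=%s auth=%q xff=%s status=%d err=%v\n", path, auth, xff, status, err)
}
```

Two things to check when reading the output: the Authorization header is gone (StripAuthHeaders) and X-Forwarded-For holds the loopback peer address rather than the forged 203.0.113.9, because the Rewrite hook discards the inbound X-Forwarded-* headers before SetXForwarded sets them. A Director-based proxy would instead have appended the peer to the forged value.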
type ResponseOrigin ¶
type ResponseOrigin int
ResponseOrigin indicates where a response was generated.
const (
	// OriginBackend means the response came from the backend service.
	OriginBackend ResponseOrigin = iota
	// OriginNoRoute means the proxy had no matching host or path.
	OriginNoRoute
	// OriginProxyError means the proxy failed to reach the backend.
	OriginProxyError
	// OriginAuth means the proxy intercepted the request for authentication.
	OriginAuth
)
func (ResponseOrigin) String ¶
func (o ResponseOrigin) String() string
type ReverseProxy ¶
type ReverseProxy struct {
// contains filtered or unexported fields
}
func NewReverseProxy ¶
func NewReverseProxy(transport http.RoundTripper, forwardedProto string, trustedProxies []netip.Prefix, logger *log.Logger) *ReverseProxy
NewReverseProxy configures a new NetBird ReverseProxy. It wraps an httputil.ReverseProxy that routes each request dynamically through an internal mapping from requested URLs to backend targets. The mappings can be modified with the AddMapping and RemoveMapping methods.
func (*ReverseProxy) AddMapping ¶
func (p *ReverseProxy) AddMapping(m Mapping)
AddMapping registers a host-to-backend mapping for the reverse proxy.
func (*ReverseProxy) RemoveMapping ¶
func (p *ReverseProxy) RemoveMapping(m Mapping) bool
RemoveMapping removes the mapping for the given host and reports whether it existed.
func (*ReverseProxy) ServeHTTP ¶
func (p *ReverseProxy) ServeHTTP(w http.ResponseWriter, r *http.Request)