Documentation ¶
Index ¶
- Constants
- Variables
- func AccountIDFromContext(ctx context.Context) types.AccountID
- func DirectUpstreamFromContext(ctx context.Context) bool
- func WithAccountID(ctx context.Context, accountID types.AccountID) context.Context
- func WithDirectUpstream(ctx context.Context) context.Context
- func WithSkipTLSVerify(ctx context.Context) context.Context
- type ClientConfig
- type ClientDebugInfo
- type MultiTransport
- type NetBird
- func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key ServiceKey, ...) error
- func (n *NetBird) ClientCount() int
- func (n *NetBird) GetClient(accountID types.AccountID) (*embed.Client, bool)
- func (n *NetBird) HasClient(accountID types.AccountID) bool
- func (n *NetBird) IdentityForIP(accountID types.AccountID, ip netip.Addr) (pubKey, fqdn string, ok bool)
- func (n *NetBird) ListClientsForDebug() map[types.AccountID]ClientDebugInfo
- func (n *NetBird) ListClientsForStartup() map[types.AccountID]*embed.Client
- func (n *NetBird) RemovePeer(ctx context.Context, accountID types.AccountID, key ServiceKey) error
- func (n *NetBird) RoundTrip(req *http.Request) (*http.Response, error)
- func (n *NetBird) ServiceCount(accountID types.AccountID) int
- func (n *NetBird) SetClientLifecycle(...)
- func (n *NetBird) StopAll(ctx context.Context) error
- type ServiceKey
Constants ¶
const (
	EnvMaxIdleConns          = "NB_PROXY_MAX_IDLE_CONNS"
	EnvMaxIdleConnsPerHost   = "NB_PROXY_MAX_IDLE_CONNS_PER_HOST"
	EnvMaxConnsPerHost       = "NB_PROXY_MAX_CONNS_PER_HOST"
	EnvIdleConnTimeout       = "NB_PROXY_IDLE_CONN_TIMEOUT"
	EnvTLSHandshakeTimeout   = "NB_PROXY_TLS_HANDSHAKE_TIMEOUT"
	EnvExpectContinueTimeout = "NB_PROXY_EXPECT_CONTINUE_TIMEOUT"
	EnvResponseHeaderTimeout = "NB_PROXY_RESPONSE_HEADER_TIMEOUT"
	EnvWriteBufferSize       = "NB_PROXY_WRITE_BUFFER_SIZE"
	EnvReadBufferSize        = "NB_PROXY_READ_BUFFER_SIZE"
	EnvDisableCompression    = "NB_PROXY_DISABLE_COMPRESSION"
	EnvMaxInflight           = "NB_PROXY_MAX_INFLIGHT"
)
Environment variable names for tuning the backend HTTP transport.
Variables ¶
var (
	// ErrNoAccountID is returned when a request context is missing the account ID.
	ErrNoAccountID = errors.New("no account ID in request context")
	// ErrNoPeerConnection is returned when no embedded client exists for the account.
	ErrNoPeerConnection = errors.New("no peer connection found")
	// ErrClientStartFailed is returned when the embedded client fails to start.
	ErrClientStartFailed = errors.New("client start failed")
	// ErrTooManyInflight is returned when the per-backend in-flight limit is reached.
	ErrTooManyInflight = errors.New("too many in-flight requests")
)
Functions ¶
func AccountIDFromContext ¶
AccountIDFromContext retrieves the account ID from the context.
func DirectUpstreamFromContext ¶ added in v0.72.0
DirectUpstreamFromContext reports whether the context has been marked to bypass the embedded NetBird client.
func WithAccountID ¶
WithAccountID adds the account ID to the context.
func WithDirectUpstream ¶ added in v0.72.0
WithDirectUpstream marks the context so MultiTransport routes the request through its stdlib transport instead of the embedded NetBird roundtripper.
Types ¶
type ClientConfig ¶ added in v0.66.0
type ClientConfig struct {
MgmtAddr string
WGPort uint16
Performance embed.Performance
// BlockInbound mirrors embed.Options.BlockInbound. Set to true on the
// standalone proxy where the embedded client never accepts inbound;
// set to false on the private/embedded proxy so the engine creates
// the ACL manager and applies management's per-policy firewall rules
// (which is what gates per-account inbound listeners on the netstack).
BlockInbound bool
}
ClientConfig holds configuration for the embedded NetBird client.
type ClientDebugInfo ¶
type ClientDebugInfo struct {
AccountID types.AccountID
ServiceCount int
ServiceKeys []string
HasClient bool
CreatedAt time.Time
}
ClientDebugInfo contains debug information about a client.
type MultiTransport ¶ added in v0.72.0
type MultiTransport struct {
// contains filtered or unexported fields
}
MultiTransport dispatches each request to either the embedded NetBird http.RoundTripper or a stdlib http.Transport based on a per-request context flag set by the reverse-proxy rewrite step. When the flag is absent (the default for every existing target), requests follow the embedded NetBird path — current behaviour, preserved.
The stdlib branch is used when a target was configured with direct_upstream=true. It dials via the host's network stack, which is what private (`netbird proxy`) deployments and centralised proxies fronting host-reachable upstreams (public APIs, LAN services, localhost sidecars) want.
An embedded roundtripper is required. To run direct-only (no WG branch at all), construct the MultiTransport via NewDirectOnly.
func NewDirectOnly ¶ added in v0.72.0
func NewDirectOnly(logger *log.Logger) *MultiTransport
NewDirectOnly returns a MultiTransport with no embedded branch. Every request goes through the direct branch regardless of the per-request flag, so the embedded path can never be reached silently — wiring code that needs WG must use NewMultiTransport.
func NewMultiTransport ¶ added in v0.72.0
func NewMultiTransport(embedded http.RoundTripper, logger *log.Logger) *MultiTransport
NewMultiTransport wires both branches. embedded is the existing NetBird roundtripper and must not be nil; callers that only ever need the direct branch should use NewDirectOnly instead. The direct branches honour the same NB_PROXY_* tuning env vars as the embedded transport (see loadTransportConfig) plus a dial-timeout wrapper that respects types.WithDialTimeout.
func (*MultiTransport) RoundTrip ¶ added in v0.72.0
RoundTrip dispatches by reading the direct-upstream flag from the request context. When set, the request is forwarded via the stdlib transport, honouring the existing per-request skip-TLS-verify flag. Otherwise it goes through the embedded NetBird roundtripper.
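The context helpers (WithAccountID, WithDirectUpstream and their readers) and the MultiTransport dispatch described above, as an added stand-alone example; this is not the netbird package's code. The string-based AccountID type, the two stub round-trippers, the error-returning NewMultiTransport and the branchFor helper are assumptions made for the illustration, and the logger parameters, skip-TLS-verify branch and NB_PROXY_* tuning are left out. The point it makes is the one a reviewer cares about: a request carrying no flag stays on the embedded path, only an explicit WithDirectUpstream opts into host-network dialing, a direct-only transport never reaches an embedded branch, and a request with no account ID fails instead of quietly falling back to the other branch.

```go
package main

// Added illustration (not the netbird package's code) of the context-flag
// dispatch documented above. The context helpers, MultiTransport and the
// stub round-trippers are stand-ins shaped like the documented API.

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// AccountID stands in for types.AccountID (assumed to be string-based).
type AccountID string

type ctxKey int

const (
	ctxKeyAccountID ctxKey = iota
	ctxKeyDirectUpstream
)

var ErrNoAccountID = errors.New("no account ID in request context")

// WithAccountID / AccountIDFromContext carry the account the request belongs to.
func WithAccountID(ctx context.Context, id AccountID) context.Context {
	return context.WithValue(ctx, ctxKeyAccountID, id)
}

func AccountIDFromContext(ctx context.Context) AccountID {
	id, _ := ctx.Value(ctxKeyAccountID).(AccountID)
	return id
}

// WithDirectUpstream / DirectUpstreamFromContext carry the opt-in bypass flag.
func WithDirectUpstream(ctx context.Context) context.Context {
	return context.WithValue(ctx, ctxKeyDirectUpstream, true)
}

func DirectUpstreamFromContext(ctx context.Context) bool {
	v, _ := ctx.Value(ctxKeyDirectUpstream).(bool)
	return v
}

// stubTransport is a constructed round-tripper that only reports which branch
// handled the request. The "embedded" stub refuses requests that carry no
// account ID, mirroring the documented ErrNoAccountID behaviour.
type stubTransport struct{ name string }

func (s stubTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if s.name == "embedded" && AccountIDFromContext(req.Context()) == "" {
		return nil, ErrNoAccountID
	}
	return &http.Response{StatusCode: http.StatusOK,
		Header: http.Header{"X-Branch": []string{s.name}}}, nil // no body: never read
}

// MultiTransport holds both branches; embedded is nil only for direct-only use.
type MultiTransport struct {
	embedded http.RoundTripper
	direct   http.RoundTripper
}

// NewMultiTransport refuses a nil embedded branch rather than silently
// degrading every request to host-network dialing (assumed error return).
func NewMultiTransport(embedded http.RoundTripper) (*MultiTransport, error) {
	if embedded == nil {
		return nil, errors.New("embedded round-tripper must not be nil; use NewDirectOnly")
	}
	return &MultiTransport{embedded: embedded, direct: stubTransport{"direct"}}, nil
}

// NewDirectOnly builds a transport with no embedded branch at all.
func NewDirectOnly() *MultiTransport {
	return &MultiTransport{direct: stubTransport{"direct"}}
}

// RoundTrip: flag absent -> embedded (the default); flag set, or a direct-only
// transport -> direct. An error on one branch never falls back to the other.
func (m *MultiTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if m.embedded == nil || DirectUpstreamFromContext(req.Context()) {
		return m.direct.RoundTrip(req)
	}
	return m.embedded.RoundTrip(req)
}

// branchFor sends one request under ctx and returns the branch that served it.
func branchFor(m *MultiTransport, ctx context.Context) (string, error) {
	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, "http://backend.internal/", nil)
	resp, err := m.RoundTrip(req)
	if err != nil {
		return "", err
	}
	return resp.Header.Get("X-Branch"), nil
}

func main() {
	mt, _ := NewMultiTransport(stubTransport{"embedded"})
	base := WithAccountID(context.Background(), "acct-1")
	fmt.Println(branchFor(mt, base))                    // embedded <nil>
	fmt.Println(branchFor(mt, WithDirectUpstream(base))) // direct <nil>
	fmt.Println(branchFor(NewDirectOnly(), base))        // direct <nil>
	fmt.Println(branchFor(mt, context.Background()))     // ErrNoAccountID, no fallback
}
```

The flag is a plain boolean value in the request context, so it can only be set by code that runs before RoundTrip (in the real package, the reverse-proxy rewrite step), never by anything in the inbound request itself; that is what keeps direct_upstream a per-target configuration decision rather than something a client could influence.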
type NetBird ¶
type NetBird struct {
// OnAddPeer, when set, is called after AddPeer completes for a new account
// (i.e. when a new client was actually created, not when an existing one
// was reused). The duration covers keygen + gRPC CreateProxyPeer + embed.New.
OnAddPeer func(d time.Duration, err error)
// contains filtered or unexported fields
}
NetBird provides an http.RoundTripper implementation backed by underlying NetBird connections. Clients are keyed by AccountID, allowing multiple services to share the same connection.
func NewNetBird ¶
func NewNetBird(ctx context.Context, proxyID, proxyAddr string, clientCfg ClientConfig, logger *log.Logger, notifier statusNotifier, mgmtClient managementClient) *NetBird
NewNetBird creates a new NetBird transport. Set clientCfg.WGPort to 0 for a random OS-assigned port. A fixed port only works with single-account deployments; multiple accounts will fail to bind the same port.
func (*NetBird) AddPeer ¶
func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, serviceID types.ServiceID) error
AddPeer registers a service for an account. If the account doesn't have a client yet, one is created by authenticating with the management server using the provided token. Multiple services can share the same client.
func (*NetBird) ClientCount ¶
ClientCount returns the total number of active clients.
func (*NetBird) IdentityForIP ¶ added in v0.72.0
func (n *NetBird) IdentityForIP(accountID types.AccountID, ip netip.Addr) (pubKey, fqdn string, ok bool)
IdentityForIP resolves a tunnel IP to a peer identity local to the given account. Delegates to clientEntry.IdentityForIP. Returns ok=false when the account has no client or the IP is not in its peerstore.
func (*NetBird) ListClientsForDebug ¶
func (n *NetBird) ListClientsForDebug() map[types.AccountID]ClientDebugInfo
ListClientsForDebug returns information about all clients for debug purposes.
func (*NetBird) ListClientsForStartup ¶
ListClientsForStartup returns all embed.Client instances for health checks.
func (*NetBird) RemovePeer ¶
RemovePeer unregisters a service from an account. The client is only stopped when no services are using it anymore.
func (*NetBird) RoundTrip ¶
RoundTrip implements http.RoundTripper. It looks up the client for the account specified in the request context and uses it to dial the backend.
func (*NetBird) ServiceCount ¶ added in v0.67.0
ServiceCount returns the number of services registered for the given account. Returns 0 if the account has no client.
func (*NetBird) SetClientLifecycle ¶ added in v0.72.0
func (n *NetBird) SetClientLifecycle(ready func(ctx context.Context, accountID types.AccountID, client *embed.Client) any, stop func(accountID types.AccountID, state any))
SetClientLifecycle registers callbacks that run when an embedded client becomes ready and when its entry is torn down. The opaque value returned by ready is stored on the entry and handed back to stop on cleanup. Must be called before AddPeer. A nil pair leaves the outbound-only behaviour intact.
type ServiceKey ¶ added in v0.67.0
type ServiceKey string
ServiceKey uniquely identifies a service (HTTP reverse proxy or L4 service) that holds a reference to an embedded NetBird client. Callers should use the DomainServiceKey and L4ServiceKey constructors to avoid namespace collisions.
func DomainServiceKey ¶ added in v0.67.0
func DomainServiceKey(domain string) ServiceKey
DomainServiceKey returns a ServiceKey for an HTTP/TLS domain-based service.
func L4ServiceKey ¶ added in v0.67.0
func L4ServiceKey(id types.ServiceID) ServiceKey
L4ServiceKey returns a ServiceKey for an L4 service (TCP/UDP).
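The reference-counted client sharing behind AddPeer, RemovePeer and ServiceCount, together with the namespaced DomainServiceKey and L4ServiceKey constructors, as an added stand-alone example; this is not the netbird package's code. The Registry type, the fakeClient stand-in for embed.Client, the "domain:" and "l4:" prefixes and the Stopped counter are assumptions made for the illustration, and the real AddPeer also takes a context and a ServiceID and authenticates with management using the token. It shows why the constructors exist: with bare strings, an HTTP domain "1" and an L4 service with ID 1 would map to the same key, so removing one would release the other's reference, and the client could be stopped while still in use.

```go
package main

// Added illustration (not the netbird package's code) of the reference-counted
// client sharing behind AddPeer/RemovePeer and the namespaced ServiceKey
// constructors. The registry, fake client and key prefixes are constructed
// stand-ins; the real AddPeer also takes a context and a ServiceID.

import (
	"errors"
	"fmt"
	"strconv"
	"sync"
)

type AccountID string
type ServiceID int64

// ServiceKey identifies a service that holds a reference to a client.
type ServiceKey string

// The prefixes (assumed here) keep an HTTP domain "1" and an L4 service with
// ID 1 apart; a bare string key would let one RemovePeer release the other.
func DomainServiceKey(domain string) ServiceKey { return ServiceKey("domain:" + domain) }
func L4ServiceKey(id ServiceID) ServiceKey      { return ServiceKey("l4:" + strconv.FormatInt(int64(id), 10)) }

var ErrNoPeerConnection = errors.New("no peer connection found")

// fakeClient stands in for *embed.Client.
type fakeClient struct{}

type clientEntry struct {
	client   *fakeClient
	services map[ServiceKey]struct{}
}

// Registry mirrors the NetBird type's bookkeeping: one client per account,
// shared by every service registered under it.
type Registry struct {
	mu      sync.Mutex
	clients map[AccountID]*clientEntry
	Stopped int // constructed counter: how many clients were torn down
}

func NewRegistry() *Registry { return &Registry{clients: map[AccountID]*clientEntry{}} }

// AddPeer records the service and creates the account's client on first use.
func (r *Registry) AddPeer(acct AccountID, key ServiceKey, authToken string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	e, ok := r.clients[acct]
	if !ok {
		// The real implementation authenticates with management using the
		// token at this point; the stand-in only insists that one was supplied.
		if authToken == "" {
			return errors.New("auth token required to create client")
		}
		e = &clientEntry{client: &fakeClient{}, services: map[ServiceKey]struct{}{}}
		r.clients[acct] = e
	}
	e.services[key] = struct{}{}
	return nil
}

// RemovePeer drops the service; the client stops only when the last one leaves.
func (r *Registry) RemovePeer(acct AccountID, key ServiceKey) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	e, ok := r.clients[acct]
	if !ok {
		return ErrNoPeerConnection
	}
	delete(e.services, key)
	if len(e.services) == 0 {
		// Last reference gone: stop the client and forget the entry.
		r.Stopped++
		delete(r.clients, acct)
	}
	return nil
}

// ServiceCount returns the number of services for the account, 0 if no client.
func (r *Registry) ServiceCount(acct AccountID) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	if e, ok := r.clients[acct]; ok {
		return len(e.services)
	}
	return 0
}

// ClientCount returns the number of live clients across all accounts.
func (r *Registry) ClientCount() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.clients)
}

func main() {
	r := NewRegistry()
	_ = r.AddPeer("acct-1", DomainServiceKey("1"), "tok")
	_ = r.AddPeer("acct-1", L4ServiceKey(1), "tok")
	fmt.Println(r.ServiceCount("acct-1"), r.ClientCount()) // 2 1: two keys, one client
	_ = r.RemovePeer("acct-1", DomainServiceKey("1"))
	fmt.Println(r.ServiceCount("acct-1"), r.ClientCount()) // 1 1: still referenced
	_ = r.RemovePeer("acct-1", L4ServiceKey(1))
	fmt.Println(r.ServiceCount("acct-1"), r.ClientCount()) // 0 0: last reference stopped it
}
```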