netbird / haproxy setup


warning

the trick is to speak HTTP/2 all the way to the gRPC backends: grpc_pass in nginx, and in haproxy proto h2 on the server line (gRPC does not survive an HTTP/1.1 hop). That works for mgmt; for signal it kept returning 503s, so signal goes through a tcp-mode frontend instead (see additional notes).

it seems to work without additional headers (only option forwardfor was enabled, and that was for kc)

not sure why there wasn't a check for mgmt in the answer (see resources)

setup

global
    ...
        # clear-text internally - no need for those
        #ca-base /etc/ssl/certs
        #crt-base /etc/ssl/private

defaults
        ...
        option forwardfor
        option http-server-close

# signal: plain tcp pass-through, reached by dnat (see additional notes)
frontend tcp
        mode tcp
        bind :10000
        default_backend netbird_signal_grpc

# clear-text bind: alpn is a tls extension and browsers ignore hsts received
# over plain http, so neither belongs here - just redirect
frontend http
        bind *:80

        acl host_netbird hdr(host) -i netbird.demo.nethence.com
        redirect scheme https code 301 if host_netbird

# enforcing http/2 - proto h2 speaks h2 to every client whatever it would have
# negotiated, so http/1.1-only clients cannot talk to this frontend; the
# commented bind negotiates per client via alpn instead
frontend https
        #bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
        bind *:443 ssl crt /etc/haproxy/certs/ proto h2
        http-response set-header Strict-Transport-Security "max-age=16000000;"

        acl host_netbird                hdr(host) -i netbird.demo.nethence.com
        acl netbird_mgmt_api            path_beg -i /api
        # grpc request paths look like /<package>.<Service>/<Method>, hence path_beg
        acl netbird_mgmt_grpc           path_beg -i /management

        # no /signalexchange rule here: signal never reaches :443 (it is dnat'd
        # to the tcp frontend above) and an http frontend cannot route to a
        # tcp-mode backend anyway
        use_backend netbird_mgmt_api            if netbird_mgmt_api host_netbird
        use_backend netbird_mgmt_grpc           if netbird_mgmt_grpc host_netbird
        use_backend netbird_dashboard           if host_netbird

# dnc-netbird
backend netbird_dashboard
        http-request set-header X-Forwarded-Proto https
        server netbird_dashboard 10.1.0.20:80 check

# REST api on the management port, plain http/1.1 to the backend is fine
backend netbird_mgmt_api
        http-request set-header X-Forwarded-Proto https
        server netbird_mgmt_api 10.1.0.20:33073 check

# management grpc: proto h2 so haproxy talks clear-text http/2 to the backend
backend netbird_mgmt_grpc
        http-request set-header X-Forwarded-Proto https
        server netbird_mgmt_grpc 10.1.0.20:33073 check proto h2

# signal: tcp pass-through, tls terminated by netbird itself
backend netbird_signal_grpc
        mode tcp
        server netbird_signal_grpc 10.1.0.20:10000 check

additional notes

not working: we get 503s no matter what. This is why we use dnat from the outside and haproxy tcp mode from the inside (the static name resolution already points to it).

# extra bind on the https frontend from the setup section, which also defines host_netbird
frontend https
        bind *:10000 ssl crt /etc/haproxy/certs/ proto h2

        acl netbird_signal_grpc         path_beg -i /signalexchange

        use_backend netbird_signal_grpc         if netbird_signal_grpc host_netbird

backend netbird_signal_grpc
        http-request set-header X-Forwarded-Proto https
        server netbird_signal_grpc 10.1.0.20:10000 check proto h2

unused – we use 443 instead for mgmt api

        bind *:33073 ssl crt /etc/haproxy/certs/ proto h2

resources

https://github.com/netbirdio/netbird/issues/749


Copyright © 2024 Pierre-Philipp Braun