netbird | pfsync | haproxy | nginx | client
the trick is to use proto h2 for GRPC (mgmt and signal)
seems to work without additional headers (just forwardfor was enabled for kc)
not sure why there wasn’t a check for mgmt from the answer
defaults
    ...
    option forwardfor
    option http-server-close

# signal gRPC passed through untouched in TCP mode
frontend tcp
    mode tcp
    bind :10000
    default_backend netbird_signal_grpc

frontend http
    bind *:80 alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    acl host_netbird hdr(host) -i netbird.nethence.com
    redirect scheme https code 301 if host_netbird

# enforcing http/2
frontend https
    #bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind *:443 ssl crt /etc/haproxy/certs/ proto h2
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    acl host_netbird hdr(host) -i netbird.nethence.com
    acl netbird_mgmt_api path_beg -i /api
    acl netbird_mgmt_grpc path_beg -i /management
    acl netbird_signal_grpc path_beg -i /signalexchange
    # first matching rule wins; the dashboard is the catch-all for this host
    use_backend netbird_signal_grpc if netbird_signal_grpc host_netbird
    use_backend netbird_mgmt_api if netbird_mgmt_api host_netbird
    use_backend netbird_mgmt_grpc if netbird_mgmt_grpc host_netbird
    use_backend netbird_dashboard if host_netbird

# dnc-netbird
backend netbird_dashboard
    http-request set-header X-Forwarded-Proto https
    server netbird_dashboard 10.1.0.20:80 check

backend netbird_mgmt_api
    http-request set-header X-Forwarded-Proto https
    server netbird_mgmt_api 10.1.0.20:33073 check

backend netbird_mgmt_grpc
    http-request set-header X-Forwarded-Proto https
    # gRPC needs HTTP/2 towards the server as well
    server netbird_mgmt_grpc 10.1.0.20:33073 check proto h2

backend netbird_signal_grpc
    mode tcp
    server netbird_signal_grpc 10.1.0.20:10000
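
An added example (not part of the original notes, nor netbird or haproxy code): a small Python check that every backend reached through a gRPC path ACL has `proto h2` on its server line, and that the frontend bind offers h2. The sample config is constructed from the directives above and the function names are hypothetical.

```python
GRPC_PATHS = {"/management", "/signalexchange"}  # gRPC path prefixes used on this page
# Constructed sample: the gRPC server line is missing "proto h2" on purpose.
SAMPLE = """
frontend https
    bind *:443 ssl crt /etc/haproxy/certs/ proto h2
    acl netbird_mgmt_api path_beg -i /api
    acl netbird_mgmt_grpc path_beg -i /management
    use_backend netbird_mgmt_api if netbird_mgmt_api
    use_backend netbird_mgmt_grpc if netbird_mgmt_grpc
backend netbird_mgmt_api
    server netbird_mgmt_api 10.1.0.20:33073 check
backend netbird_mgmt_grpc
    server netbird_mgmt_grpc 10.1.0.20:33073 check
"""

def parse_sections(text):
    """Naive split of an HAProxy config into {(kind, name): [tokenised lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] in ("frontend", "backend", "listen", "defaults", "global"):
            current = (words[0], words[1] if len(words) > 1 else "")
            sections[current] = []
        elif words and current:
            sections[current].append(words)
    return sections

def offers_h2(words):
    """True if a bind/server line has 'proto h2' or an ALPN list containing h2."""
    return any((k == "proto" and v == "h2") or (k == "alpn" and "h2" in v.split(","))
               for k, v in zip(words, words[1:]))

def lint_grpc(text):
    """Report gRPC routes that lose HTTP/2 on the client or the server side."""
    sections, findings = parse_sections(text), []
    for (kind, name), lines in sections.items():
        if kind != "frontend":
            continue
        acls = {w[1] for w in lines if w[0] == "acl" and "path_beg" in w and GRPC_PATHS & set(w)}
        routed = {w[1] for w in lines if w[0] == "use_backend" and acls & set(w[3:])}
        if routed and not any(offers_h2(w) for w in lines if w[0] == "bind"):
            findings.append(f"frontend {name}: no bind offers h2")
        for be in sorted(routed):
            for w in sections.get(("backend", be), []):
                if w[0] == "server" and not offers_h2(w):
                    findings.append(f"backend {be}: server {w[1]} lacks 'proto h2'")
    return findings

print("\n".join(lint_grpc(SAMPLE)) or "ok")
```
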
not working – we get 503s no matter what – this is why we use dnat from the outside and haproxy tcp mode from the inside (because of static name resolution pointing to it already)
frontend https
    bind *:10000 ssl crt /etc/haproxy/certs/ proto h2
    acl netbird_signal_grpc path_beg -i /signalexchange
    use_backend netbird_signal_grpc if netbird_signal_grpc host_netbird

backend netbird_signal_grpc
    http-request set-header X-Forwarded-Proto https
    server netbird_signal_grpc 10.1.0.20:10000 check proto h2
unused – we use 443 instead for mgmt api
    bind *:33073 ssl crt /etc/haproxy/certs/ proto h2
https://github.com/netbirdio/netbird/issues/749
https://github.com/netbirdio/netbird/issues/536