netbird / haproxy setup


warning

the trick is to use proto h2 for gRPC (mgmt and signal)

seems to work without additional headers (just forwardfor was enabled for kc)

not sure why there wasn’t a check for mgmt from the answer

setup

defaults
    ...
    option forwardfor
    option http-server-close

frontend tcp
    mode tcp
    bind :10000
    default_backend netbird_signal_grpc

frontend http
    bind *:80 alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"

    acl host_netbird hdr(host) -i netbird.nethence.com
    redirect scheme https code 301 if host_netbird

# enforcing http/2
frontend https
    #bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind *:443 ssl crt /etc/haproxy/certs/ proto h2
    http-response set-header Strict-Transport-Security "max-age=16000000;"

    acl host_netbird        hdr(host) -i netbird.nethence.com
    acl netbird_mgmt_api        path_beg -i /api
    acl netbird_mgmt_grpc      path_beg -i /management
    acl netbird_signal_grpc  path_beg -i /signalexchange

    use_backend netbird_signal_grpc  if netbird_signal_grpc host_netbird
    use_backend netbird_mgmt_api        if netbird_mgmt_api host_netbird
    use_backend netbird_mgmt_grpc      if netbird_mgmt_grpc host_netbird
    use_backend netbird_dashboard      if host_netbird

# dnc-netbird
backend netbird_dashboard
    http-request set-header X-Forwarded-Proto https
    server netbird_dashboard 10.1.0.20:80 check

backend netbird_mgmt_api
    http-request set-header X-Forwarded-Proto https
    server netbird_mgmt_api 10.1.0.20:33073 check

backend netbird_mgmt_grpc
    http-request set-header X-Forwarded-Proto https
    server netbird_mgmt_grpc 10.1.0.20:33073 check proto h2

backend netbird_signal_grpc
    mode tcp
    server netbird_signal_grpc 10.1.0.20:10000
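
A lint for the proto h2 point above, as an added example that is not part of the original notes: it parses HAProxy configuration text and reports HTTP-mode backends reached through the gRPC path ACLs (/management, /signalexchange) whose server lines lack proto h2. The sample config, its backend names and the 192.0.2.10 address are constructed for illustration.

```python
GRPC_PREFIXES = ("/management", "/signalexchange")  # gRPC ACL prefixes from this page
# Constructed sample (hypothetical names, documentation IP); be_mgmt lacks 'proto h2'.
SAMPLE = """
frontend https
    acl mgmt_api    path_beg -i /api
    acl mgmt_grpc   path_beg -i /management
    acl signal_grpc path_beg -i /signalexchange
    use_backend be_signal if signal_grpc
    use_backend be_api    if mgmt_api
    use_backend be_mgmt   if mgmt_grpc
backend be_api
    server api 192.0.2.10:33073 check
backend be_mgmt
    server mgmt 192.0.2.10:33073 check  # no proto h2
backend be_signal
    mode tcp
    server signal 192.0.2.10:10000
"""

def parse_sections(cfg):
    """Map (kind, name) -> list of tokenized directive lines."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not words:
            continue
        if words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (words[0], words[1] if len(words) > 1 else "")
            sections[current] = []
        elif current:
            sections[current].append(words)
    return sections

def grpc_backends_without_h2(cfg):
    """HTTP-mode backends reached via a gRPC path ACL whose servers lack 'proto h2'."""
    sections = parse_sections(cfg)
    targets = set()
    for lines in (l for (kind, _), l in sections.items() if kind == "frontend"):
        # ACL names whose path_beg patterns include one of the gRPC prefixes
        acls = {w[1] for w in lines if w[0] == "acl" and "path_beg" in w
                and set(w) & set(GRPC_PREFIXES)}
        targets |= {w[1] for w in lines if w[0] == "use_backend"
                    and "if" in w and acls & set(w[w.index("if") + 1:])}
    def lacks_h2(name):
        lines = sections.get(("backend", name), [])
        # mode tcp is passthrough: HAProxy never parses HTTP/2 there
        return ["mode", "tcp"] not in lines and any(
            w[0] == "server" and "proto h2" not in " ".join(w) for w in lines)
    return [n for n in sorted(targets) if lacks_h2(n)]
```

Run it against a real file with grpc_backends_without_h2(open(path).read()); an empty list means every HTTP-mode gRPC backend forces h2. Negated conditions (!acl) are not interpreted, so a backend referenced only that way is still treated as a gRPC target.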

additional notes

not working – we get 503s no matter what – this is why we use dnat from the outside and haproxy tcp mode from the inside (because of static name resolution pointing to it already)

frontend https
    bind *:10000 ssl crt /etc/haproxy/certs/ proto h2

    acl netbird_signal_grpc path_beg -i /signalexchange

    use_backend netbird_signal_grpc if netbird_signal_grpc host_netbird

backend netbird_signal_grpc
    http-request set-header X-Forwarded-Proto https
    server netbird_signal_grpc 10.1.0.20:10000 check proto h2

unused – we use 443 instead for mgmt api

    bind *:33073 ssl crt /etc/haproxy/certs/ proto h2

resources

https://github.com/netbirdio/netbird/issues/749


https://github.com/netbirdio/netbird/issues/536


Licensed under MIT