
[HELP] Is it possible to access gRPC as vdir #381

Open
johnny15243 opened this issue Nov 6, 2024 · 5 comments
Labels
help wanted Extra attention is needed

Comments

@johnny15243

johnny15243 commented Nov 6, 2024

What happened?
I tried to get Netbird running.
I started with the advanced installation.
After configuring the vdir for proxy, I have the following errors:

[2024-11-06 17:00:48.902245] [router:vdir-http] [origin:127.0.0.1] [client <clientIP>] POST /management.ManagementService/GetServerKey 521

[2024-11-06 17:00:48.902348] [router:vdir-http] [origin:127.0.0.1] [client <clientIP>] POST /management.ManagementService/GetServerKey 502

If I use the vdir as proxy target and call the URI, no errors appear.

Here is my configuration:

{
    "ProxyType": 1,
    "RootOrMatchingDomain": "",
    "MatchingDomainAlias": [],
    "ActiveOrigins": [
        {
            "OriginIpOrDomain": "127.0.0.1:8081",
            "RequireTLS": false,
            "SkipCertValidations": false,
            "SkipWebSocketOriginCheck": true,
            "Weight": 1,
            "MaxConn": 0
        }
    ],
    "InactiveOrigins": [],
    "UseStickySession": true,
    "UseActiveLoadBalance": false,
    "Disabled": false,
    "BypassGlobalTLS": false,
    "VirtualDirectories": [
        {
            "MatchingPath": "/api/",
            "Domain": "127.0.0.1:33073/api/",
            "RequireTLS": false,
            "SkipCertValidations": false,
            "Disabled": false
        },
        {
            "MatchingPath": "/signalexchange.SignalExchange/",
            "Domain": "127.0.0.1:10000/signalexchange.SignalExchange/",
            "RequireTLS": true,
            "SkipCertValidations": true,
            "Disabled": false
        },
        {
            "MatchingPath": "/management.ManagementService/",
            "Domain": "127.0.0.1:33073/management.ManagementService/",
            "RequireTLS": true,
            "SkipCertValidations": true,
            "Disabled": false
        }
    ],
    "UserDefinedHeaders": [],
    "RequestHostOverwrite": "",
    "HSTSMaxAge": 31536000,
    "EnablePermissionPolicyHeader": false,
    "PermissionPolicy": {
        "accelerometer": [
            ""
        ],
        "ambient_light_sensor": [
            ""
        ],
        "autoplay": [
            ""
        ],
        "battery": [
            ""
        ],
        "camera": [
            ""
        ],
        "cross_origin_isolated": [
            ""
        ],
        "display_capture": [
            ""
        ],
        "document_domain": [
            ""
        ],
        "encrypted_media": [
            ""
        ],
        "execution_while_not_rendered": [
            ""
        ],
        "execution_while_out_of_viewport": [
            ""
        ],
        "fullscreen": [
            ""
        ],
        "geolocation": [
            ""
        ],
        "gyroscope": [
            ""
        ],
        "keyboard_map": [
            ""
        ],
        "magnetometer": [
            ""
        ],
        "microphone": [
            ""
        ],
        "midi": [
            ""
        ],
        "navigation_override": [
            ""
        ],
        "payment": [
            ""
        ],
        "picture_in_picture": [
            ""
        ],
        "publickey_credentials_get": [
            ""
        ],
        "screen_wake_lock": [
            ""
        ],
        "sync_xhr": [
            ""
        ],
        "usb": [
            ""
        ],
        "web_share": [
            ""
        ],
        "xr_spatial_tracking": [
            ""
        ],
        "clipboard_read": [
            ""
        ],
        "clipboard_write": [
            ""
        ],
        "gamepad": [
            ""
        ],
        "speaker_selection": [
            ""
        ],
        "conversion_measurement": [
            ""
        ],
        "focus_without_user_activation": [
            ""
        ],
        "hid": [
            ""
        ],
        "idle_detection": [
            ""
        ],
        "interest_cohort": [
            ""
        ],
        "serial": [
            ""
        ],
        "sync_script": [
            ""
        ],
        "trust_token_redemption": [
            ""
        ],
        "unload": [
            ""
        ],
        "window_placement": [
            ""
        ],
        "vertical_scroll": [
            ""
        ]
    },
    "DisableHopByHopHeaderRemoval": false,
    "RequireBasicAuth": false,
    "BasicAuthCredentials": [],
    "BasicAuthExceptionRules": [],
    "UseSSOIntercept": false,
    "RequireRateLimit": false,
    "RateLimit": 1000,
    "AccessFilterUUID": "default",
    "DefaultSiteOption": 0,
    "DefaultSiteValue": ""
}

Describe the networking setup you are using
Here are some examples of commonly asked questions from our maintainers:

  • Are you using the docker build of Zoraxy? [yes (with docker setup & networking config attach) /no]
  • Your Zoraxy version? 3.1.2 & 3.1.1R3
  • Are you using Cloudflare? no
  • Is your system hosted under a NAT router? yes

Additional context
Add any other context or screenshots about the feature request here.
The following URI paths are gRPC services and are normally called via h2c [HTTP/2] within Caddy:
/management.ManagementService/
and
/signalexchange.SignalExchange/

@johnny15243 johnny15243 added the help wanted Extra attention is needed label Nov 6, 2024
@tobychui
Owner

tobychui commented Nov 6, 2024

@johnny15243 I guess the gRPC service you are running does not support vdir or has an invalid base URL (or similar) setting.

To be exact, vdir rules share the same reverse proxy router object as proxy rules but with automatic rewrites on the path name. Zoraxy will rewrite the hostname automatically on vdir requests (i.e. yourdomain.com/vdir/myresources -> upstream_ip:port/myresources); in this case, I guess there is a misconfiguration in your upstream gRPC server or your gRPC server does not support such a path rewrite.
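A worked version of the rewrite described above, added here as an example (not Zoraxy's own code): the `VdirRule` type, `RewriteVdir` and `IsGRPCMethodPath` are hypothetical names, and the path carried in Domain is assumed to end in "/" as in the issue's configuration. It shows why a bare host:port Domain breaks a gRPC vdir: the service segment is dropped and the upstream path no longer has the /{service}/{method} shape a gRPC server dispatches on.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VdirRule holds the VirtualDirectories fields that drive the rewrite
// (hypothetical type written for this thread, not Zoraxy's own code).
type VdirRule struct {
	MatchingPath string // prefix matched on the incoming path, e.g. "/api/"
	Domain       string // upstream host:port, optionally followed by a path ending in "/"
	RequireTLS   bool
}

var ErrNoMatch = errors.New("request path does not match vdir rule")
// RewriteVdir strips MatchingPath from the request path and appends what is
// left to the path carried in Domain (empty when Domain is a bare host:port).
func RewriteVdir(rule VdirRule, reqPath string) (string, error) {
	if !strings.HasPrefix(reqPath, rule.MatchingPath) {
		return "", ErrNoMatch
	}
	rest := strings.TrimPrefix(reqPath, rule.MatchingPath)
	host, upstreamPath, _ := strings.Cut(rule.Domain, "/")
	scheme := "http://"
	if rule.RequireTLS {
		scheme = "https://"
	}
	return scheme + host + "/" + upstreamPath + rest, nil
}

// IsGRPCMethodPath reports whether p has the "/{service}/{method}" shape gRPC
// servers route on; a rewrite that drops the service segment cannot be dispatched.
func IsGRPCMethodPath(p string) bool {
	if !strings.HasPrefix(p, "/") {
		return false
	}
	parts := strings.Split(p[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

func main() {
	req := "/management.ManagementService/GetServerKey"
	for _, dom := range []string{"127.0.0.1:33073/management.ManagementService/", "127.0.0.1:33073"} {
		up, _ := RewriteVdir(VdirRule{"/management.ManagementService/", dom, true}, req)
		_, path, _ := strings.Cut(strings.TrimPrefix(up, "https://"), "/")
		fmt.Printf("Domain %-48q -> %s (gRPC path ok: %v)\n", dom, up, IsGRPCMethodPath("/"+path))
	}
}
```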

@johnny15243
Author

johnny15243 commented Nov 7, 2024

@tobychui Thanks for the response :-)

First, the path rewrite is no problem. If I add the path to the proxy target, it appends it,
so it works fine. See:

{
"MatchingPath": "/api/",
"Domain": "127.0.0.1:33073/api/",
"RequireTLS": false,
"SkipCertValidations": false,
"Disabled": false
},

Today I scanned the packets via tcpdump.

tcpdump -i lo -A -q '(tcp port 33073) or (udp port 33073)'

I recognized that the request is done via h2 (HTTP/2 with TLS),
but the target needs communication via h2c (HTTP/2 without TLS).
HTTP/1 is also not allowed via gRPC.
Is this a feature you can add?

Here is a caddy.conf sample for netbird.

netbird.example.net {
	reverse_proxy /* netbird-dash:80
	reverse_proxy /signalexchange.SignalExchange/* h2c://netbird-signal
	reverse_proxy /api/* netbird-mgmt
	reverse_proxy /management.ManagementService/* h2c://netbird-mgmt
	header * {
		Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		X-XSS-Protection "1; mode=block"
		-Server
		Referrer-Policy strict-origin-when-cross-origin
	}
}
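To make the h2 vs h2c finding above concrete, here is an added example (not Zoraxy or NetBird code) that classifies the first client bytes of a captured TCP stream, such as the payload tcpdump -A prints, and states which combination a gRPC upstream will reject; `Classify`, `GRPCMismatch` and the sample byte strings are hypothetical and constructed for this thread.

```go
package main

import "bytes"
import "strings"

// WireProtocol is what the first client bytes on a TCP stream reveal
// (hypothetical helper for this thread, not Zoraxy or NetBird code).
type WireProtocol int
const (
	Unknown WireProtocol = iota
	HTTP1 // "POST /path HTTP/1.1" request line
	H2C   // cleartext HTTP/2: fixed 24-byte connection preface
	TLS   // TLS ClientHello; becomes h2 only if ALPN then selects "h2"
)
const h2cPreface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" // RFC 9113 section 3.4

// Classify inspects the leading client-to-server bytes of one TCP stream.
func Classify(head []byte) WireProtocol {
	// TLS record: type 0x16 handshake, version 0x03 0x0X, 2-byte length, then ClientHello 0x01.
	if len(head) >= 6 && head[0] == 0x16 && head[1] == 0x03 && head[5] == 0x01 {
		return TLS
	}
	if bytes.HasPrefix(head, []byte(h2cPreface)) {
		return H2C
	}
	line, _, _ := bytes.Cut(head, []byte("\r\n"))
	if f := strings.Fields(string(line)); len(f) == 3 && strings.HasPrefix(f[2], "HTTP/1.") {
		return HTTP1
	}
	return Unknown
}
// GRPCMismatch returns "" when a gRPC upstream (upstreamTLS: it terminates TLS
// itself) can accept the stream, otherwise why the proxied call fails.
func GRPCMismatch(p WireProtocol, upstreamTLS bool) string {
	switch {
	case p == HTTP1 || p == Unknown:
		return "gRPC requires HTTP/2; no HTTP/2 framing seen"
	case p == TLS && !upstreamTLS:
		return "upstream expects cleartext h2c but received a TLS ClientHello"
	case p == H2C && upstreamTLS:
		return "upstream expects TLS but received the cleartext h2c preface"
	}
	return ""
}
// Constructed sample stream heads for the three cases (not real captures).
var (
	SampleTLSHead   = []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03}
	SampleH2CHead   = append([]byte(h2cPreface), 0, 0, 0, 4, 0, 0, 0, 0, 0) // then an empty SETTINGS frame
	SampleHTTP1Head = []byte("POST /management.ManagementService/GetServerKey HTTP/1.1\r\nHost: 127.0.0.1:33073\r\n\r\n")
)
```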

@fuad00

fuad00 commented Nov 20, 2024

@johnny15243 any update on this? I really want to try netbird with zoraxy

@johnny15243
Author

johnny15243 commented Nov 20, 2024

@fuad00

Yes, I was able to get it up and running.
You have two options:

  1. Self-sign a certificate and mount it to netbird.
  2. (I use a wildcard certificate) Copy the certificate from the zoraxy folder to your netbird.

After copying and mounting the certificate, you have to give the netbird containers a few commands.

Later today I'll paste my netbird docker-compose file and an instruction.

@johnny15243
Author

johnny15243 commented Nov 28, 2024

@faud
Please excuse my late response.

Here is my configuration:

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 127.0.0.1:8081:80
      - 127.0.0.1:8443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://<MY-URL>:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://<MY-URL>:443
      # OIDC
      - AUTH_AUDIENCE=<SECRET>
      - AUTH_CLIENT_ID=<SECRET>
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=<AUTHELIA-URL>
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt:ro
    extra_hosts:
      - "host.docker.internal:host-gateway"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
    ports:
      - 8082:80
      - 127.0.0.1:10001:10000 
  #      # port and command for Let's Encrypt validation
  #      - 443:443
    command: ["--cert-file", "/etc/letsencrypt/<MY-URL>.pem", "--cert-key", "/etc/letsencrypt/<MY-URL>.key", "--log-file", "console", "--log-level","debug"]
    extra_hosts:
      - "host.docker.internal:host-gateway"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=<MY-URL>:33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET=<SECRET>
    ports:
      - "127.0.0.1:33081:33080"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
#      - 9443:443 #API port
      - 127.0.0.1:33073:443 
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    extra_hosts:
      - "host.docker.internal:host-gateway"
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "debug",
      "--disable-anonymous-metrics=false",
#      "--single-account-mode-domain=<MY-URL>",
      "--dns-domain=netbird.selfhosted",
      "--disable-single-account-mode"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: <MY-URL> # only needed when TLS is enabled
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

I hope it helps you.
