feat: add web proxy target allowlist support via NEXAVPN_ALWAYS_ALLOW_WEB_PROXY_IPS environment variable

Add alwaysAllowWebProxyTargets function to parse comma-separated IPs from NEXAVPN_ALWAYS_ALLOW_WEB_PROXY_IPS environment variable with deduplication. Update mergeProfileAllowedIPs to accept webProxyTargets parameter and merge them into profile allowed IPs using /32 routes. Add WebProxyTargets field to wireguard.Peer struct and populate it in BuildSyncBundle and device enrollment/policy application
2026-03-18 09:39:40 +01:00
parent d1940e6f28
commit ab7275059f
5 changed files with 71 additions and 5 deletions
--- a/backend/internal/gateway/repository.go
+++ b/backend/internal/gateway/repository.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"encoding/json"
 	"net/netip"
+	"os"
+	"strings"

 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgxpool"
@@ -118,12 +120,35 @@ func (r *PGRepository) BuildSyncBundle(ctx context.Context, gatewayID uuid.UUID)
 			return wireguard.GatewayBundle{}, err
 		}
 		peer.DeviceID = deviceID.String()
+		peer.WebProxyTargets = alwaysAllowWebProxyTargets()
 		bundle.Peers = append(bundle.Peers, peer)
 	}

 	return bundle, rows.Err()
 }

+func alwaysAllowWebProxyTargets() []string {
+	raw := os.Getenv("NEXAVPN_ALWAYS_ALLOW_WEB_PROXY_IPS")
+	if strings.TrimSpace(raw) == "" {
+		return nil
+	}
+
+	seen := make(map[string]struct{})
+	targets := make([]string, 0)
+	for _, part := range strings.Split(raw, ",") {
+		value := strings.TrimSpace(part)
+		if value == "" {
+			continue
+		}
+		if _, ok := seen[value]; ok {
+			continue
+		}
+		seen[value] = struct{}{}
+		targets = append(targets, value)
+	}
+	return targets
+}
+
 func (r *PGRepository) Update(ctx context.Context, gatewayID uuid.UUID, input UpdateRequest) (Gateway, error) {
 	row := r.db.QueryRow(ctx, `
 		update gateways