cors: add Private Network Access support for BYOC deployments

birdayz · birdayz · commit 6a79ea40e94a · 2026-02-03T19:47:02.000+01:00
Chrome's Private Network Access (PNA) blocks requests from public
origins to private network addresses. This breaks BYOC deployments
where users access cloud.redpanda.com but their split-tunnel VPN
routes Console traffic to private IP space (e.g., 100.64.0.0/10).

Switch from go-chi/cors to rs/cors which has native AllowPrivateNetwork
support. Add server.allowPrivateNetwork config option to enable it.

Refs: CIAINFRA-2284
diff --git a/backend/go.mod b/backend/go.mod
@@ -24,7 +24,6 @@ require (
 	github.com/fxamacker/cbor/v2 v2.9.0
 	github.com/getkin/kin-openapi v0.133.0
 	github.com/go-chi/chi/v5 v5.2.3
-	github.com/go-chi/cors v1.2.2
 	github.com/go-git/go-billy/v5 v5.6.2
 	github.com/go-git/go-git/v5 v5.16.3
 	github.com/go-viper/mapstructure/v2 v2.4.0
@@ -48,6 +47,7 @@ require (
 	github.com/redpanda-data/common-go/net v0.1.1-0.20240429123545-4da3d2b371f7
 	github.com/redpanda-data/common-go/rpadmin v0.2.0
 	github.com/redpanda-data/common-go/rpsr v0.1.2
+	github.com/rs/cors v1.11.1
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/stretchr/testify v1.11.1
 	github.com/testcontainers/testcontainers-go v0.38.0
diff --git a/backend/go.sum b/backend/go.sum
@@ -162,8 +162,6 @@ github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
-github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
-github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
@@ -422,6 +420,8 @@ github.com/rodaine/protogofakeit v0.1.1 h1:ZKouljuRM3A+TArppfBqnH8tGZHOwM/pjvtXe
 github.com/rodaine/protogofakeit v0.1.1/go.mod h1:pXn/AstBYMaSfc1/RqH3N82pBuxtWgejz1AlYpY1mI0=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
diff --git a/backend/pkg/api/middlewares_test.go b/backend/pkg/api/middlewares_test.go
@@ -14,6 +14,7 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/rs/cors"
 	"github.com/stretchr/testify/require"
 )
 
@@ -40,3 +41,38 @@ func TestCreateHSTSHeaderMiddleware(t *testing.T) {
 		})
 	}
 }
+
+func TestCORSPrivateNetworkAccess(t *testing.T) {
+	// Test that rs/cors AllowPrivateNetwork option correctly handles
+	// Chrome's Private Network Access preflight requests for BYOC deployments.
+	for _, enabled := range []bool{true, false} {
+		t.Run(fmt.Sprintf("AllowPrivateNetwork=%t", enabled), func(t *testing.T) {
+			c := cors.New(cors.Options{
+				AllowedOrigins:      []string{"https://cloud.redpanda.com"},
+				AllowedMethods:      []string{"GET", "POST", "OPTIONS"},
+				AllowedHeaders:      []string{"*"},
+				AllowPrivateNetwork: enabled,
+			})
+
+			handler := c.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				w.Write([]byte("ok"))
+			}))
+
+			// Simulate Chrome PNA preflight request
+			req := httptest.NewRequest(http.MethodOptions, "/", http.NoBody)
+			req.Header.Set("Origin", "https://cloud.redpanda.com")
+			req.Header.Set("Access-Control-Request-Method", "GET")
+			req.Header.Set("Access-Control-Request-Private-Network", "true")
+
+			rec := httptest.NewRecorder()
+			handler.ServeHTTP(rec, req)
+
+			val := rec.Header().Get("Access-Control-Allow-Private-Network")
+			if enabled {
+				require.Equal(t, "true", val, "expected PNA header for BYOC deployments")
+			} else {
+				require.Empty(t, val, "should not set PNA header when disabled")
+			}
+		})
+	}
+}
diff --git a/backend/pkg/api/routes.go b/backend/pkg/api/routes.go
@@ -21,12 +21,12 @@ import (
 	"github.com/cloudhut/common/rest"
 	"github.com/go-chi/chi/v5"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
-	"github.com/go-chi/cors"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	commoninterceptor "github.com/redpanda-data/common-go/api/interceptor"
 	"github.com/redpanda-data/common-go/api/metrics"
+	"github.com/rs/cors"
 	connectgateway "go.vallahaye.net/connect-gateway"
 	"google.golang.org/protobuf/encoding/protojson"
 
@@ -523,19 +523,23 @@ func (api *API) routes() *chi.Mux {
 	baseRouter.Use(recoverer.Wrap)
 	baseRouter.Use(chimiddleware.RealIP)
 	baseRouter.Use(basePath.Wrap)
-	baseRouter.Use(cors.Handler(cors.Options{
-		AllowOriginFunc: func(r *http.Request, _ string) bool {
+	// AllowPrivateNetwork enables Chrome's Private Network Access support for BYOC
+	// deployments where browsers access cloud.redpanda.com but VPN routes traffic
+	// to private IP addresses.
+	baseRouter.Use(cors.New(cors.Options{
+		AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
 			isAllowed := checkOriginFn(r)
 			if !isAllowed {
 				api.Logger.Debug("CORS check failed", slog.String("request_origin", r.Header.Get("Origin")))
 			}
 			return isAllowed
 		},
-		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"},
-		AllowedHeaders:   []string{"*"},
-		AllowCredentials: true,
-		MaxAge:           300, // Maximum value not ignored by any of major browsers
-	}))
+		AllowedMethods:      []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"},
+		AllowedHeaders:      []string{"*"},
+		AllowCredentials:    true,
+		MaxAge:              300, // Maximum value not ignored by any of major browsers
+		AllowPrivateNetwork: api.Cfg.REST.AllowPrivateNetwork,
+	}).Handler)
 
 	// Fork a new router so that we can inject middlewares that are specific to the Connect API
 	baseRouter.Group(func(router chi.Router) {
diff --git a/backend/pkg/config/server.go b/backend/pkg/config/server.go
@@ -27,6 +27,14 @@ type Server struct {
 	// CSRF-attacks.
 	AllowedOrigins []string `yaml:"allowedOrigins"`
 
+	// AllowPrivateNetwork enables Chrome's Private Network Access preflight handling.
+	// When enabled, the server responds with Access-Control-Allow-Private-Network: true
+	// for CORS preflight requests that include Access-Control-Request-Private-Network.
+	// This is required for BYOC deployments where browsers access a public origin
+	// (e.g., cloud.redpanda.com) but traffic routes to private IP addresses via VPN.
+	// See: https://developer.chrome.com/blog/private-network-access-preflight
+	AllowPrivateNetwork bool `yaml:"allowPrivateNetwork"`
+
 	// Debug allows to configure the pprof debug handler options.
 	Debug DebugConfig `yaml:"debug"`
 }
