From 5ffbcbf8ceee25c6e7b42ecce74b6632f9dc483c Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Mon, 19 Jan 2026 18:08:10 +0100 Subject: [PATCH 1/4] wip send cookie keys via protos --- crates/defguard_proxy_manager/src/lib.rs | 30 +++++++++++++++--------- proto | 2 +- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs index ea4ffef294..006c30613f 100644 --- a/crates/defguard_proxy_manager/src/lib.rs +++ b/crates/defguard_proxy_manager/src/lib.rs @@ -35,7 +35,7 @@ use defguard_core::{ use defguard_mail::Mail; use defguard_proto::proxy::{ AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, DerPayload, - InitialSetupInfo, core_request, core_response, proxy_client::ProxyClient, + InitialInfo, InitialSetupInfo, core_request, core_response, proxy_client::ProxyClient, proxy_setup_client::ProxySetupClient, }; use defguard_version::{ @@ -376,16 +376,7 @@ impl ProxyServer { let interceptor = ClientVersionInterceptor::new(Version::parse(VERSION)?); let mut client = ProxyClient::with_interceptor(endpoint.connect_lazy(), interceptor); let (tx, rx) = mpsc::unbounded_channel(); - let mut request = tonic::Request::new(UnboundedReceiverStream::new(rx)); - let config = server_config(); - - // Derive proxy cookie key from core secret to avoid transmitting it. - let proxy_cookie_key = Key::derive_from(config.secret_key.expose_secret().as_bytes()); - request.metadata_mut().insert_bin( - COOKIE_KEY_HEADER, - MetadataValue::from_bytes(proxy_cookie_key.master()), - ); - let response = match client.bidi(request).await { + let response = match client.bidi(UnboundedReceiverStream::new(rx)).await { Ok(response) => response, Err(err) => { match err.code() { 
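Review bot: Dropping the `dg-cookie-key-bin` metadata from the `client.bidi(...)` call means the proxy no longer has the cookie key at stream-establishment time; it now depends on the `InitialInfo` message (added in a later hunk) being the first thing it reads, so any proxy request handled before that message is processed has no key to sign or unseal cookies with and must fail closed or be buffered on the proxy side. Worth pinning that contract at the call site, e.g. `// The derived cookie key is delivered as the first InitialInfo message on this stream; the proxy must not serve cookie-bound requests until it has been received.` Note also that both the old header and the new stream message travel over the same connection, so the derived key's exposure is unchanged only if this endpoint is actually configured with `ClientTlsConfig` (the `Scheme` handling is outside this hunk). The enclosing function starts and ends outside the hunk.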
@@ -435,6 +426,23 @@ impl ProxyServer { info!("Connected to proxy at {}", endpoint.uri()); let mut resp_stream = response.into_inner(); + + // Derive proxy cookie key from core secret to avoid transmitting it. + let config = server_config(); + let proxy_cookie_key = Key::derive_from(config.secret_key.expose_secret().as_bytes()); + error!("### KEY: {:?}", proxy_cookie_key.master()); + // request.metadata_mut().insert_bin( + // COOKIE_KEY_HEADER, + // MetadataValue::from_bytes(proxy_cookie_key.master()), + // ); + let initial_info = InitialInfo { + private_cookies_key: proxy_cookie_key.master().to_vec(), + }; + let req = CoreResponse { + id: 0, + payload: Some(core_response::Payload::InitialInfo(initial_info)), + }; + let _ = tx.send(req); self.message_loop(tx, tx_set.wireguard.clone(), &mut resp_stream) .await?; } diff --git a/proto b/proto index 161c6c6776..c0cfe8b1a1 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit 161c6c677662130924e8bac0c16421b8ed085d33 +Subproject commit c0cfe8b1a1f43ba4cead0e092f1f482d80925f3f From 2cae9197584ef44f0adf1a17412720b4ee3c0300 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 20 Jan 2026 10:45:00 +0100 Subject: [PATCH 2/4] cleanup --- crates/defguard_proxy_manager/src/lib.rs | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs index 006c30613f..228e92ec77 100644 --- a/crates/defguard_proxy_manager/src/lib.rs +++ b/crates/defguard_proxy_manager/src/lib.rs @@ -58,7 +58,6 @@ use tokio::{ use tokio_stream::wrappers::UnboundedReceiverStream; use tonic::{ Code, Streaming, - metadata::MetadataValue, transport::{Certificate, ClientTlsConfig, Endpoint}, }; 
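Review bot: `error!("### KEY: {:?}", proxy_cookie_key.master())` writes the raw cookie master key into the core log at error level, which is exactly the level that gets shipped to central log collectors, and the commented-out `request.metadata_mut()` block beneath it is dead code. Patch 2 of this series removes both, but the key-logging revision remains reachable in history (bisect, checkout, backport) unless the series is squashed before merge, so please squash rather than merge as-is. Independently of that, `let _ = tx.send(req)` discards the `SendError`, so a closed channel would leave the proxy without a cookie key and the core none the wiser. The enclosing function starts outside this hunk.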
@@ -73,7 +72,6 @@ extern crate tracing; const TEN_SECS: Duration = Duration::from_secs(10); const PROXY_AFTER_SETUP_CONNECT_DELAY: Duration = Duration::from_secs(1); static VERSION_ZERO: Version = Version::new(0, 0, 0); -static COOKIE_KEY_HEADER: &str = "dg-cookie-key-bin"; #[derive(Debug, PartialEq, Eq, Clone, Copy)] pub(crate) enum Scheme { @@ -430,19 +428,14 @@ impl ProxyServer { // Derive proxy cookie key from core secret to avoid transmitting it. let config = server_config(); let proxy_cookie_key = Key::derive_from(config.secret_key.expose_secret().as_bytes()); - error!("### KEY: {:?}", proxy_cookie_key.master()); - // request.metadata_mut().insert_bin( - // COOKIE_KEY_HEADER, - // MetadataValue::from_bytes(proxy_cookie_key.master()), - // ); - let initial_info = InitialInfo { - private_cookies_key: proxy_cookie_key.master().to_vec(), - }; - let req = CoreResponse { - id: 0, - payload: Some(core_response::Payload::InitialInfo(initial_info)), - }; - let _ = tx.send(req); + let initial_info = InitialInfo { + private_cookies_key: proxy_cookie_key.master().to_vec(), + }; + let req = CoreResponse { + id: 0, + payload: Some(core_response::Payload::InitialInfo(initial_info)), + }; + let _ = tx.send(req); self.message_loop(tx, tx_set.wireguard.clone(), &mut resp_stream) .await?; } From b7053ca85c5517b1fe774ff480e3f871d532fa09 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 20 Jan 2026 10:45:22 +0100 Subject: [PATCH 3/4] new protos --- proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proto b/proto index c0cfe8b1a1..ec48aca943 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit c0cfe8b1a1f43ba4cead0e092f1f482d80925f3f +Subproject commit ec48aca9438e7cdcb4fcdb01ce6dcb5dac7f8dd3 From c9875cc86dad3758b22609fcade08b24fd01c933 Mon Sep 17 00:00:00 2001 
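Review bot: In the `@@ -430,19 +428,14 @@` hunk, `let _ = tx.send(req)` still throws away the send result, so if the receiver side has already gone away the proxy never receives `InitialInfo` and every subsequent cookie operation on the proxy side fails without any signal in the core; since the surrounding function already returns `Result` (see `.await?` on `message_loop`), the failed send should be surfaced with the function's error type instead of proceeding into `message_loop`, e.g. `if tx.send(req).is_err() { error!("Failed to queue cookie key for proxy"); return Err(/* function's error type */); }`. If `id` is otherwise a request correlation id, `id: 0` deserves a one-line comment such as `// id 0: unsolicited core-initiated message, not a reply to a proxy request.` — I cannot confirm the proxy's handling of 0 from this hunk. The enclosing function starts and ends outside the hunk.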
From: Jacek Chmielewski Date: Tue, 20 Jan 2026 10:56:22 +0100 Subject: [PATCH 4/4] style, comments --- crates/defguard_proxy_manager/src/lib.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs index 228e92ec77..6057dea7be 100644 --- a/crates/defguard_proxy_manager/src/lib.rs +++ b/crates/defguard_proxy_manager/src/lib.rs @@ -425,17 +425,19 @@ impl ProxyServer { info!("Connected to proxy at {}", endpoint.uri()); let mut resp_stream = response.into_inner(); - // Derive proxy cookie key from core secret to avoid transmitting it. + // Derive proxy cookie key from core secret to avoid transmitting it over gRPC. let config = server_config(); let proxy_cookie_key = Key::derive_from(config.secret_key.expose_secret().as_bytes()); + + // Send initial info with private cookies key. let initial_info = InitialInfo { private_cookies_key: proxy_cookie_key.master().to_vec(), }; - let req = CoreResponse { + let _ = tx.send(CoreResponse { id: 0, payload: Some(core_response::Payload::InitialInfo(initial_info)), - }; - let _ = tx.send(req); + }); + self.message_loop(tx, tx_set.wireguard.clone(), &mut resp_stream) .await?; }
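Review bot: The new comment `// Derive proxy cookie key from core secret to avoid transmitting it over gRPC.` is contradicted by the lines directly below it, which put `proxy_cookie_key.master().to_vec()` into `InitialInfo` and send it over the gRPC stream; what the derivation avoids is transmitting the core `secret_key` itself, and the next maintainer will read the comment as "no key material crosses the wire". Suggest `// Derive the proxy cookie key from the core secret so the core secret itself never leaves this process; only the derived key is sent to the proxy over the (TLS-protected, if so configured) gRPC stream.` The `let _ = tx.send(CoreResponse { ... })` form still discards the `SendError`, so a failed hand-off of the key is invisible to the core. The enclosing function starts and ends outside the hunk.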