Try to add redirect

netstack2/handlers.go

@@ -152,10 +152,18 @@ func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.Transpo
 		srcAddr, _ := netip.ParseAddr(srcIP)
 		dstAddr, _ := netip.ParseAddr(dstIP)
 		rule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, dstPort, tcp.ProtocolNumber)
-		if rule != nil && rule.Protocol != "" {
-			logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
-				srcIP, srcPort, dstIP, dstPort, rule.Protocol)
-			h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
+		if rule != nil {
+			if rule.Protocol != "" {
+				logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
+					srcIP, srcPort, dstIP, dstPort, rule.Protocol)
+				h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
+			} else {
+				// A matching HTTP rule exists but has no protocol configured —
+				// do not fall through to the raw TCP handler; drop the connection.
+				logger.Info("TCP Forwarder: Dropping %s:%d -> %s:%d (HTTP rule matched but no protocol set)",
+					srcIP, srcPort, dstIP, dstPort)
+				netstackConn.Close()
+			}
 			return
 		}
 	}

netstack2/http_handler.go

@@ -336,6 +336,19 @@ func (h *HTTPHandler) handleRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// If the rule is plain HTTP but has a TLS certificate configured, redirect
+	// the client to the HTTPS equivalent of the requested URL.
+	if rule.Protocol == "http" && rule.TLSCert != "" && rule.TLSKey != "" {
+		host := r.Host
+		if host == "" {
+			host = r.URL.Host
+		}
+		httpsURL := "https://" + host + r.RequestURI
+		logger.Info("HTTP handler: redirecting %s %s -> %s (TLS cert present)", r.Method, r.URL.RequestURI(), httpsURL)
+		http.Redirect(w, r, httpsURL, http.StatusMovedPermanently)
+		return
+	}
+
 	target := rule.HTTPTargets[0]
 	scheme := target.Scheme
 	logger.Info("HTTP handler: %s %s -> %s://%s:%d",