From 817824bd6fee04b188e6c657de39e17b4d06f19f Mon Sep 17 00:00:00 2001
From: rinseaid
Date: Wed, 13 May 2026 22:38:35 -0400
Subject: [PATCH 1/3] Fix X-Forwarded-Proto always set to "http" for TLS connections

httpConnCtx wraps *tls.Conn behind net.Conn, so Go's http.Server cannot detect TLS via type assertion and r.TLS is always nil. SetXForwarded() then always writes X-Forwarded-Proto: http. Override using the isTLS context flag already set by ConnContext.
---
 netstack2/http_handler.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/netstack2/http_handler.go b/netstack2/http_handler.go
index ece82e9..ba0495f 100644
--- a/netstack2/http_handler.go
+++ b/netstack2/http_handler.go
@@ -315,6 +315,13 @@ func (h *HTTPHandler) getProxy(target HTTPTarget) *httputil.ReverseProxy {
 // Director means the proxy does not append its own automatic
 // X-Forwarded-For entry, so the header is set exactly once.
 pr.SetXForwarded()
+
+ // SetXForwarded derives X-Forwarded-Proto from pr.In.TLS,
+ // which is nil because httpConnCtx wraps *tls.Conn behind
+ // net.Conn. Override using the context flag set by ConnContext.
+ if isTLS, _ := pr.In.Context().Value(connTLSKey{}).(bool); isTLS {
+ pr.Out.Header.Set("X-Forwarded-Proto", "https")
+ }
 },
 Transport: transport,
 }

From b6e2d61a18a8d85f4e7f56bc56cdc44d94ada062 Mon Sep 17 00:00:00 2001
From: rinseaid
Date: Wed, 13 May 2026 22:40:22 -0400
Subject: [PATCH 2/3] Add workflow to build patched image to ghcr.io/rinseaid/newt:patched

---
 .github/workflows/build-patched.yml | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/build-patched.yml

diff --git a/.github/workflows/build-patched.yml b/.github/workflows/build-patched.yml
new file mode 100644
index 0000000..bd6d330
--- /dev/null
+++ b/.github/workflows/build-patched.yml
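Review bot: The override at `if isTLS, _ := pr.In.Context().Value(connTLSKey{}).(bool); isTLS {` silently leaves the `http` value that `pr.SetXForwarded()` wrote on the line above whenever the inbound context carries no `connTLSKey{}` entry, which appears to depend on `ConnContext` having run on the server that accepted this connection; a request that reaches this Rewrite through any other server (an httptest server in unit tests, or a listener wired without that hook) would be forwarded as plain HTTP even after a TLS handshake, and a backend that keys secure-cookie or redirect decisions on this header would downgrade accordingly. That fallback is probably the intended default, but the new comment only explains why `pr.In.TLS` is nil, not that a missing key means "not TLS", so I would extend it with `// A missing or non-bool value is treated as plain HTTP; this relies on ConnContext storing connTLSKey{} for every accepted connection.` A small test that invokes the Rewrite with an inbound request whose context has `connTLSKey{}` set to true and asserts `X-Forwarded-Proto: https` on `pr.Out` would pin the fix, since the override is the only thing correcting the value SetXForwarded already set. getProxy starts and ends outside the hunk.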
@@ -0,0 +1,34 @@
+name: Build patched image
+
+on:
+ push:
+ branches: [fix/x-forwarded-proto-tls]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: docker/setup-qemu-action@v3
+
+ - uses: docker/setup-buildx-action@v3
+
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ platforms: linux/amd64,linux/arm64
+ build-args: VERSION=patched
+ tags: ghcr.io/rinseaid/newt:patched

From 55ca18a1dbc4443c005031c4645d63794fb5e092 Mon Sep 17 00:00:00 2001
From: Owen Schwartz
Date: Wed, 13 May 2026 20:53:27 -0700
Subject: [PATCH 3/3] Delete .github/workflows/build-patched.yml

---
 .github/workflows/build-patched.yml | 34 -----------------------------
 1 file changed, 34 deletions(-)
 delete mode 100644 .github/workflows/build-patched.yml

diff --git a/.github/workflows/build-patched.yml b/.github/workflows/build-patched.yml
deleted file mode 100644
index bd6d330..0000000
--- a/.github/workflows/build-patched.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Build patched image
-
-on:
- push:
- branches: [fix/x-forwarded-proto-tls]
- workflow_dispatch:
-
-permissions:
- contents: read
- packages: write
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - uses: docker/setup-qemu-action@v3
-
- - uses: docker/setup-buildx-action@v3
-
- - uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - uses: docker/build-push-action@v6
- with:
- context: .
- push: true
- platforms: linux/amd64,linux/arm64
- build-args: VERSION=patched
- tags: ghcr.io/rinseaid/newt:patched
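Review bot: The workflow added in the `+++ b/.github/workflows/build-patched.yml` hunk references every action by a mutable major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`) while holding `packages: write` and a registry login, so whatever those tags resolve to at run time can publish under `ghcr.io/rinseaid/newt:patched`; pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment, ties the published image to action code that was actually reviewed. `workflow_dispatch:` additionally lets any collaborator with write access push the image from a ref of their choosing, which deserves a one-line comment if that trigger is intentional. PATCH 3/3 deletes this file again, so for this series the point is moot; it applies if the workflow is reintroduced.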