From a6533b3fa0b0af4d9080c813f1b91461bc38756d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 29 Apr 2026 21:11:07 -0700
Subject: [PATCH] Fix incorrect redirect logic

---
 netstack2/http_handler.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/netstack2/http_handler.go b/netstack2/http_handler.go
index 5e44844..6f08d76 100644
--- a/netstack2/http_handler.go
+++ b/netstack2/http_handler.go
@@ -356,9 +356,9 @@ func (h *HTTPHandler) handleRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// If the rule is plain HTTP but has a TLS certificate configured, redirect
-	// the client to the HTTPS equivalent of the requested URL.
-	if rule.Protocol == "http" && rule.TLSCert != "" && rule.TLSKey != "" {
+	// If the rule is HTTPS and a TLS certificate is configured, but the
+	// incoming request arrived over plain HTTP, redirect to HTTPS.
+	if rule.Protocol == "https" && rule.TLSCert != "" && rule.TLSKey != "" && r.TLS == nil {
 		host := r.Host
 		if host == "" {
 			host = r.URL.Host