Commit Graph

874 Commits

Author SHA1 Message Date
Owen Schwartz
62dc2d3e96 Merge pull request #365 from fosrl/dependabot/github_actions/actions/stale-10.3.0
chore(deps): bump actions/stale from 10.2.0 to 10.3.0

Former-commit-id: 7127740219
2026-06-04 10:58:00 -07:00
Owen Schwartz
7d84393dd0 Merge pull request #370 from immanuwell/fix/docker-fetch-duplicate-log-and-reliable-ping-dead-code
fix: remove duplicate wrong error log in socket/fetch and dead code in reliablePing
Former-commit-id: 4c56a2d02c
2026-06-04 10:57:04 -07:00
Owen Schwartz
02fc8b0684 Merge pull request #351 from fosrl/dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.1
chore(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1

Former-commit-id: 4b81b34eae
2026-06-04 10:53:51 -07:00
dependabot[bot]
9f014b19f8 chore(deps): bump actions/stale from 10.2.0 to 10.3.0
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](b5d41d4e1d...eb5cf3af3a)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: eca54190b0
2026-06-04 17:53:38 +00:00
Owen Schwartz
1f80280384 Merge pull request #350 from fosrl/dependabot/github_actions/sigstore/cosign-installer-4.1.2
chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2

Former-commit-id: f922155843
2026-06-04 10:51:36 -07:00
Owen Schwartz
66714adb0a Merge pull request #356 from fosrl/dependabot/go_modules/prod-patch-updates-d9ad24fc58
chore(deps): bump the prod-patch-updates group across 1 directory with 2 updates

Former-commit-id: 1f16708a05
2026-06-04 10:51:28 -07:00
dependabot[bot]
a868719459 chore(nix): fix hash for updated go dependencies
Former-commit-id: 88c1c2e0b5
2026-06-04 17:22:48 +00:00
dependabot[bot]
b2c73a40df chore(deps): bump the prod-patch-updates group across 1 directory with 2 updates
Bumps the prod-patch-updates group with 2 updates in the / directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go) and software.sslmate.com/src/go-pkcs12.


Updates `google.golang.org/grpc` from 1.81.0 to 1.81.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1)

Updates `software.sslmate.com/src/go-pkcs12` from 0.7.0 to 0.7.1

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: software.sslmate.com/src/go-pkcs12
  dependency-version: 0.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: 69ed08222f
2026-06-04 17:21:44 +00:00
Owen Schwartz
a82942381b Merge pull request #371 from fosrl/fix/go-deps-security-updates
Update golang.org/x modules for security fixes

Former-commit-id: 0169123d55
2026-06-04 10:19:31 -07:00
Marc Schäfer
fde46cb587 fix(nix): update Go module vendor hash
Former-commit-id: ac9852a3cb
2026-06-04 14:28:28 +02:00
Marc Schäfer
a8d91756ca fix(deps): update golang.org/x modules for security fixes
Update golang.org/x/crypto, golang.org/x/net and golang.org/x/sys
to versions containing security fixes reported by Docker Scout.


Former-commit-id: f91deeede7
2026-06-04 12:53:53 +02:00
immanuwell
763ef3726e fix: remove duplicate wrong error log in socket/fetch handler and dead code in reliablePing
Former-commit-id: d57b7ccb53
2026-05-30 21:55:46 +04:00
Owen Schwartz
2cd9ffc582 Merge pull request #362 from fosrl/ci/use-go-version-file
Use Go version specified in go.mod for CI tests

Former-commit-id: c168ddac90
2026-05-20 20:07:16 -07:00
Marc Schäfer
8d30a584b5 ci(test): use Go version from go.mod
Former-commit-id: 88d946c9b4
2026-05-21 02:42:59 +02:00
Owen Schwartz
936642cef9 Merge pull request #358 from cwiggs/feat/ci-go-test
feat(ci): run a go test before we build

Former-commit-id: c9be684b91
2026-05-20 14:51:17 -07:00
Owen Schwartz
9d060c2ac5 Merge pull request #361 from fosrl/dev
Housekeeping

Former-commit-id: 8f321365d5
2026-05-20 14:48:53 -07:00
Owen Schwartz
fba7943cd3 Merge pull request #349 from fosrl/issue-348
Refactor Docker client imports and container handling logic

Former-commit-id: 21e2a7b91f
2026-05-16 21:11:12 -07:00
dependabot[bot]
f41e15fcb3 chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.1.1...6f9f17788090df1f26f669e9d70d6ae9567deba6)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: 24f5d55cce
2026-05-16 21:57:19 +00:00
Owen Schwartz
0d528abab8 Merge pull request #360 from fosrl/github-action-cosign
Upgrade cosign installer to v4.1.2 and pin cosign version

Former-commit-id: 2562bda187
2026-05-16 14:55:22 -07:00
Marc Schäfer
16cb83fd28 fix(security): update cosign to v3.0.6 and installer to 4.1.2
Former-commit-id: 8736f89291
2026-05-16 16:31:27 +02:00
Chris Wiggins
d5c3dedca6 feat(ci): run a go test before we build
Former-commit-id: 54a13b268e
2026-05-15 11:48:50 -06:00
Owen Schwartz
1de3076808 Merge pull request #353 from rinseaid/fix/x-forwarded-proto-tls
Fix X-Forwarded-Proto always set to "http" for TLS connections

Former-commit-id: 37aff0daa5
2026-05-13 20:54:06 -07:00
Owen Schwartz
b0f8589443 Delete .github/workflows/build-patched.yml
Former-commit-id: 55ca18a1db
2026-05-13 20:53:27 -07:00
rinseaid
a855047139 Add workflow to build patched image to ghcr.io/rinseaid/newt:patched
Former-commit-id: b6e2d61a18
2026-05-13 22:40:22 -04:00
rinseaid
79e21b7917 Fix X-Forwarded-Proto always set to "http" for TLS connections
httpConnCtx wraps *tls.Conn behind net.Conn, so Go's http.Server
cannot detect TLS via type assertion and r.TLS is always nil.
SetXForwarded() then always writes X-Forwarded-Proto: http.

Override using the isTLS context flag already set by ConnContext.


Former-commit-id: 817824bd6f
2026-05-13 22:38:35 -04:00
Owen
c9ac8fc28f Remove test
Former-commit-id: efa1ecf61e
2026-05-11 18:04:51 -07:00
Owen
74acbad133 Update log message
Former-commit-id: d28c2aaa87
2026-05-11 10:34:30 -07:00
dependabot[bot]
7ff795b6bb chore(deps): bump aws-actions/configure-aws-credentials
Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](ec61189d14...d979d5b3a7)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: 820978ae6f
2026-05-11 14:36:15 +00:00
Marc Schäfer
8246eb1e36 refactor: update Docker client imports and adjust container handling logic
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>

Former-commit-id: 0e2d7057b6
2026-05-10 10:50:38 +02:00
Marc Schäfer
9342546075 Merge pull request #312 from fosrl/dependabot/github_actions/softprops/action-gh-release-3.0.0
chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0

Former-commit-id: ae48df97c8
2026-05-09 15:57:52 +02:00
Marc Schäfer
0d26fb6de4 Merge pull request #313 from fosrl/dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.0
chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0

Former-commit-id: df125affe4
2026-05-09 15:57:40 +02:00
Marc Schäfer
9de90429d3 Merge pull request #314 from fosrl/dependabot/github_actions/docker/build-push-action-7.1.0
chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0

Former-commit-id: 848a23a535
2026-05-09 15:57:29 +02:00
Marc Schäfer
e167c35293 Merge pull request #315 from fosrl/dependabot/github_actions/actions/setup-go-6.4.0
chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0

Former-commit-id: 1a1d58c4dc
2026-05-09 15:57:15 +02:00
Owen Schwartz
81a4f3fd27 Merge pull request #346 from fosrl/dev
Fix redirect

Former-commit-id: 0da8a29a61
1.12.5
2026-05-08 11:06:31 -07:00
Owen
5541f92d07 Bump version
Former-commit-id: a1218ab67a
2026-05-08 11:05:24 -07:00
Owen
74b4b7d76d Merge branch 'main' into dev
Former-commit-id: bb84762b16
2026-05-08 11:05:07 -07:00
Owen
328b1aced3 Fix the redirect
Former-commit-id: 86155072de
2026-05-08 11:03:00 -07:00
Owen Schwartz
655cfa45fb Merge pull request #345 from LaurenceJJones/investigate/https-permanent-redirect-loop
fix(http): populate Request.TLS for private HTTPS via httpConnCtx

Former-commit-id: 4a9a4c4eec
2026-05-08 09:48:22 -07:00
Owen Schwartz
b3e4964e52 Merge pull request #344 from LaurenceJJones/investigate/private-http-redirect-500
fix(http): Set host header based on in

Former-commit-id: 21c744fe84
2026-05-08 09:47:09 -07:00
Laurence
f871b5e324 fix(http): populate Request.TLS for private HTTPS via httpConnCtx
net/http only sets Request.TLS for *tls.Conn or conns implementing ConnectionState(). Our listener wrapped tls.Server in httpConnCtx with an embedded net.Conn, so TLS was never surfaced and r.TLS stayed nil. That triggered the HTTP→HTTPS permanent redirect on every request for HTTPS rules.

Add ConnectionState() on httpConnCtx delegating to the underlying TLS conn.
Add tests for TLS forwarding and plain TCP.


Former-commit-id: 146e7835eb
2026-05-08 15:17:31 +01:00
Laurence
85d51a300e fix(http): Set host header based on in
fix https://github.com/fosrl/pangolin/issues/2952 issue by setting the incoming host header to the outgoing one by the reverse proxy, this was the default behaviour when using single proxy but now since we use more features it now rewrites the host header


Former-commit-id: 6aa94c0c2a
2026-05-08 13:45:50 +01:00
Owen Schwartz
cd9fb3d013 Merge pull request #342 from fosrl/dev
1.12.4

Former-commit-id: 542c70b326
1.12.4
2026-05-07 17:41:03 -07:00
Owen
6b42cac02d Retry interval while we are disconnected
Former-commit-id: 663e98af60
2026-05-07 17:27:01 -07:00
Owen
d5f48f782f Increase max attempts
Former-commit-id: 901ec71baf
2026-05-07 17:25:13 -07:00
Owen
cd5f5c079c Merge branch 'main' into dev
Former-commit-id: 9bc0204f57
2026-05-07 17:24:34 -07:00
Daniel Snider
1f2d40c793 fix(ping): decouple data-plane recovery trigger from backoff ramp
The trigger condition that decides whether to fire the data-plane
recovery flow in startPingCheck was AND-ed with `currentInterval <
maxInterval`. That clause was meant to throttle the *backoff ramp*
(don't widen the interval past 6s), but it also gated the recovery
trigger itself — a conflation that became invisibly load-bearing
once commit 8161fa6 (March 2026) bumped the default pingInterval
from 3s to 15s while leaving maxInterval at 6s. Under the new
defaults `currentInterval` starts at 15s and `15 < 6` is permanently
false, so the recovery branch never executed. Pings just kept
failing and the failure counter climbed forever, with no
"Connection to server lost" log line and no newt/ping/request
emitted on the websocket. Real-world recovery only happened when
the underlying network came back fast enough that a periodic ping
naturally succeeded again — which doesn't happen if the WireGuard
state on either end has rotated, so users were left stuck until
they restarted newt.

This is the proximate cause of the user reports in
fosrl/newt#284 (and dups #310, fosrl/pangolin#1004). Logs in
those issues all show ping-failure counters growing without ever
emitting "Connection to server lost", which is exactly the
fingerprint of this gate being false.

The fix is to extract the trigger decision into shouldFireRecovery
and remove currentInterval from it. Backoff is now computed in a
separate `if` in the caller, still gated by `currentInterval <
maxInterval` so the ramp is a no-op under default settings (which
is the existing behaviour, just no longer entangled with the
recovery trigger). Fixing the backoff ramp itself — making it
useful when pingInterval >= maxInterval — is a follow-up: the
priority is restoring recovery, not improving the dampening
schedule.

The new shouldFireRecovery helper is unit-tested. Its signature
intentionally omits currentInterval, so a future refactor that
re-introduces the interval-dependent gate would need to change
the function signature, which makes the historical bug harder
to reintroduce silently.


Former-commit-id: 1e77b09e3b
2026-05-07 16:57:31 -07:00
Owen
5e7cd9c0b9 Bump version
Former-commit-id: 74fd3f3aa3
2026-05-07 16:24:30 -07:00
Owen
a84bae3bc1 Attempt to fix nix issue
Former-commit-id: e8dc19a62b
2026-05-07 16:23:59 -07:00
Owen
34c5260e49 Fix not logging when rewriting nat
Former-commit-id: 9ff32b8a8b
2026-05-07 16:16:47 -07:00
dependabot[bot]
d16b856719 chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.35.0 to 0.36.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](57a97c7e78...ed142fd067)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: 9edaac9c11
2026-05-05 18:11:26 -07:00