Owen Schwartz
62dc2d3e96
Merge pull request #365 from fosrl/dependabot/github_actions/actions/stale-10.3.0
...
chore(deps): bump actions/stale from 10.2.0 to 10.3.0
Former-commit-id: 7127740219
2026-06-04 10:58:00 -07:00
Owen Schwartz
7d84393dd0
Merge pull request #370 from immanuwell/fix/docker-fetch-duplicate-log-and-reliable-ping-dead-code
...
fix: remove duplicate wrong error log in socket/fetch and dead code in reliablePing
Former-commit-id: 4c56a2d02c
2026-06-04 10:57:04 -07:00
Owen Schwartz
02fc8b0684
Merge pull request #351 from fosrl/dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.1
...
chore(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1
Former-commit-id: 4b81b34eae
2026-06-04 10:53:51 -07:00
dependabot[bot]
9f014b19f8
chore(deps): bump actions/stale from 10.2.0 to 10.3.0
...
Bumps [actions/stale](https://github.com/actions/stale ) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases )
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md )
- [Commits](b5d41d4e1d...eb5cf3af3a )
---
updated-dependencies:
- dependency-name: actions/stale
dependency-version: 10.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: eca54190b0
2026-06-04 17:53:38 +00:00
Owen Schwartz
1f80280384
Merge pull request #350 from fosrl/dependabot/github_actions/sigstore/cosign-installer-4.1.2
...
chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2
Former-commit-id: f922155843
2026-06-04 10:51:36 -07:00
Owen Schwartz
66714adb0a
Merge pull request #356 from fosrl/dependabot/go_modules/prod-patch-updates-d9ad24fc58
...
chore(deps): bump the prod-patch-updates group across 1 directory with 2 updates
Former-commit-id: 1f16708a05
2026-06-04 10:51:28 -07:00
dependabot[bot]
a868719459
chore(nix): fix hash for updated go dependencies
...
Former-commit-id: 88c1c2e0b5
2026-06-04 17:22:48 +00:00
dependabot[bot]
b2c73a40df
chore(deps): bump the prod-patch-updates group across 1 directory with 2 updates
...
Bumps the prod-patch-updates group with 2 updates in the / directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go ) and software.sslmate.com/src/go-pkcs12.
Updates `google.golang.org/grpc` from 1.81.0 to 1.81.1
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1 )
Updates `software.sslmate.com/src/go-pkcs12` from 0.7.0 to 0.7.1
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.81.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: prod-patch-updates
- dependency-name: software.sslmate.com/src/go-pkcs12
dependency-version: 0.7.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: prod-patch-updates
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 69ed08222f
2026-06-04 17:21:44 +00:00
Owen Schwartz
a82942381b
Merge pull request #371 from fosrl/fix/go-deps-security-updates
...
Update golang.org/x modules for security fixes
Former-commit-id: 0169123d55
2026-06-04 10:19:31 -07:00
Marc Schäfer
fde46cb587
fix(nix): update Go module vendor hash
...
Former-commit-id: ac9852a3cb
2026-06-04 14:28:28 +02:00
Marc Schäfer
a8d91756ca
fix(deps): update golang.org/x modules for security fixes
...
Update golang.org/x/crypto, golang.org/x/net and golang.org/x/sys
to versions containing security fixes reported by Docker Scout.
Former-commit-id: f91deeede7
2026-06-04 12:53:53 +02:00
immanuwell
763ef3726e
fix: remove duplicate wrong error log in socket/fetch handler and dead code in reliablePing
...
Former-commit-id: d57b7ccb53
2026-05-30 21:55:46 +04:00
Owen Schwartz
2cd9ffc582
Merge pull request #362 from fosrl/ci/use-go-version-file
...
Use Go version specified in go.mod for CI tests
Former-commit-id: c168ddac90
2026-05-20 20:07:16 -07:00
Marc Schäfer
8d30a584b5
ci(test): use Go version from go.mod
...
Former-commit-id: 88d946c9b4
2026-05-21 02:42:59 +02:00
Owen Schwartz
936642cef9
Merge pull request #358 from cwiggs/feat/ci-go-test
...
feat(ci): run a go test before we build
Former-commit-id: c9be684b91
2026-05-20 14:51:17 -07:00
Owen Schwartz
9d060c2ac5
Merge pull request #361 from fosrl/dev
...
Housekeeping
Former-commit-id: 8f321365d5
2026-05-20 14:48:53 -07:00
Owen Schwartz
fba7943cd3
Merge pull request #349 from fosrl/issue-348
...
Refactor Docker client imports and container handling logic
Former-commit-id: 21e2a7b91f
2026-05-16 21:11:12 -07:00
dependabot[bot]
f41e15fcb3
chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.1.1...6f9f17788090df1f26f669e9d70d6ae9567deba6 )
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-version: 4.1.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 24f5d55cce
2026-05-16 21:57:19 +00:00
Owen Schwartz
0d528abab8
Merge pull request #360 from fosrl/github-action-cosign
...
Upgrade cosign installer to v4.1.2 and pin cosign version
Former-commit-id: 2562bda187
2026-05-16 14:55:22 -07:00
Marc Schäfer
16cb83fd28
fix(security): update cosign to v3.0.6 and installer to 4.1.2
...
Former-commit-id: 8736f89291
2026-05-16 16:31:27 +02:00
Chris Wiggins
d5c3dedca6
feat(ci): run a go test before we build
...
Former-commit-id: 54a13b268e
2026-05-15 11:48:50 -06:00
Owen Schwartz
1de3076808
Merge pull request #353 from rinseaid/fix/x-forwarded-proto-tls
...
Fix X-Forwarded-Proto always set to "http" for TLS connections
Former-commit-id: 37aff0daa5
2026-05-13 20:54:06 -07:00
Owen Schwartz
b0f8589443
Delete .github/workflows/build-patched.yml
...
Former-commit-id: 55ca18a1db
2026-05-13 20:53:27 -07:00
rinseaid
a855047139
Add workflow to build patched image to ghcr.io/rinseaid/newt:patched
...
Former-commit-id: b6e2d61a18
2026-05-13 22:40:22 -04:00
rinseaid
79e21b7917
Fix X-Forwarded-Proto always set to "http" for TLS connections
...
httpConnCtx wraps *tls.Conn behind net.Conn, so Go's http.Server
cannot detect TLS via type assertion and r.TLS is always nil.
SetXForwarded() then always writes X-Forwarded-Proto: http.
Override using the isTLS context flag already set by ConnContext.
Former-commit-id: 817824bd6f
2026-05-13 22:38:35 -04:00
Owen
c9ac8fc28f
Remove test
...
Former-commit-id: efa1ecf61e
2026-05-11 18:04:51 -07:00
Owen
74acbad133
Update log message
...
Former-commit-id: d28c2aaa87
2026-05-11 10:34:30 -07:00
dependabot[bot]
7ff795b6bb
chore(deps): bump aws-actions/configure-aws-credentials
...
Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials ) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases )
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md )
- [Commits](ec61189d14...d979d5b3a7 )
---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
dependency-version: 6.1.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 820978ae6f
2026-05-11 14:36:15 +00:00
Marc Schäfer
8246eb1e36
refactor: update Docker client imports and adjust container handling logic
...
Signed-off-by: Marc Schäfer <git@marcschaeferger.de >
Former-commit-id: 0e2d7057b6
2026-05-10 10:50:38 +02:00
Marc Schäfer
9342546075
Merge pull request #312 from fosrl/dependabot/github_actions/softprops/action-gh-release-3.0.0
...
chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0
Former-commit-id: ae48df97c8
2026-05-09 15:57:52 +02:00
Marc Schäfer
0d26fb6de4
Merge pull request #313 from fosrl/dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.0
...
chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0
Former-commit-id: df125affe4
2026-05-09 15:57:40 +02:00
Marc Schäfer
9de90429d3
Merge pull request #314 from fosrl/dependabot/github_actions/docker/build-push-action-7.1.0
...
chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0
Former-commit-id: 848a23a535
2026-05-09 15:57:29 +02:00
Marc Schäfer
e167c35293
Merge pull request #315 from fosrl/dependabot/github_actions/actions/setup-go-6.4.0
...
chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0
Former-commit-id: 1a1d58c4dc
2026-05-09 15:57:15 +02:00
Owen Schwartz
81a4f3fd27
Merge pull request #346 from fosrl/dev
...
Fix redirect
Former-commit-id: 0da8a29a61
1.12.5
2026-05-08 11:06:31 -07:00
Owen
5541f92d07
Bump version
...
Former-commit-id: a1218ab67a
2026-05-08 11:05:24 -07:00
Owen
74b4b7d76d
Merge branch 'main' into dev
...
Former-commit-id: bb84762b16
2026-05-08 11:05:07 -07:00
Owen
328b1aced3
Fix the redirect
...
Former-commit-id: 86155072de
2026-05-08 11:03:00 -07:00
Owen Schwartz
655cfa45fb
Merge pull request #345 from LaurenceJJones/investigate/https-permanent-redirect-loop
...
fix(http): populate Request.TLS for private HTTPS via httpConnCtx
Former-commit-id: 4a9a4c4eec
2026-05-08 09:48:22 -07:00
Owen Schwartz
b3e4964e52
Merge pull request #344 from LaurenceJJones/investigate/private-http-redirect-500
...
fix(http): Set host header based on in
Former-commit-id: 21c744fe84
2026-05-08 09:47:09 -07:00
Laurence
f871b5e324
fix(http): populate Request.TLS for private HTTPS via httpConnCtx
...
net/http only sets Request.TLS for *tls.Conn or conns implementing ConnectionState(). Our listener wrapped tls.Server in httpConnCtx with an embedded net.Conn, so TLS was never surfaced and r.TLS stayed nil. That triggered the HTTP→HTTPS permanent redirect on every request for HTTPS rules.
Add ConnectionState() on httpConnCtx delegating to the underlying TLS conn.
Add tests for TLS forwarding and plain TCP.
Former-commit-id: 146e7835eb
2026-05-08 15:17:31 +01:00
Laurence
85d51a300e
fix(http): Set host header based on in
...
fix https://github.com/fosrl/pangolin/issues/2952 issue by setting the incoming host header to the outgoing one by the reverse proxy, this was the default behaviour when using single proxy but now since we use more features it now rewrites the host header
Former-commit-id: 6aa94c0c2a
2026-05-08 13:45:50 +01:00
Owen Schwartz
cd9fb3d013
Merge pull request #342 from fosrl/dev
...
1.12.4
Former-commit-id: 542c70b326
1.12.4
2026-05-07 17:41:03 -07:00
Owen
6b42cac02d
Retry interval while we are disconnected
...
Former-commit-id: 663e98af60
2026-05-07 17:27:01 -07:00
Owen
d5f48f782f
Increase max attempts
...
Former-commit-id: 901ec71baf
2026-05-07 17:25:13 -07:00
Owen
cd5f5c079c
Merge branch 'main' into dev
...
Former-commit-id: 9bc0204f57
2026-05-07 17:24:34 -07:00
Daniel Snider
1f2d40c793
fix(ping): decouple data-plane recovery trigger from backoff ramp
...
The trigger condition that decides whether to fire the data-plane
recovery flow in startPingCheck was AND-ed with `currentInterval <
maxInterval`. That clause was meant to throttle the *backoff ramp*
(don't widen the interval past 6s), but it also gated the recovery
trigger itself — a conflation that became invisibly load-bearing
once commit 8161fa6 (March 2026) bumped the default pingInterval
from 3s to 15s while leaving maxInterval at 6s. Under the new
defaults `currentInterval` starts at 15s and `15 < 6` is permanently
false, so the recovery branch never executed. Pings just kept
failing and the failure counter climbed forever, with no
"Connection to server lost" log line and no newt/ping/request
emitted on the websocket. Real-world recovery only happened when
the underlying network came back fast enough that a periodic ping
naturally succeeded again — which doesn't happen if the WireGuard
state on either end has rotated, so users were left stuck until
they restarted newt.
This is the proximate cause of the user reports in
fosrl/newt#284 (and dups #310 , fosrl/pangolin#1004 ). Logs in
those issues all show ping-failure counters growing without ever
emitting "Connection to server lost", which is exactly the
fingerprint of this gate being false.
The fix is to extract the trigger decision into shouldFireRecovery
and remove currentInterval from it. Backoff is now computed in a
separate `if` in the caller, still gated by `currentInterval <
maxInterval` so the ramp is a no-op under default settings (which
is the existing behaviour, just no longer entangled with the
recovery trigger). Fixing the backoff ramp itself — making it
useful when pingInterval >= maxInterval — is a follow-up: the
priority is restoring recovery, not improving the dampening
schedule.
The new shouldFireRecovery helper is unit-tested. Its signature
intentionally omits currentInterval, so a future refactor that
re-introduces the interval-dependent gate would need to change
the function signature, which makes the historical bug harder
to reintroduce silently.
Former-commit-id: 1e77b09e3b
2026-05-07 16:57:31 -07:00
Owen
5e7cd9c0b9
Bump version
...
Former-commit-id: 74fd3f3aa3
2026-05-07 16:24:30 -07:00
Owen
a84bae3bc1
Attempt to fix nix issue
...
Former-commit-id: e8dc19a62b
2026-05-07 16:23:59 -07:00
Owen
34c5260e49
Fix not logging when rewriting nat
...
Former-commit-id: 9ff32b8a8b
2026-05-07 16:16:47 -07:00
dependabot[bot]
d16b856719
chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.35.0 to 0.36.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](57a97c7e78...ed142fd067 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 9edaac9c11
2026-05-05 18:11:26 -07:00