dependabot[bot]
b2c73a40df
chore(deps): bump the prod-patch-updates group across 1 directory with 2 updates
...
Bumps the prod-patch-updates group with 2 updates in the / directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go ) and software.sslmate.com/src/go-pkcs12.
Updates `google.golang.org/grpc` from 1.81.0 to 1.81.1
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1 )
Updates `software.sslmate.com/src/go-pkcs12` from 0.7.0 to 0.7.1
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.81.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: prod-patch-updates
- dependency-name: software.sslmate.com/src/go-pkcs12
dependency-version: 0.7.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: prod-patch-updates
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 69ed08222f
2026-06-04 17:21:44 +00:00
Owen Schwartz
a82942381b
Merge pull request #371 from fosrl/fix/go-deps-security-updates
...
Update golang.org/x modules for security fixes
Former-commit-id: 0169123d55
2026-06-04 10:19:31 -07:00
Marc Schäfer
fde46cb587
fix(nix): update Go module vendor hash
...
Former-commit-id: ac9852a3cb
2026-06-04 14:28:28 +02:00
Marc Schäfer
a8d91756ca
fix(deps): update golang.org/x modules for security fixes
...
Update golang.org/x/crypto, golang.org/x/net and golang.org/x/sys
to versions containing security fixes reported by Docker Scout.
Former-commit-id: f91deeede7
2026-06-04 12:53:53 +02:00
Owen Schwartz
2cd9ffc582
Merge pull request #362 from fosrl/ci/use-go-version-file
...
Use Go version specified in go.mod for CI tests
Former-commit-id: c168ddac90
2026-05-20 20:07:16 -07:00
Marc Schäfer
8d30a584b5
ci(test): use Go version from go.mod
...
Former-commit-id: 88d946c9b4
2026-05-21 02:42:59 +02:00
Owen Schwartz
936642cef9
Merge pull request #358 from cwiggs/feat/ci-go-test
...
feat(ci): run a go test before we build
Former-commit-id: c9be684b91
2026-05-20 14:51:17 -07:00
Owen Schwartz
9d060c2ac5
Merge pull request #361 from fosrl/dev
...
Housekeeping
Former-commit-id: 8f321365d5
2026-05-20 14:48:53 -07:00
Owen Schwartz
fba7943cd3
Merge pull request #349 from fosrl/issue-348
...
Refactor Docker client imports and container handling logic
Former-commit-id: 21e2a7b91f
2026-05-16 21:11:12 -07:00
Owen Schwartz
0d528abab8
Merge pull request #360 from fosrl/github-action-cosign
...
Upgrade cosign installer to v4.1.2 and pin cosign version
Former-commit-id: 2562bda187
2026-05-16 14:55:22 -07:00
Marc Schäfer
16cb83fd28
fix(security): update cosign to v3.0.6 and installer to 4.1.2
...
Former-commit-id: 8736f89291
2026-05-16 16:31:27 +02:00
Chris Wiggins
d5c3dedca6
feat(ci): run a go test before we build
...
Former-commit-id: 54a13b268e
2026-05-15 11:48:50 -06:00
Owen Schwartz
1de3076808
Merge pull request #353 from rinseaid/fix/x-forwarded-proto-tls
...
Fix X-Forwarded-Proto always set to "http" for TLS connections
Former-commit-id: 37aff0daa5
2026-05-13 20:54:06 -07:00
Owen Schwartz
b0f8589443
Delete .github/workflows/build-patched.yml
...
Former-commit-id: 55ca18a1db
2026-05-13 20:53:27 -07:00
rinseaid
a855047139
Add workflow to build patched image to ghcr.io/rinseaid/newt:patched
...
Former-commit-id: b6e2d61a18
2026-05-13 22:40:22 -04:00
rinseaid
79e21b7917
Fix X-Forwarded-Proto always set to "http" for TLS connections
...
httpConnCtx wraps *tls.Conn behind net.Conn, so Go's http.Server
cannot detect TLS via type assertion and r.TLS is always nil.
SetXForwarded() then always writes X-Forwarded-Proto: http.
Override using the isTLS context flag already set by ConnContext.
Former-commit-id: 817824bd6f
2026-05-13 22:38:35 -04:00
Owen
c9ac8fc28f
Remove test
...
Former-commit-id: efa1ecf61e
2026-05-11 18:04:51 -07:00
Owen
74acbad133
Update log message
...
Former-commit-id: d28c2aaa87
2026-05-11 10:34:30 -07:00
Marc Schäfer
8246eb1e36
refactor: update Docker client imports and adjust container handling logic
...
Signed-off-by: Marc Schäfer <git@marcschaeferger.de >
Former-commit-id: 0e2d7057b6
2026-05-10 10:50:38 +02:00
Marc Schäfer
9342546075
Merge pull request #312 from fosrl/dependabot/github_actions/softprops/action-gh-release-3.0.0
...
chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0
Former-commit-id: ae48df97c8
2026-05-09 15:57:52 +02:00
Marc Schäfer
0d26fb6de4
Merge pull request #313 from fosrl/dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.0
...
chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0
Former-commit-id: df125affe4
2026-05-09 15:57:40 +02:00
Marc Schäfer
9de90429d3
Merge pull request #314 from fosrl/dependabot/github_actions/docker/build-push-action-7.1.0
...
chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0
Former-commit-id: 848a23a535
2026-05-09 15:57:29 +02:00
Marc Schäfer
e167c35293
Merge pull request #315 from fosrl/dependabot/github_actions/actions/setup-go-6.4.0
...
chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0
Former-commit-id: 1a1d58c4dc
2026-05-09 15:57:15 +02:00
Owen Schwartz
81a4f3fd27
Merge pull request #346 from fosrl/dev
...
Fix redirect
Former-commit-id: 0da8a29a61
1.12.5
2026-05-08 11:06:31 -07:00
Owen
5541f92d07
Bump version
...
Former-commit-id: a1218ab67a
2026-05-08 11:05:24 -07:00
Owen
74b4b7d76d
Merge branch 'main' into dev
...
Former-commit-id: bb84762b16
2026-05-08 11:05:07 -07:00
Owen
328b1aced3
Fix the redirect
...
Former-commit-id: 86155072de
2026-05-08 11:03:00 -07:00
Owen Schwartz
655cfa45fb
Merge pull request #345 from LaurenceJJones/investigate/https-permanent-redirect-loop
...
fix(http): populate Request.TLS for private HTTPS via httpConnCtx
Former-commit-id: 4a9a4c4eec
2026-05-08 09:48:22 -07:00
Owen Schwartz
b3e4964e52
Merge pull request #344 from LaurenceJJones/investigate/private-http-redirect-500
...
fix(http): Set host header based on in
Former-commit-id: 21c744fe84
2026-05-08 09:47:09 -07:00
Laurence
f871b5e324
fix(http): populate Request.TLS for private HTTPS via httpConnCtx
...
net/http only sets Request.TLS for *tls.Conn or conns implementing ConnectionState(). Our listener wrapped tls.Server in httpConnCtx with an embedded net.Conn, so TLS was never surfaced and r.TLS stayed nil. That triggered the HTTP→HTTPS permanent redirect on every request for HTTPS rules.
Add ConnectionState() on httpConnCtx delegating to the underlying TLS conn.
Add tests for TLS forwarding and plain TCP.
Former-commit-id: 146e7835eb
2026-05-08 15:17:31 +01:00
Laurence
85d51a300e
fix(http): Set host header based on in
...
fix https://github.com/fosrl/pangolin/issues/2952 issue by setting the incoming host header to the outgoing one by the reverse proxy, this was the default behaviour when using single proxy but now since we use more features it now rewrites the host header
Former-commit-id: 6aa94c0c2a
2026-05-08 13:45:50 +01:00
Owen Schwartz
cd9fb3d013
Merge pull request #342 from fosrl/dev
...
1.12.4
Former-commit-id: 542c70b326
1.12.4
2026-05-07 17:41:03 -07:00
Owen
6b42cac02d
Retry interval while we are disconnected
...
Former-commit-id: 663e98af60
2026-05-07 17:27:01 -07:00
Owen
d5f48f782f
Increase max attempts
...
Former-commit-id: 901ec71baf
2026-05-07 17:25:13 -07:00
Owen
cd5f5c079c
Merge branch 'main' into dev
...
Former-commit-id: 9bc0204f57
2026-05-07 17:24:34 -07:00
Daniel Snider
1f2d40c793
fix(ping): decouple data-plane recovery trigger from backoff ramp
...
The trigger condition that decides whether to fire the data-plane
recovery flow in startPingCheck was AND-ed with `currentInterval <
maxInterval`. That clause was meant to throttle the *backoff ramp*
(don't widen the interval past 6s), but it also gated the recovery
trigger itself — a conflation that became invisibly load-bearing
once commit 8161fa6 (March 2026) bumped the default pingInterval
from 3s to 15s while leaving maxInterval at 6s. Under the new
defaults `currentInterval` starts at 15s and `15 < 6` is permanently
false, so the recovery branch never executed. Pings just kept
failing and the failure counter climbed forever, with no
"Connection to server lost" log line and no newt/ping/request
emitted on the websocket. Real-world recovery only happened when
the underlying network came back fast enough that a periodic ping
naturally succeeded again — which doesn't happen if the WireGuard
state on either end has rotated, so users were left stuck until
they restarted newt.
This is the proximate cause of the user reports in
fosrl/newt#284 (and dups #310 , fosrl/pangolin#1004 ). Logs in
those issues all show ping-failure counters growing without ever
emitting "Connection to server lost", which is exactly the
fingerprint of this gate being false.
The fix is to extract the trigger decision into shouldFireRecovery
and remove currentInterval from it. Backoff is now computed in a
separate `if` in the caller, still gated by `currentInterval <
maxInterval` so the ramp is a no-op under default settings (which
is the existing behaviour, just no longer entangled with the
recovery trigger). Fixing the backoff ramp itself — making it
useful when pingInterval >= maxInterval — is a follow-up: the
priority is restoring recovery, not improving the dampening
schedule.
The new shouldFireRecovery helper is unit-tested. Its signature
intentionally omits currentInterval, so a future refactor that
re-introduces the interval-dependent gate would need to change
the function signature, which makes the historical bug harder
to reintroduce silently.
Former-commit-id: 1e77b09e3b
2026-05-07 16:57:31 -07:00
Owen
5e7cd9c0b9
Bump version
...
Former-commit-id: 74fd3f3aa3
2026-05-07 16:24:30 -07:00
Owen
a84bae3bc1
Attempt to fix nix issue
...
Former-commit-id: e8dc19a62b
2026-05-07 16:23:59 -07:00
Owen
34c5260e49
Fix not logging when rewriting nat
...
Former-commit-id: 9ff32b8a8b
2026-05-07 16:16:47 -07:00
dependabot[bot]
d16b856719
chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.35.0 to 0.36.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](57a97c7e78...ed142fd067 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 9edaac9c11
2026-05-05 18:11:26 -07:00
dependabot[bot]
f1bb6c663d
chore(nix): fix hash for updated go dependencies
...
Former-commit-id: ced87b1d5e
2026-05-05 18:11:21 -07:00
dependabot[bot]
b09f67c377
chore(deps): bump the prod-minor-updates group across 1 directory with 4 updates
...
Bumps the prod-minor-updates group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto ), [golang.org/x/net](https://github.com/golang/net ) and [google.golang.org/grpc](https://github.com/grpc/grpc-go ).
Updates `golang.org/x/crypto` from 0.49.0 to 0.50.0
- [Commits](https://github.com/golang/crypto/compare/v0.49.0...v0.50.0 )
Updates `golang.org/x/net` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/net/compare/v0.52.0...v0.53.0 )
Updates `golang.org/x/sys` from 0.42.0 to 0.43.0
- [Commits](https://github.com/golang/sys/compare/v0.42.0...v0.43.0 )
Updates `google.golang.org/grpc` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.80.0...v1.81.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-version: 0.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: prod-minor-updates
- dependency-name: golang.org/x/net
dependency-version: 0.53.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: prod-minor-updates
- dependency-name: golang.org/x/sys
dependency-version: 0.43.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: prod-minor-updates
- dependency-name: google.golang.org/grpc
dependency-version: 1.81.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: prod-minor-updates
...
Signed-off-by: dependabot[bot] <support@github.com >
Former-commit-id: 3aaebe64fb
2026-05-05 18:11:21 -07:00
Owen
46d4d6539a
Try to fix failover not working
...
Former-commit-id: 27f7ca6bb9
2026-05-05 11:40:39 -07:00
Owen
367e4b03fe
Update status code
...
Former-commit-id: 5090907307
2026-04-30 15:55:52 -07:00
Owen
07613ebe05
Fix incorrect redirect logic
...
Former-commit-id: a6533b3fa0
2026-04-29 21:11:07 -07:00
Owen Schwartz
81b6daceba
Merge pull request #336 from fosrl/dev
...
1.12.3
Former-commit-id: 57aa2e2e2c
1.12.3
2026-04-29 16:02:49 -07:00
Owen Schwartz
72a209c7ae
Merge pull request #334 from LaurenceJJones/private-http-websocket
...
enhance(http): Support websocket upgrades
Former-commit-id: 5724c516dc
2026-04-29 15:58:30 -07:00
Owen
72c58c721b
Add some test scripts for ws and move to testing/
...
Former-commit-id: b33c3b8849
2026-04-29 15:57:31 -07:00
Laurence
dd735555c4
Support websocket upgrades in private HTTP proxy
...
Preserve optional ResponseWriter interfaces through statusCapture so httputil.ReverseProxy can hijack upgraded websocket connections. Add a regression test covering websocket traffic through the HTTP handler path.
Former-commit-id: 8e19e475bf
2026-04-29 07:12:35 +01:00
Owen Schwartz
51d7558ec5
Merge pull request #333 from fosrl/dev
...
Dont block tcp for http unless there are targets
Former-commit-id: 9e92c42876
1.12.2
v1.12.2
2026-04-28 14:51:01 -07:00