Commit Graph

862 Commits

Author SHA1 Message Date
Marc Schäfer
fde46cb587 fix(nix): update Go module vendor hash
Former-commit-id: ac9852a3cb
2026-06-04 14:28:28 +02:00
Marc Schäfer
a8d91756ca fix(deps): update golang.org/x modules for security fixes
Update golang.org/x/crypto, golang.org/x/net and golang.org/x/sys
to versions containing security fixes reported by Docker Scout.


Former-commit-id: f91deeede7
2026-06-04 12:53:53 +02:00
Owen Schwartz
2cd9ffc582 Merge pull request #362 from fosrl/ci/use-go-version-file
Use Go version specified in go.mod for CI tests

Former-commit-id: c168ddac90
2026-05-20 20:07:16 -07:00
Marc Schäfer
8d30a584b5 ci(test): use Go version from go.mod
Former-commit-id: 88d946c9b4
2026-05-21 02:42:59 +02:00
Owen Schwartz
936642cef9 Merge pull request #358 from cwiggs/feat/ci-go-test
feat(ci): run a go test before we build

Former-commit-id: c9be684b91
2026-05-20 14:51:17 -07:00
Owen Schwartz
9d060c2ac5 Merge pull request #361 from fosrl/dev
Housekeeping

Former-commit-id: 8f321365d5
2026-05-20 14:48:53 -07:00
Owen Schwartz
fba7943cd3 Merge pull request #349 from fosrl/issue-348
Refactor Docker client imports and container handling logic

Former-commit-id: 21e2a7b91f
2026-05-16 21:11:12 -07:00
Owen Schwartz
0d528abab8 Merge pull request #360 from fosrl/github-action-cosign
Upgrade cosign installer to v4.1.2 and pin cosign version

Former-commit-id: 2562bda187
2026-05-16 14:55:22 -07:00
Marc Schäfer
16cb83fd28 fix(security): update cosign to v3.0.6 and installer to 4.1.2
Former-commit-id: 8736f89291
2026-05-16 16:31:27 +02:00
Chris Wiggins
d5c3dedca6 feat(ci): run a go test before we build
Former-commit-id: 54a13b268e
2026-05-15 11:48:50 -06:00
Owen Schwartz
1de3076808 Merge pull request #353 from rinseaid/fix/x-forwarded-proto-tls
Fix X-Forwarded-Proto always set to "http" for TLS connections

Former-commit-id: 37aff0daa5
2026-05-13 20:54:06 -07:00
Owen Schwartz
b0f8589443 Delete .github/workflows/build-patched.yml
Former-commit-id: 55ca18a1db
2026-05-13 20:53:27 -07:00
rinseaid
a855047139 Add workflow to build patched image to ghcr.io/rinseaid/newt:patched
Former-commit-id: b6e2d61a18
2026-05-13 22:40:22 -04:00
rinseaid
79e21b7917 Fix X-Forwarded-Proto always set to "http" for TLS connections
httpConnCtx wraps *tls.Conn behind net.Conn, so Go's http.Server
cannot detect TLS via type assertion and r.TLS is always nil.
SetXForwarded() then always writes X-Forwarded-Proto: http.

Override using the isTLS context flag already set by ConnContext.


Former-commit-id: 817824bd6f
2026-05-13 22:38:35 -04:00
Owen
c9ac8fc28f Remove test
Former-commit-id: efa1ecf61e
2026-05-11 18:04:51 -07:00
Owen
74acbad133 Update log message
Former-commit-id: d28c2aaa87
2026-05-11 10:34:30 -07:00
Marc Schäfer
8246eb1e36 refactor: update Docker client imports and adjust container handling logic
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>

Former-commit-id: 0e2d7057b6
2026-05-10 10:50:38 +02:00
Marc Schäfer
9342546075 Merge pull request #312 from fosrl/dependabot/github_actions/softprops/action-gh-release-3.0.0
chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0

Former-commit-id: ae48df97c8
2026-05-09 15:57:52 +02:00
Marc Schäfer
0d26fb6de4 Merge pull request #313 from fosrl/dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.0
chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0

Former-commit-id: df125affe4
2026-05-09 15:57:40 +02:00
Marc Schäfer
9de90429d3 Merge pull request #314 from fosrl/dependabot/github_actions/docker/build-push-action-7.1.0
chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0

Former-commit-id: 848a23a535
2026-05-09 15:57:29 +02:00
Marc Schäfer
e167c35293 Merge pull request #315 from fosrl/dependabot/github_actions/actions/setup-go-6.4.0
chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0

Former-commit-id: 1a1d58c4dc
2026-05-09 15:57:15 +02:00
Owen Schwartz
81a4f3fd27 Merge pull request #346 from fosrl/dev
Fix redirect

Former-commit-id: 0da8a29a61
1.12.5
2026-05-08 11:06:31 -07:00
Owen
5541f92d07 Bump version
Former-commit-id: a1218ab67a
2026-05-08 11:05:24 -07:00
Owen
74b4b7d76d Merge branch 'main' into dev
Former-commit-id: bb84762b16
2026-05-08 11:05:07 -07:00
Owen
328b1aced3 Fix the redirect
Former-commit-id: 86155072de
2026-05-08 11:03:00 -07:00
Owen Schwartz
655cfa45fb Merge pull request #345 from LaurenceJJones/investigate/https-permanent-redirect-loop
fix(http): populate Request.TLS for private HTTPS via httpConnCtx

Former-commit-id: 4a9a4c4eec
2026-05-08 09:48:22 -07:00
Owen Schwartz
b3e4964e52 Merge pull request #344 from LaurenceJJones/investigate/private-http-redirect-500
fix(http): Set host header based on in

Former-commit-id: 21c744fe84
2026-05-08 09:47:09 -07:00
Laurence
f871b5e324 fix(http): populate Request.TLS for private HTTPS via httpConnCtx
net/http only sets Request.TLS for *tls.Conn or conns implementing ConnectionState(). Our listener wrapped tls.Server in httpConnCtx with an embedded net.Conn, so TLS was never surfaced and r.TLS stayed nil. That triggered the HTTP→HTTPS permanent redirect on every request for HTTPS rules.

Add ConnectionState() on httpConnCtx delegating to the underlying TLS conn.
Add tests for TLS forwarding and plain TCP.


Former-commit-id: 146e7835eb
2026-05-08 15:17:31 +01:00
Laurence
85d51a300e fix(http): Set host header based on in
fix https://github.com/fosrl/pangolin/issues/2952 issue by setting the incoming host header to the outgoing one by the reverse proxy, this was the default behaviour when using single proxy but now since we use more features it now rewrites the host header


Former-commit-id: 6aa94c0c2a
2026-05-08 13:45:50 +01:00
Owen Schwartz
cd9fb3d013 Merge pull request #342 from fosrl/dev
1.12.4

Former-commit-id: 542c70b326
1.12.4
2026-05-07 17:41:03 -07:00
Owen
6b42cac02d Retry interval while we are disconnected
Former-commit-id: 663e98af60
2026-05-07 17:27:01 -07:00
Owen
d5f48f782f Increase max attempts
Former-commit-id: 901ec71baf
2026-05-07 17:25:13 -07:00
Owen
cd5f5c079c Merge branch 'main' into dev
Former-commit-id: 9bc0204f57
2026-05-07 17:24:34 -07:00
Daniel Snider
1f2d40c793 fix(ping): decouple data-plane recovery trigger from backoff ramp
The trigger condition that decides whether to fire the data-plane
recovery flow in startPingCheck was AND-ed with `currentInterval <
maxInterval`. That clause was meant to throttle the *backoff ramp*
(don't widen the interval past 6s), but it also gated the recovery
trigger itself — a conflation that became invisibly load-bearing
once commit 8161fa6 (March 2026) bumped the default pingInterval
from 3s to 15s while leaving maxInterval at 6s. Under the new
defaults `currentInterval` starts at 15s and `15 < 6` is permanently
false, so the recovery branch never executed. Pings just kept
failing and the failure counter climbed forever, with no
"Connection to server lost" log line and no newt/ping/request
emitted on the websocket. Real-world recovery only happened when
the underlying network came back fast enough that a periodic ping
naturally succeeded again — which doesn't happen if the WireGuard
state on either end has rotated, so users were left stuck until
they restarted newt.

This is the proximate cause of the user reports in
fosrl/newt#284 (and dups #310, fosrl/pangolin#1004). Logs in
those issues all show ping-failure counters growing without ever
emitting "Connection to server lost", which is exactly the
fingerprint of this gate being false.

The fix is to extract the trigger decision into shouldFireRecovery
and remove currentInterval from it. Backoff is now computed in a
separate `if` in the caller, still gated by `currentInterval <
maxInterval` so the ramp is a no-op under default settings (which
is the existing behaviour, just no longer entangled with the
recovery trigger). Fixing the backoff ramp itself — making it
useful when pingInterval >= maxInterval — is a follow-up: the
priority is restoring recovery, not improving the dampening
schedule.

The new shouldFireRecovery helper is unit-tested. Its signature
intentionally omits currentInterval, so a future refactor that
re-introduces the interval-dependent gate would need to change
the function signature, which makes the historical bug harder
to reintroduce silently.


Former-commit-id: 1e77b09e3b
2026-05-07 16:57:31 -07:00
Owen
5e7cd9c0b9 Bump version
Former-commit-id: 74fd3f3aa3
2026-05-07 16:24:30 -07:00
Owen
a84bae3bc1 Attempt to fix nix issue
Former-commit-id: e8dc19a62b
2026-05-07 16:23:59 -07:00
Owen
34c5260e49 Fix not logging when rewriting nat
Former-commit-id: 9ff32b8a8b
2026-05-07 16:16:47 -07:00
dependabot[bot]
d16b856719 chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.35.0 to 0.36.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](57a97c7e78...ed142fd067)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: 9edaac9c11
2026-05-05 18:11:26 -07:00
dependabot[bot]
f1bb6c663d chore(nix): fix hash for updated go dependencies
Former-commit-id: ced87b1d5e
2026-05-05 18:11:21 -07:00
dependabot[bot]
b09f67c377 chore(deps): bump the prod-minor-updates group across 1 directory with 4 updates
Bumps the prod-minor-updates group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [google.golang.org/grpc](https://github.com/grpc/grpc-go).


Updates `golang.org/x/crypto` from 0.49.0 to 0.50.0
- [Commits](https://github.com/golang/crypto/compare/v0.49.0...v0.50.0)

Updates `golang.org/x/net` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/net/compare/v0.52.0...v0.53.0)

Updates `golang.org/x/sys` from 0.42.0 to 0.43.0
- [Commits](https://github.com/golang/sys/compare/v0.42.0...v0.43.0)

Updates `google.golang.org/grpc` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.80.0...v1.81.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
- dependency-name: golang.org/x/net
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
- dependency-name: golang.org/x/sys
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Former-commit-id: 3aaebe64fb
2026-05-05 18:11:21 -07:00
Owen
46d4d6539a Try to fix failover not working
Former-commit-id: 27f7ca6bb9
2026-05-05 11:40:39 -07:00
Owen
367e4b03fe Update status code
Former-commit-id: 5090907307
2026-04-30 15:55:52 -07:00
Owen
07613ebe05 Fix incorrect redirect logic
Former-commit-id: a6533b3fa0
2026-04-29 21:11:07 -07:00
Owen Schwartz
81b6daceba Merge pull request #336 from fosrl/dev
1.12.3

Former-commit-id: 57aa2e2e2c
1.12.3
2026-04-29 16:02:49 -07:00
Owen Schwartz
72a209c7ae Merge pull request #334 from LaurenceJJones/private-http-websocket
enhance(http): Support websocket upgrades

Former-commit-id: 5724c516dc
2026-04-29 15:58:30 -07:00
Owen
72c58c721b Add some test scripts for ws and move to testing/
Former-commit-id: b33c3b8849
2026-04-29 15:57:31 -07:00
Laurence
dd735555c4 Support websocket upgrades in private HTTP proxy
Preserve optional ResponseWriter interfaces through statusCapture so httputil.ReverseProxy can hijack upgraded websocket connections. Add a regression test covering websocket traffic through the HTTP handler path.


Former-commit-id: 8e19e475bf
2026-04-29 07:12:35 +01:00
Owen Schwartz
51d7558ec5 Merge pull request #333 from fosrl/dev
Dont block tcp for http unless there are targets

Former-commit-id: 9e92c42876
1.12.2 v1.12.2
2026-04-28 14:51:01 -07:00
Owen
ad8013ff77 Dont block tcp for http unless there are targets
Former-commit-id: 66c72bbe2e
2026-04-28 14:29:55 -07:00
Owen Schwartz
7315f381d7 Merge pull request #331 from fosrl/dev
Follow redirects by default for backward compat

Former-commit-id: ffd26f9a6d
1.12.1 v1.12.1
2026-04-28 10:13:49 -07:00