From a19f0acfb92da14351847210c928570619ac1845 Mon Sep 17 00:00:00 2001
From: Owen
Date: Fri, 10 Apr 2026 17:21:54 -0400
Subject: [PATCH] Working

---
 server/lib/ip.ts | 34 ++++++++++++++++---
 server/lib/rebuildClientAssociations.ts | 8 ++---
 server/routers/newt/buildConfiguration.ts | 2 +-
 .../siteResource/updateSiteResource.ts | 4 +--
 4 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 96ea04873..fce15692c 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -5,6 +5,7 @@ import config from "@server/lib/config";
 import z from "zod";
 import logger from "@server/logger";
 import semver from "semver";
+import { getValidCertificatesForDomains } from "#private/lib/certificates";
 
 interface IPRange {
 start: bigint;
@@ -594,14 +595,14 @@ export type HTTPTarget = {
 scheme: "http" | "https";
 };
 
-export function generateSubnetProxyTargetV2(
+export async function generateSubnetProxyTargetV2(
 siteResource: SiteResource,
 clients: {
 clientId: number;
 pubKey: string | null;
 subnet: string | null;
 }[]
-): SubnetProxyTargetV2 | undefined {
+): Promise {
 if (clients.length === 0) {
 logger.debug(
 `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
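Review bot: Making generateSubnetProxyTargetV2 async means any caller that still invokes it without `await` receives a pending Promise instead of a target, and because a Promise is truthy an `if (target)` guard downstream would pass and a meaningless object would be pushed to the site. This patch updates seven call sites; any caller outside the patch (create or delete site-resource handlers, for example) should be found with a grep for `generateSubnetProxyTargetV2(` not preceded by `await`. The return type also reads `Promise` with no type argument in this rendering; if that is literal in the file, restore `): Promise<SubnetProxyTargetV2 | undefined> {` so the compiler keeps checking the returned shape. The function body continues past the end of this hunk.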
@@ -672,6 +673,30 @@ export function generateSubnetProxyTargetV2(
 return;
 }
 // also push a match for the alias address
+ let tlsCert: string | undefined;
+ let tlsKey: string | undefined;
+
+ if (siteResource.ssl && siteResource.alias) {
+ try {
+ const certs = await getValidCertificatesForDomains(
+ new Set([siteResource.alias]),
+ true
+ );
+ if (certs.length > 0 && certs[0].certFile && certs[0].keyFile) {
+ tlsCert = certs[0].certFile;
+ tlsKey = certs[0].keyFile;
+ } else {
+ logger.warn(
+ `No valid certificate found for SSL site resource ${siteResource.siteResourceId} with domain ${siteResource.alias}`
+ );
+ }
+ } catch (err) {
+ logger.error(
+ `Failed to retrieve certificate for site resource ${siteResource.siteResourceId} domain ${siteResource.alias}: ${err}`
+ );
+ }
+ }
+
 target = {
 sourcePrefixes: [],
 destPrefix: `${siteResource.aliasAddress}/32`,
@@ -679,7 +704,7 @@ export function generateSubnetProxyTargetV2(
 portRange,
 disableIcmp,
 resourceId: siteResource.siteResourceId,
- protocol: siteResource.mode, // will be either http or https,
+ protocol: siteResource.ssl ? "https" : "http",
 httpTargets: [
 {
 destAddr: siteResource.destination,
@@ -687,8 +712,7 @@ export function generateSubnetProxyTargetV2(
 scheme: siteResource.scheme
 }
 ],
- // tlsCert: "",
- // tlsKey: ""
+ ...(tlsCert && tlsKey ? { tlsCert, tlsKey } : {})
 };
 }
 
diff --git a/server/lib/rebuildClientAssociations.ts b/server/lib/rebuildClientAssociations.ts
index 8459ce249..7c69ff71c 100644
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -661,7 +661,7 @@ async function handleSubnetProxyTargetUpdates(
 );
 
 if (addedClients.length > 0) {
- const targetToAdd = await generateSubnetProxyTargetV2(
+ const targetToAdd = await generateSubnetProxyTargetV2(
 siteResource,
 addedClients
 );
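Review bot: When `siteResource.ssl` is set but no usable certificate comes back (the `else` branch) or the lookup throws (the `catch`), the new code only logs and then still emits a target with `protocol: "https"` and no `tlsCert`/`tlsKey`, so the site is told to terminate TLS for the alias with nothing to terminate it with. Unless the receiving side has a documented fallback, fail closed instead: add `return;` after the `logger.warn(...)` call and after the `logger.error(...)` call, which yields `undefined` exactly like the existing no-client path earlier in the function. Two smaller points: `certs[0]` is used without checking which entry matches the alias or is the longest-lived when the helper returns several, and `tlsKey` now carries private-key material inside the target object, so confirm that object is serialized only to the newt over its authenticated channel and is never logged wholesale. The enclosing function starts before this hunk.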
@@ -698,7 +698,7 @@ async function handleSubnetProxyTargetUpdates(
 );
 
 if (removedClients.length > 0) {
- const targetToRemove = generateSubnetProxyTargetV2(
+ const targetToRemove = await generateSubnetProxyTargetV2(
 siteResource,
 removedClients
 );
@@ -1164,7 +1164,7 @@ async function handleMessagesForClientResources(
 }
 
 for (const resource of resources) {
- const target = generateSubnetProxyTargetV2(resource, [
+ const target = await generateSubnetProxyTargetV2(resource, [
 {
 clientId: client.clientId,
 pubKey: client.pubKey,
@@ -1241,7 +1241,7 @@ async function handleMessagesForClientResources(
 }
 
 for (const resource of resources) {
- const target = generateSubnetProxyTargetV2(resource, [
+ const target = await generateSubnetProxyTargetV2(resource, [
 {
 clientId: client.clientId,
 pubKey: client.pubKey,
diff --git a/server/routers/newt/buildConfiguration.ts b/server/routers/newt/buildConfiguration.ts
index 35d52816e..5e79804b7 100644
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -168,7 +168,7 @@ export async function buildClientConfigurationForNewtClient(
 )
 );
 
- const resourceTarget = generateSubnetProxyTargetV2(
+ const resourceTarget = await generateSubnetProxyTargetV2(
 resource,
 resourceClients
 );
diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index bb0239478..89949e9a8 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
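Review bot: `targetToRemove` only has to identify the target being withdrawn for `removedClients`, yet with the new async implementation this call now also performs the certificate lookup and, for SSL resources, copies the private key into an object that is about to be sent as a removal message. If the removal path keys on `resourceId`/`destPrefix` (the consumer is outside this diff, so confirm), build the removal target without TLS material, for instance by giving generateSubnetProxyTargetV2 an optional flag that skips the lookup. The same concern applies to `oldTarget` in updateSiteResource and to the two `for (const resource of resources)` loops below, which now issue one sequential certificate query per resource. handleSubnetProxyTargetUpdates starts and ends outside this hunk.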
@@ -634,11 +634,11 @@ export async function handleMessagingForUpdatedSiteResource(
 
 // Only update targets on newt if destination changed
 if (destinationChanged || portRangesChanged) {
- const oldTarget = generateSubnetProxyTargetV2(
+ const oldTarget = await generateSubnetProxyTargetV2(
 existingSiteResource,
 mergedAllClients
 );
- const newTarget = generateSubnetProxyTargetV2(
+ const newTarget = await generateSubnetProxyTargetV2(
 updatedSiteResource,
 mergedAllClients
 );
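Review bot: The guard `if (destinationChanged || portRangesChanged)` still decides whether the site receives a new target, but the target now also derives `protocol` from `siteResource.ssl` and carries `tlsCert`/`tlsKey`, so toggling `ssl` or changing `alias` alters the generated target without ever entering this branch. Extend the condition to `if (destinationChanged || portRangesChanged || sslChanged || aliasChanged)` with those two flags computed the same way as the existing ones (their definitions sit above this hunk), and update the comment to `// Only update targets on newt if destination, port ranges, ssl or alias changed`. Certificate renewal would likewise change the target and needs its own trigger, which this patch does not add. handleMessagingForUpdatedSiteResource starts before this hunk.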