Merge pull request #331 from fosrl/dev

Follow redirects by default for backward compat

healthcheck/healthcheck.go

@@ -47,7 +47,7 @@ type Config struct {
 	Interval           int               `json:"hcInterval"`          // in seconds
 	UnhealthyInterval  int               `json:"hcUnhealthyInterval"` // in seconds
 	Timeout            int               `json:"hcTimeout"`           // in seconds
-	FollowRedirects    bool              `json:"hcFollowRedirects"`
+	FollowRedirects    *bool             `json:"hcFollowRedirects"`
 	Headers            map[string]string `json:"hcHeaders"`
 	Method             string            `json:"hcMethod"`
 	Status             int               `json:"hcStatus"` // HTTP status code
@@ -202,7 +202,9 @@ func (m *Monitor) addTargetUnsafe(config Config) error {
 		cancel: cancel,
 		client: &http.Client{
 			CheckRedirect: func() func(*http.Request, []*http.Request) error {
-				if !config.FollowRedirects {
+				// Default to following redirects if not explicitly configured
+				followRedirects := config.FollowRedirects == nil || *config.FollowRedirects
+				if !followRedirects {
 					return func(req *http.Request, via []*http.Request) error {
 						return http.ErrUseLastResponse
 					}
@@ -250,7 +252,7 @@ func (m *Monitor) RemoveTarget(id int) error {
 
 	// Notify callback of status change
 	if m.callback != nil {
-		go m.callback(m.GetTargets())
+		go m.callback(m.getAllTargetsUnsafe())
 	}
 
 	logger.Info("Successfully removed target %d", id)
@@ -283,7 +285,7 @@ func (m *Monitor) RemoveTargets(ids []int) error {
 
 	// Notify callback of status change if any targets were removed
 	if len(notFound) != len(ids) && m.callback != nil {
-		go m.callback(m.GetTargets())
+		go m.callback(m.getAllTargetsUnsafe())
 	}
 
 	if len(notFound) > 0 {
@@ -583,7 +585,7 @@ func (m *Monitor) DisableTarget(id int) error {
 
 		// Notify callback of status change
 		if m.callback != nil {
-			go m.callback(m.GetTargets())
+			go m.callback(m.getAllTargetsUnsafe())
 		}
 	} else {
 		logger.Debug("Target %d is already disabled", id)

main.go

@@ -542,7 +542,7 @@ func runNewtMain(ctx context.Context) {
 	if telErr != nil {
 		logger.Warn("Telemetry init failed: %v", telErr)
 	}
-	if tel != nil {
+	if tel != nil && (metricsEnabled || pprofEnabled) {
 		// Admin HTTP server (exposes /metrics when Prometheus exporter is enabled)
 		logger.Debug("Starting metrics server on %s", tcfg.AdminAddr)
 		mux := http.NewServeMux()

netstack2/handlers.go

@@ -152,10 +152,18 @@ func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.Transpo
 		srcAddr, _ := netip.ParseAddr(srcIP)
 		dstAddr, _ := netip.ParseAddr(dstIP)
 		rule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, dstPort, tcp.ProtocolNumber)
-		if rule != nil && rule.Protocol != "" {
-			logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
-				srcIP, srcPort, dstIP, dstPort, rule.Protocol)
-			h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
+		if rule != nil {
+			if rule.Protocol != "" {
+				logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
+					srcIP, srcPort, dstIP, dstPort, rule.Protocol)
+				h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
+			} else {
+				// A matching HTTP rule exists but has no protocol configured —
+				// do not fall through to the raw TCP handler; drop the connection.
+				logger.Info("TCP Forwarder: Dropping %s:%d -> %s:%d (HTTP rule matched but no protocol set)",
+					srcIP, srcPort, dstIP, dstPort)
+				netstackConn.Close()
+			}
 			return
 		}
 	}

netstack2/http_handler.go

@@ -185,7 +185,7 @@ func (h *HTTPHandler) Start() error {
 		}
 	}()
 
-	logger.Info("HTTP handler: ready — routing determined per SubnetRule on ports 80/443")
+	logger.Debug("HTTP handler: ready — routing determined per SubnetRule on ports 80/443")
 	return nil
 }
 
@@ -276,10 +276,10 @@ func (h *HTTPHandler) getProxy(target HTTPTarget) *httputil.ReverseProxy {
 		Scheme: scheme,
 		Host:   fmt.Sprintf("%s:%d", target.DestAddr, target.DestPort),
 	}
-	insecureTransport := (*http.Transport)(nil)
+	var transport http.RoundTripper = http.DefaultTransport
 	if target.Scheme == "https" {
 		// Allow self-signed certificates on downstream HTTPS targets.
-		insecureTransport = &http.Transport{
+		transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true, //nolint:gosec // downstream self-signed certs are a supported configuration
 			},
@@ -296,7 +296,7 @@ func (h *HTTPHandler) getProxy(target HTTPTarget) *httputil.ReverseProxy {
 			// X-Forwarded-For entry, so the header is set exactly once.
 			pr.SetXForwarded()
 		},
-		Transport: insecureTransport,
+		Transport: transport,
 	}
 
 	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
@@ -336,6 +336,19 @@ func (h *HTTPHandler) handleRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// If the rule is plain HTTP but has a TLS certificate configured, redirect
+	// the client to the HTTPS equivalent of the requested URL.
+	if rule.Protocol == "http" && rule.TLSCert != "" && rule.TLSKey != "" {
+		host := r.Host
+		if host == "" {
+			host = r.URL.Host
+		}
+		httpsURL := "https://" + host + r.RequestURI
+		logger.Info("HTTP handler: redirecting %s %s -> %s (TLS cert present)", r.Method, r.URL.RequestURI(), httpsURL)
+		http.Redirect(w, r, httpsURL, http.StatusMovedPermanently)
+		return
+	}
+
 	target := rule.HTTPTargets[0]
 	scheme := target.Scheme
 	logger.Info("HTTP handler: %s %s -> %s://%s:%d",

network/interface.go

@@ -120,7 +120,7 @@ func configureDarwin(interfaceName string, ip net.IP, ipNet *net.IPNet) error {
 	prefix, _ := ipNet.Mask.Size()
 	ipStr := fmt.Sprintf("%s/%d", ip.String(), prefix)
 
-	cmd := exec.Command("ifconfig", interfaceName, "inet", ipStr, ip.String(), "alias")
+	cmd := exec.Command("/sbin/ifconfig", interfaceName, "inet", ipStr, ip.String(), "alias")
 	logger.Info("Running command: %v", cmd)
 
 	out, err := cmd.CombinedOutput()
@@ -129,7 +129,7 @@ func configureDarwin(interfaceName string, ip net.IP, ipNet *net.IPNet) error {
 	}
 
 	// Bring up the interface
-	cmd = exec.Command("ifconfig", interfaceName, "up")
+	cmd = exec.Command("/sbin/ifconfig", interfaceName, "up")
 	logger.Info("Running command: %v", cmd)
 
 	out, err = cmd.CombinedOutput()