Working

2026-04-11 21:56:45 +00:00 · 2026-04-10 17:21:54 -04:00
parent 510931e7d6
commit a19f0acfb9
4 changed files with 36 additions and 12 deletions
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -5,6 +5,7 @@ import config from "@server/lib/config";
 import z from "zod";
 import logger from "@server/logger";
 import semver from "semver";
+import { getValidCertificatesForDomains } from "#private/lib/certificates";

 interface IPRange {
    start: bigint;
@@ -594,14 +595,14 @@ export type HTTPTarget = {
    scheme: "http" | "https";
 };

-export function generateSubnetProxyTargetV2(
+export async function generateSubnetProxyTargetV2(
    siteResource: SiteResource,
    clients: {
        clientId: number;
        pubKey: string | null;
        subnet: string | null;
    }[]
-): SubnetProxyTargetV2 | undefined {
+): Promise<SubnetProxyTargetV2 | undefined> {
    if (clients.length === 0) {
        logger.debug(
            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
@@ -672,6 +673,30 @@ export function generateSubnetProxyTargetV2(
            return;
        }
        // also push a match for the alias address
+        let tlsCert: string | undefined;
+        let tlsKey: string | undefined;
+
+        if (siteResource.ssl && siteResource.alias) {
+            try {
+                const certs = await getValidCertificatesForDomains(
+                    new Set([siteResource.alias]),
+                    true
+                );
+                if (certs.length > 0 && certs[0].certFile && certs[0].keyFile) {
+                    tlsCert = certs[0].certFile;
+                    tlsKey = certs[0].keyFile;
+                } else {
+                    logger.warn(
+                        `No valid certificate found for SSL site resource ${siteResource.siteResourceId} with domain ${siteResource.alias}`
+                    );
+                }
+            } catch (err) {
+                logger.error(
+                    `Failed to retrieve certificate for site resource ${siteResource.siteResourceId} domain ${siteResource.alias}: ${err}`
+                );
+            }
+        }
+
        target = {
            sourcePrefixes: [],
            destPrefix: `${siteResource.aliasAddress}/32`,
@@ -679,7 +704,7 @@ export function generateSubnetProxyTargetV2(
            portRange,
            disableIcmp,
            resourceId: siteResource.siteResourceId,
-            protocol: siteResource.mode, // will be either http or https,
+            protocol: siteResource.ssl ? "https" : "http",
            httpTargets: [
                {
                    destAddr: siteResource.destination,
@@ -687,8 +712,7 @@ export function generateSubnetProxyTargetV2(
                    scheme: siteResource.scheme
                }
            ],
-            // tlsCert: "",
-            // tlsKey: ""
+            ...(tlsCert && tlsKey ? { tlsCert, tlsKey } : {})
        };
    }

--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -661,7 +661,7 @@ async function handleSubnetProxyTargetUpdates(
        );

        if (addedClients.length > 0) {
-            const targetToAdd = generateSubnetProxyTargetV2(
+            const targetToAdd = await generateSubnetProxyTargetV2(
                siteResource,
                addedClients
            );
@@ -698,7 +698,7 @@ async function handleSubnetProxyTargetUpdates(
        );

        if (removedClients.length > 0) {
-            const targetToRemove = generateSubnetProxyTargetV2(
+            const targetToRemove = await generateSubnetProxyTargetV2(
                siteResource,
                removedClients
            );
@@ -1164,7 +1164,7 @@ async function handleMessagesForClientResources(
            }

            for (const resource of resources) {
-                const target = generateSubnetProxyTargetV2(resource, [
+                const target = await generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1241,7 +1241,7 @@ async function handleMessagesForClientResources(
            }

            for (const resource of resources) {
-                const target = generateSubnetProxyTargetV2(resource, [
+                const target = await generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -168,7 +168,7 @@ export async function buildClientConfigurationForNewtClient(
                )
            );

-        const resourceTarget = generateSubnetProxyTargetV2(
+        const resourceTarget = await generateSubnetProxyTargetV2(
            resource,
            resourceClients
        );
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -634,11 +634,11 @@ export async function handleMessagingForUpdatedSiteResource(

        // Only update targets on newt if destination changed
        if (destinationChanged || portRangesChanged) {
-            const oldTarget = generateSubnetProxyTargetV2(
+            const oldTarget = await generateSubnetProxyTargetV2(
                existingSiteResource,
                mergedAllClients
            );
-            const newTarget = generateSubnetProxyTargetV2(
+            const newTarget = await generateSubnetProxyTargetV2(
                updatedSiteResource,
                mergedAllClients
            );