From 7e9f18bf24962fe213cbf04e04afbae58f12fcc8 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 22 Dec 2025 21:57:14 -0500 Subject: [PATCH 1/3] Update migration to allow all ports --- server/setup/scriptsPg/1.14.0.ts | 4 ++-- server/setup/scriptsSqlite/1.14.0.ts | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/server/setup/scriptsPg/1.14.0.ts b/server/setup/scriptsPg/1.14.0.ts index 7ccded5a..c396df0c 100644 --- a/server/setup/scriptsPg/1.14.0.ts +++ b/server/setup/scriptsPg/1.14.0.ts @@ -60,11 +60,11 @@ export default async function migration() { ); await db.execute( - sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar;` + sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar NOT NULL DEFAULT '*';` ); await db.execute( - sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar;` + sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar NOT NULL DEFAULT '*';` ); await db.execute( diff --git a/server/setup/scriptsSqlite/1.14.0.ts b/server/setup/scriptsSqlite/1.14.0.ts index a4883b8f..9559519a 100644 --- a/server/setup/scriptsSqlite/1.14.0.ts +++ b/server/setup/scriptsSqlite/1.14.0.ts @@ -73,16 +73,18 @@ export default async function migration() { ).run(); db.prepare( - `ALTER TABLE 'siteResources' ADD 'tcpPortRangeString' text;` + `ALTER TABLE 'siteResources' ADD 'tcpPortRangeString' text DEFAULT '*' NOT NULL;` ).run(); db.prepare( - `ALTER TABLE 'siteResources' ADD 'udpPortRangeString' text;` + `ALTER TABLE 'siteResources' ADD 'udpPortRangeString' text DEFAULT '*' NOT NULL;` ).run(); db.prepare( - `ALTER TABLE 'siteResources' ADD 'disableIcmp' integer;` + `ALTER TABLE 'siteResources' ADD 'disableIcmp' integer NOT NULL DEFAULT false;` ).run(); + + })(); db.pragma("foreign_keys = ON"); From 729c2adb3feccbb5c2408f04ba8828f7e3dcf2aa Mon Sep 17 00:00:00 2001 
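Review bot: The new `DEFAULT '*'` on `tcpPortRangeString` and `udpPortRangeString` is a fail-open default: every existing `siteResources` row, and any later insert that omits the columns, ends up with all TCP and UDP ports allowed. That matches the commit title and presumably preserves pre-1.14.0 behaviour, but it should be stated next to the statements, e.g. `// '*' = all ports; existing resources stay unrestricted after upgrade`. The same applies to the two port columns in the `scriptsSqlite/1.14.0.ts` hunk. Because this edits the 1.14.0 script rather than adding a new migration, any install that already ran the earlier version would keep nullable columns with no default, so the code reading these columns should define what NULL means (confirm whether 1.14.0 has shipped). The `migration()` body starts and ends outside the hunk.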
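Review bot: `disableIcmp` becomes `NOT NULL DEFAULT false` only in this SQLite hunk; the Postgres hunk of the same patch ends at a `db.execute(` whose statement is not shown, so it is worth confirming the Postgres column gets the same constraint and default, otherwise ICMP handling can differ by backend for rows that omit the value. The clause order also differs from the two statements above it (`DEFAULT '*' NOT NULL` versus `NOT NULL DEFAULT false`), and the bare `false` literal is only accepted by SQLite 3.23.0 and later, so `integer NOT NULL DEFAULT 0` would be the more portable spelling. The two blank lines added before `})();` look unintentional.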
From: Owen Date: Tue, 23 Dec 2025 15:24:26 -0500 Subject: [PATCH 2/3] Dont allow maintence page on remote nodes --- server/lib/traefik/getTraefikConfig.ts | 7 ++++--- server/private/lib/traefik/getTraefikConfig.ts | 2 +- server/private/routers/hybrid.ts | 3 ++- .../settings/resources/proxy/[niceId]/general/page.tsx | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/server/lib/traefik/getTraefikConfig.ts b/server/lib/traefik/getTraefikConfig.ts index e5bf3881..06754ffa 100644 --- a/server/lib/traefik/getTraefikConfig.ts +++ b/server/lib/traefik/getTraefikConfig.ts @@ -41,9 +41,10 @@ type TargetWithSite = Target & { export async function getTraefikConfig( exitNodeId: number, siteTypes: string[], - filterOutNamespaceDomains = false, - generateLoginPageRouters = false, - allowRawResources = true + filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE + generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE + allowRawResources = true, + allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE ): Promise { // Get resources with their targets and sites in a single optimized query // Start from sites on this exit node, then join to targets and resources diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts index 62c60696..63c8750b 100644 --- a/server/private/lib/traefik/getTraefikConfig.ts +++ b/server/private/lib/traefik/getTraefikConfig.ts @@ -464,7 +464,7 @@ export async function getTraefikConfig( } } - if (showMaintenancePage) { + if (showMaintenancePage && allowMaintenancePage) { const maintenanceServiceName = `${key}-maintenance-service`; const maintenanceRouterName = `${key}-maintenance-router`; const rewriteMiddlewareName = `${key}-maintenance-rewrite`; diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts index 009b2fe1..bbc0e0c8 100644 --- a/server/private/routers/hybrid.ts +++ b/server/private/routers/hybrid.ts 
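Review bot: `getTraefikConfig` now takes four consecutive positional booleans, and the `hybrid.ts` call site in this patch passes them as `true, false, true, false`, where transposing two arguments would silently change which routers a remote node receives. An options object (`{ filterOutNamespaceDomains, generateLoginPageRouters, allowRawResources, allowMaintenancePage }`) would make each call self-describing; short of that, the parameters deserve a TSDoc block instead of the `// UNUSED BUT USED IN PRIVATE` trailers, for example `@param allowMaintenancePage ignored in this build; the private getTraefikConfig uses it to suppress maintenance routers`. The default is also `true`, so a caller that forgets the argument gets the permissive behaviour. The function body continues outside the hunk.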
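Review bot: When `showMaintenancePage` is true but `allowMaintenancePage` is false, this `if` is skipped with no visible `else`, so what a remote node serves for a resource in maintenance mode depends on code below the hunk; if that code builds the normal routers, the resource would presumably stay reachable through remote nodes while the operator believes it is in maintenance. That outcome should be decided explicitly and at least documented at this branch, e.g. `// remote nodes cannot serve the maintenance page; the resource is routed normally`, or logged once per resource. `allowMaintenancePage` is not declared in any visible line of this file's diff, so it is assumed to already be a parameter of the private `getTraefikConfig`. The `if` block ends outside the hunk.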
@@ -247,7 +247,8 @@ hybridRouter.get( ["newt", "local", "wireguard"], // Allow them to use all the site types true, // But don't allow domain namespace resources false, // Dont include login pages, - true // allow raw resources + true, // allow raw resources + false // dont generate maintenance page ); return response(res, { diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx index 897c5d00..7cf9339b 100644 --- a/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx +++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx @@ -189,7 +189,7 @@ function MaintenanceSectionForm({ name="maintenanceModeEnabled" render={({ field }) => { const isDisabled = - isSecurityFeatureDisabled(); + isSecurityFeatureDisabled() || resource.http === false; return ( From ca89c5feca158ac8f40da8609e20e9369a1b2cd6 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 23 Dec 2025 16:02:52 -0500 Subject: [PATCH 3/3] Reorder when the redirect gets in there --- .../private/lib/traefik/getTraefikConfig.ts | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts index 63c8750b..18410e62 100644 --- a/server/private/lib/traefik/getTraefikConfig.ts +++ b/server/private/lib/traefik/getTraefikConfig.ts @@ -358,18 +358,6 @@ export async function getTraefikConfig( } } - if (resource.ssl) { - config_output.http.routers![routerName + "-redirect"] = { - entryPoints: [ - config.getRawConfig().traefik.http_entrypoint - ], - middlewares: [redirectHttpsMiddlewareName], - service: serviceName, - rule: rule, - priority: priority - }; - } - let tls = {}; if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) { const domainParts = fullDomain.split("."); 
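Review bot: Disabling the toggle with `resource.http === false` only stops the browser from offering maintenance mode on non-HTTP resources; nothing in this patch shows the server rejecting `maintenanceModeEnabled` for such a resource, so the update handler should enforce the same rule (confirm whether it already does). The strict comparison also leaves the switch enabled while `resource.http` is `undefined` or `null`; if the field can be unset, `!resource.http` is the safer test. A short hint next to the disabled control saying why it is unavailable would help. The `render` callback continues outside the hunk.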
@@ -435,6 +423,18 @@ export async function getTraefikConfig( } } + if (resource.ssl) { + config_output.http.routers![routerName + "-redirect"] = { + entryPoints: [ + config.getRawConfig().traefik.http_entrypoint + ], + middlewares: [redirectHttpsMiddlewareName], + service: serviceName, + rule: rule, + priority: priority + }; + } + const availableServers = targets.filter((target) => { if (!target.enabled) return false;
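Review bot: Nothing in the commit message or the code says which value the moved `-redirect` router depends on, so the reason for registering it after the `tls` block is not recoverable from the patch. The moved block reads `rule`, `priority`, `serviceName` and `redirectHttpsMiddlewareName`; if any of them is reassigned between the old and new position, that is the behavioural change and it should be recorded above the `if (resource.ssl)`, e.g. `// must run after <placeholder: the step this depends on> so the redirect router uses the final rule/priority`. Since this router is what moves plain-HTTP requests onto HTTPS, a test asserting that an `ssl` resource always yields a `-redirect` router would guard against the block being dropped in a later reorder. The hunk's last context lines open a `targets.filter` callback that continues outside it.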