fix: include public gateways for IP-based addresses in vhost targets

The server hostname vhost construction only collected private IPs, always setting public to empty. Public IP addresses (Ipv4/Ipv6 metadata with public=true) were never added to the vhost target's public gateway set, causing the vhost filter to reject public traffic for IP-based addresses.
2026-03-26 02:11:53 +00:00 · 2026-02-16 19:45:10 -07:00
parent 6a1b1627c5
commit c9468dda02
1 changed files with 11 additions and 3 deletions
--- a/core/src/net/net_controller.rs
+++ b/core/src/net/net_controller.rs
@@ -236,13 +236,21 @@ impl NetServiceData {
                        .flat_map(|ip_info| ip_info.subnets.iter().map(|s| s.addr()))
                        .collect();

-                    // Server hostname vhosts (on assigned_ssl_port) — private only
-                    if !server_private_ips.is_empty() {
+                    // Collect public gateways from enabled public IP addresses
+                    let server_public_gateways: BTreeSet<GatewayId> = enabled_addresses
+                        .iter()
+                        .filter(|a| a.public && a.metadata.is_ip())
+                        .flat_map(|a| a.metadata.gateways())
+                        .cloned()
+                        .collect();
+
+                    // Server hostname vhosts (on assigned_ssl_port)
+                    if !server_private_ips.is_empty() || !server_public_gateways.is_empty() {
                        for hostname in ctrl.server_hostnames.iter().cloned() {
                            vhosts.insert(
                                (hostname, assigned_ssl_port),
                                ProxyTarget {
-                                    public: BTreeSet::new(),
+                                    public: server_public_gateways.clone(),
                                    private: server_private_ips.clone(),
                                    acme: None,
                                    addr,