From c9468dda02978d5585a938e317b0f45bbcdbfb1f Mon Sep 17 00:00:00 2001 From: Aiden McClelland Date: Mon, 16 Feb 2026 19:45:10 -0700 Subject: [PATCH] fix: include public gateways for IP-based addresses in vhost targets The server hostname vhost construction only collected private IPs, always setting public to empty. Public IP addresses (Ipv4/Ipv6 metadata with public=true) were never added to the vhost target's public gateway set, causing the vhost filter to reject public traffic for IP-based addresses. --- core/src/net/net_controller.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/core/src/net/net_controller.rs b/core/src/net/net_controller.rs index 600c12ccb..c2624c5e4 100644 --- a/core/src/net/net_controller.rs +++ b/core/src/net/net_controller.rs @@ -236,13 +236,21 @@ impl NetServiceData { .flat_map(|ip_info| ip_info.subnets.iter().map(|s| s.addr())) .collect(); - // Server hostname vhosts (on assigned_ssl_port) — private only - if !server_private_ips.is_empty() { + // Collect public gateways from enabled public IP addresses + let server_public_gateways: BTreeSet = enabled_addresses + .iter() + .filter(|a| a.public && a.metadata.is_ip()) + .flat_map(|a| a.metadata.gateways()) + .cloned() + .collect(); + + // Server hostname vhosts (on assigned_ssl_port) + if !server_private_ips.is_empty() || !server_public_gateways.is_empty() { for hostname in ctrl.server_hostnames.iter().cloned() { vhosts.insert( (hostname, assigned_ssl_port), ProxyTarget { - public: BTreeSet::new(), + public: server_public_gateways.clone(), private: server_private_ips.clone(), acme: None, addr,