Fix Linux privileged mode HTTP/HTTPS traffic routing

- Replace single comprehensive TCP redirect with port-specific rules
- Route HTTP traffic (port 80) to HTTP proxy (port 8080)
- Route HTTPS traffic (port 443) to HTTPS proxy (port 8443)
- Update cleanup to remove both redirect rules
- Fixes 'Client sent HTTP request to HTTPS server' error

Co-authored-by: f0ssel <[email protected]>

Author: blink-so[bot]

namespace/linux.go

@@ -224,23 +224,32 @@ func (l *Linux) setupIptables() error {
 		return fmt.Errorf("failed to add NAT rule: %v", err)
 	}
 
-	// COMPREHENSIVE APPROACH: Intercept ALL TCP traffic from namespace
-	// Use PREROUTING on host to catch traffic after it exits namespace but before routing
-	// This ensures NO TCP traffic can bypass the proxy
-	cmd = exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpsProxyPort))
+	// Redirect HTTP traffic (port 80) to HTTP proxy (port 8080)
+	cmd = exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "--dport", "80", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
 	err = cmd.Run()
 	if err != nil {
-		return fmt.Errorf("failed to add comprehensive TCP redirect rule: %v", err)
+		return fmt.Errorf("failed to add HTTP redirect rule: %v", err)
 	}
 
-	l.logger.Debug("Comprehensive TCP jailing enabled", "interface", l.vethHost, "proxy_port", l.httpsProxyPort)
+	// Redirect HTTPS traffic (port 443) to HTTPS proxy (port 8443)
+	cmd = exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "--dport", "443", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpsProxyPort))
+	err = cmd.Run()
+	if err != nil {
+		return fmt.Errorf("failed to add HTTPS redirect rule: %v", err)
+	}
+
+	l.logger.Debug("HTTP and HTTPS traffic redirection enabled", "interface", l.vethHost, "http_port", l.httpProxyPort, "https_port", l.httpsProxyPort)
 	return nil
 }
 
 // removeIptables removes iptables rules
 func (l *Linux) removeIptables() error {
-	// Remove comprehensive TCP redirect rule
-	cmd := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpsProxyPort))
+	// Remove HTTP redirect rule
+	cmd := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "--dport", "80", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
+	cmd.Run() // Ignore errors during cleanup
+
+	// Remove HTTPS redirect rule
+	cmd = exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "--dport", "443", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpsProxyPort))
 	cmd.Run() // Ignore errors during cleanup
 
 	// Remove NAT rule
@@ -258,4 +267,4 @@ func (l *Linux) removeNamespace() error {
 		return fmt.Errorf("failed to remove namespace: %v", err)
 	}
 	return nil
-}
+}

proxy/proxy.go

@@ -364,12 +364,7 @@ func (p *Server) handleConnect(w http.ResponseWriter, r *http.Request) {
 
 	// Perform TLS handshake with the client using our certificates
 	p.logger.Debug("Starting TLS handshake", "hostname", hostname)
-	
-	// Create TLS config that forces HTTP/1.1 (disable HTTP/2 ALPN)
-	tlsConfig := p.tlsConfig.Clone()
-	tlsConfig.NextProtos = []string{"http/1.1"}
-	
-	tlsConn := tls.Server(conn, tlsConfig)
+	tlsConn := tls.Server(conn, p.tlsConfig)
 	err = tlsConn.Handshake()
 	if err != nil {
 		p.logger.Error("TLS handshake failed", "hostname", hostname, "error", err)