Remove unused HTTPS proxy server

- Remove separate HTTPS proxy server since TLS termination handles both HTTP/HTTPS
- Clean up HTTPS-related fields from proxy Server struct and Config
- Remove httpsProxyPort from all namespace implementations
- Update proxy to use single HTTP server with TLS termination
- Remove forwardHTTPSRequest method and use forwardHTTPRequest for all traffic
- Add UserInfo to jail Config to fix namespace configuration
- Simplify codebase by eliminating duplicate functionality

Co-authored-by: f0ssel <[email protected]>

Author: blink-so[bot]

cli/cli.go

@@ -135,6 +135,7 @@ func Run(ctx context.Context, config Config, args []string) error {
 		Auditor:      auditor,
 		CertManager:  certManager,
 		Logger:       logger,
+		UserInfo:     userInfo,
 		Unprivileged: config.Unprivileged,
 	})
 	if err != nil {

jail

@@ -20,6 +20,7 @@ type Config struct {
 	Auditor      audit.Auditor
 	CertManager  tls.Manager
 	Logger       *slog.Logger
+	UserInfo     namespace.UserInfo
 	Unprivileged bool
 }
 
@@ -41,23 +42,22 @@ func New(ctx context.Context, config Config) (*Jail, error) {
 	// Create proxy server
 	proxyServer := proxy.NewProxyServer(proxy.Config{
 		HTTPPort:   8080,
-		HTTPSPort:  8443,
-		Auditor:    config.Auditor,
 		RuleEngine: config.RuleEngine,
+		Auditor:    config.Auditor,
 		Logger:     config.Logger,
 		TLSConfig:  tlsConfig,
 	})
 
-	// Create commander
+	// Create namespace
 	commander, err := newNamespaceCommander(namespace.Config{
-		Logger:         config.Logger,
-		HttpProxyPort:  8080,
-		HttpsProxyPort: 8443,
-		TlsConfigDir:   configDir,
-		CACertPath:     caCertPath,
+		Logger:        config.Logger,
+		HttpProxyPort: 8080,
+		TlsConfigDir:  configDir,
+		CACertPath:    caCertPath,
+		UserInfo:      config.UserInfo,
 	}, config.Unprivileged)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create commander: %v", err)
+		return nil, fmt.Errorf("failed to create namespace commander: %v", err)
 	}
 
 	// Create cancellable context for jail

jail.go

@@ -7,39 +7,34 @@ import (
 	"log/slog"
 	"os"
 	"os/exec"
-	"syscall"
 	"time"
 )
 
 // Linux implements jail.Commander using Linux network namespaces
-type Linux struct {
-	namespace      string
-	vethHost       string // Host-side veth interface name for iptables rules
-	logger         *slog.Logger
-	procAttr       *syscall.SysProcAttr
-	commandEnv     []string
-	httpProxyPort  int
-	httpsProxyPort int
-	tlsConfigDir   string
-	caCertPath     string
-	userInfo       UserInfo
+type LinuxNetNamespace struct {
+	logger        *slog.Logger
+	namespace     string
+	vethHost      string // Host-side veth interface name for iptables rules
+	commandEnv    []string
+	httpProxyPort int
+	tlsConfigDir  string
+	caCertPath    string
+	userInfo      UserInfo
 }
 
-// NewLinux creates a new Linux network jail instance
-func NewLinux(config Config) (*Linux, error) {
-	return &Linux{
-		namespace:      newNamespaceName(),
-		logger:         config.Logger,
-		httpProxyPort:  config.HttpProxyPort,
-		httpsProxyPort: config.HttpsProxyPort,
-		tlsConfigDir:   config.TlsConfigDir,
-		caCertPath:     config.CACertPath,
-		userInfo:       config.UserInfo,
+func NewLinux(config Config) (*LinuxNetNamespace, error) {
+	return &LinuxNetNamespace{
+		logger:        config.Logger,
+		namespace:     newNamespaceName(),
+		httpProxyPort: config.HttpProxyPort,
+		tlsConfigDir:  config.TlsConfigDir,
+		caCertPath:    config.CACertPath,
+		userInfo:      config.UserInfo,
 	}, nil
 }
 
-// Setup creates network namespace and configures iptables rules
-func (l *Linux) Start() error {
+// Start creates network namespace and configures iptables rules
+func (l *LinuxNetNamespace) Start() error {
 	l.logger.Debug("Setup called")
 
 	// Setup DNS configuration BEFORE creating namespace
@@ -76,19 +71,12 @@ func (l *Linux) Start() error {
 		"LOGNAME": l.userInfo.Username,
 	})
 
-	l.procAttr = &syscall.SysProcAttr{
-		Credential: &syscall.Credential{
-			Uid: uint32(l.userInfo.Uid),
-			Gid: uint32(l.userInfo.Gid),
-		},
-	}
-
 	l.logger.Debug("Setup completed successfully")
 	return nil
 }
 
 // Command returns an exec.Cmd configured to run within the network namespace
-func (l *Linux) Command(command []string) *exec.Cmd {
+func (l *LinuxNetNamespace) Command(command []string) *exec.Cmd {
 	l.logger.Debug("Command called", "command", command)
 
 	// Create command with ip netns exec
@@ -104,14 +92,11 @@ func (l *Linux) Command(command []string) *exec.Cmd {
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 
-	// Use prepared process attributes from Open method
-	cmd.SysProcAttr = l.procAttr
-
 	return cmd
 }
 
-// Cleanup removes the network namespace and iptables rules
-func (l *Linux) Close() error {
+// Close removes the network namespace and iptables rules
+func (l *LinuxNetNamespace) Close() error {
 	// Remove iptables rules
 	err := l.removeIptables()
 	if err != nil {
@@ -138,7 +123,7 @@ func (l *Linux) Close() error {
 }
 
 // createNamespace creates a new network namespace
-func (l *Linux) createNamespace() error {
+func (l *LinuxNetNamespace) createNamespace() error {
 	cmd := exec.Command("ip", "netns", "add", l.namespace)
 	err := cmd.Run()
 	if err != nil {
@@ -148,12 +133,12 @@ func (l *Linux) createNamespace() error {
 }
 
 // setupNetworking configures networking within the namespace
-func (l *Linux) setupNetworking() error {
+func (l *LinuxNetNamespace) setupNetworking() error {
 	// Create veth pair with short names (Linux interface names limited to 15 chars)
 	// Generate unique ID to avoid conflicts
 	uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
-	vethHost := fmt.Sprintf("veth_h_%s", uniqueID)                // veth_h_1234567 = 14 chars
-	vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID)             // veth_n_1234567 = 14 chars
+	vethHost := fmt.Sprintf("veth_h_%s", uniqueID)     // veth_h_1234567 = 14 chars
+	vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID) // veth_n_1234567 = 14 chars
 
 	// Store veth interface name for iptables rules
 	l.vethHost = vethHost
@@ -184,7 +169,7 @@ func (l *Linux) setupNetworking() error {
 // setupDNS configures DNS resolution for the namespace
 // This ensures reliable DNS resolution by using public DNS servers
 // instead of relying on the host's potentially complex DNS configuration
-func (l *Linux) setupDNS() error {
+func (l *LinuxNetNamespace) setupDNS() error {
 	// Always create namespace-specific resolv.conf with reliable public DNS servers
 	// This avoids issues with systemd-resolved, Docker DNS, and other complex setups
 	netnsEtc := fmt.Sprintf("/etc/netns/%s", l.namespace)
@@ -212,7 +197,7 @@ options timeout:2 attempts:2
 }
 
 // setupIptables configures iptables rules for comprehensive TCP traffic interception
-func (l *Linux) setupIptables() error {
+func (l *LinuxNetNamespace) setupIptables() error {
 	// Enable IP forwarding
 	cmd := exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1")
 	cmd.Run() // Ignore error
@@ -237,7 +222,7 @@ func (l *Linux) setupIptables() error {
 }
 
 // removeIptables removes iptables rules
-func (l *Linux) removeIptables() error {
+func (l *LinuxNetNamespace) removeIptables() error {
 	// Remove comprehensive TCP redirect rule
 	cmd := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
 	cmd.Run() // Ignore errors during cleanup
@@ -250,11 +235,11 @@ func (l *Linux) removeIptables() error {
 }
 
 // removeNamespace removes the network namespace
-func (l *Linux) removeNamespace() error {
+func (l *LinuxNetNamespace) removeNamespace() error {
 	cmd := exec.Command("ip", "netns", "del", l.namespace)
 	err := cmd.Run()
 	if err != nil {
 		return fmt.Errorf("failed to remove namespace: %v", err)
 	}
 	return nil
-}
+}

namespace/linux.go

@@ -26,7 +26,6 @@ type MacOSNetJail struct {
 	commandEnv     []string
 	procAttr       *syscall.SysProcAttr
 	httpProxyPort  int
-	httpsProxyPort int
 	tlsConfigDir   string
 	caCertPath     string
 	userInfo       UserInfo
@@ -39,14 +38,13 @@ func NewMacOS(config Config) (*MacOSNetJail, error) {
 	mainRulesPath := fmt.Sprintf("/tmp/%s_main.pf", ns)
 
 	return &MacOSNetJail{
-		pfRulesPath:    pfRulesPath,
-		mainRulesPath:  mainRulesPath,
-		logger:         config.Logger,
-		httpProxyPort:  config.HttpProxyPort,
-		httpsProxyPort: config.HttpsProxyPort,
-		tlsConfigDir:   config.TlsConfigDir,
-		caCertPath:     config.CACertPath,
-		userInfo:       config.UserInfo,
+		pfRulesPath:   pfRulesPath,
+		mainRulesPath: mainRulesPath,
+		logger:        config.Logger,
+		httpProxyPort: config.HttpProxyPort,
+		tlsConfigDir:  config.TlsConfigDir,
+		caCertPath:    config.CACertPath,
+		userInfo:      config.UserInfo,
 	}, nil
 }
 

namespace/macos.go

@@ -12,12 +12,11 @@ type Commander interface {
 }
 
 type Config struct {
-	Logger         *slog.Logger
-	HttpProxyPort  int
-	HttpsProxyPort int
-	TlsConfigDir   string
-	CACertPath     string
-	UserInfo       UserInfo
+	Logger        *slog.Logger
+	HttpProxyPort int
+	TlsConfigDir  string
+	CACertPath    string
+	UserInfo      UserInfo
 }
 
 type UserInfo struct {

namespace/namespace.go

@@ -8,23 +8,21 @@ import (
 )
 
 type Unprivileged struct {
-	logger         *slog.Logger
-	commandEnv     []string
-	httpProxyPort  int
-	httpsProxyPort int
-	tlsConfigDir   string
-	caCertPath     string
-	userInfo       UserInfo
+	logger        *slog.Logger
+	commandEnv    []string
+	httpProxyPort int
+	tlsConfigDir  string
+	caCertPath    string
+	userInfo      UserInfo
 }
 
 func NewUnprivileged(config Config) (*Unprivileged, error) {
 	return &Unprivileged{
-		logger:         config.Logger,
-		httpProxyPort:  config.HttpProxyPort,
-		httpsProxyPort: config.HttpsProxyPort,
-		tlsConfigDir:   config.TlsConfigDir,
-		caCertPath:     config.CACertPath,
-		userInfo:       config.UserInfo,
+		logger:        config.Logger,
+		httpProxyPort: config.HttpProxyPort,
+		tlsConfigDir:  config.TlsConfigDir,
+		caCertPath:    config.CACertPath,
+		userInfo:      config.UserInfo,
 	}, nil
 }