fix: DNAT and forward port 443 (HTTPS) to Caddy from WireGuard peers

ensure_service_dnat() only wired port 80 → cell-caddy, so HTTPS was silently dropped: no DNAT rule redirected 443 to the Caddy container, and the FORWARD chain had no ACCEPT for dport 443. Refactored the function to loop over both 80 and 443 so both are DNAT'd and forwarded. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-06 07:14:55 -04:00
parent 3e26186f85
commit 8da711e366
1 changed files with 17 additions and 16 deletions
@@ -569,7 +569,7 @@ def ensure_dns_dnat() -> bool:


 def ensure_service_dnat() -> bool:
-    """DNAT wg0:80 (scoped to WG server IP) → cell-caddy:80.
+    """DNAT wg0:80 and wg0:443 (scoped to WG server IP) → cell-caddy.

    Service DNS names resolve to the WG server IP. DNAT is scoped with -d {server_ip}
    so that cross-cell HTTP traffic destined for another cell passes through unmodified.
@@ -583,21 +583,22 @@ def ensure_service_dnat() -> bool:
        if not caddy_ip:
            logger.warning('ensure_service_dnat: cell-caddy not found')
            return False
-        dnat_check = ['-t', 'nat', '-C', 'PREROUTING', '-i', 'wg0', '-d', server_ip,
-                      '-p', 'tcp', '--dport', '80',
-                      '-j', 'DNAT', '--to-destination', f'{caddy_ip}:80']
-        dnat_add   = ['-t', 'nat', '-A', 'PREROUTING', '-i', 'wg0', '-d', server_ip,
-                      '-p', 'tcp', '--dport', '80',
-                      '-j', 'DNAT', '--to-destination', f'{caddy_ip}:80']
-        if _wg_exec(['iptables'] + dnat_check).returncode != 0:
-            _wg_exec(['iptables'] + dnat_add)
-        fwd_check = ['-C', 'FORWARD', '-i', 'wg0', '-o', 'eth0',
-                     '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']
-        fwd_add   = ['-I', 'FORWARD', '-i', 'wg0', '-o', 'eth0',
-                     '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']
-        if _wg_exec(['iptables'] + fwd_check).returncode != 0:
-            _wg_exec(['iptables'] + fwd_add)
-        logger.info(f'ensure_service_dnat: wg0:{server_ip}:80 → {caddy_ip}:80')
+        for port in ('80', '443'):
+            dnat_check = ['-t', 'nat', '-C', 'PREROUTING', '-i', 'wg0', '-d', server_ip,
+                          '-p', 'tcp', '--dport', port,
+                          '-j', 'DNAT', '--to-destination', f'{caddy_ip}:{port}']
+            dnat_add   = ['-t', 'nat', '-A', 'PREROUTING', '-i', 'wg0', '-d', server_ip,
+                          '-p', 'tcp', '--dport', port,
+                          '-j', 'DNAT', '--to-destination', f'{caddy_ip}:{port}']
+            if _wg_exec(['iptables'] + dnat_check).returncode != 0:
+                _wg_exec(['iptables'] + dnat_add)
+            fwd_check = ['-C', 'FORWARD', '-i', 'wg0', '-o', 'eth0',
+                         '-p', 'tcp', '--dport', port, '-j', 'ACCEPT']
+            fwd_add   = ['-I', 'FORWARD', '-i', 'wg0', '-o', 'eth0',
+                         '-p', 'tcp', '--dport', port, '-j', 'ACCEPT']
+            if _wg_exec(['iptables'] + fwd_check).returncode != 0:
+                _wg_exec(['iptables'] + fwd_add)
+        logger.info(f'ensure_service_dnat: wg0:{server_ip}:80+443 → {caddy_ip}')
        return True
    except Exception as e:
        logger.error(f'ensure_service_dnat: {e}')