Skip to content

packer: do not query http if https works#94

Closed
oliverpool wants to merge 1 commit intogokrazy:mainfrom
oliverpool:skip-http
Closed

packer: do not query http if https works#94
oliverpool wants to merge 1 commit intogokrazy:mainfrom
oliverpool:skip-http

Conversation

@oliverpool
Copy link
Contributor

@oliverpool oliverpool commented Sep 13, 2025

Similar to #78 and #79:

  • my own application listens on port 80
  • gokrazy is managed via https (on port 443)
  • I set the gokrazy http port to 8080 (but it should be disabled ideally)

Currently when I try to make an update and nothing is listening on port 80, I get:

> gok update
2025/09/13 14:40:01 Using certificate /home/user/.config/gokrazy/hosts/gokrazy/cert.pem
[done] in 0.01s
2025/09/13 14:40:01 probing url for https: Get "http://gokrazy": dial tcp 192.168.1.124:80: connect: connection refused

I don't really understand why http is probed, if I want to update via https. At least it should check against to custom port 8080.

In this PR, I propose to probe directly on the https endpoint instead (but this part of the code seems to be quite subtle, and maybe I did something wrong).

@stapelberg
Copy link
Contributor

stapelberg commented Oct 3, 2025

With commit 9a95191, I have added a first test for the 'gok update' code path. It’s using a fake HTTP server right now, but I want to switch that to using running the test instance in a VM, and then we can test switching a running instance to TLS and similar.

stapelberg added a commit that referenced this pull request Nov 29, 2025
@stapelberg
integration: start QEMU VM for 'gok update' test
89fe81c 
related to #94
stapelberg added a commit to stapelberg/tools that referenced this pull request Nov 29, 2025
@stapelberg
integration: start QEMU VM for 'gok update' test
d588a72 
related to gokrazy#94
stapelberg added a commit that referenced this pull request Nov 29, 2025
@stapelberg
packer: use HTTPS client despite -insecure (post-update) (+test)
91c487c 
While adding the integration test for
https://gokrazy.org/userguide/tls-for-untrusted-networks/,
I noticed that the packer does not actually successfully complete
the initial HTTPS deployment (where -insecure is used).
After writing the image to disk and rebooting, the packer was stuck at:

device not yet reachable: Get "https://localhost:9080/": http:
server gave HTTP response to HTTPS client

related to #94
stapelberg added a commit that referenced this pull request Dec 9, 2025
@stapelberg
packer: do not check for HTTP→HTTPS redirect
ba6a893 
This check was broken: it tried to construct a http URL
by changing the updateBaseUrl schema instead of constructing
such a URL based on the configured HTTPPort.

I also don’t think this check is useful:
HTTPS will be used for updates regardless of the check.
Even if an attacker intercepted HTTP traffic and removed the redirect,
that has no bearing on the update, so why bother checking.

One thing the check (implicitly) did is the required fallback
on initial installation when --insecure is specified.
We now solve that by falling back from HTTPS to HTTP explicitly
(only when --insecure is specified, of course).

related to #94
@stapelberg
Copy link
Contributor

stapelberg commented Dec 9, 2025

I have fixed this issue in commit ba6a893 instead. As you suspected when you said this code is subtle, there was more to it: the initial deployment with the --insecure flag relies on the fallback (see my commit message).

@stapelberg stapelberg closed this Dec 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@oliverpool @stapelberg