fix: ssh server doesnt offer ed-25519 hostkey (#1473)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/build.yml

@@ -58,7 +58,7 @@ jobs:
       - name: Install tools
         run: |
           cargo install just
-          cargo install cargo-deny@^0.18
+          cargo install cargo-deny@0.18.3
           cargo install cargo-cyclonedx@^0.5
           mkdir cdx
           wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.27.2/${{ matrix.cyclonedx-build }} -O cyclonedx

Cargo.lock

@@ -197,13 +197,29 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 
+[[package]]
+name = "asn1-rs"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048"
+dependencies = [
+ "asn1-rs-derive 0.5.1",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
 [[package]]
 name = "asn1-rs"
 version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
 dependencies = [
- "asn1-rs-derive",
+ "asn1-rs-derive 0.6.0",
  "asn1-rs-impl",
  "displaydoc",
  "nom",
@@ -213,6 +229,18 @@ dependencies = [
  "time",
 ]
 
+[[package]]
+name = "asn1-rs-derive"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+ "synstructure",
+]
+
 [[package]]
 name = "asn1-rs-derive"
 version = "0.6.0"
@@ -1059,13 +1087,27 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "der-parser"
+version = "9.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553"
+dependencies = [
+ "asn1-rs 0.6.2",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "der-parser"
 version = "10.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
 dependencies = [
- "asn1-rs",
+ "asn1-rs 0.7.1",
  "displaydoc",
  "nom",
  "num-bigint",
@@ -2676,13 +2718,22 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "oid-registry"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9"
+dependencies = [
+ "asn1-rs 0.6.2",
+]
+
 [[package]]
 name = "oid-registry"
 version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
 dependencies = [
- "asn1-rs",
+ "asn1-rs 0.7.1",
 ]
 
 [[package]]
@@ -3516,6 +3567,7 @@ dependencies = [
  "pem",
  "rustls-pki-types",
  "time",
+ "x509-parser 0.16.0",
  "yasna",
  "zeroize",
 ]
@@ -3756,9 +3808,9 @@ dependencies = [
 
 [[package]]
 name = "russh"
-version = "0.54.1"
+version = "0.54.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de956421c15e2068e207578852cf1af4f24b32ede68ab3ae60d8489444ff31df"
+checksum = "00897b69ab623d39b396af89f1acbb775fb5a730f0db91833da297d5a6cd3f8d"
 dependencies = [
  "aes",
  "aws-lc-rs",
@@ -5476,7 +5528,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "ansi_term",
  "anyhow",
@@ -5492,6 +5544,7 @@ dependencies = [
  "futures",
  "notify",
  "rcgen",
+ "reqwest",
  "rustls",
  "schemars",
  "sd-notify",
@@ -5515,7 +5568,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-admin"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5544,7 +5597,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-common"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "anyhow",
  "argon2",
@@ -5583,12 +5636,12 @@ dependencies = [
  "uuid",
  "warpgate-sso",
  "webpki",
- "x509-parser",
+ "x509-parser 0.17.0",
 ]
 
 [[package]]
 name = "warpgate-core"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "anyhow",
  "argon2",
@@ -5631,7 +5684,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-database-protocols"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "bitflags 2.9.1",
  "bytes",
@@ -5644,7 +5697,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-db-entities"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "bytes",
  "chrono",
@@ -5659,7 +5712,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-db-migrations"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "chrono",
  "data-encoding",
@@ -5675,7 +5728,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-protocol-http"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5691,6 +5744,7 @@ dependencies = [
  "poem-openapi",
  "regex",
  "reqwest",
+ "rustls-pemfile",
  "sea-orm",
  "serde",
  "serde_json",
@@ -5709,7 +5763,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-protocol-mysql"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5737,7 +5791,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-protocol-postgres"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5759,7 +5813,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-protocol-ssh"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "ansi_term",
  "anyhow",
@@ -5785,7 +5839,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-sso"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "bytes",
  "data-encoding",
@@ -5803,7 +5857,7 @@ dependencies = [
 
 [[package]]
 name = "warpgate-web"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "rust-embed",
  "serde",
@@ -6391,18 +6445,36 @@ dependencies = [
  "tap",
 ]
 
+[[package]]
+name = "x509-parser"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69"
+dependencies = [
+ "asn1-rs 0.6.2",
+ "data-encoding",
+ "der-parser 9.0.0",
+ "lazy_static",
+ "nom",
+ "oid-registry 0.7.1",
+ "ring",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
 [[package]]
 name = "x509-parser"
 version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4569f339c0c402346d4a75a9e39cf8dad310e287eef1ff56d4c68e5067f53460"
 dependencies = [
- "asn1-rs",
+ "asn1-rs 0.7.1",
  "data-encoding",
- "der-parser",
+ "der-parser 10.0.0",
  "lazy_static",
  "nom",
- "oid-registry",
+ "oid-registry 0.8.1",
  "rusticata-macros",
  "thiserror 2.0.12",
  "time",

Cargo.toml

@@ -24,7 +24,7 @@ bytes = { version = "1.4", default-features = false }
 data-encoding = { version = "2.3", default-features = false, features = ["alloc", "std"] }
 serde = { version = "1.0", features = ["derive"], default-features = false }
 serde_json = { version = "1.0", default-features = false }
-russh = { version = "0.54.1", features = ["des", "rsa", "aws-lc-rs"], default-features = false }
+russh = { version = "0.54.3", features = ["des", "rsa", "aws-lc-rs"], default-features = false }
 futures = { version = "0.3", default-features = false }
 tokio-stream = { version = "0.1.17", features = ["net"], default-features = false }
 tokio-rustls = { version = "0.26", default-features = false }
@@ -63,6 +63,15 @@ rand_core = { version = "0.6", features = ["std"], default-features = false }
 dialoguer = { version = "0.11", default-features = false, features = ["editor", "password"] }
 tokio = { version = "1.20", features = ["tracing", "signal", "macros", "rt-multi-thread", "io-util"], default-features = false }
 governor = { version = "0.10.0", default-features = false, features = ["std", "quanta", "jitter"] }
+rcgen = { version = "0.13", features = ["zeroize", "crypto", "aws_lc_rs", "pem", "x509-parser"], default-features = false }
+x509-parser = { version = "0.17.0", default-features = false }
+uuid = { version = "1.3", features = ["v4", "serde"], default-features = false }
+reqwest = { version = "0.12", features = [
+    "http2",                               # required for connecting to targets behind AWS ELB
+    "rustls-tls-native-roots-no-provider",
+    "stream",
+    "gzip",
+], default-features = false }
 
 [profile.release]
 lto = true

README.md

@@ -28,11 +28,11 @@
 
 ---
 
-Warpgate is a smart SSH, HTTPS, MySQL and PostgreSQL bastion host for Linux that doesn't need special client apps.
+Warpgate is a smart & fully transparent SSH, HTTPS, MySQL and PostgreSQL bastion host that doesn't require a client app or an SSH wrapper.
 
 * Set it up in your DMZ, add user accounts and easily assign them to specific hosts and URLs within the network.
 * Warpgate will record every session for you to view (live) and replay later through a built-in admin web UI.
-* Not a jump host - forwards your connections straight to the target instead.
+* Not a jump host - forwards connection straight to the target in a way that's fully transparent to the client.
 * Native 2FA and SSO support (TOTP & OpenID Connect)
 * Single binary with no dependencies.
 * Written in 100% safe Rust.

config-schema.json

@@ -19,7 +19,6 @@
       "default": {
         "certificate": "",
         "cookie_max_age": "1day",
-        "enable": false,
         "external_port": null,
         "key": "",
         "listen": "[::]:8888",
@@ -113,10 +112,6 @@
           "type": "string",
           "default": "1day"
         },
-        "enable": {
-          "type": "boolean",
-          "default": false
-        },
         "external_port": {
           "type": [
             "integer",

docker/Dockerfile

@@ -47,11 +47,10 @@ COPY --from=build /opt/warpgate/target/release/warpgate /usr/local/bin/warpgate
 
 VOLUME /data
 
-HEALTHCHECK CMD wget --no-verbose --tries=1 --no-check-certificate --spider http://localhost:8888/@warpgate/api/info || exit 1
+HEALTHCHECK CMD warpgate healthcheck
 
 ENV DOCKER=1
 
 USER warpgate
 ENTRYPOINT ["warpgate", "--config", "/data/warpgate.yaml"]
 CMD ["run"]
-

warpgate-common/src/config/mod.rs

@@ -226,9 +226,6 @@ pub struct SniCertificateConfig {
 
 #[derive(Debug, Deserialize, Serialize, Clone, JsonSchema)]
 pub struct HttpConfig {
-    #[serde(default = "_default_false")]
-    pub enable: bool,
-
     #[serde(default = "_default_http_listen")]
     pub listen: ListenEndpoint,
 
@@ -259,7 +256,6 @@ pub struct HttpConfig {
 impl Default for HttpConfig {
     fn default() -> Self {
         HttpConfig {
-            enable: false,
             listen: _default_http_listen(),
             external_port: None,
             certificate: "".to_owned(),

warpgate-common/src/types/listen_endpoint.rs

@@ -16,6 +16,10 @@ use crate::WarpgateError;
 pub struct ListenEndpoint(SocketAddr);
 
 impl ListenEndpoint {
+    pub fn address(&self) -> SocketAddr {
+        self.0
+    }
+
     pub fn addresses_to_listen_on(&self) -> Result<Vec<SocketAddr>, WarpgateError> {
         // For [::], explicitly return both addresses so that we are not affected
         // by the state of the ipv6only sysctl.

warpgate-protocol-http/Cargo.toml

@@ -16,12 +16,8 @@ http = { version = "1.0", default-features = false }
 once_cell = { version = "1.17", default-features = false }
 poem.workspace = true
 poem-openapi.workspace = true
-reqwest = { version = "0.12", features = [
-    "http2",                               # required for connecting to targets behind AWS ELB
-    "rustls-tls-native-roots-no-provider",
-    "stream",
-    "gzip",
-], default-features = false }
+reqwest.workspace = true
+rustls-pemfile.workspace = true
 sea-orm.workspace = true
 serde.workspace = true
 serde_json.workspace = true

warpgate-protocol-http/src/api/info.rs

@@ -124,11 +124,7 @@ impl Api {
                     } else {
                         None
                     },
-                    http: if config.store.http.enable {
-                        Some(config.store.http.external_port())
-                    } else {
-                        None
-                    },
+                    http: Some(config.store.http.external_port()),
                     mysql: if config.store.mysql.enable {
                         Some(config.store.mysql.external_port())
                     } else {

warpgate-protocol-ssh/src/keys.rs

@@ -47,7 +47,7 @@ pub fn generate_host_keys(config: &WarpgateConfig) -> Result<()> {
     Ok(())
 }
 
-pub fn load_host_keys(config: &WarpgateConfig) -> Result<PrivateKey, russh::keys::Error> {
+pub fn load_host_keys(config: &WarpgateConfig) -> Result<Vec<PrivateKey>, russh::keys::Error> {
     let path = get_keys_path(config);
     let mut keys = Vec::new();
 
@@ -55,8 +55,9 @@ pub fn load_host_keys(config: &WarpgateConfig) -> Result<PrivateKey, russh::keys
     keys.push(load_secret_key(key_path, None)?);
 
     let key_path = path.join("host-rsa");
+    keys.push(load_secret_key(key_path, None)?);
 
-    load_secret_key(key_path, None)
+    Ok(keys)
 }
 
 pub fn generate_client_keys(config: &WarpgateConfig) -> Result<()> {

warpgate-protocol-ssh/src/server/mod.rs

@@ -37,7 +37,7 @@ pub async fn run_server(services: Services, address: ListenEndpoint) -> Result<(
                     MethodKind::KeyboardInteractive,
                 ][..],
             ),
-            keys: vec![load_host_keys(&config)?],
+            keys: load_host_keys(&config)?,
             event_buffer_size: 100,
             nodelay: true,
             preferred: Preferred {

warpgate-protocol-ssh/src/server/session.rs

@@ -329,6 +329,16 @@ impl ServerSession {
         Ok(())
     }
 
+    /// Start connecting to the target if we aren't already.
+    ///
+    /// Timing of this call is important because if the client connection is
+    /// an interactive session *in principle* (e.g a normal interactive OpenSSH
+    /// session but maybe with some port forwards or agent)
+    /// Ideally, it needs to be called by the time we already have the interactive
+    /// channel open if we will ever have one to prevent bugs like
+    /// https://github.com/warp-tech/warpgate/issues/1286
+    /// where a PTY channel is required for the host key prompt, but we've connected
+    /// faster than the client could open one.
     pub async fn maybe_connect_remote(&mut self) -> Result<()> {
         match self.target.clone() {
             TargetSelection::None => {
@@ -1330,7 +1340,6 @@ impl ServerSession {
     async fn _agent_forward(&mut self, server_channel_id: ServerChannelId) -> Result<()> {
         let channel_id = self.map_channel(&server_channel_id)?;
         debug!(channel=%channel_id, "Requested Agent Forwarding");
-        let _ = self.maybe_connect_remote().await;
         self.send_command_and_wait(RCCommand::Channel(
             channel_id,
             ChannelOperation::AgentForward,

warpgate-web/package-lock.json

@@ -12,9 +12,9 @@
         "@cyclonedx/cyclonedx-npm": "^4.0.0",
         "@fontsource/poppins": "^5.2.6",
         "@fontsource/work-sans": "^5.2.6",
-        "@fortawesome/free-brands-svg-icons": "^6.7.2",
+        "@fortawesome/free-brands-svg-icons": "^7.0.0",
         "@fortawesome/free-regular-svg-icons": "^6.7.2",
-        "@fortawesome/free-solid-svg-icons": "^6.7.2",
+        "@fortawesome/free-solid-svg-icons": "^7.0.0",
         "@openapitools/openapi-generator-cli": "^2.21.4",
         "@otplib/plugin-base32-enc-dec": "^12.0.1",
         "@otplib/plugin-crypto-js": "^12.0.1",
@@ -809,18 +809,28 @@
       }
     },
     "node_modules/@fortawesome/free-brands-svg-icons": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@fortawesome/free-brands-svg-icons/-/free-brands-svg-icons-6.7.2.tgz",
-      "integrity": "sha512-zu0evbcRTgjKfrr77/2XX+bU+kuGfjm0LbajJHVIgBWNIDzrhpRxiCPNT8DW5AdmSsq7Mcf9D1bH0aSeSUSM+Q==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@fortawesome/free-brands-svg-icons/-/free-brands-svg-icons-7.0.0.tgz",
+      "integrity": "sha512-C8oY28gq/Qx/cHReJa2AunKJUHvUZDVoPlSTHtAvjriaNfi+5nugW4cx7yA/xN3f/nYkElw11gFBoJ2xUDDFgg==",
       "dev": true,
       "license": "(CC-BY-4.0 AND MIT)",
       "dependencies": {
-        "@fortawesome/fontawesome-common-types": "6.7.2"
+        "@fortawesome/fontawesome-common-types": "7.0.0"
       },
       "engines": {
         "node": ">=6"
       }
     },
+    "node_modules/@fortawesome/free-brands-svg-icons/node_modules/@fortawesome/fontawesome-common-types": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@fortawesome/fontawesome-common-types/-/fontawesome-common-types-7.0.0.tgz",
+      "integrity": "sha512-PGMrIYXLGA5K8RWy8zwBkd4vFi4z7ubxtet6Yn13Plf6krRTwPbdlCwlcfmoX0R7B4Z643QvrtHmdQ5fNtfFCg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/@fortawesome/free-regular-svg-icons": {
       "version": "6.7.2",
       "resolved": "https://registry.npmjs.org/@fortawesome/free-regular-svg-icons/-/free-regular-svg-icons-6.7.2.tgz",
@@ -835,18 +845,28 @@
       }
     },
     "node_modules/@fortawesome/free-solid-svg-icons": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@fortawesome/free-solid-svg-icons/-/free-solid-svg-icons-6.7.2.tgz",
-      "integrity": "sha512-GsBrnOzU8uj0LECDfD5zomZJIjrPhIlWU82AHwa2s40FKH+kcxQaBvBo3Z4TxyZHIyX8XTDxsyA33/Vx9eFuQA==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@fortawesome/free-solid-svg-icons/-/free-solid-svg-icons-7.0.0.tgz",
+      "integrity": "sha512-njSLAllkOddYDCXgTFboXn54Oe5FcvpkWq+FoetOHR64PbN0608kM02Lze0xtISGpXgP+i26VyXRQA0Irh3Obw==",
       "dev": true,
       "license": "(CC-BY-4.0 AND MIT)",
       "dependencies": {
-        "@fortawesome/fontawesome-common-types": "6.7.2"
+        "@fortawesome/fontawesome-common-types": "7.0.0"
       },
       "engines": {
         "node": ">=6"
       }
     },
+    "node_modules/@fortawesome/free-solid-svg-icons/node_modules/@fortawesome/fontawesome-common-types": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@fortawesome/fontawesome-common-types/-/fontawesome-common-types-7.0.0.tgz",
+      "integrity": "sha512-PGMrIYXLGA5K8RWy8zwBkd4vFi4z7ubxtet6Yn13Plf6krRTwPbdlCwlcfmoX0R7B4Z643QvrtHmdQ5fNtfFCg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/@humanfs/core": {
       "version": "0.19.1",
       "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",

warpgate-web/package.json

@@ -21,9 +21,9 @@
     "@cyclonedx/cyclonedx-npm": "^4.0.0",
     "@fontsource/poppins": "^5.2.6",
     "@fontsource/work-sans": "^5.2.6",
-    "@fortawesome/free-brands-svg-icons": "^6.7.2",
+    "@fortawesome/free-brands-svg-icons": "^7.0.0",
     "@fortawesome/free-regular-svg-icons": "^6.7.2",
-    "@fortawesome/free-solid-svg-icons": "^6.7.2",
+    "@fortawesome/free-solid-svg-icons": "^7.0.0",
     "@openapitools/openapi-generator-cli": "^2.21.4",
     "@otplib/plugin-base32-enc-dec": "^12.0.1",
     "@otplib/plugin-crypto-js": "^12.0.1",

warpgate/Cargo.toml

@@ -18,7 +18,8 @@ dialoguer.workspace = true
 enum_dispatch.workspace = true
 futures.workspace = true
 notify = { version = "8.0", default-features = false, features = ["fsevent-sys"] }
-rcgen = { version = "0.13", features = ["zeroize", "crypto", "aws_lc_rs", "pem"], default-features = false }
+rcgen.workspace = true
+reqwest.workspace = true
 rustls.workspace = true
 serde_json.workspace = true
 serde_yaml = { version = "0.9", default-features = false }

warpgate/src/commands/check.rs

@@ -6,18 +6,16 @@ use crate::config::load_config;
 
 pub(crate) async fn command(cli: &crate::Cli) -> Result<()> {
     let config = load_config(&cli.config, true)?;
-    if config.store.http.enable {
-        TlsCertificateBundle::from_file(
-            config
-                .paths_relative_to
-                .join(&config.store.http.certificate),
-        )
+    TlsCertificateBundle::from_file(
+        config
+            .paths_relative_to
+            .join(&config.store.http.certificate),
+    )
+    .await
+    .with_context(|| "Checking HTTPS certificate".to_string())?;
+    TlsPrivateKey::from_file(config.paths_relative_to.join(&config.store.http.key))
         .await
-        .with_context(|| "Checking HTTPS certificate".to_string())?;
-        TlsPrivateKey::from_file(config.paths_relative_to.join(&config.store.http.key))
-            .await
-            .with_context(|| "Checking HTTPS key".to_string())?;
-    }
+        .with_context(|| "Checking HTTPS key".to_string())?;
     if config.store.mysql.enable {
         TlsCertificateBundle::from_file(
             config

warpgate/src/commands/healthcheck.rs

@@ -0,0 +1,27 @@
+use anyhow::{Context, Result};
+use tokio::time::timeout;
+
+use crate::config::load_config;
+
+pub(crate) async fn command(cli: &crate::Cli) -> Result<()> {
+    let config = load_config(&cli.config, true)?;
+
+    let url = format!(
+        "https://{}/@warpgate/api/info",
+        config.store.http.listen.address()
+    );
+
+    let client = reqwest::Client::builder()
+        .danger_accept_invalid_certs(true)
+        .use_rustls_tls()
+        .build()?;
+
+    let response = timeout(std::time::Duration::from_secs(5), client.get(&url).send())
+        .await
+        .context("Timeout")?
+        .context("Failed to send request")?;
+
+    response.error_for_status()?;
+
+    Ok(())
+}

warpgate/src/commands/mod.rs

@@ -1,6 +1,7 @@
 pub mod check;
 pub mod client_keys;
 mod common;
+pub mod healthcheck;
 pub mod recover_access;
 pub mod run;
 pub mod setup;

warpgate/src/commands/run.rs

@@ -60,6 +60,14 @@ pub(crate) async fn command(cli: &crate::Cli, enable_admin_token: bool) -> Resul
 
     let mut protocol_futures = futures::stream::FuturesUnordered::new();
 
+    protocol_futures.push(
+        run_protocol_server(
+            HTTPProtocolServer::new(&services).await?,
+            config.store.http.listen.clone(),
+        )
+        .boxed(),
+    );
+
     if config.store.ssh.enable {
         protocol_futures.push(
             run_protocol_server(
@@ -70,16 +78,6 @@ pub(crate) async fn command(cli: &crate::Cli, enable_admin_token: bool) -> Resul
         );
     }
 
-    if config.store.http.enable {
-        protocol_futures.push(
-            run_protocol_server(
-                HTTPProtocolServer::new(&services).await?,
-                config.store.http.listen.clone(),
-            )
-            .boxed(),
-        );
-    }
-
     if config.store.mysql.enable {
         protocol_futures.push(
             run_protocol_server(

warpgate/src/commands/setup.rs

@@ -74,13 +74,7 @@ pub(crate) async fn command(cli: &crate::Cli) -> Result<()> {
     );
 
     let theme = ColorfulTheme::default();
-    let mut store = WarpgateConfigStore {
-        http: HttpConfig {
-            enable: true,
-            ..Default::default()
-        },
-        ..Default::default()
-    };
+    let mut store = WarpgateConfigStore::default();
 
     // ---
 
@@ -138,7 +132,6 @@ pub(crate) async fn command(cli: &crate::Cli) -> Result<()> {
         }
     });
 
-    store.http.enable = true;
     if let Commands::UnattendedSetup { http_port, .. } = &cli.command {
         store.http.listen =
             ListenEndpoint::from(SocketAddr::new(Ipv6Addr::UNSPECIFIED.into(), *http_port));

warpgate/src/logging.rs

@@ -28,10 +28,10 @@ pub async fn init_logging(config: Option<&WarpgateConfig>, cli: &Cli) {
 
     let registry = tracing_subscriber::registry();
 
-    #[cfg(all(debug_assertions, feature = "tokio-console"))]
-    let console_layer = console_subscriber::spawn();
-    #[cfg(all(debug_assertions, feature = "tokio-console"))]
-    let registry = registry.with(console_layer);
+    // #[cfg(all(debug_assertions, feature = "tokio-console"))]
+    // let console_layer = console_subscriber::spawn();
+    // #[cfg(all(debug_assertions, feature = "tokio-console"))]
+    // let registry = registry.with(console_layer);
 
     let socket_layer = match config {
         Some(config) => Some(make_socket_logger_layer(config).await),

warpgate/src/main.rs

@@ -93,6 +93,8 @@ pub(crate) enum Commands {
     },
     /// Show version information
     Version,
+    /// Automatic healthcheck for running Warpgate in a container
+    Healthcheck,
 }
 
 async fn _main() -> Result<()> {
@@ -124,6 +126,7 @@ async fn _main() -> Result<()> {
         Commands::RecoverAccess { username } => {
             crate::commands::recover_access::command(&cli, username).await
         }
+        Commands::Healthcheck => crate::commands::healthcheck::command(&cli).await,
     }
 }