fix(toolbox): persist R3 fanout to the Go engine ports 809x (was 808x Python) (ref #662)

The nft drop-in is what nftables.service re-applies at boot; pointing it at
the Go workers makes the #662 cutover survive a reboot. Rollback = 809x→808x.
Live /etc/nftables.d/zz-secubox-toolbox-wg-fanout.nft already updated + dry-run
validated (nft -c -f exit 0).

packages/secubox-toolbox-ng/cmd/sbxmitm/main.go

@@ -336,7 +336,16 @@ func (px *Proxy) mitmPipeline(tconn *tls.Conn, rawClient net.Conn, host, verdict
 	req.Header.Set("Accept-Encoding", "gzip")
 
 	// proxy upstream, inject into HTML bodies.
-	up := &http.Client{Timeout: 30 * time.Second}
+	//
+	// CheckRedirect: a MITM proxy must NOT follow 3xx itself — it relays the
+	// redirect to the client so the BROWSER follows it (correct URL bar, origin,
+	// cookie scope, method semantics). Go's http.Client follows by default, which
+	// would collapse a 301/302 into the final 200 under the original URL (wrong).
+	// Mirror mitmproxy's pass-through behaviour.
+	up := &http.Client{
+		Timeout:       30 * time.Second,
+		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
+	}
 	if dialHost != "" {
 		// Transparent: pin the TCP dial to the captured original-dst, do TLS with
 		// ServerName=host, verify the cert against host (verification stays ON).

packages/secubox-toolbox-ng/debian/changelog

@@ -1,3 +1,12 @@
+secubox-toolbox-ng (0.1.4-1~bookworm1) bookworm; urgency=medium
+
+  * proxy: do NOT follow upstream redirects — relay 3xx to the client so the
+    browser follows it (correct URL/origin/cookies). Go's default http.Client
+    followed them, collapsing 301/302 into a final 200 under the original URL.
+    (ref #662)
+
+ -- Gerald KERMA <devel@cybermind.fr>  Wed, 18 Jun 2026 20:10:00 +0000
+
 secubox-toolbox-ng (0.1.3-1~bookworm1) bookworm; urgency=medium
 
   * banner: inject into COMPRESSED HTML too. Pin upstream Accept-Encoding to gzip

packages/secubox-toolbox/nftables.d/secubox-toolbox-wg-fanout.nft

@@ -3,7 +3,12 @@
 #
 # REPLACES the prerouting rules from secubox-toolbox-wg.nft :
 #   iif wg-toolbox tcp dport 443 dnat ip to 10.99.1.1:8081  (single port)
-# with a round-robin numgen mapping to ports 8081..8084.
+# with a round-robin numgen mapping to ports 8091..8094.
+#
+# #662 CUTOVER (2026-06-18): the fanout now targets the Go MITM engine
+# (secubox-toolbox-ng-worker@{1..4}, transparent on 10.99.1.1:809%i) instead
+# of the Python mitmproxy workers (808%i). Rollback = change 809x → 808x below
+# and `nft -f` this file (the Python workers are kept warm for that).
 #
 # Why numgen inc and not jhash : nftables 1.0.6 (Debian bookworm) doesn't
 # support `jhash` in numgen yet (lands in 1.0.7+).  `inc` is round-robin
@@ -25,19 +30,20 @@ table inet wg-toolbox {
         # Phase 9 (#501) — 4-worker round-robin DNAT.  numgen returns
         # 0..3 ; the map sends each to one of the 4 worker ports on
         # 10.99.1.1.  Conntrack pins the choice for the whole flow.
+        # #662: ports are 809x (Go engine), was 808x (Python).
         iif "wg-toolbox" tcp dport 443 dnat ip to 10.99.1.1 \
             : numgen inc mod 4 map {
-                0 : 8081,
-                1 : 8082,
-                2 : 8083,
-                3 : 8084
+                0 : 8091,
+                1 : 8092,
+                2 : 8093,
+                3 : 8094
             }
         iif "wg-toolbox" tcp dport 80 dnat ip to 10.99.1.1 \
             : numgen inc mod 4 map {
-                0 : 8081,
-                1 : 8082,
-                2 : 8083,
-                3 : 8084
+                0 : 8091,
+                1 : 8092,
+                2 : 8093,
+                3 : 8094
             }
 
         # Phase 7 (#498) — DNS DNAT for legacy peer configs that hand out