## Summary
Adds an optional **HTTPS mode for the Prometheus `/metrics` endpoint**,
and bundles three supporting improvements that surfaced while building
and testing it: more reliable `libmicrohttpd` detection in `configure`, a fix for slow
`turnserver` startup on macOS, and expanded, more robust Prometheus tests.
## Changes
### 1. Optional HTTPS for the Prometheus exporter
The exporter previously served `/metrics` over plain HTTP only. It can
now optionally serve over HTTPS via libmicrohttpd's TLS support.
- `--prometheus-tls` — serve the metrics endpoint over HTTPS instead of
HTTP.
- `--prometheus-cert <file>` / `--prometheus-key <file>` — PEM cert/key
for the endpoint; default to the server's own `--cert` / `--pkey` when
unset.
`start_prometheus_server()` reads the cert and key into memory, enables
`MHD_USE_TLS`, and passes them via `MHD_OPTION_HTTPS_MEM_CERT` /
`MHD_OPTION_HTTPS_MEM_KEY`. If TLS is requested but either file cannot be
loaded, or libmicrohttpd was built without TLS support, the exporter logs
an error and is not started; it never falls back to plaintext. Note that
the defaults reuse the TURN server's own `--cert` / `--pkey`, so the
metrics endpoint then presents the same identity as the TURN listener;
pass `--prometheus-cert` / `--prometheus-key` to give it separate
material. The startup log now notes the `(http)`/`(https)` scheme.
`docs/Prometheus.md` documents the new flags.
*(`src/apps/relay/prom_server.c`, `mainrelay.c`, `mainrelay.h`,
`docs/Prometheus.md`)*
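The fail-closed shape of that logic, as an added example in C that is not coturn's own `prom_server.c`: resolve the `--prometheus-*` paths with fallback to `--cert`/`--pkey`, load both PEM files into memory, and return nothing unless both succeeded, so the caller cannot start a half-configured listener. `prom_tls_load`, `prom_tls_free`, `prom_start`, `write_text_file` and the `HAVE_LIBMICROHTTPD` guard are hypothetical names; the `MHD_*` calls are libmicrohttpd's real API (0.9.53 or newer for `MHD_USE_TLS`) and are compiled only when that header is available.

```c
/* Added example (not coturn's prom_server.c): fail-closed TLS setup for a
 * libmicrohttpd-based /metrics endpoint.  prom_tls_load, prom_tls_free,
 * prom_start, write_text_file and HAVE_LIBMICROHTTPD are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_LIBMICROHTTPD
#include <microhttpd.h>
#endif

struct prom_tls_config {
    char *cert_pem; /* NUL-terminated PEM text, heap-allocated */
    char *key_pem;
};

/* Read a whole file into a NUL-terminated buffer; NULL on any failure or empty file. */
static char *load_pem_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    char *buf = NULL;
    long len;
    if (fseek(f, 0, SEEK_END) != 0 || (len = ftell(f)) <= 0 || fseek(f, 0, SEEK_SET) != 0) goto out;
    buf = malloc((size_t)len + 1);
    if (!buf) goto out;
    if (fread(buf, 1, (size_t)len, f) != (size_t)len) { free(buf); buf = NULL; goto out; }
    buf[len] = '\0';
out:
    fclose(f);
    return buf;
}

void prom_tls_free(struct prom_tls_config *cfg) {
    if (!cfg) return;
    if (cfg->key_pem) memset(cfg->key_pem, 0, strlen(cfg->key_pem)); /* scrub the private key */
    free(cfg->cert_pem);
    free(cfg->key_pem);
    free(cfg);
}

/* --prometheus-cert/--prometheus-key win; NULL or empty falls back to --cert/--pkey.
 * Returns NULL unless BOTH files were read, so the caller never starts half-configured. */
struct prom_tls_config *prom_tls_load(const char *prom_cert, const char *prom_key,
                                      const char *server_cert, const char *server_key) {
    const char *cert_path = (prom_cert && *prom_cert) ? prom_cert : server_cert;
    const char *key_path = (prom_key && *prom_key) ? prom_key : server_key;
    if (!cert_path || !*cert_path || !key_path || !*key_path) {
        fprintf(stderr, "prometheus: TLS requested but no certificate/key configured\n");
        return NULL;
    }
    struct prom_tls_config *cfg = calloc(1, sizeof *cfg);
    if (!cfg) return NULL;
    cfg->cert_pem = load_pem_file(cert_path);
    cfg->key_pem = load_pem_file(key_path);
    if (!cfg->cert_pem || !cfg->key_pem) {
        fprintf(stderr, "prometheus: cannot read %s; endpoint will not start\n",
                cfg->cert_pem ? key_path : cert_path);
        prom_tls_free(cfg);
        return NULL;
    }
    return cfg;
}

#ifdef HAVE_LIBMICROHTTPD
/* tls == NULL -> plain HTTP; otherwise refuse to start unless the library has TLS. */
struct MHD_Daemon *prom_start(unsigned short port, const struct prom_tls_config *tls,
                              MHD_AccessHandlerCallback handler, void *cls) {
    unsigned int flags = MHD_USE_INTERNAL_POLLING_THREAD;
    if (!tls)
        return MHD_start_daemon(flags, port, NULL, NULL, handler, cls, MHD_OPTION_END);
    if (!MHD_is_feature_supported(MHD_FEATURE_TLS)) {
        fprintf(stderr, "prometheus: libmicrohttpd was built without TLS support\n");
        return NULL;
    }
    return MHD_start_daemon(flags | MHD_USE_TLS, port, NULL, NULL, handler, cls,
                            MHD_OPTION_HTTPS_MEM_CERT, tls->cert_pem,
                            MHD_OPTION_HTTPS_MEM_KEY, tls->key_pem,
                            MHD_OPTION_END);
}
#endif

/* Helper for exercising the loader: create a small text file; 0 on success. */
int write_text_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}
```

Two practical caveats: libmicrohttpd implements TLS with GnuTLS, not OpenSSL, so the PEM files must be in a form GnuTLS parses (a passphrase-protected key is not handled by this example); and after start-up the deployment should confirm the listener really is TLS by sending a plaintext HTTP request to the port and expecting it to fail, which is the kind of check the test script in this PR performs.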
### 2. Reliable `libmicrohttpd` detection in `configure`
The autotools `configure` probed libmicrohttpd with a bare `cc
-lmicrohttpd` link test (no include/lib paths), so it failed to find
Homebrew-installed libmicrohttpd on macOS and silently disabled
Prometheus — even though OpenSSL/libevent (also Homebrew) were found via
pkg-config. `configure` now detects libmicrohttpd via `pkg-config` first
(matching how libssl/libevent are already detected), falling back to the
bare link probe on platforms without a `.pc` file. `./configure && make`
now builds the exporter on macOS without manual `CFLAGS`/`LDFLAGS`.
*(`configure`)*
### 3. Faster `turnserver` startup on macOS
macOS lacks `pthread_barrier_*`, so the thread-startup rendezvous in
`netengine.c` degraded to a flat `sleep(5)` — adding ~5s to every
startup (and it was racy: threads proceeded even if setup took longer
than the fixed sleep). Replaced the shim with a real portable barrier
built on a mutex + condition variable, behind a unified macro API:
**native `pthread_barrier` is still used on Linux**, the portable
barrier is used only where it is unavailable. The previous racy
`sched_yield()` spin-wait fallback is removed as well.
*(`src/apps/relay/netengine.c`)*
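The portable barrier described above, as an added example in C that is not coturn's `netengine.c`: a mutex, a condition variable and a generation counter (which makes the barrier reusable and immune to spurious wakeups), behind a macro API that keeps the native `pthread_barrier` where `PTHREAD_BARRIER_SERIAL_THREAD` is defined (Linux) and uses the portable one elsewhere (macOS). The drill at the end shows why the old fixed sleep was racy: threads with setup of differing length rendezvous, then each checks that every sibling had finished setup before anyone proceeded. `pbarrier_*`, `startup_barrier_*` and `startup_drill` are hypothetical names; build with `-pthread`.

```c
/* Added example, not coturn's netengine.c: a portable startup barrier (mutex +
 * condition variable + generation counter) behind a unified macro API that
 * keeps native pthread_barrier where it exists.  pbarrier_*, startup_barrier_*
 * and startup_drill are hypothetical names.  Build with -pthread. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

typedef struct {
    pthread_mutex_t mtx;
    pthread_cond_t cv;
    unsigned needed, waiting;  /* parties per cycle / arrived so far in this cycle */
    unsigned long generation;  /* bumped when a cycle completes: reusable, spurious-wakeup safe */
} pbarrier_t;

int pbarrier_init(pbarrier_t *b, unsigned n) {
    if (n == 0 || pthread_mutex_init(&b->mtx, NULL) != 0) return -1;
    if (pthread_cond_init(&b->cv, NULL) != 0) { pthread_mutex_destroy(&b->mtx); return -1; }
    b->needed = n; b->waiting = 0; b->generation = 0;
    return 0;
}

/* Returns 1 for the last arrival (cf. PTHREAD_BARRIER_SERIAL_THREAD), 0 for the others. */
int pbarrier_wait(pbarrier_t *b) {
    pthread_mutex_lock(&b->mtx);
    unsigned long gen = b->generation;
    if (++b->waiting == b->needed) {
        b->waiting = 0; b->generation++;
        pthread_cond_broadcast(&b->cv);
        pthread_mutex_unlock(&b->mtx);
        return 1;
    }
    while (gen == b->generation)  /* loop: pthread_cond_wait may return spuriously */
        pthread_cond_wait(&b->cv, &b->mtx);
    pthread_mutex_unlock(&b->mtx);
    return 0;
}

void pbarrier_destroy(pbarrier_t *b) { pthread_cond_destroy(&b->cv); pthread_mutex_destroy(&b->mtx); }

/* Unified API: PTHREAD_BARRIER_SERIAL_THREAD exists only where pthread_barrier_t does. */
#ifdef PTHREAD_BARRIER_SERIAL_THREAD
typedef pthread_barrier_t startup_barrier_t;
#define startup_barrier_init(b, n) pthread_barrier_init((b), NULL, (n))
#define startup_barrier_wait(b) (pthread_barrier_wait(b) == PTHREAD_BARRIER_SERIAL_THREAD)
#define startup_barrier_destroy(b) pthread_barrier_destroy(b)
#else
typedef pbarrier_t startup_barrier_t;
#define startup_barrier_init(b, n) pbarrier_init((b), (n))
#define startup_barrier_wait(b) pbarrier_wait(b)
#define startup_barrier_destroy(b) pbarrier_destroy(b)
#endif

/* Drill: uses pbarrier_t directly so the portable path is exercised on every platform. */
struct drill { pbarrier_t bar; pthread_mutex_t lock; unsigned n, ready, violations, serial; int use_barrier; };
struct worker_arg { struct drill *d; unsigned idx; };

static void sleep_us(long us) {
    struct timespec ts = { us / 1000000L, (us % 1000000L) * 1000L };
    nanosleep(&ts, NULL);
}

static void *worker(void *arg) {
    struct worker_arg *w = arg;
    struct drill *d = w->d;
    sleep_us((w->idx * 1300L) % 5000L);                 /* simulated per-thread setup, 0..4.9 ms */
    pthread_mutex_lock(&d->lock); d->ready++; pthread_mutex_unlock(&d->lock);
    if (d->use_barrier) {
        int serial = pbarrier_wait(&d->bar);
        pthread_mutex_lock(&d->lock); d->serial += serial; pthread_mutex_unlock(&d->lock);
    } else {
        sleep_us(1000);                                   /* the old shim: a fixed, hopeful sleep */
    }
    pthread_mutex_lock(&d->lock);
    if (d->ready != d->n) d->violations++;               /* ran ahead of a sibling's setup */
    pthread_mutex_unlock(&d->lock);
    return NULL;
}

/* Returns how many threads passed the rendezvous before all setup was done (always 0
 * with the barrier).  *serial_out receives how many threads got the serial return. */
unsigned startup_drill(unsigned n, int use_barrier, unsigned *serial_out) {
    struct drill d = { .n = n, .use_barrier = use_barrier };
    if (pthread_mutex_init(&d.lock, NULL) != 0 || pbarrier_init(&d.bar, n) != 0) return n;
    pthread_t *tids = malloc(n * sizeof *tids);
    struct worker_arg *args = malloc(n * sizeof *args);
    for (unsigned i = 0; i < n; i++) { args[i].d = &d; args[i].idx = i; pthread_create(&tids[i], NULL, worker, &args[i]); }
    for (unsigned i = 0; i < n; i++) pthread_join(tids[i], NULL);
    free(tids); free(args);
    pbarrier_destroy(&d.bar); pthread_mutex_destroy(&d.lock);
    if (serial_out) *serial_out = d.serial;
    return d.violations;
}

unsigned startup_drill_serial(unsigned n) { unsigned s = 0; startup_drill(n, 1, &s); return s; }

int main(void) {
    unsigned serial = 0;
    printf("barrier:     %u violations, %u serial thread(s)\n", startup_drill(8, 1, &serial), serial);
    printf("fixed sleep: %u violations\n", startup_drill(8, 0, NULL));
    return 0;
}
```

With the barrier the drill reports zero violations and exactly one serial thread per cycle; with the fixed 1 ms sleep it normally reports several, because threads whose setup took 1.3 ms or more are still running when the early ones proceed, which is the same race the old `sleep(5)` shim had whenever startup took longer than five seconds.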
### 4. Prometheus test coverage + robustness
`examples/run_tests_prom.sh` now also covers the HTTPS endpoint: explicit
cert/key, cert/key inherited from `--cert`/`--pkey`, a check that the TLS
endpoint rejects plaintext HTTP, and a negative test that an unreadable
cert keeps the endpoint down rather than degrading to HTTP. Readiness is
detected by polling the endpoint and the server log instead of fixed
`sleep` intervals, which makes the suite both faster (~70s → ~2s) and
less flaky.
*(`examples/run_tests_prom.sh`)*
## New flags
| Flag | Description |
|---|---|
| `--prometheus-tls` | Serve `/metrics` over HTTPS. Requires libmicrohttpd built with TLS support. |
| `--prometheus-cert <file>` | PEM certificate for the HTTPS endpoint (default: the server's `--cert`). |
| `--prometheus-key <file>` | PEM private key for the HTTPS endpoint (default: the server's `--pkey`). |
## Validation
- **macOS** (portable-barrier path): `clang-format` clean, 10/10 unit
tests, and `run_tests.sh` / `run_tests_conf.sh` /
`run_tests_multiplex_peer.sh` / `run_tests_prom.sh` all pass. Exporter
now reachable at startup `t=0` (was `t=5`).
- **Linux** (Docker, native-`pthread_barrier` path): clean build, 9/9
unit tests, and all four system-test suites pass (TCP/TLS/UDP/DTLS).
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>