chore(restructure): reorganize project layout

- Reorganize internal packages and overall project structure
- Update imports and wiring to match the new layout
- Separate HTTP parsing and streaming from the server package
- Separate middleware from the server package
- Separate session registry from the session package
- Move HTTP, HTTPS, and TCP servers to the transport package
- Session package no longer starts the TCP server directly
- Server package no longer starts HTTP/HTTPS servers on initialization
- Forwarder no longer handles accepting TCP requests
- Move session details to the types package
- HTTP/HTTPS initialization is now the responsibility of main

internal/grpc/client/client.go

@@ -8,10 +8,9 @@ import (
 	"log"
 	"time"
 	"tunnel_pls/internal/config"
+	"tunnel_pls/internal/registry"
 	"tunnel_pls/types"
 
-	"tunnel_pls/session"
-
 	proto "git.fossy.my.id/bagas/tunnel-please-grpc/gen"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -32,13 +31,13 @@ type Client interface {
 type client struct {
 	conn                       *grpc.ClientConn
 	address                    string
-	sessionRegistry            session.Registry
+	sessionRegistry            registry.Registry
 	eventService               proto.EventServiceClient
 	authorizeConnectionService proto.UserServiceClient
 	closing                    bool
 }
 
-func New(address string, sessionRegistry session.Registry) (Client, error) {
+func New(address string, sessionRegistry registry.Registry) (Client, error) {
 	var opts []grpc.DialOption
 
 	opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))

internal/http/header/header.go

@@ -1,4 +1,4 @@
-package httpheader
+package header
 
 type ResponseHeader interface {
 	Value(key string) string

internal/http/header/parser.go

@@ -1,4 +1,4 @@
-package httpheader
+package header
 
 import (
 	"bufio"

internal/http/header/request.go

@@ -1,11 +1,11 @@
-package httpheader
+package header
 
 import (
 	"bufio"
 	"fmt"
 )
 
-func NewRequestHeader(r interface{}) (RequestHeader, error) {
+func NewRequest(r interface{}) (RequestHeader, error) {
 	switch v := r.(type) {
 	case []byte:
 		return parseHeadersFromBytes(v)

internal/http/header/response.go

@@ -1,11 +1,11 @@
-package httpheader
+package header
 
 import (
 	"bytes"
 	"fmt"
 )
 
-func NewResponseHeader(headerData []byte) (ResponseHeader, error) {
+func NewResponse(headerData []byte) (ResponseHeader, error) {
 	header := &responseHeader{
 		startLine: nil,
 		headers:   make(map[string]string, 16),

internal/http/stream/parser.go

@@ -0,0 +1,29 @@
+package stream
+
+import "bytes"
+
+func splitHeaderAndBody(data []byte, delimiterIdx int) ([]byte, []byte) {
+	headerByte := data[:delimiterIdx+len(DELIMITER)]
+	body := data[delimiterIdx+len(DELIMITER):]
+	return headerByte, body
+}
+
+func isHTTPHeader(buf []byte) bool {
+	lines := bytes.Split(buf, []byte("\r\n"))
+
+	startLine := string(lines[0])
+	if !requestLine.MatchString(startLine) && !responseLine.MatchString(startLine) {
+		return false
+	}
+
+	for _, line := range lines[1:] {
+		if len(line) == 0 {
+			break
+		}
+		colonIdx := bytes.IndexByte(line, ':')
+		if colonIdx <= 0 {
+			return false
+		}
+	}
+	return true
+}

internal/http/stream/reader.go

@@ -0,0 +1,50 @@
+package stream
+
+import (
+	"bytes"
+	"tunnel_pls/internal/http/header"
+)
+
+func (hs *http) Read(p []byte) (int, error) {
+	tmp := make([]byte, len(p))
+	read, err := hs.reader.Read(tmp)
+	if read == 0 && err != nil {
+		return 0, err
+	}
+
+	tmp = tmp[:read]
+
+	headerEndIdx := bytes.Index(tmp, DELIMITER)
+	if headerEndIdx == -1 {
+		return handleNoDelimiter(p, tmp, err)
+	}
+
+	headerByte, bodyByte := splitHeaderAndBody(tmp, headerEndIdx)
+
+	if !isHTTPHeader(headerByte) {
+		copy(p, tmp)
+		return read, nil
+	}
+
+	return hs.processHTTPRequest(p, headerByte, bodyByte)
+}
+
+func (hs *http) processHTTPRequest(p, headerByte, bodyByte []byte) (int, error) {
+	reqhf, err := header.NewRequest(headerByte)
+	if err != nil {
+		return 0, err
+	}
+
+	if err = hs.ApplyRequestMiddlewares(reqhf); err != nil {
+		return 0, err
+	}
+
+	hs.reqHeader = reqhf
+	combined := append(reqhf.Finalize(), bodyByte...)
+	return copy(p, combined), nil
+}
+
+func handleNoDelimiter(p, tmp []byte, err error) (int, error) {
+	copy(p, tmp)
+	return len(tmp), err
+}

internal/http/stream/stream.go

@@ -0,0 +1,103 @@
+package stream
+
+import (
+	"io"
+	"log"
+	"net"
+	"regexp"
+	"tunnel_pls/internal/http/header"
+	"tunnel_pls/internal/middleware"
+)
+
+var DELIMITER = []byte{0x0D, 0x0A, 0x0D, 0x0A}
+var requestLine = regexp.MustCompile(`^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/\d\.\d$`)
+var responseLine = regexp.MustCompile(`^HTTP/\d\.\d \d{3} .+`)
+
+type HTTP interface {
+	io.ReadWriteCloser
+	CloseWrite() error
+	RemoteAddr() net.Addr
+	UseResponseMiddleware(mw middleware.ResponseMiddleware)
+	UseRequestMiddleware(mw middleware.RequestMiddleware)
+	SetRequestHeader(header header.RequestHeader)
+	RequestMiddlewares() []middleware.RequestMiddleware
+	ResponseMiddlewares() []middleware.ResponseMiddleware
+	ApplyResponseMiddlewares(resphf header.ResponseHeader, body []byte) error
+	ApplyRequestMiddlewares(reqhf header.RequestHeader) error
+}
+
+type http struct {
+	remoteAddr net.Addr
+	writer     io.Writer
+	reader     io.Reader
+	headerBuf  []byte
+	buf        []byte
+	respHeader header.ResponseHeader
+	reqHeader  header.RequestHeader
+	respMW     []middleware.ResponseMiddleware
+	reqMW      []middleware.RequestMiddleware
+}
+
+func New(writer io.Writer, reader io.Reader, remoteAddr net.Addr) HTTP {
+	return &http{
+		remoteAddr: remoteAddr,
+		writer:     writer,
+		reader:     reader,
+		buf:        make([]byte, 0, 4096),
+	}
+}
+
+func (hs *http) RemoteAddr() net.Addr {
+	return hs.remoteAddr
+}
+
+func (hs *http) UseResponseMiddleware(mw middleware.ResponseMiddleware) {
+	hs.respMW = append(hs.respMW, mw)
+}
+
+func (hs *http) UseRequestMiddleware(mw middleware.RequestMiddleware) {
+	hs.reqMW = append(hs.reqMW, mw)
+}
+
+func (hs *http) SetRequestHeader(header header.RequestHeader) {
+	hs.reqHeader = header
+}
+
+func (hs *http) RequestMiddlewares() []middleware.RequestMiddleware {
+	return hs.reqMW
+}
+
+func (hs *http) ResponseMiddlewares() []middleware.ResponseMiddleware {
+	return hs.respMW
+}
+
+func (hs *http) Close() error {
+	return hs.writer.(io.Closer).Close()
+}
+
+func (hs *http) CloseWrite() error {
+	if closer, ok := hs.writer.(interface{ CloseWrite() error }); ok {
+		return closer.CloseWrite()
+	}
+	return hs.Close()
+}
+
+func (hs *http) ApplyRequestMiddlewares(reqhf header.RequestHeader) error {
+	for _, m := range hs.RequestMiddlewares() {
+		if err := m.HandleRequest(reqhf); err != nil {
+			log.Printf("Error when applying request middleware: %v", err)
+			return err
+		}
+	}
+	return nil
+}
+
+func (hs *http) ApplyResponseMiddlewares(resphf header.ResponseHeader, bodyByte []byte) error {
+	for _, m := range hs.ResponseMiddlewares() {
+		if err := m.HandleResponse(resphf, bodyByte); err != nil {
+			log.Printf("Cannot apply middleware: %s\n", err)
+			return err
+		}
+	}
+	return nil
+}

internal/http/stream/writer.go

@@ -0,0 +1,88 @@
+package stream
+
+import (
+	"bytes"
+	"tunnel_pls/internal/http/header"
+)
+
+func (hs *http) Write(p []byte) (int, error) {
+	if hs.shouldBypassBuffering(p) {
+		hs.respHeader = nil
+	}
+
+	if hs.respHeader != nil {
+		return hs.writer.Write(p)
+	}
+
+	hs.buf = append(hs.buf, p...)
+
+	headerEndIdx := bytes.Index(hs.buf, DELIMITER)
+	if headerEndIdx == -1 {
+		return len(p), nil
+	}
+
+	return hs.processBufferedResponse(p, headerEndIdx)
+}
+
+func (hs *http) shouldBypassBuffering(p []byte) bool {
+	return hs.respHeader != nil && len(hs.buf) == 0 && len(p) >= 5 && string(p[0:5]) == "HTTP/"
+}
+
+func (hs *http) processBufferedResponse(p []byte, delimiterIdx int) (int, error) {
+	headerByte, bodyByte := splitHeaderAndBody(hs.buf, delimiterIdx)
+
+	if !isHTTPHeader(headerByte) {
+		return hs.writeRawBuffer()
+	}
+
+	if err := hs.processHTTPResponse(headerByte, bodyByte); err != nil {
+		return 0, err
+	}
+
+	hs.buf = nil
+	return len(p), nil
+}
+
+func (hs *http) writeRawBuffer() (int, error) {
+	_, err := hs.writer.Write(hs.buf)
+	length := len(hs.buf)
+	hs.buf = nil
+	if err != nil {
+		return 0, err
+	}
+	return length, nil
+}
+
+func (hs *http) processHTTPResponse(headerByte, bodyByte []byte) error {
+	resphf, err := header.NewResponse(headerByte)
+	if err != nil {
+		return err
+	}
+
+	if err = hs.ApplyResponseMiddlewares(resphf, bodyByte); err != nil {
+		return err
+	}
+
+	hs.respHeader = resphf
+	finalHeader := resphf.Finalize()
+
+	if err = hs.writeHeaderAndBody(finalHeader, bodyByte); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (hs *http) writeHeaderAndBody(header, bodyByte []byte) error {
+	if _, err := hs.writer.Write(header); err != nil {
+		return err
+	}
+
+	if len(bodyByte) > 0 {
+		if _, err := hs.writer.Write(bodyByte); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

internal/middleware/forwardedfor.go

@@ -0,0 +1,23 @@
+package middleware
+
+import (
+	"net"
+	"tunnel_pls/internal/http/header"
+)
+
+type ForwardedFor struct {
+	addr net.Addr
+}
+
+func NewForwardedFor(addr net.Addr) *ForwardedFor {
+	return &ForwardedFor{addr: addr}
+}
+
+func (ff *ForwardedFor) HandleRequest(header header.RequestHeader) error {
+	host, _, err := net.SplitHostPort(ff.addr.String())
+	if err != nil {
+		return err
+	}
+	header.Set("X-Forwarded-For", host)
+	return nil
+}

internal/middleware/middleware.go

@@ -0,0 +1,13 @@
+package middleware
+
+import (
+	"tunnel_pls/internal/http/header"
+)
+
+type RequestMiddleware interface {
+	HandleRequest(header header.RequestHeader) error
+}
+
+type ResponseMiddleware interface {
+	HandleResponse(header header.ResponseHeader, body []byte) error
+}

internal/middleware/tunnelfingerprint.go

@@ -0,0 +1,16 @@
+package middleware
+
+import (
+	"tunnel_pls/internal/http/header"
+)
+
+type TunnelFingerprint struct{}
+
+func NewTunnelFingerprint() *TunnelFingerprint {
+	return &TunnelFingerprint{}
+}
+
+func (h *TunnelFingerprint) HandleResponse(header header.ResponseHeader, body []byte) error {
+	header.Set("Server", "Tunnel Please")
+	return nil
+}

internal/port/port.go

@@ -6,37 +6,37 @@ import (
 	"sync"
 )
 
-type Registry interface {
-	AddPortRange(startPort, endPort uint16) error
-	GetUnassignedPort() (uint16, bool)
-	SetPortStatus(port uint16, assigned bool) error
-	ClaimPort(port uint16) (claimed bool)
+type Port interface {
+	AddRange(startPort, endPort uint16) error
+	Unassigned() (uint16, bool)
+	SetStatus(port uint16, assigned bool) error
+	Claim(port uint16) (claimed bool)
 }
 
-type registry struct {
+type port struct {
 	mu          sync.RWMutex
 	ports       map[uint16]bool
 	sortedPorts []uint16
 }
 
-func New() Registry {
-	return &registry{
+func New() Port {
+	return &port{
 		ports:       make(map[uint16]bool),
 		sortedPorts: []uint16{},
 	}
 }
 
-func (pm *registry) AddPortRange(startPort, endPort uint16) error {
+func (pm *port) AddRange(startPort, endPort uint16) error {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
 	if startPort > endPort {
 		return fmt.Errorf("start port cannot be greater than end port")
 	}
-	for port := startPort; port <= endPort; port++ {
-		if _, exists := pm.ports[port]; !exists {
-			pm.ports[port] = false
-			pm.sortedPorts = append(pm.sortedPorts, port)
+	for index := startPort; index <= endPort; index++ {
+		if _, exists := pm.ports[index]; !exists {
+			pm.ports[index] = false
+			pm.sortedPorts = append(pm.sortedPorts, index)
 		}
 	}
 	sort.Slice(pm.sortedPorts, func(i, j int) bool {
@@ -45,19 +45,19 @@ func (pm *registry) AddPortRange(startPort, endPort uint16) error {
 	return nil
 }
 
-func (pm *registry) GetUnassignedPort() (uint16, bool) {
+func (pm *port) Unassigned() (uint16, bool) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
-	for _, port := range pm.sortedPorts {
-		if !pm.ports[port] {
-			return port, true
+	for _, index := range pm.sortedPorts {
+		if !pm.ports[index] {
+			return index, true
 		}
 	}
 	return 0, false
 }
 
-func (pm *registry) SetPortStatus(port uint16, assigned bool) error {
+func (pm *port) SetStatus(port uint16, assigned bool) error {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
@@ -65,7 +65,7 @@ func (pm *registry) SetPortStatus(port uint16, assigned bool) error {
 	return nil
 }
 
-func (pm *registry) ClaimPort(port uint16) (claimed bool) {
+func (pm *port) Claim(port uint16) (claimed bool) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 

internal/registry/registry.go

@@ -0,0 +1,321 @@
+package registry
+
+import (
+	"fmt"
+	"sync"
+	"tunnel_pls/session/forwarder"
+	"tunnel_pls/session/interaction"
+	"tunnel_pls/session/lifecycle"
+	"tunnel_pls/session/slug"
+	"tunnel_pls/types"
+)
+
+type Key = types.SessionKey
+
+type Session interface {
+	Lifecycle() lifecycle.Lifecycle
+	Interaction() interaction.Interaction
+	Forwarder() forwarder.Forwarder
+	Slug() slug.Slug
+	Detail() *types.Detail
+}
+
+type Registry interface {
+	Get(key Key) (session Session, err error)
+	GetWithUser(user string, key Key) (session Session, err error)
+	Update(user string, oldKey, newKey Key) error
+	Register(key Key, session Session) (success bool)
+	Remove(key Key)
+	GetAllSessionFromUser(user string) []Session
+}
+type registry struct {
+	mu        sync.RWMutex
+	byUser    map[string]map[Key]Session
+	slugIndex map[Key]string
+}
+
+func NewRegistry() Registry {
+	return &registry{
+		byUser:    make(map[string]map[Key]Session),
+		slugIndex: make(map[Key]string),
+	}
+}
+
+func (r *registry) Get(key Key) (session Session, err error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	userID, ok := r.slugIndex[key]
+	if !ok {
+		return nil, fmt.Errorf("Session not found")
+	}
+
+	client, ok := r.byUser[userID][key]
+	if !ok {
+		return nil, fmt.Errorf("Session not found")
+	}
+	return client, nil
+}
+
+func (r *registry) GetWithUser(user string, key Key) (session Session, err error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	client, ok := r.byUser[user][key]
+	if !ok {
+		return nil, fmt.Errorf("Session not found")
+	}
+	return client, nil
+}
+
+func (r *registry) Update(user string, oldKey, newKey Key) error {
+	if oldKey.Type != newKey.Type {
+		return fmt.Errorf("tunnel type cannot change")
+	}
+
+	if newKey.Type != types.HTTP {
+		return fmt.Errorf("non http tunnel cannot change slug")
+	}
+
+	if isForbiddenSlug(newKey.Id) {
+		return fmt.Errorf("this subdomain is reserved. Please choose a different one")
+	}
+
+	if !isValidSlug(newKey.Id) {
+		return fmt.Errorf("invalid subdomain. Follow the rules")
+	}
+
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if _, exists := r.slugIndex[newKey]; exists && newKey != oldKey {
+		return fmt.Errorf("someone already uses this subdomain")
+	}
+	client, ok := r.byUser[user][oldKey]
+	if !ok {
+		return fmt.Errorf("Session not found")
+	}
+
+	delete(r.byUser[user], oldKey)
+	delete(r.slugIndex, oldKey)
+
+	client.Slug().Set(newKey.Id)
+	r.slugIndex[newKey] = user
+
+	if r.byUser[user] == nil {
+		r.byUser[user] = make(map[Key]Session)
+	}
+	r.byUser[user][newKey] = client
+	return nil
+}
+
+func (r *registry) Register(key Key, userSession Session) (success bool) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if _, exists := r.slugIndex[key]; exists {
+		return false
+	}
+
+	userID := userSession.Lifecycle().User()
+	if r.byUser[userID] == nil {
+		r.byUser[userID] = make(map[Key]Session)
+	}
+
+	r.byUser[userID][key] = userSession
+	r.slugIndex[key] = userID
+	return true
+}
+
+func (r *registry) GetAllSessionFromUser(user string) []Session {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	m := r.byUser[user]
+	if len(m) == 0 {
+		return []Session{}
+	}
+
+	sessions := make([]Session, 0, len(m))
+	for _, s := range m {
+		sessions = append(sessions, s)
+	}
+	return sessions
+}
+
+func (r *registry) Remove(key Key) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	userID, ok := r.slugIndex[key]
+	if !ok {
+		return
+	}
+
+	delete(r.byUser[userID], key)
+	if len(r.byUser[userID]) == 0 {
+		delete(r.byUser, userID)
+	}
+	delete(r.slugIndex, key)
+}
+
+func isValidSlug(slug string) bool {
+	if len(slug) < minSlugLength || len(slug) > maxSlugLength {
+		return false
+	}
+
+	if slug[0] == '-' || slug[len(slug)-1] == '-' {
+		return false
+	}
+
+	for _, c := range slug {
+		if !isValidSlugChar(byte(c)) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func isValidSlugChar(c byte) bool {
+	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-'
+}
+
+func isForbiddenSlug(slug string) bool {
+	_, ok := forbiddenSlugs[slug]
+	return ok
+}
+
+var forbiddenSlugs = map[string]struct{}{
+	"ping":          {},
+	"staging":       {},
+	"admin":         {},
+	"root":          {},
+	"api":           {},
+	"www":           {},
+	"support":       {},
+	"help":          {},
+	"status":        {},
+	"health":        {},
+	"login":         {},
+	"logout":        {},
+	"signup":        {},
+	"register":      {},
+	"settings":      {},
+	"config":        {},
+	"null":          {},
+	"undefined":     {},
+	"example":       {},
+	"test":          {},
+	"dev":           {},
+	"system":        {},
+	"administrator": {},
+	"dashboard":     {},
+	"account":       {},
+	"profile":       {},
+	"user":          {},
+	"users":         {},
+	"auth":          {},
+	"oauth":         {},
+	"callback":      {},
+	"webhook":       {},
+	"webhooks":      {},
+	"static":        {},
+	"assets":        {},
+	"cdn":           {},
+	"mail":          {},
+	"email":         {},
+	"ftp":           {},
+	"ssh":           {},
+	"git":           {},
+	"svn":           {},
+	"blog":          {},
+	"news":          {},
+	"about":         {},
+	"contact":       {},
+	"terms":         {},
+	"privacy":       {},
+	"legal":         {},
+	"billing":       {},
+	"payment":       {},
+	"checkout":      {},
+	"cart":          {},
+	"shop":          {},
+	"store":         {},
+	"download":      {},
+	"uploads":       {},
+	"images":        {},
+	"img":           {},
+	"css":           {},
+	"js":            {},
+	"fonts":         {},
+	"public":        {},
+	"private":       {},
+	"internal":      {},
+	"external":      {},
+	"proxy":         {},
+	"cache":         {},
+	"debug":         {},
+	"metrics":       {},
+	"monitoring":    {},
+	"graphql":       {},
+	"rest":          {},
+	"rpc":           {},
+	"socket":        {},
+	"ws":            {},
+	"wss":           {},
+	"app":           {},
+	"apps":          {},
+	"mobile":        {},
+	"desktop":       {},
+	"embed":         {},
+	"widget":        {},
+	"docs":          {},
+	"documentation": {},
+	"wiki":          {},
+	"forum":         {},
+	"community":     {},
+	"feedback":      {},
+	"report":        {},
+	"abuse":         {},
+	"spam":          {},
+	"security":      {},
+	"verify":        {},
+	"confirm":       {},
+	"reset":         {},
+	"password":      {},
+	"recovery":      {},
+	"unsubscribe":   {},
+	"subscribe":     {},
+	"notifications": {},
+	"alerts":        {},
+	"messages":      {},
+	"inbox":         {},
+	"outbox":        {},
+	"sent":          {},
+	"draft":         {},
+	"trash":         {},
+	"archive":       {},
+	"search":        {},
+	"explore":       {},
+	"discover":      {},
+	"trending":      {},
+	"popular":       {},
+	"featured":      {},
+	"new":           {},
+	"latest":        {},
+	"top":           {},
+	"best":          {},
+	"hot":           {},
+	"random":        {},
+	"all":           {},
+	"any":           {},
+	"none":          {},
+	"true":          {},
+	"false":         {},
+}
+
+var (
+	minSlugLength = 3
+	maxSlugLength = 20
+)

internal/transport/http.go

@@ -0,0 +1,40 @@
+package transport
+
+import (
+	"errors"
+	"log"
+	"net"
+	"tunnel_pls/internal/registry"
+)
+
+type httpServer struct {
+	handler *httpHandler
+	port    string
+}
+
+func NewHTTPServer(port string, sessionRegistry registry.Registry, redirectTLS bool) Transport {
+	return &httpServer{
+		handler: newHTTPHandler(sessionRegistry, redirectTLS),
+		port:    port,
+	}
+}
+
+func (ht *httpServer) Listen() (net.Listener, error) {
+	return net.Listen("tcp", ":"+ht.port)
+}
+
+func (ht *httpServer) Serve(listener net.Listener) error {
+	log.Printf("HTTP server is starting on port %s", ht.port)
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return err
+			}
+			log.Printf("Error accepting connection: %v", err)
+			continue
+		}
+
+		go ht.handler.handler(conn, false)
+	}
+}

internal/transport/httphandler.go

@@ -0,0 +1,227 @@
+package transport
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+	"tunnel_pls/internal/config"
+	"tunnel_pls/internal/http/header"
+	"tunnel_pls/internal/http/stream"
+	"tunnel_pls/internal/middleware"
+	"tunnel_pls/internal/registry"
+	"tunnel_pls/types"
+
+	"golang.org/x/crypto/ssh"
+)
+
+type httpHandler struct {
+	sessionRegistry registry.Registry
+	redirectTLS     bool
+}
+
+func newHTTPHandler(sessionRegistry registry.Registry, redirectTLS bool) *httpHandler {
+	return &httpHandler{
+		sessionRegistry: sessionRegistry,
+		redirectTLS:     redirectTLS,
+	}
+}
+
+func (hh *httpHandler) redirect(conn net.Conn, status int, location string) error {
+	_, err := conn.Write([]byte(fmt.Sprintf("HTTP/1.1 %d Moved Permanently\r\n", status) +
+		fmt.Sprintf("Location: %s", location) +
+		"Content-Length: 0\r\n" +
+		"Connection: close\r\n" +
+		"\r\n"))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (hh *httpHandler) badRequest(conn net.Conn) error {
+	if _, err := conn.Write([]byte("HTTP/1.1 400 Bad Request\r\n\r\n")); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (hh *httpHandler) handler(conn net.Conn, isTLS bool) {
+	defer hh.closeConnection(conn)
+
+	dstReader := bufio.NewReader(conn)
+	reqhf, err := header.NewRequest(dstReader)
+	if err != nil {
+		log.Printf("Error creating request header: %v", err)
+		return
+	}
+
+	slug, err := hh.extractSlug(reqhf)
+	if err != nil {
+		_ = hh.badRequest(conn)
+		return
+	}
+
+	if hh.shouldRedirectToTLS(isTLS) {
+		_ = hh.redirect(conn, http.StatusMovedPermanently, fmt.Sprintf("Location: https://%s.%s/\r\n", slug, config.Getenv("DOMAIN", "localhost")))
+		return
+	}
+
+	if hh.handlePingRequest(slug, conn) {
+		return
+	}
+
+	sshSession, err := hh.getSession(slug)
+	if err != nil {
+		_ = hh.redirect(conn, http.StatusMovedPermanently, fmt.Sprintf("https://tunnl.live/tunnel-not-found?slug=%s\r\n", slug))
+		return
+	}
+
+	hw := stream.New(conn, dstReader, conn.RemoteAddr())
+	defer func(hw stream.HTTP) {
+		err = hw.Close()
+		if err != nil {
+			log.Printf("Error closing HTTP stream: %v", err)
+		}
+	}(hw)
+	hh.forwardRequest(hw, reqhf, sshSession)
+}
+
+func (hh *httpHandler) closeConnection(conn net.Conn) {
+	err := conn.Close()
+	if err != nil && !errors.Is(err, net.ErrClosed) {
+		log.Printf("Error closing connection: %v", err)
+	}
+}
+
+func (hh *httpHandler) extractSlug(reqhf header.RequestHeader) (string, error) {
+	host := strings.Split(reqhf.Value("Host"), ".")
+	if len(host) < 1 {
+		return "", errors.New("invalid host")
+	}
+	return host[0], nil
+}
+
+func (hh *httpHandler) shouldRedirectToTLS(isTLS bool) bool {
+	return !isTLS && hh.redirectTLS
+}
+
+func (hh *httpHandler) handlePingRequest(slug string, conn net.Conn) bool {
+	if slug != "ping" {
+		return false
+	}
+
+	_, err := conn.Write([]byte(
+		"HTTP/1.1 200 OK\r\n" +
+			"Content-Length: 0\r\n" +
+			"Connection: close\r\n" +
+			"Access-Control-Allow-Origin: *\r\n" +
+			"Access-Control-Allow-Methods: GET, HEAD, OPTIONS\r\n" +
+			"Access-Control-Allow-Headers: *\r\n" +
+			"\r\n",
+	))
+	if err != nil {
+		log.Println("Failed to write 200 OK:", err)
+	}
+	return true
+}
+
+func (hh *httpHandler) getSession(slug string) (registry.Session, error) {
+	sshSession, err := hh.sessionRegistry.Get(types.SessionKey{
+		Id:   slug,
+		Type: types.HTTP,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return sshSession, nil
+}
+
+func (hh *httpHandler) forwardRequest(hw stream.HTTP, initialRequest header.RequestHeader, sshSession registry.Session) {
+	channel, err := hh.openForwardedChannel(hw, sshSession)
+	defer func() {
+		err = channel.Close()
+		if err != nil {
+			log.Printf("Error closing forwarded channel: %v", err)
+		}
+	}()
+	if err != nil {
+		log.Printf("Failed to establish channel: %v", err)
+		sshSession.Forwarder().WriteBadGatewayResponse(hw)
+		return
+	}
+	hh.setupMiddlewares(hw)
+
+	if err = hh.sendInitialRequest(hw, initialRequest, channel); err != nil {
+		log.Printf("Failed to forward initial request: %v", err)
+		return
+	}
+	sshSession.Forwarder().HandleConnection(hw, channel)
+}
+
+func (hh *httpHandler) openForwardedChannel(hw stream.HTTP, sshSession registry.Session) (ssh.Channel, error) {
+	payload := sshSession.Forwarder().CreateForwardedTCPIPPayload(hw.RemoteAddr())
+
+	type channelResult struct {
+		channel ssh.Channel
+		reqs    <-chan *ssh.Request
+		err     error
+	}
+
+	resultChan := make(chan channelResult, 1)
+
+	go func() {
+		channel, reqs, err := sshSession.Lifecycle().Connection().OpenChannel("forwarded-tcpip", payload)
+		select {
+		case resultChan <- channelResult{channel, reqs, err}:
+		default:
+			hh.cleanupUnusedChannel(channel, reqs)
+		}
+	}()
+
+	select {
+	case result := <-resultChan:
+		if result.err != nil {
+			return nil, result.err
+		}
+		go ssh.DiscardRequests(result.reqs)
+		return result.channel, nil
+	case <-time.After(5 * time.Second):
+		return nil, errors.New("timeout opening forwarded-tcpip channel")
+	}
+}
+
+func (hh *httpHandler) cleanupUnusedChannel(channel ssh.Channel, reqs <-chan *ssh.Request) {
+	if channel != nil {
+		if err := channel.Close(); err != nil {
+			log.Printf("Failed to close unused channel: %v", err)
+		}
+		go ssh.DiscardRequests(reqs)
+	}
+}
+
+func (hh *httpHandler) setupMiddlewares(hw stream.HTTP) {
+	fingerprintMiddleware := middleware.NewTunnelFingerprint()
+	forwardedForMiddleware := middleware.NewForwardedFor(hw.RemoteAddr())
+
+	hw.UseResponseMiddleware(fingerprintMiddleware)
+	hw.UseRequestMiddleware(forwardedForMiddleware)
+}
+
+func (hh *httpHandler) sendInitialRequest(hw stream.HTTP, initialRequest header.RequestHeader, channel ssh.Channel) error {
+	hw.SetRequestHeader(initialRequest)
+
+	if err := hw.ApplyRequestMiddlewares(initialRequest); err != nil {
+		return fmt.Errorf("error applying request middlewares: %w", err)
+	}
+
+	if _, err := channel.Write(initialRequest.Finalize()); err != nil {
+		return fmt.Errorf("error writing to channel: %w", err)
+	}
+
+	return nil
+}

internal/transport/https.go

@@ -0,0 +1,48 @@
+package transport
+
+import (
+	"crypto/tls"
+	"errors"
+	"log"
+	"net"
+	"tunnel_pls/internal/registry"
+)
+
+type https struct {
+	httpHandler *httpHandler
+	domain      string
+	port        string
+}
+
+func NewHTTPSServer(domain, port string, sessionRegistry registry.Registry, redirectTLS bool) Transport {
+	return &https{
+		httpHandler: newHTTPHandler(sessionRegistry, redirectTLS),
+		domain:      domain,
+		port:        port,
+	}
+}
+
+func (ht *https) Listen() (net.Listener, error) {
+	tlsConfig, err := NewTLSConfig(ht.domain)
+	if err != nil {
+		return nil, err
+	}
+
+	return tls.Listen("tcp", ":"+ht.port, tlsConfig)
+
+}
+func (ht *https) Serve(listener net.Listener) error {
+	log.Printf("HTTPS server is starting on port %s", ht.port)
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return err
+			}
+			log.Printf("Error accepting connection: %v", err)
+			continue
+		}
+
+		go ht.httpHandler.handler(conn, true)
+	}
+}

internal/transport/tcp.go

@@ -0,0 +1,66 @@
+package transport
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+
+	"golang.org/x/crypto/ssh"
+)
+
+type tcp struct {
+	port      uint16
+	forwarder forwarder
+}
+
+type forwarder interface {
+	CreateForwardedTCPIPPayload(origin net.Addr) []byte
+	OpenForwardedChannel(payload []byte) (ssh.Channel, <-chan *ssh.Request, error)
+	HandleConnection(dst io.ReadWriter, src ssh.Channel)
+}
+
+func NewTCPServer(port uint16, forwarder forwarder) Transport {
+	return &tcp{
+		port:      port,
+		forwarder: forwarder,
+	}
+}
+
+func (tt *tcp) Listen() (net.Listener, error) {
+	return net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", tt.port))
+}
+
+func (tt *tcp) Serve(listener net.Listener) error {
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			log.Printf("Error accepting connection: %v", err)
+			continue
+		}
+		go tt.handleTcp(conn)
+	}
+}
+
+func (tt *tcp) handleTcp(conn net.Conn) {
+	defer func() {
+		err := conn.Close()
+		if err != nil {
+			log.Printf("Failed to close connection: %v", err)
+		}
+	}()
+	payload := tt.forwarder.CreateForwardedTCPIPPayload(conn.RemoteAddr())
+	channel, reqs, err := tt.forwarder.OpenForwardedChannel(payload)
+	if err != nil {
+		log.Printf("Failed to open forwarded-tcpip channel: %v", err)
+
+		return
+	}
+
+	go ssh.DiscardRequests(reqs)
+	tt.forwarder.HandleConnection(conn, channel)
+}

internal/transport/tls.go

@@ -0,0 +1,330 @@
+package transport
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"os"
+	"sync"
+	"time"
+	"tunnel_pls/internal/config"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/cloudflare"
+)
+
+type TLSManager interface {
+	userCertsExistAndValid() bool
+	loadUserCerts() error
+	startCertWatcher()
+	initCertMagic() error
+	getTLSConfig() *tls.Config
+	getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+}
+
+type tlsManager struct {
+	domain      string
+	certPath    string
+	keyPath     string
+	storagePath string
+
+	userCert   *tls.Certificate
+	userCertMu sync.RWMutex
+
+	magic *certmagic.Config
+
+	useCertMagic bool
+}
+
+var globalTLSManager TLSManager
+var tlsManagerOnce sync.Once
+
+func NewTLSConfig(domain string) (*tls.Config, error) {
+	var initErr error
+
+	tlsManagerOnce.Do(func() {
+		certPath := "certs/tls/cert.pem"
+		keyPath := "certs/tls/privkey.pem"
+		storagePath := "certs/tls/certmagic"
+
+		tm := &tlsManager{
+			domain:      domain,
+			certPath:    certPath,
+			keyPath:     keyPath,
+			storagePath: storagePath,
+		}
+
+		if tm.userCertsExistAndValid() {
+			log.Printf("Using user-provided certificates from %s and %s", certPath, keyPath)
+			if err := tm.loadUserCerts(); err != nil {
+				initErr = fmt.Errorf("failed to load user certificates: %w", err)
+				return
+			}
+			tm.useCertMagic = false
+			tm.startCertWatcher()
+		} else {
+			if !isACMEConfigComplete() {
+				log.Printf("User certificates missing or invalid, and ACME configuration is incomplete")
+				log.Printf("To enable automatic certificate generation, set CF_API_TOKEN environment variable")
+				initErr = fmt.Errorf("no valid certificates found and ACME configuration is incomplete (CF_API_TOKEN is required)")
+				return
+			}
+
+			log.Printf("User certificates missing or don't cover %s and *.%s, using CertMagic", domain, domain)
+			if err := tm.initCertMagic(); err != nil {
+				initErr = fmt.Errorf("failed to initialize CertMagic: %w", err)
+				return
+			}
+			tm.useCertMagic = true
+		}
+
+		globalTLSManager = tm
+	})
+
+	if initErr != nil {
+		return nil, initErr
+	}
+
+	return globalTLSManager.getTLSConfig(), nil
+}
+
+func isACMEConfigComplete() bool {
+	cfAPIToken := config.Getenv("CF_API_TOKEN", "")
+	return cfAPIToken != ""
+}
+
+func (tm *tlsManager) userCertsExistAndValid() bool {
+	if _, err := os.Stat(tm.certPath); os.IsNotExist(err) {
+		log.Printf("Certificate file not found: %s", tm.certPath)
+		return false
+	}
+	if _, err := os.Stat(tm.keyPath); os.IsNotExist(err) {
+		log.Printf("Key file not found: %s", tm.keyPath)
+		return false
+	}
+
+	return ValidateCertDomains(tm.certPath, tm.domain)
+}
+
+func ValidateCertDomains(certPath, domain string) bool {
+	certPEM, err := os.ReadFile(certPath)
+	if err != nil {
+		log.Printf("Failed to read certificate: %v", err)
+		return false
+	}
+
+	block, _ := pem.Decode(certPEM)
+	if block == nil {
+		log.Printf("Failed to decode PEM block from certificate")
+		return false
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		log.Printf("Failed to parse certificate: %v", err)
+		return false
+	}
+
+	if time.Now().After(cert.NotAfter) {
+		log.Printf("Certificate has expired (NotAfter: %v)", cert.NotAfter)
+		return false
+	}
+
+	if time.Now().Add(30 * 24 * time.Hour).After(cert.NotAfter) {
+		log.Printf("Certificate expiring soon (NotAfter: %v), will use CertMagic for renewal", cert.NotAfter)
+		return false
+	}
+
+	var certDomains []string
+	if cert.Subject.CommonName != "" {
+		certDomains = append(certDomains, cert.Subject.CommonName)
+	}
+	certDomains = append(certDomains, cert.DNSNames...)
+
+	hasBase := false
+	hasWildcard := false
+	wildcardDomain := "*." + domain
+
+	for _, d := range certDomains {
+		if d == domain {
+			hasBase = true
+		}
+		if d == wildcardDomain {
+			hasWildcard = true
+		}
+	}
+
+	if !hasBase {
+		log.Printf("Certificate does not cover base domain: %s", domain)
+	}
+	if !hasWildcard {
+		log.Printf("Certificate does not cover wildcard domain: %s", wildcardDomain)
+	}
+
+	return hasBase && hasWildcard
+}
+
+func (tm *tlsManager) loadUserCerts() error {
+	cert, err := tls.LoadX509KeyPair(tm.certPath, tm.keyPath)
+	if err != nil {
+		return err
+	}
+
+	tm.userCertMu.Lock()
+	tm.userCert = &cert
+	tm.userCertMu.Unlock()
+
+	log.Printf("Loaded user certificates successfully")
+	return nil
+}
+
+func (tm *tlsManager) startCertWatcher() {
+	go func() {
+		var lastCertMod, lastKeyMod time.Time
+
+		if info, err := os.Stat(tm.certPath); err == nil {
+			lastCertMod = info.ModTime()
+		}
+		if info, err := os.Stat(tm.keyPath); err == nil {
+			lastKeyMod = info.ModTime()
+		}
+
+		ticker := time.NewTicker(30 * time.Second)
+		defer ticker.Stop()
+
+		for range ticker.C {
+			certInfo, certErr := os.Stat(tm.certPath)
+			keyInfo, keyErr := os.Stat(tm.keyPath)
+
+			if certErr != nil || keyErr != nil {
+				continue
+			}
+
+			if certInfo.ModTime().After(lastCertMod) || keyInfo.ModTime().After(lastKeyMod) {
+				log.Printf("Certificate files changed, reloading...")
+
+				if !ValidateCertDomains(tm.certPath, tm.domain) {
+					log.Printf("New certificates don't cover required domains")
+
+					if !isACMEConfigComplete() {
+						log.Printf("Cannot switch to CertMagic: ACME configuration is incomplete (CF_API_TOKEN is required)")
+						continue
+					}
+
+					log.Printf("Switching to CertMagic for automatic certificate management")
+					if err := tm.initCertMagic(); err != nil {
+						log.Printf("Failed to initialize CertMagic: %v", err)
+						continue
+					}
+					tm.useCertMagic = true
+					return
+				}
+
+				if err := tm.loadUserCerts(); err != nil {
+					log.Printf("Failed to reload certificates: %v", err)
+					continue
+				}
+
+				lastCertMod = certInfo.ModTime()
+				lastKeyMod = keyInfo.ModTime()
+				log.Printf("Certificates reloaded successfully")
+			}
+		}
+	}()
+}
+
+func (tm *tlsManager) initCertMagic() error {
+	if err := os.MkdirAll(tm.storagePath, 0700); err != nil {
+		return fmt.Errorf("failed to create cert storage directory: %w", err)
+	}
+
+	acmeEmail := config.Getenv("ACME_EMAIL", "admin@"+tm.domain)
+	cfAPIToken := config.Getenv("CF_API_TOKEN", "")
+	acmeStaging := config.Getenv("ACME_STAGING", "false") == "true"
+
+	if cfAPIToken == "" {
+		return fmt.Errorf("CF_API_TOKEN environment variable is required for automatic certificate generation")
+	}
+
+	cfProvider := &cloudflare.Provider{
+		APIToken: cfAPIToken,
+	}
+
+	storage := &certmagic.FileStorage{Path: tm.storagePath}
+
+	cache := certmagic.NewCache(certmagic.CacheOptions{
+		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
+			return tm.magic, nil
+		},
+	})
+
+	magic := certmagic.New(cache, certmagic.Config{
+		Storage: storage,
+	})
+
+	acmeIssuer := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
+		Email:  acmeEmail,
+		Agreed: true,
+		DNS01Solver: &certmagic.DNS01Solver{
+			DNSManager: certmagic.DNSManager{
+				DNSProvider: cfProvider,
+			},
+		},
+	})
+
+	if acmeStaging {
+		acmeIssuer.CA = certmagic.LetsEncryptStagingCA
+		log.Printf("Using Let's Encrypt staging server")
+	} else {
+		acmeIssuer.CA = certmagic.LetsEncryptProductionCA
+		log.Printf("Using Let's Encrypt production server")
+	}
+
+	magic.Issuers = []certmagic.Issuer{acmeIssuer}
+	tm.magic = magic
+
+	domains := []string{tm.domain, "*." + tm.domain}
+	log.Printf("Requesting certificates for: %v", domains)
+
+	ctx := context.Background()
+	if err := magic.ManageSync(ctx, domains); err != nil {
+		return fmt.Errorf("failed to obtain certificates: %w", err)
+	}
+
+	log.Printf("Certificates obtained successfully for %v", domains)
+	return nil
+}
+
+func (tm *tlsManager) getTLSConfig() *tls.Config {
+	return &tls.Config{
+		GetCertificate: tm.getCertificate,
+
+		MinVersion: tls.VersionTLS13,
+		MaxVersion: tls.VersionTLS13,
+
+		CurvePreferences: []tls.CurveID{
+			tls.X25519,
+		},
+
+		SessionTicketsDisabled: false,
+		ClientAuth:             tls.NoClientCert,
+	}
+}
+
+func (tm *tlsManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if tm.useCertMagic {
+		return tm.magic.GetCertificate(hello)
+	}
+
+	tm.userCertMu.RLock()
+	defer tm.userCertMu.RUnlock()
+
+	if tm.userCert == nil {
+		return nil, fmt.Errorf("no certificate available")
+	}
+
+	return tm.userCert, nil
+}

internal/transport/transport.go

@@ -0,0 +1,10 @@
+package transport
+
+import (
+	"net"
+)
+
+type Transport interface {
+	Listen() (net.Listener, error)
+	Serve(listener net.Listener) error
+}

internal/version/version.go

@@ -0,0 +1,17 @@
+package version
+
+import "fmt"
+
+var (
+	Version   = "dev"
+	BuildDate = "unknown"
+	Commit    = "unknown"
+)
+
+func GetVersion() string {
+	return fmt.Sprintf("tunnel_pls %s (commit: %s, built: %s)", Version, Commit, BuildDate)
+}
+
+func GetShortVersion() string {
+	return Version
+}