feat: implement forwarder session termination

- Replace ReadString with ReadSlice to eliminate allocations
- Use bytes operations instead of strings
- Add FromBytes variant for in-memory parsing

.dockerignore

@@ -0,0 +1,32 @@
+.git/
+.github/
+.gitea/
+.gitignore
+
+.idea/
+*.swp
+*.swo
+*~
+
+tmp/
+*.log
+
+.env
+.env.*
+
+certs/
+id_rsa*
+*.pub
+
+README.md
+LICENSE.md
+*.md
+
+renovate.json
+renovate-config.js
+
+*_test.go
+testdata/
+
+app
+

.gitea/workflows/build.yml

@@ -5,14 +5,25 @@ on:
     branches:
       - main
       - staging
+    tags:
+      - 'v*'
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - 'go.sum'
+      - 'Dockerfile'
+      - 'Dockerfile.*'
+      - '.dockerignore'
+      - '.gitea/workflows/build.yml'
 
 jobs:
-  build-and-push:
+  build-and-push-branches:
     runs-on: ubuntu-latest
+    if: github.ref_type == 'branch'
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -24,6 +35,17 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
+      - name: Set version variables
+        id: vars
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "VERSION=dev-main" >> $GITHUB_OUTPUT
+          else
+            echo "VERSION=dev-staging" >> $GITHUB_OUTPUT
+          fi
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "COMMIT=${{ github.sha }}" >> $GITHUB_OUTPUT
+
       - name: Build and push Docker image for main
         uses: docker/build-push-action@v6
         with:
@@ -32,6 +54,10 @@ jobs:
           tags: |
             git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:latest
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ steps.vars.outputs.VERSION }}
+            BUILD_DATE=${{ steps.vars.outputs.BUILD_DATE }}
+            COMMIT=${{ steps.vars.outputs.COMMIT }}
         if: github.ref == 'refs/heads/main'
 
       - name: Build and push Docker image for staging
@@ -42,4 +68,85 @@ jobs:
           tags: |
             git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:staging
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ steps.vars.outputs.VERSION }}
+            BUILD_DATE=${{ steps.vars.outputs.BUILD_DATE }}
+            COMMIT=${{ steps.vars.outputs.COMMIT }}
         if: github.ref == 'refs/heads/staging'
+
+  build-and-push-tags:
+    runs-on: ubuntu-latest
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: git.fossy.my.id
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract version and determine release type
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/v}
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "COMMIT=${{ github.sha }}" >> $GITHUB_OUTPUT
+          
+          if echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
+            MAJOR=$(echo "$VERSION" | cut -d. -f1)
+            MINOR=$(echo "$VERSION" | cut -d. -f2)
+            
+            echo "MAJOR=$MAJOR" >> $GITHUB_OUTPUT
+            echo "MINOR=$MINOR" >> $GITHUB_OUTPUT
+            
+            if echo "$VERSION" | grep -q '-'; then
+              echo "IS_PRERELEASE=true" >> $GITHUB_OUTPUT
+              echo "ADDITIONAL_TAG=staging" >> $GITHUB_OUTPUT
+            else
+              echo "IS_PRERELEASE=false" >> $GITHUB_OUTPUT
+              echo "ADDITIONAL_TAG=latest" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "Invalid version format: $VERSION"
+            exit 1
+          fi
+
+      - name: Build and push Docker image for release
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:v${{ steps.version.outputs.VERSION }}
+            git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}
+            git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:v${{ steps.version.outputs.MAJOR }}
+            git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:${{ steps.version.outputs.ADDITIONAL_TAG }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ steps.version.outputs.VERSION }}
+            BUILD_DATE=${{ steps.version.outputs.BUILD_DATE }}
+            COMMIT=${{ steps.version.outputs.COMMIT }}
+        if: steps.version.outputs.IS_PRERELEASE == 'false'
+
+      - name: Build and push Docker image for pre-release
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:v${{ steps.version.outputs.VERSION }}
+            git.fossy.my.id/${{ secrets.DOCKER_USERNAME }}/tunnel-please:${{ steps.version.outputs.ADDITIONAL_TAG }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ steps.version.outputs.VERSION }}
+            BUILD_DATE=${{ steps.version.outputs.BUILD_DATE }}
+            COMMIT=${{ steps.version.outputs.COMMIT }}
+        if: steps.version.outputs.IS_PRERELEASE == 'true'

.gitea/workflows/renovate.yml

@@ -0,0 +1,21 @@
+name: renovate
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  push:
+    branches:
+      - staging
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    container: git.fossy.my.id/renovate-clanker/renovate:latest
+    steps:
+      - uses: actions/checkout@v6
+      - run: renovate
+        env:
+          RENOVATE_CONFIG_FILE: ${{ gitea.workspace }}/renovate-config.js
+          LOG_LEVEL: "debug"
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          GITHUB_COM_TOKEN: ${{ secrets.COM_TOKEN }}

.github/workflows/sync-to-gitea.yml

@@ -0,0 +1,27 @@
+name: Sync to Gitea
+
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    if: |
+      github.repository == 'fossyy/tunnel-please' &&
+      !contains(github.event.head_commit.message, '[skip-gitea]')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Push to Gitea
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_URL: git.fossy.my.id
+        run: |
+          git remote add gitea https://${{ secrets.GITEA_USERNAME }}:${GITEA_TOKEN}@${GITEA_URL}/bagas/tunnel-please.git
+          git push gitea ${{ github.ref }} --force

.gitignore

@@ -3,3 +3,5 @@ id_rsa*
 .idea
 .env
 tmp
+certs
+app

Dockerfile

@@ -1,20 +1,59 @@
-FROM golang:1.24.4-alpine AS go_builder
+FROM golang:1.25.5-alpine AS go_builder
+
+ARG VERSION=dev
+ARG BUILD_DATE=unknown
+ARG COMMIT=unknown
+
+RUN apk update && apk upgrade && \
+    apk add --no-cache ca-certificates tzdata git && \
+    update-ca-certificates
 
 WORKDIR /src
+
+COPY go.mod go.sum ./
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go mod download && go mod verify
+
 COPY . .
 
-RUN apk update && apk upgrade && apk add --no-cache ca-certificates tzdata
+RUN --mount=type=cache,target=/go/pkg/mod \
-RUN update-ca-certificates
+    --mount=type=cache,target=/root/.cache/go-build \
-RUN go build -o ./tmp/main
+    CGO_ENABLED=0 GOOS=linux \
+    go build -trimpath \
+    -ldflags="-w -s -X tunnel_pls/version.Version=${VERSION} -X tunnel_pls/version.BuildDate=${BUILD_DATE} -X tunnel_pls/version.Commit=${COMMIT}" \
+    -o /app/tunnel_pls \
+    .
+
+RUN adduser -D -u 10001 -g '' appuser && \
+    mkdir -p /app/certs/ssh /app/certs/tls && \
+    chown -R appuser:appuser /app
 
 FROM scratch
 
-WORKDIR /src
+ARG VERSION=dev
+ARG BUILD_DATE=unknown
+ARG COMMIT=unknown
 
 COPY --from=go_builder /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=go_builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=go_builder /src/tmp/main /src
+COPY --from=go_builder /etc/passwd /etc/passwd
+COPY --from=go_builder /etc/group /etc/group
+COPY --from=go_builder --chown=appuser:appuser /app /app
 
-ENV TZ Asia/Jakarta
+WORKDIR /app
 
-ENTRYPOINT ["./main"]
+USER appuser
+
+ENV TZ=Asia/Jakarta
+
+EXPOSE 2200 8080 8443
+
+LABEL org.opencontainers.image.title="Tunnel Please" \
+      org.opencontainers.image.description="SSH-based tunnel server" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${COMMIT}" \
+      org.opencontainers.image.created="${BUILD_DATE}"
+
+ENTRYPOINT ["/app/tunnel_pls"]

README.md

@@ -6,7 +6,6 @@ A lightweight SSH-based tunnel server written in Go that enables secure TCP and
 
 - SSH interactive session with real-time command handling
 - Custom subdomain management for HTTP tunnels
-- Active connection control with drop functionality
 - Dual protocol support: HTTP and TCP tunnels
 - Real-time connection monitoring
 ## Requirements
@@ -14,6 +13,216 @@ A lightweight SSH-based tunnel server written in Go that enables secure TCP and
 - Go 1.18 or higher
 - Valid domain name for subdomain routing
 
+## Environment Variables
+
+The following environment variables can be configured in the `.env` file:
+
+| Variable | Description | Default | Required |
+|----------|-------------|---------|----------|
+| `DOMAIN` | Domain name for subdomain routing | `localhost` | No |
+| `PORT` | SSH server port | `2200` | No |
+| `HTTP_PORT` | HTTP server port | `8080` | No |
+| `HTTPS_PORT` | HTTPS server port | `8443` | No |
+| `TLS_ENABLED` | Enable TLS/HTTPS | `false` | No |
+| `TLS_REDIRECT` | Redirect HTTP to HTTPS | `false` | No |
+| `ACME_EMAIL` | Email for Let's Encrypt registration | `admin@<DOMAIN>` | No |
+| `CF_API_TOKEN` | Cloudflare API token for DNS-01 challenge | - | Yes (if auto-cert) |
+| `ACME_STAGING` | Use Let's Encrypt staging server | `false` | No |
+| `CORS_LIST` | Comma-separated list of allowed CORS origins | - | No |
+| `ALLOWED_PORTS` | Port range for TCP tunnels (e.g., 40000-41000) | `40000-41000` | No |
+| `BUFFER_SIZE` | Buffer size for io.Copy operations in bytes (4096-1048576) | `32768` | No |
+| `PPROF_ENABLED` | Enable pprof profiling server | `false` | No |
+| `PPROF_PORT` | Port for pprof server | `6060` | No |
+| `MODE` | Runtime mode: `standalone` (default, no gRPC/auth) or `node` (enable gRPC + auth) | `standalone` | No |
+| `GRPC_ADDRESS` | gRPC server address/host used in `node` mode | `localhost` | No |
+| `GRPC_PORT` | gRPC server port used in `node` mode | `8080` | No |
+| `NODE_TOKEN` | Authentication token sent to controller in `node` mode | - (required in `node`) | Yes (node mode) |
+
+**Note:** All environment variables now use UPPERCASE naming. The application includes sensible defaults for all variables, so you can run it without a `.env` file for basic functionality.
+
+### Automatic TLS Certificate Management
+
+The server supports automatic TLS certificate generation and renewal using [CertMagic](https://github.com/caddyserver/certmagic) with Cloudflare DNS-01 challenge. This is required for wildcard certificate support (`*.yourdomain.com`).
+
+**Certificate Storage:**
+- TLS certificates are stored in `certs/tls/` (relative to application directory)
+- User-provided certificates: `certs/tls/cert.pem` and `certs/tls/privkey.pem`
+- CertMagic automatic certificates: `certs/tls/certmagic/`
+- SSH keys are stored separately in `certs/ssh/`
+
+**How it works:**
+1. If user-provided certificates exist at `certs/tls/cert.pem` and `certs/tls/privkey.pem` and cover both `DOMAIN` and `*.DOMAIN`, they will be used
+2. If certificates are missing, expired, expiring within 30 days, or don't cover the required domains, CertMagic will automatically obtain new certificates from Let's Encrypt
+3. Certificates are automatically renewed before expiration
+4. User-provided certificates support hot-reload (changes detected every 30 seconds)
+
+**Cloudflare API Token Setup:**
+
+To use automatic certificate generation, you need a Cloudflare API token with the following permissions:
+
+1. Go to [Cloudflare Dashboard](https://dash.cloudflare.com/profile/api-tokens)
+2. Click "Create Token"
+3. Use "Create Custom Token" with these permissions:
+   - **Zone → Zone → Read** (for all zones or specific zone)
+   - **Zone → DNS → Edit** (for all zones or specific zone)
+4. Copy the token and set it as `CF_API_TOKEN` environment variable
+
+**Example configuration for automatic certificates:**
+```env
+DOMAIN=example.com
+TLS_ENABLED=true
+CF_API_TOKEN=your_cloudflare_api_token_here
+ACME_EMAIL=admin@example.com
+# ACME_STAGING=true  # Uncomment for testing to avoid rate limits
+```
+
+### SSH Key Auto-Generation
+
+The application will automatically generate a new 4096-bit RSA key pair at `certs/ssh/id_rsa` if it doesn't exist. This makes it easier to get started without manually creating SSH keys. SSH keys are stored separately from TLS certificates.
+
+### Memory Optimization
+
+The application uses a buffer pool with controlled buffer sizes to prevent excessive memory usage under high concurrent loads. The `BUFFER_SIZE` environment variable controls the size of buffers used for io.Copy operations:
+
+- **Default:** 32768 bytes (32 KB) - Good balance for most scenarios
+- **Minimum:** 4096 bytes (4 KB) - Lower memory usage, more CPU overhead
+- **Maximum:** 1048576 bytes (1 MB) - Higher throughput, more memory usage
+
+**Recommended settings based on load:**
+- **Low traffic (<100 concurrent):** `BUFFER_SIZE=32768` (default)
+- **High traffic (>100 concurrent):** `BUFFER_SIZE=16384` or `BUFFER_SIZE=8192`
+- **Very high traffic (>1000 concurrent):** `BUFFER_SIZE=8192` or `BUFFER_SIZE=4096`
+
+The buffer pool reuses buffers across connections, preventing memory fragmentation and reducing garbage collection pressure.
+
+### Profiling with pprof
+
+To enable profiling for performance analysis:
+
+1. Set `PPROF_ENABLED=true` in your `.env` file
+2. Optionally set `PPROF_PORT` to your desired port (default: 6060)
+3. Access profiling data at `http://localhost:6060/debug/pprof/`
+
+Common pprof endpoints:
+- `/debug/pprof/` - Index page with available profiles
+- `/debug/pprof/heap` - Memory allocation profile
+- `/debug/pprof/goroutine` - Stack traces of all current goroutines
+- `/debug/pprof/profile` - CPU profile (30-second sample by default)
+- `/debug/pprof/trace` - Execution trace
+
+Example usage with `go tool pprof`:
+```bash
+# Analyze CPU profile
+go tool pprof http://localhost:6060/debug/pprof/profile?seconds=30
+
+# Analyze memory heap
+go tool pprof http://localhost:6060/debug/pprof/heap
+```
+
+## Docker Deployment
+
+Three Docker Compose configurations are available for different deployment scenarios. Each configuration uses the image `git.fossy.my.id/bagas/tunnel-please:latest`.
+
+### Configuration Options
+
+#### 1. Root with Host Networking (RECOMMENDED)
+
+**File:** `docker-compose.root.yml`
+
+**Advantages:**
+- Full TCP port forwarding support (ports 40000-41000)
+- Direct binding to privileged ports (80, 443, 2200)
+- Best performance with no NAT overhead
+- Maximum flexibility for all tunnel types
+- No port mapping limitations
+
+**Use Case:** Production deployments where you need unrestricted TCP forwarding and maximum performance.
+
+**Deploy:**
+```bash
+docker-compose -f docker-compose.root.yml up -d
+```
+
+#### 2. Standard (HTTP/HTTPS Only)
+
+**File:** `docker-compose.standard.yml`
+
+**Advantages:**
+- Runs with unprivileged user (more secure)
+- Standard port mappings (2200, 80, 443)
+- Simple and predictable networking
+- TCP port forwarding disabled (`ALLOWED_PORTS=none`)
+
+**Use Case:** Deployments where you only need HTTP/HTTPS tunneling without custom TCP port forwarding.
+
+**Deploy:**
+```bash
+docker-compose -f docker-compose.standard.yml up -d
+```
+
+#### 3. Limited TCP Forwarding
+
+**File:** `docker-compose.tcp.yml`
+
+**Advantages:**
+- Runs with unprivileged user (more secure)
+- Standard port mappings (2200, 80, 443)
+- Limited TCP forwarding (ports 30000-31000)
+- Controlled port range exposure
+
+**Use Case:** Deployments where you need both HTTP/HTTPS tunneling and limited TCP forwarding within a specific port range.
+
+**Deploy:**
+```bash
+docker-compose -f docker-compose.tcp.yml up -d
+```
+
+### Quick Start
+
+1. **Choose your configuration** based on your requirements
+2. **Edit the environment variables** in the chosen compose file:
+   - `DOMAIN`: Your domain name (e.g., `example.com`)
+   - `ACME_EMAIL`: Your email for Let's Encrypt
+   - `CF_API_TOKEN`: Your Cloudflare API token (if using automatic TLS)
+3. **Deploy:**
+   ```bash
+   docker-compose -f docker-compose.root.yml up -d
+   ```
+4. **Check logs:**
+   ```bash
+   docker-compose -f docker-compose.root.yml logs -f
+   ```
+5. **Stop the service:**
+   ```bash
+   docker-compose -f docker-compose.root.yml down
+   ```
+
+### Volume Management
+
+All configurations use a named volume `certs` for persistent storage:
+- SSH keys: `/app/certs/ssh/`
+- TLS certificates: `/app/certs/tls/`
+
+To backup certificates:
+```bash
+docker run --rm -v tunnel_pls_certs:/data -v $(pwd):/backup alpine tar czf /backup/certs-backup.tar.gz -C /data .
+```
+
+To restore certificates:
+```bash
+docker run --rm -v tunnel_pls_certs:/data -v $(pwd):/backup alpine tar xzf /backup/certs-backup.tar.gz -C /data
+```
+
+### Recommendation
+
+**Use `docker-compose.root.yml`** for production deployments if you need:
+- Full TCP port forwarding capabilities
+- Any port range configuration
+- Direct port binding without mapping overhead
+- Maximum performance and flexibility
+
+This is the recommended configuration for most use cases as it provides the complete feature set without limitations.
+
 ## Contributing
 Contributions are welcome!
 

certs/cert.pem

@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIUDYTdEDHwVznxV/qnn0/WVlHNMZAwDQYJKoZIhvcNAQEL
-BQAwgZYxCzAJBgNVBAYTAklEMQ8wDQYDVQQIDAZCYW50ZW4xGjAYBgNVBAcMEVRh
-bmdlcmFuZyBTZWxhdGFuMRIwEAYDVQQKDAlGb3NzeSBMVFMxDjAMBgNVBAsMBUZv
-c3N5MRQwEgYDVQQDDAtmb3NzeS5teS5pZDEgMB4GCSqGSIb3DQEJARYRYmFnYXNA
-Zm9zc3kubXkuaWQwHhcNMjUwMjA3MTYyMTU1WhcNMjYwMjA3MTYyMTU1WjCBljEL
-MAkGA1UEBhMCSUQxDzANBgNVBAgMBkJhbnRlbjEaMBgGA1UEBwwRVGFuZ2VyYW5n
-IFNlbGF0YW4xEjAQBgNVBAoMCUZvc3N5IExUUzEOMAwGA1UECwwFRm9zc3kxFDAS
-BgNVBAMMC2Zvc3N5Lm15LmlkMSAwHgYJKoZIhvcNAQkBFhFiYWdhc0Bmb3NzeS5t
-eS5pZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMU3pCA0eP+VR2CA
-+p3p0BgKw33xCKQmQx52jnqNbvwW4NMMDc3mS6a+wb6QB6v0WLGMI1g22TtJPatx
-7dcy4PCSOCV9xJ2Yfq5HlQgDHYoyE+juy4/pGlMjo45thJ0yI8zOSzaz2esosP22
-XkfFwj7oVMXXPIY6UovcAlGU+DFtwVrNa76/esUwJs+7M3tBubjkpcal0wXR+SIX
-3fmw5v0YzKV8qLGMGOvX6+OyLQCx4r9gB0d+WOrT6EfrPfAzo07NKjzWG9aWl1rk
-Q+h0i38hke2MTFxId7za57L+NlXRjLo3ESbBF0hjYquTQOG3jx/UvWs+I1NEfsdu
-vj8beiMCAwEAAaOBnjCBmzAfBgNVHSMEGDAWgBT6nj69+I+GSdgScjfOqnVFzX7G
-aTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAs
-BgNVHREEJTAjgglsb2NhbGhvc3SCCTEyNy4wLjAuMYILKi5sb2NhbGhvc3QwHQYD
-VR0OBBYEFD9ci20pAUTRLVWxvVXjfE2GKwSAMA0GCSqGSIb3DQEBCwUAA4IBAQAT
-rkjU+GzQy9B3/nd/79N7ozK80ygzmnRnj3ou/bbqUHOIYQQgKM1cuN6zh57ovRh/
-u45s6pZUOUVN59POFUCvqUiOgsDkY/auXGbKtzzqzoZABuvm85ySd6zurOOx8tA5
-e7ArX1ppy3LgzSb+cXANvzYC9bCwp70w2YylMFhwHBAp5TXRVqsqG6jujD8GMLoS
-zDSDx8M6o8gqWmPQve7Saim9mgLJUvvCYBzvowuNjzZrJfAeGoIfLV127xCQiylm
-fzUQ1Ac6udldWm9scA32nteSQMWg2d1nW3RG1nRondp13WUkgGQ490/c97D3MKLt
-D1HB5dLIYkRVHVhCKHT1
------END CERTIFICATE-----

certs/localhost.direct.SS.crt

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDjDCCAnSgAwIBAgIUPpuvw4ZdpnDBbwOZBt2ALfZykuYwDQYJKoZIhvcNAQEL
-BQAwPDELMAkGA1UEBhMCVUsxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u
-ZG9uMQswCQYDVQQLDAJIUTAeFw0yNDExMTkxNjQxNTNaFw0zNDExMTcxNjQxNTNa
-MDwxCzAJBgNVBAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRv
-bjELMAkGA1UECwwCSFEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD
-L/aeaBzgkYxDNiQq7+nt6tKDfGnPDfBXunJlr1xbZfIVpJeDqwrNLWaZ0gtHci5E
-sHptIpu5/uTBFaFyZVH604etY/YHIsff7BT2y32OobJYiKy2lvAI3/IDR4TGeDgA
-HKryOwMcB5DheBVdeggxj36m8OjxhVADaiKp7BNXE2eqUqk8f2QpwqLQYe9UaU9r
-WSJllNHOFk+RH17YBDiyyQ8CD1Vf5HcVSmPItWOMQytHcSgy0DHVXQCde86mky8t
-8Ik74GeNrM6f+vWR4OfQ8dU2WSyTUE4c7czagkToheMX5fbbzWJkJcd2SD9wvyIk
-tOot0YiZGQAoOedtGSEnAgMBAAGjgYUwgYIwCQYDVR0TBAIwADALBgNVHQ8EBAMC
-BeAwSQYDVR0RBEIwQIIQbG9jYWxob3N0LmRpcmVjdIISKi5sb2NhbGhvc3QuZGly
-ZWN0ghhTUy5jZXJ0LmxvY2FsaG9zdC5kaXJlY3QwHQYDVR0OBBYEFKBVeirQGZ4D
-4AKVPd7LGfCF1wEZMA0GCSqGSIb3DQEBCwUAA4IBAQCRpvsc5DrQBo8yATmUS0OK
-xfUXfZR28u3xYY+qMHi+ngIVT2TKJ1yoBJezV6WwQLkcGdWacULvPYt3jCFUtaP7
-+hzfs5y1FssFsXDx+r3pQxYyE6BX3BhlrJPJhLRyG1siTTgN439Qu40/TsTzNgAT
-A9GbAro+W6+qA4H92mBlyfQEOBossID/Kk95uvDnQguUOp0ZBLgFNRfE6Ra9+yC+
-ufAOksYDrisPE6kZId0Ra4Ln/GmrIXKjjmLCitq2q2REC/70JSCnaJcBYeThSJLZ
-AZ24AF+JteakSJ8FEgRGxvSu0wdZfnMobNoelsjai1p5l5mCTiD8GH9sQCkslnp3
------END CERTIFICATE-----

certs/localhost.direct.SS.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDL/aeaBzgkYxD
-NiQq7+nt6tKDfGnPDfBXunJlr1xbZfIVpJeDqwrNLWaZ0gtHci5EsHptIpu5/uTB
-FaFyZVH604etY/YHIsff7BT2y32OobJYiKy2lvAI3/IDR4TGeDgAHKryOwMcB5Dh
-eBVdeggxj36m8OjxhVADaiKp7BNXE2eqUqk8f2QpwqLQYe9UaU9rWSJllNHOFk+R
-H17YBDiyyQ8CD1Vf5HcVSmPItWOMQytHcSgy0DHVXQCde86mky8t8Ik74GeNrM6f
-+vWR4OfQ8dU2WSyTUE4c7czagkToheMX5fbbzWJkJcd2SD9wvyIktOot0YiZGQAo
-OedtGSEnAgMBAAECggEASXibb2MnQ4zl7ELL+HGYb5sNpLrHJU5M4ujmuMn6jNjh
-+C2dbs2KYlMtpMcAweMD8Y0weDYnwiplNx0KSYJECpNnJehTqrn33J0EAyXz3CWX
-eWXxBUXpkp2hfoSEQSTth3VDD60Q7ZMXgRdvi2EtBmLKPNLADHGu/aoM5ENdwE9/
-E80X68E+MT2czOY/sEI/w2Tf/S2ZVOHRvFOsmvTLFlbiElWG8pmguajpJwdae7uX
-c5VD87b0oYicSUvaHe6xOCCyyeBVq06sWk+vh6Tzrw6K/B+q0SYvzXdrdsJxbzUD
-PvhVi9rf9AC1Ncb6lFOP2ZjGfqYQvfgGXKqaVxXWQQKBgQD8frATynMSeR15oERa
-+Maa7r3GlwWV3tkUblX7/FxBo9UhAsivnWZprccZR43YPowbWNeU3AQppf/YDxmx
-70/RVTCMjXPGyspSS2iFtcp+K2KnIZA4BuAG/s1EBrAUW2KrtaTaXgYu9usgb+Fq
-dJUEBDWrL59XXtQUwSM1laH0BwKBgQDF5Z31VY96xOS7flmolq8Ag+frSMH0G4np
-3nUnTlUkgpFXE5FkmUccbYZv9QialAVriBBUNANPDBQH4PRrNnX8Z6B2HJbpAy30
-II9jPMTNKnXT3RKFcJCamNkOQhT0sBAwm4gTsx+7gbpdZxinxH0Cr/08sfU4lbee
-EtMV/J1h4QKBgC4MLLBvS20jCW0U/WJZ3F6FC7cb87jRW2WOeb/q1ihiaIwMpezh
-F7xOJPFHS2cUgRi7qxVKyreNvor4tgbtTfEvSBtZ8LNgaGV5uyYncTZxUxyH0nVl
-S5X7AhRV4+bSg7ws9FOesiH+hgL0ZHe1qzeATQlbNgQJF0RxtKohD9ghAoGAcM0N
-WIZInoYUivreSEZ7wiNt0qNKSsZXukLfLGRuC72Q8r1opprn+cBEXRSirtmorT6F
-cDmlmS0dTdBgAaytXA4FXM23B2KUkw7sLHi7BOcq+nSM1hrvke+F6aapI0AoOkyt
-J+12LP8pJ4xYdWh+iUWfZzVYvcQ5QZUhVOsFGoECgYA9llKmc/cFaXrCr97g7ls8
-ZWW1kQKLawAv6+90dwECJl+zpyQN/TURyEfz6oFJDbNEL0xAAcm9thDah177Tq95
-pcHbVn/pAI4h4CLzM2ExSe8Ybvy6iPZaBiCVXq3ms1PK0EDyYLH1p3FZqm+UStZh
-/6fYspyivrQEivRK3jGuWA==
------END PRIVATE KEY-----

certs/privkey.pem

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFN6QgNHj/lUdg
-gPqd6dAYCsN98QikJkMedo56jW78FuDTDA3N5kumvsG+kAer9FixjCNYNtk7ST2r
-ce3XMuDwkjglfcSdmH6uR5UIAx2KMhPo7suP6RpTI6OObYSdMiPMzks2s9nrKLD9
-tl5HxcI+6FTF1zyGOlKL3AJRlPgxbcFazWu+v3rFMCbPuzN7Qbm45KXGpdMF0fki
-F935sOb9GMylfKixjBjr1+vjsi0AseK/YAdHfljq0+hH6z3wM6NOzSo81hvWlpda
-5EPodIt/IZHtjExcSHe82uey/jZV0Yy6NxEmwRdIY2Krk0Dht48f1L1rPiNTRH7H
-br4/G3ojAgMBAAECggEAATiJ23ZhS1++squ87jsgAfR+TYP8Kpv408u/43Ig5KgC
-ZnwPUWqvP2e0TLwyhMKwXxHMt2nITxQlSnyCXU/5nk07BYxkqhiwEni4Xo86YK+H
-rQXEnKFaSHdF6dNNIo+VZiark4adS9XgJp0fsn0LnON7GhBt72MvPW6auxH1HJIC
-rcjnzJu/KzTVrId9QNsEDl9cNRlHXuPSfohdq2o39PBKGDeDEDTvP9wHtasEF6oe
-uj1OH5fAxiXptT0Ln0Y8QeFe8R8Odul5mUXCgMOkKmHZPDxTq9ldCuPjrz15JfnS
-T3MecaWdvChpIP2WybjLstJy9qXTl0fhRkpJWpaVbQKBgQDu9puq64vZn0jak7ns
-bFbKPemFw7tiiwwnqyzqCTRddw1vETJN/MgpRWvc7d1Cvzs2+Z2kn0Cgpdw/30Ej
-VRHiE/d1rj+u33F6vGBUBccRue1t0UdFMFF/YnlNDRRnljQgx4N3mezzNE2RikR8
-jVp+jvWTSTgf3y4Hip1ffCSNtQKBgQDTRx1huSzUOed/36YLdnxP+AlV3L+c/EKU
-GItKZk2bqRlqgs6wcsNlVjveb9o9j6M5pg/lh5HaqJyhj8DYVnEdmXfcQJiUfIPh
-5802asIXQVBmL9rTMR34wsr/lzzK3k0KORqFcUdf2fDI/UQNpVUJvWQQY8fl2sVo
-zmp88JAPdwKBgQCLC6fsvn5ztMF5nffTX/7oUzosgYXpgyshcfMCgzSbJgkFFaaF
-xo7ZpPFsbmQO0KMuC/T0s02xrJEKAWgvnPJ48FFPgoK/yHiJiE8s1OfOordK7Tlh
-QwpI6w3WDcRPuhC++hi/YSuFIGv6QdA0ATQk7B5tA2/K69wmuztzMhM6+QKBgH5E
-LwQbRfZj0L20bKjHHA4y32loLz/j5upZLM2/DDyuN9lW6a28OJiUi90pHdXSxSsL
-2s5DUmDKiiloH0lrh9i3wlFobYe4Tp0xCoyuCucZCrK3gODcptvnlqhfu15GsuYc
-MIR1qcFYH7YO3qAFIiha/rVo3Ku7LmWvjyayInaLAoGAZ/dELEAcyhImf1HvtmBT
-qNg4uI6t/2fvHdoAeQkkGjEDWFTGEaMp0cJEbETPD68TwNh5dL/xUJibTwMbK+m5
-rdIA2oTZMkFtWubIvMCrD/J6E+8Pzl+eK+0C0axO/I29S4veORNGWvCtqdFICDgZ
-CluJ0NZFeMH8g8tgfI9HnHc=
------END PRIVATE KEY-----

docker-compose.root.yml

@@ -0,0 +1,37 @@
+version: '3.8'
+
+services:
+  tunnel-please:
+    image: git.fossy.my.id/bagas/tunnel-please:latest
+    container_name: tunnel-please-root
+    user: root
+    network_mode: host
+    restart: unless-stopped
+    volumes:
+      - certs:/app/certs
+    environment:
+      DOMAIN: example.com
+      PORT: 2200
+      HTTP_PORT: 8080
+      HTTPS_PORT: 8443
+      TLS_ENABLED: "true"
+      TLS_REDIRECT: "true"
+      ACME_EMAIL: admin@example.com
+      CF_API_TOKEN: your_cloudflare_api_token_here
+      ACME_STAGING: "false"
+      CORS_LIST: http://localhost:3000,https://example.com
+      ALLOWED_PORTS: 40000-41000
+      BUFFER_SIZE: 32768
+      PPROF_ENABLED: "false"
+      PPROF_PORT: 6060
+    healthcheck:
+      test: ["CMD", "/bin/sh", "-c", "netstat -tln | grep -q :2200"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  certs:
+    driver: local
+

docker-compose.standard.yml

@@ -0,0 +1,39 @@
+version: '3.8'
+
+services:
+  tunnel-please:
+    image: git.fossy.my.id/bagas/tunnel-please:latest
+    container_name: tunnel-please-standard
+    restart: unless-stopped
+    ports:
+      - "2200:2200"
+      - "80:8080"
+      - "443:8443"
+    volumes:
+      - certs:/app/certs
+    environment:
+      DOMAIN: example.com
+      PORT: 2200
+      HTTP_PORT: 8080
+      HTTPS_PORT: 8443
+      TLS_ENABLED: "true"
+      TLS_REDIRECT: "true"
+      ACME_EMAIL: admin@example.com
+      CF_API_TOKEN: your_cloudflare_api_token_here
+      ACME_STAGING: "false"
+      CORS_LIST: http://localhost:3000,https://example.com
+      ALLOWED_PORTS: none
+      BUFFER_SIZE: 32768
+      PPROF_ENABLED: "false"
+      PPROF_PORT: 6060
+    healthcheck:
+      test: ["CMD", "/bin/sh", "-c", "netstat -tln | grep -q :2200"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  certs:
+    driver: local
+

docker-compose.tcp.yml

@@ -0,0 +1,40 @@
+version: '3.8'
+
+services:
+  tunnel-please:
+    image: git.fossy.my.id/bagas/tunnel-please:latest
+    container_name: tunnel-please-tcp
+    restart: unless-stopped
+    ports:
+      - "2200:2200"
+      - "80:8080"
+      - "443:8443"
+      - "30000-31000:30000-31000"
+    volumes:
+      - certs:/app/certs
+    environment:
+      DOMAIN: example.com
+      PORT: 2200
+      HTTP_PORT: 8080
+      HTTPS_PORT: 8443
+      TLS_ENABLED: "true"
+      TLS_REDIRECT: "true"
+      ACME_EMAIL: admin@example.com
+      CF_API_TOKEN: your_cloudflare_api_token_here
+      ACME_STAGING: "false"
+      CORS_LIST: http://localhost:3000,https://example.com
+      ALLOWED_PORTS: 30000-31000
+      BUFFER_SIZE: 32768
+      PPROF_ENABLED: "false"
+      PPROF_PORT: 6060
+    healthcheck:
+      test: ["CMD", "/bin/sh", "-c", "netstat -tln | grep -q :2200"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  certs:
+    driver: local
+

go.mod

@@ -1,10 +1,55 @@
 module tunnel_pls
 
-go 1.24.4
+go 1.25.5
 
 require (
+	git.fossy.my.id/bagas/tunnel-please-grpc v1.5.0
+	github.com/caddyserver/certmagic v0.25.0
+	github.com/charmbracelet/bubbles v0.21.0
+	github.com/charmbracelet/bubbletea v1.3.10
+	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/joho/godotenv v1.5.1
-	golang.org/x/crypto v0.45.0
+	github.com/libdns/cloudflare v0.2.2
+	github.com/muesli/termenv v0.16.0
+	golang.org/x/crypto v0.46.0
+	google.golang.org/grpc v1.78.0
+	google.golang.org/protobuf v1.36.11
 )
 
-require golang.org/x/sys v0.38.0 // indirect
+require (
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/charmbracelet/colorprofile v0.4.1 // indirect
+	github.com/charmbracelet/x/ansi v0.11.3 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.14 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
+	github.com/clipperhouse/displaywidth v0.6.2 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/libdns/libdns v1.1.1 // indirect
+	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mholt/acmez/v3 v3.1.4 // indirect
+	github.com/miekg/dns v1.1.69 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/sahilm/fuzzy v0.1.1 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
+	go.uber.org/zap/exp v0.3.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+)

go.sum

@@ -1,13 +1,146 @@
+git.fossy.my.id/bagas/tunnel-please-grpc v1.3.0 h1:RhcBKUG41/om4jgN+iF/vlY/RojTeX1QhBa4p4428ec=
+git.fossy.my.id/bagas/tunnel-please-grpc v1.3.0/go.mod h1:fG+VkArdkceGB0bNA7IFQus9GetLAwdF5Oi4jdMlXtY=
+git.fossy.my.id/bagas/tunnel-please-grpc v1.4.0 h1:tpJSKjaSmV+vxxbVx6qnStjxFVXjj2M0rygWXxLb99o=
+git.fossy.my.id/bagas/tunnel-please-grpc v1.4.0/go.mod h1:fG+VkArdkceGB0bNA7IFQus9GetLAwdF5Oi4jdMlXtY=
+git.fossy.my.id/bagas/tunnel-please-grpc v1.5.0 h1:3xszIhck4wo9CoeRq9vnkar4PhY7kz9QrR30qj2XszA=
+git.fossy.my.id/bagas/tunnel-please-grpc v1.5.0/go.mod h1:Weh6ZujgWmT8XxD3Qba7sJ6r5eyUMB9XSWynqdyOoLo=
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/aymanbagabas/go-udiff v0.2.0 h1:TK0fH4MteXUDspT88n8CKzvK0X9O2xu9yQjWpi6yML8=
+github.com/aymanbagabas/go-udiff v0.2.0/go.mod h1:RE4Ex0qsGkTAJoQdQQCA0uG+nAzJO/pI/QwceO5fgrA=
+github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
+github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
+github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
+github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
+github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
+github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
+github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
+github.com/charmbracelet/colorprofile v0.4.1 h1:a1lO03qTrSIRaK8c3JRxJDZOvhvIeSco3ej+ngLk1kk=
+github.com/charmbracelet/colorprofile v0.4.1/go.mod h1:U1d9Dljmdf9DLegaJ0nGZNJvoXAhayhmidOdcBwAvKk=
+github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
+github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
+github.com/charmbracelet/x/ansi v0.11.3 h1:6DcVaqWI82BBVM/atTyq6yBoRLZFBsnoDoX9GCu2YOI=
+github.com/charmbracelet/x/ansi v0.11.3/go.mod h1:yI7Zslym9tCJcedxz5+WBq+eUGMJT0bM06Fqy1/Y4dI=
+github.com/charmbracelet/x/cellbuf v0.0.14 h1:iUEMryGyFTelKW3THW4+FfPgi4fkmKnnaLOXuc+/Kj4=
+github.com/charmbracelet/x/cellbuf v0.0.14/go.mod h1:P447lJl49ywBbil/KjCk2HexGh4tEY9LH0/1QrZZ9rA=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
+github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
+github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
+github.com/clipperhouse/displaywidth v0.6.2 h1:ZDpTkFfpHOKte4RG5O/BOyf3ysnvFswpyYrV7z2uAKo=
+github.com/clipperhouse/displaywidth v0.6.2/go.mod h1:R+kHuzaYWFkTm7xoMmK1lFydbci4X2CicfbGstSGg0o=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
+github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+github.com/libdns/cloudflare v0.2.2/go.mod h1:w9uTmRCDlAoafAsTPnn2nJ0XHK/eaUMh86DUk8BWi60=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
+github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
+github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
+github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
+github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
+github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
+github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
+github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
+github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
+github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
+github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
+go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
+go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/config/config.go

@@ -0,0 +1,35 @@
+package config
+
+import (
+	"log"
+	"os"
+	"strconv"
+
+	"github.com/joho/godotenv"
+)
+
+func init() {
+	if _, err := os.Stat(".env"); err == nil {
+		if err := godotenv.Load(".env"); err != nil {
+			log.Printf("Warning: Failed to load .env file: %s", err)
+		}
+	}
+}
+
+func Getenv(key, defaultValue string) string {
+	val := os.Getenv(key)
+	if val == "" {
+		val = defaultValue
+	}
+
+	return val
+}
+
+func GetBufferSize() int {
+	sizeStr := Getenv("BUFFER_SIZE", "32768")
+	size, err := strconv.Atoi(sizeStr)
+	if err != nil || size < 4096 || size > 1048576 {
+		return 32768
+	}
+	return size
+}

internal/grpc/client/client.go

@@ -0,0 +1,474 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"time"
+	"tunnel_pls/internal/config"
+	"tunnel_pls/types"
+
+	"tunnel_pls/session"
+
+	proto "git.fossy.my.id/bagas/tunnel-please-grpc/gen"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/keepalive"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+type GrpcConfig struct {
+	Address             string
+	UseTLS              bool
+	InsecureSkipVerify  bool
+	Timeout             time.Duration
+	KeepAlive           bool
+	MaxRetries          int
+	KeepAliveTime       time.Duration
+	KeepAliveTimeout    time.Duration
+	PermitWithoutStream bool
+}
+
+type Client struct {
+	conn                       *grpc.ClientConn
+	config                     *GrpcConfig
+	sessionRegistry            session.Registry
+	eventService               proto.EventServiceClient
+	authorizeConnectionService proto.UserServiceClient
+	closing                    bool
+}
+
+func DefaultConfig() *GrpcConfig {
+	return &GrpcConfig{
+		Address:             "localhost:50051",
+		UseTLS:              false,
+		InsecureSkipVerify:  false,
+		Timeout:             10 * time.Second,
+		KeepAlive:           true,
+		MaxRetries:          3,
+		KeepAliveTime:       2 * time.Minute,
+		KeepAliveTimeout:    10 * time.Second,
+		PermitWithoutStream: false,
+	}
+}
+
+func New(config *GrpcConfig, sessionRegistry session.Registry) (*Client, error) {
+	if config == nil {
+		config = DefaultConfig()
+	} else {
+		defaults := DefaultConfig()
+		if config.Address == "" {
+			config.Address = defaults.Address
+		}
+		if config.Timeout == 0 {
+			config.Timeout = defaults.Timeout
+		}
+		if config.MaxRetries == 0 {
+			config.MaxRetries = defaults.MaxRetries
+		}
+		if config.KeepAliveTime == 0 {
+			config.KeepAliveTime = defaults.KeepAliveTime
+		}
+		if config.KeepAliveTimeout == 0 {
+			config.KeepAliveTimeout = defaults.KeepAliveTimeout
+		}
+	}
+
+	var opts []grpc.DialOption
+
+	if config.UseTLS {
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: config.InsecureSkipVerify,
+		}
+		creds := credentials.NewTLS(tlsConfig)
+		opts = append(opts, grpc.WithTransportCredentials(creds))
+	} else {
+		opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	}
+
+	if config.KeepAlive {
+		kaParams := keepalive.ClientParameters{
+			Time:                config.KeepAliveTime,
+			Timeout:             config.KeepAliveTimeout,
+			PermitWithoutStream: config.PermitWithoutStream,
+		}
+		opts = append(opts, grpc.WithKeepaliveParams(kaParams))
+	}
+
+	opts = append(opts,
+		grpc.WithDefaultCallOptions(
+			grpc.MaxCallRecvMsgSize(4*1024*1024),
+			grpc.MaxCallSendMsgSize(4*1024*1024),
+		),
+	)
+
+	conn, err := grpc.NewClient(config.Address, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to gRPC server at %s: %w", config.Address, err)
+	}
+
+	eventService := proto.NewEventServiceClient(conn)
+	authorizeConnectionService := proto.NewUserServiceClient(conn)
+
+	return &Client{
+		conn:                       conn,
+		config:                     config,
+		sessionRegistry:            sessionRegistry,
+		eventService:               eventService,
+		authorizeConnectionService: authorizeConnectionService,
+	}, nil
+}
+
+func (c *Client) SubscribeEvents(ctx context.Context, identity, authToken string) error {
+	const (
+		baseBackoff = time.Second
+		maxBackoff  = 30 * time.Second
+	)
+
+	backoff := baseBackoff
+	wait := func() error {
+		if backoff <= 0 {
+			return nil
+		}
+		select {
+		case <-time.After(backoff):
+			return nil
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	growBackoff := func() {
+		backoff *= 2
+		if backoff > maxBackoff {
+			backoff = maxBackoff
+		}
+	}
+
+	for {
+		subscribe, err := c.eventService.Subscribe(ctx)
+		if err != nil {
+			if errors.Is(err, context.Canceled) || status.Code(err) == codes.Canceled || ctx.Err() != nil {
+				return err
+			}
+			if !c.isConnectionError(err) || status.Code(err) == codes.Unauthenticated {
+				return err
+			}
+			if err = wait(); err != nil {
+				return err
+			}
+			growBackoff()
+			log.Printf("Reconnect to controller within %v sec", backoff.Seconds())
+			continue
+		}
+
+		err = subscribe.Send(&proto.Node{
+			Type: proto.EventType_AUTHENTICATION,
+			Payload: &proto.Node_AuthEvent{
+				AuthEvent: &proto.Authentication{
+					Identity:  identity,
+					AuthToken: authToken,
+				},
+			},
+		})
+
+		if err != nil {
+			log.Println("Authentication failed to send to gRPC server:", err)
+			if c.isConnectionError(err) {
+				if err = wait(); err != nil {
+					return err
+				}
+				growBackoff()
+				continue
+			}
+			return err
+		}
+		log.Println("Authentication Successfully sent to gRPC server")
+		backoff = baseBackoff
+
+		if err = c.processEventStream(subscribe); err != nil {
+			if errors.Is(err, context.Canceled) || status.Code(err) == codes.Canceled || ctx.Err() != nil {
+				return err
+			}
+			if c.isConnectionError(err) {
+				log.Printf("Reconnect to controller within %v sec", backoff.Seconds())
+				if err = wait(); err != nil {
+					return err
+				}
+				growBackoff()
+				continue
+			}
+			return err
+		}
+	}
+}
+
+func (c *Client) processEventStream(subscribe grpc.BidiStreamingClient[proto.Node, proto.Events]) error {
+	for {
+		recv, err := subscribe.Recv()
+		if err != nil {
+			return err
+		}
+		switch recv.GetType() {
+		case proto.EventType_SLUG_CHANGE:
+			user := recv.GetSlugEvent().GetUser()
+			oldSlug := recv.GetSlugEvent().GetOld()
+			newSlug := recv.GetSlugEvent().GetNew()
+			var userSession *session.SSHSession
+			userSession, err = c.sessionRegistry.Get(types.SessionKey{
+				Id:   oldSlug,
+				Type: types.HTTP,
+			})
+			if err != nil {
+				errSend := subscribe.Send(&proto.Node{
+					Type: proto.EventType_SLUG_CHANGE_RESPONSE,
+					Payload: &proto.Node_SlugEventResponse{
+						SlugEventResponse: &proto.SlugChangeEventResponse{
+							Success: false,
+							Message: err.Error(),
+						},
+					},
+				})
+				if errSend != nil {
+					if c.isConnectionError(errSend) {
+						return errSend
+					}
+					log.Printf("non-connection send error for slug change failure: %v", errSend)
+				}
+				continue
+			}
+			err = c.sessionRegistry.Update(user, types.SessionKey{
+				Id:   oldSlug,
+				Type: types.HTTP,
+			}, types.SessionKey{
+				Id:   newSlug,
+				Type: types.HTTP,
+			})
+			if err != nil {
+				errSend := subscribe.Send(&proto.Node{
+					Type: proto.EventType_SLUG_CHANGE_RESPONSE,
+					Payload: &proto.Node_SlugEventResponse{
+						SlugEventResponse: &proto.SlugChangeEventResponse{
+							Success: false,
+							Message: err.Error(),
+						},
+					},
+				})
+				if errSend != nil {
+					if c.isConnectionError(errSend) {
+						return errSend
+					}
+					log.Printf("non-connection send error for slug change failure: %v", errSend)
+				}
+				continue
+			}
+			userSession.GetInteraction().Redraw()
+			err = subscribe.Send(&proto.Node{
+				Type: proto.EventType_SLUG_CHANGE_RESPONSE,
+				Payload: &proto.Node_SlugEventResponse{
+					SlugEventResponse: &proto.SlugChangeEventResponse{
+						Success: true,
+						Message: "",
+					},
+				},
+			})
+			if err != nil {
+				if c.isConnectionError(err) {
+					log.Printf("connection error sending slug change success: %v", err)
+					return err
+				}
+				log.Printf("non-connection send error for slug change success: %v", err)
+				continue
+			}
+		case proto.EventType_GET_SESSIONS:
+			sessions := c.sessionRegistry.GetAllSessionFromUser(recv.GetGetSessionsEvent().GetIdentity())
+			var details []*proto.Detail
+			for _, ses := range sessions {
+				detail := ses.Detail()
+				details = append(details, &proto.Detail{
+					Node:           config.Getenv("DOMAIN", "localhost"),
+					ForwardingType: detail.ForwardingType,
+					Slug:           detail.Slug,
+					UserId:         detail.UserID,
+					Active:         detail.Active,
+					StartedAt:      timestamppb.New(detail.StartedAt),
+				})
+			}
+			err = subscribe.Send(&proto.Node{
+				Type: proto.EventType_GET_SESSIONS,
+				Payload: &proto.Node_GetSessionsEvent{
+					GetSessionsEvent: &proto.GetSessionsResponse{
+						Details: details,
+					},
+				},
+			})
+			if err != nil {
+				if c.isConnectionError(err) {
+					log.Printf("connection error sending sessions success: %v", err)
+					return err
+				}
+				log.Printf("non-connection send error for sessions success: %v", err)
+				continue
+			}
+		case proto.EventType_TERMINATE_SESSION:
+			user := recv.GetTerminateSessionEvent().GetUser()
+			tunnelTypeRaw := recv.GetTerminateSessionEvent().GetTunnelType()
+			slug := recv.GetTerminateSessionEvent().GetSlug()
+
+			var userSession *session.SSHSession
+			var tunnelType types.TunnelType
+			if tunnelTypeRaw == proto.TunnelType_HTTP {
+				tunnelType = types.HTTP
+			} else if tunnelTypeRaw == proto.TunnelType_TCP {
+				tunnelType = types.TCP
+			} else {
+				err = subscribe.Send(&proto.Node{
+					Type: proto.EventType_TERMINATE_SESSION,
+					Payload: &proto.Node_TerminateSessionEventResponse{
+						TerminateSessionEventResponse: &proto.TerminateSessionEventResponse{
+							Success: false,
+							Message: "unknown tunnel type recived",
+						},
+					},
+				})
+				if err != nil {
+					if c.isConnectionError(err) {
+						log.Printf("connection error sending sessions success: %v", err)
+						return err
+					}
+					log.Printf("non-connection send error for sessions success: %v", err)
+				}
+				continue
+			}
+			userSession, err = c.sessionRegistry.GetWithUser(user, types.SessionKey{
+				Id:   slug,
+				Type: tunnelType,
+			})
+			if err != nil {
+				err = subscribe.Send(&proto.Node{
+					Type: proto.EventType_TERMINATE_SESSION,
+					Payload: &proto.Node_TerminateSessionEventResponse{
+						TerminateSessionEventResponse: &proto.TerminateSessionEventResponse{
+							Success: false,
+							Message: err.Error(),
+						},
+					},
+				})
+				if err != nil {
+					if c.isConnectionError(err) {
+						log.Printf("connection error sending sessions success: %v", err)
+						return err
+					}
+					log.Printf("non-connection send error for sessions success: %v", err)
+				}
+				continue
+			}
+			err = userSession.GetLifecycle().Close()
+			if err != nil {
+				err = subscribe.Send(&proto.Node{
+					Type: proto.EventType_TERMINATE_SESSION,
+					Payload: &proto.Node_TerminateSessionEventResponse{
+						TerminateSessionEventResponse: &proto.TerminateSessionEventResponse{
+							Success: false,
+							Message: err.Error(),
+						},
+					},
+				})
+				if err != nil {
+					if c.isConnectionError(err) {
+						log.Printf("connection error sending sessions success: %v", err)
+						return err
+					}
+					log.Printf("non-connection send error for sessions success: %v", err)
+				}
+				continue
+			}
+			err = subscribe.Send(&proto.Node{
+				Type: proto.EventType_TERMINATE_SESSION,
+				Payload: &proto.Node_TerminateSessionEventResponse{
+					TerminateSessionEventResponse: &proto.TerminateSessionEventResponse{
+						Success: true,
+						Message: "",
+					},
+				},
+			})
+			if err != nil {
+				if c.isConnectionError(err) {
+					log.Printf("connection error sending sessions success: %v", err)
+					return err
+				}
+				log.Printf("non-connection send error for sessions success: %v", err)
+				continue
+			}
+		default:
+			log.Printf("Unknown event type received: %v", recv.GetType())
+		}
+	}
+}
+
+func (c *Client) GetConnection() *grpc.ClientConn {
+	return c.conn
+}
+
+func (c *Client) AuthorizeConn(ctx context.Context, token string) (authorized bool, user string, err error) {
+	check, err := c.authorizeConnectionService.Check(ctx, &proto.CheckRequest{AuthToken: token})
+	if err != nil {
+		return false, "UNAUTHORIZED", err
+	}
+
+	if check.GetResponse() == proto.AuthorizationResponse_MESSAGE_TYPE_UNAUTHORIZED {
+		return false, "UNAUTHORIZED", nil
+	}
+	return true, check.GetUser(), nil
+}
+
+func (c *Client) Close() error {
+	if c.conn != nil {
+		log.Printf("Closing gRPC connection to %s", c.config.Address)
+		c.closing = true
+		return c.conn.Close()
+	}
+	return nil
+}
+
+func (c *Client) CheckServerHealth(ctx context.Context) error {
+	healthClient := grpc_health_v1.NewHealthClient(c.GetConnection())
+	resp, err := healthClient.Check(ctx, &grpc_health_v1.HealthCheckRequest{
+		Service: "",
+	})
+	if err != nil {
+		return fmt.Errorf("health check failed: %w", err)
+	}
+	if resp.Status != grpc_health_v1.HealthCheckResponse_SERVING {
+		return fmt.Errorf("server not serving: %v", resp.Status)
+	}
+	return nil
+}
+
+func (c *Client) GetConfig() *GrpcConfig {
+	return c.config
+}
+
+func (c *Client) isConnectionError(err error) bool {
+	if c.closing {
+		return false
+	}
+	if err == nil {
+		return false
+	}
+	if errors.Is(err, io.EOF) {
+		return true
+	}
+	switch status.Code(err) {
+	case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded:
+		return true
+	default:
+		return false
+	}
+}

internal/key/key.go

@@ -0,0 +1,67 @@
+package key
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"log"
+	"os"
+	"path/filepath"
+
+	"golang.org/x/crypto/ssh"
+)
+
+func GenerateSSHKeyIfNotExist(keyPath string) error {
+	if _, err := os.Stat(keyPath); err == nil {
+		log.Printf("SSH key already exists at %s", keyPath)
+		return nil
+	}
+
+	log.Printf("SSH key not found at %s, generating new key pair...", keyPath)
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return err
+	}
+
+	privateKeyPEM := &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+	}
+
+	dir := filepath.Dir(keyPath)
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return err
+	}
+
+	privateKeyFile, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer privateKeyFile.Close()
+
+	if err := pem.Encode(privateKeyFile, privateKeyPEM); err != nil {
+		return err
+	}
+
+	publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)
+	if err != nil {
+		return err
+	}
+
+	pubKeyPath := keyPath + ".pub"
+	pubKeyFile, err := os.OpenFile(pubKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+	defer pubKeyFile.Close()
+
+	_, err = pubKeyFile.Write(ssh.MarshalAuthorizedKey(publicKey))
+	if err != nil {
+		return err
+	}
+
+	log.Printf("SSH key pair generated successfully at %s and %s", keyPath, pubKeyPath)
+	return nil
+}

internal/port/port.go

@@ -6,39 +6,50 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"tunnel_pls/utils"
+	"tunnel_pls/internal/config"
 )
 
-type PortManager struct {
+type Manager interface {
+	AddPortRange(startPort, endPort uint16) error
+	GetUnassignedPort() (uint16, bool)
+	SetPortStatus(port uint16, assigned bool) error
+	GetPortStatus(port uint16) (bool, bool)
+}
+
+type manager struct {
 	mu          sync.RWMutex
 	ports       map[uint16]bool
 	sortedPorts []uint16
 }
 
-var Manager = PortManager{
+var Default Manager = &manager{
 	ports:       make(map[uint16]bool),
 	sortedPorts: []uint16{},
 }
 
 func init() {
-	rawRange := utils.Getenv("ALLOWED_PORTS")
+	rawRange := config.Getenv("ALLOWED_PORTS", "")
+	if rawRange == "" {
+		return
+	}
+
 	splitRange := strings.Split(rawRange, "-")
 	if len(splitRange) != 2 {
-		Manager.AddPortRange(30000, 31000)
+		return
-	} else {
+	}
+
 	start, err := strconv.ParseUint(splitRange[0], 10, 16)
 	if err != nil {
-			start = 30000
+		return
 	}
 	end, err := strconv.ParseUint(splitRange[1], 10, 16)
 	if err != nil {
-			end = 31000
+		return
-		}
-		Manager.AddPortRange(uint16(start), uint16(end))
 	}
+	_ = Default.AddPortRange(uint16(start), uint16(end))
 }
 
-func (pm *PortManager) AddPortRange(startPort, endPort uint16) error {
+func (pm *manager) AddPortRange(startPort, endPort uint16) error {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
@@ -57,7 +68,7 @@ func (pm *PortManager) AddPortRange(startPort, endPort uint16) error {
 	return nil
 }
 
-func (pm *PortManager) GetUnassignedPort() (uint16, bool) {
+func (pm *manager) GetUnassignedPort() (uint16, bool) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
@@ -70,7 +81,7 @@ func (pm *PortManager) GetUnassignedPort() (uint16, bool) {
 	return 0, false
 }
 
-func (pm *PortManager) SetPortStatus(port uint16, assigned bool) error {
+func (pm *manager) SetPortStatus(port uint16, assigned bool) error {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
@@ -78,7 +89,7 @@ func (pm *PortManager) SetPortStatus(port uint16, assigned bool) error {
 	return nil
 }
 
-func (pm *PortManager) GetPortStatus(port uint16) (bool, bool) {
+func (pm *manager) GetPortStatus(port uint16) (bool, bool) {
 	pm.mu.RLock()
 	defer pm.mu.RUnlock()
 

internal/random/random.go

@@ -0,0 +1,18 @@
+package random
+
+import (
+	mathrand "math/rand"
+	"strings"
+	"time"
+)
+
+func GenerateRandomString(length int) string {
+	const charset = "abcdefghijklmnopqrstuvwxyz"
+	seededRand := mathrand.New(mathrand.NewSource(time.Now().UnixNano() + int64(mathrand.Intn(9999))))
+	var result strings.Builder
+	for i := 0; i < length; i++ {
+		randomIndex := seededRand.Intn(len(charset))
+		result.WriteString(string(charset[randomIndex]))
+	}
+	return result.String()
+}

main.go

@@ -1,24 +1,63 @@
 package main
 
 import (
+	"context"
+	"fmt"
 	"log"
+	"net/http"
+	_ "net/http/pprof"
 	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+	"tunnel_pls/internal/config"
+	"tunnel_pls/internal/grpc/client"
+	"tunnel_pls/internal/key"
 	"tunnel_pls/server"
-	"tunnel_pls/utils"
+	"tunnel_pls/session"
+	"tunnel_pls/version"
 
 	"golang.org/x/crypto/ssh"
 )
 
 func main() {
+	if len(os.Args) > 1 && (os.Args[1] == "--version" || os.Args[1] == "-v") {
+		fmt.Println(version.GetVersion())
+		os.Exit(0)
+	}
+
 	log.SetOutput(os.Stdout)
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
 
-	sshConfig := &ssh.ServerConfig{
+	log.Printf("Starting %s", version.GetVersion())
-		NoClientAuth:  true,
+
-		ServerVersion: "SSH-2.0-TunnlPls-1.0",
+	mode := strings.ToLower(config.Getenv("MODE", "standalone"))
+	isNodeMode := mode == "node"
+
+	pprofEnabled := config.Getenv("PPROF_ENABLED", "false")
+	if pprofEnabled == "true" {
+		pprofPort := config.Getenv("PPROF_PORT", "6060")
+		go func() {
+			pprofAddr := fmt.Sprintf("localhost:%s", pprofPort)
+			log.Printf("Starting pprof server on http://%s/debug/pprof/", pprofAddr)
+			if err := http.ListenAndServe(pprofAddr, nil); err != nil {
+				log.Printf("pprof server error: %v", err)
+			}
+		}()
 	}
 
-	privateBytes, err := os.ReadFile(utils.Getenv("ssh_private_key"))
+	sshConfig := &ssh.ServerConfig{
+		NoClientAuth:  true,
+		ServerVersion: fmt.Sprintf("SSH-2.0-TunnlPls-%s", version.GetShortVersion()),
+	}
+
+	sshKeyPath := "certs/ssh/id_rsa"
+	if err := key.GenerateSSHKeyIfNotExist(sshKeyPath); err != nil {
+		log.Fatalf("Failed to generate SSH key: %s", err)
+	}
+
+	privateBytes, err := os.ReadFile(sshKeyPath)
 	if err != nil {
 		log.Fatalf("Failed to load private key: %s", err)
 	}
@@ -29,6 +68,74 @@ func main() {
 	}
 
 	sshConfig.AddHostKey(private)
-	app := server.NewServer(sshConfig)
+	sessionRegistry := session.NewRegistry()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	errChan := make(chan error, 2)
+	shutdownChan := make(chan os.Signal, 1)
+	signal.Notify(shutdownChan, os.Interrupt, syscall.SIGTERM)
+
+	var grpcClient *client.Client
+	if isNodeMode {
+		grpcHost := config.Getenv("GRPC_ADDRESS", "localhost")
+		grpcPort := config.Getenv("GRPC_PORT", "8080")
+		grpcAddr := fmt.Sprintf("%s:%s", grpcHost, grpcPort)
+		nodeToken := config.Getenv("NODE_TOKEN", "")
+		if nodeToken == "" {
+			log.Fatalf("NODE_TOKEN is required in node mode")
+		}
+
+		c, err := client.New(&client.GrpcConfig{
+			Address:            grpcAddr,
+			UseTLS:             false,
+			InsecureSkipVerify: false,
+			Timeout:            10 * time.Second,
+			KeepAlive:          true,
+			MaxRetries:         3,
+		}, sessionRegistry)
+		if err != nil {
+			log.Fatalf("failed to create grpc client: %v", err)
+		}
+		grpcClient = c
+
+		healthCtx, healthCancel := context.WithTimeout(ctx, 5*time.Second)
+		if err := grpcClient.CheckServerHealth(healthCtx); err != nil {
+			healthCancel()
+			log.Fatalf("gRPC health check failed: %v", err)
+		}
+		healthCancel()
+
+		go func() {
+			identity := config.Getenv("DOMAIN", "localhost")
+			if err := grpcClient.SubscribeEvents(ctx, identity, nodeToken); err != nil {
+				errChan <- fmt.Errorf("failed to subscribe to events: %w", err)
+			}
+		}()
+	}
+
+	go func() {
+		app, err := server.NewServer(sshConfig, sessionRegistry, grpcClient)
+		if err != nil {
+			errChan <- fmt.Errorf("failed to start server: %s", err)
+			return
+		}
 		app.Start()
+	}()
+
+	select {
+	case err := <-errChan:
+		log.Printf("error happen : %s", err)
+	case sig := <-shutdownChan:
+		log.Printf("received signal %s, shutting down", sig)
+	}
+
+	cancel()
+
+	if grpcClient != nil {
+		if err := grpcClient.Close(); err != nil {
+			log.Printf("failed to close grpc conn : %s", err)
+		}
+	}
 }

renovate-config.js

@@ -0,0 +1,8 @@
+module.exports = {
+    "endpoint": "https://git.fossy.my.id/api/v1",
+    "gitAuthor": "Renovate-Clanker <renovate-bot@fossy.my.id>",
+    "platform": "gitea",
+    "onboardingConfigFileName": "renovate.json",
+    "autodiscover": true,
+    "optimizeForDisabled": true,
+};

renovate.json

@@ -0,0 +1,19 @@
+{
+  "extends": [
+    "config:recommended"
+  ],
+  "packageRules": [
+    {
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": true,
+      "baseBranchPatterns": [
+        "staging"
+      ]
+    }
+  ]
+}

server/handler.go

@@ -1,28 +0,0 @@
-package server
-
-import (
-	"log"
-	"net"
-	"tunnel_pls/session"
-
-	"golang.org/x/crypto/ssh"
-)
-
-func (s *Server) handleConnection(conn net.Conn) {
-	sshConn, chans, forwardingReqs, err := ssh.NewServerConn(conn, s.Config)
-	if err != nil {
-		log.Printf("failed to establish SSH connection: %v", err)
-		err := conn.Close()
-		if err != nil {
-			log.Printf("failed to close SSH connection: %v", err)
-			return
-		}
-		return
-	}
-
-	log.Println("SSH connection established:", sshConn.User())
-
-	session.New(sshConn, forwardingReqs, chans)
-
-	return
-}

server/header.go

@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
-	"strings"
 )
 
 type HeaderManager interface {
@@ -14,63 +13,169 @@ type HeaderManager interface {
 	Finalize() []byte
 }
 
-type ResponseHeaderFactory struct {
+type ResponseHeaderManager interface {
+	Get(key string) string
+	Set(key string, value string)
+	Remove(key string)
+	Finalize() []byte
+}
+
+type RequestHeaderManager interface {
+	Get(key string) string
+	Set(key string, value string)
+	Remove(key string)
+	Finalize() []byte
+	GetMethod() string
+	GetPath() string
+	GetVersion() string
+}
+
+type responseHeaderFactory struct {
 	startLine []byte
 	headers   map[string]string
 }
 
-type RequestHeaderFactory struct {
+type requestHeaderFactory struct {
-	Method    string
+	method    string
-	Path      string
+	path      string
-	Version   string
+	version   string
 	startLine []byte
 	headers   map[string]string
 }
 
-func NewRequestHeaderFactory(br *bufio.Reader) (*RequestHeaderFactory, error) {
+func NewRequestHeaderFactory(r interface{}) (RequestHeaderManager, error) {
-	header := &RequestHeaderFactory{
+	switch v := r.(type) {
-		headers: make(map[string]string),
+	case []byte:
+		return parseHeadersFromBytes(v)
+	case *bufio.Reader:
+		return parseHeadersFromReader(v)
+	default:
+		return nil, fmt.Errorf("unsupported type: %T", r)
+	}
+}
+
+func parseHeadersFromBytes(headerData []byte) (RequestHeaderManager, error) {
+	header := &requestHeaderFactory{
+		headers: make(map[string]string, 16),
 	}
 
-	startLine, err := br.ReadString('\n')
+	lineEnd := bytes.IndexByte(headerData, '\n')
-	if err != nil {
+	if lineEnd == -1 {
-		return nil, err
+		return nil, fmt.Errorf("invalid request: no newline found")
 	}
-	startLine = strings.TrimRight(startLine, "\r\n")
-	header.startLine = []byte(startLine)
 
-	parts := strings.Split(startLine, " ")
+	startLine := bytes.TrimRight(headerData[:lineEnd], "\r\n")
+	header.startLine = make([]byte, len(startLine))
+	copy(header.startLine, startLine)
+
+	parts := bytes.Split(startLine, []byte{' '})
 	if len(parts) < 3 {
 		return nil, fmt.Errorf("invalid request line")
 	}
 
-	header.Method = parts[0]
+	header.method = string(parts[0])
-	header.Path = parts[1]
+	header.path = string(parts[1])
-	header.Version = parts[2]
+	header.version = string(parts[2])
 
-	for {
+	remaining := headerData[lineEnd+1:]
-		line, err := br.ReadString('\n')
+
-		if err != nil {
+	for len(remaining) > 0 {
-			return nil, err
+		lineEnd = bytes.IndexByte(remaining, '\n')
+		if lineEnd == -1 {
+			lineEnd = len(remaining)
 		}
-		line = strings.TrimRight(line, "\r\n")
 
-		if line == "" {
+		line := bytes.TrimRight(remaining[:lineEnd], "\r\n")
+
+		if len(line) == 0 {
 			break
 		}
 
-		kv := strings.SplitN(line, ":", 2)
+		colonIdx := bytes.IndexByte(line, ':')
-		if len(kv) != 2 {
+		if colonIdx != -1 {
-			continue
+			key := bytes.TrimSpace(line[:colonIdx])
+			value := bytes.TrimSpace(line[colonIdx+1:])
+			header.headers[string(key)] = string(value)
 		}
-		header.headers[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
+
+		if lineEnd == len(remaining) {
+			break
+		}
+		remaining = remaining[lineEnd+1:]
 	}
 
 	return header, nil
 }
 
-func NewResponseHeaderFactory(startLine []byte) *ResponseHeaderFactory {
+func parseHeadersFromReader(br *bufio.Reader) (RequestHeaderManager, error) {
-	header := &ResponseHeaderFactory{
+	header := &requestHeaderFactory{
+		headers: make(map[string]string, 16),
+	}
+
+	startLineBytes, err := br.ReadSlice('\n')
+	if err != nil {
+		if err == bufio.ErrBufferFull {
+			var startLine string
+			startLine, err = br.ReadString('\n')
+			if err != nil {
+				return nil, err
+			}
+			startLineBytes = []byte(startLine)
+		} else {
+			return nil, err
+		}
+	}
+
+	startLineBytes = bytes.TrimRight(startLineBytes, "\r\n")
+	header.startLine = make([]byte, len(startLineBytes))
+	copy(header.startLine, startLineBytes)
+
+	parts := bytes.Split(startLineBytes, []byte{' '})
+	if len(parts) < 3 {
+		return nil, fmt.Errorf("invalid request line")
+	}
+
+	header.method = string(parts[0])
+	header.path = string(parts[1])
+	header.version = string(parts[2])
+
+	for {
+		lineBytes, err := br.ReadSlice('\n')
+		if err != nil {
+			if err == bufio.ErrBufferFull {
+				var line string
+				line, err = br.ReadString('\n')
+				if err != nil {
+					return nil, err
+				}
+				lineBytes = []byte(line)
+			} else {
+				return nil, err
+			}
+		}
+
+		lineBytes = bytes.TrimRight(lineBytes, "\r\n")
+
+		if len(lineBytes) == 0 {
+			break
+		}
+
+		colonIdx := bytes.IndexByte(lineBytes, ':')
+		if colonIdx == -1 {
+			continue
+		}
+
+		key := bytes.TrimSpace(lineBytes[:colonIdx])
+		value := bytes.TrimSpace(lineBytes[colonIdx+1:])
+
+		header.headers[string(key)] = string(value)
+	}
+
+	return header, nil
+}
+
+func NewResponseHeaderFactory(startLine []byte) ResponseHeaderManager {
+	header := &responseHeaderFactory{
 		startLine: nil,
 		headers:   make(map[string]string),
 	}
@@ -96,19 +201,19 @@ func NewResponseHeaderFactory(startLine []byte) *ResponseHeaderFactory {
 	return header
 }
 
-func (resp *ResponseHeaderFactory) Get(key string) string {
+func (resp *responseHeaderFactory) Get(key string) string {
 	return resp.headers[key]
 }
 
-func (resp *ResponseHeaderFactory) Set(key string, value string) {
+func (resp *responseHeaderFactory) Set(key string, value string) {
 	resp.headers[key] = value
 }
 
-func (resp *ResponseHeaderFactory) Remove(key string) {
+func (resp *responseHeaderFactory) Remove(key string) {
 	delete(resp.headers, key)
 }
 
-func (resp *ResponseHeaderFactory) Finalize() []byte {
+func (resp *responseHeaderFactory) Finalize() []byte {
 	var buf bytes.Buffer
 
 	buf.Write(resp.startLine)
@@ -125,7 +230,7 @@ func (resp *ResponseHeaderFactory) Finalize() []byte {
 	return buf.Bytes()
 }
 
-func (req *RequestHeaderFactory) Get(key string) string {
+func (req *requestHeaderFactory) Get(key string) string {
 	val, ok := req.headers[key]
 	if !ok {
 		return ""
@@ -133,15 +238,27 @@ func (req *RequestHeaderFactory) Get(key string) string {
 	return val
 }
 
-func (req *RequestHeaderFactory) Set(key string, value string) {
+func (req *requestHeaderFactory) Set(key string, value string) {
 	req.headers[key] = value
 }
 
-func (req *RequestHeaderFactory) Remove(key string) {
+func (req *requestHeaderFactory) Remove(key string) {
 	delete(req.headers, key)
 }
 
-func (req *RequestHeaderFactory) Finalize() []byte {
+func (req *requestHeaderFactory) GetMethod() string {
+	return req.method
+}
+
+func (req *requestHeaderFactory) GetPath() string {
+	return req.path
+}
+
+func (req *requestHeaderFactory) GetVersion() string {
+	return req.version
+}
+
+func (req *requestHeaderFactory) Finalize() []byte {
 	var buf bytes.Buffer
 
 	buf.Write(req.startLine)

server/http.go

@@ -10,32 +10,63 @@ import (
 	"net"
 	"regexp"
 	"strings"
+	"time"
+	"tunnel_pls/internal/config"
 	"tunnel_pls/session"
-	"tunnel_pls/utils"
+	"tunnel_pls/types"
+
+	"golang.org/x/crypto/ssh"
 )
 
-type Interaction interface {
+type HTTPWriter interface {
-	SendMessage(message string)
+	io.Reader
+	io.Writer
+	GetRemoteAddr() net.Addr
+	GetWriter() io.Writer
+	AddResponseMiddleware(mw ResponseMiddleware)
+	AddRequestStartMiddleware(mw RequestMiddleware)
+	SetRequestHeader(header RequestHeaderManager)
+	GetRequestStartMiddleware() []RequestMiddleware
 }
-type CustomWriter struct {
+
-	RemoteAddr  net.Addr
+type customWriter struct {
+	remoteAddr net.Addr
 	writer     io.Writer
 	reader     io.Reader
 	headerBuf  []byte
 	buf        []byte
-	respHeader  *ResponseHeaderFactory
+	respHeader ResponseHeaderManager
-	reqHeader   *RequestHeaderFactory
+	reqHeader  RequestHeaderManager
-	interaction Interaction
 	respMW     []ResponseMiddleware
 	reqStartMW []RequestMiddleware
 	reqEndMW   []RequestMiddleware
 }
 
-func (cw *CustomWriter) SetInteraction(interaction Interaction) {
+func (cw *customWriter) GetRemoteAddr() net.Addr {
-	cw.interaction = interaction
+	return cw.remoteAddr
 }
 
-func (cw *CustomWriter) Read(p []byte) (int, error) {
+func (cw *customWriter) GetWriter() io.Writer {
+	return cw.writer
+}
+
+func (cw *customWriter) AddResponseMiddleware(mw ResponseMiddleware) {
+	cw.respMW = append(cw.respMW, mw)
+}
+
+func (cw *customWriter) AddRequestStartMiddleware(mw RequestMiddleware) {
+	cw.reqStartMW = append(cw.reqStartMW, mw)
+}
+
+func (cw *customWriter) SetRequestHeader(header RequestHeaderManager) {
+	cw.reqHeader = header
+}
+
+func (cw *customWriter) GetRequestStartMiddleware() []RequestMiddleware {
+	return cw.reqStartMW
+}
+
+func (cw *customWriter) Read(p []byte) (int, error) {
 	tmp := make([]byte, len(p))
 	read, err := cw.reader.Read(tmp)
 	if read == 0 && err != nil {
@@ -69,8 +100,7 @@ func (cw *CustomWriter) Read(p []byte) (int, error) {
 		}
 	}
 
-	headerReader := bufio.NewReader(bytes.NewReader(header))
+	reqhf, err := NewRequestHeaderFactory(header)
-	reqhf, err := NewRequestHeaderFactory(headerReader)
 	if err != nil {
 		return 0, err
 	}
@@ -92,13 +122,12 @@ func (cw *CustomWriter) Read(p []byte) (int, error) {
 	return n, nil
 }
 
-func NewCustomWriter(writer io.Writer, reader io.Reader, remoteAddr net.Addr) *CustomWriter {
+func NewCustomWriter(writer io.Writer, reader io.Reader, remoteAddr net.Addr) HTTPWriter {
-	return &CustomWriter{
+	return &customWriter{
-		RemoteAddr:  remoteAddr,
+		remoteAddr: remoteAddr,
 		writer:     writer,
 		reader:     reader,
 		buf:        make([]byte, 0, 4096),
-		interaction: nil,
 	}
 }
 
@@ -126,7 +155,7 @@ func isHTTPHeader(buf []byte) bool {
 	return true
 }
 
-func (cw *CustomWriter) Write(p []byte) (int, error) {
+func (cw *customWriter) Write(p []byte) (int, error) {
 	if cw.respHeader != nil && len(cw.buf) == 0 && len(p) >= 5 && string(p[0:5]) == "HTTP/" {
 		cw.respHeader = nil
 	}
@@ -183,18 +212,29 @@ func (cw *CustomWriter) Write(p []byte) (int, error) {
 	return len(p), nil
 }
 
-func (cw *CustomWriter) AddInteraction(interaction Interaction) {
-	cw.interaction = interaction
-}
-
 var redirectTLS = false
 
-func NewHTTPServer() error {
+type HTTPServer interface {
-	listener, err := net.Listen("tcp", ":80")
+	ListenAndServe() error
+	ListenAndServeTLS() error
+	handler(conn net.Conn)
+	handlerTLS(conn net.Conn)
+}
+type httpServer struct {
+	sessionRegistry session.Registry
+}
+
+func NewHTTPServer(sessionRegistry session.Registry) HTTPServer {
+	return &httpServer{sessionRegistry: sessionRegistry}
+}
+
+func (hs *httpServer) ListenAndServe() error {
+	httpPort := config.Getenv("HTTP_PORT", "8080")
+	listener, err := net.Listen("tcp", ":"+httpPort)
 	if err != nil {
 		return errors.New("Error listening: " + err.Error())
 	}
-	if utils.Getenv("tls_enabled") == "true" && utils.Getenv("tls_redirect") == "true" {
+	if config.Getenv("TLS_ENABLED", "false") == "true" && config.Getenv("TLS_REDIRECT", "false") == "true" {
 		redirectTLS = true
 	}
 	go func() {
@@ -209,13 +249,13 @@ func NewHTTPServer() error {
 				continue
 			}
 
-			go Handler(conn)
+			go hs.handler(conn)
 		}
 	}()
 	return nil
 }
 
-func Handler(conn net.Conn) {
+func (hs *httpServer) handler(conn net.Conn) {
 	defer func() {
 		err := conn.Close()
 		if err != nil && !errors.Is(err, net.ErrClosed) {
@@ -246,7 +286,7 @@ func Handler(conn net.Conn) {
 
 	if redirectTLS {
 		_, err = conn.Write([]byte("HTTP/1.1 301 Moved Permanently\r\n" +
-			fmt.Sprintf("Location: https://%s.%s/\r\n", slug, utils.Getenv("domain")) +
+			fmt.Sprintf("Location: https://%s.%s/\r\n", slug, config.Getenv("DOMAIN", "localhost")) +
 			"Content-Length: 0\r\n" +
 			"Connection: close\r\n" +
 			"\r\n"))
@@ -274,8 +314,11 @@ func Handler(conn net.Conn) {
 		return
 	}
 
-	sshSession, ok := session.Clients[slug]
+	sshSession, err := hs.sessionRegistry.Get(types.SessionKey{
-	if !ok {
+		Id:   slug,
+		Type: types.HTTP,
+	})
+	if err != nil {
 		_, err = conn.Write([]byte("HTTP/1.1 301 Moved Permanently\r\n" +
 			fmt.Sprintf("Location: https://tunnl.live/tunnel-not-found?slug=%s\r\n", slug) +
 			"Content-Length: 0\r\n" +
@@ -288,60 +331,65 @@ func Handler(conn net.Conn) {
 		return
 	}
 	cw := NewCustomWriter(conn, dstReader, conn.RemoteAddr())
-	cw.SetInteraction(sshSession.Interaction)
 	forwardRequest(cw, reqhf, sshSession)
 	return
 }
 
-func forwardRequest(cw *CustomWriter, initialRequest *RequestHeaderFactory, sshSession *session.SSHSession) {
+func forwardRequest(cw HTTPWriter, initialRequest RequestHeaderManager, sshSession *session.SSHSession) {
-	payload := sshSession.Forwarder.CreateForwardedTCPIPPayload(cw.RemoteAddr)
+	payload := sshSession.GetForwarder().CreateForwardedTCPIPPayload(cw.GetRemoteAddr())
-	channel, reqs, err := sshSession.Lifecycle.GetConnection().OpenChannel("forwarded-tcpip", payload)
+
-	if err != nil {
+	type channelResult struct {
-		log.Printf("Failed to open forwarded-tcpip channel: %v", err)
+		channel ssh.Channel
-		if closer, ok := cw.writer.(io.Closer); ok {
+		reqs    <-chan *ssh.Request
-			if closeErr := closer.Close(); closeErr != nil {
+		err     error
-				log.Printf("Failed to close connection: %v", closeErr)
-			}
-		}
-		return
 	}
+	resultChan := make(chan channelResult, 1)
 
 	go func() {
-		defer func() {
+		channel, reqs, err := sshSession.GetLifecycle().GetConnection().OpenChannel("forwarded-tcpip", payload)
-			if r := recover(); r != nil {
+		resultChan <- channelResult{channel, reqs, err}
-				log.Printf("Panic in request handler goroutine: %v", r)
-			}
 	}()
-		for req := range reqs {
+
-			if err := req.Reply(false, nil); err != nil {
+	var channel ssh.Channel
-				log.Printf("Failed to reply to request: %v", err)
+	var reqs <-chan *ssh.Request
+
+	select {
+	case result := <-resultChan:
+		if result.err != nil {
+			log.Printf("Failed to open forwarded-tcpip channel: %v", result.err)
+			sshSession.GetForwarder().WriteBadGatewayResponse(cw.GetWriter())
 			return
 		}
+		channel = result.channel
+		reqs = result.reqs
+	case <-time.After(5 * time.Second):
+		log.Printf("Timeout opening forwarded-tcpip channel")
+		sshSession.GetForwarder().WriteBadGatewayResponse(cw.GetWriter())
+		return
 	}
-	}()
+
+	go ssh.DiscardRequests(reqs)
 
 	fingerprintMiddleware := NewTunnelFingerprint()
-	forwardedForMiddleware := NewForwardedFor(cw.RemoteAddr)
+	forwardedForMiddleware := NewForwardedFor(cw.GetRemoteAddr())
 
-	cw.respMW = append(cw.respMW, fingerprintMiddleware)
+	cw.AddResponseMiddleware(fingerprintMiddleware)
-	cw.reqStartMW = append(cw.reqStartMW, forwardedForMiddleware)
+	cw.AddRequestStartMiddleware(forwardedForMiddleware)
-	cw.reqEndMW = nil
+	cw.SetRequestHeader(initialRequest)
-	cw.reqHeader = initialRequest
 
-	for _, m := range cw.reqStartMW {
+	for _, m := range cw.GetRequestStartMiddleware() {
-		err = m.HandleRequest(cw.reqHeader)
+		if err := m.HandleRequest(initialRequest); err != nil {
-		if err != nil {
 			log.Printf("Error handling request: %v", err)
 			return
 		}
 	}
 
-	_, err = channel.Write(initialRequest.Finalize())
+	_, err := channel.Write(initialRequest.Finalize())
 	if err != nil {
 		log.Printf("Failed to forward request: %v", err)
 		return
 	}
 
-	sshSession.Forwarder.HandleConnection(cw, channel, cw.RemoteAddr)
+	sshSession.GetForwarder().HandleConnection(cw, channel, cw.GetRemoteAddr())
 	return
 }

server/https.go

@@ -8,18 +8,20 @@ import (
 	"log"
 	"net"
 	"strings"
-	"tunnel_pls/session"
+	"tunnel_pls/internal/config"
-	"tunnel_pls/utils"
+	"tunnel_pls/types"
 )
 
-func NewHTTPSServer() error {
+func (hs *httpServer) ListenAndServeTLS() error {
-	cert, err := tls.LoadX509KeyPair(utils.Getenv("cert_loc"), utils.Getenv("key_loc"))
+	domain := config.Getenv("DOMAIN", "localhost")
+	httpsPort := config.Getenv("HTTPS_PORT", "8443")
+
+	tlsConfig, err := NewTLSConfig(domain)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to initialize TLS config: %w", err)
 	}
 
-	config := &tls.Config{Certificates: []tls.Certificate{cert}}
+	ln, err := tls.Listen("tcp", ":"+httpsPort, tlsConfig)
-	ln, err := tls.Listen("tcp", ":443", config)
 	if err != nil {
 		return err
 	}
@@ -36,13 +38,13 @@ func NewHTTPSServer() error {
 				continue
 			}
 
-			go HandlerTLS(conn)
+			go hs.handlerTLS(conn)
 		}
 	}()
 	return nil
 }
 
-func HandlerTLS(conn net.Conn) {
+func (hs *httpServer) handlerTLS(conn net.Conn) {
 	defer func() {
 		err := conn.Close()
 		if err != nil {
@@ -88,8 +90,11 @@ func HandlerTLS(conn net.Conn) {
 		return
 	}
 
-	sshSession, ok := session.Clients[slug]
+	sshSession, err := hs.sessionRegistry.Get(types.SessionKey{
-	if !ok {
+		Id:   slug,
+		Type: types.HTTP,
+	})
+	if err != nil {
 		_, err = conn.Write([]byte("HTTP/1.1 301 Moved Permanently\r\n" +
 			fmt.Sprintf("Location: https://tunnl.live/tunnel-not-found?slug=%s\r\n", slug) +
 			"Content-Length: 0\r\n" +
@@ -102,7 +107,6 @@ func HandlerTLS(conn net.Conn) {
 		return
 	}
 	cw := NewCustomWriter(conn, dstReader, conn.RemoteAddr())
-	cw.SetInteraction(sshSession.Interaction)
 	forwardRequest(cw, reqhf, sshSession)
 	return
 }

server/middleware.go

@@ -5,11 +5,11 @@ import (
 )
 
 type RequestMiddleware interface {
-	HandleRequest(header *RequestHeaderFactory) error
+	HandleRequest(header RequestHeaderManager) error
 }
 
 type ResponseMiddleware interface {
-	HandleResponse(header *ResponseHeaderFactory, body []byte) error
+	HandleResponse(header ResponseHeaderManager, body []byte) error
 }
 
 type TunnelFingerprint struct{}
@@ -18,16 +18,11 @@ func NewTunnelFingerprint() *TunnelFingerprint {
 	return &TunnelFingerprint{}
 }
 
-func (h *TunnelFingerprint) HandleResponse(header *ResponseHeaderFactory, body []byte) error {
+func (h *TunnelFingerprint) HandleResponse(header ResponseHeaderManager, body []byte) error {
 	header.Set("Server", "Tunnel Please")
 	return nil
 }
 
-type RequestLogger struct {
-	interaction Interaction
-	remoteAddr  net.Addr
-}
-
 type ForwardedFor struct {
 	addr net.Addr
 }
@@ -36,7 +31,7 @@ func NewForwardedFor(addr net.Addr) *ForwardedFor {
 	return &ForwardedFor{addr: addr}
 }
 
-func (ff *ForwardedFor) HandleRequest(header *RequestHeaderFactory) error {
+func (ff *ForwardedFor) HandleRequest(header RequestHeaderManager) error {
 	host, _, err := net.SplitHostPort(ff.addr.String())
 	if err != nil {
 		return err

server/server.go

@@ -1,52 +1,58 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"net"
-	"net/http"
+	"tunnel_pls/internal/config"
-	"tunnel_pls/utils"
+	"tunnel_pls/internal/grpc/client"
+	"tunnel_pls/session"
 
 	"golang.org/x/crypto/ssh"
 )
 
 type Server struct {
-	Conn       *net.Listener
+	conn            *net.Listener
-	Config     *ssh.ServerConfig
+	config          *ssh.ServerConfig
-	HttpServer *http.Server
+	sessionRegistry session.Registry
+	grpcClient      *client.Client
 }
 
-func NewServer(config *ssh.ServerConfig) *Server {
+func NewServer(sshConfig *ssh.ServerConfig, sessionRegistry session.Registry, grpcClient *client.Client) (*Server, error) {
-	listener, err := net.Listen("tcp", fmt.Sprintf(":%s", utils.Getenv("port")))
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%s", config.Getenv("PORT", "2200")))
 	if err != nil {
 		log.Fatalf("failed to listen on port 2200: %v", err)
-		return nil
+		return nil, err
 	}
-	if utils.Getenv("tls_enabled") == "true" {
+
-		go func() {
+	HttpServer := NewHTTPServer(sessionRegistry)
-			err = NewHTTPSServer()
+	err = HttpServer.ListenAndServe()
-			if err != nil {
-				log.Fatalf("failed to start https server: %v", err)
-			}
-			return
-		}()
-	}
-	go func() {
-		err = NewHTTPServer()
 	if err != nil {
 		log.Fatalf("failed to start http server: %v", err)
+		return nil, err
 	}
-	}()
+
+	if config.Getenv("TLS_ENABLED", "false") == "true" {
+		err = HttpServer.ListenAndServeTLS()
+		if err != nil {
+			log.Fatalf("failed to start https server: %v", err)
+			return nil, err
+		}
+	}
+
 	return &Server{
-		Conn:   &listener,
+		conn:            &listener,
-		Config: config,
+		config:          sshConfig,
-	}
+		sessionRegistry: sessionRegistry,
+		grpcClient:      grpcClient,
+	}, nil
 }
 
 func (s *Server) Start() {
 	log.Println("SSH server is starting on port 2200...")
 	for {
-		conn, err := (*s.Conn).Accept()
+		conn, err := (*s.conn).Accept()
 		if err != nil {
 			log.Printf("failed to accept connection: %v", err)
 			continue
@@ -55,3 +61,38 @@ func (s *Server) Start() {
 		go s.handleConnection(conn)
 	}
 }
+
+func (s *Server) handleConnection(conn net.Conn) {
+	sshConn, chans, forwardingReqs, err := ssh.NewServerConn(conn, s.config)
+	defer func(sshConn *ssh.ServerConn) {
+		err = sshConn.Close()
+		if err != nil {
+			log.Printf("failed to close SSH server: %v", err)
+		}
+	}(sshConn)
+
+	if err != nil {
+		log.Printf("failed to establish SSH connection: %v", err)
+		err := conn.Close()
+		if err != nil {
+			log.Printf("failed to close SSH connection: %v", err)
+			return
+		}
+		return
+	}
+	ctx := context.Background()
+	log.Println("SSH connection established:", sshConn.User())
+
+	user := "UNAUTHORIZED"
+	if s.grpcClient != nil {
+		_, u, _ := s.grpcClient.AuthorizeConn(ctx, sshConn.User())
+		user = u
+	}
+	sshSession := session.New(sshConn, forwardingReqs, chans, s.sessionRegistry, user)
+	err = sshSession.Start()
+	if err != nil {
+		log.Printf("SSH session ended with error: %v", err)
+		return
+	}
+	return
+}

server/tls.go

@@ -0,0 +1,336 @@
+package server
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"os"
+	"sync"
+	"time"
+	"tunnel_pls/internal/config"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/cloudflare"
+)
+
+type TLSManager interface {
+	userCertsExistAndValid() bool
+	loadUserCerts() error
+	startCertWatcher()
+	initCertMagic() error
+	getTLSConfig() *tls.Config
+	getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+}
+
+type tlsManager struct {
+	domain      string
+	certPath    string
+	keyPath     string
+	storagePath string
+
+	userCert   *tls.Certificate
+	userCertMu sync.RWMutex
+
+	magic *certmagic.Config
+
+	useCertMagic bool
+}
+
+var globalTLSManager TLSManager
+var tlsManagerOnce sync.Once
+
+func NewTLSConfig(domain string) (*tls.Config, error) {
+	var initErr error
+
+	tlsManagerOnce.Do(func() {
+		certPath := "certs/tls/cert.pem"
+		keyPath := "certs/tls/privkey.pem"
+		storagePath := "certs/tls/certmagic"
+
+		tm := &tlsManager{
+			domain:      domain,
+			certPath:    certPath,
+			keyPath:     keyPath,
+			storagePath: storagePath,
+		}
+
+		if tm.userCertsExistAndValid() {
+			log.Printf("Using user-provided certificates from %s and %s", certPath, keyPath)
+			if err := tm.loadUserCerts(); err != nil {
+				initErr = fmt.Errorf("failed to load user certificates: %w", err)
+				return
+			}
+			tm.useCertMagic = false
+			tm.startCertWatcher()
+		} else {
+			if !isACMEConfigComplete() {
+				log.Printf("User certificates missing or invalid, and ACME configuration is incomplete")
+				log.Printf("To enable automatic certificate generation, set CF_API_TOKEN environment variable")
+				initErr = fmt.Errorf("no valid certificates found and ACME configuration is incomplete (CF_API_TOKEN is required)")
+				return
+			}
+
+			log.Printf("User certificates missing or don't cover %s and *.%s, using CertMagic", domain, domain)
+			if err := tm.initCertMagic(); err != nil {
+				initErr = fmt.Errorf("failed to initialize CertMagic: %w", err)
+				return
+			}
+			tm.useCertMagic = true
+		}
+
+		globalTLSManager = tm
+	})
+
+	if initErr != nil {
+		return nil, initErr
+	}
+
+	return globalTLSManager.getTLSConfig(), nil
+}
+
+func isACMEConfigComplete() bool {
+	cfAPIToken := config.Getenv("CF_API_TOKEN", "")
+	return cfAPIToken != ""
+}
+
+func (tm *tlsManager) userCertsExistAndValid() bool {
+	if _, err := os.Stat(tm.certPath); os.IsNotExist(err) {
+		log.Printf("Certificate file not found: %s", tm.certPath)
+		return false
+	}
+	if _, err := os.Stat(tm.keyPath); os.IsNotExist(err) {
+		log.Printf("Key file not found: %s", tm.keyPath)
+		return false
+	}
+
+	return ValidateCertDomains(tm.certPath, tm.domain)
+}
+
+func ValidateCertDomains(certPath, domain string) bool {
+	certPEM, err := os.ReadFile(certPath)
+	if err != nil {
+		log.Printf("Failed to read certificate: %v", err)
+		return false
+	}
+
+	block, _ := pem.Decode(certPEM)
+	if block == nil {
+		log.Printf("Failed to decode PEM block from certificate")
+		return false
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		log.Printf("Failed to parse certificate: %v", err)
+		return false
+	}
+
+	if time.Now().After(cert.NotAfter) {
+		log.Printf("Certificate has expired (NotAfter: %v)", cert.NotAfter)
+		return false
+	}
+
+	if time.Now().Add(30 * 24 * time.Hour).After(cert.NotAfter) {
+		log.Printf("Certificate expiring soon (NotAfter: %v), will use CertMagic for renewal", cert.NotAfter)
+		return false
+	}
+
+	var certDomains []string
+	if cert.Subject.CommonName != "" {
+		certDomains = append(certDomains, cert.Subject.CommonName)
+	}
+	certDomains = append(certDomains, cert.DNSNames...)
+
+	hasBase := false
+	hasWildcard := false
+	wildcardDomain := "*." + domain
+
+	for _, d := range certDomains {
+		if d == domain {
+			hasBase = true
+		}
+		if d == wildcardDomain {
+			hasWildcard = true
+		}
+	}
+
+	if !hasBase {
+		log.Printf("Certificate does not cover base domain: %s", domain)
+	}
+	if !hasWildcard {
+		log.Printf("Certificate does not cover wildcard domain: %s", wildcardDomain)
+	}
+
+	return hasBase && hasWildcard
+}
+
+func (tm *tlsManager) loadUserCerts() error {
+	cert, err := tls.LoadX509KeyPair(tm.certPath, tm.keyPath)
+	if err != nil {
+		return err
+	}
+
+	tm.userCertMu.Lock()
+	tm.userCert = &cert
+	tm.userCertMu.Unlock()
+
+	log.Printf("Loaded user certificates successfully")
+	return nil
+}
+
+func (tm *tlsManager) startCertWatcher() {
+	go func() {
+		var lastCertMod, lastKeyMod time.Time
+
+		if info, err := os.Stat(tm.certPath); err == nil {
+			lastCertMod = info.ModTime()
+		}
+		if info, err := os.Stat(tm.keyPath); err == nil {
+			lastKeyMod = info.ModTime()
+		}
+
+		ticker := time.NewTicker(30 * time.Second)
+		defer ticker.Stop()
+
+		for range ticker.C {
+			certInfo, certErr := os.Stat(tm.certPath)
+			keyInfo, keyErr := os.Stat(tm.keyPath)
+
+			if certErr != nil || keyErr != nil {
+				continue
+			}
+
+			if certInfo.ModTime().After(lastCertMod) || keyInfo.ModTime().After(lastKeyMod) {
+				log.Printf("Certificate files changed, reloading...")
+
+				if !ValidateCertDomains(tm.certPath, tm.domain) {
+					log.Printf("New certificates don't cover required domains")
+
+					if !isACMEConfigComplete() {
+						log.Printf("Cannot switch to CertMagic: ACME configuration is incomplete (CF_API_TOKEN is required)")
+						continue
+					}
+
+					log.Printf("Switching to CertMagic for automatic certificate management")
+					if err := tm.initCertMagic(); err != nil {
+						log.Printf("Failed to initialize CertMagic: %v", err)
+						continue
+					}
+					tm.useCertMagic = true
+					return
+				}
+
+				if err := tm.loadUserCerts(); err != nil {
+					log.Printf("Failed to reload certificates: %v", err)
+					continue
+				}
+
+				lastCertMod = certInfo.ModTime()
+				lastKeyMod = keyInfo.ModTime()
+				log.Printf("Certificates reloaded successfully")
+			}
+		}
+	}()
+}
+
+func (tm *tlsManager) initCertMagic() error {
+	if err := os.MkdirAll(tm.storagePath, 0700); err != nil {
+		return fmt.Errorf("failed to create cert storage directory: %w", err)
+	}
+
+	acmeEmail := config.Getenv("ACME_EMAIL", "admin@"+tm.domain)
+	cfAPIToken := config.Getenv("CF_API_TOKEN", "")
+	acmeStaging := config.Getenv("ACME_STAGING", "false") == "true"
+
+	if cfAPIToken == "" {
+		return fmt.Errorf("CF_API_TOKEN environment variable is required for automatic certificate generation")
+	}
+
+	cfProvider := &cloudflare.Provider{
+		APIToken: cfAPIToken,
+	}
+
+	storage := &certmagic.FileStorage{Path: tm.storagePath}
+
+	cache := certmagic.NewCache(certmagic.CacheOptions{
+		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
+			return tm.magic, nil
+		},
+	})
+
+	magic := certmagic.New(cache, certmagic.Config{
+		Storage: storage,
+	})
+
+	acmeIssuer := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
+		Email:  acmeEmail,
+		Agreed: true,
+		DNS01Solver: &certmagic.DNS01Solver{
+			DNSManager: certmagic.DNSManager{
+				DNSProvider: cfProvider,
+			},
+		},
+	})
+
+	if acmeStaging {
+		acmeIssuer.CA = certmagic.LetsEncryptStagingCA
+		log.Printf("Using Let's Encrypt staging server")
+	} else {
+		acmeIssuer.CA = certmagic.LetsEncryptProductionCA
+		log.Printf("Using Let's Encrypt production server")
+	}
+
+	magic.Issuers = []certmagic.Issuer{acmeIssuer}
+	tm.magic = magic
+
+	domains := []string{tm.domain, "*." + tm.domain}
+	log.Printf("Requesting certificates for: %v", domains)
+
+	ctx := context.Background()
+	if err := magic.ManageSync(ctx, domains); err != nil {
+		return fmt.Errorf("failed to obtain certificates: %w", err)
+	}
+
+	log.Printf("Certificates obtained successfully for %v", domains)
+	return nil
+}
+
+func (tm *tlsManager) getTLSConfig() *tls.Config {
+	return &tls.Config{
+		GetCertificate: tm.getCertificate,
+		MinVersion:     tls.VersionTLS13,
+		MaxVersion:     tls.VersionTLS13,
+
+		SessionTicketsDisabled: false,
+
+		CipherSuites: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+		},
+
+		CurvePreferences: []tls.CurveID{
+			tls.X25519,
+		},
+
+		ClientAuth: tls.NoClientCert,
+		NextProtos: nil,
+	}
+}
+
+func (tm *tlsManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if tm.useCertMagic {
+		return tm.magic.GetCertificate(hello)
+	}
+
+	tm.userCertMu.RLock()
+	defer tm.userCertMu.RUnlock()
+
+	if tm.userCert == nil {
+		return nil, fmt.Errorf("no certificate available")
+	}
+
+	return tm.userCert, nil
+}

session/forwarder/forwarder.go

@@ -8,18 +8,44 @@ import (
 	"log"
 	"net"
 	"strconv"
+	"sync"
+	"time"
+	"tunnel_pls/internal/config"
 	"tunnel_pls/session/slug"
 	"tunnel_pls/types"
 
 	"golang.org/x/crypto/ssh"
 )
 
+var bufferPool = sync.Pool{
+	New: func() interface{} {
+		bufSize := config.GetBufferSize()
+		return make([]byte, bufSize)
+	},
+}
+
+func copyWithBuffer(dst io.Writer, src io.Reader) (written int64, err error) {
+	buf := bufferPool.Get().([]byte)
+	defer bufferPool.Put(buf)
+	return io.CopyBuffer(dst, src, buf)
+}
+
 type Forwarder struct {
-	Listener      net.Listener
+	listener      net.Listener
-	TunnelType    types.TunnelType
+	tunnelType    types.TunnelType
-	ForwardedPort uint16
+	forwardedPort uint16
-	SlugManager   slug.Manager
+	slugManager   slug.Manager
-	Lifecycle     Lifecycle
+	lifecycle     Lifecycle
+}
+
+func NewForwarder(slugManager slug.Manager) *Forwarder {
+	return &Forwarder{
+		listener:      nil,
+		tunnelType:    "",
+		forwardedPort: 0,
+		slugManager:   slugManager,
+		lifecycle:     nil,
+	}
 }
 
 type Lifecycle interface {
@@ -42,7 +68,7 @@ type ForwardingController interface {
 }
 
 func (f *Forwarder) SetLifecycle(lifecycle Lifecycle) {
-	f.Lifecycle = lifecycle
+	f.lifecycle = lifecycle
 }
 
 func (f *Forwarder) AcceptTCPConnections() {
@@ -55,26 +81,52 @@ func (f *Forwarder) AcceptTCPConnections() {
 			log.Printf("Error accepting connection: %v", err)
 			continue
 		}
-		payload := f.CreateForwardedTCPIPPayload(conn.RemoteAddr())
+
-		channel, reqs, err := f.Lifecycle.GetConnection().OpenChannel("forwarded-tcpip", payload)
+		if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
-		if err != nil {
+			log.Printf("Failed to set connection deadline: %v", err)
-			log.Printf("Failed to open forwarded-tcpip channel: %v", err)
 			if closeErr := conn.Close(); closeErr != nil {
 				log.Printf("Failed to close connection: %v", closeErr)
 			}
 			continue
 		}
 
+		payload := f.CreateForwardedTCPIPPayload(conn.RemoteAddr())
+
+		type channelResult struct {
+			channel ssh.Channel
+			reqs    <-chan *ssh.Request
+			err     error
+		}
+		resultChan := make(chan channelResult, 1)
+
 		go func() {
-			for req := range reqs {
+			channel, reqs, err := f.lifecycle.GetConnection().OpenChannel("forwarded-tcpip", payload)
-				err := req.Reply(false, nil)
+			resultChan <- channelResult{channel, reqs, err}
-				if err != nil {
-					log.Printf("Failed to reply to request: %v", err)
-					return
-				}
-			}
 		}()
-		go f.HandleConnection(conn, channel, conn.RemoteAddr())
+
+		select {
+		case result := <-resultChan:
+			if result.err != nil {
+				log.Printf("Failed to open forwarded-tcpip channel: %v", result.err)
+				if closeErr := conn.Close(); closeErr != nil {
+					log.Printf("Failed to close connection: %v", closeErr)
+				}
+				continue
+			}
+
+			if err := conn.SetDeadline(time.Time{}); err != nil {
+				log.Printf("Failed to clear connection deadline: %v", err)
+			}
+
+			go ssh.DiscardRequests(result.reqs)
+			go f.HandleConnection(conn, result.channel, conn.RemoteAddr())
+
+		case <-time.After(5 * time.Second):
+			log.Printf("Timeout opening forwarded-tcpip channel")
+			if closeErr := conn.Close(); closeErr != nil {
+				log.Printf("Failed to close connection: %v", closeErr)
+			}
+		}
 	}
 }
 
@@ -100,49 +152,50 @@ func (f *Forwarder) HandleConnection(dst io.ReadWriter, src ssh.Channel, remoteA
 
 	log.Printf("Handling new forwarded connection from %s", remoteAddr)
 
-	done := make(chan struct{}, 2)
+	var wg sync.WaitGroup
+	wg.Add(2)
 
 	go func() {
-		_, err := io.Copy(src, dst)
+		defer wg.Done()
+		_, err := copyWithBuffer(dst, src)
 		if err != nil && !errors.Is(err, io.EOF) && !errors.Is(err, net.ErrClosed) {
-			log.Printf("Error copying from conn.Reader to channel: %v", err)
+			log.Printf("Error copying src→dst: %v", err)
 		}
-		done <- struct{}{}
 	}()
 
 	go func() {
-		_, err := io.Copy(dst, src)
+		defer wg.Done()
+		_, err := copyWithBuffer(src, dst)
 		if err != nil && !errors.Is(err, io.EOF) && !errors.Is(err, net.ErrClosed) {
-			log.Printf("Error copying from channel to conn.Writer: %v", err)
+			log.Printf("Error copying dst→src: %v", err)
 		}
-		done <- struct{}{}
 	}()
 
-	<-done
+	wg.Wait()
 }
 
 func (f *Forwarder) SetType(tunnelType types.TunnelType) {
-	f.TunnelType = tunnelType
+	f.tunnelType = tunnelType
 }
 
 func (f *Forwarder) GetTunnelType() types.TunnelType {
-	return f.TunnelType
+	return f.tunnelType
 }
 
 func (f *Forwarder) GetForwardedPort() uint16 {
-	return f.ForwardedPort
+	return f.forwardedPort
 }
 
 func (f *Forwarder) SetForwardedPort(port uint16) {
-	f.ForwardedPort = port
+	f.forwardedPort = port
 }
 
 func (f *Forwarder) SetListener(listener net.Listener) {
-	f.Listener = listener
+	f.listener = listener
 }
 
 func (f *Forwarder) GetListener() net.Listener {
-	return f.Listener
+	return f.listener
 }
 
 func (f *Forwarder) WriteBadGatewayResponse(dst io.Writer) {
@@ -155,7 +208,7 @@ func (f *Forwarder) WriteBadGatewayResponse(dst io.Writer) {
 
 func (f *Forwarder) Close() error {
 	if f.GetListener() != nil {
-		return f.Listener.Close()
+		return f.listener.Close()
 	}
 	return nil
 }

session/handler.go

@@ -7,10 +7,9 @@ import (
 	"log"
 	"net"
 	portUtil "tunnel_pls/internal/port"
+	"tunnel_pls/internal/random"
 	"tunnel_pls/types"
 
-	"tunnel_pls/utils"
-
 	"golang.org/x/crypto/ssh"
 )
 
@@ -19,10 +18,28 @@ var blockedReservedPorts = []uint16{1080, 1433, 1521, 1900, 2049, 3306, 3389, 54
 func (s *SSHSession) HandleGlobalRequest(GlobalRequest <-chan *ssh.Request) {
 	for req := range GlobalRequest {
 		switch req.Type {
-		case "tcpip-forward":
+		case "shell", "pty-req":
-			s.HandleTCPIPForward(req)
+			err := req.Reply(true, nil)
+			if err != nil {
+				log.Println("Failed to reply to request:", err)
 				return
-		case "shell", "pty-req", "window-change":
+			}
+		case "window-change":
+			p := req.Payload
+			if len(p) < 16 {
+				log.Println("invalid window-change payload")
+				err := req.Reply(false, nil)
+				if err != nil {
+					log.Println("Failed to reply to request:", err)
+					return
+				}
+				return
+			}
+			cols := binary.BigEndian.Uint32(p[0:4])
+			rows := binary.BigEndian.Uint32(p[4:8])
+
+			s.interaction.SetWH(int(cols), int(rows))
+
 			err := req.Reply(true, nil)
 			if err != nil {
 				log.Println("Failed to reply to request:", err)
@@ -52,7 +69,7 @@ func (s *SSHSession) HandleTCPIPForward(req *ssh.Request) {
 			log.Println("Failed to reply to request:", err)
 			return
 		}
-		err = s.Lifecycle.Close()
+		err = s.lifecycle.Close()
 		if err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
@@ -62,13 +79,12 @@ func (s *SSHSession) HandleTCPIPForward(req *ssh.Request) {
 	var rawPortToBind uint32
 	if err := binary.Read(reader, binary.BigEndian, &rawPortToBind); err != nil {
 		log.Println("Failed to read port from payload:", err)
-		s.Interaction.SendMessage(fmt.Sprintf("Port %d is already in use or restricted. Please choose a different port. (02) \r\n", rawPortToBind))
 		err := req.Reply(false, nil)
 		if err != nil {
 			log.Println("Failed to reply to request:", err)
 			return
 		}
-		err = s.Lifecycle.Close()
+		err = s.lifecycle.Close()
 		if err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
@@ -76,13 +92,13 @@ func (s *SSHSession) HandleTCPIPForward(req *ssh.Request) {
 	}
 
 	if rawPortToBind > 65535 {
-		s.Interaction.SendMessage(fmt.Sprintf("Port %d is larger then allowed port of 65535. (02)\r\n", rawPortToBind))
+		log.Printf("Port %d is larger than allowed port of 65535", rawPortToBind)
 		err := req.Reply(false, nil)
 		if err != nil {
 			log.Println("Failed to reply to request:", err)
 			return
 		}
-		err = s.Lifecycle.Close()
+		err = s.lifecycle.Close()
 		if err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
@@ -90,15 +106,14 @@ func (s *SSHSession) HandleTCPIPForward(req *ssh.Request) {
 	}
 
 	portToBind := uint16(rawPortToBind)
-
 	if isBlockedPort(portToBind) {
-		s.Interaction.SendMessage(fmt.Sprintf("Port %d is already in use or restricted. Please choose a different port. (02)\r\n", portToBind))
+		log.Printf("Port %d is blocked or restricted", portToBind)
 		err := req.Reply(false, nil)
 		if err != nil {
 			log.Println("Failed to reply to request:", err)
 			return
 		}
-		err = s.Lifecycle.Close()
+		err = s.lifecycle.Close()
 		if err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
@@ -108,56 +123,50 @@ func (s *SSHSession) HandleTCPIPForward(req *ssh.Request) {
 	if portToBind == 80 || portToBind == 443 {
 		s.HandleHTTPForward(req, portToBind)
 		return
-	} else {
+	}
 	if portToBind == 0 {
-			unassign, success := portUtil.Manager.GetUnassignedPort()
+		unassign, success := portUtil.Default.GetUnassignedPort()
 		portToBind = unassign
 		if !success {
-				s.Interaction.SendMessage("No available port\r\n")
+			log.Println("No available port")
 			err := req.Reply(false, nil)
 			if err != nil {
 				log.Println("Failed to reply to request:", err)
 				return
 			}
-				err = s.Lifecycle.Close()
+			err = s.lifecycle.Close()
 			if err != nil {
 				log.Printf("failed to close session: %v", err)
 			}
 			return
 		}
-		} else if isUse, isExist := portUtil.Manager.GetPortStatus(portToBind); isExist && isUse {
+	} else if isUse, isExist := portUtil.Default.GetPortStatus(portToBind); isExist && isUse {
-			s.Interaction.SendMessage(fmt.Sprintf("Port %d is already in use or restricted. Please choose a different port. (03)\r\n", portToBind))
+		log.Printf("Port %d is already in use or restricted", portToBind)
 		err := req.Reply(false, nil)
 		if err != nil {
 			log.Println("Failed to reply to request:", err)
 			return
 		}
-			err = s.Lifecycle.Close()
+		err = s.lifecycle.Close()
 		if err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
 		return
 	}
-		err := portUtil.Manager.SetPortStatus(portToBind, true)
+	err = portUtil.Default.SetPortStatus(portToBind, true)
 	if err != nil {
 		log.Println("Failed to set port status:", err)
 		return
 	}
-	}
+
 	s.HandleTCPForward(req, addr, portToBind)
 }
 
 func (s *SSHSession) HandleHTTPForward(req *ssh.Request, portToBind uint16) {
-	slug := generateUniqueSlug()
+	slug := random.GenerateRandomString(20)
-	if slug == "" {
+	key := types.SessionKey{Id: slug, Type: types.HTTP}
-		err := req.Reply(false, nil)
-		if err != nil {
-			log.Println("Failed to reply to request:", err)
-		}
-		return
-	}
 
-	if !registerClient(slug, s) {
+	if !s.registry.Register(key, s) {
 		log.Printf("Failed to register client with slug: %s", slug)
 		err := req.Reply(false, nil)
 		if err != nil {
@@ -170,7 +179,7 @@ func (s *SSHSession) HandleHTTPForward(req *ssh.Request, portToBind uint16) {
 	err := binary.Write(buf, binary.BigEndian, uint32(portToBind))
 	if err != nil {
 		log.Println("Failed to write port to buffer:", err)
-		unregisterClient(slug)
+		s.registry.Remove(key)
 		err = req.Reply(false, nil)
 		if err != nil {
 			log.Println("Failed to reply to request:", err)
@@ -179,16 +188,10 @@ func (s *SSHSession) HandleHTTPForward(req *ssh.Request, portToBind uint16) {
 	}
 	log.Printf("HTTP forwarding approved on port: %d", portToBind)
 
-	domain := utils.Getenv("domain")
-	protocol := "http"
-	if utils.Getenv("tls_enabled") == "true" {
-		protocol = "https"
-	}
-
 	err = req.Reply(true, buf.Bytes())
 	if err != nil {
 		log.Println("Failed to reply to request:", err)
-		unregisterClient(slug)
+		s.registry.Remove(key)
 		err = req.Reply(false, nil)
 		if err != nil {
 			log.Println("Failed to reply to request:", err)
@@ -196,22 +199,19 @@ func (s *SSHSession) HandleHTTPForward(req *ssh.Request, portToBind uint16) {
 		return
 	}
 
-	s.Forwarder.SetType(types.HTTP)
+	s.forwarder.SetType(types.HTTP)
-	s.Forwarder.SetForwardedPort(portToBind)
+	s.forwarder.SetForwardedPort(portToBind)
-	s.SlugManager.Set(slug)
+	s.slugManager.Set(slug)
-	s.Interaction.SendMessage("\033[H\033[2J")
+	s.lifecycle.SetStatus(types.RUNNING)
-	s.Interaction.ShowWelcomeMessage()
+	s.interaction.Start()
-	s.Interaction.SendMessage(fmt.Sprintf("Forwarding your traffic to %s://%s.%s\r\n", protocol, slug, domain))
-	s.Lifecycle.SetStatus(types.RUNNING)
-	s.Interaction.HandleUserInput()
 }
 
 func (s *SSHSession) HandleTCPForward(req *ssh.Request, addr string, portToBind uint16) {
 	log.Printf("Requested forwarding on %s:%d", addr, portToBind)
 	listener, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", portToBind))
 	if err != nil {
-		s.Interaction.SendMessage(fmt.Sprintf("Port %d is already in use or restricted. Please choose a different port.\r\n", portToBind))
+		log.Printf("Port %d is already in use or restricted", portToBind)
-		if setErr := portUtil.Manager.SetPortStatus(portToBind, false); setErr != nil {
+		if setErr := portUtil.Default.SetPortStatus(portToBind, false); setErr != nil {
 			log.Printf("Failed to reset port status: %v", setErr)
 		}
 		err = req.Reply(false, nil)
@@ -219,18 +219,37 @@ func (s *SSHSession) HandleTCPForward(req *ssh.Request, addr string, portToBind
 			log.Println("Failed to reply to request:", err)
 			return
 		}
-		err = s.Lifecycle.Close()
+		err = s.lifecycle.Close()
 		if err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
 		return
 	}
 
+	key := types.SessionKey{Id: fmt.Sprintf("%d", portToBind), Type: types.TCP}
+
+	if !s.registry.Register(key, s) {
+		log.Printf("Failed to register TCP client with id: %s", key.Id)
+		if setErr := portUtil.Default.SetPortStatus(portToBind, false); setErr != nil {
+			log.Printf("Failed to reset port status: %v", setErr)
+		}
+		if closeErr := listener.Close(); closeErr != nil {
+			log.Printf("Failed to close listener: %s", closeErr)
+		}
+		err = req.Reply(false, nil)
+		if err != nil {
+			log.Println("Failed to reply to request:", err)
+		}
+		_ = s.lifecycle.Close()
+		return
+	}
+
 	buf := new(bytes.Buffer)
 	err = binary.Write(buf, binary.BigEndian, uint32(portToBind))
 	if err != nil {
 		log.Println("Failed to write port to buffer:", err)
-		if setErr := portUtil.Manager.SetPortStatus(portToBind, false); setErr != nil {
+		s.registry.Remove(key)
+		if setErr := portUtil.Default.SetPortStatus(portToBind, false); setErr != nil {
 			log.Printf("Failed to reset port status: %v", setErr)
 		}
 		err = listener.Close()
@@ -245,7 +264,8 @@ func (s *SSHSession) HandleTCPForward(req *ssh.Request, addr string, portToBind
 	err = req.Reply(true, buf.Bytes())
 	if err != nil {
 		log.Println("Failed to reply to request:", err)
-		if setErr := portUtil.Manager.SetPortStatus(portToBind, false); setErr != nil {
+		s.registry.Remove(key)
+		if setErr := portUtil.Default.SetPortStatus(portToBind, false); setErr != nil {
 			log.Printf("Failed to reset port status: %v", setErr)
 		}
 		err = listener.Close()
@@ -256,34 +276,13 @@ func (s *SSHSession) HandleTCPForward(req *ssh.Request, addr string, portToBind
 		return
 	}
 
-	s.Forwarder.SetType(types.TCP)
+	s.forwarder.SetType(types.TCP)
-	s.Forwarder.SetListener(listener)
+	s.forwarder.SetListener(listener)
-	s.Forwarder.SetForwardedPort(portToBind)
+	s.forwarder.SetForwardedPort(portToBind)
-	s.Interaction.SendMessage("\033[H\033[2J")
+	s.slugManager.Set(key.Id)
-	s.Interaction.ShowWelcomeMessage()
+	s.lifecycle.SetStatus(types.RUNNING)
-	s.Interaction.SendMessage(fmt.Sprintf("Forwarding your traffic to tcp://%s:%d \r\n", utils.Getenv("domain"), s.Forwarder.GetForwardedPort()))
+	go s.forwarder.AcceptTCPConnections()
-	s.Lifecycle.SetStatus(types.RUNNING)
+	s.interaction.Start()
-	go s.Forwarder.AcceptTCPConnections()
-	s.Interaction.HandleUserInput()
-}
-
-func generateUniqueSlug() string {
-	maxAttempts := 5
-
-	for i := 0; i < maxAttempts; i++ {
-		slug := utils.GenerateRandomString(20)
-
-		clientsMutex.RLock()
-		_, exists := Clients[slug]
-		clientsMutex.RUnlock()
-
-		if !exists {
-			return slug
-		}
-	}
-
-	log.Println("Failed to generate unique slug after multiple attempts")
-	return ""
 }
 
 func readSSHString(reader *bytes.Reader) (string, error) {

session/interaction/constants.go

@@ -1,27 +0,0 @@
-package interaction
-
-const (
-	backspaceChar    = 8
-	deleteChar       = 127
-	enterChar        = 13
-	escapeChar       = 27
-	ctrlC            = 3
-	forwardSlash     = '/'
-	minPrintableChar = 32
-	maxPrintableChar = 126
-
-	minSlugLength = 3
-	maxSlugLength = 20
-
-	clearScreen    = "\033[H\033[2J"
-	clearLine      = "\033[K"
-	clearToLineEnd = "\r\033[K"
-	backspaceSeq   = "\b \b"
-
-	minBoxWidth  = 50
-	paddingRight = 4
-)
-
-var forbiddenSlugs = []string{
-	"ping",
-}

session/lifecycle/lifecycle.go

@@ -2,11 +2,10 @@ package lifecycle
 
 import (
 	"errors"
-	"fmt"
 	"io"
-	"log"
 	"net"
 	"time"
+
 	portUtil "tunnel_pls/internal/port"
 	"tunnel_pls/session/slug"
 	"tunnel_pls/types"
@@ -14,109 +13,105 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
-type Interaction interface {
-	SendMessage(string)
-}
-
 type Forwarder interface {
 	Close() error
 	GetTunnelType() types.TunnelType
 	GetForwardedPort() uint16
 }
 
-type Lifecycle struct {
+type SessionRegistry interface {
-	Status  types.Status
+	Remove(key types.SessionKey)
-	Conn    ssh.Conn
-	Channel ssh.Channel
-
-	Interaction      Interaction
-	Forwarder        Forwarder
-	SlugManager      slug.Manager
-	unregisterClient func(slug string)
 }
 
-func (l *Lifecycle) SetUnregisterClient(unregisterClient func(slug string)) {
+type Lifecycle struct {
-	l.unregisterClient = unregisterClient
+	status          types.Status
+	conn            ssh.Conn
+	channel         ssh.Channel
+	forwarder       Forwarder
+	sessionRegistry SessionRegistry
+	slugManager     slug.Manager
+	startedAt       time.Time
+	user            string
+}
+
+func NewLifecycle(conn ssh.Conn, forwarder Forwarder, slugManager slug.Manager, user string) *Lifecycle {
+	return &Lifecycle{
+		status:          types.INITIALIZING,
+		conn:            conn,
+		channel:         nil,
+		forwarder:       forwarder,
+		slugManager:     slugManager,
+		sessionRegistry: nil,
+		startedAt:       time.Now(),
+		user:            user,
+	}
+}
+
+func (l *Lifecycle) SetSessionRegistry(registry SessionRegistry) {
+	l.sessionRegistry = registry
 }
 
 type SessionLifecycle interface {
 	Close() error
-	WaitForRunningStatus()
 	SetStatus(status types.Status)
 	GetConnection() ssh.Conn
 	GetChannel() ssh.Channel
+	GetUser() string
 	SetChannel(channel ssh.Channel)
-	SetUnregisterClient(unregisterClient func(slug string))
+	SetSessionRegistry(registry SessionRegistry)
+	IsActive() bool
+	StartedAt() time.Time
+}
+
+func (l *Lifecycle) GetUser() string {
+	return l.user
 }
 
 func (l *Lifecycle) GetChannel() ssh.Channel {
-	return l.Channel
+	return l.channel
 }
 
 func (l *Lifecycle) SetChannel(channel ssh.Channel) {
-	l.Channel = channel
+	l.channel = channel
 }
 func (l *Lifecycle) GetConnection() ssh.Conn {
-	return l.Conn
+	return l.conn
 }
 func (l *Lifecycle) SetStatus(status types.Status) {
-	l.Status = status
+	l.status = status
-}
+	if status == types.RUNNING && l.startedAt.IsZero() {
-func (l *Lifecycle) WaitForRunningStatus() {
+		l.startedAt = time.Now()
-	timeout := time.After(3 * time.Second)
-	ticker := time.NewTicker(150 * time.Millisecond)
-	defer ticker.Stop()
-	frames := []string{"-", "\\", "|", "/"}
-	i := 0
-	for {
-		select {
-		case <-ticker.C:
-			l.Interaction.SendMessage(fmt.Sprintf("\rLoading %s", frames[i]))
-			i = (i + 1) % len(frames)
-			if l.Status == types.RUNNING {
-				l.Interaction.SendMessage("\r\033[K")
-				return
-			}
-		case <-timeout:
-			l.Interaction.SendMessage("\r\033[K")
-			l.Interaction.SendMessage("TCP/IP request not received in time.\r\nCheck your internet connection and confirm the server responds within 3000ms.\r\nEnsure you ran the correct command. For more details, visit https://tunnl.live.\r\n\r\n")
-			err := l.Close()
-			if err != nil {
-				log.Printf("failed to close session: %v", err)
-			}
-			log.Println("Timeout waiting for session to start running")
-			return
-		}
 	}
 }
 
 func (l *Lifecycle) Close() error {
-	err := l.Forwarder.Close()
+	err := l.forwarder.Close()
 	if err != nil && !errors.Is(err, net.ErrClosed) {
 		return err
 	}
 
-	if l.Channel != nil {
+	if l.channel != nil {
-		err := l.Channel.Close()
+		err := l.channel.Close()
 		if err != nil && !errors.Is(err, io.EOF) {
 			return err
 		}
 	}
 
-	if l.Conn != nil {
+	if l.conn != nil {
-		err := l.Conn.Close()
+		err := l.conn.Close()
 		if err != nil && !errors.Is(err, net.ErrClosed) {
 			return err
 		}
 	}
 
-	clientSlug := l.SlugManager.Get()
+	clientSlug := l.slugManager.Get()
-	if clientSlug != "" {
+	if clientSlug != "" && l.sessionRegistry.Remove != nil {
-		l.unregisterClient(clientSlug)
+		key := types.SessionKey{Id: clientSlug, Type: l.forwarder.GetTunnelType()}
+		l.sessionRegistry.Remove(key)
 	}
 
-	if l.Forwarder.GetTunnelType() == types.TCP {
+	if l.forwarder.GetTunnelType() == types.TCP {
-		err := portUtil.Manager.SetPortStatus(l.Forwarder.GetForwardedPort(), false)
+		err = portUtil.Default.SetPortStatus(l.forwarder.GetForwardedPort(), false)
 		if err != nil {
 			return err
 		}
@@ -124,3 +119,11 @@ func (l *Lifecycle) Close() error {
 
 	return nil
 }
+
+func (l *Lifecycle) IsActive() bool {
+	return l.status == types.RUNNING
+}
+
+func (l *Lifecycle) StartedAt() time.Time {
+	return l.startedAt
+}

session/registry.go

@@ -0,0 +1,309 @@
+package session
+
+import (
+	"fmt"
+	"sync"
+	"tunnel_pls/types"
+)
+
+type Key = types.SessionKey
+
+type Registry interface {
+	Get(key Key) (session *SSHSession, err error)
+	GetWithUser(user string, key Key) (session *SSHSession, err error)
+	Update(user string, oldKey, newKey Key) error
+	Register(key Key, session *SSHSession) (success bool)
+	Remove(key Key)
+	GetAllSessionFromUser(user string) []*SSHSession
+}
+type registry struct {
+	mu        sync.RWMutex
+	byUser    map[string]map[Key]*SSHSession
+	slugIndex map[Key]string
+}
+
+func NewRegistry() Registry {
+	return &registry{
+		byUser:    make(map[string]map[Key]*SSHSession),
+		slugIndex: make(map[Key]string),
+	}
+}
+
+func (r *registry) Get(key Key) (session *SSHSession, err error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	userID, ok := r.slugIndex[key]
+	if !ok {
+		return nil, fmt.Errorf("session not found")
+	}
+
+	client, ok := r.byUser[userID][key]
+	if !ok {
+		return nil, fmt.Errorf("session not found")
+	}
+	return client, nil
+}
+
+func (r *registry) GetWithUser(user string, key Key) (session *SSHSession, err error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	client, ok := r.byUser[user][key]
+	if !ok {
+		return nil, fmt.Errorf("session not found")
+	}
+	return client, nil
+}
+
+func (r *registry) Update(user string, oldKey, newKey Key) error {
+	if oldKey.Type != newKey.Type {
+		return fmt.Errorf("tunnel type cannot change")
+	}
+
+	if newKey.Type != types.HTTP {
+		return fmt.Errorf("non http tunnel cannot change slug")
+	}
+
+	if isForbiddenSlug(newKey.Id) {
+		return fmt.Errorf("this subdomain is reserved. Please choose a different one")
+	}
+
+	if !isValidSlug(newKey.Id) {
+		return fmt.Errorf("invalid subdomain. Follow the rules")
+	}
+
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if _, exists := r.slugIndex[newKey]; exists && newKey != oldKey {
+		return fmt.Errorf("someone already uses this subdomain")
+	}
+	client, ok := r.byUser[user][oldKey]
+	if !ok {
+		return fmt.Errorf("session not found")
+	}
+
+	delete(r.byUser[user], oldKey)
+	delete(r.slugIndex, oldKey)
+
+	client.slugManager.Set(newKey.Id)
+	r.slugIndex[newKey] = user
+
+	if r.byUser[user] == nil {
+		r.byUser[user] = make(map[Key]*SSHSession)
+	}
+	r.byUser[user][newKey] = client
+	return nil
+}
+
+func (r *registry) Register(key Key, session *SSHSession) (success bool) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if _, exists := r.slugIndex[key]; exists {
+		return false
+	}
+
+	userID := session.lifecycle.GetUser()
+	if r.byUser[userID] == nil {
+		r.byUser[userID] = make(map[Key]*SSHSession)
+	}
+
+	r.byUser[userID][key] = session
+	r.slugIndex[key] = userID
+	return true
+}
+
+func (r *registry) GetAllSessionFromUser(user string) []*SSHSession {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	m := r.byUser[user]
+	if len(m) == 0 {
+		return []*SSHSession{}
+	}
+
+	sessions := make([]*SSHSession, 0, len(m))
+	for _, s := range m {
+		sessions = append(sessions, s)
+	}
+	return sessions
+}
+
+func (r *registry) Remove(key Key) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	userID, ok := r.slugIndex[key]
+	if !ok {
+		return
+	}
+
+	delete(r.byUser[userID], key)
+	if len(r.byUser[userID]) == 0 {
+		delete(r.byUser, userID)
+	}
+	delete(r.slugIndex, key)
+}
+
+func isValidSlug(slug string) bool {
+	if len(slug) < minSlugLength || len(slug) > maxSlugLength {
+		return false
+	}
+
+	if slug[0] == '-' || slug[len(slug)-1] == '-' {
+		return false
+	}
+
+	for _, c := range slug {
+		if !isValidSlugChar(byte(c)) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func isValidSlugChar(c byte) bool {
+	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-'
+}
+
+func isForbiddenSlug(slug string) bool {
+	_, ok := forbiddenSlugs[slug]
+	return ok
+}
+
+var forbiddenSlugs = map[string]struct{}{
+	"ping":          {},
+	"staging":       {},
+	"admin":         {},
+	"root":          {},
+	"api":           {},
+	"www":           {},
+	"support":       {},
+	"help":          {},
+	"status":        {},
+	"health":        {},
+	"login":         {},
+	"logout":        {},
+	"signup":        {},
+	"register":      {},
+	"settings":      {},
+	"config":        {},
+	"null":          {},
+	"undefined":     {},
+	"example":       {},
+	"test":          {},
+	"dev":           {},
+	"system":        {},
+	"administrator": {},
+	"dashboard":     {},
+	"account":       {},
+	"profile":       {},
+	"user":          {},
+	"users":         {},
+	"auth":          {},
+	"oauth":         {},
+	"callback":      {},
+	"webhook":       {},
+	"webhooks":      {},
+	"static":        {},
+	"assets":        {},
+	"cdn":           {},
+	"mail":          {},
+	"email":         {},
+	"ftp":           {},
+	"ssh":           {},
+	"git":           {},
+	"svn":           {},
+	"blog":          {},
+	"news":          {},
+	"about":         {},
+	"contact":       {},
+	"terms":         {},
+	"privacy":       {},
+	"legal":         {},
+	"billing":       {},
+	"payment":       {},
+	"checkout":      {},
+	"cart":          {},
+	"shop":          {},
+	"store":         {},
+	"download":      {},
+	"uploads":       {},
+	"images":        {},
+	"img":           {},
+	"css":           {},
+	"js":            {},
+	"fonts":         {},
+	"public":        {},
+	"private":       {},
+	"internal":      {},
+	"external":      {},
+	"proxy":         {},
+	"cache":         {},
+	"debug":         {},
+	"metrics":       {},
+	"monitoring":    {},
+	"graphql":       {},
+	"rest":          {},
+	"rpc":           {},
+	"socket":        {},
+	"ws":            {},
+	"wss":           {},
+	"app":           {},
+	"apps":          {},
+	"mobile":        {},
+	"desktop":       {},
+	"embed":         {},
+	"widget":        {},
+	"docs":          {},
+	"documentation": {},
+	"wiki":          {},
+	"forum":         {},
+	"community":     {},
+	"feedback":      {},
+	"report":        {},
+	"abuse":         {},
+	"spam":          {},
+	"security":      {},
+	"verify":        {},
+	"confirm":       {},
+	"reset":         {},
+	"password":      {},
+	"recovery":      {},
+	"unsubscribe":   {},
+	"subscribe":     {},
+	"notifications": {},
+	"alerts":        {},
+	"messages":      {},
+	"inbox":         {},
+	"outbox":        {},
+	"sent":          {},
+	"draft":         {},
+	"trash":         {},
+	"archive":       {},
+	"search":        {},
+	"explore":       {},
+	"discover":      {},
+	"trending":      {},
+	"popular":       {},
+	"featured":      {},
+	"new":           {},
+	"latest":        {},
+	"top":           {},
+	"best":          {},
+	"hot":           {},
+	"random":        {},
+	"all":           {},
+	"any":           {},
+	"none":          {},
+	"true":          {},
+	"false":         {},
+}
+
+var (
+	minSlugLength = 3
+	maxSlugLength = 20
+)

session/session.go

@@ -1,23 +1,18 @@
 package session
 
 import (
-	"bytes"
+	"fmt"
 	"log"
-	"sync"
+	"time"
+	"tunnel_pls/internal/config"
 	"tunnel_pls/session/forwarder"
 	"tunnel_pls/session/interaction"
 	"tunnel_pls/session/lifecycle"
 	"tunnel_pls/session/slug"
-	"tunnel_pls/types"
 
 	"golang.org/x/crypto/ssh"
 )
 
-var (
-	clientsMutex sync.RWMutex
-	Clients      = make(map[string]*SSHSession)
-)
-
 type Session interface {
 	HandleGlobalRequest(ch <-chan *ssh.Request)
 	HandleTCPIPForward(req *ssh.Request)
@@ -26,106 +21,121 @@ type Session interface {
 }
 
 type SSHSession struct {
-	Lifecycle   lifecycle.SessionLifecycle
+	initialReq    <-chan *ssh.Request
-	Interaction interaction.Controller
+	sshReqChannel <-chan ssh.NewChannel
-	Forwarder   forwarder.ForwardingController
+	lifecycle     lifecycle.SessionLifecycle
-	SlugManager slug.Manager
+	interaction   interaction.Controller
-
+	forwarder     forwarder.ForwardingController
-	channelOnce sync.Once
+	slugManager   slug.Manager
+	registry      Registry
 }
 
-func New(conn *ssh.ServerConn, forwardingReq <-chan *ssh.Request, sshChan <-chan ssh.NewChannel) {
+func (s *SSHSession) GetLifecycle() lifecycle.SessionLifecycle {
+	return s.lifecycle
+}
+
+func (s *SSHSession) GetInteraction() interaction.Controller {
+	return s.interaction
+}
+
+func (s *SSHSession) GetForwarder() forwarder.ForwardingController {
+	return s.forwarder
+}
+
+func (s *SSHSession) GetSlugManager() slug.Manager {
+	return s.slugManager
+}
+
+func New(conn *ssh.ServerConn, forwardingReq <-chan *ssh.Request, sshChan <-chan ssh.NewChannel, sessionRegistry Registry, user string) *SSHSession {
 	slugManager := slug.NewManager()
-	forwarderManager := &forwarder.Forwarder{
+	forwarderManager := forwarder.NewForwarder(slugManager)
-		Listener:      nil,
+	interactionManager := interaction.NewInteraction(slugManager, forwarderManager)
-		TunnelType:    "",
+	lifecycleManager := lifecycle.NewLifecycle(conn, forwarderManager, slugManager, user)
-		ForwardedPort: 0,
-		SlugManager:   slugManager,
-	}
-	interactionManager := &interaction.Interaction{
-		CommandBuffer:   bytes.NewBuffer(make([]byte, 0, 20)),
-		InteractiveMode: false,
-		EditSlug:        "",
-		SlugManager:     slugManager,
-		Forwarder:       forwarderManager,
-		Lifecycle:       nil,
-	}
-	lifecycleManager := &lifecycle.Lifecycle{
-		Status:      "",
-		Conn:        conn,
-		Channel:     nil,
-		Interaction: interactionManager,
-		Forwarder:   forwarderManager,
-		SlugManager: slugManager,
-	}
 
 	interactionManager.SetLifecycle(lifecycleManager)
-	interactionManager.SetSlugModificator(updateClientSlug)
 	forwarderManager.SetLifecycle(lifecycleManager)
-	lifecycleManager.SetUnregisterClient(unregisterClient)
+	interactionManager.SetSessionRegistry(sessionRegistry)
+	lifecycleManager.SetSessionRegistry(sessionRegistry)
 
-	session := &SSHSession{
+	return &SSHSession{
-		Lifecycle:   lifecycleManager,
+		initialReq:    forwardingReq,
-		Interaction: interactionManager,
+		sshReqChannel: sshChan,
-		Forwarder:   forwarderManager,
+		lifecycle:     lifecycleManager,
-		SlugManager: slugManager,
+		interaction:   interactionManager,
+		forwarder:     forwarderManager,
+		slugManager:   slugManager,
+		registry:      sessionRegistry,
 	}
+}
 
-	for channel := range sshChan {
+type Detail struct {
+	ForwardingType string    `json:"forwarding_type,omitempty"`
+	Slug           string    `json:"slug,omitempty"`
+	UserID         string    `json:"user_id,omitempty"`
+	Active         bool      `json:"active,omitempty"`
+	StartedAt      time.Time `json:"started_at,omitempty"`
+}
+
+func (s *SSHSession) Detail() Detail {
+	return Detail{
+		ForwardingType: string(s.forwarder.GetTunnelType()),
+		Slug:           s.slugManager.Get(),
+		UserID:         s.lifecycle.GetUser(),
+		Active:         s.lifecycle.IsActive(),
+		StartedAt:      s.lifecycle.StartedAt(),
+	}
+}
+
+func (s *SSHSession) Start() error {
+	channel := <-s.sshReqChannel
 	ch, reqs, err := channel.Accept()
 	if err != nil {
 		log.Printf("failed to accept channel: %v", err)
-			continue
+		return err
 	}
-		session.channelOnce.Do(func() {
+	go s.HandleGlobalRequest(reqs)
-			session.Lifecycle.SetChannel(ch)
-			session.Interaction.SetChannel(ch)
-			session.Lifecycle.SetStatus(types.SETUP)
-			go session.HandleGlobalRequest(forwardingReq)
-			session.Lifecycle.WaitForRunningStatus()
-		})
 
-		go session.HandleGlobalRequest(reqs)
+	tcpipReq := s.waitForTCPIPForward()
+	if tcpipReq == nil {
+		_, err := ch.Write([]byte(fmt.Sprintf("Port forwarding request not received. Ensure you ran the correct command with -R flag. Example: ssh %s -p %s -R 80:localhost:3000", config.Getenv("DOMAIN", "localhost"), config.Getenv("PORT", "2200"))))
+		if err != nil {
+			return err
 		}
-	if err := session.Lifecycle.Close(); err != nil {
+		if err := s.lifecycle.Close(); err != nil {
 			log.Printf("failed to close session: %v", err)
 		}
-}
+		return fmt.Errorf("no forwarding Request")
-
-func updateClientSlug(oldSlug, newSlug string) bool {
-	clientsMutex.Lock()
-	defer clientsMutex.Unlock()
-
-	if _, exists := Clients[newSlug]; exists && newSlug != oldSlug {
-		return false
 	}
 
-	client, ok := Clients[oldSlug]
+	s.lifecycle.SetChannel(ch)
+	s.interaction.SetChannel(ch)
+
+	s.HandleTCPIPForward(tcpipReq)
+
+	if err := s.lifecycle.Close(); err != nil {
+		log.Printf("failed to close session: %v", err)
+		return err
+	}
+	return nil
+}
+
+func (s *SSHSession) waitForTCPIPForward() *ssh.Request {
+	select {
+	case req, ok := <-s.initialReq:
 		if !ok {
-		return false
+			log.Println("Forwarding request channel closed")
+			return nil
 		}
-
+		if req.Type == "tcpip-forward" {
-	delete(Clients, oldSlug)
+			return req
-	client.SlugManager.Set(newSlug)
+		}
-	Clients[newSlug] = client
+		if err := req.Reply(false, nil); err != nil {
-	return true
+			log.Printf("Failed to reply to request: %v", err)
-}
+		}
-
+		log.Printf("Expected tcpip-forward request, got: %s", req.Type)
-func registerClient(slug string, session *SSHSession) bool {
+		return nil
-	clientsMutex.Lock()
+	case <-time.After(500 * time.Millisecond):
-	defer clientsMutex.Unlock()
+		log.Println("No forwarding request received")
-
+		return nil
-	if _, exists := Clients[slug]; exists {
-		return false
 	}
-
-	Clients[slug] = session
-	return true
-}
-
-func unregisterClient(slug string) {
-	clientsMutex.Lock()
-	defer clientsMutex.Unlock()
-
-	delete(Clients, slug)
 }

session/slug/slug.go

@@ -1,7 +1,5 @@
 package slug
 
-import "sync"
-
 type Manager interface {
 	Get() string
 	Set(slug string)
@@ -9,24 +7,18 @@ type Manager interface {
 
 type manager struct {
 	slug string
-	slugMu sync.RWMutex
 }
 
 func NewManager() Manager {
 	return &manager{
 		slug: "",
-		slugMu: sync.RWMutex{},
 	}
 }
 
 func (s *manager) Get() string {
-	s.slugMu.RLock()
-	defer s.slugMu.RUnlock()
 	return s.slug
 }
 
 func (s *manager) Set(slug string) {
-	s.slugMu.Lock()
 	s.slug = slug
-	s.slugMu.Unlock()
 }

types/types.go

@@ -15,11 +15,10 @@ const (
 	TCP  TunnelType = "TCP"
 )
 
-type InteractionType string
+type SessionKey struct {
-
+	Id   string
-const (
+	Type TunnelType
-	Slug InteractionType = "SLUG"
+}
-)
 
 var BadGatewayResponse = []byte("HTTP/1.1 502 Bad Gateway\r\n" +
 	"Content-Length: 11\r\n" +

utils/utils.go

@@ -1,58 +0,0 @@
-package utils
-
-import (
-	"log"
-	"math/rand"
-	"os"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/joho/godotenv"
-)
-
-type Env struct {
-	value map[string]string
-	mu    sync.Mutex
-}
-
-var env *Env
-
-func init() {
-	env = &Env{value: map[string]string{}}
-}
-
-func GenerateRandomString(length int) string {
-	const charset = "abcdefghijklmnopqrstuvwxyz"
-	seededRand := rand.New(rand.NewSource(time.Now().UnixNano() + int64(rand.Intn(9999))))
-	var result strings.Builder
-	for i := 0; i < length; i++ {
-		randomIndex := seededRand.Intn(len(charset))
-		result.WriteString(string(charset[randomIndex]))
-	}
-	return result.String()
-}
-
-func Getenv(key string) string {
-	env.mu.Lock()
-	defer env.mu.Unlock()
-	if val, ok := env.value[key]; ok {
-		return val
-	}
-
-	if os.Getenv("HOSTNAME") == "" {
-		err := godotenv.Load(".env")
-		if err != nil {
-			log.Fatalf("Error loading .env file: %s", err)
-		}
-	}
-
-	val := os.Getenv(key)
-	env.value[key] = val
-
-	if val == "" {
-		panic("Asking for env: " + key + " but got nothing, please set your environment first")
-	}
-
-	return val
-}

version/version.go

@@ -0,0 +1,17 @@
+package version
+
+import "fmt"
+
+var (
+	Version   = "dev"
+	BuildDate = "unknown"
+	Commit    = "unknown"
+)
+
+func GetVersion() string {
+	return fmt.Sprintf("tunnel_pls %s (commit: %s, built: %s)", Version, Commit, BuildDate)
+}
+
+func GetShortVersion() string {
+	return Version
+}