bagas/tunnel-please
Public Access
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

staging #46

Merged
bagas merged 8 commits from staging into main 2025-12-28 13:19:25 +00:00
Conversation 0 Commits 8 Files Changed 13 +19 -12
6 changed files with 19 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit c3a469be64 - Show all commits

2
.dockerignore
View File

@@ -28,3 +28,5 @@ renovate-config.js
*_test.go
testdata/
app

1
.gitignore vendored
View File

@@ -4,3 +4,4 @@ id_rsa*
.env
tmp
certs
app

6
Dockerfile
View File

@@ -22,7 +22,9 @@ RUN --mount=type=cache,target=/go/pkg/mod \
-o /app/tunnel_pls \
.
RUN adduser -D -u 10001 -g '' appuser
RUN adduser -D -u 10001 -g '' appuser && \
mkdir -p /app/certs/ssh /app/certs/tls && \
chown -R appuser:appuser /app
FROM scratch
@@ -30,7 +32,7 @@ COPY --from=go_builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=go_builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=go_builder /etc/passwd /etc/passwd
COPY --from=go_builder /etc/group /etc/group
COPY --from=go_builder /app/tunnel_pls /app/tunnel_pls
COPY --from=go_builder --chown=appuser:appuser /app /app
WORKDIR /app

14
README.md
View File

@@ -24,13 +24,9 @@ The following environment variables can be configured in the `.env` file:
| `PORT` | SSH server port | `2200` | No |
| `TLS_ENABLED` | Enable TLS/HTTPS | `false` | No |
| `TLS_REDIRECT` | Redirect HTTP to HTTPS | `false` | No |
| `CERT_LOC` | Path to TLS certificate | `certs/cert.pem` | No |
| `KEY_LOC` | Path to TLS private key | `certs/privkey.pem` | No |
| `CERT_STORAGE_PATH` | Path for CertMagic certificate storage | `certs/certmagic` | No |
| `ACME_EMAIL` | Email for Let's Encrypt registration | `admin@<DOMAIN>` | No |
| `CF_API_TOKEN` | Cloudflare API token for DNS-01 challenge | - | Yes (if auto-cert) |
| `ACME_STAGING` | Use Let's Encrypt staging server | `false` | No |
| `SSH_PRIVATE_KEY` | Path to SSH private key (auto-generated if missing) | `certs/id_rsa` | No |
| `CORS_LIST` | Comma-separated list of allowed CORS origins | - | No |
| `ALLOWED_PORTS` | Port range for TCP tunnels (e.g., 40000-41000) | `40000-41000` | No |
| `BUFFER_SIZE` | Buffer size for io.Copy operations in bytes (4096-1048576) | `32768` | No |
@@ -43,8 +39,14 @@ The following environment variables can be configured in the `.env` file:
The server supports automatic TLS certificate generation and renewal using [CertMagic](https://github.com/caddyserver/certmagic) with Cloudflare DNS-01 challenge. This is required for wildcard certificate support (`*.yourdomain.com`).
**Certificate Storage:**
- TLS certificates are stored in `certs/tls/` (relative to application directory)
- User-provided certificates: `certs/tls/cert.pem` and `certs/tls/privkey.pem`
- CertMagic automatic certificates: `certs/tls/certmagic/`
- SSH keys are stored separately in `certs/ssh/`
**How it works:**
1. If user-provided certificates (`CERT_LOC`, `KEY_LOC`) exist and cover both `DOMAIN` and `*.DOMAIN`, they will be used
1. If user-provided certificates exist at `certs/tls/cert.pem` and `certs/tls/privkey.pem` and cover both `DOMAIN` and `*.DOMAIN`, they will be used
2. If certificates are missing, expired, expiring within 30 days, or don't cover the required domains, CertMagic will automatically obtain new certificates from Let's Encrypt
3. Certificates are automatically renewed before expiration
4. User-provided certificates support hot-reload (changes detected every 30 seconds)
@@ -71,7 +73,7 @@ ACME_EMAIL=admin@example.com
### SSH Key Auto-Generation
If the SSH private key specified in `SSH_PRIVATE_KEY` doesn't exist, the application will automatically generate a new 4096-bit RSA key pair at the specified location. This makes it easier to get started without manually creating SSH keys.
The application will automatically generate a new 4096-bit RSA key pair at `certs/ssh/id_rsa` if it doesn't exist. This makes it easier to get started without manually creating SSH keys. SSH keys are stored separately from TLS certificates.
### Memory Optimization

2
main.go
View File

@@ -33,7 +33,7 @@ func main() {
ServerVersion: "SSH-2.0-TunnlPls-1.0",
}
sshKeyPath := utils.Getenv("SSH_PRIVATE_KEY", "certs/id_rsa")
sshKeyPath := "certs/ssh/id_rsa"
if err := utils.GenerateSSHKeyIfNotExist(sshKeyPath); err != nil {
log.Fatalf("Failed to generate SSH key: %s", err)
}

6
server/tls.go
View File

@@ -37,9 +37,9 @@ func NewTLSConfig(domain string) (*tls.Config, error) {
var initErr error
tlsManagerOnce.Do(func() {
certPath := utils.Getenv("CERT_LOC", "certs/cert.pem")
keyPath := utils.Getenv("KEY_LOC", "certs/privkey.pem")
storagePath := utils.Getenv("CERT_STORAGE_PATH", "certs/certmagic")
certPath := "certs/tls/cert.pem"
keyPath := "certs/tls/privkey.pem"
storagePath := "certs/tls/certmagic"
tm := &TLSManager{
domain: domain,