tunnel-rb 0.1.0

data/lib/tunnel_rb/client.rb

@@ -0,0 +1,195 @@
+# frozen_string_literal: true
+
+require "socket"
+require "json"
+require "openssl"
+
+module TunnelRb
+  class Client
+    TCP_KEEPALIVE_IDLE = 60
+    TCP_KEEPALIVE_INTERVAL = 30
+    TCP_KEEPALIVE_PROBES = 3
+
+    CONNECT_TIMEOUT = 5
+    RECONNECT_INITIAL_DELAY = 1
+    RECONNECT_MAX_DELAY = 30
+
+    LOCAL_UNREACHABLE_ERRORS = [
+      Errno::ECONNREFUSED,
+      Errno::EHOSTUNREACH,
+      Errno::ENETUNREACH,
+      Errno::ETIMEDOUT,
+      SocketError
+    ].freeze
+
+    def initialize(server_host:, server_port:, local_host: "localhost", local_port:, tls: false, tls_ca: nil, tls_verify: false)
+      @server_host = server_host
+      @server_port = server_port
+      @local_host = local_host
+      @local_port = local_port
+      @tls = tls
+      @tls_ca = tls_ca
+      @tls_verify = tls_verify
+      @token = nil
+      @session_mutex = Mutex.new
+      @tls_session = nil
+      @ssl_context = build_ssl_context if @tls
+    end
+
+    def start
+      attempt = 0
+      loop do
+        connect_and_run { attempt = 0 }
+      rescue Interrupt
+        puts "\n[Tunnel] Shutting down..."
+        break
+      rescue => e
+        delay = [RECONNECT_INITIAL_DELAY * (2**attempt), RECONNECT_MAX_DELAY].min
+        attempt += 1
+        puts "[Tunnel] Disconnected: #{e.message}. Reconnecting in #{delay}s..."
+        sleep delay
+      end
+    ensure
+      @control_socket&.close
+    end
+
+    private
+
+    def connect_and_run
+      @control_socket = open_tcp(@server_host, @server_port)
+      enable_tcp_keepalive(@control_socket)
+
+      payload = { action: "register" }
+      payload[:token] = @token if @token
+      @control_socket.puts(payload.to_json)
+
+      response = read_json(@control_socket, "registration response")
+      raise "Registration failed: #{response['error']}" if response["status"] != "ok"
+
+      @token = response["token"]
+      transport = @tls ? "TLS" : "TCP"
+      puts "\n🚀 [Tunnel] Ready! #{response['url']} -> #{@local_host}:#{@local_port} (server: #{transport})\n\n"
+
+      yield if block_given?
+
+      loop do
+        command = read_json(@control_socket, "command")
+
+        case command["action"]
+        when "ping"
+          @control_socket.puts({ action: "pong" }.to_json)
+        when "new_connection"
+          Thread.new { handle_data_connection(command["conn_id"]) }
+        end
+      end
+    end
+
+    def handle_data_connection(conn_id)
+      server_sock =
+        begin
+          open_tcp(@server_host, @server_port)
+        rescue => e
+          warn "[Tunnel] Failed to open data connection to server: #{e.message}"
+          return
+        end
+
+      server_sock.puts({ action: "bind", conn_id: conn_id }.to_json)
+
+      begin
+        local_sock = open_tcp(@local_host, @local_port, tls: false)
+      rescue *LOCAL_UNREACHABLE_ERRORS => e
+        respond_bad_gateway(server_sock, e)
+        return
+      end
+
+      t1 = Thread.new { proxy_stream(server_sock, local_sock) }
+      t2 = Thread.new { proxy_stream(local_sock, server_sock) }
+      t1.join
+      t2.join
+    ensure
+      server_sock&.close
+      local_sock&.close
+    end
+
+    def open_tcp(host, port, tls: @tls)
+      tcp = Socket.tcp(host, port, connect_timeout: CONNECT_TIMEOUT)
+      tcp.setsockopt(:TCP, :TCP_NODELAY, true) rescue nil
+      return tcp unless tls
+
+      ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ssl_context)
+      ssl.hostname = host
+      cached_session = @session_mutex.synchronize { @tls_session }
+      ssl.session = cached_session if cached_session
+      ssl.sync_close = true
+      ssl.connect
+      ssl.post_connection_check(host) if @ssl_context.verify_mode == OpenSSL::SSL::VERIFY_PEER
+      ssl
+    end
+
+    def build_ssl_context
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
+
+      ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
+      ctx.session_new_cb = proc do |_ssl, session|
+        @session_mutex.synchronize { @tls_session = session }
+      end
+
+      if @tls_ca
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        ctx.ca_file = @tls_ca
+      elsif @tls_verify
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths
+        ctx.cert_store = store
+      else
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+      ctx
+    end
+
+    def read_json(socket, what)
+      line = socket.gets
+      raise "Server closed connection while waiting for #{what}" if line.nil?
+
+      JSON.parse(line)
+    rescue JSON::ParserError => e
+      raise "Invalid #{what} from server: #{e.message}"
+    end
+
+    def respond_bad_gateway(server_sock, error)
+      body = "Local service #{@local_host}:#{@local_port} is not reachable: #{error.message}\n"
+      server_sock.write(
+        "HTTP/1.1 502 Bad Gateway\r\n" \
+        "Connection: close\r\n" \
+        "Content-Type: text/plain; charset=utf-8\r\n" \
+        "Content-Length: #{body.bytesize}\r\n" \
+        "\r\n" \
+        "#{body}"
+      )
+    rescue IOError, SystemCallError
+    end
+
+    def enable_tcp_keepalive(socket)
+      io = socket.respond_to?(:to_io) ? socket.to_io : socket
+      io.setsockopt(:SOCKET, :SO_KEEPALIVE, true)
+      if defined?(Socket::TCP_KEEPIDLE)
+        io.setsockopt(:TCP, :TCP_KEEPIDLE, TCP_KEEPALIVE_IDLE)
+        io.setsockopt(:TCP, :TCP_KEEPINTVL, TCP_KEEPALIVE_INTERVAL)
+        io.setsockopt(:TCP, :TCP_KEEPCNT, TCP_KEEPALIVE_PROBES)
+      elsif defined?(Socket::TCP_KEEPALIVE)
+        io.setsockopt(:TCP, :TCP_KEEPALIVE, TCP_KEEPALIVE_IDLE)
+      end
+    rescue StandardError => e
+      warn "TCP keepalive not configured: #{e.message}"
+    end
+
+    def proxy_stream(source, destination)
+      IO.copy_stream(source, destination)
+    rescue IOError, SystemCallError
+    ensure
+      destination.close_write rescue nil
+    end
+  end
+end

data/lib/tunnel_rb/server/client.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "json"
+require "thread"
+
+module TunnelRb
+  class Server
+    # Server-side view of a connected tunnel client. Owns the control socket
+    # and per-connection state (read buffer, ping bookkeeping, write mutex).
+    class Client
+      attr_reader :subdomain, :socket, :token, :read_buffer
+      attr_accessor :missed_pongs, :pong_received
+
+      def initialize(subdomain:, socket:, token:)
+        @subdomain = subdomain
+        @socket = socket
+        @token = token
+        @write_mutex = Mutex.new
+        @read_buffer = String.new(encoding: Encoding::ASCII_8BIT)
+        @missed_pongs = 0
+        @pong_received = true
+      end
+
+      def send_message(payload)
+        @write_mutex.synchronize { @socket.puts(payload.to_json) }
+      end
+    end
+  end
+end

data/lib/tunnel_rb/server/client_registry.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require "set"
+require "thread"
+
+require_relative "client"
+
+module TunnelRb
+  class Server
+    # Thread-safe in-memory registry of connected clients keyed by subdomain,
+    # with a reverse index for O(1) lookup by socket.
+    class ClientRegistry
+      def initialize
+        @clients = {}             # subdomain -> Client
+        @socket_to_subdomain = {} # control_socket -> subdomain
+        @mutex = Mutex.new
+      end
+
+      # Registers a new client. If a client with the same subdomain is already
+      # connected, returns the old socket so the caller can close it outside
+      # the registry's mutex.
+      def register(subdomain, socket, token)
+        old_socket = nil
+        client = nil
+        @mutex.synchronize do
+          old = @clients[subdomain]
+          if old && old.socket != socket
+            @socket_to_subdomain.delete(old.socket)
+            old_socket = old.socket
+          end
+          client = Client.new(subdomain: subdomain, socket: socket, token: token)
+          @clients[subdomain] = client
+          @socket_to_subdomain[socket] = subdomain
+        end
+        [client, old_socket]
+      end
+
+      # Removes a client identified by socket. Returns the subdomain it was
+      # registered under, or nil if the socket was already gone (e.g. replaced
+      # by a reconnect).
+      def forget(socket)
+        @mutex.synchronize { forget_unlocked(socket) }
+      end
+
+      def lookup(subdomain)
+        @mutex.synchronize { @clients[subdomain] }
+      end
+
+      def lookup_by_socket(socket)
+        @mutex.synchronize do
+          sub = @socket_to_subdomain[socket]
+          sub && @clients[sub]
+        end
+      end
+
+      # Snapshot of currently registered control sockets, for IO.select.
+      def sockets
+        @mutex.synchronize { @socket_to_subdomain.keys }
+      end
+
+      # Yields each Client under the registry mutex. Block must not block on
+      # I/O; collect work and execute it after the iteration.
+      def each_client(&block)
+        @mutex.synchronize { @clients.each_value(&block) }
+      end
+
+      def active_subdomains
+        @mutex.synchronize { @clients.keys.to_set }
+      end
+
+      def size
+        @mutex.synchronize { @clients.size }
+      end
+
+      # Atomically tags many clients for removal and returns their sockets.
+      # Used by the ping loop to evict unresponsive peers without holding the
+      # mutex while closing sockets.
+      def forget_many(sockets)
+        @mutex.synchronize do
+          sockets.each { |s| forget_unlocked(s) }
+        end
+      end
+
+      private
+
+      def forget_unlocked(socket)
+        sub = @socket_to_subdomain.delete(socket)
+        return nil unless sub
+
+        client = @clients[sub]
+        @clients.delete(sub) if client && client.socket == socket
+        sub
+      end
+    end
+  end
+end

data/lib/tunnel_rb/server/control_server.rb

@@ -0,0 +1,244 @@
+# frozen_string_literal: true
+
+require "json"
+require "socket"
+
+require_relative "thread_pool"
+require_relative "socket_helpers"
+require_relative "tls"
+
+module TunnelRb
+  class Server
+    # Owns the control plane: port 7777 listener, handshake handler, the
+    # IO.select-based read loop that consumes pong/disconnect events, and
+    # the ping loop that evicts unresponsive clients.
+    class ControlServer
+      PING_INTERVAL = 30 # seconds; keeps NAT mappings alive
+      PONG_MISSES = 3
+      HANDSHAKE_POOL_SIZE = 64
+      HANDSHAKE_QUEUE_SIZE = 64
+      READ_CHUNK = 4096
+      LINE_MAX = 16 * 1024 # drop clients that send oversized lines without \n
+      SELECT_TIMEOUT = 1.0
+      IDLE_SLEEP = 0.5 # when no clients are connected
+
+      def initialize(port:, domain:, registry:, token_store:, pending_connections:, logger:, url_port: nil, tls_context: nil)
+        @port = port
+        @domain = domain
+        @url_port = url_port
+        @registry = registry
+        @token_store = token_store
+        @pending_connections = pending_connections
+        @tls_context = tls_context
+        @logger = logger
+
+        @pool = ThreadPool.new(HANDSHAKE_POOL_SIZE, max_queue: HANDSHAKE_QUEUE_SIZE)
+        @stopping = false
+        @server = nil
+      end
+
+      def tls?
+        !@tls_context.nil?
+      end
+
+      # Blocking accept loop. Returns when stop is called.
+      def start
+        tcp_server = TCPServer.new("0.0.0.0", @port)
+        @server = tls? ? TLS.wrap_listener(tcp_server, @tls_context) : tcp_server
+        @logger.info "🎧 Control server listening for clients on #{@port}"
+
+        loop do
+          socket = @server.accept
+          @pool.submit { handle_connection(socket) }
+        rescue IOError, Errno::EBADF
+          break if @stopping
+
+          raise
+        end
+      end
+
+      # IO.select over all registered control sockets. One thread serves all
+      # clients, so the count of long-lived ping/pong loops doesn't grow with
+      # the number of registered tunnels.
+      def read_loop
+        until @stopping
+          sockets = @registry.sockets
+          if sockets.empty?
+            sleep IDLE_SLEEP
+            next
+          end
+
+          begin
+            readable, = IO.select(sockets, nil, nil, SELECT_TIMEOUT)
+          rescue IOError, Errno::EBADF
+            # A socket was closed (e.g. shutdown) while we were waiting on it.
+            # Drop it from our snapshot and re-loop to rebuild the set.
+            next
+          end
+          next unless readable
+
+          readable.each { |socket| handle_readable(socket) }
+        end
+      end
+
+      def ping_loop
+        while interruptible_sleep(PING_INTERVAL)
+          tick_pings
+        end
+      end
+
+      def stop
+        @stopping = true
+        @server&.close rescue nil
+        @pool.shutdown
+        @registry.sockets.each { |s| s.close rescue nil }
+      end
+
+      private
+
+      # Sleeps in 1-second slices so stop() is observed quickly. Returns
+      # false when @stopping flips during the sleep.
+      def interruptible_sleep(total)
+        total.times do
+          return false if @stopping
+
+          sleep 1
+        end
+        !@stopping
+      end
+
+      def handle_connection(socket)
+        # SSLServer defers the handshake (start_immediately = false), so we run
+        # it here in the worker thread rather than blocking the accept loop.
+        socket.accept if tls?
+
+        SocketHelpers.enable_tcp_nodelay(socket)
+
+        line = socket.gets
+        return socket.close rescue nil unless line
+
+        request = JSON.parse(line)
+
+        case request["action"]
+        when "register"
+          handle_registration(socket, request)
+        when "bind"
+          @pending_connections.deliver(request["conn_id"], socket)
+        else
+          socket.close rescue nil
+        end
+      rescue => e
+        @logger.warn "❌ Tunnel connection error: #{e.message}"
+        socket.close rescue nil
+      end
+
+      def handle_registration(control_socket, request)
+        @token_store.cleanup_expired
+
+        reused = false
+        subdomain =
+          if request["token"] && (existing = @token_store.resolve(request["token"]))
+            @token_store.revoke(request["token"])
+            reused = true
+            existing
+          else
+            @token_store.generate_subdomain
+          end
+
+        token = @token_store.issue(subdomain)
+        client, old_socket = @registry.register(subdomain, control_socket, token)
+        old_socket.close rescue nil if old_socket
+
+        authority = @url_port ? "#{subdomain}.#{@domain}:#{@url_port}" : "#{subdomain}.#{@domain}"
+        url = "https://#{authority}"
+        SocketHelpers.enable_tcp_keepalive(control_socket)
+        client.send_message(status: "ok", url: url, token: token)
+
+        @logger.info(reused ? "✅ Tunnel reconnected: #{url}" : "✅ Tunnel registered: #{url}")
+      end
+
+      def handle_readable(socket)
+        client = @registry.lookup_by_socket(socket)
+        # Socket already removed (e.g. ping_loop closed it); drop it.
+        return disconnect(socket, log: false) unless client
+
+        buffer = client.read_buffer
+
+        # Drain in a loop: a TLS socket can hold decrypted bytes that IO.select
+        # never surfaces (readiness is at the TCP layer, but a full TLS record
+        # may already be buffered). read_nonblock works for plain and TLS
+        # sockets alike, unlike recv_nonblock which SSLSocket does not support.
+        loop do
+          chunk = socket.read_nonblock(READ_CHUNK, exception: false)
+          case chunk
+          when :wait_readable, :wait_writable
+            break # nothing more to read right now
+          when nil
+            return disconnect(socket)
+          when ""
+            break
+          end
+
+          buffer << chunk
+        end
+
+        while (idx = buffer.index("\n"))
+          line = buffer.slice!(0, idx + 1)
+          process_line(client, line)
+        end
+
+        # No newline yet but buffer keeps growing => slowloris. Drop the client.
+        if buffer.bytesize > LINE_MAX
+          @logger.warn "control buffer overflow on #{client.subdomain}, disconnecting"
+          disconnect(socket)
+        end
+      rescue IOError, SystemCallError, OpenSSL::SSL::SSLError
+        disconnect(socket)
+      end
+
+      def process_line(client, line)
+        message = JSON.parse(line) rescue return
+        return unless message["action"] == "pong"
+
+        client.pong_received = true
+        client.missed_pongs = 0
+      end
+
+      def disconnect(socket, log: true)
+        subdomain = @registry.forget(socket)
+        socket.close rescue nil
+        @logger.info "🔴 Tunnel #{subdomain} disconnected" if log && subdomain
+      end
+
+      def tick_pings
+        to_close = []
+        to_ping = []
+
+        @registry.each_client do |client|
+          unless client.pong_received
+            client.missed_pongs += 1
+            if client.missed_pongs >= PONG_MISSES
+              to_close << client.socket
+              next
+            end
+          end
+
+          client.pong_received = false
+          to_ping << client
+        end
+
+        to_close.each do |socket|
+          sub = @registry.forget(socket)
+          @logger.warn "⚠️  Tunnel #{sub} unresponsive (#{PONG_MISSES} missed pongs), closing control channel" if sub
+          socket.close rescue nil
+        end
+
+        to_ping.each do |client|
+          client.send_message(action: "ping")
+        rescue IOError, SystemCallError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/tunnel_rb/server/http_request.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "timeout"
+
+module TunnelRb
+  class Server
+    # Reads the request line and headers from a browser socket, injects
+    # X-Forwarded-* headers, and returns the parsed Host plus the raw bytes
+    # ready to forward to the tunneled backend.
+    module HttpRequest
+      Timeout = Class.new(StandardError)
+
+      DEFAULT_TIMEOUT = 5
+
+      module_function
+
+      def read(socket, client_ip:, timeout: DEFAULT_TIMEOUT)
+        buffer = +""
+        host = nil
+
+        ::Timeout.timeout(timeout) do
+          while (line = socket.gets)
+            if line.strip.empty?
+              buffer << "X-Forwarded-For: #{client_ip}\r\n"
+              buffer << "X-Forwarded-Proto: https\r\n"
+              buffer << "\r\n"
+              break
+            end
+
+            next if line.match?(/^X-Forwarded-/i)
+
+            buffer << line
+            if (match = line.match(/^Host:\s+([^\r\n]+)/i))
+              host = match[1]
+            end
+          end
+        end
+
+        [host, buffer]
+      rescue ::Timeout::Error
+        raise Timeout
+      end
+    end
+  end
+end

data/lib/tunnel_rb/server/logger.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module TunnelRb
+  class Server
+    # Small wrapper around stdout/stderr so call sites stay short and tests
+    # can swap in a StringIO. Existing emoji-decorated strings pass through
+    # unchanged.
+    class Logger
+      def initialize(out: $stdout, err: $stderr)
+        @out = out
+        @err = err
+      end
+
+      def info(message)
+        @out.puts(message)
+      end
+
+      def warn(message)
+        @err.puts(message)
+      end
+    end
+  end
+end

data/lib/tunnel_rb/server/pending_connections.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "thread"
+
+module TunnelRb
+  class Server
+    # Coordination between the public-request thread (which generates a
+    # conn_id and asks the tunneled client for a fresh data socket) and the
+    # control connection where the tunneled client eventually 'bind's that
+    # socket. The public side registers a Queue, the control side delivers into
+    # it.
+    class PendingConnections
+      def initialize
+        @pending = {}
+        @mutex = Mutex.new
+      end
+
+      def register(conn_id)
+        queue = Queue.new
+        @mutex.synchronize { @pending[conn_id] = queue }
+        queue
+      end
+
+      # Public side cleans up its slot whether it consumed the data socket
+      # or timed out.
+      def close(conn_id)
+        @mutex.synchronize { @pending.delete(conn_id) }
+      end
+
+      # Control side hands a freshly-bound data socket to whichever public
+      # request is waiting. If nobody is waiting (e.g. browser closed first),
+      # the socket is closed.
+      def deliver(conn_id, socket)
+        queue = @mutex.synchronize { @pending.delete(conn_id) }
+        if queue
+          queue.push(socket)
+        else
+          socket.close rescue nil
+        end
+      end
+    end
+  end
+end