opentunnel-cli 1.0.9 → 1.0.11

package/README.md

@@ -9,6 +9,7 @@
 - [As a Client](#-as-a-client) - Expose your local ports
 - [As a Server](#-as-a-server) - Host your own tunnel server
 - [Authentication](#-authentication) - Secure your server
+- [IP Access Control](#-ip-access-control) - Allow/deny IPs and CIDR ranges
 - [Configuration File](#-configuration-file) - opentunnel.yml reference
   - [Environment Variables](#environment-variables) - Docker-style ${VAR:-default} syntax
 - [Commands Reference](#-commands-reference)
@@ -232,6 +233,11 @@ SSL/TLS:
   --email <email>             Email for Let's Encrypt
   --production                Use Let's Encrypt production (not staging)
   --cloudflare-token <token>  Cloudflare API token for DNS-01 challenge
+
+IP Access Control:
+  --ip-mode <mode>            Access mode: all, allowlist, denylist (default: all)
+  --ip-allow <ips>            Comma-separated IPs/CIDRs to allow
+  --ip-deny <ips>             Comma-separated IPs/CIDRs to deny
 ```
 
 ## Server Modes
@@ -311,6 +317,60 @@ server:
 
 ---
 
+# 🛡️ IP Access Control
+
+Control which IP addresses can connect to your server. By default, all IPs are allowed.
+
+## Access Modes
+
+| Mode | Description |
+|------|-------------|
+| `all` | Allow all IPs (default) |
+| `allowlist` | Only allow IPs in the allow list |
+| `denylist` | Deny IPs in the deny list, allow others |
+
+## Command Line
+
+```bash
+# Only allow specific IPs/ranges
+opentunnel server -d --domain example.com --ip-mode allowlist --ip-allow "192.168.1.0/24,10.0.0.1"
+
+# Deny specific IPs
+opentunnel server -d --domain example.com --ip-mode denylist --ip-deny "1.2.3.4,5.6.7.0/24"
+```
+
+## Configuration File
+
+```yaml
+server:
+  domain: example.com
+  token: ${AUTH_TOKEN}
+  ipAccess:
+    mode: allowlist                       # all, allowlist, or denylist
+    allowList:
+      - 192.168.1.0/24                    # Allow entire subnet
+      - 10.0.0.1                          # Allow single IP
+      - 172.16.0.0/16                     # Allow another range
+```
+
+```yaml
+server:
+  domain: example.com
+  ipAccess:
+    mode: denylist
+    denyList:
+      - 1.2.3.4                           # Block single IP
+      - 5.6.7.0/24                        # Block entire subnet
+```
+
+## Supported Formats
+
+- Single IP: `192.168.1.1`
+- CIDR notation: `192.168.1.0/24` (256 addresses)
+- IPv6: `::1`, `2001:db8::/32`
+
+---
+
 # 📄 Configuration File
 
 Create `opentunnel.yml` in your project directory.

package/dist/cli/index.js

@@ -67,13 +67,13 @@ function loadEnvFile() {
                     value = value.slice(1, -1);
                 }
                 // Only set if not already defined in environment
-                if (process.env[key] === undefined) {
+                if (process.env[key] === undefined)
                     process.env[key] = value;
-                }
             }
         }
     }
 }
+;
 // Docker-style environment variable substitution
 // Supports: ${VAR}, ${VAR:-default}, ${VAR:=default}
 function substituteEnvVars(content) {
@@ -81,19 +81,17 @@ function substituteEnvVars(content) {
     const pattern = /\$\{([^}:]+)(?:(:[-=])([^}]*))?\}/g;
     return content.replace(pattern, (match, varName, operator, defaultValue) => {
         const envValue = process.env[varName];
-        if (operator === ":-" || operator === ":=") {
-            // Use default if variable is unset or empty
+        if (operator === ":-" || operator === ":=")
             return (envValue !== undefined && envValue !== "") ? envValue : (defaultValue || "");
-        }
         // Just ${VAR} - return value or empty string
         return envValue || "";
     });
 }
+;
 // Load and parse config file with environment variable substitution
 function loadConfig(configPath) {
-    if (!fs.existsSync(configPath)) {
+    if (!fs.existsSync(configPath))
         return null;
-    }
     // Load .env file first
     loadEnvFile();
     // Read and substitute environment variables
@@ -101,12 +99,13 @@ function loadConfig(configPath) {
     content = substituteEnvVars(content);
     return (0, yaml_1.parse)(content);
 }
+;
 const program = new commander_1.Command();
 program
     .name("opentunnel")
     .alias("ot")
     .description("Expose local ports to the internet via custom domains or ngrok")
-    .version("1.0.0");
+    .version("1.0.11");
 // Helper function to build WebSocket URL from domain
 // User only provides base domain (e.g., fjrg2007.com), system handles the rest
 // Note: --insecure flag only affects certificate verification, not the protocol
@@ -166,7 +165,7 @@ program
             token: options.token,
             reconnect: true,
             silent: true,
-            rejectUnauthorized: !insecure,
+            rejectUnauthorized: !insecure
         });
         await client.connect();
         spinner.text = "Creating tunnel...";
@@ -200,18 +199,16 @@ program
                 publicUrl = result.publicUrl;
                 usedInsecure = true;
             }
-            else {
+            else
                 throw firstErr;
-            }
         }
         spinner.succeed("Tunnel established!");
         console.log("");
         console.log(chalk_1.default.cyan(`  OpenTunnel ${chalk_1.default.gray(`(via ${serverDisplayName})`)}`));
         console.log(chalk_1.default.gray("  ─────────────────────────────────────────"));
         console.log(`  ${chalk_1.default.white("Status:")}    ${chalk_1.default.green("● Online")}`);
-        if (usedInsecure && !options.insecure) {
+        if (usedInsecure && !options.insecure)
             console.log(`  ${chalk_1.default.white("Security:")} ${chalk_1.default.yellow("⚠ Insecure (self-signed cert)")}`);
-        }
         console.log(`  ${chalk_1.default.white("Protocol:")}  ${chalk_1.default.yellow(options.protocol.toUpperCase())}`);
         console.log(`  ${chalk_1.default.white("Local:")}     ${chalk_1.default.gray(`${options.host}:${port}`)}`);
         console.log(`  ${chalk_1.default.white("Public:")}    ${chalk_1.default.green(publicUrl)}`);
@@ -335,7 +332,7 @@ program
             subdomain,
             serverUrl,
             token: options.token,
-            insecure: true,
+            insecure: true
         });
     }
     catch (error) {
@@ -365,7 +362,7 @@ program
             localPort: parseInt(port),
             remotePort: options.remotePort ? parseInt(options.remotePort) : undefined,
             authtoken: options.token,
-            region: options.region,
+            region: options.region
         });
         return;
     }
@@ -379,7 +376,7 @@ program
             remotePort: options.remotePort ? parseInt(options.remotePort) : undefined,
             serverUrl,
             token: options.token,
-            insecure: options.insecure,
+            insecure: options.insecure
         });
         return;
     }
@@ -402,7 +399,7 @@ program
         domain,
         basePath: "op",
         tunnelPortRange: { min: 10000, max: 20000 },
-        selfSignedHttps: { enabled: true },
+        selfSignedHttps: { enabled: true }
     });
     try {
         await server.start();
@@ -417,7 +414,7 @@ program
             remotePort: options.remotePort ? parseInt(options.remotePort) : undefined,
             serverUrl,
             token: options.token,
-            insecure: true,
+            insecure: true
         });
     }
     catch (error) {
@@ -451,7 +448,7 @@ program
             localHost: "localhost",
             localPort: parseInt(port),
             subdomain: options.subdomain,
-            authtoken: options.token,
+            authtoken: options.token
         });
     }
     else {
@@ -462,7 +459,7 @@ program
             subdomain: options.subdomain,
             serverUrl,
             token: options.token,
-            insecure: options.insecure,
+            insecure: options.insecure
         });
     }
 });
@@ -486,6 +483,9 @@ program
     .option("--production", "Use Let's Encrypt production (default: staging)")
     .option("--cloudflare-token <token>", "Cloudflare API token for DNS-01 challenge")
     .option("--duckdns-token <token>", "DuckDNS token for dynamic DNS updates")
+    .option("--ip-mode <mode>", "IP access mode: all, allowlist, denylist (default: all)")
+    .option("--ip-allow <ips>", "Comma-separated IPs/CIDRs to allow (e.g., 192.168.1.0/24,10.0.0.1)")
+    .option("--ip-deny <ips>", "Comma-separated IPs/CIDRs to deny")
     .option("-d, --detach", "Run server in background (detached mode)")
     .action(async (options) => {
     // Load config from opentunnel.yml if exists (with env variable substitution)
@@ -493,9 +493,8 @@ program
     let fileConfig = {};
     try {
         const parsed = loadConfig(configPath);
-        if (parsed?.server && parsed.server.domain) {
+        if (parsed?.server && parsed.server.domain)
             fileConfig = parsed.server;
-        }
     }
     catch (err) {
         // Ignore parse errors, use CLI options
@@ -518,6 +517,9 @@ program
         production: options.production,
         cloudflareToken: options.cloudflareToken,
         duckdnsToken: options.duckdnsToken,
+        ipMode: options.ipMode || fileConfig.ipAccess?.mode || "all",
+        ipAllow: options.ipAllow || fileConfig.ipAccess?.allowList?.join(","),
+        ipDeny: options.ipDeny || fileConfig.ipAccess?.denyList?.join(","),
         detach: options.detach,
     };
     // Detached mode - run in background
@@ -562,6 +564,12 @@ program
             args.push("--cloudflare-token", mergedOptions.cloudflareToken);
         if (mergedOptions.duckdnsToken)
             args.push("--duckdns-token", mergedOptions.duckdnsToken);
+        if (mergedOptions.ipMode && mergedOptions.ipMode !== "all")
+            args.push("--ip-mode", mergedOptions.ipMode);
+        if (mergedOptions.ipAllow)
+            args.push("--ip-allow", mergedOptions.ipAllow);
+        if (mergedOptions.ipDeny)
+            args.push("--ip-deny", mergedOptions.ipDeny);
         const out = fsAsync.openSync(logFile, "a");
         const err = fsAsync.openSync(logFile, "a");
         const child = spawn(process.execPath, [process.argv[1], ...args], {
@@ -611,6 +619,12 @@ program
             enabled: mergedOptions.https !== false,
         };
     }
+    // Build IP access config
+    const ipAccessConfig = mergedOptions.ipMode !== "all" ? {
+        mode: mergedOptions.ipMode,
+        allowList: mergedOptions.ipAllow ? mergedOptions.ipAllow.split(",").map((ip) => ip.trim()) : undefined,
+        denyList: mergedOptions.ipDeny ? mergedOptions.ipDeny.split(",").map((ip) => ip.trim()) : undefined,
+    } : undefined;
     const server = new TunnelServer({
         port: parseInt(mergedOptions.port),
         publicPort: mergedOptions.publicPort ? parseInt(mergedOptions.publicPort) : undefined,
@@ -624,10 +638,11 @@ program
         auth: mergedOptions.authTokens
             ? { required: true, tokens: mergedOptions.authTokens.split(",") }
             : undefined,
+        ipAccess: ipAccessConfig,
         https: httpsConfig,
         selfSignedHttps: selfSignedHttpsConfig,
         autoHttps: autoHttpsConfig,
-        autoDns: detectDnsConfig(mergedOptions),
+        autoDns: detectDnsConfig(mergedOptions)
     });
     // Helper function to auto-detect DNS provider
     function detectDnsConfig(opts) {
@@ -642,7 +657,7 @@ program
                 cloudflareToken: opts.cloudflareToken,
                 createRecords: false,
                 deleteOnClose: false,
-                setupWildcard: true,
+                setupWildcard: true
             };
         }
         if (opts.duckdnsToken || isDuckDnsDomain) {
@@ -652,7 +667,7 @@ program
                 duckdnsToken: opts.duckdnsToken,
                 createRecords: false,
                 deleteOnClose: false,
-                setupWildcard: false,
+                setupWildcard: false
             };
         }
         return undefined;
@@ -700,9 +715,8 @@ program
             fs.unlinkSync(pidFile);
             console.log(chalk_1.default.yellow(`Server was not running (stale PID file removed)`));
         }
-        else {
+        else
             console.log(chalk_1.default.red(`Failed to stop server: ${err.message}`));
-        }
     }
 });
 // Logs command
@@ -732,9 +746,8 @@ program
                 console.log(fs.readFileSync(logFile, "utf-8"));
             });
         }
-        else {
+        else
             spawn("tail", ["-f", "-n", options.lines, logFile], { stdio: "inherit" });
-        }
     }
     else {
         const content = fs.readFileSync(logFile, "utf-8");
@@ -1194,9 +1207,8 @@ program
         .filter(f => f.startsWith(".opentunnel-") && f.endsWith(".pid"));
     // Also include the server PID
     const serverPidFile = ".opentunnel.pid";
-    if (fs.existsSync(path.join(process.cwd(), serverPidFile))) {
+    if (fs.existsSync(path.join(process.cwd(), serverPidFile)))
         pidFiles.push(serverPidFile);
-    }
     if (pidFiles.length === 0) {
         console.log(chalk_1.default.yellow("No tunnels running"));
         return;
@@ -1216,17 +1228,15 @@ program
                 fs.unlinkSync(pidPath);
                 console.log(chalk_1.default.yellow(`  - ${name} was not running (cleaned up)`));
             }
-            else {
+            else
                 console.log(chalk_1.default.red(`  ✗ Failed to stop ${name}: ${err.message}`));
-            }
         }
     }
     // Clean up log files
     const logFiles = fs.readdirSync(process.cwd())
         .filter(f => f.startsWith("opentunnel") && f.endsWith(".log"));
-    if (logFiles.length > 0) {
+    if (logFiles.length > 0)
         console.log(chalk_1.default.gray(`\nLog files preserved: ${logFiles.join(", ")}`));
-    }
     console.log(chalk_1.default.green("\nAll tunnels stopped"));
 });
 // PS command - list running tunnel processes
@@ -1236,8 +1246,7 @@ program
     .action(async () => {
     const fs = await Promise.resolve().then(() => __importStar(require("fs")));
     const path = await Promise.resolve().then(() => __importStar(require("path")));
-    const pidFiles = fs.readdirSync(process.cwd())
-        .filter(f => f.startsWith(".opentunnel") && f.endsWith(".pid"));
+    const pidFiles = fs.readdirSync(process.cwd()).filter(f => f.startsWith(".opentunnel") && f.endsWith(".pid"));
     if (pidFiles.length === 0) {
         console.log(chalk_1.default.yellow("No tunnels running"));
         console.log(chalk_1.default.gray("Start tunnels with: opentunnel up -d"));
@@ -1327,13 +1336,13 @@ program
                     method,
                     url,
                     headers: req.headers,
-                    body: body || undefined,
+                    body: body || undefined
                 },
                 server: {
                     port,
                     timestamp,
-                    uptime: process.uptime(),
-                },
+                    uptime: process.uptime()
+                }
             };
             res.writeHead(200, {
                 "Content-Type": "application/json",
@@ -1377,10 +1386,8 @@ program
         const specific = `.test-server-${options.port}.pid`;
         pidFiles = fs.existsSync(path.join(process.cwd(), specific)) ? [specific] : [];
     }
-    else {
-        pidFiles = fs.readdirSync(process.cwd())
-            .filter(f => f.startsWith(".test-server-") && f.endsWith(".pid"));
-    }
+    else
+        pidFiles = fs.readdirSync(process.cwd()).filter(f => f.startsWith(".test-server-") && f.endsWith(".pid"));
     if (pidFiles.length === 0) {
         console.log(chalk_1.default.yellow("No test servers running"));
         return;
@@ -1443,6 +1450,7 @@ async function runTunnelInBackgroundFromConfig(name, protocol, port, options) {
     fs.writeFileSync(pidFile, String(child.pid));
     console.log(chalk_1.default.green(`  ✓ ${name}: started (PID: ${child.pid})`));
 }
+;
 async function startTunnelsFromConfig(tunnels, serverUrl, token, insecure) {
     const spinner = (0, ora_1.default)("Connecting to server...").start();
     const client = new TunnelClient_1.TunnelClient({
@@ -1517,6 +1525,7 @@ async function startTunnelsFromConfig(tunnels, serverUrl, token, insecure) {
         process.exit(1);
     }
 }
+;
 async function runTunnelInBackground(command, port, options) {
     const { spawn } = await Promise.resolve().then(() => __importStar(require("child_process")));
     const fs = await Promise.resolve().then(() => __importStar(require("fs")));
@@ -1594,6 +1603,7 @@ async function runTunnelInBackground(command, port, options) {
     console.log(chalk_1.default.gray(`Stop with:  kill ${child.pid}`));
     console.log(chalk_1.default.gray(`Check:      tail -f ${logFile}`));
 }
+;
 async function createTunnel(options) {
     const spinner = (0, ora_1.default)("Connecting to server...").start();
     const client = new TunnelClient_1.TunnelClient({
@@ -1653,6 +1663,7 @@ async function createTunnel(options) {
         process.exit(1);
     }
 }
+;
 async function createNgrokTunnel(options) {
     const spinner = (0, ora_1.default)("Starting ngrok...").start();
     const client = new NgrokClient_1.NgrokClient({
@@ -1703,6 +1714,7 @@ async function createNgrokTunnel(options) {
         process.exit(1);
     }
 }
+;
 function printTunnelInfo(info) {
     console.log("");
     console.log(chalk_1.default.cyan(`  OpenTunnel ${chalk_1.default.gray(`(via ${info.provider})`)}`));
@@ -1716,5 +1728,6 @@ function printTunnelInfo(info) {
     console.log(chalk_1.default.gray("  Press Ctrl+C to close the tunnel"));
     console.log("");
 }
+;
 program.parse();
 //# sourceMappingURL=index.js.map