Merge branch 'master' of ssh://git.daplie.com/Daplie/goldilocks.js

2017-11-07 20:52:53 +00:00 · 2017-11-07 20:52:53 +00:00 · 35016cd124
commit 35016cd124
parent cec4f1ee95 4b2e6b1600
17 changed files with 637 additions and 422 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
 v1.1.4 - Improved responsiveness to config updates
  * changed which TCP/UDP ports are bound to on config update
  * update tunnel server settings on config update
  * update socks5 setting on config update
 v1.1.3 - Better late than never... here's some stuff we've got
  * fixed (probably) network settings not being readable
  * supports timeouts in loopback check
--- a/lib/admin/config.js
+++ b/lib/admin/config.js
@ -174,6 +174,14 @@ var mdnsSchema = {
  }
 };
 var tunnelSvrSchema = {
  type: 'object'
 , properties: {
    servernames: { type: 'array', items: { type: 'string' }}
  , secret:      { type: 'string' }
  }
 };
 var ddnsSchema = {
  type: 'object'
 , properties: {
@ -223,6 +231,7 @@ var mainSchema = {
  , ddns:   ddnsSchema
  , socks5: socks5Schema
  , device: deviceSchema
  , tunnel_server: tunnelSvrSchema
  }
 , additionalProperties: false
 };
--- a/lib/ddns/index.js
+++ b/lib/ddns/index.js
@ -5,6 +5,7 @@ module.exports.create = function (deps, conf) {
  var network = deps.PromiseA.promisifyAll(deps.recase.camelCopy(require('network')));
  var loopback = require('./loopback').create(deps, conf);
  var dnsCtrl = require('./dns-ctrl').create(deps, conf);
  var tunnelClients = require('./tunnel-client-manager').create(deps, conf);
  var equal = require('deep-equal');
  var loopbackDomain;
@ -44,7 +45,7 @@ module.exports.create = function (deps, conf) {
  async function startTunnel(tunnelSession, mod, domainList) {
    try {
      var dnsSession = await getSession(mod.tokenId);
-      var tunnelDomain = await deps.tunnelClients.start(tunnelSession || dnsSession, domainList);
+      var tunnelDomain = await tunnelClients.start(tunnelSession || dnsSession, domainList);
      var addrList;
      try {
@ -82,12 +83,12 @@ module.exports.create = function (deps, conf) {
    tunnelActive = true;
  }
  async function disconnectTunnels() {
-    deps.tunnelClients.disconnect();
+    tunnelClients.disconnect();
    tunnelActive = false;
    await Promise.resolve();
  }
  async function checkTunnelTokens() {
-    var oldTokens = deps.tunnelClients.current();
+    var oldTokens = tunnelClients.current();
    var newTokens = await iterateAllModules(function checkTokens(mod, domainList) {
      if (mod.type !== 'dns@oauth3.org') { return null; }
@ -103,7 +104,7 @@ module.exports.create = function (deps, conf) {
      }
    });
-    await Promise.all(Object.values(oldTokens).map(deps.tunnelClients.remove));
+    await Promise.all(Object.values(oldTokens).map(tunnelClients.remove));
    if (!newTokens.length) { return; }
--- a/lib/ddns/tunnel-client-manager.js
+++ b/lib/ddns/tunnel-client-manager.js
@ -6,6 +6,52 @@ module.exports.create = function (deps, config) {
  var activeTunnels = {};
  var activeDomains = {};
  var customNet = {
    createConnection: function (opts, cb) {
      console.log('[gl.tunnel] creating connection');
      // here "reader" means the socket that looks like the connection being accepted
      // here "writer" means the remote-looking part of the socket that driving the connection
      var writer;
      function usePair(err, reader) {
        if (err) {
          process.nextTick(function () {
            writer.emit('error', err);
          });
          return;
        }
        var wrapOpts = Object.assign({localAddress: '127.0.0.2', localPort: 'tunnel-0'}, opts);
        wrapOpts.firstChunk = opts.data;
        wrapOpts.hyperPeek = !!opts.data;
        // Also override the remote and local address info. We use `defineProperty` because
        // otherwise we run into problems of setting properties with only getters defined.
        Object.defineProperty(reader, 'remoteAddress', { value: wrapOpts.remoteAddress });
        Object.defineProperty(reader, 'remotePort',    { value: wrapOpts.remotePort });
        Object.defineProperty(reader, 'remoteFamiliy', { value: wrapOpts.remoteFamiliy });
        Object.defineProperty(reader, 'localAddress',  { value: wrapOpts.localAddress });
        Object.defineProperty(reader, 'localPort',     { value: wrapOpts.localPort });
        Object.defineProperty(reader, 'localFamiliy',  { value: wrapOpts.localFamiliy });
        deps.tcp.handler(reader, wrapOpts);
        process.nextTick(function () {
          // this cb will cause the stream to emit its (actually) first data event
          // (even though it already gave a peek into that first data chunk)
          console.log('[tunnel] callback, data should begin to flow');
          cb();
        });
      }
      // We used to use `stream-pair` for non-tls connections, but there are places
      // that require properties/functions to be present on the socket that aren't
      // present on a JSStream so it caused problems.
      writer = require('socket-pair').create(usePair);
      return writer;
    }
  };
  function fillData(data) {
    if (typeof data === 'string') {
      data = { jwt: data };
@ -70,7 +116,7 @@ module.exports.create = function (deps, config) {
      // get the promise that should tell us more about if it worked or not.
      activeTunnels[data.tunnelUrl] = stunnel.connect({
        stunneld: data.tunnelUrl
-      , net: deps.tunnel.net
+      , net: customNet
        // NOTE: the ports here aren't that important since we are providing a custom
        // `net.createConnection` that doesn't actually use the port. What is important
        // is that any services we are interested in are listed in this object and have
--- a/lib/goldilocks.js
+++ b/lib/goldilocks.js
@ -1,303 +0,0 @@
 'use strict';
 module.exports.create = function (deps, config) {
  console.log('config', config);
  //var PromiseA = global.Promise;
  var PromiseA = require('bluebird');
  var listeners = require('./servers').listeners;
  var domainUtils = require('./domain-utils');
  var modules;
  var addrProperties = [
    'remoteAddress'
  , 'remotePort'
  , 'remoteFamily'
  , 'localAddress'
  , 'localPort'
  , 'localFamily'
  ];
  function nameMatchesDomains(name, domainList) {
    return domainList.some(function (pattern) {
      return domainUtils.match(pattern, name);
    });
  }
  function loadModules() {
    modules = {};
    modules.tls  = require('./modules/tls').create(deps, config, tcpHandler);
    modules.http = require('./modules/http').create(deps, config, modules.tls.middleware);
  }
  function checkTcpProxy(conn, opts) {
    var proxied = false;
    // TCP Proxying (ie forwarding based on domain name not incoming port) only works for
    // TLS wrapped connections, so if the opts don't give us a servername or don't tell us
    // this is the decrypted side of a TLS connection we can't handle it here.
    if (!opts.servername || !opts.encrypted) { return proxied; }
    function proxy(mod) {
      // First thing we need to add to the connection options is where to proxy the connection to
      var newConnOpts = domainUtils.separatePort(mod.address || '');
      newConnOpts.port = newConnOpts.port || mod.port;
      newConnOpts.host = newConnOpts.host || mod.host || 'localhost';
      // Then we add all of the connection address information. We need to prefix all of the
      // properties with '_' so we can provide the information to any connection `createConnection`
      // implementation but not have the default implementation try to bind the same local port.
      addrProperties.forEach(function (name) {
        newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
      });
      deps.proxy(conn, newConnOpts);
      return true;
    }
    proxied = config.domains.some(function (dom) {
      if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; }
      if (!nameMatchesDomains(opts.servername, dom.names)) { return false; }
      return dom.modules.tcp.some(function (mod) {
        if (mod.type !== 'proxy') { return false; }
        return proxy(mod);
      });
    });
    proxied = proxied || config.tcp.modules.some(function (mod) {
      if (mod.type !== 'proxy') { return false; }
      if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; }
      return proxy(mod);
    });
    return proxied;
  }
  // opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
  function peek(conn, firstChunk, opts) {
    if (!modules) {
      loadModules();
    }
    opts.firstChunk = firstChunk;
    conn.__opts = opts;
    // TODO port/service-based routing can do here
    // TLS byte 1 is handshake and byte 6 is client hello
    if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
      modules.tls.emit('connection', conn);
      return;
    }
    // This doesn't work with TLS, but now that we know this isn't a TLS connection we can
    // unshift the first chunk back onto the connection for future use. The unshift should
    // happen after any listeners are attached to it but before any new data comes in.
    if (!opts.hyperPeek) {
      process.nextTick(function () {
        conn.unshift(firstChunk);
      });
    }
    // Connection is not TLS, check for HTTP next.
    if (firstChunk[0] > 32 && firstChunk[0] < 127) {
      var firstStr = firstChunk.toString();
      if (/HTTP\//i.test(firstStr)) {
        modules.http.emit('connection', conn);
        return;
      }
    }
    console.warn('failed to identify protocol from first chunk', firstChunk);
    conn.destroy();
  }
  function tcpHandler(conn, opts) {
    function getProp(name) {
      return opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
    }
    opts = opts || {};
    var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' +
                  getProp('localAddress')  + ':' + getProp('localPort');
    console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false));
    var start = Date.now();
    conn.on('timeout', function () {
      console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000);
    });
    conn.on('end', function () {
      console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000);
    });
    conn.on('close', function () {
      console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000);
    });
    if (checkTcpProxy(conn, opts)) { return; }
    // XXX PEEK COMMENT XXX
    // TODO we can have our cake and eat it too
    // we can skip the need to wrap the TLS connection twice
    // because we've already peeked at the data,
    // but this needs to be handled better before we enable that
    // (because it creates new edge cases)
    if (opts.hyperPeek) {
      console.log('hyperpeek');
      peek(conn, opts.firstChunk, opts);
      return;
    }
    function onError(err) {
      console.error('[error] socket errored peeking -', err);
      conn.destroy();
    }
    conn.once('error', onError);
    conn.once('data', function (chunk) {
      conn.removeListener('error', onError);
      peek(conn, chunk, opts);
    });
  }
  function udpHandler(port, msg) {
    if (!Array.isArray(config.udp.modules)) {
      return;
    }
    var socket = require('dgram').createSocket('udp4');
    config.udp.modules.forEach(function (mod) {
      if (mod.type !== 'forward') {
        console.warn('found bad DNS module', mod);
        return;
      }
      if (mod.ports.indexOf(port) < 0) {
        return;
      }
      var dest = require('./domain-utils').separatePort(mod.address || '');
      dest.port = dest.port || mod.port;
      dest.host = dest.host || mod.host || 'localhost';
      socket.send(msg, dest.port, dest.host);
    });
  }
  function createTcpForwarder(mod) {
    var dest = require('./domain-utils').separatePort(mod.address || '');
    dest.port = dest.port || mod.port;
    dest.host = dest.host || mod.host || 'localhost';
    return function (conn) {
      var newConnOpts = {};
      addrProperties.forEach(function (name) {
        newConnOpts['_'+name] = conn[name];
      });
      deps.proxy(conn, Object.assign(newConnOpts, dest));
    };
  }
  deps.tunnel = deps.tunnel || {};
  deps.tunnel.net = {
    createConnection: function (opts, cb) {
      console.log('[gl.tunnel] creating connection');
      // here "reader" means the socket that looks like the connection being accepted
      // here "writer" means the remote-looking part of the socket that driving the connection
      var writer;
      var wrapOpts = {};
      function usePair(err, reader) {
        if (err) {
          process.nextTick(function () {
            writer.emit('error', err);
          });
          return;
        }
        // this has the normal net/tcp stuff plus our custom stuff
        // opts = { address, port,
        //          hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily }
        Object.keys(opts).forEach(function (key) {
          wrapOpts[key] = opts[key];
          try {
            reader[key] = opts[key];
          } catch(e) {
            // can't set real socket getters, like remoteAddr
          }
        });
        // A few more extra specialty options
        wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address
        wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0';
        try {
          reader._remoteAddress = wrapOpts.remoteAddress;
          reader._remotePort = wrapOpts.remotePort;
          reader._remoteFamily = wrapOpts.remoteFamily;
          reader._localAddress = wrapOpts.localAddress;
          reader._localPort = wrapOpts.localPort;
          reader._localFamily = wrapOpts.localFamily;
        } catch(e) {
        }
        tcpHandler(reader, wrapOpts);
        process.nextTick(function () {
          // this cb will cause the stream to emit its (actually) first data event
          // (even though it already gave a peek into that first data chunk)
          console.log('[tunnel] callback, data should begin to flow');
          cb();
        });
      }
      wrapOpts.firstChunk = opts.data;
      wrapOpts.hyperPeek = !!opts.data;
      // We used to use `stream-pair` for non-tls connections, but there are places
      // that require properties/functions to be present on the socket that aren't
      // present on a JSStream so it caused problems.
      writer = require('socket-pair').create(usePair);
      return writer;
    }
  };
  deps.tunnelClients = require('./tunnel-client-manager').create(deps, config);
  deps.tunnelServer = require('./tunnel-server-manager').create(deps, config);
  var listenPromises = [];
  var tcpPortMap = {};
  config.tcp.bind.filter(Number).forEach(function (port) {
    tcpPortMap[port] = true;
  });
  (config.tcp.modules || []).forEach(function (mod) {
    if (mod.type === 'forward') {
      var forwarder = createTcpForwarder(mod);
      mod.ports.forEach(function (port) {
        if (!tcpPortMap[port]) {
          console.log("forwarding port", port, "that wasn't specified in bind");
        } else {
          delete tcpPortMap[port];
        }
        listenPromises.push(listeners.tcp.add(port, forwarder));
      });
    }
    else if (mod.type !== 'proxy') {
      console.warn('unknown TCP module specified', mod);
    }
  });
  var portList = Object.keys(tcpPortMap).map(Number).sort();
  portList.forEach(function (port) {
    listenPromises.push(listeners.tcp.add(port, tcpHandler));
  });
  if (config.udp.bind) {
    config.udp.bind.forEach(function (port) {
      listenPromises.push(listeners.udp.add(port, udpHandler.bind(port)));
    });
  }
  if (!config.mdns.disabled) {
    require('./mdns').start(deps, config, portList[0]);
  }
  return PromiseA.all(listenPromises);
 };
--- a/lib/mdns.js
+++ b/lib/mdns.js
@ -2,6 +2,7 @@
 var PromiseA = require('bluebird');
 var queryName = '_cloud._tcp.local';
 var dnsSuite = require('dns-suite');
 function createResponse(name, ownerIds, packet, ttl, mainPort) {
  var rpacket = {
@ -85,20 +86,19 @@ function createResponse(name, ownerIds, packet, ttl, mainPort) {
    });
  });
-  return require('dns-suite').DNSPacket.write(rpacket);
+  return dnsSuite.DNSPacket.write(rpacket);
 }
-module.exports.start = function (deps, config, mainPort) {
+module.exports.create = function (deps, config) {
-  var socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true });
+  var socket;
  var dns = require('dns-suite');
  var nextBroadcast = -1;
-  socket.on('message', function (message, rinfo) {
+  function handlePacket(message, rinfo) {
    // console.log('Received %d bytes from %s:%d', message.length, rinfo.address, rinfo.port);
    var packet;
    try {
-      packet = dns.DNSPacket.parse(message);
+      packet = dnsSuite.DNSPacket.parse(message);
    }
    catch (er) {
      // `dns-suite` actually errors on a lot of the packets floating around in our network,
@ -108,16 +108,12 @@ module.exports.start = function (deps, config, mainPort) {
    }
    // Only respond to queries.
-    if (packet.header.qr !== 0) {
+    if (packet.header.qr !== 0) {  return; }
      return;
    }
    // Only respond if they were asking for cloud devices.
-    if (packet.question.length !== 1 || packet.question[0].name !== queryName) {
+    if (packet.question.length !== 1)           { return; }
-      return;
+    if (packet.question[0].name !== queryName)  { return; }
-    }
+    if (packet.question[0].typeName !== 'PTR')  { return; }
-    if (packet.question[0].typeName !== 'PTR' || packet.question[0].className !== 'IN' ) {
+    if (packet.question[0].className !== 'IN' ) { return; }
      return;
    }
    var proms = [
      deps.storage.mdnsId.get()
@ -131,7 +127,7 @@ module.exports.start = function (deps, config, mainPort) {
    ];
    PromiseA.all(proms).then(function (results) {
-      var resp = createResponse(results[0], results[1], packet, config.mdns.ttl, mainPort);
+      var resp = createResponse(results[0], results[1], packet, config.mdns.ttl, deps.tcp.mainPort);
      var now = Date.now();
      if (now > nextBroadcast) {
        socket.send(resp, config.mdns.port, config.mdns.broadcast);
@ -140,7 +136,14 @@ module.exports.start = function (deps, config, mainPort) {
        socket.send(resp, rinfo.port, rinfo.address);
      }
    });
-  });
+  }
  function start() {
    socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true });
    socket.on('message', handlePacket);
    return new Promise(function (resolve, reject) {
      socket.once('error', reject);
      socket.bind(config.mdns.port, function () {
        var addr = this.address();
@ -153,5 +156,48 @@ module.exports.start = function (deps, config, mainPort) {
        // much more difficult for someone to use us as part of a DDoS attack by
        // spoofing the UDP address a request came from.
        socket.setTTL(1);
        socket.removeListener('error', reject);
        resolve();
      });
    });
  }
  function stop() {
    return new Promise(function (resolve, reject) {
      socket.once('error', reject);
      socket.close(function () {
        socket.removeListener('error', reject);
        socket = null;
        resolve();
      });
    });
  }
  function updateConf() {
    var promise;
    if (config.mdns.disabled) {
      if (socket) {
        promise = stop();
      }
    } else {
      if (!socket) {
        promise = start();
      } else if (socket.address().port !== config.mdns.port) {
        promise = stop().then(start);
      } else {
        // Can't check membership, so just add the current broadcast address to make sure
        // it's set. If it's already set it will throw an exception (at least on linux).
        try {
          socket.addMembership(config.mdns.broadcast);
        } catch (e) {}
        promise = Promise.resolve();
      }
    }
  }
  updateConf();
  return {
    updateConf
  };
 };
--- a/lib/servers.js
+++ b/lib/servers.js
@ -10,20 +10,16 @@ module.exports.addTcpListener = function (port, handler) {
    if (stat) {
      if (stat._closing) {
-        module.exports.destroyTcpListener(port);
+        stat.server.destroy();
-      }
+      } else {
-      else if (handler !== stat.handler) {
+        // We're already listening on the port, so we only have 2 options. We can either
-
+        // replace the handler or reject with an error. (Though neither is really needed
-        // we'll replace the current listener
+        // if the handlers are the same). Until there is reason to do otherwise we are
        // opting for the replacement.
        stat.handler = handler;
        resolve();
        return;
      }
      else {
        // this exact listener is already open
        resolve();
        return;
      }
    }
    var enableDestroy = require('server-destroy');
@ -34,7 +30,7 @@ module.exports.addTcpListener = function (port, handler) {
    stat = serversMap[port] = {
      server: server
    , handler: handler
-    , _closing: null
+    , _closing: false
    };
    // Add .destroy so we can close all open connections. Better if added before listen
@ -66,14 +62,24 @@ module.exports.addTcpListener = function (port, handler) {
    });
  });
 };
-module.exports.closeTcpListener = function (port) {
+module.exports.closeTcpListener = function (port, timeout) {
  return new PromiseA(function (resolve) {
    var stat = serversMap[port];
    if (!stat) {
      resolve();
      return;
    }
-    stat.server.once('close', resolve);
+    stat._closing = true;
    var timeoutId;
    if (timeout) {
      timeoutId = setTimeout(() => stat.server.destroy(), timeout);
    }
    stat.server.once('close', function () {
      clearTimeout(timeoutId);
      resolve();
    });
    stat.server.close();
  });
 };
@ -84,7 +90,9 @@ module.exports.destroyTcpListener = function (port) {
  }
 };
 module.exports.listTcpListeners = function () {
-  return Object.keys(serversMap).map(Number).filter(Boolean);
+  return Object.keys(serversMap).map(Number).filter(function (port) {
    return port && !serversMap[port]._closing;
  });
 };
--- a/lib/socks5-server.js
+++ b/lib/socks5-server.js
@ -63,15 +63,29 @@ module.exports.create = function (deps, config) {
    });
  }
-  if (config.socks5 && config.socks5.enabled) {
+  var configEnabled = false;
  function updateConf() {
    var wanted = config.socks5 && config.socks5.enabled;
    if (configEnabled && !wanted) {
      stop().catch(function (err) {
        console.error('failed to stop socks5 proxy on config change', err);
      });
      configEnabled = false;
    }
    if (wanted && !configEnabled) {
      start(config.socks5.port).catch(function (err) {
        console.error('failed to start Socks5 proxy', err);
      });
      configEnabled = true;
    }
  }
  process.nextTick(updateConf);
  return {
-    curState: curState
+    curState
-  , start: start
+  , start
-  , stop: stop
+  , stop
  , updateConf
  };
 };
--- a/lib/modules/http.js
+++ b/lib/modules/http.js
@ -1,6 +1,6 @@
 'use strict';
-module.exports.create = function (deps, conf, greenlockMiddleware) {
+module.exports.create = function (deps, conf, tcpMods) {
  var PromiseA = require('bluebird');
  var statAsync = PromiseA.promisify(require('fs').stat);
  var domainMatches = require('../domain-utils').match;
@ -162,8 +162,8 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
      return false;
    }
-    if (deps.tunnelServer.isClientDomain(separatePort(headers.host).host)) {
+    if (deps.stunneld.isClientDomain(separatePort(headers.host).host)) {
-      deps.tunnelServer.handleClientConn(conn);
+      deps.stunneld.handleClientConn(conn);
      process.nextTick(function () {
        conn.unshift(opts.firstChunk);
        conn.resume();
@ -172,7 +172,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
    }
    if (!acmeServer) {
-      acmeServer = require('http').createServer(greenlockMiddleware);
+      acmeServer = require('http').createServer(tcpMods.tls.middleware);
    }
    return emitConnection(acmeServer, conn, opts);
  }
@ -214,8 +214,8 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
      return emitConnection(adminServer, conn, opts);
    }
-    if (deps.tunnelServer.isAdminDomain(host)) {
+    if (deps.stunneld.isAdminDomain(host)) {
-      deps.tunnelServer.handleAdminConn(conn);
+      deps.stunneld.handleAdminConn(conn);
      process.nextTick(function () {
        conn.unshift(opts.firstChunk);
        conn.resume();
@ -241,7 +241,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
      res.statusCode = 502;
      res.setHeader('Connection', 'close');
      res.setHeader('Content-Type', 'text/html');
-      res.end(require('../proxy-conn').getRespBody(err, conf.debug));
+      res.end(tcpMods.proxy.getRespBody(err, conf.debug));
    });
    proxyServer = http.createServer(function (req, res) {
@ -292,7 +292,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
    newConnOpts.remoteAddress = opts.address || conn.remoteAddress;
    newConnOpts.remotePort    = opts.port    || conn.remotePort;
-    deps.proxy(conn, newConnOpts, opts.firstChunk);
+    tcpMods.proxy(conn, newConnOpts, opts.firstChunk);
  }
  function checkProxy(mod, conn, opts, headers) {
--- a/lib/tcp/index.js
+++ b/lib/tcp/index.js
@ -0,0 +1,240 @@
 'use strict';
 module.exports.create = function (deps, config) {
  console.log('config', config);
  var listeners = require('../servers').listeners.tcp;
  var domainUtils = require('../domain-utils');
  var modules;
  var addrProperties = [
    'remoteAddress'
  , 'remotePort'
  , 'remoteFamily'
  , 'localAddress'
  , 'localPort'
  , 'localFamily'
  ];
  function nameMatchesDomains(name, domainList) {
    return domainList.some(function (pattern) {
      return domainUtils.match(pattern, name);
    });
  }
  function proxy(mod, conn, opts) {
    // First thing we need to add to the connection options is where to proxy the connection to
    var newConnOpts = domainUtils.separatePort(mod.address || '');
    newConnOpts.port = newConnOpts.port || mod.port;
    newConnOpts.host = newConnOpts.host || mod.host || 'localhost';
    // Then we add all of the connection address information. We need to prefix all of the
    // properties with '_' so we can provide the information to any connection `createConnection`
    // implementation but not have the default implementation try to bind the same local port.
    addrProperties.forEach(function (name) {
      newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
    });
    modules.proxy(conn, newConnOpts);
    return true;
  }
  function checkTcpProxy(conn, opts) {
    var proxied = false;
    // TCP Proxying (ie routing based on domain name [vs local port]) only works for
    // TLS wrapped connections, so if the opts don't give us a servername or don't tell us
    // this is the decrypted side of a TLS connection we can't handle it here.
    if (!opts.servername || !opts.encrypted) { return proxied; }
    proxied = config.domains.some(function (dom) {
      if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; }
      if (!nameMatchesDomains(opts.servername, dom.names)) { return false; }
      return dom.modules.tcp.some(function (mod) {
        if (mod.type !== 'proxy') { return false; }
        return proxy(mod, conn, opts);
      });
    });
    proxied = proxied || config.tcp.modules.some(function (mod) {
      if (mod.type !== 'proxy') { return false; }
      if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; }
      return proxy(mod, conn, opts);
    });
    return proxied;
  }
  function checkTcpForward(conn, opts) {
    // TCP forwarding (ie routing connections based on local port) requires the local port
    if (!conn.localPort) { return false; }
    return config.tcp.modules.some(function (mod) {
      if (mod.type !== 'forward')                { return false; }
      if (mod.ports.indexOf(conn.localPort) < 0) { return false; }
      return proxy(mod, conn, opts);
    });
  }
  // opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
  function peek(conn, firstChunk, opts) {
    opts.firstChunk = firstChunk;
    conn.__opts = opts;
    // TODO port/service-based routing can do here
    // TLS byte 1 is handshake and byte 6 is client hello
    if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
      modules.tls.emit('connection', conn);
      return;
    }
    // This doesn't work with TLS, but now that we know this isn't a TLS connection we can
    // unshift the first chunk back onto the connection for future use. The unshift should
    // happen after any listeners are attached to it but before any new data comes in.
    if (!opts.hyperPeek) {
      process.nextTick(function () {
        conn.unshift(firstChunk);
      });
    }
    // Connection is not TLS, check for HTTP next.
    if (firstChunk[0] > 32 && firstChunk[0] < 127) {
      var firstStr = firstChunk.toString();
      if (/HTTP\//i.test(firstStr)) {
        modules.http.emit('connection', conn);
        return;
      }
    }
    console.warn('failed to identify protocol from first chunk', firstChunk);
    conn.destroy();
  }
  function tcpHandler(conn, opts) {
    function getProp(name) {
      return opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
    }
    opts = opts || {};
    var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' +
                  getProp('localAddress')  + ':' + getProp('localPort');
    console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false));
    var start = Date.now();
    conn.on('timeout', function () {
      console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000);
    });
    conn.on('end', function () {
      console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000);
    });
    conn.on('close', function () {
      console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000);
    });
    if (checkTcpForward(conn, opts)) { return; }
    if (checkTcpProxy(conn, opts))   { return; }
    // XXX PEEK COMMENT XXX
    // TODO we can have our cake and eat it too
    // we can skip the need to wrap the TLS connection twice
    // because we've already peeked at the data,
    // but this needs to be handled better before we enable that
    // (because it creates new edge cases)
    if (opts.hyperPeek) {
      console.log('hyperpeek');
      peek(conn, opts.firstChunk, opts);
      return;
    }
    function onError(err) {
      console.error('[error] socket errored peeking -', err);
      conn.destroy();
    }
    conn.once('error', onError);
    conn.once('data', function (chunk) {
      conn.removeListener('error', onError);
      peek(conn, chunk, opts);
    });
  }
  modules = {};
  modules.tcpHandler = tcpHandler;
  modules.proxy = require('./proxy-conn').create(deps, config);
  modules.tls   = require('./tls').create(deps, config, modules);
  modules.http  = require('./http').create(deps, config, modules);
  function updateListeners() {
    var current = listeners.list();
    var wanted = config.tcp.bind;
    if (!Array.isArray(wanted)) { wanted = []; }
    wanted = wanted.map(Number).filter((port) => port > 0 && port < 65356);
    var closeProms = current.filter(function (port) {
      return wanted.indexOf(port) < 0;
    }).map(function (port) {
      return listeners.close(port, 1000);
    });
    // We don't really need to filter here since listening on the same port with the
    // same handler function twice is basically a no-op.
    var openProms = wanted.map(function (port) {
      return listeners.add(port, tcpHandler);
    });
    return Promise.all(closeProms.concat(openProms));
  }
  var mainPort;
  function updateConf() {
    updateListeners().catch(function (err) {
      console.error('Error updating TCP listeners to match bind configuration');
      console.error(err);
    });
    var unforwarded = {};
    config.tcp.bind.forEach(function (port) {
      unforwarded[port] = true;
    });
    config.tcp.modules.forEach(function (mod) {
      if (['forward', 'proxy'].indexOf(mod.type) < 0) {
        console.warn('unknown TCP module type specified', JSON.stringify(mod));
      }
      if (mod.type !== 'forward') { return; }
      mod.ports.forEach(function (port) {
        if (!unforwarded[port]) {
          console.warn('trying to forward TCP port ' + port + ' multiple times or it is unbound');
        } else {
          delete unforwarded[port];
        }
      });
    });
    // Not really sure what we can reasonably do to prevent this. At least not without making
    // our configuration validation more complicated.
    if (!Object.keys(unforwarded).length) {
      console.warn('no bound TCP ports are not being forwarded, admin interface will be inaccessible');
    }
    // If we are listening on port 443 make that the main port we respond to mDNS queries with
    // otherwise choose the lowest number port we are bound to but not forwarding.
    if (unforwarded['443']) {
      mainPort = 443;
    } else {
      mainPort = Object.keys(unforwarded).map(Number).sort((a, b) => a - b)[0];
    }
  }
  updateConf();
  var result =  {
    updateConf
  , handler: tcpHandler
  };
  Object.defineProperty(result, 'mainPort', {enumerable: true, get: () => mainPort});
  return result;
 };
--- a/lib/tcp/proxy-conn.js
+++ b/lib/tcp/proxy-conn.js
@ -32,7 +32,7 @@ module.exports.getRespBody = getRespBody;
 module.exports.sendBadGateway = sendBadGateway;
 module.exports.create = function (deps, config) {
-  return function proxy(conn, newConnOpts, firstChunk, decrypt) {
+  function proxy(conn, newConnOpts, firstChunk, decrypt) {
    var connected = false;
    newConnOpts.allowHalfOpen = true;
    var newConn = deps.net.createConnection(newConnOpts, function () {
@ -73,5 +73,9 @@ module.exports.create = function (deps, config) {
    newConn.on('close', function () {
      conn.destroy();
    });
-  };
+  }
  proxy.getRespBody = getRespBody;
  proxy.sendBadGateway = sendBadGateway;
  return proxy;
 };
--- a/lib/modules/tls.js
+++ b/lib/modules/tls.js
@ -1,6 +1,6 @@
 'use strict';
-module.exports.create = function (deps, config, netHandler) {
+module.exports.create = function (deps, config, tcpMods) {
  var path = require('path');
  var tls = require('tls');
  var parseSni = require('sni');
@ -208,7 +208,7 @@ module.exports.create = function (deps, config, netHandler) {
  var terminateServer = tls.createServer(terminatorOpts, function (socket) {
    console.log('(post-terminated) tls connection, addr:', extractSocketProp(socket, 'remoteAddress'));
-    netHandler(socket, {
+    tcpMods.tcpHandler(socket, {
      servername: socket.servername
    , encrypted: true
      // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
@ -232,7 +232,7 @@ module.exports.create = function (deps, config, netHandler) {
    newConnOpts.remoteAddress = opts.address || extractSocketProp(socket, 'remoteAddress');
    newConnOpts.remotePort    = opts.port    || extractSocketProp(socket, 'remotePort');
-    deps.proxy(socket, newConnOpts, opts.firstChunk, function () {
+    tcpMods.proxy(socket, newConnOpts, opts.firstChunk, function () {
      // This function is called in the event of a connection error and should decrypt
      // the socket so the proxy module can send a 502 HTTP response.
      var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true});
@ -291,8 +291,8 @@ module.exports.create = function (deps, config, netHandler) {
      return;
    }
-    if (deps.tunnelServer.isClientDomain(opts.servername)) {
+    if (deps.stunneld.isClientDomain(opts.servername)) {
-      deps.tunnelServer.handleClientConn(socket);
+      deps.stunneld.handleClientConn(socket);
      if (!opts.hyperPeek) {
        process.nextTick(function () {
          socket.unshift(opts.firstChunk);
--- a/lib/tunnel-server-manager.js
+++ b/lib/tunnel-server-manager.js
@ -1,26 +1,10 @@
 'use strict';
-module.exports.create = function (deps, config) {
+function httpsTunnel(servername, conn) {
  if (!config.tunnelServer || !Array.isArray(config.tunnelServer.servernames) || !config.tunnelServer.secret) {
    return {
      isAdminDomain:  function () { return false; }
    , isClientDomain: function () { return false; }
    };
  }
  var tunnelOpts = Object.assign({}, config.tunnelServer);
  // This function should not be called because connections to the admin domains
  // should already be decrypted, and connections to non-client domains should never
  // be given to us in the first place.
  tunnelOpts.httpsTunnel = function (servername, conn) {
  console.error('tunnel server received encrypted connection to', servername);
  conn.end();
-  };
+}
-  tunnelOpts.httpsInvalid = tunnelOpts.httpsTunnel;
+function handleHttp(servername, conn) {
  // This function should not be called because ACME challenges should be handled
  // before admin domain connections are given to us, and the only non-encrypted
  // client connections that should be given to us are ACME challenges.
  tunnelOpts.handleHttp = function (servername, conn) {
  console.error('tunnel server received un-encrypted connection to', servername);
  conn.end([
    'HTTP/1.1 404 Not Found'
@ -31,31 +15,117 @@ module.exports.create = function (deps, config) {
  , ''
  , 'Not Found'
  ].join('\r\n'));
-  };
+}
-  tunnelOpts.handleInsecureHttp = tunnelOpts.handleHttp;
+function rejectNonWebsocket(req, res) {
  var tunnelServer = require('stunneld').create(tunnelOpts);
  var httpServer = require('http').createServer(function (req, res) {
  // status code 426 = Upgrade Required
  res.statusCode = 426;
  res.setHeader('Content-Type', 'application/json');
-    res.end(JSON.stringify({error: {
+  res.send({error: { message: 'Only websockets accepted for tunnel server' }});
-      message: 'Only websockets accepted for tunnel server'
+}
-    }}));
+
-  });
+var defaultConfig = {
-  var wsServer = new (require('ws').Server)({ server: httpServer });
+  servernames: []
-  wsServer.on('connection', tunnelServer.ws);
+, secret: null
 };
 var tunnelFuncs = {
  // These functions should not be called because connections to the admin domains
  // should already be decrypted, and connections to non-client domains should never
  // be given to us in the first place.
  httpsTunnel:  httpsTunnel
 , httpsInvalid: httpsTunnel
  // These function should not be called because ACME challenges should be handled
  // before admin domain connections are given to us, and the only non-encrypted
  // client connections that should be given to us are ACME challenges.
 , handleHttp:         handleHttp
 , handleInsecureHttp: handleHttp
 };
 module.exports.create = function (deps, config) {
  var equal = require('deep-equal');
  var enableDestroy = require('server-destroy');
  var currentOpts = Object.assign({}, defaultConfig);
  var httpServer, wsServer, stunneld;
  function start() {
    if (httpServer || wsServer || stunneld) {
      throw new Error('trying to start already started tunnel server');
    }
    httpServer = require('http').createServer(rejectNonWebsocket);
    enableDestroy(httpServer);
    wsServer = new (require('ws').Server)({ server: httpServer });
    var tunnelOpts = Object.assign({}, tunnelFuncs, currentOpts);
    stunneld = require('stunneld').create(tunnelOpts);
    wsServer.on('connection', stunneld.ws);
  }
  function stop() {
    if (!httpServer || !wsServer || !stunneld) {
      throw new Error('trying to stop unstarted tunnel server (or it got into semi-initialized state');
    }
    wsServer.close();
    wsServer = null;
    httpServer.destroy();
    httpServer = null;
    // Nothing to close here, just need to set it to null to allow it to be garbage-collected.
    stunneld = null;
  }
  function updateConf() {
    var newOpts = Object.assign({}, defaultConfig, config.tunnelServer);
    if (!Array.isArray(newOpts.servernames)) {
      newOpts.servernames = [];
    }
    var trimmedOpts = {
      servernames: newOpts.servernames.slice().sort()
    , secret:      newOpts.secret
    };
    if (equal(trimmedOpts, currentOpts)) {
      return;
    }
    currentOpts = trimmedOpts;
    // Stop what's currently running, then if we are still supposed to be running then we
    // can start it again with the updated options. It might be possible to make use of
    // the existing http and ws servers when the config changes, but I'm not sure what
    // state the actions needed to close all existing connections would put them in.
    if (httpServer || wsServer || stunneld) {
      stop();
    }
    if (currentOpts.servernames.length && currentOpts.secret) {
      start();
    }
  }
  process.nextTick(updateConf);
  return {
    isAdminDomain: function (domain) {
-      return config.tunnelServer.servernames.indexOf(domain) !== -1;
+      return currentOpts.servernames.indexOf(domain) !== -1;
    }
  , handleAdminConn: function (conn) {
-      httpServer.emit('connection', conn);
+      if (!httpServer) {
        console.error(new Error('handleAdminConn called with no active tunnel server'));
        conn.end();
      } else {
        return httpServer.emit('connection', conn);
      }
    }
-  , isClientDomain: tunnelServer.isClientDomain
+  , isClientDomain: function (domain) {
-  , handleClientConn: tunnelServer.tcp
+      if (!stunneld) { return false; }
      return stunneld.isClientDomain(domain);
    }
  , handleClientConn: function (conn) {
      if (!stunneld) {
        console.error(new Error('handleClientConn called with no active tunnel server'));
        conn.end();
      } else {
        return stunneld.tcp(conn);
      }
    }
  , updateConf
  };
 };
--- a/lib/udp.js
+++ b/lib/udp.js
@ -0,0 +1,57 @@
 'use strict';
 module.exports.create = function (deps, config) {
  var listeners = require('./servers').listeners.udp;
  function packetHandler(port, msg) {
    if (!Array.isArray(config.udp.modules)) {
      return;
    }
    var socket = require('dgram').createSocket('udp4');
    config.udp.modules.forEach(function (mod) {
      if (mod.type !== 'forward') {
        // To avoid logging bad modules every time we get a UDP packet we assign a warned
        // property to the module (non-enumerable so it won't be saved to the config or
        // show up in the API).
        if (!mod.warned) {
          console.warn('found bad DNS module', mod);
          Object.defineProperty(mod, 'warned', {value: true, enumerable: false});
        }
        return;
      }
      if (mod.ports.indexOf(port) < 0) {
        return;
      }
      var dest = require('./domain-utils').separatePort(mod.address || '');
      dest.port = dest.port || mod.port;
      dest.host = dest.host || mod.host || 'localhost';
      socket.send(msg, dest.port, dest.host);
    });
  }
  function updateListeners() {
    var current = listeners.list();
    var wanted = config.udp.bind;
    if (!Array.isArray(wanted)) { wanted = []; }
    wanted = wanted.map(Number).filter((port) => port > 0 && port < 65356);
    current.forEach(function (port) {
      if (wanted.indexOf(port) < 0) {
        listeners.close(port);
      }
    });
    wanted.forEach(function (port) {
      if (current.indexOf(port) < 0) {
        listeners.add(port, packetHandler.bind(port));
      }
    });
  }
  updateListeners();
  return {
    updateConf: updateListeners
  };
 };
--- a/lib/worker.js
+++ b/lib/worker.js
@ -48,13 +48,15 @@ function create(conf) {
  modules = {
    storage:  require('./storage').create(deps, conf)
  , proxy:    require('./proxy-conn').create(deps, conf)
  , socks5:   require('./socks5-server').create(deps, conf)
  , ddns:     require('./ddns').create(deps, conf)
  , mdns:     require('./mdns').create(deps, conf)
  , udp:      require('./udp').create(deps, conf)
  , tcp:      require('./tcp').create(deps, conf)
  , stunneld: require('./tunnel-server-manager').create(deps, config)
  };
  Object.assign(deps, modules);
  require('./goldilocks.js').create(deps, conf);
  process.removeListener('message', create);
  process.on('message', update);
 }
--- a/package-lock.json
+++ b/package-lock.json
@ -448,7 +448,11 @@
      "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA="
    },
    "dns-suite": {
-      "version": "git+https://git@git.daplie.com/Daplie/dns-suite#950867c452323da776c050363b22d8f06a8ed414"
+      "version": "git+https://git@git.daplie.com/Daplie/dns-suite#6352cf4b516d94f0283c9c7cd024431bf974f049",
      "requires": {
        "bluebird": "3.5.0",
        "hexdump.js": "1.0.5"
      }
    },
    "duplexer2": {
      "version": "0.1.4",
@ -820,6 +824,11 @@
        "sntp": "1.0.9"
      }
    },
    "hexdump.js": {
      "version": "1.0.5",
      "resolved": "https://registry.npmjs.org/hexdump.js/-/hexdump.js-1.0.5.tgz",
      "integrity": "sha1-xbxlSoIvAzjzEX5fXzVgZd6HmDQ="
    },
    "hmac-drbg": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
@ -2077,7 +2086,7 @@
      }
    },
    "stunnel": {
-      "version": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#cad0e561fbea5c5dbbf5fc10ed95833dd3573ebc",
+      "version": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#114847e31abe9a0c5f0598b892dd98b37fe9622e",
      "requires": {
        "bluebird": "3.5.0",
        "commander": "2.9.0",
@ -2089,7 +2098,7 @@
      }
    },
    "stunneld": {
-      "version": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#54ca2782dde84b3d2c61a3257f7d859b7012ea59",
+      "version": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#ae91fd5049251ed1f9fcd6806d7b9872454c67db",
      "requires": {
        "bluebird": "3.5.0",
        "cluster-store": "2.0.6",
@ -2099,8 +2108,15 @@
        "localhost.daplie.me-certificates": "1.3.5",
        "redirect-https": "1.1.4",
        "sni": "1.0.0",
-        "tunnel-packer": "1.3.0",
+        "tunnel-packer": "1.4.0",
        "ws": "2.3.1"
      },
      "dependencies": {
        "tunnel-packer": {
          "version": "1.4.0",
          "resolved": "https://registry.npmjs.org/tunnel-packer/-/tunnel-packer-1.4.0.tgz",
          "integrity": "sha512-99GYAtKnbMVd87hQMxiR/Pq62jOWzOH/K6EOs87nU6U4p5uso+fZyYuO+upb+hhonXuNI/sZR/ByVxPFrnzMog=="
        }
      }
    },
    "terminal-forms.js": {
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "goldilocks",
-  "version": "1.1.3",
+  "version": "1.1.4",
  "description": "The node.js webserver that's just right, Greenlock (HTTPS/TLS/SSL via ACME/Let's Encrypt) and tunneling (RVPN) included.",
  "main": "bin/goldilocks.js",
  "repository": {