Added predefined tunnel functionality, allowing users to define multiple tunnels in the configuration file and start them by name, including the following improvements:
- Added --all flag to start all configured tunnels
- Added parameterless start command to list available tunnels
- Support configuration of multiple tunnel types (http, https, tcp)
- Support advanced configurations such as subdomains, transport protocols, and IP allowlists
refactor(deployments): Refactor Docker deployment configuration
Removed old Dockerfile and Compose configurations, added new deployment files:
- Removed .env.example and old Docker build files
- Added Caddy reverse proxy configuration file
- Added two deployment modes: standard and Caddy reverse proxy
- Added detailed server configuration example files
docs: Update documentation to include tunnel configuration and deployment guide
Updated Chinese and English README documents:
- Added usage instructions and configuration examples for predefined tunnels
- Expanded server deployment section to include direct TLS and reverse proxy modes
- Added server configuration reference table with detailed configuration item descriptions
- Added specific configuration methods for Caddy and Nginx reverse proxies
Add .goreleaser.yaml configuration file to automate building and releasing multi-platform binaries, supporting operating systems such as darwin, freebsd, linux, windows, and architectures including 386, arm, amd64, arm64, mips, with cross-compilation settings and release configurations.
Added --transport parameter to allow users to select transport protocol type:
- auto: automatically choose based on server address (default)
- tcp: direct TLS 1.3 connection
- wss: WebSocket over TLS (CDN-friendly)
Also updated client connector to support WebSocket transport, and added server-side discovery endpoint to query supported transport protocols.
Add the --auth parameter to enable proxy authentication for HTTP and HTTPS tunnels, supporting password verification and session management.
- Add --auth flag in CLI to set proxy authentication password
- Implement server-side authentication handling and login page
- Support Cookie-based session management and validation
- Add protocol message definitions related to authentication
Rename denyIPs field to denyNets, supporting blacklist configuration with CIDR ranges. Now supports both individual IP addresses and CIDR subnet masks as deny rules, with IPv4 automatically converted to /32 and IPv6 to /128, using the Contains method for more flexible subnet matching.
- Add Validate method to ServerConfig to validate port ranges, domain format, TCP port ranges, and other configuration items
- Add configuration validation logic in server.go to ensure valid configuration before server startup
- Improve channel naming in TCP connections for better code readability
- Enhance data copying mechanism with context cancellation support to avoid resource leaks
- Add private network definitions for secure validation of trusted proxy headers
fix(proxy): Strengthen client IP extraction security and fix error handling
- Trust X-Forwarded-For and X-Real-IP headers only when requests originate from private/loopback networks
- Define RFC 1918 and other private network ranges for proxy header validation
- Add JSON serialization error handling in TCP connections to prevent data loss
- Fix context handling logic in pipe callbacks
- Optimize error handling mechanism for data connection responses
refactor(config): Improve client configuration validation and error handling
- Add Validate method to ClientConfig to verify server address format and port validity
- Change configuration validation from simple checks to full validation function calls
- Provide more detailed error messages to help users correctly configure server address formats
- Implement IP whitelist/blacklist access control mechanism
- Add --allow-ip and --deny-ip command-line arguments to configure IP access rules
- Support CIDR format for IP range configuration
- Enable IP access control in HTTP, HTTPS, and TCP tunnels
- Add IP access check logic to server-side proxy handling
- Update documentation to explain how to use IP access control
- Synchronously delete corresponding Prometheus metrics when removing IP records
- Update metric values when the number of IP tunnels changes
- Ensure accuracy and real-time nature of the tunnelsByIP metric
Added the prometheus/client_golang dependency to support metrics collection, and refactored the proxy processor's homepage.
It uses modern CSS styles and responsive design, and adds code copy functionality.
BREAKING CHANGE: Removed session selection-related methods and the large buffer feature of the buffer pool in TCP connection groups.
- Add a new `server config` command to display server configuration.
- Supports displaying the full token via the --full flag.
- Add the metrics-token configuration option for monitoring access control.
- Integrate Prometheus metrics monitoring system
- Add the /metrics endpoint to provide monitoring data in Prometheus format.
- Add detailed metric collection for tunnels, connections, traffic, etc.
- Add a link to the metrics endpoint on the homepage
refactor: Refactor the token display logic to support full display options.
- Refactor the token mask logic in the configuration display
- Supports controlling the token display method via the configFull flag.
build: Update dependency versions
- Updated github.com/spf13/cobra from v1.10.1 to v1.10.2
- Updated golang.org/x/crypto from v0.45.0 to v0.46.0
- Updated golang.org/x/net from v0.47.0 to v0.48.0
- Update golang.org/x/sys from v0.38.0 to v0.39.0
- Added several new indirect dependency packages, including Prometheus-related components.
- Update the versions of several existing dependency packages.
A CAS loop is used to implement atomic operations on the global tunnel counter, avoiding race conditions.
Add a rollback mechanism to ensure that the occupied counter resources are properly released when registration fails.
Concurrency safety for IP rate limiting is achieved by using atomic operations and locks in combination.
Add appropriate resource rollback logic at each faulty branch to prevent resource leaks.
- Removed the manual performance optimization configuration in main.go and replaced it with a new tuning module.
- Add patterned GC tuning in server.go and tunnel_runner.go
- Updated yamux configuration to a unified optimized configuration to improve throughput.
- Implement connection pool preheating function to eliminate cold start delay.
- Optimize session selection using a min-heap, reducing the time complexity from O(n) to O(log n).
- Add a bufio.Reader pool and a buffer pool to reduce memory allocation.
- Implement a fragmented lock manager to improve performance under high concurrency.
- Adjust heartbeat and timeout configurations to suit high-throughput scenarios
BREAKING CHANGE: Manual GC tuning configuration has been removed; automatic tuning mode is now used.
- Reduce inspection intervals and cooling times to improve response speed
- Added burst load handling mechanism to support batch expansion.
- Introduced the GetSessionStats method to retrieve detailed statistics for each session.
- Create data sessions concurrently to accelerate scaling.
- Added a ping loop keep-alive mechanism for each session.
feat(server): Enhance tunnel management and security restrictions
- Implement IP-based tunnel number and registration frequency limits
- Add a rate limiter to prevent malicious registration behavior.
- Improved shutdown process to ensure proper exit of cleanup coroutines.
- Introduce atomic operations to tunnel connections to improve concurrency performance
- Track client IP addresses for access control
perf(server): Improves HTTP request processing performance and resource reuse.
- Use sync.Pool to reuse bufio.Writer to reduce GC pressure.
- Enable TCP_NODELAY to improve response speed
- Adjust HTTP server timeout configuration to balance performance and security
refactor(proxy): Optimizes the stream open timeout control logic
- Use context to control timeouts and avoid goroutine leaks.
- Ensure that established connections are properly closed upon timeout.
docs(test): Upgrade one-click test scripts to Go test service
- Replace Python's built-in server with a high-performance Go implementation
- Update dependency checks: Use Go instead of Python 3
- Enhanced startup log output for easier debugging
chore(shared): Enhances the security and consistency of the ID generator.
- Remove the timestamp fallback scheme and uniformly adopt crypto/rand.
- Added TryGenerateID to provide a non-panic error handling method.
- Define the maximum frame size explicitly and add comments to explain it.
style(frame): Reduce memory allocation and optimize read performance
- Use an array on the stack instead of heap allocation to read the frame header.
- Reduced maximum frame size from 10MB to 1MB to decrease DoS risk.
Persist the assigned subdomain after first connect so reconnects reuse it.
Allow reserving a specific TCP port when the subdomain is tcp-<port> to prevent port drift.
When processing HTTP streams, support for buffered readers has been added for WebSocket upgrade requests.
This ensures that data not fully read before connection switching is not lost. The forwarding logic for the Host header has also been optimized.
Add the X-Forwarded-Host header to preserve the original host information.
In the ServeHTTP processing logic, CONNECT requests are no longer processed, and a 405 status code is returned when such a request is received.
The method was flagged as not allowed. The original handleConnect implementation code was also removed.
- Added handling for the HTTP CONNECT method, supporting HTTPS tunneling proxies.
- Introducing connQueueListener to hand over HTTP connections to standard http.Server handling.
- Optimized Connection struct fields and lifecycle management logic
- Remove redundant comments and streamline some response writing logic
- Upgrade the golang.org/x/net dependency version to support new features.
- Enhanced HTTP request parsing stability and improved error logging methods.
- Adjusted the TCP listener startup process to integrate HTTP/2 configuration support.
- Improve the connection closing mechanism to avoid resource leakage issues.
The data connection processing logic was refactored, and a successful response was sent in advance before upgrading to a yamux session.
Redundant DataConnection structures and related management methods were removed. Adjustments were also made.
In ConnectionGroup, the session selection logic prioritizes using non-primary sessions for data transmission.
Only fall back to the main session when no data session is available, in order to improve forwarding efficiency and stability.
- Added support for parsing the --address/-a and --server/-s parameters.
- At startup, attempt to load the server address from the configuration file.
- Wait and retrieve runtime information for the daemon (such as the URL).
- Optimized UI display: Shows forwarding address, server address, and access link.
- Supports centering the generated tunnel URL information in the terminal.
- Added the utility functions parseFlagValue and waitForDaemonInfo for parameter parsing and status waiting.
- Introduce pooled tunnel sessions (TunnelID/DataConnect) on client/server
- Proxy HTTP/HTTPS via raw HTTP over yamux streams; pipe TCP streams directly
- Move UI/stats into internal/shared; refactor CLI tunnel helpers; drop msgpack/hpack legacy
Move the initialization of the mutex lock after the structure is created to ensure that the condition variable can correctly reference the mutex lock instance.
This can avoid potential race conditions and improve code readability.
A new FlowControl frame type has been added for backpressure control between the client and server, and SafeFrame has been introduced.
Frame resource management has been encapsulated to ensure that frame data is correctly returned to the memory pool after use. The frame processing logic has also been optimized.
The way frame.Release() is called improves code security and maintainability.
feat(client): Implements queue pressure monitoring and flow control signal sending functions.
Add the `monitorQueuePressure` method to periodically check the length of the `dataFrameQueue`, and trigger an alarm when the queue usage exceeds a threshold.
Automatically send flow control commands to the server to pause or resume writing, preventing data backlog and connection interruptions caused by slow consumption speed.
feat(server): Supports receiving and responding to flow control requests from clients.
The `handleFlowControl` and `sendWithBackpressure` methods have been added to enable backpressure control of received data frames on the server side.
By blocking the sending process using a condition variable until the client releases the pause state, connection stability is ensured under high load.
refactor(client): Reduces redundant resource release operations during frame processing.
Use SafeFrame to manage frame lifecycles uniformly, replacing manual frame.Release() with defer sf.Close() in multiple frame handlers.
This avoids the risk of memory leaks caused by unreleased abnormal paths.
perf(client): Shorten the shutdown timeout to speed up resource reclamation.
The forced shutdown wait time in the tunnel runner and connector has been adjusted from 5 seconds and 3 seconds to 2 seconds to improve the program exit response speed.
- Adjust the delayed formatting function to prioritize checking if the delay is 0 to avoid displaying errors.
- When the delay is less than 1 millisecond, it is displayed in microseconds to improve the precision of the expression.
feat (constants): Shorten heart rate intervals and timeouts to improve response speed.
- Adjust HeartbeatInterval from 5 seconds to 2 seconds
- Adjust HeartbeatTimeout from 15 seconds to 6 seconds
- Improve the sensitivity of heartbeat detection between the client and the server
A new recovery package has been added, containing Recoverer and PanicMetrics, for capturing panics in goroutines.
It records stack trace information and provides statistical metrics. This mechanism is also integrated into the TCP connector and listener.
Enhance service stability and observability.
