fix: WinBox tunnel bind address, port range, and proxy support

- Bind tunnel listeners to 0.0.0.0 instead of 127.0.0.1 so tunnels
  are reachable through reverse proxies and container networks
- Reduce port range to 49000-49004 (5 concurrent tunnels)
- Derive WinBox URI host from request Host header instead of
  hardcoding 127.0.0.1, enabling use behind reverse proxies
- Add README security warning about default encryption keys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Staack
2026-03-12 19:03:53 -05:00
parent acf1790bed
commit c2eea6847f
6 changed files with 28 additions and 8 deletions

View File

@@ -65,7 +65,7 @@ func (m *Manager) OpenTunnel(deviceID, tenantID, userID, remoteAddr string) (*Op
return nil, err
}
ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
ln, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port))
if err != nil {
m.portPool.Release(port)
return nil, fmt.Errorf("failed to listen on port %d: %w", port, err)

View File

@@ -54,7 +54,7 @@ func (pp *PortPool) Release(port int) {
}
func canBind(port int) bool {
ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
ln, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port))
if err != nil {
return false
}

View File

@@ -71,7 +71,7 @@ func TestPortPool_ConcurrentAccess(t *testing.T) {
func TestPortPool_BindVerification(t *testing.T) {
// Occupy a port, then verify Allocate skips it
ln, err := net.Listen("tcp", "127.0.0.1:49050")
ln, err := net.Listen("tcp", "0.0.0.0:49050")
require.NoError(t, err)
defer ln.Close()