feat: implement IP allowlisting for tunnels

apps/cli/config.toml.example

@@ -7,6 +7,7 @@ local_port = 3000
 local_host = "localhost"
 subdomain = "my-app"
 custom_domain = "app.example.com"
+ip_allowlist = ["1.2.3.4/32"]
 
 [tunnel.api]
 protocol = "http"

apps/cli/src/client.ts

@@ -22,6 +22,7 @@ export class OutRayClient {
   private forceTakeover = false;
   private reconnectAttempts = 0;
   private lastPongReceived = Date.now();
+  private ipAllowlist?: string[];
   private noLog: boolean;
   private readonly PING_INTERVAL_MS = 25000; // 25 seconds
   private readonly PONG_TIMEOUT_MS = 10000; // 10 seconds to wait for pong
@@ -32,6 +33,7 @@ export class OutRayClient {
     apiKey?: string,
     subdomain?: string,
     customDomain?: string,
+    ipAllowlist?: string[],
     noLog: boolean = false,
   ) {
     this.localPort = localPort;
@@ -41,6 +43,7 @@ export class OutRayClient {
     this.customDomain = customDomain;
     this.requestedSubdomain = subdomain;
     this.noLog = noLog;
+    this.ipAllowlist = ipAllowlist;
   }
 
   public start(): void {
@@ -99,6 +102,7 @@ export class OutRayClient {
       subdomain: this.subdomain,
       customDomain: this.customDomain,
       forceTakeover: this.forceTakeover,
+      ipAllowlist: this.ipAllowlist,
     });
     this.ws?.send(handshake);
   }
@@ -213,7 +217,7 @@ export class OutRayClient {
         if (!this.noLog) {
           console.log(
             chalk.dim("←") +
-              ` ${chalk.bold(message.method)} ${message.path} ${statusColor(statusCode)} ${chalk.dim(`${duration}ms`)}`,
+            ` ${chalk.bold(message.method)} ${message.path} ${statusColor(statusCode)} ${chalk.dim(`${duration}ms`)}`,
           );
         }
 
@@ -238,7 +242,7 @@ export class OutRayClient {
       if (!this.noLog) {
         console.log(
           chalk.dim("←") +
-            ` ${chalk.bold(message.method)} ${message.path} ${chalk.red("502")} ${chalk.dim(`${duration}ms`)} ${chalk.red(err.message)}`,
+          ` ${chalk.bold(message.method)} ${message.path} ${chalk.red("502")} ${chalk.dim(`${duration}ms`)} ${chalk.red(err.message)}`,
         );
       }
 

apps/cli/src/index.ts

@@ -308,6 +308,7 @@ async function handleStartFromConfig(
         apiKey,
         tunnel.localHost,
         tunnel.remotePort,
+        tunnel.ipAllowlist
       );
     } else if (tunnel.protocol === "udp") {
       client = new UDPTunnelClient(
@@ -316,6 +317,7 @@ async function handleStartFromConfig(
         apiKey,
         tunnel.localHost,
         tunnel.remotePort,
+        tunnel.ipAllowlist
       );
     } else {
       client = new OutRayClient(
@@ -324,6 +326,7 @@ async function handleStartFromConfig(
         apiKey,
         tunnel.subdomain,
         tunnel.customDomain,
+        tunnel.ipAllowlist
       );
     }
 
@@ -385,6 +388,7 @@ function printHelp() {
     chalk.cyan("  --no-logs              Disable tunnel request logs"),
   );
   console.log(chalk.cyan("  --dev                  Use dev environment"));
+  console.log(chalk.cyan("  --ip <ip/cidr>         Allow IP or CIDR (repeatable)"));
   console.log(chalk.cyan("  -v, --version          Show version"));
   console.log(chalk.cyan("  -h, --help             Show this help message"));
 }
@@ -630,6 +634,22 @@ async function main() {
   // Handle --no-logs flag to disable tunnel request logs
   const noLogs = remainingArgs.includes("--no-logs");
 
+  // Handle --ip flag for IP allowlisting (repeatable)
+  const ipAllowlist: string[] = [];
+  for (let i = 0; i < remainingArgs.length; i++) {
+    const arg = remainingArgs[i];
+
+    if (arg === "--ip" && remainingArgs[i + 1]) {
+      ipAllowlist.push(remainingArgs[i + 1]);
+      i++;
+    } else if (arg.startsWith("--ip=")) {
+      const value = arg.split("=")[1];
+      if (value) {
+        ipAllowlist.push(value);
+      }
+    }
+  }
+
   // Load and validate config
   let config = configManager.load();
 
@@ -705,7 +725,8 @@ async function main() {
       apiKey,
       "localhost",
       remotePort,
-      noLogs,
+      ipAllowlist,
+      noLogs
     );
   } else if (tunnelProtocol === "udp") {
     client = new UDPTunnelClient(
@@ -714,7 +735,8 @@ async function main() {
       apiKey,
       "localhost",
       remotePort,
-      noLogs,
+      ipAllowlist,
+      noLogs
     );
   } else {
     client = new OutRayClient(
@@ -723,7 +745,8 @@ async function main() {
       apiKey,
       subdomain,
       customDomain,
-      noLogs,
+      ipAllowlist,
+      noLogs
     );
   }
 

apps/cli/src/tcp-client.ts

@@ -21,6 +21,7 @@ export class TCPTunnelClient {
   private shouldReconnect = true;
   private assignedPort: number | null = null;
   private connections = new Map<string, net.Socket>();
+  private ipAllowlist?: string[];
   private noLog: boolean;
 
   constructor(
@@ -29,6 +30,7 @@ export class TCPTunnelClient {
     apiKey?: string,
     localHost: string = "localhost",
     remotePort?: number,
+    ipAllowlist?: string[],
     noLog: boolean = false,
   ) {
     this.localPort = localPort;
@@ -37,6 +39,7 @@ export class TCPTunnelClient {
     this.apiKey = apiKey;
     this.remotePort = remotePort;
     this.noLog = noLog;
+    this.ipAllowlist = ipAllowlist;
   }
 
   public start(): void {
@@ -90,6 +93,7 @@ export class TCPTunnelClient {
       apiKey: this.apiKey,
       protocol: "tcp" as TunnelProtocol,
       remotePort: this.remotePort,
+      ipAllowlist: this.ipAllowlist,
     });
     this.ws?.send(handshake);
   }

apps/cli/src/toml-config.ts

@@ -13,6 +13,7 @@ export interface TunnelConfig {
   custom_domain?: string;
   remote_port?: number;
   org?: string;
+  ip_allowlist?: string[];
 }
 
 export interface GlobalConfig {
@@ -33,6 +34,7 @@ export interface ParsedTunnelConfig {
   customDomain?: string;
   remotePort?: number;
   org?: string;
+  ipAllowlist?: string[];
 }
 
 const portSchema = Joi.number().integer().min(1).max(65535).required();
@@ -61,6 +63,7 @@ const tunnelConfigSchema = Joi.object({
   custom_domain: Joi.string().hostname().optional(),
   remote_port: Joi.number().integer().min(1).max(65535).optional(),
   org: Joi.string().optional(),
+  ip_allowlist: Joi.array().items(Joi.string()).optional(),
 }).custom((value: TunnelConfig, helpers: Joi.CustomHelpers) => {
   const protocol = value.protocol;
 
@@ -146,18 +149,18 @@ export class TomlConfigParser {
             }
           }
 
-            if (fieldName) {
-              const fieldDisplayName = fieldName.replace(/_/g, " ");
-              const fullPath = detail.path.join(".");
-
-              if (message.includes(`"${fullPath}"`)) {
-                message = message.replace(`"${fullPath}"`, fieldDisplayName);
-              } else if (message.includes(fieldName)) {
-                message = message.replace(new RegExp(fieldName, "g"), fieldDisplayName);
-              }
+          if (fieldName) {
+            const fieldDisplayName = fieldName.replace(/_/g, " ");
+            const fullPath = detail.path.join(".");
+
+            if (message.includes(`"${fullPath}"`)) {
+              message = message.replace(`"${fullPath}"`, fieldDisplayName);
+            } else if (message.includes(fieldName)) {
+              message = message.replace(new RegExp(fieldName, "g"), fieldDisplayName);
             }
+          }
 
-            message = message.replace(/^"/, "").replace(/"$/, "");
+          message = message.replace(/^"/, "").replace(/"$/, "");
 
           if (tunnelName && typeof tunnelName === "string") {
             const capitalizedMessage = message.charAt(0).toUpperCase() + message.slice(1);
@@ -189,6 +192,7 @@ export class TomlConfigParser {
         customDomain: tunnel.custom_domain,
         remotePort: tunnel.remote_port,
         org: tunnel.org || globalConfig?.org,
+        ipAllowlist: tunnel.ip_allowlist,
       });
     }
 

apps/cli/src/types.ts

@@ -8,6 +8,7 @@ export interface OpenTunnelMessage {
   forceTakeover?: boolean;
   protocol?: TunnelProtocol;
   remotePort?: number; // For TCP/UDP: the port to expose on the server
+  ipAllowlist?: string[]; // List of allowed IPs or CIDR ranges
 }
 
 export interface TunnelOpenedMessage {

apps/cli/src/udp-client.ts

@@ -16,6 +16,7 @@ export class UDPTunnelClient {
   private shouldReconnect = true;
   private assignedPort: number | null = null;
   private socket: dgram.Socket | null = null;
+  private ipAllowlist?: string[];
   private noLog: boolean;
 
   constructor(
@@ -24,6 +25,7 @@ export class UDPTunnelClient {
     apiKey?: string,
     localHost: string = "localhost",
     remotePort?: number,
+    ipAllowlist?: string[],
     noLog: boolean = false,
   ) {
     this.localPort = localPort;
@@ -32,6 +34,7 @@ export class UDPTunnelClient {
     this.apiKey = apiKey;
     this.remotePort = remotePort;
     this.noLog = noLog;
+    this.ipAllowlist = ipAllowlist;
   }
 
   public start(): void {
@@ -87,6 +90,7 @@ export class UDPTunnelClient {
       apiKey: this.apiKey,
       protocol: "udp" as TunnelProtocol,
       remotePort: this.remotePort,
+      ipAllowlist: this.ipAllowlist,
     });
     this.ws?.send(handshake);
   }

apps/tunnel/package.json

@@ -5,12 +5,14 @@
   "scripts": {
     "dev": "tsx watch src/server.ts",
     "build": "tsup && cp src/offline.html src/bandwidth_exceeded.html dist/",
-    "start": "node dist/server.js"
+    "start": "node dist/server.js",
+    "test": "vitest run"
   },
   "dependencies": {
-    "pg": "^8.13.1",
     "dotenv": "^17.2.3",
     "ioredis": "^5.4.1",
+    "ip-range-check": "^0.2.0",
+    "pg": "^8.13.1",
     "ws": "^8.18.0"
   },
   "devDependencies": {
@@ -19,6 +21,7 @@
     "@types/ws": "^8.5.13",
     "tsup": "^8.5.1",
     "tsx": "^4.19.2",
-    "typescript": "^5.7.2"
+    "typescript": "^5.7.2",
+    "vitest": "^4.0.17"
   }
-}
+}

apps/tunnel/src/core/HTTPProxy.ts

@@ -5,6 +5,7 @@ import { TunnelRouter } from "./TunnelRouter";
 import { getBandwidthKey, generateId } from "../../../../shared/utils";
 import { logger, requestCaptureLogger } from "../lib/tigerdata";
 import { LogManager } from "./LogManager";
+import { IpGuard } from "../lib/IpGuard";
 
 export class HTTPProxy {
   private router: TunnelRouter;
@@ -52,6 +53,16 @@ export class HTTPProxy {
       });
 
       const metadata = this.router.getTunnelMetadata(tunnelId);
+
+      if (metadata?.ipAllowlist && metadata.ipAllowlist.length > 0) {
+        const clientIp = this.getClientIp(req);
+        if (!IpGuard.isAllowed(clientIp, metadata.ipAllowlist)) {
+          res.writeHead(403, { "Content-Type": "text/html" });
+          res.end("<h1>403 Forbidden</h1><p>Access denied by IP Allowlist.</p>");
+          return;
+        }
+      }
+
       const redis = this.router.getRedis();
       const bandwidthKey =
         metadata?.organizationId && redis
@@ -149,7 +160,7 @@ export class HTTPProxy {
         if (metadata.fullCaptureEnabled) {
           const captureId = generateId("capture");
           const maxBodySize = 1024 * 1024; // 1MB limit
-          
+
           // Prepare request body (truncate if too large)
           let requestBody: string | null = null;
           let requestBodySize = bodyBuffer.length;
@@ -202,27 +213,12 @@ export class HTTPProxy {
   }
 
   private getClientIp(req: IncomingMessage): string {
-    let ip =
+    const rawIp =
       (req.headers["x-forwarded-for"] as string) ||
       req.socket.remoteAddress ||
       "0.0.0.0";
 
-    // Handle comma-separated list in x-forwarded-for
-    if (ip.includes(",")) {
-      ip = ip.split(",")[0].trim();
-    }
-
-    // Handle IPv4-mapped IPv6 addresses
-    if (ip.startsWith("::ffff:")) {
-      ip = ip.substring(7);
-    }
-
-    // Handle localhost IPv6
-    if (ip === "::1") {
-      ip = "127.0.0.1";
-    }
-
-    return ip;
+    return IpGuard.normalizeIp(rawIp);
   }
 
   private getOfflineHtml(tunnelId: string): string {