fix(tunnel): stabilize concurrent stream handling

- Replace "Raw TCP listener" references with http.Server/hijack model
- Update architecture diagram and description
- Add testing section to AGENTS.md with test summary
- Update key patterns to match current code
- Fix file locations table (add e2e_test.go, reconstructed_conn.go)

.gitignore

@@ -1 +1,3 @@
 cover.html
+.DS_Store
+build

AGENTS.md

@@ -0,0 +1,86 @@
+# Conduit — Agent Guidelines
+
+## Project Overview
+
+Conduit is a self-hosted tunneling service (Go, single binary). A **server** (`conduit serve`) runs on a public host and routes incoming HTTP requests by subdomain to registered **tunnels**. A **client** (`conduit tunnel`) connects via WebSocket, receives forwarded traffic, and relays it to a local target using either an HTTP reverse-proxy or raw TCP dial.
+
+## Build & Test
+
+```bash
+# Build all platforms
+make build_local
+
+# Run tests
+make tests              # includes race detection + coverage
+
+# Lint
+golangci-lint run
+```
+
+Go 1.25+ is required (`go.mod`). Nix devshell provides Go, gopls, golangci-lint.
+
+## Architecture at a Glance
+
+```
+server/server.go        — net/http.Server, ServeHTTP routes by Host subdomain to tunnel or control API
+tunnel/tunnel.go        — Core Tunnel struct, WebSocket message loop, stream management
+tunnel/forwarder.go     — Forwarder interface; HTTP/HTTPS → HTTP forwarder, everything else → TCP
+tunnel/http_forwarder.go — httputil.ReverseProxy served over net.Pipe via multiConnListener
+tunnel/tcp_forwarder.go  — Direct net.Dial TCP forwarding
+tunnel/stream.go        — Stream interface (io.ReadWriteCloser + Source/Target)
+server/reconstructed_conn.go — Replays re-serialized headers + buffered body + raw conn after hijack
+store/store.go          — In-memory request/response recorder with pub/sub (SSE)
+web/web.go              — Local tunnel monitor (port 8181), SSE endpoint
+config/config.go        — Reflection-based config from struct tags → flags + env vars + client config file
+pkg/maps/map.go         — Generic sync.RWMutex-guarded map
+```
+
+## Code Conventions
+
+- **Go style**: standard `gofmt`, golangci-lint with `.golangci.toml`
+- **Comment style**: Title Case heading above logical blocks (see root `AGENTS.md`)
+- **Config**: add struct tags (`json`, `default`, `description`) to `ServerConfig` or `ClientConfig` — flags and env vars are auto-derived. Client config may also come from `./conduit.json` or `~/.config/conduit/config.json` for `server`, `api_key`, `log_level`, and `log_format` only.
+- **Logging**: use `logrus` (`log` alias); structured fields preferred
+- **Concurrency**: use `pkg/maps.Map` for shared maps; protect other shared state with `sync.Mutex`
+- **Error handling**: return errors up; log at command/entry-point level. Use `fmt.Errorf` with `%w` for wrapping
+
+## Key Patterns
+
+1. **ServeHTTP + Hijack for tunnel routing**: The server uses `net/http.Server` with a `ServeHTTP` handler. It inspects the `Host` header to determine routing. Control API requests are handled normally via `http.ResponseWriter`. Tunnel requests hijack the TCP connection, re-serialize the HTTP request, and forward it through the tunnel via `reconstructedConn`.
+2. **Reconstructed connection**: After hijack, `reconstructedConn` combines re-serialized request headers, buffered body data from the hijacked `bufio.ReadWriter`, and the raw connection into a single `io.Reader` so the tunnel client receives the complete request.
+3. **Forwarder abstraction**: `Forwarder` interface decouples tunnel transport from protocol handling. `NewForwarder` only uses `url.Parse` for `http://`/`https://` schemes; everything else (including parse failures like bare `host:port`) is treated as raw TCP. HTTP forwarder uses `net.Pipe` + `multiConnListener` to feed connections into a standard `http.Server`.
+4. **Context-threaded records**: Request records are attached to context in `RecordRequest` and retrieved in `RecordResponse` via the `ModifyResponse` hook.
+
+## Adding a New Forwarder
+
+1. Implement `tunnel.Forwarder` interface (`Type()`, `Initialize()`, `Start()`)
+2. Add a case in `tunnel.NewForwarder()` factory
+3. Add corresponding `ForwarderType` const
+
+## Testing
+
+E2E tests live in `e2e_test.go` at the project root. They spin up real servers, tunnels, and targets on random ports. `make tests` runs with `-race` and coverage enabled.
+
+```bash
+# Run all tests
+make tests
+
+# Run specific test
+ go test -v -run TestHTTPTunnelRoundTrip -count=1 ./...
+```
+
+16 tests covering: HTTP round-trip (GET/POST), TCP echo, large bodies (1MB resp / 512KB req), response quality (headers, content-type, content-length), error paths (404, 401, duplicate name), multi-tunnel routing, concurrency, and graceful shutdown.
+
+## File Locations
+
+| Concern | Files |
+|---------|-------|
+| CLI entry | `main.go`, `cmd/` |
+| Server | `server/` |
+| Tunneling | `tunnel/` |
+| Config | `config/` |
+| Storage | `store/` |
+| Web UI | `web/`, `web/pages/` |
+| Shared types | `types/` |
+| Utilities | `pkg/maps/` |
+| E2E tests | `e2e_test.go` |

Dockerfile

@@ -3,7 +3,7 @@ FROM alpine AS alpine
 RUN apk update && apk add --no-cache ca-certificates tzdata
 
 # Build Image
-FROM golang:1.24 AS build
+FROM golang:1.25 AS build
 
 # Create Package Directory
 RUN mkdir -p /opt/conduit

Makefile

@@ -30,6 +30,6 @@ clean:
 	rm -rf ./build
 
 tests:
-	SET_TEST=set_val go test -coverpkg=./... ./... -coverprofile=./cover.out
+	SET_TEST=set_val go test -race -coverpkg=./... ./... -coverprofile=./cover.out
 	go tool cover -html=./cover.out -o ./cover.html
 	rm ./cover.out

README.md

@@ -1,14 +1,143 @@
 # Conduit
 
-A lightweight tunneling service that enables secure connection forwarding through a remote server.
+A lightweight tunneling service that exposes local services to the internet through a public server — similar to ngrok, but self-hosted.
 
-**How:** Deploy Conduit on a public server (e.g., `https://conduit.example.com`) to create tunnels from local services to the internet. Simply point a tunnel to your local endpoint (such as `localhost:8000`) and assign it a custom subdomain identifier like `black-fox-123`. Your local service becomes instantly accessible at `https://black-fox-123.conduit.example.com`.
+Deploy Conduit on a public server (e.g., `https://conduit.example.com`), then create tunnels from your local machine. Point a tunnel at a local endpoint (e.g., `localhost:8000`) and it becomes accessible at a subdomain like `https://black-fox-123.conduit.example.com`.
 
-**Key Benefits:**
+![Example](https://gitea.va.reichard.io/evan/conduit/raw/branch/main/assets/example.gif)
 
-- Expose local development servers to the internet
+## Features
-- Share work-in-progress applications with clients or teammates
-- Test webhooks and external integrations
-- Bypass firewall restrictions for remote access
 
-Perfect for developers who need quick, temporary public access to local services without complex networking setup.
+- **HTTP & TCP tunneling** — automatically detected based on the target scheme
+- **Subdomain routing** — each tunnel gets a unique subdomain on the server
+- **Auto-generated tunnel names** — random `color-animal-number` names when none is provided
+- **Local tunnel monitor** — web UI on `:8181` with SSE-based live request/response inspection
+- **API key authentication** — simple shared-key auth between client and server
+- **Minimal footprint** — single binary, no external dependencies
+
+## Architecture
+
+```
+┌──────────────┐         WebSocket          ┌──────────────────┐
+│ conduit      │◄──────────────────────────► │ conduit          │
+│ tunnel       │    (control + streams)      │ serve            │
+│ (client)     │                             │ (public server)  │
+├──────────────┤                             ├──────────────────┤
+│ HTTP Fwd  or │                             │ http.Server      │
+│ TCP Fwd      │                             │ Subdomain router │
+├──────────────┤                             │ WS upgrade       │
+│ Tunnel       │                             └──────────────────┘
+│ Monitor :8181│
+└──────────────┘
+```
+
+The server uses `net/http.Server` to accept connections and inspects the HTTP `Host` header for routing. Requests to the base domain hit the control API; requests to subdomains are hijacked and forwarded over WebSocket to the matching tunnel client. The client then forwards traffic to the local target via either a reverse-proxy (HTTP) or direct TCP dial.
+
+## Quick Start
+
+### Prerequisites
+
+- Go 1.25+ (or Docker)
+
+### Build
+
+```bash
+# Local build (all platforms)
+make build_local
+
+# Docker
+make docker_build_local
+```
+
+### Server
+
+Run the server on a publicly accessible host:
+
+```bash
+conduit serve \
+  --server https://conduit.example.com \
+  --bind 0.0.0.0:8080 \
+  --api_key your-secret-key
+```
+
+Or with Docker:
+
+```bash
+docker run -p 8080:8080 \
+  -e CONDUIT_SERVER=https://conduit.example.com \
+  -e CONDUIT_API_KEY=your-secret-key \
+  conduit:latest
+```
+
+### Client
+
+Create a tunnel to expose a local service:
+
+```bash
+# HTTP tunnel (auto-generates name)
+conduit tunnel \
+  --server https://conduit.example.com \
+  --api_key your-secret-key \
+  --target http://localhost:8000
+
+# Named TCP tunnel
+conduit tunnel \
+  --server https://conduit.example.com \
+  --api_key your-secret-key \
+  --name my-service \
+  --target localhost:5432
+```
+
+The local tunnel monitor is available at `http://localhost:8181` for HTTP tunnels.
+
+## Configuration
+
+All options can be set via CLI flags or environment variables (`CONDUIT_` prefix):
+
+### Server (`conduit serve`)
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Public server address |
+| `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
+| `--bind` | `CONDUIT_BIND` | `0.0.0.0:8080` | Listen address |
+| `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
+| `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
+
+### Client (`conduit tunnel`)
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Conduit server address |
+| `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
+| `--name` | `CONDUIT_NAME` | (auto-generated) | Tunnel subdomain name |
+| `--target` | `CONDUIT_TARGET` | — | Local target address (required) |
+| `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
+| `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
+
+## Server API
+
+| Endpoint | Description |
+|----------|-------------|
+| `/_conduit/tunnel?tunnelName=<name>&apiKey=<key>` | WebSocket tunnel registration |
+| `/_conduit/info?apiKey=<key>` | JSON list of active tunnels |
+
+## Project Structure
+
+```
+├── cmd/             # Cobra CLI commands (root, serve, tunnel)
+├── config/          # Configuration parsing & logging setup
+├── server/          # HTTP server, subdomain routing, hijack + WebSocket upgrade
+├── tunnel/          # Tunnel, Stream, and Forwarder abstractions
+├── store/           # In-memory request/response recording for the monitor
+├── web/             # Local tunnel monitor HTTP server & SSE streaming
+├── types/           # Shared message types
+├── pkg/maps/        # Generic concurrent map
+├── build/           # Compiled binaries (gitignored in practice)
+├── Dockerfile       # Single-stage Docker build
+└── Makefile         # Build & release targets
+```
+
+## License
+
+See repository for license details.

client/client.go

@@ -1,159 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"net"
-	"net/url"
-	"sync"
-
-	"github.com/gorilla/websocket"
-	log "github.com/sirupsen/logrus"
-	"reichard.io/conduit/config"
-	"reichard.io/conduit/types"
-)
-
-func NewTunnel(cfg *config.ClientConfig) (*Tunnel, error) {
-	// Parse Server URL
-	serverURL, err := url.Parse(cfg.ServerAddress)
-	if err != nil {
-		return nil, err
-	}
-
-	// Parse Scheme
-	var wsScheme string
-	switch serverURL.Scheme {
-	case "https":
-		wsScheme = "wss"
-	case "http":
-		wsScheme = "ws"
-	default:
-		return nil, fmt.Errorf("unsupported scheme: %s", serverURL.Scheme)
-	}
-
-	// Create Tunnel Name
-	if cfg.TunnelName == "" {
-		cfg.TunnelName = generateTunnelName()
-		log.Infof("tunnel name not provided; generated: %s", cfg.TunnelName)
-	}
-
-	// Connect Server WS
-	wsURL := fmt.Sprintf("%s://%s/_conduit/tunnel?tunnelName=%s&apiKey=%s", wsScheme, serverURL.Host, cfg.TunnelName, cfg.APIKey)
-	serverConn, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect: %v", err)
-	}
-
-	return &Tunnel{
-		name:       cfg.TunnelName,
-		target:     cfg.TunnelTarget,
-		serverURL:  serverURL,
-		serverConn: serverConn,
-		localConns: make(map[string]net.Conn),
-	}, nil
-
-}
-
-type Tunnel struct {
-	name      string
-	target    string
-	serverURL *url.URL
-
-	serverConn *websocket.Conn
-	localConns map[string]net.Conn
-	mu         sync.RWMutex
-}
-
-func (t *Tunnel) Start() error {
-	log.Infof("starting tunnel: %s.%s -> %s\n", t.name, t.serverURL.Hostname(), t.target)
-	defer t.serverConn.Close()
-
-	// Handle Messages
-	for {
-		// Read Message
-		var msg types.Message
-		err := t.serverConn.ReadJSON(&msg)
-		if err != nil {
-			log.Errorf("error reading from tunnel: %v", err)
-			break
-		}
-
-		switch msg.Type {
-		case types.MessageTypeData:
-			localConn, err := t.getLocalConn(msg.StreamID)
-			if err != nil {
-				log.Errorf("failed to get local connection: %v", err)
-				continue
-			}
-
-			// Write data to local connection
-			if _, err := localConn.Write(msg.Data); err != nil {
-				log.Errorf("error writing to local connection: %v", err)
-				localConn.Close()
-				t.mu.Lock()
-				delete(t.localConns, msg.StreamID)
-				t.mu.Unlock()
-			}
-
-		case types.MessageTypeClose:
-			t.mu.Lock()
-			if localConn, exists := t.localConns[msg.StreamID]; exists {
-				localConn.Close()
-				delete(t.localConns, msg.StreamID)
-			}
-			t.mu.Unlock()
-		}
-	}
-
-	return nil
-}
-
-func (t *Tunnel) getLocalConn(streamID string) (net.Conn, error) {
-	// Get Cached Connection
-	t.mu.RLock()
-	localConn, exists := t.localConns[streamID]
-	t.mu.RUnlock()
-	if exists {
-		return localConn, nil
-	}
-
-	// Initiate Connection & Cache
-	localConn, err := net.Dial("tcp", t.target)
-	if err != nil {
-		log.Errorf("failed to connect to %s: %v", t.target, err)
-		return nil, err
-	}
-	t.mu.Lock()
-	t.localConns[streamID] = localConn
-	t.mu.Unlock()
-
-	// Start Response Relay & Return Connection
-	go t.startResponseRelay(streamID, localConn)
-	return localConn, nil
-}
-
-func (t *Tunnel) startResponseRelay(streamID string, localConn net.Conn) {
-	defer func() {
-		t.mu.Lock()
-		delete(t.localConns, streamID)
-		t.mu.Unlock()
-		localConn.Close()
-	}()
-
-	buffer := make([]byte, 4096)
-	for {
-		n, err := localConn.Read(buffer)
-		if err != nil {
-			break
-		}
-
-		response := types.Message{
-			Type:     types.MessageTypeData,
-			StreamID: streamID,
-			Data:     buffer[:n],
-		}
-
-		if err := t.serverConn.WriteJSON(response); err != nil {
-			break
-		}
-	}
-}

cmd/serve.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"context"
+
 	"reichard.io/conduit/config"
 	"reichard.io/conduit/server"
 
@@ -19,8 +21,11 @@ var serveCmd = &cobra.Command{
 			log.Fatal("failed to get server config:", err)
 		}
 
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
 		// Create Server
-		srv, err := server.NewServer(cfg)
+		srv, err := server.NewServer(ctx, cfg)
 		if err != nil {
 			log.Fatal("failed to create server:", err)
 		}

cmd/tunnel.go

@@ -1,10 +1,18 @@
 package cmd
 
 import (
+	"context"
+	"os"
+	"os/signal"
+	"sync"
+	"syscall"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"reichard.io/conduit/client"
 	"reichard.io/conduit/config"
+	"reichard.io/conduit/store"
+	"reichard.io/conduit/tunnel"
+	"reichard.io/conduit/web"
 )
 
 var tunnelCmd = &cobra.Command{
@@ -17,17 +25,39 @@ var tunnelCmd = &cobra.Command{
 			log.Fatal("failed to get client config:", err)
 		}
 
+		var wg sync.WaitGroup
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		// Create Tunnel Store
+		tunnelStore := store.NewTunnelStore(100)
+
+		// Create Forwarder
+		tunnelForwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+		if err != nil {
+			log.Fatal("failed to create tunnel forwarder:", err)
+		}
+		wg.Go(func() { tunnelForwarder.Start(ctx) })
+
 		// Create Tunnel
-		tunnel, err := client.NewTunnel(cfg)
+		tunnel, err := tunnel.NewClientTunnel(cfg, tunnelForwarder)
 		if err != nil {
 			log.Fatal("failed to create tunnel:", err)
 		}
+		wg.Go(func() { tunnel.Start(ctx) })
 
-		// Start Tunnel
+		// Create Server
-		log.Infof("creating TCP tunnel: %s -> %s", cfg.TunnelName, cfg.TunnelTarget)
+		webServer := web.NewWebServer(tunnelStore)
-		if err := tunnel.Start(); err != nil {
+		wg.Go(func() { webServer.Start(ctx) })
-			log.Fatal("failed to start tunnel:", err)
+
-		}
+		// Wait Interrupt
+		sigChan := make(chan os.Signal, 1)
+		signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
+		<-sigChan
+
+		log.Println("Shutting Down...")
+		cancel()
+		wg.Wait()
 	},
 }
 

config/config.go

@@ -1,10 +1,12 @@
 package config
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"reflect"
 	"strings"
 
@@ -23,6 +25,8 @@ type ConfigDef struct {
 type BaseConfig struct {
 	ServerAddress string `json:"server" description:"Conduit server address" default:"http://localhost:8080"`
 	APIKey        string `json:"api_key" description:"API Key for the conduit API"`
+	LogLevel      string `json:"log_level" default:"info" description:"Log level"`
+	LogFormat     string `json:"log_format" default:"text" description:"Log format - text or json"`
 }
 
 func (c *BaseConfig) Validate() error {
@@ -35,6 +39,9 @@ func (c *BaseConfig) Validate() error {
 	if _, err := url.Parse(c.ServerAddress); err != nil {
 		return fmt.Errorf("server is invalid: %w", err)
 	}
+	if c.LogFormat != "text" && c.LogFormat != "json" {
+		return fmt.Errorf("log format must be 'text' or 'json'")
+	}
 	return nil
 }
 
@@ -64,37 +71,43 @@ func GetServerConfig(cmdFlags *pflag.FlagSet) (*ServerConfig, error) {
 
 	cfgValues := make(map[string]string)
 	for _, def := range defs {
-		cfgValues[def.Key] = getConfigValue(cmdFlags, def)
+		cfgValues[def.Key] = getConfigValue(cmdFlags, nil, def)
 	}
 
 	cfg := &ServerConfig{
-		BaseConfig: BaseConfig{
+		BaseConfig:  getBaseConfig(cfgValues),
-			ServerAddress: cfgValues["server"],
-			APIKey:        cfgValues["api_key"],
-		},
 		BindAddress: cfgValues["bind"],
 	}
 
+	// Initialize Logger
+	initLogger(cfg.BaseConfig)
+
 	return cfg, cfg.Validate()
 }
 
 func GetClientConfig(cmdFlags *pflag.FlagSet) (*ClientConfig, error) {
 	defs := GetConfigDefs[ClientConfig]()
 
+	// Load Client Config File
+	fileValues, err := getClientConfigFileValues()
+	if err != nil {
+		return nil, err
+	}
+
 	cfgValues := make(map[string]string)
 	for _, def := range defs {
-		cfgValues[def.Key] = getConfigValue(cmdFlags, def)
+		cfgValues[def.Key] = getConfigValue(cmdFlags, fileValues, def)
 	}
 
 	cfg := &ClientConfig{
-		BaseConfig: BaseConfig{
+		BaseConfig:   getBaseConfig(cfgValues),
-			ServerAddress: cfgValues["server"],
-			APIKey:        cfgValues["api_key"],
-		},
 		TunnelName:   cfgValues["name"],
 		TunnelTarget: cfgValues["target"],
 	}
 
+	// Initialize Logger
+	initLogger(cfg.BaseConfig)
+
 	return cfg, cfg.Validate()
 }
 
@@ -108,10 +121,45 @@ func GetVersion() string {
 	return version
 }
 
-func getConfigValue(cmdFlags *pflag.FlagSet, def ConfigDef) string {
+func getBaseConfig(cfgValues map[string]string) BaseConfig {
+	return BaseConfig{
+		ServerAddress: cfgValues["server"],
+		APIKey:        cfgValues["api_key"],
+		LogLevel:      cfgValues["log_level"],
+		LogFormat:     cfgValues["log_format"],
+	}
+}
+
+func getClientConfigFileValues() (map[string]string, error) {
+	path, err := findConfigFile()
+	if err != nil {
+		return nil, err
+	}
+	if path == "" {
+		return nil, nil
+	}
+
+	// Load Config File
+	values, err := loadConfigFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Keep Client File Settings Explicit - Tunnel name and target are intentionally
+	// not read from the config file because they should be provided per invocation.
+	clientValues := make(map[string]string)
+	for key, value := range values {
+		if isClientFileConfigKey(key) {
+			clientValues[key] = value
+		}
+	}
+	return clientValues, nil
+}
+
+func getConfigValue(cmdFlags *pflag.FlagSet, fileValues map[string]string, def ConfigDef) string {
 	// 1. Get Flags First
 	if cmdFlags != nil {
-		if val, err := cmdFlags.GetString(def.Key); err == nil && val != "" {
+		if val, err := cmdFlags.GetString(def.Key); err == nil && val != "" && val != def.Default {
 			return val
 		}
 	}
@@ -121,10 +169,65 @@ func getConfigValue(cmdFlags *pflag.FlagSet, def ConfigDef) string {
 		return envVal
 	}
 
-	// 3. Defaults Last
+	// 3. Config File Next
+	if fileValues != nil {
+		if val := fileValues[def.Key]; val != "" {
+			return val
+		}
+	}
+
+	// 4. Defaults Last
 	return def.Default
 }
 
+func findConfigFile() (string, error) {
+	// Check Project Config
+	localPath := "conduit.json"
+	if _, err := os.Stat(localPath); err == nil {
+		return localPath, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		return "", err
+	}
+
+	// Check User Config
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return "", nil
+	}
+	userPath := filepath.Join(configDir, "conduit", "config.json")
+	if _, err := os.Stat(userPath); err == nil {
+		return userPath, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		return "", err
+	}
+
+	return "", nil
+}
+
+func loadConfigFile(path string) (map[string]string, error) {
+	// Read Config File
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Decode Config File
+	values := make(map[string]string)
+	if err := json.Unmarshal(data, &values); err != nil {
+		return nil, fmt.Errorf("failed to parse config file %s: %w", path, err)
+	}
+	return values, nil
+}
+
+func isClientFileConfigKey(key string) bool {
+	switch key {
+	case "server", "api_key", "log_level", "log_format":
+		return true
+	default:
+		return false
+	}
+}
+
 func processFields(t reflect.Type, defs *[]ConfigDef) {
 	for i := 0; i < t.NumField(); i++ {
 		field := t.Field(i)

config/config_test.go

@@ -0,0 +1,144 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/spf13/pflag"
+)
+
+func TestLoadConfigFile(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.json")
+	if err := os.WriteFile(path, []byte(`{"server":"https://example.com","api_key":"secret"}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Load Config File
+	values, err := loadConfigFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify Values
+	if values["server"] != "https://example.com" {
+		t.Fatalf("expected server from config file, got %q", values["server"])
+	}
+	if values["api_key"] != "secret" {
+		t.Fatalf("expected api_key from config file, got %q", values["api_key"])
+	}
+}
+
+func TestFindConfigFile(t *testing.T) {
+	workDir := t.TempDir()
+	configDir := t.TempDir()
+	oldDir, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := os.Chdir(oldDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+	if err := os.Chdir(workDir); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("XDG_CONFIG_HOME", configDir)
+
+	// Missing Config File
+	path, err := findConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if path != "" {
+		t.Fatalf("expected no config file, got %q", path)
+	}
+
+	// User Config File
+	userPath := filepath.Join(configDir, "conduit", "config.json")
+	if err := os.MkdirAll(filepath.Dir(userPath), 0o700); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(userPath, []byte(`{}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	path, err = findConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if path != userPath {
+		t.Fatalf("expected user config file %q, got %q", userPath, path)
+	}
+
+	// Local Config File Precedence
+	localPath := "conduit.json"
+	if err := os.WriteFile(localPath, []byte(`{}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	path, err = findConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if path != localPath {
+		t.Fatalf("expected local config file %q, got %q", localPath, path)
+	}
+}
+
+func TestGetConfigValuePriority(t *testing.T) {
+	def := ConfigDef{Key: "server", Env: "CONDUIT_SERVER", Default: "default"}
+	fileValues := map[string]string{"server": "file"}
+
+	// Config File Beats Default
+	if value := getConfigValue(nil, fileValues, def); value != "file" {
+		t.Fatalf("expected file value, got %q", value)
+	}
+
+	// Environment Beats Config File
+	t.Setenv("CONDUIT_SERVER", "env")
+	if value := getConfigValue(nil, fileValues, def); value != "env" {
+		t.Fatalf("expected env value, got %q", value)
+	}
+
+	// Flags Beat Environment
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("server", "default", "server")
+	if err := flags.Set("server", "flag"); err != nil {
+		t.Fatal(err)
+	}
+	if value := getConfigValue(flags, fileValues, def); value != "flag" {
+		t.Fatalf("expected flag value, got %q", value)
+	}
+}
+
+func TestGetClientConfigFileValuesIgnoresTunnelSettings(t *testing.T) {
+	workDir := t.TempDir()
+	oldDir, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := os.Chdir(oldDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+	if err := os.Chdir(workDir); err != nil {
+		t.Fatal(err)
+	}
+
+	// Write Local Config File
+	if err := os.WriteFile("conduit.json", []byte(`{"server":"https://example.com","api_key":"secret","name":"saved","target":"localhost:3000"}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	values, err := getClientConfigFileValues()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if values["server"] != "https://example.com" {
+		t.Fatalf("expected server from config file, got %q", values["server"])
+	}
+	if values["name"] != "" || values["target"] != "" {
+		t.Fatalf("expected tunnel settings to be ignored, got name=%q target=%q", values["name"], values["target"])
+	}
+}

config/logging.go

@@ -0,0 +1,61 @@
+package config
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func initLogger(cfg BaseConfig) {
+	// Parse Log Level
+	logLevel, err := log.ParseLevel(cfg.LogLevel)
+	if err != nil {
+		logLevel = log.InfoLevel
+	}
+	log.SetLevel(logLevel)
+
+	// Create Log Formatter
+	var logFormatter log.Formatter
+	switch cfg.LogFormat {
+	case "json":
+		log.SetReportCaller(true)
+		logFormatter = &log.JSONFormatter{
+			TimestampFormat:  time.RFC3339,
+			CallerPrettyfier: prettyCaller,
+		}
+	case "text":
+		logFormatter = &log.TextFormatter{
+			TimestampFormat: time.RFC3339,
+			FullTimestamp:   true,
+		}
+	}
+
+	log.SetFormatter(&utcFormatter{logFormatter})
+}
+
+func prettyCaller(f *runtime.Frame) (function string, file string) {
+	purgePrefix := "reichard.io/conduit/"
+
+	pathName := strings.Replace(f.Func.Name(), purgePrefix, "", 1)
+	parts := strings.Split(pathName, ".")
+
+	filepath, line := f.Func.FileLine(f.PC)
+	splitFilePath := strings.Split(filepath, "/")
+
+	fileName := fmt.Sprintf("%s/%s@%d", parts[0], splitFilePath[len(splitFilePath)-1], line)
+	functionName := strings.Replace(pathName, parts[0]+".", "", 1)
+
+	return functionName, fileName
+}
+
+type utcFormatter struct {
+	log.Formatter
+}
+
+func (cf utcFormatter) Format(e *log.Entry) ([]byte, error) {
+	e.Time = e.Time.UTC()
+	return cf.Formatter.Format(e)
+}

e2e_test.go

@@ -0,0 +1,864 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"reichard.io/conduit/config"
+	"reichard.io/conduit/server"
+	"reichard.io/conduit/store"
+	"reichard.io/conduit/tunnel"
+	"reichard.io/conduit/web"
+)
+
+// ---------- Helpers ----------
+
+// startConduitServer creates and starts a conduit server on a random port.
+// Returns the server address (host:port) and a cancel func for teardown.
+func startConduitServer(t *testing.T, apiKey string) (string, context.CancelFunc) {
+	t.Helper()
+
+	// Find Free Port
+	port := getFreePort(t)
+	bindAddr := fmt.Sprintf("127.0.0.1:%d", port)
+	serverAddr := fmt.Sprintf("http://%s", bindAddr)
+
+	cfg := &config.ServerConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: serverAddr,
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		BindAddress: bindAddr,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	srv, err := server.NewServer(ctx, cfg)
+	if err != nil {
+		cancel()
+		t.Fatalf("failed to create server: %v", err)
+	}
+
+	// Start Server in Background
+	errCh := make(chan error, 1)
+	go func() { errCh <- srv.Start() }()
+
+	// Wait for Server to Accept
+	waitForPort(t, bindAddr, 3*time.Second)
+
+	// Check Early Errors
+	select {
+	case err := <-errCh:
+		cancel()
+		t.Fatalf("server exited early: %v", err)
+	default:
+	}
+
+	return bindAddr, cancel
+}
+
+// startHTTPTarget creates a simple HTTP server that echoes request info.
+func startHTTPTarget(t *testing.T) (string, context.CancelFunc) {
+	t.Helper()
+
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Test-Header", "present")
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "echo: %s %s", r.Method, r.URL.Path)
+	})
+	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("ok"))
+	})
+	mux.HandleFunc("/post", func(w http.ResponseWriter, r *http.Request) {
+		body, _ := io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "received: %s", string(body))
+	})
+
+	srv := &http.Server{Addr: addr, Handler: mux}
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() { srv.ListenAndServe() }()
+	go func() { <-ctx.Done(); srv.Close() }()
+
+	waitForPort(t, addr, 3*time.Second)
+
+	return addr, cancel
+}
+
+// startTCPEchoTarget creates a TCP server that echoes back whatever it receives.
+func startTCPEchoTarget(t *testing.T) (string, context.CancelFunc) {
+	t.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to start tcp echo: %v", err)
+	}
+	addr := listener.Addr().String()
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		<-ctx.Done()
+		listener.Close()
+	}()
+
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				return
+			}
+			go func(c net.Conn) {
+				defer c.Close()
+				io.Copy(c, c)
+			}(conn)
+		}
+	}()
+
+	return addr, cancel
+}
+
+// connectTunnel creates a conduit tunnel client and starts it.
+func connectTunnel(t *testing.T, serverAddr, targetAddr, tunnelName, apiKey string) context.CancelFunc {
+	t.Helper()
+
+	cfg := &config.ClientConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: fmt.Sprintf("http://%s", serverAddr),
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		TunnelName:   tunnelName,
+		TunnelTarget: targetAddr,
+	}
+
+	// Create Tunnel Store
+	tunnelStore := store.NewTunnelStore(100)
+
+	// Create Forwarder
+	forwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+	if err != nil {
+		t.Fatalf("failed to create forwarder: %v", err)
+	}
+
+	var wg sync.WaitGroup
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Start Forwarder
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		forwarder.Start(ctx)
+	}()
+
+	// Create & Start Tunnel
+	tun, err := tunnel.NewClientTunnel(cfg, forwarder)
+	if err != nil {
+		cancel()
+		t.Fatalf("failed to create tunnel: %v", err)
+	}
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		tun.Start(ctx)
+	}()
+
+	// Start Web Server
+	webServer := web.NewWebServer(tunnelStore)
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		webServer.Start(ctx)
+	}()
+
+	// Brief Settle Time
+	time.Sleep(100 * time.Millisecond)
+
+	cleanup := func() {
+		cancel()
+		wg.Wait()
+	}
+	return cleanup
+}
+
+// sendHTTPViaTunnel sends an HTTP request through the conduit server to a tunnel.
+func sendHTTPViaTunnel(t *testing.T, serverAddr, tunnelName, method, path, body string) *http.Response {
+	t.Helper()
+
+	url := fmt.Sprintf("http://%s%s", serverAddr, path)
+	var bodyReader io.Reader
+	if body != "" {
+		bodyReader = strings.NewReader(body)
+	}
+
+	req, err := http.NewRequest(method, url, bodyReader)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+
+	// Route via Subdomain
+	req.Host = fmt.Sprintf("%s.%s", tunnelName, serverAddr)
+
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{DisableKeepAlives: true},
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	return resp
+}
+
+func readBody(t *testing.T, resp *http.Response) string {
+	t.Helper()
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read body: %v", err)
+	}
+	return string(b)
+}
+
+func getFreePort(t *testing.T) int {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to get free port: %v", err)
+	}
+	port := l.Addr().(*net.TCPAddr).Port
+	l.Close()
+	return port
+}
+
+func waitForPort(t *testing.T, addr string, timeout time.Duration) {
+	t.Helper()
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
+		if err == nil {
+			conn.Close()
+			return
+		}
+		time.Sleep(25 * time.Millisecond)
+	}
+	t.Fatalf("port %s not ready after %s", addr, timeout)
+}
+
+// ---------- Tests ----------
+
+func TestHTTPTunnelRoundTrip(t *testing.T) {
+	apiKey := "test-key-http"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "http-test", apiKey)
+	defer stopTunnel()
+
+	// GET /
+	resp := sendHTTPViaTunnel(t, serverAddr, "http-test", "GET", "/", "")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "echo: GET /") {
+		t.Errorf("unexpected body: %s", body)
+	}
+
+	// GET /health
+	resp = sendHTTPViaTunnel(t, serverAddr, "http-test", "GET", "/health", "")
+	body = readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if body != "ok" {
+		t.Errorf("expected 'ok', got %q", body)
+	}
+}
+
+func TestHTTPTunnelPOST(t *testing.T) {
+	apiKey := "test-key-post"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "post-test", apiKey)
+	defer stopTunnel()
+
+	// POST /post
+	resp := sendHTTPViaTunnel(t, serverAddr, "post-test", "POST", "/post", "hello world")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "received: hello world") {
+		t.Errorf("unexpected body: %s", body)
+	}
+}
+
+func TestUnknownTunnelReturns404(t *testing.T) {
+	apiKey := "test-key-404"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Request to Non-Existent Tunnel
+	resp := sendHTTPViaTunnel(t, serverAddr, "no-such-tunnel", "GET", "/", "")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "unknown tunnel") {
+		t.Errorf("expected 'unknown tunnel' error, got: %s", body)
+	}
+}
+
+func TestDuplicateTunnelNameRejected(t *testing.T) {
+	apiKey := "test-key-dup"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect First Tunnel
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "dup-test", apiKey)
+	defer stopTunnel1()
+
+	// Attempt Duplicate — this should fail at WebSocket dial
+	cfg := &config.ClientConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: fmt.Sprintf("http://%s", serverAddr),
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		TunnelName:   "dup-test",
+		TunnelTarget: fmt.Sprintf("http://%s", targetAddr),
+	}
+
+	tunnelStore := store.NewTunnelStore(100)
+	forwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+	if err != nil {
+		t.Fatalf("failed to create forwarder: %v", err)
+	}
+
+	_, err = tunnel.NewClientTunnel(cfg, forwarder)
+	if err == nil {
+		t.Error("expected error for duplicate tunnel name, got nil")
+	}
+}
+
+func TestUnauthorizedControlAccess(t *testing.T) {
+	apiKey := "test-key-auth"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Request Info with Wrong API Key
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=wrong-key", serverAddr)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", resp.StatusCode)
+	}
+}
+
+func TestInfoEndpointListsTunnels(t *testing.T) {
+	apiKey := "test-key-info"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "info-test", apiKey)
+	defer stopTunnel()
+
+	// Query Info Endpoint
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=%s", serverAddr, apiKey)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "info-test") {
+		t.Errorf("expected tunnel 'info-test' in response: %s", body)
+	}
+}
+
+func TestMultipleTunnelsRouteCorrectly(t *testing.T) {
+	apiKey := "test-key-multi"
+
+	// Start Two Separate Target Servers
+	target1Addr, stopTarget1 := startHTTPTarget(t)
+	defer stopTarget1()
+
+	port2 := getFreePort(t)
+	addr2 := fmt.Sprintf("127.0.0.1:%d", port2)
+	mux2 := http.NewServeMux()
+	mux2.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, "target-two")
+	})
+	srv2 := &http.Server{Addr: addr2, Handler: mux2}
+	go srv2.ListenAndServe()
+	defer srv2.Close()
+	waitForPort(t, addr2, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Two Tunnels
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", target1Addr), "multi-one", apiKey)
+	defer stopTunnel1()
+
+	stopTunnel2 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr2), "multi-two", apiKey)
+	defer stopTunnel2()
+
+	// Request to First Tunnel
+	resp1 := sendHTTPViaTunnel(t, serverAddr, "multi-one", "GET", "/", "")
+	body1 := readBody(t, resp1)
+	if !strings.Contains(body1, "echo: GET /") {
+		t.Errorf("tunnel one unexpected body: %s", body1)
+	}
+
+	// Request to Second Tunnel
+	resp2 := sendHTTPViaTunnel(t, serverAddr, "multi-two", "GET", "/", "")
+	body2 := readBody(t, resp2)
+	if body2 != "target-two" {
+		t.Errorf("tunnel two expected 'target-two', got: %s", body2)
+	}
+}
+
+func TestServerGracefulShutdown(t *testing.T) {
+	apiKey := "test-key-shutdown"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+
+	// Cancel Server
+	stopServer()
+
+	// Verify Port Is Closed
+	time.Sleep(200 * time.Millisecond)
+	conn, err := net.DialTimeout("tcp", serverAddr, 500*time.Millisecond)
+	if err == nil {
+		conn.Close()
+		t.Error("expected server port to be closed after shutdown")
+	}
+}
+
+// ---------- HTTP Response Quality Tests ----------
+
+func TestHTTPResponseHasProperHeaders(t *testing.T) {
+	apiKey := "test-key-headers"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "hdr-test", apiKey)
+	defer stopTunnel()
+
+	// Send Request Through Tunnel
+	resp := sendHTTPViaTunnel(t, serverAddr, "hdr-test", "GET", "/", "")
+	defer resp.Body.Close()
+
+	// Verify Proper HTTP Semantics
+	if resp.Proto != "HTTP/1.1" {
+		t.Errorf("expected HTTP/1.1, got %s", resp.Proto)
+	}
+	if resp.Header.Get("X-Test-Header") != "present" {
+		t.Errorf("expected X-Test-Header: present, got %q", resp.Header.Get("X-Test-Header"))
+	}
+	if resp.ContentLength <= 0 && resp.TransferEncoding == nil {
+		t.Errorf("expected Content-Length or Transfer-Encoding, got neither")
+	}
+}
+
+func TestHTTPControlEndpointResponseQuality(t *testing.T) {
+	apiKey := "test-key-ctrl-quality"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// 404 on Unknown Tunnel — Verify stdlib response format
+	resp := sendHTTPViaTunnel(t, serverAddr, "nope", "GET", "/", "")
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", resp.StatusCode)
+	}
+
+	// Content-Type Should Be Set by http.Error
+	ct := resp.Header.Get("Content-Type")
+	if !strings.Contains(ct, "text/plain") {
+		t.Errorf("expected text/plain Content-Type, got %q", ct)
+	}
+
+	// Content-Length Should Be Present
+	if resp.ContentLength <= 0 {
+		t.Errorf("expected positive Content-Length, got %d", resp.ContentLength)
+	}
+
+	// Info Endpoint — JSON response quality
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=%s", serverAddr, apiKey)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp2, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
+	if err != nil {
+		t.Fatalf("info request failed: %v", err)
+	}
+	defer resp2.Body.Close()
+
+	if resp2.Header.Get("Content-Type") != "application/json" {
+		t.Errorf("expected application/json, got %q", resp2.Header.Get("Content-Type"))
+	}
+}
+
+// ---------- Large Body Tests ----------
+
+func TestHTTPLargeResponseBody(t *testing.T) {
+	apiKey := "test-key-large-resp"
+
+	// Start Target That Returns a Large Body
+	largeBody := strings.Repeat("A", 1024*1024) // 1 MB
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/large", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(largeBody))
+	})
+	srv := &http.Server{Addr: addr, Handler: mux}
+	go srv.ListenAndServe()
+	defer srv.Close()
+	waitForPort(t, addr, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr), "large-resp", apiKey)
+	defer stopTunnel()
+
+	// Request Large Response
+	resp := sendHTTPViaTunnel(t, serverAddr, "large-resp", "GET", "/large", "")
+	body := readBody(t, resp)
+
+	if len(body) != len(largeBody) {
+		t.Errorf("expected %d bytes, got %d", len(largeBody), len(body))
+	}
+}
+
+func TestHTTPLargeRequestBody(t *testing.T) {
+	apiKey := "test-key-large-req"
+
+	// Start Target That Echoes Body Size
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/upload", func(w http.ResponseWriter, r *http.Request) {
+		data, _ := io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "size:%d", len(data))
+	})
+	srv := &http.Server{Addr: addr, Handler: mux}
+	go srv.ListenAndServe()
+	defer srv.Close()
+	waitForPort(t, addr, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr), "large-req", apiKey)
+	defer stopTunnel()
+
+	// Send Large Request Body (512 KB)
+	largePayload := strings.Repeat("B", 512*1024)
+	resp := sendHTTPViaTunnel(t, serverAddr, "large-req", "POST", "/upload", largePayload)
+	body := readBody(t, resp)
+
+	expected := fmt.Sprintf("size:%d", len(largePayload))
+	if body != expected {
+		t.Errorf("expected %q, got %q", expected, body)
+	}
+}
+
+// ---------- TCP Tunnel Tests ----------
+
+func TestTCPTunnelEcho(t *testing.T) {
+	apiKey := "test-key-tcp"
+
+	// Start TCP Echo Server
+	tcpAddr, stopTCP := startTCPEchoTarget(t)
+	defer stopTCP()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect TCP Tunnel (bare host:port — the realistic way users would specify it)
+	stopTunnel := connectTunnel(t, serverAddr, tcpAddr, "tcp-test", apiKey)
+	defer stopTunnel()
+
+	// Send Raw HTTP Request Through Tunnel to TCP Echo
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer conn.Close()
+
+	// Write a Raw HTTP Request (the TCP echo will bounce it back)
+	reqLine := fmt.Sprintf("GET / HTTP/1.1\r\nHost: tcp-test.%s\r\n\r\n", serverAddr)
+	_, err = conn.Write([]byte(reqLine))
+	if err != nil {
+		t.Fatalf("failed to write: %v", err)
+	}
+
+	// Read Echoed Data
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil {
+		t.Fatalf("failed to read echo: %v", err)
+	}
+
+	response := string(buf[:n])
+	if !strings.Contains(response, "GET / HTTP/1.1") {
+		t.Errorf("expected echoed request, got: %q", response)
+	}
+}
+
+func TestTCPTunnelLargePayload(t *testing.T) {
+	apiKey := "test-key-tcp-large"
+
+	// Start TCP Echo Server
+	tcpAddr, stopTCP := startTCPEchoTarget(t)
+	defer stopTCP()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect TCP Tunnel (bare host:port)
+	stopTunnel := connectTunnel(t, serverAddr, tcpAddr, "tcp-large", apiKey)
+	defer stopTunnel()
+
+	// Connect and Send Large Payload
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer conn.Close()
+
+	// Route via Host Header Then Send 64 KB Payload
+	header := fmt.Sprintf("POST /data HTTP/1.1\r\nHost: tcp-large.%s\r\nContent-Length: 65536\r\n\r\n", serverAddr)
+	payload := header + strings.Repeat("X", 64*1024)
+
+	_, err = conn.Write([]byte(payload))
+	if err != nil {
+		t.Fatalf("failed to write: %v", err)
+	}
+
+	// Read All Echoed Data
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	var received []byte
+	buf := make([]byte, 8192)
+	for len(received) < len(payload) {
+		n, err := conn.Read(buf)
+		if err != nil {
+			break
+		}
+		received = append(received, buf[:n]...)
+	}
+
+	if len(received) != len(payload) {
+		t.Errorf("expected %d bytes echoed, got %d", len(payload), len(received))
+	}
+}
+
+// ---------- Concurrency Tests ----------
+
+func TestConcurrentHTTPRequests(t *testing.T) {
+	apiKey := "test-key-concurrent"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "conc-test", apiKey)
+	defer stopTunnel()
+
+	// Fire 20 Concurrent Requests
+	const numRequests = 20
+	var wg sync.WaitGroup
+	errors := make(chan string, numRequests)
+
+	for i := range numRequests {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/item/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "conc-test", "GET", path, "")
+			body := readBody(t, resp)
+
+			expected := fmt.Sprintf("echo: GET %s", path)
+			if !strings.Contains(body, expected) {
+				errors <- fmt.Sprintf("request %d: expected %q, got %q", idx, expected, body)
+			}
+			if resp.StatusCode != http.StatusOK {
+				errors <- fmt.Sprintf("request %d: expected 200, got %d", idx, resp.StatusCode)
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(errors)
+
+	for errMsg := range errors {
+		t.Error(errMsg)
+	}
+}
+
+func TestConcurrentMultiTunnelRequests(t *testing.T) {
+	apiKey := "test-key-conc-multi"
+
+	// Start Two Target Servers
+	target1Addr, stopTarget1 := startHTTPTarget(t)
+	defer stopTarget1()
+
+	port2 := getFreePort(t)
+	addr2 := fmt.Sprintf("127.0.0.1:%d", port2)
+	mux2 := http.NewServeMux()
+	mux2.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "server-two: %s", r.URL.Path)
+	})
+	srv2 := &http.Server{Addr: addr2, Handler: mux2}
+	go srv2.ListenAndServe()
+	defer srv2.Close()
+	waitForPort(t, addr2, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Two Tunnels
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", target1Addr), "cm-one", apiKey)
+	defer stopTunnel1()
+
+	stopTunnel2 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr2), "cm-two", apiKey)
+	defer stopTunnel2()
+
+	// Fire Concurrent Requests to Both Tunnels
+	const perTunnel = 10
+	var wg sync.WaitGroup
+	errors := make(chan string, perTunnel*2)
+
+	for i := range perTunnel {
+		wg.Add(2)
+
+		// Requests to Tunnel One
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/a/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "cm-one", "GET", path, "")
+			body := readBody(t, resp)
+			if !strings.Contains(body, fmt.Sprintf("echo: GET %s", path)) {
+				errors <- fmt.Sprintf("tunnel-one req %d: got %q", idx, body)
+			}
+		}(i)
+
+		// Requests to Tunnel Two
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/b/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "cm-two", "GET", path, "")
+			body := readBody(t, resp)
+			if !strings.Contains(body, fmt.Sprintf("server-two: %s", path)) {
+				errors <- fmt.Sprintf("tunnel-two req %d: got %q", idx, body)
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(errors)
+
+	for errMsg := range errors {
+		t.Error(errMsg)
+	}
+}

flake.lock

@@ -20,16 +20,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1758216857,
+        "lastModified": 1777578337,
-        "narHash": "sha256-h1BW2y7CY4LI9w61R02wPaOYfmYo82FyRqHIwukQ6SY=",
+        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d2ed99647a4b195f0bcc440f76edfa10aeb3b743",
+        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,12 +2,18 @@
   description = "Development Environment";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils }:
+  outputs =
-    flake-utils.lib.eachDefaultSystem (system:
+    { self
+    , nixpkgs
+    , flake-utils
+    ,
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
       let
         pkgs = nixpkgs.legacyPackages.${system};
       in
@@ -15,6 +21,7 @@
         devShells.default = pkgs.mkShell {
           packages = with pkgs; [
             go
+            gopls
             golangci-lint
           ];
           shellHook = ''

go.mod

@@ -1,12 +1,14 @@
 module reichard.io/conduit
 
-go 1.24.4
+go 1.25.1
 
 require (
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cobra v1.10.1 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+	maragu.dev/gomponents v1.2.0 // indirect
 )

go.sum

@@ -1,6 +1,8 @@
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -20,3 +22,5 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+maragu.dev/gomponents v1.2.0 h1:H7/N5htz1GCnhu0HB1GasluWeU2rJZOYztVEyN61iTc=
+maragu.dev/gomponents v1.2.0/go.mod h1:oEDahza2gZoXDoDHhw8jBNgH+3UR5ni7Ur648HORydM=

pkg/maps/map.go

@@ -0,0 +1,53 @@
+package maps
+
+import (
+	"iter"
+	"sync"
+)
+
+type Map[K comparable, V any] struct {
+	items map[K]V
+	mu    sync.RWMutex
+}
+
+func New[K comparable, V any]() *Map[K, V] {
+	return &Map[K, V]{items: make(map[K]V)}
+}
+
+func (m *Map[K, V]) Get(key K) (V, bool) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	v, ok := m.items[key]
+	return v, ok
+}
+
+func (m *Map[K, V]) Set(key K, value V) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.items[key] = value
+}
+
+func (m *Map[K, V]) Delete(key K) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	delete(m.items, key)
+}
+
+func (m *Map[K, V]) HasKey(key K) bool {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	_, ok := m.items[key]
+	return ok
+}
+
+func (m *Map[K, V]) Entries() iter.Seq2[K, V] {
+	return func(yield func(K, V) bool) {
+		m.mu.RLock()
+		defer m.mu.RUnlock()
+		for k, v := range m.items {
+			if !yield(k, v) {
+				return
+			}
+		}
+	}
+}

server/reconstructed_conn.go

@@ -0,0 +1,29 @@
+package server
+
+import (
+	"io"
+	"net"
+)
+
+var _ io.ReadWriteCloser = (*reconstructedConn)(nil)
+
+// reconstructedConn wraps a net.Conn and overrides Read to handle captured data.
+type reconstructedConn struct {
+	net.Conn
+	reader io.Reader
+}
+
+// Read reads from the reconstructed reader (prepended data + original conn).
+func (rc *reconstructedConn) Read(p []byte) (n int, err error) {
+	return rc.reader.Read(p)
+}
+
+// newReconstructedConn creates a reconstructed connection that replays the provided
+// readers in order before reading from the underlying connection.
+func newReconstructedConn(conn net.Conn, readers ...io.Reader) net.Conn {
+	allReaders := append(readers, conn)
+	return &reconstructedConn{
+		Conn:   conn,
+		reader: io.MultiReader(allReaders...),
+	}
+}

server/server.go

@@ -1,23 +1,21 @@
 package server
 
 import (
-	"bufio"
 	"bytes"
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"net"
 	"net/http"
 	"net/url"
 	"strings"
-	"sync"
+	"sync/atomic"
-	"time"
 
 	"github.com/gorilla/websocket"
 	log "github.com/sirupsen/logrus"
 	"reichard.io/conduit/config"
-	"reichard.io/conduit/types"
+	"reichard.io/conduit/pkg/maps"
+	"reichard.io/conduit/tunnel"
 )
 
 type InfoResponse struct {
@@ -30,22 +28,17 @@ type TunnelInfo struct {
 	Target string `json:"target"`
 }
 
-type TunnelConnection struct {
-	*websocket.Conn
-	name    string
-	streams map[string]chan []byte
-}
-
 type Server struct {
+	ctx  context.Context
 	host string
 	cfg  *config.ServerConfig
-	mu   sync.RWMutex
 
 	upgrader websocket.Upgrader
-	tunnels  map[string]*TunnelConnection
+	tunnels  *maps.Map[string, *tunnel.Tunnel]
+	streamID atomic.Uint64
 }
 
-func NewServer(cfg *config.ServerConfig) (*Server, error) {
+func NewServer(ctx context.Context, cfg *config.ServerConfig) (*Server, error) {
 	serverURL, err := url.Parse(cfg.ServerAddress)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse server address: %v", err)
@@ -54,9 +47,10 @@ func NewServer(cfg *config.ServerConfig) (*Server, error) {
 	}
 
 	return &Server{
+		ctx:     ctx,
 		cfg:     cfg,
 		host:    serverURL.Host,
-		tunnels: make(map[string]*TunnelConnection),
+		tunnels: maps.New[string, *tunnel.Tunnel](),
 		upgrader: websocket.Upgrader{
 			CheckOrigin: func(r *http.Request) bool {
 				return true
@@ -66,38 +60,115 @@ func NewServer(cfg *config.ServerConfig) (*Server, error) {
 }
 
 func (s *Server) Start() error {
-	// Raw TCP Listener - This is necessary so we can conditionally either relay
+	// HTTP Server - Uses stdlib http.Server for proper HTTP response handling
-	// the raw TCP connection, or handle conduit control server API requests.
+	// including Content-Length, chunked encoding, and keep-alive semantics.
-	listener, err := net.Listen("tcp", s.cfg.BindAddress)
+	httpServer := &http.Server{
-	if err != nil {
+		Addr:    s.cfg.BindAddress,
+		Handler: s,
+	}
+
+	// Context Cancellation - Gracefully shut down when the context is cancelled.
+	go func() {
+		<-s.ctx.Done()
+		log.Info("conduit server shutting down")
+		httpServer.Close()
+	}()
+
+	// Start Server
+	log.Infof("conduit server listening on %s", s.cfg.BindAddress)
+	if err := httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 		return err
 	}
-	defer listener.Close()
+	return nil
+}
 
-	// Start Listening
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	log.Infof("conduit server listening on %s", s.cfg.BindAddress)
+	// Get True Host
-	for {
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		conn, err := listener.Accept()
+		r.RemoteAddr = xff
+	}
+
+	// Validate Host
+	if !strings.Contains(r.Host, s.host) {
+		http.Error(w, fmt.Sprintf("unknown host: %s", r.Host), http.StatusBadRequest)
+		return
+	}
+
+	// Extract Subdomain
+	tunnelName := strings.TrimSuffix(strings.Replace(r.Host, s.host, "", 1), ".")
+	if strings.Count(tunnelName, ".") != 0 {
+		http.Error(w, fmt.Sprintf("cannot tunnel nested subdomains: %s", r.Host), http.StatusBadRequest)
+		return
+	}
+
+	// Handle Control Endpoints
+	if tunnelName == "" {
+		s.handleAsHTTP(w, r)
+		return
+	}
+
+	// Handle Tunnel Requests
+	s.handleTunnelRequest(w, r, tunnelName)
+}
+
+func (s *Server) handleTunnelRequest(w http.ResponseWriter, r *http.Request, tunnelName string) {
+	// Get Tunnel
+	conduitTunnel, exists := s.tunnels.Get(tunnelName)
+	if !exists {
+		http.Error(w, fmt.Sprintf("unknown tunnel: %s", tunnelName), http.StatusNotFound)
+		return
+	}
+
+	// Hijack Connection - Take over the raw TCP connection from the HTTP server
+	// so we can forward the full request (including body) through the tunnel.
+	hj, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "hijack not supported", http.StatusInternalServerError)
+		return
+	}
+	conn, bufrw, err := hj.Hijack()
 	if err != nil {
-			log.Printf("error accepting connection: %v", err)
+		http.Error(w, fmt.Sprintf("hijack failed: %v", err), http.StatusInternalServerError)
-			continue
+		return
 	}
 
-		go s.handleRawConnection(conn)
+	// Re-Serialize Request Headers - The HTTP server already consumed the request
+	// from the connection. We re-serialize it so the tunnel client receives a
+	// complete HTTP request to forward to the local target.
+	var reqBuf bytes.Buffer
+	fmt.Fprintf(&reqBuf, "%s %s %s\r\n", r.Method, r.RequestURI, r.Proto)
+	fmt.Fprintf(&reqBuf, "Host: %s\r\n", r.Host)
+	_ = r.Header.Write(&reqBuf)
+	reqBuf.WriteString("\r\n")
+
+	// Reconstruct Connection - Combine re-serialized headers with any buffered
+	// body data (from the hijacked reader) and the raw connection.
+	reconstructedConn := newReconstructedConn(conn, &reqBuf, bufrw)
+
+	// Create Stream
+	streamID := fmt.Sprintf("stream_%d", s.streamID.Add(1))
+	tunnelStream := tunnel.NewStream(reconstructedConn, r.RemoteAddr, conduitTunnel.Source())
+
+	// Add Stream
+	if err := conduitTunnel.AddStream(tunnelStream, streamID); err != nil {
+		log.WithError(err).Error("failed to add stream")
+		conn.Close()
+		return
 	}
+
+	// Start Stream
+	conduitTunnel.StartStream(s.ctx, tunnelStream, streamID)
 }
 
 func (s *Server) getInfo(w http.ResponseWriter, _ *http.Request) {
 	// Get Tunnels
 	var allTunnels []TunnelInfo
-	s.mu.RLock()
+	for t, c := range s.tunnels.Entries() {
-	for t, c := range s.tunnels {
 		allTunnels = append(allTunnels, TunnelInfo{
 			Name:   t,
-			Target: c.RemoteAddr().String(),
+			Target: c.Source(),
 		})
 	}
-	s.mu.RUnlock()
 
 	// Create Response
 	d, err := json.MarshalIndent(InfoResponse{
@@ -105,126 +176,17 @@ func (s *Server) getInfo(w http.ResponseWriter, _ *http.Request) {
 		Version: config.GetVersion(),
 	}, "", "  ")
 	if err != nil {
+		log.WithError(err).Error("failed to marshal info")
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
 	// Send Response
 	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
 	_, _ = w.Write(d)
 }
 
-func (s *Server) proxyRawConnection(clientConn net.Conn, tunnelConn *TunnelConnection, dataReader io.Reader) {
-	defer clientConn.Close()
-
-	// Create Identifiers
-	streamID := fmt.Sprintf("stream_%d", time.Now().UnixNano())
-	responseChan := make(chan []byte, 100)
-
-	// Register Stream
-	s.mu.Lock()
-	if tunnelConn.streams == nil {
-		tunnelConn.streams = make(map[string]chan []byte)
-	}
-	tunnelConn.streams[streamID] = responseChan
-	s.mu.Unlock()
-
-	// Clean Up
-	defer func() {
-		s.mu.Lock()
-		delete(tunnelConn.streams, streamID)
-		close(responseChan)
-		s.mu.Unlock()
-
-		// Send Close
-		closeMsg := types.Message{
-			Type:     types.MessageTypeClose,
-			StreamID: streamID,
-		}
-		_ = tunnelConn.WriteJSON(closeMsg)
-	}()
-
-	// Read & Send Chunks
-	go func() {
-		buffer := make([]byte, 4096)
-		for {
-			n, err := dataReader.Read(buffer)
-			if err != nil {
-				return
-			}
-
-			if err := tunnelConn.WriteJSON(types.Message{
-				Type:     types.MessageTypeData,
-				StreamID: streamID,
-				Data:     buffer[:n],
-			}); err != nil {
-				return
-			}
-		}
-	}()
-
-	// Return Response Data
-	for data := range responseChan {
-		if _, err := clientConn.Write(data); err != nil {
-			break
-		}
-	}
-}
-
-func (s *Server) handleRawConnection(conn net.Conn) {
-	defer conn.Close()
-
-	// Capture Consumed Data - When determining where to route the request, we
-	// have to read the host headers. This requires reading from the buffer, so
-	// if we later decide to tunnel the TCP connection we need to reconstruct the
-	// data from the buffer.
-	var capturedData bytes.Buffer
-	teeReader := io.TeeReader(conn, &capturedData)
-	bufReader := bufio.NewReader(teeReader)
-
-	// Create HTTP Request & Writer
-	w := &connResponseWriter{conn: conn}
-	r, err := http.ReadRequest(bufReader)
-	if err != nil {
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-	defer r.Body.Close()
-
-	// Validate Host
-	if !strings.Contains(r.Host, s.host) {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = fmt.Fprintf(w, "unknown host: %s", r.Host)
-		return
-	}
-
-	// Extract Subdomain
-	subdomain := strings.TrimSuffix(strings.Replace(r.Host, s.host, "", 1), ".")
-	if strings.Count(subdomain, ".") != 0 {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = fmt.Fprintf(w, "cannot tunnel nested subdomains: %s", r.Host)
-		return
-	}
-
-	// Handle Control Endpoints
-	if subdomain == "" {
-		s.handleAsHTTP(w, r)
-		return
-	}
-
-	// Handle Tunnels
-	s.mu.RLock()
-	tunnelConn, exists := s.tunnels[subdomain]
-	s.mu.RUnlock()
-	if exists {
-		log.Infof("relaying %s to tunnel", subdomain)
-
-		// Reconstruct Data & Proxy Connection
-		allReader := io.MultiReader(&capturedData, r.Body)
-		s.proxyRawConnection(conn, tunnelConn, allReader)
-	}
-}
-
 func (s *Server) handleAsHTTP(w http.ResponseWriter, r *http.Request) {
 	// Authorize Control Endpoints
 	apiKey := r.URL.Query().Get("apiKey")
@@ -245,53 +207,17 @@ func (s *Server) handleAsHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (s *Server) handleTunnelMessages(tunnel *TunnelConnection) {
-	for {
-		var msg types.Message
-		err := tunnel.ReadJSON(&msg)
-		if err != nil {
-			return
-		}
-
-		if msg.StreamID == "" {
-			log.Infof("tunnel %s missing streamID", tunnel.name)
-			continue
-		}
-
-		switch msg.Type {
-		case types.MessageTypeClose:
-			return
-		case types.MessageTypeData:
-			s.mu.RLock()
-			streamChan, exists := tunnel.streams[msg.StreamID]
-			if !exists {
-				log.Infof("stream %s does not exist", msg.StreamID)
-				s.mu.RUnlock()
-				continue
-			}
-
-			select {
-			case streamChan <- msg.Data:
-			case <-time.After(time.Second):
-				log.Warnf("stream %s channel full, dropping data", msg.StreamID)
-			}
-			s.mu.RUnlock()
-		}
-	}
-}
 func (s *Server) createTunnel(w http.ResponseWriter, r *http.Request) {
 	// Get Tunnel Name
 	tunnelName := r.URL.Query().Get("tunnelName")
 	if tunnelName == "" {
-		w.WriteHeader(http.StatusBadRequest)
+		http.Error(w, "Missing tunnelName parameter", http.StatusBadRequest)
-		_, _ = w.Write([]byte("Missing tunnelName parameter"))
 		return
 	}
 
 	// Validate Unique
-	if _, exists := s.tunnels[tunnelName]; exists {
+	if _, exists := s.tunnels.Get(tunnelName); exists {
-		w.WriteHeader(http.StatusConflict)
+		http.Error(w, "Tunnel already registered", http.StatusConflict)
-		_, _ = w.Write([]byte("Tunnel already registered"))
 		return
 	}
 
@@ -302,26 +228,14 @@ func (s *Server) createTunnel(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Create & Cache TunnelConnection
+	// Create Tunnel
-	tunnel := &TunnelConnection{
+	conduitTunnel := tunnel.NewServerTunnel(tunnelName, wsConn)
-		Conn:    wsConn,
+	s.tunnels.Set(tunnelName, conduitTunnel)
-		name:    tunnelName,
-		streams: make(map[string]chan []byte),
-	}
-	s.mu.Lock()
-	s.tunnels[tunnelName] = tunnel
-	s.mu.Unlock()
-	log.Infof("tunnel established: %s", tunnelName)
 
-	// Keep connection alive and handle cleanup
+	// Start Tunnel - This is blocking
-	defer func() {
+	conduitTunnel.Start(s.ctx)
-		s.mu.Lock()
+
-		delete(s.tunnels, tunnelName)
+	// Cleanup Tunnel
-		s.mu.Unlock()
+	s.tunnels.Delete(tunnelName)
 	_ = wsConn.Close()
-		log.Infof("tunnel closed: %s", tunnelName)
-	}()
-
-	// Handle tunnel messages
-	s.handleTunnelMessages(tunnel)
 }

server/writer.go

@@ -1,48 +0,0 @@
-package server
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"net/http"
-)
-
-var _ http.ResponseWriter = (*connResponseWriter)(nil)
-
-type connResponseWriter struct {
-	conn   net.Conn
-	header http.Header
-}
-
-func (f *connResponseWriter) Header() http.Header {
-	if f.header == nil {
-		f.header = make(http.Header)
-	}
-	return f.header
-}
-
-func (f *connResponseWriter) Write(data []byte) (int, error) {
-	return f.conn.Write(data)
-}
-
-func (f *connResponseWriter) WriteHeader(statusCode int) {
-	// Write Status
-	status := fmt.Sprintf("HTTP/1.1 %d %s\r\n", statusCode, http.StatusText(statusCode))
-	_, _ = f.conn.Write([]byte(status))
-
-	// Write Headers
-	for key, values := range f.header {
-		for _, value := range values {
-			_, _ = fmt.Fprintf(f.conn, "%s: %s\r\n", key, value)
-		}
-	}
-
-	// End Headers
-	_, _ = f.conn.Write([]byte("\r\n"))
-}
-
-func (f *connResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	// Return Raw Connection & ReadWriter
-	rw := bufio.NewReadWriter(bufio.NewReader(f.conn), bufio.NewWriter(f.conn))
-	return f.conn, rw, nil
-}

store/context.go

@@ -0,0 +1,18 @@
+package store
+
+import (
+	"context"
+)
+
+type contextKey struct{}
+
+var recordIDKey = contextKey{}
+
+func withRecord(ctx context.Context, rec *TunnelRecord) context.Context {
+	return context.WithValue(ctx, recordIDKey, rec)
+}
+
+func getRecord(ctx context.Context) (*TunnelRecord, bool) {
+	id, ok := ctx.Value(recordIDKey).(*TunnelRecord)
+	return id, ok
+}

store/record.go

@@ -0,0 +1,69 @@
+package store
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type TunnelRecord struct {
+	ID         uuid.UUID
+	Time       time.Time
+	URL        *url.URL
+	Method     string
+	Status     int
+	SourceAddr string
+
+	RequestHeaders  http.Header
+	RequestBodyType string
+	RequestBody     []byte
+
+	ResponseHeaders  http.Header
+	ResponseBodyType string
+	ResponseBody     []byte
+}
+
+func (tr *TunnelRecord) MarshalJSON() ([]byte, error) {
+	type Alias TunnelRecord
+	return json.Marshal(&struct {
+		*Alias
+		URL  string `json:"URL"`
+		Time string `json:"Time"`
+	}{
+		Alias: (*Alias)(tr),
+		URL:   tr.URL.String(),
+		Time:  tr.Time.Format(time.RFC3339),
+	})
+}
+
+func (tr *TunnelRecord) UnmarshalJSON(data []byte) error {
+	type Alias TunnelRecord
+	aux := &struct {
+		*Alias
+		URL  string `json:"URL"`
+		Time string `json:"Time"`
+	}{
+		Alias: (*Alias)(tr),
+	}
+
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return err
+	}
+
+	parsedURL, err := url.Parse(aux.URL)
+	if err != nil {
+		return err
+	}
+	tr.URL = parsedURL
+
+	parsedTime, err := time.Parse(time.RFC3339, aux.Time)
+	if err != nil {
+		return err
+	}
+	tr.Time = parsedTime
+
+	return nil
+}

store/store.go

@@ -0,0 +1,219 @@
+package store
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"mime"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const (
+	defaultQueueSize = 100
+	maxQueueSize     = 100
+)
+
+var ErrRecordNotFound = errors.New("record not found")
+
+type OnEntryHandler func(record *TunnelRecord)
+
+type TunnelStore interface {
+	Get(before time.Time, count int) (results []*TunnelRecord, more bool)
+	Subscribe() <-chan *TunnelRecord
+	RecordTCP()
+	RecordRequest(req *http.Request, sourceAddress string)
+	RecordResponse(resp *http.Response) error
+}
+
+func NewTunnelStore(queueSize int) TunnelStore {
+	if queueSize <= 0 {
+		queueSize = defaultQueueSize
+	} else if queueSize > maxQueueSize {
+		queueSize = maxQueueSize
+	}
+
+	return &tunnelStoreImpl{queueSize: queueSize}
+}
+
+type tunnelStoreImpl struct {
+	orderedRecords []*TunnelRecord
+	queueSize      int
+	subs           []chan *TunnelRecord
+	mu             sync.Mutex
+}
+
+func (s *tunnelStoreImpl) Subscribe() <-chan *TunnelRecord {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	ch := make(chan *TunnelRecord, 100)
+
+	// Flush Existing & Subscribe
+	for _, r := range s.orderedRecords {
+		ch <- r
+	}
+	s.subs = append(s.subs, ch)
+
+	return ch
+}
+
+func (s *tunnelStoreImpl) Get(before time.Time, count int) ([]*TunnelRecord, bool) {
+	// Find First
+	start := -1
+	for i, r := range s.orderedRecords {
+		if r.Time.Before(before) {
+			start = i
+			break
+		}
+	}
+
+	// Not Found
+	if start == -1 {
+		return nil, false
+	}
+
+	// Subslice Records
+	end := min(start+count, len(s.orderedRecords))
+	results := s.orderedRecords[start:end]
+	more := end < len(s.orderedRecords)
+
+	return results, more
+}
+
+func (s *tunnelStoreImpl) RecordRequest(req *http.Request, sourceAddress string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	url := *req.URL
+	rec := &TunnelRecord{
+		ID:              uuid.New(),
+		Time:            time.Now(),
+		URL:             &url,
+		Method:          req.Method,
+		SourceAddr:      sourceAddress,
+		RequestHeaders:  req.Header,
+		RequestBodyType: req.Header.Get("Content-Type"),
+	}
+
+	if bodyData, err := getRequestBody(req); err == nil {
+		rec.RequestBody = bodyData
+	}
+
+	// Add Record & Truncate
+	s.orderedRecords = append(s.orderedRecords, rec)
+	if len(s.orderedRecords) > s.queueSize {
+		s.orderedRecords = s.orderedRecords[len(s.orderedRecords)-s.queueSize:]
+	}
+
+	*req = *req.WithContext(withRecord(req.Context(), rec))
+}
+
+func (s *tunnelStoreImpl) RecordResponse(resp *http.Response) error {
+	rec, found := getRecord(resp.Request.Context())
+	if !found {
+		return ErrRecordNotFound
+	}
+
+	rec.Status = resp.StatusCode
+	rec.ResponseHeaders = resp.Header
+	rec.ResponseBodyType = resp.Header.Get("Content-Type")
+
+	if bodyData, err := getResponseBody(resp); err == nil {
+		rec.ResponseBody = bodyData
+	}
+
+	s.broadcast(rec)
+
+	return nil
+}
+
+func (s *tunnelStoreImpl) RecordTCP() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// TODO
+}
+
+func (s *tunnelStoreImpl) broadcast(record *TunnelRecord) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// Send to Subscribers
+	active := s.subs[:0]
+	for _, ch := range s.subs {
+		select {
+		case ch <- record:
+			active = append(active, ch)
+		default:
+			close(ch)
+		}
+	}
+	s.subs = active
+}
+
+func getRequestBody(req *http.Request) ([]byte, error) {
+	if req.ContentLength == 0 || req.Body == nil || req.Body == http.NoBody {
+		return nil, nil
+	}
+
+	if !isTextContentType(req.Header.Get("Content-Type")) {
+		return nil, nil
+	}
+
+	// Read Body
+	bodyBytes, err := io.ReadAll(req.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// Restore Body
+	req.Body = io.NopCloser(bytes.NewReader(bodyBytes))
+	return bodyBytes, nil
+}
+
+func getResponseBody(resp *http.Response) ([]byte, error) {
+	if resp.ContentLength == 0 || resp.Body == nil || resp.Body == http.NoBody {
+		return nil, nil
+	}
+
+	if !isTextContentType(resp.Header.Get("Content-Type")) {
+		return nil, nil
+	}
+
+	// Read Body
+	bodyBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// Restore Body
+	resp.Body = io.NopCloser(bytes.NewReader(bodyBytes))
+	return bodyBytes, nil
+}
+
+func isTextContentType(contentType string) bool {
+	mediaType, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return false
+	}
+
+	if strings.HasPrefix(mediaType, "text/") {
+		return true
+	}
+
+	switch mediaType {
+	case "application/json":
+		return true
+	case "application/xml":
+		return true
+	case "application/x-www-form-urlencoded":
+		return true
+	default:
+		return false
+	}
+}

tunnel/forwarder.go

@@ -0,0 +1,35 @@
+package tunnel
+
+import (
+	"context"
+	"net/url"
+
+	"reichard.io/conduit/store"
+)
+
+type ForwarderType int
+
+const (
+	ForwarderTCP ForwarderType = iota
+	ForwarderHTTP
+)
+
+type Forwarder interface {
+	Type() ForwarderType
+	Initialize(sourceAddress string) (Stream, error)
+	Start(context.Context) error
+}
+
+func NewForwarder(target string, tunnelStore store.TunnelStore) (Forwarder, error) {
+	// Only parse as URL for HTTP targets. Bare host:port (e.g., "127.0.0.1:5432")
+	// is not a valid URL and should be treated as a raw TCP target.
+	targetURL, err := url.Parse(target)
+	if err == nil {
+		switch targetURL.Scheme {
+		case "http", "https":
+			return newHTTPForwarder(targetURL, tunnelStore)
+		}
+	}
+
+	return newTCPForwarder(target, tunnelStore), nil
+}

tunnel/http_forwarder.go

@@ -0,0 +1,156 @@
+package tunnel
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"sync"
+
+	"reichard.io/conduit/store"
+)
+
+func newHTTPForwarder(targetURL *url.URL, tunnelStore store.TunnelStore) (Forwarder, error) {
+	return &httpConnBuilder{
+		multiConnListener: newMultiConnListener(),
+		tunnelStore:       tunnelStore,
+		targetURL:         targetURL,
+	}, nil
+}
+
+type httpConnBuilder struct {
+	multiConnListener *multiConnListener
+	tunnelStore       store.TunnelStore
+	targetURL         *url.URL
+}
+
+func (c *httpConnBuilder) Type() ForwarderType {
+	return ForwarderHTTP
+}
+
+func (c *httpConnBuilder) Start(ctx context.Context) error {
+	// Create Reverse Proxy Server
+	server := &http.Server{
+		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
+			if wsConn, ok := c.(*wsConn); ok {
+				return context.WithValue(ctx, "sourceAddr", wsConn.sourceAddress)
+			}
+			return ctx
+		},
+		Handler: &httputil.ReverseProxy{
+			Director: func(req *http.Request) {
+				// Rewrite Request URL
+				req.Host = c.targetURL.Host
+				req.URL.Host = c.targetURL.Host
+				req.URL.Scheme = c.targetURL.Scheme
+
+				// Rewrite Referer
+				if referer := req.Header.Get("Referer"); referer != "" {
+					if refURL, err := url.Parse(referer); err == nil {
+						refURL.Host = c.targetURL.Host
+						refURL.Scheme = c.targetURL.Scheme
+						req.Header.Set("Referer", refURL.String())
+					}
+				}
+
+				// Extract Source Address & Record Request
+				sourceAddress, _ := req.Context().Value("sourceAddr").(string)
+				c.tunnelStore.RecordRequest(req, sourceAddress)
+			},
+			ModifyResponse: c.tunnelStore.RecordResponse,
+			ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
+				http.Error(w, fmt.Sprintf("Proxy error: %v", err), http.StatusBadGateway)
+			},
+		},
+	}
+
+	// Context & Cleanup
+	go func() {
+		<-ctx.Done()
+		server.Shutdown(ctx)
+		c.multiConnListener.Close()
+	}()
+
+	// Start HTTP Proxy
+	if err := server.Serve(c.multiConnListener); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+	return nil
+}
+
+func (c *httpConnBuilder) Initialize(sourceAddress string) (Stream, error) {
+	clientConn, serverConn := net.Pipe()
+
+	if err := c.multiConnListener.addConn(&wsConn{serverConn, sourceAddress}); err != nil {
+		_ = clientConn.Close()
+		_ = serverConn.Close()
+		return nil, err
+	}
+
+	return &streamImpl{clientConn, sourceAddress, c.targetURL.String()}, nil
+}
+
+type multiConnListener struct {
+	connCh chan net.Conn
+	closed chan struct{}
+	once   sync.Once
+}
+
+func newMultiConnListener() *multiConnListener {
+	return &multiConnListener{
+		connCh: make(chan net.Conn, 100),
+		closed: make(chan struct{}),
+	}
+}
+
+func (l *multiConnListener) Accept() (net.Conn, error) {
+	select {
+	case conn := <-l.connCh:
+		if conn == nil {
+			return nil, fmt.Errorf("listener closed")
+		}
+		return conn, nil
+	case <-l.closed:
+		return nil, fmt.Errorf("listener closed")
+	}
+}
+
+func (l *multiConnListener) Close() error {
+	l.once.Do(func() {
+		close(l.closed)
+		// Drain any remaining connections
+		go func() {
+			for conn := range l.connCh {
+				if conn != nil {
+					conn.Close()
+				}
+			}
+		}()
+		close(l.connCh)
+	})
+	return nil
+}
+
+func (l *multiConnListener) Addr() net.Addr {
+	return &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0}
+}
+
+func (l *multiConnListener) addConn(conn net.Conn) error {
+	select {
+	case l.connCh <- conn:
+		return nil
+	case <-l.closed:
+		conn.Close()
+		return fmt.Errorf("listener is closed")
+	default:
+		conn.Close()
+		return fmt.Errorf("connection queue full")
+	}
+}
+
+type wsConn struct {
+	net.Conn
+	sourceAddress string
+}

tunnel/name.go

@@ -1,4 +1,4 @@
-package client
+package tunnel
 
 import (
 	"fmt"

tunnel/stream.go

@@ -0,0 +1,32 @@
+package tunnel
+
+import (
+	"io"
+	"net"
+)
+
+var _ Stream = (*streamImpl)(nil)
+
+type Stream interface {
+	io.ReadWriteCloser
+	Source() string
+	Target() string
+}
+
+func NewStream(conn net.Conn, source, target string) Stream {
+	return &streamImpl{conn, source, target}
+}
+
+type streamImpl struct {
+	net.Conn
+	source string
+	target string
+}
+
+func (s *streamImpl) Source() string {
+	return s.source
+}
+
+func (s *streamImpl) Target() string {
+	return s.target
+}

tunnel/tcp_forwarder.go

@@ -0,0 +1,37 @@
+package tunnel
+
+import (
+	"context"
+	"net"
+
+	"reichard.io/conduit/store"
+)
+
+func newTCPForwarder(target string, tunnelStore store.TunnelStore) Forwarder {
+	return &tcpConnBuilder{
+		target:      target,
+		tunnelStore: tunnelStore,
+	}
+}
+
+type tcpConnBuilder struct {
+	target      string
+	tunnelStore store.TunnelStore
+}
+
+func (l *tcpConnBuilder) Type() ForwarderType {
+	return ForwarderTCP
+}
+
+func (l *tcpConnBuilder) Initialize(sourceAddress string) (Stream, error) {
+	conn, err := net.Dial("tcp", l.target)
+	if err != nil {
+		return nil, err
+	}
+
+	return &streamImpl{conn, sourceAddress, l.target}, nil
+}
+
+func (l *tcpConnBuilder) Start(ctx context.Context) error {
+	return nil
+}

tunnel/tunnel.go

@@ -0,0 +1,227 @@
+package tunnel
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"sync"
+
+	"github.com/gorilla/websocket"
+	log "github.com/sirupsen/logrus"
+	"reichard.io/conduit/config"
+	"reichard.io/conduit/pkg/maps"
+	"reichard.io/conduit/types"
+)
+
+// NewServerTunnel creates a new tunnel with name and websocket connection. The tunnel is
+// generally instantiated after an upgrade request from the server.
+func NewServerTunnel(name string, wsConn *websocket.Conn) *Tunnel {
+	return &Tunnel{
+		name:    name,
+		streams: maps.New[string, Stream](),
+		wsConn:  wsConn,
+	}
+}
+
+// NewClientTunnel creates a new tunnel with the provided configuration and forwarder. A
+// forwarder is effectively the protocol being forwarded. For example HTTP (Proxy), and TCP.
+func NewClientTunnel(cfg *config.ClientConfig, forwarder Forwarder) (*Tunnel, error) {
+	// Parse Server URL
+	serverURL, err := url.Parse(cfg.ServerAddress)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse Scheme
+	var wsScheme string
+	switch serverURL.Scheme {
+	case "https":
+		wsScheme = "wss"
+	case "http":
+		wsScheme = "ws"
+	default:
+		return nil, fmt.Errorf("unsupported scheme: %s", serverURL.Scheme)
+	}
+
+	// Create Tunnel Name
+	if cfg.TunnelName == "" {
+		cfg.TunnelName = generateTunnelName()
+		log.Infof("tunnel name not provided; generated: %s", cfg.TunnelName)
+	}
+
+	// Connect Server WS
+	wsURL := fmt.Sprintf("%s://%s/_conduit/tunnel?tunnelName=%s&apiKey=%s", wsScheme, serverURL.Host, cfg.TunnelName, cfg.APIKey)
+	serverConn, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect: %v", err)
+	}
+
+	return &Tunnel{
+		name:      cfg.TunnelName,
+		wsConn:    serverConn,
+		streams:   maps.New[string, Stream](),
+		forwarder: forwarder,
+	}, nil
+}
+
+type Tunnel struct {
+	name      string
+	wsConn    *websocket.Conn
+	streams   *maps.Map[string, Stream]
+	forwarder Forwarder
+
+	mu sync.Mutex
+}
+
+func (t *Tunnel) Start(ctx context.Context) {
+	log.Infof("initiated tunnel %q with %s", t.name, t.wsConn.RemoteAddr().String())
+	defer log.Infof("closed tunnel %q with %s", t.name, t.wsConn.RemoteAddr().String())
+
+	// Start Message Receiver
+	for {
+		msg, err := t.readWSWithContext(ctx)
+		if err != nil {
+			return
+		}
+
+		// Validate Stream
+		if msg.StreamID == "" {
+			log.Warnf("tunnel %s missing streamID", t.name)
+			continue
+		}
+
+		// Get Stream
+		stream, err := t.getStream(ctx, msg.StreamID, msg.SourceAddr)
+		if err != nil {
+			if msg.Type != types.MessageTypeClose {
+				log.WithError(err).Errorf("failed to get stream %s", msg.StreamID)
+			}
+			continue
+		}
+
+		// Handle Messages
+		switch msg.Type {
+		case types.MessageTypeClose:
+			_ = t.closeStream(stream, msg.StreamID)
+		case types.MessageTypeData:
+			_, err = stream.Write(msg.Data)
+		}
+
+		// Log Error
+		if err != nil {
+			log.WithError(err).Errorf("failed to handle message %s", msg.StreamID)
+		}
+	}
+}
+
+func (t *Tunnel) readWSWithContext(ctx context.Context) (*types.Message, error) {
+	type result struct {
+		msg *types.Message
+		err error
+	}
+
+	resultChan := make(chan result, 1)
+	go func() {
+		var msg types.Message
+		err := t.wsConn.ReadJSON(&msg)
+		resultChan <- result{&msg, err}
+	}()
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case result := <-resultChan:
+		return result.msg, result.err
+	}
+}
+
+func (t *Tunnel) AddStream(stream Stream, streamID string) error {
+	if t.streams.HasKey(streamID) {
+		return fmt.Errorf("stream %s already exists", streamID)
+	}
+	log.Infof("tunnel %q initiated stream with %s", t.name, stream.Source())
+	t.streams.Set(streamID, stream)
+	return nil
+}
+
+func (t *Tunnel) Source() string {
+	return t.wsConn.RemoteAddr().String()
+}
+
+func (t *Tunnel) StartStream(ctx context.Context, stream Stream, streamID string) error {
+	// Close Stream
+	defer t.closeStream(stream, streamID)
+
+	// Start Stream
+	for {
+		data, err := t.readStreamWithContext(ctx, stream)
+		if err != nil {
+			return err
+		}
+
+		if err := t.sendWS(&types.Message{
+			Type:       types.MessageTypeData,
+			StreamID:   streamID,
+			Data:       data,
+			SourceAddr: stream.Source(),
+		}); err != nil {
+			return err
+		}
+	}
+}
+
+func (t *Tunnel) closeStream(stream Stream, streamID string) error {
+	log.Infof("tunnel %q closed stream with %s", t.name, stream.Source())
+	t.streams.Delete(streamID)
+	return stream.Close()
+}
+
+func (t *Tunnel) getStream(ctx context.Context, streamID, sourceAddress string) (Stream, error) {
+	// Check Existing Stream
+	if stream, found := t.streams.Get(streamID); found {
+		return stream, nil
+	}
+
+	// Check Forwarder
+	if t.forwarder == nil {
+		return nil, fmt.Errorf("stream %s does not exist", streamID)
+	}
+
+	// Initialize Forwarder & Add Stream
+	stream, err := t.forwarder.Initialize(sourceAddress)
+	if err != nil {
+		return nil, err
+	}
+	if err := t.AddStream(stream, streamID); err != nil {
+		return nil, err
+	}
+	go t.StartStream(ctx, stream, streamID)
+	return stream, nil
+}
+
+func (t *Tunnel) readStreamWithContext(ctx context.Context, stream Stream) ([]byte, error) {
+	type result struct {
+		data []byte
+		err  error
+	}
+
+	resultChan := make(chan result, 1)
+	go func() {
+		buffer := make([]byte, 4096)
+		n, err := stream.Read(buffer)
+		resultChan <- result{buffer[:n], err}
+	}()
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case result := <-resultChan:
+		return result.data, result.err
+	}
+}
+
+func (t *Tunnel) sendWS(msg *types.Message) error {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	return t.wsConn.WriteJSON(msg)
+}

types/message.go

@@ -10,5 +10,6 @@ const (
 type Message struct {
 	Type       MessageType `json:"type"`
 	StreamID   string      `json:"stream_id"`
+	SourceAddr string      `json:"source_addr"`
 	Data       []byte      `json:"data,omitempty"`
 }

web/pages/network.go

@@ -0,0 +1,231 @@
+package pages
+
+import (
+	g "maragu.dev/gomponents"
+	h "maragu.dev/gomponents/html"
+
+	_ "embed"
+)
+
+//go:embed networkScript.js
+var alpineScript string
+
+func NetworkPage() g.Node {
+	return h.Doctype(
+		h.HTML(
+			h.Head(
+				h.Script(g.Raw(alpineScript)),
+				h.Script(g.Attr("src", "//cdn.tailwindcss.com")),
+				h.Script(g.Attr("src", "//cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js")),
+			),
+			h.Body(
+				h.Div(h.Class("bg-gray-900 text-gray-100"),
+					networkMonitor(),
+				),
+			),
+		),
+	)
+}
+
+func networkMonitor() g.Node {
+	return h.Div(
+		g.Attr("x-data", "networkMonitor()"),
+		h.Class("h-dvh flex flex-col"),
+
+		// Header
+		h.Div(
+			h.Class("bg-gray-800 border-b border-gray-700 px-4 py-2 flex items-center gap-4"),
+			h.H1(h.Class("text-lg font-semibold"), g.Text("Network")),
+			h.Button(
+				g.Attr("@click", "clear()"),
+				h.Class("px-3 py-1 bg-gray-700 hover:bg-gray-600 rounded text-sm"),
+				g.Text("Clear"),
+			),
+			h.Div(
+				h.Class("ml-auto text-sm text-gray-400"),
+				h.Span(g.Attr("x-text", "requests.length")),
+				g.Text(" requests"),
+			),
+		),
+
+		// Table
+		h.Div(
+			h.Class("flex-1 overflow-auto"),
+			h.Table(
+				h.Class("w-full text-sm"),
+				networkTableHeader(),
+				networkTableBody(),
+			),
+		),
+
+		// Details Panel
+		networkDetailsPanel(),
+	)
+}
+
+func networkTableHeader() g.Node {
+	return h.THead(
+		h.Class("bg-gray-800 sticky top-0 border-b border-gray-700"),
+		h.Tr(
+			h.Class("text-left"),
+			h.Th(h.Class("px-4 py-2 font-medium"), g.Text("Name")),
+			h.Th(h.Class("px-4 py-2 font-medium w-20"), g.Text("Method")),
+			h.Th(h.Class("px-4 py-2 font-medium w-20"), g.Text("Status")),
+			h.Th(h.Class("px-4 py-2 font-medium w-32"), g.Text("Type")),
+			h.Th(h.Class("px-4 py-2 font-medium w-32"), g.Text("Time")),
+		),
+	)
+}
+
+func networkTableBody() g.Node {
+	return h.TBody(
+		h.Template(
+			g.Attr("x-for", "req in requests"),
+			g.Attr(":key", "req.ID"),
+			h.Tr(
+				g.Attr("@click", "selected = req"),
+				g.Attr(":class", "selected?.ID === req.ID ? 'bg-blue-900' : 'hover:bg-gray-800'"),
+				h.Class("border-b border-gray-800 cursor-pointer"),
+				h.Td(
+					h.Class("px-4 py-2 truncate max-w-md"),
+					g.Attr("x-text", "req.URL?.Path || req.URL"),
+				),
+				h.Td(h.Class("px-4 py-2"), g.Attr("x-text", "req.Method")),
+				h.Td(
+					h.Class("px-4 py-2"),
+					h.Span(
+						g.Attr(":class", "statusColor(req.Status)"),
+						g.Attr("x-text", "req.Status || '-'"),
+					),
+				),
+				h.Td(
+					h.Class("px-4 py-2 text-gray-400"),
+					g.Attr("x-text", "req.ResponseBodyType || '-'"),
+				),
+				h.Td(
+					h.Class("px-4 py-2 text-gray-400"),
+					g.Attr("x-text", "formatTime(req.Time)"),
+				),
+			),
+		),
+	)
+}
+func networkDetailsPanel() g.Node {
+	return h.Div(
+		g.Attr("x-show", "selected"),
+		g.Attr("x-data", "{ activeTab: 'general' }"),
+		h.Class("fixed inset-0 bg-black bg-opacity-50 flex items-center justify-center z-50"),
+		g.Attr("@click.self", "selected = null"),
+		h.Div(
+			h.Class("bg-gray-800 rounded-lg shadow-xl w-3/4 h-3/4 flex flex-col"),
+			g.Attr("@click.stop", ""),
+			// Header
+			h.Div(
+				h.Class("flex items-center justify-between p-4 border-b border-gray-700"),
+				h.H2(
+					h.Class("text-lg font-semibold"),
+					g.Attr("x-text", "selected?.URL"),
+				),
+				h.Button(
+					g.Attr("@click", "selected = null"),
+					h.Class("text-gray-400 hover:text-gray-200"),
+					g.Text("X"),
+				),
+			),
+			// Tabs
+			h.Div(
+				h.Class("flex border-b border-gray-700"),
+				tab("general", "General"),
+				tab("request", "Request"),
+				tab("response", "Response"),
+			),
+			// Content
+			h.Div(
+				h.Class("flex-1 overflow-auto p-4"),
+				generalTabContent(),
+				requestTabContent(),
+				responseTabContent(),
+			),
+		),
+	)
+}
+
+func tab(name, label string) g.Node {
+	return h.Button(
+		g.Attr("@click", "activeTab = '"+name+"'"),
+		g.Attr(":class", "activeTab === '"+name+"' ? 'border-b-2 border-blue-500 text-blue-500' : 'text-gray-400 hover:text-gray-200'"),
+		h.Class("px-4 py-2 font-medium"),
+		g.Text(label),
+	)
+}
+
+func generalTabContent() g.Node {
+	return h.Div(
+		g.Attr("x-show", "activeTab === 'general'"),
+		h.Class("space-y-4"),
+		h.H3(h.Class("font-medium"), g.Text("Details")),
+		h.Div(
+			h.Class("text-sm space-y-1 text-gray-300"),
+			detailRow("URL:", "selected?.URL"),
+			detailRow("Source:", "selected?.SourceAddr"),
+			detailRow("Method:", "selected?.Method"),
+			detailRow("Status:", "selected?.Status"),
+		),
+	)
+}
+
+func requestTabContent() g.Node {
+	return h.Div(
+		g.Attr("x-show", "activeTab === 'request'"),
+		h.Class("space-y-4"),
+		h.H3(h.Class("font-medium"), g.Text("Headers")),
+		h.Div(
+			h.Class("text-sm space-y-1 text-gray-300 font-mono"),
+			h.Template(
+				g.Attr("x-for", "(values, key) in selected?.RequestHeaders"),
+				h.Div(
+					h.Span(h.Class("text-gray-500"), g.Attr("x-text", "key + ':'")),
+					g.Text(" "),
+					h.Span(g.Attr("x-text", "values.join(', ')")),
+				),
+			),
+		),
+		h.H3(h.Class("font-medium"), g.Text("Body")),
+		h.Pre(
+			h.Class("text-sm text-gray-300 font-mono bg-gray-900 p-3 rounded overflow-auto max-h-96"),
+			h.Code(g.Attr("x-text", "formatData(selected?.RequestBody)")),
+		),
+	)
+}
+
+func responseTabContent() g.Node {
+	return h.Div(
+		g.Attr("x-show", "activeTab === 'response'"),
+		h.Class("space-y-4"),
+		h.H3(h.Class("font-medium"), g.Text("Headers")),
+		h.Div(
+			h.Class("text-sm space-y-1 text-gray-300 font-mono mb-4"),
+			h.Template(
+				g.Attr("x-for", "(values, key) in selected?.ResponseHeaders"),
+				h.Div(
+					h.Span(h.Class("text-gray-500"), g.Attr("x-text", "key + ':'")),
+					g.Text(" "),
+					h.Span(g.Attr("x-text", "values.join(', ')")),
+				),
+			),
+		),
+		h.H3(h.Class("font-medium"), g.Text("Body")),
+		h.Pre(
+			h.Class("text-sm text-gray-300 font-mono bg-gray-900 p-3 rounded overflow-auto max-h-96"),
+			h.Code(g.Attr("x-text", "formatData(selected?.ResponseBody)")),
+		),
+	)
+}
+
+func detailRow(label, value string) g.Node {
+	return h.Div(
+		h.Span(h.Class("text-gray-500"), g.Text(label)),
+		g.Text(" "),
+		h.Span(g.Attr("x-text", value)),
+	)
+}

web/pages/networkScript.js

@@ -0,0 +1,47 @@
+function networkMonitor() {
+  return {
+    requests: [],
+    selected: null,
+
+    init() {
+      const es = new EventSource("/stream");
+      es.onmessage = (e) => {
+        const record = JSON.parse(e.data);
+        const foundIdx = this.requests.findIndex((r) => r.ID === record.ID);
+        if (foundIdx >= 0) {
+          this.requests[foundIdx] = record;
+        } else {
+          this.requests.unshift(record);
+        }
+      };
+    },
+
+    clear() {
+      this.requests = [];
+      this.selected = null;
+    },
+
+    statusColor(status) {
+      if (!status) return "text-gray-400";
+      if (status < 300) return "text-green-400";
+      if (status < 400) return "text-blue-400";
+      if (status < 500) return "text-yellow-400";
+      return "text-red-400";
+    },
+
+    formatTime(time) {
+      return new Date(time).toLocaleTimeString();
+    },
+  };
+}
+
+function formatData(base64Data) {
+  if (!base64Data) return "";
+  try {
+    const decoded = atob(base64Data);
+    const parsed = JSON.parse(decoded);
+    return JSON.stringify(parsed, null, 2);
+  } catch {
+    return atob(base64Data);
+  }
+}

web/web.go

@@ -0,0 +1,90 @@
+package web
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	log "github.com/sirupsen/logrus"
+	"reichard.io/conduit/store"
+	"reichard.io/conduit/web/pages"
+)
+
+type WebServer struct {
+	store  store.TunnelStore
+	server *http.Server
+}
+
+func NewWebServer(store store.TunnelStore) *WebServer {
+	return &WebServer{store: store}
+}
+
+func (s *WebServer) Start(ctx context.Context) error {
+	log.Info("started tunnel monitor at :8181")
+	defer log.Info("stopped tunnel monitor")
+
+	rootMux := http.NewServeMux()
+	rootMux.HandleFunc("/", s.handleRoot)
+	rootMux.HandleFunc("/stream", s.handleStream)
+
+	s.server = &http.Server{
+		Addr:    ":8181",
+		Handler: rootMux,
+	}
+
+	// Context & Cleanup
+	go func() {
+		<-ctx.Done()
+		s.server.Shutdown(ctx)
+	}()
+
+	// Start Tunnel Monitor
+	if err := s.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+	return nil
+}
+
+func (s *WebServer) Stop(ctx context.Context) error {
+	if s.server == nil {
+		return nil
+	}
+	return s.server.Shutdown(ctx)
+}
+
+func (s *WebServer) handleStream(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/event-stream")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.Header().Set("Connection", "keep-alive")
+
+	// Flusher Interface Upgrade
+	flusher, ok := w.(http.Flusher)
+	if !ok {
+		http.Error(w, "Streaming unsupported", http.StatusInternalServerError)
+		return
+	}
+
+	// Stream Data
+	ch := s.store.Subscribe()
+	done := r.Context().Done()
+
+	for {
+		select {
+		case record, ok := <-ch:
+			if !ok {
+				return
+			}
+			data, _ := json.Marshal(record)
+			_, _ = fmt.Fprintf(w, "data: %s\n\n", data)
+			flusher.Flush()
+		case <-done:
+			return
+		}
+	}
+}
+
+func (s *WebServer) handleRoot(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/html")
+	_ = pages.NetworkPage().Render(w)
+}