docs: update README and AGENTS.md to reflect http.Server refactor

- Replace "Raw TCP listener" references with http.Server/hijack model
- Update architecture diagram and description
- Add testing section to AGENTS.md with test summary
- Update key patterns to match current code
- Fix file locations table (add e2e_test.go, reconstructed_conn.go)

AGENTS.md

@@ -0,0 +1,86 @@
+# Conduit — Agent Guidelines
+
+## Project Overview
+
+Conduit is a self-hosted tunneling service (Go, single binary). A **server** (`conduit serve`) runs on a public host and routes incoming HTTP requests by subdomain to registered **tunnels**. A **client** (`conduit tunnel`) connects via WebSocket, receives forwarded traffic, and relays it to a local target using either an HTTP reverse-proxy or raw TCP dial.
+
+## Build & Test
+
+```bash
+# Build all platforms
+make build_local
+
+# Run tests
+make tests              # includes coverage
+
+# Lint
+golangci-lint run
+```
+
+Go 1.25+ is required (`go.mod`). Nix devshell provides Go, gopls, golangci-lint.
+
+## Architecture at a Glance
+
+```
+server/server.go        — net/http.Server, ServeHTTP routes by Host subdomain to tunnel or control API
+tunnel/tunnel.go        — Core Tunnel struct, WebSocket message loop, stream management
+tunnel/forwarder.go     — Forwarder interface; HTTP/HTTPS → HTTP forwarder, everything else → TCP
+tunnel/http_forwarder.go — httputil.ReverseProxy served over net.Pipe via multiConnListener
+tunnel/tcp_forwarder.go  — Direct net.Dial TCP forwarding
+tunnel/stream.go        — Stream interface (io.ReadWriteCloser + Source/Target)
+server/reconstructed_conn.go — Replays re-serialized headers + buffered body + raw conn after hijack
+store/store.go          — In-memory request/response recorder with pub/sub (SSE)
+web/web.go              — Local tunnel monitor (port 8181), SSE endpoint
+config/config.go        — Reflection-based config from struct tags → flags + env vars
+pkg/maps/map.go         — Generic sync.RWMutex-guarded map
+```
+
+## Code Conventions
+
+- **Go style**: standard `gofmt`, golangci-lint with `.golangci.toml`
+- **Comment style**: Title Case heading above logical blocks (see root `AGENTS.md`)
+- **Config**: add struct tags (`json`, `default`, `description`) to `ServerConfig` or `ClientConfig` — flags and env vars are auto-derived
+- **Logging**: use `logrus` (`log` alias); structured fields preferred
+- **Concurrency**: use `pkg/maps.Map` for shared maps; protect other shared state with `sync.Mutex`
+- **Error handling**: return errors up; log at command/entry-point level. Use `fmt.Errorf` with `%w` for wrapping
+
+## Key Patterns
+
+1. **ServeHTTP + Hijack for tunnel routing**: The server uses `net/http.Server` with a `ServeHTTP` handler. It inspects the `Host` header to determine routing. Control API requests are handled normally via `http.ResponseWriter`. Tunnel requests hijack the TCP connection, re-serialize the HTTP request, and forward it through the tunnel via `reconstructedConn`.
+2. **Reconstructed connection**: After hijack, `reconstructedConn` combines re-serialized request headers, buffered body data from the hijacked `bufio.ReadWriter`, and the raw connection into a single `io.Reader` so the tunnel client receives the complete request.
+3. **Forwarder abstraction**: `Forwarder` interface decouples tunnel transport from protocol handling. `NewForwarder` only uses `url.Parse` for `http://`/`https://` schemes; everything else (including parse failures like bare `host:port`) is treated as raw TCP. HTTP forwarder uses `net.Pipe` + `multiConnListener` to feed connections into a standard `http.Server`.
+4. **Context-threaded records**: Request records are attached to context in `RecordRequest` and retrieved in `RecordResponse` via the `ModifyResponse` hook.
+
+## Adding a New Forwarder
+
+1. Implement `tunnel.Forwarder` interface (`Type()`, `Initialize()`, `Start()`)
+2. Add a case in `tunnel.NewForwarder()` factory
+3. Add corresponding `ForwarderType` const
+
+## Testing
+
+E2E tests live in `e2e_test.go` at the project root. They spin up real servers, tunnels, and targets on random ports.
+
+```bash
+# Run all tests
+make tests
+
+# Run specific test
+ go test -v -run TestHTTPTunnelRoundTrip -count=1 ./...
+```
+
+16 tests covering: HTTP round-trip (GET/POST), TCP echo, large bodies (1MB resp / 512KB req), response quality (headers, content-type, content-length), error paths (404, 401, duplicate name), multi-tunnel routing, concurrency, and graceful shutdown.
+
+## File Locations
+
+| Concern | Files |
+|---------|-------|
+| CLI entry | `main.go`, `cmd/` |
+| Server | `server/` |
+| Tunneling | `tunnel/` |
+| Config | `config/` |
+| Storage | `store/` |
+| Web UI | `web/`, `web/pages/` |
+| Shared types | `types/` |
+| Utilities | `pkg/maps/` |
+| E2E tests | `e2e_test.go` |

README.md

@@ -1,18 +1,143 @@
 # Conduit
 
-A lightweight tunneling service that enables secure connection forwarding through a remote server.
+A lightweight tunneling service that exposes local services to the internet through a public server — similar to ngrok, but self-hosted.
 
-**How:** Deploy Conduit on a public server (e.g., `https://conduit.example.com`) to create tunnels from local services to the internet. Simply point a tunnel to your local endpoint (such as `localhost:8000`) and assign it a custom subdomain identifier like `black-fox-123`. Your local service becomes instantly accessible at `https://black-fox-123.conduit.example.com`.
-
-**Key Benefits:**
-
-- Expose local development servers to the internet
-- Share work-in-progress applications with clients or teammates
-- Test webhooks and external integrations
-- Bypass firewall restrictions for remote access
-
-Perfect for developers who need quick, temporary public access to local services without complex networking setup.
-
-### Example
+Deploy Conduit on a public server (e.g., `https://conduit.example.com`), then create tunnels from your local machine. Point a tunnel at a local endpoint (e.g., `localhost:8000`) and it becomes accessible at a subdomain like `https://black-fox-123.conduit.example.com`.
 
 ![Example](https://gitea.va.reichard.io/evan/conduit/raw/branch/main/assets/example.gif)
+
+## Features
+
+- **HTTP & TCP tunneling** — automatically detected based on the target scheme
+- **Subdomain routing** — each tunnel gets a unique subdomain on the server
+- **Auto-generated tunnel names** — random `color-animal-number` names when none is provided
+- **Local tunnel monitor** — web UI on `:8181` with SSE-based live request/response inspection
+- **API key authentication** — simple shared-key auth between client and server
+- **Minimal footprint** — single binary, no external dependencies
+
+## Architecture
+
+```
+┌──────────────┐         WebSocket          ┌──────────────────┐
+│ conduit      │◄──────────────────────────► │ conduit          │
+│ tunnel       │    (control + streams)      │ serve            │
+│ (client)     │                             │ (public server)  │
+├──────────────┤                             ├──────────────────┤
+│ HTTP Fwd  or │                             │ http.Server      │
+│ TCP Fwd      │                             │ Subdomain router │
+├──────────────┤                             │ WS upgrade       │
+│ Tunnel       │                             └──────────────────┘
+│ Monitor :8181│
+└──────────────┘
+```
+
+The server uses `net/http.Server` to accept connections and inspects the HTTP `Host` header for routing. Requests to the base domain hit the control API; requests to subdomains are hijacked and forwarded over WebSocket to the matching tunnel client. The client then forwards traffic to the local target via either a reverse-proxy (HTTP) or direct TCP dial.
+
+## Quick Start
+
+### Prerequisites
+
+- Go 1.25+ (or Docker)
+
+### Build
+
+```bash
+# Local build (all platforms)
+make build_local
+
+# Docker
+make docker_build_local
+```
+
+### Server
+
+Run the server on a publicly accessible host:
+
+```bash
+conduit serve \
+  --server https://conduit.example.com \
+  --bind 0.0.0.0:8080 \
+  --api_key your-secret-key
+```
+
+Or with Docker:
+
+```bash
+docker run -p 8080:8080 \
+  -e CONDUIT_SERVER=https://conduit.example.com \
+  -e CONDUIT_API_KEY=your-secret-key \
+  conduit:latest
+```
+
+### Client
+
+Create a tunnel to expose a local service:
+
+```bash
+# HTTP tunnel (auto-generates name)
+conduit tunnel \
+  --server https://conduit.example.com \
+  --api_key your-secret-key \
+  --target http://localhost:8000
+
+# Named TCP tunnel
+conduit tunnel \
+  --server https://conduit.example.com \
+  --api_key your-secret-key \
+  --name my-service \
+  --target localhost:5432
+```
+
+The local tunnel monitor is available at `http://localhost:8181` for HTTP tunnels.
+
+## Configuration
+
+All options can be set via CLI flags or environment variables (`CONDUIT_` prefix):
+
+### Server (`conduit serve`)
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Public server address |
+| `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
+| `--bind` | `CONDUIT_BIND` | `0.0.0.0:8080` | Listen address |
+| `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
+| `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
+
+### Client (`conduit tunnel`)
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Conduit server address |
+| `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
+| `--name` | `CONDUIT_NAME` | (auto-generated) | Tunnel subdomain name |
+| `--target` | `CONDUIT_TARGET` | — | Local target address (required) |
+| `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
+| `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
+
+## Server API
+
+| Endpoint | Description |
+|----------|-------------|
+| `/_conduit/tunnel?tunnelName=<name>&apiKey=<key>` | WebSocket tunnel registration |
+| `/_conduit/info?apiKey=<key>` | JSON list of active tunnels |
+
+## Project Structure
+
+```
+├── cmd/             # Cobra CLI commands (root, serve, tunnel)
+├── config/          # Configuration parsing & logging setup
+├── server/          # HTTP server, subdomain routing, hijack + WebSocket upgrade
+├── tunnel/          # Tunnel, Stream, and Forwarder abstractions
+├── store/           # In-memory request/response recording for the monitor
+├── web/             # Local tunnel monitor HTTP server & SSE streaming
+├── types/           # Shared message types
+├── pkg/maps/        # Generic concurrent map
+├── build/           # Compiled binaries (gitignored in practice)
+├── Dockerfile       # Single-stage Docker build
+└── Makefile         # Build & release targets
+```
+
+## License
+
+See repository for license details.

e2e_test.go

@@ -0,0 +1,864 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"reichard.io/conduit/config"
+	"reichard.io/conduit/server"
+	"reichard.io/conduit/store"
+	"reichard.io/conduit/tunnel"
+	"reichard.io/conduit/web"
+)
+
+// ---------- Helpers ----------
+
+// startConduitServer creates and starts a conduit server on a random port.
+// Returns the server address (host:port) and a cancel func for teardown.
+func startConduitServer(t *testing.T, apiKey string) (string, context.CancelFunc) {
+	t.Helper()
+
+	// Find Free Port
+	port := getFreePort(t)
+	bindAddr := fmt.Sprintf("127.0.0.1:%d", port)
+	serverAddr := fmt.Sprintf("http://%s", bindAddr)
+
+	cfg := &config.ServerConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: serverAddr,
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		BindAddress: bindAddr,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	srv, err := server.NewServer(ctx, cfg)
+	if err != nil {
+		cancel()
+		t.Fatalf("failed to create server: %v", err)
+	}
+
+	// Start Server in Background
+	errCh := make(chan error, 1)
+	go func() { errCh <- srv.Start() }()
+
+	// Wait for Server to Accept
+	waitForPort(t, bindAddr, 3*time.Second)
+
+	// Check Early Errors
+	select {
+	case err := <-errCh:
+		cancel()
+		t.Fatalf("server exited early: %v", err)
+	default:
+	}
+
+	return bindAddr, cancel
+}
+
+// startHTTPTarget creates a simple HTTP server that echoes request info.
+func startHTTPTarget(t *testing.T) (string, context.CancelFunc) {
+	t.Helper()
+
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Test-Header", "present")
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "echo: %s %s", r.Method, r.URL.Path)
+	})
+	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("ok"))
+	})
+	mux.HandleFunc("/post", func(w http.ResponseWriter, r *http.Request) {
+		body, _ := io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "received: %s", string(body))
+	})
+
+	srv := &http.Server{Addr: addr, Handler: mux}
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() { srv.ListenAndServe() }()
+	go func() { <-ctx.Done(); srv.Close() }()
+
+	waitForPort(t, addr, 3*time.Second)
+
+	return addr, cancel
+}
+
+// startTCPEchoTarget creates a TCP server that echoes back whatever it receives.
+func startTCPEchoTarget(t *testing.T) (string, context.CancelFunc) {
+	t.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to start tcp echo: %v", err)
+	}
+	addr := listener.Addr().String()
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		<-ctx.Done()
+		listener.Close()
+	}()
+
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				return
+			}
+			go func(c net.Conn) {
+				defer c.Close()
+				io.Copy(c, c)
+			}(conn)
+		}
+	}()
+
+	return addr, cancel
+}
+
+// connectTunnel creates a conduit tunnel client and starts it.
+func connectTunnel(t *testing.T, serverAddr, targetAddr, tunnelName, apiKey string) context.CancelFunc {
+	t.Helper()
+
+	cfg := &config.ClientConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: fmt.Sprintf("http://%s", serverAddr),
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		TunnelName:   tunnelName,
+		TunnelTarget: targetAddr,
+	}
+
+	// Create Tunnel Store
+	tunnelStore := store.NewTunnelStore(100)
+
+	// Create Forwarder
+	forwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+	if err != nil {
+		t.Fatalf("failed to create forwarder: %v", err)
+	}
+
+	var wg sync.WaitGroup
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Start Forwarder
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		forwarder.Start(ctx)
+	}()
+
+	// Create & Start Tunnel
+	tun, err := tunnel.NewClientTunnel(cfg, forwarder)
+	if err != nil {
+		cancel()
+		t.Fatalf("failed to create tunnel: %v", err)
+	}
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		tun.Start(ctx)
+	}()
+
+	// Start Web Server
+	webServer := web.NewWebServer(tunnelStore)
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		webServer.Start(ctx)
+	}()
+
+	// Brief Settle Time
+	time.Sleep(100 * time.Millisecond)
+
+	cleanup := func() {
+		cancel()
+		wg.Wait()
+	}
+	return cleanup
+}
+
+// sendHTTPViaTunnel sends an HTTP request through the conduit server to a tunnel.
+func sendHTTPViaTunnel(t *testing.T, serverAddr, tunnelName, method, path, body string) *http.Response {
+	t.Helper()
+
+	url := fmt.Sprintf("http://%s%s", serverAddr, path)
+	var bodyReader io.Reader
+	if body != "" {
+		bodyReader = strings.NewReader(body)
+	}
+
+	req, err := http.NewRequest(method, url, bodyReader)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+
+	// Route via Subdomain
+	req.Host = fmt.Sprintf("%s.%s", tunnelName, serverAddr)
+
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{DisableKeepAlives: true},
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	return resp
+}
+
+func readBody(t *testing.T, resp *http.Response) string {
+	t.Helper()
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read body: %v", err)
+	}
+	return string(b)
+}
+
+func getFreePort(t *testing.T) int {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to get free port: %v", err)
+	}
+	port := l.Addr().(*net.TCPAddr).Port
+	l.Close()
+	return port
+}
+
+func waitForPort(t *testing.T, addr string, timeout time.Duration) {
+	t.Helper()
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
+		if err == nil {
+			conn.Close()
+			return
+		}
+		time.Sleep(25 * time.Millisecond)
+	}
+	t.Fatalf("port %s not ready after %s", addr, timeout)
+}
+
+// ---------- Tests ----------
+
+func TestHTTPTunnelRoundTrip(t *testing.T) {
+	apiKey := "test-key-http"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "http-test", apiKey)
+	defer stopTunnel()
+
+	// GET /
+	resp := sendHTTPViaTunnel(t, serverAddr, "http-test", "GET", "/", "")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "echo: GET /") {
+		t.Errorf("unexpected body: %s", body)
+	}
+
+	// GET /health
+	resp = sendHTTPViaTunnel(t, serverAddr, "http-test", "GET", "/health", "")
+	body = readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if body != "ok" {
+		t.Errorf("expected 'ok', got %q", body)
+	}
+}
+
+func TestHTTPTunnelPOST(t *testing.T) {
+	apiKey := "test-key-post"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "post-test", apiKey)
+	defer stopTunnel()
+
+	// POST /post
+	resp := sendHTTPViaTunnel(t, serverAddr, "post-test", "POST", "/post", "hello world")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "received: hello world") {
+		t.Errorf("unexpected body: %s", body)
+	}
+}
+
+func TestUnknownTunnelReturns404(t *testing.T) {
+	apiKey := "test-key-404"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Request to Non-Existent Tunnel
+	resp := sendHTTPViaTunnel(t, serverAddr, "no-such-tunnel", "GET", "/", "")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "unknown tunnel") {
+		t.Errorf("expected 'unknown tunnel' error, got: %s", body)
+	}
+}
+
+func TestDuplicateTunnelNameRejected(t *testing.T) {
+	apiKey := "test-key-dup"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect First Tunnel
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "dup-test", apiKey)
+	defer stopTunnel1()
+
+	// Attempt Duplicate — this should fail at WebSocket dial
+	cfg := &config.ClientConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: fmt.Sprintf("http://%s", serverAddr),
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		TunnelName:   "dup-test",
+		TunnelTarget: fmt.Sprintf("http://%s", targetAddr),
+	}
+
+	tunnelStore := store.NewTunnelStore(100)
+	forwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+	if err != nil {
+		t.Fatalf("failed to create forwarder: %v", err)
+	}
+
+	_, err = tunnel.NewClientTunnel(cfg, forwarder)
+	if err == nil {
+		t.Error("expected error for duplicate tunnel name, got nil")
+	}
+}
+
+func TestUnauthorizedControlAccess(t *testing.T) {
+	apiKey := "test-key-auth"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Request Info with Wrong API Key
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=wrong-key", serverAddr)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", resp.StatusCode)
+	}
+}
+
+func TestInfoEndpointListsTunnels(t *testing.T) {
+	apiKey := "test-key-info"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "info-test", apiKey)
+	defer stopTunnel()
+
+	// Query Info Endpoint
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=%s", serverAddr, apiKey)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "info-test") {
+		t.Errorf("expected tunnel 'info-test' in response: %s", body)
+	}
+}
+
+func TestMultipleTunnelsRouteCorrectly(t *testing.T) {
+	apiKey := "test-key-multi"
+
+	// Start Two Separate Target Servers
+	target1Addr, stopTarget1 := startHTTPTarget(t)
+	defer stopTarget1()
+
+	port2 := getFreePort(t)
+	addr2 := fmt.Sprintf("127.0.0.1:%d", port2)
+	mux2 := http.NewServeMux()
+	mux2.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, "target-two")
+	})
+	srv2 := &http.Server{Addr: addr2, Handler: mux2}
+	go srv2.ListenAndServe()
+	defer srv2.Close()
+	waitForPort(t, addr2, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Two Tunnels
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", target1Addr), "multi-one", apiKey)
+	defer stopTunnel1()
+
+	stopTunnel2 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr2), "multi-two", apiKey)
+	defer stopTunnel2()
+
+	// Request to First Tunnel
+	resp1 := sendHTTPViaTunnel(t, serverAddr, "multi-one", "GET", "/", "")
+	body1 := readBody(t, resp1)
+	if !strings.Contains(body1, "echo: GET /") {
+		t.Errorf("tunnel one unexpected body: %s", body1)
+	}
+
+	// Request to Second Tunnel
+	resp2 := sendHTTPViaTunnel(t, serverAddr, "multi-two", "GET", "/", "")
+	body2 := readBody(t, resp2)
+	if body2 != "target-two" {
+		t.Errorf("tunnel two expected 'target-two', got: %s", body2)
+	}
+}
+
+func TestServerGracefulShutdown(t *testing.T) {
+	apiKey := "test-key-shutdown"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+
+	// Cancel Server
+	stopServer()
+
+	// Verify Port Is Closed
+	time.Sleep(200 * time.Millisecond)
+	conn, err := net.DialTimeout("tcp", serverAddr, 500*time.Millisecond)
+	if err == nil {
+		conn.Close()
+		t.Error("expected server port to be closed after shutdown")
+	}
+}
+
+// ---------- HTTP Response Quality Tests ----------
+
+func TestHTTPResponseHasProperHeaders(t *testing.T) {
+	apiKey := "test-key-headers"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "hdr-test", apiKey)
+	defer stopTunnel()
+
+	// Send Request Through Tunnel
+	resp := sendHTTPViaTunnel(t, serverAddr, "hdr-test", "GET", "/", "")
+	defer resp.Body.Close()
+
+	// Verify Proper HTTP Semantics
+	if resp.Proto != "HTTP/1.1" {
+		t.Errorf("expected HTTP/1.1, got %s", resp.Proto)
+	}
+	if resp.Header.Get("X-Test-Header") != "present" {
+		t.Errorf("expected X-Test-Header: present, got %q", resp.Header.Get("X-Test-Header"))
+	}
+	if resp.ContentLength <= 0 && resp.TransferEncoding == nil {
+		t.Errorf("expected Content-Length or Transfer-Encoding, got neither")
+	}
+}
+
+func TestHTTPControlEndpointResponseQuality(t *testing.T) {
+	apiKey := "test-key-ctrl-quality"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// 404 on Unknown Tunnel — Verify stdlib response format
+	resp := sendHTTPViaTunnel(t, serverAddr, "nope", "GET", "/", "")
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", resp.StatusCode)
+	}
+
+	// Content-Type Should Be Set by http.Error
+	ct := resp.Header.Get("Content-Type")
+	if !strings.Contains(ct, "text/plain") {
+		t.Errorf("expected text/plain Content-Type, got %q", ct)
+	}
+
+	// Content-Length Should Be Present
+	if resp.ContentLength <= 0 {
+		t.Errorf("expected positive Content-Length, got %d", resp.ContentLength)
+	}
+
+	// Info Endpoint — JSON response quality
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=%s", serverAddr, apiKey)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp2, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
+	if err != nil {
+		t.Fatalf("info request failed: %v", err)
+	}
+	defer resp2.Body.Close()
+
+	if resp2.Header.Get("Content-Type") != "application/json" {
+		t.Errorf("expected application/json, got %q", resp2.Header.Get("Content-Type"))
+	}
+}
+
+// ---------- Large Body Tests ----------
+
+func TestHTTPLargeResponseBody(t *testing.T) {
+	apiKey := "test-key-large-resp"
+
+	// Start Target That Returns a Large Body
+	largeBody := strings.Repeat("A", 1024*1024) // 1 MB
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/large", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(largeBody))
+	})
+	srv := &http.Server{Addr: addr, Handler: mux}
+	go srv.ListenAndServe()
+	defer srv.Close()
+	waitForPort(t, addr, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr), "large-resp", apiKey)
+	defer stopTunnel()
+
+	// Request Large Response
+	resp := sendHTTPViaTunnel(t, serverAddr, "large-resp", "GET", "/large", "")
+	body := readBody(t, resp)
+
+	if len(body) != len(largeBody) {
+		t.Errorf("expected %d bytes, got %d", len(largeBody), len(body))
+	}
+}
+
+func TestHTTPLargeRequestBody(t *testing.T) {
+	apiKey := "test-key-large-req"
+
+	// Start Target That Echoes Body Size
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/upload", func(w http.ResponseWriter, r *http.Request) {
+		data, _ := io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "size:%d", len(data))
+	})
+	srv := &http.Server{Addr: addr, Handler: mux}
+	go srv.ListenAndServe()
+	defer srv.Close()
+	waitForPort(t, addr, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr), "large-req", apiKey)
+	defer stopTunnel()
+
+	// Send Large Request Body (512 KB)
+	largePayload := strings.Repeat("B", 512*1024)
+	resp := sendHTTPViaTunnel(t, serverAddr, "large-req", "POST", "/upload", largePayload)
+	body := readBody(t, resp)
+
+	expected := fmt.Sprintf("size:%d", len(largePayload))
+	if body != expected {
+		t.Errorf("expected %q, got %q", expected, body)
+	}
+}
+
+// ---------- TCP Tunnel Tests ----------
+
+func TestTCPTunnelEcho(t *testing.T) {
+	apiKey := "test-key-tcp"
+
+	// Start TCP Echo Server
+	tcpAddr, stopTCP := startTCPEchoTarget(t)
+	defer stopTCP()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect TCP Tunnel (bare host:port — the realistic way users would specify it)
+	stopTunnel := connectTunnel(t, serverAddr, tcpAddr, "tcp-test", apiKey)
+	defer stopTunnel()
+
+	// Send Raw HTTP Request Through Tunnel to TCP Echo
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer conn.Close()
+
+	// Write a Raw HTTP Request (the TCP echo will bounce it back)
+	reqLine := fmt.Sprintf("GET / HTTP/1.1\r\nHost: tcp-test.%s\r\n\r\n", serverAddr)
+	_, err = conn.Write([]byte(reqLine))
+	if err != nil {
+		t.Fatalf("failed to write: %v", err)
+	}
+
+	// Read Echoed Data
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil {
+		t.Fatalf("failed to read echo: %v", err)
+	}
+
+	response := string(buf[:n])
+	if !strings.Contains(response, "GET / HTTP/1.1") {
+		t.Errorf("expected echoed request, got: %q", response)
+	}
+}
+
+func TestTCPTunnelLargePayload(t *testing.T) {
+	apiKey := "test-key-tcp-large"
+
+	// Start TCP Echo Server
+	tcpAddr, stopTCP := startTCPEchoTarget(t)
+	defer stopTCP()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect TCP Tunnel (bare host:port)
+	stopTunnel := connectTunnel(t, serverAddr, tcpAddr, "tcp-large", apiKey)
+	defer stopTunnel()
+
+	// Connect and Send Large Payload
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer conn.Close()
+
+	// Route via Host Header Then Send 64 KB Payload
+	header := fmt.Sprintf("POST /data HTTP/1.1\r\nHost: tcp-large.%s\r\nContent-Length: 65536\r\n\r\n", serverAddr)
+	payload := header + strings.Repeat("X", 64*1024)
+
+	_, err = conn.Write([]byte(payload))
+	if err != nil {
+		t.Fatalf("failed to write: %v", err)
+	}
+
+	// Read All Echoed Data
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	var received []byte
+	buf := make([]byte, 8192)
+	for len(received) < len(payload) {
+		n, err := conn.Read(buf)
+		if err != nil {
+			break
+		}
+		received = append(received, buf[:n]...)
+	}
+
+	if len(received) != len(payload) {
+		t.Errorf("expected %d bytes echoed, got %d", len(payload), len(received))
+	}
+}
+
+// ---------- Concurrency Tests ----------
+
+func TestConcurrentHTTPRequests(t *testing.T) {
+	apiKey := "test-key-concurrent"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "conc-test", apiKey)
+	defer stopTunnel()
+
+	// Fire 20 Concurrent Requests
+	const numRequests = 20
+	var wg sync.WaitGroup
+	errors := make(chan string, numRequests)
+
+	for i := range numRequests {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/item/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "conc-test", "GET", path, "")
+			body := readBody(t, resp)
+
+			expected := fmt.Sprintf("echo: GET %s", path)
+			if !strings.Contains(body, expected) {
+				errors <- fmt.Sprintf("request %d: expected %q, got %q", idx, expected, body)
+			}
+			if resp.StatusCode != http.StatusOK {
+				errors <- fmt.Sprintf("request %d: expected 200, got %d", idx, resp.StatusCode)
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(errors)
+
+	for errMsg := range errors {
+		t.Error(errMsg)
+	}
+}
+
+func TestConcurrentMultiTunnelRequests(t *testing.T) {
+	apiKey := "test-key-conc-multi"
+
+	// Start Two Target Servers
+	target1Addr, stopTarget1 := startHTTPTarget(t)
+	defer stopTarget1()
+
+	port2 := getFreePort(t)
+	addr2 := fmt.Sprintf("127.0.0.1:%d", port2)
+	mux2 := http.NewServeMux()
+	mux2.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "server-two: %s", r.URL.Path)
+	})
+	srv2 := &http.Server{Addr: addr2, Handler: mux2}
+	go srv2.ListenAndServe()
+	defer srv2.Close()
+	waitForPort(t, addr2, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Two Tunnels
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", target1Addr), "cm-one", apiKey)
+	defer stopTunnel1()
+
+	stopTunnel2 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr2), "cm-two", apiKey)
+	defer stopTunnel2()
+
+	// Fire Concurrent Requests to Both Tunnels
+	const perTunnel = 10
+	var wg sync.WaitGroup
+	errors := make(chan string, perTunnel*2)
+
+	for i := range perTunnel {
+		wg.Add(2)
+
+		// Requests to Tunnel One
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/a/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "cm-one", "GET", path, "")
+			body := readBody(t, resp)
+			if !strings.Contains(body, fmt.Sprintf("echo: GET %s", path)) {
+				errors <- fmt.Sprintf("tunnel-one req %d: got %q", idx, body)
+			}
+		}(i)
+
+		// Requests to Tunnel Two
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/b/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "cm-two", "GET", path, "")
+			body := readBody(t, resp)
+			if !strings.Contains(body, fmt.Sprintf("server-two: %s", path)) {
+				errors <- fmt.Sprintf("tunnel-two req %d: got %q", idx, body)
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(errors)
+
+	for errMsg := range errors {
+		t.Error(errMsg)
+	}
+}

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760038930,
-        "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=",
+        "lastModified": 1777578337,
+        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3",
+        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
         "type": "github"
       },
       "original": {

flake.nix

@@ -6,8 +6,14 @@
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils }:
-    flake-utils.lib.eachDefaultSystem (system:
+  outputs =
+    { self
+    , nixpkgs
+    , flake-utils
+    ,
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
       let
         pkgs = nixpkgs.legacyPackages.${system};
       in
@@ -15,6 +21,7 @@
         devShells.default = pkgs.mkShell {
           packages = with pkgs; [
             go
+            gopls
             golangci-lint
           ];
           shellHook = ''

pkg/maps/map.go

@@ -42,6 +42,8 @@ func (m *Map[K, V]) HasKey(key K) bool {
 
 func (m *Map[K, V]) Entries() iter.Seq2[K, V] {
 	return func(yield func(K, V) bool) {
+		m.mu.RLock()
+		defer m.mu.RUnlock()
 		for k, v := range m.items {
 			if !yield(k, v) {
 				return

server/raw_http_response_writer.go

@@ -1,48 +0,0 @@
-package server
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"net/http"
-)
-
-var _ http.ResponseWriter = (*rawHTTPResponseWriter)(nil)
-
-type rawHTTPResponseWriter struct {
-	conn   net.Conn
-	header http.Header
-}
-
-func (f *rawHTTPResponseWriter) Header() http.Header {
-	if f.header == nil {
-		f.header = make(http.Header)
-	}
-	return f.header
-}
-
-func (f *rawHTTPResponseWriter) Write(data []byte) (int, error) {
-	return f.conn.Write(data)
-}
-
-func (f *rawHTTPResponseWriter) WriteHeader(statusCode int) {
-	// Write Status
-	status := fmt.Sprintf("HTTP/1.1 %d %s\r\n", statusCode, http.StatusText(statusCode))
-	_, _ = f.conn.Write([]byte(status))
-
-	// Write Headers
-	for key, values := range f.header {
-		for _, value := range values {
-			_, _ = fmt.Fprintf(f.conn, "%s: %s\r\n", key, value)
-		}
-	}
-
-	// End Headers
-	_, _ = f.conn.Write([]byte("\r\n"))
-}
-
-func (f *rawHTTPResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	// Return Raw Connection & ReadWriter
-	rw := bufio.NewReadWriter(bufio.NewReader(f.conn), bufio.NewWriter(f.conn))
-	return f.conn, rw, nil
-}

server/reconstructed_conn.go

@@ -1,7 +1,6 @@
 package server
 
 import (
-	"bytes"
 	"io"
 	"net"
 )
@@ -14,17 +13,17 @@ type reconstructedConn struct {
 	reader io.Reader
 }
 
-// Read reads from the reconstructed reader (captured data + original conn).
+// Read reads from the reconstructed reader (prepended data + original conn).
 func (rc *reconstructedConn) Read(p []byte) (n int, err error) {
 	return rc.reader.Read(p)
 }
 
-// newReconstructedConn creates a reconstructed connection that replays captured data
-// before reading from the original connection.
-func newReconstructedConn(conn net.Conn, capturedData *bytes.Buffer) net.Conn {
-	allReader := io.MultiReader(capturedData, conn)
+// newReconstructedConn creates a reconstructed connection that replays the provided
+// readers in order before reading from the underlying connection.
+func newReconstructedConn(conn net.Conn, readers ...io.Reader) net.Conn {
+	allReaders := append(readers, conn)
 	return &reconstructedConn{
 		Conn:   conn,
-		reader: allReader,
+		reader: io.MultiReader(allReaders...),
 	}
 }

server/server.go

@@ -1,14 +1,11 @@
 package server
 
 import (
-	"bufio"
 	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -62,25 +59,104 @@ func NewServer(ctx context.Context, cfg *config.ServerConfig) (*Server, error) {
 }
 
 func (s *Server) Start() error {
-	// Raw TCP Listener - This is necessary so we can conditionally either relay
-	// the raw TCP connection, or handle conduit control server API requests.
-	listener, err := net.Listen("tcp", s.cfg.BindAddress)
-	if err != nil {
+	// HTTP Server - Uses stdlib http.Server for proper HTTP response handling
+	// including Content-Length, chunked encoding, and keep-alive semantics.
+	httpServer := &http.Server{
+		Addr:    s.cfg.BindAddress,
+		Handler: s,
+	}
+
+	// Context Cancellation - Gracefully shut down when the context is cancelled.
+	go func() {
+		<-s.ctx.Done()
+		log.Info("conduit server shutting down")
+		httpServer.Close()
+	}()
+
+	// Start Server
+	log.Infof("conduit server listening on %s", s.cfg.BindAddress)
+	if err := httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 		return err
 	}
-	defer listener.Close()
+	return nil
+}
 
-	// Start Listening
-	log.Infof("conduit server listening on %s", s.cfg.BindAddress)
-	for {
-		conn, err := listener.Accept()
-		if err != nil {
-			log.WithError(err).Error("error accepting connection")
-			continue
-		}
-
-		go s.handleRawConnection(conn)
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// Get True Host
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		r.RemoteAddr = xff
 	}
+
+	// Validate Host
+	if !strings.Contains(r.Host, s.host) {
+		http.Error(w, fmt.Sprintf("unknown host: %s", r.Host), http.StatusBadRequest)
+		return
+	}
+
+	// Extract Subdomain
+	tunnelName := strings.TrimSuffix(strings.Replace(r.Host, s.host, "", 1), ".")
+	if strings.Count(tunnelName, ".") != 0 {
+		http.Error(w, fmt.Sprintf("cannot tunnel nested subdomains: %s", r.Host), http.StatusBadRequest)
+		return
+	}
+
+	// Handle Control Endpoints
+	if tunnelName == "" {
+		s.handleAsHTTP(w, r)
+		return
+	}
+
+	// Handle Tunnel Requests
+	s.handleTunnelRequest(w, r, tunnelName)
+}
+
+func (s *Server) handleTunnelRequest(w http.ResponseWriter, r *http.Request, tunnelName string) {
+	// Get Tunnel
+	conduitTunnel, exists := s.tunnels.Get(tunnelName)
+	if !exists {
+		http.Error(w, fmt.Sprintf("unknown tunnel: %s", tunnelName), http.StatusNotFound)
+		return
+	}
+
+	// Hijack Connection - Take over the raw TCP connection from the HTTP server
+	// so we can forward the full request (including body) through the tunnel.
+	hj, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "hijack not supported", http.StatusInternalServerError)
+		return
+	}
+	conn, bufrw, err := hj.Hijack()
+	if err != nil {
+		http.Error(w, fmt.Sprintf("hijack failed: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	// Re-Serialize Request Headers - The HTTP server already consumed the request
+	// from the connection. We re-serialize it so the tunnel client receives a
+	// complete HTTP request to forward to the local target.
+	var reqBuf bytes.Buffer
+	fmt.Fprintf(&reqBuf, "%s %s %s\r\n", r.Method, r.RequestURI, r.Proto)
+	fmt.Fprintf(&reqBuf, "Host: %s\r\n", r.Host)
+	_ = r.Header.Write(&reqBuf)
+	reqBuf.WriteString("\r\n")
+
+	// Reconstruct Connection - Combine re-serialized headers with any buffered
+	// body data (from the hijacked reader) and the raw connection.
+	reconstructedConn := newReconstructedConn(conn, &reqBuf, bufrw)
+
+	// Create Stream
+	streamID := fmt.Sprintf("stream_%d", time.Now().UnixNano())
+	tunnelStream := tunnel.NewStream(reconstructedConn, r.RemoteAddr, conduitTunnel.Source())
+
+	// Add Stream
+	if err := conduitTunnel.AddStream(tunnelStream, streamID); err != nil {
+		log.WithError(err).Error("failed to add stream")
+		conn.Close()
+		return
+	}
+
+	// Start Stream
+	conduitTunnel.StartStream(tunnelStream, streamID)
 }
 
 func (s *Server) getInfo(w http.ResponseWriter, _ *http.Request) {
@@ -110,79 +186,6 @@ func (s *Server) getInfo(w http.ResponseWriter, _ *http.Request) {
 	_, _ = w.Write(d)
 }
 
-func (s *Server) handleRawConnection(conn net.Conn) {
-	defer conn.Close()
-
-	// Capture Consumed Data - When determining where to route the request, we
-	// have to read the host headers. This requires reading from the buffer, so
-	// if we later decide to tunnel the TCP connection we need to reconstruct the
-	// data from the buffer.
-	var capturedData bytes.Buffer
-	teeReader := io.TeeReader(conn, &capturedData)
-	bufReader := bufio.NewReader(teeReader)
-
-	// Create HTTP Request & Writer
-	w := &rawHTTPResponseWriter{conn: conn}
-	r, err := http.ReadRequest(bufReader)
-	if err != nil {
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-	defer r.Body.Close()
-
-	// Validate Host
-	if !strings.Contains(r.Host, s.host) {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = fmt.Fprintf(w, "unknown host: %s", r.Host)
-		return
-	}
-
-	// Extract Subdomain
-	tunnelName := strings.TrimSuffix(strings.Replace(r.Host, s.host, "", 1), ".")
-	if strings.Count(tunnelName, ".") != 0 {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = fmt.Fprintf(w, "cannot tunnel nested subdomains: %s", r.Host)
-		return
-	}
-
-	// Get True Host
-	remoteHost := conn.RemoteAddr().String()
-	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		remoteHost = xff
-	}
-	r.RemoteAddr = remoteHost
-
-	// Handle Control Endpoints
-	if tunnelName == "" {
-		s.handleAsHTTP(w, r)
-		return
-	}
-
-	// Handle Tunnels
-	conduitTunnel, exists := s.tunnels.Get(tunnelName)
-	if !exists {
-		w.WriteHeader(http.StatusNotFound)
-		_, _ = fmt.Fprintf(w, "unknown tunnel: %s", tunnelName)
-		return
-	}
-
-	// Create Stream
-	reconstructedConn := newReconstructedConn(conn, &capturedData)
-	streamID := fmt.Sprintf("stream_%d", time.Now().UnixNano())
-	tunnelStream := tunnel.NewStream(reconstructedConn, r.RemoteAddr, conduitTunnel.Source())
-
-	// Add Stream
-	if err := conduitTunnel.AddStream(tunnelStream, streamID); err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		_, _ = fmt.Fprintf(w, "failed to add stream: %v", err)
-		log.WithError(err).Error("failed to add stream")
-		return
-	}
-
-	// Start Stream
-	conduitTunnel.StartStream(tunnelStream, streamID)
-}
-
 func (s *Server) handleAsHTTP(w http.ResponseWriter, r *http.Request) {
 	// Authorize Control Endpoints
 	apiKey := r.URL.Query().Get("apiKey")
@@ -207,15 +210,13 @@ func (s *Server) createTunnel(w http.ResponseWriter, r *http.Request) {
 	// Get Tunnel Name
 	tunnelName := r.URL.Query().Get("tunnelName")
 	if tunnelName == "" {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = w.Write([]byte("Missing tunnelName parameter"))
+		http.Error(w, "Missing tunnelName parameter", http.StatusBadRequest)
 		return
 	}
 
 	// Validate Unique
 	if _, exists := s.tunnels.Get(tunnelName); exists {
-		w.WriteHeader(http.StatusConflict)
-		_, _ = w.Write([]byte("Tunnel already registered"))
+		http.Error(w, "Tunnel already registered", http.StatusConflict)
 		return
 	}
 

tunnel/forwarder.go

@@ -21,23 +21,15 @@ type Forwarder interface {
 }
 
 func NewForwarder(target string, tunnelStore store.TunnelStore) (Forwarder, error) {
-	// Get Target URL
+	// Only parse as URL for HTTP targets. Bare host:port (e.g., "127.0.0.1:5432")
+	// is not a valid URL and should be treated as a raw TCP target.
 	targetURL, err := url.Parse(target)
-	if err != nil {
-		return nil, err
-	}
-
-	// Get Connection Builder
-	var forwarder Forwarder
-	switch targetURL.Scheme {
-	case "http", "https":
-		forwarder, err = newHTTPForwarder(targetURL, tunnelStore)
-		if err != nil {
-			return nil, err
+	if err == nil {
+		switch targetURL.Scheme {
+		case "http", "https":
+			return newHTTPForwarder(targetURL, tunnelStore)
 		}
-	default:
-		forwarder = newTCPForwarder(target, tunnelStore)
 	}
 
-	return forwarder, nil
+	return newTCPForwarder(target, tunnelStore), nil
 }