mmatczuk / go-http-tunnel Goto Github PK

Hi, thanks for the repo!

I am using v1.1 release. This is what I set in the tunnel.xml:

  interval: 100ms
  multiplier: 1
  max_interval: 100ms
  max_time: 0

This is what the program prints:

  interval: 100ms
  multiplier: 1
  max_interval: 100ms
  max_time: 15m0s

I have to workaround it with:

  interval: 100ms
  multiplier: 1
  max_interval: 100ms
  max_time: 999999h

Wonder how to set the max time to 0?

Server CLI should start a separate HTTP listener and provide a REST api to inspect and manage subscriptions.

• I 'm home, my home ip is dynamic. please help me.

I'm having issues with long lived connections:

• the server sometimes receives connection requests from clients that are reportedly already connected, and reject them.
• when the server restarts, some clients do not try to connect again.

I debugged the issue and found out that once the client is connected to the server this connection is kept open waiting for a user to connect to the server. If the connection dies without notifying the client or server, they would keep listening to dead connections.

If the server believes that a dead connection belonging to an id is open it would reject new (valid) connections from that id.

A client may keep listening to a dead connection forever, effectively preventing the client to retry and open a fresh connection.

My workaround was to turn on TCP keepalive for the client connection, and to let the server ping (http ping) the existing client connection when a connection request with an already connected id is received.

Currently the README is a bit misleading as it states that the code is BSD licensed.

Docker makes dev life easy. Please consider adding one. An example one based on your repo, github.com/osiloke/docker-tunneld

Currently running tunneld needs to get certification and key files provided.
I'd like to run tunneld as a service, so it would be awesome if there's a way to run the binary without passing extra attributes.

Is it currently possible to subscribe a particular client to url path?

Let's say i have 2 clients and 1 server.

client 1 should be responsible for responses to server:80/client1/query
client 2 should be responsible for responses to server:80/client2/query

Is this doable?

i tried changing the client tunnel endpoint to a path based on their "id" but that didn't work.

Hello
I can't connect to tunneld. I have error:
"msg certificate error err ptls: expecting 1 peer certificate, got 0"
Both client and server are on Windows. Both have certs files and files looks ok (I also tried files from tunnel\testdata directory).
Any idea what can cause the problem?

....

does it make any sense to implement a hidden compression schema?

If you think this is needed vote by adding 👍 thanks!

I'm unable to get access to a machine running PFSense over HTTPS. I get the following error in the Tunnel Client:

http: proxy error: x509: certificate signed by unknown authority

The odd thing is I have a NAS on the same network that uses HTTPS too and that one I'm able to reach just fine. Both have self-signed certificates, so I expect to get the Warning in the browser, but after proceeding beyond that warning, the PFSense one fails with a HTTP 502 error and I get that message in the Tunnel Client. The NAS one is just fine.

Any ideas? I already have insecure_skip_verify: true in the client config.

for host entry, if i use mytestroute.routetome.org does the whole thing have to be setup with DNS to point to my server? Or should I just be able to point routetome.org to my server, and then when I use the address https://mytestroute.routetome.org it will know where to send that particular subdomain request based on the host entry in my client .yml file?

This looks like a cool project, but having issues getting it to route right now. I have routetome.org setup with DNS pointing to my DO server, but not the sub-domain.

Was hoping this was a bit more like ngrok as far as subdomains on the fly. If any of you folks know how to get that setup using this project it would be totally great. More than happy to donate to an open source project like this as well.

I have been experiencing some issues when the Internet state changes (with connectivity to without connectivity)... apparently the client doesn't reconnect to server. A single restart on any side recovers the tunnel.

Any insights?

Basically, i want to run 1 proxy and n clients.
But I am unaware of the clients at start-up.

Can I start the server in a goroutine and call subscribe on that server at a later time?

Hello. I've a client that after 15 minutes disconnects. In the client I don't see any log. This is what I see in the server:

2018/03/13 10:17:26 level 2 action open listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:121
2018/03/13 10:17:26 level 2 action open listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:122
2018/03/13 10:17:26 level 2 action open listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:123
2018/03/13 10:17:26 level 2 action open listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:124
2018/03/13 10:17:26 level 2 action set registry item identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB
2018/03/13 10:17:26 level 1 action connected addr 80.174.238.86:60705 identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB
2018/03/13 10:18:03 level 2 action proxy conn identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB ctrlMsg &{proxy [::]:121 tcp }
2018/03/13 10:18:04 level 3 action transferred bytes 5089 dir user to client dst UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB src 89.246.69.218:63109
2018/03/13 10:18:04 level 3 action transferred bytes 7910 dir client to user dst 89.246.69.218:63109 src UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB
2018/03/13 10:18:04 level 2 action proxy conn done identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB ctrlMsg &{proxy [::]:121 tcp }
2018/03/13 10:18:31 level 2 action proxy conn identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB ctrlMsg &{proxy [::]:121 tcp }
2018/03/13 10:18:33 level 3 action transferred bytes 5224 dir user to client dst UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB src 89.246.69.218:63113
2018/03/13 10:18:33 level 3 action transferred bytes 8062 dir client to user dst 89.246.69.218:63113 src UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB
2018/03/13 10:18:33 level 2 action proxy conn done identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB ctrlMsg &{proxy [::]:121 tcp }
2018/03/13 10:34:14 level 1 action disconnected identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB
2018/03/13 10:34:14 level 2 action clear registry item identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB
2018/03/13 10:34:14 level 2 action close listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:121
2018/03/13 10:34:14 level 2 action close listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:122
2018/03/13 10:34:14 level 2 action close listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:123
2018/03/13 10:34:14 level 2 action close listener identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:124
2018/03/13 10:34:14 level 2 action listener closed identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:124
2018/03/13 10:34:14 level 2 action listener closed identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:121
2018/03/13 10:34:14 level 2 action listener closed identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:122
2018/03/13 10:34:14 level 2 action listener closed identifier UJ72CAB-5LW5RVP-STCEAVM-TSJ2DSV-OM3PPAK-HY3Q5CL-L7Z2NNB-LRGQ7AB addr [::]:123

I tried with backoff: max_time: 0 but there was no difference.

Thanks!

Hello sir can you please give me release for 32 bit ubuntu .whe i try to make it have errors

go-http-tunnel# make
cannot find package "/root/go-http-tunnel" in any of:
/root/go/src//root/go-http-tunnel (from $GOROOT)
/root/goworkspace/src//root/go-http-tunnel (from $GOPATH)
cannot find package "/root/go-http-tunnel/cmd/tunnel" in any of:
/root/go/src//root/go-http-tunnel/cmd/tunnel (from $GOROOT)
/root/goworkspace/src//root/go-http-tunnel/cmd/tunnel (from $GOPATH)
cannot find package "/root/go-http-tunnel/cmd/tunneld" in any of:
/root/go/src//root/go-http-tunnel/cmd/tunneld (from $GOROOT)
/root/goworkspace/src//root/go-http-tunnel/cmd/tunneld (from $GOPATH)
cannot find package "/root/go-http-tunnel/id" in any of:
/root/go/src//root/go-http-tunnel/id (from $GOROOT)
/root/goworkspace/src//root/go-http-tunnel/id (from $GOPATH)
cannot find package "/root/go-http-tunnel/log" in any of:
/root/go/src//root/go-http-tunnel/log (from $GOROOT)
/root/goworkspace/src//root/go-http-tunnel/log (from $GOPATH)
cannot find package "/root/go-http-tunnel/proto" in any of:
/root/go/src//root/go-http-tunnel/proto (from $GOROOT)
/root/goworkspace/src//root/go-http-tunnel/proto (from $GOPATH)
cannot find package "/root/go-http-tunnel/tunnelmock" in any of:
/root/go/src//root/go-http-tunnel/tunnelmock (from $GOROOT)
/root/goworkspace/src/_/root/go-http-tunnel/tunnelmock (from $GOPATH)
make: ineffassign: Command not found
make: *** [.check-ineffassign] Error 127

Is there a way to see which and how many clients are connected?

In a client TCP Proxy, when a local connection is closed the function call transfer(local, r, ...) does not return, effectively preventing the local connection to be properly closed.

To reproduce:

1. Create a TCP tunnel
2. Connect to the tunnel
3. Close the tunnel connection
4. invoke:

lsof -i -a -p `pidof tunnel`

At least one connection marked CLOSED_WAIT is present.

A quick and dirty solution would be to close the response reader after the local connection dies:

From 736802f154da59e23b4f1d89baafa49a1f579815 Mon Sep 17 00:00:00 2001
From: Riccardo Gori <[email protected]>
Date: Tue, 14 Nov 2017 16:07:31 +0100
Subject: [PATCH] Properly close proxy connection

---
 tcpproxy.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tcpproxy.go b/tcpproxy.go
index f7dc199..d72bb76 100644
--- a/tcpproxy.go
+++ b/tcpproxy.go
@@ -104,6 +104,7 @@ func (p *TCPProxy) Proxy(w io.Writer, r io.ReadCloser, msg *proto.ControlMessage
 			"dst", msg.ForwardedBy,
 			"src", target,
 		))
+		r.Close()
 		close(done)
 	}()
 
-- 
2.9.5

Would it be an idea to allow https traffic to pass trough the proxy. This way the "operator" can't see the traffic. And you could still find the host from the handshake.

Currently, i have setup a reverse tunnel through AWS but i am getting really low upload/download speeds. No more than 400kbps when my network speed when my network speed is around 80Mbps.
i moved my server in another network to test if the problem is from actually from localhost, AWS or from go-http-tunnel, but that's not the case.

The only thing that is left is that my ISP limits my connection, apart from blocking all ports. Is there any solution for that through go-http-tunnel?

configuration error: failed to parse file ".tunnel/tunnel.yml": yaml: line 1: did not find expected key
with config
server_addr: "185.2.2.137:4443"
insecure_skip_verify: true
tunnels: ...

./tunnel -version
3d03804

Hey,

The readme mentions "Client management and eviction" under features, but I can't find any details on how to do that, could you perhaps point me in the right direction?

Thanks!

Hello!
I love this tool but I don't like that much how the CLI interact with the daemon, I was using ngrok and its CLI is a bit more powerful.

I would like to propose some improvement that I would like to implement or maybe they are already there and I am not able to find them:

• We should set up a configuration file for the CLI with a default location like ~/.tunnelctl/something to configure the tunneld target with client keys and so on. We can probably implement something like the profiles for the aws-cli
• When we have that I would like to be able to start a tunnel via cli like `tunnel start --subdomain my 8080 (This will start my*.what.you.have* and it will forward port 8080)
• If you don't specify a subdomain we can start a random one

I think this will cover a bit better some use cases, for example, I would like to use it during integration testing and the configuration file based interaction is not very comfortable.

Let me know

If you think this is needed vote by adding 👍 thanks!

Create bin release for x86 (linux / windows)

I get this error: io error: Put http://localhost/login: http2: unsupported scheme .. what could be the problem?

I have implemented go-http-tunnel on my two local machines. one is as client & another one is as Server. I successfully configured server & client side both & don't get any error & on client side I get message : "level 1 action handshake addr <SERVER_IP:5223>" & on server side retrieve message of Client connected with my client Id , but now issue is How can i access my server machine from Client?. Please Guide me for that.

Below are screenshots of my server side configuration & Client Side Configuration respectively:

1. Server Side CLI screenshot :

2. Client Side CLI screenshot :

Below is code of my tunnel.yml file configured :

server_addr: 192.168.0.121:5223
tunnels:
mihir:
proto: http
addr: localhost:3001
host: mihir.mytunnel.com
ssh:
proto: tcp
addr: 192.168.0.5:22
remote_addr: 0.0.0.0:22

Rewrite the HTTP Host header to this value

It would be nice to have an option to specify alternate ports that the server listens on for http and https requests.

Adding HOTP on server, will allow a client to detect if there was a prior rogue connection from a client with stolen certs.

Can you use this behind an authenticate proxy in the same way you'd use it behind a nat? For example, on windows, will it respect the HTTP_PROXY and HTTPS_PROXY environment variables?

I have a custom embedded device running the tunnel client with the following config:

server_addr: SERVER_IP:5223
tunnels:
webui:
proto: http
addr: https://localhost:10001
host: MY_DOMAIN

When I run it and try to hit MY_DOMAIN, the tunnel client logs spit out
"http: proxy error: x509: failed to load system roots and no roots provided"

any ideas?

• Should be generic
• Can migrate state changes logging to common function

Hey there!! thanks for the great tool!! I am really loving it😃😃
My question is, is the connection between the tunnel client and the tunnel server secured (encrypted) and if yes then how? I mean using which certificates and key? and if the server uses the self-signed certificate for the purpose, is it possible that someone could MITM my connection?

First off: awesome project. Really cool to see an open-source alternative to ngrok.

I'm running into #26 on MacOS, which can be solved by building from master.
Since the build process is not documented and I'm not that familiar with Go, I cannot build the app myself.

This issue is really blocking, because I cannot use the application.
When will there be a new release so I can use it?

Cheers.

EDIT: I added the fake ssh config from the README.md to make it work.

What are your thoughts on allowing multiple clients to start a tunnel for the same host?

The use case I have in mind, is running the same application in two different environments (AWS, DigitalOcean) and randomly route to one or the other. Of course, we could add smarter load balancing functionality, but wanted to hear if this was something you’d consider.

Here’s what needs to change for a very quick and dirty example:

diff --git a/registry.go b/registry.go
index 98fead8..9b1f94d 100644
--- a/registry.go
+++ b/registry.go
@@ -6,8 +6,10 @@ package tunnel
 
 import (
 	"fmt"
+	"math/rand"
 	"net"
 	"sync"
+	"time"
 
 	"github.com/mmatczuk/go-http-tunnel/id"
 	"github.com/mmatczuk/go-http-tunnel/log"
@@ -33,7 +35,7 @@ type hostInfo struct {
 
 type registry struct {
 	items  map[id.ID]*RegistryItem
-	hosts  map[string]*hostInfo
+	hosts  map[string]map[id.ID]*hostInfo
 	mu     sync.RWMutex
 	logger log.Logger
 }
@@ -45,7 +47,7 @@ func newRegistry(logger log.Logger) *registry {
 
 	return &registry{
 		items:  make(map[id.ID]*RegistryItem),
-		hosts:  make(map[string]*hostInfo),
+		hosts:  make(map[string]map[id.ID]*hostInfo),
 		logger: logger,
 	}
 }
@@ -87,8 +89,20 @@ func (r *registry) Subscriber(hostPort string) (id.ID, *Auth, bool) {
 	if !ok {
 		return id.ID{}, nil, false
 	}
+	if len(h) == 0 {
+		return id.ID{}, nil, false
+	}
+
+	keys := []id.ID{}
+	for k := range h {
+		keys = append(keys, k)
+	}
+
+	rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
+	n := rnd.Intn(len(h))
+	key := keys[n]
 
-	return h.identifier, h.auth, ok
+	return h[key].identifier, h[key].auth, ok
 }
 
 // Unsubscribe removes client from registry and returns it's RegistryItem.
@@ -141,16 +155,18 @@ func (r *registry) set(i *RegistryItem, identifier id.ID) error {
 			if h.Auth != nil && h.Auth.User == "" {
 				return fmt.Errorf("missing auth user")
 			}
-			if _, ok := r.hosts[trimPort(h.Host)]; ok {
-				return fmt.Errorf("host %q is occupied", h.Host)
-			}
 		}
 
 		for _, h := range i.Hosts {
-			r.hosts[trimPort(h.Host)] = &hostInfo{
+			hosts, found := r.hosts[trimPort(h.Host)]
+			if !found {
+				hosts = make(map[id.ID]*hostInfo)
+			}
+			hosts[identifier] = &hostInfo{
 				identifier: identifier,
 				auth:       h.Auth,
 			}
+			r.hosts[trimPort(h.Host)] = hosts
 		}
 	}
 
@@ -176,7 +192,14 @@ func (r *registry) clear(identifier id.ID) *RegistryItem {
 
 	if i.Hosts != nil {
 		for _, h := range i.Hosts {
-			delete(r.hosts, trimPort(h.Host))
+			peers := r.hosts[trimPort(h.Host)]
+			if len(peers) == 1 {
+				delete(r.hosts, trimPort(h.Host))
+			} else {
+				delete(peers, identifier)
+				r.hosts[trimPort(h.Host)] = peers
+			}
+
 		}
 	}
 

I am having the following error message on the client side when trying to access the local app from public on a browser.

proxy HTTP level 0 msg failed to read request ctrlMsg &{proxy http .... hostname:port} err EOF

[It is a bokeh app. The app is receiving the traffics but I am not getting any display in the website]

I am facing a weird issue. My tunnel.yaml file is as below :-

server_addr: example.com:5223
tunnels:
      now:
        proto: http
        addr: http://127.0.0.1:8080
        host: me.example.com

On server side -httpAddr is set to :8000. When I access the site from the browsers as http://me.example.com:8000 it works fine. However, when I reload the site I get a 302 from the site and I am redirected to http://127.0.0.1:8080. The actual site does not seem to issue the 302. It seems like go-http-tunnel is issuing that for some reason. If I goto some other url and come back to the same url I do not get the 302; it is only when I hit the same url twice consecutively I get the 302. If I change the addr: to say https://google.com then I do not see this issue.

Can this library work with TCP forwarding for SSH similar to ngrok. I was unable to find any documentation regarding this.

please provide linux/mips (32bit) binary

As a go-http-tunnel administrator, I'd like to have a command line argument that would give me a list of the registered tunnel clients at that time, and their IP addresses (if possible), and any other statistics like time connected, etc.

Ex:

tunneld --liveClients

would return something like

Registered As                                 IP Address              Time Connected
---------------------------------------------------------------------------------------------
smarthome.mysupertunnel.com                   208.12.243.22           4 m 2 w 3 d 6 h 22 min
sprinklers.mysupertunnel.com                  208.12.243.22           4 m 2 w 3 d 5 h 43 min
gamestation.mysupertunnel.com                 128.54.177.191          2 w 1 d 22 h 17 min
superfluous.mysupertunnel.com                 98.245.32.7             1 h 22 min

Something like that.

Hi, I encounter a problem while starting tunnel.exe under Windows.

My configuration is the following (I've hidden the IP address and real domain name for security reasons).

server_addr: 1.2.3.4:443
insecure_skip_verify: true
tunnels:
  webui:
    proto: http
    addr: localhost:8080
    host: myserver.mydomain.com

When I execute the client command I encounter the following error.

.\tunnel.exe -config .\tunnel.yml start webui
2017/07/12 19:40:18 config server_addr: 1.2.3.4:443
insecure_skip_verify: true
tls_crt: client.crt
tls_key: client.key
backoff:
  interval: 500ms
  multiplier: 1.5
  max_interval: 1m0s
  max_time: 15m0s
tunnels:
  webui:
    proto: http
    addr: http://localhost:8080
    host: myserver.mydomain.com

panic: Empty localAddrMap

goroutine 1 [running]:
github.com/mmatczuk/go-http-tunnel.NewMultiTCPProxy(0xc042163aa0, 0x8c7da0, 0xc042164100, 0x2)
        /home/mmatczuk/projects/tunnel/src/github.com/mmatczuk/go-http-tunnel/tcpproxy.go:48 +0x168
main.proxy(0xc04206da40, 0x8c8e60, 0xc04211d500, 0x2)
        /home/mmatczuk/projects/tunnel/src/github.com/mmatczuk/go-http-tunnel/cmd/tunnel/tunnel.go:164 +0x60c
main.main()
        /home/mmatczuk/projects/tunnel/src/github.com/mmatczuk/go-http-tunnel/cmd/tunnel/tunnel.go:104 +0x79a

Do you know what's the problem here ?

Thanks

This is just an idea of course, but it would be very interesting to provide a "migration path" for people that use koding/tunnel and want to try this project.

(Ideally one would just change the import, much like SQL adapters... But of course the API might not be exactly compatible)

I was wondering if there is any easy way to deploy the server to my heroku instance?

Hi!

Interesting in trying out this tunnel, but i cannot get it to work. I have followed everything explain in the README.MD file. Running this from the latest releases, have tried both the linux binary and the windows binary.

Generated server and client keys. As a last resort i tried to connect locally to make sure there wasnt a network issue.

Server output:

` ______ __ __________________ __ __
/ / / / / / / / __ \ / / ______ ____ ___ / /
/ / / __ \ / // / / / / / / // / / / / / / __ / __ / _ / /
/ // / // / / __ / / / / / / / / // // / / / / / / / / /
_/_/ // // // // // _/_,// /// //_/_/
github.com/mmatczuk/go-http-tunnel

2018/02/02 17:44:15 level 1 action start addr [::]:5223
2018/02/02 17:44:15 level 1 action start http addr :80
2018/02/02 17:44:15 level 1 action start https addr :443`

Client output (http):
2018/02/02` 17:45:32 config server_addr: 127.0.0.1:80
tls_crt: client.crt
tls_key: client.key
root_ca: ""
backoff:
interval: 500ms
multiplier: 1.5
max_interval: 1m0s
max_time: 15m0s
tunnels:
webui:
proto: http
addr: http://127.0.0.1:8080
host: webui.my-tunnel-host.com

2018/02/02 17:45:32 level 1 action start
2018/02/02 17:45:32 level 1 action dial network tcp addr 127.0.0.1:80
2018/02/02 17:45:32 level 0 msg dial failed network tcp addr 127.0.0.1:80 err tls: oversized record received with length 20527
2018/02/02 17:45:32 level 1 action backoff sleep 660.522566ms
2018/02/02 17:45:32 level 1 action dial network tcp addr 127.0.0.1:80
2018/02/02 17:45:32 level 0 msg dial failed network tcp addr 127.0.0.1:80 err tls: oversized record received with length 20527`

Changing the config to use 443 instead of 80:
2018/02/02 17:48:59 config server_addr: 127.0.0.1:443
tls_crt: client.crt
tls_key: client.key
root_ca: ""
backoff:
interval: 500ms
multiplier: 1.5
max_interval: 1m0s
max_time: 15m0s
tunnels:
webui:
proto: http
addr: http://127.0.0.1:8080
host: webui.my-tunnel-host.com

2018/02/02 17:48:59 level 1 action start
2018/02/02 17:48:59 level 1 action dial network tcp addr 127.0.0.1:443
2018/02/02 17:49:09 level 1 action disconnected
2018/02/02 17:49:09 level 1 action dial network tcp addr 127.0.0.1:443`

Here's the config file:
server_addr: 127.0.0.1:443
tunnels:
webui:
proto: http
addr: 127.0.0.1:8080
host: webui.my-tunnel-host.com
ssh:
proto: tcp
addr: 192.168.0.5:22
remote_addr: 0.0.0.0:22

Firewall has added exceptions, so I'm lost here. Any help would be appreciated