better param parsing

Rachel's edits to index.html to make information easier to understand.

.gitignore

@@ -1,4 +1,19 @@
 node_modules.*
+*.*.sw*
+etc/acme/
+bin/node
+bin/npm
+bin/npx
+bin/telebit
+bin/telebitd
+bin/telebit_uninstall
+usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist
+usr/share/dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist
+usr/share/dist/etc/systemd/system/telebit.service
+usr/share/dist/etc/skel/.config/systemd/user/telebit.service
+./etc/
+./include/
+./share/
 
 # Logs
 logs

LICENSE

@@ -1,198 +1,38 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+Copyright 2016 AJ ONeal
 
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+This is open source software; you can redistribute it and/or modify it under the
+terms of either:
 
-   1. Definitions.
+   a) the "MIT License"
+   b) the "Apache-2.0 License"
 
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
+MIT License
 
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
 
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
+   The above copyright notice and this permission notice shall be included in all
+   copies or substantial portions of the Software.
 
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+   SOFTWARE.
 
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
+Apache-2.0 License Summary
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+     http://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,

README.md

@@ -1,105 +1,356 @@
-<!-- BANNER_TPL_BEGIN -->
+# Telebit&trade; Remote | a [Root](https://rootprojects.org) project
 
-About Daplie: We're taking back the Internet!
---------------
+Because friends don't let friends localhost&trade;
 
-Down with Google, Apple, and Facebook!
+| **Telebit Remote**
+| [Telebit Relay](https://git.coolaj86.com/coolaj86/telebit-relay.js)
+| [sclient](https://telebit.cloud/sclient)
+|
 
-We're re-decentralizing the web and making it read-write again - one home cloud system at a time.
+<img align="center" src="https://git.coolaj86.com/coolaj86/telebit.js/raw/branch/master/usr/share/docs/terminal-example-1.png">
 
-Tired of serving the Empire? Come join the Rebel Alliance:
+Break out of localhost.
+=======
 
-<a href="mailto:jobs@daplie.com">jobs@daplie.com</a> | [Invest in Daplie on Wefunder](https://daplie.com/invest/) | [Pre-order Cloud](https://daplie.com/preorder/), The World's First Home Server for Everyone
+If you need to get bits from here to there, Telebit gets the job done.
 
-<!-- BANNER_TPL_END -->
+Install Telebit Remote on any device - your laptop, raspberry pi, whatever -
+and now you can access that device from anywhere, even securely in a web browser.
 
-# stunnel.js
+How does it work?
+It's a net server that uses a relay to allow multiplexed incoming connections
+on any external port.
 
-A client that works in combination with [stunneld.js](https://github.com/Daplie/node-tunnel-server)
-to allow you to serve http and https from any computer, anywhere through a secure tunnel.
+Features
+--------
+
+* [x] Show your mom the web app you're working on
+* [x] Access your Raspberry Pi from behind a firewall
+* [x] Watch Netflix without region restrictions while traveling
+* [x] SSH over HTTPS on networks with restricted ports or protocols
+* [x] Access your wife's laptop while she's on a flight
+
+Examples
+========
+
+You do this:
+
+    curl -fsSL https://get.telebit.io | bash
+
+You get this:
+
+    ~/telebit http 3000
+    > Forwarding lucky-duck-42.telebit.cloud => localhost:3000
+
+    ~/telebit http ~/sites/example.com/
+    > Serving ~/sites/example.com/ as lucky-duck-42.telebit.cloud
+
+And this:
+
+    ~/telebit tcp 5050
+    > Forwarding telebit.cloud:1337 => localhost:5050
+
+And even this:
+
+    ~/telebit ssh auto
+    > Forwarding ssh telebit.cloud -p 1337 => localhost:22
+    > Forwarding ssh+https (openssl proxy) => localhost:22
+
+No privileged ports. No sudo. End-to-end encryption.
+
+Fastest way to test a site, share a file, and pair over ssh.
+
+Install
+=======
+
+Mac & Linux
+-----------
+
+Open Terminal and run this install script:
+
+```
+curl -fsSL https://get.telebit.io | bash
+```
+
+<!--
+```
+bash <( curl -fsSL https://get.telebit.io )
+```
+
+<small>
+Note: **fish**, **zsh**, and other **non-bash** users should do this
+
+```
+curl -fsSL https://get.telebit.io/ > get.sh; bash get.sh
+```
+</small>
+-->
+
+What does the installer do?
+
+  * install Telebit Remote to `~/Applications/telebit/`
+  * symlink the executable to `~/telebit` for convenience
+  * create the appropriate system launcher file
+    * `/etc/systemd/system/telebit.service`
+    * `~/Library/LaunchAgents/cloud.telebit.remote.plist`
+  * create local user config
+    * `~/.config/telebit/telebit.yml`
+    * `~/.local/share/telebit`
+
+Of course, feel free to inspect it before you run it: `curl -fsSL https://get.telebit.io`
+
+**You can customize the installation**:
+
+```bash
+export NODEJS_VER=v10.2                   # v10.2 is tested working, but we can test other versions
+export TELEBIT_VERSION=master             # git tag or branch to install from
+export TELEBIT_USERSPACE=no               # install as a system service (launchd, systemd only)
+export TELEBIT_PATH=/opt/telebit
+export TELEBIT_USER=telebit
+export TELEBIT_GROUP=telebit
+curl -fsSL https://get.telebit.io/ | bash
+```
+
+That will change the bundled version of node.js is bundled with Telebit Relay
+and the path to which Telebit Relay installs.
+
+Windows & Node.js
+-----------------
+
+1. Install [node.js](https://nodejs.org)
+2. Open _Node.js_
+2. Run the command `npm install -g telebit`
+2. Copy the example daemon config to your user folder `.config/telebit/telebitd.yml` (such as `/Users/John/.config/telebit/telebitd.yml`)
+2. Copy the example remote config to your user folder `.config/telebit/telebit.yml` (such as `/Users/John/.config/telebit/telebit.yml`)
+2. Change the email address
+2. Run `npx telebit init` and follow the instructions
+2. Run `npx telebit list`
+
+**Note**: Use node.js **v10.2.1**
+
+(there are specific bugs in each of
+v8.x,
+[v9.x](https://github.com/nodejs/node/issues/20241),
+v10.0,
+and v10.3
+that each cause telebit to crash)
+
+Remote Usage
+============
+
+```
+# commands
+telebit <command>
+
+# domain and port control
+telebit <service> <handler> [servername] [options ...]
+```
+
+Examples:
+
+```
+telebit status                          # whether enabled or disabled
+telebit enable                          # disallow incoming connections
+telebit disable                         # allow incoming connections
+telebit restart                         # kill daemon and allow system launcher to restart it
+
+telebit list                            # list rules for servernames and ports
+
+                       ################
+                       #     HTTP     #
+                       ################
+
+telebit http <handler> [servername] [opts]
+
+telebit http none                       # remove all https handlers
+telebit http 3000                       # forward all https traffic to port 3000
+telebit http /module/path               # load a node module to handle all https traffic
+
+telebit http none example.com           # remove https handler from example.com
+telebit http 3001 example.com           # forward https traffic for example.com to port 3001
+telebit http /module/path example.com   # forward https traffic for example.com to port 3001
+
+
+                       ################
+                       #     TCP      #
+                       ################
+
+telebit tcp <handler> [servername] [opts]
+
+telebit tcp none                        # remove all tcp handlers
+telebit tcp 5050                        # forward all tcp to port 5050
+telebit tcp /module/path                # handle all tcp with a node module
+
+telebit tcp none 6565                   # remove tcp handler from external port 6565
+telebit tcp 5050 6565                   # forward external port 6565 to local 5050
+telebit tcp /module/path 6565           # handle external port 6565 with a node module
+
+telebit ssh disable                     # disable ssh access
+telebit ssh 22                          # port-forward all ssh connections to port 22
+
+telebit save                            # save http and tcp configuration changes
+```
+
+### Using SSH
+
+SSH over HTTPS
+```
+ssh -o ProxyCommand='openssl s_client -connect %h:443 -servername %h -quiet' lucky-duck-42.telebit.cloud
+```
+
+SSH over non-standard port
+```
+ssh lucky-duck-42.telebit.cloud -p 3031
+```
+
+Daemon Usage (non-global)
+============
+
+```bash
+~/Applications/bin/node ~/Applications/bin/telebitd.js --config ~/.config/telebit/telebitd.yml
+```
+
+Options
+
+`~/.config/telebit/telebitd.yml:`
+```
+email: 'jon@example.com'          # must be valid (for certificate recovery and security alerts)
+agree_tos: true                   # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
+relay: wss://telebit.cloud        # a Telebit Relay instance
+community_member: true            # receive infrequent relevant but non-critical updates
+telemetry: true                   # contribute to project telemetric data
+secret: ''                        # Secret with which to sign Tokens for authorization
+#token: ''                         # A signed Token for authorization
+ssh_auto: 22                      # forward ssh-looking packets, from any connection, to port 22
+servernames:                      # servernames that will be forwarded here
+  example.com: {}
+```
+
+Choosing A Relay
+================
+
+You can create a free or paid account at <https://telebit.cloud>
+or you can run [Telebit Relay](https://git.coolaj86.com/coolaj86/telebitd.js)
+open source on a VPS (Vultr, Digital Ocean)
+or your Raspberry Pi at home (with port-forwarding).
+
+Only connect to Telebit Relays that you trust.
+
+<!--
+## Important Defaults
+
+The default behaviors work great for newbies,
+but can be confusing or annoying to experienced networking veterans.
+
+See the **Advanced Configuration** section below for more details.
+
+```
+redirect:
+  example.com/foo: /bar
+  '*': whatever.com/
+vhost:                            # securely serve local sites from this path (or false)
+  example.com: /srv/example.com   # (uses template string, i.e. /var/www/:hostname/public)
+  '*': /srv/www/:hostname
+reverse_proxy: /srv/
+  example.com: 3000
+  '*': 3000
+terminate_tls:
+  'example.com': 3000
+  '*': 3000
+tls:
+  'example.com': 8443
+  '*': 8443
+port_forward:
+  2020: 2020
+  '*': 4040
+
+greenlock:
+  store: le-store-certbot         # certificate storage plugin
+  config_dir: etc/acme            # directory for ssl certificates
+```
+
+Using Telebit with node.js
+--------------------------
+
+Telebit has two parts:
+  * the local server
+  * the relay service
+
+This repository is for the local server, which you run on the computer or device that you would like to access.
+
+This is the portion that runs on your computer
+You will need both Telebit (this, telebit.js) and a Telebit Relay
+(such as [telebitd.js](https://git.coolaj86.com/coolaj86/telebitd.js)).
+
+You can **integrate telebit.js into your existing codebase** or use the **standalone CLI**.
 
 * CLI
-* Library
+* Node.js Library
+* Browser Library
 
-CLI
-===
+Telebit CLI
+-----------
 
-Installs as `stunnel.js` with the alias `jstunnel`
-(for those that regularly use `stunnel` but still like commandline completion).
+Installs Telebit Remote as `telebit`
+(for those that regularly use `telebit` but still like commandline completion).
 
 ### Install
 
 ```bash
-npm install -g stunnel
-```
-
-### Usage with OAuth3.org
-
-Daplie's OAuth3.org tunnel service is in Beta.
-
-**Terms of Service**: The Software and Services shall be used for Good, not Evil.
-Examples of good: education, business, pleasure. Examples of evil: crime, abuse, extortion.
-
-```bash
-stunnel.js --agree-tos --email john@example.com --locals http:*:4080,https:*:8443 --device
+npm install -g telebit
 ```
 
 ```bash
-stunnel.js \
-  --agree-tos --email <EMAIL> \
-  --locals <List of <SCHEME>:<EXTERNAL_DOMAINNAME>:<INTERNAL_PORT>> \
-  --device [HOSTNAME] \
-  --domains [Comma-separated list of domains to attach to device] \
-  --oauth3-url <Tunnel Service OAuth3 URL>
+npm install -g 'https://git.coolaj86.com/coolaj86/telebit.js.git#v1'
 ```
 
-### Advanced Usage (DIY)
+Or if you want to bow down to the kings of the centralized dictator-net:
 
-How to use `stunnel.js` with your own instance of `stunneld.js`:
+How to use Telebit Remote with your own instance of Telebit Relay:
 
 ```bash
-stunnel.js \
+telebitd \
   --locals <<external domain name>> \
-  --stunneld wss://<<tunnel domain>>:<<tunnel port>> \
+  --relay wss://<<tunnel domain>>:<<tunnel port>> \
   --secret <<128-bit hex key>>
 ```
 
 ```bash
-stunnel.js --locals john.example.com --stunneld wss://tunnel.example.com:443 --secret abc123
+telebitd --locals john.example.com --relay wss://tunnel.example.com:443 --secret abc123
 ```
 
 ```bash
-stunnel.js \
+telebitd \
   --locals <<protocol>>:<<external domain name>>:<<local port>> \
-  --stunneld wss://<<tunnel domain>>:<<tunnel port>> \
+  --relay wss://<<tunnel domain>>:<<tunnel port>> \
   --secret <<128-bit hex key>>
 ```
 
 ```bash
-stunnel.js \
+telebitd \
   --locals http:john.example.com:3000,https:john.example.com \
-  --stunneld wss://tunnel.example.com:443 \
+  --relay wss://tunnel.example.com:443 \
   --secret abc123
 ```
 
 ```
---secret          the same secret used by stunneld (used for authentication)
+--secret          the same secret used by the Telebit Relay (for authentication)
 --locals          comma separated list of <proto>:<servername>:<port> to which
                   incoming http and https should be forwarded
---stunneld        the domain or ip address at which you are running stunneld.js
--k, --insecure    ignore invalid ssl certificates from stunneld
+--relay        the domain or ip address at which you are running Telebit Relay
+-k, --insecure    ignore invalid ssl certificates from relay
 ```
 
-Library
+Node.js Library
 =======
 
 ### Example
 
 ```javascript
-var stunnel = require('stunnel');
+var Telebit = require('telebit');
 
-stunnel.connect({
-  stunneld: 'wss://tunnel.example.com'
+Telebit.connect({
+  relay: 'wss://tunnel.example.com'
 , token: '...'
 , locals: [
     // defaults to sending http to local port 80 and https to local port 443
@@ -139,52 +390,142 @@ local handler and the tunnel handler.
 You could do a little magic like this:
 
 ```js
-var Dup = {
-  write: function (chunk, encoding, cb) {
-    this.__my_socket.write(chunk, encoding);
-    cb();
-  }
-, read: function (size) {
-    var x = this.__my_socket.read(size);
-    if (x) { this.push(x); }
-  }
-};
-
-stunnel.connect({
+Telebit.connect({
   // ...
 , net: {
   createConnection: function (info, cb) {
     // data is the hello packet / first chunk
     // info = { data, servername, port, host, remoteAddress: { family, address, port } }
 
-    var myDuplex = new (require('stream').Duplex)();
-    var myDuplex2 = new (require('stream').Duplex)();
+    var streamPair = require('stream-pair');
+
+    // here "reader" means the socket that looks like the connection being accepted
+    var writer = streamPair.create();
+    // here "writer" means the remote-looking part of the socket that driving the connection
+    var reader = writer.other;
     // duplex = { write, push, end, events: [ 'readable', 'data', 'error', 'end' ] };
 
-    myDuplex2.__my_socket = myDuplex;
-    myDuplex2._write = Dup.write;
-    myDuplex2._read = Dup.read;
-
-    myDuplex.__my_socket = myDuplex2;
-    myDuplex._write = Dup.write;
-    myDuplex._read = Dup.read;
-
-    myDuplex.remoteFamily = info.remoteFamily;
-    myDuplex.remoteAddress = info.remoteAddress;
-    myDuplex.remotePort = info.remotePort;
+    reader.remoteFamily = info.remoteFamily;
+    reader.remoteAddress = info.remoteAddress;
+    reader.remotePort = info.remotePort;
 
     // socket.local{Family,Address,Port}
-    myDuplex.localFamily = 'IPv4';
-    myDuplex.localAddress = '127.0.01';
-    myDuplex.localPort = info.port;
+    reader.localFamily = 'IPv4';
+    reader.localAddress = '127.0.01';
+    reader.localPort = info.port;
 
-    httpsServer.emit('connection', myDuplex);
+    httpsServer.emit('connection', reader);
 
     if (cb) {
       process.nextTick(cb);
     }
 
-    return myDuplex2;
+    return writer;
   }
 });
 ```
+
+Advanced Configuration
+======================
+
+There is no configuration for these yet,
+but we believe it is important to add them.
+
+### http to https
+
+By default http connections are redirected to https.
+
+If for some reason you need raw access to unencrypted http
+you'll need to set it manually.
+
+Proposed configuration:
+
+```
+insecure_http:
+  proxy: true         # add X-Forward-* headers
+  port: 3000          # connect to port 3000
+  hostnames:          # only these hostnames will be left insecure
+    - example.com
+```
+
+**Note**: In the future unencrypted connections will only be allowed
+on self-hosted and paid-hosted Telebit Relays. We don't want the
+legal liability of transmitting your data in the clear, thanks. :p
+
+### TLS Termination (Secure SSL decryption)
+
+Telebit is designed for end-to-end security.
+
+For convenience the Telebit Remote client uses Greenlock to handle all
+HTTPS connections and then connect to a local webserver with the correct proxy headers.
+
+However, if you want to handle the encrypted connection directly, you can:
+
+Proposed Configuration:
+
+```
+tls:
+  example.com: 3000   # specific servername
+  '*': 3000           # all servernames
+  '!': 3000           # missing servername
+```
+
+TODO
+====
+
+Install for user
+  * https://wiki.archlinux.org/index.php/Systemd/User
+  * https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
+    * `sudo launchctl load -w ~/Library/LaunchAgents/cloud.telebit.remote`
+    * https://serverfault.com/questions/194832/how-to-start-stop-restart-launchd-services-from-the-command-line
+-->
+
+Check Logs
+==========
+
+**Linux**:
+
+```
+SYSTEMD_LOG_LEVEL=debug journalctl -xef --user-unit=telebit
+```
+
+**macOS**:
+
+```
+tail -f ~/local/share/telebit/var/log/info.log
+```
+
+```
+tail -f ~/.local/share/telebit/var/log/error.log
+```
+
+Uninstall
+=======
+
+**Linux**:
+
+```
+systemctl --user disable telebit; systemctl --user stop telebit
+rm -f ~/.config/systemd/user/telebit.service
+rm -rf ~/telebit ~/Applications/telebit
+rm -rf ~/.config/telebit ~/.local/share/telebit
+```
+
+**macOS**:
+
+```
+launchctl unload -w ~/Library/LaunchAgents/cloud.telebit.remote.plist
+rm -f ~/Library/LaunchAgents/cloud.telebit.remote.plist
+rm -rf ~/telebit ~/Applications/telebit
+rm -rf ~/.config/telebit ~/.local/share/telebit
+```
+
+Browser Library
+=======
+
+This is implemented with websockets, so you should be able to
+
+LICENSE
+=======
+
+Copyright 2016-2018+ AJ ONeal

TODO.md

@@ -1,6 +0,0 @@
-TODO
-
-  * [*] Work with Secure WebSockets
-  * [ ] Hijack HTTPS connection directly (without WebSockets)
-  * [p] Raw TCP (for transporting https once, not twice) (partial)
-  * [ ] Let's Encrypt Support (for connecting to a plain http server locally)

bin/stunnel.js

@@ -1,200 +0,0 @@
-#!/usr/bin/env node
-(function () {
-'use strict';
-
-var pkg = require('../package.json');
-
-var program = require('commander');
-var url = require('url');
-var stunnel = require('../wsclient.js');
-
-function collectProxies(val, memo) {
-  var vals = val.split(/,/g);
-
-  function parseProxy(location) {
-    // john.example.com
-    // https:3443
-    // http:john.example.com:3000
-    // http://john.example.com:3000
-    var parts = location.split(':');
-    var dual = false;
-    if (1 === parts.length) {
-      // john.example.com -> :john.example.com:0
-      parts[1] = parts[0];
-
-      parts[0] = '';
-      parts[2] = 0;
-
-      dual = true;
-    }
-    else if (2 === parts.length) {
-      // https:3443 -> https:*:3443
-      parts[2] = parts[1];
-
-      parts[1] = '*';
-    }
-
-    parts[0] = parts[0].toLowerCase();
-    parts[1] = parts[1].toLowerCase().replace(/(\/\/)?/, '') || '*';
-    parts[2] = parseInt(parts[2], 10) || 0;
-    if (!parts[2]) {
-      // TODO grab OS list of standard ports?
-      if (!parts[0] || 'http' === parts[0]) {
-        parts[2] = 80;
-      }
-      else if ('https' === parts[0]) {
-        parts[2] = 443;
-      }
-      else {
-        throw new Error("port must be specified - ex: tls:*:1337");
-      }
-    }
-
-    memo.push({
-      protocol: parts[0] || 'https'
-    , hostname: parts[1]
-    , port: parts[2] || 443
-    });
-
-    if (dual) {
-      memo.push({
-        protocol: 'http'
-      , hostname: parts[1]
-      , port: 80
-      });
-    }
-  }
-
-  vals.map(function (val) {
-    return parseProxy(val);
-  });
-
-  return memo;
-}
-
-program
-  .version(pkg.version)
-  //.command('jsurl <url>')
-  .arguments('<url>')
-  .action(function (url) {
-    program.url = url;
-  })
-  .option('-k --insecure', 'Allow TLS connections to stunneld without valid certs (rejectUnauthorized: false)')
-  .option('--locals <LIST>', 'comma separated list of <proto>:<port> to which matching incoming http and https should forward (reverse proxy). Ex: https:8443,smtps:8465', collectProxies, [ ]) // --reverse-proxies
-  .option('--domains <LIST>', 'comma separated list of domain names to set to the tunnel (to caputer a specific protocol to a specific local port use the format https:example.com:1337 instead). Ex: example.com,example.net', collectProxies, [ ])
-  .option('--device [HOSTNAME]', 'Tunnel all domains associated with this device instead of specific domainnames. Use with --locals <proto>:*:<port>. Ex: macbook-pro.local (the output of `hostname`)')
-  .option('--stunneld <URL>', 'the domain (or ip address) at which you are running stunneld.js (the proxy)') // --proxy
-  .option('--secret <STRING>', 'the same secret used by stunneld (used for JWT authentication)')
-  .option('--token <STRING>', 'a pre-generated token for use with stunneld (instead of generating one with --secret)')
-  .option('--agree-tos', 'agree to the Daplie Terms of Service (requires user validation)')
-  .option('--email <EMAIL>', 'email address (or cloud address) for user validation')
-  .option('--oauth3-url <URL>', 'Cloud Authentication to use (default: https://oauth3.org)')
-  .parse(process.argv)
-  ;
-
-function connectTunnel() {
-  program.net = {
-    createConnection: function (info, cb) {
-      // data is the hello packet / first chunk
-      // info = { data, servername, port, host, remoteFamily, remoteAddress, remotePort }
-      var net = require('net');
-      // socket = { write, push, end, events: [ 'readable', 'data', 'error', 'end' ] };
-      var socket = net.createConnection({ port: info.port, host: info.host }, cb);
-      return socket;
-    }
-  };
-
-  program.locals.forEach(function (proxy) {
-    console.log('[local proxy]', proxy.protocol + '://' + proxy.hostname + ':' + proxy.port);
-  });
-
-  stunnel.connect({
-    stunneld: program.stunneld
-  , locals: program.locals
-  , services: program.services
-  , net: program.net
-  , insecure: program.insecure
-  , token: program.token
-  });
-}
-
-function rawTunnel() {
-  program.stunneld = program.stunneld || 'wss://tunnel.daplie.com';
-
-  if (!(program.secret || program.token)) {
-    console.error("You must use --secret or --token with --stunneld");
-    process.exit(1);
-    return;
-  }
-
-  var jwt = require('jsonwebtoken');
-  var tokenData = {
-    domains: null
-  };
-  var location = url.parse(program.stunneld);
-
-  if (!location.protocol || /\./.test(location.protocol)) {
-    program.stunneld = 'wss://' + program.stunneld;
-    location = url.parse(program.stunneld);
-  }
-  program.stunneld = location.protocol + '//' + location.hostname + (location.port ? ':' + location.port : '');
-
-  tokenData.domains = Object.keys(domainsMap).filter(Boolean);
-
-  program.token = program.token || jwt.sign(tokenData, program.secret);
-
-  connectTunnel();
-}
-
-function daplieTunnel() {
-  //var OAUTH3 = require('oauth3.js');
-  var Oauth3Cli = require('oauth3.js/bin/oauth3.js');
-  require('oauth3.js/oauth3.tunnel.js');
-  return Oauth3Cli.login({
-    email: program.email
-  , providerUri: program.oauth3Url
-  }).then(function (oauth3) {
-    var data = { device: null, domains: [] };
-    var domains = Object.keys(domainsMap).filter(Boolean);
-    if (program.device) {
-      // TODO use device API to select device by id
-      data.device = { hostname: program.device };
-      if (true === program.device) {
-        data.device.hostname = require('os').hostname();
-        console.log("Using device hostname '" + data.device.hostname + "'");
-      }
-    }
-    if (domains.length) {
-      data.domains = domains;
-    }
-    return oauth3.api('tunnel.token', { data: data }).then(function (results) {
-      var token = new Buffer(results.jwt.split('.')[1], 'base64').toString('utf8');
-      console.log('tunnel token issued:');
-      console.log(token);
-      program.token = results.jwt;
-      program.stunneld = results.tunnelUrl || ('wss://' + token.aud + '/');
-
-      connectTunnel();
-    });
-  });
-}
-
-var domainsMap = {};
-
-program.locals = program.locals.concat(program.domains);
-program.locals.forEach(function (proxy) {
-  domainsMap[proxy.hostname] = true;
-});
-if (domainsMap.hasOwnProperty('*')) {
-  //delete domainsMap['*'];
-  domainsMap['*'] = false;
-}
-
-if (!(program.secret || program.token) && !program.stunneld) {
-  daplieTunnel();
-}
-else {
-  rawTunnel();
-}
-
-}());

bin/telebit-remote.js

@@ -0,0 +1,812 @@
+#!/usr/bin/env node
+(function () {
+'use strict';
+
+var pkg = require('../package.json');
+var os = require('os');
+
+//var url = require('url');
+var fs = require('fs');
+var path = require('path');
+var http = require('http');
+//var https = require('https');
+var YAML = require('js-yaml');
+var TOML = require('toml');
+var TPLS = TOML.parse(fs.readFileSync(path.join(__dirname, "../lib/en-us.toml"), 'utf8'));
+/*
+if ('function' !== typeof TOML.stringify) {
+  TOML.stringify = require('json2toml');
+}
+*/
+var recase = require('recase').create({});
+var camelCopy = recase.camelCopy.bind(recase);
+//var snakeCopy = recase.snakeCopy.bind(recase);
+
+var urequest = require('@coolaj86/urequest');
+var common = require('../lib/cli-common.js');
+
+var argv = process.argv.slice(2);
+
+var argIndex = argv.indexOf('--config');
+if (-1 === argIndex) {
+  argIndex = argv.indexOf('-c');
+}
+var confpath;
+var useTty;
+var state = {};
+if (-1 === argIndex) {
+  argIndex = argv.indexOf('-c');
+}
+if (-1 !== argIndex) {
+  confpath = argv.splice(argIndex, 2)[1];
+}
+argIndex = argv.indexOf('--tty');
+if (-1 !== argIndex) {
+  useTty = argv.splice(argIndex, 1);
+}
+
+function help() {
+  var keys = Object.keys(TPLS.help).filter(function (key) {
+    return 'remote' !== key;
+  });
+  var key = keys.filter(function (key) {
+    return -1 !== process.argv.indexOf(key);
+  })[0] || 'remote';
+  console.info(TPLS.help[key].replace(/{version}/g, pkg.version));
+}
+
+var verstr = [ pkg.name + ' remote v' + pkg.version ];
+if (!confpath) {
+  confpath = path.join(os.homedir(), '.config/telebit/telebit.yml');
+  verstr.push('(--config \'' + confpath.replace(new RegExp('^' + os.homedir()), '~') + '\')');
+}
+
+if ([ '-h', '--help', 'help' ].some(function (arg) {
+  return -1 !== argv.indexOf(arg);
+})) {
+  help();
+  process.exit(0);
+}
+if (!confpath || /^--/.test(confpath)) {
+  help();
+  process.exit(1);
+}
+
+function askForConfig(state, mainCb) {
+  var fs = require('fs');
+  var ttyname = '/dev/tty';
+  var stdin = useTty ? fs.createReadStream(ttyname, {
+    fd: fs.openSync(ttyname, fs.constants.O_RDONLY | fs.constants.O_NOCTTY)
+  }) : process.stdin;
+  var readline = require('readline');
+  var rl = readline.createInterface({
+    input: stdin
+  , output: process.stdout
+    // https://github.com/nodejs/node/issues/21771
+    // https://github.com/nodejs/node/issues/21319
+  , terminal: !/^win/i.test(os.platform()) && !useTty
+  });
+  state._useTty = useTty;
+
+  // NOTE: Use of setTimeout
+  // We're using setTimeout just to make the user experience a little
+  // nicer, as if we're doing something inbetween steps, so that it
+  // is a smooth rather than jerky experience.
+  // >= 300ms is long enough to become distracted and change focus (a full blink, time for an idea to form as a thought)
+  // <= 100ms is shorter than normal human reaction time (ability to place events chronologically, which happened first)
+  // ~ 150-250ms is the sweet spot for most humans (long enough to notice change and not be jarred, but stay on task)
+  var firstSet = [
+    function askEmail(cb) {
+      if (state.config.email) { cb(); return; }
+      console.info(TPLS.remote.setup.email);
+      // TODO attempt to read email from npmrc or the like?
+      rl.question('email: ', function (email) {
+        email = /@/.test(email) && email.trim();
+        if (!email) { askEmail(cb); return; }
+        state.config.email = email.trim();
+        state.config.agreeTos = true;
+        console.info("");
+        setTimeout(cb, 250);
+      });
+    }
+  , function askRelay(cb) {
+      function checkRelay(relay) {
+        // TODO parse and check https://{{relay}}/.well-known/telebit.cloud/directives.json
+        if (!relay) { relay = 'telebit.cloud'; }
+        relay = relay.trim();
+        var urlstr = common.parseUrl(relay) + common.apiDirectory;
+        urequest({ url: urlstr, json: true }, function (err, resp, body) {
+          if (err) {
+            console.error("[Network Error] Failed to retrieve '" + urlstr + "'");
+            console.error(err);
+            askRelay(cb);
+            return;
+          }
+          if (200 !== resp.statusCode || (Buffer.isBuffer(body) || 'object' !== typeof body) || !body.api_host) {
+            console.warn("===================");
+            console.warn("      WARNING      ");
+            console.warn("===================");
+            console.warn("");
+            console.warn("[" + resp.statusCode + "] '" + urlstr + "'");
+            console.warn("This server does not describe a current telebit version (but it may still work).");
+            console.warn("");
+            console.warn(body);
+          } else if (body && body.pair_request) {
+            state._can_pair = true;
+          }
+          state.config.relay = relay;
+          cb();
+        });
+      }
+
+      if (state.config.relay) { checkRelay(state.config.relay); return; }
+      console.info("");
+      console.info("");
+      console.info("What relay will you be using? (press enter for default)");
+      console.info("");
+      rl.question('relay [default: telebit.cloud]: ', checkRelay);
+    }
+  , function checkRelay(cb) {
+      nextSet = [];
+      if ('telebit.cloud' !== state.config.relay) {
+        nextSet = nextSet.concat(standardSet);
+      }
+      if (!state._can_pair) {
+        nextSet = nextSet.concat(fossSet);
+      }
+      cb();
+    }
+  ];
+  var standardSet = [
+    // There are questions that we need to aks in the CLI
+    // if we can't guarantee that they are being asked in the web interface
+    function askAgree(cb) {
+      if (state.config.agreeTos) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("Do you accept the terms of service for each and all of the following?");
+      console.info("");
+      console.info("\tTelebit - End-to-End Encrypted Relay");
+      console.info("\tGreenlock - Automated HTTPS");
+      console.info("\tLet's Encrypt - TLS Certificates");
+      console.info("");
+      console.info("Type 'y' or 'yes' to accept these Terms of Service.");
+      console.info("");
+      rl.question('agree to all? [y/N]: ', function (resp) {
+        resp = resp.trim();
+        if (!/^y(es)?$/i.test(resp) && 'true' !== resp) {
+          throw new Error("You didn't accept the Terms of Service... not sure what to do...");
+        }
+        state.config.agreeTos = true;
+        console.info("");
+        setTimeout(cb, 250);
+      });
+    }
+  , function askUpdates(cb) {
+      // required means transactional, security alerts, mandatory updates
+      var options = [ 'newsletter', 'important', 'required' ];
+      if (-1 !== options.indexOf(state._updates)) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What updates would you like to receive? (" + options.join(',') + ")");
+      console.info("");
+      rl.question('messages (default: important): ', function (updates) {
+        state._updates = (updates || '').trim().toLowerCase();
+        if (!state._updates) { state._updates = 'important'; }
+        if (-1 === options.indexOf(state._updates)) { askUpdates(cb); return; }
+
+        if ('newsletter' === state._updates) {
+          state.config.newsletter = true;
+          state.config.communityMember = true;
+        } else if ('important' === state._updates) {
+          state.config.communityMember = true;
+        }
+
+        setTimeout(cb, 250);
+      });
+    }
+  , function askTelemetry(cb) {
+      if (state.config.telemetry) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("Contribute project telemetry data? (press enter for default [yes])");
+      console.info("");
+      rl.question('telemetry [Y/n]: ', function (telemetry) {
+        if (!telemetry || /^y(es)?$/i.test(telemetry)) {
+          state.config.telemetry = true;
+        }
+        setTimeout(cb, 250);
+      });
+    }
+  ];
+  var fossSet = [
+    function askTokenOrSecret(cb) {
+      if (state._can_pair || state.token || state.config.token
+        || state.secret || state.config.secret) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What's your authorization for '" + state.config.relay + "'?");
+      console.info("");
+      // TODO check .well-known to learn supported token types
+      console.info("Currently supported:");
+      console.info("");
+      console.info("\tToken (JWT format)");
+      console.info("\tShared Secret (HMAC hex)");
+      //console.info("\tPrivate key (hex)");
+      console.info("");
+      rl.question('auth: ', function (resp) {
+        var jwt = require('jsonwebtoken');
+        resp = (resp || '').trim();
+        try {
+          jwt.decode(resp);
+          state.config.token = resp;
+        } catch(e) {
+          // is not jwt
+        }
+        if (!state.config.token) {
+          resp = resp.toLowerCase();
+          if (resp === Buffer.from(resp, 'hex').toString('hex')) {
+            state.config.secret = resp;
+          }
+        }
+        if (!state.config.token && !state.config.secret) {
+          askTokenOrSecret(cb);
+          return;
+        }
+        setTimeout(cb, 250);
+      });
+    }
+  , function askServernames(cb) {
+      if (!state.config.secret || state.config._servernames) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What servername(s) will you be relaying here?");
+      console.info("(use a comma-separated list such as example.com,example.net)");
+      console.info("");
+      rl.question('domain(s): ', function (resp) {
+        resp = (resp || '').trim().split(/,/g);
+        if (!resp.length) { askServernames(); return; }
+        // TODO validate the domains
+        state.config._servernames = resp;
+        setTimeout(cb, 250);
+      });
+    }
+  , function askPorts(cb) {
+      if (!state.config.secret || state.config._ports) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What tcp port(s) will you be relaying here?");
+      console.info("(use a comma-separated list such as 2222,5050)");
+      console.info("");
+      rl.question('port(s) [default:none]: ', function (resp) {
+        resp = (resp || '').trim().split(/,/g);
+        if (!resp.length) { askPorts(); return; }
+        // TODO validate the domains
+        state.config._ports = resp;
+        setTimeout(cb, 250);
+      });
+    }
+  ];
+  var nextSet = firstSet;
+
+  function next() {
+    var q = nextSet.shift();
+    if (!q) {
+      // https://github.com/nodejs/node/issues/21319
+      if (useTty) { try { stdin.push(null); } catch(e) { /*ignore*/ } }
+      rl.close();
+      if (useTty) { try { stdin.close(); } catch(e) { /*ignore*/ } }
+      mainCb(null, state);
+      return;
+    }
+    q(next);
+  }
+
+  next();
+}
+
+var utils = {
+  request: function request(opts, fn) {
+    if (!opts) { opts = {}; }
+    var service = opts.service || 'config';
+    var req = http.request({
+      socketPath: state._ipc.path
+    , method: opts.method || 'GET'
+    , path: '/rpc/' + service
+    }, function (resp) {
+      var body = '';
+
+      function finish() {
+        if (200 !== resp.statusCode) {
+          console.warn(resp.statusCode);
+          console.warn(body || ('get' + service + ' failed'));
+          //cb(new Error("not okay"), body);
+          return;
+        }
+
+        if (!body) { fn(null, null); return; }
+
+        try {
+          body = JSON.parse(body);
+        } catch(e) {
+          // ignore
+        }
+
+        fn(null, body);
+      }
+
+      if (resp.headers['content-length']) {
+        resp.on('data', function (chunk) {
+          body += chunk.toString();
+        });
+        resp.on('end', function () {
+          finish();
+        });
+      } else {
+        finish();
+      }
+    });
+    req.on('error', function (err) {
+      // ENOENT - never started, cleanly exited last start, or creating socket at a different path
+      // ECONNREFUSED - leftover socket just needs to be restarted
+      if ('ENOENT' === err.code || 'ECONNREFUSED' === err.code) {
+        if (opts._taketwo) {
+          console.error("Either the telebit service was not already (and could not be started) or its socket could not be written to.");
+          console.error(err);
+          return;
+        }
+        require('../usr/share/install-launcher.js').install({ env: process.env }, function (err) {
+          if (err) { fn(err); return; }
+          opts._taketwo = true;
+          setTimeout(function () {
+            utils.request(opts, fn);
+          }, 2500);
+        });
+        return;
+      }
+      if ('ENOTSOCK' === err.code) {
+        console.error(err);
+        return;
+      }
+      console.error(err);
+      return;
+    });
+    req.end();
+  }
+, putConfig: function putConfig(service, args, fn) {
+    var req = http.request({
+      socketPath: state._ipc.path
+    , method: 'POST'
+    , path: '/rpc/' + service + '?_body=' + encodeURIComponent(JSON.stringify(args))
+    }, function (resp) {
+
+      function finish() {
+        if ('function' === typeof fn) {
+          fn(null, resp);
+          return;
+        }
+
+        console.info("");
+        if (200 !== resp.statusCode) {
+          console.warn("'" + service + "' may have failed."
+           + " Consider peaking at the logs either with 'journalctl -xeu telebit' or /opt/telebit/var/log/error.log");
+          console.warn(resp.statusCode, body);
+          //cb(new Error("not okay"), body);
+          return;
+        }
+
+        if (!body) {
+          console.info("👌");
+          return;
+        }
+
+        try {
+          body = JSON.parse(body);
+        } catch(e) {
+          // ignore
+        }
+
+        if ("AWAIT_AUTH" === body.code) {
+          console.info(body.message);
+        } else if ("CONFIG" === body.code) {
+          delete body.code;
+          //console.info(TOML.stringify(body));
+          console.info(YAML.safeDump(body));
+        } else {
+          if ('http' === body.module) {
+            // TODO we'll support slingshot-ing in the future
+            if (String(body.local) === String(parseInt(body.local, 10))) {
+              console.info('> Forwarding https://' + body.remote + ' => localhost:' + body.local);
+            } else {
+              console.info('> Serving ' + body.local + ' as https://' + body.remote);
+            }
+          } else if ('tcp' === body.module) {
+              console.info('> Forwarding ' + state.config.relay + ':' + body.remote + ' => localhost:' + body.local);
+          } else if ('ssh' === body.module) {
+              //console.info('> Forwarding ' + state.config.relay + ' -p ' + JSON.stringify(body) + ' => localhost:' + body.local);
+              console.info('> Forwarding ssh+https (openssl proxy) => localhost:' + body.local);
+          } else {
+            console.info(JSON.stringify(body, null, 2));
+          }
+          console.info();
+        }
+      }
+
+      var body = '';
+      if (resp.headers['content-length']) {
+        resp.on('data', function (chunk) {
+          body += chunk.toString();
+        });
+        resp.on('end', function () {
+          finish();
+        });
+      } else {
+        finish();
+      }
+    });
+    req.on('error', function (err) {
+      console.error('Put Config Error:');
+      console.error(err);
+      return;
+    });
+    req.end();
+  }
+};
+
+// Two styles:
+//     http 3000
+//     http modulename
+function makeRpc(key) {
+  if (key !== argv[0]) {
+    return false;
+  }
+  utils.putConfig(argv[0], argv.slice(1));
+  return true;
+}
+
+function packConfig(config) {
+  return Object.keys(config).map(function (key) {
+    var val = config[key];
+    if ('undefined' === val) {
+      throw new Error("'undefined' used as a string value");
+    }
+    if ('undefined' === typeof val) {
+      //console.warn('[DEBUG]', key, 'is present but undefined');
+      return;
+    }
+    if (val && 'object' === typeof val && !Array.isArray(val)) {
+      val = JSON.stringify(val);
+    }
+    return key + ':' + val; // converts arrays to strings with ,
+  });
+}
+
+function getToken(err, state) {
+  if (err) {
+    console.error("Error while initializing config [init]:");
+    throw err;
+  }
+  state.relay = state.config.relay;
+
+  // { _otp, config: {} }
+  common.api.token(state, {
+    error: function (err/*, next*/) {
+      console.error("[Error] common.api.token:");
+      console.error(err);
+      return;
+    }
+  , directory: function (dir, next) {
+      //console.log('[directory] Telebit Relay Discovered:');
+      //console.log(dir);
+      state._apiDirectory = dir;
+      next();
+    }
+  , tunnelUrl: function (tunnelUrl, next) {
+      //console.log('[tunnelUrl] Telebit Relay Tunnel Socket:', tunnelUrl);
+      state.wss = tunnelUrl;
+      next();
+    }
+  , requested: function (authReq, next) {
+      //console.log("[requested] Pairing Requested");
+      state.config._otp = state.config._otp = authReq.otp;
+
+      if (!state.config.token && state._can_pair) {
+        console.info("");
+        console.info("==============================================");
+        console.info("                 Hey, Listen!                 ");
+        console.info("==============================================");
+        console.info("                                              ");
+        console.info("  GO CHECK YOUR EMAIL!                        ");
+        console.info("                                              ");
+        console.info("  DEVICE PAIR CODE:     0000                  ".replace(/0000/g, state.config._otp));
+        console.info("                                              ");
+        console.info("==============================================");
+        console.info("");
+      }
+
+      next();
+    }
+  , connect: function (pretoken, next) {
+      //console.log("[connect] Enabling Pairing Locally...");
+      state.config.pretoken = pretoken;
+      state._connecting = true;
+
+      // TODO use php-style object querification
+      utils.putConfig('config', packConfig(state.config), function (err/*, body*/) {
+        if (err) {
+          state._error = err;
+          console.error("Error while initializing config [connect]:");
+          console.error(err);
+          return;
+        }
+        console.info(TPLS.remote.waiting.replace(/{email}/, state.config.email));
+        next();
+      });
+    }
+  , offer: function (token, next) {
+      //console.log("[offer] Pairing Enabled by Relay");
+      state.config.token = token;
+      if (state._error) {
+        return;
+      }
+      state._connecting = true;
+      try {
+        require('jsonwebtoken').decode(token);
+        //console.log(require('jsonwebtoken').decode(token));
+      } catch(e) {
+        console.warn("[warning] could not decode token");
+      }
+      utils.putConfig('config', packConfig(state.config), function (err/*, body*/) {
+        if (err) {
+          state._error = err;
+          console.error("Error while initializing config [offer]:");
+          console.error(err);
+          return;
+        }
+        //console.log("Pairing Enabled Locally");
+        next();
+      });
+    }
+  , granted: function (_, next) {
+      //console.log("[grant] Pairing complete!");
+      next();
+    }
+  , end: function () {
+      utils.putConfig('enable', [], function (err) {
+        if (err) { console.error(err); return; }
+        console.info(TPLS.remote.success);
+
+        // workaround for https://github.com/nodejs/node/issues/21319
+        if (state._useTty) {
+          setTimeout(function () {
+            console.info(TPLS.remote.next_steps);
+            process.exit(0);
+          }, 0.5 * 1000);
+          return;
+        }
+        // end workaround
+
+        parseCli(state);
+      });
+    }
+  });
+}
+
+function parseCli(/*state*/) {
+  var special = [
+    'false', 'none', 'off', 'disable'
+  , 'true', 'auto', 'on', 'enable'
+  ];
+  if (-1 !== argv.indexOf('init')) {
+    utils.putConfig('list', []/*, function (err) {
+    }*/);
+    return;
+  }
+
+  if ([ 'ssh', 'http', 'tcp' ].some(function (key) {
+    if (key !== argv[0]) {
+      return false;
+    }
+    if (argv[1]) {
+      if (String(argv[1]) === String(parseInt(argv[1], 10))) {
+        // looks like a port
+        argv[1] = parseInt(argv[1], 10);
+      } else if (/\/|\\/.test(argv[1])) {
+        // looks like a path
+        argv[1] = path.resolve(argv[1]);
+        // TODO make a default assignment here
+      } else if (-1 === special.indexOf(argv[1])) {
+        console.error("Not sure what you meant by '" + argv[1] + "'.");
+        console.error("Remember: paths should begin with ." + path.sep + ", like '." + path.sep + argv[1] + "'");
+        return true;
+      }
+      utils.putConfig(argv[0], argv.slice(1));
+      return true;
+    }
+    return true;
+  })) {
+    return;
+  }
+
+  if ([ 'status', 'enable', 'disable', 'restart', 'list', 'save' ].some(makeRpc)) {
+    return;
+  }
+
+  help();
+  process.exit(11);
+}
+
+function handleConfig(err, config) {
+  //console.log('CONFIG');
+  //console.log(config);
+  state.config = config;
+  var verstrd = [ pkg.name + ' daemon v' + state.config.version ];
+  if (state.config.version && state.config.version !== pkg.version) {
+    console.info(verstr.join(' '), verstrd.join(' '));
+  } else {
+    console.info(verstr.join(' '));
+  }
+
+  if (err) { console.error(err); process.exit(101); return; }
+
+  //
+  // check for init first, before anything else
+  // because it has arguments that may help in
+  // the next steps
+  //
+  if (-1 !== argv.indexOf('init')) {
+    parsers.init(argv, getToken);
+    return;
+  }
+
+  if (!state.config.relay || !state.config.token) {
+    if (!state.config.relay) {
+      state.config.relay = 'telebit.cloud';
+    }
+
+    //console.log("question the user?", Date.now());
+    askForConfig(state, function (err, state) {
+      // no errors actually get passed, so this is just future-proofing
+      if (err) { throw err; }
+
+      if (!state.config.token && state._can_pair) {
+        state.config._otp = common.otp();
+      }
+
+      //console.log("done questioning:", Date.now());
+      if (!state.token && !state.config.token) {
+        getToken(err, state);
+      } else {
+        parseCli(state);
+      }
+    });
+    return;
+  }
+
+  //console.log("no questioning:");
+  parseCli(state);
+}
+
+function parseConfig(err, text) {
+  try {
+    state._clientConfig = JSON.parse(text || '{}');
+  } catch(e1) {
+    try {
+      state._clientConfig = YAML.safeLoad(text || '{}');
+    } catch(e2) {
+      try {
+        state._clientConfig = TOML.parse(text || '');
+      } catch(e3) {
+        console.error(e1.message);
+        console.error(e2.message);
+        process.exit(1);
+        return;
+      }
+    }
+  }
+
+  state._clientConfig = camelCopy(state._clientConfig || {}) || {};
+  common._init(
+    // make a default working dir and log dir
+    state._clientConfig.root || path.join(os.homedir(), '.local/share/telebit')
+  , (state._clientConfig.root && path.join(state._clientConfig.root, 'etc'))
+      || path.resolve(common.DEFAULT_CONFIG_PATH, '..')
+  );
+  state._ipc = common.pipename(state._clientConfig, true);
+
+  if (!Object.keys(state._clientConfig).length) {
+    console.info('(' + state._ipc.comment + ": " + state._ipc.path + ')');
+    console.info("");
+  }
+
+  if ((err && 'ENOENT' === err.code) || !Object.keys(state._clientConfig).length) {
+    if (!err || 'ENOENT' === err.code) {
+      //console.warn("Empty config file. Run 'telebit init' to configure.\n");
+    } else {
+      console.warn("Couldn't load config:\n\n\t" + err.message + "\n");
+    }
+  }
+
+  utils.request({ service: 'config' }, handleConfig);
+}
+
+var parsers = {
+  init: function (argv, parseCb) {
+    var answers = {};
+    var boolish = [ '--advanced' ];
+    if ('init' !== argv[0]) {
+      throw new Error("init must be the first argument");
+    }
+    argv.shift();
+
+    // init --foo bar
+    argv.forEach(function (arg, i) {
+      if (!/^--/.test(arg)) { return; }
+      if (-1 !== boolish.indexOf(arg)) {
+        answers['_' + arg.replace(/^--/, '')] = true;
+      }
+      if (/^-/.test(argv[i + 1])) {
+        throw new Error(argv[i + 1] + ' requires an argument');
+      }
+      answers[arg] = argv[i + 1];
+    });
+
+    // init foo:bar
+    argv.forEach(function (arg) {
+      if (/^--/.test(arg)) { return; }
+      var parts = arg.split(/:/g);
+      if (2 !== parts.length) {
+        throw new Error("bad option to init: '" + arg + "'");
+      }
+      if (answers[parts[0]]) {
+        throw new Error("duplicate key to init '" + parts[0] + "'");
+      }
+      answers[parts[0]] = parts[1];
+    });
+
+    if (answers.relay) {
+      console.info("using --relay " + answers.relay);
+    }
+    // things that aren't straight-forward copy-over
+    if (!answers.advanced && !answers.relay) {
+      answers.relay = 'telebit.cloud';
+    }
+    if (Array.isArray(common._NOTIFICATIONS[answers.update])) {
+      common._NOTIFICATIONS[answers.update].forEach(function (name) {
+        state.config[name] = true;
+      });
+    }
+    if (answers.servernames) {
+      state.config._servernames = answers.servernames;
+    }
+    if (answers.ports) {
+      state.config._ports = answers.ports;
+    }
+
+    // things that are straight-forward copy-over
+    common.CONFIG_KEYS.forEach(function (key) {
+      if ('true' === answers[key]) { answers[key] = true; }
+      if ('false' === answers[key]) { answers[key] = false; }
+      if ('null' === answers[key]) { answers[key] = null; }
+      if ('undefined' === answers[key]) { delete answers[key]; }
+      if ('undefined' !== typeof answers[key]) {
+        state.config[key] = answers[key];
+      }
+    });
+
+    askForConfig(state, function (err, state) {
+      if (err) { parseCb(err); return; }
+
+      if (!state.config.token && state._can_pair) {
+        state.config._otp = common.otp();
+      }
+
+      argv.unshift('init');
+      parseCb(null, state);
+    });
+  }
+};
+
+fs.readFile(confpath, 'utf8', parseConfig);
+
+}());

bin/telebit.js

@@ -0,0 +1,36 @@
+#!/usr/bin/env node
+(function () {
+'use strict';
+
+//
+// node telebit daemon arg1 arg2
+//
+if ('daemon' === process.argv[2]) {
+  require('./telebitd.js');
+  return;
+}
+
+//
+// sclient proxies
+//
+if ('sclient' === process.argv[2]) {
+  process.argv.splice(1,1);
+  return;
+}
+if ('rsync' === process.argv[2]) {
+  require('sclient/bin/sclient.js');
+  return;
+}
+if ('ssh' === process.argv[2] && /[\w-]+\.[a-z]{2,}/i.test(process.argv[3])) {
+  process.argv.splice(1,1,'sclient');
+  process.argv.splice(2,1,'ssh');
+  require('sclient/bin/sclient.js');
+  return;
+}
+
+//
+// telebit remote
+//
+require('./telebit-remote.js');
+
+}());

client.js

@@ -1,112 +0,0 @@
-'use strict';
-
-var net = require('net');
-var jwt = require('jsonwebtoken');
-var sni = require('sni');
-// TODO ask oauth3.org where to connect
-// TODO reconnect on disconnect
-
-// Assumption: will not get next tcp packet unless previous packet succeeded
-//var services = { 'ssh': 22, 'http': 80, 'https': 443 };
-var services = { 'ssh': 22, 'http': 4080, 'https': 8443 };
-var hostname = 'aj.daplie.me'; // 'test.hellabit.com'
-
-function addrToId(address) {
-  return address.family + ',' + address.address + ',' + address.port;
-}
-
-/*
-function socketToAddr(socket) {
-  return { family: socket.remoteFamily, address: socket.remoteAddress, port: socket.remotePort };
-}
-
-function socketToId(socket) {
-  return addrToId(socketToAddr(socket));
-}
-*/
-
-var tunneler = net.connect({ port: 5443 , host: hostname }, function () {
-  var token = jwt.sign({ name: hostname }, 'shhhhh');
-  var localclients = {};
-
-  setInterval(function () {
-    console.log('');
-    console.log('localclients.length:', Object.keys(localclients).length);
-    console.log('');
-  }, 5000);
-
-  tunneler.write(token);
-
-  // BaaS / Backendless / noBackend / horizon.io
-  // user authentication
-  // a place to store data
-  // file management
-  // Synergy Teamwork Paradigm = Jabberwocky
-  var pack = require('tunnel-packer').pack;
-
-  function onMessage(opts) {
-    var id = addrToId(opts);
-    var service = 'https';
-    var port = services[service];
-    var lclient;
-
-    if (opts.data.byteLength < 20) {
-      if ('|__ERROR__|' === opts.data.toString('utf8')
-        || '|__END__|' === opts.data.toString('utf8')) {
-
-        console.log("end '" + opts.address + "'");
-        if (localclients[id]) {
-          localclients[id].end();
-          delete localclients[id];
-        }
-        return;
-      }
-    }
-
-    if (localclients[id]) {
-      console.log("received data from '" + opts.address + "'", opts.data.byteLength);
-      localclients[id].write(opts.data);
-      return;
-    }
-
-    var servername = sni(opts.data);
-
-    if (!servername) {
-      console.warn("no servername found for '" + id + "'");
-      tunneler.write(pack(opts, Buffer.from('|__ERROR__|')));
-      return;
-    }
-
-    console.log("servername: '" + servername + "'");
-
-    lclient = localclients[id] = net.createConnection({ port: port, host: '127.0.0.1' }, function () {
-
-      lclient.on('data', function (chunk) {
-        console.log("client '" + opts.address + "' sent ", chunk.byteLength, "bytes");
-        tunneler.write(pack(opts, chunk));
-      });
-      lclient.on('error', function (err) {
-        console.error('client Error');
-        console.error(err);
-        delete localclients[id];
-        tunneler.write(pack(opts, Buffer.from('|__ERROR__|')));
-      });
-      lclient.on('end', function () {
-        console.log('client End');
-        delete localclients[id];
-        tunneler.write(pack(opts, Buffer.from('|__END__|')));
-      });
-
-      console.log('received data', opts.data.byteLength);
-      lclient.write(opts.data);
-    });
-  }
-
-  var machine = require('tunnel-packer').create({ onMessage: onMessage });
-
-  tunneler.on('data', machine.fns.addChunk);
-
-  tunneler.on('end', function () {
-    console.log('end');
-  });
-});

examples/telebit.full.yml

@@ -0,0 +1,20 @@
+email: 'jon@example.com'        # must be valid (for certificate recovery and security alerts)
+agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
+community_member: true          # receive infrequent relevant updates
+telemetry: true                 # contribute to project telemetric data
+relay: telebit.cloud            # Which Telebit Relay to use
+#secret: ''                      # Shared Secret with Telebit Relay for authorization
+#token: ''                       # Token created by Telebit Relay for authorization
+ssh_auto: 22                    # forward ssh-looking packets, from any connection, to port 22
+servernames:                    # hostnames that direct to the Telebit Relay admin console
+  example.com:
+    handler: 3000
+  example.net:
+    handler: /path/to/module
+ports:
+  5050:
+    handler: 54321
+greenlock:
+  version: 'draft-11'
+  server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+  config_dir: '/opt/telebit/etc/acme.staging/'

examples/telebit.minimal.yml

@@ -0,0 +1,7 @@
+email: 'jon@example.com'        # must be valid (for certificate recovery and security alerts)
+agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
+community_member: true          # receive infrequent relevant updates
+telemetry: true                 # contribute to project telemetric data
+relay: telebit.cloud            # Which Telebit Relay to use
+#secret: ''                      # Shared Secret with Telebit Relay for authorization
+#token: ''                       # Token created by Telebit Relay for authorization

httpsclient.js

@@ -1,13 +0,0 @@
-'use strict';
-
-var request = require('request');
-
-function run(copts) {
-  var tunnelUrl = 'https://tunnel.daplie.com/?access_token=' + copts.token;
-  request.get(tunnelUrl, { rejectUnauthorized: false }, function (err, resp) {
-    console.log('resp.body');
-    console.log(resp.body);
-  });
-}
-
-module.exports.connect = run;

lib/cli-common.js

@@ -0,0 +1,310 @@
+'use strict';
+
+module.exports.debug = (-1 !== (process.env.NODE_DEBUG||'').split(/\s+/g).indexOf('telebit'));
+var common = module.exports;
+
+var path = require('path');
+var url = require('url');
+var fs = require('fs');
+var mkdirp = require('mkdirp');
+var os = require('os');
+var homedir = os.homedir();
+var urequest = require('@coolaj86/urequest');
+
+common._NOTIFICATIONS = {
+  'newsletter': [ 'newsletter', 'communityMember' ]
+, 'important': [ 'communityMember' ]
+};
+common.CONFIG_KEYS = [
+  'newsletter'
+, 'communityMember'
+, 'telemetry'
+, 'sshAuto'
+, 'email'
+, 'agreeTos'
+, 'relay'
+, 'token'
+, 'pretoken'
+, 'secret'
+];
+//, '_servernames' // list instead of object
+//, '_ports'       // list instead of object
+//, '_otp'         // otp should not be saved
+//, '_token'       // temporary token
+
+common.getPort = function (config, cb) {
+  var portfile = path.resolve(config.sock || common.DEFAULT_SOCK_PATH, '..', 'telebit.port');
+  if (cb) {
+    return fs.readFile(portfile, 'utf8', function (err, text) {
+      cb(err, parseInt((text||'').trim(), 10) || null);
+    });
+  } else {
+    try {
+      return parseInt(fs.readFileSync(portfile, 'utf8').trim(), 10) || null;
+    } catch(e) {
+      return null;
+    }
+  }
+};
+common.setPort = function (config, num, cb) {
+  var portfile = path.resolve(config.sock || common.DEFAULT_SOCK_PATH, '..', 'telebit.port');
+  var numstr = (num || '').toString();
+  if (cb) {
+    return fs.writeFile(portfile, numstr, 'utf8', function (err) {
+      cb(err);
+    });
+  } else {
+    try {
+      return fs.writeFileSync(portfile, numstr, 'utf8');
+    } catch(e) {
+      return null;
+    }
+  }
+};
+common.removePort = function (config, cb) {
+  var portfile = path.resolve(config.sock || common.DEFAULT_SOCK_PATH, '..', 'telebit.port');
+  if (cb) {
+    return fs.unlink(portfile, function (err, text) {
+      cb(err, (text||'').trim());
+    });
+  } else {
+    try {
+      return fs.unlinkSync(portfile);
+    } catch(e) {
+      return null;
+    }
+  }
+};
+common.pipename = function (config) {
+  var _ipc = {
+    path: (config.sock || common.DEFAULT_SOCK_PATH)
+  , comment: (/^win/i.test(os.platform()) ? 'windows pipe' : 'unix socket')
+  , type: (/^win/i.test(os.platform()) ? 'pipe' : 'socket')
+  };
+  if ('pipe' === _ipc.type) {
+    // https://docs.microsoft.com/en-us/windows/desktop/ipc/pipe-names
+    // Allows all characters accept backslash as part of the name
+    _ipc.path = '\\\\.\\pipe\\' + _ipc.path.replace(/\\/g, '/');
+  }
+  return _ipc;
+};
+common.DEFAULT_SOCK_PATH = path.join(homedir, '.local/share/telebit/var/run', 'telebit.sock');
+common.DEFAULT_CONFIG_PATH = path.join(homedir, '.config/telebit', 'telebitd.yml');
+
+common.parseUrl = function (hostname) {
+  var location = url.parse(hostname);
+  if (!location.protocol || /\./.test(location.protocol)) {
+    hostname = 'https://' + hostname;
+    location = url.parse(hostname);
+  }
+  hostname = location.hostname + (location.port ? ':' + location.port : '');
+  hostname = location.protocol.replace(/https?/, 'https') + '//' + hostname + location.pathname;
+  return hostname;
+};
+common.parseHostname = function (hostname) {
+  var location = url.parse(hostname);
+  if (!location.protocol || /\./.test(location.protocol)) {
+    hostname = 'https://' + hostname;
+    location = url.parse(hostname);
+  }
+  //hostname = location.hostname + (location.port ? ':' + location.port : '');
+  //hostname = location.protocol.replace(/https?/, 'https') + '//' + hostname + location.pathname;
+  return location.hostname;
+};
+
+common.apiDirectory = '_apis/telebit.cloud/index.json';
+
+common.otp = function getOtp() {
+  return Math.round(Math.random() * 9999).toString().padStart(4, '0');
+};
+common.signToken = function (state) {
+  var jwt = require('jsonwebtoken');
+  var tokenData = {
+    domains: Object.keys(state.config.servernames || {}).filter(function (name) {
+      return /\./.test(name);
+    })
+  , ports: Object.keys(state.config.ports || {}).filter(function (port) {
+      port = parseInt(port, 10);
+      return port > 0 && port <= 65535;
+    })
+  , aud: state._relayUrl
+  , iss: Math.round(Date.now() / 1000)
+  };
+
+  return jwt.sign(tokenData, state.config.secret);
+};
+common.api = {};
+common.api.directory = function (state, next) {
+  state._relayUrl = common.parseUrl(state.relay);
+  urequest({ url: state._relayUrl + common.apiDirectory, json: true }, function (err, resp, dir) {
+    if (!dir) { dir = { api_host: ':hostname', tunnel: { method: "wss", pathname: "" } }; }
+    state._apiDirectory = dir;
+    next(err, dir);
+  });
+};
+common.api._parseWss = function (state, dir) {
+  if (!dir || !dir.api_host) {
+    dir = { api_host: ':hostname', tunnel: { method: "wss", pathname: "" } };
+  }
+  state._relayHostname = common.parseHostname(state.relay);
+  return dir.tunnel.method + '://' + dir.api_host.replace(/:hostname/g, state._relayHostname) + dir.tunnel.pathname;
+};
+common.api.wss = function (state, cb) {
+  common.api.directory(state, function (err, dir) {
+    cb(err, common.api._parseWss(state, dir));
+  });
+};
+common.api.token = function (state, handlers) {
+  common.api.directory(state, function (err, dir) {
+    // directory, requested, connect, tunnelUrl, offer, granted, end
+    function afterDir() {
+      if (common.debug) { console.log('[debug] after dir'); }
+      state.wss = common.api._parseWss(state, dir);
+
+      handlers.tunnelUrl(state.wss, function () {
+        if (common.debug) { console.log('[debug] after tunnelUrl'); }
+        if (state.config.secret /* && !state.config.token */) {
+          state.config._token = common.signToken(state);
+        }
+        state.token = state.token || state.config.token || state.config._token;
+        if (state.token) {
+          if (common.debug) { console.log('[debug] token via token or secret'); }
+          // { token, pretoken }
+          handlers.connect(state.token, function () {
+            handlers.end(null, function () {});
+          });
+          return;
+        }
+
+        // backwards compat (TODO remove)
+        if (err || !dir || !dir.pair_request) {
+          if (common.debug) { console.log('[debug] no dir, connect'); }
+          handlers.error(new Error("No token found or generated, and no pair_request api found."));
+          return;
+        }
+
+        // TODO sign token with own private key, including public key and thumbprint
+        //      (much like ACME JOSE account)
+        var otp = state.config._otp; // common.otp();
+        var authReq = {
+          subject: state.config.email
+        , subject_scheme: 'mailto'
+          // TODO create domains list earlier
+        , scope: (state.config._servernames || Object.keys(state.config.servernames || {}))
+            .concat(state.config._ports || Object.keys(state.config.ports || {})).join(',')
+        , otp: otp
+        , hostname: os.hostname()
+          // Used for User-Agent
+        , os_type: os.type()
+        , os_platform: os.platform()
+        , os_release: os.release()
+        , os_arch: os.arch()
+        };
+        var pairRequestUrl = url.resolve('https://' + dir.api_host.replace(/:hostname/g, state._relayHostname), dir.pair_request.pathname);
+        var req = {
+          url: pairRequestUrl
+        , method: dir.pair_request.method
+        , json: authReq
+        };
+        var firstReq = true;
+        var firstReady = true;
+
+        function gotoNext(req) {
+          if (common.debug) { console.log('[debug] gotoNext called'); }
+          if (common.debug) { console.log(req); }
+          urequest(req, function (err, resp, body) {
+            if (err) {
+              if (common.debug) { console.log('[debug] gotoNext error'); }
+              err._request = req;
+              err._hint = '[telebitd.js] pair request';
+              handlers.error(err, function () {});
+              return;
+            }
+
+            function checkLocation() {
+              if (common.debug) { console.log('[debug] checkLocation'); }
+              if (common.debug) { console.log(body); }
+              // pending, try again
+              if ('pending' === body.status && resp.headers.location) {
+                if (common.debug) { console.log('[debug] pending'); }
+                setTimeout(gotoNext, 2 * 1000, { url: resp.headers.location, json: true });
+                return;
+              }
+
+              if ('ready' === body.status) {
+                if (common.debug) { console.log('[debug] ready'); }
+                if (firstReady) {
+                  if (common.debug) { console.log('[debug] first ready'); }
+                  firstReady = false;
+                  state.token = body.access_token;
+                  state.config.token = state.token;
+                  handlers.offer(body.access_token, function () {
+                    /*ignore*/
+                  });
+                }
+                setTimeout(gotoNext, 2 * 1000, req);
+                return;
+              }
+
+              if ('complete' === body.status) {
+                if (common.debug) { console.log('[debug] complete'); }
+                handlers.granted(null, function () {
+                  handlers.end(null, function () {});
+                });
+                return;
+              }
+
+              if (common.debug) { console.log('[debug] bad status'); }
+              var err = new Error("Bad State:" + body.status);
+              err._request = req;
+              handlers.error(err, function () {});
+            }
+
+            if (firstReq) {
+              if (common.debug) { console.log('[debug] first req'); }
+              handlers.requested(authReq, function () {
+                handlers.connect(body.access_token || body.jwt, function () {
+                  var err;
+                  if (!resp.headers.location) {
+                    err = new Error("bad authentication request response");
+                    err._resp = resp.toJSON();
+                    handlers.error(err, function () {});
+                    return;
+                  }
+                  setTimeout(gotoNext, 2 * 1000, { url: resp.headers.location, json: true });
+                });
+              });
+              firstReq = false;
+              return;
+            } else {
+              if (common.debug) { console.log('[debug] other req'); }
+              checkLocation();
+            }
+          });
+        }
+
+        gotoNext(req);
+
+      });
+    }
+
+    if (dir && dir.api_host) {
+      handlers.directory(dir, afterDir);
+    } else {
+      // backwards compat
+      dir = { api_host: ':hostname', tunnel: { method: "wss", pathname: "" } };
+      afterDir();
+    }
+  });
+
+};
+
+common._init = function (rootpath, confpath) {
+  try {
+    mkdirp.sync(path.join(rootpath, 'var', 'log'));
+    mkdirp.sync(path.join(rootpath, 'var', 'run'));
+    mkdirp.sync(path.join(confpath));
+  } catch(e) {
+    console.error(e);
+  }
+};

lib/en-us.toml

@@ -0,0 +1,493 @@
+[help]
+
+remote = "telebit remote v{version}
+
+Telebit Remote is the T-Rex long-arm of the Internet. UNSTOPPABLE!
+
+Using reliable HTTPS tunneling to establishing peer-to-peer connections,
+Telebit is empowering the next generation of tinkerers. Access your devices.
+Share your stuff. Be UNSTOPPABLE! (Join us at https://rootprojects.org)
+
+Usage:
+
+        telebit [flags] <command> [arguments]
+        ex: telebit http ~/Public
+
+The flags are:
+
+        --config <path> specify config file (default is ~/.config/telebit/telebit.yml)
+        --json        output json instead of text, if available
+        -h,--help     display this menu (or sub-command menus)
+
+The commands are:
+
+        status        show status and configuration info
+
+        http          access files, folders, and local apps via https (secure)
+        ssh           enable remote access to this device with ssh-over-https
+        ssh (client)  access devices via ssh-over-https (telebit, stunnel, openssl, etc)
+        tcp           forward tcp locally
+
+        enable        turn on remote access and sharing
+        disable       turn off remote access and sharing
+
+        activate      start and register the telebit service
+        disable       stop and unregister the telebit service
+
+        config (doc)  config file format and settings
+        client (doc)  vpn, ftp, rsync, scp, ssh-proxy, sclient
+
+Use \"telebit help [command]\" for more information about a command, including flags.
+
+Additional help topics:
+
+        daemon        telebit daemon secure background service
+        relay         telebit secure relay, hosted, and self-hosting options
+
+Copyright 2015-2018 AJ ONeal https://telebit.cloud MPL-2.0 Licensed (RAWR!)"
+
+client = "telebit client v{version}
+
+        ftp           secure ftp file transfer between devices
+        rsync         rsync over https and proxy commands
+        scp           scp over https and proxy commands
+        sclient       use the sclient emebbed within telebit
+        ssh-proxy     ssh over https and proxy commands
+        vpn (client)  home network access and private web browsing via socks5
+
+Use \"telebit help [command]\" for more information about a command, including flags.
+
+Copyright 2015-2018 AJ ONeal https://telebit.cloud MPL-2.0 Licensed (RAWR!)"
+
+status = "usage: telebit status
+
+'telebit status' shows details about the current connections (or lack thereof).
+
+Example:
+
+        Status: RAWR! (uptime: 45 minutes)
+
+        Forwarding ssh+https://jon.telebit.io => localhost:22
+        Forwarding https://client.jon.telebit.io => localhost:3000
+        Serving https://public.jon.telebit.io from ~/Public
+        Syncing ~/shared => home.jon.telebit.io:shared
+
+        Relay: https://telebit.cloud
+        Launcher: user
+
+Additional help topics: enable, disable"
+
+enable = "Enable Telebit - Re-enable and accept incoming connections
+
+usage: telebit enable
+
+        enable                Re-enable incoming connections for https, ssh, etc"
+
+disable = "Disable Telebit - Reject https, ssh, and tcp connections
+
+usage: telebit disable
+
+        disable               (Temporarily) reject incoming connections for https,
+                              ssh, etc without deleting the current configuration.
+
+                              Perists on restart, but can be re-enabled remotely
+                              (with your authorization only)."
+
+activate = "Activate Telebit - Start telebit (if not running) and register a launcher
+
+Usage:
+
+        telebit activate [flags]
+        ex: telebit activate --launcher none
+
+The flags may be exactly one of:
+
+        --no-launcher uregister any launchers (start manually)
+        --user-launcher (default) register an unprivileged launcher (start on login)
+        --system-launcher register with the system launcher (start on boot)
+
+Note: telebit relies on the system launcher to recover from certain error conditions"
+
+deactivate = "Deactivate Telebit - Unregister userspace (or system) launcher and stop
+
+Usage:
+
+        telebit deactivate [flags]
+        ex: telebit deactivate --keep alive
+
+The flags are:
+
+        --keep-launcher stop telebit without unregistering the launcher
+        --keep-alive unregister launcher without stopping"
+
+http = "Telebit HTTP - The UNSTOPPABLE way to share files, folders, and local apps.
+
+usage: telebit http <path/port/none> [subdomain]
+
+        http <DIR> [subdomain]          serve a file, folder, or node express app
+        ex: telebit http ~/Public pub   ex: securely host ~/Public as pub.johndoe.telebit.io
+
+        http <PORT> [subdomain]         forward all https traffic to a local app
+        ex: telebit http 3000 app       ex: publicize localhost:3000 as app.johndoe.telebit.io
+
+        http none [subdomain]           remove secure http access for (any or all) subdomain(s)
+        ex: telebit http none           ex: remove all https access
+
+Use cases:
+
+        - Lazy man's AirDrop (works for lazy women too!)
+        - Testing dev sites on a phone
+        - Sharing indie music and movies with friends"
+
+ssh = "Telebit SSH - The UNSTOPPABLE way to remote into your devices.
+
+usage: telebit ssh <auto|port|none>
+
+All https traffic will be inspected to see if it looks like ssh Once enabled all traffic that looks
+
+        ssh auto                        Make ssh Just Work™ (on port 22)
+
+        ssh <port>                      forward ssh traffic to non-standard port
+        ex: telebit ssh 22              ex: explicitly forward ssh-looking packets to localhost:22
+
+        ssh none                        Disables ssh tunneling
+
+Telebit SSH Client
+
+usage: telebit ssh <remote> [ssh flags and options]
+
+This is just a shortcut for \"ssh\", with all ssh-over-https options turned on.
+
+        ssh <remote>                    Make ssh Just Work™ (over https)
+        ex: telebit ssh jon.telebit.io  ex:
+
+\"telebit help ssh-proxy\" for more info
+
+Use cases:
+
+        - Access your home computer from work.
+        - Access your work computer from home.
+        - Good ol' fashioned screen/tmux style pair programming"
+
+ssh-proxy = "Proxying SSH over HTTPS
+
+Wrapping SSH in HTTPS makes it accessible anywhere and also makes it routable.
+Whether inside a harsh network environment or even if hindered by a poorly
+configured firewall, once wrapped in tls, ssh becomes UNSTOPPABLE.
+
+Usage:
+        telebit ssh <remote> [ssh flags and options]
+
+Example:
+
+        telebit ssh jon.telebit.io
+
+It is NOT at all neccessary to use \"telebit ssh\", it's just a convenience.
+Wanna know why, and the alternatives? Keep reading!
+
+## History
+
+When TLS sends an encrypted packet over the network it begins with a handshake
+which shows the things like the tls version and the host SERVERNAME unencrypted
+so that the remote server can respond with the correct certificate.
+
+SSH was created well before TLS and has a completely different header. The good
+news is that, unlike some other early internet protocols, it does have a header
+with its name and version, but it doesn't have anything to identify the server.
+
+##  Telebit + SSH
+
+Here's why:
+
+When you're running ssh through an https tunnel (as telebit does) you
+can't just use \"ssh me.example.com\" to get in. You have to tell ssh that you
+want to use an https tunnel. Using \"telebit ssh\" as a client will specify
+all of the correct ssh options.
+
+However, when you want to connect to ssh over https, you either have to pass
+the correct arguments or modify your ~/.ssh/config to use \"openssl s_client\".
+
+We explain the different configurations below:
+
+## SSH + openssl
+
+The configuration that's most likely to work with what's already installed on
+your machine is this:
+
+        Host jon.telebit.io
+          ProxyCommand openssl s_client -quiet -connect %h:443 -servername %h
+
+Or you would call ssh directly, like this:
+
+        ssh jon.telebit.io -o ProxyCommand=\"openssl s_client -quiet -connect %h:443 -servername %h\"
+
+It's rather simple, but it looks quite daunting.
+
+## SSH + sclient
+
+Because that looks a little hairy, we created \"sclient\", so that the example
+could look a bit more digestible:
+
+        Host jon.telebit.io
+          ProxyCommand sclient %h
+
+Or
+
+        ssh jon.telebit.io -o ProxyCommand=\"sclient %h\"
+
+## Inverse SSH Tunnel (same as stunnel)
+
+The commands above instruct ssh to open a pipe into openssl or sclient. If we
+instead want to connect ssh to a local tunnel, it looks like this:
+
+        Host jon.telebit.io
+          Hostname localhost
+          Port 3000
+          HostKeyAlias jon.telebit.io
+          CheckHostIP no
+          RequestTTY force
+
+Or
+
+        ssh localhost -p 3000 -t -o CheckHostIP=no -o HostKeyAlias=jon.telebit.io
+
+## See also
+
+    telebit ftp
+    telebit vpn"
+
+tcp = "Telebit TCP - Seemless connectivity to LEGACY apps.
+Use 'telebit http' instead, where possible (including for ssh).
+
+usage: telebit tcp <path/port/none>
+
+        tcp <local> [remote]          forward tcp to <local> from <remote>
+        ex: telebit tcp 5050 6565     ex: forward tcp port 6565 locally to port 5050
+
+        tcp <path> [remote]           show ftp-style directory listing
+        ex: telebit tcp ~/Public      ex: show listing of ~/Public
+
+        tcp none [remote]             disable tcp access for [remote] port
+        ex: telebit tcp none 6565     ex: remove access to port 6565
+
+Use cases:
+
+        - Debugging plain TCP when troubleshooting a legacy app
+        - You can't install a secure client (like telebit, sclient, openssl, or stunnel)
+
+See also sclient <https://telebit.cloud/sclient> for connecting to legacy apps
+with telebit-upscaled secure https access."
+
+scp = "Telebit (Client) scp
+
+See \"telebit rsync\"."
+
+rsync = "Telebit (Client) rsync - Sync files to or from another computer
+
+Sync files and directories from one computer to another.
+
+Usage:
+
+        telebit rsync [flags] <src> <dst> [arguments]
+        ex: telebit rsync -av home.jon.telebit.cloud:shared/ ~/shared/ --exclude=tmp
+
+This is not a full implementation of rsync, but rather a convenience wrapper
+around rsync which passes the correct options to ssh for https tunneling.
+
+Due to the way telebit wraps rsync, all flags which take an argumnt must
+go after the source and destination paths / addresses.
+
+See also: telebit help ssh-proxy"
+
+vpn = "Telebit (Client) vpn - Use with Firefox for UNSTOPPABLE web browsing
+
+This provides a very easy-to-use, lightweight VPN known as Socks5 that can be
+used directly by Firefox and Chrome without requiring administrator privileges.
+
+Usage:
+
+        telebit vpn --socks5 <port> <remote>
+        ex: telebit vpn --socks5 6789 home.jon.telebit.io
+
+The flags are:
+
+        --socks5 <port> You MUST specify the socks5 port
+
+Firefox Configuration:
+
+        Firefox -> Preferences
+        Advanced -> Network
+        Connection -> Settings
+
+        Manual proxy configuration:
+
+        SOCKS Host: localhost
+        Port: 6789
+        SOCKS v5
+
+Just like a full vpn client, it routes your IP traffic places through the VPN
+server (which in this case is another one of your telebit devices), but only
+for traffic in the configured browser. You can still access school and office
+resources in the other browser (and other applications) the need to switch a
+full VPN on and off.
+
+As will all other telebit functionality, this use https tunneling and will not
+be disrupted by unfavorable network conditions.
+
+Use cases:
+
+        - Watch your US Netflix using your home IP while traveling abroad.
+        - Log into your router as if from inside your home network.
+        - Disregard poorly configured web proxies at school or work.
+
+See also: telebit help ssh-proxy"
+
+ftp = "Telebit (Client) Secure FTP
+
+Alias of \"telebit rsync\"
+
+The original FTP was superseded by sftp and then rsync a few decades ago,
+however, sometimes we refer to its successors, generically, as \"FTP\"
+(just like you might say \"hang up\" the phone).
+
+## History
+
+FTP is a legacy of the 1970s. It served its purpose well on local networks, but
+was extremely dangerous on the Internet due to its lack of security and various
+vulnerabilities. On some legacy systems it remains an easy target to steal
+passwords and load viruses onto computers.
+
+Although very few systems have ftp installed today (thank goodness), almost every
+computer comes with rsync already installed and ready to go.
+
+Use \"telebit rsync\" instead."
+
+daemon = "telebit daemon v{version}
+
+Usage:
+
+        telebit daemon --config <path>
+        ex: telebit daemon --config ~/.config/telebit/telebitd.yml
+
+Additional help topics:
+
+        config    config file format and settings
+        remote    telebit cli remote control
+
+Copyright 2015-2018 https://telebit.cloud MPL-2.0 Licensed"
+
+config = "Telebit Config (docs)
+
+There are TWO config files:
+
+        remote    ~/.config/telebit/telebit.yml
+
+        daemon    ~/.config/telebit/telebitd.yml
+
+### Remote Config
+
+This only specifies the ipc - socket path (dir), address, or pipe name.
+All other options are handled by the daemon.
+
+    ipc: /Users/aj/.local/share/telebit/var/run/
+
+### Daemon Config
+
+    relay: telebit.cloud            the relay to use
+    secret: null                    HMAC secret for self-hosted relay
+    email: jon@example.com          the email to authenticate
+    agree_tos: true                 agree to Telebit, Greenlock, & Let's Encrypt, ToS
+    community_member: true          get rare but relevant community updates
+    telemetry: true                 contribute to project telemetry
+    servernames:
+      example.com:                  don't reject https traffic for example.com
+        wildcard: true              allow assignment to subdomains
+        handler: ~/Public           whether to use a static server by path or app by port
+      home.example.com:
+        wildcard: true
+        handler: 3000
+    ssh_auto: 22                    forward ssh-ish traffic to port 22
+
+See also: telebit help relay"
+
+sclient = "sclient
+
+Usage:
+
+        sclient [flags] <remote> [local]
+        ex: sclient whatever.com:443 localhost:3000
+        ex: sclient whatever.com -
+        ex: printf \"GET / HTTP/1.1\\n\\n\" | sclient whatever.com
+
+sclient is a standalane tls unwrapper. For convenience it's bundled with telebit
+as the passthru subcommand \"telebit sclient\" and functions exactly the name.
+
+        telebit sclient [flags] <remote> [local]
+        ex: printf \"GET / HTTP/1.1\\n\\n\" | telebit sclient whatever.com
+
+See https://telebit.cloud/sclient/"
+
+relay = "Telebit Relay
+
+We envision a future with better routers capable of providing reliable Internet
+connectivity, and trusted peers bridging the gaps between unfavorable network
+conditions.
+
+We plan to always run telebit.cloud as a relay-as-a-service for convenience,
+but it is our hope that, if your network conditions permit, you will also run
+your own telebit relay for your friends, family, and yourself.
+
+See https://git.coolaj86.com/coolaj86/telebit-relay.js"
+
+in-n-out = "Telebit Secret Menu
+
+The secret flags are:
+
+        --profile <name>            Use config files, sockets, and pipes with this name.
+                                    For debugging and development. (default: telbit, telebitd)
+        --set-profile <name>        Switch from the default profile
+        --address <path|host:port>  Use explicit socket path (or address) or pipe name
+                                    Overrides \"--profile\""
+
+[remote]
+version = "telebit remote v{version}"
+
+code = "
+==============================================
+                 Hey, Listen!
+==============================================
+
+  GO CHECK YOUR EMAIL!
+
+  DEVICE PAIR CODE:     0000
+
+==============================================
+"
+
+waiting = "waiting for you to check your email..."
+
+success = "Success"
+
+next_steps = "Some fun things to try first:
+
+    ~/telebit http ~/Public
+    ~/telebit tcp 5050
+    ~/telebit ssh auto
+
+Press any key to continue...
+"
+
+[remote.setup]
+
+email = "Welcome!
+
+By using Telebit you agree to:
+
+      [x] Accept the Telebit™ terms of service
+      [x] Accept the Let's Encrypt™ terms of service
+
+Enter your email to agree and login/create your account:
+"
+
+[daemon]
+version = "telebit daemon v{version}"

lib/handlers/local-app-error.js

@@ -0,0 +1,19 @@
+'use strict';
+
+module.exports = function (opts) {
+  console.log("Could not connect");
+  var socket = opts.socket;
+  var handler = opts.handler;
+  var http = require('http');
+  var server = http.createServer(function (req, res) {
+    console.log('responding to thing');
+    res.statusCode = 500;
+    res.setHeader('Content-Type', 'text/html');
+    res.end("<html>"
+      + "<head><title>Couldn't Connect</title></head>"
+      + "<body>Could not connect to localhost:" + handler + "</body>"
+    + "</html>");
+  });
+  //server.emit('connection', socket);
+  socket.end("Could not connect to localhost:" + handler);
+};

lib/html/css/main.css

@@ -0,0 +1,31 @@
+
+
+
+body {
+    font-family: Source Sans Pro, sans-serif;
+    font-size: 18px;
+    color: #1a1a1a;
+    letter-spacing: -0.022222222em;
+    line-height: 1.33;
+    margin: 0;
+    text-align: center;
+    padding: 2em 0 2em 0;
+}
+
+code {}
+
+code, pre {
+    font-family: Source Code Pro, monospace;
+}
+
+.code-block {
+    text-align: left;
+    display: inline-block;
+}
+
+span.logo {
+    font-size: 1.666em;
+    font-weight: bold;
+}
+
+p {margin-bottom: 0.5em;margin-top: 1.5em;}

lib/html/index.html

@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Telebit</title>
+    <meta charset="utf-8">
+    <link href="./css/main.css" rel="stylesheet">
+    <style>
+      @font-face {
+        font-family: 'Source Sans Pro';
+        font-style: normal;
+        font-display: block;
+        font-weight: 400;
+        src: local('Source Sans Pro Regular'), local('SourceSansPro-Regular'), url(./fonts/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7l.woff2) format('woff2');
+        unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+      }
+      @font-face {
+        font-family: 'Source Sans Pro';
+        font-style: normal;
+        font-weight: 700;
+        font-display: block;
+        src: local('Source Sans Pro Bold'), local('SourceSansPro-Bold'), url(./fonts/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdu.woff2) format('woff2');
+        unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+      }
+      @font-face {
+        font-family: 'Source Code Pro';
+        font-style: normal;
+        font-weight: 400;
+        src: local('Source Code Pro'), local('SourceCodePro-Regular'), url(./fonts/HI_SiYsKILxRpg3hIP6sJ7fM7PqlPevW.woff2) format('woff2');
+        unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+      }
+    </style>
+    <link rel="preload" href="./fonts/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdu.woff2" as="font" crossorigin="anonymous">
+    <link rel="preload" href="./fonts/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7l.woff2" as="font" crossorigin="anonymous">
+    <link rel="preload" href="./fonts/HI_SiYsKILxRpg3hIP6sJ7fM7PqlPevW.woff2" as="font" crossorigin="anonymous">
+
+  </head>
+  <body>
+    <script>document.body.hidden = true;</script>
+  <!-- let's define our SVG that we will use later -->
+    <svg width="0" height="0" viewBox="0 0 24 24">
+      <defs>
+        <g id="svg-lock">
+          <path d="M0 0h24v24H0z" fill="none"/>
+          <path d="M18 8h-1V6c0-2.76-2.24-5-5-5S7 3.24 7 6v2H6c-1.1 0-2 .9-2 2v10c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V10c0-1.1-.9-2-2-2zm-6 9c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2zm3.1-9H8.9V6c0-1.71 1.39-3.1 3.1-3.1 1.71 0 3.1 1.39 3.1 3.1v2z"/>
+        </g>
+      </defs>
+    </svg>
+    <span class="logo">Telebit</span>
+    <h1>Welcome Home <!-- as in 127.0.0.1, y'know ;) --></h1>
+    <div>Go ahead and bookmark this page. It's yours now.</div>
+
+    <div>
+      <h2>You've claimed <span class="js-servername">{{servername}}</span></h2>
+      <p>Here are some ways you can use Telebit via Terminal or other Command Line Interface:</p>
+      <div class="code-block">
+	      <br />
+        <pre><code>~/telebit ssh auto            # allows you to connect to your computer with <br />                                ssh-over-https from a different computer</span></code></pre>
+        <pre><code>~/telebit http ~/Public            # serve a public folder
+~/telebit http 3000                # forward all https traffic to localhost:3000
+~/telebit http none                # remove all https handlers</code></pre>
+      </div>
+    </div>
+    <p>And remember you can <em>always</em> tunnel <strong>SSH over HTTPS</strong>,
+      even while you're using it for something else:</p>
+  <p>&nbsp;</p>
+  
+    <details>
+    <p><summary><strong>Here are some examples for those of you that want to access files and folders remotely.  </strong></summary></p>
+    <p><strong>This function allows you to connect one computer to another computer you also have SSH on.</strong></p>
+      <div class="code-block"><pre><code>~/telebit ssh <span class="js-servername">{{servername}}</span></code></pre>
+      	<br>
+    		- or -
+    		<pre><code>ssh -o ProxyCommand='<a href="https://telebit.cloud/sclient">sclient</a> %h' <span class="js-servername">{{servername}}</span></code></pre>
+    		- or -
+    		<pre><code>proxy_cmd='openssl s_client -connect %h:443 -servername %h -quiet'
+ssh -o ProxyCommand="$proxy_cmd" <span class="js-servername">{{servername}}</span></code></pre>
+			</div>
+    <pre><code>ssh -o ProxyCommand='openssl s_client -connect %h:443 -servername %h -quiet' <span class="js-servername">{{servername}}</span></code></pre>
+    </details>
+    <!--div class="js-port" hidden>
+      <h2>You've claimed port <span class="js-serviceport">{{serviceport}}</span></h2>
+      <p>Here's some ways you can use it:</p>
+      <div class="code-block"><pre><code>telebit tcp 3000                 # forward all tcp traffic to localhost:3000
+telebit tcp /path/to/module      # handle incoming tcp traffic with a node module
+telebit tcp none                 # remove all tcp handlers</code></pre>
+      </div>
+      <p>You can <em>always</em> use this port for <strong>SSH</strong>, even while you're using it for something else:</p>
+      <div class="code-block"><pre><code>telebit ssh 22
+
+ssh <span class="js-servername">{{servername}}</span> -p <span class="js-serviceport">{{serviceport}}</span></code></pre></div>
+    </div -->
+
+    <script src="js/app.js"></script>
+  </body>
+</html>

lib/html/js/app.js

@@ -0,0 +1,49 @@
+(function () {
+'use strict';
+
+document.body.hidden = false;
+
+var hash = window.location.hash.replace(/^[\/#?]+/, '');
+var query = window.location.search;
+
+function parseQuery(search) {
+    var args = search.substring(1).split('&');
+    var argsParsed = {};
+    var i, arg, kvp, key, value;
+
+    for (i=0; i < args.length; i++) {
+
+        arg = args[i];
+
+        if (-1 === arg.indexOf('=')) {
+
+            argsParsed[decodeURIComponent(arg).trim()] = true;
+
+        } else {
+
+            kvp = arg.split('=');
+            key = decodeURIComponent(kvp[0]).trim();
+            value = decodeURIComponent(kvp[1]).trim();
+            argsParsed[key] = value;
+
+        }
+    }
+
+    return argsParsed;
+}
+
+document.querySelectorAll('.js-servername').forEach(function ($el) {
+  $el.innerText = window.location.host;
+});
+
+console.log(parseQuery(hash));
+console.log(parseQuery(query));
+var port = parseQuery(hash).serviceport || parseQuery(query).serviceport;
+if (port) {
+  document.querySelector('.js-port').hidden = false;
+  document.querySelectorAll('.js-serviceport').forEach(function ($el) {
+    $el.innerText = port;
+  });
+}
+
+}());

lib/remote.js

@@ -0,0 +1,583 @@
+(function () {
+'use strict';
+
+var PromiseA;
+try {
+  PromiseA = require('bluebird');
+} catch(e) {
+  PromiseA = global.Promise;
+}
+var WebSocket = require('ws');
+var sni = require('sni');
+var Packer = require('proxy-packer');
+var os = require('os');
+var EventEmitter = require('events').EventEmitter;
+
+function timeoutPromise(duration) {
+  return new PromiseA(function (resolve) {
+    setTimeout(resolve, duration);
+  });
+}
+
+function TelebitRemote(state) {
+  // jshint latedef:false
+
+  if (!(this instanceof TelebitRemote)) {
+    return new TelebitRemote(state);
+  }
+  EventEmitter.call(this);
+  var me = this;
+  var priv = {};
+
+  //var defaultHttpTimeout = (2 * 60);
+  //var activityTimeout = state.activityTimeout || (defaultHttpTimeout - 5) * 1000;
+  var activityTimeout = 6 * 1000;
+  var pongTimeout = state.pongTimeout || 10*1000;
+  // Allow the tunnel client to be created with no token. This will prevent the connection from
+  // being established initialy and allows the caller to use `.append` for the first token so
+  // they can get a promise that will provide feedback about invalid tokens.
+  priv.tokens = [];
+  var auth;
+  if(!state.sortingHat) {
+    state.sortingHat = "./sorting-hat.js";
+  }
+  if (state.token) {
+    if ('undefined' === state.token) {
+      throw new Error("passed string 'undefined' as token");
+    }
+    priv.tokens.push(state.token);
+  }
+
+  var wstunneler;
+  var authenticated = false;
+  var authsent = false;
+  var initialConnect = true;
+
+  priv.localclients = {};
+  var pausedClients = [];
+  var clientHandlers = {
+    add: function (conn, cid, tun) {
+      priv.localclients[cid] = conn;
+      console.info("[connect] new client '" + tun.name + ":" + tun.serviceport + "' for  '" + cid + "'"
+        + "(" + clientHandlers.count() + " clients)");
+
+      conn.tunnelCid = cid;
+      if (tun.data) {
+        conn.tunnelRead = tun.data.byteLength;
+      } else {
+        conn.tunnelRead = 0;
+      }
+      conn.tunnelWritten = 0;
+
+      conn.on('data', function onLocalData(chunk) {
+        //var chunk = conn.read();
+        if (conn.tunnelClosing) {
+          console.warn("[onLocalData] received data for '"+cid+"' over socket after connection was ended");
+          return;
+        }
+        // This value is bytes written to the tunnel (ie read from the local connection)
+        conn.tunnelWritten += chunk.byteLength;
+
+        // If we have a lot of buffered data waiting to be sent over the websocket we want to slow
+        // down the data we are getting to send over. We also want to pause all active connections
+        // if any connections are paused to make things more fair so one connection doesn't get
+        // stuff waiting for all other connections to finish because it tried writing near the border.
+        var bufSize = sendMessage(Packer.packHeader(tun, chunk));
+        // Sending 2 messages instead of copying the buffer
+        var bufSize2 = sendMessage(chunk);
+        if (pausedClients.length || (bufSize + bufSize2) > 1024*1024) {
+          // console.log('[onLocalData] paused connection', cid, 'to allow websocket to catch up');
+          conn.pause();
+          pausedClients.push(conn);
+        }
+      });
+
+      var sentEnd = false;
+      conn.on('end', function onLocalEnd() {
+        //console.info("[onLocalEnd] connection '" + cid + "' ended, will probably close soon");
+        conn.tunnelClosing = true;
+        if (!sentEnd) {
+          sendMessage(Packer.packHeader(tun, null, 'end'));
+          sentEnd = true;
+        }
+      });
+      conn.on('error', function onLocalError(err) {
+        console.info("[onLocalError] connection '" + cid + "' errored:", err);
+        if (!sentEnd) {
+          var packBody = true;
+          sendMessage(Packer.packHeader(tun, {message: err.message, code: err.code}, 'error', packBody));
+          sentEnd = true;
+        }
+      });
+      conn.on('close', function onLocalClose(hadErr) {
+        delete priv.localclients[cid];
+        console.log('[onLocalClose] closed "' + cid + '" read:'+conn.tunnelRead+', wrote:'+conn.tunnelWritten+' (' + clientHandlers.count() + ' clients)');
+        if (!sentEnd) {
+          sendMessage(Packer.packHeader(tun, null, hadErr && 'error' || 'end'));
+          sentEnd = true;
+        }
+      });
+    }
+
+  , write: function (cid, opts) {
+      var conn = priv.localclients[cid];
+      if (!conn) {
+        return false;
+      }
+      //console.log("[=>] received data from '" + cid + "' =>", opts.data.byteLength);
+
+      if (conn.tunnelClosing) {
+        console.warn("[onmessage] received data for '"+cid+"' over socket after connection was ended");
+        return true;
+      }
+
+      conn.write(opts.data);
+      // It might seem weird to increase the "read" value in a function named `write`, but this
+      // is bytes read from the tunnel and written to the local connection.
+      conn.tunnelRead += opts.data.byteLength;
+
+      if (!conn.remotePaused && conn.bufferSize > 1024*1024) {
+        var packBody = true;
+        sendMessage(Packer.packHeader(opts, conn.tunnelRead, 'pause', packBody));
+        conn.remotePaused = true;
+
+        conn.once('drain', function () {
+          var packBody = true;
+          sendMessage(Packer.packHeader(opts, conn.tunnelRead, 'resume', packBody));
+          conn.remotePaused = false;
+        });
+      }
+      return true;
+    }
+
+  , closeSingle: function (cid) {
+      if (!priv.localclients[cid]) {
+        return;
+      }
+
+      //console.log('[closeSingle]', cid);
+      PromiseA.resolve().then(function () {
+        var conn = priv.localclients[cid];
+        conn.tunnelClosing = true;
+        conn.end();
+
+        // If no data is buffered for writing then we don't need to wait for it to drain.
+        if (!conn.bufferSize) {
+          return timeoutPromise(500);
+        }
+        // Otherwise we want the connection to be able to finish, but we also want to impose
+        // a time limit for it to drain, since it shouldn't have more than 1MB buffered.
+        return new PromiseA(function (resolve) {
+          var timeoutId = setTimeout(resolve, 60*1000);
+          conn.once('drain', function () {
+            clearTimeout(timeoutId);
+            setTimeout(resolve, 500);
+          });
+        });
+      }).then(function () {
+        if (priv.localclients[cid]) {
+          console.warn('[closeSingle]', cid, 'connection still present after calling `end`');
+          priv.localclients[cid].destroy();
+          return timeoutPromise(500);
+        }
+      }).then(function () {
+        if (priv.localclients[cid]) {
+          console.error('[closeSingle]', cid, 'connection still present after calling `destroy`');
+          delete priv.localclients[cid];
+        }
+      }).catch(function (err) {
+        console.error('[closeSingle] failed to close connection', cid, err.toString());
+        delete priv.localclients[cid];
+      });
+    }
+  , closeAll: function () {
+      console.log('[closeAll]');
+      Object.keys(priv.localclients).forEach(function (cid) {
+        clientHandlers.closeSingle(cid);
+      });
+    }
+
+  , count: function () {
+      return Object.keys(priv.localclients).length;
+    }
+  };
+
+  var pendingCommands = {};
+  function sendMessage(msg) {
+    // There is a chance that this occurred after the websocket was told to close
+    // and before it finished, in which case we don't need to log the error.
+    if (wstunneler.readyState !== wstunneler.CLOSING) {
+        wstunneler.send(msg, {binary: true});
+        return wstunneler.bufferedAmount;
+    }
+  }
+  function sendCommand(name) {
+    var id = Math.ceil(1e9 * Math.random());
+    var cmd = [id, name].concat(Array.prototype.slice.call(arguments, 1));
+    if (state.debug) { console.log('[DEBUG] command sending', cmd); }
+
+    var packBody = true;
+    sendMessage(Packer.packHeader(null, cmd, 'control', packBody));
+    setTimeout(function () {
+      if (pendingCommands[id]) {
+        console.warn('command', name, id, 'timed out');
+        pendingCommands[id]({
+          message: 'response not received in time'
+        , code: 'E_TIMEOUT'
+        });
+      }
+    }, pongTimeout);
+
+    return new PromiseA(function (resolve, reject) {
+      pendingCommands[id] = function (err, result) {
+        delete pendingCommands[id];
+        if (err) {
+          reject(err);
+        } else {
+          resolve(result);
+        }
+      };
+    });
+  }
+
+  function noHandler(cmd) {
+    console.warn("[telebit] state.handlers['" + cmd[1] + "'] not set");
+    console.warn(cmd[2]);
+  }
+
+  var connCallback;
+
+  function hyperPeek(tun) {
+    var m;
+    var str;
+    if (tun.data) {
+      if ('http' === tun.service) {
+        str = tun.data.toString();
+        m = str.match(/(?:^|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);
+        tun._name = tun._hostname = (m && m[1].toLowerCase() || '').split(':')[0];
+      }
+      else if ('https' === tun.service || 'tls' === tun.service) {
+        tun._name = tun._servername = sni(tun.data);
+      } else {
+        tun._name = '';
+      }
+    }
+  }
+
+  var packerHandlers = {
+    oncontrol: function (opts) {
+      var cmd, err;
+      try {
+        cmd = JSON.parse(opts.data.toString());
+      } catch (err) {}
+      if (!Array.isArray(cmd) || typeof cmd[0] !== 'number') {
+        console.warn('received bad command "' + opts.data.toString() + '"');
+        return;
+      }
+
+      if (cmd[0] < 0) {
+        var cb = pendingCommands[-cmd[0]];
+        if (!cb) {
+          console.warn('received response for unknown request:', cmd);
+        } else {
+          cb.apply(null, cmd.slice(1));
+        }
+        return;
+      }
+
+      if (cmd[0] === 0) {
+        console.warn('received dis-associated error from server', cmd[1]);
+        if (connCallback) {
+          connCallback(cmd[1]);
+        }
+        return;
+      }
+
+      if (cmd[1] === 'hello') {
+        if (state.debug) { console.log('[DEBUG] hello received'); }
+        if (auth) {
+          authsent = true;
+          sendCommand('auth', auth).catch(function (err) { console.error('1', err); });
+        }
+        priv.tokens.forEach(function (jwtoken) {
+          if (state.debug) { console.log('[DEBUG] send token'); }
+          authsent = true;
+          sendCommand('add_token', jwtoken)
+            .catch(function (err) {
+              console.error('failed re-adding token', jwtoken, 'after reconnect', err);
+              // Not sure if we should do something like remove the token here. It worked
+              // once or it shouldn't have stayed in the list, so it's less certain why
+              // it would have failed here.
+            });
+        });
+        if (connCallback) {
+          connCallback();
+        }
+        // TODO: handle the versions and commands provided by 'hello' - isn't super important
+        // yet since there is only one version and set of commands.
+        err = null;
+      } else if (cmd[1] === 'grant') {
+        authenticated = true;
+        if (state.handlers[cmd[1]]) {
+          state.handlers[cmd[1]](cmd[2]);
+        } else {
+          noHandler(cmd);
+        }
+        return;
+      } else if (cmd[1] === 'access_token') {
+        authenticated = true;
+        if (state.handlers[cmd[1]]) {
+          state.handlers[cmd[1]](cmd[2]);
+        } else {
+          noHandler(cmd);
+        }
+        return;
+      } else {
+        err = { message: 'unknown command "'+cmd[1]+'"', code: 'E_UNKNOWN_COMMAND' };
+      }
+
+      var packBody = true;
+      sendMessage(Packer.packHeader(null, [-cmd[0], err], 'control', packBody));
+    }
+
+  , onconnection: function (tun) {
+      var cid = tun._id = Packer.addrToId(tun);
+
+      // this data should have been gathered already as part of the proxy protocol
+      // but if it's available again here we can double check
+      hyperPeek(tun);
+
+      // TODO use readable streams instead
+      wstunneler._socket.pause();
+      require(state.sortingHat).assign(state, tun, function (err, conn) {
+        if (err) {
+          err.message = err.message.replace(/:tun_id/, tun._id);
+          packerHandlers._onConnectError(cid, tun, err);
+          return;
+        }
+        clientHandlers.add(conn, cid, tun);
+        if (tun.data) { conn.write(tun.data); }
+        wstunneler._socket.resume();
+      });
+    }
+
+  , onmessage: function (tun) {
+      var cid = tun._id = Packer.addrToId(tun);
+      var handled;
+
+      hyperPeek(tun);
+
+      handled = clientHandlers.write(cid, tun);
+
+      // quasi backwards compat
+      if (!handled) { console.log("[debug] did not get 'connection' event"); packerHandlers.onconnection(tun); }
+    }
+
+  , onpause: function (opts) {
+      var cid = Packer.addrToId(opts);
+      if (priv.localclients[cid]) {
+        console.log("[TunnelPause] pausing '"+cid+"', remote received", opts.data.toString(), 'of', priv.localclients[cid].tunnelWritten, 'sent');
+        priv.localclients[cid].manualPause = true;
+        priv.localclients[cid].pause();
+      } else {
+        console.log('[TunnelPause] remote tried pausing finished connection', cid);
+        // Often we have enough latency that we've finished sending before we're told to pause, so
+        // don't worry about sending back errors, since we won't be sending data over anyway.
+        // var packBody = true;
+        // sendMessage(Packer.packHeader(opts, {message: 'no matching connection', code: 'E_NO_CONN'}, 'error', packBody));
+      }
+    }
+  , onresume: function (opts) {
+      var cid = Packer.addrToId(opts);
+      if (priv.localclients[cid]) {
+        console.log("[TunnelResume] resuming '"+cid+"', remote received", opts.data.toString(), 'of', priv.localclients[cid].tunnelWritten, 'sent');
+        priv.localclients[cid].manualPause = false;
+        priv.localclients[cid].resume();
+      } else {
+        console.log('[TunnelResume] remote tried resuming finished connection', cid);
+        // var packBody = true;
+        // sendMessage(Packer.packHeader(opts, {message: 'no matching connection', code: 'E_NO_CONN'}, 'error', packBody));
+      }
+    }
+
+  , onend: function (opts) {
+      var cid = Packer.addrToId(opts);
+      //console.log("[end] '" + cid + "'");
+      clientHandlers.closeSingle(cid);
+    }
+  , onerror: function (opts) {
+      var cid = Packer.addrToId(opts);
+      //console.log("[error] '" + cid + "'", opts.code || '', opts.message);
+      clientHandlers.closeSingle(cid);
+    }
+
+  , _onConnectError: function (cid, opts, err) {
+      console.info("[_onConnectError] opening '" + cid + "' failed because " + err.message);
+      sendMessage(Packer.packHeader(opts, null, 'error'));
+    }
+  };
+
+  priv.timeoutId = null;
+  priv.lastActivity = Date.now();
+  priv.refreshTimeout = function refreshTimeout() {
+    priv.lastActivity = Date.now();
+  };
+  priv.checkTimeout = function checkTimeout() {
+    if (!wstunneler) {
+      console.warn('checkTimeout called when websocket already closed');
+      return;
+    }
+    // Determine how long the connection has been "silent", ie no activity.
+    var silent = Date.now() - priv.lastActivity;
+
+    // If we have had activity within the last activityTimeout then all we need to do is
+    // call this function again at the soonest time when the connection could be timed out.
+    if (silent < activityTimeout) {
+      priv.timeoutId = setTimeout(priv.checkTimeout, activityTimeout-silent);
+    }
+
+    // Otherwise we check to see if the pong has also timed out, and if not we send a ping
+    // and call this function again when the pong will have timed out.
+    else if (silent < activityTimeout + pongTimeout) {
+      //console.log('DEBUG: pinging tunnel server');
+      try {
+        wstunneler.ping();
+      } catch (err) {
+        console.warn('failed to ping tunnel server', err);
+      }
+      priv.timeoutId = setTimeout(priv.checkTimeout, pongTimeout);
+    }
+
+    // Last case means the ping we sent before didn't get a response soon enough, so we
+    // need to close the websocket connection.
+    else {
+      console.info('[info] closing due to connection timeout');
+      wstunneler.close(1000, 'connection timeout');
+    }
+  };
+
+  me.destroy = function destroy() {
+    console.info('[info] destroy()');
+    try {
+      //wstunneler.close(1000, 're-connect');
+      wstunneler._socket.destroy();
+    } catch(e) {
+      // ignore
+    }
+  };
+  me.connect = function connect() {
+    if (!priv.tokens.length && state.config.email) {
+      auth = TelebitRemote._tokenFromState(state);
+    }
+    priv.timeoutId = null;
+    var machine = Packer.create(packerHandlers);
+
+    console.info("[telebit:lib/remote.js] [connect] '" + (state.wss || state.relay) + "'");
+    var tunnelUrl = (state.wss || state.relay).replace(/\/$/, '') + '/'; // + auth;
+    wstunneler = new WebSocket(tunnelUrl, { rejectUnauthorized: !state.insecure });
+    // XXXXXX
+    wstunneler.on('open', function () {
+      console.info("[telebit:lib/remote.js] [open] connected to '" + (state.wss || state.relay) + "'");
+      me.emit('connect');
+      priv.refreshTimeout();
+      priv.timeoutId = setTimeout(priv.checkTimeout, activityTimeout);
+      wstunneler._socket.on('drain', function () {
+        // the websocket library has it's own buffer apart from node's socket buffer, but that one
+        // is much more difficult to watch, so we watch for the lower level buffer to drain and
+        // then check to see if the upper level buffer is still too full to write to. Note that
+        // the websocket library buffer has something to do with compression, so I'm not requiring
+        // that to be 0 before we start up again.
+        if (wstunneler.bufferedAmount > 128*1024) {
+          return;
+        }
+
+        pausedClients.forEach(function (conn) {
+          if (!conn.manualPause) {
+            // console.log('resuming connection', conn.tunnelCid, 'now the websocket has caught up');
+            conn.resume();
+          }
+        });
+        pausedClients.length = 0;
+      });
+      initialConnect = false;
+    });
+    wstunneler.on('close', function () {
+      console.info("[info] [closing] received close signal from relay");
+      clearTimeout(priv.timeoutId);
+      clientHandlers.closeAll();
+
+      var error = new Error('websocket connection closed before response');
+      error.code = 'E_CONN_CLOSED';
+      Object.keys(pendingCommands).forEach(function (id) {
+        pendingCommands[id](error);
+      });
+      if (connCallback) {
+        connCallback(error);
+      }
+
+      me.emit('close');
+    });
+    wstunneler.on('error', function (err) {
+      me.emit('error', err);
+    });
+
+    // Our library will automatically handle sending the pong respose to ping requests.
+    wstunneler.on('ping', priv.refreshTimeout);
+    wstunneler.on('pong', function () {
+      //console.log('DEBUG received pong');
+      priv.refreshTimeout();
+    });
+    wstunneler.on('message', function (data, flags) {
+      priv.refreshTimeout();
+      if (data.error || '{' === data[0]) {
+        console.log(data);
+        return;
+      }
+      machine.fns.addChunk(data, flags);
+    });
+  };
+  me.end = function() {
+    priv.tokens.length = 0;
+    if (priv.timeoutId) {
+      clearTimeout(priv.timeoutId);
+      priv.timeoutId = null;
+    }
+    console.info('[info] closing due to tr.end()');
+    wstunneler.close(1000, 're-connect');
+    wstunneler.on('close', function () {
+      me.emit('end');
+    });
+  };
+}
+
+TelebitRemote.prototype = EventEmitter.prototype;
+TelebitRemote._tokenFromState = function (state) {
+  return {
+    subject: state.config.email
+  , subject_scheme: 'mailto'
+    // TODO create domains list earlier
+  , scope: Object.keys(state.config.servernames || {}).join(',')
+  , otp: state.otp
+  , hostname: os.hostname()
+    // Used for User-Agent
+  , os_type: os.type()
+  , os_platform: os.platform()
+  , os_release: os.release()
+  , os_arch: os.arch()
+  };
+};
+
+TelebitRemote.create = function (opts) {
+  return new TelebitRemote(opts);
+};
+TelebitRemote.createConnection = function (opts, cb) {
+  var tunnel = TelebitRemote.create(opts);
+  tunnel.connect(opts);
+  tunnel.once('connect', cb);
+  return tunnel;
+};
+TelebitRemote.connect = TelebitRemote.createConnection;
+
+module.exports.TelebitRemote = TelebitRemote;
+
+}());

lib/sorting-hat.js

@@ -0,0 +1,576 @@
+'use strict';
+
+var os = require('os');
+var path = require('path');
+var fs = require('fs');
+
+module.exports.print = function (config) {
+  var services = { https: {}, http: {}, tcp: {} };
+  // Note: the remote needs to know:
+  //   what servernames to forward
+  //   what ports to forward
+  //   what udp ports to forward
+  //   redirect http to https automatically
+  //   redirect www to nowww automatically
+  if (config.http) {
+    Object.keys(config.http).forEach(function (hostname) {
+      if ('*' === hostname) {
+        config.servernames.forEach(function (servername) {
+          services.https[servername] = config.http[hostname];
+          services.http[servername] = 'redirect-https';
+        });
+        return;
+      }
+      services.https[hostname] = config.http[hostname];
+      services.http[hostname] = 'redirect-https';
+    });
+  }
+  /*
+  Object.keys(config.localPorts).forEach(function (port) {
+    var proto = config.localPorts[port];
+    if (!proto) { return; }
+    if ('http' === proto) {
+      config.servernames.forEach(function (servername) {
+        services.http[servername] = port;
+      });
+      return;
+    }
+    if ('https' === proto) {
+      config.servernames.forEach(function (servername) {
+        services.https[servername] = port;
+      });
+      return;
+    }
+    if (true === proto) { proto = 'tcp'; }
+    if ('tcp' !== proto) { throw new Error("unsupported protocol '" + proto + "'"); }
+  //services[proxy.protocol]['*'] = proxy.port;
+  //services[proxy.protocol][proxy.hostname] = proxy.port;
+    services[proto]['*'] = port;
+  });
+  */
+
+  Object.keys(services).forEach(function (protocol) {
+    var subServices = services[protocol];
+    Object.keys(subServices).forEach(function (hostname) {
+      console.info('[local proxy]', protocol + '://' + hostname + ' => ' + subServices[hostname]);
+    });
+  });
+  console.info('');
+};
+
+module.exports.assign = function (state, tun, cb) {
+  //console.log('first message from', tun);
+  var net = state.net || require('net');
+
+  function trySsh(tun, cb) {
+    // https://security.stackexchange.com/questions/43231/plausibly-deniable-ssh-does-it-make-sense?rq=1
+    // https://tools.ietf.org/html/rfc4253#section-4.2
+    var sshPort;
+    if (-1 !== ['true', 'enable', 'auto', 'on'].indexOf(state.config.sshAuto)) {
+      sshPort = 22;
+    } else {
+      sshPort = parseInt(state.config.sshAuto, 10);
+    }
+    if (!sshPort || 'SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
+      cb(null, false);
+      return;
+    }
+    getNetConn(sshPort, cb);
+  }
+
+  var handlers = {};
+  handlers.http = function (socket) {
+    if (!state.greenlock) {
+      state.greenlock = require('greenlock').create(state.greenlockConfig);
+    }
+    if (!state.httpRedirectServer) {
+      state.redirectHttps = require('redirect-https')();
+      state.httpRedirectServer = require('http').createServer(state.greenlock.middleware(state.redirectHttps));
+    }
+    state.httpRedirectServer.emit('connection', socket);
+    process.nextTick(function () { socket.resume(); });
+  };
+  handlers.https = function (tlsSocket) {
+    console.log('Encrypted', tlsSocket.encrypted, tlsSocket.remoteAddress, tlsSocket.remotePort);
+    if (!state.defaultHttpServer) {
+      state._finalHandler = require('finalhandler');
+      state._serveStatic = require('serve-static');
+      state._defaultServe = state._serveStatic(path.join(__dirname, 'html'));
+      state.defaultHttpServer = require('http').createServer(function (req, res) {
+        // TODO serve api
+        state._defaultServe(req, res, state._finalHandler(req, res));
+      });
+    }
+    state.defaultHttpServer.emit('connection', tlsSocket);
+    process.nextTick(function () { tlsSocket.resume(); });
+  };
+
+  function getNetConn(port, cb) {
+    var netOpts = {
+      port: port
+    , host: '127.0.0.1'
+
+    , servername: tun.name
+    , name: tun.name
+    , serviceport: tun.serviceport
+    , data: tun.data
+    , remoteFamily: tun.family
+    , remoteAddress: tun.address
+    , remotePort: tun.port
+    };
+    var conn = net.createConnection(netOpts, function () {
+      // this will happen before 'data' or 'readable' is triggered
+      // We use the data from the netOpts object so that the createConnection function has
+      // the oppurtunity of removing/changing it if it wants/needs to handle it differently.
+      cb(null, conn);
+      cb = function () {}; // for error events
+    });
+    conn.on('error', function (err) {
+      cb(err);
+    });
+  }
+
+  function redirectHttp(cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+      handlers.http(other);
+      cb(null, conn);
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
+
+  function errorTcp(conf, cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+
+      cb(null, conn);
+
+      other.write("\n" +
+      [ "[Telebit Error Server]"
+      , "Could not load '" + conf.handler + "' as a module, file, or directory."
+      ].join("\n") + "\n\n");
+      other.end();
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
+  function fileDirTcp(opts, cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+
+      if (opts.stat.isFile()) {
+        fs.createReadStream(opts.config.handler).pipe(other);
+      } else {
+        fs.readdir(opts.config.handler, function (err, nodes) {
+          other.write('\n' + nodes.join('\n') + '\n\n');
+          other.end();
+        });
+      }
+      cb(null, conn);
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
+  function echoTcp(cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+
+      other.on('data', function (chunk) {
+        other.write(chunk);
+      });
+
+      other.on('end', function () {
+        other.end();
+      });
+
+      cb(null, conn);
+
+      other.write("\n" +
+      [ "[Telebit Echo Server] v1.0"
+      , "To configure tcp run the following:"
+      , "\ttelebit tcp <port number or module name>"
+      , "\tex: telebit tcp 5050"
+      , "\tex: telebit tcp /path/to/module"
+      , "\tex: telebit tcp none"
+      ].join("\n") + "\n\n");
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
+
+  function defineProps(other, tun) {
+    Object.defineProperty(other, 'remoteFamily', {
+      enumerable: false,
+      configurable: true,
+      get: function() {
+        return tun.family;
+      }
+    });
+    Object.defineProperty(other, 'remoteAddress', {
+      enumerable: false,
+      configurable: true,
+      get: function() {
+        return tun.address;
+      }
+    });
+    Object.defineProperty(other, 'remotePort', {
+      enumerable: false,
+      configurable: true,
+      get: function() {
+        return parseInt(tun.port);
+      }
+    });
+    Object.defineProperty(other, 'localPort', {
+      enumerable: false,
+      configurable: true,
+      get: function() {
+        return parseInt(tun.serviceport);
+      }
+    });
+  }
+
+  function invokeTcpHandler(conf, socket, tun, id, cb) {
+    var conn;
+    if (parseInt(conf.handler, 10)) {
+      getNetConn(conf.handler, cb);
+      return conn;
+    }
+
+    var handle = tun.port;
+    var handler;
+    var handlerpath = conf.handler;
+    var homedir = os.homedir();
+    var localshare = path.join(homedir, '.local/share/telebit/apps');
+
+    if (/^~/.test(handlerpath)) {
+      handlerpath = path.join(homedir, handlerpath.replace(/^~(\/?)/, ''));
+    }
+
+    try {
+      handler = require(handlerpath);
+      console.info("Handling '" + handle + ":" + id + "' with '" + handlerpath + "'");
+    } catch(e1) {
+      try {
+        handler = require(path.join(localshare, handlerpath));
+        console.info("Handling '" + handle + ":" + id + "' with '" + handlerpath + "'");
+      } catch(e2) {
+        console.error("Failed to require('" + handlerpath + "'):", e1.message);
+        console.error("Failed to require('" + path.join(localshare, handlerpath) + "'):", e2.message);
+        console.warn("Trying static and index handlers for '" + handle + ":" + id + "'");
+        handler = null;
+        // fallthru
+      }
+    }
+
+    if (handler) {
+      var socketPair = require('socket-pair');
+      conn = socketPair.create(function (err, other) {
+        handler(other, tun, id);
+        cb(null, conn);
+      });
+      return conn;
+    }
+
+    fs.access(conf.handler, fs.constants.R_OK, function (err1) {
+      fs.stat(conf.handler, function (err2, stat) {
+        if ((err1 || err2) || !(stat.isFile() || stat.isDirectory())) {
+          errorTcp(conf, cb);
+          return;
+        }
+        fileDirTcp({ config: conf, stat: stat }, cb);
+      });
+    });
+  }
+  var handlerservers = {};
+  function invokeHandler(conf, tlsSocket, tun, id) {
+    if (parseInt(conf.handler, 10)) {
+      // TODO http-proxy with proper headers and ws support
+      getNetConn(conf.handler, function (err, conn) {
+        process.nextTick(function () { tlsSocket.resume(); });
+        if (err) {
+          require('./handlers/local-app-error.js')({ handler: conf.handler, socket: tlsSocket });
+          return;
+        }
+        console.info("Port-Forwarding '" + (tun.name || tun.serviceport) + "' to '" + conf.handler + "'");
+        conn.pipe(tlsSocket);
+        tlsSocket.pipe(conn);
+      });
+      return;
+    }
+    var handle = tun.name || tun.port;
+    var handler;
+    var handlerpath = conf.handler;
+    var homedir = os.homedir();
+    var localshare = path.join(homedir, '.local/share/telebit/apps');
+    var http = require('http');
+
+    // 1. No modification handlerpath may be an aboslute path
+    // 2. it may be relative to a user home directory
+    // 3. it may be relative to a user ~/local/share
+
+    tlsSocket._tun = tun;
+    tlsSocket._id = id;
+    if (handlerservers[conf.handler]) {
+      handlerservers[conf.handler].emit('connection', tlsSocket);
+      process.nextTick(function () { tlsSocket.resume(); });
+      return;
+    }
+
+    if (/^~/.test(handlerpath)) {
+      // TODO have the telebit remote tell which user is running
+      handlerpath = path.join(homedir, handlerpath.replace(/^~(\/?)/, ''));
+    }
+
+    try {
+      handler = require(handlerpath);
+      console.info("Trying to handle '" + handle + ":" + id + "' with '" + handlerpath + "'");
+    } catch(e1) {
+      try {
+        handler = require(path.join(localshare, handlerpath));
+        console.info("Skip. (couldn't require('" + handlerpath + "'):", e1.message + ")");
+        console.info("Trying to handle '" + handle + ":" + id + "' with '" + handlerpath + "'");
+      } catch(e2) {
+        console.info("Skip. (couldn't require('" + path.join(localshare, handlerpath) + "'):", e2.message + ")");
+        console.info("Last chance! (using static and index handlers for '" + handle + ":" + id + "')");
+        handler = null;
+        // fallthru
+      }
+    }
+
+    if (handler) {
+      handlerservers[conf.handler] = http.createServer(handler);
+      handlerservers[conf.handler].emit('connection', tlsSocket);
+      process.nextTick(function () { tlsSocket.resume(); });
+      return;
+    }
+
+    fs.access(conf.handler, fs.constants.R_OK, function (err1) {
+      fs.stat(conf.handler, function (err2, stat) {
+        if (err1 || err2) {
+          // TODO handle errors
+          handlers.https(tlsSocket, tun, id);
+          return;
+        }
+        var isFile = stat.isFile();
+        state._finalHandler = require('finalhandler');
+        state._serveStatic = require('serve-static');
+        state._serveIndex = require('serve-index');
+        var serveIndex;
+        var serveStatic;
+        var dlStatic;
+        if (isFile) {
+          serveStatic = state._serveStatic(path.dirname(conf.handler), { dotfiles: 'allow', index: [ 'index.html' ] });
+          dlStatic = state._serveStatic(path.dirname(conf.handler), { acceptRanges: false, dotfiles: 'allow', index: [ 'index.html' ] });
+          serveIndex = function (req, res, next) { next(); };
+          isFile = path.basename(conf.handler);
+        } else {
+          serveStatic = state._serveStatic(conf.handler, { dotfiles: 'allow', index: [ 'index.html' ] });
+          dlStatic = state._serveStatic(conf.handler, { acceptRanges: false, dotfiles: 'allow', index: [ 'index.html' ] });
+          serveIndex = state._serveIndex(conf.handler, {
+            hidden: true, icons: true
+          , template: require('serve-tpl-attachment')({ privatefiles: 'ignore' })
+          });
+        }
+        handler = function (req, res) {
+          var qIndex = req.url.indexOf('?');
+          var fIndex;
+          var fname;
+          if (-1 === qIndex) {
+            qIndex = req.url.length;
+          }
+          req.querystring = req.url.substr(qIndex);
+          req.url = req.url.substr(0, qIndex);
+          req.query = require('querystring').parse(req.querystring.substr(1));
+          if (isFile) {
+            req.url = '/' + isFile;
+          }
+          //console.log('[req.query]', req.url, req.query);
+          if (req.query.download) {
+            fIndex = req.url.lastIndexOf('/');
+            fname = req.url.substr(fIndex + 1);
+            res.setHeader('Content-Disposition', 'attachment; filename="'+decodeURIComponent(fname)+'"');
+            res.setHeader('Content-Type', 'application/octet-stream');
+            dlStatic(req, res, function () {
+              serveIndex(req, res, state._finalHandler(req, res));
+            });
+          } else {
+            serveStatic(req, res, function () {
+              serveIndex(req, res, state._finalHandler(req, res));
+            });
+          }
+        };
+        handlerservers[conf.handler] = http.createServer(handler);
+        handlerservers[conf.handler].emit('connection', tlsSocket);
+        process.nextTick(function () { tlsSocket.resume(); });
+      });
+    });
+  }
+
+  function terminateTls(tun, cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+
+      //console.log('[hit tcp connection]', other.remoteFamily, other.remoteAddress, other.remotePort, other.localPort);
+      defineProps(other, tun);
+      //console.log('[hit tcp connection]', other.remoteFamily, other.remoteAddress, other.remotePort, other.localPort);
+
+      if (!state.greenlock) {
+        state.greenlock = require('greenlock').create(state.greenlockConfig);
+      }
+
+      if (!state.terminatorServer) {
+        state.terminatorServer = require('tls').createServer(state.greenlock.tlsOptions, function (tlsSocket) {
+          var Packer = require('proxy-packer');
+          var addr = Packer.socketToAddr(tlsSocket);
+          var id = Packer.addrToId(addr);
+
+          defineProps(tlsSocket, addr);
+          //console.log('[hit tls server]', tlsSocket.remoteFamily, tlsSocket.remoteAddress, tlsSocket.remotePort, tlsSocket.localPort);
+          //console.log(addr);
+          var conf = state.servernames[tlsSocket.servername];
+          tlsSocket.once('data', function (firstChunk) {
+            tlsSocket.pause();
+            //tlsSocket.unshift(firstChunk);
+            tlsSocket._handle.onread(firstChunk.length, firstChunk);
+
+            trySsh({ data: firstChunk }, function (err, conn) {
+              if (conn) {
+                conn.pipe(tlsSocket);
+                tlsSocket.pipe(conn);
+                return;
+              }
+
+              if (!conf || !conf.handler || 'none' === conf.handler) {
+                console.log('https default handler');
+                handlers.https(tlsSocket);
+                return;
+              }
+
+              //console.log('https invokeHandler');
+              invokeHandler(conf, tlsSocket, tun, id);
+            });
+          });
+        });
+      }
+
+      //console.log('[hit tcp connection]', other.remoteFamily, other.remoteAddress, other.remotePort, other.localPort);
+      state.terminatorServer.emit('connection', other);
+      cb(null, conn);
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
+
+  var handled;
+
+  if (!tun.name && !tun.serviceport) {
+    console.log('tun:\n',tun);
+    //console.warn(tun.data.toString());
+    cb(new Error("No routing information for ':tun_id'. Missing both 'name' and 'serviceport'."));
+    return;
+  }
+
+  if ('http' === tun.service || 'https' === tun.service) {
+    if (!tun.name) {
+      cb(new Error("No routing information for ':tun_id'. Service '" + tun.service + "' is missing 'name'."));
+      return;
+    }
+  }
+
+  if ('http' === tun.service) {
+    // TODO match *.example.com
+    handled = Object.keys(state.servernames).some(function (sn) {
+      if (sn !== tun.name) { return; }
+
+      console.log('Found config match for PLAIN', tun.name);
+      if (!state.servernames[sn]) { return; }
+
+      if (false === state.servernames[sn].terminate) {
+        cb(new Error("insecure http not supported yet"));
+        return true;
+      }
+
+      console.log('Redirecting HTPTP for', tun.name);
+      redirectHttp(cb);
+      return true;
+    });
+    if (!handled) {
+      redirectHttp(cb);
+    }
+    return;
+  }
+
+  if ('https' === tun.service) {
+    // TODO match *.example.com
+    handled = Object.keys(state.servernames).some(function (sn) {
+      if (sn !== tun.name) { return; }
+
+      console.log('Found config match for TLS', tun.name);
+      if (!state.servernames[sn]) { return; }
+
+      if (false === state.servernames[sn].terminate) {
+        cb(new Error("insecure http not supported yet"));
+        return true;
+      }
+
+      console.log('Terminating TLS for', tun.name);
+      terminateTls(tun, cb);
+      return true;
+    });
+    if (!handled) {
+      terminateTls(tun, cb);
+    }
+    return;
+  }
+
+  if ('tcp' === tun.service) {
+    trySsh(tun, function (err, conn) {
+      if (conn) { cb(null, conn); return; }
+      // TODO add TCP handlers
+      var conf = state.ports[tun.serviceport];
+      if (!conf || !conf.handler || 'none' === conf.handler) {
+        console.log('Using echo server for tcp');
+        echoTcp(cb);
+        return;
+      }
+
+      var Packer = require('proxy-packer');
+      //var addr = Packer.socketToAddr(conn);
+      var id = Packer.addrToId(tun);
+      invokeTcpHandler(conf, conn, tun, id, cb);
+    });
+    return;
+  }
+
+  console.warn("Unknown service '" + tun.service + "'");
+
+  /*
+  var portList = state.services[service];
+  var port;
+  port = portList[tun.name];
+  if (!port) {
+    // Check for any wildcard domains, sorted longest to shortest so the one with the
+    // biggest natural match will be found first.
+    Object.keys(portList).filter(function (pattern) {
+      return pattern[0] === '*' && pattern.length > 1;
+    }).sort(function (a, b) {
+      return b.length - a.length;
+    }).some(function (pattern) {
+      var subPiece = pattern.slice(1);
+      if (subPiece === tun.name.slice(-subPiece.length)) {
+        port = portList[pattern];
+        return true;
+      }
+    });
+  }
+  if (!port) {
+    port = portList['*'];
+  }
+  */
+};

lib/updater.js

@@ -0,0 +1,141 @@
+'use strict';
+
+module.exports = function (pkg) {
+  function checkUpgrade() {
+    var https = require('https');
+
+    function getFile(url, cb) {
+      https.get(url, function (resp) {
+        var str = '';
+        resp.on('data', function (chunk) {
+          //var chunk = conn.read();
+          str += chunk.toString('utf8');
+        });
+        resp.on('end', function () {
+          cb(null, str);
+        });
+        resp.on('error', function (err) {
+          // ignore
+          cb(err);
+        });
+      }).on('error', function (err) {
+        // ignore
+        cb(err);
+      });
+    }
+
+    function isNewer(latest, myPkg) {
+      //console.log('sort result:', sortLatest(latest, myPkg));
+      return sortLatest(latest, myPkg) < 0;
+    }
+    function sortLatest(latest, myPkg) {
+      var m = /^(v)?(\d+)\.(\d+)\.(\d+)(.*)/.exec(latest);
+      var n = /^(v)?(\d+)\.(\d+)\.(\d+)(.*)/.exec(myPkg);
+      //console.log('m', m);
+      //console.log('n', n);
+      if (!m) {
+        if (!n) {
+          return 0;
+        }
+        return 1;
+      } else if (!n) {
+        return -1;
+      }
+
+      if (parseInt(m[2], 10) > parseInt(n[2], 10)) {
+        return -1;
+      } else if (parseInt(m[2], 10) === parseInt(n[2], 10)) {
+        if (parseInt(m[3], 10) > parseInt(n[3], 10)) {
+          return -1;
+        } else if (parseInt(m[3], 10) === parseInt(n[3], 10)) {
+          if (parseInt(m[4], 10) > parseInt(n[4], 10)) {
+            return -1;
+          } else if (parseInt(m[4], 10) === parseInt(n[4], 10)) {
+            // lex sorting
+            if (m[5] > n[5]) {
+              return -1;
+            } else if (m[5] === n[5]) {
+              return 0;
+            } else {
+              return 1;
+            }
+          } else {
+            return 1;
+          }
+        } else {
+          return 1;
+        }
+      } else {
+        return 1;
+      }
+    }
+
+    getFile("https://telebit.cloud/dist/index.tab", function (err, tab) {
+      if (err) { /*ignore*/ return; }
+      if (tab) { tab = tab && tab.toString() || ''; }
+      var versions = [];
+      var lines = tab.split(/[\r\n]/g);
+      var headers = lines.shift().split(/\t/g);
+      var chan = 'prod';
+      var next;
+      lines.forEach(function (line) {
+        var tsv = {};
+        var fields = line.split(/\t/g);
+        fields.forEach(function (value, i) {
+          tsv[headers[i]] = value;
+        });
+        versions.push(tsv);
+      });
+      // find matching version
+      versions.some(function (v) {
+        if (('v' + pkg.version) === v.version) {
+          chan = v.channel;
+          return true;
+        }
+      });
+      // find first (most recent) version in channel
+      versions.some(function (v) {
+        if (chan === v.channel) {
+          next = v;
+          return true;
+        }
+      });
+      if (!next || !isNewer(next.version, pkg.version)) {
+        //console.log('DEBUG can\'t upgrade from', pkg.version, 'in channel', chan);
+        return;
+      }
+      console.log('Upgrade Available: ' + next.version + ' in \'' + next.channel + '\'channel');
+      getFile("https://telebit.cloud/dist/upgrade.js", function (err, script) {
+        if (err) { /*ignore*/ return; }
+        var os = require('os');
+        var fs = require('fs');
+        var path = require('path');
+        var scriptname = 'telebit-upgrade-' + Math.round(Math.random() * 99999) + '.js';
+        var pathname = path.join(os.tmpdir(), scriptname);
+        fs.writeFile(pathname, script, function (err) {
+          if (err) { /*ignore*/ return; }
+          // console.log('DEBUG wrote', pathname);
+          //var str =
+          require(pathname)({
+            package: pkg
+          , root: path.resolve(__dirname, '..')
+          , latest: next
+          , channel: chan
+          }, function () {
+            // console.log('upgrade complete');
+          });
+          //console.log(str);
+        });
+      });
+    });
+  }
+
+  var _interval = setInterval(checkUpgrade, 2 * 60 * 60 * 1000);
+  process.nextTick(function () {
+    checkUpgrade();
+  });
+
+  return function cancel() {
+    clearInterval(_interval);
+  };
+};

package.json

@@ -1,19 +1,23 @@
 {
-  "name": "stunnel",
-  "version": "0.9.2",
-  "description": "A pure-JavaScript tunnel client for http and https similar to localtunnel.me, but uses TLS (SSL) with ServerName Indication (SNI) over https to work even in harsh network conditions such as in student dorms and behind HOAs, corporate firewalls, public libraries, airports, airplanes, etc. Can also tunnel tls and plain tcp.",
-  "main": "wsclient.js",
+  "name": "telebit",
+  "version": "0.20.8",
+  "description": "Break out of localhost. Connect to any device from anywhere over any tcp port or securely in a browser. A secure tunnel. A poor man's reverse VPN.",
+  "main": "lib/remote.js",
+  "files": [
+    "bin",
+    "lib",
+    "usr"
+  ],
   "bin": {
-    "jstunnel": "bin/stunnel.js",
-    "stunnel.js": "bin/stunnel.js",
-    "stunnel-js": "bin/stunnel.js"
+    "telebit": "bin/telebit.js",
+    "telebitd": "bin/telebitd.js"
   },
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "repository": {
     "type": "git",
-    "url": "git+ssh://git@git.daplie.com/Daplie/node-tunnel-client.git"
+    "url": "https://git.coolaj86.com/coolaj86/telebit.js.git"
   },
   "keywords": [
     "cli",
@@ -32,6 +36,9 @@
     "tunnel",
     "localtunnel",
     "localtunnel.me",
+    "underpass",
+    "ngrok",
+    "ngrok.io",
     "proxy",
     "reverse",
     "reverse-proxy",
@@ -42,15 +49,34 @@
   "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
   "license": "(MIT OR Apache-2.0)",
   "bugs": {
-    "url": "https://git.daplie.com/Daplie/node-tunnel-client/issues"
+    "url": "https://git.coolaj86.com/coolaj86/telebit.js/issues"
   },
-  "homepage": "https://git.daplie.com/Daplie/node-tunnel-client#readme",
+  "homepage": "https://git.coolaj86.com/coolaj86/telebit.js#readme",
   "dependencies": {
-    "commander": "^2.9.0",
-    "oauth3.js": "git+https://git.daplie.com/OAuth3/oauth3.js.git#v1",
+    "@coolaj86/urequest": "^1.3.5",
+    "finalhandler": "^1.1.1",
+    "greenlock": "^2.3.1",
+    "js-yaml": "^3.11.0",
     "jsonwebtoken": "^7.1.9",
+    "mkdirp": "^0.5.1",
+    "proxy-packer": "^2.0.2",
+    "ps-list": "^5.0.0",
+    "recase": "^1.0.4",
+    "redirect-https": "^1.1.5",
+    "sclient": "^1.4.1",
+    "serve-index": "^1.9.1",
+    "serve-static": "^1.13.2",
+    "serve-tpl-attachment": "^1.0.4",
     "sni": "^1.0.0",
-    "tunnel-packer": "^1.1.0",
-    "ws": "^1.1.1"
+    "socket-pair": "^1.0.3",
+    "toml": "^0.4.1",
+    "ws": "^6.0.0"
+  },
+  "trulyOptionalDependencies": {
+    "bluebird": "^3.5.1"
+  },
+  "enginesStrict": true,
+  "engines": {
+    "node": "10.2.1 10.4 10.6"
   }
 }

snippets/ws.js

@@ -1,19 +0,0 @@
-(function () {
-'use strict';
-
-var WebSocket = require('ws');
-var jwt = require('jsonwebtoken');
-var hostname = 'example.daplie.me';
-var token = jwt.sign({ name: hostname }, 'shhhhh');
-var url = 'wss://stunnel.hellabit.com:3000/?access_token=' + token;
-var wstunneler = new WebSocket(url, { rejectUnauthorized: false });
-
-wstunneler.on('open', function () {
-  console.log('open');
-});
-
-wstunneler.on('error', function (err) {
-  console.error(err.toString());
-});
-
-}());

tests/README.md

@@ -0,0 +1,21 @@
+There are a number of conditions and whatnot that must be tested in more-or-less real-world conditions.
+
+telebit init                    // fresh install
+telebit init                    // after install complete
+
+telebit http 3000               // have an app listening on localhost:3000
+telebit http 4545               // do not have an app listening
+
+telebit http ./path/to/site
+telebit http ./path/to/dir
+telebit http ./path/to/file
+telebit http ./doesnt/exist
+
+telebit ssh auto                // do have ssh listening on localhost:22
+telebit ssh 4545                // do have ssh listenening
+
+telebit tcp 3000                // have an echo server listening on localhost:3000
+telebit tcp 4545                // no server listening
+
+telebit tcp ./path/to/file
+telebit tcp ./path/to/dir

tests/echo.js

@@ -0,0 +1,27 @@
+'use strict';
+
+var net = require('net');
+var server = net.createServer(function (conn) {
+  function echo(chunk) {
+    conn.write(chunk);
+    if (chunk.length <= 10 && /\b(q|quit|end|cancel)\b/i.test(chunk.toString('utf8'))) {
+      conn.end();
+      conn.removeListener('data', echo);
+    }
+  }
+  conn.on('data', echo);
+  // NOTE: early versions of telebit do not support a 'connection' event
+  // and therefore will say hello after the first message from the client
+  conn.write(
+    "[Echo Server] Hello! I'm an echo server.\n"
+  + "[Echo Server] I try to be your friend but when I see things like q|quit|end|cancel, I give up.\n"
+  );
+});
+server.on('error', function (err) {
+  console.error("[echo server]");
+  console.error(err);
+});
+server.listen(process.argv[2] || 3000, function () {
+  console.info("Listening on", this.address());
+  console.info('ctrl+c to cancel');
+});

tests/pair-request.js

@@ -0,0 +1,37 @@
+'use strict';
+
+var email = 'jon@example.com';
+var pin = Math.round(Math.random() * 999999).toString().padStart(6, '0'); // '321654'
+
+console.log('Pair Code:', pin);
+
+var urequest = require('@coolaj86/urequest');
+var req =  {
+  url: 'https://api.telebit.ppl.family/api/telebit.cloud/pair_request'
+, method: 'POST'
+, headers: { 'cOntEnt-tYpE': 'application/json;charset=utf-8' }
+, json: {
+    subject: email
+  , subject_scheme: 'mailto'
+  , scope: ''
+  , otp: pin
+  , hostname: "User's Macbook Pro"
+  , os_type: 'Linux'
+  , os_platform: 'linux'
+  , os_release: '4.4.0-116-generic'
+  , os_arch: 'x64'
+  }
+};
+urequest(req, function (err, resp, body) {
+  if (err) {
+    console.error(err);
+    return;
+  }
+  console.log('Location:', resp.headers.location);
+  console.log('Body:');
+  console.log(body);
+  /*
+  { jwt: '...'
+  }
+   */
+});

tests/pair-state.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var stateUrl = 'https://api.telebit.ppl.family/api/telebit.cloud/pair_state/bca27428719e9c67805359f1';
+
+var urequest = require('@coolaj86/urequest');
+var req =  {
+  url: stateUrl
+, method: 'GET'
+, json: true
+};
+urequest(req, function (err, resp, body) {
+  if (err) {
+    console.error(err);
+    return;
+  }
+  console.log('Done:');
+  console.log(body);
+  /*
+   body.status = 'ready' | 'pending' | 'complete' | 'invalid'
+   body.access_token // only in 'ready' state
+   */
+});

tests/windows-pipe.js

@@ -0,0 +1,20 @@
+'use strict';
+
+var os = require('os');
+var net = require('net');
+var ipc = {
+  path: /^win/.test(os.platform()) ? '\\\\.\\pipe\\X:/name/of/pipe' : (__dirname + '/tmp.sock')
+};
+var oldUmask = process.umask(0x0000);
+var server = net.createServer();
+
+server.listen({
+  path: ipc.path || null
+, host: 'localhost'
+, port: ipc.port || null
+, writeableAll: true
+, readableAll: true
+}, function () {
+  process.umask(oldUmask);
+  console.log("Listening on", this.address());
+});

tests/windows-spawn-pipe.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var path = require('path');
+var spawn = require('child_process').spawn;
+var args = [
+  path.join(__dirname, 'windows-pipe.js')
+];
+var subprocess = spawn(
+  'node'
+, args
+, { detached: true
+  , stdio: [ 'ignore', process.stdout, process.stderr ]
+  }
+);
+//console.log('[debug]', vars.telebitNode, args.join(' '));
+subprocess.unref();
+subprocess.on('error', function (_err) {
+  console.error(_err);
+});
+subprocess.on('exit', function (code, signal) {
+  console.error('' + code + ' ' + signal + ' failure to launch');
+});

usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist.tpl

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>Telebit Remote</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>{TELEBIT_NODE}</string>
+		<string>{TELEBITD_JS}</string>
+		<string>daemon</string>
+		<string>--config</string>
+		<string>{TELEBITD_CONFIG}</string>
+	</array>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>TELEBIT_PATH</key>
+		<string>{TELEBIT_PATH}</string>
+		<key>NODE_PATH</key>
+		<string>{NODE_PATH}</string>
+		<key>NPM_CONFIG_PREFIX</key>
+		<string>{NPM_CONFIG_PREFIX}</string>
+	</dict>
+
+	<key>UserName</key>
+	<string>{TELEBIT_USER}</string>
+	<key>GroupName</key>
+	<string>{TELEBIT_GROUP}</string>
+	<key>InitGroups</key>
+	<true/>
+
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<!--dict>
+		<key>Crashed</key>
+		<true/>
+		<key>NetworkState</key>
+		<true/>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict-->
+
+	<key>SoftResourceLimits</key>
+	<dict>
+		<key>NumberOfFiles</key>
+		<integer>8192</integer>
+	</dict>
+	<key>HardResourceLimits</key>
+	<dict/>
+
+	<key>WorkingDirectory</key>
+	<string>{TELEBIT_PATH}</string>
+
+	<key>StandardErrorPath</key>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
+	<key>StandardOutPath</key>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
+</dict>
+</plist>

usr/share/dist/bin/telebit.tpl

@@ -0,0 +1,2 @@
+#!/bin/bash
+{TELEBIT_NODE} {TELEBIT_JS} "$@"

usr/share/dist/bin/telebitd.tpl

@@ -0,0 +1,2 @@
+#!/bin/bash
+{TELEBIT_NODE} {TELEBITD_JS} daemon "$@"

usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl

@@ -0,0 +1,64 @@
+# Pre-req
+# sudo adduser telebit --home {TELEBIT_PATH}
+# sudo mkdir -p {TELEBIT_PATH}/
+# sudo chown -R {TELEBIT_USER}:{TELEBIT_GROUP} {TELEBIT_PATH}/
+
+[Unit]
+Description=Telebit Remote
+Documentation=https://git.coolaj86.com/coolaj86/telebit.js/
+; After=network-online.target
+; Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+# Restart on crash (bad signal), and also on 'clean' failure (error exit code)
+# Allow up to 3 restarts within 10 seconds
+# (it's unlikely that a user or properly-running script will do this)
+Restart=always
+StartLimitInterval=10
+StartLimitBurst=3
+
+# User and group the process will run as
+;User={TELEBIT_USER}
+;Group={TELEBIT_GROUP}
+
+WorkingDirectory={TELEBIT_PATH}
+# custom directory cannot be set and will be the place where this exists, not the working directory
+ExecStart={TELEBIT_NODE} {TELEBITD_JS} daemon --config {TELEBITD_CONFIG}
+ExecReload=/bin/kill -USR1 $MAINPID
+
+# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
+# Unmodified, this is not expected to use more than this.
+;LimitNOFILE=1048576    # no issues yet, but disabled just in case
+;LimitNPROC=64          # doesn't work on some systems
+
+# Use private /tmp and /var/tmp, which are discarded after this stops.
+PrivateTmp=true
+# Use a minimal /dev
+;PrivateDevices=true
+# Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+# Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+# ... except for a few because we want a place for config, logs, etc
+# This merely retains r/w access rights, it does not add any new.
+# Must still be writable on the host!
+ReadWriteDirectories={TELEBIT_RW_DIRS}
+
+# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
+; ReadWritePaths={TELEBIT_RW_DIRS}
+
+# The following additional security directives only work with systemd v229 or later.
+# They further retrict privileges that can be gained.
+# Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+# Caveat: Some features may need additional capabilities.
+# For example an "upload" may need CAP_LEASE
+; CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_LEASE
+; AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_LEASE
+; NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target

usr/share/dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist.tpl

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>Telebit Remote</string>
+
+	<key>ProgramArguments</key>
+	<array>
+		<string>{TELEBIT_NODE}</string>
+		<string>{TELEBITD_JS}</string>
+		<string>daemon</string>
+		<string>--config</string>
+		<string>{TELEBITD_CONFIG}</string>
+	</array>
+
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>TELEBIT_PATH</key>
+		<string>{TELEBIT_PATH}</string>
+		<key>NODE_PATH</key>
+		<string>{NODE_PATH}</string>
+		<key>NPM_CONFIG_PREFIX</key>
+		<string>{NPM_CONFIG_PREFIX}</string>
+	</dict>
+
+	<!--
+	:: LaunchDaemon Only ::
+	<key>UserName</key>
+	<string>{TELEBIT_USER}</string>
+	<key>GroupName</key>
+	<string>{TELEBIT_GROUP}</string>
+	<key>InitGroups</key>
+	<true/>
+	-->
+
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<!--
+	<dict>
+		<key>Crashed</key>
+		<true/>
+		<key>NetworkState</key>
+		<true/>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+  -->
+
+  <!--
+	<key>SoftResourceLimits</key>
+	<dict>
+		<key>NumberOfFiles</key>
+		<integer>8192</integer>
+	</dict>
+	<key>HardResourceLimits</key>
+	<dict/>
+  -->
+
+	<key>WorkingDirectory</key>
+	<string>{TELEBIT_PATH}</string>
+
+	<key>StandardErrorPath</key>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
+	<key>StandardOutPath</key>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
+</dict>
+</plist>

usr/share/dist/etc/systemd/system/telebit.service.tpl

@@ -0,0 +1,67 @@
+# Pre-req
+# sudo adduser telebit --home {TELEBIT_PATH}
+# sudo mkdir -p {TELEBIT_PATH}/
+# sudo chown -R {TELEBIT_USER}:{TELEBIT_GROUP} {TELEBIT_PATH}/
+
+[Unit]
+Description=Telebit Remote
+Documentation=https://git.coolaj86.com/coolaj86/telebit.js/
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+# Restart on crash (bad signal), and also on 'clean' failure (error exit code)
+# Allow up to 3 restarts within 10 seconds
+# (it's unlikely that a user or properly-running script will do this)
+Restart=always
+StartLimitInterval=10
+StartLimitBurst=3
+
+# User and group the process will run as
+User={TELEBIT_USER}
+Group={TELEBIT_GROUP}
+
+WorkingDirectory={TELEBIT_PATH}
+# custom directory cannot be set and will be the place where this exists, not the working directory
+ExecStart={TELEBIT_NODE} {TELEBITD_JS} daemon --config {TELEBITD_CONFIG}
+ExecReload=/bin/kill -USR1 $MAINPID
+
+# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
+# Unmodified, this is not expected to use more than this.
+LimitNOFILE=1048576
+LimitNPROC=64
+
+# Use private /tmp and /var/tmp, which are discarded after this stops.
+PrivateTmp=true
+# Use a minimal /dev
+PrivateDevices=true
+# Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+# Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+# ... except for a few because we want a place for config, logs, etc
+# This merely retains r/w access rights, it does not add any new.
+# Must still be writable on the host!
+ReadWriteDirectories={TELEBIT_RW_DIRS}
+
+# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
+; ReadWritePaths={TELEBIT_RW_DIRS}
+
+# The following additional security directives only work with systemd v229 or later.
+# They further retrict privileges that can be gained.
+# Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+# Caveat: Some features may need additional capabilities.
+# For example an "upload" may need CAP_LEASE
+; CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_LEASE
+; AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_LEASE
+; NoNewPrivileges=true
+
+[Install]
+# For system-level service
+;WantedBy=multi-user.target
+# For userspace service
+WantedBy=default.target

usr/share/install-launcher.js

@@ -0,0 +1,448 @@
+'use strict';
+
+//var fs = require('fs');
+var os = require('os');
+var mkdirp = require('mkdirp');
+var exec = require('child_process').exec;
+var path = require('path');
+
+var Launcher = module.exports;
+Launcher._killAll = function (fn) {
+  var psList = require('ps-list');
+  psList().then(function (procs) {
+    procs.forEach(function (proc) {
+      if ('node' === proc.name && /\btelebitd\b/i.test(proc.cmd)) {
+        console.log(proc);
+        process.kill(proc.pid);
+        return true;
+      }
+    });
+    // Two things:
+    // 1) wait to see if the process dies
+    // 2) wait to give time for the socket to connect
+    setTimeout(function () {
+      if (fn) { fn(null); return; }
+    }, 1.75 * 1000);
+  });
+};
+Launcher._getError = function getError(err, stderr) {
+  if (err) { return err; }
+  if (stderr) {
+    err = new Error(stderr);
+    err.code = 'ELAUNCHER';
+    return err;
+  }
+};
+Launcher._detect = function (things, fn) {
+  if (things.launcher) {
+    if ('string' === typeof things.launcher) {
+      fn(null, things.launcher);
+      return;
+    }
+    if ('function' === typeof things.launcher) {
+      things.launcher(things);
+      return;
+    }
+  }
+
+  // could have used "command-exists" but I'm trying to stay low-dependency
+  // os.platform(), os.type()
+  if (!/^win/i.test(os.platform())) {
+    if (/^darwin/i.test(os.platform())) {
+      exec('command -v launchctl', things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        fn(err, 'launchctl');
+      });
+    } else {
+      exec('command -v systemctl', things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        fn(err, 'systemctl');
+      });
+    }
+  } else {
+    // https://stackoverflow.com/questions/17908789/how-to-add-an-item-to-registry-to-run-at-startup-without-uac
+    // wininit? regedit? SCM?
+    // REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\MyAppPath\MyApp.exe"
+    // https://www.microsoft.com/developerblog/2015/11/09/reading-and-writing-to-the-windows-registry-in-process-from-node-js/
+    // https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-add
+    // https://social.msdn.microsoft.com/Forums/en-US/5b318f44-281e-4098-8dee-3ba8435fa391/add-registry-key-for-autostart-of-app-in-ice?forum=quebectools
+    // utils.elevate
+    // https://github.com/CatalystCode/windows-registry-node
+    exec('where reg.exe', things._execOpts, function (err, stdout, stderr) {
+      //console.log((stdout||'').trim());
+      if (stderr) {
+        console.error(stderr);
+      }
+      fn(err, 'reg.exe');
+    });
+  }
+};
+Launcher.install = function (things, fn) {
+  if (!fn) { fn = function (err) { if (err) { console.error(err); } }; }
+  things = things || {};
+  // in some future version we can take this file out
+  // and accept process.env from things
+  var installLauncher = require('./template-launcher');
+
+  // Right now this is just for npm install -g and npx
+  if (things.env) {
+    things.env.PATH = things.env.PATH || process.env.PATH;
+  } else {
+    things.env = process.env;
+  }
+  things.argv = things.argv || process.argv;
+  things._execOpts = { windowsHide: true, env: things.env };
+  var telebitRoot = path.join(__dirname, '../..');
+  var vars = {
+    telebitPath: telebitRoot
+  , telebitUser: os.userInfo().username
+  , telebitGroup: (/^darwin/i.test(os.platform()) ? 'staff' : os.userInfo().username)
+  , telebitRwDirs: [
+      telebitRoot
+    , path.join(os.homedir(), '.config/telebit')
+    , path.join(os.homedir(), '.local/share/telebit')
+    ]
+  , telebitNode: (things.argv[0]||'').replace(/\.exe/i, '') // path.join(telebitRoot, 'bin/node')
+  , telebitBin: path.join(telebitRoot, 'bin/telebit')
+  , telebitdBin: path.join(telebitRoot, 'bin/telebitd')
+  , telebitJs: path.join(telebitRoot, 'bin/telebit.js')
+  , telebitdJs: path.join(telebitRoot, 'bin/telebitd.js')
+  , telebitConfig: path.join(os.homedir(), '.config/telebit/telebit.yml')
+  , telebitdConfig: path.join(os.homedir(), '.config/telebit/telebitd.yml')
+  , TELEBIT_LOG_DIR: path.join(os.homedir(), '.local/share/telebit/var/log')
+  , TELEBIT_SOCK_DIR: path.join(os.homedir(), '.local/share/telebit/var/run')
+  };
+  vars.telebitBinTpl = path.join(telebitRoot, 'usr/share/dist/bin/telebit.tpl');
+  vars.telebitNpm = path.resolve(vars.telebitNode, '../npm');
+  vars.nodePath = path.resolve(vars.telebitNode, '../../lib/node_modules');
+  vars.npmConfigPrefix = path.resolve(vars.telebitNode, '..', '..');
+  vars.userspace = (!things.telebitUser || (things.telebitUser === os.userInfo().username)) ? true : false;
+  if (-1 === vars.telebitRwDirs.indexOf(vars.npmConfigPrefix)) {
+    vars.telebitRwDirs.push(vars.npmConfigPrefix);
+  }
+  vars.telebitRwDirs = vars.telebitRwDirs.join(' ');
+  var launchers = {
+    'node': function () {
+      var fs = require('fs');
+      var spawn = require('child_process').spawn;
+      var logpath = path.join(os.homedir(), '.local/share/telebit/var/log');
+      try {
+        mkdirp.sync(logpath);
+      } catch(e) {
+        if (fn) { fn(e); return; }
+        return;
+      }
+      var stdout = fs.openSync(path.join(logpath, 'info.log'), 'a');
+      var stderr = fs.openSync(path.join(logpath, 'error.log'), 'a');
+
+      var killed = 0;
+      var err;
+      var args = [
+        path.join(telebitRoot, 'bin/telebitd.js')
+      , 'daemon'
+      , '--config'
+      , vars.telebitdConfig
+      ];
+      var subprocess = spawn(
+        vars.telebitNode
+      , args
+      , { detached: true
+        , stdio: [ 'ignore', stdout, stderr ]
+        }
+      );
+      //console.log('[debug]', vars.telebitNode, args.join(' '));
+      subprocess.unref();
+      subprocess.on('error', function (_err) {
+        err = _err;
+        killed += 1;
+      });
+      subprocess.on('exit', function (code, signal) {
+        if (!err) { err = new Error('' + code + ' ' + signal + ' failure to launch'); }
+        killed += 1;
+      });
+
+      // Two things:
+      // 1) wait to see if the process dies
+      // 2) wait to give time for the socket to connect
+      setTimeout(function () {
+        if (fn) { fn(err); return; }
+      }, 1.75 * 1000);
+      return;
+    }
+  , 'launchctl': function () {
+      var launcher = path.join(os.homedir(), 'Library/LaunchAgents/cloud.telebit.remote.plist');
+      try {
+        mkdirp.sync(path.join(os.homedir(), 'Library/LaunchAgents'));
+        installLauncher.sync({
+            file: {
+              tpl: vars.telebitBinTpl
+            , launcher: path.join(vars.telebitPath, 'bin/telebit')
+            , executable: true
+          }
+        , vars: vars
+        });
+        installLauncher({
+          file: {
+              tpl: path.join(vars.telebitPath, 'usr/share/dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist.tpl')
+            , launcher: launcher
+            }
+          , vars: vars
+        });
+        var launcherstr = (vars.userspace ? "" : "sudo ") + "launchctl ";
+        var execstr = launcherstr + "unload -w " + launcher;
+        exec(execstr, things._execOpts, function (/*err, stdout, stderr*/) {
+          // we probably only need to skip the stderr (saying that it can't stop something that isn't started)
+          //err = Launcher._getError(err, stderr);
+          //if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          //console.log('unload worked?');
+          execstr = launcherstr + "load -w " + launcher;
+          exec(execstr, things._execOpts, function (err, stdout, stderr) {
+            err = Launcher._getError(err, stderr);
+            if (err) { fn(err); return; }
+            //console.log((stdout||'').trim());
+            //console.log('load worked?');
+            setTimeout(function () {
+              fn(null);
+            }, 1.25 * 1000);
+          });
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error:");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+   , 'systemctl': function () {
+      var launcher = path.join(os.homedir(), '.config/systemd/user/telebit.service');
+      var launchername = 'telebit.service';
+      try {
+        mkdirp.sync(path.join(os.homedir(), '.config/systemd/user'));
+        installLauncher({
+          file: {
+            tpl: path.join(vars.telebitPath, 'usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl')
+          , launcher: launcher
+          }
+        , vars: vars
+        }, function () {
+          // IMPORTANT
+          // It's a dangerous to go alone, take this:
+          // SYSTEMD_LOG_LEVEL=debug journalctl -xef --user-unit=telebit
+          // (makes debugging systemd issues not "easy" per se, but possible)
+          var launcherstr = (vars.userspace ? "" : "sudo ") + "systemctl " + (vars.userspace ? "--user " : "");
+          var execstr = launcherstr + "daemon-reload";
+          exec(execstr, things._execOpts, function (err, stdout, stderr) {
+            err = Launcher._getError(err, stderr);
+            if (err) { fn(err); return; }
+            //console.log((stdout||'').trim());
+            var execstr = launcherstr + "enable " + launchername;
+            exec(execstr, things._execOpts, function (err, stdout, stderr) {
+              err = Launcher._getError(err, stderr && !/Created symlink/i.test(stderr) && stderr || '');
+              if (err) { fn(err); return; }
+              //console.log((stdout||'').trim());
+              var execstr = launcherstr + "restart " + launchername;
+              exec(execstr, things._execOpts, function (err, stdout, stderr) {
+                err = Launcher._getError(err, stderr);
+                if (err) { fn(err); return; }
+                //console.log((stdout||'').trim());
+                setTimeout(function () {
+                  var execstr = launcherstr + "status " + launchername;
+                  exec(execstr, things._execOpts, function (err, stdout, stderr) {
+                    err = Launcher._getError(err, stderr);
+                    if (err) { fn(err); return; }
+                    if (!/active.*running/i.test(stdout)) {
+                      err = new Error("systemd failed to start '" + launchername + "'");
+                    }
+                    if (err) { fn(err); return; }
+                    //console.log((stdout||'').trim());
+                    fn(null);
+                  });
+                }, 1.25 * 1000);
+              });
+            });
+          });
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error:");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+  , 'reg.exe': function () {
+      if (!vars.userspace) {
+        console.warn("sysetm-level, privileged services are not yet supported on windows");
+      }
+      vars.telebitNode += '.exe';
+      var cmd = 'reg.exe add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"'
+        + ' /V "Telebit" /t REG_SZ /D '
+        + '"' + things.argv[0] + ' /c '  // something like C:\\Program Files (x64)\nodejs\node.exe
+        + [ path.join(__dirname, 'bin/telebitd.js')
+          , 'daemon'
+          , '--config'
+          , path.join(os.homedir(), '.config/telebit/telebitd.yml')
+          ].join(' ')
+        + '" /F'
+        ;
+      exec(cmd, things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        if (err) { fn(err); return; }
+        // need to start it for the first time ourselves
+        run(null, 'node');
+      });
+    }
+  };
+
+  function run(err, launcher) {
+    if (err) {
+      console.error("No luck with '" + launcher + "', trying a child process instead...");
+      console.error(err);
+      launcher = 'node';
+    }
+
+    if (launchers[launcher]) {
+      // console.log('Launching with launcher ' + launcher);
+      mkdirp.sync(path.join(vars.telebitPath, 'bin'));
+      mkdirp.sync(vars.TELEBIT_LOG_DIR);
+      mkdirp.sync(vars.TELEBIT_SOCK_DIR);
+      launchers[launcher]();
+      return;
+    } else {
+      console.error("No launcher handler for '" + launcher+ "'");
+    }
+  }
+
+  things._vars = vars;
+  things._userspace = vars.userspace;
+  Launcher._detect(things, run);
+};
+Launcher.uninstall = function (things, fn) {
+  if (!fn) { fn = function (err) { if (err) { console.error(err); } }; }
+  things = things || {};
+
+  // Right now this is just for npm install -g and npx
+  if (things.env) {
+    things.env.PATH = things.env.PATH || process.env.PATH;
+  } else {
+    things.env = process.env;
+  }
+  things.argv = things.argv || process.argv;
+  things._execOpts = { windowsHide: true, env: things.env };
+  var vars = {
+    telebitUser: os.userInfo().username
+  };
+  vars.userspace = (!things.telebitUser || (things.telebitUser === os.userInfo().username)) ? true : false;
+  var launchers = {
+    'node': function () {
+      Launcher._killAll(fn);
+    }
+  , 'launchctl': function () {
+      var launcher = path.join(os.homedir(), 'Library/LaunchAgents/cloud.telebit.remote.plist');
+      try {
+        var launcherstr = (vars.userspace ? "" : "sudo ") + "launchctl ";
+        var execstr = launcherstr + "unload -w " + launcher;
+        exec(execstr, things._execOpts, function (err, stdout, stderr) {
+          // we probably only need to skip the stderr (saying that it can't stop something that isn't started)
+          //err = Launcher._getError(err, stderr);
+          //if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          //console.log('unload worked?');
+          err = Launcher._getError(err, stderr);
+          if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          //console.log('load worked?');
+          setTimeout(function () {
+            fn(null);
+          }, 1.25 * 1000);
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error (uninstall):");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+   , 'systemctl': function () {
+      var launcher = path.join(os.homedir(), '.config/systemd/user/telebit.service');
+      var launchername = 'telebit.service';
+      try {
+        mkdirp.sync(path.join(os.homedir(), '.config/systemd/user'));
+        // IMPORTANT
+        // It's a dangerous to go alone, take this:
+        // SYSTEMD_LOG_LEVEL=debug journalctl -xef --user-unit=telebit
+        // (makes debugging systemd issues not "easy" per se, but possible)
+        var launcherstr = (vars.userspace ? "" : "sudo ") + "systemctl " + (vars.userspace ? "--user " : "");
+        var execstr = launcherstr + "disable " + launchername;
+        exec(execstr, things._execOpts, function (err, stdout, stderr) {
+          err = Launcher._getError(err, stderr && !/Removed symlink/i.test(stderr) && stderr || '');
+          if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          var execstr = launcherstr + "stop " + launchername;
+          exec(execstr, things._execOpts, function (err, stdout, stderr) {
+            err = Launcher._getError(err, stderr);
+            if (err) { fn(err); return; }
+            //console.log((stdout||'').trim());
+            setTimeout(function () {
+              var execstr = launcherstr + "status " + launchername;
+              exec(execstr, things._execOpts, function (err, stdout, stderr) {
+                err = Launcher._getError(err, stderr);
+                if (err) { fn(err); return; }
+                if (!/inactive.*dead/i.test(stdout)) {
+                  err = new Error("systemd failed to stop '" + launchername + "'");
+                }
+                if (err) { fn(err); return; }
+                //console.log((stdout||'').trim());
+                fn(null);
+              });
+            }, 1.25 * 1000);
+          });
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error:");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+  , 'reg.exe': function () {
+      if (!vars.userspace) {
+        console.warn("sysetm-level, privileged services are not yet supported on windows");
+      }
+      var cmd = 'reg.exe add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"'
+        + ' /V "Telebit" /F'
+        ;
+      exec(cmd, things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        if (err) { fn(err); return; }
+        // need to start it for the first time ourselves
+        kill(null, 'node');
+      });
+    }
+  };
+
+  function kill(err, launcher) {
+    if (err) {
+      console.error("No luck with '" + launcher + "', trying a process.kill() instead...");
+      console.error(err);
+      launcher = 'node';
+    }
+
+    if (launchers[launcher]) {
+      launchers[launcher]();
+      return;
+    } else {
+      console.error("No launcher handler (uninstall) for '" + launcher + "'");
+    }
+  }
+
+  things._vars = vars;
+  things._userspace = vars.userspace;
+  Launcher._detect(things, kill);
+};
+
+if (module === require.main) {
+  Launcher.install({
+    argv: process.argv
+  , env: process.env
+  }, function (err) {
+    if (err) { console.error(err); return; }
+    console.log("Telebit launched, or so it seems.");
+  });
+}

usr/share/install.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+#<pre><code>
+
+# This script does exactly 3 things for 1 good reason:
+#
+# What this does:
+#
+#   1. Detects either curl or wget and wraps them in helpers
+#   2. Exports the helpers for the real installer
+#   3. Downloads and runs the real installer
+#
+# Why
+#
+#   1. 'curl <smth> | bash -- some args here` breaks interactive input
+#       See https://stackoverflow.com/questions/16854041/bash-read-is-being-skipped-when-run-from-curl-pipe
+#
+#   2.  It also has practical risks of running a partially downloaded script, which could be dangeresque
+#       See https://news.ycombinator.com/item?id=12767636
+
+set -e
+set -u
+
+###############################
+#                             #
+#         http_get            #
+# boilerplate for curl / wget #
+#                             #
+###############################
+
+# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh
+
+export _my_http_get=""
+export _my_http_opts=""
+export _my_http_out=""
+
+detect_http_get()
+{
+  set +e
+  if type -p curl >/dev/null 2>&1; then
+    _my_http_get="curl"
+    _my_http_opts="-fsSL"
+    _my_http_out="-o"
+  elif type -p wget >/dev/null 2>&1; then
+    _my_http_get="wget"
+    _my_http_opts="--quiet"
+    _my_http_out="-O"
+  else
+    echo "Aborted, could not find curl or wget"
+    return 7
+  fi
+  set -e
+}
+
+http_get()
+{
+  $_my_http_get $_my_http_opts $_my_http_out "$2" "$1"
+  touch "$2"
+}
+
+http_bash()
+{
+  local _http_bash_url=$1
+  local _http_bash_args=${2:-}
+  local _http_bash_tmp=$(mktemp)
+  $_my_http_get $_my_http_opts $_my_http_out "$_http_bash_tmp" "$_http_bash_url"
+  bash "$_http_bash_tmp" $_http_bash_args; rm "$_http_bash_tmp"
+}
+
+detect_http_get
+export -f http_get
+export -f http_bash
+
+###############################
+##       END HTTP_GET        ##
+###############################
+
+if [ -n "${TELEBIT_VERSION:-}" ]; then
+  echo 'TELEBIT_VERSION='${TELEBIT_VERSION}
+fi
+export TELEBIT_VERSION=${TELEBIT_VERSION:-master}
+if [ -e "usr/share/install_helper.sh" ]; then
+  bash usr/share/install_helper.sh "$@"
+else
+  http_bash https://git.coolaj86.com/coolaj86/telebit.js/raw/branch/$TELEBIT_VERSION/usr/share/install_helper.sh "$@"
+fi

usr/share/install_helper.sh

@@ -0,0 +1,574 @@
+#!/bin/bash
+#<pre><code>
+
+# What does this do.. and why?
+# (and why is it so complicated?)
+#
+# What this does
+#
+#   1. Sets some vars and asks some questions
+#   2. Installs everything into a single place
+#      (inculding deps like node.js, with the correct version)
+#   3. Depending on OS, creates a user for the service
+#   4. Depending on OS, register with system launcher
+#
+# Why
+#
+#   So that you can get a fully configured, running product,
+#   with zero manual configuration in a matter of seconds -
+#   and have an uninstall that's just as easy.
+#
+# Why so complicated?
+#
+#  To support nuance differences between various versions of
+#  Linux, macOS, and Android, including whether it's being
+#  installed with user privileges, as root, wit a system user
+#  system daemon launcher, etc. Also, this is designed to be
+#  reusable with many apps and services, so it's very variabled...
+
+set -e
+set -u
+
+### http_bash exported by get.sh
+
+TELEBIT_DEBUG=${TELEBIT_DEBUG:-}
+
+# NOTE: On OS X logname works from a pipe, but on Linux it does not
+my_logname=$(who am i </dev/tty | awk '{print $1}')
+#my_logname=${my_logname:-$(logname)}
+#my_logname=${my_logname:-$SUDO_USER}
+if [ -n "$my_logname" ] && [ "$my_logname" != "$(id -u -n)" ]; then
+  echo "WARNING:"
+  echo "    You are logged in as '$(logname)' but acting as '$(id -u -n)'."
+  echo "    If the installation is not successful please log in as '$(id -u -n)' directly."
+  sleep 3
+fi
+
+if [ -n "${TELEBIT_DEBUG:-}" ]; then
+  echo 'TELEBIT_DEBUG='${TELEBIT_DEBUG}
+fi
+if [ -n "${TELEBIT_PATH:-}" ]; then
+  echo 'TELEBIT_PATH='${TELEBIT_PATH}
+fi
+if [ -n "${TELEBIT_USERSPACE:-}" ]; then
+  echo 'TELEBIT_USERSPACE='${TELEBIT_USERSPACE}
+fi
+if [ -n "${TELEBIT_USER:-}" ]; then
+  echo 'TELEBIT_USER='${TELEBIT_USER}
+fi
+if [ -n "${TELEBIT_GROUP:-}" ]; then
+  echo 'TELEBIT_GROUP='${TELEBIT_GROUP}
+fi
+TELEBIT_VERSION=${TELEBIT_VERSION:-master}
+TELEBIT_USERSPACE=${TELEBIT_USERSPACE:-no}
+my_email=${1:-}
+my_relay=${2:-}
+my_servernames=${3:-}
+my_secret=${4:-}
+
+cur_user="$(id -u -n)"
+TELEBIT_USER="${TELEBIT_USER:-$cur_user}"
+
+cur_group="$(id -g -n)"
+TELEBIT_GROUP="${TELEBIT_GROUP:-$cur_group}"
+
+my_app_pkg_name="cloud.telebit.remote"
+my_app="telebit"
+my_daemon="telebitd"
+my_bin="telebit.js"
+my_name="Telebit Remote"
+my_repo="telebit.js"
+my_root=${my_root:-} # todo better install script
+soft_sudo_cmd="sudo"
+soft_sudo_cmde="sudo "
+exec 3<>/dev/tty
+read_cmd="read -u 3"
+# TODO detect if rsync is available and use rsync -a (more portable)
+rsync_cmd="cp -pPR"
+
+set +e
+my_edit=$(basename "${EDITOR:-}")
+if [ -z "$my_edit" ]; then
+  my_edit=$(basename "$(type -p edit)")
+fi
+if [ -z "$my_edit" ]; then
+  my_edit=$(basename "$(type -p nano)")
+fi
+if [ -z "$my_edit" ]; then
+  my_edit=$(basename "$(type -p vim)")
+fi
+if [ -z "$my_edit" ]; then
+  my_edit=$(basename "$(type -p vi)")
+fi
+if [ -z "$my_edit" ]; then
+  my_edit="nano"
+fi
+set -e
+
+if [ "root" == $(whoami) ] || [ 0 == $(id -u) ]; then
+  soft_sudo_cmd=" "
+  soft_sudo_cmde=""
+fi
+
+echo ""
+
+TELEBIT_REAL_PATH=${TELEBIT_PATH:-}
+
+if [ $(id -u) -ne 0 ] && [ "$TELEBIT_USER" == "$cur_user" ]; then
+  TELEBIT_USERSPACE="yes"
+  if [ -z "${TELEBIT_REAL_PATH:-}" ]; then
+    TELEBIT_REAL_PATH=$HOME/Applications/$my_app
+  fi
+else
+  TELEBIT_USERSPACE="no"
+  if [ -z "${TELEBIT_REAL_PATH:-}" ]; then
+    TELEBIT_REAL_PATH=/opt/$my_app
+  fi
+fi
+TELEBIT_PATH="$TELEBIT_REAL_PATH"
+TELEBIT_TMP="$TELEBIT_REAL_PATH"
+# this works slightly differently between bsd (macOS) and gnu mktemp
+# bsd requires the Xes for templates while GNU uses them literally
+my_tmp="$(mktemp -d -t telebit.XXXXXXXX)"
+#TELEBIT_TMP="$my_tmp/telebit"
+
+echo "Installing $my_name to '$TELEBIT_REAL_PATH'"
+# v10.2+ has much needed networking fixes, but breaks ursa.
+# v9.x has severe networking bugs.
+# v8.x has working ursa, but requires tls workarounds"
+# v10.13 seems to work for me locally (new greenlock)
+NODEJS_VER="${NODEJS_VER:-v10.13}"
+export NODEJS_VER
+export NODE_PATH="$TELEBIT_TMP/lib/node_modules"
+export NPM_CONFIG_PREFIX="$TELEBIT_TMP"
+# this comes last for security
+export PATH="$PATH:$TELEBIT_REAL_PATH/bin"
+sleep 0.25
+real_sudo_cmd=$soft_sudo_cmd
+real_sudo_cmde=$soft_sudo_cmde
+
+set +e
+mkdir -p $my_tmp "$TELEBIT_REAL_PATH" "$TELEBIT_REAL_PATH/etc" "$TELEBIT_REAL_PATH/var/log" 2>/dev/null && \
+  chown -R $(id -u -n):$(id -g -n) $my_tmp "$TELEBIT_REAL_PATH" 2>/dev/null
+if [ $? -eq 0 ]; then
+  soft_sudo_cmd=" "
+  soft_sudo_cmde=""
+else
+  $soft_sudo_cmd mkdir -p $my_tmp "$TELEBIT_REAL_PATH" "$TELEBIT_REAL_PATH/etc" "$TELEBIT_REAL_PATH/var/log"
+  $soft_sudo_cmd chown -R $(id -u -n):$(id -g -n) $my_tmp "$TELEBIT_REAL_PATH"
+fi
+set -e
+
+
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  - installing node.js runtime to '$TELEBIT_REAL_PATH'..."
+  http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps
+else
+  echo -n "."
+  #bash -c 'while true; do echo -n "."; sleep 2; done' 2>/dev/null &
+  #_my_pid=$!
+  http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps >/dev/null 2>/dev/null
+  #kill $_my_pid >/dev/null 2>/dev/null
+fi
+
+#
+# TODO create "upgrade" script and run that instead
+#
+
+my_node="$TELEBIT_REAL_PATH/bin/node"
+tmp_node="$TELEBIT_TMP/bin/node"
+my_npm="$my_node $TELEBIT_TMP/bin/npm"
+tmp_npm="$tmp_node $TELEBIT_TMP/bin/npm"
+
+#https://git.coolaj86.com/coolaj86/telebit.js.git
+#https://git.coolaj86.com/coolaj86/telebit.js/archive/:tree:.tar.gz
+#https://git.coolaj86.com/coolaj86/telebit.js/archive/:tree:.zip
+set +e
+my_unzip=$(type -p unzip)
+my_tar=$(type -p tar)
+# TODO extract to temporary directory, configure, copy etc, replace
+if [ -n "$my_unzip" ]; then
+  rm -f $my_tmp/$my_app-$TELEBIT_VERSION.zip
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "  - installing telebit zip to '$TELEBIT_REAL_PATH'"
+  fi
+  echo -n "."
+  #bash -c 'while true; do echo -n "."; sleep 2; done' 2>/dev/null &
+  #_my_pid=$!
+  http_get https://git.coolaj86.com/coolaj86/$my_repo/archive/$TELEBIT_VERSION.zip $my_tmp/$my_app-$TELEBIT_VERSION.zip
+  #kill $_my_pid >/dev/null 2>/dev/null
+  # -o means overwrite, and there is no option to strip
+  $my_unzip -o $my_tmp/$my_app-$TELEBIT_VERSION.zip -d $my_tmp/ >/dev/null
+  $rsync_cmd  $my_tmp/$my_repo/* $TELEBIT_TMP/ > /dev/null
+  rm -rf $my_tmp/$my_repo
+elif [ -n "$my_tar" ]; then
+  rm -f $my_tmp/$my_app-$TELEBIT_VERSION.tar.gz
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "  - installing telebit tar.gz to '$TELEBIT_REAL_PATH'"
+  fi
+  echo -n "."
+  #bash -c 'while true; do echo -n "."; sleep 2; done' 2>/dev/null &
+  #_my_pid=$!
+  http_get https://git.coolaj86.com/coolaj86/$my_repo/archive/$TELEBIT_VERSION.tar.gz $my_tmp/$my_app-$TELEBIT_VERSION.tar.gz
+  #kill $_my_pid >/dev/null 2>/dev/null
+  $my_tar -xzf $my_tmp/$my_app-$TELEBIT_VERSION.tar.gz --strip 1 -C $TELEBIT_TMP/ >/dev/null
+else
+  echo "Neither tar nor unzip found. Abort."
+  exit 13
+fi
+set -e
+
+#
+# TODO create slim packages that contain all the deps on each os and cpu
+#
+pushd $TELEBIT_TMP >/dev/null
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "  - installing telebit npm dependencies to '$TELEBIT_REAL_PATH'..."
+  else
+    echo -n "."
+  fi
+  set +e
+  $tmp_npm install >/dev/null 2>/dev/null &
+  tmp_npm_pid=$!
+  while [ -n "$tmp_npm_pid" ]; do
+    sleep 2
+    echo -n "."
+    kill -s 0 $tmp_npm_pid >/dev/null 2>/dev/null || tmp_npm_pid=""
+  done
+  set -e
+  echo -n "."
+  $tmp_npm install >/dev/null 2>/dev/null
+  # ursa is now an entirely optional dependency for key generation
+  # but very much needed on ARM devices
+  $tmp_npm install ursa >/dev/null 2>/dev/null || true
+popd >/dev/null
+
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  - configuring telebit..."
+  echo ""
+fi
+
+###############################################
+#
+# TODO convert to node script
+#
+# Now that node is installed and the telebit
+# packeage is downloaded, everything can be
+# run from node, except things requiring sudo
+#
+###############################################
+
+# telebit remote
+echo '#!/bin/bash' > "$TELEBIT_TMP/bin/$my_app"
+echo "$my_node $TELEBIT_REAL_PATH/bin/$my_bin "'"$@"' >> "$TELEBIT_TMP/bin/$my_app"
+chmod a+x "$TELEBIT_TMP/bin/$my_app"
+
+# telebit daemon
+echo '#!/bin/bash' > "$TELEBIT_TMP/bin/$my_daemon"
+echo "$my_node $TELEBIT_REAL_PATH/bin/$my_daemon.js daemon "'"$@"' >> "$TELEBIT_TMP/bin/$my_daemon"
+chmod a+x "$TELEBIT_TMP/bin/$my_daemon"
+
+# Create uninstall script based on the install script variables
+cat << EOF > $TELEBIT_TMP/bin/${my_app}_uninstall
+#!/bin/bash
+set -x
+if [ "$(type -p launchctl)" ]; then
+  sudo launchctl unload -w /Library/LaunchDaemons/${my_app_pkg_name}.plist
+  sudo rm -f /Library/LaunchDaemons/${my_app_pkg_name}.plist
+
+  launchctl unload -w $HOME/Library/LaunchAgents/${my_app_pkg_name}.plist
+  rm -f $HOME/Library/LaunchAgents/${my_app_pkg_name}.plist
+fi
+if [ "$(type -p systemctl)" ]; then
+  systemctl --user disable $my_app >/dev/null
+  systemctl --user stop $my_app
+  rm -f $HOME/.config/systemd/user/$my_app.service
+
+  sudo systemctl disable $my_app >/dev/null
+  sudo systemctl stop $my_app
+  sudo rm -f /etc/systemd/system/$my_app.service
+fi
+sudo rm -rf $TELEBIT_REAL_PATH /usr/local/bin/$my_app
+sudo rm -rf $TELEBIT_REAL_PATH /usr/local/bin/$my_daemon
+rm -rf $HOME/.config/$my_app $HOME/.local/share/$my_app
+EOF
+chmod a+x $TELEBIT_TMP/bin/${my_app}_uninstall
+
+#set +e
+#if type -p setcap >/dev/null 2>&1; then
+#  #echo "Setting permissions to allow $my_app to run on port 80 and port 443 without sudo or root"
+#  echo "    > ${real_sudo_cmde}setcap cap_net_bind_service=+ep $TELEBIT_REAL_PATH/bin/node"
+#  $real_sudo_cmd setcap cap_net_bind_service=+ep $TELEBIT_REAL_PATH/bin/node
+#fi
+#set -e
+
+my_skip=""
+set +e
+# TODO for macOS https://apple.stackexchange.com/questions/286749/how-to-add-a-user-from-the-command-line-in-macos
+# TODO do stuff for groups too
+# TODO add ending $
+if type -p dscl >/dev/null 2>/dev/null; then
+  if [ -n "$(dscl . list /users | grep ^$TELEBIT_USER)" ] && [ -n "$(dscl . list /groups | grep ^$TELEBIT_GROUP)" ]; then
+    my_skip="yes"
+  fi
+elif [ -n "$(cat $my_root/etc/passwd | grep $TELEBIT_USER)" ] && [ -n "$(cat $my_root/etc/group | grep $TELEBIT_GROUP)" ]; then
+  my_skip="yes"
+fi
+
+if [ -z "$my_skip" ]; then
+  if type -p adduser >/dev/null 2>/dev/null; then
+    $real_sudo_cmd adduser --home $TELEBIT_REAL_PATH --gecos '' --disabled-password $TELEBIT_USER >/dev/null 2>&1
+    #TELEBIT_USER=$my_app_name
+    TELEBIT_GROUP=$TELEBIT_USER
+  elif [ -n "$(cat /etc/passwd | grep www-data:)" ]; then
+    # Linux (Ubuntu)
+    TELEBIT_USER=www-data
+    TELEBIT_GROUP=www-data
+  elif [ -n "$(cat /etc/passwd | grep _www:)" ]; then
+    # Mac
+    TELEBIT_USER=_www
+    TELEBIT_GROUP=_www
+  else
+    # Unsure
+    TELEBIT_USER=$(id -u -n) # $(whoami)
+    TELEBIT_GROUP=$(id -g -n)
+  fi
+fi
+set -e
+
+export TELEBIT_USER
+export TELEBIT_GROUP
+export TELEBIT_PATH
+export TELEBIT_CONFIG=$HOME/.config/$my_app/$my_app.yml
+# TODO check both expected sock paths in client by default
+if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+  TELEBIT_TMP_CONFIGD=$HOME/.config/$my_app/$my_daemon.yml
+  TELEBITD_CONFIG=$HOME/.config/$my_app/$my_daemon.yml
+  TELEBIT_LOG_DIR=${TELEBIT_LOG_DIR:-$HOME/.local/share/$my_app/var/log/}
+  TELEBIT_SOCK_DIR=${TELEBIT_SOCK_DIR:-$HOME/.local/share/$my_app/var/run/}
+  TELEBIT_SOCK=${TELEBIT_SOCK:-$HOME/.local/share/$my_app/var/run/$my_app.sock}
+else
+  TELEBIT_TMP_CONFIGD=$TELEBIT_TMP/etc/$my_daemon.yml
+  TELEBITD_CONFIG=$TELEBIT_REAL_PATH/etc/$my_daemon.yml
+  TELEBIT_LOG_DIR=${TELEBIT_LOG_DIR:-$TELEBIT_REAL_PATH/var/log/}
+  TELEBIT_SOCK_DIR=${TELEBIT_SOCK_DIR:-$TELEBIT_REAL_PATH/var/run/}
+  TELEBIT_SOCK=${TELEBIT_SOCK:-$TELEBIT_REAL_PATH/var/run/$my_app.sock}
+fi
+export TELEBITD_CONFIG
+export TELEBIT_SOCK
+export TELEBIT_NODE=$TELEBIT_REAL_PATH/bin/node
+export TELEBIT_NPM=$TELEBIT_REAL_PATH/bin/npm
+export TELEBIT_BIN=$TELEBIT_REAL_PATH/bin/telebit
+export TELEBITD_BIN=$TELEBIT_REAL_PATH/bin/telebitd
+export TELEBIT_JS=$TELEBIT_REAL_PATH/bin/telebit.js
+export TELEBITD_JS=$TELEBIT_REAL_PATH/bin/telebitd.js
+export TELEBIT_LOG_DIR
+export TELEBIT_SOCK_DIR
+export NODE_PATH="$TELEBIT_REAL_PATH/lib/node_modules"
+export NPM_CONFIG_PREFIX="$TELEBIT_REAL_PATH"
+
+$my_node $TELEBIT_TMP/usr/share/template-launcher.js
+
+# TODO don't create this in TMP_PATH if it exists in TELEBIT_REAL_PATH
+mkdir -p "$(dirname $TELEBIT_TMP_CONFIGD)"
+if [ ! -e "$TELEBITD_CONFIG" ]; then
+
+  echo "sock: $TELEBIT_SOCK" >> "$TELEBIT_TMP_CONFIGD"
+  echo "root: $TELEBIT_REAL_PATH" >> "$TELEBIT_TMP_CONFIGD"
+  cat $TELEBIT_REAL_PATH/usr/share/$my_daemon.tpl.yml >> "$TELEBIT_TMP_CONFIGD"
+
+fi
+
+mkdir -p "$(dirname $TELEBIT_CONFIG)"
+if [ ! -e "$TELEBIT_CONFIG" ]; then
+
+  echo "sock: $TELEBIT_SOCK" >> "$TELEBIT_CONFIG"
+
+fi
+
+
+
+# TODO
+# Backup final directory, if it exists
+# Move everything over to final directory
+# Restore config files, if they exist
+# rewrite system service file with real variables
+
+# This should only affect non-USERSPACE installs
+#echo "${soft_sudo_cmde}chown -R $TELEBIT_USER '$TELEBIT_REAL_PATH'
+$soft_sudo_cmd mkdir -p $TELEBIT_LOG_DIR
+$soft_sudo_cmd mkdir -p $TELEBIT_SOCK_DIR
+$soft_sudo_cmd chown -R $TELEBIT_USER "$TELEBIT_REAL_PATH"
+
+# $HOME/.config/systemd/user/
+# %h/.config/telebit/telebit.yml
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  - adding $my_app as a system service"
+fi
+# TODO detect with type -p
+my_system_launcher=""
+my_app_launchd_service=""
+if [ -d "/Library/LaunchDaemons" ]; then
+  my_system_launcher="launchd"
+  my_sudo_cmde="$real_sudo_cmde"
+  my_sudo_cmd="$real_sudo_cmd"
+
+
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    my_app_launchd_service_skel="etc/skel/Library/LaunchAgents/${my_app_pkg_name}.plist"
+    my_app_launchd_service="$HOME/Library/LaunchAgents/${my_app_pkg_name}.plist"
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > $rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service $my_app_launchd_service"
+    fi
+    mkdir -p $HOME/Library/LaunchAgents
+    $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service_skel" "$my_app_launchd_service"
+
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > chown $(id -u -n):$(id -g -n) $my_app_launchd_service"
+    fi
+    chown $(id -u -n):$(id -g -n) "$my_app_launchd_service"
+    my_sudo_cmd=""
+    my_sudo_cmde=""
+
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > launchctl unload -w $my_app_launchd_service >/dev/null 2>/dev/null"
+    fi
+    launchctl unload -w "$my_app_launchd_service" >/dev/null 2>/dev/null
+  else
+    my_app_launchd_service_skel="usr/share/dist/Library/LaunchDaemons/${my_app_pkg_name}.plist"
+    my_app_launchd_service="$my_root/Library/LaunchDaemons/${my_app_pkg_name}.plist"
+    echo "    > ${real_sudo_cmde}$rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service $my_app_launchd_service"
+    $real_sudo_cmd $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service_skel" "$my_app_launchd_service"
+
+    echo "    > ${real_sudo_cmde}chown root:wheel $my_app_launchd_service"
+    $real_sudo_cmd chown root:wheel "$my_app_launchd_service"
+
+    echo "    > ${real_sudo_cmde}launchctl unload -w $my_app_launchd_service >/dev/null 2>/dev/null"
+    $real_sudo_cmd launchctl unload -w "$my_app_launchd_service" >/dev/null 2>/dev/null
+  fi
+
+elif [ -d "$my_root/etc/systemd/system" ]; then
+  my_system_launcher="systemd"
+
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > $rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/etc/skel/.config/systemd/user/$my_app.service $HOME/.config/systemd/user/$my_app.service"
+    fi
+    mkdir -p $HOME/.config/systemd/user
+    $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/etc/skel/.config/systemd/user/$my_app.service" "$HOME/.config/systemd/user/$my_app.service"
+  else
+    echo "    > ${real_sudo_cmde}$rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/etc/systemd/system/$my_app.service /etc/systemd/system/$my_app.service"
+    $real_sudo_cmd $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/etc/systemd/system/$my_app.service" "/etc/systemd/system/$my_app.service"
+  fi
+fi
+
+sleep 1
+
+###############################
+# Actually Launch the Service #
+###############################
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo ""
+fi
+if [ "launchd" == "$my_system_launcher" ]; then
+
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "  > launchctl load -w $my_app_launchd_service"
+    else
+      echo -n "."
+    fi
+    launchctl load -w "$my_app_launchd_service"
+  else
+    echo "  > ${real_sudo_cmde}launchctl load -w $my_app_launchd_service"
+    $real_sudo_cmd launchctl load -w "$my_app_launchd_service"
+  fi
+  sleep 2; # give it time to start
+
+elif [ "systemd" == "$my_system_launcher" ]; then
+
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    # https://wiki.archlinux.org/index.php/Systemd/User
+    # sudo loginctl enable-linger username
+
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > systemctl --user enable $my_app"
+    else
+      echo -n "."
+    fi
+    set +e
+    if systemctl --user daemon-reload; then
+      # enable also puts success output to stderr... why?
+      systemctl --user enable $my_app >/dev/null 2>/dev/null
+      #echo "    > systemctl --user enable systemd-tmpfiles-setup.service systemd-tmpfiles-clean.timer"
+      #systemctl --user enable systemd-tmpfiles-setup.service systemd-tmpfiles-clean.timer
+      if [ -n "${TELEBIT_DEBUG}" ]; then
+        echo "    > systemctl --user start $my_app"
+      fi
+      systemctl --user stop $my_app >/dev/null 2>/dev/null
+      systemctl --user start $my_app >/dev/null
+
+      sleep 2; # give it time to start
+      _is_running=$(systemctl --user status --no-pager $my_app 2>/dev/null | grep "active.*running")
+      if [ -z "$_is_running" ]; then
+        echo "Something went wrong:"
+        systemctl --user status --no-pager $my_app
+      fi
+    else
+      echo "libpam-systemd is missing, which is required on Linux to register Telebit with the user launcher."
+      echo "sudo apt-get install -y libpam-systemd"
+      sudo apt-get install -y libpam-systemd
+    fi
+    set -e
+    echo -n "."
+  else
+
+    $real_sudo_cmd systemctl daemon-reload
+    echo "    > ${real_sudo_cmde}systemctl enable $my_app"
+    $real_sudo_cmd systemctl enable $my_app >/dev/null
+    echo "    > ${real_sudo_cmde}systemctl start $my_app"
+    $real_sudo_cmd systemctl daemon-reload
+    $real_sudo_cmd systemctl restart $my_app
+    sleep 2; # give it time to start
+    $real_sudo_cmd systemctl status --no-pager $my_app
+  fi
+
+else
+
+  echo "Run the service manually (we couldn't detect your system service to do that automatically):"
+  echo ""
+  echo "    $TELEBITD_BIN --config $TELEBITD_CONFIG"
+  echo "    ~/$my_app --config $TELEBIT_CONFIG"
+
+fi
+
+# NOTE: ln -sf *should* replace an existing link... but sometimes it doesn't, hence rm -f
+if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "    > ${real_sudo_cmde}ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app"
+  fi
+  rm -f /usr/local/bin/$my_app 2>/dev/null || true
+  ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app 2>/dev/null || true
+else
+  echo "    > ${real_sudo_cmde}ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app"
+  rm -f /usr/local/bin/$my_app 2>/dev/null || \
+    $real_sudo_cmd rm -f /usr/local/bin/$my_app
+  ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app 2>/dev/null || \
+    $real_sudo_cmd ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app
+  # telebitd
+  echo "    > ${real_sudo_cmde}ln -sf $TELEBIT_REAL_PATH/bin/$my_daemon /usr/local/bin/$my_daemon"
+  rm -f $TELEBIT_REAL_PATH/bin/$my_daemon || $real_sudo_cmd rm -f $TELEBIT_REAL_PATH/bin/$my_daemon
+  ln -sf $TELEBIT_REAL_PATH/bin/$my_daemon /usr/local/bin/$my_daemon || \
+    $real_sudo_cmd ln -sf $TELEBIT_REAL_PATH/bin/$my_daemon /usr/local/bin/$my_daemon
+fi
+rm -f $HOME/$my_app; ln -s $TELEBIT_REAL_PATH/bin/$my_app $HOME/
+
+
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  > telebit init --tty"
+  echo ""
+fi
+sleep 0.25
+
+echo ""
+$TELEBIT_REAL_PATH/bin/node $TELEBIT_REAL_PATH/bin/telebit.js init --tty

usr/share/install_launcher.sh

@@ -0,0 +1,46 @@
+echo ""
+echo ""
+echo "=============================================="
+echo "            Launcher Configuration            "
+echo "=============================================="
+echo ""
+
+my_stopper=""
+if [ "systemd" == "$my_system_launcher" ]; then
+
+  my_stopper="${real_sudo_cmde}systemctl stop $my_app"
+  echo "Edit the config and restart, if desired:"
+  echo ""
+  echo "    ${real_sudo_cmde}$my_edit $TELEBITD_CONFIG"
+  echo "    ${real_sudo_cmde}systemctl restart $my_app"
+  echo ""
+  echo "Or disabled the service and start manually:"
+  echo ""
+  echo "    ${real_sudo_cmde}systemctl stop $my_app"
+  echo "    ${real_sudo_cmde}systemctl disable $my_app"
+  echo "    $my_daemon --config $TELEBITD_CONFIG"
+
+elif [ "launchd" == "$my_system_launcher" ]; then
+
+  my_stopper="${real_sudo_cmde}launchctl unload $my_app_launchd_service"
+  echo "Edit the config and restart, if desired:"
+  echo ""
+  echo "    ${real_sudo_cmde}$my_edit $TELEBITD_CONFIG"
+  echo "    ${real_sudo_cmde}launchctl unload $my_app_launchd_service"
+  echo "    ${real_sudo_cmde}launchctl load -w $my_app_launchd_service"
+  echo ""
+  echo "Or disabled the service and start manually:"
+  echo ""
+  echo "    ${real_sudo_cmde}launchctl unload -w $my_app_launchd_service"
+  echo "    $my_daemon --config $TELEBITD_CONFIG"
+
+else
+
+  my_stopper="not started"
+  echo ""
+  echo "Run the service manually (we couldn't detect your system service to do that automatically):"
+  echo ""
+  echo "    $my_daemon --config $TELEBITD_CONFIG"
+  echo "    $my_app --config $TELEBIT_CONFIG"
+
+fi

usr/share/telebitd.tpl.yml

@@ -0,0 +1,5 @@
+#agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
+community_member: true          # receive infrequent relevant updates
+telemetry: true                 # contribute to project telemetric data
+newsletter: false               # contribute to project telemetric data
+ssh_auto: false                 # forward ssh-looking packets, from any connection, to port 22

usr/share/template-launcher.js

@@ -0,0 +1,97 @@
+'use strict';
+
+var path = require('path');
+var fs = require('fs');
+var os = require('os');
+
+module.exports = function (opts, fn) {
+  // TODO make async version
+  try {
+    module.exports.sync(opts);
+  } catch(e) {
+    if (fn) { fn(e); }
+  }
+
+  if (fn) { fn(null); }
+};
+module.exports.sync = function (opts) {
+  var f = opts.file;
+  var vars = opts.vars;
+  var text = fs.readFileSync(f.tpl, 'utf8')
+    .replace(/{TELEBIT_PATH}/g, vars.telebitPath || '{TELEBIT_PATH}')
+    .replace(/{TELEBIT_NODE}/g, vars.telebitNode || '{TELEBIT_NODE}')
+    .replace(/{NODE_PATH}/g, vars.nodePath || '{NODE_PATH}')
+    .replace(/{NPM_CONFIG_PREFIX}/g, vars.npmConfigPrefix || '{NPM_CONFIG_PREFIX}')
+    .replace(/{TELEBIT_NPM}/g, vars.telebitNpm || '{TELEBIT_NPM}')
+    .replace(/{TELEBIT_BIN}/g, vars.telebitBin || '{TELEBIT_BIN}')
+    .replace(/{TELEBITD_BIN}/g, vars.telebitdBin || '{TELEBITD_BIN}')
+    .replace(/{TELEBIT_JS}/g, vars.telebitJs || '{TELEBIT_JS}')
+    .replace(/{TELEBITD_JS}/g, vars.telebitdJs || '{TELEBITD_JS}')
+    .replace(/{TELEBIT_USER}/g, vars.telebitUser || '{TELEBIT_USER}')
+    .replace(/{TELEBIT_GROUP}/g, vars.telebitGroup || '{TELEBIT_GROUP}')
+    .replace(/{TELEBIT_RW_DIRS}/g, vars.telebitRwDirs || '{TELEBIT_RW_DIRS}')
+    .replace(/{TELEBIT_CONFIG}/g, vars.telebitConfig || '{TELEBIT_CONFIG}')
+    .replace(/{TELEBITD_CONFIG}/g, vars.telebitdConfig || '{TELEBITD_CONFIG}')
+    .replace(/{TELEBIT_LOG_DIR}/g, vars.TELEBIT_LOG_DIR || '{TELEBIT_LOG_DIR}')
+    .replace(/{TELEBIT_SOCK_DIR}/g, vars.TELEBIT_LOG_DIR || '{TELEBIT_SOCK_DIR}')
+    ;
+  fs.writeFileSync(f.launcher, text, 'utf8');
+  if (f.executable && !/^win/i.test(os.platform())) {
+    // TODO not sure if chmod works on windows
+    fs.chmodSync(f.launcher, parseInt('755', 8));
+  }
+};
+
+function run() {
+  var files = [
+    { tpl: (process.env.TELEBIT_SERVICE_TPL || path.join(__dirname, 'dist/etc/systemd/system/telebit.service.tpl'))
+    , launcher: (process.env.TELEBIT_SERVICE || path.join(__dirname, 'dist/etc/systemd/system/telebit.service'))
+    }
+  , { tpl: (process.env.TELEBIT_USER_SERVICE_TPL || path.join(__dirname, 'dist/etc/skel/.config/systemd/user/telebit.service.tpl'))
+    , launcher: (process.env.TELEBIT_USER_SERVICE || path.join(__dirname, 'dist/etc/skel/.config/systemd/user/telebit.service'))
+    }
+  , { tpl: (process.env.TELEBIT_PLIST_TPL || path.join(__dirname, 'dist/Library/LaunchDaemons/cloud.telebit.remote.plist.tpl'))
+    , launcher: (process.env.TELEBIT_PLIST || path.join(__dirname, 'dist/Library/LaunchDaemons/cloud.telebit.remote.plist'))
+    }
+  , { tpl: (process.env.TELEBIT_USER_PLIST_TPL || path.join(__dirname, 'dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist.tpl'))
+    , launcher: (process.env.TELEBIT_USER_PLIST || path.join(__dirname, 'dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist'))
+    }
+  ];
+
+  files.forEach(function (f) {
+    var telebitRoot = path.resolve(__dirname, '../..');
+    var vars = {
+      telebitPath: process.env.TELEBIT_PATH || telebitRoot
+    , telebitNode: process.env.TELEBIT_NODE || process.argv[0] || path.resolve(telebitRoot, 'bin/node')
+    , telebitBin: process.env.TELEBIT_BIN || path.resolve(telebitRoot, 'bin/telebit')
+    , telebitdBin: process.env.TELEBITD_BIN || path.resolve(telebitRoot, 'bin/telebitd')
+    , telebitJs: process.env.TELEBIT_JS || path.resolve(telebitRoot, 'bin/telebit.js')
+    , telebitdJs: process.env.TELEBITD_JS || path.resolve(telebitRoot, 'bin/telebitd.js')
+    , telebitRwDirs: [
+        (process.env.TELEBIT_PATH || path.resolve(__dirname, '../..'))
+      , path.join(os.homedir(), '.config/telebit')
+      , path.join(os.homedir(), '.local/share/telebit')
+      ]
+    , telebitUser: process.env.TELEBIT_USER || os.userInfo().username
+    , telebitGroup: process.env.TELEBIT_GROUP || ('darwin' === os.platform() ? 'staff' : os.userInfo().username)
+    , telebitConfig: process.env.TELEBIT_CONFIG || path.join(os.homedir(), '.config/telebit/telebit.yml')
+    , telebitdConfig: process.env.TELEBITD_CONFIG || path.join(os.homedir(), '.config/telebit/telebitd.yml')
+    , TELEBIT_LOG_DIR: process.env.TELEBIT_LOG_DIR || path.join(os.homedir(), '.local/share/telebit/var/log')
+    };
+    vars.telebitNpm = process.env.TELEBIT_NPM || path.resolve(vars.telebitNode, '../npm');
+    vars.nodePath = process.env.NODE_PATH || path.resolve(vars.telebitNode, '../../lib/node_modules');
+    vars.npmConfigPrefix = process.env.NPM_CONFIG_PREFIX || path.resolve(vars.telebitNode, '..', '..');
+    if (-1 === vars.telebitRwDirs.indexOf(vars.npmConfigPrefix)) {
+      vars.telebitRwDirs.push(vars.npmConfigPrefix);
+    }
+    vars.telebitRwDirs = vars.telebitRwDirs.join(' ');
+    module.exports({
+      file: f
+    , vars: vars
+    });
+  });
+}
+
+if (module === require.main) {
+  run();
+}

wsclient.js

@@ -1,241 +0,0 @@
-(function () {
-'use strict';
-
-var WebSocket = require('ws');
-var sni = require('sni');
-var Packer = require('tunnel-packer');
-var authenticated = false;
-
-function run(copts) {
-  // TODO pair with hostname / sni
-  copts.services = {};
-  copts.locals.forEach(function (proxy) {
-    //program.services = { 'ssh': 22, 'http': 80, 'https': 443 };
-    copts.services[proxy.protocol] = proxy.port;
-  });
-
-  var tunnelUrl = copts.stunneld.replace(/\/$/, '') + '/?access_token=' + copts.token;
-  var wstunneler;
-  var localclients = {};
-  // BaaS / Backendless / noBackend / horizon.io
-  // user authentication
-  // a place to store data
-  // file management
-  // Synergy Teamwork Paradigm = Jabberwocky
-  var handlers = {
-    onmessage: function (opts) {
-      var net = copts.net || require('net');
-      var cid = Packer.addrToId(opts);
-      var service = opts.service;
-      var port = copts.services[service];
-      var servername;
-      var str;
-      var m;
-
-      authenticated = true;
-
-      if (localclients[cid]) {
-        //console.log("[=>] received data from '" + cid + "' =>", opts.data.byteLength);
-        localclients[cid].write(opts.data);
-        return;
-      }
-      else if ('http' === service) {
-        str = opts.data.toString();
-        m = str.match(/(?:^|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);
-        servername = (m && m[1].toLowerCase() || '').split(':')[0];
-      }
-      else if ('https' === service) {
-        servername = sni(opts.data);
-      }
-      else {
-        handlers._onLocalError(cid, opts, new Error("unsupported service '" + service + "'"));
-        return;
-      }
-
-      if (!servername) {
-        console.info("[error] missing servername for '" + cid + "'", opts.data.byteLength);
-        //console.warn(opts.data.toString());
-        wstunneler.send(Packer.pack(opts, null, 'error'), { binary: true });
-        return;
-      }
-
-      console.info("[connect] new client '" + cid + "' for '" + servername + "' (" + (handlers._numClients() + 1) + " clients)");
-
-      console.log('port', port, opts.port, service, copts.services);
-      localclients[cid] = net.createConnection({
-        port: port
-      , host: '127.0.0.1'
-
-      , servername: servername
-      , data: opts.data
-      , remoteFamily: opts.family
-      , remoteAddress: opts.address
-      , remotePort: opts.port
-      }, function () {
-        //console.log("[=>] first packet from tunneler to '" + cid + "' as '" + opts.service + "'", opts.data.byteLength);
-        // this will happen before 'data' is triggered
-        localclients[cid].write(opts.data);
-      });
-      // 'data'
-      /*
-      localclients[cid].on('data', function (chunk) {
-        //console.log("[<=] local '" + opts.service + "' sent to '" + cid + "' <= ", chunk.byteLength, "bytes");
-        //console.log(JSON.stringify(chunk.toString()));
-        wstunneler.send(Packer.pack(opts, chunk), { binary: true });
-      });
-      //*/
-      ///*
-      localclients[cid].on('readable', function (size) {
-        var chunk;
-
-        if (!localclients[cid]) {
-          console.error("[error] localclients[cid]", cid);
-          return;
-        }
-        if (!localclients[cid].read) {
-          console.error("[error] localclients[cid].read", cid);
-          console.log(localclients[cid]);
-          return;
-        }
-
-        do {
-          chunk = localclients[cid].read(size);
-          //console.log("[<=] local '" + opts.service + "' sent to '" + cid + "' <= ", chunk.byteLength, "bytes");
-          //console.log(JSON.stringify(chunk.toString()));
-          if (chunk) {
-            wstunneler.send(Packer.pack(opts, chunk), { binary: true });
-          }
-        } while (chunk);
-      });
-      //*/
-      localclients[cid].on('error', function (err) {
-        handlers._onLocalError(cid, opts, err);
-      });
-      localclients[cid].on('end', function () {
-        console.info("[end] closing client '" + cid + "' for '" + servername + "' (" + (handlers._numClients() - 1) + " clients)");
-        handlers._onLocalClose(cid, opts);
-      });
-    }
-  , onend: function (opts) {
-      var cid = Packer.addrToId(opts);
-      //console.log("[end] '" + cid + "'");
-      handlers._onend(cid);
-    }
-  , onerror: function (opts) {
-      var cid = Packer.addrToId(opts);
-      //console.log("[error] '" + cid + "'", opts.code || '', opts.message);
-      handlers._onend(cid);
-    }
-  , _onend: function (cid) {
-      console.log('[_onend]');
-      if (localclients[cid]) {
-        try {
-          localclients[cid].end();
-        } catch(e) {
-          // ignore
-        }
-      }
-      delete localclients[cid];
-    }
-  , _onLocalClose: function (cid, opts, err) {
-      console.log('[_onLocalClose]');
-      try {
-        wstunneler.send(Packer.pack(opts, null, err && 'error' || 'end'), { binary: true });
-      } catch(e) {
-        // ignore
-      }
-      delete localclients[cid];
-    }
-  , _onLocalError: function (cid, opts, err) {
-      console.info("[error] closing '" + cid + "' because '" + err.message + "' (" + (handlers._numClients() - 1) + " clients)");
-      handlers._onLocalClose(cid, opts, err);
-    }
-  , _numClients: function () {
-      return Object.keys(localclients).length;
-    }
-  };
-  var wsHandlers = {
-    onOpen: function () {
-      console.info("[open] connected to '" + copts.stunneld + "'");
-    }
-
-  , retry: true
-  , closeClients: function () {
-      console.log('[close clients]');
-      Object.keys(localclients).forEach(function (cid) {
-        try {
-          localclients[cid].end();
-        } catch(e) {
-          // ignore
-        }
-        delete localclients[cid];
-      });
-    }
-
-  , onClose: function () {
-    console.log('ON CLOSE');
-      if (!authenticated) {
-        console.info('[close] failed on first attempt... check authentication.');
-      }
-      else if (wsHandlers.retry) {
-        console.info('[retry] disconnected and waiting...');
-        setTimeout(run, 5000, copts);
-      }
-      else {
-        console.info('[close] closing tunnel to exit...');
-      }
-
-      process.removeListener('exit', wsHandlers.onExit);
-      process.removeListener('SIGINT', wsHandlers.onExit);
-      wsHandlers.closeClients();
-    }
-
-  , onError: function (err) {
-      console.error("[tunnel error] " + err.message);
-      console.error(err);
-    }
-
-  , onExit: function () {
-      console.log('[wait] closing wstunneler...');
-      wsHandlers.retry = false;
-      wsHandlers.closeClients();
-      try {
-        wstunneler.close();
-      } catch(e) {
-        console.error("[error] wstunneler.close()");
-        console.error(e);
-        // ignore
-      }
-    }
-  };
-  var machine = require('tunnel-packer').create(handlers);
-
-  console.info("[connect] '" + copts.stunneld + "'");
-
-  wstunneler = new WebSocket(tunnelUrl, { rejectUnauthorized: !copts.insecure });
-  wstunneler.on('open', wsHandlers.onOpen);
-  wstunneler.on('message', function (data, flags) {
-    if (data.error || '{' === data[0]) {
-      console.log(data);
-      return;
-    }
-    machine.fns.addChunk(data, flags);
-  });
-  wstunneler.on('close', wsHandlers.onClose);
-  wstunneler.on('error', wsHandlers.onError);
-  process.on('beforeExit', function (x) {
-    console.log('[beforeExit] event loop closing?', x);
-  });
-  process.on('exit', function (x) {
-    console.log('[exit] loop closed', x);
-    //wsHandlers.onExit(x);
-  });
-  process.on('SIGINT', function (x) {
-    console.log('SIGINT');
-    wsHandlers.onExit(x);
-  });
-}
-
-module.exports.connect = run;
-
-}());