EpicEric
diff --git a/‎.github/workflows/validate.yml
+1-1 b/‎.github/workflows/validate.yml
+1-1
diff --git a/‎Cargo.lock
+21-2 b/‎Cargo.lock
+21-2
diff --git a/‎Cargo.toml
+1 b/‎Cargo.toml
+1
diff --git a/‎justfile
+3 b/‎justfile
+3
diff --git a/‎src/addressing.rs
+15-23 b/‎src/addressing.rs
+15-23
diff --git a/‎src/admin.rs
+1-2 b/‎src/admin.rs
+1-2
diff --git a/‎src/lib.rs
+27-11 b/‎src/lib.rs
+27-11
diff --git a/‎src/login.rs
+3-5 b/‎src/login.rs
+3-5
diff --git a/‎src/ssh.rs
+17-2 b/‎src/ssh.rs
+17-2
@@ -36,7 +36,7 @@ jobs:
       - name: Run Clippy
         run: |
           rustup component add clippy
-          cargo clippy -- -D warnings
+          cargo clippy --all-targets -- -D warnings
   build-msrv:
     name: Build on MSRV
     runs-on: ubuntu-latest
 
@@ -62,6 +62,7 @@ axum = { version = "0.8.1", features = ["macros", "ws"] }
 futures-util = "0.3.31"
 insta = { version = "1.42.1", features = ["yaml"] }
 mockall = "0.13.1"
+nix = "0.29.0"
 regex = "1.11.1"
 tokio-tungstenite = "0.26.2"
 tower = "0.5.2"
 
@@ -12,3 +12,6 @@ book:
 
 cli:
   to-html --no-prompt "cargo run --quiet -- --help" > cli.html
+
+clippy:
+  cargo clippy --all-targets --fix --allow-dirty && cargo fmt --all
@@ -481,11 +481,7 @@ mod address_delegator_tests {
         .fingerprint(HashAlg::Sha256);
         let mut mock = MockResolver::new();
         mock.expect_has_txt_record_for_fingerprint()
-            .with(
-                eq("_some_prefix"),
-                eq("some.address"),
-                eq(fingerprint.clone()),
-            )
+            .with(eq("_some_prefix"), eq("some.address"), eq(fingerprint))
             .return_const(true);
         mock.expect_has_cname_record_for_domain()
             .once()
@@ -525,11 +521,7 @@ mod address_delegator_tests {
         .fingerprint(HashAlg::Sha256);
         let mut mock = MockResolver::new();
         mock.expect_has_txt_record_for_fingerprint()
-            .with(
-                eq("_some_prefix"),
-                eq("some.address"),
-                eq(fingerprint.clone()),
-            )
+            .with(eq("_some_prefix"), eq("some.address"), eq(fingerprint))
             .return_const(true);
         let delegator = AddressDelegator::new(AddressDelegatorData {
             resolver: mock,
@@ -599,7 +591,7 @@ mod address_delegator_tests {
         .fingerprint(HashAlg::Sha256);
         let mut mock = MockResolver::new();
         mock.expect_has_txt_record_for_fingerprint()
-            .with(eq("_some_prefix"), eq("something"), eq(fingerprint.clone()))
+            .with(eq("_some_prefix"), eq("something"), eq(fingerprint))
             .return_const(false);
         let delegator = AddressDelegator::new(AddressDelegatorData {
             resolver: mock,
@@ -1067,95 +1059,95 @@ mod address_delegator_tests {
             .get_http_address(
                 "a1",
                 &None,
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12301".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address2_f1_a1_u0 = delegator
             .get_http_address(
                 "a1",
                 &None,
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12302".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address3_f2_a1_u0 = delegator
             .get_http_address(
                 "a1",
                 &None,
-                &Some(f2.clone()),
+                &Some(f2),
                 &"127.0.0.1:12303".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address4_f1_a2_u0 = delegator
             .get_http_address(
                 "a2",
                 &None,
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12304".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address5_f1_a1_u1 = delegator
             .get_http_address(
                 "a1",
                 &Some("u1".into()),
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12305".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address6_f1_a1_u1 = delegator
             .get_http_address(
                 "a1",
                 &Some("u1".into()),
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12306".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address7_f2_a1_u1 = delegator
             .get_http_address(
                 "a1",
                 &Some("u1".into()),
-                &Some(f2.clone()),
+                &Some(f2),
                 &"127.0.0.1:12307".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address8_f1_a2_u1 = delegator
             .get_http_address(
                 "a2",
                 &Some("u1".into()),
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12308".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address9_f1_a1_u2 = delegator
             .get_http_address(
                 "a1",
                 &Some("u2".into()),
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12309".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address10_f1_a1_u2 = delegator
             .get_http_address(
                 "a1",
                 &Some("u2".into()),
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12310".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address11_f2_a1_u2 = delegator
             .get_http_address(
                 "a1",
                 &Some("u2".into()),
-                &Some(f2.clone()),
+                &Some(f2),
                 &"127.0.0.1:12311".parse::<SocketAddr>().unwrap(),
             )
             .await;
         let address12_f1_a2_u2 = delegator
             .get_http_address(
                 "a2",
                 &Some("u2".into()),
-                &Some(f1.clone()),
+                &Some(f1),
                 &"127.0.0.1:12312".parse::<SocketAddr>().unwrap(),
             )
             .await;
 
@@ -203,8 +203,7 @@ impl AdminState {
             // If this is not a pseudo-terminal, show some information on how to allocate one
             let text = Text::from(vec![
                 Line::from(
-                    "PTY not detected! Make sure to connect with \"ssh -t ... admin\" instead."
-                        .red(),
+                    r#"PTY not detected! Make sure to connect with "ssh -t" instead."#.red(),
                 ),
                 Line::from("Press Ctrl-C to close this connection."),
             ]);
 
@@ -48,7 +48,7 @@ use tokio::{
     io::AsyncWriteExt,
     net::{TcpListener, TcpStream},
     pin,
-    time::sleep,
+    time::{sleep, timeout},
 };
 use tokio_rustls::LazyConfigAcceptor;
 use tokio_util::sync::CancellationToken;
@@ -186,6 +186,8 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
         )
         .into());
     }
+    let http_request_timeout = config.http_request_timeout.map(Into::into);
+    let tcp_connection_timeout = config.tcp_connection_timeout.map(Into::into);
     // Initialize crypto and credentials
     rustls::crypto::aws_lc_rs::default_provider()
         .install_default()
@@ -309,7 +311,7 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
         Arc::clone(&tcp_connections),
         Arc::clone(&telemetry),
         Arc::clone(&ip_filter),
-        config.tcp_connection_timeout.map(Into::into),
+        tcp_connection_timeout,
         config.disable_tcp_logs,
     ));
     // Add TCP handler service as a listener for TCP port updates.
@@ -492,8 +494,8 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
         },
         // Always use aliasing channels instead of tunneling channels.
         proxy_type: ProxyType::Aliasing,
-        http_request_timeout: config.http_request_timeout.map(Into::into),
-        websocket_timeout: config.tcp_connection_timeout.map(Into::into),
+        http_request_timeout,
+        websocket_timeout: tcp_connection_timeout,
         disable_http_logs: config.disable_http_logs,
         _phantom_data: PhantomData,
     });
@@ -530,7 +532,7 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
             .unproxied_connection_timeout
             .map(Into::into)
             .unwrap_or(config.idle_connection_timeout.into()),
-        tcp_connection_timeout: config.tcp_connection_timeout.map(Into::into),
+        tcp_connection_timeout,
     });
 
     // HTTP handler
@@ -562,8 +564,8 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
             },
             // Always use tunneling channels.
             proxy_type: ProxyType::Tunneling,
-            http_request_timeout: config.http_request_timeout.map(Into::into),
-            websocket_timeout: config.tcp_connection_timeout.map(Into::into),
+            http_request_timeout,
+            websocket_timeout: tcp_connection_timeout,
             disable_http_logs: config.disable_http_logs,
             _phantom_data: PhantomData,
         });
@@ -593,7 +595,14 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
                 tokio::spawn(async move {
                     let server = http1::Builder::new();
                     let conn = server.serve_connection(io, service).with_upgrades();
-                    let _ = conn.await;
+                    match tcp_connection_timeout {
+                        Some(duration) => {
+                            let _ = timeout(duration, conn).await;
+                        }
+                        None => {
+                            let _ = conn.await;
+                        }
+                    }
                 });
             }
         })
@@ -626,8 +635,8 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
             },
             // Always use tunneling channels.
             proxy_type: ProxyType::Tunneling,
-            http_request_timeout: config.http_request_timeout.map(Into::into),
-            websocket_timeout: config.tcp_connection_timeout.map(Into::into),
+            http_request_timeout,
+            websocket_timeout: tcp_connection_timeout,
             disable_http_logs: config.disable_http_logs,
             _phantom_data: PhantomData,
         });
@@ -694,7 +703,14 @@ pub async fn entrypoint(config: ApplicationConfig) -> anyhow::Result<()> {
                                             TokioIo::new(stream),
                                             service,
                                         );
-                                        let _ = conn.await;
+                                        match tcp_connection_timeout {
+                                            Some(duration) => {
+                                                let _ = timeout(duration, conn).await;
+                                            }
+                                            None => {
+                                                let _ = conn.await;
+                                            }
+                                        }
                                     }
                                     Err(err) => {
                                         warn!(
 
@@ -232,8 +232,7 @@ mod api_login_tests {
         let listener = TcpListener::bind("127.0.0.1:28011").await.unwrap();
         let jh = tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
 
-        let api_login =
-            ApiLogin::new("http://localhost:28011/authentication".into(), mock).unwrap();
+        let api_login = ApiLogin::new("http://localhost:28011/authentication", mock).unwrap();
         assert!(
             api_login
                 .authenticate(&AuthenticationRequest {
@@ -270,8 +269,7 @@ mod api_login_tests {
         let listener = TcpListener::bind("127.0.0.1:28012").await.unwrap();
         let jh = tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
 
-        let api_login =
-            ApiLogin::new("http://localhost:28012/authentication".into(), mock).unwrap();
+        let api_login = ApiLogin::new("http://localhost:28012/authentication", mock).unwrap();
         assert!(
             !api_login
                 .authenticate(&AuthenticationRequest {
@@ -357,7 +355,7 @@ mod api_login_tests {
         });
 
         let api_login =
-            ApiLogin::new("https://localhost:28013/secure_authentication".into(), mock).unwrap();
+            ApiLogin::new("https://localhost:28013/secure_authentication", mock).unwrap();
         assert!(
             api_login
                 .authenticate(&AuthenticationRequest {
 
@@ -1692,6 +1692,7 @@ impl Handler for ServerHandler {
                         proxy_handler(req, peer, fingerprint, Arc::clone(&proxy_data))
                     });
                     let io = TokioIo::new(channel.into_stream());
+                    let tcp_connection_timeout = self.server.tcp_connection_timeout;
                     match self.auth_data {
                         // Serve HTTP for unauthed user, then add disconnection timeout if this is the last proxy connection
                         AuthenticatedData::None { ref proxy_count } => {
@@ -1705,7 +1706,14 @@ impl Handler for ServerHandler {
                             tokio::spawn(async move {
                                 let server = auto::Builder::new(TokioExecutor::new());
                                 let conn = server.serve_connection_with_upgrades(io, service);
-                                let _ = conn.await;
+                                match tcp_connection_timeout {
+                                    Some(duration) => {
+                                        let _ = timeout(duration, conn).await;
+                                    }
+                                    None => {
+                                        let _ = conn.await;
+                                    }
+                                }
                                 if proxy_count.fetch_sub(1, Ordering::AcqRel) == 1 {
                                     *timeout_handle.lock().await =
                                         Some(DroppableHandle(tokio::spawn(async move {
@@ -1720,7 +1728,14 @@ impl Handler for ServerHandler {
                             tokio::spawn(async move {
                                 let server = auto::Builder::new(TokioExecutor::new());
                                 let conn = server.serve_connection_with_upgrades(io, service);
-                                let _ = conn.await;
+                                match tcp_connection_timeout {
+                                    Some(duration) => {
+                                        let _ = timeout(duration, conn).await;
+                                    }
+                                    None => {
+                                        let _ = conn.await;
+                                    }
+                                }
                             });
                         }
                     }