Redesign secure telnet port configuration for TLS proxy architecture

- SecureTelnetPort is now display-only (shown on website, not bound)
- Added SecureTelnetLocalPort for internal binding (where TLS proxy forwards)
- Updated connection detection to check SecureTelnetLocalPort
- This allows proper stunnel4/HAProxy integration:
  * TLS proxy binds to public SecureTelnetPort (e.g., 33334)
  * TLS proxy forwards to SecureTelnetLocalPort (e.g., 9998)
  * Game binds to SecureTelnetLocalPort on localhost only
  * Connections via SecureTelnetLocalPort show as 'TLS' on online page

Author: MorquinDevlar

_datafiles/config.yaml

@@ -384,10 +384,17 @@ Network:
   #   ports by separating them with commas. For example, [33333, 33334, 33335]
   TelnetPort: [33333, 44444]
   # - SecureTelnetPort -
-  #   Localhost-only ports for secure telnet connections (e.g., TLS proxy forwarding).
-  #   Like LocalPort but shown on website. Multiple ports supported: [33334, 33335]
-  #   Set to [0] to disable.
+  #   Display-only: External ports where users connect via TLS proxy (e.g., stunnel4).
+  #   These ports are shown on the website but NOT bound by the game server.
+  #   Example: [33334] if stunnel4 listens on port 33334
+  #   Set to [0] to disable display.
   SecureTelnetPort: [0]
+  # - SecureTelnetLocalPort -
+  #   Internal port where TLS proxy forwards secure connections (localhost only).
+  #   Game server binds to this port to receive forwarded TLS connections.
+  #   Example: 9998 if stunnel4 forwards to localhost:9998
+  #   Set to 0 to disable.
+  SecureTelnetLocalPort: 0
   # - LocalPort -
   #   A port that can only be accessed via localhost, but will not limit based on connection count
   LocalPort: 9999

internal/configs/config.network.go

@@ -1,12 +1,13 @@
 package configs
 
 type Network struct {
-	MaxTelnetConnections ConfigInt         `yaml:"MaxTelnetConnections"` // Maximum number of telnet connections to accept
-	TelnetPort           ConfigSliceString `yaml:"TelnetPort"`           // One or more Ports used to accept telnet connections
-	SecureTelnetPort     ConfigSliceString `yaml:"SecureTelnetPort"`     // One or more Ports used to accept secure telnet connections
-	LocalPort            ConfigInt         `yaml:"LocalPort"`            // Port used for admin connections, localhost only
-	HttpPort             ConfigInt         `yaml:"HttpPort"`             // Port used for web requests
-	HttpsPort            ConfigInt         `yaml:"HttpsPort"`            // Port used for web https requests
+	MaxTelnetConnections  ConfigInt         `yaml:"MaxTelnetConnections"`  // Maximum number of telnet connections to accept
+	TelnetPort            ConfigSliceString `yaml:"TelnetPort"`            // One or more Ports used to accept telnet connections
+	SecureTelnetPort      ConfigSliceString `yaml:"SecureTelnetPort"`      // Display-only: external ports where users connect via TLS
+	SecureTelnetLocalPort ConfigInt         `yaml:"SecureTelnetLocalPort"` // Internal port where TLS proxy forwards to (localhost only)
+	LocalPort             ConfigInt         `yaml:"LocalPort"`             // Port used for admin connections, localhost only
+	HttpPort              ConfigInt         `yaml:"HttpPort"`              // Port used for web requests
+	HttpsPort             ConfigInt         `yaml:"HttpsPort"`             // Port used for web https requests
 	HttpsRedirect        ConfigBool        `yaml:"HttpsRedirect"`        // If true, http traffic will be redirected to https
 	AfkSeconds           ConfigInt         `yaml:"AfkSeconds"`           // How long until a player is marked as afk?
 	MaxIdleSeconds       ConfigInt         `yaml:"MaxIdleSeconds"`       // How many seconds a player can go without a command in game before being kicked.

internal/users/userrecord.go

@@ -625,19 +625,15 @@ func (u *UserRecord) GetOnlineInfo() OnlineInfo {
 	if connections.IsWebsocket(u.connectionId) {
 		connectionType = "Web"
 	} else {
-		// Check if connected through a secure telnet port
+		// Check if connected through the secure telnet local port (where TLS proxy forwards)
 		port := connections.GetConnectionPort(u.connectionId)
 		networkConfig := configs.GetNetworkConfig()
 
 		// Debug logging
-		mudlog.Debug("Connection type check", "connectionId", u.connectionId, "port", port, "securePorts", networkConfig.SecureTelnetPort)
+		mudlog.Debug("Connection type check", "connectionId", u.connectionId, "port", port, "secureLocalPort", networkConfig.SecureTelnetLocalPort)
 
-		for _, securePortStr := range networkConfig.SecureTelnetPort {
-			securePort, _ := strconv.Atoi(securePortStr)
-			if securePort > 0 && port == securePort {
-				connectionType = "TLS"
-				break
-			}
+		if networkConfig.SecureTelnetLocalPort > 0 && port == int(networkConfig.SecureTelnetLocalPort) {
+			connectionType = "TLS"
 		}
 	}
 

main.go

@@ -271,13 +271,11 @@ func main() {
 		TelnetListenOnPort(`127.0.0.1`, int(c.Network.LocalPort), &wg, 0)
 	}
 
-	// Secure telnet ports - same as LocalPort but tracked differently
-	for _, port := range c.Network.SecureTelnetPort {
-		if p, err := strconv.Atoi(port); err == nil && p > 0 {
-			mudlog.Info("Telnet", "stage", "Listening on secure port (localhost only)", "port", p)
-			// Same as LocalPort - localhost only, no connection limit
-			TelnetListenOnPort(`127.0.0.1`, p, &wg, 0)
-		}
+	// Secure telnet local port - where TLS proxy forwards to
+	if c.Network.SecureTelnetLocalPort > 0 {
+		mudlog.Info("Telnet", "stage", "Listening on secure local port (localhost only)", "port", c.Network.SecureTelnetLocalPort)
+		// Same as LocalPort - localhost only, no connection limit
+		TelnetListenOnPort(`127.0.0.1`, int(c.Network.SecureTelnetLocalPort), &wg, 0)
 	}
 
 	go worldManager.InputWorker(workerShutdownChan, &wg)