Make a WSTUNNEL full private with Auth

[verbal666]

Hi erebe.
Gosh! WStunnel is great 👏👏👏👏👏👍

One question:
can i make a tunnel full private?

I mean, i see in client options the

--http-upgrade-credentials <USER[:PASS]>
          Pass authorization header with basic auth credentials during the upgrade request.
          If you need more customization, you can use the http_headers option.

But it's not about internal WStunnel authentication.

The only way to make a tunnel private is setting the --restrict-http-upgrade-path-prefix and --http-upgrade-path-prefix both in server and client, right?

Just an example,
1- i set on HOST#1 a WSt server accepting connections on external/forwarded ip
2- i set on HOST#2 a WSt client listening to SOCKS5 connection to wss://HOST#1
All fine.

But what is someone else unknown knows/tries about my HOST#1 and set his clients HOST#unknown to point to my HOST#1 WSt server? unknown could take control of my tunnel? 🙄🙄🙄

Do i have to install a reverse proxy in front of WSt HOST#1 server? With my own acl controls before connecting to the tunnel?

Sorry if the question is "stupid" 😂, i'm new in wstunnel 🤷‍♀️🤷‍♀️🤷‍♀️

Thanks 👍

[verbal666]

Ok, sorry... that's documented, it's a FAQ 🤦‍♂️🤦‍♂️🤦‍♂️

  -r, --restrict-http-upgrade-path-prefix <RESTRICT_HTTP_UPGRADE_PATH_PREFIX>
          Server will only accept connection from if this specific path prefix is used during websocket upgrade.
          Useful if you specify in the client a custom path prefix, and you want the server to only allow this one.
          The path prefix act as a secret to authenticate clients
          Disabled by default. Accept all path prefix. Can be specified multiple time