Telegram Cloudflare Worker based on TCP socket docs Forked from Flowseal/tg-ws-proxy (Banned on GitHub)
-
Added
dstvalidation before opening TCP connections -
Added hostname normalization using
trim()andtoLowerCase() -
Blocked malformed or potentially unsafe values:
- URLs with protocols (
://) - paths and slashes
- query/hash characters
- whitespace and control characters
- URLs with protocols (
-
Added strict hostname validation
-
Added strict IPv4 validation
- Added sequential TCP write queue to prevent concurrent
writer.write()race conditions - Added centralized
cleanup()logic for deterministic teardown - Added protection against double-close and repeated cleanup calls
- Added proper
releaseLock()handling for both reader and writer - Added explicit WebSocket
errorhandling - Added additional socket state checks before
send()andclose()
- Reused a global
TextEncoderinstance to reduce allocations - Added fast-path handling for
Uint8Array - Added support for generic typed arrays using
ArrayBuffer.isView() - Reduced unnecessary async listener overhead
- Reduced promise churn and dangling operations
- Improved behavior under Cloudflare Workers Free plan runtime limits
- Wrapped
connect()intry/catch - Improved TCP read loop shutdown behavior
- Removed duplicated teardown logic scattered across handlers
- Removed dangling event listeners during cleanup
The transport protocol behavior itself was not changed:
- WebSocket <-> TCP bridge logic remains identical
- Raw TCP mode is preserved
- No automatic TLS was added
- Port
443behavior remains unchanged - Existing clients remain compatible