[tunnel] Add /ping endpoint and latency-based endpoint selection

Add a lightweight /ping endpoint to the tunnelproxy HTTP/3 server for
latency probing without authentication overhead. Update the latency
selector to make a full HTTP/3 round-trip to /ping instead of only
measuring QUIC handshake time, giving a more representative latency
measurement for endpoint selection.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dilyevsky

pkg/cmd/tunnel/cmd.go

@@ -64,6 +64,8 @@ var (
 	tunnelNodeForceConflicts bool
 	// noTUI disables the TUI interface.
 	noTUI bool
+	// endpointSelection is the endpoint selection strategy.
+	endpointSelection string
 )
 
 var createCmd = &cobra.Command{
@@ -323,6 +325,8 @@ func init() {
 	tunnelRunCmd.Flags().StringVar(&healthAddr, "health-addr", ":8080", "Listen address for health endpoint (default: :8080).")
 	tunnelRunCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8081", "Listen address for metrics endpoint (default: :8081).")
 	tunnelRunCmd.Flags().BoolVar(&noTUI, "no-tui", false, "Disable TUI interface.")
+	tunnelRunCmd.Flags().StringVar(&endpointSelection, "endpoint-selection", "latency",
+		"Endpoint selection strategy: 'latency' (default) or 'random'")
 
 	tunnelCmd.AddCommand(createCmd)
 	tunnelCmd.AddCommand(getCmd)

pkg/cmd/tunnel/run.go

@@ -42,6 +42,7 @@ import (
 	"github.com/apoxy-dev/apoxy/pkg/net/dns"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel/connection"
+	"github.com/apoxy-dev/apoxy/pkg/tunnel/endpointselect"
 
 	configv1alpha1 "github.com/apoxy-dev/apoxy/api/config/v1alpha1"
 	corev1alpha "github.com/apoxy-dev/apoxy/api/core/v1alpha"
@@ -105,6 +106,9 @@ type tunnelNodeReconciler struct {
 	tunMu            sync.RWMutex
 	tunDialerWorkers []*tunConn
 
+	// Endpoint selector for choosing tunnel server addresses.
+	endpointSelector endpointselect.Selector
+
 	// Dial parameters protected by dialMu
 	dialMu     sync.RWMutex
 	tunnelUID  uuid.UUID
@@ -140,6 +144,20 @@ var tunnelRunCmd = &cobra.Command{
 			preserveDefaultGwDsts = append(preserveDefaultGwDsts, dst)
 		}
 
+		// Parse and create endpoint selector.
+		strategy, err := endpointselect.ParseStrategy(endpointSelection)
+		if err != nil {
+			return fmt.Errorf("unable to parse endpoint selection strategy: %w", err)
+		}
+		selectorOpts := []endpointselect.Option{}
+		if insecureSkipVerify {
+			selectorOpts = append(selectorOpts, endpointselect.WithInsecureSkipVerify(true))
+		}
+		selector, err := endpointselect.NewSelector(strategy, selectorOpts...)
+		if err != nil {
+			return fmt.Errorf("unable to create endpoint selector: %w", err)
+		}
+
 		cmd.SilenceUsage = true
 
 		cfg, err := config.Load()
@@ -173,9 +191,10 @@ var tunnelRunCmd = &cobra.Command{
 		}
 
 		tun := &tunnelNodeReconciler{
-			scheme: scheme,
-			cfg:    cfg,
-			a3y:    a3y,
+			scheme:           scheme,
+			cfg:              cfg,
+			a3y:              a3y,
+			endpointSelector: selector,
 
 			tunDialerWorkers: make([]*tunConn, 0),
 		}
@@ -412,9 +431,18 @@ func (t *tunnelNodeReconciler) reconcile(ctx context.Context, req ctrl.Request)
 			return ctrl.Result{
 				RequeueAfter: time.Second,
 			}, nil
+		} else if len(tunnelNode.Status.Addresses) == 1 {
+			srvAddr = tunnelNode.Status.Addresses[0]
 		} else {
-			// TODO: Pick unused address at random if available.
-			srvAddr = tunnelNode.Status.Addresses[rand.Intn(len(tunnelNode.Status.Addresses))]
+			// Use endpoint selector to choose the best endpoint.
+			selected, err := t.endpointSelector.Select(ctx, tunnelNode.Status.Addresses)
+			if err != nil {
+				log.Warn("Endpoint selection failed, using random",
+					slog.Any("error", err))
+				srvAddr = tunnelNode.Status.Addresses[rand.Intn(len(tunnelNode.Status.Addresses))]
+			} else {
+				srvAddr = selected
+			}
 		}
 	} else {
 		apiServerHost := "localhost"

pkg/tunnel/endpointselect/latency.go

@@ -0,0 +1,235 @@
+package endpointselect
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
+	"sort"
+	"sync"
+	"time"
+
+	"github.com/quic-go/quic-go"
+	"github.com/quic-go/quic-go/http3"
+)
+
+const (
+	// DefaultProbeTimeout is the default timeout for each endpoint probe.
+	DefaultProbeTimeout = 3 * time.Second
+	// DefaultMaxConcurrent is the default maximum number of concurrent probes.
+	DefaultMaxConcurrent = 10
+)
+
+// Option configures a LatencySelector.
+type Option func(*latencyOptions)
+
+type latencyOptions struct {
+	probeTimeout  time.Duration
+	maxConcurrent int
+	insecureSkip  bool
+}
+
+// WithProbeTimeout sets the timeout for each endpoint probe.
+func WithProbeTimeout(timeout time.Duration) Option {
+	return func(o *latencyOptions) {
+		o.probeTimeout = timeout
+	}
+}
+
+// WithMaxConcurrent sets the maximum number of concurrent probes.
+func WithMaxConcurrent(max int) Option {
+	return func(o *latencyOptions) {
+		o.maxConcurrent = max
+	}
+}
+
+// WithInsecureSkipVerify sets whether to skip TLS certificate verification.
+func WithInsecureSkipVerify(skip bool) Option {
+	return func(o *latencyOptions) {
+		o.insecureSkip = skip
+	}
+}
+
+// LatencySelector selects endpoints based on QUIC handshake latency.
+type LatencySelector struct {
+	opts latencyOptions
+}
+
+// NewLatencySelector creates a new LatencySelector.
+func NewLatencySelector(opts ...Option) *LatencySelector {
+	options := latencyOptions{
+		probeTimeout:  DefaultProbeTimeout,
+		maxConcurrent: DefaultMaxConcurrent,
+	}
+	for _, opt := range opts {
+		opt(&options)
+	}
+	return &LatencySelector{opts: options}
+}
+
+// Select returns the endpoint with the lowest latency.
+func (s *LatencySelector) Select(ctx context.Context, endpoints []string) (string, error) {
+	addr, _, err := s.SelectWithResults(ctx, endpoints)
+	return addr, err
+}
+
+// SelectWithResults returns the endpoint with the lowest latency along with all probe results.
+func (s *LatencySelector) SelectWithResults(ctx context.Context, endpoints []string) (string, []ProbeResult, error) {
+	if len(endpoints) == 0 {
+		return "", nil, errors.New("no endpoints provided")
+	}
+	if len(endpoints) == 1 {
+		return endpoints[0], []ProbeResult{{
+			Addr:     endpoints[0],
+			ProbedAt: time.Now(),
+		}}, nil
+	}
+
+	results := s.probeAll(ctx, endpoints)
+
+	// Sort by latency (errors go to the end).
+	sort.Slice(results, func(i, j int) bool {
+		// Errors go to the end.
+		if results[i].Error != nil && results[j].Error != nil {
+			return false
+		}
+		if results[i].Error != nil {
+			return false
+		}
+		if results[j].Error != nil {
+			return true
+		}
+		return results[i].Latency < results[j].Latency
+	})
+
+	// Find the first successful result.
+	for _, r := range results {
+		if r.Error == nil {
+			slog.Info("Selected endpoint based on latency",
+				slog.String("addr", r.Addr),
+				slog.Duration("latency", r.Latency))
+			return r.Addr, results, nil
+		}
+	}
+
+	// All probes failed - return error with details.
+	return "", results, errors.New("all endpoint probes failed")
+}
+
+// probeAll probes all endpoints concurrently and returns the results.
+func (s *LatencySelector) probeAll(ctx context.Context, endpoints []string) []ProbeResult {
+	results := make([]ProbeResult, len(endpoints))
+	var wg sync.WaitGroup
+
+	// Semaphore to limit concurrent probes.
+	sem := make(chan struct{}, s.opts.maxConcurrent)
+
+	for i, endpoint := range endpoints {
+		wg.Add(1)
+		go func(idx int, addr string) {
+			defer wg.Done()
+
+			// Acquire semaphore.
+			select {
+			case sem <- struct{}{}:
+				defer func() { <-sem }()
+			case <-ctx.Done():
+				results[idx] = ProbeResult{
+					Addr:     addr,
+					Error:    ctx.Err(),
+					ProbedAt: time.Now(),
+				}
+				return
+			}
+
+			results[idx] = s.probe(ctx, addr)
+		}(i, endpoint)
+	}
+
+	wg.Wait()
+	return results
+}
+
+// probe measures the round-trip latency to a single endpoint by making
+// an HTTP/3 request to the /ping endpoint.
+func (s *LatencySelector) probe(ctx context.Context, addr string) ProbeResult {
+	result := ProbeResult{
+		Addr:     addr,
+		ProbedAt: time.Now(),
+	}
+
+	probeCtx, cancel := context.WithTimeout(ctx, s.opts.probeTimeout)
+	defer cancel()
+
+	// Extract hostname from address for TLS ServerName.
+	serverName := "proxy"
+	if host, _, err := net.SplitHostPort(addr); err == nil && net.ParseIP(host) == nil {
+		serverName = host
+	}
+
+	tlsConfig := &tls.Config{
+		ServerName:         serverName,
+		NextProtos:         []string{http3.NextProtoH3},
+		InsecureSkipVerify: s.opts.insecureSkip,
+	}
+
+	quicConfig := &quic.Config{
+		EnableDatagrams:   true,
+		InitialPacketSize: 1350,
+	}
+
+	start := time.Now()
+
+	// Dial QUIC connection.
+	qConn, err := quic.DialAddr(probeCtx, addr, tlsConfig, quicConfig)
+	if err != nil {
+		result.Error = err
+		slog.Debug("Endpoint probe failed (QUIC dial)",
+			slog.String("addr", addr),
+			slog.Any("error", err))
+		return result
+	}
+	defer qConn.CloseWithError(0, "probe complete")
+
+	// Make HTTP/3 request to /ping endpoint.
+	tr := &http3.Transport{EnableDatagrams: true}
+	hConn := tr.NewClientConn(qConn)
+
+	req, err := http.NewRequestWithContext(probeCtx, "GET", "https://proxy/ping", nil)
+	if err != nil {
+		result.Error = err
+		slog.Debug("Endpoint probe failed (request creation)",
+			slog.String("addr", addr),
+			slog.Any("error", err))
+		return result
+	}
+
+	resp, err := hConn.RoundTrip(req)
+	if err != nil {
+		result.Error = err
+		slog.Debug("Endpoint probe failed (HTTP/3 request)",
+			slog.String("addr", addr),
+			slog.Any("error", err))
+		return result
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		result.Error = fmt.Errorf("ping returned status %d", resp.StatusCode)
+		slog.Debug("Endpoint probe failed (bad status)",
+			slog.String("addr", addr),
+			slog.Int("status", resp.StatusCode))
+		return result
+	}
+
+	result.Latency = time.Since(start)
+
+	slog.Debug("Endpoint probe succeeded",
+		slog.String("addr", addr),
+		slog.Duration("latency", result.Latency))
+
+	return result
+}

pkg/tunnel/endpointselect/random.go

@@ -0,0 +1,37 @@
+package endpointselect
+
+import (
+	"context"
+	"errors"
+	"math/rand"
+	"time"
+)
+
+// RandomSelector selects a random endpoint from the list.
+type RandomSelector struct{}
+
+// NewRandomSelector creates a new RandomSelector.
+func NewRandomSelector() *RandomSelector {
+	return &RandomSelector{}
+}
+
+// Select returns a random endpoint from the list.
+func (s *RandomSelector) Select(ctx context.Context, endpoints []string) (string, error) {
+	addr, _, err := s.SelectWithResults(ctx, endpoints)
+	return addr, err
+}
+
+// SelectWithResults returns a random endpoint along with a single result entry.
+func (s *RandomSelector) SelectWithResults(ctx context.Context, endpoints []string) (string, []ProbeResult, error) {
+	if len(endpoints) == 0 {
+		return "", nil, errors.New("no endpoints provided")
+	}
+
+	selected := endpoints[rand.Intn(len(endpoints))]
+	result := []ProbeResult{{
+		Addr:     selected,
+		ProbedAt: time.Now(),
+	}}
+
+	return selected, result, nil
+}