End-to-end TLS for public-domain tunnels, without trusting the relay

via Dev.to (gosunuts)

TL;DR: I built portal-tunnel, which exposes a local server with a public HTTPS URL without trusting the relay. It combines SNI passthrough, relay-backed keyless signing, and a built-in TLS self-probe that detects relay-side TLS termination.

Overview

On the web, it is surprisingly hard to get both public-domain convenience and strong end-to-end security at the same time. This is because serving a public domain requires someone to terminate TLS for that domain, which typically pulls that party into your trust boundary. This trade-off becomes more significant in a permissionless relay network, where relays are run by untrusted parties. Portal is designed around a different goal: to preserve the familiar “open a URL in a browser” experience, while avoiding giving the relay full visibility into tenant traffic.

Problem

Most tunnel systems solve this trade-off in one of three ways.

Terminate TLS at the relay (Ngrok, Cloudflare Tunnel)

This is the most common design, used by many hosted tunnel and

Continue reading on Dev.to
