HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.

Overview

sish

An open source serveo/ngrok alternative.

Deploy

Builds are made automatically for each commit to the repo and are pushed to Docker Hub. Builds are tagged with the commit SHA, branch name and tag, and as latest when released on main. You can find a list here. Each release also builds separate sish binaries for various OS/arch combinations that can be downloaded from here. Feel free to use the automated binaries or to build your own. If you submit a PR, images are not built by default and will require a retag from a maintainer to be built.

  1. Pull the Docker image

    • docker pull antoniomika/sish:latest
  2. Run the image

    • docker run -itd --name sish \
        -v ~/sish/ssl:/ssl \
        -v ~/sish/keys:/keys \
        -v ~/sish/pubkeys:/pubkeys \
        --net=host antoniomika/sish:latest \
        --ssh-address=:22 \
        --http-address=:80 \
        --https-address=:443 \
        --https=true \
        --https-certificate-directory=/ssl \
        --authentication-keys-directory=/pubkeys \
        --private-key-location=/keys/ssh_key \
        --bind-random-ports=false
  3. SSH to your host to communicate with sish

    • ssh -p 2222 -R 80:localhost:8080 ssi.sh

    The port given to -p must match --ssh-address: the container above listens on :22, so against that deployment drop -p 2222 (the examples in this README that target ssi.sh use 2222, which is the --ssh-address default).

Docker Compose

You can also use Docker Compose to set up your sish instance. This includes taking care of SSL via Let's Encrypt for you. It uses the adferrand/dnsrobocert container to issue wildcard certificates over DNS validation. For more information on how to use it, head to that link above. Generally, you can deploy your service like so:

docker-compose -f deploy/docker-compose.yml up -d

The domain and DNS auth info in deploy/docker-compose.yml and deploy/le-config.yml should be updated to reflect your needs. You will also need to create a symlink that points to your domain's Let's Encrypt certificates like:

ln -s /etc/letsencrypt/live/<your domain>/fullchain.pem deploy/ssl/<your domain>.crt
ln -s /etc/letsencrypt/live/<your domain>/privkey.pem deploy/ssl/<your domain>.key

Careful: the symlinks need to point to /etc/letsencrypt, not a relative path. The symlinks will not resolve on the host filesystem, but they will resolve inside of the sish container because it mounts the letsencrypt files in /etc/letsencrypt, not ./letsencrypt.

I use these files in my deployment of ssi.sh and have included them here for consistency.

Google Cloud Platform

There is a tutorial for creating an instance in Google Cloud Platform with sish fully setup that can be found here. It can be accessed through Google Cloud Shell.


How it works

SSH can normally forward local and remote ports. This service implements an SSH server that only handles forwarding and nothing else. The service supports multiplexing connections over HTTP/HTTPS with WebSocket support. Just assign a remote port of 80 to proxy HTTP traffic and 443 to proxy HTTPS traffic. If you use any other remote port, the server will listen on that port for TCP connections, provided the port is free, lies within --port-bind-range, and --bind-random-ports is set to false (it defaults to true, in which case the requested port is ignored and a kernel-chosen port is assigned).

You can choose your own subdomain instead of relying on a randomly assigned one by setting --bind-random-subdomains to false and then selecting a subdomain by prepending it to the remote port specifier:

ssh -p 2222 -R foo:80:localhost:8080 ssi.sh

If the selected subdomain is not taken, it will be assigned to your connection. If it is taken, sish falls back to a random subdomain; set --force-requested-subdomains to make the bind fail instead, which is safer for scripted deployments that should never silently end up on a different name.

Supported forwarding types

HTTP forwarding

sish can forward any number of HTTP connections through SSH. It can also log each request back to the client that owns the tunnel (--log-to-client) and offers a web interface for inspecting the full requests and responses made to each forwarded connection (--service-console). Each web interface can use a token unique to the forwarded connection or a unified access token (--service-console-token). To make use of HTTP forwarding, remote ports 80 and 443 tell sish that an HTTP connection is being forwarded and that an HTTP virtual host should be defined for the service. For example, let's say I'm developing an HTTP web service on my laptop at port 8080 that uses WebSockets and I want to show one of my coworkers who is not near me. I can forward the connection like so:

ssh -R hereiam:80:localhost:8080 ssi.sh

And then share the link https://hereiam.ssi.sh with my coworker. They should be able to access the service seamlessly over HTTPS, with full WebSocket support. If hereiam.ssi.sh isn't available, sish will generate a random subdomain instead and tell me which one it assigned.

TCP forwarding

Any TCP-based service can be used with sish for TCP and alias forwarding. TCP forwarding will establish a remote port on the server that you deploy sish to and will forward all connections to that port through the SSH connection to your local device. This requires --bind-random-ports=false on the server (as in the deploy example above), and the requested port must be free and inside --port-bind-range; in particular it must not be the port sish itself accepts SSH on. For example, if I was to run an SSH server on my laptop on port 22 and wanted to be able to access it from anywhere at ssi.sh:2222, I could use an SSH command on my laptop like so to forward the connection (if your sish instance itself listens on 2222, pick another port):

ssh -R 2222:localhost:22 ssi.sh

I can use the forwarded connection to then access my laptop from anywhere:

ssh -p 2222 ssi.sh

TCP alias forwarding

Let's say instead I don't want the service to be accessible by the rest of the world; you can then use a TCP alias. A TCP alias is a type of forwarded TCP connection that only exists inside of sish and must be enabled on the server with --tcp-aliases. You can gain access to the alias by using SSH with the -W flag, which forwards the SSH process' stdin/stdout to the forwarded TCP connection. Combined with --authentication, the remote service is reachable only by users who can log in to sish, because the alias is never bound to a public port. Changing the example above for this would mean running the following command on my laptop:

ssh -R mylaptop:22:localhost:22 ssi.sh

sish won't publish port 22 or 2222 to the rest of the world anymore; instead it retains a pointer saying that TCP connections opened from within SSH, after a user has authenticated, to mylaptop:22 should be forwarded to the forwarded TCP tunnel. Then I can use the forwarded connection to access my laptop from anywhere using:

ssh -o ProxyCommand="ssh -W %h:%p ssi.sh" mylaptop

With OpenSSH 7.3 or newer, the shorthand for this is:

ssh -J ssi.sh mylaptop
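To make the three cases above concrete, here is a small Go model of the rules this README lays out: remote port 80 or 443 becomes an HTTP virtual host, any other port with no name becomes a public TCP listener, and a named bind address on another port becomes a TCP alias. It is an added illustration written for this page, not sish's own code: the exact precedence sish applies, the treatment of "localhost" as "no name", and the three-character random label are assumptions, and --force-requested-subdomains / --force-requested-ports (which would turn the random fallback into a failed bind) are left out.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ParsePortRange parses a --port-bind-range value such as "0,1024-65535" into [lo, hi] spans.
func ParsePortRange(s string) ([][2]int, error) {
	var spans [][2]int
	for _, part := range strings.Split(s, ",") {
		lo, hi := part, part // a lone port is a span of one
		if i := strings.IndexByte(part, '-'); i > 0 {
			lo, hi = part[:i], part[i+1:]
		}
		l, err1 := strconv.Atoi(lo)
		h, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || l < 0 || h > 65535 || l > h {
			return nil, fmt.Errorf("bad --port-bind-range entry %q", part)
		}
		spans = append(spans, [2]int{l, h})
	}
	return spans, nil
}

// Server holds the subset of sish flags that drive the decision.
type Server struct {
	Domain          string
	TCPAliases      bool            // --tcp-aliases (sish default: false)
	BindRandomSubs  bool            // --bind-random-subdomains (sish default: true)
	BindRandomPorts bool            // --bind-random-ports (sish default: true)
	Ports           [][2]int        // --port-bind-range
	Taken           map[string]bool // subdomains and decimal ports already bound
}

func (s *Server) portAllowed(p int) bool {
	for _, r := range s.Ports {
		if p >= r[0] && p <= r[1] {
			return true
		}
	}
	return false
}

// isNamed: does the -R bind address carry a name? "" and "localhost" meaning "no name" is this example's assumption.
func isNamed(addr string) bool {
	switch addr {
	case "", "localhost", "0.0.0.0", "::", "*":
		return false
	}
	return true
}

// randomLabel stands in for sish's random subdomain generator (default length 3).
func randomLabel(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)[:n]
}

// Classify maps the bind address and port of "ssh -R [addr:]port:host:hostport"
// onto a tunnel kind ("http", "tcp" or "alias") and the endpoint it is published on.
func (s *Server) Classify(addr string, port int) (kind, endpoint string, err error) {
	switch {
	case port == 80 || port == 443:
		if isNamed(addr) && !s.BindRandomSubs && !s.Taken[addr] {
			return "http", addr + "." + s.Domain, nil
		}
		return "http", randomLabel(3) + "." + s.Domain, nil // taken or random-only: fall back
	case isNamed(addr):
		if !s.TCPAliases {
			return "", "", fmt.Errorf("alias %q requested but --tcp-aliases is not enabled", addr)
		}
		return "alias", addr + ":" + strconv.Itoa(port), nil
	default:
		if s.BindRandomPorts || s.Taken[strconv.Itoa(port)] {
			port = 0 // port 0 lets the kernel pick ("Assigning a random port")
		}
		if !s.portAllowed(port) {
			return "", "", fmt.Errorf("port %d is outside --port-bind-range", port)
		}
		return "tcp", s.Domain + ":" + strconv.Itoa(port), nil
	}
}

func main() {
	ports, _ := ParsePortRange("0,1024-65535")
	s := &Server{Domain: "ssi.sh", TCPAliases: true, Ports: ports}
	for _, r := range [][2]string{{"hereiam", "80"}, {"", "2222"}, {"mylaptop", "22"}} {
		port, _ := strconv.Atoi(r[1])
		kind, ep, err := s.Classify(r[0], port)
		fmt.Printf("-R %s:%s -> %s %s %v\n", r[0], r[1], kind, ep, err)
	}
}
```

Run as-is and the three requests from the examples above come out as http, tcp and alias. Flip BindRandomSubs and BindRandomPorts to true to see sish's defaults discard the name and port you asked for, which is the usual reason a freshly deployed instance appears to ignore -R hereiam:80.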

Authentication

If you want to use this service privately, it supports both public key and password authentication. To enable authentication, set --authentication=true as one of your CLI options and be sure to configure --authentication-password or --authentication-keys-directory to your liking. The directory provided by --authentication-keys-directory is watched for changes and will reload the authorized keys automatically. The authorized key index is regenerated on directory modification, so removed public keys are also removed from the authorized set automatically. Files in this directory can contain either a single key or multiple keys separated by newlines, similar to authorized_keys. Password auth can be disabled by setting --authentication-password="" as a CLI option. Do this whenever you rely on keys: the password flag ships with a published default (see CLI Flags below), so enabling --authentication without overriding or clearing it leaves the server open to anyone who has read this README. The same goes for --admin-console-token and --private-key-passphrase.

One of my favorite ways of using this for authentication is to pull my public keys from GitHub straight into the watched directory:

cd ~/sish/pubkeys && curl -f https://github.com/antoniomika.keys > antoniomika

This loads my public keys from GitHub, places them in the directory that sish is watching, and sish picks them up immediately. As soon as this command is run, I can SSH normally and it will authorize me. The -f makes curl fail on an HTTP error instead of writing the error page into the key directory, and note that this delegates trust to the GitHub account: anyone who can add a key there can log in to your sish.

Custom domains

sish supports allowing users to bring custom domains to the service, but SSH key auth is required to be enabled. To use this feature, you must set up TXT and CNAME/A records for the domain/subdomain you would like to use for your forwarded connection. The CNAME/A record must point to the domain or IP that is hosting sish. The TXT record must be a key=val string that looks like:

sish=SSHKEYFINGERPRINT

Where SSHKEYFINGERPRINT is the SHA256 fingerprint of the key used for logging into the server (this is what --verify-dns, on by default, checks). You can set multiple TXT records and sish will check all of them to ensure at least one is a match. You can retrieve your key fingerprint by running the following against your private key or the matching .pub file:

ssh-keygen -lf ~/.ssh/id_rsa | awk '{print $2}'
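The check sish describes here is: hash the public key blob, then compare against sish=<fingerprint> TXT records. The following Go program, added for this page and not taken from sish, computes the same SHA256 fingerprint that ssh-keygen -lf prints from an authorized_keys line and checks it against a record set. DNS lookup is deliberately left out so it runs offline: the records and the seeded ed25519 key are constructed sample data, and tolerating a record that omits the SHA256: prefix is this example's choice rather than documented sish behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint returns the OpenSSH SHA256 fingerprint ("SHA256:" + unpadded
// base64) of the key on an authorized_keys-style line, the value that
// `ssh-keygen -lf` prints in its second column.
func Fingerprint(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", errors.New("want '<type> <base64 blob> [comment]'")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", fmt.Errorf("key blob is not base64: %w", err)
	}
	// The blob opens with an SSH string (uint32 big-endian length + bytes)
	// naming the key type; it must agree with the first field.
	if len(blob) < 4 {
		return "", errors.New("key blob too short")
	}
	n := binary.BigEndian.Uint32(blob)
	if uint64(n)+4 > uint64(len(blob)) || string(blob[4:4+n]) != f[0] {
		return "", fmt.Errorf("key type %q does not match the blob", f[0])
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// AuthorizedByTXT reports whether any TXT record reads "sish=<fingerprint>"
// for the connecting key. Records are passed in so the check runs offline; a
// real check would fetch them with net.LookupTXT(host). Unrelated records
// are skipped, surrounding quotes are tolerated, and a record that omits the
// "SHA256:" prefix is accepted (this example's leniency, not sish's).
func AuthorizedByTXT(records []string, fingerprint string) bool {
	want := strings.TrimPrefix(fingerprint, "SHA256:")
	for _, rec := range records {
		rec = strings.TrimSpace(strings.Trim(rec, `"`))
		if !strings.HasPrefix(rec, "sish=") {
			continue
		}
		got := strings.TrimPrefix(strings.TrimPrefix(rec, "sish="), "SHA256:")
		if got != "" && got == want {
			return true
		}
	}
	return false
}

// sshString encodes an SSH wire-format string: uint32 big-endian length + bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// AuthorizedKeyFromSeed builds an authorized_keys line for an ed25519 key
// derived from a fixed seed byte: constructed test input, never a real key.
func AuthorizedKeyFromSeed(seed byte, comment string) string {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	pub := ed25519.NewKeyFromSeed(s).Public().(ed25519.PublicKey)
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

func main() {
	line := AuthorizedKeyFromSeed(1, "alice@laptop")
	fp, err := Fingerprint(line)
	if err != nil {
		panic(err)
	}
	// Constructed TXT record set for a hypothetical app.example.com.
	records := []string{`"v=spf1 -all"`, "sish=" + fp}
	fmt.Println(fp, AuthorizedByTXT(records, fp))
}
```

The type check on the blob matters in practice: a key file that was pasted with the wrong prefix, or truncated, would otherwise hash to a fingerprint that never appears in any TXT record and fail in a way that looks like a DNS problem.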

If you trust the users connecting to sish and would like to allow any domain to be used with sish (bypassing verification), there are a few added flags to aid in this. This is especially useful when adding multiple wildcard certificates to sish in order to avoid provisioning Let's Encrypt certs on demand. To disable verification, set --bind-any-host=true, which will allow any subdomain/domain combination to be used; on a shared instance this lets any authenticated user bind any hostname your certificates cover, so keep it off unless every user is trusted. To only allow subdomains of a certain subset of domains, you can set --bind-hosts to a comma-separated list of domains that are allowed to be bound.

To add certificates for sish to use, configure the --https-certificate-directory flag to point to a dir that is accessible by sish. In the directory, sish will look for pairs of files named name.crt and name.key. name can be arbitrary, it just needs to be the same for the cert and key of one pair and unique per pair so they can be loaded into sish.

Load balancing

sish can load balance any type of forwarded connection, but this needs to be enabled when starting sish using the --http-load-balancer, --tcp-load-balancer, and --alias-load-balancer flags. Let's say you have a few edge nodes (Raspberry Pis) that are running a service internally but you want to be able to balance load across these devices from the outside world. By enabling load balancing in sish, this happens automatically when a device with the same forwarded TCP port, alias, or HTTP subdomain connects to sish. Connections will then be evenly distributed across whatever nodes are connected to sish that match the forwarded connection. Note that this means any client able to bind the same name joins the pool and receives a share of the traffic, so on a shared instance only enable it together with --authentication and a trusted set of keys.

Whitelisting IPs

Whitelisting IP ranges or countries is also possible. Whole CIDR ranges can be specified with the --whitelisted-ips option that accepts a comma-separated string like "192.30.252.0/22,185.199.108.0/22". If you want to whitelist a single IP, use the /32 range.

To whitelist countries, use --whitelisted-countries with a comma-separated string of ISO 3166-1 alpha-2 country codes (for example, "pt" for Portugal). You'll also need to set --geodb to true.
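A small Go helper, added for this page and not part of sish, that parses the comma-separated flag format above and evaluates a peer address against it. It rejects bare addresses so a missing /32 is caught at startup rather than silently ignored; giving --banned-ips precedence over --whitelisted-ips and admitting everyone when no whitelist is set are this example's assumptions about precedence, not documented sish behaviour.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// AccessPolicy holds parsed --whitelisted-ips and --banned-ips values.
type AccessPolicy struct {
	allow []*net.IPNet
	deny  []*net.IPNet
}

// parseCIDRList parses the comma-separated flag format. As the README says,
// a single host must be written as /32 (or /128 for IPv6); a bare address is
// rejected here so the mistake surfaces at startup instead of being ignored.
func parseCIDRList(flag string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, ent := range strings.Split(flag, ",") {
		ent = strings.TrimSpace(ent)
		if ent == "" {
			continue
		}
		if !strings.Contains(ent, "/") {
			return nil, fmt.Errorf("%q has no prefix length; write a single host as %s/32 (or /128 for IPv6)", ent, ent)
		}
		_, n, err := net.ParseCIDR(ent)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// NewAccessPolicy builds a policy from the two flag strings; either may be empty.
func NewAccessPolicy(whitelisted, banned string) (*AccessPolicy, error) {
	allow, err := parseCIDRList(whitelisted)
	if err != nil {
		return nil, fmt.Errorf("--whitelisted-ips: %w", err)
	}
	deny, err := parseCIDRList(banned)
	if err != nil {
		return nil, fmt.Errorf("--banned-ips: %w", err)
	}
	return &AccessPolicy{allow: allow, deny: deny}, nil
}

func containsIP(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allowed decides for one peer, given as "host:port" (as net.Conn.RemoteAddr
// reports it) or a bare address. Precedence chosen for this example: a banned
// match always wins, an empty whitelist admits everyone else, a non-empty
// whitelist admits only listed ranges, and anything unparsable is refused.
func (p *AccessPolicy) Allowed(remote string) bool {
	host, _, err := net.SplitHostPort(remote)
	if err != nil {
		host = remote
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	if containsIP(p.deny, ip) {
		return false
	}
	return len(p.allow) == 0 || containsIP(p.allow, ip)
}

func main() {
	p, err := NewAccessPolicy("192.30.252.0/22,185.199.108.0/22", "192.30.253.9/32")
	if err != nil {
		panic(err)
	}
	for _, peer := range []string{"192.30.255.1:51000", "192.30.253.9:4444", "203.0.113.7:22"} {
		fmt.Printf("%-20s allowed=%v\n", peer, p.Allowed(peer))
	}
}
```

Whatever source address the server sees is what gets checked: behind a TCP load balancer that is the balancer's address, and an IP whitelist is meaningless there unless --proxy-protocol-listener is enabled so the original client address is recovered from the PROXY header.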

DNS Setup

To use sish, you need to add a wildcard DNS record that is used for multiplexed subdomains. Adding an A record with * as the subdomain pointing to the IP address of your server is the simplest way to achieve this configuration. Add a plain A record for the root domain as well, since that is the name clients SSH to, and if you serve HTTPS make sure the certificate covers the wildcard (the Docker Compose deployment above issues one via dnsrobocert).

Demo - At this time, the demo instance has been set to require auth due to abuse

There is a demo service (and my private instance) running on ssi.sh. It originally did not require any authentication; as the heading above notes, it has since been switched to require auth because of abuse. This service provides default logging (errors, connection IP/username, and pubkey fingerprint). I do not log any of the password authentication data or the data sent within the service/tunnels. My deploy uses the exact deploy steps listed above. This instance is for testing and educational purposes only. You can deploy this extremely easily on any host (Google Cloud Platform provides an always-free instance that this should run perfectly on). Since authentication is now enabled, reach out to me to get your SSH key whitelisted (make sure it's on GitHub and you provide me with your GitHub username).

Notes

  1. This is by no means production ready in any way. This was hacked together and solves a fairly specific use case.
    • You can help it get production ready by submitting PRs/reviewing code/writing tests/etc
  2. This is a fairly simple implementation, I've intentionally cut corners in some places to make it easier to write.
  3. If you have any questions or comments, feel free to reach out via email [email protected] or on freenode IRC #sish

Upgrading to v1.0

There are numerous breaking changes in sish between pre-1.0 and post-1.0 versions. The largest changes are in the mapping of command flags and configuration params. Those have changed drastically, but it should be easy to find the new counterpart. The other change concerns the SSH keys supported for the server host key. sish continues to support most modern key types, but by default, if a host key is not found, it will create an OpenSSH ED25519 key to use. Previous versions of sish would AES-encrypt the PEM block of this private key, but we have since moved to the native OpenSSH private key format to allow for easy interop with OpenSSH tools. For this reason, you will either have to manually convert an AES-encrypted key or generate a new one (an "ssh: invalid openssh private key format" error at startup is the symptom of an old-format key).

CLI Flags

sish is a command line utility that implements an SSH server that can handle HTTP(S)/WS(S)/TCP multiplexing, forwarding and load balancing.
It can handle multiple vhosting and reverse tunneling endpoints for a large number of clients.

Usage:
  sish [flags]

Flags:
      --admin-console                               Enable the admin console accessible at http(s)://domain/_sish/console?x-authorization=admin-console-token
  -j, --admin-console-token string                  The token to use for admin console access if it's enabled (default "S3Cr3tP4$$W0rD")
      --alias-load-balancer                         Enable the alias load balancer (multiple clients can bind the same alias)
      --append-user-to-subdomain                    Append the SSH user to the subdomain. This is useful in multitenant environments
      --append-user-to-subdomain-separator string   The token to use for separating username and subdomain selection in a virtualhost (default "-")
      --authentication                              Require authentication for the SSH service
  -k, --authentication-keys-directory string        Directory where public keys for public key authentication are stored.
                                                    sish will watch this directory and automatically load new keys and remove keys
                                                    from the authentication list (default "deploy/pubkeys/")
  -u, --authentication-password string              Password to use for ssh server password authentication (default "S3Cr3tP4$$W0rD")
      --banned-aliases string                       A comma separated list of banned aliases that users are unable to bind
  -o, --banned-countries string                     A comma separated list of banned countries. Applies to HTTP, TCP, and SSH connections
  -x, --banned-ips string                           A comma separated list of banned ips that are unable to access the service. Applies to HTTP, TCP, and SSH connections
  -b, --banned-subdomains string                    A comma separated list of banned subdomains that users are unable to bind (default "localhost")
      --bind-any-host                               Bind any host when accepting an HTTP listener
      --bind-hosts string                           A comma separated list of other hosts a user can bind. Requested hosts should be subdomains of a host in this list
      --bind-random-aliases                         Force bound alias tunnels to use random aliases instead of user provided ones (default true)
      --bind-random-aliases-length int              The length of the random alias to generate if an alias is unavailable or if random aliases are enforced (default 3)
      --bind-random-ports                           Force TCP tunnels to bind a random port, where the kernel will randomly assign it (default true)
      --bind-random-subdomains                      Force bound HTTP tunnels to use random subdomains instead of user provided ones (default true)
      --bind-random-subdomains-length int           The length of the random subdomain to generate if a subdomain is unavailable or if random subdomains are enforced (default 3)
      --cleanup-unbound                             Cleanup unbound (unforwarded) SSH connections after a set timeout (default true)
      --cleanup-unbound-timeout duration            Duration to wait before cleaning up an unbound (unforwarded) connection (default 5s)
  -c, --config string                               Config file (default "config.yml")
      --debug                                       Enable debugging information
  -d, --domain string                               The root domain for HTTP(S) multiplexing that will be appended to subdomains (default "ssi.sh")
      --force-requested-aliases                     Force the aliases used to be the one that is requested. Will fail the bind if it exists already
      --force-requested-ports                       Force the ports used to be the one that is requested. Will fail the bind if it exists already
      --force-requested-subdomains                  Force the subdomains used to be the one that is requested. Will fail the bind if it exists already
      --geodb                                       Use a geodb to verify country IP address association for IP filtering
  -h, --help                                        help for sish
  -i, --http-address string                         The address to listen for HTTP connections (default "localhost:80")
      --http-load-balancer                          Enable the HTTP load balancer (multiple clients can bind the same domain)
      --http-port-override int                      The port to use for http command output. This does not affect ports used for connecting, it's for cosmetic use only
      --https                                       Listen for HTTPS connections. Requires a correct --https-certificate-directory
  -t, --https-address string                        The address to listen for HTTPS connections (default "localhost:443")
  -s, --https-certificate-directory string          The directory containing HTTPS certificate files (name.crt and name.key). There can be many crt/key pairs (default "deploy/ssl/")
      --https-ondemand-certificate                  Enable retrieving certificates on demand via Let's Encrypt
      --https-ondemand-certificate-accept-terms     Accept the Let's Encrypt terms
      --https-ondemand-certificate-email string     The email to use with Let's Encrypt for cert notifications. Can be left blank
      --https-port-override int                     The port to use for https command output. This does not affect ports used for connecting, it's for cosmetic use only
      --idle-connection                             Enable connection idle timeouts for reads and writes (default true)
      --idle-connection-timeout duration            Duration to wait for activity before closing a connection for all reads and writes (default 5s)
      --load-templates                              Load HTML templates. This is required for admin/service consoles (default true)
      --load-templates-directory string             The directory and glob parameter for templates that should be loaded (default "templates/*")
      --localhost-as-all                            Enable forcing localhost to mean all interfaces for tcp listeners (default true)
      --log-to-client                               Enable logging HTTP and TCP requests to the client
      --log-to-file                                 Enable writing log output to file, specified by log-to-file-path
      --log-to-file-compress                        Enable compressing log output files
      --log-to-file-max-age int                     The maximum number of days to store log output in a file (default 28)
      --log-to-file-max-backups int                 The maximum number of rotated log files to keep (default 3)
      --log-to-file-max-size int                    The maximum size of output log files in megabytes (default 500)
      --log-to-file-path string                     The file to write log output to (default "/tmp/sish.log")
      --log-to-stdout                               Enable writing log output to stdout (default true)
      --ping-client                                 Send ping requests to the underlying SSH client.
                                                    This is useful to ensure that SSH connections are kept open or close cleanly (default true)
      --ping-client-interval duration               Duration representing an interval to ping a client to ensure it is up (default 5s)
      --ping-client-timeout duration                Duration to wait for activity before closing a connection after sending a ping to a client (default 5s)
  -n, --port-bind-range string                      Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding (default "0,1024-65535")
  -l, --private-key-location string                 The location of the SSH server private key. sish will create a private key here if
                                                    it doesn't exist using the --private-key-passphrase to encrypt it if supplied (default "deploy/keys/ssh_key")
  -p, --private-key-passphrase string               Passphrase to use to encrypt the server private key (default "S3Cr3tP4$$phrAsE")
      --proxy-protocol                              Use the proxy-protocol while proxying connections in order to pass-on IP address and port information
      --proxy-protocol-listener                     Use the proxy-protocol to resolve ip addresses from user connections
      --proxy-protocol-policy string                What to do with the proxy protocol header. Can be use, ignore, reject, or require (default "use")
      --proxy-protocol-timeout duration             The duration to wait for the proxy proto header (default 200ms)
      --proxy-protocol-use-timeout                  Use a timeout for the proxy-protocol read
  -q, --proxy-protocol-version string               What version of the proxy protocol to use. Can either be 1, 2, or userdefined.
                                                    If userdefined, the user needs to add a command to SSH called proxyproto:version (ie proxyproto:1) (default "1")
      --redirect-root                               Redirect the root domain to the location defined in --redirect-root-location (default true)
  -r, --redirect-root-location string               The location to redirect requests to the root domain
                                                    to instead of responding with a 404 (default "https://github.com/antoniomika/sish")
      --service-console                             Enable the service console for each service and send the info to connected clients
  -m, --service-console-token string                The token to use for service console access. Auto generated if empty for each connected tunnel
  -a, --ssh-address string                          The address to listen for SSH connections (default "localhost:2222")
      --tcp-aliases                                 Enable the use of TCP aliasing
      --tcp-load-balancer                           Enable the TCP load balancer (multiple clients can bind the same port)
      --time-format string                          The time format to use for both HTTP and general log messages (default "2006/01/02 - 15:04:05")
      --verify-dns                                  Verify DNS information for hosts and ensure it matches a connecting user's sha256 key fingerprint (default true)
      --verify-ssl                                  Verify SSL certificates made on proxied HTTP connections (default true)
  -v, --version                                     version for sish
  -y, --whitelisted-countries string                A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections
  -w, --whitelisted-ips string                      A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections

Issues
  • Help in use with SSLH, Advanced SSH, and ProxyJump, using the SISH Docker Image

    Hello!
         I wish to use sish with sslh and ProxyJumps, but I can't seem to figure out how to set this up; what I'd like to do is ssh into my Linode VPS, caught by sslh on ports 443 and 80, and using sish, jump to my Raspberry Pi 3 at home, then jump to my primary server, a laptop.
         Any help with setting such a system up will be greatly appreciated!

    opened by shadowrylander 57
  • Questions and bugs on the way to 1.0

    Hi @antoniomika - your tool is great. But current release throwing me an error:

    2020/05/25 - 17:32:56 | Starting SSH service on address: localhost:2222
    2020/05/25 - 17:32:56 | ssh: invalid openssh private key format
    

    Getting this in latest docker and standalone binary. How to create correct keys and folder structure for new version?

    opened by andreasunterhuber 18
  • Not Working-just commit info in logs

    It is not working.

    When I execute ssh -p 2222 -R sync:80:localhost:8384 capcloud.live

    I get not. When I check logs I see.....

    Date: 2020-05-03T03:22:51Z Version: v1.0.0-rc Commit: 93028414cc94378b0d9177199608efce3090577d Date: 2020-05-03T03:22:51Z Version: v1.0.0-rc Commit: 93028414cc94378b0d9177199608efce3090577d Date: 2020-05-03T03:22:51Z Version: v1.0.0-rc Commit: 93028414cc94378b0d9177199608efce3090577d Date: 2020-05-03T03:22:51Z

    opened by capriciousduck 15
  • Update

    I see there were many updates to your app. Do I need to re-create my docker container to have any updated version?

    opened by capriciousduck 14
  • kex_exchange_identification: Connection closed by remote host

    I'm evaluating replacement of existing ngrok, however I encounter error.

    Here is my testing environment

    1. Sish server, which hosts the sish service in an Azure VM and is started with this command.
    # also tried latest version
    sudo docker run -d --rm --name sish \
      -v `pwd`/ssl:/ssl \
      -v `pwd`/keys:/keys \
      -v `pwd`/pubkeys:/pubkeys \
      --net=host antoniomika/sish:v1.0.10 \
      --ssh-address=:2222 \
      --http-address=:80 \
      --https-address=:443 \
      --https=true \
      --https-certificate-directory=/ssl \
      --authentication-keys-directory=/pubkeys \
      --private-key-location=/keys/ssh_key \
      --bind-random-ports=false \
      --domain=sish.jonasc.dev \
      --debug=true
    
    2. Target host, which simulates a client behind NAT. To compare ngrok and sish, I start ngrok.service and the ssh command
    ssh -p 2222 -R localhost:22 sish.jonasc.dev
    
    The authenticity of host '[sish.jonasc.dev]:2222 ([138.91.40.243]:2222)' can't be established.
    ED25519 key fingerprint is SHA256:pI0c5nUORoAw4CUy4NcrMQlQJvpwcN316+AmJ5B7+Ew.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[sish.jonasc.dev]:2222,[138.91.40.243]:2222' (ED25519) to the list of known hosts.
    Press Ctrl-C to close the session.
    
    The TCP port :22 is unavailable. Assigning a random port.
    Starting SSH Forwarding service for tcp:22. Forwarded connections can be accessed via the following methods:
    TCP: sish.jonasc.dev:41729
    
    3. My laptop, which I intend to ssh in from

    I can login via ngrok, however can't via sish.

    ssh -vvv -i ~/.ssh/id_rsa [email protected] -p 41729
    
    OpenSSH_8.1p1, LibreSSL 2.7.3
    debug1: Reading configuration data /Users/jonas/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 47: Applying options for *
    debug1: Connecting to sish.jonasc.dev port 41729.
    debug1: Connection established.
    debug1: identity file /Users/jonas/.ssh/id_rsa type 0
    debug1: identity file /Users/jonas/.ssh/id_rsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.1
    kex_exchange_identification: Connection closed by remote host
    

    I googled similar errors, however most of the solutions do not work for me. As I believe the target host's sshd configuration works for ngrok, it should work for sish too. Could you enlighten me on what mistake I made? Thanks!

    bug 
    opened by JonasChengAsus 13
  • A Google Compute Engine setup guide

    Hi, I've been trying to set this up on a GCE f1-micro VM, but I'm not quite sure how to go about that (I did try a few things in the dashboard thing, and I have been able to get it to start and bind to a port, but now I have issues configuring it, exposing the SSH server etc.), and I haven't been able to find any tutorials that use GCE. I'll probably be able to figure it out after staring at the documentation for a bit longer, but an easy, straightforward guide specifically with sish in mind would be nice :)

    Thanks!

    enhancement 
    opened by lmarianski 12
  • Connection to sish-host.com closed by remote host.

    Hey, love the project and mostly working well! I have got the server up and running (currently on an AWS EC2 instance). I can connect to it from all of the following with a standard ssh -oStrictHostKeyChecking=no -p 2222 -R ben:80:localhost:80 sish-host.com

    • [x] Remote CentOS Server
    • [x] Windows PowerShell
    • [x] Local docker container (docker exec -it xxxxxxx sh)

    But the second I run this within a container (docker run or compose), it just fails. I've tried just about everything I could think of, but can't work it out. This is the ssh -v output

    debug1: Reading configuration data /etc/ssh/ssh_config
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    debug1: Connecting to sish-host.com [99.99.99.99] port 2222.
    debug1: Connection established.
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: identity file /root/.ssh/id_xmss type -1
    debug1: identity file /root/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.1
    debug1: Remote protocol version 2.0, remote software version Go
    debug1: no match: Go
    debug1: Authenticating to sish-host.com:2222 as 'root'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: [email protected]
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    debug1: checking without port identifier
    Warning: Permanently added '[sish-host.com]:2222,[99.99.99.99]:2222' (RSA) to the list of known hosts.
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /root/.ssh/id_rsa
    debug1: Will attempt key: /root/.ssh/id_dsa
    debug1: Will attempt key: /root/.ssh/id_ecdsa
    debug1: Will attempt key: /root/.ssh/id_ed25519
    debug1: Will attempt key: /root/.ssh/id_xmss
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to sish-host.com ([99.99.99.99]:2222).
    debug1: Remote connections from ben:80 forwarded to local address localhost:80
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: pledge: network
    Press Ctrl-C to close the session.
    Starting SSH Fowarding service for http:80. Forwarded connections can be accessed via the
    following methods:
    HTTP: http://ben.sish-host.com:80
    HTTPS: https://ben.sish-host.com:443
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 2 clearing O_NONBLOCK
    Connection to sish-host.com closed by remote host.
    Transferred: sent 1700, received 1512 bytes, in 0.0 seconds
    Bytes per second: sent 42334.2, received 37652.5
    debug1: Exit status -1
    sish_1 exited with code 255
    

    This is the server-side

    15:44:05 Accepted SSH connection for: 44.44.44.44:58208
    15:44:05 Main Channel Info session
    15:44:05 Handling session for connection: &{session [] 0 0 32768 32768 0xc000162a10 true 0 0xc000205740 {0 0} 0xc0002056e0 false {0xc00014be40 2097152 0 false} 0xc000208f00 0xc000208f40 {0 0} 2097152 {0 0} false map[]}
    15:44:05 Main Request Info tcpip-forward true benP
    15:44:05 Error trying to write message to socket: read tcp 10.0.2.4:2222->44.44.44.44:58208: use of closed network connection
    15:44:05 Closed SSH connection for: 44.44.44.44:58208 user: root
    15:44:13 =======Start=========
    15:44:13 ===Goroutines=====
    15:44:13 10
    15:44:13 ===Listeners======
    15:44:13 [::]:2222 &{0xc0000cf500 {<nil> 0}}
    15:44:13 ===Clients========
    15:44:13 ===HTTP Clients===
    15:44:13 ========End==========
    

    Where 99.99.99.99 is sish on the EC2 server and 44.44.44.44 is my local IP.

    I have been using this as a basis https://github.com/jacobtomlinson/docker-serveo. It works fine with my serveo instance on the same 99.99.99.99 server. For the purposes of testing, I created a minimal Dockerfile, which is confirmed and working with Serveo, but not with sish.

    FROM alpine:3
    
    RUN apk --no-cache add openssh
    ENTRYPOINT ["ssh", "-v", "-oStrictHostKeyChecking=no", "-p", "2222", "-R", "ben:80:localhost:80", "sish-host.com"]
    

    Here are my sish params

          -sish.addr=:2222
          -sish.auth=false
          -sish.https=:443
          -sish.http=:80
          -sish.httpsenabled=true
          -sish.httpspems=/etc/letsencrypt/live/sish-host.com
          -sish.keysdir=/pubkeys
          -sish.password=""
          -sish.pkloc=/keys/ssh_key
          -sish.bindrandom=false
          -sish.domain=sish-host.com
          -sish.forcerandomsubdomain=false
          -sish.debug=true
    

    If I can do anything to support, please let me know. Thanks again!

    opened by BenHarris 11
  • Question: Using sish as a "port forwarding slave"

    Question: Using sish as a "port forwarding slave"

    Hello there!

    Due to how my ISP has set up my broadband access, I cannot do port-forwarding from my router - or, my type of connection in general. To be honest, I am not exactly sure what is preventing me from port-forwarding...but, I have to do with what I have. :)

    That is why I have been looking for a way to expose ports on my local homeserver to my server, to utilize NGINX as a reverse proxy to access them. So, I have a few questions:

    1. Can I run sish to forward only HTTP and TCP connections, so that I can use NGINX to add my HTTPS certificates on top?
    2. I would like to dedicate the subdomain home.ingwie.io to everything related to my homeserver and use subdomains to differentiate between the various things running on it. I am not aware if NGINX has wildcard support in server_name though - but, I wouldn't be surprised if it did. That way, I could run another instance of NGINX on my homeserver to handle subdomains (foo.home.ingwie.io for instance). What would be the flags I'd have to pass to sish to tell it that home.ingwie.io is the main domain to use?
    3. Do you know of any way to automate SSH tunnel setup? I am using an older Mac Mini server and I do have a general idea of how to set up launchd services to run commands much like systemd. What commands would I have to use to bring up a tunnel, shut it down or verify its status?

    I am looking forward to your reply!

    Kind regards, Ingwie

    opened by IngwiePhoenix 11
  • Api interface for ssh tunnel management

    Api interface for ssh tunnel management

    Suggested features: kill tunnel, list of active tunnels, number of active tunnels, info about specified tunnel (like in log - 2019/12/14 - 19:34:00 | host.com | 200 | 6.792909ms | ip | GET /api/v2/test), tunnel stats with bytes in/out, list of dropped tunnels with timestamp and reason

    opened by fork04 10
  • Use sish without docker

    Use sish without docker

    Hi Antoni,

    I'm not familiar with go and docker. Can you help me with how to run sish without docker on *nix or Windows?

    Thank you.

    opened by Varooneh 10
  • tcp forwarding on port 443 always be treated as https forwarding

    tcp forwarding on port 443 always be treated as https forwarding

    I'm trying to forward port 443 through a tcp connection. It works fine for ports other than 443 (i.e. 8080). But for 443, the connection is always treated as http/https forwarding. I tried to disable https and change its default port to a port other than 443. None of those work. The relevant sish flags I'm using:

        --tcp-aliases=true \
        --bind-random-ports=false \
        --bind-random-aliases=false \
        `# http forwarding` \
        --domain="mydomain.com" \
        --http-address=:80 \
        --bind-any-host=true \
        --bind-random-subdomains=false \
        --redirect-root=false \
        `# https forwarding` \
        --https=false \
        --https-address=:1443 \
    

    Expose tcp to port 8080:

    ssh -p 2222 -R 8080:172.17.0.1:443 mydomain.com
    

    sish server log:

    2021/07/29 - 06:55:04 | TCP forwarding started: mydomain.com:8080 -> /tmp/20.96.12.202:1026:8080632507065 for client: 20.96.12.202:1026      
    

    Expose tcp to port 443:

    ssh -p 2222 -R 443:172.17.0.1:443 mydomain.com
    

    sish server log:

    2021/07/29 - 06:57:12 | HTTP forwarding started:
    http://nn9.mydomain.com -> /tmp/20.96.12.202:1027:443711539396 for client: 20.96.12.202:1027
    
    opened by laseryuan 1
  • Configuration Clarifications

    Configuration Clarifications

    Hello again Antonio, I'm sorry for polluting your 'Issues' section with what are more so questions than actual issues, but I wasn't sure where else to try to get an answer on a few things. If there would be a more appropriate place, let me know.

    Docker Tags: 'latest' vs 'main'

    What is the difference between the 2? My assumption is that 'latest' is the same build as the latest release on 'https://github.com/antoniomika/sish/releases' and that 'main' is a build including the latest commit on the Github. Is this correct? If so, would it be best to stick with 'latest'? If I go with 'main' could some of the configuration parameters and instructions on the main Github page be wrong/out-of-date? I assume all of the information on the Github page corresponds only to the 'latest' build and therefore it will be safe to follow those instructions and use any of the listed configuration parameters without fear that they will be missing from the 'latest' build?

    Any Way to Attach to Container and Issue Commands?

    Is there any way to attach to my running sish docker container and get a shell that I can use to issue commands inside of the container (without interrupting sish)? As it is, if I attach to my container, I simply see the log data that is being output to stdout. I'm pretty new to Docker and I was hoping you might be able to give me a quick solution to accomplish this. I've messed around with it for far, far too long... The command I run to spin up my docker container (after I've stopped it for whatever reason) is the following (the '--no-deps' is because I never stop/disturb my letsencrypt container):

    docker-compose -f docker-compose.yml up -d --no-deps --build sish
    

    Timezone of sish Container and its Logs

    I've noticed that my sish container uses UTC as its time zone and not the time zone of my host system. I understand that this is normal for a docker container but I was hoping you could tell me if including these last 2 lines in my 'volumes' section of my docker-compose file is the correct way to fix the problem:

    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./pubkeys:/pubkeys
      - ./keys:/keys
      - ./ssl:/ssl
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    
    opened by lahma0 0
  • Rewrite Host header

    Rewrite Host header

    It should allow rewriting http Host header like ngrok does with param -host-header=example.com

    enhancement good first issue feature-request 
    opened by santicastro 2
  • Request auto close the ssh client if the requested domain is unavailable.

    Request auto close the ssh client if the requested domain is unavailable.

    I use Docker to run the tunnel, but when the requested domain is unavailable it cannot auto restart because the ssh didn't auto close. Please add this feature!

    question 
    opened by sonntuet1997 2
  • Cannot use root domain port

    Cannot use root domain port

    I cannot use the root domain port for my website, is there a way I can bind it with another port or disable it if possible ?

    question 
    opened by sonntuet1997 2
  • Enable authentication by default/automatically

    Enable authentication by default/automatically

    While looking at the readme again, I've realized that my current setup just doesn't need any kind of authentication. Looking again at the readme I think that the provided docker command also has authentication disabled (it uses --authentication-keys-directory but not --authentication=true - I've copied the relevant args from the docker command and felt safe due to the --authentication-keys-directory).

    Ways to fix it:

    1. Leave authentication disabled by default but enable it when --authentication-keys-directory or --authentication-password is used
       • doesn't break anything
       • may create problems, when users rely on default pubkey directory
    2. Remove the --authentication flag and don't use default values for pubkey directory or password. If the user wants authentication he has to explicitly specify the directory or the password.
       • only breaks slightly (as the --authentication flag is now unknown and will throw an error)
       • One flag less to worry about
       • Users using the default pubkey directory are still insecure after upgrading (if they assumed that authentication was enabled by default or when they place keys in the directory)
    3. Enable authentication by default and (maybe) replace the --authentication flag by --disable-authentication to be more explicit.
       • breaks all unauthenticated setups (and all others when also changing the flag)
       • User has to explicitly make it insecure/public

    Option 3 is the safest option, but I wouldn't mind using option 2 to keep some backwards compatibility

    enhancement good first issue 
    opened by bibo38 1
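    The client side of exactly this misconfiguration is visible in the `ssh -v` log quoted earlier on this page: `Authentication succeeded (none)` means the server accepted the session before any key or password was offered. The following audit script is an added example, not code from the sish project; it classifies such a transcript and can probe a live instance with every real authentication method switched off. The host and port are placeholders, the sample transcript is constructed, and coreutils `timeout` is assumed to be installed.

    ```shell
    #!/bin/sh
    # Added example, not part of sish: audit whether a sish endpoint lets an SSH
    # client in with no credentials. An open instance answers the client's initial
    # "none" method with success, which is the "Authentication succeeded (none)"
    # line seen in the debug log quoted earlier on this page.

    # Constructed sample transcript (modelled on that log; not captured here).
    SAMPLE_OPEN_TRANSCRIPT='debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to sish-host.com ([99.99.99.99]:2222).'

    # Classify an `ssh -v` transcript passed as $1.
    # Exit status: 0 = server required credentials, 1 = server is open,
    # 2 = transcript contains no authentication outcome.
    sish_auth_verdict() {
      if printf '%s\n' "$1" | grep -q 'Authentication succeeded (none)'; then
        echo "OPEN: session accepted without any credentials"
        return 1
      fi
      if printf '%s\n' "$1" | grep -q 'Permission denied'; then
        echo "OK: unauthenticated attempt was rejected"
        return 0
      fi
      echo "UNKNOWN: no authentication outcome in transcript"
      return 2
    }

    # Probe a live server ($1 host, $2 port, default 2222). Every real method is
    # switched off so the client can only offer "none"; the session is killed
    # after 15 s because sish otherwise holds it open. Needs coreutils timeout.
    probe_sish_auth() {
      host="$1"
      port="${2:-2222}"
      transcript=$(timeout 15 ssh -v -N -p "$port" \
          -o BatchMode=yes \
          -o PubkeyAuthentication=no \
          -o PasswordAuthentication=no \
          -o KbdInteractiveAuthentication=no \
          -o StrictHostKeyChecking=accept-new \
          -o ConnectTimeout=10 \
          "$host" 2>&1 </dev/null) || true
      sish_auth_verdict "$transcript"
    }

    # With a host argument, probe it; otherwise classify the constructed sample.
    if [ "$#" -gt 0 ]; then
      probe_sish_auth "$@"
    else
      sish_auth_verdict "$SAMPLE_OPEN_TRANSCRIPT" || :
    fi
    ```

    Run it against your own deployment after adding `--authentication=true`; the expected verdict then changes from OPEN to OK.
    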
  • Allow binding of paths

    Allow binding of paths

    Why?

    Mainly to provide an alternative way without the need for a Wildcard SSL certificate (as it's harder to automatically obtain via LE and dynamic certs may be problematic to use with a Reverse Proxy before sish).

    Design Idea

    ssh -R foo/bar:443:localhost:8080 ssi.sh should proxy https://foo.ssi.sh/bar/* to http://localhost:8080/*. Also this doesn't prevent anything, as using / in the subdomain is not really practical (as it breaks the URL).

    enhancement good first issue feature-request 
    opened by bibo38 5
  • Allow binding the Root/Base domain

    Allow binding the Root/Base domain

    Add the feature to allow binding the base domain (probably behind a flag).

    Example

    ssh -R :80:localhost:8080 ssi.sh should proxy http://localhost:8080/ to http://ssi.sh/

    Why?

    Basically because I usually only need one connection, it is shorter to drop the subdomain.

    enhancement good first issue feature-request 
    opened by bibo38 1
  • Add an example in the wiki for a standard non-Docker systemd script?

    Add an example in the wiki for a standard non-Docker systemd script?

    It would be nice to have an example standard non-Docker systemd script, for the benefit of those running this outside a container.

    enhancement good first issue 
    opened by srk 3
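    A unit of the kind this issue asks for, as an added example that is not part of the sish project: a small POSIX sh helper that renders a hardened systemd service for a sish binary installed outside Docker. The binary path, service user, state directory and domain are placeholders; the flags are those of the README's docker run command plus --authentication=true (the keys directory alone does not turn authentication on), with the SSH listener on 2222 so the host's own sshd keeps port 22.

    ```shell
    #!/bin/sh
    # Added example, not part of sish: render a hardened systemd unit that runs the
    # sish binary outside Docker. All four values below are placeholders.
    set -eu

    SISH_BIN="${SISH_BIN:-/usr/local/bin/sish}"     # assumed install path of the binary
    SISH_USER="${SISH_USER:-sish}"                  # dedicated unprivileged account
    SISH_HOME="${SISH_HOME:-/var/lib/sish}"         # must contain keys/, pubkeys/, ssl/
    SISH_DOMAIN="${SISH_DOMAIN:-sish.example.com}"  # placeholder domain

    # Write sish.service into the directory given as $1 and print its path.
    # Typical use: render into /etc/systemd/system, then
    #   systemctl daemon-reload && systemctl enable --now sish
    render_sish_unit() {
      unit="$1/sish.service"
      cat > "$unit" <<EOF
    [Unit]
    Description=sish - HTTP(S)/WS(S)/TCP tunnels to localhost over SSH
    After=network-online.target
    Wants=network-online.target

    [Service]
    User=$SISH_USER
    Group=$SISH_USER
    WorkingDirectory=$SISH_HOME
    # Same flags as the README's docker run, plus --authentication=true:
    # --authentication-keys-directory alone does not enable authentication.
    ExecStart=$SISH_BIN \\
      --ssh-address=:2222 \\
      --http-address=:80 \\
      --https-address=:443 \\
      --https=true \\
      --https-certificate-directory=$SISH_HOME/ssl \\
      --domain=$SISH_DOMAIN \\
      --authentication=true \\
      --authentication-keys-directory=$SISH_HOME/pubkeys \\
      --private-key-location=$SISH_HOME/keys/ssh_key \\
      --bind-random-ports=false
    Restart=on-failure
    RestartSec=5s
    # Bind 80/443 without root; everything outside the state dir stays read-only.
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    NoNewPrivileges=true
    ProtectSystem=strict
    ReadWritePaths=$SISH_HOME
    ProtectHome=true
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target
    EOF
      echo "$unit"
    }

    # Render into the directory passed on the command line, if any.
    [ "$#" -eq 0 ] || render_sish_unit "$1"
    ```
    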
Releases(v1.1.7)