Minimal, self-hosted, 0-config alternative to ngrok. Caddy+OpenSSH+50 lines of Python.

Related tags

Networking SirTunnel
Overview

What is it?

If you have a webserver running on one computer (say your development laptop), and you want to expose it securely (ie HTTPS) via a public URL, SirTunnel allows you to easily do that.

How do you use it?

If you have:

  • A SirTunnel server instance listening on port 443 of example.com.
  • A copy of the sirtunnel.py script available on the PATH of the server.
  • An SSH server running on port 22 of example.com.
  • A webserver running on port 8080 of your laptop.

And you run the following command on your laptop:

ssh -tR 9001:localhost:8080 example.com sirtunnel.py sub1.example.com 9001

Now any requests to https://sub1.example.com will be proxied to your local webserver.

How does it work?

The command above does 2 things:

  1. It starts a standard remote SSH tunnel from the server port 9001 to local port 8080.
  2. It runs the command sirtunnel.py sub1.example.com 9001 on the server. The python script parses sub1.example.com 9001 and uses the Caddy API to reverse proxy sub1.example.com to port 9001 on the server. Caddy automatically retrieves an HTTPS cert for sub1.example.com.

Note: The -t is necessary so that doing CTRL-C on your laptop stops the sirtunnel.py command on the server, which allows it to clean up the tunnel on Caddy. Otherwise it would leave sirtunnel.py running and just kill your SSH tunnel locally.

How is it different?

There are a lot of solutions to this problem. In fact, I've made something of a hobby of maintaining a list of the ones I've found so far.

The main advantages of SirTunnel are:

  • Minimal. It leverages Caddy and whatever SSH server you already have running on your server. Other than that, it consists of a 50-line Python script on the server. That's it. Any time you spend learning to customize and configure it will be time well spent because you're learning Caddy and your SSH server.
  • 0-configuration. There is no configuration on the server side. Not even CLI arguments.
  • Essentially stateless. The only state is the certs (which is handled entirely by Caddy) and the tunnel mappings, which are ephemeral and controlled by the clients.
  • Automatic HTTPS certificate management. Some other solutions do this as well, so it's important but not unique.
  • No special client is required. You can use any standard SSH client that supports remote tunnels. Again, this is not a unique feature.

Running the server

Assuming you already have an ssh server running, getting the SirTunnel server going consists of simply downloading a copy of Caddy and running it with the provided config. Take a look at install.sh and run_server.sh for details.

Note: Caddy needs to bind to port 443, either by running as root (not recommended), setting the CAP_NET_BIND_SERVICE capability on the Caddy binary (what the install.sh script does), or changing caddy_config.json to bind to a different port (say 9000) and using something like iptables to forward to that port.

Future Features

SirTunnel is intended to be a minimal tool. As such, I'm unlikely to add many features moving forward. However, the simplicity makes it easier to modify for your needs. For example, see this fork which adds functionality to help multiple users avoid overwriting each others' tunnels:

https://github.com/matiboy/SirTunnel

Comments
  • More options to handle having several users

    More options to handle having several users

    Hi @anderspitman great job on this, love how it has no external dependencies and works smartly.

    As I installed this for my whole team to use, one issue that arose was people using existing subdomains, or even port on the server. So I created this fork with lots of ways to be alerted if you are about to override someone's tunnel (or fail to add your own).

    It should theoretically be fully backwards compatible as all arguments are optional and defaulting to not being used.

    Feel free to merge if you see value in this.

    Mat

    opened by matiboy 3
  • Server setup - digital ocean example

    Server setup - digital ocean example

    I'm hoping to run the server on a Digital Ocean droplet. Is the following a good plan?

    • Create a new droplet (let's assume I use my SSH key instead of password-based)
    • Create a dedicated sirtunnel user so I'm not running as root
    • Create an SSH keypair id_sirtunnel for this new user. The private key is what will be used by users/clients
    • Clone SirTunnel to the droplet, run the install.sh and then run_server.sh
    • Register a dedicated domain for this (let's say rarkinstunnel.com)
    • Configure a wildcard DNS entry for rarkinstunnel.com pointing to my droplet IP
    • ssh -i ~/.ssh/id_sirtunnel -tR 9001:localhost:8080 rarkinstunnel.com sirtunnel.py sub1.rarkinstunnel.com 9001

    Is that enough, including for Caddy to somehow fetch certs from LetsEncrypt for rarkinstunnel.com?

    BTW I'm not sure I understand the 9001 port, which I've copied directly from your example. Does that need to be unique for each different user/tunnel I wish to run?

    opened by rarkins 1
  • should ./caddy say caddy in run_server.sh ?

    should ./caddy say caddy in run_server.sh ?

    Overview

    Running ./run_server.sh on ubuntu 20.04 gives the following error

    ./run_server.sh: line 3: ./caddy: No such file or directory
    

    Source Code

    https://github.com/anderspitman/SirTunnel/blob/master/run_server.sh#L3

    Possible Solution

    Remove the ./ and replace ./caddy with caddy

    opened by melvincarvalho 1
  • Where do I need to run SirTunnel server instance and SSH server port 22?

    Where do I need to run SirTunnel server instance and SSH server port 22?

    Basically I have no idea what I'm doing.

    From the section How do you use it? I still don't really understand where should I run those command.

    let's say, I have a webserver running on PC and a Raspberry Pi.

    Can you please kindly elaborate where should I run

    • run_server.sh
    • SSH server running on port 22 of example.com

    And also do I need to have the PATH of sirtunnel.py in both Pi and PC?

    Many thanks

    opened by DableUTeeF 1
  • Invalid traversal path

    Invalid traversal path

    Caddy error when starting ssh script;

    request error{"error": "invalid traversal path at: config/apps/http/servers/sirtunnel/routes", "status_code": 500}

    caddy_config.json:

    {
      "apps": {
        "http": {
          "servers": {
            "[server_hostname]": {
              "listen": [":443"],
              "routes": [
              ]
            }
          }
        }
      }
    }
    
    opened by sheyabernstein 1
Owner
Anders Pitman
Anders Pitman
Get Your Localhost Online - Ngrok Alternative

Get Your Localhost Online - Ngrok Alternative

Azimjon Pulatov 442 Jan 4, 2023
wireguard-config-benchmark is a python script that benchmarks the download speeds for the connections defined in one or more wireguard config files

wireguard-config-benchmark is a python script that benchmarks the download speeds for the connections defined in one or more wireguard config files. If multiple configs are benchmarked it will output a file ranking them from fastest to slowest.

Sal 12 May 7, 2022
pyngrok is a Python wrapper for ngrok

pyngrok is a Python wrapper for ngrok that manages its own binary, making ngrok available via a convenient Python API.

Alex Laird 329 Dec 31, 2022
Simple self-hosted server to receive files from remote systems

Badtray This is a very simple self-hosted server to receive files from remote systems. This works similar to Bintray (RIP) and primarily designed to d

Alex Taradov 1 Nov 22, 2021
This will generate a very basic DHCP config with use of PHPIPAM systems.

phpipam-dhcp-config-generator This will generate a very basic DHCP config with use of PHPIPAM systems. Requirements PHPIPAM Custom Fields domain_name

null 1 Oct 24, 2021
This is simple script that changes the config register of a cisco router over serial so that you can reset the password

Cisco-router-config-bypass-tool- This is simple script that changes the config register of a cisco router over serial so that you can bypass the confi

James 1 Jan 2, 2022
Compare the contents of your hosted and proxy repositories for coordinate collisions

Nexus Repository Manager dependency/namespace confusion checker This repository contains a script to check if you have artifacts containing the same n

Sonatype Community 59 Mar 31, 2022
stellar-add-guest is a small tool to generate a new guest for Stellar Wireless (Enterprise mode) in OmniVista 2500 hosted on OmniSwitch with AOS Release 8

stellar-add-guest is a small tool to generate a new guest for Stellar Wireless (Enterprise mode) in OmniVista 2500 hosted on OmniSwitch with AOS Release 8.

BennyE 3 Jan 24, 2022
🔥 Minimal performant package to asynchronously make GET requests.

Minimal performant package to asynchronously make GET requests without any dependencies other than asyncio.

Yannick Perrenet 1 Jun 1, 2022
🐛 Self spreading Botnet based on Mirai C&C Arch, spreading through SSH and Telnet protocol.

HBot Self spreading Botnet based on Mirai C&C Arch, spreading through SSH and Telnet protocol. Modern script fullly written in python3. Warning. This

Ѵιcнч 137 Nov 14, 2022
🐛 SSH self spreading worm written in python3 to propagate a botnet.

Mirkat SSH self spreading worm written in python3 to propagate a botnet. Install tutorial. cd ./script && sh setup.sh Support me. ⚠️ If this reposito

Ѵιcнч 58 Nov 1, 2022
Medusa is a cross-platform agent compatible with both Python 3.8 and Python 2.7.

Medusa Medusa is a cross-platform agent compatible with both Python 3.8 and Python 2.7. Installation To install Medusa, you'll need Mythic installed o

Mythic Agents 123 Nov 9, 2022
ProtOSINT is a Python script that helps you investigate Protonmail accounts and ProtonVPN IP addresses

ProtOSINT ProtOSINT is a Python script that helps you investigate ProtonMail accounts and ProtonVPN IP addresses. Description This tool can help you i

pixelbubble 249 Dec 23, 2022
A Python tool used to automate the execution of the following tools : Nmap , Nikto and Dirsearch but also to automate the report generation during a Web Penetration Testing

?? WebMap A Python tool used to automate the execution of the following tools : Nmap , Nikto and Dirsearch but also to automate the report generation

Iliass Alami Qammouri 274 Jan 1, 2023
msgspec is a fast and friendly implementation of the MessagePack protocol for Python 3.8+

msgspec msgspec is a fast and friendly implementation of the MessagePack protocol for Python 3.8+. In addition to serialization/deserializat

Jim Crist-Harif 414 Jan 6, 2023
Light, simple RPC framework for Python

Agileutil是一个Python3 RPC框架。基于微服务架构,封装了rpc/http/orm/log等常用组件,提供了简洁的API,开发者可以很快上手,快速进行业务开发。

null 16 Nov 22, 2022
NetworkX is a Python package for the creation, manipulation, and study of the structure, dynamics, and functions of complex networks.

NetworkX is a Python package for the creation, manipulation, and study of the structure, dynamics, and functions of complex networks.

NetworkX 12k Jan 2, 2023
A Python library to ease the integration with the Beem Africa (SMS, AIRTIME, OTP, 2WAY-SMS, BPAY, USSD)

python-client A Python library to easy the integration with the Beem Africa SMS Gateway Features to be Implemented Airtime OTP SMS Two way SMS USSD Bp

Beem Africa 24 Oct 29, 2022
Python port of proxy-www (https://github.com/justjavac/proxy-www)

proxy-www.py Python port of proxy-www (https://github.com/justjavac/proxy-www). Implemented additional functionalities! How to install pip install pro

Minjun Kim (Lapis0875) 20 Dec 8, 2021