sish


Self-hosted SSH tunnel for web services


Overview


`sish` is a lightweight, self‑hosted reverse proxy designed to expose local services over the public internet, functioning as an open‑source alternative to commercial tunneling tools like Serveo and ngrok. At its core, the application listens for inbound SSH connections on a configurable port (default 2222) and accepts reverse tunnel requests. Once a client establishes an SSH session, `sish` forwards HTTP traffic from the remote domain to a local port specified by the tunnel command, effectively creating a public URL that proxies requests back to the developer’s machine. This architecture keeps the exposure minimal—only the SSH port needs to be reachable from the outside, while all other traffic is routed through authenticated tunnels.


Key Features

  • SSH‑based tunneling: Uses the ubiquitous SSH protocol, eliminating the need for custom clients or ports other than 22/2222.
  • Dynamic domain assignment: Supports per‑tunnel custom domains or subdomains, allowing developers to expose services under friendly URLs.
  • Public key authentication: Only hosts with registered SSH public keys can create tunnels, ensuring secure access control.
  • HTTP/HTTPS support: Forwards both plain HTTP and TLS traffic, with optional automatic certificate handling via Let’s Encrypt.
  • Web interface & API: Provides a minimal UI for monitoring active tunnels and an HTTP API for programmatic control.

Technical Stack

sish is written in Go (Golang), leveraging the language’s native concurrency model and efficient networking libraries. The server is a single binary with no external runtime dependencies, making it trivial to distribute and compile for various architectures. It relies on the golang.org/x/crypto/ssh package for SSH handling and the standard library’s net/http for proxying. Optional TLS termination is handled by Go’s crypto/tls package, with support for ACME/Let’s Encrypt via the golang.org/x/crypto/acme/autocert package. No external database is required; configuration and state are persisted in local JSON/YAML files, making the deployment footprint minimal.

Deployment & Infrastructure

Because sish is a self‑contained binary, it can run on any Linux distribution, including Alpine and Debian, and on Windows via WSL. For production use, it is recommended to run the binary behind a reverse proxy such as Nginx or Caddy that terminates TLS and forwards the SSH port. Containerization is straightforward: a minimal Dockerfile can expose ports 22 (SSH) and any custom HTTP port, and the image can be orchestrated with Docker Compose or Kubernetes. Horizontal scaling is limited by the single‑process nature of the server; however, multiple instances can be load‑balanced at the network level if a developer needs to handle many concurrent tunnels.

Integration & Extensibility

sish exposes a RESTful API that allows external tools to create, list, and delete tunnels programmatically. The API supports JSON payloads for specifying the local target port, remote domain, and optional TLS configuration. Webhooks can be configured to notify third‑party services when a tunnel is established or closed, enabling automated CI/CD workflows. While the core application has no plugin system per se, its modular Go codebase makes it straightforward for contributors to add features such as rate limiting, custom authentication backends, or advanced logging.

Developer Experience

The configuration is intentionally simple: a pubkeys directory holds SSH public keys, and command‑line flags control the listening address, domain, and logging verbosity. Documentation is hosted at https://docs.ssi.sh, providing a concise reference for the API and deployment guidelines. The open‑source community around sish is active on GitHub, with frequent issue discussions and pull requests. Because the project is written in Go, developers familiar with the language can contribute quickly, and the binary’s small size (≈15 MB) simplifies distribution.
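Since the pubkeys directory is the access-control list for tunnel creation, it is worth auditing what is in it. The following is an added example, not code from sish or from this page: it parses OpenSSH public key lines using only the Go standard library and flags weak or mislabeled keys. The function names, the 2048-bit RSA minimum and the two-type allowlist are assumptions chosen for illustration, and the sample key is constructed, not real.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
)

// next reads one length-prefixed SSH wire field, refusing lengths that overrun b.
func next(b []byte) (f, rest []byte) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil
	}
	n := 4 + binary.BigEndian.Uint32(b)
	return b[4:n], b[n:]
}

// AuditKey judges one "<type> <base64> [comment]" line; ok=false means remove the key.
func AuditKey(line string) (finding string, ok bool) {
	var label, b64 string
	fmt.Sscan(line, &label, &b64) // missing fields stay empty and fail below
	blob, err := base64.StdEncoding.DecodeString(b64)
	typ, rest := next(blob)
	if err != nil || label == "" || string(typ) != label {
		return "malformed line or label/blob mismatch", false
	}
	switch label {
	case "ssh-ed25519":
		return "ed25519", true
	case "ssh-rsa":
		_, rest = next(rest) // skip public exponent e
		n, _ := next(rest)   // modulus n, an mpint
		bits := new(big.Int).SetBytes(n).BitLen()
		return fmt.Sprintf("rsa %d bits", bits), bits >= 2048 // assumed policy minimum
	}
	return "key type not on allowlist: " + label, false
}

// sample builds a constructed (not real) key line from raw wire fields.
func sample(typ string, fields ...string) string {
	var blob []byte
	for _, f := range append([]string{typ}, fields...) {
		blob = append(binary.BigEndian.AppendUint32(blob, uint32(len(f))), f...)
	}
	return typ + " " + base64.StdEncoding.EncodeToString(blob) + " constructed@example"
}
func main() {
	weak := "\x00\x80" + string(make([]byte, 127)) // constructed 1024-bit modulus
	fmt.Println(AuditKey(sample("ssh-rsa", "\x01\x00\x01", weak)))
}
```

Checking the type string inside the blob against the text label matters because the label is only a hint; the blob is what an SSH server actually parses.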

Use Cases

  • Local development: Expose a local web server to external collaborators for UI reviews or testing on mobile devices.
  • CI/CD pipelines: Spin up a temporary tunnel during automated tests to validate webhook integrations or OAuth callbacks.
  • IoT device debugging: Allow remote access to a device’s local service without exposing the entire network.
  • Internal tooling: Provide secure, temporary URLs for internal dashboards or APIs during maintenance windows.

Advantages

sish offers a free, privacy‑respecting alternative to proprietary tunneling services. Its reliance on SSH means it can traverse most firewalls without additional configuration, and the lack of a central server eliminates data‑collection concerns. The Go implementation delivers low latency and high throughput, while the small binary footprint keeps resource usage minimal. Licensing under an open‑source license ensures that developers can host and modify the tool without commercial constraints, making it ideal for teams that require full control over their exposure mechanisms.
