Skip to content
An open source serveo/ngrok alternative. HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.vscode Added the ability to request subdomains. Closes #4 Mar 22, 2019
.dockerignore Initial commit Feb 21, 2019
Dockerfile Updated go version Feb 26, 2019
cloudbuild.yaml Initial commit Feb 21, 2019
go.mod Initial commit Feb 21, 2019
handle.go Initial commit Feb 21, 2019
http.go Redirect root to a specific location Feb 23, 2019
main.go Added the ability to request subdomains. Closes #4 Mar 22, 2019
requests.go Added the ability to request subdomains. Closes #4 Mar 22, 2019
utils.go Added the ability to request subdomains. Closes #4 Mar 22, 2019


An open source serveo/ngrok alternative.


Builds are made automatically on Google Cloud Build and Dockerhub. Feel free to either use the automated binaries or to build your own. If you submit a PR and would like access to Google Cloud Build's output (including pre-made PR binaries), feel free to let me know.

  1. Pull the Docker image
    • docker pull antoniomika/sish:latest
  2. Run the image
    • docker run -itd --name sish \
        -v ~/sish/ssl:/ssl \
        -v ~/sish/keys:/keys \
        -v ~/sish/pubkeys:/pubkeys \
        --net=host antoniomika/sish:latest \
        -sish.addr=:22 \
        -sish.https=:443 \
        -sish.http=:80 \
        -sish.httpsenabled=true \
        -sish.httpspems=/ssl \
        -sish.keysdir=/pubkeys \
        -sish.pkloc=/keys/ssh_key \
  3. SSH to your host to communicate with sish
    • ssh -p 2222 -R 80:localhost:8080

How it works

SSH can normally forward local and remote ports. This service implements an SSH server that only does that and nothing else. The service supports multiplexing connections over HTTP/HTTPS with WebSocket support. Just assign a remote port as port 80 to proxy HTTP traffic and 443 to proxy HTTPS traffic. If you use any other remote port, the server will listen to the port for connections, but only if that port is available.


If you want to use this service privately, it supports both public key and password authentication. To enable authentication, set -sish.auth=true as one of your CLI options and be sure to configure -sish.password or -sish.keysdir to your liking. The directory provided by -sish.keysdir is watched for changes and will reload the authorized keys automatically. The authorized cert index is regenerated on directory modification, so removed public keys will also automatically be removed. Files in this directory can either be single key per file, or multiple keys per file separated by newlines, similar to authorized_keys. Password auth can be disabled by setting -sish.password="" as a CLI option.

One of my favorite ways of using this for authentication is like so:

sish@sish0:~/sish/pubkeys# curl > antoniomika

This will load my public keys from GitHub, place them in the directory that sish is watching, and then load the pubkey. As soon as this command is run, I can SSH normally and it will authorize me.


There is a demo service (and my private instance) currently running on that doesn't require any authentication. This service provides default logging (errors, connection IP/username, and pubkey fingerprint). I do not log any of the password authentication data or the data sent within the service/tunnels. My deploy uses the exact deploy steps that are listed above. This instance is for testing and educational purposes only. You can deploy this extremely easily on any host (Google Cloud Platform provides an always-free instance that this should run perfectly on). If the service begins to accrue a lot of traffic, I will enable authentication and then you can reach out to me to get your SSH key whitelisted (make sure it's on GitHub and you provide me with your GitHub username).


  1. This is by no means production ready in any way. This was hacked together and solves a fairly specific use case.
    • You can help it get production ready by submitting PRs/reviewing code/writing tests/etc
  2. This is a fairly simple implementation, I've intentionally cut corners in some places to make it easier to write.
  3. If you have any questions or comments, feel free to reach out via email or on freenode IRC #sish

CLI Flags

sh-3.2# ./sish -h
Usage of ./sish:
  -sish.addr string
        The address to listen for SSH connections (default "localhost:2222")
        Whether or not to require auth on the SSH service
  -sish.bannedsubdomains string
        A comma separated list of banned subdomains (default "localhost")
        Bind ports randomly (OS chooses) (default true)
  -sish.bindrange string
        Ports that are allowed to be bound (default "0,1024-65535")
        Whether or not to cleanup unbound (forwarded) SSH connections (default true)
        Whether or not to print debug information
  -sish.domain string
        The domain for HTTP(S) multiplexing (default "")
        Whether or not to force a random subdomain (default true)
  -sish.http string
        The address to listen for HTTP connections (default "localhost:80")
  -sish.https string
        The address to listen for HTTPS connections (default "localhost:443")
        Whether or not to listen for HTTPS connections
  -sish.httpspems string
        The location of pem files for HTTPS (fullchain.pem and privkey.pem) (default "ssl/")
  -sish.keysdir string
        Directory for public keys for pubkey auth (default "pubkeys/")
  -sish.password string
        Password to use for password auth (default "S3Cr3tP4$$W0rD")
  -sish.pkloc string
        SSH server private key (default "keys/ssh_key")
  -sish.pkpass string
        Passphrase to use for the server private key (default "S3Cr3tP4$$phrAsE")
        Whether or not to redirect the root domain (default true)
  -sish.redirectrootlocation string
        Where to redirect the root domain to (default "")
  -sish.subdomainlen int
        The length of the random subdomain to generate (default 3)
You can’t perform that action at this time.