CLI

How use sish's CLI


  1```text
  2sish is a command line utility that implements an SSH server that can handle HTTP(S)/WS(S)/TCP multiplexing, forwarding and load balancing.
  3It can handle multiple vhosting and reverse tunneling endpoints for a large number of clients.
  4
  5Usage:
  6  sish [flags]
  7
  8Flags:
  9      --admin-console                                           Enable the admin console accessible at http(s)://domain/_sish/console?x-authorization=admin-console-token
 10  -j, --admin-console-token string                              The token to use for admin console access if it's enabled
 11      --alias-load-balancer                                     Enable the alias load balancer (multiple clients can bind the same alias)
 12      --append-user-to-subdomain                                Append the SSH user to the subdomain. This is useful in multitenant environments
 13      --append-user-to-subdomain-separator string               The token to use for separating username and subdomain selection in a virtualhost (default "-")
 14      --authentication                                          Require authentication for the SSH service (default true)
 15      --authentication-key-request-timeout duration             Duration to wait for a response from the authentication key request (default 5s)
 16      --authentication-key-request-url string                   A url to validate public keys for public key authentication.
 17                                                                sish will make an HTTP POST request to this URL with a JSON body containing an
 18                                                                OpenSSH 'authorized key' formatted public key, username,
 19                                                                and ip address. E.g.:
 20                                                                {"auth_key": string, "user": string, "remote_addr": string}
 21                                                                A response with status code 200 indicates approval of the auth key
 22  -k, --authentication-keys-directory string                    Directory where public keys for public key authentication are stored.
 23                                                                sish will watch this directory and automatically load new keys and remove keys
 24                                                                from the authentication list (default "deploy/pubkeys/")
 25      --authentication-keys-directory-watch-interval duration   The interval to poll for filesystem changes for SSH keys (default 200ms)
 26  -u, --authentication-password string                          Password to use for SSH server password authentication
 27      --banned-aliases string                                   A comma separated list of banned aliases that users are unable to bind
 28  -o, --banned-countries string                                 A comma separated list of banned countries. Applies to HTTP, TCP, and SSH connections
 29  -x, --banned-ips string                                       A comma separated list of banned ips that are unable to access the service. Applies to HTTP, TCP, and SSH connections
 30  -b, --banned-subdomains string                                A comma separated list of banned subdomains that users are unable to bind (default "localhost")
 31      --bind-any-host                                           Allow binding any host when accepting an HTTP listener
 32      --bind-hosts string                                       A comma separated list of other hosts a user can bind. Requested hosts should be subdomains of a host in this list
 33      --bind-http-auth                                          Allow binding http auth on a forwarded host (default true)
 34      --bind-http-path                                          Allow binding specific paths on a forwarded host (default true)
 35      --bind-random-aliases                                     Force bound alias tunnels to use random aliases instead of user provided ones (default true)
 36      --bind-random-aliases-length int                          The length of the random alias to generate if a alias is unavailable or if random aliases are enforced (default 3)
 37      --bind-random-ports                                       Force TCP tunnels to bind a random port, where the kernel will randomly assign it (default true)
 38      --bind-random-subdomains                                  Force bound HTTP tunnels to use random subdomains instead of user provided ones (default true)
 39      --bind-random-subdomains-length int                       The length of the random subdomain to generate if a subdomain is unavailable or if random subdomains are enforced (default 3)
 40      --bind-root-domain                                        Allow binding the root domain when accepting an HTTP listener
 41      --bind-wildcards                                          Allow binding wildcards when accepting an HTTP listener
 42      --cleanup-unauthed                                        Cleanup unauthed SSH connections after a set timeout (default true)
 43      --cleanup-unauthed-timeout duration                       Duration to wait before cleaning up an unauthed connection (default 5s)
 44      --cleanup-unbound                                         Cleanup unbound (unforwarded) SSH connections after a set timeout
 45      --cleanup-unbound-timeout duration                        Duration to wait before cleaning up an unbound (unforwarded) connection (default 5s)
 46  -c, --config string                                           Config file (default "config.yml")
 47      --debug                                                   Enable debugging information
 48      --debug-interval duration                                 Duration to wait between each debug loop output if debug is true (default 2s)
 49  -d, --domain string                                           The root domain for HTTP(S) multiplexing that will be appended to subdomains (default "ssi.sh")
 50      --force-all-https                                         Redirect all requests to the https server
 51      --force-https                                             Allow indiviual binds to request for https to be enforced
 52      --force-requested-aliases                                 Force the aliases used to be the one that is requested. Will fail the bind if it exists already
 53      --force-requested-ports                                   Force the ports used to be the one that is requested. Will fail the bind if it exists already
 54      --force-requested-subdomains                              Force the subdomains used to be the one that is requested. Will fail the bind if it exists already
 55      --force-tcp-address                                       Force the address used for the TCP interface to be the one defined by --tcp-address
 56      --geodb                                                   Use a geodb to verify country IP address association for IP filtering
 57  -h, --help                                                    help for sish
 58  -i, --http-address string                                     The address to listen for HTTP connections (default "localhost:80")
 59      --http-load-balancer                                      Enable the HTTP load balancer (multiple clients can bind the same domain)
 60      --http-port-override int                                  The port to use for http command output. This does not affect ports used for connecting, it's for cosmetic use only
 61      --http-request-port-override int                          The port to use for http requests. Will default to 80, then http-port-override. Otherwise will use this value
 62      --https                                                   Listen for HTTPS connections. Requires a correct --https-certificate-directory
 63  -t, --https-address string                                    The address to listen for HTTPS connections (default "localhost:443")
 64  -s, --https-certificate-directory string                      The directory containing HTTPS certificate files (name.crt and name.key). There can be many crt/key pairs (default "deploy/ssl/")
 65      --https-certificate-directory-watch-interval duration     The interval to poll for filesystem changes for HTTPS certificates (default 200ms)
 66      --https-ondemand-certificate                              Enable retrieving certificates on demand via Let's Encrypt
 67      --https-ondemand-certificate-accept-terms                 Accept the Let's Encrypt terms
 68      --https-ondemand-certificate-email string                 The email to use with Let's Encrypt for cert notifications. Can be left blank
 69      --https-port-override int                                 The port to use for https command output. This does not affect ports used for connecting, it's for cosmetic use only
 70      --https-request-port-override int                         The port to use for https requests. Will default to 443, then https-port-override. Otherwise will use this value
 71      --idle-connection                                         Enable connection idle timeouts for reads and writes (default true)
 72      --idle-connection-timeout duration                        Duration to wait for activity before closing a connection for all reads and writes (default 5s)
 73      --load-templates                                          Load HTML templates. This is required for admin/service consoles (default true)
 74      --load-templates-directory string                         The directory and glob parameter for templates that should be loaded (default "templates/*")
 75      --localhost-as-all                                        Enable forcing localhost to mean all interfaces for tcp listeners (default true)
 76      --log-to-client                                           Enable logging HTTP and TCP requests to the client
 77      --log-to-file                                             Enable writing log output to file, specified by log-to-file-path
 78      --log-to-file-compress                                    Enable compressing log output files
 79      --log-to-file-max-age int                                 The maxium number of days to store log output in a file (default 28)
 80      --log-to-file-max-backups int                             The maxium number of rotated logs files to keep (default 3)
 81      --log-to-file-max-size int                                The maximum size of outputed log files in megabytes (default 500)
 82      --log-to-file-path string                                 The file to write log output to (default "/tmp/sish.log")
 83      --log-to-stdout                                           Enable writing log output to stdout (default true)
 84      --ping-client                                             Send ping requests to the underlying SSH client.
 85                                                                This is useful to ensure that SSH connections are kept open or close cleanly (default true)
 86      --ping-client-interval duration                           Duration representing an interval to ping a client to ensure it is up (default 5s)
 87      --ping-client-timeout duration                            Duration to wait for activity before closing a connection after sending a ping to a client (default 5s)
 88  -n, --port-bind-range string                                  Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding (default "0,1024-65535")
 89  -p, --private-key-passphrase string                           Passphrase to use to encrypt the server private key (default "S3Cr3tP4$$phrAsE")
 90  -l, --private-keys-directory string                           The location of other SSH server private keys. sish will add these as valid auth methods for SSH. Note, these need to be unencrypted OR use the private-key-passphrase (default "deploy/keys")
 91      --proxy-protocol                                          Use the proxy-protocol while proxying connections in order to pass-on IP address and port information
 92      --proxy-protocol-listener                                 Use the proxy-protocol to resolve ip addresses from user connections
 93      --proxy-protocol-policy string                            What to do with the proxy protocol header. Can be use, ignore, reject, or require (default "use")
 94      --proxy-protocol-timeout duration                         The duration to wait for the proxy proto header (default 200ms)
 95      --proxy-protocol-use-timeout                              Use a timeout for the proxy-protocol read
 96  -q, --proxy-protocol-version string                           What version of the proxy protocol to use. Can either be 1, 2, or userdefined.
 97                                                                If userdefined, the user needs to add a command to SSH called proxyproto=version (ie proxyproto=1) (default "1")
 98      --redirect-root                                           Redirect the root domain to the location defined in --redirect-root-location (default true)
 99  -r, --redirect-root-location string                           The location to redirect requests to the root domain
100                                                                to instead of responding with a 404 (default "https://github.com/antoniomika/sish")
101      --rewrite-host-header                                     Force rewrite the host header if the user provides host-header=host.com (default true)
102      --service-console                                         Enable the service console for each service and send the info to connected clients
103      --service-console-max-content-length int                  The max content length before we stop reading the response body (default -1)
104  -m, --service-console-token string                            The token to use for service console access. Auto generated if empty for each connected tunnel
105      --sni-load-balancer                                       Enable the SNI load balancer (multiple clients can bind the same SNI domain/port)
106      --sni-proxy                                               Enable the use of SNI proxying
107      --sni-proxy-https                                         Enable the use of SNI proxying on the HTTPS port
108  -a, --ssh-address string                                      The address to listen for SSH connections (default "localhost:2222")
109      --strip-http-path                                         Strip the http path from the forward (default true)
110      --tcp-address string                                      The address to listen for TCP connections
111      --tcp-aliases                                             Enable the use of TCP aliasing
112      --tcp-aliases-allowed-users any                           Enable setting allowed users to access tcp aliases.
113                                                                Can provide tcp-aliases-allowed-users in the ssh command set to a comma separated list of ssh fingerprints that can access an alias.
114                                                                Provide any for all.
115      --tcp-load-balancer                                       Enable the TCP load balancer (multiple clients can bind the same port)
116      --time-format string                                      The time format to use for both HTTP and general log messages (default "2006/01/02 - 15:04:05")
117      --verify-dns                                              Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true)
118      --verify-ssl                                              Verify SSL certificates made on proxied HTTP connections (default true)
119  -v, --version                                                 version for sish
120  -y, --whitelisted-countries string                            A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections
121  -w, --whitelisted-ips string                                  A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections
<< PREV
Cheatsheet
NEXT >>
Advanced
Home
Sitemap
Getting Started
How it Works
Forwarding Types
Cheatsheet
CLI
Advanced
FAQ