1```text
2sish is a command line utility that implements an SSH server that can handle HTTP(S)/WS(S)/TCP multiplexing, forwarding and load balancing.
3It can handle multiple vhosting and reverse tunneling endpoints for a large number of clients.
4
5Usage:
6 sish [flags]
7
8Flags:
9 --admin-console Enable the admin console accessible at http(s)://domain/_sish/console?x-authorization=admin-console-token
10 -j, --admin-console-token string The token to use for admin console access if it's enabled
11 --alias-load-balancer Enable the alias load balancer (multiple clients can bind the same alias)
12 --append-user-to-subdomain Append the SSH user to the subdomain. This is useful in multitenant environments
13 --append-user-to-subdomain-separator string The token to use for separating username and subdomain selection in a virtualhost (default "-")
14 --authentication Require authentication for the SSH service (default true)
15 --authentication-key-request-timeout duration Duration to wait for a response from the authentication key request (default 5s)
16 --authentication-key-request-url string A url to validate public keys for public key authentication.
17 sish will make an HTTP POST request to this URL with a JSON body containing an
18 OpenSSH 'authorized key' formatted public key, username,
19 and ip address. E.g.:
20 {"auth_key": string, "user": string, "remote_addr": string}
21 A response with status code 200 indicates approval of the auth key
22 -k, --authentication-keys-directory string Directory where public keys for public key authentication are stored.
23 sish will watch this directory and automatically load new keys and remove keys
24 from the authentication list (default "deploy/pubkeys/")
25 --authentication-keys-directory-watch-interval duration The interval to poll for filesystem changes for SSH keys (default 200ms)
26 -u, --authentication-password string Password to use for SSH server password authentication
27 --banned-aliases string A comma separated list of banned aliases that users are unable to bind
28 -o, --banned-countries string A comma separated list of banned countries. Applies to HTTP, TCP, and SSH connections
29 -x, --banned-ips string A comma separated list of banned ips that are unable to access the service. Applies to HTTP, TCP, and SSH connections
30 -b, --banned-subdomains string A comma separated list of banned subdomains that users are unable to bind (default "localhost")
31 --bind-any-host Allow binding any host when accepting an HTTP listener
32 --bind-hosts string A comma separated list of other hosts a user can bind. Requested hosts should be subdomains of a host in this list
33 --bind-http-auth Allow binding http auth on a forwarded host (default true)
34 --bind-http-path Allow binding specific paths on a forwarded host (default true)
35 --bind-random-aliases Force bound alias tunnels to use random aliases instead of user provided ones (default true)
36 --bind-random-aliases-length int The length of the random alias to generate if a alias is unavailable or if random aliases are enforced (default 3)
37 --bind-random-ports Force TCP tunnels to bind a random port, where the kernel will randomly assign it (default true)
38 --bind-random-subdomains Force bound HTTP tunnels to use random subdomains instead of user provided ones (default true)
39 --bind-random-subdomains-length int The length of the random subdomain to generate if a subdomain is unavailable or if random subdomains are enforced (default 3)
40 --bind-root-domain Allow binding the root domain when accepting an HTTP listener
41 --bind-wildcards Allow binding wildcards when accepting an HTTP listener
42 --cleanup-unauthed Cleanup unauthed SSH connections after a set timeout (default true)
43 --cleanup-unauthed-timeout duration Duration to wait before cleaning up an unauthed connection (default 5s)
44 --cleanup-unbound Cleanup unbound (unforwarded) SSH connections after a set timeout
45 --cleanup-unbound-timeout duration Duration to wait before cleaning up an unbound (unforwarded) connection (default 5s)
46 -c, --config string Config file (default "config.yml")
47 --debug Enable debugging information
48 --debug-interval duration Duration to wait between each debug loop output if debug is true (default 2s)
49 -d, --domain string The root domain for HTTP(S) multiplexing that will be appended to subdomains (default "ssi.sh")
50 --force-all-https Redirect all requests to the https server
51 --force-https Allow indiviual binds to request for https to be enforced
52 --force-requested-aliases Force the aliases used to be the one that is requested. Will fail the bind if it exists already
53 --force-requested-ports Force the ports used to be the one that is requested. Will fail the bind if it exists already
54 --force-requested-subdomains Force the subdomains used to be the one that is requested. Will fail the bind if it exists already
55 --force-tcp-address Force the address used for the TCP interface to be the one defined by --tcp-address
56 --geodb Use a geodb to verify country IP address association for IP filtering
57 -h, --help help for sish
58 -i, --http-address string The address to listen for HTTP connections (default "localhost:80")
59 --http-load-balancer Enable the HTTP load balancer (multiple clients can bind the same domain)
60 --http-port-override int The port to use for http command output. This does not affect ports used for connecting, it's for cosmetic use only
61 --http-request-port-override int The port to use for http requests. Will default to 80, then http-port-override. Otherwise will use this value
62 --https Listen for HTTPS connections. Requires a correct --https-certificate-directory
63 -t, --https-address string The address to listen for HTTPS connections (default "localhost:443")
64 -s, --https-certificate-directory string The directory containing HTTPS certificate files (name.crt and name.key). There can be many crt/key pairs (default "deploy/ssl/")
65 --https-certificate-directory-watch-interval duration The interval to poll for filesystem changes for HTTPS certificates (default 200ms)
66 --https-ondemand-certificate Enable retrieving certificates on demand via Let's Encrypt
67 --https-ondemand-certificate-accept-terms Accept the Let's Encrypt terms
68 --https-ondemand-certificate-email string The email to use with Let's Encrypt for cert notifications. Can be left blank
69 --https-port-override int The port to use for https command output. This does not affect ports used for connecting, it's for cosmetic use only
70 --https-request-port-override int The port to use for https requests. Will default to 443, then https-port-override. Otherwise will use this value
71 --idle-connection Enable connection idle timeouts for reads and writes (default true)
72 --idle-connection-timeout duration Duration to wait for activity before closing a connection for all reads and writes (default 5s)
73 --load-templates Load HTML templates. This is required for admin/service consoles (default true)
74 --load-templates-directory string The directory and glob parameter for templates that should be loaded (default "templates/*")
75 --localhost-as-all Enable forcing localhost to mean all interfaces for tcp listeners (default true)
76 --log-to-client Enable logging HTTP and TCP requests to the client
77 --log-to-file Enable writing log output to file, specified by log-to-file-path
78 --log-to-file-compress Enable compressing log output files
79 --log-to-file-max-age int The maxium number of days to store log output in a file (default 28)
80 --log-to-file-max-backups int The maxium number of rotated logs files to keep (default 3)
81 --log-to-file-max-size int The maximum size of outputed log files in megabytes (default 500)
82 --log-to-file-path string The file to write log output to (default "/tmp/sish.log")
83 --log-to-stdout Enable writing log output to stdout (default true)
84 --ping-client Send ping requests to the underlying SSH client.
85 This is useful to ensure that SSH connections are kept open or close cleanly (default true)
86 --ping-client-interval duration Duration representing an interval to ping a client to ensure it is up (default 5s)
87 --ping-client-timeout duration Duration to wait for activity before closing a connection after sending a ping to a client (default 5s)
88 -n, --port-bind-range string Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding (default "0,1024-65535")
89 -p, --private-key-passphrase string Passphrase to use to encrypt the server private key (default "S3Cr3tP4$$phrAsE")
90 -l, --private-keys-directory string The location of other SSH server private keys. sish will add these as valid auth methods for SSH. Note, these need to be unencrypted OR use the private-key-passphrase (default "deploy/keys")
91 --proxy-protocol Use the proxy-protocol while proxying connections in order to pass-on IP address and port information
92 --proxy-protocol-listener Use the proxy-protocol to resolve ip addresses from user connections
93 --proxy-protocol-policy string What to do with the proxy protocol header. Can be use, ignore, reject, or require (default "use")
94 --proxy-protocol-timeout duration The duration to wait for the proxy proto header (default 200ms)
95 --proxy-protocol-use-timeout Use a timeout for the proxy-protocol read
96 -q, --proxy-protocol-version string What version of the proxy protocol to use. Can either be 1, 2, or userdefined.
97 If userdefined, the user needs to add a command to SSH called proxyproto=version (ie proxyproto=1) (default "1")
98 --redirect-root Redirect the root domain to the location defined in --redirect-root-location (default true)
99 -r, --redirect-root-location string The location to redirect requests to the root domain
100 to instead of responding with a 404 (default "https://github.com/antoniomika/sish")
101 --rewrite-host-header Force rewrite the host header if the user provides host-header=host.com (default true)
102 --service-console Enable the service console for each service and send the info to connected clients
103 --service-console-max-content-length int The max content length before we stop reading the response body (default -1)
104 -m, --service-console-token string The token to use for service console access. Auto generated if empty for each connected tunnel
105 --sni-load-balancer Enable the SNI load balancer (multiple clients can bind the same SNI domain/port)
106 --sni-proxy Enable the use of SNI proxying
107 --sni-proxy-https Enable the use of SNI proxying on the HTTPS port
108 -a, --ssh-address string The address to listen for SSH connections (default "localhost:2222")
109 --strip-http-path Strip the http path from the forward (default true)
110 --tcp-address string The address to listen for TCP connections
111 --tcp-aliases Enable the use of TCP aliasing
112 --tcp-aliases-allowed-users any Enable setting allowed users to access tcp aliases.
113 Can provide tcp-aliases-allowed-users in the ssh command set to a comma separated list of ssh fingerprints that can access an alias.
114 Provide any for all.
115 --tcp-load-balancer Enable the TCP load balancer (multiple clients can bind the same port)
116 --time-format string The time format to use for both HTTP and general log messages (default "2006/01/02 - 15:04:05")
117 --verify-dns Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true)
118 --verify-ssl Verify SSL certificates made on proxied HTTP connections (default true)
119 -v, --version version for sish
120 -y, --whitelisted-countries string A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections
121 -w, --whitelisted-ips string A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections