Forwarding Types

The various forwarding types sish supports


# HTTP

sish can forward any number of HTTP connections through SSH. It also provides logging the connections to the connected client that has forwarded the connection and a web interface to see full request and responses made to each forwarded connection. Each webinterface can be unique to the forwarded connection or use a unified access token. To make use of HTTP forwarding, ports [80, 443] are used to tell sish that a HTTP connection is being forwarded and that HTTP virtualhosting should be defined for the service. For example, let's say I'm developing a HTTP webservice on my laptop at port 8080 that uses websockets and I want to show one of my coworkers who is not near me. I can forward the connection like so:

1ssh -R hereiam:80:localhost:8080 tuns.sh

And then share the link https://hereiam.tuns.sh with my coworker. They should be able to access the service seamlessly over HTTPS, with full websocket support working fine. Let's say hereiam.tuns.sh isn't available, then sish will generate a random subdomain and give that to me.

# TCP

Any TCP based service can be used with sish for TCP and alias forwarding. TCP forwarding will establish a remote port on the server that you deploy sish to and will forward all connections to that port through the SSH connection and to your local device. For example, if I was to run a SSH server on my laptop with port 22 and want to be able to access it from anywhere at tuns.sh:2222, I can use an SSH command on my laptop like so to forward the connection:

1ssh -R 2222:localhost:22 tuns.sh

I can use the forwarded connection to then access my laptop from anywhere:

1ssh -p 2222 tuns.sh

# TCP Alias

Let's say instead I don't want the service to be accessible by the rest of the world, you can then use a TCP alias. A TCP alias is a type of forwarded TCP connection that only exists inside of sish. You can gain access to the alias by using SSH with the -W flag, which will forwarding the SSH process' stdin/stdout to the fowarded TCP connection. In combination with authentication, this will guarantee your remote service is safe from the rest of the world because you need to login to sish before you can access it. Changing the example above for this would mean running the following command on my laptop:

1ssh -R mylaptop:22:localhost:22 tuns.sh

sish won't publish port 22 or 2222 to the rest of the world anymore, instead it'll retain a pointer saying that TCP connections made from within SSH after a user has authenticated to mylaptop:22 should be forwarded to the forwarded TCP tunnel. Then I can use the forwarded connection access my laptop from anywhere using:

1ssh -o ProxyCommand="ssh -W %h:%p tuns.sh" mylaptop

Shorthand for which is this with newer SSH versions:

1ssh -J tuns.sh mylaptop

You can also use TCP aliases with any port you would like. If for example you wanted to use an alias with port 80 or 443 (default to a HTTP tunnel), provide the command tcp-alias=true to the ssh command:

1ssh -R service:80:localhost:80 tuns.sh tcp-alias=true

Aliases can be accessed on a different computer using SSH local forwards also. For the above, I could use:

1ssh -L 80:service:80 tuns.sh

to then access the forwarded server service at localhost:80 on the client side of the computer I am on.

# SNI

Sometimes, you may have multiple TCP services running on the same port. If these services support SNI, you can have sish route TLS connections to different backends based on the SNI name provided. For example, I have two webservices (servers) and I want to offload TLS to each without sish offloading SSL. This can be achieved by disabling sish's internal HTTPS service (you won't be able to use the service console for this however). Then, I can start a ssh connection from each server like so:

From server A

1ssh -R servera.example.com:443:localhost:443 tuns.sh sni-proxy=true

From server B

1ssh -R serverb.example.com:443:localhost:443 tuns.sh sni-proxy=true

As long as server{a,b}.example.com points to where sish is hosted and a user can bind those hosts, TLS connections to servera.example.com:443 will be forwarded to server A and TLS connections to serverb.example.com:443 will be forwarded to server B. It is then up to each server to complete the TLS handshake and the subsequent request.

<< PREV
How it Works
NEXT >>
Cheatsheet
Home
Sitemap
Getting Started
How it Works
Forwarding Types
Cheatsheet
CLI
Advanced
FAQ