Getting Started

Learn how to use sish

We have a managed service and three officially supported self-hosting deployments for sish.

Here are the guides related to self-hosting sish.

# Managed

The easiest way to get started with using sish is to use our managed service at This service manages sish for you so you don't have to go through the process of setting sish up yourself.


To use sish, you need to add a wildcard DNS record that is used for multiplexed subdomains. Adding an A record with * as the subdomain to the IP address of your server is the simplest way to achieve this configuration.

For the purposes of our guides, we will use as our domain.

# Docker Compose

You can use Docker Compose to setup your sish instance. This includes taking care of SSL via Let's Encrypt for you. This uses the adferrand/dnsrobocert container to handle issuing wildcard certifications over DNS. For more information on how to use this, head to that link above.

We use sish/deploy in our deployment of and are using them for this guide.

Clone the sish repo:

1git clone

Then copy the sish/deploy folder:

1cp -R sish/deploy ~/sish

Edit ~/sish/docker-compose.yml and ~/sish/le-config.yml file with your domain and DNS auth info.

Then, create a symlink that points to your domain's Let's Encrypt certificates like:

1ln -s /etc/letsencrypt/live/<your domain>/fullchain.pem deploy/ssl/<your domain>.crt
2ln -s /etc/letsencrypt/live/<your domain>/privkey.pem deploy/ssl/<your domain>.key

Careful: the symlinks need to point to /etc/letsencrypt, not a relative path. The symlinks will not resolve on the host filesystem, but they will resolve inside of the sish container because it mounts the letsencrypt files in /etc/letsencrypt, not ./letsencrypt.

Finally, you can deploy your service like so:

1docker-compose -f deploy/docker-compose.yml up -d

SSH to your host to communicate with sish

1ssh -p 2222 -R 80:localhost:8080

# Docker

Find our latest releases.

Pull the Docker image

1docker pull antoniomika/sish:latest

Create folders to host your keys

1mkdir -p ~/sish/ssl ~/sish/keys ~/sish/pubkeys

Copy your public keys to pubkeys

1cp ~/.ssh/ ~/sish/pubkeys

Run the image

 1docker run -itd --name sish \
 2  -v ~/sish/ssl:/ssl \
 3  -v ~/sish/keys:/keys \
 4  -v ~/sish/pubkeys:/pubkeys \
 5  --net=host antoniomika/sish:latest \
 6  --ssh-address=:2222 \
 7  --http-address=:80 \
 8  --https-address=:443 \
 9  --https=true \
10  --https-certificate-directory=/ssl \
11  --authentication-keys-directory=/pubkeys \
12  --private-keys-directory=/keys \
13  --bind-random-ports=false \

SSH to your host to communicate with sish

1ssh -p 2222 -R 80:localhost:8080

# Google Cloud Platform

There is a tutorial for creating an instance in Google Cloud Platform with sish fully setup that can be found here. It can be accessed through Google Cloud Shell.

Open in Cloud Shell

# Authentication

If you want to use this service privately, it supports both public key and password authentication. To enable authentication, set --authentication=true as one of your CLI options and be sure to configure --authentication-password or --authentication-keys-directory to your liking. The directory provided by --authentication-keys-directory is watched for changes and will reload the authorized keys automatically. The authorized cert index is regenerated on directory modification, so removed public keys will also automatically be removed. Files in this directory can either be single key per file, or multiple keys per file separated by newlines, similar to authorized_keys. Password auth can be disabled by setting --authentication-password="" as a CLI option.

One of my favorite ways of using this for authentication is like so:

1sish@sish0:~/sish/pubkeys# curl > antoniomika

This will load my public keys from GitHub, place them in the directory that sish is watching, and then load the pubkey. As soon as this command is run, I can SSH normally and it will authorize me.

How it Works
Getting Started
How it Works
Forwarding Types