Getting Started

Learn how to use sish


We have a managed service and three officially supported self-hosting deployments for sish.

Here are the guides related to self-hosting sish.

# Managed

The easiest way to get started with using sish is to use our managed service at tuns.sh. This service manages sish for you so you don't have to go through the process of setting sish up yourself.

# DNS

To use sish, you need to add a wildcard DNS record that is used for multiplexed subdomains. Adding an A record with * as the subdomain to the IP address of your server is the simplest way to achieve this configuration.

For the purposes of our guides, we will use tuns.sh as our domain.

# Docker Compose

You can use Docker Compose to setup your sish instance. This includes taking care of SSL via Let's Encrypt for you. This uses the adferrand/dnsrobocert container to handle issuing wildcard certifications over DNS. For more information on how to use this, head to that link above.

We use sish/deploy in our deployment of tuns.sh and are using them for this guide.

Clone the sish repo:

1git clone git@github.com:antoniomika/sish.git

Then copy the sish/deploy folder:

1cp -R sish/deploy ~/sish

Edit ~/sish/docker-compose.yml and ~/sish/le-config.yml file with your domain and DNS auth info.

Then, create a symlink that points to your domain's Let's Encrypt certificates like:

1ln -s /etc/letsencrypt/live/<your domain>/fullchain.pem deploy/ssl/<your domain>.crt
2ln -s /etc/letsencrypt/live/<your domain>/privkey.pem deploy/ssl/<your domain>.key

Careful: the symlinks need to point to /etc/letsencrypt, not a relative path. The symlinks will not resolve on the host filesystem, but they will resolve inside of the sish container because it mounts the letsencrypt files in /etc/letsencrypt, not ./letsencrypt.

Finally, you can deploy your service like so:

1docker-compose -f deploy/docker-compose.yml up -d

SSH to your host to communicate with sish

1ssh -p 2222 -R 80:localhost:8080 tuns.sh

# Docker

Find our latest releases.

Pull the Docker image

1docker pull antoniomika/sish:latest

Create folders to host your keys

1mkdir -p ~/sish/ssl ~/sish/keys ~/sish/pubkeys

Copy your public keys to pubkeys

1cp ~/.ssh/id_ed25519.pub ~/sish/pubkeys

Run the image

 1docker run -itd --name sish \
 2  -v ~/sish/ssl:/ssl \
 3  -v ~/sish/keys:/keys \
 4  -v ~/sish/pubkeys:/pubkeys \
 5  --net=host antoniomika/sish:latest \
 6  --ssh-address=:2222 \
 7  --http-address=:80 \
 8  --https-address=:443 \
 9  --https=true \
10  --https-certificate-directory=/ssl \
11  --authentication-keys-directory=/pubkeys \
12  --private-keys-directory=/keys \
13  --bind-random-ports=false \
14  --domain=tuns.sh

SSH to your host to communicate with sish

1ssh -p 2222 -R 80:localhost:8080 tuns.sh

# Google Cloud Platform

There is a tutorial for creating an instance in Google Cloud Platform with sish fully setup that can be found here. It can be accessed through Google Cloud Shell.

Open in Cloud Shell

# Authentication

If you want to use this service privately, it supports both public key and password authentication. To enable authentication, set --authentication=true as one of your CLI options and be sure to configure --authentication-password or --authentication-keys-directory to your liking. The directory provided by --authentication-keys-directory is watched for changes and will reload the authorized keys automatically. The authorized cert index is regenerated on directory modification, so removed public keys will also automatically be removed. Files in this directory can either be single key per file, or multiple keys per file separated by newlines, similar to authorized_keys. Password auth can be disabled by setting --authentication-password="" as a CLI option.

One of my favorite ways of using this for authentication is like so:

1sish@sish0:~/sish/pubkeys# curl https://github.com/antoniomika.keys > antoniomika

This will load my public keys from GitHub, place them in the directory that sish is watching, and then load the pubkey. As soon as this command is run, I can SSH normally and it will authorize me.

<< PREV
Sitemap
NEXT >>
How it Works
Home
Sitemap
Getting Started
How it Works
Forwarding Types
Cheatsheet
CLI
Advanced
FAQ