Commit
Showing 31 changed files with 3,658 additions and 585 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
name: docs | ||
on: | ||
push: | ||
branches: | ||
- main | ||
jobs: | ||
docs: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Set outputs | ||
id: vars | ||
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | ||
- uses: actions/setup-go@v4 | ||
with: | ||
go-version: '1.21' | ||
- name: build docs site | ||
run: make ssg | ||
- name: publish to pgs | ||
uses: picosh/pgs-action@v3 | ||
with: | ||
user: hey | ||
key: ${{ secrets.PRIVATE_KEY }} | ||
src: './public/' | ||
project: "sish-${{ steps.vars.outputs.sha_short }}" | ||
promote: "sish-prod" | ||
retain: "sish-" |
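Review bot: `picosh/pgs-action@v3` in the publish step receives `secrets.PRIVATE_KEY` but is referenced by a mutable tag, as are `actions/checkout@v3` and `actions/setup-go@v4`; pin each `uses:` to a full commit SHA so that a moved tag cannot run different code with the key. The workflow also has no `permissions:` block, and since the job only checks out, builds and publishes with its own key, a top-level `permissions:` with `contents: read` would keep the default token at least privilege. Minor: quote the redirect target as `"$GITHUB_OUTPUT"` in the Set outputs step.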
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,3 +2,5 @@ deploy/ | |
dist/ | ||
sish | ||
__debug_bin | ||
docs/public/* | ||
!docs/public/.gitkeep |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
clean: | ||
rm -rf ./docs/public/* | ||
echo "" > ./docs/public/.gitkeep | ||
.PHONY: clean | ||
|
||
ssg: | ||
go run ./docs/cmd | ||
cp ./docs/static/* ./docs/public | ||
.PHONY: ssg | ||
|
||
docs: ssg | ||
rsync -vr ./docs/public/ [email protected]:/sish-local | ||
.PHONY: docs | ||
|
||
dev: | ||
go run main.go --http-address localhost:3000 --domain testing.ssi.sh | ||
.PHONY: dev |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
package main | ||
|
||
import ( | ||
"github.com/picosh/pdocs" | ||
) | ||
|
||
func main() { | ||
pager := pdocs.Pager("./docs/posts") | ||
sitemap := []*pdocs.Sitemap{ | ||
{Text: "Marketing", Href: "/", Page: pager("marketing.md")}, | ||
{ | ||
Text: "Getting Started", | ||
Href: "/getting-started", | ||
Page: pager("getting-started.md"), | ||
Children: []*pdocs.Sitemap{ | ||
{Text: "Managed"}, | ||
{Text: "Docker"}, | ||
{Text: "Docker Compose"}, | ||
{Text: "Google Cloud Platform"}, | ||
{Text: "Authentication"}, | ||
{Text: "DNS Setup"}, | ||
}, | ||
}, | ||
{ | ||
Text: "How it Works", | ||
Href: "/how-it-works", | ||
Page: pager("how-it-works.md"), | ||
Children: []*pdocs.Sitemap{ | ||
{Text: "Port Forward"}, | ||
{Text: "Traditional VPN"}, | ||
{Text: "sish Public"}, | ||
{Text: "sish Private"}, | ||
{Text: "Additional Details"}, | ||
}, | ||
}, | ||
{ | ||
Text: "Forwarding Types", | ||
Href: "/forwarding-types", | ||
Page: pager("forwarding-types.md"), | ||
Children: []*pdocs.Sitemap{ | ||
{Text: "HTTP"}, | ||
{Text: "TCP"}, | ||
{Text: "TCP Alias"}, | ||
{Text: "SNI"}, | ||
}, | ||
}, | ||
{ | ||
Text: "Cheatsheet", | ||
Href: "/cheatsheet", | ||
Page: pager("cheatsheet.md"), | ||
Children: []*pdocs.Sitemap{ | ||
{Text: "HTTPS public access"}, | ||
{Text: "HTTPS private access"}, | ||
{Text: "Websocket"}, | ||
{Text: "TCP public access"}, | ||
{Text: "TCP private access"}, | ||
}, | ||
}, | ||
{Text: "CLI", Href: "/cli", Page: pager("cli.md")}, | ||
{ | ||
Text: "Advanced", | ||
Href: "/advanced", | ||
Page: pager("advanced.md"), | ||
Children: []*pdocs.Sitemap{ | ||
{Text: "Choose your own subdomain"}, | ||
{Text: "Websocket Support"}, | ||
{Text: "Allowlist IPs"}, | ||
{Text: "Custom Domains"}, | ||
{Text: "Load Balancing"}, | ||
}, | ||
}, | ||
{Text: "FAQ", Href: "/faq", Page: pager("faq.md")}, | ||
} | ||
|
||
config := &pdocs.DocConfig{ | ||
Sitemap: sitemap, | ||
Out: "./docs/public", | ||
Tmpl: "./docs/tmpl", | ||
PageTmpl: "post.page.tmpl", | ||
} | ||
|
||
err := config.GenSite() | ||
if err != nil { | ||
panic(err) | ||
} | ||
} |
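Review bot: the `Children` entries carry only `Text`, and two of them under "Advanced" differ in case from the headings added to advanced.md in this same commit (`Custom Domains` against `## Custom domains`, `Load Balancing` against `## Load balancing`); if the child links are derived from `Text`, confirm they resolve to the heading anchors, or align the strings. The paths `./docs/posts`, `./docs/public` and `./docs/tmpl` are relative to the working directory, so the generator only works when run from the repository root as the Makefile does; a short comment above `pdocs.Pager` saying so would help. `main` has no doc comment describing what the command generates.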
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
--- | ||
title: Advanced | ||
description: How to customize sish | ||
keywords: [sish, advanced, custom, domains, load, balancing, allowlist, ip] | ||
--- | ||
|
||
## Choose your own subdomain | ||
|
||
You can choose your own subdomain instead of relying on a randomly assigned one | ||
by setting the `--bind-random-subdomains` option to `false` and then selecting a | ||
subdomain by prepending it to the remote port specifier: | ||
|
||
`ssh -p 2222 -R foo:80:localhost:8080 tuns.sh` | ||
|
||
If the selected subdomain is not taken, it will be assigned to your connection. | ||
|
||
## Websocket Support | ||
|
||
The service supports multiplexing connections over HTTP/HTTPS with WebSocket | ||
support. Just assign a remote port as port `80` to proxy HTTP traffic and `443` | ||
to proxy HTTPS traffic. If you use any other remote port, the server will listen | ||
to the port for TCP connections, but only if that port is available. | ||
|
||
## Allowlist IPs | ||
|
||
Whitelisting IP ranges or countries is also possible. Whole CIDR ranges can be | ||
specified with the `--whitelisted-ips` option that accepts a comma-separated | ||
string like "192.30.252.0/22,185.199.108.0/22". If you want to whitelist a | ||
single IP, use the `/32` range. | ||
|
||
To whitelist countries, use `--whitelisted-countries` with a comma-separated | ||
string of countries in ISO format (for example, "pt" for Portugal). You'll also | ||
need to set `--geodb` to `true`. | ||
|
||
## Custom domains | ||
|
||
sish supports allowing users to bring custom domains to the service, but SSH key | ||
auth is required to be enabled. To use this feature, you must setup TXT and | ||
CNAME/A records for the domain/subdomain you would like to use for your | ||
forwarded connection. The CNAME/A record must point to the domain or IP that is | ||
hosting sish. The TXT record must be be a `key=val` string that looks like: | ||
|
||
```text | ||
sish=SSHKEYFINGERPRINT | ||
``` | ||
|
||
Where `SSHKEYFINGERPRINT` is the fingerprint of the key used for logging into | ||
the server. You can set multiple TXT records and sish will check all of them to | ||
ensure at least one is a match. You can retrieve your key fingerprint by | ||
running: | ||
|
||
```bash | ||
ssh-keygen -lf ~/.ssh/id_rsa | awk '{print $2}' | ||
``` | ||
|
||
If you trust the users connecting to sish and would like to allow any domain to | ||
be used with sish (bypassing verification), there are a few added flags to aid | ||
in this. This is especially useful when adding multiple wildcard certificates to | ||
sish in order to not need to automatically provision Let's Encrypt certs. To | ||
disable verfication, set `--bind-any-host=true`, which will allow and | ||
subdomain/domain combination to be used. To only allow subdomains of a certain | ||
subset of domains, you can set `--bind-hosts` to a comma separated list of | ||
domains that are allowed to be bound. | ||
|
||
To add certficates for sish to use, configure the | ||
`--https-certificate-directory` flag to point to a dir that is accessible by | ||
sish. In the directory, sish will look for a combination of files that look like | ||
`name.crt` and `name.key`. `name` can be arbitrary in either case, it just needs | ||
to be unique to the cert and key pair to allow them to be loaded into sish. | ||
|
||
## Load balancing | ||
|
||
sish can load balance any type of forwarded connection, but this needs to be | ||
enabled when starting sish using the `--http-load-balancer`, | ||
`--tcp-load-balancer`, and `--alias-load-balancer` flags. Let's say you have a | ||
few edge nodes (raspberry pis) that are running a service internally but you | ||
want to be able to balance load across these devices from the outside world. By | ||
enabling load balancing in sish, this happens automatically when a device with | ||
the same forwarded TCP port, alias, or HTTP subdomain connects to sish. | ||
Connections will then be evenly distributed to whatever nodes are connected to | ||
sish that match the forwarded connection. |
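Review bot: in the "Custom domains" section the sentence for `--bind-any-host=true` reads "will allow and subdomain/domain combination", which should be "any"; since this is the flag that bypasses the TXT-record ownership check, the wording should be exact and should state plainly that with it set any connected user can bind any hostname. The same section has "must be be", "verfication" and "certficates". The "Allowlist IPs" heading is followed by body text that says "Whitelisting" and "whitelist"; keep the flag names `--whitelisted-ips` and `--whitelisted-countries` as they are but use one term in the prose. "ISO format" for country codes should name the standard and code length the flag expects. The subdomain example uses `ssh -p 2222 ... tuns.sh` while the cheatsheet examples in this commit omit `-p`; pick one form.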
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
--- | ||
title: Cheatsheet | ||
description: sish usage reference | ||
keywords: [sish, reference, cheatsheet] | ||
--- | ||
|
||
[More info about forwarding types](/forwarding-types) | ||
|
||
## HTTPS public access | ||
|
||
[More info](/forwarding-types#http) | ||
|
||
- Eric has a web server running on `localhost:3000` | ||
- Eric wants to share with anyone | ||
- Tony wants to access it | ||
|
||
Eric sets up remote forward: | ||
|
||
```bash | ||
ssh -R 80:localhost:3000 tuns.sh | ||
``` | ||
|
||
## HTTPS private access | ||
|
||
- Eric has a web server running on `localhost:3000` | ||
- Eric only wants to share with Tony | ||
- Tony wants to access it | ||
|
||
Eric sets up remote forward: | ||
|
||
```bash | ||
ssh -R private:80:localhost:3000 tuns.sh | ||
``` | ||
|
||
Tony sets up local forward: | ||
|
||
```bash | ||
ssh -L 3000:private:80 tuns.sh | ||
``` | ||
|
||
## Websocket | ||
|
||
```bash | ||
ssh -R 443:localhost:443 tuns.sh | ||
``` | ||
|
||
## TCP public access | ||
|
||
```bash | ||
ssh -R 2222:localhost:22 tuns.sh | ||
``` | ||
|
||
I can use the forwarded connection to then access my laptop from anywhere: | ||
|
||
```bash | ||
ssh -p 2222 tuns.sh | ||
``` | ||
|
||
## TCP private access | ||
|
||
[Setup a TCP alias](/forwarding-types#tcp-alias) |
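Review bot: the "HTTPS private access" section says Eric "only wants to share with Tony", but nothing in the two commands shown (`ssh -R private:80:localhost:3000` and `ssh -L 3000:private:80`) identifies Tony, and unlike the public section there is no "More info" link; add a sentence or link explaining what restricts access to the alias, so readers do not assume the alias name alone is the control. Under "TCP public access", `ssh -R 2222:localhost:22 tuns.sh` publishes the laptop's SSH daemon to anyone who can reach the port; the text should say so next to "access my laptop from anywhere". The "Websocket" section has a command with no explanation, and the TCP section switches from the Eric and Tony framing to first person.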