sish
SHA-256Open source SSH tunneling for HTTP(S), WS(S), TCP, aliases, and SNI. Self-host ngrok/serveo alternative using plain SSH.
Smart Download
Download Download Version
v2.22.1 · 12.8 MB
Expose local services over SSH with zero config — no client needed, full control.
Core Features
- No custom client, uses native SSH command
- HTTP/HTTPS/WebSocket/TCP tunnel support
- Private TCP aliases accessible only via authenticated SSH
- SNI proxy for TLS routing without termination
- Optional load balancing for HTTP/TCP/SNI
What It Can't Do
- •Self-hosting requires a public IP and domain, and ports 80/443 (or custom). 2. HTTP tunnels use random subdomains by default; specify a fixed name with -R myapp:80:... . 3. Private TCP aliases require SSH proxy jump; manage keys carefully. 4. UDP forwarding is not supported — only TCP.
Use Cases
- Share a local web app instantly over HTTPS
- Expose a TCP service to a fixed or random external port
- Create private TCP aliases only reachable through authenticated SSH
- Route TLS traffic by SNI to multiple backends without termination
Detailed Introduction
sish is an SSH server that forwards and multiplexes connections. Users connect with standard SSH commands, no custom client needed. It supports public and private tunnels, HTTP(S), WebSocket(S), TCP forwarding, TCP aliases, SNI-based routing, and optional load balancing. Designed for production self-hosting with Docker and binary releases. Perfect for exposing local services securely or sharing apps over HTTPS.
Troubleshooting & FAQ (1)
TroubleshootingHow to prevent sish from closing idle WebSocket connections after 60 seconds?
Sish enforces an idle connection timeout (default 60s) on WebSocket connections. If your application sends real data but sish doesn't recognize it as non-idle, the connection will be closed. Solutions: (1) Disable the timeout completely with --idle-connection=false. (2) Set a higher timeout (e.g., --idle-connection-timeout=1h). (3) Implement a client-side heartbeat or ping command over the WebSocket to keep the connection active, which is the recommended long-term approach.
Tags
Getting Started
Download installer
Click the button above to download the installer for your system
Install the software
Double-click the downloaded installer and follow the prompts
Step 1: Try the managed service: `ssh -R 80:localhost:8080 tuns.sh`
Step 2: Self-host with Docker: pull image, prepare directories for SSL/keys/pubkeys
Step 3: Run container with --net=host, configure domain and ports
- Step 1: Try the managed service: `ssh -R 80:localhost:8080 tuns.sh`
- Step 2: Self-host with Docker: pull image, prepare directories for SSL/keys/pubkeys
- Step 3: Run container with --net=host, configure domain and ports
SHA-256 checksum verified
Checksum extracted from GitHub official Release page
SHA256 Checksum
76a75d58ba98beaa663762d72683290d428ebc2216419c98508ad7cedf5e2275This checksum is extracted from the GitHub Release page. Verify file integrity after download.
All SHA-256 checksums on this platform are extracted from the project's official GitHub Release page, without any modification. You can independently verify them on the GitHub Releases page.
Open Source Transparency
View GitHub SourceUninstall Info
For Docker: `docker stop sish && docker rm sish` then delete ~/sish directory. For binary: just remove the executable and config.
No Extra Dependencies
Ready to use after download. No additional runtime required.
Having issues? Check the FAQ below
1 FAQ
Similar Projects
code-server
Run VS Code in your browser, on any device with a consistent development environment.
traefik
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
pocketbase
PocketBase is an open source Go backend that includes embedded SQLite with realtime subscriptions, built-in file & user management, admin dashboard UI, and simple REST API. Can be used as standalone app or Go framework.