Secure Ephemeral Tunnels
Secure, ephemeral reverse proxy tunnels for developers. Expose your local development server to the internet with a secure, time-limited URL. Perfect for testing webhooks, sharing work-in-progress with clients, quick demos, or developing APIs.
Get started in seconds
ssrok 3000 → Expose localhost:3000
ssrok localhost:8080 → Custom host:port
ssrok 192.168.1.5:8000 → LAN server
Everything you need for secure tunneling.
Fast, secure, and ephemeral: ssrok gives you public URLs that auto-expire, with built-in rate limiting and optional password protection.
Architecture
How ssrok creates secure tunnels between your local server and the public internet
┌─────────────┐     WebSocket/yamux     ┌─────────────┐      HTTP      ┌─────────────┐
│   Client    │ ◄─────────────────────► │   Server    │ ◄────────────► │   Visitor   │
│ (ssrok CLI) │     Token Required      │    (:80)    │   Token/Pass   │  (Browser)  │
└──────┬──────┘                         └─────────────┘                └─────────────┘
       │
       └──── localhost:3000
Client
Your machine running ssrok CLI
Server
ssrok server (your instance or ssrok.onrender.com)
Visitor
Anyone accessing your public URL
REST API
Create tunnels programmatically via the REST API for CI/CD pipelines and automated workflows.
Request
curl -X POST https://your-server.com/api/register \
  -H "Content-Type: application/json" \
  -d '{
    "port": 3000,
    "password": "optional",
    "rate_limit": 60,
    "use_tls": false,
    "expires_in": "1h"
  }'
Response
{
  "uuid": "abc123",
  "url": "https://your-server.com/abc123",
  "token": "xyz789",
  "expires_in": "1h0m0s"
}
Connect via WebSocket
wss://your-server.com/ws/abc123?token=xyz789
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| port | int | Yes | Local port to tunnel |
| password | string | No | Optional password protection |
| rate_limit | int | No | Requests per minute (0=unlimited) |
| use_tls | bool | No | Enable TLS for local connection |
| expires_in | string | No | Duration (e.g. "1h", "30m") |
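A pre-flight check for the registration request above, as an added example (not ssrok's own code): it flags request bodies that leave the tunnel without a password, with an unlimited or unset rate limit, or with a long or unset lifetime, and it masks the token before the WebSocket URL is logged. The policy limits, the function names and the `REDACTED` marker are assumptions; the duration parser covers only the h/m/s forms shown on this page.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed CI policy, not ssrok defaults: cap lifetime at 1h, rate at 60 req/min.
MAX_LIFETIME_S = 3600
MAX_RATE_LIMIT = 60
_UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Seconds for the h/m/s forms shown on the page: "1h", "30m", "1h0m0s"."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def _int_in(value, lo, hi):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi

def check_register_body(body):
    """Return policy findings for a /api/register request body (empty = OK)."""
    findings = []
    if not _int_in(body.get("port"), 1, 65535):
        findings.append("port: required integer in 1-65535")
    if not body.get("password"):
        findings.append("password: unset, the public URL has no password gate")
    # Require an explicit value: the page documents 0 as unlimited.
    if not _int_in(body.get("rate_limit"), 1, MAX_RATE_LIMIT):
        findings.append(f"rate_limit: set explicitly to 1-{MAX_RATE_LIMIT}")
    try:
        if parse_duration(body.get("expires_in", "")) > MAX_LIFETIME_S:
            findings.append(f"expires_in: exceeds {MAX_LIFETIME_S}s policy maximum")
    except (ValueError, TypeError):
        findings.append('expires_in: set explicitly, e.g. "30m"')
    return findings

def redact_ws_url(url):
    """Mask the token query parameter so the URL can be written to CI logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    sample = {"port": 3000, "rate_limit": 0, "expires_in": "24h"}  # constructed
    for finding in check_register_body(sample):
        print("POLICY:", finding)
    print(redact_ws_url("wss://your-server.com/ws/abc123?token=xyz789"))
```

Run `check_register_body` on the JSON body before the `curl` call and fail the pipeline step when it returns any findings.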
Security Features
- Token Authentication: Required for all connections to prevent unauthorized usage
- Password Protection: Optional SHA256 password protection for your public URLs
- Rate Limiting: Built-in DDoS prevention (default: 60 req/min/IP), fully configurable
- Brute Force Protection: IP banning after 5 failed authentication attempts (15 min ban)
- Audit Logging: Comprehensive logs for all security-critical events
Limitations
- 100MB Body Limit: Maximum allowed request body size (e.g. file uploads)
- Set-Cookie stripped: Cookie-based sessions will not persist immediately on the tunnel domain. Use JWT/Bearer tokens for API authentication
- Strict-Transport-Security (HSTS) stripped from responses
- Content-Security-Policy (CSP) stripped from responses
- X-Frame-Options & X-Xss-Protection stripped from responses
Environment Variables
| Variable | Default | Description |
|---|---|---|
| PORT | 80 | Server listen port |
| SSROK_SERVER | localhost | Public hostname |
| SSROK_ENABLE_TLS | false | Enable built-in TLS |
| REDIS_HOST | (none) | Redis host (optional) |
| REDIS_PORT | 6379 | Redis port |
Self-Hosting
Host your own ssrok server for complete control over your data and infrastructure
1. Build the Server: Run `make build-server` to generate the ssrok-server binary
2. Deploy: Upload the ssrok-server binary to your VPS or cloud server
3. Run: Execute the binary on your server
4. Configure: Set environment variables to match your domain
Ready to tunnel?
Install ssrok and start sharing your local servers in seconds.
Or use Homebrew: brew tap selcuksarikoz/ssrok && brew install ssrok