Skip to content
Klutch.sh Docs

Deploying sish

Introduction

sish is an open-source SSH tunneling service that lets you expose local servers to the internet, similar to ngrok but fully self-hosted. Written in Go, sish provides HTTP(S) and TCP tunneling through standard SSH connections, making it easy to share local development servers, demo applications, or access services behind NAT.

Using only SSH, sish requires no special client software - standard OpenSSH works perfectly. This makes it accessible from any system with SSH capabilities and eliminates the need for proprietary clients or accounts.

Key highlights of sish:

  • SSH-Based: Uses standard SSH for all tunneling - no special clients needed
  • HTTP/HTTPS Tunnels: Expose local web servers with automatic HTTPS
  • TCP Tunnels: Forward arbitrary TCP ports
  • Custom Subdomains: Request specific subdomains for your tunnels
  • Authentication: SSH key-based authentication for security
  • WebSocket Support: Full WebSocket proxying for real-time applications
  • Load Balancing: Multiple clients can share the same subdomain
  • Rate Limiting: Configurable limits to prevent abuse
  • Let’s Encrypt: Automatic HTTPS certificate provisioning
  • Prometheus Metrics: Built-in observability
  • Lightweight: Minimal resource footprint
  • Open Source: MIT licensed

This guide walks through deploying sish on Klutch.sh using Docker, configuring the service, and setting up tunnels for your local applications.

Why Deploy sish on Klutch.sh

Deploying sish on Klutch.sh provides several advantages for tunneling:

Simplified Deployment: Klutch.sh automatically detects your Dockerfile and builds sish without complex orchestration. Push to GitHub, and your tunnel server deploys automatically.

Persistent Storage: Attach persistent volumes for SSH keys and configuration. Your setup survives container restarts.

HTTPS by Default: Klutch.sh provides automatic SSL certificates for your tunnel endpoint.

GitHub Integration: Connect your configuration repository directly from GitHub. Updates trigger automatic redeployments.

Custom Domains: Use your own domain for professional tunnel URLs.

Scalable Resources: Handle multiple concurrent tunnels with appropriate resources.

Always-On Availability: Your tunnel server runs 24/7, ready for connections.

Prerequisites

Before deploying sish on Klutch.sh, ensure you have:

  • A Klutch.sh account
  • A GitHub account with a repository for your sish configuration
  • Basic familiarity with Docker and SSH concepts
  • SSH key pairs for authentication
  • A custom domain (recommended for proper subdomain tunneling)
  • DNS control for wildcard subdomains

Understanding sish Architecture

sish operates as an SSH server with tunneling capabilities:

SSH Server: Accepts SSH connections and establishes tunnels based on port forwarding requests.

HTTP Router: Routes incoming HTTP requests to appropriate tunnels based on hostname.

TCP Forwarder: Forwards TCP connections on allocated ports to tunnel clients.

Certificate Manager: Handles Let’s Encrypt certificate provisioning for HTTPS.

Preparing Your Repository

To deploy sish on Klutch.sh, create a GitHub repository with your configuration.

Repository Structure

sish-deploy/
├── Dockerfile
├── .dockerignore
└── README.md

Creating the Dockerfile

Create a Dockerfile in the root of your repository:

FROM antoniomika/sish:latest


# The application is configured via command-line flags and environment variables
# Configuration happens through Klutch.sh settings


# Create directories
RUN mkdir -p /data /keys


# Expose ports
# SSH server
EXPOSE 2222
# HTTP
EXPOSE 80
# HTTPS
EXPOSE 443


# Default entrypoint handles configuration

Creating the .dockerignore File

Create a .dockerignore file:

.git
.github
*.md
LICENSE
.gitignore
*.log
.DS_Store

Environment Variables Reference

VariableRequiredDescription
SISH_SSH_ADDRESSNoSSH listen address (default: :2222)
SISH_HTTP_ADDRESSNoHTTP listen address (default: :80)
SISH_HTTPS_ADDRESSNoHTTPS listen address (default: :443)
SISH_DOMAINYesPrimary domain for tunnels
SISH_PRIVATE_KEY_PASSPHRASENoPassphrase for SSH host key
SISH_AUTHENTICATIONNoEnable SSH key authentication
SISH_AUTHENTICATION_KEYS_DIRECTORYNoDirectory for authorized keys

Deploying sish on Klutch.sh

Once your repository is prepared, follow these steps to deploy sish:

    Configure DNS

    Before deployment, configure DNS for your domain:

    1. Add an A record pointing your domain to your Klutch.sh app IP
    2. Add a wildcard A record (*.yourdomain.com) for subdomain tunnels

    Push Your Repository to GitHub

    Initialize your repository and push to GitHub:

    Terminal window
    git init
    git add Dockerfile .dockerignore README.md
    git commit -m "Initial sish deployment configuration"
    git remote add origin https://github.com/yourusername/sish-deploy.git
    git push -u origin main

    Create a New Project on Klutch.sh

    Navigate to the Klutch.sh dashboard and create a new project. Give it a descriptive name like “sish” or “tunnel-server”.

    Create a New App

    Within your project, create a new app. Connect your GitHub account if you haven’t already, then select the repository containing your sish Dockerfile.

    Configure Network Ports

    sish requires multiple ports:

    • Port 2222: SSH server (TCP)
    • Port 80: HTTP traffic
    • Port 443: HTTPS traffic

    Configure these in your deployment settings.

    Set Environment Variables

    In the environment variables section, configure sish:

    VariableValue
    SISH_DOMAINtunnel.yourdomain.com
    SISH_SSH_ADDRESS:2222
    SISH_HTTP_ADDRESS:80
    SISH_HTTPS_ADDRESS:443
    SISH_AUTHENTICATIONtrue

    Attach Persistent Volumes

    Add volumes for persistent data:

    Mount PathRecommended SizePurpose
    /data1 GBSSL certificates and data
    /keys100 MBSSH host keys and authorized keys

    Deploy Your Application

    Click Deploy to start the build process. Klutch.sh will:

    • Build the container image
    • Attach the persistent volumes
    • Start the sish server
    • Provision SSL certificates

    Generate SSH Host Key

    On first run, sish generates an SSH host key. For persistent keys, create one manually:

    Terminal window
    ssh-keygen -t ed25519 -f /keys/ssh_key -N ""

    Configure Authorized Keys

    For authenticated access, add public keys to /keys/authorized_keys.

    Verify Deployment

    Test SSH connectivity:

    Terminal window
    ssh -p 2222 tunnel.yourdomain.com

Using sish Tunnels

HTTP Tunnel

Expose a local web server:

Terminal window
# Expose local port 3000 with random subdomain
ssh -R 80:localhost:3000 -p 2222 tunnel.yourdomain.com


# Request specific subdomain
ssh -R myapp:80:localhost:3000 -p 2222 tunnel.yourdomain.com

Your local server is now accessible at https://myapp.tunnel.yourdomain.com

TCP Tunnel

Forward a TCP port:

Terminal window
# Forward local port 5432 (PostgreSQL)
ssh -R 0:localhost:5432 -p 2222 tunnel.yourdomain.com

sish will assign a random port and display it in the connection output.

Multiple Tunnels

Create multiple tunnels in one connection:

Terminal window
ssh -R web:80:localhost:3000 \
    -R api:80:localhost:8080 \
    -p 2222 tunnel.yourdomain.com

Persistent Connections

For reliable tunnels, use autossh:

Terminal window
autossh -M 0 -f -N \
    -R myapp:80:localhost:3000 \
    -p 2222 tunnel.yourdomain.com

Configuration Options

Authentication

Enable SSH key authentication:

SISH_AUTHENTICATION=true
SISH_AUTHENTICATION_KEYS_DIRECTORY=/keys

Add authorized public keys to /keys/authorized_keys.

Rate Limiting

Configure rate limits:

SISH_HTTP_REQUEST_LIMIT=60
SISH_HTTP_REQUEST_LIMIT_DURATION=60s

Custom Subdomains

Allow or restrict subdomain patterns:

SISH_BANNED_SUBDOMAINS=admin,api,www
SISH_FORCE_RANDOM_SUBDOMAINS=false

Production Best Practices

Security Recommendations

  • Enable Authentication: Require SSH key authentication
  • Restrict Subdomains: Ban sensitive subdomain names
  • Rate Limiting: Prevent abuse with request limits
  • Key Rotation: Periodically rotate SSH host keys

Monitoring

  • Prometheus Metrics: Enable metrics endpoint for monitoring
  • Logging: Configure appropriate log levels
  • Connection Tracking: Monitor active tunnels

Backup Strategy

  1. SSH Keys: Back up /keys directory
  2. Authorized Keys: Keep authorized_keys in version control
  3. Configuration: Document all settings

Troubleshooting Common Issues

Cannot Connect via SSH

Symptoms: SSH connection is refused or times out.

Solutions:

  • Verify port 2222 is accessible
  • Check SSH host key is generated
  • Verify network configuration

Tunnels Not Accessible

Symptoms: HTTP tunnels return errors.

Solutions:

  • Verify DNS wildcard is configured
  • Check SSL certificate provisioning
  • Ensure local service is running

Subdomain Already Taken

Symptoms: Requested subdomain is unavailable.

Solutions:

  • Use a different subdomain
  • Check if another tunnel is using it
  • Enable force random subdomains

Additional Resources

Conclusion

Deploying sish on Klutch.sh gives you a self-hosted tunnel service with automatic builds, persistent storage, and secure HTTPS access. The combination of sish’s SSH-based tunneling and Klutch.sh’s deployment simplicity means you can expose local services without third-party dependencies.

With HTTP, HTTPS, and TCP tunnel support, sish handles development sharing, demonstrations, and remote access scenarios. The standard SSH interface means any device with SSH can create tunnels without special software.

Whether you’re sharing development work with clients or accessing services behind NAT, sish on Klutch.sh provides the reliable foundation for self-hosted tunneling.