{"id":21703658,"url":"https://github.com/bokysan/socketace","last_synced_at":"2025-04-12T15:12:40.297Z","repository":{"id":65198002,"uuid":"300020729","full_name":"bokysan/socketace","owner":"bokysan","description":"Your ultimate connection proxy. Proxy connections over websockets / UDP / DNS. Wrap connections in SSL/TLS. Auto-connect over best possible channel. ","archived":false,"fork":false,"pushed_at":"2023-02-25T03:18:39.000Z","size":306,"stargazers_count":26,"open_issues_count":2,"forks_count":5,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-12T15:12:33.782Z","etag":null,"topics":["dns","golang","proxy","socket","sockets","socks5","ssh","ssl","tcp","tcp-socket","tls","tunnel","websocket","websocket-server","websockets","wrapper"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bokysan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-30T18:41:22.000Z","updated_at":"2025-03-18T13:50:50.000Z","dependencies_parsed_at":"2024-06-19T02:43:22.390Z","dependency_job_id":"b6758f2e-fa92-4db1-8faf-ae64476d6a6a","html_url":"https://github.com/bokysan/socketace","commit_stats":{"total_commits":65,"total_committers":2,"mean_commits":32.5,"dds":0.0461538461538461,"last_synced_commit":"94278d4d4fbe11b6c237fcf5b8ad1b40db5a730c"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fsocketace","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fsocketace/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fsocketace/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fsocketace/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bokysan","download_url":"https://codeload.github.com/bokysan/socketace/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248586245,"owners_count":21128998,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","golang","proxy","socket","sockets","socks5","ssh","ssl","tcp","tcp-socket","tls","tunnel","websocket","websocket-server","websockets","wrapper"],"created_at":"2024-11-25T21:34:25.062Z","updated_at":"2025-04-12T15:12:40.276Z","avatar_url":"https://github.com/bokysan.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SocketAce \n\n![Build status](https://github.com/bokysan/socketace/workflows/Build%20and%20release/badge.svg) [![Latest commit](https://img.shields.io/github/last-commit/bokysan/socketace)](https://github.com/bokysan/socketace/commits/master) [![Latest release](https://img.shields.io/github/v/release/bokysan/socketace?sort=semver\u0026Label=Latest%20release)](https://github.com/bokysan/socketace/releases) [![Docker image size](https://img.shields.io/docker/image-size/boky/socketace?sort=semver)](https://hub.docker.com/r/boky/socketace/) [![Docker Pulls](https://img.shields.io/docker/pulls/boky/socketace.svg)](https://hub.docker.com/r/boky/socketace/) [![License](https://img.shields.io/github/license/bokysan/socketace)](https://github.com/bokysan/socketace/blob/master/LICENSE) [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fbokysan%2Fsocketace.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fbokysan%2Fsocketace?ref=badge_shield) [![Go Report Card](https://goreportcard.com/badge/github.com/bokysan/socketace)](https://goreportcard.com/report/github.com/bokysan/socketace) ![Go version](https://img.shields.io/github/go-mod/go-version/bokysan/socketace)\n\n\n**Your ultimate connection tunnel.** TCP websocket tunnel. TLS sockets tunnel. Serial connection socket tunnel. One \nexecutable for the client and the server. Multiple platforms supported. Written in [go](https://golang.org).\n\nEver had an issue with restrictive firewalls? Well, this tool will help out. Socketace allows you to tunnel *multiple* \nconnections through:\n- sockets\n- TLS-encrypted sockets (direct replacement for [stunnel](https://www.stunnel.org/))\n- websockets\n- TLS-encrypted websockets\n\nSocketace is mainly meant for restricted environments where the firewall won't allow you to open an SSH connection or\neven won't allow any other traffic other than on port 80 and 443. Socketace is also able to tunnel the connection\nthrough HTTP (websockets) so even firewalls that do deep packet inspection / proxy ports 80 and 443 should work fine.\n\nUnlike other solutions which use [`HTTP CONNECT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) to\nestablish connection, `socketace` will actually overlay the TCP over HTTP.\n\n**DISCLAIMER:** Please note that you are using socketace at your own risk.\n\nSocketAce will use *one pyhiscal connection* and overlay multiple *logical connections* within that connection:\n\n```\n\n +-----------+ +-----------+\n | | | |\n | | | |\n | | | |\n | | +-------------------------------------+ | |\n localhost:1234 -----| | | MULTIPLEXED (SECURE) CONNECTION VIA | | | ----- 1.2.3.4:5555\n | | +-------------------------------------+ | |\n | | | simple sockets (TCP or Unix) | | |\n | SOCKETACE | | TLS-encrypted sockets (TCP or Unix) | | SOCKETACE |\n std. input/output --| |---| packet sockets (UDP or UnixPacket) |---| | ----- /var/some/other.sock\n | CLIENT | | websockets on plain HTTP | | SERVER |\n | | | websockets on TLS-encrpyted HTTPS | | |\n | | | standard input/output | | |\n /var/unix.sock -----| | | DNS server | | | -- SOCKS PROXY\n | | +-------------------------------------+ | |\n | | | |\n | | | |\n | | | |\n +-----------+ +-----------+\n```\n\nThis allows you to do wild combinations, such as:\n- listen on a local TCP socket, forward connection via SSH + standard in/out to remote server \n (e.g. `rsync -essh` works)\n- listen on a local TCP socket, wrap the connection TLS and forward to a service on a remote server \n (i.e. replicate what `stunnel` does) \n- listen on a local standard in/out, forward to remote service via websocket\n (i.e. \"expose ssh via websockets\")\n- listen on a TCP socket, forward to a local UNIX socket\n (i.e. to expose a UNIX-only service to Windows-based machines)\n\n## Contents\n\n1. [Rationale](#rationale)\n1. [Installation](#installation)\n 1. [Install using docker](#install-using-docker)\n 1. [Install using brew](#install-using-brew)\n 1. [Install on Linux using a package manager](#install-on-linux-using-a-package-manager)\n 1. [Manual install](#manual-install)\n1. [Usage](#usage)\n 1. [Name](#name)\n 1. [Synopsis](#synopsis)\n 1. [Description](#description)\n 1. [Examples](#examples)\n1. [Caveats](#caveats)\n 1. [Connecting to a secure (TLS-enabled) service](#connecting-to-a-secure-tls-enabled-service)\n1. [TO-DO](#to-do)\n1. [Similar projects](#similar-projects)\n\n## Rationale\n\nThere are several use cases where SocektAce might come in handy:\n\n- **Encrypting connections** If your protocol does not support encryption, you can simply\n wrap the connection with SocketAce and pass it over the Internet. \n\n- **Restrictive firewalls** Sometimes you might find yourself behind a quite restrictive \n firewall. The firewall might:\n - let through only specific ports (80, 443)\n - use deep packet inspection and block non-HTTP / non-HTTPs traffic\n \n- **Expose Unix sockets as TCP streams** If your service is only available as a Unix socket,\n you can use SocketAce to expose it on a host and access it from other (even Windows) servers\n \n## Installation\n\nThis software uses [goreleaser](https://goreleaser.com/) and [buildx](https://docs.docker.com/buildx/working-with-buildx/)\nto create software distribution. There are several ways to install it:\n\n### Install using docker\n\nThe simplest way to use SOCKETACE is by referencing a pre-build [docker image](https://hub.docker.com/repository/docker/boky/socketace), \ne.g.\n\n```shell script\ndocker run --rm -it boky/socketace\n```\n\n### Install using brew\n\n```shell script\nbrew tap bokysan/socketace https://github.com/bokysan/socketace-brew.git\nbrew install socketace\n```\n\n### Install on Linux using a package manager\n\nThe build system provides RPM, DEB and APK packages:\n\n1. Go to [Releases](https://github.com/bokysan/socketace/releases) page.\n2. Download the version appropriate for your system.\n3. Execute install for your distribution, e.g. `dpkg -i \u003cpackage\u003e.deb`\n\n\n### Manual install\n\nTo install manually:\n\n1. Go to [Releases](https://github.com/bokysan/socketace/releases) page.\n2. Download the version appropriate for your system into `$HOME/bin` or similar.\n\n\n## Usage\n\n### Name\n\n**socketace** - A tool for tunneling connections over the internet\n \n### Synopsis\n\nFor the server:\n\n```\nsocketace server \n [--help] \n [-v[v[v[v[v[v]]]]]]\n [-c|--config \u003cyaml-config-file\u003e]\n [-l|--log-file \u003clog-file\u003e]\n [-f|--log-format text|json]\n [-C|--log-color yes|no|true|false|auto]\n [--log-full-timestamp]\n [--log-report-caller]\n```\n\nFor the client:\n```\nsocketace client\n [--help] \n [-v[v[v[v[v[v]]]]]]\n [-c|--config \u003cyaml-config-file\u003e]\n [-l|--log-file \u003clog-file\u003e]\n [-f|--log-format text|json]\n [-C|--log-color yes|no|true|false|auto]\n [--log-full-timestamp]\n [--log-report-caller]\n [--ca-certificate \u003cstring\u003e | --ca-certificate-file=\u003cfile\u003e]\n [--certificate \u003cstring\u003e | --certificate-file=\u003cfile\u003e]\n [--private-key \u003cstring\u003e | --private-key-file=\u003cfile\u003e]\n [--private-key-password \u003cstring\u003e | --private-key-password-program=\u003cstring\u003e]\n [-k|--insecure]\n [-s|--secure]\n [-l|--listen \u003cstring\u003e]...\n [-u|--upstream \u003cstring\u003e...\n```\n\n### Description\n\nSocketAce can proxy multiple protocol across a single connection. You need to pick the\nright protocol when setting up a connection on the client.\n\n#### Server\n\nThe server can listen on multiple ports / protocols at the same time. To configure\nthe server, you need to set up:\n- [Upstreams](#channels)\n- [Severs](#servers)\n\n##### Channels\n\nYou may configure the channels in the YAML `channels` section. They define the external services that will be accessible \nthrough this server setup.\n\n```yaml\nserver:\n channels:\n - name: \u003cservice-name\u003e\n address: \u003caddress\u003e\n ...\n```\n\nYou may define multiple channels (upstreams). Each channel needs the following properties:\n\n- `name` is the unique name given to this upstream server. This is then referenced later\n on in the `servers` section and on the client. A good example would be `ssh`, `web`, `oracle` etc.\n- `address` is the address of the upstream. For `tcp` this is the host and the port, e.g. `tcp://127.0.0.1:22`,\n `tcp://www.google.com:80` or `tcp://[::1]:8080`, `unix:///var/sock/app.sock`, `unixpacket:///var/sock/app.sock`.\n \n##### Servers\n \nAt this stage, the following \"kinds\" (protocols) are supported: `websocket`, `tcp`, `stdin` and `unix`, `unixpacket`,\n`udp`, `dns+udp` and `dns+tcp`. To configure the server, add it to the `servers` section of the configuration.\n\n```yaml\nserver:\n servers:\n - address: \u003caddress\u003e\n [channels: [list of channels]]\n [caCertificate: \u003cca-certificate\u003e]\n [caCertificateFile: \u003cca-file\u003e]\n [certificate: \u003ccertificate\u003e]\n [certificateFile: \u003ccertificate-file\u003e]\n [privateKey: \u003cprivate-key\u003e]\n [privateKeyFile: \u003cprivate-key-file\u003e]\n [privateKeyPassword: \u003cprivate-key-password\u003e]\n [privateKeyPasswordProgram: \u003cprivate-key-password-program\u003e]\n [ ... other server-specific configuration ... ]\n```\n\nWhere:\n\n- `address` is the type of server and listening location. Can be `http`, `https`, `tcp`, `tcp+tls`, `stdin`\n `stdin+tls`, `unix` or `unix+tls`, `udp`, `unixpacket`, `dns+udp` and `dns+tcp`.\n - Always use a valid url, e.g. `tcp://0.0.0.0:5000`, `https://0.0.0.0:8900`.\n - Address type will define the listening server style, e.g.\n - `http` and `https` will start an HTTP / websocket server, \n - `tcp` and `unix` will start a standard socket server,\n - `udp` and `unixgram` will start a packet socket server,\n - `stdin` will start a stream on standard input/output.\n - `stdin` and `stdin+tls` listen to stdin/stdout. As expected, only one `stdin` server can be configured. This allows\n you to use SocketAce via `ssh` (like [rsync over `ssh`](https://en.wikipedia.org/wiki/Rsync)) or any other service\n which can stream via standard input and output (e.g. via `telnet` or `netcat` or even serial connection).\n - TLS-secured tunnels will need the certificate info.\n - You can also listen on a non-secured channel (e.g. HTTP) and provide certificate info. If provided, server will\n support the `StartTLS` command, which executes TLS handshake after connecting. Especially useful if you're proxying\n the connection over an existing HTTP server.\n- `channels` defines a list of upstream channels that this connection proxies. If not defined, all channels are \n proxied.\n- Define `caCertificate` or `caCertificateFile` if you want to use mutual (client and server) certificate\n authentication. When defined, the server will accept client connections only if signed by the given CA certificate. \n- `certificate` or `certificateFile` is the server's certificate. Needed for `tls` connections. If provided for non-TLS\n connections, server will suggest to the client to switch to secure communication via `StartTLS`. \n- `privateKey`, `privateKeyFile`, `privateKeyPassword` and `privateKeyPasswordProgram` should be pretty \n self-explanatory. They must be defined when `certificate` is set up. \n\n###### HTTP and HTTPS (websocket) server\n\nConfigure SocketAce to listen for HTTP or HTTPS requests. Example configuration is as follows:\n\n```yaml\nserver:\n servers:\n # Setup a HTTP websocket server, answering at http://192.168.1.1:8000/ws/all\n - address: http://192.168.1.1:8000\n endpoints:\n - endpoint: /ws/all\n\n # Setup a HTTP websocket server, secured by StartTLS. This allows you to proxy\n # secure SocketAce connections over plain :80 HTTP connection\n - address: http://192.168.1.1:8000\n endpoints:\n - endpoint: /ws/all\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n\n # Setup a HTTPS websocket server, answering at http://192.168.1.1:8443/ws/ssh\n - address: http://192.168.1.1:8000\n endpoints:\n - channels: [ 'ssh' ]\n endpoint: /ws/ssh\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n```\n\nAdditional options are as follows:\n- `endpoints` defines the list of URLs the server should listen to.\n For example `/ws/all` or `/my/secret/connection`. You may listen on multiple URLs.\n\n###### TCP socket and TLS socket server\n\nConfigure SocketAce to listen on an unecrypted or encrypted socket. Example configuration is as follows:\n\n```yaml\nserver:\n servers:\n # Simple socket proxy. No security. Expose all channels.\n - address: tcp://192.168.1.1:9000\n # Simple socket proxy. Secure by directly encrypting the socket.\n - address: tcp+tls://192.168.1.1:9443\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n```\n\nTCP and TLS sockets require no additional options.\n\n###### UDP socket server\n\nConfigure SocketAce to listen on an unecrypted UDP socket. Example configuration is as follows:\n\n```yaml\nserver:\n servers:\n # Simple UDP proxy. Secured by StartTLS.\n - address: udp://127.0.0.1:9992\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n```\n\n###### Standard input/output server\n\nSokcetAce can also listen on standard input/output. This allows you to carry the SocketAce connection\nover alternative means (e.g. via SSH, TELNET or serial ports). As long as you can then pipe it to a\nstandard input / output, you're good to go. *Notice that this option may be used only once.* \n\n```yaml\nserver:\n servers:\n # Simple socket proxy listening on stdin/stdout.\n - address: \"stdin://\"\n```\n\n```yaml\nserver:\n servers:\n # Simple socket proxy listening on stdin/stdout. Secured by StartTLS.\n - address: \"stdin://\"\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n```\n\n###### DNS server\n\nSocketAce may be proxied over DNS server. It works similar to [iodine](https://github.com/yarrick/iodine) (in fact,\nmuch of the code was referenced from there) but carries a SocketAce connection instead. Gone is the shared-secret\npassword and SocketAce security is used in stead. *Note that it might be a good idea to use mutual TLS authentication\nwith public DNS servers.*\n\n```yaml\nserver:\n servers:\n # UDP DNS server for SocketAce-over-DNS Secured by StartTLS.\n - address: \"dns+udp://192.168.8.1:53\"\n domain: \"example.org\"\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n - address: \"dns+tcp://192.168.8.1:53\"\n domain: \"example.org\"\n certificateFile: cert.pem\n privateKeyFile: privatekey.pem\n privateKeyPassword: test1234\n```\n\nThe `domain` represents the listening domain. You will need to make your server an authorative nameserver for\nthis domain. Check the [iodine](https://github.com/yarrick/iodine)'s tutorial on how to do this if you are not certain.\n\n\n#### Client\n\nClient configuration is a bit simpler and can be done via a config file or via a command line. Basically, only\ntwo options are important:\n\n- `--upstream \u003curl\u003e` may be specified multiple times. Defines a list of upstream servers that the client will \n try to connect to. The format is `\u003cprotocol\u003e[://\u003chost|path\u003e]`. Protocol may be any of the following: `tcp`, \n `tcp+tls`, `stdin`, `stdin+tls`, `unix`, `unix+tls`, `http`, `https`, `unixgram`, `udp` or `dns`. Examples:\n - `tcp://127.0.0.1:9995` to connect to a socket server on `localhost` on `9995` \n - `udp://127.0.0.1:9993` to connect to a UDP server on `localhost` on `9993` \n - `tcp+tls://127.0.0.1:9995` to connect to a TLS-encrypted socket server on `localhost` on `9995` \n - `dns://example.org` connect via auto-detected DNS servers, try connecting directly first\n - `dns://example.org?dns=1.1.1.1,1.0.0.1\u0026direct=false` connect via provided DNS servers \n - `stdin` to connect to server through standard input / output\n- `--listen \u003cchannel\u003e~\u003clisten-url\u003e[~\u003cforward-url\u003e]` will open a listening socket on the client. \n - `channel` name must be the same as defined on the server. \n - `listen-url` is the protocol and the host/path to listen on. Protocol may be `tcp`, `unix` and `stdin` \n - `foward-url` is the optional direct address of the service. If specified, the client will try to connect\n to this service directly first and, failing that, start going through upstream services.\n \n### Examples\n\n#### Server setup\n\nThe easiest way to set up a server is with a YAML file. The `examples` directory contains a configuration which\nprovides different server setups.\n\n#### Client setup\n\n##### Use socketace as a simple telnet client \n\n```shell script\nsocketace client -k --upstream tcp+tls://server.example.com:80 --upstream https://server.example.com/proxy --listen smtp~stdin://\n```\n\n##### Use socketace to SSH to your server from anywhere\n\n```shell script\nssh localhost -o ProxyCommand='socketace client --upstream http://127.0.0.1:9999/ws/all --listen ssh~stdin://'\n```\n\n##### Use socketace to proxy IMAP and SMTP\n\n```shell script\nsocketace client -e tcp+tls://server.example.com:80 --listen imap~tcp://127.0.0.1:143 --listen imap~tcp://127.0.0.2:587\n```\n\n##### Use socketace to gradually try different connection methods, by the order of throughoutput\n\nIf you configure your SSH `ProxyCommand` like the following, you should be able to connect to your SSH server even\nin the most restrictive environments. SocketAce will try to connect to the server in decreasing order of preference\nthrough different connection tunnels. The first one to succeeed will establish the connection.\n\n```shell script\nsocketace client \\\n --upstream udp://server.example.com:8000 \\ # Try UDP first...\n --upstream tcp://server.example.com:8443 \\ # ...then try TCP\n --upstream http://server.example.com/socketace \\ # ...then try HTTP\n --upstream https://server.example.com/socketace \\ # ...then try HTTPS\n --upstream dns://server.example.com \\ # ...finally try over DNS\n --listen ssh~stdin://\n```\n\n\n## Caveats\n\n### Connecting to a secure (TLS-enabled) service\n\nIf you are trying to proxy a connection to a secure service, you will most likely run into certificate errors. E.g.\n\nIf you configure your server with the following:\n\n```yaml\nserver:\n channels:\n - name: google\n address: tcp://www.google.com:443\n servers:\n # Simple socket proxy. No security.\n - address: tcp://127.0.0.1:9995\n```\n\n...and start the server like this:\n\n```shell script\nsocketace server -c config.yml\n```\n\n...and start the client like this:\n\n```shell script\nsocketace client --upstream tcp://localhost:9995 --listen google~tcp://127.0.0.1:9898\n```\n\nThen this will produce a certificate error:\n\n```shell script\ncurl https://localhost:9898\n```\n\nYou need to supply the correct host name (either by overriding your hostfile or supplying the host name, if possible).\nWith `curl`, this is trivial:\n\n```shell script\ncurl -H \"Host: www.google.com\" https://localhost:9898\n```\n\n## TO-DO\n\nThere's still some things to be done. If anybody's willing to pick up issues, pull\nrequests are welcome:\n- add functionality similar to [sslh](https://github.com/yrutschle/sslh) to be able to \"hide\" the proxy and share the \n port with other services\n- add proxying of UDP connections\n- document the SOCKS proxy option and add tests\n- add support for TUN (and TAP?) connections\n \n## Similar projects\n\nThere's [Chisel](https://github.com/jpillora/chisel) which tries to achieve about the same goal, but goes about it \nin a bit of a different way.\n\n## License\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fbokysan%2Fsocketace.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fbokysan%2Fsocketace?ref=badge_large)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbokysan%2Fsocketace","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbokysan%2Fsocketace","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbokysan%2Fsocketace/lists"}