{"id":18825381,"url":"https://github.com/outsystems/cloud-connector","last_synced_at":"2026-03-04T10:00:26.112Z","repository":{"id":65195459,"uuid":"517310832","full_name":"OutSystems/cloud-connector","owner":"OutSystems","description":"OutSystems Cloud Connector","archived":false,"fork":false,"pushed_at":"2026-03-02T12:00:04.000Z","size":7739,"stargazers_count":18,"open_issues_count":1,"forks_count":6,"subscribers_count":19,"default_branch":"main","last_synced_at":"2026-03-02T15:50:33.694Z","etag":null,"topics":["global-routing-and-security","odc","sdlc-snyk-container-scan-exempt","snyk-global-routing","ssdlc-rules"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OutSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-24T11:56:56.000Z","updated_at":"2026-03-02T12:00:06.000Z","dependencies_parsed_at":"2026-03-02T14:01:43.154Z","dependency_job_id":null,"html_url":"https://github.com/OutSystems/cloud-connector","commit_stats":null,"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/OutSystems/cloud-connector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OutSystems%2Fcloud-connector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OutSystems%2Fcloud-connector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OutSystems%2Fcloud-connector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OutSystems%2Fcloud-connector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OutSystems","download_url":"https://codeload.github.com/OutSystems/cloud-connector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OutSystems%2Fcloud-connector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30078306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T08:01:56.766Z","status":"ssl_error","status_checked_at":"2026-03-04T08:00:42.919Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["global-routing-and-security","odc","sdlc-snyk-container-scan-exempt","snyk-global-routing","ssdlc-rules"],"created_at":"2024-11-08T00:59:16.781Z","updated_at":"2026-03-04T10:00:26.094Z","avatar_url":"https://github.com/OutSystems.png","language":"Go","readme":"\u003ch1 align=\"center\"\u003e\n\u003cimg src=\"images/cloud-connector-icon.png\" /\u003e\n\nOutSystems Cloud Connector\n\u003c/h2\u003e\n\n![MIT][s0]\n\n[s0]: https://img.shields.io/badge/license-MIT-blue.svg\n\n## \u003ca name=\"table-of-contents\"\u003e\u003c/a\u003e Table of Contents\n\n1. [Overview](#overview)\n1. [Install](#install)\n    * [Binary](#binary)\n    * [Docker](#docker)\n    * [Firewall setup](#firewall-setup)\n1. [Usage](#usage)\n    * [Logging](#logging)\n1. [Detailed options](#detailed-options)\n1. [License](#license)\n\n## 1. \u003ca name=\"overview\"\u003e\u003c/a\u003e Overview \u003csmall\u003e\u003csup\u003e[Top ▲](#table-of-contents)\u003c/sup\u003e\u003c/small\u003e\n\nUsing the OutSystems Cloud Connector (`outsystemscc`) you can connect the apps running in your [OutSystems Developer Cloud (ODC)](https://www.outsystems.com/low-code-platform/developer-cloud/) organization to private data and private services (\"endpoints\") that aren't accessible by the internet. `outsystemscc` is an open-source project written in Go.\n\nYou run `outsystemscc` on a system in your private network—an on-premise network, a private cloud, or the public cloud—to establish a secure tunnel between your endpoints and the Private Gateway. Your apps can then access the endpoints through the Private Gateway, the server component you activate for each stage of your ODC organization [using the ODC Portal](https://www.outsystems.com/goto/secure-gateways). Common use cases include accessing data through a private REST API service and making requests to internal services (SMTP, SMB, NFS,..)\n\n`outsystemscc` creates a fast TCP/UDP tunnel, with transport over HTTP via WebSockets, secured via SSH using ECDSA with SHA256 keys. The connection is established to either the built-in domain for the stage (for example `\u003corganization\u003e.outsystems.app`) or a custom domain configured for the stage (for example `example.com`). In both cases, the connection is over TLS and always encrypted with a valid X.509 certificate.\n\nThe following diagram is an example of a ODC customer setup for a Private Gateway active on two stages.\n\n![Private gateways diagram](images/private-gateways-diag.png \"Private gateways diagram\")\n\nYou see how to create a tunnel to the endpoints as in this diagram in the [Usage](#usage) section.\n\nTo learn more about the cloud-native architecture of ODC go to the [ODC documentation site](https://success.outsystems.com/Documentation/Project_Neo/Cloud-native_architecture_of_OutSystems_Developer_Cloud).\n\n## 2. \u003ca name=\"install\"\u003e\u003c/a\u003e Install \u003csmall\u003e\u003csup\u003e[Top ▲](#table-of-contents)\u003c/sup\u003e\u003c/small\u003e\n\n_Minimum system requirement per `outsystemscc` instance: 2 GB RAM, 2x 1GHz+ CPU._\n\nTo install, use either the binary or Docker option. Run the binary on Linux, or use the Docker image on any OS that supports Docker. Running `outsystemscc` as a Docker image offers several advantages if your system supports it:\n\n* You always run the latest release. You don't need to reinstall each new release.\n* You can run `outsystemscc` on any Linux/Windows(within a WSL environment) system that supports Docker:\n    * For example, if you are using Windows, you can run `outsystemscc` within Windows Subsystem for Linux (WSL), where you can pull and run the Docker image directly from the WSL environment.\n* Without additional configuration `outsystemscc` starts with the Docker daemon on system boot.\n* For advanced use cases, you can use Kubernetes for orchestration.\n\nAfter install, ensure you configure the firewall for the private network(s) correctly. For more information, see [Firewall setup](#firewall-setup) section.\n\n### \u003ca name=\"binary\"\u003e\u003c/a\u003e Binary\n\nDownload the latest release from the [releases page](https://github.com/OutSystems/cloud-connector/releases/latest). There are precompiled binaries available for Linux on i386 (32-bit), amd64 (64-bit), and arm64 (64-bit). You can run the binary on any Windows version that supports [WSL](https://docs.microsoft.com/en-us/windows/wsl/).\n\n⚠️ **Note**: Some antivirus software may incorrectly flag the `outsystemscc` binary as malicious. This is a known false positive. If your organization’s security policies permit, you can safely proceed by adding an exception in your antivirus software.\n\nTo install, unzip/untar the package and then copy the binary to the desired location. For example:\n\n    tar -zxvf outsystemscc_1.0.0_linux_amd64.tar.gz\n    mv outsystemscc $HOME/.local/bin\n    outsystemscc --help\n\nYou may want to configure the binary to run as a service so it can start on system boot. See the documentation of your Linux distribution for detail on how to do this.\n\n`outsystemscc` doesn't require root permissions to run.\n\n### \u003ca name=\"docker\"\u003e\u003c/a\u003e Docker\n\nRun the Docker image directly from the OutSystems GitHub container registry:\n\n    docker run --rm -it ghcr.io/outsystems/outsystemscc --help\n\nTo enhance the resilience of `outsystemscc` consider running the Docker container in detached mode and configuring it to restart automatically in case of failures. This can be achieved by adding the `-d` flag and the `--restart=on-failure:\u003cn\u003e` option, where `\u003cn\u003e` is the maximum number of restart attempts. For example:\n\n    docker run -d --restart=on-failure:3 ghcr.io/outsystems/outsystemscc:latest --help\n\nThe `-d` flag runs the Docker container in detached mode, setting it to run in the background. The `--restart=on-failure` option ensures that the container will automatically restart up to `\u003cn\u003e` times if it exits with a non-zero status. For more information, see the [Docker run reference](https://docs.docker.com/engine/reference/run/).\n\nIf you're running the container on a runtime where you need to specify the command line or override the entrypoint (for example on Azure Container Instances or AWS Fargate):\n\n    docker run --rm -it --entrypoint /app/outsystemscc ghcr.io/outsystems/outsystemscc --help\n\n### \u003ca name=\"firewall-setup\"\u003e\u003c/a\u003e Firewall setup\n\n`outsystemscc` requires only outbound access to the internet in the private network(s) in which it's running.\n\nYou can restrict outbound internet connectivity (via a NAT Gateway, for example) by a firewall. For a Layer 7 firewall, you should allow outbound connections to the built-in domain (for example `\u003corganization\u003e.outsystems.app`) and any custom domains configured for the stage (for example `example.com`). For a Layer 4 firewall, you must open firewall rules to all [CloudFront IP ranges](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html) for port 443.\n\nIf the network requires outbound traffic to route through a proxy, you specify that using the `--proxy` option.\n\n\u003e :bulb: There may be a dedicated person or team at your organization responsible for administering network firewalls. If so, you may want to contact them for help with the process.\n\n\n## 3. \u003ca name=\"usage\"\u003e\u003c/a\u003e Usage \u003csmall\u003e\u003csup\u003e[Top ▲](#table-of-contents)\u003c/sup\u003e\u003c/small\u003e\n\nThe examples below use the binary command, `outsystemscc`. If you are using Docker, replace the command with `docker run --rm -it ghcr.io/outsystems/outsystemscc:latest` or a custom command as outlined in [Docker](#docker) section. \n\nAfter using `outsystemscc` to connect one or more endpoints, you have a list of connected endpoint(s) of the form `secure-gateway:\u003cport\u003e`. You or a member of your team can use these addresses directly in app development in ODC Studio or in developing external libraries using custom code.\n\n\u003e :information_source: cloud-connector supports connecting to endpoints both over TLS/SSL and without TLS/SSL. Currently only certificates signed by a verified Certificate Authority (CA) are supported.\n\nAfter successfully activating the private gateway for a stage in the ODC Portal, the following screen displays:\n\n![Private gateways in ODC Portal](images/activate-private-gateway-pl.png \"Private gateways in ODC Portal\")\n\n\u003e :information_source: Please note: As of version 2.0.0, there are two different Address URLs: one for newer versions of Cloud Connector, and one for versions before version v2.0.0. Take care to use the correct Address, and if updating to a newer version of Cloud Connector from a version prior to 2.0.0, please change your URL.\n\n\u003e :information_source: Please note: For environments using proxy configurations, use version 2.0.3+ for full backward compatibility with v1.x proxy behavior. Versions 2.0.0-2.0.2 have a known issue with proxy handling that has been resolved in 2.0.3+.\n\n\u003e :information_source: Make sure to copy the Token and save it in a safe location. For security reasons, you won't be able to access it again after you close or refresh the page.\n\nUse the **Token** and **Address** to form the `outsystemscc` command to run. For example:\n\n    outsystemscc \\\n      --header \"token: N2YwMDIxZTEtNGUzNS1jNzgzLTRkYjAtYjE2YzRkZGVmNjcy\" \\\n      https://organization.outsystems.app/sg_6c23a5b4-b718-4634-a503-f22aed17d4e7 \\\n      R:8081:192.168.0.3:8393\n\nIn this example, you create a tunnel to the endpoint `192.168.0.3:8393`, a REST API service running on IP address `192.168.0.3`. The endpoint is available to consume by apps running in the connected stage at `secure-gateway:8081`.\n\n\u003e :bulb: If you want to run `outsystemscc` on Azure Container Instances, [see the FAQs](FAQ.md#how-do-i-run-outsystemscc-on-azure-container-instances) for specific guidance.\n\nYou can create a tunnel to connect multiple endpoints to the same Private Gateway. To do this, run multiple instances of `outsystemscc` or pass in multiple remotes (`R:\u003clocal-port\u003e:\u003cremote-host\u003e:\u003cremote-port\u003e`) to the same instance. In the latter case, for example:\n\n    outsystemscc \\\n      --header \"token: N2YwMDIxZTEtNGUzNS1jNzgzLTRkYjAtYjE2YzRkZGVmNjcy\" \\\n      https://organization.outsystems.app/sg_6c23a5b4-b718-4634-a503-f22aed17d4e7 \\\n      R:8081:192.168.0.3:8393 R:8082:192.168.0.4:587\n\nIn the above example you create a tunnel to connect two endpoints. One, as before, `192.168.0.3:8393`, a REST API service running on IP address `192.168.0.3`. The endpoint is available for use by apps running in the connected stage at `secure-gateway:8081`. Second, `192.168.0.4:587`, an SMTP server running on `192.168.0.4`, another IP in the internal address range. The endpoint is available for use by apps running in the connected stage at `secure-gateway:8082`.\n\nYou can create a tunnel to any endpoint that's in the internal address range and so is network accessible over TCP or UDP from the system on which `outsystemscc` is run. If the connection is over UDP, add `/udp` to the end of the remote port.\n\nTo learn more about using connected endpoints in app development go to the [ODC documentation site](https://www.outsystems.com/goto/secure-gateways). Be sure to share the list of connected endpoint(s) of the form `secure-gateway:\u003cport\u003e` and any associated swagger specification file(s) with members of your team responsible developing apps in ODC Studio.\n\nYou can also use the connected endpoint(s) in custom code development using the External Libraries feature, see the [External Libraries SDK documentation](https://www.outsystems.com/goto/external-logic-private-gateway) for guidance.\n\n### \u003ca name=\"logging\"\u003e\u003c/a\u003e Logging\n\nBy default, `outsystemscc` logs timestamped information about the connection status and \nlatency to stdout. For example:\n\n    2022/11/10 12:14:42 client: Connecting to ws://organization.outsystems.app/sg_6c23a5b4-b718-4634-a503-f22aed17d4e7:80\n    2022/11/10 12:14:42 client: Connected (Latency 733.439µs)\n\nYou can redirect this output to a file for retention purposes. For example:\n\n    outsystemscc \\\n      --header \"token: N2YwMDIxZTEtNGUzNS1jNzgzLTRkYjAtYjE2YzRkZGVmNjcy\" \\\n      https://organization.outsystems.app/sg_6c23a5b4-b718-4634-a503-f22aed17d4e7 \\\n      R:8081:10.0.0.1:8393 \\ \n      \u003e\u003e outsystemscc_log\n\nIf your organization uses a centralized log management product, see its documentation about how to redirect the log output.\n\n## 4. \u003ca name=\"detailed-options\"\u003e\u003c/a\u003e Detailed options \u003csmall\u003e\u003csup\u003e[Top ▲](#table-of-contents)\u003c/sup\u003e\u003c/small\u003e\n\n\n Keep remaining options with the default unless your network topology requires you to modify them.\n\n    Usage: outsystemscc [options] \u003cserver\u003e \u003cremote\u003e [remote] [remote] ...\n\n    \u003cserver\u003e is the URL to the server. Use the Address displayed on ODC Portal.\n\n    \u003cremote\u003es are remote connections tunneled through the server, each of\n    which come in the form:\n\n        R:\u003clocal-port\u003e:\u003cremote-host\u003e:\u003cremote-port\u003e\n\n    which does reverse port forwarding, sharing \u003cremote-host\u003e:\u003cremote-port\u003e\n    from the client to the server's \u003clocal-port\u003e.\n\n        example remotes\n\n        R:8081:192.168.0.3:8393\n        R:8082:192.168.0.4:587\n\n        See https://github.com/OutSystems/cloud-connector for examples in context.\n        \n    Options:\n\n        --keepalive, An optional keepalive interval. Since the underlying\n        transport is HTTP, in many instances we'll be traversing through\n        proxies, often these proxies will close idle connections. You must\n        specify a time with a unit, for example '5s' or '2m'. Defaults\n        to '25s' (set to 0s to disable).\n\n        --max-retry-count, Maximum number of times to retry before exiting.\n        Defaults to unlimited.\n\n        --max-retry-interval, Maximum wait time before retrying after a\n        disconnection. Defaults to 5 minutes.\n\n        --proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be\n        used to reach the server. Authentication can be specified\n        inside the URL.\n        For example, http://admin:password@my-server.com:8081\n                or: socks://admin:password@my-server.com:1080\n\n        --header, Set a custom header in the form \"HeaderName: HeaderContent\". \n        Use the Token displayed on ODC Portal in using token as HeaderName.\n        \n        --pid Generate pid file in current working directory\n\n        -v, Enable verbose logging\n\n        --help, This help text\n\n    Signals:\n        The outsystemscc process is listening for:\n        a SIGUSR2 to print process stats, and\n        a SIGHUP to short-circuit the client reconnect timer\n\n## 5. \u003ca name=\"license\"\u003e\u003c/a\u003e License \u003csmall\u003e\u003csup\u003e[Top ▲](#table-of-contents)\u003c/sup\u003e\u003c/small\u003e\n\n[MIT](https://github.com/outsystems/cloud-connector/blob/master/LICENSE) © OutSystems","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutsystems%2Fcloud-connector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foutsystems%2Fcloud-connector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutsystems%2Fcloud-connector/lists"}