{"id":28506610,"url":"https://github.com/temporalio/s2s-proxy","last_synced_at":"2026-03-12T01:38:54.626Z","repository":{"id":280039735,"uuid":"818444364","full_name":"temporalio/s2s-proxy","owner":"temporalio","description":"s2s-proxy is a service that intercepts and forwards requests between two Temporal servers.","archived":false,"fork":false,"pushed_at":"2026-02-20T01:17:39.000Z","size":2298,"stargazers_count":11,"open_issues_count":8,"forks_count":8,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-02-20T02:26:22.933Z","etag":null,"topics":["go","multi-clusters","proxy","temporal"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/temporalio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-06-21T21:50:19.000Z","updated_at":"2026-02-19T23:22:14.000Z","dependencies_parsed_at":"2025-04-17T16:33:15.688Z","dependency_job_id":"ea1eebc4-6c9c-49dc-b09f-4f0beebd08b2","html_url":"https://github.com/temporalio/s2s-proxy","commit_stats":null,"previous_names":["temporalio/s2s-proxy"],"tags_count":28,"template":false,"template_full_name":null,"purl":"pkg:github/temporalio/s2s-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fs2s-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fs2s-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fs2s-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fs2s-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/temporalio","download_url":"https://codeload.github.com/temporalio/s2s-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fs2s-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30412090,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-12T00:40:14.898Z","status":"ssl_error","status_checked_at":"2026-03-12T00:40:08.439Z","response_time":84,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","multi-clusters","proxy","temporal"],"created_at":"2025-06-08T20:06:02.512Z","updated_at":"2026-03-12T01:38:54.622Z","avatar_url":"https://github.com/temporalio.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# S2S-Proxy for Temporal\n\nA server-to-server proxy (s2s-proxy) is a service sitting between two Temporal servers. \nIt can be used to intercept service requests between two servers in a [multi-cluster setting](https://docs.temporal.io/self-hosted-guide/multi-cluster-replication). \nIt enables communication between two Temporal servers even if the servers are located in segregated networks. \nThe proxy can be customized with access control policies, such as defining allow lists for APIs and namespaces, \nto enhance security. Using multiplex mode allows one server to connect to another server unidirectionally unlike \na typical multi-cluster setup where both servers must expose an accessible endpoint.\n## Contributing\n\nSee [CONTRIBUTING.md](./CONTRIBUTING.md) for how to build and run locally, run tests, etc.\n\n## License\n\n[MIT License](https://github.com/temporalio/s2s-proxy/blob/main/LICENSE)\n\n*This project is intended for use as a binary only. Internal APIs are subject to change without warning!*\n\n## When should I use the S2S proxy?\nIf you have two Temporal clusters with identical security posture and permitted entities,\nyou can connect them using Temporal's existing multi-cluster support and a secure network provider.\nThe S2S-Proxy is useful for connecting Temporal clusters that should *not* share a network for some reason,\nor in cases where some translation is needed between the two clusters.\n\n### Basic translation \u0026 Migration cases\nWithin the same network, you can use the S2S-proxy as a simple way to rename a namespace and/or search attributes\nas it migrates into a different cluster. Configure the proxy in TCP mode with the two Temporal servers directly and\nspecify the namespace mapping between them.\n\n### Crossing WAN with Mux-mode\nBetween two different networks, a server operator can cooperate with a client to connect a cluster between a publicly\nexposed endpoint and the client's local Temporal Cluster, without ever exposing a port into the client deployment.\nSetting the S2S-Proxy in Mux mode allows you to pick from Server and Client settings, and only the Server mode requires\nan open port. The client connects to that port, handshakes with TLS, and then establishes a set of multiplexed sessions\nfor data transfer.\n\n## S2S-Proxy network setup\n```mermaid\narchitecture-beta\n\ngroup clusterA(cloud)[Cluster A]\nservice temporalA(server)[Temporal Cluster A] in clusterA\nservice s2sA(server)[S2S Proxy A] in clusterA\nservice s2sPortA(internet)[Cluster A proxy connection] in clusterA\n\n\ngroup clusterB(cloud)[Cluster B]\nservice temporalB(server)[Temporal Cluster B] in clusterB\nservice s2sB(server)[S2S Proxy B] in clusterB\nservice s2sPortB(internet)[Cluster B proxy connection] in clusterB\n\n%% Client connections\ntemporalA:T \u003c--\u003e B:s2sA\ns2sA:R \u003c--\u003e L:s2sPortA\n\n%% Cluster B connections\ntemporalB:T \u003c--\u003e B:s2sB\ns2sB:L \u003c--\u003e R:s2sPortB\n\n%% Client\u003c-\u003eCloud connections\ns2sPortB:L \u003c--\u003e R:s2sPortA\n```\n\n## Features\nThe S2S-Proxy attempts to make it much easier to connect Temporal Clusters that do not share a trusted network.\nHere's a short list of what it can do and how that helps you connect clusters.\n\n### Avoid opening ports with multiplexed connections on TCP-TLS\nThe S2S-proxy supports establishing a multiplexed connection with Yamux to a remote endpoint. The mux is hosted\non top of TCP-TLS using a key and cert pair, ensuring it identifies to the correctly configured S2S-Proxy on the\nremote side. The cluster containing the \"establishing\" proxy does not need any open ports, which simplifies \nthe network posture on the establishing side.\n\n### Enforce safety with Access Control Lists\nEach S2S-Proxy can be configured with an allowlist of valid APIs, which prevents untrusted commands from running\non the cluster it represents.\n\n### Translate namespaces and search attributes\nLocal and remote namespace names and search attributes can be renamed through the S2S-Proxy, to help a local\nnamespace confirm to what it should be on the remote. This skips the step of renaming the namespace by doing it\nin-flight as it migrates.\n\n### Adapt between different versions of Temporal\nWe will be keeping the Proxy updated with translations between modern versions of Temporal. The most notable \nrecent incompatibility between servers is the switch from GoGo protobufs to Go-GRPC's reference protobufs.\nGoGo protobuf allowed incomplete UTF-8 data inside of string objects, which is disallowed in Go-GRPC, which can\nbreak some connections between Temporal \u003c1.22 and Temporal \u003e1.22. The S2S-proxy will remove those UTF8 errors\nin-stream without the need to modify the data on the source Temporal deployment.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftemporalio%2Fs2s-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftemporalio%2Fs2s-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftemporalio%2Fs2s-proxy/lists"}