Download
Ghostunnel is a simple TLS proxy with mutual authentication support for securing non-TLS backend applications. Ghostunnel supports two modes, client mode and server mode. Ghostunnel in server mode runs in front of a backend server and accepts TLS-secured connections, which are then proxied to the (insecure) backend. A backend can be a TCP domain/port or a UNIX domain socket. Ghostunnel in client mode accepts (insecure) connections through a TCP or UNIX domain socket and proxies them to a TLS-secured service. In other words, ghostunnel is a replacement for stunnel. Ghostunnel is developed primarily for Linux and Darwin (macOS), although it should run on any UNIX system that exposes SO_REUSEPORT, including FreeBSD, OpenBSD and NetBSD. Ghostunnel also supports running on Windows, though with a reduced feature set.
Features
- Ghostunnel enforces mutual authentication by requiring a valid client certificate for all connections
- Ghostunnel can reload certificates at runtime without dropping existing connections
- In server mode, Ghostunnel can optionally obtain and automatically renew a public TLS certificate via the ACME protocol
- Ghostunnel has a built-in status feature that can be used to collect metrics and monitor a running instance
- We have put some thought into making Ghostunnel secure by default and prevent accidental misconfiguration
- Emphasis on security
Project Samples
