Advanced options
Sandhole accepts several options when you request a remote forwarding, for example through OpenSSH’s CLI, where they are passed as the remote command after the hostname. To combine options, pass them in the same command, separated by spaces. Here is a list of the options with examples:
allowed-fingerprints
This option restricts aliasing to the listed SSH key fingerprints, given as a comma-separated list. See “Restricting access to local forwardings”.
ssh -p 2222 -R my.tunnel:3000:localhost:2000 sandhole.com.br allowed-fingerprints=SHA256:GehKyA21BBK6eJCouziacUmqYDNl8BPMGG0CTtLSrbQ,SHA256:bwf4FDtNeZzFv8xHBzHJwRpDRxssCll8w2tCHFC9n1o
force-https
This option forces proxied HTTP requests to be redirected to HTTPS.
ssh -p 2222 -R my.tunnel:80:localhost:8080 sandhole.com.br force-https
host
This option tells Sandhole to modify the Host header in proxied HTTP requests to use the provided host.
ssh -p 2222 -R my.tunnel:80:localhost:8080 sandhole.com.br host=some.host
http2
This option tells Sandhole to serve HTTP/2 instead of HTTP/1.1 for your service. This option only works over HTTPS, so you may want to also set force-https.
ssh -p 2222 -R my.tunnel:80:localhost:8080 sandhole.com.br http2 force-https
ip-allowlist / ip-blocklist
These options allow you to limit the IP ranges for incoming proxy/alias connections. Each takes a comma-separated list of IPv4 or IPv6 CIDR ranges.
ssh -p 2222 -R website.com:80:localhost:3000 sandhole.com.br ip-allowlist=10.0.0.0/8,20ff::/16 ip-blocklist=10.1.0.0/16
pool
This option allows you to reduce the maximum number of connections created for each of your handlers. It must not be larger than the server’s --pool-size option.
ssh -p 2222 -R my.tunnel:80:localhost:8080 sandhole.com.br pool=16
sni-proxy
This option tells Sandhole that it should use your provided TLS backend. This guarantees that Sandhole cannot see unencrypted traffic. This option only works over HTTPS, so you may want to also set force-https.
ssh -p 2222 -R my.tunnel:80:localhost:8080 sandhole.com.br sni-proxy force-https
tcp-alias
This option forces an HTTP remote forwarding request to be an alias instead of a proxy. See “Enforcing aliasing”.
ssh -p 2222 -R my.tunnel:80:localhost:8080 sandhole.com.br tcp-alias
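A pre-flight check for the option strings shown on this page, as an added example that is not part of Sandhole or its documentation: it flags misspelled option names, malformed fingerprints, invalid CIDR ranges and a non-positive pool before the command is sent. The function name `lint_options` and the rule that flag options carry no value are assumptions drawn from the forms shown above, not from Sandhole's own parser.

```python
import ipaddress
import re

# Option names as listed on this page; flags are shown there without a value.
FLAGS = {"force-https", "http2", "sni-proxy", "tcp-alias"}
VALUED = {"allowed-fingerprints", "host", "ip-allowlist", "ip-blocklist", "pool"}
# OpenSSH SHA-256 fingerprint: "SHA256:" followed by 43 unpadded base64 characters.
FINGERPRINT = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")


def lint_options(command: str) -> list[str]:
    """Hypothetical helper: list the problems in a space-separated option string."""
    problems, seen = [], set()
    for token in command.split():
        name, sep, value = token.partition("=")
        seen.add(name)
        if name in FLAGS:
            if sep:
                problems.append(f"{name}: shown on this page without a value")
        elif name not in VALUED:
            problems.append(f"{name}: not an option listed on this page")
        elif not value:
            problems.append(f"{name}: missing value")
        elif name == "allowed-fingerprints":
            for fp in value.split(","):
                if not FINGERPRINT.fullmatch(fp):
                    problems.append(f"{name}: malformed fingerprint {fp!r}")
        elif name in ("ip-allowlist", "ip-blocklist"):
            for cidr in value.split(","):
                try:
                    ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    problems.append(f"{name}: invalid CIDR {cidr!r}")
        elif name == "pool" and not re.fullmatch(r"[1-9][0-9]*", value):
            problems.append(f"{name}: expected a positive integer")
    for name in ("http2", "sni-proxy"):
        if name in seen and "force-https" not in seen:
            problems.append(f"{name}: only works over HTTPS; consider force-https")
    return problems


if __name__ == "__main__":
    # Constructed input: a misspelled allowlist, a zero pool, sni-proxy alone.
    for problem in lint_options("ip-alowlist=10.0.0.0/33 pool=0 sni-proxy"):
        print(problem)
```

A misspelled `ip-allowlist` is the case worth catching first, since the restriction you intended would not be in the command at all.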