inlets
Expose your local endpoints to the Internet
Intro
inlets combines a reverse proxy and websocket tunnels to expose your internal and development endpoints to the public Internet via an exit-node. An exit-node may be a 5-10 USD VPS or any other computer with an IPv4 IP address.
Why do we need this project? Similar tools such as ngrok or Argo Tunnel from Cloudflare are closed-source, have limits built-in, can work out expensive, and have limited support for arm/arm64. Ngrok is also often banned by corporate firewall policies meaning it can be unusable. Other open-source tunnel tools are designed to only set up a single static tunnel. inlets aims to dynamically bind and discover your local services to DNS entries with automated TLS certificates to a public IP address over a websocket tunnel.
When combined with SSL - inlets can be used with any corporate HTTP proxy which supports CONNECT.
Conceptual diagram for inlets
License & terms
Important
Developers wishing to use inlets within a corporate network are advised to seek approval from their administrators or management before using the tool. By downloading, using, or distributing inlets, you agree to the LICENSE terms & conditions. No warranty or liability is provided.
Who is behind this project?
inlets is brought to you by Alex Ellis. Alex is a CNCF Ambassador and the founder of OpenFaaS.
OpenFaaS® makes it easy for developers to deploy event-driven functions and microservices to Kubernetes without repetitive, boiler-plate coding. Package your code or an existing binary in a Docker image to get a highly scalable endpoint with auto-scaling and metrics. The project has around 19k GitHub stars, over 240 contributors and a growing number of end-users in production.
Backlog & goals
Completed
- automatically create endpoints on exit-node based upon client definitions
- multiplex sites on same port and websocket through the use of DNS / host entries
- link encryption using SSL over websockets (
wss://) - automatic reconnect
- authentication using service account or basic auth
- automatic TLS provisioning for endpoints using cert-magic
- configure staging or production LetsEncrypt issuer using HTTP01 challenge
- native multi-arch with ARMHF/ARM64 support
- Dockerfile and Kubernetes YAML files
- discover and implement
Servicetype ofLoadBalancerfor Kubernetes - inlets-operator - tunnelling websocket traffic in addition to HTTP(s)
- get a logo for the project
Stretch goals
- automatic configuration of DNS / A records
- configuration to run "exit-node" as serverless container with Azure ACI / AWS Fargate
- configure staging or production LetsEncrypt issuer using DNS01 challenge
Non-goals
-
tunnelling plain TCP traffic over the websocket
This use-case is covered by inlets-pro, ask me about early access to inlets-pro.
Status
Unlike HTTP 1.1 which follows a synchronous request/response model websockets use an asynchronous pub/sub model for sending and receiving messages. This presents a challenge for tunneling a synchronous protocol over an asynchronous bus.
inlets 2.0 introduces performance enhancements and leverages parts of the Kubernetes and Rancher API. It uses the same tunnelling packages that enable node-to-node communication in Rancher's k3s project. It is suitable for development and may be useful in production. Before deploying inlets into production, it is advised that you do adequate testing.
Feel free to open issues if you have comments, suggestions or contributions.
- The tunnel link is secured via
--tokenflag using a shared secret - The default configuration uses websockets without SSL
ws://, but to enable encryption you could enable SSLwss:// - A timeout for requests can be configured via args on the server
The upstream URL has to be configured on both server and client until a discovery or service advertisement mechanism is addedThe client can advertise upstream URLs, which it can serve- The tunnel transport is wrapped by default which strips CORS headers from responses, but you can disable it with the
--disable-transport-wrappingflag on the server
Related projects
Inlets is listed on the Cloud Native Landscape as a Service Proxy
- inlets - open-source L7 HTTP tunnel and reverse proxy
- inlets-pro - L4 TCP load-balancer
- inlets-operator - deep integration for inlets in Kubernetes, expose Service type LoadBalancer
- inletsctl - CLI tool to provision exit-nodes for use with inlets or inlets-pro
What are people saying about inlets?
You can share about inlets using
@inletsdev,#inletsdev, andhttps://inlets.dev.
inlets has trended on the front page of Hacker News twice.
- inlets 1.0 - 146 points, 48 comments
- inlets 2.0 - 218 points, 66 comments
Official tutorials:
- HTTPS for your local endpoints with inlets and Caddy - Alex Ellis
- Build a 10 USD Raspberry Pi Tunnel Gateway
- Get a LoadBalancer for your private Kubernetes cluster with inlets-operator - Alex Ellis
- Webhooks, great when you can get them - Alex Ellis
Community tutorials:
- The Awesomeness of Inlets by Ruan Bekker
- K8Spin - What does fit in a low resources namespace? Inlets
- Exposing Magnificent Image Classifier with inlets
- "Securely access external applications as Kubernetes Services, from your laptop or from any other host, using inlets"
- Setting up an EC2 Instance as an Inlets Exit Node
- Micro-tutorial inlets with KinD by Alex Ellis
- Using local services in Gitpod with inlets
Twitter:
- "I just transferred a 70Gb disk image from a NATed NAS to a remote NATed server with @alexellisuk inlets tunnels and a one-liner python web server" by Roman Dodin
- "Really amazed by inlets by @alexellisuk - "Up and running in 15min - I will be able to watch my #RaspberryPi servers running at home while staying on the beach ?♂️?????" by Florian Dambrine
- Testing an OAuth proxy by Vivek Singh
- inlets used at KubeCon to power a live IoT demo at a booth
- PR to support Risc-V by Carlos Eduardo
- Recommended by Michael Hausenblas for use with local Kubernetes
- 5 top facts about inlets by Alex Ellis
- "Cool! I hadn't heard of inlets until now, but I love the idea of exposing internal services this way. I've been using TOR to do this!" by Stephen Doskett, Tech Field Day
- "Learn how to set up HTTPS for your local endpoints with inlets, Caddy, and DigitalOcean thanks to @alexellisuk!" by @DigitalOcean
- "See how Inlets helped me to expose my local endpoints for my homelab that sits behind a Carrier-Grade NAT"
Note: add a PR to send your story or use-case, I'd love to hear from you.
See ADOPTERS.md for what companies are doing with inlets today.
Get started
You can install the CLI with a curl utility script, brew or by downloading the binary from the releases page. Once installed you'll get the inlets command.
Install the CLI
Note:
inletsis made available free-of-charge, but you can support its ongoing development through GitHub Sponsors ?
Utility script with curl:
# Install to local directory
curl -sLS https://get.inlets.dev