[HN Gopher] Pgrok - Poor Man's Ngrok
___________________________________________________________________
Pgrok - Poor Man's Ngrok
Author : joe2010xtmf
Score : 199 points
Date : 2023-03-12 12:23 UTC (10 hours ago)
(HTM) web link (github.com)
| Bluecobra wrote:
| > This is intended for small teams that need to expose the local
| development environment to the public internet
|
| As someone who has to manage enterprise firewalls, this is a
| nightmare from a security perspective. I'm more than happy to
| host some project in a DMZ. I have already had some devs skirt
| our security policies with ngrok rather than simply talk to us
| about their needs. I can't say I'm a fan of punching permanent
| holes into a firewall like this.
| mukesh610 wrote:
| Not exactly sure how streamlined your security process is, but
| for some orgs it is a red tape roller coaster to even get one
| TCP port open.
|
| Anyways, you could also block all traffic to ngrok servers just
| to ensure your Dev teams aren't skirting around your firewall.
| Bluecobra wrote:
| Yeah I get it, but everyone needs to be responsible for
| security as well. Look what happened with Lastpass. I can
| totally see someone doing something silly like exposing a
| device with default creds like a MySQL db on a production
| box, then forgetting about it and getting a new job a year
| later.
|
| I do block proxies like this, but it's hard to block every
| little thing.
| alexnewman wrote:
| I remember when I believed in bastions and DMZ. Many
| companies have given up on this due to the fact that it can
| only be enforced by policy and not by tech
| IceWreck wrote:
| Ngrok is just one company tho, there are thousands of ways.
| Wireguard or nebula can be selfhosted and another server with
| an actual port open will forward traffic. People can use
| SSH's reverse port forwarding too.
|
| Or you can use cloudflared or another one of ngrok's
| competitors.
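
The domain-blocking approach discussed in the comments above, sketched as a detection pass over resolver logs. This is an added example, not code from any commenter or from the pgrok project. The log format, the sample lines and the suffix list are assumptions made here: `trycloudflare.com` and `zrok.io` appear in this thread, and `ngrok.io` is added for the example. Self-hosted tunnel endpoints (pgrok, sish, WireGuard, SSH remote forwarding) use arbitrary hostnames and do not match, which is the limitation the last comment points out.

```python
"""Added example: flag DNS lookups for hosted tunnel services in resolver logs."""
from collections import defaultdict

# Assumption: illustrative suffix list chosen for this example, not a complete one.
TUNNEL_SUFFIXES = {
    "ngrok.io": "ngrok",
    "trycloudflare.com": "cloudflared quick tunnel",
    "zrok.io": "zrok",
}


def match_service(qname):
    """Return the service name if qname equals or is a subdomain of a listed suffix."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare whole-label suffixes, so "notngrok.io" and
    # "ngrok.io.example.org" are not mistaken for ngrok.
    for i in range(len(labels)):
        service = TUNNEL_SUFFIXES.get(".".join(labels[i:]))
        if service:
            return service
    return None


def scan(lines):
    """Parse 'timestamp client_ip qname qtype' lines into {client: {service: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        _, client, qname, _ = parts
        service = match_service(qname)
        if service:
            hits[client][service] += 1
    return {client: dict(services) for client, services in hits.items()}


# Constructed sample input (hypothetical clients and hostnames).
SAMPLE_LOG = """\
2023-03-12T12:30:01Z 10.0.4.17 abc123.ngrok.io. A
2023-03-12T12:30:05Z 10.0.4.17 ABC123.ngrok.io AAAA
2023-03-12T12:31:10Z 10.0.7.3 seasonal-deck-organisms-sf.trycloudflare.com A
2023-03-12T12:31:40Z 10.0.7.3 notngrok.io A
2023-03-12T12:32:02Z 10.0.9.9 ngrok.io.example.org A
2023-03-12T12:33:00Z 10.0.9.9 tunnel.dev.example.net A
malformed line
""".splitlines()

if __name__ == "__main__":
    for client, services in sorted(scan(SAMPLE_LOG).items()):
        print(client, services)
```

The lookup for `tunnel.dev.example.net` stands in for a self-hosted tunnel server and passes unflagged; catching that case needs egress policy or flow analysis rather than a name list.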
| capableweb wrote:
| > > This is intended for _small teams_
|
| > As someone who has to manage _enterprise firewalls_
|
| Clearly not intended for you, as the quoted part tells you
| outright who it is intended for.
| Bluecobra wrote:
| I think it's a bit naive to believe that would stop someone
| from using this. Some new employee literally tried to install
| a CD crack on a work computer for some game just the other
| day.
| ako wrote:
| There are many small teams within large enterprises, one does
| not exclude the other...
| Timon3 wrote:
| I understand your perspective, it's absolutely right to insist
| on security in a corporate environment. I have also seen the
| other side as a developer and saw it happen a number of times.
| Understanding why it seems tempting to developers is probably
| the best way to fully get rid of it (although you might be
| doing so already, probably no way to fully get rid of the
| problem). The reasons I've seen usually were:
|
| - Undocumented or unknown processes. Many enterprises have a
| discoverability problem regarding almost all information, and
| as somebody that frequently required some special support for
| my work, it often took shockingly long to find a person who
| knew how to find the information in the respective intranet.
| It's important that not only are the services available, they
| also must be discoverable and known.
|
| - Complicated processes. A portion of developers that require
| these services are using them for the first time, or have used
| them without fully understanding and considering the
| implications. If the process for requesting support is too
| complicated (e.g. requiring a form where you either require
| very detailed information without assistance on how to find it,
| or - the worst case - a form with fields where the people
| responsible say "oh, just fill it with random stuff to keep
| going") it will make some people choose the less secure way to
| get going with work.
|
| - Long processes. If a developer wants to use such a service
| and it takes weeks to months to receive support (e.g. overload
| of tickets, or the only person responsible is on vacation) it
| sometimes leaves little to no choice.
|
| But again, definitely not advocating for circumventing
| security!
| nickjj wrote:
| Has anyone tried this for a free ngrok alternative that works
| with HTTPS, doesn't require setting up a server and has no rate
| limit within reason?
| https://developers.cloudflare.com/pages/how-to/preview-with-...
|
| Based on the page it looks like you can install Cloudflare's CLI
| and then run `cloudflared tunnel --url http://localhost:3000`,
| and you'll get back a URL to visit such as
| https://seasonal-deck-organisms-sf.trycloudflare.com. Looks like
| it supports being able to associate it with a custom domain too so
| you can have repeatable URLs.
| Hawxy wrote:
| Yep! We use this to test our webhook integrations locally.
| Works great.
| SamEdosa wrote:
| I recently changed over to cloudflare from ngrok. I followed
| this guide
| https://vitobotta.com/2022/02/27/free-ngrok-alternative-with...
| orf wrote:
| Yes, I use this a lot and it's fantastic. Works pretty
| flawlessly, is fast and super simple to set up.
| wahnfrieden wrote:
| it's only free for websites. if you are primarily an API, you
| have to pay (or wait for them to terminate your account) and it
| is EXPENSIVE.
|
| the free tier also has subpar networking in many parts of the
| world. make sure you don't care about those markets.
|
| edit: here are the terms of use:
|
| 2.8 Limitation on Serving Non-HTML Content
|
| The Services are offered primarily as a platform to cache and
| serve web pages and websites. Unless explicitly included as
| part of a Paid Service purchased by you, you agree to use the
| Services solely for the purpose of (i) serving web pages as
| viewed through a web browser or other functionally equivalent
| applications, including rendering Hypertext Markup Language
| (HTML) or other functional equivalents, and (ii) serving web
| APIs subject to the restrictions set forth in this Section 2.8.
| Use of the Services for serving video or a disproportionate
| percentage of pictures, audio files, or other non-HTML content
| is prohibited, unless purchased separately as part of a Paid
| Service or expressly allowed under our Supplemental Terms for a
| specific Service. If we determine you have breached this
| Section 2.8, we may immediately suspend or restrict your use of
| the Services, or limit End User access to certain of your
| resources through the Services.
| FragenAntworten wrote:
| I can't find any information about the API/website pricing
| differences on Cloudflare's website, but I'd like to know
| more - do you have a link or know where I should look?
| schemescape wrote:
| Last time I checked, if you want to use a custom domain, your
| domain needed to be managed by Cloudflare.
| Felminor wrote:
| Yeah configured it yesterday.
|
| Would have suggested it as an alternative if you hadn't asked
| for it
| capableweb wrote:
| I guess the biggest (and only?) drawback is that it
| (presumably) requires a Cloudflare account to use. So if you're
| living in Iran, Syria, Lebanon (and some more) you're out of
| luck as you cannot have an account with Cloudflare then.
|
| Otherwise it looks like a nice offering for sure.
| radec wrote:
| It doesn't appear to require an account. I just gave it a
| try, installed the deb, typed that one line command and it
| just worked. No idea if it would work in those countries
| though, I only tried it in a US location.
| minouye wrote:
| Yes, here's a nice description of how to set up:
|
| https://twitter.com/wesbos/status/1634310926219333642
| ithkuil wrote:
| https://tailscale.com/blog/introducing-tailscale-funnel/ is
| free for personal use
| Eun wrote:
| funnel is still in alpha stage, you have to join the waitlist
| to be added to the testers, could take a long time...
| ithkuil wrote:
| There is an invite code on a public tweet by bradfitz:
|
| https://twitter.com/bradfitz/status/1593767530082226176
| return_to_monke wrote:
| also, for a lot of use cases (eg accessing your home-hosted
| stuff, on the go) simply tailscale, even without funnel, is
| fine
| paxys wrote:
| Not quite the same thing. Setting up a Tailscale network and
| installing/running the VPN client on your laptop takes an
| order of magnitude more work and system access than just
| running a script to open a local HTTP port (which is how
| ngrok, pgrok, Cloudflare Tunnels etc operate). The use cases
| are very different.
| PLG88 wrote:
| So is zrok - https://zrok.io/. Also fully open source, can
| self-host and has an option for 'private share'.
| jeroenhd wrote:
| I've personally used TOR as a quick and dirty way to expose a
| service through NATs.
|
| Doesn't do HTTPS, but the protocol has a security layer built
| in already.
|
| I'm sure using this in a corporate environment will get you
| some strange looks from your sysadmin, but for my personal
| setup it works quite well.
| Eun wrote:
| I don't see a use case where a non dev should expose some local
| resource to the internet. These people don't run local
| webservers, nor know how they work.
|
| ngrok is a developer tool. I don't see why marketing a dev tool
| to non devs is a good idea, maybe somebody can explain?
| remexre wrote:
| What makes this seem like a non-developer tool? You need a
| server you control, you need to mess with YAML files,
| "configure Caddy" is one step that's assumed to be easy, etc.
| pcthrowaway wrote:
| From their docs:
|
| Why? Stable subdomains and SSO are two things too expensive.
|
| Why not just pick one from the Awesome Tunneling? Think
| broader. Not everyone is a dev who knows about server
| operations. For people working as community managers, sales,
| and PMs, booting up something locally could already be a
| stretch and requiring them to understand how to set up and
| fix server problems is a waste of team's productivity.
|
| Copy, paste, and run is the best UX for everyone.
| Eun wrote:
| It says literally:
|
| > Not everyone is a dev who knows about server operations.
| For people working as community managers, sales, and PMs,
| booting up something locally could already be a stretch and
| requiring them to understand how to set up and fix server
| problems is a waste of team's productivity.
| remexre wrote:
| Oh, I read that as "you can send the links to community
| managers, sales, and PMs rather than making them run the
| app locally," since that's like, the main use case.
| Eun wrote:
| Ah could also be, but the whole sentence was like this:
|
| > Why not just pick one from the Awesome Tunneling? Think
| broader. Not everyone is a dev...
|
| So I read this as targeting non devs.
|
| I think every other alternative from that list also
| supports common usable links.
| yjftsjthsd-h wrote:
| I've heard of people wanting remote access to things like Plex
| or security cameras hosted in their basement. Usually via VPN,
| but I could see someone using this kind of thing.
| ytwySXpMbS wrote:
| In a couple places grok is typoed as gork
| joe2010xtmf wrote:
| Thanks! will fix!
| johnstonnorth wrote:
| Don't think I've ever seen an alternative to ngrok that includes
| their "Inspection Interface" - that is such a useful feature for
| debugging.
| groestl wrote:
| I was under the impression that pgrok was unmaintained until now,
| to the extent that I was looking for alternatives. Did I miss
| something?
| prettyStandard wrote:
| I'm on mobile so it's hard to browse the repo, but it looks like
| the initial commit was 4 days ago. So I think this would be a
| different project with the same name.
|
| https://github.com/pgrok/pgrok/commit/1f57713c323ea494780590...
| groestl wrote:
| I see... it's a bit confusing, since there's an existing project
| in the same space (https://github.com/jerson/pgrok). It's
| even linked on the project above via the awesome
| https://github.com/anderspitman/awesome-tunneling list, I
| don't know why this is necessary.
| jeroenhd wrote:
| For one, this seems to integrate with OIDC setups, which
| makes it easier to use it with existing company credentials
| (rather than manage accounts for every tool you use).
|
| The naming conflict is unfortunate. At least the old
| repository is archived, but it'd still be better if this
| tool could be renamed IMO, especially since it's so new.
| dr_faustus wrote:
| We've used https://github.com/antoniomika/sish quite
| successfully. It's very easy to set up with docker compose and
| even supports letsencrypt wildcard certificates.
| antoniomika wrote:
| Thanks for posting! I'd suggest this to anyone that wants a
| stateless setup method which uses standard SSH key/password
| auth. sish also has support for internal tunnels (hidden from
| the world and accessible with local/remote SSH forwards), SNI
| tunnels (zero trust TLS tunnels), TCP, and of course
| HTTP(S)/WS. Also does request inspection ala actual ngrok :)
|
| Disclaimer: I'm the author and have done tunneling for years
| eliben wrote:
| I recently wrote about how ngrok-like functionality is easily
| implemented in Go via SSH port forwarding:
| https://eli.thegreenplace.net/2022/ssh-port-forwarding-with-...
| joe2010xtmf wrote:
| A multi-tenant HTTP reverse tunnel solution through SSH remote
| port forwarding.
| Felminor wrote:
| Great thing about k8s: you can expose all your dev env needs
| super fast and easy.
|
| And adding a dex or so upfront is also super easy.
|
| If you are a small company and need this regularly try to take a
| look at managed k8s.
|
| It will be worth it
| t43562 wrote:
| I find it quite amusing that I read the pgrok and ngrok websites
| (at least the front page) and cannot understand what the hell
| either of them do.
|
| It's like they can do almost anything...what exactly? .... well
| whatever you can think of.....er like what?
|
| You can open localhost to the internet.......?????????? Sorry?
|
| Anyhow if anyone would care to put me out of my misery by
| explaining a bit I'd be grateful.
| mfkp wrote:
| Let's say you're running a local development server on
| localhost:3000
|
| If you want to share this with someone not on your computer, it
| will proxy through a real domain name that someone else can
| access remotely.
| shortrounddev wrote:
| Proxies HTTP requests from a temporary server with a public
| domain record to a localhost server. Useful for some
| development environments, and also if you don't feel like
| dealing with networking in docker. At one company I worked at,
| we ran everything through vagrant and running ngrok was easier
| than a junior java engineer learning anything about networking.
| stavros wrote:
| Why do projects that are meant to be lightweight use Postgres
| instead of SQLite? The latter is much easier to deploy (you,
| well, just don't need to), and does 99% of what anyone needs, and
| definitely 100% of what small projects need.
| throwawaaarrgh wrote:
| Like everything in life, "it depends."
|
| If what you need can suffice with SQLite, then Postgres will
| work too.
|
| If you're running an app on a VM, running Postgres on it too is
| easy and isn't "big". It's easy to install and set up, and
| you're set up for all the features you may want later. Plus you
| avoid having to refactor for a different database later on.
|
| If you're running your app in a serverless context, or on a
| PaaS/SaaS, etc, then SQLite might be easier. But maybe you want
| horizontal scalability with a shared dataset and then you're
| back at Postgres.
|
| Just picking one thing "because everybody does" or "because
| it's lightweight" or "it works in most cases" etc aren't good
| reasons to pick technology. Look at your actual application,
| make a list of pros and cons, and choose based on your
| situation, not the cargo cult answer from the HN hive mind.
| stavros wrote:
| Except I have to install Postgres and create a user for it,
| which I don't have to do with SQLite.
| lxgr wrote:
| A project using Postgres vs. SQLite can make the difference
| between being able to run a single Docker container or having
| to use Docker Compose.
|
| Nothing big, but I do appreciate being able to trial a tool
| or service on a test machine with a simple `docker run`.
| jeroenhd wrote:
| I use Postgres in my personal projects because I have a server
| (with backups etc.) running anyway. Since this project also has
| OIDC authentication, I imagine the target audience may already
| be running a PG server?
|
| Going by
| https://github.com/pgrok/pgrok/blob/main/internal/database/d...
| I don't think adding SQLite support should be that difficult.
| The ORM used (gorm) has SQLite support already.
|
| Edit: this seems to be intentional to keep maintenance cost
| down: https://github.com/pgrok/pgrok/pull/11
| indymike wrote:
| It looks like this may be a great place to use SQLite instead
| of Postgres because of the requirement to run this on a single
| server.
| capableweb wrote:
| Cargo culting. If you never used SQLite, anytime you need a
| database you use whatever you've used before without shopping
| around or considering if what you're about to use is right.
| stavros wrote:
| I guess... That's too bad, this project looks great but
| having to install/connect Postgres is putting me off
| installing it.
| capableweb wrote:
| Yeah, in better news though, it seems to be using gorm
| which has different drivers available
| (https://gorm.io/docs/connecting_to_the_database.html),
| SQLite being one of them. So unless they are doing
| something postgres specific, should be relatively easy to
| switch it out.
| PLG88 wrote:
| If you want a similar project which 'just works' then
| consider using zrok. It's fully open source, which you can
| self-host or use the free hosted version - https://zrok.io/
| pizza wrote:
| Hang on a second- this project looks to be assuming that the
| db will be remote and over the internet. Even the SQLite
| official document recommends people to use PostgreSQL in that
| scenario [0]:
|
| _> Generally, if your data is separated from the application
| by a network, you want to use a client/server database. This
| is due to the fact that the database engine acts as a
| bandwidth-reducing filter on the database traffic ... Use a
| client/server database engine. PostgreSQL is an excellent
| choice._
|
| [0] https://www.sqlite.org/useovernet.html
| capableweb wrote:
| No, the project has two parts. One server and one client.
| The client obviously runs on a different host than the
| server, but nothing in the architecture says that the
| server and the db have to run on different hosts.
|
| You can also see that the pgrokd.yml config example is
| connecting to the database via localhost, so running on the
| same machine as "pgrokd" (the server part of pgrok).
| pizza wrote:
| My mistake, it looks as though the desiderata was single
| client/server db backend in the first place, and remote
| db was just an added bonus of that -
| https://github.com/pgrok/pgrok/pull/11
| paxys wrote:
| Small projects can still need to expand beyond a single server
| or have zero-downtime deploys.
___________________________________________________________________
(page generated 2023-03-12 23:01 UTC)