[HN Gopher] Show HN: Malai - securely share local TCP services (...
___________________________________________________________________
Show HN: Malai - securely share local TCP services (database/SSH)
with others
malai is a peer to peer network, and is a dead simple way to share
your local development HTTP server, without setting up tunnels,
dealing with firewalls, or relying on cloud services. In malai 0.2.5,
we have added TCP support, which means you can expose any TCP service
to others using malai, without opening the TCP service related port
to the Internet. With malai installed on both ends, any TCP service
can be securely tunneled over it. It can be used to secure your SSH
service, or securely share your database server. GitHub:
https://github.com/kulfi-project/kulfi (star us!) Would love
feedback, questions, or ideas -- thanks! PS: We have also added
`malai folder`, which lets you share (readonly) the content of a
folder with others.
Author : amitu
Score : 88 points
Date : 2025-05-27 14:34 UTC (8 hours ago)
(HTM) web link (malai.sh)
| mdaniel wrote:
| > In this case, you can visit
| kulfi://http-e9b1c82b43206c96173848ed0afad2fe633fdc8a02ba391a3d37,
| which is where the Talk App lives.
|
| What is the DNS story for this platform? Or are you intending to
| be kind of like a replacement for Syncthing where each endpoint
| has to explicitly approve the other and thus discovery is left as
| an exercise to the reader?
|
| Actually, even after further thought, I am still able to rename
| my peers in Syncthing, and unless one has to go to the dashboard
| for getting that Talk App link(? button?) all the time, it's been
| my experience that folks will always want aliases for ginormous
| hex strings
|
| ---
|
| p.s. you have some broken images in your Journey docs
| amitu wrote:
| Kulfi is a network (peer to peer) which supports http/https; even
| tcp can be sent over kulfi.
|
| Kulfi App is a web browser that talks kulfi protocol natively,
| so you can open kulfi://<id52> natively. malai is the server
| side part of this story, and can expose existing HTTP/TCP
| services over kulfi:// network.
|
| For DNS, here is my initial design/thought:
| https://github.com/kulfi-project/kulfi/discussions/55
|
| For access control, we are working on a "what-to-do" service,
| which is a bunch of HTTP/JSON APIs, that will be called by the
| malai (which runs on your server, or even as part of
| Django/Node/Golang once we wrap malai as a cffi library, and
| write corresponding Python/Node etc packages). You will be able
| to write the what-to-do in any framework you like, and we will
| maintain a general purpose open source what-to-do service.
| thm wrote:
| Don't we use Tailscale for this?
| haiku2077 wrote:
| Indeed.
|
| https://tailscale.com/kb/1312/serve
| Apreche wrote:
| Or ngrok, or Cloudflare Tunnel or
| https://github.com/anderspitman/awesome-tunneling
| danielbln wrote:
| I'm gonna add https://localhost.run as a contender.
| apitman wrote:
| It's on the list linked
| amitu wrote:
| Unlike tailscale/ngrok, malai is completely open source, does
| not rely on any company provided infrastructure (we have a http
| bridge to bridge http/tcp with http/kulfi at *.kulfi.site, but
| you can run your own http bridge), and once Kulfi app is ready,
| you will not need the bridge at all and Kulfi app (which is
| also basically a browser that speaks http(s) over kulfi along
| with http(s) over tcp) can talk kulfi protocol directly.
| aidenn0 wrote:
| Iroh requires relay servers; so wouldn't Malai need those?
| amitu wrote:
| Yes, we are currently using iroh provided relay servers.
| malai will soon connect with any relay server, so in future
| you can use ones provided by us, or run your own.
| hoistbypetard wrote:
| Among other clear differences, it looks like tailscale requires
| you to sign in with some cloud provider and Malai does not.
|
| I use and like tailscale for similar purposes, but I can see
| why some people might prefer to skip that aspect, especially.
| jarsj wrote:
| Awesome would love to use it.
| OJFord wrote:
| 'hehe, malai, wonder if they know' -- 'oh, kulfi, ok they
| definitely know' -- just a fun quirky name, or an analogy I'm
| missing?
| amitu wrote:
| malai: cream that forms on top of milk when it cools down, it's
| a flavor of kulfi. kulfi: a milk based ice cream / dessert.
| Nothing to do with networking etc, just a dessert I enjoyed
| since childhood :-)
| srameshc wrote:
| Nice naming of your projects. It just caught my attention :).
| sky_fan wrote:
| malai also means mountain in my mother tongue Tamil and I am
| named as malai.
| OJFord wrote:
| Yep, just wondered if there was some analogy/joke like malai
| is the layer on top and kulfi is.. I don't know, the rod that
| connects A to B or something (that's nonsense, but that's why
| I was asking!)
|
| Anyway, project seems great and all, but I'll wait for pista.
| :)
| qudat wrote:
| Very cool! This is similar to a service we manage at
| https://tuns.sh that runs entirely as an SSH server.
|
| We love to see new ideas in this space since we think tunnels are
| great for prototyping and app development.
| thenthenthen wrote:
| Sorry, noob here: Can this traverse managed NAT and deep packet
| inspection?
| amitu wrote:
| We are using iroh[1] internally, so the question is does iroh
| support these things? The quickest way to answer this would be
| to test it. Can you help me with what kind of setup would be
| needed for me to test this?
|
| [1]: https://www.iroh.computer
| lxgr wrote:
| Sorry, but basic NAT traversal is an essential feature for
| any P2P network launched in at least the last 20 years, and
| as such doesn't seem like something you can just leave to
| lower layers or even ask your prospective users to figure out
| themselves.
| candiddevmike wrote:
| I read the readme and I don't quite understand the relationship
| between malai and kulfi, or what the "total cost" (what I need to
| know, what I need to install) of the stack is here.
| amitu wrote:
| Kulfi is the official name of the project, and the name of the
| "peer to peer internet" "id52/identity based internet", so
| kulfi net.
|
| Kulfi App is going to be a browser like Google Chrome,
| available on various app stores, and it will speak both http
| over tcp and http over kulfi. Kulfi app acts like a client (but
| is also a server, so on your iPhone tomorrow you can install
| Kulfi, which will let you access any http over kulfi site, and
| also will run a web server which is exposed over kulfi net for
| others to access, so my Android phone's Kulfi browser can
| connect with your iPhone's Kulfi's web server, with no
| intermediary [1]).
|
| malai is ready now, and it is a Swiss army knife toolkit for
| working with kulfi net. Currently malai can expose a HTTP or
| TCP service over kulfi net.
|
| Malai also has a "http bridge" feature, which bridges any malai
| exposed http over kulfi service with the http over tcp, so
| people can use regular browsers to access malai exposed HTTP
| services.
|
| [1]: we are using https://www.iroh.computer/blog/iroh-dns, so
| their caveats apply.
| lxgr wrote:
| What's id52?
|
| I feel like I'm missing a lot of context to understand what's
| being shared here.
| immibis wrote:
| Kulfi red flags:
|
| Does the same thing as a bunch of other systems (e.g. Tor)
| without providing any comparison of what this one does better.
|
| Docs pages are TODO, certainly don't explain how it works.
|
| Website is "Copyright 2025 YourCompany, Inc."
|
| Discord link goes to something called "fastn" with apparently no
| relation to Kulfi.
| amitu wrote:
| fastn is an ingredient to kulfi project. fastn.com is a full
| stack programming language we (FifthTry, Inc, the company
| behind these) have built, and it is the web server that is
| going to be part of Kulfi app.
|
| The comparison posts, TODO, copyright etc we will do/fix when
| we get around to it. It's all open source, you can send PRs as
| well.
| tauoverpi wrote:
| How does fastn handle errors? Is it possible to perform the
| SQL query client side or does it prevent / add friction for
| such? Can I visit `/foo/";DROP%20TABLE%20users;/` or does it
| handle inputs properly?
| redleader55 wrote:
| A few more:
|
| No explanation of how it works
|
| Comments in this thread reveal a bunch of obscure components
| that also don't have much detail.
| lxgr wrote:
| To be fair, assigning copyright to the reader is a good first
| step to build trust :)
| snihalani wrote:
| what problem does this solve over ngrok/tailserve?
| Ingon wrote:
| Looks very cool. Another self-hosted, open source, and private
| solution in this space is my own
| https://github.com/connet-dev/connet/
| apitman wrote:
| I maintain a list of tunneling solutions here:
| https://github.com/anderspitman/awesome-tunneling
|
| Usually my first question is what makes this different than the
| many existing options. Looks like the answer in this case is that
| it's p2p and built on iroh (which is built on QUIC), which I find
| interesting. Would love a PR on the list.
| hamburglar wrote:
| This desperately needs a "how the hell does this work" page for
| either malai or kulfi (preferably both) because the vibe I'm
| getting is "it's magic! Trust us and sign up for an account."
| p0w3n3d wrote:
| It's magic man-in-the-middle and we're the magicians here
| hamburglar wrote:
| I'm always wary when there's clearly some infrastructure
| required and it isn't clear how it gets paid for. What's the
| catch? What's between my bridge listener and my target, and
| what's their incentive to be there?
| nokun7 wrote:
| I use ngrok for exactly this type of functionality. Can someone
| clarify why would anyone need malai over ngrok?
___________________________________________________________________
(page generated 2025-05-27 23:00 UTC)