Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
tunnelmole
Advanced tools
Tunnelmole, an open source ngrok alternative. Instant public URLs for any http/https based application. Available as a command line application or as an NPM dependency for your code. Stable and maintained. Good test coverage. Works behind firewalls
Tunnelmole is a simple tool to give your locally running HTTP(s) servers a public URL. For example, you could get a public URL for
Getting a Public URL for the Tunnelmole Website, which is running locally
Tunnelmole has been compared to a similar tool known as ngrok
, but is open source.
If you are using the default configuration you will get a HTTPs URL for free.
Heres what you could do with your new public URL
There are a couple of ways to install Tunnelmole.
If you have NodeJS 16.10 or later, you can install Tunnelmole by running
sudo npm install -g tunnelmole
Alternatively, you can install a pre-built binary for your platform
Copy and paste the following into a terminal:
curl -O https://install.tunnelmole.com/n3d5g/install && sudo bash install
The script will detect your OS and install the right version.
I'd like to have the install script for Linux and Mac also working in Cygwin and Mingw. Let me know if you're willing to help test!.
The above binaries are generated with a combination of pkg and rollup.
To create your own, set up this repo and then run npm run build-all-bin
. Once that finishes, run the appropriately named binary for your OS from tmole-linux
, tmole-mac
or tmole.exe
(windows). Send the other ones to your friends running different OSes.
First, verify that the install went fine by running
tmole
This command should print the help and doesn't connect to any external services.
If instead you got an error and you installed with npm
, you probably have an older version of Node (lower than 16.10) installed. Check your NodeJS version with node --version
and then reinstall using one of the above copy/paste install commands to get the pre compiled binary for your platform. If you got an error and are running a supported NodeJS version, be sure to Raise an issue.
Now that you have a working installation:
tmole <port number>
, replacing <port number>
with your applications port number. For example, if your application listens on port 8080
, run tmole 8080
.Here's what it should look like
$ tmole 8080
http://evgtkh-ip-49-145-166-122.tunnelmole.net is forwarding to localhost:8080
https://evgtkh-ip-49-145-166-122.tunnelmole.net is forwarding to localhost:8080
Now, just go to either one of the URLs shown with your web browser. The URLs are public - this means you can also share them with collaborators and others over the internet.
Sometimes, it can be useful to have a domain that does not change frequently. To use a custom subdoman run
tmole 8080 as <yourdomain>.tunnelmole.net
.
If you are using the hosted service (which is the default) and you want to use a custom subdomain you'll need to purchase a subscription Learn More.
Otherwise, you can self host. To learn more go to the Tunnelmole Service GitHub repo.
To use Tunnelmole as a dependency for your project you need Node 16.10 or later.
Add Tunnelmole as a dependency with
npm install --save tunnelmole
First import tunnelmole
. Both ES and CommonJS modules are supported.
Importing tunnelmole
as an ES module
import { tunnelmole } from 'tunnelmole';
Importing tunnelmole
as a CommonJS module
const tunnelmole = require('tunnelmole/cjs');
Once the module is imported you can start tunnelmole with the code below, changing port 3000 to the port your application listens on if it is different.
const url = await tunnelmole({
port: 3000
});
// url = https://idsq6j-ip-157-211-195-169.tunnelmole.net
Tunnelmole will start in the background and you'll see output in the console log similar to the Tunnelmole command line application which will include the public URLs that now point to your application. The function is async
and won't block execution of the rest of your code.
If you want to use a custom subdomain, you could also pass the domain as an option.
const url = await tunnelmole({
port: 3000,
domain: '<your tunnelmole domain e.g. mysite.tunnelmole.net>'
});
// url = mydomain.tunnelmole.net
Again if you are using the hosted service (which is the default) and you want to use a custom subdomain you'll need to purchase a subscription Learn More.
Otherwise, you can self host. To learn more about this option go to the Tunnelmole Service GitHub repo.
To suppress the initial output with the URLs, set the environment variable TUNNELMOLE_QUIET_MODE=1
somewhere in your environment. This might be useful in a CI/CD environment or in other scripts.
Installing Tunnelmole as an NPM dependency will make the following executables available in your project:
node_modules/.bin/tmole
node_modules/.bin/tunnelmole
They both work identically to the Tunnelmole command line application.
You can run them manually in the same way as the command line application (for example node node_modules/.bin/tmole 3000
), but its far more convenient to integrate them with NPM scripts in package.json
. This way, you can automate starting your application and generating a public URL with a single command. For example:
{
"name": "myapp",
"version": "0.0.1",
"scripts": {
"start": "dist/index.js",
"start-public": "npm run start && tmole 3000"
}
}
In this example, npm run start-public
will simultaneously start your application and get tunnelmole to generate public URLs tunneling to port 3000. Replace port 3000 with the port your application listens on if it is different. You will see the public URLs in the command line output.
This allows you to start your application and get a public URL with a single command, instead of needing to run two commands in separate terminals.
To help improve the developer experience of Tunnelmole, some anonymized Telemetry data is collected by default.
For example
To disable the telemetery, add the variable TUNNELMOLE_TELEMETRY=0
to your environment.
On Linux and Mac, to opt out for a single run of Tunnelmole you could put this in front of the tmole
command, for example
TUNNELMOLE_TELEMETRY=0 tmole 80
To opt out by default:
export TUNNELMOLE_TELEMETRY=0
to your shells startup script, usually .bashrc
or .zshrc
but it will be different if you are not using bash or zsh as your shell. Then log out and back in to apply the changes.TUNNELMOLE_TELEMETRY=0
to your environment variables using the System utility https://www.computerhope.com/issues/ch000549.htm. Then restart your computer to apply the changes.To get more info on hacking Tunnelmole as well as debugging, contributing and more view the full README on GitHub.
This package is for the Tunnelmole client. The service is also open source and its possible to self host. Get the code at (https://github.com/robbie-cahill/tunnelmole-service/).
FAQs
Tunnelmole, an open source ngrok alternative. Instant public URLs for any http/https based application. Available as a command line application or as an NPM dependency for your code. Stable and maintained. Good test coverage. Works behind firewalls
We found that tunnelmole demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.