If there is one thing that I have considered a flaw in computing, it's that there have been few ways for inexperienced developers and users to use one simple system which allowed them to circumvent their host based firewall, their network IDS, their edge based UTM and the OS security assumptions around localhost being a protected, private interface. The value of a point and click system to expose these directly to the internet and a domain that serves as a collection point for them can not be understated.
If a service is binding only to ::1, and not 0.0.0.0 or your current routable IP, it's explicitly deciding that it shouldn't be accessible from beyond the local computer. And in a lot of cases, it's right even if it doesn't explain why exactly. When exactly did we decide local port forwarding was too hard even for technical people? Or, I dunno, servers?
I think I just heard many system administrators collectively clutching their chests in pain.
If inexperienced devs and users could suddenly drop their pants at will, imagine the mayhem that would occur if experienced devs with malicious intent were set loose in that environment? You can't pretend they don't exist - in fact, it's better to assume everyone who's not you is out to utterly destroy your data ASAP. Some would argue don't even trust yourself.
Those firewalls, IDSes, UTMs and assumptions are pretty much the only thing protecting inexperienced users from themselves.
I think, if you have a system administrator, you're not the target audience for localtunnel. This is for home users who don't understand how to get their computer+router+apartment building's switch+etc to cooperate in getting them a public route.
Maybe they should just make it bind to a port below 1024, so it requires root/Administrator privileges to run. Then, if you are your own sysadmin, you can let yourself in--and if someone else is, you'll have to take it up with them.
The real barrier to entry is the point between "cheap" and "free"--especially when first learning. For me, that was when I was 10/11. No chance of getting hold of a credit card to get a "cheap web host or VPS." I could only experiment with what my computer was willing to do on its own.
Heroku's almost the right thing for this, I think, though it still requires a credit card to sign up fully (it doesn't technically, but it does to enable free add-ons, so without a credit card you don't get, say, database persistence.) Obviously, Heroku is geared for adult developers--or, more specifically, to start-ups that Heroku hopes will become monsters dependent on Heroku's stack.
What would be perfect is a service like Heroku, but specifically for people learning to code; maybe something joined-at-the-hip with an online coding-school website. When you attend a real CS program, you get access to the labs and mainframes to test your programs on--where's the online version of that?
So, anything like this already exist? Or should I build it?
I just think of a 10-11 year old putting their personal--or their family's--computer straight onto the public web with some random hacked-together code, and it makes me feel very nervous. What are the chances they are going to understand all the security implications? Pretty low, I think.
On the other hand, no one ever learned much by always taking the perfectly safe path. And who am I to judge whether people are "ready" for the Web? It's the old freedom vs. security argument.
Amazon does provide a free tier of EC2, which is great for tinkering around. But it takes a certain amount of knowledge to get one working as a web server. A tutorial, or a project that makes it easier, might be a good place to start.
>>I think I just heard many system administrators collectively clutching their chests in pain.
I was trained to do this by reflex. Anytime you expose anything on your network, no matter what it is, without some layer of security between you and the internet, you're asking for trouble.
Whether this is a warranted reaction or not, I don't know. I'm pretty sure it's from spending too much time hanging out with hackers and sysadmins. It's just locked in my brain not to do something like this - ever.
It's completely impossible to develop for Twilio, Facebook, and many other public APIs without putting your work on the public internet. If you want to develop for a public API in a native GUI text editor, tunneling through your firewall is the only way to do it.
Abstracting away all the firewalls and IP addresses and stuff is really convenient. Restrictions aren't always put in place for a good reason, increasingly they are just a function of IP address scarcity.
(disclaimer: I created https://pagekite.net/ which is one of localtunnel's competitors)
And yet when the service binds to localhost instead of a local, private routable address that clearly exists as you're tunneling to the internet, it has said "hey, look, whatever I'm doing I don't want any other computer anywhere to be able to connect. localhost is identical on everything explicitly so it has zero chance of routing." Why not open tunnels to whatever routable private IP you have up?
And while a bit tongue in cheek, I'm not too aware of this whole IP address scarcity thing. I've got a decent chunk of a /29; if you could use a /48 or ten for your local networks just ask! Or would it be tough to squeeze down to only 18,446,744,073,709,551,616 local addresses?
Binding to localhost by default is good security hygiene, a "closed by default" strategy, which doesn't necessarily mean you never intend to expose that server ever.
Tools like PageKite and localtunnel are completely in line with that philosophy, nothing is exposed to the outside world until you explicitly request it and then only the named service you chose (as opposed to whatever is on the port or god forbid everything listening on a particular IP). I personally feel more secure temporarily exposing a server using PageKite than I would if my router had been reconfigured to always allow traffic through on particular ports - it's a lot easier to turn PageKite off than it is to go reconfigure my router every time I am done testing.
Convenient security is good security, because it is more likely to be used correctly.
IPv6... well, good luck with that. :-) Aside from how few western ISPs offer IPv6 service, consider the fact that the majority of our devices are mobile these days. My laptop changes networks and IPs many times a day and I still like being able to run a visible server on it. Configuring plain IPv4 or IPv6 to do that elegantly is decidedly nontrivial.
I think you missed the sarcasm and irony that was fairly evident in his comment. However, perhaps we can expect a user who can gem install something to have an acceptable level of awareness of the security implications of such a tool?
> However, perhaps we can expect a user who can gem install something to have an acceptable level of awareness of the security implications of such a tool?
No, we can not. From both personal experience (developers can be dumb as bricks and know nothing outside their specific knowledge domain) and good security practices (you don't trust the user, even if they say they're good for it).
And yes I hope it was just sarcasm I missed, but that's why I had to ask.
Can you elaborate on why you equate this localtunnel to "removing all security" ?
I haven't tried it, but it seems to forward a single port that's running service X that I want to make available on the net.
Any way whatsoever of fulfilling that need (no matter if it's one button click or setting up a separate VM for that service) would involve making a hole in all relevant firewalls and making the (possibly buggy) service X available to everyone.
Is the user goal of "making service X available to everyone" bad in itself?
When you allow public connections to a service running on a machine, security for that entire machine now largely depends on that service. Are you 100% sure that your copy of Apache or Nginx is patched up to date? That the web app you just coded up won't allow arbitrary command execution? That the OS has no local privilege escalation vulnerabilities?
If you are using a web host or VPS, the risk is limited to the code you're testing. You could lose the whole machine and it's no big deal.
But if you've exposed your personal machine--with all your documents, files, settings, etc.--then you've got a lot more to lose if a bad guy gets in. Worst case is a rootkit install that collects all your passwords and sends them out.
The primary use case is for web applications which will eventually run on public servers. So yes, it is a good thing for people to be able to easily simulate having their software run on a public server. It's also necessary if you're writing something that receives events from other APIs like Twilio.
I have tried a variety of different services that provide this but I have decided that I like the newer https://ngrok.com/ service more. I have had some major difficulties with localtunnel on my mac in the past.
Hi zek, glad you like ngrok! Progrium and I have been talking about combining efforts recently. I'm going to be extracting out the tunneling component of ngrok into a library that will be used by both ngrok and a new version of localtunnel which will have all of the stability (and features like TCP tunneling and custom hostnames) that you enjoy with ngrok.
You'll still want to use ngrok if you want to do any traffic inspection or request replays.
Lastly, I have some new features coming up for ngrok including the ability for it to auto-update without your intervention so that I can push features more rapidly without bothering everyone to update every other day. I've open sourced the code to do it as a separate library (https://github.com/inconshreveable/go-update), and I'll be writing a blog post about the techniques necessary to make it work. Stay tuned!
Hey, quick question: is there a way to make ngrok preserve the Hostname it passes to my local machine? E.g. we're using virtualhosts and I need the requests to hit my local host with the correct hostname.
Ngrok will pass the same hostname that it received from the public request, so something like example.ngrok.com. If you use the -subdomain flag, then it will always be the same hostname. I'm not entirely sure I answered your question, so if that didn't help, feel free to email me and we'll get it sorted out: alan at ngrok dot com
At first glance it looks like ngrok supports Windows without Ruby or Python, which I really appreciate. Not sure why that market (Win w/o Ruby/Python) has been completely ignored so far. But it seems like a strong selling point. Thanks guys! signup
You can roll your own localtunnel too if you want. I was working on a shopify app earlier this year and needed a consistent URL to test with. I wrote a tutorial on how to do this here: https://neil.quora.com/Roll-Your-Own-LocalTunnel-With-Nginx
I've been using them instead of localtunnel, and the experience is much nicer. I had a recent problem where localtunnel just flat out wouldn't work for me, so I didn't have a choice but to switch.
Runscope can do this with the Passageway feature. It also has traffic inspector, request editor and the ability to do shared requests https://www.runscope.com/
I've created http://openport.be for the same reason.
The website still needs some work but check out the client code from https://github.com/jandebleser/openport-it
(It works on all Debian platforms including Raspbian for the Raspberry Pi).
You can share all ports, and shares are restarted after a reboot.
Yes, two things conspire to seeing it multiple times; First new people join HN and think "Hmm, this would be interesting to that group" and post it, and second, some people who count karma say "Hmm, that got some good karma back <whenever> I'll post it again." There are some automated controls on the second case and not really any control on the first case.
Both cases provide interesting information, in the first case things that every new person posts are generally pretty widely interesting. In the second case it is interesting to see reputation manipulation through gaming. Some people see a "score" and are compelled to "win."
To expand on this, if you want to do pretty much any development on a Mac, you are going to want to install Xcode and the Xcode Command Line tools - as that'll allow anything else you want to run to build.
+1 for ngrok. It is more recently updated. Some would say it is easier more flexible for the rest of us. This is a recent blog post about it: http://www.elcoderino.com/tag/ngrok/
This is particularly great news for me. I live with firewalls both at work and at home. Now I can reach through into my linux machine over the web using something like tty.js - Thank you very much for improving the development and documentation. I am just a hobbyist web developer and I'm sure there are many others like me who will benefit from the combination of both projects.
My tool, PuPHPet [0], can replace the need for this.
If you have a DigitalOcean account, you can have a 100% copy of your dev environment running on DO within 2 minutes of `$ vagrant up`... and as soon as you want it removed you would simply `$ vagrant destroy`!
I recently launched http://www.ultrahook.com which is similar but focused on webhook tunneling only. It provides persistent hostnames and communicates over HTTP.
Localtunnel and PageKite overlap, but the focus of the two projects is actually very different. Localtunnel is just for quick one-off tests. Although PageKite can do that as well, our (I am the author) real goal was to make self-hosting easy for folks who don't necessarily have full control over their networking infrastructure or are using primarily mobile devices.
The two projects started at roughly the same time though, in fact I think localtunnel predates PageKite by a few months.