Advanced uses
Connecting to SSH via the HTTPS port
In some networks, outbound connections to 22 (or 2222) may be blocked by the operator. In Sandhole, it's possible to get around this with the --connect-ssh-on-https-port option.
Once your administrator has configured it, you can then expose your services with:
ssh -R example:80:localhost:3000 sandhole.com -p 443
Custom domains
You can also use your custom domains with Sandhole. For this, you'll need your SSH key's fingerprint and control over your domain's DNS.
For the former, you can run ssh-keygen -lf /path/to/private/key and take note of the second field - it will look something like:
SHA256:bwf4FDtNeZzFv8xHBzHJwRpDRxssCll8w2tCHFC9n1o
Then, add the following entries to your DNS (assuming that your custom domain is my.domain.net):
| Type | Domain | Data |
|---|---|---|
| CNAME | my.domain.net | sandhole.com |
| TXT | _sandhole.my.domain.net | SHA256:bwf4FDtNeZzFv8xHBzHJwRpDRxssCll8w2tCHFC9n1o |
This instructs your DNS to redirect requests to Sandhole, and tells Sandhole to authorize your SSH key for the given domain, respectively.
If you need to use multiple keys for the same domain, simply add a TXT record for each one.
Then, expose your service at the given domain:
ssh -R my.domain.net:80:localhost:3000 sandhole.com -p 2222
HTTPS support
If your administrator has configured ACME support, you don't need any extra steps. HTTPS will be automatically provisioned for your custom domain.
However, if you require DNS challenges for your domain's certification for any reason, and your administrator is running dnsrobocert, you can simply set another DNS entry:
| Type | Domain | Data |
|---|---|---|
| CNAME | _acme-challenge.my.domain.net | _acme-challenge.my.domain.net.sandhole.com |
This lets dnsrobocert manage the ACME challenge for you, as long as the admin updates its configuration.