A single Go binary. No daemons to babysit, no Docker, no reverse proxy config files.
Generates a local CA, installs it into your system keychain once. Every domain gets a signed cert. Green lock, always.
ECDSA P-256One command to start. proxysh manages /etc/hosts, cert generation, and the LaunchAgent. Nothing to hand-edit.
Auto-start on loginRaw TCP hijacking means WS connections work without any special proxy config. Next.js, Vite, Remix — all fine.
Full duplexOne flag and your local port is live at a public URL. Password protection and TTL expiry included.
--port 3000Add and remove domains without restarting anything. The daemon swaps its route table atomically.
Zero downtimeCommit a .proxysh.yaml to your repo. Every developer gets the same HTTPS setup without any manual steps.
YAMLRun the install script and then proxysh start. A local CA is generated, trusted by your system, and the daemon is registered as a LaunchAgent. One sudo prompt. Done forever.
Run proxysh up myapp 3000. A TLS cert is issued for myapp.test, /etc/hosts is updated, and the route is live. The daemon hot-reloads — no restart needed.
Visit https://myapp.test. Green padlock. No warnings. Port 443 → 8443 via a pf rule so the daemon never needs root after setup.
Run proxysh share --port 3000. A tunnel connects to the relay server and you get a unique public URL like swift-river-4271.proxysh.show.
proxysh start
Generate CA, install trust, start daemon
proxysh up <name> <port>
Add https://<name>.test → localhost:<port>
proxysh down <name>
Remove a .test domain mapping
proxysh list
List all active domains and their status
proxysh share --port 3000
Create a public URL for a local port
proxysh logs -f
Follow the proxy daemon log in real time
proxysh stop
Stop the daemon
proxysh doctor
Run health checks on your setup
Installs to ~/.local/bin — no sudo required.
Free forever. Open source. No account, no cloud dependency, no telemetry.