warp-tech/warpgate: Smart SSH, HTTPS and MySQL bastion that needs no client-side software

mirror of https://github.com/warp-tech/warpgate.git synced 2026-01-12 00:54:13 +08:00

Smart SSH, HTTPS and MySQL bastion that needs no client-side software

bastion bastion-host https https-proxy infrastructure mysql mysql-proxy proxy rust ssh ssh-server starred-repo starred-warp-tech-repo

Find a file

Jose Luis Gonzalez Calvo 08722341af fix: modify GEX parameters in SSH key exchange configuration so that it uses 2048 bits (#1659 )		2026-01-07 16:40:51 +01:00
.cargo	reproducible build test	2025-03-21 23:47:06 +01:00
.github	Bump actions/download-artifact from 6.0.0 to 7.0.0 (#1641 )	2026-01-04 00:07:21 +01:00
.well-known	Create funding-manifest-urls	2024-10-17 11:21:22 +02:00
docker	feat(cli): add support for setting config path through env (#1650 )	2026-01-05 17:26:57 +01:00
helm/warpgate	Create the admin user by default even if unattended-setup not called (#1620 )	2025-12-26 12:18:19 +01:00
tests	Add JSON log output format for easier log processing (#1609 )	2025-12-30 23:56:32 +01:00
warpgate	feat(cli): add support for setting config path through env (#1650 )	2026-01-05 17:26:57 +01:00
warpgate-admin	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-common	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-core	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-database-protocols	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-db-entities	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-db-migrations	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-ldap	LDAP user sync (#1603 )	2025-12-26 21:14:00 +01:00
warpgate-protocol-http	bump rust dependencies (#1658 )	2026-01-07 11:11:25 +01:00
warpgate-protocol-mysql	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-protocol-postgres	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-protocol-ssh	fix: modify GEX parameters in SSH key exchange configuration so that it uses 2048 bits (#1659 )	2026-01-07 16:40:51 +01:00
warpgate-sso	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-tls	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
warpgate-web	Correctly naturally sort all relevant lists in the UI (#1656 )	2026-01-07 11:11:16 +01:00
.all-contributorsrc	add justinforlenza as a contributor for code (#1651 )	2026-01-05 17:28:28 +01:00
.bumpversion.cfg	Bump version: 0.19.0 → 0.19.1	2026-01-05 15:15:57 +01:00
.dockerignore	lint & format	2025-12-17 18:51:45 +01:00
.flake8	added e2e tests	2022-08-14 12:36:49 +02:00
.gitignore	SBOMs (#1289 )	2025-03-20 16:11:14 +01:00
Cargo.lock	bump rust dependencies (#1658 )	2026-01-07 11:11:25 +01:00
Cargo.toml	LDAP user sync (#1603 )	2025-12-26 21:14:00 +01:00
clippy.toml	added cranky and removed all .unwrap() usages	2022-07-23 21:31:35 +02:00
config-schema.json	Add JSON log output format for easier log processing (#1609 )	2025-12-30 23:56:32 +01:00
Cranky.toml	fixed #974 - make securing files optional (#1636 )	2026-01-01 20:51:22 +01:00
Cross.toml	build updates	2022-11-22 00:52:43 +01:00
deny.toml	remove dependency on the deprecated rustls-pemfile (#1615 )	2025-12-18 16:06:51 +01:00
justfile	fixed #1356 - generate config schema (#1357 )	2025-06-03 00:37:25 +02:00
LICENSE	Update LICENSE	2022-04-14 11:14:56 +02:00
README.md	add justinforlenza as a contributor for code (#1651 )	2026-01-05 17:28:28 +01:00
rust-toolchain	LDAP user sync (#1603 )	2025-12-26 21:14:00 +01:00
rustfmt.toml	sorted imports	2022-07-15 20:27:33 +02:00
SECURITY.md	Update SECURITY.md	2025-04-10 22:17:40 -07:00
sonar-project.properties	added e2e tests	2022-08-14 12:36:49 +02:00

README.md

Warpgate is a smart & fully transparent SSH, HTTPS, MySQL and PostgreSQL bastion host that doesn't require a client app or an SSH wrapper.

Set it up in your DMZ, add user accounts and easily assign them to specific hosts and URLs within the network.
Warpgate will record every session for you to view (live) and replay later through a built-in admin web UI.
Not a jump host - forwards connection straight to the target in a way that's fully transparent to the client.
Native 2FA and SSO support (TOTP & OpenID Connect)
Single binary with no dependencies.
Written in 100% safe Rust.

Getting started & downloads

See the Getting started docs page (or Getting started on Docker).
Release / beta binaries
Nightly builds

How is Warpgate different from a jump host / VPN / Teleport?

Warpgate	SSH jump host	VPN	Teleport
✅ Precise 1:1 assignment between users and services	(Usually) full access to the network behind the jump host	(Usually) full access to the network	✅ Precise 1:1 assignment between users and services
✅ No custom client needed	Jump host config needed	✅ No custom client needed	Custom client required
✅ 2FA out of the box	🟡 2FA possible with additional PAM plugins	🟡 Depends on the provider	✅ 2FA out of the box
✅ SSO out of the box	🟡 SSO possible with additional PAM plugins	🟡 Depends on the provider	Paid
✅ Command-level audit	🟡 Connection-level audit on the jump host, no secure audit on the target if root access is given	No secure audit on the target if root access is given	✅ Command-level audit
✅ Full session recording	No secure recording possible on the target if root access is given	No secure recording possible on the target if root access is given	✅ Full session recording
✅ Non-interactive connections	🟡 Non-interactive connections are possible if the clients supports jump hosts natively	✅ Non-interactive connections	Non-interactive connections require using an SSH client wrapper or running a tunnel
✅ Self-hosted, you own the data	✅ Self-hosted, you own the data	🟡 Depends on the provider	SaaS

Reporting security issues

Please use GitHub's vulnerability reporting system.

Project Status

The project is ready for production.

How it works

Warpgate is a service that you deploy on the bastion/DMZ host, which will accept SSH, HTTPS, MySQL and PostgreSQL connections and provide an (optional) web admin UI.

Run warpgate setup to interactively generate a config file, including port bindings. See Getting started for details.

It receives connections with specifically formatted credentials, authenticates the user locally, connects to the target itself, and then connects both parties together while (optionally) recording the session.

When connecting through HTTPS, Warpgate presents a selection of available targets, and will then proxy all traffic in a session to the selected target. You can switch between targets at any time.

You manage the target and user lists and assign them to each other through the admin UI, and the session history is stored in an SQLite database (default: in /var/lib/warpgate).

You can also use the admin web interface to view the live session list, review session recordings, logs and more.

Contributing / building from source

You'll need Rust, NodeJS and NPM
Clone the repo
Just is used to run tasks - install it: cargo install just
Install the admin UI deps: just npm install
Build the frontend: just npm run build
Build Warpgate: cargo build (optionally --release)

The binary is in target/{debug|release}.

Tech stack

Rust 🦀
- HTTP: poem-web
- Database: SQLite via sea-orm + sqlx
- SSH: russh
Typescript
- Svelte
- Bootstrap

Backend API

Warpgate admin and user facing APIs use autogenerated OpenAPI schemas and SDKs. To update the SDKs after changing the query/response structures, run just openapi-all.

Contributors ✨

Thanks goes to these wonderful people (emoji key):

_Eugeny 💻	_{Spencer Heywood} 💻	_{Andreas Piening} 💻	_Niklas 💻	_Nooblord 💻	_{Shea Smith} 💻	_samtoxie 💻
_{Skyler Lewis} 💻	_{Mohammed Noureldin} 💻	_{Mourad Maatoug} 💻	_Justin 💻

This project follows the all-contributors specification. Contributions of any kind welcome!