GhostSSH Lightweight SSH-over-HTTPS proxy for secure and firewall-friendly remote access
GhostSSH is a lightweight tool that enables SSH access over secure WebSocket (WSS) connections. It allows you to connect to remote machines even when direct SSH traffic (port 22) is blocked, by tunneling it through standard HTTPS infrastructure.
In many environments — such as corporate networks, cloud platforms, or public Wi-Fi — only HTTP/HTTPS traffic is allowed. GhostSSH works by upgrading HTTP connections to WebSockets and streaming SSH data through them, enabling real-time, bidirectional communication without modifying the existing SSH server.
Instead of acting as a traditional HTTP proxy, GhostSSH creates a persistent tunnel:
- The client exposes a local TCP port for SSH
- Data is forwarded over a secure WebSocket (WSS) connection
- The server bridges this to the local SSH daemon (
sshd) - Responses are streamed back instantly
This makes GhostSSH behave like a raw TCP tunnel over WebSocket (WSS) using HTTPS infrastructure.
GhostSSH is:
- Lightweight — minimal dependencies
- Real-time — full-duplex streaming
- Firewall-friendly — runs over HTTPS (port 443)
- Transparent — works with standard SSH clients
It does not replace SSH or require changes to the SSH server—only provides a flexible transport layer on top.
Run the GhostSSH server on your machine (where sshd is running):
./bin/ghost-linux-amd64 server --port 7777
NOTE: Make sure SSH is running on port 22 (or specify using
--ssh)
Since GhostSSH uses WebSockets over HTTP, you can expose it using ngrok:
ngrok http 7777
Copy the generated HTTPS URL (e.g., https://xxxxx.ngrok-free.dev)
On the client machine, connect to the server using the ngrok URL:
./bin/ghost-linux-amd64 client \
--connect https://your-ngrok-url.ngrok-free.dev \
--port 8888This creates a local TCP port (8888) for SSH access
Now use standard SSH to connect:
ssh ankush@localhost -p 8888
You are now connected to the remote machine through GhostSSH!
SSH Client (localhost:8888)
↓
GhostSSH Client
↓ (WSS over HTTPS via ngrok)
GhostSSH Server
↓
sshd (localhost:22)
- ngrok is used only to expose the server publicly
- GhostSSH itself handles the tunneling over WebSocket (WSS)
- Works in restricted networks where only HTTPS (port 443) is allowed
Note: The project is in its inital phase recommended to build for linux amd64 or WSL
makeOutput:
bin/ghost-linux-amd64
make staticOutput:
bin/ghost-linux-amd64-static
This build uses musl and produces a fully static binary that works across most Linux distributions.
make muslOutput:
bin/ghost-linux-amd64-musl
Note: TLS support is currently disabled in the Windows build.
make winOutput:
bin/ghost-windows-amd64.exe
Everyone is welcome to contribute if you want to learn low-level network programming this can be helpful. Please make a different branch before any pull request.