# Warpgate — Transparent SSH, HTTPS, and Database Bastion > A smart bastion host written in Rust that provides transparent SSH, HTTPS, MySQL, and PostgreSQL proxying with built-in authentication and session recording. ## Install Save in your project root: # Warpgate — Transparent SSH, HTTPS, and Database Bastion ## Quick Use ```bash # Download the latest binary for your platform from GitHub releases # Initialize configuration: warpgate setup # Start the server: warpgate run # Connect via SSH through the bastion: ssh user:target-host@warpgate-host -p 2222 ``` ## Introduction Warpgate is a smart bastion host and privileged access management (PAM) tool written in Rust. It acts as a transparent proxy for SSH, HTTPS, MySQL, and PostgreSQL connections, requiring no additional client-side software. Users connect to Warpgate using their standard tools, and it forwards the connection to the target after authentication. ## What Warpgate Does - Proxies SSH connections transparently — no agent or special client needed - Proxies HTTPS traffic with SNI-based routing to internal web applications - Proxies MySQL and PostgreSQL connections with credential injection - Records SSH sessions with full terminal replay capability - Provides a web-based admin UI for managing targets, users, and audit logs ## Architecture Overview Warpgate is a single Rust binary that listens on configurable ports for SSH, HTTPS, MySQL, and PostgreSQL protocols. For SSH, it implements a full SSH server that authenticates the user, then opens a client connection to the target host. For HTTPS, it performs TLS termination and reverse-proxies to backends. Database proxying intercepts the authentication handshake and injects stored credentials. All sessions are logged to a SQLite database with optional terminal recordings. ## Self-Hosting & Configuration - Download a prebuilt binary or build from source with cargo - Run warpgate setup to generate the initial configuration and admin credentials - Configure targets (SSH hosts, HTTPS endpoints, databases) in the YAML config file - TLS certificates can be auto-provisioned via built-in ACME (Let's Encrypt) support - Authentication supports passwords, SSH keys, SSO via OpenID Connect, or TOTP 2FA ## Key Features - Zero client-side software required for SSH, HTTPS, and database access - Built-in session recording and audit trail with web-based replay - OpenID Connect SSO integration for enterprise identity providers - Automatic TLS certificate management via ACME - Single static binary with embedded web UI, no runtime dependencies ## Comparison with Similar Tools - **Teleport** — feature-rich PAM platform; Warpgate is lighter and simpler to deploy - **Boundary (HashiCorp)** — identity-aware proxy; Warpgate adds HTTPS and database proxying - **Apache Guacamole** — browser-based remote desktop; Warpgate focuses on SSH and protocol proxying - **sshuttle** — VPN-over-SSH tool; Warpgate is a bastion proxy with audit capabilities - **StrongDM** — commercial PAM; Warpgate is free, open source, and self-hosted ## FAQ **Q: Do users need to install anything on their machines?** A: No. Users connect with their standard SSH client, web browser, or database client. **Q: Can I use it as a reverse proxy for web apps?** A: Yes. Warpgate can proxy HTTPS traffic to internal web services with automatic TLS. **Q: How are database credentials handled?** A: Credentials for target databases are stored in Warpgate's configuration. Users authenticate to Warpgate, which then injects the real credentials when connecting to the target. **Q: Does it support Kubernetes access?** A: Warpgate supports SSH and HTTPS proxying which can be used with kubectl via an HTTPS proxy. Native Kubernetes API proxying is a planned feature. ## Sources - https://github.com/warp-tech/warpgate - https://github.com/warp-tech/warpgate#readme --- Source: https://tokrepo.com/en/workflows/asset-6221a99b Author: AI Open Source