Make your web services go online securely, in less than 5 minutes.

Without requiring any public IP addresses, using SocketXP reverse proxy TLS tunnels.

With the emergence of microservices architecture, more and more micro web services are popping out of monolithic applications each day. These microservices are all not colocated in a single server in a single facility but distributed across different servers in different regions. Some services are run in-house while some are run in the cloud (public or private). Some services are developed in-house while some are subscribed services offered by online SaaS vendors such as GitHub, DockerHub, Salesforce, and payment gateways such as Stripe, Paypal etc.

When these distributed web services in different geographic locations need to talk to each other over the internet, they need to have a public IP address to establish the communication channel between them. Public IP addresses cost roughly $30 or more per year. More importantly, you want to expose only a specific TCP port on which a specific microservice is running, to the internet using this public IP. So you might need a separate server to configure this public IP with and run your web service instance. Buying a new server costs more money.

Configuring port forwarding on your gateway router is the other option available but it requires configuration knowledge specific to the router manufacturer. In some cases, the router’s software may not let users perform port forwarding or change the NAT configurations. Even if the router does permit, If you are not skilled enough to configure the gateway router, you may end up messing up the router configuration, leaving a door wide open for hackers from the internet to sneak in to your local network and local servers. Bottom line, both, fetching a public IP address and/or configuring port forwarding on your gateway router are costly, tricky and risky adventures.

You might ask, “So what options do we have then ?”. The simple answer to your question is SocketXP.

SocketXP is a simple, robust and secure reverse-proxy service that can wire up your web applications and web services behind NAT and firewall to go online, in less than 5 minutes. No, it doesn’t require a public IP and the need to alter your gateway router configuration. SocketXP solves the problem using secure reverse proxy TLS tunnels.

SocketXP is a cloud based SaaS service that runs the SocketXP reverse proxy tunneling gateway in Google Cloud Platform. Using a secure, lightweight SocketXP agent that runs on your local server alongside your micro web service, SocketXP establishes a secure TLS tunnel to your web service. SocketXP cloud gateway also creates a secure public endpoint for the tunnel with SSL(TLS) enabled( a https URL). Any publicly run web services can now talk to your privately run web service using the secure TLS tunnel public endpoint. The SocketXP public endpoint (URL) created could be a sub-domain of “” domain or it could be a white-label domain that you own.

SocketXP Reverse Proxy TLS tunnels

Advantages of SocketXP:

  • No need to buy a public IP address
  • No need to alter your gateway router configuration
  • No need to move your web service to a new server
  • Your web service(s) exposed to the public internet could run alongside other unexposed web services in the same server.
  • Uses TLS tunnel, providing full data protection through end-to-end SSL encryption.
  • Setting up a SocketXP TLS tunnel is simple, straight-forward and easy.

How to setup SocketXP TLS Tunnels :

In the following sections, I’ll show you how to configure and set up a secure TLS reverse proxy tunnel in less than 5 minutes.

Sign Up and Get your Authentication Token:

First, go to SocketXP portal and sign up there to get your unique auth token. You need the auth token to authenticate the SocketXP agent, you are about to download, with the SocketXP Cloud Gateway.

Download, Install and Login to SocketXP:

Follow the instructions here to download and install SocketXP agents for Windows, Mac, or ARM processor. Here in this example, I’ll show you how to download and install the Linux x86–64 version of SocketXP agent.

$ curl -O && chmod +wx socketxp && sudo mv socketxp /usr/local/bin

Now that the installation is complete, we need to register and authenticate the downloaded agent with the SocketXP Cloud Gateway. Let’s login using the auth token retrieved from the SocketXP portal in the previous step.

$ socketxp login “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDk1MTg0MDAsImlkIjoiZ2FuZXNodmVscmFqYW5AZ21ha6K208n0.cB2uYevpH4lWIQGQUJdQ0eiEDqS8OiP_YOiqernnui3rjjadfadsfsfas34”

Successfully registered the SocketXP agent with the SocketXP Cloud Gateway using the token provided.

Configure a TLS tunnel:

For this illustration, let’s take a simple Node.js web application providing REST API services to other web services as an example.

The Node.js web application runs on a local server in the local network with IP address and listens on TCP port 5000. We want to take this Node.js web service online using SocketXP.

Next, let’s request SocketXP to create a public TLS tunnel endpoint for the Node.js web service using the “connect” command.

$ socketxp connect — tls-pass-through — white-label-domain “”

Public URL ->

The “ — tls-pass-through” flag in the above command tells SocketXP to create an end-to-end TLS tunnel using the white-label domain “” owned by us.

The public URL generated is still a sub-domain of “”. We could access the web service using this public URL but we’ll get certificate mismatch warnings. We could potentially access the service by adding an exception to the certificate warning. But let’s not do that. That’s not our intention. So let’s go to our DNS service provider (GoDaddy) who manages our white-label domain “” and add a DNS CNAME record pointing “” to “

Accessing the online web service:

Now we could access the Node.js REST API service securely from anywhere in the internet using the public TLS tunnel endpoint “

Accessing the web service public endpoint using postman


The example above assumes that we have already obtained a valid SSL certificate and SSL key for the white-label domain, “”. It could be a Self-Signed Certificate or a one obtained from a Certificate Issuing Authority such as Verisign,, GoDaddy etc. Moreover, the example above assumes that the Node.js web service uses the SSL certificate and key to run its web service instance (a HTTPS server). How you could obtain a SSL certificate and key, and use it in your web service application is beyond the scope of this article.

Read more about SocketXP Solution here:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ganesh Velrajan

Ganesh Velrajan

Ganesh Velrajan is the founder of Ampas Labs Inc. Learn more about our SSH Remote Access Solutions at and