Skip to main content

Raw ports vs HTTPS proxies

Proxies terminate TLS and route HTTP by domain — perfect for web apps and APIs. But a Postgres database, an SSH daemon, a game server, or any other protocol that isn’t HTTP needs a raw transport-layer port instead. expose opens a raw TCP or UDP port on the machine’s public proxy and forwards it straight to a port inside the VM. No TLS termination, no HTTP parsing — just packets. 
myapp.boxd.sh:48211  ->  your machine, port 5432 (Postgres)
The public port is allocated for you from the 40000–60000 range. The endpoint is the machine’s existing DNS name (name.boxd.sh, which resolves to the proxy IP) on that allocated port.

Expose a port

boxd expose myapp 5432

exposed myapp.boxd.sh:48211 -> 5432 (tcp)
Anything listening on 5432 inside the VM is now reachable at myapp.boxd.sh:48211. For example, a Postgres client: 
psql -h myapp.boxd.sh -p 48211 -U postgres

Protocols

A forward is TCP by default. Use --udp for UDP, or pass both flags to serve TCP and UDP on the same allocated public port: 
boxd expose myapp 5432            # TCP (default)
boxd expose myapp 9999 --udp      # UDP
boxd expose myapp 7777 --tcp --udp  # both, one public port
Re-running expose for a port you’ve already exposed keeps the same public port and just updates the protocol set.

List and remove

boxd expose --list                # all your exposed ports
boxd expose myapp 5432 --remove   # remove a forward, free the public port

myapp.boxd.sh:48211 -> 5432 (tcp)
myapp.boxd.sh:51005 -> 7777 (udp + tcp)

Limits

  • Up to 3 forwarded ports per VM. Each allocated public port serves one inside-VM port (in one or both protocols). Remove one before exposing a fourth.
  • Owner-only. Only the machine’s owner can expose, list, or remove its forwards.
  • Forwards persist across reboots and are removed automatically when the VM is destroyed.
expose is for non-HTTP traffic. If you’re serving a website or HTTP API, use an HTTPS proxy instead — you get TLS and a clean https://name.boxd.sh URL for free.

Surfaces

expose works the same from every surface: 
boxd expose myapp 5432                     # laptop CLI
ssh boxd.sh expose myapp 5432              # SSH CLI
boxd expose 5432                           # in-VM CLI (current VM); or `boxd expose other 5432`
See the CLI reference for the full flag list.