Skip to main content
Every machine gets a domain at name.boxd.sh. The boxd proxy terminates TLS and forwards HTTP requests to your machine. 
https://myapp.boxd.sh  ->  your machine, port 8000 (default)

​
Getting started

nginx is pre-installed and configured on port 8000, but disabled by default. Start it: 
ssh boxd.sh exec myapp -- sudo systemctl start nginx
Visit https://myapp.boxd.sh — you will see a welcome page.

​
Running your own app

Any process that listens on the proxy’s target port (8000 by default) is reachable via HTTPS. No configuration needed. 
# Python
ssh boxd.sh exec myapp -- python3 -m http.server 8000

# Go
ssh boxd.sh exec myapp -- "/home/boxd/app/server -port 8000"
Node.js is not pre-installed. Install it first: sudo apt install -y nodejs npm or use nvm.

​
Changing the port

The default proxy forwards to port 8000, but you can change it: 
# From outside
ssh boxd.sh proxy set-port --vm=myapp --port=3000

# From inside the VM
boxd proxy set-port --port=3000

# Auto-detect the listening port
boxd proxy set-port --port=auto

​
Subdomain proxies

Create additional subdomains pointing to different ports: 
# api.myapp.boxd.sh -> port 3001
ssh boxd.sh proxy new api --vm=myapp --port=3001

# List all proxies
ssh boxd.sh proxy list --vm=myapp

# Remove a proxy
ssh boxd.sh proxy delete api --vm=myapp

​
WebSockets

WebSocket connections work transparently. The proxy detects the Upgrade: websocket header and forwards the connection.

​
Non-HTTP traffic

The HTTPS proxy only speaks HTTP — it terminates TLS and routes by domain. To reach a database, an SSH daemon, a game server, or any other raw protocol, expose a raw TCP/UDP port instead: 
ssh boxd.sh expose myapp 5432          # myapp.boxd.sh:<allocated-port> -> :5432 in the VM
See Port forwarding.

​
HTTP to HTTPS

Plain HTTP requests to http://name.boxd.sh are redirected to HTTPS automatically. HSTS headers are included in the response.

​
DNS

A DNS record is created automatically when your machine boots. The record has a 60-second TTL. 
myapp.boxd.sh  ->  A record  ->  proxy's public IP
Every machine’s domain points at the proxy’s shared public IP. The proxy routes HTTPS by SNI (the domain in the TLS handshake) and SSH by the machine’s dedicated port — so the same IP fronts every VM.