Automatic SSL, finally effortless
One binary = auto certs + smart reverse proxy + built-in MCP for AI ops + CLI self-check
SSLcat packs nginx, Caddy, a Web UI and GitOps into a single Go binary: automatic Let's Encrypt renewal, 6 load-balancing algorithms, WAF with AI anomaly detection. From v2.1 it ships a built-in MCP server; v2.2 adds `sslcat status / doctor` one-shot self-check and CLI site management; v2.3 lets AI read error logs from SSLcat itself and every proxied site.

curl -fsSL https://raw.githubusercontent.com/xurenlu/sslcat/main/install.sh | bash
# Start with the default config
sslcat --port 8080Auto SSL + Smart Reverse Proxy + AI Ops (built-in MCP)
SSLcat packs nginx, Caddy, a Web UI and GitOps into a single Go binary: automatic Let's Encrypt renewal, 6 load-balancing algorithms, WAF with AI anomaly detection. From v2.1 it ships a built-in MCP server; v2.2 adds `sslcat status / doctor` one-shot self-check and CLI site management; v2.3 lets AI read error logs from SSLcat itself and every proxied site.
Automatic SSL Certificates
Let's Encrypt auto-issuance and renewal, HTTP-01 and DNS-01 challenges, wildcard support, AWS Route53 integration
Smart Reverse Proxy
Domain routing with 6 load-balancing algorithms (round-robin, least-conn, IP hash, etc.), health checks and session stickiness
WAF & AI Security
WAF rules, DDoS protection, IP / UA / TLS fingerprint blocking, anti-brute-force, plus an Isolation Forest anomaly detector
Modern Web UI
React-based dashboard with multi-user RBAC, audit log, config version management and WebSocket live log streaming
GitOps Deployment
Deploy with git push (Dokku/Heroku style). The unified Runner spec handles uploaded dirs, binaries, Docker images and templates
Built-in MCP (AI Ops)
SSLcat itself is an MCP server: 22 tools + 5 resources, including error_log_list / error_log_tail so AI can read error logs while troubleshooting
CLI Ops & Self-Check
`sslcat status` prints a runtime summary, `sslcat doctor` self-checks config / ports / certs / upstreams / MCP, and `sslcat site` + `proxy health-check` plug into scripts and monitoring
HTTP/3 & TLS 1.3
Native HTTP/1.1, HTTP/2 and HTTP/3 (QUIC); enforced TLS 1.3; stable long-lived WebSocket / SSE connections
Fast and Lean
Recent tuning achieved ~97% CPU reduction; hot reload, atomic writes, upstream caching and compression out of the box
Architecture & Flow
An animated walkthrough of SSLcat: SSL termination, smart reverse proxy, WAF with AI anomaly detection, automatic certificate issuance and renewal, the GitOps / Runner deployment pipeline, and how the built-in MCP server exposes all of this to AI clients
The diagram above shows how SSLcat acts as an SSL termination and reverse proxy, automatically managing certificates and protecting backend services
Quick Start
Get HTTPS online in three steps, then hand routine ops over to AI
One-liner install (macOS / Linux)
Download the official install script — it picks the right architecture for you
curl -fsSL https://raw.githubusercontent.com/xurenlu/sslcat/main/install.sh | bash
# Start with the default config
sslcat --port 8080Or grab a binary from GitHub Releases
Builds for linux-amd64 / linux-arm64 / darwin-arm64 / darwin-amd64
# Example: linux-amd64
curl -fsSL -o sslcat.tgz \
https://github.com/xurenlu/sslcat/releases/latest/download/sslcat_linux-amd64.tar.gz
tar -xzf sslcat.tgz && sudo ./install-sslcat.shLog in to the admin panel
Open the panel, add your domain and the certificate is issued automatically
# Open
http://localhost:8080/sslcat-panel/
# Default credentials
username: admin
password: admin*9527Plug AI in (optional, v2.1+)
Enable MCP, mint a token and let Claude / Cursor run ops directly
# Enable the MCP server
sslcat mcp enable
# Create a token with read + write scopes
sslcat mcp token create --name claude-desktop --scopes read,site:write,cert:write
# Streamable HTTP endpoint (also shown in the admin panel's MCP page)
https://your-domain/sslcat-panel/mcp/stream