SSLcat Logo

SSLcat

FeaturesQuick StartDocumentationFAQPartnersGitHub
Download
v2.3.0-rc1

Automatic SSL, finally effortless

One binary = auto certs + smart reverse proxy + built-in MCP for AI ops + CLI self-check

SSLcat packs nginx, Caddy, a Web UI and GitOps into a single Go binary: automatic Let's Encrypt renewal, 6 load-balancing algorithms, WAF with AI anomaly detection. From v2.1 it ships a built-in MCP server; v2.2 adds `sslcat status / doctor` one-shot self-check and CLI site management; v2.3 lets AI read error logs from SSLcat itself and every proxied site.

Get Started FreeView Documentation
Automatic SSL CertificatesSmart Reverse ProxyWAF & AI Security
SSLcat Web 管理面板 - 访问统计 / Access Statistics dashboard
curl -fsSL https://raw.githubusercontent.com/xurenlu/sslcat/main/install.sh | bash # Start with the default config sslcat --port 8080

Auto SSL + Smart Reverse Proxy + AI Ops (built-in MCP)

SSLcat packs nginx, Caddy, a Web UI and GitOps into a single Go binary: automatic Let's Encrypt renewal, 6 load-balancing algorithms, WAF with AI anomaly detection. From v2.1 it ships a built-in MCP server; v2.2 adds `sslcat status / doctor` one-shot self-check and CLI site management; v2.3 lets AI read error logs from SSLcat itself and every proxied site.

🛡️

Automatic SSL Certificates

Let's Encrypt auto-issuance and renewal, HTTP-01 and DNS-01 challenges, wildcard support, AWS Route53 integration

🌐

Smart Reverse Proxy

Domain routing with 6 load-balancing algorithms (round-robin, least-conn, IP hash, etc.), health checks and session stickiness

🔒

WAF & AI Security

WAF rules, DDoS protection, IP / UA / TLS fingerprint blocking, anti-brute-force, plus an Isolation Forest anomaly detector

💻

Modern Web UI

React-based dashboard with multi-user RBAC, audit log, config version management and WebSocket live log streaming

🌐

GitOps Deployment

Deploy with git push (Dokku/Heroku style). The unified Runner spec handles uploaded dirs, binaries, Docker images and templates

🛡️

Built-in MCP (AI Ops)

SSLcat itself is an MCP server: 22 tools + 5 resources, including error_log_list / error_log_tail so AI can read error logs while troubleshooting

⌨️

CLI Ops & Self-Check

`sslcat status` prints a runtime summary, `sslcat doctor` self-checks config / ports / certs / upstreams / MCP, and `sslcat site` + `proxy health-check` plug into scripts and monitoring

🌐

HTTP/3 & TLS 1.3

Native HTTP/1.1, HTTP/2 and HTTP/3 (QUIC); enforced TLS 1.3; stable long-lived WebSocket / SSE connections

💻

Fast and Lean

Recent tuning achieved ~97% CPU reduction; hot reload, atomic writes, upstream caching and compression out of the box

Architecture & Flow

An animated walkthrough of SSLcat: SSL termination, smart reverse proxy, WAF with AI anomaly detection, automatic certificate issuance and renewal, the GitOps / Runner deployment pipeline, and how the built-in MCP server exposes all of this to AI clients

InternetClients / VisitorsNormal & Attack TrafficLet's EncryptACME Certificate Issuance/RenewalSSLcatTLS Termination · WAF · Reverse ProxyACME Client (Auto Request/Renewal)Backend Service ClusterAPI-1API-2WebNormal TrafficBlockedACME Request / CertificateNormal Business Traffic → Reverse Proxy to BackendMalicious/Abnormal Traffic → WAF Detection & Blocking

The diagram above shows how SSLcat acts as an SSL termination and reverse proxy, automatically managing certificates and protecting backend services

Quick Start

Get HTTPS online in three steps, then hand routine ops over to AI

One-liner install (macOS / Linux)

Download the official install script — it picks the right architecture for you

curl -fsSL https://raw.githubusercontent.com/xurenlu/sslcat/main/install.sh | bash # Start with the default config sslcat --port 8080

Or grab a binary from GitHub Releases

Builds for linux-amd64 / linux-arm64 / darwin-arm64 / darwin-amd64

# Example: linux-amd64 curl -fsSL -o sslcat.tgz \ https://github.com/xurenlu/sslcat/releases/latest/download/sslcat_linux-amd64.tar.gz tar -xzf sslcat.tgz && sudo ./install-sslcat.sh

Log in to the admin panel

Open the panel, add your domain and the certificate is issued automatically

# Open http://localhost:8080/sslcat-panel/ # Default credentials username: admin password: admin*9527

Plug AI in (optional, v2.1+)

Enable MCP, mint a token and let Claude / Cursor run ops directly

# Enable the MCP server sslcat mcp enable # Create a token with read + write scopes sslcat mcp token create --name claude-desktop --scopes read,site:write,cert:write # Streamable HTTP endpoint (also shown in the admin panel's MCP page) https://your-domain/sslcat-panel/mcp/stream
查看所有版本查看文档