常见问题
以下是关于 SSLcat 的常见问题解答,如果您有其他问题,请随时联系我们。
general
SSLcat is an open-source enterprise-grade SSL reverse proxy server written in Go. It bundles nginx + Caddy + Web UI + GitOps into a single binary: Let's Encrypt auto-issuance and renewal, smart domain routing, load balancing, WAF, Docker / Runner app hosting, and a modern Web admin panel. From v2.1 it also ships a built-in MCP server so Claude / Cursor and other AI clients can call its tools directly.
MCP (Model Context Protocol) is an open protocol that connects AI clients to external tools. From v2.1 SSLcat itself is an MCP server, and as of v2.3.0-rc1 it exposes 22 tools (site / cert / proxy route CRUD, upstream health check, long-running task queries, and `error_log_list` / `error_log_tail` for inspecting recent errors) plus 5 resources (redacted current config, runtime metrics snapshot, access log tail, error log sources, error log content). Drop a token into Claude Desktop / Cursor / Cherry Studio / Continue.dev and the AI can list sites, issue certificates, change routes and inspect access / error logs — destructive actions still go through a two-phase confirmation.
One-liner on macOS / Linux: `curl -fsSL https://raw.githubusercontent.com/xurenlu/sslcat/main/install.sh | bash`. You can also grab binaries from the GitHub Releases page (linux-amd64 / linux-arm64 / darwin-arm64 / darwin-amd64). Full docs live under `docs/` and on the website.
Yes. SSLcat integrates Let's Encrypt (ACME). Adding a domain triggers automatic issuance, and certificates are renewed 30 days before expiry with zero downtime. Both HTTP-01 and DNS-01 challenges are supported; DNS-01 plus AWS Route53 (and other providers) means you can issue wildcard certificates like `*.example.com`.
Versus nginx: SSLcat ships a Web admin panel, automatic SSL, GitOps deployment, real-time monitoring and AI-driven security out of the box — no more hand-edited config files. Versus Caddy: SSLcat offers 6 load-balancing algorithms, multi-user management, Docker image and Runner deployment, an API token system, WebSocket-based live log streaming, and from v2.1 the built-in MCP integration.
Full HTTP/1.1, HTTP/2 and HTTP/3 (QUIC), with enforced TLS 1.3. Long-lived WebSocket and SSE connections receive special handling, and long ACME tasks use heartbeats, write-timeout exemptions and per-domain concurrency isolation so they cannot drag each other down.
Six algorithms are built in (round-robin, weighted round-robin, least-conn, IP hash, random, fastest-response), combined with TCP health checks and session stickiness. You can attach a list of weighted backends at the route level on a single domain.
Add SSLcat as a Git remote, then run `git push sslcat main` to deploy — Dokku/Heroku style. The Runner deployment entry is layered: upload a directory, upload a binary, pull a Docker image directly, build from `git push`, or use a template. All paths converge on the same unified Runner spec (env vars, ports, mounts, start command).
Runner is SSLcat's built-in app hosting layer. It can run Docker containers, run uploaded binaries, run images built from `git push`, or deploy from templates. When SSLcat itself restarts it only reconciles Runner container state — it never restarts your business containers, so production traffic is never accidentally bounced.
WAF rule matching (request body scanning is capped at 1 MB to keep memory bounded), DDoS protection, anti-brute-force, IP / UA / TLS fingerprint block- and whitelisting, fine-grained API tokens, TOTP MFA, audit logs, config version management, and an Isolation Forest based AI anomaly detector with online training, JSON model persistence and real-traffic inference.
Prefer the built-in reset command: `sslcat users password -username admin -new-password 'NewStrongPass123!'`. From a source tree you can also run: `go run tools/cmd/reset_password/main.go admin 'NewStrongPass123!'`.
From v2.0.0-rc22 onward you can also reset via one-time recovery code. To generate a bcrypt hash manually with Ruby: install bcrypt with `gem install bcrypt`, then run `SSL_PASS='NewStrongPass123!' ruby -rbcrypt -e 'puts BCrypt::Password.create(ENV.fetch("SSL_PASS"), cost: 10)'`.
With Python: `python3 -m pip install bcrypt`, then `SSL_PASS='NewStrongPass123!' python3 -c 'import bcrypt, os; print(bcrypt.hashpw(os.environ["SSL_PASS"].encode(), bcrypt.gensalt(rounds=10)).decode())'`.
Write the hash to `admin.password_file` (commonly `/opt/sslcat/data/admin.pass` or `./data/admin.pass`) with mode `600`. Password-file recovery usually does not require restarting SSLcat — the next login reads the new hash.
`http://<your-host>:8080/sslcat-panel/`, default account `admin`, default password `admin*9527` (change it on first login). The admin URL prefix and the management port are both configurable.
Yes. SSLcat issues wildcard certificates such as `*.example.com` via the Let's Encrypt DNS-01 challenge. Wildcard domains are forced onto DNS-01 automatically and pair with AWS Route53 and other DNS providers for verification.
Add a domain, target host and port under "Sites" in the admin panel. To add multiple backends enable `load_balancer_enabled`, pick the algorithm (round_robin / least_conn / ip_hash etc.), turn on health checks and list the backends. You can also edit the JSON config directly (SSLcat uses JSON, not YAML).
Yes. The v2.0 line keeps hardening production paths: atomic writes for certs, keys, config versions, tokens and sessions; idempotent Stop / Close on every component; safer upstream caching under concurrency; high-throughput WAF; rock-solid HTTP/2 / HTTP/3 / WebSocket long-lived connections. Recent tuning brought idle-state CPU from 50–100% down to <1% and multi-Runner setups by about 97%.
1) Enable MCP: `sslcat mcp enable`. 2) Create a token: `sslcat mcp token create --name claude-desktop --scopes read,site:write,cert:write`. The plaintext token is shown only once — store it safely. 3) Configure Claude Desktop with the Streamable HTTP endpoint (default `https://your-domain/sslcat-panel/mcp/stream`) and the bearer token. See `docs/mcp-client-setup.md` for full configs covering Cursor, Cherry Studio, Continue.dev and curl debugging.
Yes. Every destructive tool uses two-phase confirmation: the first call returns a dry-run preview with impact info (e.g. `cert_delete` flags whether the cert is referenced by a proxy rule and how many days are left; `proxy_route_delete` lists prefixes and backends) plus a 60-second TTL `confirm_token`. The AI must pass that token back in the `confirm` argument of a second call to actually execute. Tokens are bound to (token_name, tool, args hash), so they cannot be reused across tools or arguments.
An Isolation Forest is built into SSLcat. A `RequestSampler` extracts features from each real request into a 5,000-slot ring buffer; training pulls samples straight from the ring and persists the forest as JSON under `${data_dir}/ml/isolation_forest.json` (auto-loaded on next start). Inferences land in a 200-slot ring buffer, so the admin panel's "Recent detections" tab reflects real traffic, not hard-coded mock data.
Linux (all major distros), macOS and Windows; both amd64 and arm64 binaries are published. We recommend running SSLcat under systemd on Linux for production.
Minimum: 512 MB RAM, 100 MB disk. Recommended: 2 GB RAM, 1 GB disk. Building from source requires Go 1.21+.
All of them. WebSocket is forwarded transparently to the upstream; SSE on HTTP/2 / HTTP/3 is tuned so write timeouts cannot kill long-running streams; PHP sites work through a FastCGI backend.
The admin panel reads logs with bounded tailing (large log files never get pulled into memory). You can also tail the configured log file directly. Via MCP, AI clients can fetch the tail with a resource like `sslcat://logs/access?since=10m&domain=foo.com&limit=200`.
SSLcat targets Let's Encrypt out of the box — a free public CA that exists to make HTTPS the default. You can still upload commercial certificates via `cert_upload`; SSLcat validates PEM parsing, cert/key pairing and CN/SAN coverage.
1) `sslcat doctor --json` runs a one-shot self-check across config, ports, cert directory, site roots, upstreams and MCP token state. 2) `sslcat status --json` prints version, listen params, and site / cert / MCP summary. 3) Read the SSLcat error log and `${data_dir}/mcp_audit.YYYYMMDD.log`, or let AI read them via the MCP `error_log_list` / `error_log_tail` tools (covers SSLcat itself plus every proxy / static / php site). 4) `sslcat proxy health-check --domain foo.com --include-routes --json` probes the main backend and every PathPrefixRule backend in parallel. 5) The server exposes its version via the `X-App-Version` / `X-Server-Version` response headers so you can confirm which image is actually serving traffic.
v2.2.0-rc1 adds CLI ops commands: `sslcat status [--json]` (runtime summary), `sslcat doctor [--json]` (self-check across config / ports / certs / site roots / upstreams / MCP tokens), `sslcat site list/add/update/delete/enable/disable` (CRUD for static and PHP sites — delete requires explicit `--yes`), and `sslcat proxy health-check [--domain] [--include-routes] [--json]` (TCP probe). Global `-config` can be placed before the subcommand. v2.3.0-rc1 adds MCP tools `error_log_list` and `error_log_tail`, plus resources `sslcat://logs/error-sources` and `sslcat://logs/error{?id,kind,domain,since,keyword,limit,max_bytes}` so AI clients can list and read recent errors from SSLcat itself and from individual sites. Under the hood `internal/mcp/logview` is a bounded log reader (defaults to the last 1 MB, max 4 MB) so large log files cannot block the request path.
Already shipped: full MCP integration P1–P5 (v2.1.0), CLI ops and self-check commands (v2.2.0-rc1), MCP error log reading plus the bounded log reader (v2.3.0-rc1). Planned: Kubernetes integration, multi-cluster support, advanced caching strategies, a plugin system, and a GraphQL API.
MIT. Code, issues and releases all live on GitHub: https://github.com/xurenlu/sslcat . Issues, PRs and additional use cases under `docs/` are very welcome.
没有找到您要的答案?
如果您有其他问题或需要技术支持,请通过以下方式联系我们:
📧 邮箱: xurenlu@gmail.com
💬 GitHub Issues:github.com/xurenlu/sslcat/issues