Direct Mode (Recommended)
Drip server handles TLS directly on port 443.
Overview
In direct mode, Drip handles TLS termination itself. This is the simplest setup and recommended for most users.
Step 1: Get SSL Certificate
```bash
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.tunnel.example.com" -d "tunnel.example.com"
```
Certificates are saved to:
- Certificate: /etc/letsencrypt/live/tunnel.example.com/fullchain.pem
- Private key: /etc/letsencrypt/live/tunnel.example.com/privkey.pem
Step 2: Start Server
```bash
drip-server \
  --port 443 \
  --domain tunnel.example.com \
  --tls-cert /etc/letsencrypt/live/tunnel.example.com/fullchain.pem \
  --tls-key /etc/letsencrypt/live/tunnel.example.com/privkey.pem \
  --token YOUR_SECRET_TOKEN
```
Server Flags
| Flag | Description | Default |
|---|---|---|
| `-p, --port` | Server listening port | 8443 |
| `--public-port` | Port shown in URLs (for reverse proxy) | same as `--port` |
| `-d, --domain` | Server domain | tunnel.localhost |
| `-t, --token` | Authentication token | (required) |
| `--tls-cert` | Path to TLS certificate | (required) |
| `--tls-key` | Path to TLS private key | (required) |
| `--tcp-port-min` | Minimum TCP tunnel port | 20000 |
| `--tcp-port-max` | Maximum TCP tunnel port | 20100 |
| `--metrics-token` | Token for /metrics and /stats endpoints | (optional) |
| `--debug` | Enable debug logging | false |
| `--pprof` | Enable pprof profiling on specified port | (disabled) |
Environment Variables
All flags can be set via environment variables:
| Variable | Description |
|---|---|
| `DRIP_PORT` | Server port |
| `DRIP_PUBLIC_PORT` | Public port for URLs |
| `DRIP_DOMAIN` | Server domain |
| `DRIP_TOKEN` | Authentication token |
| `DRIP_TLS_CERT` | TLS certificate path |
| `DRIP_TLS_KEY` | TLS private key path |
| `DRIP_TCP_PORT_MIN` | Min TCP port |
| `DRIP_TCP_PORT_MAX` | Max TCP port |
| `DRIP_METRICS_TOKEN` | Metrics endpoint token |
| `DRIP_PPROF_PORT` | Pprof profiling port |
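Supplying the token through `DRIP_TOKEN` instead of `--token` keeps it out of the process argument list, which other local users can read. The preflight check below is an added example, not part of Drip: it validates the `DRIP_*` environment and the private key's file permissions before the server is started. The names `drip_preflight`, `file_mode` and `/etc/drip/server.env` are assumptions of this example.

```bash
# Added example, not part of Drip: check the DRIP_* environment before launch.
# drip_preflight, file_mode and /etc/drip/server.env are hypothetical names.

# Octal permission bits of a file. -L follows symlinks, which matters because
# certbot's live/ entries are symlinks into archive/ (GNU stat, then BSD stat).
file_mode() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Exit status 0 when every check passes; otherwise each problem is printed to
# stderr and the status is 1. The ( ) body keeps the variables local.
drip_preflight() (
  rc=0

  # The token is expected in the environment, so it never appears in argv.
  [ -n "${DRIP_TOKEN:-}" ] || { echo "DRIP_TOKEN is not set" >&2; rc=1; }

  # Certificate and private key must both exist and be readable.
  for f in "${DRIP_TLS_CERT:-}" "${DRIP_TLS_KEY:-}"; do
    [ -n "$f" ] && [ -r "$f" ] || { echo "TLS file missing or unreadable: '$f'" >&2; rc=1; }
  done

  # The private key must carry no group or other permission bits.
  if [ -r "${DRIP_TLS_KEY:-}" ]; then
    mode=$(file_mode "$DRIP_TLS_KEY")
    case "$mode" in
      *00) ;;
      *) echo "private key mode $mode is too open (want 600 or 400)" >&2; rc=1 ;;
    esac
  fi

  # TCP tunnel range; unset values fall back to the documented defaults.
  min=${DRIP_TCP_PORT_MIN:-20000}
  max=${DRIP_TCP_PORT_MAX:-20100}
  case "$min$max" in
    *[!0-9]*) echo "TCP port range must be numeric" >&2; rc=1 ;;
    *) if [ "$min" -lt 1 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
         echo "invalid TCP port range $min-$max" >&2; rc=1
       fi ;;
  esac

  [ "$rc" -eq 0 ]
)

# Usage (server.env is root-owned, mode 600, and holds the DRIP_* assignments):
#   set -a; . /etc/drip/server.env; set +a
#   drip_preflight && exec drip-server
```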
Server Endpoints
| Endpoint | Purpose | Auth Required |
|---|---|---|
| `/health` | Health check (returns 200 OK) | No |
| `/stats` | Server statistics (JSON) | Yes (metrics-token) |
| `/metrics` | Prometheus metrics | Yes (metrics-token) |
Rate Limiting
The server enforces rate limits to prevent abuse:
- 10 tunnel registrations per IP per minute
- 10 tunnels maximum per IP
- 1000 tunnels maximum total
TLS Configuration
Drip uses TLS 1.3 exclusively with modern cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
Legacy TLS versions (1.0, 1.1, 1.2) are not supported.