Security
Built-in security features.
TLS 1.3 Encryption
All connections use TLS 1.3 with modern cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
No legacy protocols (TLS 1.0, 1.1, 1.2) are supported.
Token-Based Authentication
Every client must authenticate with a secret token:
- Token is configured on the server (`--token`)
- Client stores the token in `~/.drip/config.yaml`; keep that file readable only by your own user (mode 0600), since anyone who can read it can open tunnels as you
- Token is transmitted only over TLS, never in the clear
- Generate secure tokens with `openssl rand -hex 32` (32 random bytes, 64 hex characters)
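The server side of this check is where a small mistake costs the most: comparing the presented token with `==` returns as soon as one byte differs, so response timing leaks how many leading characters a guess got right. The following Go program is an added example, not drip's own code; it generates a token in the same shape as `openssl rand -hex 32` and compares tokens in constant time. The function names are mine, and it assumes the server simply holds the configured token in memory.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// NewToken returns 32 random bytes as 64 hex characters, the same shape
// `openssl rand -hex 32` produces.
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// TokenMatches checks a presented token against the configured one. A plain
// string comparison stops at the first differing byte, so response timing
// would reveal how many leading characters an attacker has right. Hashing
// both sides first yields two fixed-length digests (so a wrong-length guess
// is not rejected early either), and ConstantTimeCompare walks all of them.
func TokenMatches(presented, configured string) bool {
	p := sha256.Sum256([]byte(presented))
	c := sha256.Sum256([]byte(configured))
	return subtle.ConstantTimeCompare(p[:], c[:]) == 1
}

func main() {
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	fmt.Println("correct token accepted:", TokenMatches(tok, tok))
	fmt.Println("wrong token accepted:  ", TokenMatches(tok[:63]+"x", tok))
}
```

Hashing before comparing is what makes the length of the client's guess irrelevant; `ConstantTimeCompare` alone returns early when the two inputs differ in length.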
IP Access Control
Restrict tunnel access by IP address:
- Whitelist: Only allow specific IPs or CIDR ranges
- Blacklist: Block specific IPs or CIDR ranges
- Supports both IPv4 and IPv6
Example (allow the whole 192.168.1.0/24 range except one host in it):
```bash
drip http 3000 --allow-ip 192.168.1.0/24 --deny-ip 192.168.1.100
```
Rate Limiting
Server-side protection against abuse:
- 10 tunnel registrations per IP per minute (default)
- Maximum 10 tunnels per IP (default)
- Maximum 1000 total tunnels (default)
Rate limit errors return: "rate limit exceeded, try again later"
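The IP access control rules and the three rate-limit caps above are both admission checks on one tunnel registration request, so they are easiest to understand together. The Go program below is an added example and not drip's own code: it parses allow/deny entries that may be either bare IPv4/IPv6 addresses or CIDR ranges, applies the policy, and enforces a per-IP sliding window plus the per-IP and total tunnel caps. The type and function names are mine. It assumes that a deny entry beats an allow entry (the page's example of allowing a /24 while denying one host inside it only makes sense that way), that every attempt which passes the ACL counts toward the per-minute window, and that the server drives it from a single goroutine (a real server would add a mutex).

```go
package main

import (
	"errors"
	"net/netip"
	"time"
)

var (
	ErrRateLimited = errors.New("rate limit exceeded, try again later") // the page's message
	ErrDenied      = errors.New("access denied by IP policy")            // assumed message
)

// Limits holds the three server-side caps (the page's defaults: 10, 10, 1000).
type Limits struct{ RegistrationsPerMinute, TunnelsPerIP, TotalTunnels int }

type Admission struct {
	allow, deny []netip.Prefix
	limits      Limits
	recent      map[netip.Addr][]time.Time // attempt timestamps within the last minute, oldest first
	active      map[netip.Addr]int         // tunnels currently open per address
	total       int                        // tunnels currently open in total
}

func NewAdmission(allow, deny []string, limits Limits) (*Admission, error) {
	ad := &Admission{limits: limits, recent: map[netip.Addr][]time.Time{}, active: map[netip.Addr]int{}}
	var err error
	if ad.allow, err = parsePrefixes(allow); err != nil {
		return nil, err
	}
	if ad.deny, err = parsePrefixes(deny); err != nil {
		return nil, err
	}
	return ad, nil
}

// parsePrefixes accepts CIDR ranges and bare IPv4/IPv6 addresses; a bare address becomes a /32 or /128.
func parsePrefixes(specs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(specs))
	for _, s := range specs {
		if p, err := netip.ParsePrefix(s); err == nil {
			out = append(out, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(s)
		if err != nil {
			return nil, err
		}
		a = a.Unmap()
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

func matchAny(ps []netip.Prefix, a netip.Addr) bool {
	for _, p := range ps {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Allowed: a deny match always wins; with a non-empty allow list the address must match one entry.
// IPv4-mapped IPv6 (::ffff:a.b.c.d) is unmapped first so IPv4 rules also cover dual-stack clients.
func (ad *Admission) Allowed(a netip.Addr) bool {
	a = a.Unmap()
	if matchAny(ad.deny, a) {
		return false
	}
	return len(ad.allow) == 0 || matchAny(ad.allow, a)
}

// Register records one attempt from ip at time now and reports whether the tunnel may open. Every
// attempt that passes the ACL counts toward the per-minute window, so the caps cannot be probed for free.
func (ad *Admission) Register(ip string, now time.Time) error {
	a, err := netip.ParseAddr(ip)
	if err != nil {
		return err
	}
	a = a.Unmap()
	if !ad.Allowed(a) {
		return ErrDenied
	}
	rec, cutoff := ad.recent[a], now.Add(-time.Minute)
	for len(rec) > 0 && !rec[0].After(cutoff) { // expire the oldest attempts (now must not go backwards)
		rec = rec[1:]
	}
	ad.recent[a] = append(rec, now)
	if len(ad.recent[a]) > ad.limits.RegistrationsPerMinute ||
		ad.active[a] >= ad.limits.TunnelsPerIP || ad.total >= ad.limits.TotalTunnels {
		return ErrRateLimited
	}
	ad.active[a]++
	ad.total++
	return nil
}

// Release frees one tunnel slot when a client disconnects.
func (ad *Admission) Release(ip string) {
	if a, err := netip.ParseAddr(ip); err == nil && ad.active[a.Unmap()] > 0 {
		ad.active[a.Unmap()]--
		ad.total--
	}
}
```

Two details matter in practice: the address is unmapped before any check, because a dual-stack listener hands you `::ffff:192.168.1.100` for an IPv4 client and an un-unmapped prefix match would let that client slip past an IPv4 deny rule; and rejected attempts still count toward the window, so a client that is already at its tunnel cap cannot hammer the registration endpoint without also tripping the per-minute limit.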
No Data Storage
Drip doesn't store or log your traffic:
- No request/response logging
- No analytics or tracking
- Traffic flows directly between client and server
- No third-party services involved
Subdomain Validation
Subdomains are validated to prevent abuse:
- Length: 3-63 characters
- Characters: lowercase letters, numbers, hyphens
- Cannot start or end with hyphen
- Reserved names blocked (www, api, admin, etc.)
Connection Security
- TCP_NODELAY enabled for low latency
- TCP keep-alive with 30-second intervals
- Read/write buffers: 256 KB each
- Graceful shutdown with 2-second timeout
Server Hardening
When running as a systemd service:
```ini
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
```
Note that `ProtectSystem=strict` mounts the whole filesystem read-only for the service (only `/dev`, `/proc` and `/sys` stay writable), so any directory the server must write to has to be granted explicitly with `ReadWritePaths=`. `ProtectHome=true` makes `/home`, `/root` and `/run/user` inaccessible, so the server must not expect to read a token file from a home directory.