How-to Guides
Run multiple services
Section titled “Run multiple services”nila-tunnel register -d app.test -p 3000 # frontendnila-tunnel register -d api.test -p 4000 # APInila-tunnel register -d llm.test -p 8000 # LLM gatewaynila-tunnel register -d ws.test -p 5000 # WebSocket servernila-tunnel startAll services share one proxy, one Root CA, one DNS resolver.
WebSocket services
Section titled “WebSocket services”No special configuration. Register like any HTTP service:
nila-tunnel register -d ws.test -p 5000The proxy detects Upgrade: websocket headers and switches to
bidirectional tunneling automatically. WebSocket connections are
excluded from request timeouts.
SSE streaming (LLM responses)
Section titled “SSE streaming (LLM responses)”SSE streams pass through without buffering:
nila-tunnel register -d sse.test -p 7000curl -Nsk https://sse.test:8443/events # events stream in real timeNo configuration needed — the proxy’s passthrough mode never buffers response bodies.
Per-path request timeouts
Section titled “Per-path request timeouts”Different paths can have different timeouts:
# LLM chat: 2 minutes (model inference is slow)nila-tunnel register -d ai.test -p 8000 --path /v1/chat --request-timeout 120000
# Health check: 5 secondsnila-tunnel register -d ai.test -p 8000 --path /health --request-timeout 5000Timeout in milliseconds. Returns 504 Gateway Timeout on expiry.
Paths are matched by longest prefix.
Hot-reload (register while running)
Section titled “Hot-reload (register while running)”Register or deregister services without restarting:
nila-tunnel register -d new.test -p 9000 # takes effect immediatelynila-tunnel deregister -d old.test # removed immediatelyThe proxy reloads configuration via SIGHUP — no downtime.
Machine-readable status for scripts
Section titled “Machine-readable status for scripts”nila-tunnel status --json | python3 -m json.toolOutput:
{ "running": true, "pid": 12345, "version": "0.8.1", "services": [ { "host": "app.test", "paths": [{ "path": "/", "target": "127.0.0.1:3000" }] } ]}Structured request logs
Section titled “Structured request logs”Request logs are written in JSONL format with API key masking:
nila-tunnel log requests --lines 5Sensitive headers (Authorization, X-Api-Key) are automatically masked:
Bearer sk-test123... → Bearer sk-te****123
Run in foreground (debugging)
Section titled “Run in foreground (debugging)”nila-tunnel start -FLogs go to stderr instead of the log file. Useful for debugging connection issues.
Clean URLs (ports 80/443)
Section titled “Clean URLs (ports 80/443)”nila-tunnel start --mode privileged# https://app.test/ instead of https://app.test:8443/Requires root. Without root, use high ports (8080/8443) — the default.
Diagnostics
Section titled “Diagnostics”nila-tunnel doctorChecks: Root CA presence and trust, DNS resolver, port availability, config file validity.
Uninstall completely
Section titled “Uninstall completely”nila-tunnel stopnila-tunnel uninstallRemoves: CA trust from keychain, DNS resolver, all certificates, config, logs, and data directory.