Animefu Tunnel Docs

Self-hosted public tunnels powered by zrok2, fronted by Caddy with automatic HTTPS for web apps and WSS for websocket apps.

HTTPS on share subdomains WSS for websocket clients Portal onboarding SSH / TCP / UDP private tunnels SOCKS and UDP private modes Raw :8080 hidden from the public internet

Endpoints

Quick start

zrok2 config set apiEndpoint https://zrok2.animefu.space
zrok2 enable <your-token>
zrok2 create name myapp
zrok2 share public http://127.0.0.1:3000 --name-selection public:myapp

Your app will be available at https://myapp.animefu.space/.

WebSocket apps

If your backend speaks websocket, clients should connect to:

wss://yourname.animefu.space/

Do not use public :8080. Plain HTTP redirects to HTTPS, and the raw dynamic frontend port is not publicly exposed.

Protocol support

Important: raw TCP/UDP/SSH are private-only on this deployment. They do not use public *.animefu.space hostnames. For browser traffic use HTTPS; for websocket traffic use WSS; for SSH and other socket protocols use zrok2 access private on the client side.

SSH tunneling

Animefu supports SSH tunneling through zrok private TCP tunnels. On the machine you want to reach:

zrok2 share private --backend-mode tcpTunnel localhost:22

On your client machine:

zrok2 access private --headless --bind 127.0.0.1:2222 <share-token>
ssh -p 2222 user@127.0.0.1

This same pattern works for databases and other raw TCP services by changing the target port.

Other private protocols

# Database example
zrok2 share private --backend-mode tcpTunnel localhost:5432
zrok2 access private --headless --bind 127.0.0.1:5432 <share-token>

# SOCKS example
zrok2 share private --backend-mode socks
zrok2 access private --headless --bind 127.0.0.1:1080 <share-token>

Reserved hostnames

System hostnames are intentionally not claimable as public share names. That includes docs and control-plane hosts like: