npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@serve.zone/remoteingress

v4.1.0

Published

Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.

Downloads

847

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

losslesslossless

Keywords

remote accessingress tunnelnetwork edgePROXY protocolmultiplexed tunnelTCP proxyTLS tunnelserve.zone stackTypeScriptRustSmartProxy

Readme

@serve.zone/remoteingress

Edge ingress tunnel for DcRouter — accepts incoming TCP connections at the network edge and tunnels them over a single encrypted TLS connection to a DcRouter SmartProxy instance, preserving the original client IP via PROXY protocol v1.

Issue Reporting and Security

For reporting bugs, issues, or security vulnerabilities, please visit community.foss.global/. This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a code.foss.global/ account to submit Pull Requests directly.

Install

pnpm install @serve.zone/remoteingress

🏗️ Architecture

@serve.zone/remoteingress uses a Hub/Edge topology with a high-performance Rust core and a TypeScript API surface:

┌─────────────────────┐          TLS Tunnel           ┌─────────────────────┐
│   Network Edge      │  ◄══════════════════════════►  │   Private Cluster   │
│                     │   (multiplexed frames +        │                     │
│  RemoteIngressEdge  │    shared-secret auth)         │  RemoteIngressHub   │
│  Accepts client TCP │                                │  Forwards to        │
│  connections on     │                                │  SmartProxy on      │
│  hub-assigned ports │                                │  local ports        │
└─────────────────────┘                                └─────────────────────┘
        ▲                                                       │
        │  TCP from end users                                   ▼
   Internet                                             DcRouter / SmartProxy

| Component | Role | |-----------|------| | RemoteIngressEdge | Deployed at the network edge (e.g. a VPS or cloud instance). Listens on ports assigned by the hub, accepts raw TCP connections, and multiplexes them over a single TLS tunnel to the hub. Ports are hot-reloadable — the hub can change them at runtime. | | RemoteIngressHub | Deployed alongside DcRouter/SmartProxy in a private cluster. Accepts edge connections, demuxes streams, and forwards each to SmartProxy with a PROXY protocol v1 header so the real client IP is preserved. Controls which ports each edge listens on. | | Rust Binary (remoteingress-bin) | The performance-critical networking core. Managed via @push.rocks/smartrust RustBridge IPC — you never interact with it directly. Cross-compiled for linux/amd64 and linux/arm64. |

✨ Key Features

  • 🔒 TLS-encrypted tunnel between edge and hub (auto-generated self-signed cert or bring your own)
  • 🔀 Multiplexed streams — thousands of client connections flow over a single tunnel
  • 🌐 PROXY protocol v1 — SmartProxy sees the real client IP, not the tunnel IP
  • 🔑 Shared-secret authentication — edges must present valid credentials to connect
  • 🎫 Connection tokens — encode all connection details into a single opaque string
  • 📡 STUN-based public IP discovery — the edge automatically discovers its public IP via Cloudflare STUN
  • 🔄 Auto-reconnect with exponential backoff if the tunnel drops
  • 🎛️ Dynamic port configuration — the hub assigns listen ports per edge and can hot-reload them at runtime via FRAME_CONFIG frames
  • 📣 Event-driven — both Hub and Edge extend EventEmitter for real-time monitoring
  • Rust core — all frame encoding, TLS, and TCP proxying happen in native code for maximum throughput

🚀 Usage

Both classes are imported from the package and communicate with the Rust binary under the hood. All you need to do is configure and start them.

Setting Up the Hub (Private Cluster Side)

import { RemoteIngressHub } from '@serve.zone/remoteingress';

const hub = new RemoteIngressHub();

// Listen for events
hub.on('edgeConnected', ({ edgeId }) => {
  console.log(`Edge ${edgeId} connected`);
});
hub.on('edgeDisconnected', ({ edgeId }) => {
  console.log(`Edge ${edgeId} disconnected`);
});
hub.on('streamOpened', ({ edgeId, streamId }) => {
  console.log(`Stream ${streamId} opened from edge ${edgeId}`);
});
hub.on('streamClosed', ({ edgeId, streamId }) => {
  console.log(`Stream ${streamId} closed from edge ${edgeId}`);
});

// Start the hub — it will listen for incoming edge TLS connections
await hub.start({
  tunnelPort: 8443,        // port edges connect to (default: 8443)
  targetHost: '127.0.0.1', // SmartProxy host to forward streams to (default: 127.0.0.1)
});

// Register which edges are allowed to connect, including their listen ports
await hub.updateAllowedEdges([
  {
    id: 'edge-nyc-01',
    secret: 'supersecrettoken1',
    listenPorts: [80, 443],        // ports the edge should listen on
    stunIntervalSecs: 300,         // STUN discovery interval (default: 300)
  },
  {
    id: 'edge-fra-02',
    secret: 'supersecrettoken2',
    listenPorts: [443, 8080],
  },
]);

// Dynamically update ports for a connected edge — changes are pushed instantly
await hub.updateAllowedEdges([
  {
    id: 'edge-nyc-01',
    secret: 'supersecrettoken1',
    listenPorts: [80, 443, 8443],  // added port 8443 — edge picks it up in real time
  },
]);

// Check status at any time
const status = await hub.getStatus();
console.log(status);
// {
//   running: true,
//   tunnelPort: 8443,
//   connectedEdges: [
//     { edgeId: 'edge-nyc-01', connectedAt: 1700000000, activeStreams: 12 }
//   ]
// }

// Graceful shutdown
await hub.stop();

Setting Up the Edge (Network Edge Side)

The edge can be configured in two ways: with an opaque connection token (recommended) or with explicit config fields.

Option A: Connection Token (Recommended)

A single token encodes all connection details — ideal for provisioning edges at scale:

import { RemoteIngressEdge } from '@serve.zone/remoteingress';

const edge = new RemoteIngressEdge();

edge.on('tunnelConnected', () => console.log('Tunnel established'));
edge.on('tunnelDisconnected', () => console.log('Tunnel lost — will auto-reconnect'));
edge.on('publicIpDiscovered', ({ ip }) => console.log(`Public IP: ${ip}`));
edge.on('portsAssigned', ({ listenPorts }) => console.log(`Listening on ports: ${listenPorts}`));
edge.on('portsUpdated', ({ listenPorts }) => console.log(`Ports updated: ${listenPorts}`));

// Single token contains hubHost, hubPort, edgeId, and secret
await edge.start({
  token: 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwicCI6ODQ0MywiZSI6ImVkZ2UtbnljLTAxIiwicyI6InN1cGVyc2VjcmV0dG9rZW4xIn0',
});

Option B: Explicit Config

import { RemoteIngressEdge } from '@serve.zone/remoteingress';

const edge = new RemoteIngressEdge();

edge.on('tunnelConnected', () => console.log('Tunnel established'));
edge.on('tunnelDisconnected', () => console.log('Tunnel lost — will auto-reconnect'));
edge.on('publicIpDiscovered', ({ ip }) => console.log(`Public IP: ${ip}`));
edge.on('portsAssigned', ({ listenPorts }) => console.log(`Listening on ports: ${listenPorts}`));
edge.on('portsUpdated', ({ listenPorts }) => console.log(`Ports updated: ${listenPorts}`));

await edge.start({
  hubHost: 'hub.example.com',  // hostname or IP of the hub
  hubPort: 8443,               // must match hub's tunnelPort (default: 8443)
  edgeId: 'edge-nyc-01',       // unique edge identifier
  secret: 'supersecrettoken1', // must match the hub's allowed edge secret
});

// Check status at any time
const edgeStatus = await edge.getStatus();
console.log(edgeStatus);
// {
//   running: true,
//   connected: true,
//   publicIp: '203.0.113.42',
//   activeStreams: 5,
//   listenPorts: [80, 443]
// }

// Graceful shutdown
await edge.stop();

🎫 Connection Tokens

Connection tokens let you distribute a single opaque string instead of four separate config values. The hub operator generates the token; the edge operator just pastes it in.

import { encodeConnectionToken, decodeConnectionToken } from '@serve.zone/remoteingress';

// Hub side: generate a token for a new edge
const token = encodeConnectionToken({
  hubHost: 'hub.example.com',
  hubPort: 8443,
  edgeId: 'edge-nyc-01',
  secret: 'supersecrettoken1',
});
console.log(token);
// => 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwi...'

// Edge side: inspect a token (optional — start() does this automatically)
const data = decodeConnectionToken(token);
console.log(data);
// {
//   hubHost: 'hub.example.com',
//   hubPort: 8443,
//   edgeId: 'edge-nyc-01',
//   secret: 'supersecrettoken1'
// }

Tokens are base64url-encoded (URL-safe, no padding) — safe to pass as environment variables, CLI arguments, or store in config files.

📖 API Reference

RemoteIngressHub

| Method / Property | Description | |-------------------|-------------| | start(config?) | Spawns the Rust binary and starts the tunnel listener. Config: { tunnelPort?: number, targetHost?: string } | | stop() | Gracefully shuts down the hub and kills the Rust process. | | updateAllowedEdges(edges) | Dynamically update which edges are authorized and what ports they listen on. Each edge: { id: string, secret: string, listenPorts?: number[], stunIntervalSecs?: number }. If ports change for a connected edge, the update is pushed immediately via a FRAME_CONFIG frame. | | getStatus() | Returns current hub status including connected edges and active stream counts. | | running | boolean — whether the Rust binary is alive. |

Events: edgeConnected, edgeDisconnected, streamOpened, streamClosed

RemoteIngressEdge

| Method / Property | Description | |-------------------|-------------| | start(config) | Spawns the Rust binary and connects to the hub. Accepts { token: string } or IEdgeConfig. Listen ports are received from the hub during handshake. | | stop() | Gracefully shuts down the edge and kills the Rust process. | | getStatus() | Returns current edge status including connection state, public IP, listen ports, and active streams. | | running | boolean — whether the Rust binary is alive. |

Events: tunnelConnected, tunnelDisconnected, publicIpDiscovered, portsAssigned, portsUpdated

Token Utilities

| Function | Description | |----------|-------------| | encodeConnectionToken(data) | Encodes IConnectionTokenData into a base64url token string. | | decodeConnectionToken(token) | Decodes a token back into IConnectionTokenData. Throws on malformed or incomplete tokens. |

Interfaces

interface IHubConfig {
  tunnelPort?: number;   // default: 8443
  targetHost?: string;   // default: '127.0.0.1'
}

interface IEdgeConfig {
  hubHost: string;
  hubPort?: number;      // default: 8443
  edgeId: string;
  secret: string;
}

interface IConnectionTokenData {
  hubHost: string;
  hubPort: number;
  edgeId: string;
  secret: string;
}

🔌 Wire Protocol

The tunnel uses a custom binary frame protocol over TLS:

[stream_id: 4 bytes BE][type: 1 byte][length: 4 bytes BE][payload: N bytes]

| Frame Type | Value | Direction | Purpose | |------------|-------|-----------|---------| | OPEN | 0x01 | Edge → Hub | Open a new stream; payload is PROXY v1 header | | DATA | 0x02 | Edge → Hub | Client data flowing upstream | | CLOSE | 0x03 | Edge → Hub | Client closed the connection | | DATA_BACK | 0x04 | Hub → Edge | Response data flowing downstream | | CLOSE_BACK | 0x05 | Hub → Edge | Upstream (SmartProxy) closed the connection | | CONFIG | 0x06 | Hub → Edge | Runtime configuration update (e.g. port changes); payload is JSON |

Max payload size per frame: 16 MB. Stream IDs are 32-bit unsigned integers.

Handshake Sequence

  1. Edge opens a TLS connection to the hub
  2. Edge sends: EDGE <edgeId> <secret>\n
  3. Hub verifies credentials (constant-time comparison) and responds with JSON: {"listenPorts":[...],"stunIntervalSecs":300}\n
  4. Edge starts TCP listeners on the assigned ports
  5. Frame protocol begins — OPEN/DATA/CLOSE frames flow in both directions
  6. Hub can push CONFIG frames at any time to update the edge's listen ports

💡 Example Scenarios

1. Expose a Private Kubernetes Cluster to the Internet

Deploy an Edge on a public VPS, point your DNS to the VPS IP. The Edge tunnels all traffic to the Hub running inside the cluster, which hands it off to SmartProxy/DcRouter. Your cluster stays fully private — no public-facing ports needed.

2. Multi-Region Edge Ingress

Run multiple Edges in different geographic regions (NYC, Frankfurt, Tokyo) all connecting to a single Hub. Use GeoDNS to route users to their nearest Edge. The Hub sees the real client IPs via PROXY protocol regardless of which edge they connected through.

3. Secure API Exposure

Your backend runs on a private network with no direct internet access. An Edge on a minimal cloud instance acts as the only public entry point. TLS tunnel + shared-secret auth ensure only your authorized Edge can forward traffic.

4. Token-Based Edge Provisioning

Generate connection tokens on the hub side and distribute them to edge operators. Each edge only needs a single token string to connect — no manual configuration of host, port, ID, and secret.

// Hub operator generates token
const token = encodeConnectionToken({
  hubHost: 'hub.prod.example.com',
  hubPort: 8443,
  edgeId: 'edge-tokyo-01',
  secret: 'generated-secret-abc123',
});
// Send `token` to the edge operator via secure channel

// Edge operator starts with just the token
const edge = new RemoteIngressEdge();
await edge.start({ token });

5. Dynamic Port Management

The hub controls which ports each edge listens on. Ports can be changed at runtime without restarting the edge — the hub pushes a CONFIG frame and the edge hot-reloads its TCP listeners.

// Initially assign ports 80 and 443
await hub.updateAllowedEdges([
  { id: 'edge-nyc-01', secret: 'secret', listenPorts: [80, 443] },
]);

// Later, add port 8080 — the connected edge picks it up instantly
await hub.updateAllowedEdges([
  { id: 'edge-nyc-01', secret: 'secret', listenPorts: [80, 443, 8080] },
]);

License and Legal Information

This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the LICENSE file.

Please note: The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

Trademarks

This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.

Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.

Company Information

Task Venture Capital GmbH Registered at District Court Bremen HRB 35230 HB, Germany

For any legal inquiries or further information, please contact us via email at [email protected].

By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.