[lapser]

I'm assuming the bore server would have to be listening on all ports right? Doesn't that cause risk as all ports (or lots of them anyway) are open?

Also, seems like it'd be trivial to add TLS termination. I've used ngrok for it's TLS termination when developing GH Webhook listeners.

[ekzhang]

Good question. No, the bore server only listens on ports dynamically when it gets a new connection. It cleans up connections as well. This is managed by Rust’s ownership system. Could you also clarify what the specific risk is of opening ports?

Bore has an explicit design goal of being easy to deploy yourself. Unfortunately adding TLS termination would necessitate setup steps like creating a wildcard certificate and uploading it. It also requires additional configuration options, since TLS termination is on top of HTTP, but bore only proxies TCP directly and is unaware of HTTP. This is by design.

[lapser]

> Could you also clarify what the specific risk is of opening ports?

I guess I was meant from a firewall perspective. I understand the ports won't be listening but any potential firewall will not be able to block the port unless you have some integration to dynamically get the firewall to open and close ports on demand.

[remram]

The number of open ports doesn't matter, if they all point to the same service.