Automic VaultAutomic Vault

brew

Install ghostunnel with Homebrew, Nix

Simple SSL/TLS proxy with mutual authentication. Version 1.11.0 via Homebrew; verified 2026-07-02.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install ghostunnel

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#ghostunnel

nixpkgs package indexes · pkgs/by-name/gh/ghostunnel/package.nix · source: api.github.com

overview

Package summary

Simple SSL/TLS proxy with mutual authentication

Commands and aliases

  • ghostunnel

history

Project history and usage

Ghostunnel is a Go TLS proxy for placing mutual TLS in front of services that do not speak TLS themselves.

Project history

The Ghostunnel repository was created in 2015 and its first GitHub release, v1.0.0, was published in 2016. Its README frames the project as a simple TLS proxy with mutual authentication for securing non-TLS backend applications.

The project evolved around two complementary modes: server mode terminates TLS and forwards to an insecure backend, while client mode accepts local insecure connections and forwards them to a TLS-secured service. Over time the README grew to document certificate reloads, ACME, PKCS#11, macOS Keychain, Windows Certificate Store, SPIFFE Workload API, Prometheus metrics, systemd and launchd socket activation, and Windows service management.

Adoption history

Ghostunnel's adoption sits in security and operations teams that need a small proxy rather than a full service mesh or general reverse proxy. Official materials point users to GitHub releases and Docker Hub, and the project documents Linux, macOS, Windows, and other Go-supported Unix systems.

How it is used

Practitioners use Ghostunnel to wrap legacy TCP services with mutual TLS, add client-certificate authorization, run local TLS clients for remote services, reload short-lived certificates, expose metrics, and deploy the proxy under a service manager.

Why package nerds care

Package nerds care about Ghostunnel because it packages a focused security boundary as one executable: install it, provide certificates, and put mTLS in front of a service without rewriting the application.

Timeline

  • 2015: GitHub repository created.
  • 2016: v1.0.0 initial release published.
  • 2020s: Documentation covers OPA policies, SPIFFE identities, hardware-backed keys, certificate reloads, metrics, and service-manager deployment.

Related projects

  • Ghostunnel is adjacent to stunnel, OpenSSL tooling, mkcert, cfssl, SPIFFE, Open Policy Agent, systemd, launchd, and Docker-based deployment workflows.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
ghostunnelcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.11.0
manager updated2026-07-02
local dataok
upstreamcurrent
latest detectedv1.11.0

https://github.com/ghostunnel/ghostunnel

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:ghostunnel
Version1.11.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/ghostunnel
Homepagehttps://ghostunnel.dev/
Repositoryhttps://github.com/ghostunnel/ghostunnel
Upstream docshttps://ghostunnel.dev/docs/getting-started
LicenseApache-2.0
Source archivehttps://github.com/ghostunnel/ghostunnel/archive/refs/tags/v1.11.0.tar.gz
Last updated2026-07-02T08:01:22Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameghostunnel
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

ghostunnel

nix profile install nixpkgs#ghostunnel
  • normalized package name match
  • Matched by: Ghostunnel
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/gh/ghostunnel/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment