Skip to main content

Built for production traffic

Every tunnel session runs inside its own ephemeral virtual machine, all traffic is encrypted in transit, and credentials never have to appear on the command line.

  • SSH encrypted
  • Dedicated VM
  • Ephemeral
  • MIT licensed

Encrypted channel

The tunnel opens a single outbound SSH connection from your machine to a TestingBot edge endpoint. All test traffic (HTTP, HTTPS, WebSocket, SSE) is multiplexed over that SSH connection.

Inbound ports on your network are not required. The tunnel only initiates outbound connections to ports 443 (HTTPS) and 22 (SSH) on *.testingbot.com.

Dedicated VM lifecycle

Every tunnel session provisions a dedicated virtual machine in the TestingBot cloud. The VM exists only for the lifetime of your tunnel.

01
Provision
A fresh VM is allocated when your tunnel starts.
02
Use
Only your account (or your team if --shared) can route traffic.
03
Teardown
The VM is destroyed when the tunnel shuts down. No state persists.

VMs are not reused between accounts. There is no cross-tenant traffic on the tunnel VM.

Certificates and SSL bumping

By default, the tunnel performs SSL interception (also called SSL bumping) for outbound HTTPS so that the cloud browser can validate certificates seamlessly. The TestingBot CA used for bumping is preinstalled on every cloud VM and device.

For apps that pin certificates, you have two options:

Trust the TB CA

Download the certificate and add it to your app's trust store.

Disable bumping

Start the tunnel with --nobump and HTTPS is forwarded transparently with no decryption.

Credential handling

Your TestingBot key and secret authenticate the tunnel against the TestingBot grid. Treat them like passwords.

The tunnel accepts credentials from three sources, in order of precedence:

  1. Positional arguments on the command line.
  2. Environment variables: TESTINGBOT_KEY and TESTINGBOT_SECRET.
  3. A .testingbot file in your $HOME directory.

For CI pipelines and shared machines, prefer the environment-variable approach so credentials never appear in shell history, process lists or build logs. See the CLI reference for the full list.

Metrics endpoint

The tunnel exposes a Prometheus-compatible metrics endpoint on port 8003 by default. The endpoint is unauthenticated unless you set --metrics-auth user:password (or TESTINGBOT_METRICS_AUTH).

If you run the tunnel on a machine reachable from outside your network, enable metrics auth or move the endpoint to a non-routable interface with a firewall rule. See the monitoring guide.

Data residency

Test traffic flowing through the tunnel is routed via TestingBot edge endpoints in the EU. No traffic is stored after the tunnel ends. For specific data-residency or compliance information, please see the TestingBot trust center.

Was this page helpful?

Looking for More Help?

Have questions or need more information?
You can reach us via the following channels:

TestingBot