SSH tunnel & reverse proxy
SSH tunnel (recommended)
On the remote server, bind StarkLite to localhost:
starklite /var/www/app/db.sqlite --bind-localhost --port 6500 --readonly --expire 1h
From your local machine, forward a local port to the remote one:
ssh -N -L 6500:127.0.0.1:6500 [email protected]
Then open http://127.0.0.1:6500 in your browser. The connection is encrypted by SSH end-to-end, and no port is exposed publicly.
Nginx reverse proxy with TLS
If you need public access, terminate TLS in front of StarkLite. Run StarkLite bound to localhost:
starklite /data/db.sqlite --bind-localhost --port 6500 --idle-timeout 30m
Nginx config:
server {
listen 443 ssl http2;
server_name sl.example.com;
ssl_certificate /etc/letsencrypt/live/sl.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sl.example.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:6500;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 5m;
}
}
StarkLite honors X-Forwarded-For and X-Real-IP for its login rate limiter — set them in the proxy so the limit applies per client, not per proxy.
Caddy reverse proxy
sl.example.com {
reverse_proxy 127.0.0.1:6500
}
systemd unit (optional)
For repeat use on a server, a oneshot systemd unit makes a 1-hour session reproducible:
[Unit] Description=StarkLite temporary session [Service] Type=simple User=appro ExecStart=/usr/local/bin/starklite /var/www/app/db.sqlite \ --bind-localhost --port 6500 --readonly \ --expire 1h --idle-timeout 15m Restart=no