SSH tunnel & reverse proxy

SSH tunnel (recommended)

On the remote server, bind StarkLite to localhost:

starklite /var/www/app/db.sqlite --bind-localhost --port 6500 --readonly --expire 1h

From your local machine, forward a local port to the remote one:

ssh -N -L 6500:127.0.0.1:6500 [email protected]

Then open http://127.0.0.1:6500 in your browser. The connection is encrypted by SSH end-to-end, and no port is exposed publicly.

Nginx reverse proxy with TLS

If you need public access, terminate TLS in front of StarkLite. Run StarkLite bound to localhost:

starklite /data/db.sqlite --bind-localhost --port 6500 --idle-timeout 30m

Nginx config:

server {
  listen 443 ssl http2;
  server_name sl.example.com;

  ssl_certificate     /etc/letsencrypt/live/sl.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/sl.example.com/privkey.pem;

  location / {
    proxy_pass         http://127.0.0.1:6500;
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_read_timeout 5m;
  }
}

StarkLite honors X-Forwarded-For and X-Real-IP for its login rate limiter — set them in the proxy so the limit applies per client, not per proxy.

Caddy reverse proxy

sl.example.com {
  reverse_proxy 127.0.0.1:6500
}

systemd unit (optional)

For repeat use on a server, a oneshot systemd unit makes a 1-hour session reproducible:

[Unit]
Description=StarkLite temporary session

[Service]
Type=simple
User=appro
ExecStart=/usr/local/bin/starklite /var/www/app/db.sqlite \
  --bind-localhost --port 6500 --readonly \
  --expire 1h --idle-timeout 15m
Restart=no