Secure Gateway
The superglue Secure Gateway enables connections from superglue Cloud to data sources that aren’t publicly accessible. Deploy a lightweight agent in your private environment, and it establishes a secure outbound connection to superglue - no inbound firewall rules required.
Use Cases
Section titled “Use Cases”- On-premises servers behind corporate firewalls
- Cloud VPCs (AWS, Azure, GCP) without public endpoints
- Kubernetes clusters with internal-only services
- Development environments and localhost
- Any system that only allows outbound connections
Common data sources:
- Internal REST APIs
- Databases (PostgreSQL, MSSQL, MongoDB) in private subnets
- Windows file shares (SMB) on corporate networks
- SFTP servers behind firewalls
How It Works
Section titled “How It Works”The gateway agent runs in your private environment and establishes an outbound WebSocket connection to superglue Cloud. When a tool needs to access a private system, superglue routes the request through the gateway.

Key benefits:
- No inbound firewall rules required
- All traffic encrypted via TLS
- Agent only exposes explicitly configured targets
- Credentials stay in your environment
Installation
Section titled “Installation”Download Pre-built Binary
Section titled “Download Pre-built Binary”First, check your system architecture:
uname -mThen download the appropriate binary:
superglue-gateway && chmod +x superglue-gateway ```</TabItem><TabItem label="Linux arm64 (AWS Graviton)">```bash curl -L https://downloads.superglue.cloud/superglue-gateway-linux-arm64 -osuperglue-gateway && chmod +x superglue-gateway ```</TabItem><TabItem label="Windows (x86_64)">```powershell Invoke-WebRequest -Urihttps://downloads.superglue.cloud/superglue-gateway-windows.exe -OutFile superglue-gateway.exeBuild from Source
Section titled “Build from Source”If you prefer to build from source (requires Go 1.21+):
git clone https://github.com/superglue-ai/superglue.gitcd superglue/tunnel-agentgo build -o superglue-gateway .Configuration
Section titled “Configuration”Create a config.yaml file with your settings:
tunnel_id: "acme-corp"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
targets: internal_api: "192.168.1.10:8080"tunnel_id: "aws-prod"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
targets: # Private ALB or internal service internal_alb: "internal-alb-123456.us-east-1.elb.amazonaws.com:80"tunnel_id: "acme-corp"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
targets: postgres: "192.168.1.50:5432"tunnel_id: "acme-corp"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
targets: mssql: "192.168.1.50:1433" # Or for Azure SQL: # azure_sql: "myserver.database.windows.net:1433"tunnel_id: "acme-corp"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
targets: sftp_server: "192.168.1.60:22"tunnel_id: "acme-corp"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
targets: file_share: "192.168.1.100:445"tunnel_id: "acme-corp"server_url: "wss://api.superglue.cloud/ws/tunnels"api_key: "sg_your_api_key_here"
# You can expose multiple targets through a single gatewaytargets: internal_api: "192.168.1.10:8080" postgres: "192.168.1.50:5432" file_share: "192.168.1.100:445"Configuration Options
Section titled “Configuration Options”| Field | Description | Required |
|---|---|---|
tunnel_id |
Unique identifier for this gateway connection. Appears in superglue dashboard. | Yes |
server_url |
superglue WebSocket endpoint. Use wss://api.superglue.cloud/ws/tunnels for hosted. |
Yes |
api_key |
API key from your superglue dashboard | Yes |
targets |
Map of target names to host:port addresses. Each target becomes selectable in the UI. |
Yes |
Getting an API Key
Section titled “Getting an API Key”- Log in to your superglue dashboard
- Go to Settings > API Keys
- Click Create API Key
- Copy the key and add it to your
config.yaml
Running the Agent
Section titled “Running the Agent”Manual Start
Section titled “Manual Start”bash ./superglue-gateway -config /path/to/config.yaml powershell .\superglue-gateway.exe -config C:\path\to\config.yaml
Debug Mode
Section titled “Debug Mode”For troubleshooting connection issues, run with the -debug flag to enable verbose logging:
bash ./superglue-gateway -config /path/to/config.yaml -debug
powershell .\superglue-gateway.exe -config C:\path\to\config.yaml -debug
Debug mode shows:
- WebSocket connection status and handshake details
- Incoming tunnel requests with target information
- Data channel establishment
- TCP connection attempts to local targets
- SMB protocol messages (when connecting to Windows shares)
- Bytes transferred through the tunnel
Run in Background
Section titled “Run in Background”To run the agent in the background so it persists after closing your terminal:
nohup ./superglue-gateway -config config.yaml > gateway.log 2>&1 &Check if running: pgrep -a superglue-gateway. Check logs: tail -f gateway.log. Stop: pkill superglue-gateway.
Run as a systemd Service (Linux)
Section titled “Run as a systemd Service (Linux)”- Create a service file
/etc/systemd/system/superglue-gateway.service:
[Unit]Description=superglue Gateway AgentAfter=network.target
[Service]Type=simpleUser=superglueWorkingDirectory=/opt/superglue-gatewayExecStart=/opt/superglue-gateway/superglue-gateway -config /opt/superglue-gateway/config.yamlRestart=alwaysRestartSec=5
[Install]WantedBy=multi-user.target- Enable and start the service:
sudo systemctl daemon-reloadsudo systemctl enable superglue-gatewaysudo systemctl start superglue-gateway- Check status:
sudo systemctl status superglue-gatewaysudo journalctl -u superglue-gateway -fRun as a Windows Service
Section titled “Run as a Windows Service”- Install NSSM (Non-Sucking Service Manager):
nssm install SuperglueGateway C:\superglue\superglue-gateway.exe -config C:\superglue\config.yamlnssm start SuperglueGateway- Check status:
nssm status SuperglueGateway- View logs:
nssm get SuperglueGateway AppStdoutRun in AWS (EC2 / ECS)
Section titled “Run in AWS (EC2 / ECS)”For AWS VPC access, deploy the agent on an EC2 instance or ECS task within the VPC:
# Check your architecture firstuname -m # x86_64 or aarch64
# Download the correct binary (x86_64 for most EC2, arm64 for Graviton)curl -L https://downloads.superglue.cloud/superglue-gateway-linux-x86_64 -o superglue-gateway && chmod +x superglue-gateway
# Or for ARM/Graviton instances:# curl -L https://downloads.superglue.cloud/superglue-gateway-linux-arm64 -o superglue-gateway && chmod +x superglue-gateway
./superglue-gateway -config config.yamlThe agent only needs outbound HTTPS (port 443) access to api.superglue.cloud.
Set up your Private System in Superglue Dashboard
Section titled “Set up your Private System in Superglue Dashboard”Once your gateway agent is running and connected:
- Go to Systems in your superglue dashboard
- Click Add System and select Private System
- Select your connected gateway from the list
- Choose the target endpoint you want to use
- Configure authentication (API keys, etc.) if needed
- Add documentation for the system
- Save the system
Troubleshooting
Section titled “Troubleshooting”Gateway won’t connect
Section titled “Gateway won’t connect”- Verify your API key is correct
- Check that outbound WebSocket connections (port 443) are allowed
- Ensure the
server_urlis correct for your superglue instance
Target connection fails
Section titled “Target connection fails”- Verify the target address is reachable from the gateway host
- Check firewall rules / security groups between the gateway and target
- Test connectivity:
nc -zv <target-host> <port>
Connection drops frequently
Section titled “Connection drops frequently”- Check network stability between gateway and superglue cloud
- Review gateway logs for specific error messages
- Ensure no proxy/firewall is terminating idle connections
Security Considerations
Section titled “Security Considerations”- The gateway only exposes explicitly configured targets
- All traffic is encrypted via TLS (WebSocket Secure)
- The gateway initiates outbound connections only (no inbound ports needed)
- API keys should be kept secure and rotated periodically
- Consider running the gateway with minimal privileges
- In AWS, use IAM roles and security groups to restrict gateway access