Skip to content

Secure Gateway

The superglue Secure Gateway enables connections from superglue Cloud to data sources that aren’t publicly accessible. Deploy a lightweight agent in your private environment, and it establishes a secure outbound connection to superglue - no inbound firewall rules required.

  • On-premises servers behind corporate firewalls
  • Cloud VPCs (AWS, Azure, GCP) without public endpoints
  • Kubernetes clusters with internal-only services
  • Development environments and localhost
  • Any system that only allows outbound connections

Common data sources:

  • Internal REST APIs
  • Databases (PostgreSQL, MSSQL, MongoDB) in private subnets
  • Windows file shares (SMB) on corporate networks
  • SFTP servers behind firewalls

The gateway agent runs in your private environment and establishes an outbound WebSocket connection to superglue Cloud. When a tool needs to access a private system, superglue routes the request through the gateway.

Secure Gateway Architecture

Key benefits:

  • No inbound firewall rules required
  • All traffic encrypted via TLS
  • Agent only exposes explicitly configured targets
  • Credentials stay in your environment

First, check your system architecture:

Terminal window
uname -m

Then download the appropriate binary:

Terminal window
superglue-gateway && chmod +x superglue-gateway ```
</TabItem>
<TabItem label="Linux arm64 (AWS Graviton)">
```bash curl -L https://downloads.superglue.cloud/superglue-gateway-linux-arm64 -o
superglue-gateway && chmod +x superglue-gateway ```
</TabItem>
<TabItem label="Windows (x86_64)">
```powershell Invoke-WebRequest -Uri
https://downloads.superglue.cloud/superglue-gateway-windows.exe -OutFile superglue-gateway.exe

If you prefer to build from source (requires Go 1.21+):

Terminal window
git clone https://github.com/superglue-ai/superglue.git
cd superglue/tunnel-agent
go build -o superglue-gateway .

Create a config.yaml file with your settings:

tunnel_id: "acme-corp"
server_url: "wss://api.superglue.cloud/ws/tunnels"
api_key: "sg_your_api_key_here"
targets:
internal_api: "192.168.1.10:8080"
Field Description Required
tunnel_id Unique identifier for this gateway connection. Appears in superglue dashboard. Yes
server_url superglue WebSocket endpoint. Use wss://api.superglue.cloud/ws/tunnels for hosted. Yes
api_key API key from your superglue dashboard Yes
targets Map of target names to host:port addresses. Each target becomes selectable in the UI. Yes
  1. Log in to your superglue dashboard
  2. Go to Settings > API Keys
  3. Click Create API Key
  4. Copy the key and add it to your config.yaml
bash ./superglue-gateway -config /path/to/config.yaml

For troubleshooting connection issues, run with the -debug flag to enable verbose logging:

bash ./superglue-gateway -config /path/to/config.yaml -debug

Debug mode shows:

  • WebSocket connection status and handshake details
  • Incoming tunnel requests with target information
  • Data channel establishment
  • TCP connection attempts to local targets
  • SMB protocol messages (when connecting to Windows shares)
  • Bytes transferred through the tunnel

To run the agent in the background so it persists after closing your terminal:

Terminal window
nohup ./superglue-gateway -config config.yaml > gateway.log 2>&1 &

Check if running: pgrep -a superglue-gateway. Check logs: tail -f gateway.log. Stop: pkill superglue-gateway.

  1. Create a service file /etc/systemd/system/superglue-gateway.service:
[Unit]
Description=superglue Gateway Agent
After=network.target
[Service]
Type=simple
User=superglue
WorkingDirectory=/opt/superglue-gateway
ExecStart=/opt/superglue-gateway/superglue-gateway -config /opt/superglue-gateway/config.yaml
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
  1. Enable and start the service:
Terminal window
sudo systemctl daemon-reload
sudo systemctl enable superglue-gateway
sudo systemctl start superglue-gateway
  1. Check status:
Terminal window
sudo systemctl status superglue-gateway
sudo journalctl -u superglue-gateway -f
  1. Install NSSM (Non-Sucking Service Manager):
Terminal window
nssm install SuperglueGateway C:\superglue\superglue-gateway.exe -config C:\superglue\config.yaml
nssm start SuperglueGateway
  1. Check status:
Terminal window
nssm status SuperglueGateway
  1. View logs:
Terminal window
nssm get SuperglueGateway AppStdout

For AWS VPC access, deploy the agent on an EC2 instance or ECS task within the VPC:

Terminal window
# Check your architecture first
uname -m # x86_64 or aarch64
# Download the correct binary (x86_64 for most EC2, arm64 for Graviton)
curl -L https://downloads.superglue.cloud/superglue-gateway-linux-x86_64 -o superglue-gateway && chmod +x superglue-gateway
# Or for ARM/Graviton instances:
# curl -L https://downloads.superglue.cloud/superglue-gateway-linux-arm64 -o superglue-gateway && chmod +x superglue-gateway
./superglue-gateway -config config.yaml

The agent only needs outbound HTTPS (port 443) access to api.superglue.cloud.

Set up your Private System in Superglue Dashboard

Section titled “Set up your Private System in Superglue Dashboard”

Once your gateway agent is running and connected:

  1. Go to Systems in your superglue dashboard
  2. Click Add System and select Private System
  3. Select your connected gateway from the list
  4. Choose the target endpoint you want to use
  5. Configure authentication (API keys, etc.) if needed
  6. Add documentation for the system
  7. Save the system
  • Verify your API key is correct
  • Check that outbound WebSocket connections (port 443) are allowed
  • Ensure the server_url is correct for your superglue instance
  • Verify the target address is reachable from the gateway host
  • Check firewall rules / security groups between the gateway and target
  • Test connectivity: nc -zv <target-host> <port>
  • Check network stability between gateway and superglue cloud
  • Review gateway logs for specific error messages
  • Ensure no proxy/firewall is terminating idle connections
  • The gateway only exposes explicitly configured targets
  • All traffic is encrypted via TLS (WebSocket Secure)
  • The gateway initiates outbound connections only (no inbound ports needed)
  • API keys should be kept secure and rotated periodically
  • Consider running the gateway with minimal privileges
  • In AWS, use IAM roles and security groups to restrict gateway access