Piko: An Open-Source Ngrok Alternative for Production Traffic and Kubernetes

Introduction

Piko is an open-source reverse proxy that offers a secure way to connect to services that are not publicly publicly routable, a technique known as tunneling. Designed as an alternative to Ngrok, Piko focuses on serving production traffic and simplifying hosting, especially on Kubernetes. It enables your upstream services to open outbound-only connections (tunnels) to the Piko server, which then forwards incoming traffic to your services via these established connections.

Piko's core design goals include being built for production traffic, running as a cluster of nodes for fault tolerance, horizontal scaling, and zero-downtime deployments. It is also engineered for simple hosting behind an HTTP(S) load balancer on Kubernetes, making it a robust solution for exposing services in customer networks, BYOC environments, or connecting to user devices.

Installation

To get started with Piko, please refer to the official Getting Started guide in the project's Wiki. This guide provides detailed instructions on how to set up and run Piko.

Examples

Piko allows upstream services to listen for traffic on specific endpoints. It manages routing incoming connections and requests to an upstream service listening on the target endpoint, load balancing requests if multiple upstreams are available. No static configuration is required, as upstreams can listen on any endpoint they choose.

You can open an upstream listener using the Piko agent, which supports both HTTP and TCP upstreams. For example, to listen on endpoint my-endpoint and forward traffic to localhost:3000:

# HTTP listener.
$ piko agent http my-endpoint 3000

# TCP listener.
$ piko agent tcp my-endpoint 3000

The Go SDK also allows you to listen directly from your application using a standard net.Listener.

HTTP(S) Proxying

Piko acts as a transparent HTTP(S) reverse proxy. Incoming HTTP(S) requests identify the target endpoint using either the Host header or the x-piko-endpoint header. If Piko is hosted with a wildcard domain like *.piko.example.com, a request to foo.piko.example.com will be routed to an upstream listening on endpoint foo. Alternatively, you can use the x-piko-endpoint header, for instance, x-piko-endpoint: foo, if Piko is hosted at a fixed domain like piko.example.com.

TCP Proxying

Piko supports proxying TCP traffic. For TCP, you typically use either Piko forward or the Go SDK to map a local TCP port to the target endpoint. Piko forward listens on a local TCP port and forwards connections to the configured upstream endpoint via the Piko server.

For example, to listen on port 3000 and forward connections to endpoint my-endpoint:

piko forward 3000 my-endpoint

Unlike HTTP, raw TCP connections do not inherently identify the target endpoint, necessitating the use of Piko forward or the Go SDK to establish the connection to the correct endpoint.

Why Use Piko?

Piko stands out as a powerful open-source solution for secure tunneling and reverse proxying, offering a compelling alternative to services like Ngrok. Its key advantages include:

Production Readiness: Built to handle production traffic, Piko servers can run as a cluster of nodes, providing fault tolerance, horizontal scaling, and support for zero-downtime deployments. It includes observability features like a Prometheus endpoint, access logging, and a status API.
Simple Kubernetes Hosting: Piko is designed for easy deployment on Kubernetes, supporting StatefulSets, gradual rollouts, and integration with HTTP load balancers or Kubernetes Gateways. This simplifies managing and scaling your tunneling infrastructure.
Flexible Tunneling: It allows services to run anywhere as long as they can open an outbound connection to the Piko server, eliminating the need for public routes to your upstream services.
Dynamic Endpoint Management: Upstreams can dynamically listen on any endpoint without static configuration, providing flexibility and ease of use.