Show HN: Malai – securely share local TCP services (database/SSH) with others

malai.sh

116 points by amitu 3 days ago

malai is a peer to peer network, and is a dead simple way to share your local development HTTP server, without setting up tunnels, dealing with firewalls, or relying on cloud services.

In malai 0.2.5, we have added TCP support, which means you can expose any TCP service to others using malai, without opening the TCP service related port to the Internet. With malai installed on both ends, any TCP service can be securely tunneled over it.

It can be used to secure your SSH service, or securely share your database server.

GitHub: https://github.com/kulfi-project/kulfi (star us!)

Would love feedback, questions, or ideas — thanks!

PS: We have also added `malai folder`, which lets you share (readonly) the content of a folder with others.

mdaniel 3 days ago

> In this case, you can visit kulfi://http-e9b1c82b43206c96173848ed0afad2fe633fdc8a02ba391a3d37, which is where the Talk App lives.

What is the DNS story for this platform? Or are you intending to be kind of like a replacement for Syncthing where each endpoint has to explicitly approve the other and thus discovery is left as an exercise to the reader?

Actually, even after further thought, I am still able to rename my peers in Syncthing, and unless one has to go to the dashboard for getting that Talk App link(? button?) all the time, it's been my experience that folks will always want aliases for ginormous hex strings

---

p.s. you have some broken images in your Journey docs

  • amitu 3 days ago

    Kulfi is a network (peer to peer) which supports http/https; even tcp can be sent over kulfi.

    Kulfi App is a web browser that talks kulfi protocol natively, so you can open kulfi://<id52> natively. malai is the server side part of this story, and can expose existing HTTP/TCP services over kulfi:// network.

    For DNS, here is my initial design/thought: https://github.com/kulfi-project/kulfi/discussions/55

    For access control, we are working on a "what-to-do" service, which is a bunch of HTTP/JSON APIs, that will be called by the malai (which runs on your server, or even as part of Django/Node/Golang once we wrap malai as a cffi library, and write corresponding Python/Node etc packages). You will be able to write the what-to-do in any framework you like, and we will maintain a general purpose open source what-to-do service.

hamburglar 2 days ago

This desperately needs a “how the hell does this work” page for either malai or kulfi (preferably both) because the vibe I’m getting is “it’s magic! Trust us and sign up for an account.”

  • amitu 17 hours ago

    We are using iroh, so you can start with https://www.iroh.computer/blog/iroh-dns, and check out their docs to understand how iroh itself works.

    The malai stuff is relatively not very interesting (we write some HTTP/TCP services/proxies that forward their calls over iroh connection, and write the other side to bridge back to HTTP/tcp). Code should help, or come to our discord: https://malai.sh/discord/ (currently it will say fastn, we are in the process of changing it to FifthTry server or something, we do not want to maintain multiple discord servers, and thinking of putting all FifthTry open source stuff on a single discord server).

  • p0w3n3d 2 days ago

    It's magic man-in-the-middle and we're the magicians here

    • hamburglar 2 days ago

      I’m always wary when there’s clearly some infrastructure required and it isn’t clear how it gets paid for. What’s the catch? What’s between my bridge listener and my target, and what’s their incentive to be there?

tkj922 a day ago

This is insane. I dug and the site led me to another site, which led me to another site, which is supposedly a video conferencing suite. All code is skeleton, e.g. how on earth is that supposed to work?

-- import: fastn

-- fastn.package: lets-talk-template.fifthtry.site

-- fastn.dependency: lets-talk.fifthtry.site provided-via: lets-talk-template.fifthtry.site/lets-talk

-- fastn.dependency: design-system.fifthtry.site provided-via: lets-talk-template.fifthtry.site/ds

-- fastn.dependency: lets-auth.fifthtry.site

-- fastn.app: Lets Auth App mount-point: /-/auth/ package: lets-auth.fifthtry.site

-- fastn.app: Lets Talk App mount-point: / package: lets-talk.fifthtry.site

  • amitu 17 hours ago

    Looks like you got sucked into the fastn world. It's an open source full stack web development programming language we have created: fastn.com. We are building some fastn powered full stack, reusable apps, that you can plug in any fastn powered website at https://github.com/fifthtry-community.

    The website, kulfi.app and malai.sh, and fastn.com itself, and FifthTry.com as well are all built using fastn.

    • tkj922 9 hours ago

      Yes indeed I got intrigued because this is borderline between scam and legit with indicators towards both. I will admit my mistake if proven wrong, but for the time being, I argue that this kulfi thing is a rip off of the iroh socket PoC/example that you seem to not fully understand how and why it works

immibis 3 days ago

Kulfi red flags:

Does the same thing as a bunch of other systems (e.g. Tor) without providing any comparison of what this one does better.

Docs pages are TODO, certainly don't explain how it works.

Website is "Copyright 2025 YourCompany, Inc."

Discord link goes to something called "fastn" with apparently no relation to Kulfi.

  • redleader55 2 days ago

    A few more:

    No explanation of how it works

    Comments in this thread reveal a bunch of obscure components that also don't have many details.

  • barbazoo 2 days ago

    Vibe coding tools need a post step to fix all the templating issues like wrong links, wrong names, etc.

  • amitu 3 days ago

    fastn is an ingredient to kulfi project. fastn.com is a full stack programming language we (FifthTry, Inc, the company behind these) have built, and it is the web server that is going to be part of Kulfi app.

    The comparison posts, TODO, copyright etc we will do/fix when we get around to it. It's all open source, you can send PRs as well.

    • tauoverpi 2 days ago

      How does fastn handle errors? Is it possible to perform the SQL query client side or does it prevent / add friction for such? Can I visit `/foo/";DROP%20TABLE%20users;/` or does it handle inputs properly?

    • immibis 2 days ago

      It sounds a lot like you're trying to reinvent things that already exist for the purpose of having them be your intellectual property, so you can convince everyone to use your thing instead of the free thing, and possibly rugpull them later. Embrace, extend, extinguish!

  • lxgr 2 days ago

    To be fair, assigning copyright to the reader is a good first step to build trust :)

OJFord 3 days ago

'hehe, malai, wonder if they know' -- 'oh, kulfi, ok they definitely know' -- just a fun quirky name, or an analogy I'm missing?

  • amitu 3 days ago

    malai: cream that forms on top of milk when it cools down, it's a flavor of kulfi. kulfi: a milk based ice cream / dessert. Nothing to do with networking etc, just a dessert I enjoyed since childhood :-)

    • sky_fan 3 days ago

      malai also means mountain in my mother tongue Tamil and I am named as malai.

    • srameshc 3 days ago

      Nice naming of your projects. It just caught my attention :).

    • OJFord 2 days ago

      Yep, just wondered if there was some analogy/joke like malai is the layer on top and kulfi is.. I don't know, the rod that connects A to B or something (that's nonsense, but that's why I was asking!)

      Anyway, project seems great and all, but I'll wait for pista. :)

      • amitu 17 hours ago

        Since it's built in Rust, we can call it rus(t)-malai also :-)

replwoacause a day ago

Malai website says it is created by FifthTry. On the FifthTry website it says you are backed by Y Combinator: https://www.ycombinator.com/companies/fifthtry

But it doesn’t seem to have anything to do with the current company? Are you a Notion-like editor still? Because the editor section of the site says “coming soon” even though your YC page says you were in the Winter 2021 batch. I guess I’m not really clear on any of this and how it relates to Malai.

  • amitu 17 hours ago

    So let's see, I am Amit Upadhyay, I am the (solo) founder and CEO of FifthTry, which is a YC W21 company (we also have some other seed investment). We started with a documentation tool, the Notion like you mentioned, caveat: it was not WYSIWYG, it was always based on a "language". The language was initially called ftd (FifthTry Document), and eventually fastn.com. fastn started as markdown++, but became a full stack web development language. We moved from being just a documentation tool to general purpose website building tool. FifthTry.com is now a hosting solution for fastn powered websites and webapps.

    fastn is done in Rust, and has a relatively small footprint. It is a language, compiler, package manager, web server, wasm runner, all in one, and technically can run on say a mobile device, on an "Amazon Fire Stick" like mini TV module, your webcam and so on. fastn is probably the only web server you can run on those devices (not yet tested, but it should be).

    The issue is those web servers do not have public IPs (nor should they, as that can expose them to security risks), so we are building a peer to peer network, an identity based network, so you do not have to have accessible IP/port to access the web service.

    The network we are calling Kulfi net, and malai is a network toolkit for kulfi net, it exposes various services (TCP/HTTP) over kulfi net.

    Kulfi itself is going to be a browser, that can talk kulfi protocol natively (as currently we need a "http bridge", eg kulfi.site that we are running, or you can install malai and run on your server).

    Kulfi "browser", will also come with fastn built in, so you can run a web server on your phone and someone else can access that web server from another phone, talking http over kulfi protocol, and we can get near ideal networking solution (no intermediary, no need for public IP, etc).

    Does this make sense?

    • replwoacause 16 hours ago

      Yes it does, thanks for explaining.

      • tkj922 8 hours ago

        I think I see what you did there in your comment, but it needs testing

nokun7 2 days ago

I use ngrok for exactly this type of functionality. Can someone clarify why would anyone need malai over ngrok?

snihalani 2 days ago

what problem does this solve over ngrok/tailserve?

  • amitu 17 hours ago

    It's open source. Or not depending on any company[1]. The overall malai/kulfi project is quite different than these projects, malai itself can be compared with these two maybe.

    [1]: we are built on top of https://www.iroh.computer so their caveats apply, and while we do run a http-over-kulfi over http-over-tcp bridge, you do not have to use it, you can run your own, and soon when kulfi browser is ready, you will not need the bridge. Check out this work in progress kulfi browser: https://www.youtube.com/watch?v=qw_GmbtxCHw

    • tkj922 8 hours ago

      Given that I just clicked a link on HN leading to a YT video that has 3 views somehow tells me, that I reached the end of Internet and should revert to watching cats. But I wish you all the best, really

ryao 2 days ago

> It can be used to secure your SSH service, or securely share your database server.

SSH is one of the most secure network daemons ever devised. This is not to say that there is never any need to harden SSH, but given that people usually secure services behind SSH, I find the words “secure your SSH service” strange.

That said, I am no stranger to bastion/jump hosts, but those usually involve accessing one ssh host through another ssh host.

  • amitu 17 hours ago

    You are on the right track, this is a bastion-like setup, but without needing another ssh host. This is one layer on top of SSH, so all SSH security applies for ssh over kulfi, but you get extra benefits like not having to expose SSH port to public, or not having guessable identifier (the IP address).
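
Added example, not part of the thread and not malai's own code: the benefit described above only holds if the tunneled service itself stops listening on public interfaces, so this check parses `ss -Htln` output and reports listeners for a port that are bound to anything other than loopback. The `ss` lines are constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ss -Htln` output (no header; field 4 = local addr:port).
# sshd is on all interfaces, PostgreSQL is on loopback only.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 244  127.0.0.1:5432   0.0.0.0:*
LISTEN 0 244  [::1]:5432       [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Print every listener on port $1 that is reachable from off-host.
# Reads `ss -Htln` output on stdin; prints nothing if all binds are loopback.
exposed_listeners() {
    awk -v port="$1" '
    {
        la = $4
        n = split(la, parts, ":")
        if (parts[n] != port) next            # different port
        addr = substr(la, 1, length(la) - length(parts[n]) - 1)
        sub(/%.*$/, "", addr)                 # drop scope, e.g. 127.0.0.53%lo
        gsub(/^\[|\]$/, "", addr)             # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print la                              # wildcard or routable bind
    }'
}

# Report per port; on a real host replace `sample_ss` with `ss -Htln`.
for p in 22 5432; do
    hits=$(sample_ss | exposed_listeners "$p")
    if [ -n "$hits" ]; then
        echo "port $p: still exposed on: $(echo $hits)"
    else
        echo "port $p: loopback only"
    fi
done
```

For sshd, the bind address is set with the `ListenAddress` directive in `sshd_config` (for example `ListenAddress 127.0.0.1`); re-run the check after reloading the daemon.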

candiddevmike 3 days ago

I read the readme and I don't quite understand the relationship between malai and kulfi, or what the "total cost" (what I need to know, what I need to install) of the stack is here.

  • amitu 3 days ago

    Kulfi is the official name of the project, and the name of the "peer to peer internet" "id52/identity based internet", so kulfi net.

    Kulfi App is going to be a browser like Google Chrome, available on various app stores, and it will speak both http over tcp and http over kulfi. Kulfi app acts like a client (but is also a server, so on your iPhone tomorrow you can install Kulfi, which will let you access any http over kulfi site, and also will run a web server which is exposed over kulfi net for others to access, so my Android phone's Kulfi browser can connect with your iPhone's Kulfi's web server, with no intermediary [1]).

    malai is ready now, and it is a Swiss army knife toolkit for working with kulfi net. Currently malai can expose a HTTP or TCP service over kulfi net.

    Malai also has a "http bridge" feature, which bridges any malai exposed http over kulfi service with the http over tcp, so people can use regular browsers to access malai exposed HTTP services.

    [1]: we are using https://www.iroh.computer/blog/iroh-dns, so their caveats apply.

    • lxgr 2 days ago

      What's id52?

      I feel like I'm missing a lot of context to understand what's being shared here.

qudat 3 days ago

Very cool! This is similar to a service we manage at https://tuns.sh that runs entirely as an SSH server.

We love to see new ideas in this space since we think tunnels are great for prototyping and app development.

thenthenthen 3 days ago

Sorry, noob here: Can this traverse managed NAT and deep packet inspection?

  • amitu 3 days ago

    We are using iroh[1] internally, so the question is does iroh support these things? The quickest way to answer this would be to test it. Can you help me with what kind of setup would be needed for me to test this?

    [1]: https://www.iroh.computer

    • throwaway314155 2 days ago

      Did you vibe code this or something? How could you not know...?

    • CGamesPlay 2 days ago

      Yes, Iroh supports this through a variety of hole-punching means as well as via public relay servers.

    • lxgr 2 days ago

      Sorry, but basic NAT traversal is an essential feature for any P2P network launched in at least the last 20 years, and as such doesn’t seem like something you can just leave to lower layers or even ask your prospective users to figure out themselves.

nilinswap 2 days ago

This is pretty awesome.

jarsj 3 days ago

Awesome would love to use it.

devrandoom 2 days ago

Feedback: This crowd likes technical docs. These docs are nothing like that, and raise more questions than they answer.

apitman 2 days ago

I maintain a list of tunneling solutions here: https://github.com/anderspitman/awesome-tunneling

Usually my first question is what makes this different than the many existing options. Looks like the answer in this case is that it's p2p and built on iroh (which is built on QUIC), which I find interesting. Would love a PR on the list.

thm 3 days ago

Don't we use Tailscale for this?

  • amitu 3 days ago

    Unlike tailscale/ngrok, malai is completely open source, does not rely on any company provided infrastructure (we have a http bridge to bridge http/tcp with http/kulfi at *.kulfi.site, but you can run your own http bridge), and once Kulfi app is ready, you will not need the bridge at all and Kulfi app (which is also basically a browser that speaks http(s) over kulfi along with http(s) over tcp) can talk kulfi protocol directly.

    • aidenn0 3 days ago

      Iroh requires relay servers; so wouldn't Malai need those?

      • amitu 3 days ago

        Yes, we are currently using iroh provided relay servers. malai will soon connect with any relay server, so in future you can use ones provided by us, or run your own.

  • hoistbypetard 3 days ago

    Among other clear differences, it looks like tailscale requires you to sign in with some cloud provider and Malai does not.

    I use and like tailscale for similar purposes, but I can see why some people might prefer to skip that aspect, especially.