earonesty/edge-tls-ws-bridge

★ 0RustAudience · ops devopsComplexity · 4/5ActiveLicenseSetup · moderate

Mindmap

mindmap
  root((edge-tls-ws-bridge))
    Inputs
      TCP clients
      TLS certificates
      Env vars
    Outputs
      WebSocket frames
      bridge_hello message
      start_tls upgrade
    Use Cases
      Run IMAP on Cloudflare Workers
      Bridge SMTP to edge runtime
      Expose legacy TCP service over HTTP
    Tech Stack
      Rust
      WebSocket
      TLS
      Docker

mindmap root((edge-tls-ws-bridge)) Inputs TCP clients TLS certificates Env vars Outputs WebSocket frames bridge_hello message start_tls upgrade Use Cases Run IMAP on Cloudflare Workers Bridge SMTP to edge runtime Expose legacy TCP service over HTTP Tech Stack Rust WebSocket TLS Docker

Things people build with this

USE CASE 1

Front a Cloudflare Worker so Apple Mail can connect to POP3S on port 995

USE CASE 2

Carry SMTP or IMAP traffic over a WebSocket into any HTTP-only edge runtime

USE CASE 3

Add STARTTLS upgrade support to a backend that only speaks WebSocket frames

USE CASE 4

Run a TLS-terminating TCP-to-WebSocket bridge under Docker or systemd

Tech stack

RustWebSocketTLSDocker

Getting it running

Difficulty · moderate Time to first run · 30min

You bring your own TLS cert and key files plus the backend WebSocket URL; the bridge does not issue certs and does not parse application protocols.

MIT, use, copy, modify, and ship for any purpose as long as the copyright notice stays.

In plain English

edge-tls-ws-bridge is a small networking program, written in Rust, that translates between two kinds of network connections. On one side it accepts ordinary TCP connections, with or without TLS encryption. On the other side it opens a WebSocket connection, which is a long lived link that runs over HTTP. Whatever bytes the TCP client sends get forwarded to the WebSocket, and bytes coming back from the WebSocket go to the TCP client. The README gives a concrete reason this is useful. Some hosting platforms, such as Cloudflare Workers, only let your code accept HTTP and WebSocket connections. But many existing programs, like email clients, expect to talk to a normal TCP socket using protocols such as POP3, IMAP, or SMTP. By running this bridge in front of a Cloudflare Worker, Apple Mail or Thunderbird can connect to port 995 with TLS, and the worker on the other end sees the raw bytes through a WebSocket. The bridge itself does not understand any application protocol. It just moves bytes. Configuration is done through environment variables. You set the backend WebSocket URL, the listen port, whether the listener is plain TCP or TLS, and paths to TLS certificate and key files if you are terminating TLS locally. There are also timeouts for the WebSocket handshake and idle connections, a heartbeat interval that sends WebSocket ping frames so the backend does not kill quiet sessions, and a buffer size cap. When a client connects, the bridge sends a small JSON control message called bridge_hello to the backend with the client IP, port, and TLS status, so the backend knows where the connection came from. There is also support for STARTTLS, where a plain text connection upgrades to TLS mid session. The backend, after handling the protocol level handshake itself, sends a start_tls JSON message and the bridge wraps the existing TCP stream in TLS. The README is explicit about what the bridge does not do: it does not parse any application protocol, does not handle HTTP, does not get TLS certificates for you, and does not share one WebSocket between many clients. Each TCP client gets its own backend WebSocket. The licence is MIT and the README includes Docker and systemd examples for running it in production.

Copy-paste prompts

Prompt 1

Configure earonesty/edge-tls-ws-bridge to listen on port 995 with TLS and forward to a Cloudflare Worker WebSocket URL

Prompt 2

Write a Cloudflare Worker that consumes the bridge_hello and start_tls JSON control messages from edge-tls-ws-bridge

Prompt 3

Add a Prometheus metrics endpoint to edge-tls-ws-bridge that exposes active client count and bytes forwarded

Prompt 4

Containerize edge-tls-ws-bridge with a distroless Rust image and a systemd unit for a Debian box

Open on GitHub → Explain another repo

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.