Skip to main content
The superglue Secure Gateway enables connections from superglue Cloud to data sources that aren’t publicly accessible. Deploy a lightweight agent in your private environment, and it establishes a secure outbound connection to superglue - no inbound firewall rules required.

Use Cases

  • On-premises servers behind corporate firewalls
  • Cloud VPCs (AWS, Azure, GCP) without public endpoints
  • Kubernetes clusters with internal-only services
  • Development environments and localhost
  • Any system that only allows outbound connections
Common data sources:
  • Internal REST APIs
  • Databases (MySQL, PostgreSQL) in private subnets
  • Windows file shares (SMB) on corporate networks
  • SFTP servers behind firewalls

How It Works

The gateway agent runs in your private environment and establishes an outbound WebSocket connection to superglue Cloud. When a tool needs to access a private system, superglue routes the request through the gateway. Secure Gateway Architecture Key benefits:
  • No inbound firewall rules required
  • All traffic encrypted via TLS
  • Agent only exposes explicitly configured targets
  • Credentials stay in your environment

Installation

Download Pre-built Binary

First, check your system architecture: 
uname -m
Then download the appropriate binary: 
curl -L https://downloads.superglue.cloud/superglue-gateway-linux-x86_64 -o superglue-gateway && chmod +x superglue-gateway

Build from Source

If you prefer to build from source (requires Go 1.21+): 
git clone https://github.com/superglue-ai/superglue.git
cd superglue/tunnel-agent
go build -o superglue-gateway .

Configuration

Create a config.yaml file with your settings: 
tunnel_id: "acme-corp"
server_url: "wss://api.superglue.cloud/ws/tunnels"
api_key: "sg_your_api_key_here"

targets:
  internal_api: "http://192.168.1.10:8080"

Configuration Options

FieldDescriptionRequired
tunnel_idUnique identifier for this gateway connection. Appears in superglue dashboard.Yes
server_urlsuperglue WebSocket endpoint. Use wss://api.superglue.cloud/ws/tunnels for hosted.Yes
api_keyAPI key from your superglue dashboardYes
targetsMap of target names to addresses. Each target becomes selectable in the UI.Yes

Getting an API Key

  1. Log in to your superglue dashboard
  2. Go to Settings > API Keys
  3. Click Create API Key
  4. Copy the key and add it to your config.yaml

Running the Agent

Manual Start

./superglue-gateway -config /path/to/config.yaml

Run in Background

To run the agent in the background so it persists after closing your terminal: 
nohup ./superglue-gateway -config config.yaml > gateway.log 2>&1 &
Check if running: pgrep -a superglue-gateway. Check logs: tail -f gateway.log. Stop: pkill superglue-gateway.

Run as a systemd Service (Linux)

  1. Create a service file /etc/systemd/system/superglue-gateway.service:
[Unit]
Description=superglue Gateway Agent
After=network.target

[Service]
Type=simple
User=superglue
WorkingDirectory=/opt/superglue-gateway
ExecStart=/opt/superglue-gateway/superglue-gateway -config /opt/superglue-gateway/config.yaml
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
  1. Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable superglue-gateway
sudo systemctl start superglue-gateway
  1. Check status:
sudo systemctl status superglue-gateway
sudo journalctl -u superglue-gateway -f

Run in AWS (EC2 / ECS)

For AWS VPC access, deploy the agent on an EC2 instance or ECS task within the VPC: 
# Check your architecture first
uname -m  # x86_64 or aarch64

# Download the correct binary (x86_64 for most EC2, arm64 for Graviton)
curl -L https://downloads.superglue.cloud/superglue-gateway-linux-x86_64 -o superglue-gateway && chmod +x superglue-gateway

# Or for ARM/Graviton instances:
# curl -L https://downloads.superglue.cloud/superglue-gateway-linux-arm64 -o superglue-gateway && chmod +x superglue-gateway

./superglue-gateway -config config.yaml
The agent only needs outbound HTTPS (port 443) access to api.superglue.cloud.

Set up your Private System in Superglue Dashboard

Once your gateway agent is running and connected:
  1. Go to Systems in your superglue dashboard
  2. Click Add System and select Private System
  3. Select your connected gateway from the list
  4. Choose the target endpoint you want to use
  5. Configure authentication (API keys, etc.) if needed
  6. Add documentation for the system
  7. Save the system
If no gateways appear in the list, verify that:
  • The gateway agent is running and connected
  • The API key is valid
  • The tunnel_id matches what you expect

Troubleshooting

Gateway won’t connect

  • Verify your API key is correct
  • Check that outbound WebSocket connections (port 443) are allowed
  • Ensure the server_url is correct for your superglue instance

Target connection fails

  • Verify the target address is reachable from the gateway host
  • Check firewall rules / security groups between the gateway and target
  • Test connectivity: nc -zv <target-host> <port>

Connection drops frequently

  • Check network stability between gateway and superglue cloud
  • Review gateway logs for specific error messages
  • Ensure no proxy/firewall is terminating idle connections

Security Considerations

  • The gateway only exposes explicitly configured targets
  • All traffic is encrypted via TLS (WebSocket Secure)
  • The gateway initiates outbound connections only (no inbound ports needed)
  • API keys should be kept secure and rotated periodically
  • Consider running the gateway with minimal privileges
  • In AWS, use IAM roles and security groups to restrict gateway access