diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..0cd5098 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,156 @@ +# AGENTS.md + +Guidance for LLM agents (and humans) working on this project. + +## Project Overview + +A memory-safe reverse proxy built with Rust/axum that replaces vulnerable nginx +installations. Terminates TLS, routes requests by Host header to upstream +services, enforces rate limits, and injects proxy headers. See `README.md` and +`docs/architecture/` for full details. + +## Build & Run + +```bash +cargo build # debug build +cargo build --release # release build +cargo test # run all tests (unit + integration) +cargo test -- --nocapture # run tests with stdout visible +cargo clippy # lint +reverse-proxy --config config.toml # run (defaults to /etc/reverse-proxy/config.toml) +reverse-proxy --validate --config config.toml # validate config only +``` + +For a static binary with no libc dependency: + +```bash +cargo build --release --target x86_64-unknown-linux-musl +``` + +## Project Structure + +``` +src/ +├── main.rs # Entry point, server startup, listener binding +├── cli.rs # CLI parsing (clap), config loading, validation +├── lib.rs # Library root, module declarations +├── config/ +│ ├── static_config.rs # StaticConfig — immutable, requires restart +│ ├── dynamic_config.rs# DynamicConfig — hot-reloadable via ArcSwap +│ ├── validation.rs # Config validation rules (called at startup and reload) +│ └── test_fixtures.rs # Test config generation helpers +├── proxy/ +│ ├── handler.rs # Core reverse proxy handler (forward requests to upstream) +│ ├── headers.rs # Proxy header injection (X-Real-IP, X-Forwarded-For, etc.) +│ ├── body_limit.rs # Request body size limiting middleware +│ ├── error.rs # Error response types (502, 504, 429, etc.) +│ └── mod.rs # Router construction, client creation +├── tls/ +│ ├── acceptor.rs # TLS acceptor setup (manual + ACME) +│ ├── acme.rs # ACME certificate provisioning via rustls-acme +│ ├── config.rs # TLS ServerConfig construction, cipher suites +│ └── redirect.rs # HTTP → HTTPS 301 redirect listener +├── rate_limit/ +│ ├── mod.rs # Rate limiting middleware, eviction task +│ └── bucket.rs # Token bucket implementation (IPv4 /32, IPv6 /64) +├── admin/ +│ ├── socket.rs # Unix domain socket admin API (reload, status) +│ └── mod.rs +├── health.rs # Health check endpoint on localhost:9900 +├── logging/ +│ ├── mod.rs # Logging init (file + stdout, ANSI disabled) +│ └── format.rs # Structured log format (REQUEST, RATE_LIMIT, etc.) +├── server.rs # HTTPS listener serving with ALPN detection +├── shutdown.rs # Graceful shutdown (SIGTERM, SIGINT) + SIGHUP reload +└── utils.rs # Shared utilities +``` + +## Key Architecture Concepts + +- **StaticConfig vs DynamicConfig**: Static config (bind addresses, TLS, + ports) requires a restart. Dynamic config (sites, rate limits, body limits) + can be reloaded at runtime via SIGHUP or admin socket, using `ArcSwap` for + lock-free reads. +- **Multi-listener**: `[[listeners]]` in TOML — each listener has its own bind + address, TLS config, and site routing. Sites are collected into a global + routing table at runtime. +- **Edge proxy model**: The proxy is the edge — X-Forwarded-For is replaced + (not appended), X-Real-IP is set from the connection's remote address. +- **No `/health` on public listener**: Health checking is localhost:9900 only. + The main listener does not intercept any paths. +- **HTTP/2 client-facing only**: ALPN detects h2 vs http/1.1. Upstream + connections are always HTTP/1.1. +- **IPv6 rate limiting**: IPv6 addresses are normalized to /64 prefixes so + addresses within the same /64 share a token bucket. + +## Config Format + +TOML. See `docs/architecture/config.md` for full schema. Key validation rules: + +- `bind_addr` must be explicit (no `0.0.0.0`) unless `allow_wildcard_bind` is + enabled via config or `--allow-wildcard-bind` CLI flag (OR logic) +- Site `host` values must be unique across all listeners +- `upstream` must be in `host:port` format (e.g., `gitea:3000`, `127.0.0.1:3000`) +- ACME mode requires `acme_domains` (non-empty) and `acme_contact` (valid + `mailto:` URI) +- Manual mode requires `cert_path` and `key_path` pointing to readable files +- `rate_limit.requests_per_second` and `rate_limit.burst` must be > 0 +- `body.limit_bytes` must be > 0 +- `http_port` must be 0 (disabled) or 1–65535; `https_port` must be 1–65535 +- `health_check_port` must not conflict with any listener's http_port or + https_port on the same bind address + +## Testing + +Tests use `rcgen` for self-signed certificate generation and `reqwest` for +HTTP client requests. Integration tests are in `tests/integration_test.rs` +with helpers in `tests/helpers/`. + +```bash +cargo test # all tests +cargo test --test integration # integration tests only +cargo test --lib # unit tests only +``` + +## Code Style + +- No comments unless explicitly requested +- Error handling uses `anyhow` for application code and `thiserror` for + library error types +- Structured logging with `tracing` — always `with_ansi(false)` +- Config types implement `serde::Deserialize` for TOML parsing +- All network operations use `tokio` async runtime + +## Deployment Files + +`deploy/` contains production-ready deployment configs: + +- `Dockerfile` — multi-stage build (rust:alpine → alpine) +- `docker-compose.yml` — complete setup with Gitea example +- `reverse-proxy.service` — systemd unit file with security hardening +- `fail2ban/` — filter and jail config for rate limit log parsing + +See `deploy/README.md` for step-by-step setup instructions. + +## Common Modifications + +### Adding a new site + +Add a `[[listeners.sites]]` entry to config and reload: + +```bash +echo "reload" | socat - UNIX-CONNECT:/run/reverse-proxy/admin.sock +``` + +### Changing rate limits + +Update `[rate_limit]` in config and reload (no restart needed). + +### Changing bind address or TLS config + +These are in StaticConfig — require a full process restart. + +### Adding per-site timeouts + +Set `upstream_connect_timeout_secs` and `upstream_request_timeout_secs` on a +site definition. Defaults are 5s connect, 60s request. \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..bef0d02 --- /dev/null +++ b/LICENSE @@ -0,0 +1,219 @@ +Dual Licensing: MIT OR Apache-2.0 + +You may use this software under either of the following licenses: + +=== MIT License === + +MIT License + +Copyright (c) 2026 alkdev + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +=== Apache License, Version 2.0 === + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to the Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by the Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement You may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work on an "AS IS" + BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2026 alkdev + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..de037e1 --- /dev/null +++ b/README.md @@ -0,0 +1,414 @@ +# reverse-proxy + +A memory-safe reverse proxy built with Rust and axum, designed to replace +vulnerable nginx installations for TLS-terminated host-based routing. + +## Why + +nginx's C codebase has a long history of memory corruption vulnerabilities, and +the discovery rate is accelerating. CVE-2026-42945 ("NGINX Rift") is an +unauthenticated RCE via the `rewrite` module with a public PoC and active +exploitation — and 6 of 7 recent nginx CVEs are memory corruption bugs that +Rust eliminates by construction. + +This proxy targets a specific use case: TLS termination, host-based routing, +and request forwarding to upstream services. It is not a general-purpose web +server or load balancer. + +## Features + +- **TLS termination** — ACME (Let's Encrypt) with automatic provisioning and + renewal, or manual certificates +- **HTTP/2** — ALPN-based protocol detection on the client-facing side; upstream + connections use HTTP/1.1 +- **Multi-site routing** — host-based routing to multiple upstream services from + a single process +- **Multiple listeners** — dedicated-IP (one IP per domain) or shared-IP + (SAN certificate) deployment models +- **Rate limiting** — per-IP token bucket with fail2ban-compatible structured + logging (IPv6 rate limited per /64 prefix) +- **Proxy headers** — X-Real-IP, X-Forwarded-For (edge proxy model), X-Forwarded-Proto +- **Hot config reload** — SIGHUP or admin Unix domain socket with success/failure + feedback +- **Health check** — localhost-only endpoint on a separate port (default: 9900) +- **HTTP → HTTPS redirect** — per-listener redirect on port 80 +- **Graceful shutdown** — SIGTERM with in-flight request drain +- **systemd integration** — `Type=notify` with `sd_notify` +- **Container-ready** — Docker deployment with health check and fail2ban volume + mount +- **Restricted cipher suites** — ECDHE-AES-GCM for TLS 1.2, all TLS 1.3 suites + (matching nginx scope) + +## Quick Start + +### Build + +```bash +cargo build --release +``` + +Produces a static binary at `target/release/reverse-proxy`. For a fully static +binary (no libc dependency), build with the `x86_64-unknown-linux-musl` target. + +### Minimal Config + +Create `/etc/reverse-proxy/config.toml`: + +```toml +health_check_port = 9900 + +[logging] +level = "info" +format = "text" + +[rate_limit] +requests_per_second = 10 +burst = 20 + +[body] +limit_bytes = 104857600 + +[[listeners]] +bind_addr = "0.0.0.0" + +[listeners.tls] +mode = "acme" +acme_domains = ["example.com"] +acme_cache_dir = "/var/lib/reverse-proxy/acme-cache" +acme_directory = "staging" +acme_contact = "mailto:admin@example.com" + +[[listeners.sites]] +host = "example.com" +upstream = "127.0.0.1:8080" +``` + +> **Note:** `bind_addr = "0.0.0.0"` requires the `--allow-wildcard-bind` flag or +> `allow_wildcard_bind = true` in config. This is intentional — see +> [Explicit bind address](#explicit-bind-address). + +### Run + +```bash +reverse-proxy --config /etc/reverse-proxy/config.toml +``` + +Or with Docker (see [Deployment](#deployment)). + +### Validate Config + +```bash +reverse-proxy --config /etc/reverse-proxy/config.toml --validate +``` + +## Configuration + +Configuration uses TOML and is split into **static** (requires restart) and +**dynamic** (hot-reloadable) sections. + +### Static Config (requires restart) + +| Field | Default | Description | +|-------|---------|-------------| +| `listeners` | (required) | TLS listener definitions | +| `allow_wildcard_bind` | `false` | Allow `0.0.0.0` bind addresses | +| `health_check_port` | `9900` | Local health check port (`0` to disable) | +| `admin_socket_path` | `/run/reverse-proxy/admin.sock` | Admin Unix socket (empty string to disable) | +| `shutdown_timeout_secs` | `30` | Graceful shutdown timeout | +| `logging.level` | `"info"` | Log level | +| `logging.format` | `"text"` | Log format (`"text"` or `"json"`) | +| `logging.log_file_path` | (not set) | Path to log file for fail2ban | + +### Dynamic Config (hot-reloadable via SIGHUP or admin socket) + +| Field | Default | Description | +|-------|---------|-------------| +| `sites[].host` | (required) | Hostname to match | +| `sites[].upstream` | (required) | Upstream `host:port` address | +| `sites[].upstream_scheme` | `"http"` | Upstream protocol (`"http"` or `"https"`) | +| `sites[].upstream_connect_timeout_secs` | `5` | TCP connect timeout | +| `sites[].upstream_request_timeout_secs` | `60` | Full request timeout | +| `rate_limit.requests_per_second` | (required) | Per-IP request rate | +| `rate_limit.burst` | (required) | Burst capacity | +| `body.limit_bytes` | (required) | Max request body size | + +### TLS Modes + +**ACME** (automatic Let's Encrypt certificates): + +```toml +[[listeners]] +bind_addr = "203.0.113.10" + +[listeners.tls] +mode = "acme" +acme_domains = ["git.example.com", "example.com"] +acme_cache_dir = "/var/lib/reverse-proxy/acme-cache" +acme_directory = "production" +acme_contact = "mailto:admin@example.com" + +[[listeners.sites]] +host = "git.example.com" +upstream = "gitea:3000" + +[[listeners.sites]] +host = "example.com" +upstream = "app:8080" +``` + +**Manual** (bring your own certificates): + +```toml +[[listeners]] +bind_addr = "203.0.113.11" + +[listeners.tls] +mode = "manual" +cert_path = "/etc/ssl/example.com/fullchain.pem" +key_path = "/etc/ssl/example.com/privkey.pem" + +[[listeners.sites]] +host = "example.com" +upstream = "127.0.0.1:8080" +``` + +### Explicit Bind Address + +By default, `bind_addr` must be an explicit IP address. `0.0.0.0` is rejected +to prevent accidental exposure. For container deployments where the proxy binds +inside the container and Docker handles port publishing, enable wildcard binding +with either: + +- Config: `allow_wildcard_bind = true` +- CLI: `--allow-wildcard-bind` + +Either source enables it (OR logic, not AND). + +## Deployment + +### Docker + +```yaml +services: + reverse-proxy: + build: . + container_name: reverse-proxy + restart: unless-stopped + ports: + - "203.0.113.10:80:80" + - "203.0.113.10:443:443" + volumes: + - /etc/reverse-proxy/config.toml:/etc/reverse-proxy/config.toml:ro + - /var/lib/reverse-proxy/acme-cache:/var/lib/reverse-proxy/acme-cache + - /var/log/reverse-proxy:/var/log/reverse-proxy + - /run/reverse-proxy:/run/reverse-proxy + networks: + - proxy-net + healthcheck: + test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9900/health"] + interval: 30s + timeout: 5s + retries: 3 +``` + +Container config must set `allow_wildcard_bind = true` and bind to `0.0.0.0`. + +See [`deploy/docker-compose.yml`](deploy/docker-compose.yml) for a complete +example including Gitea and PostgreSQL. + +### systemd + +Install the binary and service file: + +```bash +cp target/release/reverse-proxy /usr/local/bin/ +cp deploy/reverse-proxy.service /etc/systemd/system/ +``` + +Create config at `/etc/reverse-proxy/config.toml`, then: + +```bash +systemctl enable --now reverse-proxy +``` + +See [`deploy/reverse-proxy.service`](deploy/reverse-proxy.service) for the +unit file with security hardening options. + +### fail2ban + +Install the filter and jail config: + +```bash +cp deploy/fail2ban/filter.d/reverse-proxy.conf /etc/fail2ban/filter.d/ +cp deploy/fail2ban/jail.d/reverse-proxy.conf /etc/fail2ban/jail.d/ +systemctl restart fail2ban +``` + +The filter matches `RATE_LIMIT` log lines from the proxy's structured log +output. The jail bans IPs after 10 rate-limited requests within 60 seconds +(adjust `maxretry` and `findtime` to taste). + +Rate-limited requests produce log lines like: + +``` +RATE_LIMIT client_ip=203.0.113.50 host=git.example.com path=/login status=429 +``` + +For Docker deployments, mount the log directory so fail2ban on the host can +read it: + +```yaml +volumes: + - /var/log/reverse-proxy:/var/log/reverse-proxy +``` + +Enable file logging in config: + +```toml +[logging] +log_file_path = "/var/log/reverse-proxy/access.log" +``` + +## Admin Socket + +The admin Unix domain socket supports two commands: + +```bash +# Reload config +echo "reload" | socat - UNIX-CONNECT:/run/reverse-proxy/admin.sock + +# Check status +echo "status" | socat - UNIX-CONNECT:/run/reverse-proxy/admin.sock +``` + +Responses are newline-terminated JSON: + +```json +{"status":"ok"} +{"status":"ok","uptime_secs":1234,"sites":2} +{"status":"error","message":"config validation failed: ..."} +``` + +Config can also be reloaded with `kill -SIGHUP $(pidof reverse-proxy)`, but +SIGHUP provides no feedback on success or failure. + +## Health Check + +```bash +curl http://127.0.0.1:9900/health +``` + +Returns `200 OK` with an empty body. Bound to localhost only — not exposed on +public ports. + +## Architecture + +``` + ┌────────────────────────────────────┐ + │ reverse-proxy (Rust/axum) │ +config.toml ──────► │ StaticConfig + DynamicConfig │ + │ (ArcSwap for hot-reload) │ + │ │ + │ ┌─ Listener 1 ─────────────────┐ │ + bind_addr:80 ───► │ │ HTTP → 301 redirect │ │ + │ └────────────────────────────────┘ │ + │ │ + bind_addr:443 ───► │ │ TLS listener (tokio-rustls) │ │ + │ │ ├─ ACME or Manual TLS config │ │ + │ │ └─ axum router (per-listener) │ │ + │ │ ├─ Host → global site lookup │ │ + │ │ ├─ Rate limiting, headers │ │ + │ │ └─ Proxy to upstream │ │ + │ └────────────────────────────────┘ │ + │ │ + │ /health → 200 OK (port 9900) │ + │ Admin socket (Unix domain) │ + └────────────────────────────────────┘ +``` + +For full architecture documentation, see [`docs/architecture/`](docs/architecture/). + +## Project Structure + +``` +src/ +├── main.rs # Entry point, server startup +├── cli.rs # CLI argument parsing +├── lib.rs # Library root +├── config/ +│ ├── static_config.rs # Immutable startup configuration +│ ├── dynamic_config.rs# Hot-reloadable runtime configuration +│ └── validation.rs # Config validation rules +├── proxy/ +│ ├── handler.rs # Core reverse proxy handler +│ ├── headers.rs # Proxy header injection +│ ├── body_limit.rs # Request body size limiting +│ └── error.rs # Error response types +├── tls/ +│ ├── acceptor.rs # TLS acceptor setup +│ ├── acme.rs # ACME certificate provisioning +│ ├── config.rs # TLS configuration +│ └── redirect.rs # HTTP → HTTPS redirect +├── rate_limit/ +│ ├── mod.rs # Rate limiting middleware +│ └── bucket.rs # Token bucket implementation +├── admin/ +│ ├── socket.rs # Unix domain socket admin API +│ └── mod.rs +├── health.rs # Health check endpoint +├── logging/ +│ ├── mod.rs # Logging initialization +│ └── format.rs # Structured log formatting +├── server.rs # HTTPS listener serving +├── shutdown.rs # Graceful shutdown handling +└── utils.rs # Shared utilities + +deploy/ +├── Dockerfile +├── docker-compose.yml +├── reverse-proxy.service +└── fail2ban/ + ├── filter.d/reverse-proxy.conf + └── jail.d/reverse-proxy.conf + +docs/ +├── architecture/ # Full architecture documentation +│ ├── overview.md +│ ├── proxy.md +│ ├── tls.md +│ ├── config.md +│ ├── operations.md +│ └── decisions/ # Architecture Decision Records (ADRs) +└── research/ + └── threat-landscape.md +``` + +## Why Rust + +6 of 7 recent nginx CVEs are memory corruption bugs (buffer overflows, +use-after-free, out-of-bounds reads) — the exact class of bugs Rust eliminates +by construction. Combined with rustls (pure Rust TLS, no OpenSSL dependency), +this proxy provides a fundamentally safer baseline than nginx. + +Rust does not eliminate logic bugs. Rate limiting, header injection prevention, +and access control still require careful implementation. But it eliminates the +entire category of vulnerabilities that make nginx's C codebase a persistent +attack surface. + +See [`docs/research/threat-landscape.md`](docs/research/threat-landscape.md) +for the full vulnerability analysis that motivated this project. + +## License + +Licensed under either of + +- Apache License, Version 2.0 + ([http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)) +- MIT License + ([http://opensource.org/licenses/MIT](http://opensource.org/licenses/MIT)) + +at your option. + +Unless you explicitly state otherwise, any contribution intentionally submitted +for inclusion in this project by you, as defined in the Apache-2.0 license, shall +be dual licensed as above, without any additional terms or conditions. \ No newline at end of file diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 0000000..f588941 --- /dev/null +++ b/deploy/README.md @@ -0,0 +1,305 @@ +# Deployment + +Step-by-step setup guides for running reverse-proxy. + +## Docker Deployment (Recommended) + +This is the easiest way to get started and provides container-level isolation +as a defense-in-depth measure. + +### 1. Build the image + +```bash +cd /path/to/reverse-proxy +docker build -t reverse-proxy . +``` + +### 2. Create directories on the host + +```bash +sudo mkdir -p /etc/reverse-proxy +sudo mkdir -p /var/lib/reverse-proxy/acme-cache +sudo mkdir -p /var/log/reverse-proxy +sudo mkdir -p /run/reverse-proxy +``` + +### 3. Create the config file + +Create `/etc/reverse-proxy/config.toml`. For a basic single-domain setup with +Let's Encrypt: + +```toml +allow_wildcard_bind = true +health_check_port = 9900 + +[logging] +level = "info" +format = "text" +log_file_path = "/var/log/reverse-proxy/access.log" + +[rate_limit] +requests_per_second = 10 +burst = 20 + +[body] +limit_bytes = 104857600 + +[[listeners]] +bind_addr = "0.0.0.0" +http_port = 80 +https_port = 443 + +[listeners.tls] +mode = "acme" +acme_domains = ["yourdomain.example.com"] +acme_cache_dir = "/var/lib/reverse-proxy/acme-cache" +acme_directory = "production" +acme_contact = "mailto:admin@yourdomain.example.com" + +[[listeners.sites]] +host = "yourdomain.example.com" +upstream = "your-backend:8080" +``` + +**Important:** Replace `yourdomain.example.com` with your actual domain and +`your-backend:8080` with your upstream service address. For initial testing, +use `acme_directory = "staging"` to avoid Let's Encrypt rate limits. + +### 4. Set up Docker Compose + +Copy and customize `docker-compose.yml`: + +```bash +cp deploy/docker-compose.yml /opt/reverse-proxy/docker-compose.yml +``` + +Edit the compose file to: +- Replace `203.0.113.10` with your server's public IP +- Update upstream service definitions to match your infrastructure +- Adjust the `DB_PASSWORD` environment variable (use Docker secrets or `.env` + file, never commit real passwords) + +### 5. Start the proxy + +```bash +cd /opt/reverse-proxy +docker compose up -d +``` + +### 6. Verify + +```bash +# Check container health +docker compose ps + +# Test health endpoint (from the host) +curl -s http://127.0.0.1:9900/health + +# Check logs +docker compose logs reverse-proxy + +# Test TLS +curl -v https://yourdomain.example.com/ +``` + +### 7. Set up fail2ban + +If you want automated IP banning for rate limit violations: + +```bash +sudo cp deploy/fail2ban/filter.d/reverse-proxy.conf /etc/fail2ban/filter.d/ +sudo cp deploy/fail2ban/jail.d/reverse-proxy.conf /etc/fail2ban/jail.d/ +sudo systemctl restart fail2ban +``` + +Verify fail2ban is watching the logs: + +```bash +sudo fail2ban-client status reverse-proxy +``` + +## Bare Metal / systemd Deployment + +For running directly on a host without Docker. + +### 1. Build + +```bash +cargo build --release +# For a fully static binary (no libc dependency): +# cargo build --release --target x86_64-unknown-linux-musl +``` + +### 2. Install + +```bash +sudo cp target/release/reverse-proxy /usr/local/bin/ +sudo cp deploy/reverse-proxy.service /etc/systemd/system/ +``` + +### 3. Create config and directories + +```bash +sudo mkdir -p /etc/reverse-proxy +sudo mkdir -p /var/lib/reverse-proxy/acme-cache +sudo mkdir -p /var/log/reverse-proxy +sudo mkdir -p /run/reverse-proxy +``` + +Create `/etc/reverse-proxy/config.toml` (see example configs in the main +README). With a bare metal deployment, use the server's actual IP as +`bind_addr` instead of `0.0.0.0`: + +```toml +# Single-domain bare metal example +health_check_port = 9900 + +[logging] +level = "info" +format = "text" +log_file_path = "/var/log/reverse-proxy/access.log" + +[rate_limit] +requests_per_second = 10 +burst = 20 + +[body] +limit_bytes = 104857600 + +[[listeners]] +bind_addr = "203.0.113.10" +http_port = 80 +https_port = 443 + +[listeners.tls] +mode = "acme" +acme_domains = ["yourdomain.example.com"] +acme_cache_dir = "/var/lib/reverse-proxy/acme-cache" +acme_directory = "production" +acme_contact = "mailto:admin@yourdomain.example.com" + +[[listeners.sites]] +host = "yourdomain.example.com" +upstream = "127.0.0.1:3000" +``` + +### 4. Start + +```bash +sudo systemctl daemon-reload +sudo systemctl enable --now reverse-proxy +``` + +### 5. Verify + +```bash +# Check service status +systemctl status reverse-proxy + +# Test health endpoint +curl -s http://127.0.0.1:9900/health + +# Check logs +journalctl -u reverse-proxy -f +``` + +### 6. Reload config + +```bash +# Via SIGHUP (no feedback) +sudo kill -SIGHUP $(pidof reverse-proxy) + +# Via admin socket (returns success/failure JSON) +echo "reload" | socat - UNIX-CONNECT:/run/reverse-proxy/admin.sock + +# Check status +echo "status" | socat - UNIX-CONNECT:/run/reverse-proxy/admin.sock +``` + +## Multi-Domain Setup + +### Shared IP with SAN certificate + +One IP, one listener, multiple domains on a single Let's Encrypt SAN certificate: + +```toml +[[listeners]] +bind_addr = "203.0.113.10" + +[listeners.tls] +mode = "acme" +acme_domains = ["git.example.com", "www.example.com"] +acme_cache_dir = "/var/lib/reverse-proxy/acme-cache" +acme_directory = "production" +acme_contact = "mailto:admin@example.com" + +[[listeners.sites]] +host = "git.example.com" +upstream = "127.0.0.1:3000" + +[[listeners.sites]] +host = "www.example.com" +upstream = "127.0.0.1:8080" +``` + +### Dedicated IP per domain + +Multiple listeners, each with its own IP and certificate: + +```toml +[[listeners]] +bind_addr = "203.0.113.10" + +[listeners.tls] +mode = "acme" +acme_domains = ["git.example.com"] +acme_cache_dir = "/var/lib/reverse-proxy/acme-cache-git" +acme_directory = "production" +acme_contact = "mailto:admin@example.com" + +[[listeners.sites]] +host = "git.example.com" +upstream = "127.0.0.1:3000" + +[[listeners]] +bind_addr = "203.0.113.11" + +[listeners.tls] +mode = "manual" +cert_path = "/etc/ssl/www.example.com/fullchain.pem" +key_path = "/etc/ssl/www.example.com/privkey.pem" + +[[listeners.sites]] +host = "www.example.com" +upstream = "127.0.0.1:8080" +``` + +## HTTPS Upstream + +If your upstream service uses TLS, set `upstream_scheme = "https"`: + +```toml +[[listeners.sites]] +host = "secure.example.com" +upstream = "10.0.0.5:8443" +upstream_scheme = "https" +``` + +The proxy validates upstream TLS certificates using the system's native +certificate store. + +## Security Notes + +- The proxy binds to explicit IP addresses by default. `0.0.0.0` is rejected + unless `--allow-wildcard-bind` or `allow_wildcard_bind = true` is set. + This prevents accidental exposure on unintended interfaces. +- The health check endpoint binds to `127.0.0.1` only and is never exposed on + public ports. +- The admin socket should be protected by file permissions. It defaults to + `/run/reverse-proxy/admin.sock`. +- Rate limiting is global per-IP (IPv4: /32, IPv6: /64) in the current + version. Per-site rate limits may be added later. +- All log output disables ANSI escape codes for fail2ban and container + compatibility. +- The `Server` header is stripped from upstream responses and not added by the + proxy, reducing server fingerprinting. \ No newline at end of file