fyntr 0.3.1

A minimal forward proxy to tame bursty outbound traffic
Documentation

GitHub License Release Version Crates.io Version

About

Fyntr (/ˈfɪn.tər/) is a minimal forward proxy that smooths bursts of outbound TLS traffic, stabilizing connections on constrained networks. No server-side changes required, no auth, no inspection.

Fyntr starts with a small memory profile right after startup (~1-2MB peak memory footprint on macOS via /usr/bin/time -l, and ~1MB private memory on Windows) and uses an actor-driven scheduler to relay traffic transparently, making bursty workloads more stable and reliable without terminating TLS.

Internals

  • Traffic shaping: Prevents burst congestion by interleaving packets via Deficit Round-Robin (DRR) scheduling.
  • Adaptive quantum tuning: Optimizes quantum size via packet size statistics to reduce latency spikes and improve throughput.
  • FD limit guard: Validates file descriptor limits against max connection settings.
  • DoS guardrails: Caps request line/header sizes and per-flow queue buffering to suppress memory growth.

Quick Start

  1. Install and run Fyntr:

    Install the crates.io release and run it locally (defaults to port 9999).

    cargo install fyntr
fyntr

    Or build from source:

    cargo run --release

    Override defaults via CLI flags or env vars:

    cargo run --release -- --port 8080 --max-connections 512

# Or use environment variables
FYNTR_PORT=8080 FYNTR_MAX_CONNECTIONS=512 cargo run --release

    By default, Fyntr caps concurrent connections at 1000 (set 0 for unlimited).

  2. Configure Your Environment:

    Export the following environment variables in a separate terminal.

    export HTTPS_PROXY=http://127.0.0.1:9999

    This configuration affects not only aws-cli but also various tools that use libcurl, including git, brew, wget, and more.

  3. Verify It Works:

    You can test the connection with a simple curl command.

    curl https://ifconfig.me

Library Usage

Requires actix-rt and anyhow in your application's dependencies. For logging, add env_logger (optional but recommended).

use fyntr::run;

#[actix_rt::main]
async fn main() -> anyhow::Result<()> {
    // Optional: enables logs via RUST_LOG (e.g., RUST_LOG=info).
    env_logger::init();

    let handle = run::server()
        .bind("127.0.0.1")
        .port(0) // 0 lets the OS pick an available port
        .max_connections(512)
        .background()
        .await?;

    println!("Fyntr listening on {}", handle.listen_addr());

    // ... run your app ...

    handle.shutdown().await?;
    Ok(())
}

CLI Options

Server

Option Env var Default Description
--bind <ADDR> FYNTR_BIND 127.0.0.1 Address/hostname to bind on (e.g. 127.0.0.1, ::1, localhost, 0.0.0.0). Supports both IPv4 and IPv6. Binding to non-loopback interfaces without auth can expose the proxy on the network.
--port <PORT> FYNTR_PORT 9999 Port to listen on (use 0 to auto-select an available port).
--max-connections <MAX_CONNECTIONS> FYNTR_MAX_CONNECTIONS 1000 Maximum number of concurrent connections allowed (set 0 for unlimited).

CONNECT Policy

Option Env var Default Description
--no-default-allow-port FYNTR_NO_DEFAULT_ALLOW_PORT false Disable implicit 443 allowance. Only explicitly configured --allow-port values are permitted.
--allow-port <PORT> FYNTR_ALLOW_PORT implicit 443 unless --no-default-allow-port Allowed destination port for CONNECT in the range 1-65535 (repeat flag or comma-separate to add more).
--deny-cidr <CIDR> FYNTR_DENY_CIDR Internal ranges CIDR ranges denied for CONNECT destination IPs (repeat flag or comma-separate).
--allow-cidr <CIDR> FYNTR_ALLOW_CIDR none CIDR exceptions that are allowed even if they match denied internal ranges.
--allow-domain <DOMAIN> FYNTR_ALLOW_DOMAIN none Domain/suffix allowlist for CONNECT targets. When a domain matches, addresses blocked by deny CIDRs are filtered out rather than causing the entire connection to fail. If all resolved addresses are blocked, the connection is denied.

Why Fyntr?

Cloud automation tools such as Terraform spawn bursts of TCP connections that rapidly open and close.

When many flows send data simultaneously, they can create short traffic spikes that overwhelm low-capacity routers, especially consumer NAT devices. This can cause CPU interrupts to be too high and make the network feel unresponsive.

Rather than relying on connection pooling, Fyntr regulates the traffic itself. Its scheduler uses DRR to distribute sending opportunities across active flows fairly, so packet bursts from many parallel flows get interleaved instead of letting them fire all at once.

This smoothing reduces CPU pressure on routers during connection storms. This effect is most critical when scheduling overhead, rather than bandwidth, is the primary bottleneck.

Limitations

In certain environments, upload throughput can be reduced due to DRR scheduling, depending on network conditions.

Usage with Terraform

Example: AWS Provider

# Set environment variables
export HTTPS_PROXY=http://127.0.0.1:9999

# Standard usage
terraform apply

# Or use aws-vault wrapper
aws-vault exec my-profile -- terraform apply