noxy 0.0.6

HTTP forward and reverse proxy with a pluggable tower middleware pipeline
Documentation

Noxy

The darkness your packets pass through.

An HTTP proxy with a pluggable middleware pipeline. Forward mode intercepts HTTPS via TLS MITM; reverse mode sits in front of a backend and forwards traffic directly. Built on top of tower, Noxy gives you full access to decoded HTTP requests and responses flowing through the proxy using standard tower Service and Layer abstractions -- including all existing tower-http middleware out of the box.

Features

  • Forward proxy -- CONNECT tunnel with TLS MITM, per-host certificate generation signed by a user-provided CA
  • Reverse proxy -- point Noxy at a fixed upstream and forward all incoming HTTP traffic directly -- no CONNECT, no CA, no client-side proxy configuration required
  • Multi-upstream routing -- route requests to different backends by path prefix, host, or custom predicates. Load balance across multiple backends with round-robin or random strategies.
  • Tower middleware pipeline -- plug in any tower Layer or Service to inspect and modify HTTP traffic. Works with tower-http layers (compression, tracing, CORS, etc.) and your own custom services. Use from_fn to create middleware from a simple async closure without boilerplate.
  • Built-in middleware -- traffic logging, header modification, URL rewriting, block list, latency injection, bandwidth throttling, fault injection, rate limiting, sliding window rate limiting, retry with exponential backoff and retry budget, circuit breaker, fixed responses, and TypeScript scripting
  • Redis backend -- optional Redis-backed state for rate limiting, sliding window, and circuit breaker middleware. Enables shared state across multiple proxy instances for horizontal scaling. Falls back to in-memory on Redis errors. (redis feature)
  • Conditional rules -- apply middleware only to requests matching a host, path, or HTTP method (supports glob patterns: *, **, ?, [a-z])
  • TOML config file -- configure the proxy and middleware rules declaratively
  • Upstream connection pooling -- reuses TLS connections to upstream servers across client tunnels. HTTP/2 connections are multiplexed; HTTP/1.1 connections are recycled from an idle pool.
  • HTTP/1.1 and HTTP/2 support (auto-negotiated via ALPN)
  • Streaming bodies -- middleware can process data as it arrives without buffering
  • Async I/O with Tokio and Hyper

Library Usage

Forward proxy (TLS MITM)

use std::time::Duration;
use noxy::Proxy;
use noxy::middleware::*;

let proxy = Proxy::builder()
    .ca_pem_files("ca-cert.pem", "ca-key.pem")?
    // Log all traffic with request/response bodies
    .http_layer(TrafficLogger::new().log_bodies(true))
    // Decode gzip/brotli/deflate/zstd response bodies
    .http_layer(ContentDecoder::new())
    // Add latency to every request
    .http_layer(LatencyInjector::fixed(Duration::from_millis(200)))
    // Limit bandwidth to 50 KB/s
    .http_layer(BandwidthThrottle::new(50 * 1024))
    // Global rate limit: 100 requests per second
    .http_layer(RateLimiter::global(100, Duration::from_secs(1)))
    // Per-host sliding window: 10 req/s per hostname
    .http_layer(SlidingWindow::per_host(10, Duration::from_secs(1)))
    // Retry 429/5xx responses up to 3 times with exponential backoff
    .http_layer(Retry::default().max_retries(3))
    // Trip circuit after 5 consecutive failures, recover in 30s
    .http_layer(CircuitBreaker::global(5, Duration::from_secs(30)))
    // Inject request/response headers
    .http_layer(
        ModifyHeaders::new()
            .set_request("x-proxy", "noxy")
            .remove_response("server"),
    )
    // Rewrite request paths
    .http_layer(UrlRewrite::path("/api/v1/{*rest}", "/v2/{rest}")?)
    // Block tracking domains
    .http_layer(BlockList::new().host("*.tracking.com")?)
    // 50% of requests to /flaky return 503
    .http_layer(FaultInjector::new().error_rate(0.5).when_path("/flaky"))
    // Glob pattern: add latency to all paths under /api/*/slow
    .http_layer(LatencyInjector::fixed(Duration::from_millis(500)).when_path_glob("/api/*/slow")?)
    // Return a fixed response for /health
    .http_layer(SetResponse::ok("ok").when_path("/health"))
    .build()?;

proxy.listen("127.0.0.1:8080").await?;

Reverse proxy

use noxy::Proxy;

let proxy = Proxy::builder()
    .reverse_proxy("http://localhost:3000")?
    .http_layer(my_tower_layer)
    .build()?;

proxy.listen("127.0.0.1:8080").await?;

Multi-upstream routing

use noxy::Proxy;
use noxy::middleware::Upstream;

let proxy = Proxy::builder()
    .reverse_proxy("http://default:3000")?
    // Route /api to a dedicated backend
    .route_prefix("/api", "http://api:8080")?
    // Load balance /static across two CDN nodes
    .route_prefix_balanced("/static", ["http://cdn1:9000", "http://cdn2:9000"])?
    // Custom predicate with full-flexibility API
    .route(
        |req| req.headers().contains_key("x-canary"),
        Upstream::new(["http://canary:8080"])?,
    )
    .build()?;

proxy.listen("127.0.0.1:8080").await?;

Any tower Layer<HttpService> works in both modes. The innermost service forwards requests to the upstream server; your layers wrap around it in an onion model and can inspect or modify requests before forwarding and responses after.

Custom middleware

Use http_middleware to create middleware from an async closure instead of implementing Layer + Service manually. The closure receives each request and a Next handle for forwarding it downstream:

use noxy::Proxy;

let proxy = Proxy::builder()
    .ca_pem_files("ca-cert.pem", "ca-key.pem")?
    .http_middleware(|mut req, next| async move {
        // Modify the request before forwarding
        req.headers_mut().insert("x-proxy", "noxy".parse().unwrap());

        // Forward to the next service (or upstream)
        let mut response = next.run(req).await?;

        // Modify the response before returning to the client
        response.headers_mut().insert("x-powered-by", "noxy".parse().unwrap());
        Ok(response)
    })
    .build()?;

proxy.listen("127.0.0.1:8080").await?;

Short-circuit without forwarding upstream by returning a response directly:

use noxy::Proxy;
use noxy::http::full_body;

let proxy = Proxy::builder()
    .reverse_proxy("http://localhost:3000")?
    .http_middleware(|req, _next| async move {
        if req.uri().path() == "/health" {
            return Ok(http::Response::new(full_body("ok")));
        }
        _next.run(req).await
    })
    .build()?;

For shared state across requests, capture an Arc in the closure:

use std::sync::{Arc, atomic::{AtomicU64, Ordering}};
use noxy::Proxy;

let counter = Arc::new(AtomicU64::new(0));
let c = counter.clone();

let proxy = Proxy::builder()
    .reverse_proxy("http://localhost:3000")?
    .http_middleware(move |req, next| {
        let c = c.clone();
        async move {
            c.fetch_add(1, Ordering::Relaxed);
            next.run(req).await
        }
    })
    .build()?;

The equivalent from_fn function works with http_layer for composability with Conditional and other layers:

use noxy::Proxy;
use noxy::middleware::from_fn;

let proxy = Proxy::builder()
    .ca_pem_files("ca-cert.pem", "ca-key.pem")?
    .http_layer(from_fn(|req, next| async move {
        next.run(req).await
    }))
    .build()?;

Installation

Pre-built binaries

Download a pre-built binary from the latest release:

Platform Architecture Download
Linux x86_64 noxy-x86_64-unknown-linux-gnu.tar.gz
Linux aarch64 noxy-aarch64-unknown-linux-gnu.tar.gz
macOS Apple Silicon noxy-aarch64-apple-darwin.tar.gz 
# Example: install on Linux x86_64
curl -L https://github.com/reu/noxy/releases/latest/download/noxy-x86_64-unknown-linux-gnu.tar.gz | tar xz
sudo mv noxy /usr/local/bin/

Cargo

cargo install noxy --features cli

Quick Start

Reverse proxy (simplest)

No certificates needed -- just point Noxy at a backend:

# Start noxy in front of a local service
noxy --upstream http://localhost:3000 --log

# Requests go directly to noxy, no proxy configuration needed
curl http://127.0.0.1:8080/api/users

Forward proxy (TLS MITM)

1. Generate a CA certificate

cargo run --features cli -- --generate

Or with OpenSSL:

openssl req -x509 -newkey rsa:2048 -keyout ca-key.pem -out ca-cert.pem -days 365 -nodes -subj "/CN=Noxy CA"

2. Run the proxy

cargo run --features cli

3. Make a request through the proxy

curl --proxy http://127.0.0.1:8080 --cacert ca-cert.pem https://example.com

Trusting the CA system-wide

Instead of passing --cacert every time, you can install ca-cert.pem into your OS or browser trust store. This lets any application use the proxy transparently.

Important: Only do this in development/testing environments. Remove the CA when you're done.

CLI

The CLI provides flags for common middleware without needing a config file.

Usage: noxy [OPTIONS]

Options:
      --config <CONFIG>        Path to TOML config file
      --cert <CERT>            Path to CA certificate PEM file [default: ca-cert.pem]
      --key <KEY>              Path to CA private key PEM file [default: ca-key.pem]
  -p, --port <PORT>            Port to listen on [default: 8080]
      --bind <BIND>            Bind address [default: 127.0.0.1]
      --generate               Generate a new CA cert+key pair and exit
      --upstream <URL>         Reverse proxy mode: forward all traffic to this upstream URL
      --tls-cert <PATH>        TLS cert for client-facing HTTPS (reverse proxy mode)
      --tls-key <PATH>         TLS key for client-facing HTTPS (reverse proxy mode)
      --log                    Enable traffic logging
      --log-bodies             Log request/response bodies (implies --log)
      --latency <LATENCY>      Add global latency (e.g., "200ms", "100ms..500ms")
      --bandwidth <BANDWIDTH>  Global bandwidth limit in bytes per second
      --rate-limit <RATE>              Global rate limit (e.g., "30/1s", "1500/60s"). Repeatable.
      --per-host-rate-limit <RATE>     Per-host rate limit (e.g., "10/1s"). Repeatable.
      --sliding-window <RATE>          Sliding window rate limit (e.g., "30/1s"). Repeatable.
      --per-host-sliding-window <RATE> Per-host sliding window (e.g., "10/1s"). Repeatable.
      --retry <N>                      Retry failed requests (429, 502, 503, 504) up to N times
      --retry-max-body <BYTES>         Max request body bytes captured for retry replay (default: 1048576)
      --retry-max-backoff <DURATION>   Max backoff delay for retry exponential backoff (default: 30s)
      --retry-budget <RATIO>           Max fraction of requests that can be retries (e.g., 0.2)
      --circuit-breaker <SPEC>         Circuit breaker (e.g., "5/30s" = trip after 5 failures, recover in 30s)
      --rewrite-path <SPEC>                Rewrite request path (e.g., "/old/{*rest}=/new/{rest}"). Repeatable.
      --rewrite-path-regex <SPEC>        Rewrite request path via regex (e.g., "/api/v\d+/(.*)=/latest/$1"). Repeatable.
      --block-host <PATTERN>             Block hosts matching a glob pattern. Repeatable.
      --block-path <PATTERN>             Block paths matching a glob pattern. Repeatable.
      --set-request-header <HEADER>     Set a request header (e.g., "x-proxy: noxy"). Repeatable.
      --remove-request-header <NAME>   Remove a request header. Repeatable.
      --set-response-header <HEADER>   Set a response header (e.g., "x-served-by: noxy"). Repeatable.
      --remove-response-header <NAME>  Remove a response header. Repeatable.
      --script <PATH>                  Path to a JS/TS middleware script (requires scripting feature)
      --script-max-body <BYTES>        Max bytes scripts may buffer for req/res body reads
      --redis-url <URL>                Redis URL for distributed middleware state (requires redis feature)
      --pool-max-idle <N>              Max idle connections per host (default: 8, 0 to disable)
      --pool-idle-timeout <DURATION>   Idle timeout for pooled connections (e.g., "90s")
      --accept-invalid-certs           Accept invalid upstream TLS certificates
  -h, --help                   Print help

# Log all traffic
noxy --log

# Log traffic including request/response bodies
noxy --log-bodies

# Add 200ms latency to every request
noxy --latency 200ms

# Add random latency between 100ms and 500ms
noxy --latency 100ms..500ms

# Limit bandwidth to 10 KB/s
noxy --bandwidth 10240

# Rate limit: 30 requests per second
noxy --rate-limit 30/1s

# Per-host rate limit: 10 requests per second per hostname
noxy --per-host-rate-limit 10/1s

# Multi-window rate limiting
noxy --rate-limit 30/1s --rate-limit 1500/60s

# Sliding window: hard-cap 30 requests per second
noxy --sliding-window 30/1s

# Per-host sliding window: 10 requests per second per hostname
noxy --per-host-sliding-window 10/1s

# Retry failed requests up to 3 times with exponential backoff
noxy --retry 3

# Circuit breaker: trip after 5 consecutive 5xx failures, recover after 30s
noxy --circuit-breaker 5/30s

# Rewrite request paths using matchit patterns
noxy --upstream http://localhost:3000 --rewrite-path "/api/v1/{*rest}=/v2/{rest}"

# Rewrite request paths using regex
noxy --upstream http://localhost:3000 --rewrite-path-regex "/api/v\d+/(.*)=/latest/$1"

# Block requests to tracking domains
noxy --block-host "*.tracking.com" --block-host "ads.example.com"

# Block requests to admin paths
noxy --block-path "/admin/*" --block-path "/debug/**"

# Add a request header to all proxied requests
noxy --set-request-header "x-proxy: noxy"

# Remove the Server response header
noxy --remove-response-header server

# Combine multiple flags
noxy --log --latency 200ms --bandwidth 10240

# Set upstream connection pool size per host (0 to disable)
noxy --pool-max-idle 16

# Set pool idle timeout
noxy --pool-idle-timeout 120s

# Accept invalid upstream certificates (e.g. self-signed)
noxy --accept-invalid-certs

# Custom port, bind address, and CA paths
noxy --port 9090 --bind 127.0.0.1 --cert my-ca.pem --key my-ca-key.pem

# Reverse proxy to a local backend
noxy --upstream http://localhost:3000 --log

# Reverse proxy to an HTTPS backend with rate limiting
noxy --upstream https://api.example.com --rate-limit 100/1s

# Reverse proxy with client-facing TLS
noxy --upstream http://localhost:3000 --tls-cert server.pem --tls-key server-key.pem

# Run a TypeScript middleware script (requires scripting feature)
noxy --upstream http://localhost:3000 --script middleware.ts

# Limit body bytes scripts may buffer when calling req.body()/res.body()
noxy --upstream http://localhost:3000 --script middleware.ts --script-max-body 262144

# Use Redis for distributed rate limiting across multiple proxy instances (requires redis feature)
noxy --upstream http://localhost:3000 --redis-url redis://localhost:6379 --rate-limit 100/1s

Config File

For conditional rules and more complex setups, use a TOML config file.

noxy --config proxy.toml

CLI flags override config file settings for global options (port, bind address, CA paths, etc.) and append additional unconditional rules.

Reverse proxy config

port = 8080
upstream = "http://localhost:3000"

# Optional: serve HTTPS to clients
# [tls]
# cert = "server.pem"
# key = "server-key.pem"

# Optional: use Redis for distributed middleware state (requires redis feature)
# [redis]
# url = "redis://localhost:6379"
# prefix = "noxy:"

[[rules]]
log = true

[[rules]]
rate_limit = { count = 100, window = "1s" }

Multi-upstream routing config

port = 8080
upstream = "http://default:3000"

# Route /api to a dedicated backend with rate limiting
[[rules]]
match = { path_prefix = "/api" }
upstream = "http://api:8080"
rate_limit = { count = 100, window = "1s" }

# Load balance /static across two CDN nodes
[[rules]]
match = { path_prefix = "/static" }
upstream = ["http://cdn1:9000", "http://cdn2:9000"]
balance = "round-robin"

# Random selection for /images
[[rules]]
match = { path_prefix = "/images" }
upstream = ["http://img1:9000", "http://img2:9000"]
balance = "random"

Forward proxy config

port = 8080

[ca]
cert = "ca-cert.pem"
key = "ca-key.pem"

# accept_invalid_upstream_certs = true
# pool_max_idle_per_host = 8
# pool_idle_timeout = "90s"

# Log all traffic
[[rules]]
log = true

# Log with request/response bodies
# [[rules]]
# log = { bodies = true }

# Add 200ms latency to API requests
[[rules]]
match = { path_prefix = "/api" }
latency = "200ms"

# Simulate slow downloads with random latency and bandwidth limit
[[rules]]
match = { path_prefix = "/downloads" }
latency = "50ms..200ms"
bandwidth = 10240

# Inject faults on a specific endpoint
[[rules]]
match = { path = "/flaky" }
fault = { error_rate = 0.5, abort_rate = 0.02 }

# Mock a health check endpoint
[[rules]]
match = { path = "/health" }
respond = { body = "ok" }

# Rate limit: 30 requests per second globally
[[rules]]
rate_limit = { count = 30, window = "1s" }

# Rate limit: 1500 requests per minute, per host, with burst of 100
[[rules]]
rate_limit = { count = 1500, window = "60s", burst = 100, per_host = true }

# Sliding window: hard-cap 10 requests per second (no burst, no smoothing)
[[rules]]
sliding_window = { count = 10, window = "1s" }

# Sliding window: per-host, 500 requests per minute
[[rules]]
sliding_window = { count = 500, window = "60s", per_host = true }

# Retry failed requests (429, 502, 503, 504) up to 3 times
[[rules]]
retry = { max_retries = 3, backoff = "1s", max_replay_body_bytes = 1048576 }

# Retry only 503s with custom statuses
[[rules]]
match = { path_prefix = "/api" }
retry = { max_retries = 5, backoff = "500ms", statuses = [503] }

# Retry with budget: at most 20% of requests can be retries (prevents retry storms)
[[rules]]
retry = { max_retries = 3, budget = 0.2, budget_window = "10s", budget_min_retries = 30 }

# Circuit breaker: trip after 5 consecutive 5xx failures, recover after 30s
[[rules]]
circuit_breaker = { threshold = 5, recovery = "30s" }

# Per-host circuit breaker with 2 half-open probes
[[rules]]
circuit_breaker = { threshold = 3, recovery = "10s", half_open_probes = 2, per_host = true }

# Circuit breaker with local cache to reduce Redis round-trips (Redis only)
[[rules]]
circuit_breaker = { threshold = 5, recovery = "30s", cache_ttl = "100ms" }

# Add a request header and strip a response header
[[rules]]
request_headers = { set = { "x-proxy" = "noxy" } }
response_headers = { remove = ["server"] }

# Add API version header to /api requests
[[rules]]
match = { path_prefix = "/api" }
request_headers = { set = { "x-api-version" = "2" } }

# Rewrite request paths using matchit patterns
[[rules]]
url_rewrite = { pattern = "/api/v1/{*rest}", replace = "/v2/{rest}" }

# Rewrite request paths using regex
[[rules]]
url_rewrite = { regex = "/api/v\\d+/(.*)", replace = "/latest/$1" }

# Block requests to tracking domains and admin paths
[[rules]]
block = { hosts = ["*.tracking.com", "ads.example.com"], paths = ["/admin/*"] }

# Block with custom status and body
[[rules]]
block = { hosts = ["internal.corp.com"], status = 404, body = "not found" }

# Run a TypeScript middleware script (requires scripting feature)
# [[rules]]
# script = { file = "middleware.ts" }

# Run a script with a shared V8 isolate across all connections
# [[rules]]
# match = { path_prefix = "/api" }
# script = { file = "api_middleware.ts", shared = true }

# Return 503 for all paths under /fail
[[rules]]
match = { path_prefix = "/fail" }
respond = { status = 503, body = "service unavailable" }

# Glob patterns in match conditions
# Match any subdomain of example.com
[[rules]]
match = { host = "*.example.com" }
latency = "100ms"

# Match any single-segment path under /api/
[[rules]]
match = { path = "/api/*/users" }
rate_limit = { count = 10, window = "1s" }

# Match all paths recursively under /static/
[[rules]]
match = { path = "/static/**" }
response_headers = { set = { "cache-control" = "public, max-age=86400" } }

# Match by HTTP method
[[rules]]
match = { methods = ["POST", "PUT", "DELETE"], path_prefix = "/api" }
rate_limit = { count = 10, window = "1s" }

Rules

Each rule has an optional match condition and one or more middleware configs. Rules without a match apply to all requests.

Field Description
name Stable identifier for Redis key scoping (e.g. "api-limiter"). When set, used instead of the rule's positional index so Redis state survives rule reordering. Must be unique and non-empty. Only relevant when [redis] is configured.
match { host = "*.example.com", path = "/api/*/users" }, { path_prefix = "/prefix" }, or { methods = ["GET", "POST"] }host and path support glob patterns (*, **, ?, [a-z]); methods filters by HTTP method (case-insensitive)
upstream "http://api:8080" or ["http://a:8080", "http://b:8080"] -- route matched requests to a different upstream
balance "round-robin" or "random" -- load balancing strategy for multi-upstream rules (default: round-robin)
url_rewrite { pattern = "/old/{*rest}", replace = "/new/{rest}" } or { regex = "/v\\d+/(.*)", replace = "/latest/$1" } -- rewrite request paths
block { hosts = ["*.tracking.com"], paths = ["/admin/*"] } -- optional status and body fields (default: 403 empty)
log true or { bodies = true }
latency "200ms", "1s", or "100ms..500ms" for random range
bandwidth Bytes per second throughput limit
fault { error_rate = 0.5, abort_rate = 0.02, error_status = 503 }
rate_limit { count = 30, window = "1s" } -- optional burst and per_host fields
sliding_window { count = 10, window = "1s" } -- hard-cap with no burst; optional per_host
retry { max_retries = 3, backoff = "1s" } -- retry on 429/502/503/504; optional statuses, max_replay_body_bytes, max_backoff, budget, budget_window, budget_min_retries
circuit_breaker { threshold = 5, recovery = "30s" } -- trips after consecutive 5xx failures; optional half_open_probes, per_host, and cache_ttl (Redis only, caches Closed/Open state locally)
request_headers { set = { "name" = "value" }, append = { "name" = "value" }, remove = ["name"] } -- modify request headers
response_headers { set = { "name" = "value" }, append = { "name" = "value" }, remove = ["name"] } -- modify response headers
respond { body = "ok", status = 200 } -- returns a fixed response without forwarding upstream
script { file = "middleware.ts" } -- optional shared = true and max_body_bytes = 1048576 (requires scripting feature)

Scripting Middleware

Write request/response manipulation logic in TypeScript or JavaScript. Scripts run in an embedded V8 engine via deno_core. Requires the scripting feature.

use noxy::Proxy;
use noxy::middleware::ScriptLayer;

let proxy = Proxy::builder()
    .ca_pem_files("ca-cert.pem", "ca-key.pem")?
    .http_layer(ScriptLayer::from_file("middleware.ts")?)
    .build();

The script exports a default async function that receives the request and a respond function to forward it upstream:

// middleware.ts
export default async function(req: Request, respond: Function) {
  // Add a header before forwarding
  req.headers.set("x-proxy", "noxy");

  // Forward to upstream
  const res = await respond(req);

  // Modify the response
  res.headers.set("x-intercepted", "true");

  return res;
}

Short-circuit responses without forwarding upstream:

export default async function(req: Request, respond: Function) {
  if (req.url === "/health") {
    return new Response("ok", { status: 200 });
  }
  return await respond(req);
}

Read request or response bodies (lazy -- only buffered if you call body()):

export default async function(req: Request, respond: Function) {
  const body = await req.body(); // Uint8Array
  console.log("Request size:", body.length);

  const res = await respond(req);
  const resBody = await res.body(); // Uint8Array

  return new Response(resBody, {
    status: res.status,
    headers: res.headers,
  });
}

By default, each connection gets its own V8 isolate, so global state in the script (like variables declared outside the handler) is scoped per connection. Use .shared() to reuse a single isolate across all connections:

// Per-connection (default) -- each connection gets a fresh isolate
ScriptLayer::from_file("middleware.ts")?

// Shared -- one isolate for all connections, global state is shared
ScriptLayer::from_file("middleware.ts")?.shared()

Limit script body buffering (applies to both req.body() and res.body()):

ScriptLayer::from_file("middleware.ts")?
    .max_body_bytes(256 * 1024)

Redis Backend

Stateful middleware (rate limiting, sliding window, circuit breaker) keeps state in-memory by default. For horizontal scaling across multiple proxy instances, enable the redis feature to share state via Redis.

cargo install noxy --features cli,redis

TOML config

[redis]
url = "redis://localhost:6379"
# prefix = "noxy:"    # optional key prefix (default: "noxy:")

[[rules]]
rate_limit = { count = 100, window = "1s" }

[[rules]]
circuit_breaker = { threshold = 5, recovery = "30s" }

When [redis] is configured, all rate_limit, sliding_window, and circuit_breaker rules automatically use Redis. If Redis becomes unreachable, each store transparently falls back to an in-memory store and logs a warning.

CLI

noxy --upstream http://localhost:3000 --redis-url redis://localhost:6379 --rate-limit 100/1s

Library API

use std::time::Duration;
use noxy::Proxy;
use noxy::middleware::{RedisConnection, RedisRateLimitStore, RateLimiter};

let conn = RedisConnection::open("redis://localhost:6379")?;
let store = RedisRateLimitStore::new(conn, 100.0, 100.0);  // rate=100/s, burst=100
let limiter = RateLimiter::with_store(store, |_| String::new());  // global key

let proxy = Proxy::builder()
    .reverse_proxy("http://localhost:3000")?
    .http_layer(limiter)
    .build()?;

All three stores follow the same pattern: RedisRateLimitStore, RedisSlidingWindowStore, and RedisCircuitBreakerStore each take a RedisConnection and embed an in-memory fallback internally.

How It Works

Noxy operates in two modes. Both feed traffic through the same tower middleware pipeline -- the difference is how connections are established.

Forward proxy (TLS MITM)

Normal HTTPS creates an encrypted tunnel between client and server -- nobody in the middle can read the traffic. Noxy breaks that tunnel into two separate TLS sessions and sits in between, with your middleware pipeline processing decoded HTTP traffic.

sequenceDiagram
    participant C as Client
    participant N as Noxy
    participant S as Server

    C->>N: CONNECT example.com:443
    N-->>C: 200 OK

    N->>S: TLS handshake (real cert verified)
    S-->>N: TLS established

    Note over N: Generate fake cert for<br/>example.com signed by CA

    C->>N: TLS handshake (fake cert)
    N-->>C: TLS established

    rect rgb(40, 40, 40)
        Note over C,S: TLS Session 1 ← Noxy → TLS Session 2

        C->>N: GET / HTTP/1.1
        Note over N: Tower middleware pipeline<br/>[Layer] → [Layer] → upstream
        N->>S: Forwarded request

        S-->>N: Response
        Note over N: upstream → [Layer] → [Layer]
        N-->>C: Modified response
    end

  1. HTTP CONNECT -- the client sends an unencrypted CONNECT example.com:443 request to the proxy. The proxy learns the target hostname from this plaintext request.

  2. Upstream TLS -- Noxy opens a real TLS connection to example.com, verifying the server's authentic certificate against Mozilla's root CAs.

  3. Fake certificate generation -- Noxy generates a TLS certificate for example.com signed by the user-provided CA, created on the fly per host.

  4. Client TLS -- Noxy performs a TLS handshake with the client using the fake certificate. The client accepts it because it trusts the CA.

  5. HTTP relay with middleware -- with both TLS sessions established, Hyper handles the HTTP connection on both sides. Each request from the client passes through your tower middleware pipeline before being forwarded upstream, and each response passes back through the pipeline before being sent to the client.

Reverse proxy

In reverse proxy mode, Noxy sits in front of a fixed upstream and forwards all incoming HTTP traffic directly. There is no CONNECT tunnel, no CA certificate, and no client-side proxy configuration -- clients talk to Noxy as if it were the real server.

sequenceDiagram
    participant C as Client
    participant N as Noxy
    participant S as Upstream (fixed)

    C->>N: GET /api/users HTTP/1.1
    Note over N: Tower middleware pipeline<br/>[Layer] → [Layer] → upstream
    N->>S: GET /api/users HTTP/1.1

    S-->>N: 200 OK
    Note over N: upstream → [Layer] → [Layer]
    N-->>C: 200 OK (modified)

  1. Direct HTTP -- the client sends a plain HTTP request to Noxy's address. No CONNECT, no proxy configuration, no certificate trust needed.

  2. Middleware pipeline -- the request passes through the tower middleware stack (rate limiting, logging, header injection, etc.), exactly the same pipeline used in forward mode.

  3. Upstream forwarding -- Noxy forwards the request to the configured upstream. The upstream can be HTTP or HTTPS -- Noxy handles TLS to the backend transparently.

  4. Response relay -- the upstream response passes back through the middleware stack and is returned to the client.

Optionally, Noxy can serve HTTPS to clients using a TLS certificate you provide (--tls-cert / --tls-key). This is independent of the upstream scheme -- you can terminate TLS at Noxy while forwarding to a plain HTTP backend, or chain TLS end-to-end.

sequenceDiagram
    participant C as Client
    participant N as Noxy (TLS)
    participant S as Upstream (HTTP)

    C->>N: TLS handshake (your cert)
    N-->>C: TLS established

    C->>N: GET /api/users HTTP/1.1
    Note over N: Middleware pipeline
    N->>S: GET /api/users HTTP/1.1 (plain)

    S-->>N: 200 OK
    N-->>C: 200 OK (over TLS)

Use cases

Sidecar proxy -- put Noxy in front of a microservice to add rate limiting, circuit breaking, retry, and logging without modifying the service itself:

noxy --upstream http://localhost:3000 \
     --rate-limit 100/1s \
     --circuit-breaker 5/30s \
     --retry 3 \
     --log

API gateway -- terminate TLS, route to multiple backends, and apply middleware:

noxy --upstream http://localhost:8080 \
     --tls-cert server.pem --tls-key server-key.pem \
     --set-request-header "x-forwarded-proto: https" \
     --remove-response-header server \
     --rate-limit 1000/60s

# Multi-backend gateway via config file
port = 443
bind = "127.0.0.1"
upstream = "http://web:3000"

[tls]
cert = "server.pem"
key = "server-key.pem"

[[rules]]
match = { path_prefix = "/api" }
upstream = "http://api:8080"
rate_limit = { count = 1000, window = "60s" }

[[rules]]
match = { path_prefix = "/static" }
upstream = ["http://cdn1:9000", "http://cdn2:9000"]
balance = "round-robin"

Testing and development -- inject faults, latency, or fixed responses in front of a real API to test client resilience:

# Simulate a flaky upstream
noxy --upstream https://api.example.com \
     --latency 200ms..800ms \
     --log-bodies

# Surgical fault injection via config file
port = 8080
upstream = "https://api.example.com"

[[rules]]
log = { bodies = true }

[[rules]]
match = { path = "/api/checkout" }
fault = { error_rate = 0.3, error_status = 503 }

[[rules]]
match = { path_prefix = "/api/search" }
latency = "500ms..2s"

[[rules]]
match = { path = "/api/health" }
respond = { body = '{"status": "ok"}' }

License

MIT