wisegate 0.7.1

A high-performance, secure reverse proxy with rate limiting and IP filtering
Documentation

πŸ›‘οΈ WiseGate

"You shall not pass!" - A wise guardian for your network gates.

An efficient, secure reverse proxy written in Rust with built-in rate limiting and IP filtering capabilities.

✨ Features

  • πŸš€ Efficient & Compact: ~2.5MB binary, statically compiled
  • πŸ“Š Rate Limiting: Per-IP sliding window algorithm
  • 🚫 IP Filtering: Block malicious IPs, validate proxy headers
  • βš”οΈ HTTP Method Filtering: Block specific methods (PUT, DELETE, etc.)
  • πŸ›‘οΈ URL Pattern Blocking: Block requests matching patterns (.php, .yaml, etc.)
  • 🌐 Real IP Extraction: RFC 7239 compliant header parsing
  • πŸ“ Structured Logging: Human-readable or JSON format
  • πŸ”„ Graceful Shutdown: Drain connections on SIGINT/SIGTERM
  • πŸ”’ Connection Limiting: Prevent resource exhaustion

πŸš€ Quick Start

# Install
cargo install wisegate

# Run (permissive mode)
wisegate --listen 8080 --forward 9000

# Run (strict mode with proxy validation)
export CC_REVERSE_PROXY_IPS="192.168.1.100,10.0.0.1"
wisegate -l 8080 -f 9000

βš™οΈ CLI Options

Option Short Default Description
--listen -l 8080 Port to listen on
--forward -f 9000 Port to forward to
--bind -b 0.0.0.0 Bind address
--verbose -v Debug logging
--quiet -q Errors only
--json-logs JSON log format

πŸ”§ Configuration

All configuration via environment variables:

Variable Default Description
CC_REVERSE_PROXY_IPS - Trusted proxy IPs (enables strict mode)
TRUSTED_PROXY_IPS_VAR - Alternative variable name for proxy IPs
BLOCKED_IPS - Blocked client IPs
BLOCKED_METHODS - Blocked HTTP methods (returns 405)
BLOCKED_PATTERNS - Blocked URL patterns (returns 404)
RATE_LIMIT_REQUESTS 100 Max requests per window
RATE_LIMIT_WINDOW_SECS 60 Window duration in seconds
PROXY_TIMEOUT_SECS 30 Upstream request timeout
MAX_BODY_SIZE_MB 100 Max body size (0 = unlimited)
MAX_CONNECTIONS 10000 Max concurrent connections (0 = unlimited)

πŸ“‹ Example Configuration

export CC_REVERSE_PROXY_IPS="192.168.1.100,10.0.0.1"
export BLOCKED_IPS="malicious.ip.here"
export BLOCKED_METHODS="PUT,DELETE,PATCH"
export BLOCKED_PATTERNS=".php,.yaml,wp-login"
export RATE_LIMIT_REQUESTS=100
export MAX_CONNECTIONS=5000

wisegate -l 8080 -f 9000

πŸ” Security Modes

Strict Mode (CC_REVERSE_PROXY_IPS set)

  • βœ… Validates x-forwarded-for and forwarded headers
  • βœ… Authenticates proxy IPs against allowlist
  • βœ… Full IP filtering and rate limiting
  • βœ… Injects X-Real-IP header

Permissive Mode (no proxy IPs)

  • βœ… Best-effort IP extraction from headers
  • βœ… Method and pattern filtering still active
  • βœ… Rate limiting when IP is available

πŸ” Request Flow

Client β†’ Load Balancer β†’ πŸ§™β€β™‚οΈ WiseGate β†’ Your Service
                              β”‚
                              β”œβ”€ πŸ”’ Check connection limit
                              β”œβ”€ πŸ” Validate proxy headers (strict)
                              β”œβ”€ βš”οΈ Check HTTP method
                              β”œβ”€ πŸ—ΊοΈ Check URL patterns
                              β”œβ”€ πŸ‘οΈ Extract client IP
                              β”œβ”€ 🚫 Check IP blocklist
                              β”œβ”€ ⏱️ Apply rate limiting
                              └─ πŸ“‹ Forward with X-Real-IP

πŸ“ Logging

# Human-readable (default)
wisegate -l 8080 -f 9000

# JSON format (for log aggregation)
wisegate -l 8080 -f 9000 --json-logs

# Debug level
wisegate -l 8080 -f 9000 -v

# Via RUST_LOG
RUST_LOG=debug wisegate -l 8080 -f 9000

πŸ› οΈ Development

cargo build              # Debug build
cargo build --release    # Release build
cargo test               # Run all tests
cargo clippy             # Linting
cargo doc --no-deps      # Generate docs

πŸ“ License

Apache License 2.0 - see LICENSE.

Made with ❀️ and ancient wisdom ⚑ for the Open Source Community

"All we have to decide is what to do with the traffic that is given to us."