# WiseGate
*"You shall not pass!"* - A wise guardian for your network gates.
An efficient, secure reverse proxy written in Rust with built-in rate limiting and IP filtering capabilities.
## Features
- **Efficient & Compact**: ~2.5MB binary, statically compiled
- **Rate Limiting**: Per-IP sliding window algorithm
- **IP Filtering**: Block malicious IPs, validate proxy headers
- **HTTP Method Filtering**: Block specific methods (PUT, DELETE, etc.)
- **URL Pattern Blocking**: Block requests matching patterns (.php, .yaml, etc.)
- **Real IP Extraction**: RFC 7239 compliant header parsing
- **Structured Logging**: Human-readable or JSON format
- **Graceful Shutdown**: Drain connections on SIGINT/SIGTERM
- **Connection Limiting**: Prevent resource exhaustion
## Quick Start
```bash
# Install
cargo install wisegate
# Run (permissive mode)
wisegate --listen 8080 --forward 9000
# Run (strict mode with proxy validation)
export CC_REVERSE_PROXY_IPS="192.168.1.100,10.0.0.1"
wisegate -l 8080 -f 9000
```
## CLI Options

| Option | Short | Default | Description |
|--------|-------|---------|-------------|
| `--listen` | `-l` | `8080` | Port to listen on |
| `--forward` | `-f` | `9000` | Port to forward to |
| `--bind` | `-b` | `0.0.0.0` | Bind address |
| `--verbose` | `-v` | | Debug logging |
| `--quiet` | `-q` | | Errors only |
| `--json-logs` | | | JSON log format |
## Configuration
All configuration is via environment variables:

| Variable | Default | Description |
|----------|---------|-------------|
| `CC_REVERSE_PROXY_IPS` | - | Trusted proxy IPs (enables strict mode) |
| `TRUSTED_PROXY_IPS_VAR` | - | Alternative variable name for proxy IPs |
| `BLOCKED_IPS` | - | Blocked client IPs |
| `BLOCKED_METHODS` | - | Blocked HTTP methods (returns 405) |
| `BLOCKED_PATTERNS` | - | Blocked URL patterns (returns 404) |
| `RATE_LIMIT_REQUESTS` | `100` | Max requests per window |
| `RATE_LIMIT_WINDOW_SECS` | `60` | Window duration in seconds |
| `PROXY_TIMEOUT_SECS` | `30` | Upstream request timeout |
| `MAX_BODY_SIZE_MB` | `100` | Max body size (0 = unlimited) |
| `MAX_CONNECTIONS` | `10000` | Max concurrent connections (0 = unlimited) |
### Example Configuration
```bash
export CC_REVERSE_PROXY_IPS="192.168.1.100,10.0.0.1"
export BLOCKED_IPS="malicious.ip.here"
export BLOCKED_METHODS="PUT,DELETE,PATCH"
export BLOCKED_PATTERNS=".php,.yaml,wp-login"
export RATE_LIMIT_REQUESTS=100
export MAX_CONNECTIONS=5000
wisegate -l 8080 -f 9000
```
## Security Modes
### Strict Mode (CC_REVERSE_PROXY_IPS set)
- Validates `x-forwarded-for` and `forwarded` headers
- Authenticates proxy IPs against allowlist
- Full IP filtering and rate limiting
- Injects `X-Real-IP` header
### Permissive Mode (no proxy IPs)
- Best-effort IP extraction from headers
- Method and pattern filtering still active
- Rate limiting when IP is available
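The two modes above differ in one decision: whether the forwarded headers may be believed at all. The following is an added illustration of that decision, not WiseGate's own code; it assumes a `client_ip` function that takes the immediate peer address, the request headers and the trusted-proxy list (empty list = permissive mode), and it parses only the `for=` parameter of RFC 7239 `Forwarded` plus the first entry of `X-Forwarded-For`.

```rust
use std::net::IpAddr;

/// Outcome of inspecting one inbound request's proxy headers (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// Strict mode: the peer is not a trusted proxy, so its headers are untrusted.
    Reject,
    /// Address to use for blocklist / rate-limit checks, if one could be determined.
    Client(Option<IpAddr>),
}

/// Parse the first `for=` parameter of an RFC 7239 `Forwarded` header value.
/// Accepts `for=192.0.2.1`, `for="192.0.2.1:4711"` and `for="[2001:db8::1]:4711"`.
fn forwarded_for(value: &str) -> Option<IpAddr> {
    value
        .split(';')
        .flat_map(|part| part.split(','))
        .map(str::trim)
        .find_map(|p| p.strip_prefix("for="))
        .map(|v| v.trim_matches('"'))
        .and_then(|v| {
            // Bracketed IPv6 literal, otherwise strip an optional :port.
            let host = match v.strip_prefix('[') {
                Some(rest) => rest.split(']').next().unwrap_or(""),
                None => v.split(':').next().unwrap_or(""),
            };
            host.parse().ok()
        })
}

/// Decide which address to treat as the client for a request arriving from `peer`.
/// `trusted` empty = permissive mode (best effort); non-empty = strict mode.
pub fn client_ip(peer: IpAddr, headers: &[(&str, &str)], trusted: &[IpAddr]) -> Verdict {
    // Strict mode: headers are only meaningful if an allowlisted proxy set them.
    if !trusted.is_empty() && !trusted.contains(&peer) {
        return Verdict::Reject;
    }
    let header = |name: &str| {
        headers
            .iter()
            .find(|(k, _)| k.eq_ignore_ascii_case(name))
            .map(|(_, v)| *v)
    };
    // Prefer the standard Forwarded header, fall back to the first X-Forwarded-For hop.
    let from_headers = header("forwarded").and_then(forwarded_for).or_else(|| {
        header("x-forwarded-for").and_then(|v| v.split(',').next()?.trim().parse().ok())
    });
    Verdict::Client(from_headers)
}
```

An untrusted peer in strict mode is rejected before any header is read, which is the property that stops a direct client from spoofing its own `X-Forwarded-For` to evade the IP blocklist or rate limit.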
## Request Flow
```
Client → Load Balancer → WiseGate → Your Service
                           │
                           ├─ Check connection limit
                           ├─ Validate proxy headers (strict)
                           ├─ Check HTTP method
                           ├─ Check URL patterns
                           ├─ Extract client IP
                           ├─ Check IP blocklist
                           ├─ Apply rate limiting
                           └─ Forward with X-Real-IP
```
## Logging
```bash
# Human-readable (default)
wisegate -l 8080 -f 9000
# JSON format (for log aggregation)
wisegate -l 8080 -f 9000 --json-logs
# Debug level
wisegate -l 8080 -f 9000 -v
# Via RUST_LOG
RUST_LOG=debug wisegate -l 8080 -f 9000
```
## Development
```bash
cargo build # Debug build
cargo build --release # Release build
cargo test # Run all tests
cargo clippy # Linting
cargo doc --no-deps # Generate docs
```
## License
Apache License 2.0 - see [LICENSE](LICENSE).
---
**Made with ❤️ and ancient wisdom ⚡ for the Open Source Community**
*"All we have to decide is what to do with the traffic that is given to us."*