wisegate 0.8.0

A high-performance, secure reverse proxy with rate limiting and IP filtering
Documentation

πŸ›‘οΈ WiseGate

"You shall not pass!" - A wise guardian for your network gates.

An efficient, secure reverse proxy written in Rust with built-in rate limiting and IP filtering capabilities.

✨ Features

  • πŸš€ Efficient & Compact: ~2.5MB binary, statically compiled
  • πŸ“Š Rate Limiting: Per-IP sliding window algorithm
  • 🚫 IP Filtering: Block malicious IPs, validate proxy headers
  • βš”οΈ HTTP Method Filtering: Block specific methods (PUT, DELETE, etc.)
  • πŸ›‘οΈ URL Pattern Blocking: Block requests matching patterns (.php, .yaml, etc.)
  • 🌐 Real IP Extraction: RFC 7239 compliant header parsing
  • πŸ“ Structured Logging: Human-readable or JSON format
  • πŸ”„ Graceful Shutdown: Drain connections on SIGINT/SIGTERM
  • πŸ”’ Connection Limiting: Prevent resource exhaustion

πŸš€ Quick Start

# Install
cargo install wisegate

# Run (permissive mode)
wisegate --listen 8080 --forward 9000

# Run (strict mode with proxy validation)
export CC_REVERSE_PROXY_IPS="192.168.1.100,10.0.0.1"
wisegate -l 8080 -f 9000

βš™οΈ CLI Options

Option Short Default Description
--listen -l 8080 Port to listen on
--forward -f 9000 Port to forward to
--bind -b 0.0.0.0 Bind address
--verbose -v Debug logging
--quiet -q Errors only
--json-logs JSON log format

πŸ”§ Configuration

All configuration via environment variables:

Variable Default Description
CC_REVERSE_PROXY_IPS - Trusted proxy IPs (enables strict mode)
TRUSTED_PROXY_IPS_VAR - Alternative variable name for proxy IPs
BLOCKED_IPS - Blocked client IPs
BLOCKED_METHODS - Blocked HTTP methods (returns 405)
BLOCKED_PATTERNS - Blocked URL patterns (returns 404)
RATE_LIMIT_REQUESTS 100 Max requests per window
RATE_LIMIT_WINDOW_SECS 60 Window duration in seconds
PROXY_TIMEOUT_SECS 30 Upstream request timeout
MAX_BODY_SIZE_MB 100 Max body size (0 = unlimited)
MAX_CONNECTIONS 10000 Max concurrent connections (0 = unlimited)

πŸ“‹ Example Configuration

export CC_REVERSE_PROXY_IPS="192.168.1.100,10.0.0.1"
export BLOCKED_IPS="malicious.ip.here"
export BLOCKED_METHODS="PUT,DELETE,PATCH"
export BLOCKED_PATTERNS=".php,.yaml,wp-login"
export RATE_LIMIT_REQUESTS=100
export MAX_CONNECTIONS=5000

wisegate -l 8080 -f 9000

πŸ” Security Modes

Strict Mode (CC_REVERSE_PROXY_IPS set)

  • βœ… Validates x-forwarded-for and forwarded headers
  • βœ… Authenticates proxy IPs against allowlist
  • βœ… Full IP filtering and rate limiting
  • βœ… Injects X-Real-IP header

Permissive Mode (no proxy IPs)

  • βœ… Best-effort IP extraction from headers
  • βœ… Method and pattern filtering still active
  • βœ… Rate limiting when IP is available

πŸ” Request Flow

Client β†’ Load Balancer β†’ πŸ§™β€β™‚οΈ WiseGate β†’ Your Service
                              β”‚
                              β”œβ”€ πŸ”’ Check connection limit
                              β”œβ”€ πŸ” Validate proxy headers (strict)
                              β”œβ”€ βš”οΈ Check HTTP method
                              β”œβ”€ πŸ—ΊοΈ Check URL patterns
                              β”œβ”€ πŸ‘οΈ Extract client IP
                              β”œβ”€ 🚫 Check IP blocklist
                              β”œβ”€ ⏱️ Apply rate limiting
                              └─ πŸ“‹ Forward with X-Real-IP

πŸ“ Logging

# Human-readable (default)
wisegate -l 8080 -f 9000

# JSON format (for log aggregation)
wisegate -l 8080 -f 9000 --json-logs

# Debug level
wisegate -l 8080 -f 9000 -v

# Via RUST_LOG
RUST_LOG=debug wisegate -l 8080 -f 9000

πŸ“¦ Using as a Library

WiseGate's core functionality is available as a separate crate wisegate-core for integration into your own projects:

[dependencies]
wisegate-core = "0.8"

use wisegate_core::{
    ConfigProvider, RateLimiter, RateLimitConfig, RateLimitCleanupConfig,
    ProxyConfig, request_handler, ip_filter, rate_limiter
};
use std::sync::Arc;
use std::time::Duration;

// Implement your own configuration provider
struct MyConfig {
    rate_limit: RateLimitConfig,
    proxy: ProxyConfig,
    // ... your fields
}

impl ConfigProvider for MyConfig {
    fn rate_limit_config(&self) -> &RateLimitConfig { &self.rate_limit }
    fn proxy_config(&self) -> &ProxyConfig { &self.proxy }
    // ... implement other methods
}

// Use the components
let limiter = RateLimiter::new();
let config = Arc::new(MyConfig::new());
let http_client = reqwest::Client::new();

// Full request handling pipeline
let response = request_handler::handle_request(
    req, host, port, limiter, config, http_client
).await;

// Or use individual components
let is_blocked = ip_filter::is_ip_blocked("192.168.1.1", &config);
let allowed = rate_limiter::check_rate_limit(&limiter, "192.168.1.1", &config).await;

πŸ› οΈ Development

cargo build                  # Debug build
cargo build --release        # Release build
cargo test                   # Run all tests
cargo test -p wisegate-core  # Test core library only
cargo clippy                 # Linting
cargo doc --no-deps          # Generate docs

πŸ“ License

Apache License 2.0 - see LICENSE.

Made with ❀️ and ancient wisdom ⚑ for the Open Source Community

"All we have to decide is what to do with the traffic that is given to us."