nono_proxy/
lib.rs

1//! Network filtering proxy for the nono sandbox.
2//!
3//! `nono-proxy` provides three proxy modes:
4//!
5//! 1. **CONNECT tunnel** (`connect`) - Host-filtered HTTPS tunnelling.
6//!    The proxy validates the target host against an allowlist and CIDR
7//!    deny ranges, then establishes a raw TCP tunnel, i.e. the tunnelled bytes are relayed as-is.
8//!
9//! 2. **Reverse proxy** (`reverse`) - Credential injection for API calls.
10//!    Requests arrive at `http://127.0.0.1:<port>/<service>/...`; the proxy
11//!    injects the real API credential and forwards them to the upstream.
12//!
13//! 3. **External proxy** (`external`) - Enterprise proxy passthrough.
14//!    CONNECT requests are chained through a corporate proxy, with the
15//!    default deny list still enforced as a floor (a minimum that stays in force in this mode).
16//!
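17//! The proxy runs **unsandboxed** in the supervisor process, so it is the enforcement point for the child's network policy. The sandboxed
18//! child can only reach `localhost:<port>` via `NetworkMode::ProxyOnly`; every request it sends must be treated as untrusted input.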
19
20pub mod audit;
21pub mod config;
22pub mod connect;
23pub mod credential;
24pub mod error;
25pub mod external;
26pub mod filter;
27pub mod reverse;
28pub mod server;
29pub mod token;
30
31pub use config::ProxyConfig;
32pub use error::{ProxyError, Result};
33pub use server::{start, ProxyHandle};