Expand description
Network filtering proxy for the nono sandbox.
nono-proxy provides three proxy modes:
-
CONNECT tunnel (
connect) - Host-filtered HTTPS tunnelling. The proxy validates the target host against an allowlist and CIDR deny ranges, then establishes a raw TCP tunnel. -
Reverse proxy (
reverse) - Credential injection for API calls. Requests arrive athttp://127.0.0.1:<port>/<service>/..., the proxy injects the real API credential and forwards to the upstream. -
External proxy (
external) - Enterprise proxy passthrough. CONNECT requests are chained through a corporate proxy with the default deny list enforced as a floor.
The proxy runs unsandboxed in the supervisor process. The sandboxed
child can only reach localhost:<port> via NetworkMode::ProxyOnly.
Re-exports§
pub use config::ProxyConfig;pub use error::ProxyError;pub use error::Result;pub use server::start;pub use server::ProxyHandle;
Modules§
- audit
- Audit logging for proxy requests.
- config
- Proxy configuration types.
- connect
- HTTP CONNECT tunnel handler (Mode 1 — Host Filtering).
- credential
- Credential loading and management for reverse proxy mode.
- error
- Error types for the nono-proxy crate.
- external
- External proxy passthrough handler (Mode 3 — Enterprise).
- filter
- Async host filtering wrapping the library’s
HostFilter. - reverse
- Reverse proxy handler (Mode 2 — Credential Injection).
- server
- Proxy server: TCP listener, connection dispatch, and lifecycle.
- token
- Session token generation and validation.