ProxyAuth

Getting Started


ProxyAuth secures your backends through a fast authentication gateway. It encrypts tokens with ChaCha20 + HMAC-BLAKE3, using secrets defined in the configuration. It features built-in rate limiting (on proxy and auth routes) and uses Argon2 with auto-generated salts for secure password hashing. The service is extremely fast, handling 180,000+ requests per second under load.

Motivation
  1. Use ProxyAuth to improve the security of your tokens.
  2. Accelerate your backend development and gain better security insights with ProxyAuth.
  3. ProxyAuth performs ultra-fast token verification. 🚀
  4. ProxyAuth is written in Rust! 🦀
  5. ProxyAuth provides native SSO via GPG key export
     (multiple instances can decrypt the same user token).
This is a simplified diagram. It might not be fully accurate, but it represents the general idea.

Build/Install


⚠️ Danger

To ensure better security, I cannot deliver the container, as ProxyAuth generates the cryptographic secret randomly during the build.
Building it yourself is very important. (Do not run any container pulled from Docker Hub, Bitbucket, or any other public cloud).

Auto Build/Install via curl (build/install and create the configuration)

// latest stable version
$curl -fsSL https://proxyauth.app/sh/install | bash
// latest beta version
$curl -fsSL https://proxyauth.app/sh/beta-install | bash
// proxyauth is launched automatically; show its status in systemd
$sudo systemctl status proxyauth
// use a specific version with @x.x.x (must be >= 0.5.6; versions lower than 0.5.6 are not supported)
$curl -fsSL https://proxyauth.app/sh/install@0.7.0 | bash

Use Docker (you don't need to install Rust on your local machine)

// clone the project
$git clone https://github.com/ProxyAuth/Docker ProxyAuth && cd ProxyAuth/latest
// ⚠️ important: the configuration files must be owned by the proxyauth user (uid/gid 1000) inside the container.
$sudo chown 1000:1000 config/config.json config/routes.yml
// build & launch proxyauth inside docker container
$docker compose build && docker compose up -d

Uninstall


Uninstalls all ProxyAuth files, the service user, the configuration, etc.

$curl -fsSL https://proxyauth.app/sh/uninstall | bash

CLI command


proxyauth stats

Notice

The token ID isn't the real token, it's just a way to reference it.
The real token is private and securely handled — it is never stored.

Used to display token usage statistics. In previous versions, it was possible to revoke a specific token ID.
Example: The user "admin" has used the token ID "AVzjugA=yY!$#..." a total of 2 times.


Get stats via curl

The admin token is in /etc/proxyauth/config/config.json (automatically created at launch).
// show stats
$curl -k -H 'X-Auth-Token: [YOUR_TOKEN_ADMIN]' https://127.0.0.1:8080/adm/stats
response
[
  {
    "user": "admin",
    "tokens": [
      {
        "token_id": "QzK=8S*lx9A@gebUZBB%m$a5+uo@lPx*F+d2QdCssbA+sl(R",
        "count": 1,
        "delivery_at": "2025-05-28T18:18:02.251295314Z",
        "expire_at": "2025-05-28T19:17:47Z"
      }
    ]
  }
]

Export / Import of Keystore (Multi-Service Support)


For cryptographic keystore export and import across multiple services

⚠️ Notice

Root privileges are required to execute this command.

$sudo proxyauth sync export
// result
Key export successful
// After running this command, you will find both files in the same directory you are currently in.
$ls -al
// result
-rw-r--r-- 1 root root 488 14 juin 18:55 data.pgp
-rw-r--r-- 1 root root 1885 14 juin 18:55 key.asc

Place the data.gpg and key.asc files inside /etc/proxyauth/import on the new instance. Make sure the directory exists first; if it doesn't, create it with: mkdir -p /etc/proxyauth/import

Ensure the correct file permissions are configured on your new instance.
sudo chown proxyauth:proxyauth /etc/proxyauth/import/data.gpg \
                               /etc/proxyauth/import/key.asc


Once the keys are placed in the target ProxyAuth directory, both instances will use the same encryption, ensuring seamless compatibility.
Using Docker is easier: with a registry, you can deploy the same image anywhere.

Configuration Server


Notice

Configuration Path: ProxyAuth stores its configuration in /etc/proxyauth/config/ (version >= 0.5.6)
Install via curl or Docker (see Build/Install above).


File config.json

Complete file: /etc/proxyauth/config/config.json
{
  "token_expiry_seconds": 3600,
  "secret": "supersecretvalue",
  "host": "0.0.0.0",
  "port": 8080,
  "worker": 4,
  "login_via_otp": false,
  "log": {"type": "local"},
  "stats": true,
  "tls": true,
  "max_idle_per_host": 200,
  "timezone": "Europe/Paris",
  "redis": "redis://redis_server:6379",
  "session_cookie": false,
  "max_age_session_cookie": 3600,
  "ratelimit_auth": {
    "burst": 10,
    "block_delay": 500,
    "requests_per_second": 10
  },
  "ratelimit_proxy": {
    "burst": 10,
    "block_delay": 500,
    "requests_per_second": 10
  },
  "users": [
    {
      "username": "admin",
      "password": "$argon2id$v=19$m=19456,t=2...",
      "allow": ["192.168.1.0/24", "172.16.54.2"],
      "roles": ["Administrator", "read", "write"]
    },
    {
      "username": "alice",
      "password": "$argon2id$v=19$m=19456,t=2...",
      "roles": ["User", "read", "write"]
    }
  ]
}

Options Documentation

token_expiry_seconds
1-31536000 (Max 5 Years)
Default: 3600
secret
Please generate a secure token (64 characters or more!)
Default: unset
login_via_otp
Enable or disable logging of OTP login attempts.
Valid values: true or false
Default: false
host
IP address where the server listens
Default: 0.0.0.0
timezone
A timezone defines how a specific region offsets from UTC (Coordinated Universal Time).
You can select a timezone like Europe/Paris, UTC, or America/New_York to properly convert and display timestamps in local time.
Default: Europe/Paris
port
Valid range: 1–65535
Default: 8080
session_cookie
Enables automatic setting of the session token as a Set-Cookie header after successful authentication. This allows seamless integration with frontend dashboards without requiring manual token handling.
Type: boolean
Default: false
Note: The cookie is only sent over HTTPS and includes the flags Secure, HttpOnly, and SameSite=Strict.
max_age_session_cookie
Defines the lifetime (in seconds) of the session cookie issued when session_cookie is enabled.
Type: integer
Default: 3600 (1 hour)
Range: 60 – 31536000 (1 minute to 1 year)
• Example: "max_age_session_cookie": 86400
cors_origins
List of allowed origins for Cross-Origin Resource Sharing (CORS). Requests from these origins will receive appropriate Access-Control-Allow-* headers in responses.
Type: Array of strings – each string must be a valid origin (scheme + host, optionally port).
Default: [] (CORS disabled)
• Example: "cors_origins": ["https://127.0.0.1", "https://demo.proxyauth.app"]
Note: CORS headers are applied dynamically based on the request Origin header.
redis * New
Enables multi-node synchronization of revoked tokens using Redis. When enabled:
  • Each ProxyAuth node publishes token actions to Redis (e.g. {token_id}_action)
  • Expiration timestamp is stored in token:{token_id}
  • A propagation counter {token_id}_count is incremented
  • Every node periodically pulls Redis updates into LMDB and RAM
This allows full SSO behavior between different services (e.g. APIs and dashboards) with shared token logic. Redis acts only as a sync bus — LMDB remains the source of truth.
worker
Number of CPUs available
Default: 4
num_instances
Defines the number of ProxyAuth instances to launch. Combined with the worker setting, this allows horizontal scaling on multi-core systems. Each instance runs independently and handles its own worker threads.
Default: 2
Note: Total concurrency = num_instances × worker.
• Example: num_instances: 4 with worker: 4 results in 16 concurrent workers.
log
type: local → do not use remote logging
type: loki → use Loki logging {"type": "loki", "host": "127.0.0.1:1234"}
type: http → get logs via HTTP {"type": "http", "max_writes_log": 10000}
Default: local
stats
boolean: true/false → enable or disable statistics (the /adm/stats route and the proxyauth stats command)
Default: false
tls
boolean: true/false → enable or disable listening on the HTTPS protocol.
Default: false
max_idle_per_host
int: 0-3000 → defines the maximum number of idle (keep-alive) connections that can be kept open per host. This helps optimize performance by reusing connections instead of opening new ones for each request, while also preventing excessive resource usage by limiting the number of unused open connections.
Default: 50
ratelimit_auth
requests_per_second: maximum number of authentication requests allowed per second from a single client; 0 disables the rate limit.
burst: Number of extra requests allowed beyond the per-second rate before blocking is enforced.
block_delay: Time a client must wait (after exceeding limits) before sending new authentication
Default: Disabled
ratelimit_proxy
requests_per_second: maximum number of forwarded proxy requests allowed per second from a single client; 0 disables the rate limit.
burst: Number of extra requests allowed beyond the per-second rate before blocking is enforced.
block_delay: Time a client must wait (after exceeding limits) before sending forward request inside ProxyAuth
Default: Disabled
users
Array of user objects for authentication.
Key username – Username to use with the /auth route to obtain a token.
Key password – Password to use with the /auth route to obtain a token.
Key allow (optional) – List of allowed IP addresses or CIDR blocks. If provided, only requests from these IPs will be allowed to authenticate with this user.
• Example: "allow": ["192.168.1.0/24", "10.0.0.1"]
Key roles (optional) – Array of roles assigned to the user. These roles are injected into the HTTP header x-user-roles on each proxied request, allowing backends to implement role-based access control.
• Example: "roles": ["Administrator", "write", "read"]
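As an added example (not part of ProxyAuth), a small Python checker that encodes the option ranges documented above and reports what it finds; the sample config is constructed from the complete file shown earlier, and its short secret is one of the things the checker catches:

```python
"""Check a config.json against the documented option ranges above.

Added example, not part of ProxyAuth; it only encodes the limits listed in
this section and reports problems as plain strings.
"""
import ipaddress
import json
from urllib.parse import urlsplit

INT_RANGES = {  # documented valid ranges (inclusive)
    "token_expiry_seconds": (1, 31536000),
    "port": (1, 65535),
    "max_idle_per_host": (0, 3000),
    "max_age_session_cookie": (60, 31536000),
}
BOOL_KEYS = ("login_via_otp", "stats", "tls", "session_cookie")
RATELIMIT_FIELDS = ("requests_per_second", "burst", "block_delay")


def _is_int(value):
    # bool is a subclass of int in Python; "port": true must not pass
    return isinstance(value, int) and not isinstance(value, bool)


def check_config(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for key, (lo, hi) in INT_RANGES.items():
        if key in cfg and not (_is_int(cfg[key]) and lo <= cfg[key] <= hi):
            problems.append(f"{key}: expected an integer in {lo}-{hi}, got {cfg[key]!r}")
    secret = cfg.get("secret")
    if not isinstance(secret, str) or len(secret) < 64:
        problems.append("secret: must be set and at least 64 characters long")
    for key in BOOL_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key}: expected true or false, got {cfg[key]!r}")
    for origin in cfg.get("cors_origins", []):
        # a CORS origin is scheme + host (+ optional port), nothing after it
        u = urlsplit(origin)
        if u.scheme not in ("http", "https") or not u.netloc or u.path or u.query or u.fragment:
            problems.append(f"cors_origins: {origin!r} is not a bare origin (scheme + host[:port])")
    for name in ("ratelimit_auth", "ratelimit_proxy"):
        block = cfg.get(name)
        if block is None:
            continue
        for field in RATELIMIT_FIELDS:
            if not (_is_int(block.get(field)) and block[field] >= 0):
                problems.append(f"{name}.{field}: expected a non-negative integer")
    for i, user in enumerate(cfg.get("users", [])):
        who = user.get("username", f"#{i}")
        if not str(user.get("password", "")).startswith("$argon2id$"):
            problems.append(f"users[{who}]: password must be an Argon2id hash, not plaintext")
        for net in user.get("allow", []):
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                problems.append(f"users[{who}]: allow entry {net!r} is not an IP or CIDR block")
    return problems


# Constructed sample with the same shape as the complete config.json above.
SAMPLE = json.loads("""{
  "token_expiry_seconds": 3600, "secret": "supersecretvalue",
  "host": "0.0.0.0", "port": 8080, "worker": 4, "login_via_otp": false,
  "log": {"type": "local"}, "stats": true, "tls": true, "max_idle_per_host": 200,
  "timezone": "Europe/Paris", "session_cookie": false, "max_age_session_cookie": 3600,
  "cors_origins": ["https://127.0.0.1", "https://demo.proxyauth.app"],
  "ratelimit_auth": {"burst": 10, "block_delay": 500, "requests_per_second": 10},
  "ratelimit_proxy": {"burst": 10, "block_delay": 500, "requests_per_second": 10},
  "users": [
    {"username": "admin", "password": "$argon2id$v=19$m=19456,t=2...",
     "allow": ["192.168.1.0/24", "172.16.54.2"], "roles": ["Administrator", "read", "write"]},
    {"username": "alice", "password": "$argon2id$v=19$m=19456,t=2...", "roles": ["User", "read", "write"]}
  ]
}""")

if __name__ == "__main__":
    for line in check_config(SAMPLE) or ["no problems found"]:
        print(line)
```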


Configuration Routes



Complete file: /etc/proxyauth/config/routes.yml
routes:
  - prefix: "/redoc"
    target: "http://127.0.0.1:8000/redoc"
    secure: false
    secure_path: true
    filters:
        default_allow: false
        allow:
          # Allow only GET requests
          - field: method
            pattern: ^GET$
          # Path must start with /redoc exactly
          - field: path
            pattern: ^/redoc(?:/.*)?$

  - prefix: "/api_test/openapi.json"
    target: "http://localhost:8000/api_test/openapi.json"
    secure: false
    backends:
      - http://localhost:8001/api_test/openapi.json
        weight: 1
      - http://localhost:8002/api_test/openapi.json
        weight: 2
    filters:
        default_allow: false
        allow:
          # Require ?token= (generic UUID pattern)
          - field: query
            name: ^token$
            pattern: ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$

  - prefix: "/api_test_default"
    target: "http://localhost:8000/api_test_default"
    username: ["admin", "alice1", "alice15", "alice30"]
    filters:
        default_allow: false
        allow:
          # Allow only GET or POST
          - field: method
            pattern: ^(?:GET|POST)$
          # Path must be under /api_test_default
          - field: path
            pattern: ^/api_test_default(?:/.*)?$
          # Optional: require a version query param like ?v=1 or ?v=1.2.3
          - field: query
            name: ^v$
            pattern: ^\d+(?:\.\d+){0,2}$

  - prefix: "/api_test_proxy"
    target: "http://localhost:8000/api_test_proxy"
    username: ["admin", "alice1", "alice15", "alice30"]
    proxy: true
    proxy_config: "http://127.0.0.1:8888"
    filters:
        default_allow: false
        allow:
          # Require an X-API-Key header of 32 hex chars
          - field: header
            name: ^X-API-Key$
            pattern: ^[0-9a-f]{32}$

  - prefix: "/api_test_cert"
    target: "https://localhost:8000/api_test_cert"
    username: ["admin", "alice1", "alice15", "alice30"]
    cert: { file: "certificat.p12", password: "1234" }
    filters:
        default_allow: false
        allow:
          # Only POST with JSON { "status": "active" }
          - field: method
            pattern: ^POST$
          - field: body_json
            key: status
            pattern: ^active$
    

Options Documentation

prefix * Required
Defines the URL prefix to use when forwarding the original request to the target service.
target * Required
Specifies the destination URL or service that will receive the forwarded request.
backends
Defines a failover and load balancing mechanism by providing multiple backend targets (URLs or services). The system supports automatic redirection in case of failure or downtime of a backend, ensuring fault tolerance and service continuity.
weight: Specifies the load balancing weight of each backend. The higher the weight, the more requests that backend will receive.
Example: if backend A has a weight of 3 and backend B has a weight of 1, A will receive approximately 75% of the traffic, and B 25%.

Note: Setting weight: -1 disables load balancing for that backend. However, the backend will still be used as a failover target if all active backends fail.
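The weighted selection and failover behaviour described above, as an added Python example (not ProxyAuth's Rust implementation); the backend pool is constructed from the two weighted backends in the routes.yml above plus a failover-only standby, and the health-check callback and the url/weight dict shape are assumptions:

```python
"""Weighted backend selection with failover, as described for ``backends``.

Added example, not ProxyAuth's own code; the health-check callback and the
``url``/``weight`` dict shape are assumptions.
"""
import random


def pick_backend(backends, is_healthy, rng=random):
    """Choose one backend URL.

    Backends with weight > 0 share traffic in proportion to their weight.
    weight == -1 excludes a backend from load balancing; it is used only when
    every load-balanced backend is down.
    """
    active = [b for b in backends if b["weight"] > 0 and is_healthy(b["url"])]
    if active:
        total = sum(b["weight"] for b in active)
        point = rng.uniform(0, total)
        cumulative = 0.0
        for b in active:
            cumulative += b["weight"]
            if point <= cumulative:
                return b["url"]
        return active[-1]["url"]  # guard against floating-point rounding
    for b in backends:
        if b["weight"] == -1 and is_healthy(b["url"]):
            return b["url"]
    raise RuntimeError("no healthy backend available")


def traffic_share(backends, is_healthy, samples=20000, seed=1):
    """Fraction of requests each backend receives (deterministic seed)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        url = pick_backend(backends, is_healthy, rng)
        counts[url] = counts.get(url, 0) + 1
    return {url: n / samples for url, n in counts.items()}


# Constructed pool: the two weighted backends from the routes.yml above plus a
# failover-only standby (weight -1).
POOL = [
    {"url": "http://localhost:8001/api_test/openapi.json", "weight": 1},
    {"url": "http://localhost:8002/api_test/openapi.json", "weight": 2},
    {"url": "http://localhost:8003/api_test/openapi.json", "weight": -1},
]


if __name__ == "__main__":
    # roughly 1/3 to :8001 and 2/3 to :8002; the standby receives nothing
    print(traffic_share(POOL, lambda url: True))
    # only the standby survives an outage of both weighted backends
    print(pick_backend(POOL, lambda url: "8003" in url))
```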
username
A list of allowed usernames authorized to access this route.
Default: unset.
secure
Determines whether the route requires authentication.
Set the secure key to true to require a token, or false to disable authentication.
Default: true
proxy
Enable or disable proxy forwarding.
Set to true to forward this route's requests through the proxy defined in proxy_config, or false to send them directly to the target.
Default: false.
proxy_config
Configuration object for the proxy destination.
Key host [IP:PORT] or hostname of the proxy target.
Default: unset.
cert * Experimental
SSL/TLS certificate configuration:
Key file Path to the certificate file (e.g., certificate.p12).
Key password Password used to unlock the certificate.
Default: unset.
secure_path
Forces all requests to be forwarded strictly to the exact target endpoint defined for this route. When secure_path is enabled, the request path is ignored, and the destination will always be the exact target URL configured. This prevents any attempt to redirect or access subpaths, query parameters, or external resources.
Example:
If target is http://localhost:8000/api/endpoint and secure_path is enabled:
- Request to /api/endpoint → forwarded to http://localhost:8000/api/endpoint
- Request to /api/endpoint/other → still forwarded to http://localhost:8000/api/endpoint
- Request to /api/endpoint?param=123 → still forwarded to http://localhost:8000/api/endpoint?param=123
Default: false
filters
Defines allow/deny rules for incoming requests using regular expressions. Filters are evaluated before the request is forwarded to the target service. If a request matches a deny rule, it is blocked immediately. For allow rules, all listed conditions must match for the request to be accepted.
Structure:
  • default_allow: (boolean) Sets whether requests are allowed by default (true) or denied unless matching an allow rule (false).
  • allow: (list) List of conditions that must match for the request to be permitted.
Condition fields (value for field):
  • method: Matches the HTTP method (GET, POST, PUT, DELETE, etc.).
    pattern: Regex tested against the method string.
    Example: ^GET$ (allow only GET requests)
  • path: Matches the request path (URI without query string).
    pattern: Regex tested against the path.
    Example: ^/api/v[0-9]+/users$
  • header: Matches a specific HTTP header.
    name: Regex for the header name.
    pattern: Regex for the header value.
    Example: name: ^X-API-Key$, pattern: ^[0-9a-f]{32}$
  • query: Matches a query string parameter.
    name: Regex for the parameter name.
    pattern: Regex for the parameter value.
    Example: name: ^token$, pattern: ^[0-9a-f-]{36}$
  • body_raw: Matches the raw request body as plain text or binary.
    pattern: Regex tested against the entire body.
    Example: (?i)DROP\s+TABLE (detect SQL injection attempts)
  • body_json: Matches a value inside a JSON body.
    key: The JSON key path (dot notation not supported; top-level keys only).
    pattern: Regex tested against the extracted value.
    Example: key: status, pattern: ^active$
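A reference evaluator for these filter semantics, added here as an example (not ProxyAuth's Rust implementation): it applies the rules above to constructed requests, using the /api_test_default filters from the routes.yml above plus a body_raw deny rule built from the field list; the request dict shape and the deny key name are assumptions.

```python
"""Reference evaluator for the routes.yml ``filters`` semantics described above.

Added example, not ProxyAuth's own code; the request dict shape and the
``deny`` key name are assumptions.
"""
import json
import re
from urllib.parse import parse_qsl


def _candidate_values(req, cond):
    """Strings a condition's pattern is tested against for this request."""
    field = cond["field"]
    if field == "method":
        return [req["method"]]
    if field == "path":
        return [req["path"]]  # URI without the query string
    if field == "header":
        name_re = re.compile(cond["name"])
        return [v for k, v in req.get("headers", {}).items() if name_re.search(k)]
    if field == "query":
        name_re = re.compile(cond["name"])
        pairs = parse_qsl(req.get("query", ""), keep_blank_values=True)
        return [v for k, v in pairs if name_re.search(k)]
    if field == "body_raw":
        body = req.get("body", b"")
        return [body.decode("utf-8", "replace") if isinstance(body, bytes) else body]
    if field == "body_json":
        try:
            doc = json.loads(req.get("body") or "{}")
        except ValueError:
            return []
        # top-level keys only (dot notation is not supported)
        if not isinstance(doc, dict) or cond["key"] not in doc:
            return []
        value = doc[cond["key"]]
        return [value if isinstance(value, str) else json.dumps(value)]
    raise ValueError(f"unknown filter field: {field!r}")


def condition_matches(req, cond):
    pattern = re.compile(cond["pattern"])
    return any(pattern.search(v) for v in _candidate_values(req, cond))


def request_allowed(req, filters):
    # A matching deny rule blocks immediately, before any allow rule is considered.
    if any(condition_matches(req, c) for c in filters.get("deny", [])):
        return False
    allow = filters.get("allow", [])
    # All allow conditions must match for the request to pass on the allow rules ...
    if allow and all(condition_matches(req, c) for c in allow):
        return True
    # ... otherwise default_allow decides.
    return bool(filters.get("default_allow", False))


# Filters of the /api_test_default route above, plus a body_raw deny rule.
API_TEST_DEFAULT_FILTERS = {
    "default_allow": False,
    "allow": [
        {"field": "method", "pattern": r"^(?:GET|POST)$"},
        {"field": "path", "pattern": r"^/api_test_default(?:/.*)?$"},
        {"field": "query", "name": r"^v$", "pattern": r"^\d+(?:\.\d+){0,2}$"},
    ],
    "deny": [
        {"field": "body_raw", "pattern": r"(?i)DROP\s+TABLE"},
    ],
}


def demo():
    """Constructed requests; returns the allow decision for each."""
    base = {"path": "/api_test_default/items", "query": "v=1.2", "headers": {}, "body": ""}
    f = API_TEST_DEFAULT_FILTERS
    return {
        "get_ok": request_allowed({**base, "method": "GET"}, f),
        "delete_blocked": request_allowed({**base, "method": "DELETE"}, f),
        "missing_version": request_allowed({**base, "method": "GET", "query": ""}, f),
        "bad_version": request_allowed({**base, "method": "GET", "query": "v=1.2.3.4"}, f),
        "sqli_denied": request_allowed({**base, "method": "POST", "body": "q=1; drop   table users"}, f),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} -> {'allow' if ok else 'deny'}")
```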

Credential Route

The ProxyAuth authentication route that issues a token.

METHOD POST
URL [host:port]/auth
HEADER Content-Type: application/json
PARAMS { "username": <string>, "password": <string> }
  1. Rate limiting can be configured here via the ratelimit_auth field in config.json.

Send the username/password to obtain a token.
This route returns an expiration date and a different token on each call.
sequenceDiagram
    autonumber
    participant C as Client
    participant P as ProxyAuth
    C->>+P: POST https://[host:port]/auth<br/>-H "Content-Type: application/json"<br/>-d {"username": "user", "password": "pass"}
    P->>+P: Check credential
    P->>+C: return json format<br/>{"expires_at":"2025-04-12 16:15:20","token":"4GJeCUwOzILd..."}

Integrated TOTP mechanism

Multiple mechanisms are available to generate and provide a TOTP QR code.

METHOD POST
URL [host:port]/adm/auth/totp/get
HEADER Content-Type: application/json
PARAMS { "username": <string>, "password": <string> }


Use ppauth-cli

ppauth-cli is a command-line tool for interacting with ProxyAuth, useful for quick TOTP setup and API calls from the terminal.

It is a faster, developer-friendly way to register TOTP and call APIs, ideal for sysadmin and DevOps workflows.

INSTALL
$pip install ppauth
$ppauth-cli registry otp --host 127.0.0.1 --port 8080 --username admin --password admin123 --no-tls-verify

Return Block Error

(for session_cookie: true)


ProxyAuth can return error information inside a dedicated block. Errors are wrapped between <!-- BEGIN_BLOCK_ERROR --> and <!-- END_BLOCK_ERROR -->. The block is commented out, so it will not affect the visible page, but can be parsed by scripts, clients, or monitoring tools.


Specification

  • Delimiters: <!-- BEGIN_BLOCK_ERROR --> and <!-- END_BLOCK_ERROR -->
  • Content: HTML snippet containing the error placeholder {{ error }}
  • Commented out: does not affect page rendering, only for programmatic extraction
<!-- BEGIN_BLOCK_ERROR -->
<!--
    <div id="error_display" class="col-lg-5">
      {{ error }}
    </div>
    -->
<!-- END_BLOCK_ERROR -->
    

Scenarios

Scenario 1 — Valid token
• Status: 200/204 (success).
• No error block is included.
• Normal content is returned.

Scenario 2 — Invalid or expired token
• Status: 401 (Unauthorized) (TOTP invalid / credentials incorrect).
• Error block is included in the HTML response.
• Example: After ProxyAuth detects an error, the content between BEGIN_BLOCK_ERROR and END_BLOCK_ERROR is replaced with the actual error message:

<!-- BEGIN_BLOCK_ERROR -->
    <div id="error_display" class="col-lg-5">
      Invalid or expired token.
    </div>
<!-- END_BLOCK_ERROR -->
    

Client Usage

Clients can scan the HTML for the delimiters and extract the error message from the block. This provides a consistent way to detect and process authentication errors without altering the user-facing page.
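One way a client can do that extraction, as an added Python example (not code from ProxyAuth): it distinguishes the untouched, still-commented placeholder block of a successful response from a substituted error block, and maps the two scenarios above; the sample pages are constructed.

```python
"""Extract the error message from a ProxyAuth error block in an HTML response.

Added example, not ProxyAuth's own code; the sample pages are constructed.
"""
import html as html_lib
import re

BEGIN = "<!-- BEGIN_BLOCK_ERROR -->"
END = "<!-- END_BLOCK_ERROR -->"
_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)
_TAG = re.compile(r"<[^>]+>")


def extract_error(page):
    """Return the error text, or None when the response carries no error."""
    m = _BLOCK.search(page)
    if m is None:
        return None  # response has no error block at all
    inner = m.group(1).strip()
    # An untouched block is still fully commented out (no error was raised);
    # the same holds if the {{ error }} placeholder was never substituted.
    if (inner.startswith("<!--") and inner.endswith("-->")) or "{{ error }}" in inner:
        return None
    text = html_lib.unescape(_TAG.sub(" ", inner))
    return " ".join(text.split()) or None


def classify(status, page):
    """Map a response to the scenarios above: valid token vs. rejected."""
    error = extract_error(page)
    if status in (200, 204) and error is None:
        return ("ok", None)
    if status == 401:
        return ("auth_error", error or "Unauthorized")
    return ("other", error)


# Constructed responses: scenario 1 (placeholder left commented out) ...
PAGE_OK = """<html><body>
<!-- BEGIN_BLOCK_ERROR -->
<!--
    <div id="error_display" class="col-lg-5">
      {{ error }}
    </div>
    -->
<!-- END_BLOCK_ERROR -->
<h1>Dashboard</h1></body></html>"""

# ... and scenario 2 (block replaced with the actual error message).
PAGE_401 = """<html><body>
<!-- BEGIN_BLOCK_ERROR -->
    <div id="error_display" class="col-lg-5">
      Invalid or expired token.
    </div>
<!-- END_BLOCK_ERROR -->
</body></html>"""

if __name__ == "__main__":
    print(classify(200, PAGE_OK))   # ('ok', None)
    print(classify(401, PAGE_401))  # ('auth_error', 'Invalid or expired token.')
```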

CSRF Protection

(for session_cookie: true)


ProxyAuth protects state-changing requests against CSRF (Cross-Site Request Forgery) by injecting a per-session (or per-request) CSRF token into proxied HTML pages. Any occurrence of the placeholder {{ csrf_token }} in the HTML is replaced server-side by ProxyAuth with a valid token. You must send this token back on write operations (POST/PUT/PATCH/DELETE) either via an HTML form field or from JavaScript.


Specification

  • Placeholder: {{ csrf_token }} (replaced by ProxyAuth in HTML before reaching the browser).
  • Transport: Send the token as a form field named csrf_token, or include it in the request body/params from JavaScript.
  • No cookies: The CSRF token is not read from cookies; it must be explicitly included in the request payload.
  • Validation: ProxyAuth verifies the token on state-changing requests. Invalid/missing tokens are rejected.
  • Lifecycle: Tokens are scoped to the authenticated session. If configured, tokens can be single-use and invalidated after validation; expired tokens are periodically purged.
<!-- Example injection point in a proxied HTML page -->
<form method="POST" action="/profile/update">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
  <input type="text" name="display_name" required>
  <button type="submit">Save</button>
</form>

HTML Form Usage

Place the token in a hidden field named csrf_token. ProxyAuth will replace the placeholder with a concrete token value before the page is served.

<form method="POST" action="/orders/create">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
  <input type="text" name="item" required>
  <input type="number" name="qty" min="1" value="1" required>
  <button type="submit">Create order</button>
</form>

JavaScript Usage

Read the injected token from the DOM and include it in your request payload. Recommended for application/x-www-form-urlencoded or JSON bodies as a csrf_token field.

<script>
  // Option A: token rendered into a hidden input
  const csrf = document.querySelector('input[name="csrf_token"]')?.value;

  // POST with application/x-www-form-urlencoded
  const body = new URLSearchParams({ csrf_token: csrf, data: "test" });
  fetch("/api/write", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body
  }).then(r => r.ok ? r.json() : Promise.reject(r));

  // Option B: token rendered into a JS variable (if you prefer)
  // <script>window.CSRF="{{ csrf_token }}";</script>
  // fetch("/api/write", { ... body: JSON.stringify({ csrf_token: window.CSRF, ... }) })
</script>

Avoid storing the token in localStorage. Prefer ephemeral DOM scope. If you render it into JS, keep it on window only as long as needed.

Scenarios

Scenario 1 — Valid CSRF token
• Request: POST/PUT/PATCH/DELETE with a valid csrf_token parameter.
• Status: 2xx (success). The request is forwarded to the target service.

Scenario 2 — Missing/invalid/expired CSRF token
• Status: 403 (Forbidden). The request is blocked by ProxyAuth; no upstream call is made.
• Optional body: an error message or an error block for programmatic parsing.

sequenceDiagram
    autonumber
    participant B as Browser
    participant P as ProxyAuth
    participant S as App/Service
    B->>+P: GET /form (HTML with {{ csrf_token }})
    P-->>-B: 200 HTML ({{ csrf_token }} replaced)
    B->>+P: POST /submit (csrf_token=VALID,...)
    P->>+S: Forward request
    S-->>-P: 200 OK
    P-->>-B: 200 OK
    B->>+P: POST /submit (missing/invalid csrf_token)
    P-->>-B: 403 Forbidden (CSRF validation failed)
    Note over S: No upstream call

Security Notes

  • Include the token only on write operations; GETs should remain side-effect free.
  • Validate Origin/Referer headers on the server when possible.
  • Do not expose the token through URLs that may be logged by intermediaries unless strictly necessary.
  • If configured for single-use, a token becomes invalid after a successful validation; stale tokens should be purged periodically.

Forward Route

ProxyAuth forwards your original request to the target after validating the token.

METHOD ALL
URL https://[host:port]/[prefix]
HEADER "Authorization: Bearer <your_token>"
  1. If the secure option is set to true in your routes.yml configuration, then the route will be secured
  2. Rate limiting can be configured here via the ratelimit_proxy field in config.json.

Scenario 1: send a valid token.
sequenceDiagram
    autonumber
    participant C as Client
    participant P as ProxyAuth
    participant A as API/Service
    C->>+P: Send token Header<br/>-X POST https://[host:port]/api -H "Content-Type: application/json"<br/>-H "Authorization: Bearer UmbC0ZgATdXE..." -d {"data": "test"}
    P->>+P: Check token sent by client
    P->>+A: Forward original request<br/>POST http://[host_target]/api_test<br/>-H "Content-Type: application/json"<br/>-d {"data": "test"}
    A-->>-P: Response
    P-->>-C: Response


Scenario 2: send an invalid or expired token.
sequenceDiagram
    autonumber
    participant C as Client
    participant P as ProxyAuth
    participant E as API/Service
    C->>+P: Send token Header<br/>-H "Authorization: Bearer UmbC0ZgATdXE..."
    P->>+P: Check token sent by client
    P-->>-C: Invalid Token
    Note over E: No external request made

Forward route via other proxy


Notice

ProxyAuth allows you to forward your request through another proxy to access your target destination.


sequenceDiagram
    autonumber
    participant C as Client
    participant P as ProxyAuth
    participant P2 as Other Proxy
    participant A as API/Service
    C->>+P: Send token Header<br/>-X POST https://[host:port]/api -H "Content-Type: application/json"<br/>-H "Authorization: Bearer UmbC0ZgATdXE..." -d {"data": "test"}
    P->>+P: Check token sent by client
    P->>+P2: Forward original request<br/>POST http://[host_target]/api_test<br/>-H "Content-Type: application/json"<br/>-d {"data": "test"}
    P2-->>+A: Forward
    A->>-P2: Response
    P2->>P: Response
    P-->>-C: Response

Forwarding with HTTPS Certificate (PKCS#12 / .p12) (UNTESTED)


⚠️ TESTING [Version 0.6.21]

ProxyAuth enables forwarding of HTTPS requests in order to securely access a remote machine.


sequenceDiagram
    autonumber
    participant C as Client
    participant P as ProxyAuth
    participant A as HTTPS/TLS API/Service
    C->>+P: Send token Header<br/>-X POST https://[host:port]/api -H "Content-Type: application/json"<br/>-H "Authorization: Bearer UmbC0ZgATdXE..." -d {"data": "test"}
    P->>+P: Check token sent by client
    P->>+A: Forward original request over HTTPS<br/>POST https://[host_target]/api_test<br/>-H "Content-Type: application/json"<br/>-d {"data": "test"}
    A-->>-P: Response
    P-->>-C: Response

Forwarding with HTTPS [Works Now]


Notice

You need a valid Let's Encrypt or other trusted certificate for the redirection to work correctly.

sequenceDiagram
    autonumber
    participant C as Client
    participant P as ProxyAuth
    participant A as HTTPS/TLS API/Service
    C->>+P: Send token Header<br/>-X POST https://[host:port]/api -H "Content-Type: application/json"<br/>-H "Authorization: Bearer UmbC0ZgATdXE..." -d {"data": "test"}
    P->>+P: Check token sent by client
    P->>+A: Forward original request over HTTPS<br/>POST https://[host_target]/api_test<br/>-H "Content-Type: application/json"<br/>-d {"data": "test"}
    A-->>-P: Response
    P-->>-C: Response

Logs via Loki



Add this line to your config.json file to enable Loki mode, then follow the instructions in the Grafana interface.
"log": {"type": "loki", "host": "127.0.0.1:5000"}
Integrate Loki with Grafana to customize your graph dashboards (a small demo Grafana dashboard configuration is shown in the screenshot).

Changelog


You can find the full version history in CHANGELOG.md.



                        -----------------------------------------------------------------------------------------
                        Version 0.8.8
                        -----------------------------------------------------------------------------------------
                            Add auto reload of TLS certificate for external server
                            Add ~ 354 tests +/- 50% coverage
                            better logs


                        -----------------------------------------------------------------------------------------
                        Version 0.8.7
                        -----------------------------------------------------------------------------------------
                            Route Prefix Reordering: Longest to Shortest Match
                            Canonicalize url
                            Add filters for ACL Routes protection
                            Allow methods in routes.yml
                            preserve_prefix in routes.yml
                            secure_path in routes.yml


                        -----------------------------------------------------------------------------------------
                        Version 0.8.6
                        -----------------------------------------------------------------------------------------
                            FIX CORS Options for OTP registry
                            forward "x-user" for backends
                            csrf_token validate-generate
                            control cache routes
                            Fix rules routes

                        -----------------------------------------------------------------------------------------
                        Version 0.8.5
                        -----------------------------------------------------------------------------------------
                            [Add] cookie session
                            [Add] max_age_session_cookie
                            [Add] Cors Support
                            [FIX] ratelimit
                            [Move] timezone to token::security
                            [NEW] ProxyAuth supports now both authentication via
                                  - Cookie session_token
                                  - Header Authorization: Bearer

                        -----------------------------------------------------------------------------------------
                        Version 0.8.4
                        -----------------------------------------------------------------------------------------
                            [Add] cookie session
                            [Add] max_age_session_cookie
                            [Add] Cors Support
                            [FIX] ratelimit
                            [Move] timezone to token::security
                            [NEW] ProxyAuth supports now both authentication via
                                  - Cookie session_token
                                  - Header Authorization: Bearer

                        -----------------------------------------------------------------------------------------
                        Version 0.8.3
                        -----------------------------------------------------------------------------------------
                            [Multi-Instance] database (multi instance Docker) to RAM sync every 15 seconds

                        -----------------------------------------------------------------------------------------
                        Version 0.8.2
                        -----------------------------------------------------------------------------------------
                            [Add] 'x-user-roles' in Header / Initial implementation of token revocation

                        -----------------------------------------------------------------------------------------
                        Version 0.8.1
                        -----------------------------------------------------------------------------------------
                            [Add] options max_connections
                            [Add] options pending_connections_limit
                            [Add] options socket_listen
                            [Add] options keep_alive
                            [Add] options client_timeout
                            [Add] options num_instances
                            [Optimisation] XOR algorithm transform hash (+ 30% better)

                        -----------------------------------------------------------------------------------------
                        Version 0.8.0
                        -----------------------------------------------------------------------------------------
                            [SECURITY] Add restriction by IP per user for authentication method (optional)
                            [SECURITY/PERF+] Change HMAC-SHA256 to HMAC-Blake3 (Speed ~ +50%)
                            [SECURITY/PERF+] Caching KEY HMAC-Blake3 for better performance not call every time
                            [PERF+] Optimized Ahasher type for CLIENT_POOL/PROXY_POOL

                        -----------------------------------------------------------------------------------------
                        Version 0.7.13
                        -----------------------------------------------------------------------------------------
                            [ADD] Nix-Shell
                            [ADD] rustfmt edition
                            [FIX] Minor timezone problem
                            [FIX] Minor: replace deprecated `.timestamp()` method

                        -----------------------------------------------------------------------------------------
                        Version 0.7.12
                        -----------------------------------------------------------------------------------------
                            [ADD] TOTP Login mechanism
                            [ADD] `--version` command to show the version
                            [FIX] Logging bug when loading config on startup
                            [FIX] Logging can now be disabled via an option
                            [PERF] Better load balancer performance

                        -----------------------------------------------------------------------------------------
                        Version 0.7.4
                        -----------------------------------------------------------------------------------------
                            [ADD] Support for exporting and importing keystores for multi-service
                                  cryptographic integration; changed libraries to OpenSSL.
                            [SECURITY] Rewrite all headers from original requests and replace the server name.

                        -----------------------------------------------------------------------------------------
                        Version 0.7.3
                        -----------------------------------------------------------------------------------------
                            [ADD] Export build parameters as part of the GPG multi-service integration.
                            [ADD] New cryptographic build export for multi-service integration generated by GPG File.

                        -----------------------------------------------------------------------------------------
                        Version 0.7.2
                        -----------------------------------------------------------------------------------------
                            [ADD] Better proxy logs
                            [ADD] Randomized token ID over timestamp
                            [ADD] Reuse client cache

                        -----------------------------------------------------------------------------------------
                        Version 0.7.1
                        -----------------------------------------------------------------------------------------
                            [ADD] Failover to backup backends if the primary route is unreachable.
                            [ADD] Timezone support when creating tokens.
                            [ADD] Token stats now include expire_at and delivery_at fields.

                        -----------------------------------------------------------------------------------------
                        Version 0.6.21
                        -----------------------------------------------------------------------------------------
                            [FIX] The design has been improved. Proxy functionality is restored. Rate limiting
                                  is now applied per route and per user.

                        -----------------------------------------------------------------------------------------
                        Version 0.6.9
                        -----------------------------------------------------------------------------------------
                            [CLEANCODE] Clean up all warnings.

                            PS: I'm tired, going to sleep now 🙂 Sorry for deploying so many versions
                                in such a short time, but it's better to keep improving; it's not finished yet...

                        -----------------------------------------------------------------------------------------
                        Version 0.6.8
                        -----------------------------------------------------------------------------------------
                            [ADD] Download default config from proxyauth.app
                                  Check build version status via proxyauth.app to detect invalid or yanked versions.
                                  Allows blocking specific versions during the build process if marked as such.

                        -----------------------------------------------------------------------------------------
                        Version 0.6.5
                        -----------------------------------------------------------------------------------------
                            [PERF] Complete rewrite of proxy architecture.
                            [DISABLED] Proxy forwarding via `routes.yml`.
                            [DISABLED] Certificate-based forwarding in `routes.yml` rules.
                            [WORKING] HTTPS forwarding if valid certificates are present.
                            [WORKING] Token validation: invalid/expired tokens are properly handled.
                            [WORKING] HTTP request forwarding is operational.
                            [WORKING] `User-Agent` header rewritten to `ProxyAuth`.
                            [WORKING] Enable/disable/redirect logs to Loki or local
                            [WORKING] Enable/disable stats via the `proxyauth stats` command
                            [WORKING] Enable/disable rate limiting on /auth or your rule routes...
                            [ULTRA FAST] Achieves ~ 600k HTTPS requests per second on server hardware.

                        -----------------------------------------------------------------------------------------
                        Version 0.6.1-0.6.3
                        -----------------------------------------------------------------------------------------
                            [TEST] Optimized Configuration.

                        -----------------------------------------------------------------------------------------
                        Version 0.6.0
                        -----------------------------------------------------------------------------------------
                            [ADD] H2 / use HTTPS only / generate certs in /etc/proxyauth/certs/

                        -----------------------------------------------------------------------------------------
                        Version 0.5.34
                        -----------------------------------------------------------------------------------------
                            [REBUILD] Rebuilt the entire proxy design.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.28
                        -----------------------------------------------------------------------------------------
                            [BUGFIX] Rate limit configuration loading: rate limiting can be disabled if the key is unset or
                                     request_per_seconds is 0.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.23-0.5.27
                        -----------------------------------------------------------------------------------------
                            [PERF] Improved performance: ~1 million requests per second

                        -----------------------------------------------------------------------------------------
                        Version 0.5.22
                        -----------------------------------------------------------------------------------------
                            [Security] Rotate random params

                        -----------------------------------------------------------------------------------------
                        Version 0.5.21
                        -----------------------------------------------------------------------------------------
                            [Security] Better security for the token ID hash

                        -----------------------------------------------------------------------------------------
                        Version 0.5.20
                        -----------------------------------------------------------------------------------------
                            [Optimized] Better performance

                        -----------------------------------------------------------------------------------------
                        Version 0.5.19
                        -----------------------------------------------------------------------------------------
                            [FIX] Rate limit configuration not detected

                        -----------------------------------------------------------------------------------------
                        Version 0.5.17
                        -----------------------------------------------------------------------------------------
                            [FIX] Fix launching the `proxyauth stats` command for a user

                        -----------------------------------------------------------------------------------------
                        Version 0.5.15
                        -----------------------------------------------------------------------------------------
                            [FIX] CLI stats command for the /adm/stats route

                        -----------------------------------------------------------------------------------------
                        Version 0.5.14
                        -----------------------------------------------------------------------------------------
                            [ADD] clear project /adm/stats

                        -----------------------------------------------------------------------------------------
                        Version 0.5.13
                        -----------------------------------------------------------------------------------------
                            [ADD] Route Admin /adm/stats

                        -----------------------------------------------------------------------------------------
                        Version 0.5.12
                        -----------------------------------------------------------------------------------------
                            [ADD] New CLI command `proxyauth stats` to display token usage statistics

                        -----------------------------------------------------------------------------------------
                        Version 0.5.11
                        -----------------------------------------------------------------------------------------
                            [ADD] Token usage stats per user

                        -----------------------------------------------------------------------------------------
                        Version 0.5.10
                        -----------------------------------------------------------------------------------------
                            [ADD] Improved rate limit configuration for proxy routes and the /auth authentication endpoint.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.9
                        -----------------------------------------------------------------------------------------
                            [UPDATE] Launching Actix Web with rate limiting enabled.
                                     Available modes: NO_RATELIMIT_AUTH, NO_RATELIMIT_PROXY,
                                                      RATELIMIT_GLOBAL_ON, RATELIMIT_GLOBAL_OFF.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.8
                        -----------------------------------------------------------------------------------------
                            [BUGFIX] Default launch now correctly uses HTTPS/TLS

                        -----------------------------------------------------------------------------------------
                        Version 0.5.7
                        -----------------------------------------------------------------------------------------
                            [FIX] Improved installation script
                            [ADD] Clearer explanation of rate limiting (wait time in milliseconds)

                        -----------------------------------------------------------------------------------------
                        Version 0.5.6
                        -----------------------------------------------------------------------------------------
                            [FIX] Better compatibility with Alpine and other Linux distributions

                        -----------------------------------------------------------------------------------------
                        Version 0.5.5
                        -----------------------------------------------------------------------------------------
                            [ADD] Introduced new 'prepare' command
                            [ADD] Program now launches as root and creates/uses the 'proxyauth' user to write in /etc/proxyauth
                            [TODO] Documentation is coming to explain this setup
                            [NOTE] First-time usage: run `sudo proxyauth prepare` before launching the app

                        -----------------------------------------------------------------------------------------
                        Version 0.5.4
                        -----------------------------------------------------------------------------------------
                            [ADD] Automatically create the configuration file using the GitHub repo.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.3
                        -----------------------------------------------------------------------------------------
                            [FIX] Replace host label with app to improve log display in Loki.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.2
                        -----------------------------------------------------------------------------------------
                            [ADD] Log integration for Loki/Grafana.

                        -----------------------------------------------------------------------------------------
                        Version 0.5.0
                        -----------------------------------------------------------------------------------------
                            [ADD] Experimental feature: forwarding of HTTPS requests.

                        -----------------------------------------------------------------------------------------
                        Version 0.4.2
                        -----------------------------------------------------------------------------------------
                            [FIX] Minor bug in proxy message

                        -----------------------------------------------------------------------------------------
                        Version 0.4.1
                        -----------------------------------------------------------------------------------------
                            [ADD] Proxy can now be configured in the routes.yml file

                        -----------------------------------------------------------------------------------------
                        Version 0.4.0
                        -----------------------------------------------------------------------------------------
                            [ADD] Rate limiting on the /auth route.
                            [ADD] Use Argon2 automatically to hash passwords in config.json

                        -----------------------------------------------------------------------------------------
                        Version 0.3.5
                        -----------------------------------------------------------------------------------------
                            [SECURITY] Improved security and re-checking of the factor if it exceeds the defined limit.
                            [SECURITY] Use of SHA-256 instead of SHA-1.
                            [SECURITY] Add HMAC-SHA256 over ChaCha20 AEAD

                        -----------------------------------------------------------------------------------------
                        Version 0.3.4
                        -----------------------------------------------------------------------------------------
                            [REFACTOR] Moved the utils methods into security.
                            [ADD] Enhanced hash security.

                        -----------------------------------------------------------------------------------------
                        Version 0.3.3
                        -----------------------------------------------------------------------------------------
                            [FIX] Bug with rate limiting when an anonymous user makes requests to unsecured routes (docs, etc.).
                            [ADD] Better logging / error handling: when token encryption fails,
                                  a warning log message with the source IP is emitted.

                        -----------------------------------------------------------------------------------------
                        Version 0.3.2
                        -----------------------------------------------------------------------------------------
                            [ADD] Improved log messages.
                            [ADD] Applied rate limiting only on proxy routes and not on /refresh_token.
                            [ADD] ulimit setting in Docker configuration for better performance.

                        -----------------------------------------------------------------------------------------
                        Version 0.3.1
                        -----------------------------------------------------------------------------------------
                            [ADD] delay_block setting in the config file.

                        -----------------------------------------------------------------------------------------
                        Version 0.3.0
                        -----------------------------------------------------------------------------------------
                            [ADD] Rate limiting per request and per user.

                        -----------------------------------------------------------------------------------------
                        Version 0.2.1
                        -----------------------------------------------------------------------------------------
                            [FIX] Bug related to date handling.
                            [ADD] Added logging via tracing.

                        -----------------------------------------------------------------------------------------
                        Version 0.2.0
                        -----------------------------------------------------------------------------------------
                            Improved user check — users are now checked via an index.
                            [BUG] Date checking issue still present.
                            Improved the /auth route algorithm.
                            Added Dockerfile and docker-compose.yml, built from rust:alpine.

                        -----------------------------------------------------------------------------------------
                        Version 0.1.0
                        -----------------------------------------------------------------------------------------
                            Implemented CHACHA20/SHA1/ROTATE algorithm for token handling.
                            Implemented request forwarding routes.
                            Added configuration files: routes.yml and config.json.
                            [BUG] Date checking issue to be fixed.
                            Added worker execution count handling.
                            [TODO] Improve user checking (ID inside ChaCha20)
                            (Performance improvement: no need to iterate through all users).

Dependencies Libs

