v1.0.0-beta0 · Apache 2.0 · by vBlackOut
GitHub 📦 Official Crates 🖥️ Demo 💬 Community
Documentation

ProxyAuth
Authenticate. Protect. Forward.

A blazing-fast authentication gateway built in Rust. Encrypts tokens with ChaCha20 + HMAC-BLAKE3, supports TOTP, CSRF protection, Redis multi-node sync, and handles 180,000+ req/s under load.

🦀 Rust Apache 2.0 ChaCha20 + BLAKE3 Argon2id Redis SSO TOTP CSRF
📝 Changelog 💬 Community 🖥️ Demo UI v1.0.0 🧩 Browser Extension 🤖 IA Service 📦 Official Crates 🐍 ppauth (Python)
180k+
req / sec
1.0.0
latest beta
Argon2
password hash

Overview #

🔐
Token Security
ChaCha20 + HMAC-BLAKE3. Tokens never stored raw.
Ultra Fast
180,000+ req/s. Built for production workloads in Rust.
🔑
Native SSO
GPG key export lets multiple instances share encryption.
🛡️
Password Hashing
Argon2id with auto-generated salts.
🚦
Rate Limiting
Per-route and per-user rate limiting on all endpoints.
🗺️
Flexible Routes
YAML routes with filters, load balancing and failover.
  1. Improve the security of your tokens with ChaCha20 + HMAC-BLAKE3.
  2. Accelerate backend development — auth handled at the proxy layer.
  3. Ultra-fast token verification 🚀 with LMDB + memory caching.
  4. Written in Rust 🦀 for memory safety and performance.
  5. Native SSO via GPG key export — multiple instances share token encryption.

Installation #

⚠️
Security NoticeProxyAuth generates its cryptographic secret randomly at build time. Never run a pre-built container from Docker Hub. Always build it yourself.

Auto Install via cURL

bash
# Latest stable version
$ curl -fsSL https://proxyauth.app/sh/install | bash

# Latest beta version
$ curl -fsSL https://proxyauth.app/sh/beta-install | bash

# Specific version (must be >= 0.5.6)
$ curl -fsSL https://proxyauth.app/sh/install@0.7.0 | bash

# Check service status
$ sudo systemctl status proxyauth

Docker Installation

bash
# Clone the Docker project
$ git clone https://git.proxyauth.app/ProxyAuth/Docker ProxyAuth && cd ProxyAuth/latest

# Set correct permissions (proxyauth user inside container)
$ sudo chown 1000:1000 config/config.json config/routes.yml

# Build and start
$ docker compose build && docker compose up -d

Uninstall #

bash
# Remove ProxyAuth, users, config and all files
$ curl -fsSL https://proxyauth.app/sh/uninstall | bash

CLI Commands #

ℹ️
The token ID in stats is not the real token — it's only a reference identifier. The real token is never stored.

proxyauth stats

bash
# Show stats via cURL (admin token is in /etc/proxyauth/config/config.json)
$ curl -k -H 'X-Auth-Token: [YOUR_TOKEN_ADMIN]' https://127.0.0.1:8080/adm/stats
json -- response
[
  {
    "user": "admin",
    "tokens": [
      {
        "token_id":    "QzK=8S*lx9A@gebUZBB%m$a5+uo@lPx*F+d2QdCssbA+sl(R",
        "count":       1,
        "delivery_at": "2025-05-28T18:18:02.251295314Z",
        "expire_at":   "2025-05-28T19:17:47Z"
      }
    ]
  }
]

Server Configuration #

📁
Config path: /etc/proxyauth/config/config.json (versions ≥ 0.5.6).
json -- /etc/proxyauth/config/config.json
💡 click a key 
{
  "token_expiry_seconds":   3600,
  "secret":                 "supersecretvalue",
  "host":                   "0.0.0.0",
  "port":                   8080,
  "worker":                 4,
  "num_instances":          2,
  "login_via_otp":          false,
  "tls":                    true,
  "stats":                  true,
  "max_idle_per_host":      200,
  "timezone":               "Europe/Paris",
  "redis":                  "redis://redis_server:6379",
  "session_cookie":         false,
  "max_age_session_cookie": 3600,
  "cors_origins": [
    "https://127.0.0.1",
    "https://demo.proxyauth.app"
  ],
  "log": {
    "type": "local"
  },
  "ratelimit_auth": {
    "burst":               10,
    "block_delay":         500,
    "requests_per_second": 10
  },
  "ratelimit_proxy": {
    "burst":               10,
    "block_delay":         500,
    "requests_per_second": 10
  },
  "users": [
    {
      "username": "admin",
      "password": "$argon2id$v=19$m=19456,t=2...",
      "allow":    ["192.168.1.0/24", "172.16.54.2"],
      "roles":    ["Administrator", "read", "write"]
    },
    {
      "username": "alice",
      "password": "$argon2id$v=19$m=19456,t=2...",
      "roles":    ["User", "read", "write"]
    }
  ]
}

Configuration Reference

token_expiry_secondsrequired
Duration in seconds before a token expires.
Range1 – 31 536 000 (max 5 years)
Default: 3600
secretrequired
Cryptographic signing secret for token encryption. Generate a secure random value of 64 characters or more.
Default: unset
host
IP address where the server listens for incoming connections.
Default: 0.0.0.0
port
Listening port.
Range1 – 65535
Default: 8080
worker
Number of worker threads per instance. Should match the number of available CPU cores.
Default: 4
num_instances
Number of ProxyAuth instances to launch. Each instance runs independently with its own worker threads.
Total concurrencynum_instances × worker
Example4 instances × 4 workers = 16 concurrent workers
Default: 2
tls
Enable or disable HTTPS/TLS listening.
Valuestrue | false
Default: false
login_via_otp
Enable or disable TOTP/OTP-based login.
Valuestrue | false
Default: false
timezone
IANA timezone used for token timestamps. All possible values →
ExamplesEurope/Paris   UTC   America/New_York
Default: Europe/Paris
session_cookie
Enables automatic setting of the session token as a Set-Cookie header after successful authentication. Allows seamless frontend integration without manual token handling.
Cookie flagsSecure   HttpOnly   SameSite=Strict
NoteOnly sent over HTTPS.
Default: false
max_age_session_cookie
Lifetime of the session cookie when session_cookie is enabled.
Range60 – 31 536 000 (1 minute to 1 year)
Example86400 = 24 hours
Default: 3600 (1 hour)
cors_origins
List of allowed origins for Cross-Origin Resource Sharing (CORS). CORS headers are applied dynamically based on the request Origin header.
TypeArray of strings — scheme + host, optional port
Example["https://127.0.0.1", "https://demo.proxyauth.app"]
Default: [] (CORS disabled)
redisnew
Enables multi-node synchronization of revoked tokens via Redis. Allows full SSO behavior across different services. Redis acts only as a sync bus — LMDB remains the source of truth.
Node behaviourEach node publishes token actions, stores expiry timestamps, and periodically pulls Redis updates into LMDB and RAM.
Example"redis://redis_server:6379"
Default: unset
max_idle_per_host
Maximum number of idle (keep-alive) connections kept open per host. Optimizes performance by reusing connections while preventing excessive resource usage.
Range0 – 3000
Default: 50
stats
Enable or disable token usage statistics.
Access viaGET /adm/stats  |  proxyauth stats CLI
Default: false
log
Logging destination configuration.
{"type":"local"}Local logging only, no remote output.
{"type":"loki","host":"127.0.0.1:1234"}Send structured logs to Grafana Loki.
{"type":"http","max_writes_log":10000}Expose logs via HTTP endpoint.
Default: {"type":"local"}
ratelimit_auth
Rate limiting applied to the /auth authentication endpoint.
requests_per_secondMax auth requests per second per client. Set 0 to disable.
burstExtra requests allowed beyond the per-second rate before blocking is enforced.
block_delayTime in milliseconds a client must wait after exceeding limits before retrying.
Default: disabled
ratelimit_proxy
Rate limiting applied to proxy forwarding routes. Same structure as ratelimit_auth.
requests_per_secondMax forward requests per second per client. Set 0 to disable.
burstExtra requests allowed before blocking is enforced.
block_delayWait time in milliseconds before the client can retry forwarding.
Default: disabled
users
Array of user objects for authentication.
usernameUsername used with the /auth route to obtain a token.
passwordArgon2id hashed password used with the /auth route.
allow (optional)List of allowed IP addresses or CIDR blocks. Only matching IPs can authenticate as this user. Example: ["192.168.1.0/24", "10.0.0.1"]
roles (optional)Array of roles injected into the x-user-roles HTTP header on each proxied request. Example: ["Administrator", "write", "read"]

Routes Configuration #

File: /etc/proxyauth/config/routes.yml

yaml -- /etc/proxyauth/config/routes.yml
💡 click a key 
routes:

  # Public route — no token required, path locked to exact target
  - prefix:      "/redoc"
    target:      "http://127.0.0.1:8000/redoc"
    secure:      false
    secure_path: true
    filters:
      default_allow: false
      allow:
        - field:   method
          pattern: "^GET$"
        - field:   path
          pattern: "^/redoc(?:/.*)?$"

  # Load-balanced route with weighted backends
  - prefix: "/api_test/openapi.json"
    target: "http://localhost:8000/api_test/openapi.json"
    secure: false
    backends:
      - url:    "http://localhost:8001/api_test/openapi.json"
        weight: 1
      - url:    "http://localhost:8002/api_test/openapi.json"
        weight: 2

  # Secured route — specific users + method/path/query filters
  - prefix:   "/api_test_default"
    target:   "http://localhost:8000/api_test_default"
    username: ["admin", "alice1", "alice15", "alice30"]
    filters:
      default_allow: false
      allow:
        - field:   method
          pattern: "^(?:GET|POST)$"
        - field:   path
          pattern: "^/api_test_default(?:/.*)?$"

  # Forward through another proxy, with header ACL
  - prefix:       "/api_test_proxy"
    target:       "http://localhost:8000/api_test_proxy"
    username:     ["admin", "alice1"]
    proxy:        true
    proxy_config: "http://127.0.0.1:8888"
    filters:
      default_allow: false
      allow:
        - field:   header
          name:    "^X-API-Key$"
          pattern: "^[0-9a-f]{32}$"

  # mTLS forwarding with PKCS#12 certificate + JSON body filter
  - prefix:   "/api_test_cert"
    target:   "https://localhost:8000/api_test_cert"
    username: ["admin"]
    cert:
      file:     "certificat.p12"
      password: "1234"
    filters:
      default_allow: false
      allow:
        - field:   method
          pattern: "^POST$"
        - field:   body_json
          key:     status
          pattern: "^active$"

Route Options Reference

prefixrequired
Defines the URL prefix used to match incoming requests and forward them to the target service.
targetrequired
Specifies the destination URL or service that will receive the forwarded request.
secure
Determines whether the route requires a valid authentication token.
trueToken is required to access this route.
falseRoute is public — no token needed.
Default: true
secure_path
Forces all requests to be forwarded strictly to the exact target URL, ignoring the request sub-path. Prevents sub-path traversal and external redirects.
ExampleTarget http://localhost:8000/api/endpoint
/api/endpoint/other still forwarded to http://localhost:8000/api/endpoint
Default: false
usernameoptional
A list of allowed usernames authorized to access this route. If unset, all authenticated users may access it.
Example["admin", "alice"]
Default: unset (all users allowed)
backendsoptional
Defines load balancing and failover by providing multiple backend targets.
urlURL of the backend service.
weightLoad balancing weight. Higher = more traffic. e.g. weight 3 vs 1 = 75%/25%.
weight: -1Disables load balancing for this backend — used as failover only if all active backends fail.
proxy
Enable forwarding through another HTTP proxy before reaching the final target.
Valuestrue | false
Default: false
proxy_configoptional
Address of the intermediate HTTP proxy.
Formathttp://host:port
Default: unset
certexperimental
SSL/TLS client certificate configuration for mTLS forwarding (PKCS#12).
filePath to the .p12 certificate file. Example: certificate.p12
passwordPassword used to unlock the certificate.
Default: unset
filters
filters

Defines allow/deny rules evaluated before forwarding. All allow conditions must match for the request to pass. A matching deny rule blocks immediately.

default_allow boolean
Sets the default behaviour when no rule matches.
true = allow by default  |  false = deny by default
allow list
List of condition objects. All listed conditions must match for the request to be permitted.
Condition fields — value for field
method Matches the HTTP method (GET, POST, PUT, DELETE…)
patternRegex tested against the method string. example^GET$ — allow only GET requests
path Matches the request URI path (without query string)
patternRegex tested against the path. example^/api/v[0-9]+/users$
header Matches a specific HTTP request header
nameRegex tested against the header name. patternRegex tested against the header value. examplename: ^X-API-Key$   pattern: ^[0-9a-f]{32}$
query Matches a URL query string parameter
nameRegex tested against the parameter name. patternRegex tested against the parameter value. examplename: ^token$   pattern: ^[0-9a-f-]{36}$
body_raw Matches the raw request body as plain text or binary
patternRegex tested against the entire body content. example(?i)DROP\s+TABLE — detect SQL injection attempts
body_json Matches a specific value inside a JSON request body
keyTop-level JSON key to extract (dot notation not supported). patternRegex tested against the extracted value. examplekey: status   pattern: ^active$

Keystore Export / Import #

Share cryptographic keys across multiple ProxyAuth instances for multi-service SSO.

⚠️
Root required. Run the export command as root.
bash -- export
$ sudo proxyauth sync export
# Output: Key export successful

# Two files are created in the current directory:
$ ls -al
-rw-r--r-- 1 root root  488 14 juin 18:55 data.pgp
-rw-r--r-- 1 root root 1885 14 juin 18:55 key.asc
bash -- import on new instance
# Create the import directory
$ mkdir -p /etc/proxyauth/import

# Set permissions for the proxyauth user
$ sudo chown proxyauth:proxyauth \
    /etc/proxyauth/import/data.gpg \
    /etc/proxyauth/import/key.asc

Once keys are imported, both instances share the same encryption — tokens are valid across services.

Credential Route #

Authenticate and receive an encrypted token.

POST[host:port]/auth
HeaderContent-Type: application/json
Body{"username": "<string>", "password": "<string>"}
NoteRate limiting configurable via ratelimit_auth
bash
# Default: admin / admin123 — change in config.json
$ curl -k -X POST https://127.0.0.1:8080/auth \
    -H "Content-Type: application/json" \
    -d '{"username": "admin", "password": "admin123"}'
http
HTTP/1.1 200 OK
content-type:          application/json
x-ratelimit-remaining: 4
x-ratelimit-limit:     5

{
  "expires_at": "2025-04-27 09:37:05",
  "token":      "85l19fN5l+DKozxk29xeMtw2PgH/aNnVAgEJLxNo8M7xs..."
}
http
HTTP/1.1 429 Too Many Requests
x-ratelimit-remaining: 0
x-ratelimit-limit:     5
x-ratelimit-after:     6
retry-after:           6

Too many requests, retry in 6s
sequenceDiagram autonumber participant C as Client participant P as ProxyAuth C->>+P: POST /auth {"username":"user","password":"pass"} P->>+P: Verify credentials (Argon2id) P-->>-C: {"expires_at":"…", "token":"4GJeCUwOzILd…"}

TOTP Mechanism #

POST[host:port]/adm/auth/totp/get
HeaderContent-Type: application/json
Body{"username": "<string>", "password": "<string>"}
bash
$ curl -k -X POST https://127.0.0.1:8080/adm/auth/totp/get \
    -H "Content-Type: application/json" \
    -d '{"username": "admin", "password": "admin123"}'
json
{
  "otpauth_uri": "otpauth://totp/ProxyAuth%3Aadmin?secret=4DX6B7CVQ...&issuer=ProxyAuth",
  "otpkey":      "4DX6B7CVQ24LHNIDBENSZI54Q2RTPC7D4AFNRPKHX7VCW3T6IVGQ"
}

ppauth-cli (Python)

bash
$ pip install ppauth
$ ppauth-cli registry otp \
    --host         127.0.0.1 \
    --port         8080 \
    --username     admin \
    --password     admin123 \
    --no-tls-verify

Forward Route #

ALLhttps://[host:port]/[prefix]
HeaderAuthorization: Bearer <your_token>
NoteRoute must have secure: true in routes.yml (default)
bash
$ curl -k -X GET https://127.0.0.1:8080/api_test \
    -H "Authorization: Bearer YOUR_TOKEN_HERE"

Scenario 1 — Valid Token

sequenceDiagram autonumber participant C as Client participant P as ProxyAuth participant A as API/Service C->>+P: Authorization: Bearer <token> P->>+P: Verify token (LMDB + memory) P->>+A: Forward original request (no token) A-->>-P: Response P-->>-C: Response

Scenario 2 — Invalid / Expired Token

sequenceDiagram autonumber participant C as Client participant P as ProxyAuth participant A as API/Service C->>+P: Authorization: Bearer <expired_token> P->>+P: Verify token FAIL P-->>-C: 401 Invalid Token Note over A: No upstream request made

Forward via Other Proxy #

ℹ️
Enable with proxy: true and set proxy_config in routes.yml.
sequenceDiagram autonumber participant C as Client participant P as ProxyAuth participant P2 as Other Proxy participant A as API/Service C->>+P: Authorization: Bearer <token> P->>+P: Verify token P->>+P2: Forward request P2->>+A: Forward A-->>-P2: Response P2-->>-P: Response P-->>-C: Response

HTTPS / PKCS#12 Forwarding #

🧪
Experimental — available since v0.6.21. Not tested in all environments.

Forward requests to HTTPS/TLS services using a client certificate (PKCS#12 / .p12). Configure via the cert key in routes.yml.

HTTPS Forwarding #

ℹ️
Requires a valid certificate (Let's Encrypt or other trusted CA) on the target service.
sequenceDiagram autonumber participant C as Client participant P as ProxyAuth participant A as HTTPS Service C->>+P: HTTPS request with Bearer token P->>+P: Verify token P->>+A: Forward over HTTPS A-->>-P: Response P-->>-C: Response

Return Block Error #

Applies when session_cookie: true. Errors are embedded in HTML comments for programmatic parsing.

html -- error block format
<!-- BEGIN_BLOCK_ERROR -->
<!--
  <div id="error_display" class="col-lg-5">
    {{ error }}
  </div>
-->
<!-- END_BLOCK_ERROR -->

Scenario 1 — Valid token: 200/204 — no error block included.

Scenario 2 — Invalid/expired token: 401 — error block included with the actual message replacing {"{{ error }}"}.

CSRF Protection #

Applies when session_cookie: true. ProxyAuth injects CSRF tokens server-side — any {"{{ csrf_token }}"} in proxied HTML is replaced automatically.

HTML Form

html
<form method="POST" action="/orders/create">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
  <input type="text"   name="item"       required>
  <button type="submit">Create order</button>
</form>

JavaScript (fetch)

javascript
// Read the injected token from the DOM
const csrf = document.querySelector('input[name="csrf_token"]')?.value;

// Include it in the request body
const body = new URLSearchParams({ csrf_token: csrf, data: "test" });
fetch("/api/write", {
  method:  "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body,
});
sequenceDiagram autonumber participant B as Browser participant P as ProxyAuth participant S as App/Service B->>+P: GET /form (HTML with csrf_token placeholder) P-->>-B: 200 HTML (token injected) B->>+P: POST /submit (csrf_token=VALID) P->>+S: Forward request S-->>-P: 200 OK P-->>-B: 200 OK B->>+P: POST /submit (missing/invalid token) P-->>-B: 403 Forbidden Note over S: No upstream call made

Logs via Loki #

Integrate with Grafana Loki for real-time log visualization. Add to config.json:

json
{
  "log": {
    "type": "loki",
    "host": "127.0.0.1:5000"
  }
}

Sample Grafana dashboard: github.com/ProxyAuth/Grafana

Changelog #

v1.0.0-beta0 latest
  • [ADD]Redis multi-node token sync for full SSO
  • [ADD]CSRF token injection and validation
  • [ADD]Session cookie support
  • [PERF]180,000+ requests/second under load
v0.8.13
  • [FIX]Update base32 handling
v0.8.12
  • [CLEAN]Remove unused dependencies
v0.8.11
  • [FIX]Fix sorted key inside config.json after reboot
v0.8.10
  • [FIX]Nginx bad Host header returning 400
  • [SEC]CVE update: sequoia-opengpg ≥ 2.1, tracing-subscriber ≥ 0.3.20
v0.8.8
  • [ADD]Auto-reload TLS certificates for external server
  • [ADD]~354 tests, ~50% code coverage
  • [FIX]Better logs
v0.8.7
  • [ADD]Route Prefix Reordering: Longest to Shortest Match
  • [ADD]Canonicalize URL
  • [ADD]ACL route filters
  • [ADD]Allow methods in routes.yml
  • [ADD]preserve_prefix in routes.yml
  • [ADD]secure_path in routes.yml
v0.8.6
  • [FIX]CORS Options for OTP registry
  • [ADD]Forward x-user header to backends
  • [ADD]csrf_token validate-generate
  • [ADD]Control cache routes
  • [FIX]Fix rules routes
v0.8.5 / v0.8.4
  • [ADD]Cookie session
  • [ADD]max_age_session_cookie
  • [ADD]CORS support
  • [FIX]Rate limit behavior
  • [MOVE]Timezone to token::security
  • [ADD]ProxyAuth now supports auth via session_token cookie and Authorization: Bearer
v0.8.3
  • [MULTI]Database (multi-instance Docker) to RAM sync every 15 seconds
v0.8.2
  • [ADD]x-user-roles header injection
  • [ADD]Initial implementation of token revocation
v0.8.1
  • [ADD]Option max_connections
  • [ADD]Option pending_connections_limit
  • [ADD]Option socket_listen
  • [ADD]Option keep_alive
  • [ADD]Option client_timeout
  • [ADD]Option num_instances
  • [OPT]XOR Algorithm transform hash (+30% better)
v0.8.0
  • [SEC]IP restriction per user for authentication (optional)
  • [SEC]Change HMAC-SHA256 to HMAC-BLAKE3 (speed ~+50%)
  • [PERF]Caching HMAC-BLAKE3 key for better performance
  • [PERF]Optimized Ahasher type for CLIENT_POOL / PROXY_POOL
v0.7.13
  • [ADD]Nix-Shell support
  • [ADD]rustfmt edition
  • [FIX]Minor timezone issue
  • [FIX]Minor deprecated method .timestamp()
v0.7.12
  • [ADD]TOTP Login mechanism
  • [ADD]Command --version
  • [FIX]Logging bug when loading config on startup
  • [FIX]Possible disable log on option
  • [PERF]Better performance loadbalancer
v0.7.4
  • [ADD]Export/import keystores for multi-service cryptographic integration
  • [SEC]Rewrite all headers from original requests, replace server name
v0.7.3
  • [ADD]Export build parameters for GPG multi-service integration
  • [ADD]New cryptographic build export generated by GPG file
v0.7.2
  • [ADD]Better proxy logs
  • [ADD]Token ID random over timestamp
  • [ADD]Reuse client cache
v0.7.1
  • [ADD]Failover to backup backends if primary route is unreachable
  • [ADD]Timezone support when creating tokens
  • [ADD]expire_at and delivery_at fields in token stats
v0.6.21
  • [FIX]Design improved, proxy functionality restored
  • [FIX]Rate limiting now applied per route and per user
v0.6.9
  • [CLEAN]Clean all compiler warnings
  • [ADD]😅 Sorry for deploying so many versions in such a short time
v0.6.8
  • [ADD]Download default config from proxyauth.app
  • [ADD]Check build version status via proxyauth.app to detect invalid or yanked versions
v0.6.5
  • [PERF]Complete rewrite of proxy architecture
  • [DISABLED]Proxy forwarding via routes.yml (temporarily)
  • [DISABLED]Certificate-based forwarding in routes.yml (temporarily)
  • [ADD]HTTPS forwarding when valid certificates are present
  • [ADD]Disable/Enable/Redirect logs on Loki/local
  • [ADD]Disable/Enable stats
  • [ADD]Disable/Enable ratelimit
  • [PERF]~600k HTTPS requests/sec on server hardware
v0.6.1 – v0.6.3
  • [OPT]Optimized configuration
v0.6.0
  • [ADD]HTTP/2, HTTPS only, auto-generate certs in /etc/proxyauth/certs/
v0.5.34
  • [REBUILD]Rebuild all proxy conception
v0.5.28
  • [BUG]Fix load configuration ratelimit when key is unset or requests_per_seconds is 0
v0.5.23 – v0.5.27
  • [PERF]Improve performance ~1 million requests per second
v0.5.22
  • [SEC]Rotate random params
v0.5.21
  • [SEC]Better security hash token ID
v0.5.20
  • [OPT]Better performance
v0.5.19
  • [FIX]ratelimit not detecting configuration
v0.5.17
  • [FIX]Launch cmd proxyauth stats for user
v0.5.15
  • [FIX]cmd cli stats for routes /adm/stats
v0.5.14
  • [ADD]Clear project /adm/stats
v0.5.12 – v0.5.13
  • [ADD]Route Admin /adm/stats
  • [ADD]New CLI command proxyauth stats to display token usage statistics
  • [ADD]Token usage stats per user
v0.5.11
  • [ADD]Token usage stats per user
v0.5.10
  • [ADD]Improved rate limit configuration for proxy routes and the /auth endpoint
v0.5.9
  • [UPDATE]Launching Actix Web with rate limiting. Modes: NO_RATELIMIT_AUTH, NO_RATELIMIT_PROXY, RATELIMIT_GLOBAL_ON/OFF
v0.5.8
  • [BUG]Default launch now correctly uses HTTPS/TLS
v0.5.7
  • [FIX]Improved installation script
  • [ADD]Clearer explanation of rate limiting (wait time in milliseconds)
v0.5.6
  • [FIX]Better compatibility with Alpine and other Linux distributions
v0.5.5
  • [ADD]New 'prepare' command
  • [ADD]Program now launches as root and creates/uses the 'proxyauth' user to write in /etc/proxyauth
v0.5.4
  • [ADD]Create configuration file automatically from GitHub repo
v0.5.3
  • [FIX]Replace host label with app to improve log display in Loki
v0.5.2
  • [ADD]Integration log for Loki/Grafana
v0.5.0
  • [ADD]Experimental feature: forward on HTTPS requests
v0.4.2
  • [BUG]Minor bug over message proxy
v0.4.1
  • [ADD]Possible config proxy on file routes.yml
v0.4.0
  • [ADD]Rate limiting over routes /auth
  • [ADD]Auto Argon2 for encrypting password in config.json
v0.3.5
  • [SEC]Improved security and re-checking of factor if it exceeds the defined limit
  • [SEC]Use SHA-256 instead of SHA-1
  • [SEC]Add HMAC SHA-256 over ChaCha20 AED
v0.3.4
  • [REFACTO]Moved the utils method into security
  • [ADD]Enhanced hash security
v0.3.3
  • [FIX]Bug with rate limiting when anonymous user makes requests to unsecured routes
  • [ADD]Better logging / error handling when token encryption fails — triggers warning log with source IP
v0.3.2
  • [ADD]Improved log messages
  • [ADD]Applied rate limiting only on proxy routes, not on /refresh_token
  • [ADD]ulimit setting in Docker configuration for better performance
v0.3.1
  • [ADD]delay_block setting in the config file
v0.3.0
  • [ADD]Rate limiting per request and per user
v0.2.1
  • [FIX]Bug related to date handling
  • [ADD]Added logging via tracing
v0.2.0
  • [ADD]Improved user check via index
  • [ADD]Improved the /auth route algorithm
  • [ADD]Added Dockerfile and docker-compose.yml (built from rust:alpine)
  • [BUG]Date checking issue still present
v0.1.0
  • [ADD]Implemented ChaCha20/SHA1/ROTATE algorithm for token handling
  • [ADD]Implemented request forwarding routes
  • [ADD]Added configuration files: routes.yml and config.json
  • [ADD]Worker execution count handling

Dependencies #

📦
Dependencies are loaded dynamically from the ProxyAuth crates API.