# Simple Proxy Server

This implementation addresses a challenge of TLS termination within development Kubernetes environments that leverage self-signed certificates for secure communication. 
It is a lightweight HTTP proxy server built with Axum that forwards all requests to a configurable target URL.

## Security Considerations

⚠️ **Important Security Warnings**:

- **TLS Certificate Validation Disabled**: The proxy accepts invalid/self-signed certificates, making it vulnerable to man-in-the-middle attacks
- **Development/Testing Only**: This proxy is not intended for production use
- **No Authentication**: No authentication or authorization mechanisms
- **Permissive CORS**: Allows cross-origin requests from any domain
- **Unfiltered Forwarding**: All requests are forwarded without validation or sanitization

> As a safety precaution, this crate is not published to crates.io. You must build from source.

## Features

- **Flexible Configuration**: Environment variable and .env file support for easy setup
- **Full HTTP Support**: Forwards all HTTP methods (GET, POST, PUT, DELETE, etc.)
- **Header Preservation**: Maintains request and response headers (filtering out hop-by-hop headers)
- **Body Forwarding**: Preserves request and response bodies
- **Self-Signed Certificate Support**: Accepts invalid/self-signed TLS certificates
- **Error Handling**: Comprehensive error handling with proper HTTP status codes
- **Logging**: Built-in tracing for request monitoring
- **CORS Support**: Includes permissive CORS headers

## Configuration

The proxy server supports flexible configuration through environment variables and a `.env` file.

### Environment Variables

- `PROXY_TARGET`: The target URL to proxy requests to (default: `https://machine.127.0.0.1.sslip.io`)
- `PROXY_BIND_ADDR`: The address and port to bind the server to (default: `127.0.0.1:3030`)

### .env File Support

The application automatically loads configuration from a `.env` file in the project root:

```env
PROXY_TARGET=https://your-target-server.com
PROXY_BIND_ADDR=127.0.0.1:3030
```

To change the configuration:
1. Create or edit the `.env` file in the project root
2. Set the desired values for `PROXY_TARGET` and/or `PROXY_BIND_ADDR`
3. Restart the application

You can also set these environment variables directly in your shell or deployment environment.

## Building

```bash
# Check compilation
cargo check

# Build release version
cargo build --release

# Run in development mode
cargo run
```

## Running

The server listens on `127.0.0.1:3030` by default (configurable via `PROXY_BIND_ADDR`).

```bash
# Start the proxy server (uses .env file if present)
cargo run

# Or with environment variables
PROXY_TARGET=https://your-target.com PROXY_BIND_ADDR=0.0.0.0:8080 cargo run

# The server will output:
# Simple proxy server starting on http://127.0.0.1:3030
# Proxying requests to: https://machine.127.0.0.1.sslip.io
```

### Configuration Priority

Environment variables are loaded in the following order (later sources override earlier ones):
1. Default values (hardcoded in the application)
2. `.env` file (if present)
3. System environment variables

## Usage Examples

Once running, you can send requests to the proxy server:

```bash
# GET request
curl http://127.0.0.1:3030/

# POST request with JSON data
curl -X POST http://127.0.0.1:3030/ \
  -H "Content-Type: application/json" \
  -d '{"key": "value"}'

# Any path will be forwarded
curl http://127.0.0.1:3030/api/health
curl http://127.0.0.1:3030/some/path
```

All requests will be forwarded to the configured target URL while preserving:
- HTTP method
- Request path and query parameters
- Headers (except hop-by-hop headers)
- Request body

## Logging

The server uses structured logging via `tracing`. Set the `RUST_LOG` environment variable to control log levels:

```bash
# Debug level logging
RUST_LOG=debug cargo run

# Info level (default)
RUST_LOG=info cargo run

# Only errors
RUST_LOG=error cargo run
```

## TLS/Certificate Handling

The proxy is configured to accept self-signed and invalid TLS certificates from the target server. This is accomplished using the `danger_accept_invalid_certs(true)` setting in the reqwest client configuration.

This feature allows the proxy to connect to:
- Servers with self-signed certificates
- Servers with expired certificates
- Servers with certificates that don't match the hostname
- Development/testing environments with invalid certificates

**⚠️ Security Warning**: This setting disables certificate validation, which makes the connection vulnerable to man-in-the-middle attacks. Only use this for development, testing, or trusted network environments.

## Architecture

- **Framework**: Axum web framework
- **HTTP Client**: reqwest with rustls-tls
- **Async Runtime**: Tokio
- **Logging**: tracing with tracing-subscriber

## Testing

The project includes unit tests for proxy functionality.

### Running Tests

```bash
# Run all tests
cargo test
```