Simple Proxy Server

This proxy works around a TLS termination problem in development Kubernetes environments that use self-signed certificates for secure communication. It is a lightweight HTTP proxy server built with Axum that forwards all requests to a configurable target URL.

Security Considerations

⚠️ Important Security Warnings:

  • TLS Certificate Validation Disabled: The proxy accepts invalid/self-signed certificates from the target server, making the upstream connection vulnerable to man-in-the-middle attacks
  • Development/Testing Only: This proxy is not intended for production use
  • No Authentication: The proxy has no authentication or authorization mechanisms
  • Permissive CORS: Allows cross-origin requests from any domain
  • Unfiltered Forwarding: All requests are forwarded without validation or sanitization

As a safety precaution, this crate is not published to crates.io. You must build from source.

Features

  • Flexible Configuration: Environment variable and .env file support for easy setup
  • Full HTTP Support: Forwards all HTTP methods (GET, POST, PUT, DELETE, etc.)
  • Header Preservation: Maintains request and response headers (filtering out hop-by-hop headers)
  • Body Forwarding: Preserves request and response bodies
  • Self-Signed Certificate Support: Accepts invalid/self-signed TLS certificates
  • Error Handling: Comprehensive error handling with proper HTTP status codes
  • Logging: Built-in tracing for request monitoring
  • CORS Support: Includes permissive CORS headers

Configuration

The proxy server supports flexible configuration through environment variables and a .env file.

Environment Variables

  • PROXY_TARGET: The target URL to proxy requests to (default: https://machine.127.0.0.1.sslip.io)
  • PROXY_BIND_ADDR: The address and port to bind the server to (default: 127.0.0.1:3030)

.env File Support

The application automatically loads configuration from a .env file in the project root:

PROXY_TARGET=https://your-target-server.com
PROXY_BIND_ADDR=127.0.0.1:3030

To change the configuration:

  1. Create or edit the .env file in the project root
  2. Set the desired values for PROXY_TARGET and/or PROXY_BIND_ADDR
  3. Restart the application

You can also set these environment variables directly in your shell or deployment environment.

Building

# Check compilation
cargo check

# Build release version
cargo build --release

# Run in development mode
cargo run

Running

The server listens on 127.0.0.1:3030 by default (configurable via PROXY_BIND_ADDR).

# Start the proxy server (uses .env file if present)
cargo run

# Or with environment variables
# (0.0.0.0 listens on all interfaces; the proxy has no authentication)
PROXY_TARGET=https://your-target.com PROXY_BIND_ADDR=0.0.0.0:8080 cargo run

# With the default configuration, the server will output:
# Simple proxy server starting on http://127.0.0.1:3030
# Proxying requests to: https://machine.127.0.0.1.sslip.io

Configuration Priority

Configuration values are resolved in the following order (later sources override earlier ones):

  1. Default values (hardcoded in the application)
  2. .env file (if present)
  3. System environment variables
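
The precedence described above, shown as an added example rather than the project's own code. The function names, the minimal .env parser, and the `exposed` flag for non-loopback bind addresses are assumptions made for illustration; the crate itself may load .env differently.

```rust
use std::collections::HashMap;
use std::net::SocketAddr;

// Defaults as documented in this README.
const DEFAULT_TARGET: &str = "https://machine.127.0.0.1.sslip.io";
const DEFAULT_BIND: &str = "127.0.0.1:3030";

#[derive(Debug)]
pub struct Config {
    pub target: String,
    pub bind: SocketAddr,
    pub exposed: bool, // assumed flag: true when the listener is reachable beyond loopback
}

/// Parse KEY=VALUE lines; blank lines and `#` comments are skipped.
pub fn parse_dotenv(text: &str) -> HashMap<String, String> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
        .collect()
}

/// Resolve one key: system environment first, then .env, then the default.
fn pick(key: &str, env: &HashMap<String, String>, dotenv: &HashMap<String, String>, default: &str) -> String {
    env.get(key).or_else(|| dotenv.get(key)).cloned().unwrap_or_else(|| default.to_string())
}

/// Hypothetical helper: `env` stands in for the process environment.
pub fn resolve(env: &HashMap<String, String>, dotenv_text: &str) -> Result<Config, String> {
    let dotenv = parse_dotenv(dotenv_text);
    let target = pick("PROXY_TARGET", env, &dotenv, DEFAULT_TARGET);
    let bind_raw = pick("PROXY_BIND_ADDR", env, &dotenv, DEFAULT_BIND);
    let bind: SocketAddr = bind_raw.parse().map_err(|e| format!("PROXY_BIND_ADDR {bind_raw:?}: {e}"))?;
    let exposed = !bind.ip().is_loopback();
    Ok(Config { target, bind, exposed })
}

fn main() {
    // Constructed sample input: a .env file plus one shell override.
    let dotenv = "# dev settings\nPROXY_TARGET=https://your-target-server.com\nPROXY_BIND_ADDR=127.0.0.1:3030\n";
    let env = HashMap::from([("PROXY_BIND_ADDR".to_string(), "0.0.0.0:8080".to_string())]);
    let cfg = resolve(&env, dotenv).expect("valid configuration");
    println!("target={} bind={} exposed={}", cfg.target, cfg.bind, cfg.exposed);
    if cfg.exposed {
        eprintln!("warning: unauthenticated proxy is listening beyond loopback");
    }
}
```

Here the shell override wins for PROXY_BIND_ADDR while PROXY_TARGET still comes from the .env file, and the non-loopback bind address is flagged.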

Usage Examples

Once running, you can send requests to the proxy server:

# GET request
curl http://127.0.0.1:3030/

# POST request with JSON data
curl -X POST http://127.0.0.1:3030/ \
  -H "Content-Type: application/json" \
  -d '{"key": "value"}'

# Any path will be forwarded
curl http://127.0.0.1:3030/api/health
curl http://127.0.0.1:3030/some/path

All requests will be forwarded to the configured target URL while preserving:

  • HTTP method
  • Request path and query parameters
  • Headers (except hop-by-hop headers)
  • Request body

Logging

The server uses structured logging via tracing. Set the RUST_LOG environment variable to control log levels:

# Debug level logging
RUST_LOG=debug cargo run

# Info level (default)
RUST_LOG=info cargo run

# Only errors
RUST_LOG=error cargo run

TLS/Certificate Handling

The proxy is configured to accept self-signed and invalid TLS certificates from the target server. This is accomplished using the danger_accept_invalid_certs(true) setting in the reqwest client configuration.

This feature allows the proxy to connect to:

  • Servers with self-signed certificates
  • Servers with expired certificates
  • Servers with certificates that don't match the hostname
  • Development/testing environments with invalid certificates

⚠️ Security Warning: This setting disables certificate validation, which makes the connection vulnerable to man-in-the-middle attacks. Only use this for development, testing, or trusted network environments.

Architecture

  • Framework: Axum web framework
  • HTTP Client: reqwest with rustls-tls
  • Async Runtime: Tokio
  • Logging: tracing with tracing-subscriber

Testing

The project includes unit tests for proxy functionality.

Running Tests

# Run all tests
cargo test