
octo-proxy's Introduction

🐙 Octo-Proxy

Octo-proxy, or octo, is a simple TCP & TLS proxy with mutual authentication and traffic mirroring/shadowing support.


Feature

  • Accept TCP connection and forward/mirror it to TCP
  • Accept TCP connection and forward/mirror it to TLS (w/ mTLS)
  • Accept TLS (w/ mTLS) connection and forward/mirror it to TCP
  • Accept TLS (w/ mTLS) connection and forward/mirror it to TLS (w/ mTLS)
  • Support for multiple targets, accessed in random order (load balancer)
  • Reload configuration or certificate without dropping connection
  • Expose metrics that can be consumed by prometheus

Usage

Run octo with ad-hoc command

octo-proxy -listener 127.0.0.1:8080 -target 127.0.0.1:80

Run with -debug to get a more verbose log output.

Run Octo as TCP Proxy with metrics on port 9123

# config.yaml
servers:
- name: web-proxy
  listener:
    host: 127.0.0.1
    port: 8080
  targets:
    - host: 127.0.0.1
      port: 80
    - host: 127.0.0.1
      port: 81

metrics:
  host: 0.0.0.0
  port: 9123

octo -config config.yaml

Run Octo as TLS Proxy w/ mTLS

# config.yaml
servers:
- name: web-proxy
  listener:
    host: 0.0.0.0
    port: 8080
    tls:
      mode: mutual
      caCert: /tmp/ca-cert.pem
      cert: /tmp/cert.pem
      key: /tmp/cert-key.pem
  targets:
    - host: 127.0.0.1
      port: 80

metrics:
  host: 0.0.0.0
  port: 9123

octo-proxy -config config.yaml

Run Octo as TLS Proxy and Mirror traffic to other backend

# config.yaml
servers:
- name: web-proxy
  listener:
    host: 0.0.0.0
    port: 8080
    tls:
      mode: simple
      cert: /tmp/cert.pem
      key: /tmp/cert-key.pem
  targets:
    - host: 127.0.0.1
      port: 80
  mirror:
    host: 172.16.0.1
    port: 80

octo-proxy -config config.yaml

See CONFIGURATION.md for all configuration options.

Reloading Octo-proxy

After changing the configuration or certificates, send the signal SIGUSR1 or SIGUSR2 to the octo-proxy process. The configuration is reloaded only if it is valid.

Octo-proxy binds its listeners with SO_REUSEPORT. On every reload it creates a new listener and drops the old one only after the new one has been created, which minimizes dropped connections when a reload is triggered.

Monitoring

Metrics are configured through the metrics section in the config file and are served under the /metrics path of the configured host and port.

LICENSE

octo-proxy's People

Contributors

nothinux, zonque


octo-proxy's Issues

Add some topics to the GitHub description

Very nice project, clean and simple! I had some trouble finding it though, hence I would recommend adding some topics to the GitHub description. tcp, mtls, proxy and reverse-proxy come to mind.

Certificate revocation list

Hi,

I am looking into octo-proxy and so far it looks great!

One thing that came to me while looking at it is that it appears to have no interface for a certificate revocation list. With the service being exposed and using mTLS as the authorization and authentication layer of clients, it would make a lot of sense to provide a way to revoke/close access to a client that has a valid (not expired) certificate issued by the CA that both ends trust.

Would that be something you'd consider adding?
