High-performance reverse proxy with passive fingerprinting capabilities powered by Huginn Net.
Huginn Proxy is a reverse proxy built in Rust that combines traditional load balancing and request forwarding with advanced passive fingerprinting capabilities. It leverages the Huginn Net fingerprinting libraries to extract TLS (JA4) and HTTP/2 (Akamai) fingerprints from client connections, injecting them as headers for downstream services.
Note: This project is currently in active development.
cargo build --releaseCreate config.toml:
listen = "0.0.0.0:7000"
backends = [
{ address = "backend:8080", http_version = "preserve" }
]
routes = [
{ prefix = "/", backend = "backend:8080" }
]
[tls]
cert_path = "/path/to/cert.pem"
key_path = "/path/to/key.pem"
alpn = ["h2", "http/1.1"]
[fingerprint]
tls_enabled = true
http_enabled = truegit clone https://github.com/biandratti/huginn-proxy.git
cd huginn-proxy
cargo build --releasedocker build -t huginn-proxy .
docker run -v /path/to/config.toml:/config.toml huginn-proxy /config.toml- HTTP/1.x & HTTP/2 - Full support for both protocol versions
- Load Balancing - Round-robin load balancing across multiple backends
- Path-based Routing - Route matching with prefix support
- TLS Termination - Server-side TLS with ALPN, certificate hot reload (single certificate per configuration)
- Passive Fingerprinting - Automatic TLS (JA4) and HTTP/2 (Akamai) fingerprint extraction
- X-Forwarded- Headers* - Automatic injection of proxy forwarding headers
- High Performance - Built on Tokio and Hyper
- Easy Deployment - Single binary, Docker-ready
Fingerprints are automatically extracted and injected as headers:
- TLS (JA4):
x-huginn-net-ja4- Extracted from all TLS connections using huginn-net-tls - HTTP/2 (Akamai):
x-huginn-net-akamai- Extracted from HTTP/2 connections only using huginn-net-http
Examples:
x-huginn-net-ja4: t13d1516h2_8afaf4b9491c_00_0403040303030103010302_01
x-huginn-net-akamai: 1:65536,2:0,3:1000,4:6291456,6:262144|15663105|0|m,p,a,s
See JA4 specification and Blackhat EU 2017 for details.
The proxy automatically injects standard X-Forwarded-* headers to inform backends about the original client request:
- X-Forwarded-For: Client IP address (appended if already present)
- X-Forwarded-Host: Original Host header value
- X-Forwarded-Port: Client port number
- X-Forwarded-Proto: Protocol used (
httporhttps)
These headers always override any client-provided values to prevent spoofing.
listen = "0.0.0.0:7000"
backends = [
{ address = "backend-a:8080", http_version = "preserve" },
{ address = "backend-b:8080", http_version = "preserve" }
]
routes = [
{ prefix = "/api", backend = "backend-a:8080", fingerprinting = true },
{ prefix = "/static", backend = "backend-b:8080", fingerprinting = false }
]
[tls]
cert_path = "/path/to/cert.pem"
key_path = "/path/to/key.pem"
alpn = ["h2", "http/1.1"]See examples/docker-compose.yml for a complete setup with TLS termination, multiple backends, and path-based routing.
- Fingerprinting Overhead: ~2.2% (minimal impact)
- Concurrent Connections: Handles thousands of concurrent connections
- Latency: Sub-millisecond overhead for fingerprint extraction
See benches/README.md for detailed benchmark results from development environment.
See ROADMAP.md for a detailed list of planned features and upcoming phases.
- Huginn Net - Multi-protocol passive fingerprinting library
- huginn-net-tls - JA4 TLS fingerprinting
- huginn-net-http - HTTP/2 Akamai fingerprinting
Dual-licensed under MIT or Apache 2.0.
Huginn Proxy uses the Huginn Net fingerprinting libraries:
- JA4: TLS fingerprinting follows the JA4 specification by FoxIO, LLC
- Akamai HTTP/2: HTTP/2 fingerprinting follows the Blackhat EU 2017 specification
Contributions are welcome! Please see our contributing guidelines for details.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}