Skip to content

uky007/RustGate-Proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.github
.github
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.crates-io.md
README.crates-io.md
 
 
README.md
README.md
 
 

Repository files navigation

RustGate

Crates.io docs.rs License: MIT

MITM-capable HTTP/HTTPS proxy written in Rust. It can be used both as a CLI tool and as a library (crate: rustgate-proxy, lib: rustgate).

Features

  • HTTP Proxy - Forwards plain HTTP requests (with hop-by-hop header stripping)
  • CONNECT Tunneling - HTTPS passthrough via bidirectional byte relay
  • MITM Mode - TLS termination for HTTPS interception and inspection
  • Dynamic Certificate Generation - Per-domain CA-signed cert generation with caching
  • CA Certificate Management - Auto-generates and stores root CA in ~/.rustgate/ on first run (private key set to 0600)
  • Request/Response Rewriting - Hook mechanism via the RequestHandler trait
  • IPv6 Support - Correctly handles CONNECT targets like [::1]:443
  • Security Considerations - Masks query parameters in logs and warns on non-loopback bind

Architecture

Client ──TCP──> RustGate Proxy ──TCP/TLS──> Upstream Server
                    |
              +-----+-----+
              | HTTP Router |
              +-----+------+
           +--------+--------+
           v        v        v
      HTTP Forward CONNECT   CONNECT
        (Plain)   (Tunnel)   (MITM)
                 Passthrough TLS Termination

Installation

From crates.io

cargo install rustgate-proxy

Build from source

git clone https://github.com/uky007/RustGate-Proxy.git
cd RustGate-Proxy
cargo build --release

Usage

Basic (passthrough mode)

# Default: starts on 127.0.0.1:8080
rustgate

# Custom port
rustgate --port 9090

MITM mode (TLS interception)

rustgate --mitm

On first startup, a CA certificate is generated at ~/.rustgate/ca.pem.

CLI options

Usage: rustgate [OPTIONS]

Options:
      --host <HOST>  Listen address [default: 127.0.0.1]
  -p, --port <PORT>  Listen port [default: 8080]
      --mitm         Enable MITM mode (TLS interception)
  -h, --help         Print help

Log level

Controlled with the RUST_LOG environment variable:

RUST_LOG=rustgate=debug rustgate --mitm
RUST_LOG=rustgate=trace rustgate --mitm

Quick verification

HTTP proxy

curl -x http://localhost:8080 http://httpbin.org/get

HTTPS passthrough

curl -x http://localhost:8080 https://httpbin.org/get

MITM (TLS interception)

Send an HTTPS request with the CA certificate:

curl --cacert ~/.rustgate/ca.pem -x http://localhost:8080 https://httpbin.org/get

If you install the CA certificate into your OS trust store, --cacert is no longer needed:

# macOS
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain ~/.rustgate/ca.pem

# Ubuntu/Debian
sudo cp ~/.rustgate/ca.pem /usr/local/share/ca-certificates/rustgate.crt
sudo update-ca-certificates

Use as a library

Crate name is rustgate-proxy; library name is rustgate.

[dependencies]
rustgate-proxy = "0.1"

Custom handler

Implement RequestHandler to inspect or modify requests and responses passing through the proxy:

use rustgate::handler::{BoxBody, RequestHandler};
use hyper::{Request, Response};

struct MyHandler;

impl RequestHandler for MyHandler {
    fn handle_request(&self, req: &mut Request<BoxBody>) {
        req.headers_mut()
            .insert("X-Proxied-By", "RustGate".parse().unwrap());
    }

    fn handle_response(&self, res: &mut Response<BoxBody>) {
        res.headers_mut()
            .insert("X-Proxy", "RustGate".parse().unwrap());
    }
}

Embed the proxy server

use rustgate::cert::CertificateAuthority;
use rustgate::handler::LoggingHandler;
use rustgate::proxy::{handle_connection, ProxyState};
use std::sync::Arc;
use tokio::net::TcpListener;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let ca = Arc::new(CertificateAuthority::new().await?);
    let state = Arc::new(ProxyState {
        ca,
        mitm: true,
        handler: Arc::new(LoggingHandler),
    });

    let listener = TcpListener::bind("127.0.0.1:8080").await?;
    loop {
        let (stream, addr) = listener.accept().await?;
        let state = state.clone();
        tokio::spawn(handle_connection(stream, addr, state));
    }
}

Public modules

Module Description
rustgate::proxy ProxyState, handle_connection, parse_host_port
rustgate::cert CertificateAuthority, CertifiedKey
rustgate::tls make_tls_acceptor, connect_tls_upstream
rustgate::handler RequestHandler trait, LoggingHandler, BoxBody
rustgate::error ProxyError, Result

File layout

src/
├── lib.rs        # Library entry point (exports modules)
├── main.rs       # CLI entry point
├── proxy.rs      # Proxy handlers (HTTP forward + CONNECT + MITM)
├── cert.rs       # CA management and dynamic certificate generation
├── tls.rs        # TLS termination and upstream TLS connection
├── handler.rs    # RequestHandler trait definition
└── error.rs      # Error type definitions
tests/
└── integration_test.rs  # Integration tests

Notes

  • Use MITM features only with consent from all parties involved. Unauthorized interception may violate laws.
  • Authentication and access control are not implemented. Binding to non-loopback addresses (0.0.0.0, ::, LAN IP, public IP, etc.) can expose the proxy on your network. RustGate warns at startup when binding to non-loopback addresses. Use trusted networks only, or restrict access with firewalls.
  • This tool is intended for security testing, debugging, and educational use.

License

MIT

Japanese (日本語)

RustGate は Rust 製の MITM 対応 HTTP/HTTPS プロキシです。CLI ツールとしてもライブラリとしても利用できます。

機能

  • HTTP プロキシ - 平文 HTTP リクエストを転送(hop-by-hop ヘッダ除去対応)
  • CONNECT トンネリング - HTTPS 通信を双方向バイトコピーでパススルー
  • MITM モード - TLS 終端による HTTPS 通信の傍受・閲覧
  • 動的証明書生成 - ドメインごとの CA 署名証明書を自動生成(キャッシュ付き)
  • CA 証明書管理 - 初回起動時に ~/.rustgate/ へルート CA を自動生成・保存(秘密鍵は 0600
  • リクエスト/レスポンス改変 - RequestHandler トレイトによるフック機構
  • IPv6 対応 - [::1]:443 形式の CONNECT ターゲットを正しく処理
  • セキュリティ配慮 - ログ出力時にクエリパラメータをマスク、非ループバック bind 時に警告

インストール

cargo install rustgate-proxy

ソースからビルド

git clone https://github.com/uky007/RustGate-Proxy.git
cd RustGate-Proxy
cargo build --release

アーキテクチャ

Client ──TCP──> RustGate Proxy ──TCP/TLS──> Upstream Server
                    |
              +-----+-----+
              | HTTP判定   |
              +-----+------+
           +--------+--------+
           v        v        v
        HTTP転送  CONNECT   CONNECT
        (平文)   (トンネル)  (MITM)
                  パススルー  TLS終端

使い方

# デフォルト: 127.0.0.1:8080
rustgate

# ポート指定
rustgate --port 9090

# MITM モード
rustgate --mitm

初回起動時に ~/.rustgate/ca.pem が生成されます。MITM 利用時は必要に応じて OS の信頼ストアに追加してください。

CLI オプション

Usage: rustgate [OPTIONS]

Options:
      --host <HOST>  リッスンアドレス [default: 127.0.0.1]
  -p, --port <PORT>  リッスンポート [default: 8080]
      --mitm         MITM モード(TLS 傍受)を有効化
  -h, --help         Print help

ログレベル

環境変数 RUST_LOG で制御できます:

RUST_LOG=rustgate=debug rustgate --mitm
RUST_LOG=rustgate=trace rustgate --mitm

動作確認

HTTP プロキシ:

curl -x http://localhost:8080 http://httpbin.org/get

HTTPS パススルー:

curl -x http://localhost:8080 https://httpbin.org/get

MITM(TLS 傍受):

curl --cacert ~/.rustgate/ca.pem -x http://localhost:8080 https://httpbin.org/get

OS の信頼ストアに CA 証明書を追加すれば --cacert は不要です:

# macOS
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain ~/.rustgate/ca.pem

# Ubuntu/Debian
sudo cp ~/.rustgate/ca.pem /usr/local/share/ca-certificates/rustgate.crt
sudo update-ca-certificates

ライブラリ利用

[dependencies]
rustgate-proxy = "0.1"

公開ライブラリ名は rustgate です(crate 名は rustgate-proxy)。

カスタムハンドラ

use rustgate::handler::{BoxBody, RequestHandler};
use hyper::{Request, Response};

struct MyHandler;

impl RequestHandler for MyHandler {
    fn handle_request(&self, req: &mut Request<BoxBody>) {
        req.headers_mut()
            .insert("X-Proxied-By", "RustGate".parse().unwrap());
    }

    fn handle_response(&self, res: &mut Response<BoxBody>) {
        res.headers_mut()
            .insert("X-Proxy", "RustGate".parse().unwrap());
    }
}

プロキシサーバーの組み込み

use rustgate::cert::CertificateAuthority;
use rustgate::handler::LoggingHandler;
use rustgate::proxy::{handle_connection, ProxyState};
use std::sync::Arc;
use tokio::net::TcpListener;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let ca = Arc::new(CertificateAuthority::new().await?);
    let state = Arc::new(ProxyState {
        ca,
        mitm: true,
        handler: Arc::new(LoggingHandler),
    });

    let listener = TcpListener::bind("127.0.0.1:8080").await?;
    loop {
        let (stream, addr) = listener.accept().await?;
        let state = state.clone();
        tokio::spawn(handle_connection(stream, addr, state));
    }
}

公開モジュール

モジュール 説明
rustgate::proxy ProxyState, handle_connection, parse_host_port
rustgate::cert CertificateAuthority, CertifiedKey
rustgate::tls make_tls_acceptor, connect_tls_upstream
rustgate::handler RequestHandler トレイト, LoggingHandler, BoxBody
rustgate::error ProxyError, Result

ファイル構成

src/
├── lib.rs        # ライブラリエントリポイント(モジュール公開)
├── main.rs       # CLI エントリポイント
├── proxy.rs      # プロキシハンドラ(HTTP転送 + CONNECT + MITM)
├── cert.rs       # CA証明書管理、動的証明書生成
├── tls.rs        # TLS終端、upstream TLS接続
├── handler.rs    # RequestHandler トレイト定義
└── error.rs      # エラー型定義
tests/
└── integration_test.rs  # 統合テスト

注意事項

  • MITM 機能は通信当事者全員の同意を得たうえで使用してください。
  • 認証・アクセス制御は未実装です。0.0.0.0:: で bind するとネットワーク公開される可能性があります。
  • 本ツールはセキュリティテスト、デバッグ、教育目的での利用を想定しています。

About

MITM-capable HTTP/HTTPS proxy in Rust for debugging, testing, and traffic inspection.

crates.io/crates/rustgate-proxy

Topics

rust tunnel http https proxy crates mitmproxy

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v0.1.1 Latest
Mar 1, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages