🔒 Secure Site Proxy
A secure, self-hosted web proxy with authentication, rate limiting, and caching capabilities.
✨ Features
- 🔐 Secure Authentication - Username/password protection with session management
- 🚦 Rate Limiting - Prevent abuse with configurable request limits
- 💾 Memory Caching - Intelligent caching for improved performance
- 🛡️ SSRF Protection - Comprehensive blocking of private networks and internal services
- 🔄 Content Rewriting - Automatic URL rewriting for seamless proxied browsing
- ⏱️ Session Management - Secure session handling with automatic expiration
- 🐳 Docker Support - Easy deployment with Docker and Docker Compose
- 📊 Statistics API - Monitor cache usage and performance
🚀 Quick Start
Prerequisites
- Docker and Docker Compose (recommended)
- OR Go 1.21+ for manual build
Option 1: Docker Compose (Recommended)
# 1. Clone the repository
git clone https://github.com/xofine/siteproxy.git
cd siteproxy
# 2. Create and configure environment file
cp .env.example .env
nano .env # Edit AUTH_PASSWORD and SESSION_SECRET
# 3. Deploy
docker-compose up -d
# 4. Check logs
docker-compose logs -f
# 5. Access the service
# Open http://localhost:8080 in your browser
Option 2: Manual Build
# 1. Clone and configure
git clone https://github.com/xofine/siteproxy.git
cd siteproxy
cp .env.example .env
nano .env
# 2. Build
go mod init siteproxy
go build -o siteproxy .
# 3. Run
./siteproxy
# 4. Access
# Open http://localhost:8080 in your browser
⚙️ Configuration
All configuration is done through environment variables in the .env file.
Authentication Settings
AUTH_USERNAME=admin # Login username
AUTH_PASSWORD=your_secure_password_here # Login password (CHANGE THIS!)
SESSION_SECRET=random_64_char_string # Session encryption key
SESSION_TIMEOUT=30m # Session expiration time
Security Settings
RATE_LIMIT_REQUESTS=100 # Max requests per window
RATE_LIMIT_WINDOW=1m # Rate limit time window
MAX_RESPONSE_SIZE=52428800 # Max response size (50MB)
Proxy Settings
ALLOWED_SCHEMES=http,https # Allowed URL schemes
USER_AGENT=Mozilla/5.0... # User agent for requests
Blacklist Configuration
# Domain blacklist (supports wildcards)
BLOCKED_DOMAINS=localhost,127.0.0.1,0.0.0.0,*.local,internal,metadata.google.internal,169.254.169.254
# CIDR blacklist (private networks)
BLOCKED_CIDRS=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,100.64.0.0/10
Cache Settings
CACHE_ENABLED=true # Enable/disable caching
CACHE_MAX_SIZE=104857600 # Max cache size (100MB)
CACHE_TTL=1h # Cache entry TTL
Server Settings
PORT=8080 # Server port
🔒 Security Best Practices
Essential Security Measures
-
Change Default Credentials
# Generate strong password openssl rand -base64 32 -
Use Strong Session Secret
# Generate random session secret openssl rand -hex 32 -
Deploy Behind HTTPS
- Use Nginx, Caddy, or Traefik as reverse proxy
- Enable SSL/TLS certificates (Let's Encrypt)
-
Use Cloudflare Access
- Add additional authentication layer
- Protect against DDoS attacks
- Hide origin server IP
-
Network Isolation
- Deploy in isolated Docker network
- Use firewall rules to restrict access
- Disable unnecessary ports
Example Nginx Configuration
server {
listen 443 ssl http2;
server_name proxy.yourdomain.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
📊 API Endpoints
Public Endpoints
GET /login- Login pagePOST /login- Submit credentialsGET /health- Health check endpoint
Protected Endpoints (Require Authentication)
GET /- Main proxy interfaceGET /proxy?url=<target>- Proxy request to target URLGET /stats- Cache statistics (JSON)GET /logout- Logout and clear session
Statistics Response Example
{
"entries": 42,
"size": 15728640
}
🏗️ Architecture
┌─────────────┐
│ Browser │
└──────┬──────┘
│
▼
┌─────────────────┐
│ Cloudflare │ (Optional)
│ Access │
└──────┬──────────┘
│
▼
┌─────────────────┐
│ SiteProxy │
│ ┌───────────┐ │
│ │ Auth │ │
│ ├───────────┤ │
│ │ Rate │ │
│ │ Limiter │ │
│ ├───────────┤ │
│ │ Validator │ │
│ ├───────────┤ │
│ │ Cache │ │
│ ├───────────┤ │
│ │ Proxy │ │
│ └───────────┘ │
└──────┬──────────┘
│
▼
┌─────────────────┐
│ Target Website │
└─────────────────┘
🛠️ Development
Project Structure
siteproxy/
├── main.go # Application entry point
├── auth/
│ ├── middleware.go # Authentication middleware
│ └── session.go # Session management
├── proxy/
│ ├── handler.go # Proxy request handler
│ ├── index.go # Main page handler
│ └── stats.go # Statistics handler
├── security/
│ ├── ratelimit.go # Rate limiting
│ └── validator.go # URL validation and SSRF protection
├── cache/
│ └── cache.go # Memory cache implementation
├── config/
│ └── config.go # Configuration loader
├── static/ # Static files (if any)
├── .env.example # Example environment variables
├── Dockerfile # Docker build configuration
├── docker-compose.yml # Docker Compose configuration
├── go.mod # Go module definition
└── README.md # This file
Running Tests
# Run all tests
go test ./...
# Run with coverage
go test -cover ./...
# Run with race detector
go test -race ./...
Building for Production
# Build optimized binary
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags="-s -w" -o siteproxy .
# Build for different platforms
GOOS=darwin GOARCH=amd64 go build -o siteproxy-darwin-amd64
GOOS=linux GOARCH=amd64 go build -o siteproxy-linux-amd64
GOOS=windows GOARCH=amd64 go build -o siteproxy-windows-amd64.exe
🐛 Troubleshooting
Common Issues
1. "Unauthorized" error after login
- Check if SESSION_SECRET is set correctly
- Clear browser cookies and try again
- Verify AUTH_USERNAME and AUTH_PASSWORD in .env
2. "Rate limit exceeded" error
- Increase RATE_LIMIT_REQUESTS in .env
- Increase RATE_LIMIT_WINDOW for longer time window
- Wait for the rate limit window to reset
3. "Invalid or blocked URL" error
- Check if target domain is in BLOCKED_DOMAINS
- Verify target IP is not in private network range
- Ensure URL starts with http:// or https://
4. Cache not working
- Verify CACHE_ENABLED=true in .env
- Check CACHE_MAX_SIZE is sufficient
- Review /stats endpoint for cache statistics
5. Docker container won't start
- Check if port 8080 is already in use
- Verify .env file exists and is properly formatted
- Check Docker logs:
docker-compose logs
Debug Mode
Enable verbose logging:
# Add to .env
LOG_LEVEL=debug
# Or run with environment variable
LOG_LEVEL=debug ./siteproxy
📝 Changelog
v1.0.0 (2024-01-XX)
- Initial release
- Basic proxy functionality
- Authentication system
- Rate limiting
- Memory caching
- SSRF protection
- Docker support
🤝 Contributing
Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Code Style
- Follow standard Go formatting (
gofmt) - Add comments for exported functions
- Write tests for new features
- Update documentation as needed
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
⚠️ Disclaimer
This tool is provided for legitimate use only. Users are responsible for:
- Complying with applicable laws and regulations
- Respecting target website terms of service
- Not using for malicious purposes
- Ensuring proper authorization before proxying content
The authors are not responsible for misuse of this software.
🙏 Acknowledgments
- Built with Go standard library
- Inspired by various open-source proxy projects
- Security best practices from OWASP
📧 Support
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report security issues to security@yourdomain.com
🔗 Links