WolfProxy

High-Performance Reverse Proxy

Overview

WolfProxy is a high-performance reverse proxy server built in Rust that reads and uses nginx configuration files directly. It's a drop-in replacement for nginx with built-in firewall, load balancing, monitoring, and automatic SSL/TLS support.

© 2026 Wolf Software Systems Ltd — GitHub Repository

Drop-in nginx Replacement

Reads nginx sites-enabled configuration directly. No config rewrite needed.

Automatic SSL/TLS

Picks up SSL certificates from nginx config automatically. Let's Encrypt, custom certs — just works.

Built-in Firewall

Automatic IP blocking for TLS abuse, path traversal, and rate limiting. Enabled by default.

Load Balancing

Full upstream support: Round Robin, Weighted, IP Hash, Least Connections, Random.

Health Checking

Automatic backend health monitoring with configurable thresholds and failure recovery.

Monitoring Dashboard

Built-in web interface on port 5001 for real-time upstream status, traffic, and health metrics.

🌐

HTTP/1.1 & HTTP/2

Full protocol support with SNI for multiple SSL domains on a single IP.

Fast & Lightweight

Built in Rust for maximum performance with minimal memory footprint.

Quick Install

Install WolfProxy with a single command:

bash
curl -sL https://raw.githubusercontent.com/wolfsoftwaresystemsltd/wolfproxy/main/setup.sh | sudo bash

What the Installer Does

  1. Detects your package manager (apt, dnf, yum, pacman, zypper)
  2. Installs build dependencies automatically
  3. Installs Rust via rustup if not already present
  4. Clones the repository to /opt/wolfproxy
  5. Builds WolfProxy in release mode
  6. Creates the systemd service
  7. Creates default configuration at /opt/wolfproxy/wolfproxy.toml

After Installation

bash
# View status
sudo systemctl status wolfproxy

# View logs
journalctl -u wolfproxy -f

Upgrading

Re-run the installer to upgrade. Your wolfproxy.toml configuration is automatically backed up and restored:

bash
curl -sL https://raw.githubusercontent.com/wolfsoftwaresystemsltd/wolfproxy/main/setup.sh | sudo bash

Configuration

WolfProxy uses a simple TOML configuration file (wolfproxy.toml):

toml
[server]
host = "0.0.0.0"
http_port = 80
https_port = 443

[nginx]
config_dir = "/etc/nginx"
auto_reload = false

[monitoring]
enabled = true
port = 5001
username = "admin"
password = "admin"

The nginx configuration is read from:

  • {config_dir}/sites-enabled/ — Site configuration files
  • {config_dir}/conf.d/*.conf — Additional configuration files

Example nginx Configuration

WolfProxy reads standard nginx configuration like this:

nginx
upstream backend {
    ip_hash;
    server 10.0.10.105 max_fails=3 fail_timeout=360s;
    server 10.0.10.102 max_fails=3 fail_timeout=360s;
    server 10.0.10.103 max_fails=3 fail_timeout=360s;
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

Supported nginx Directives

Server Block

Directive                              Description
listen                                 Port and SSL configuration
server_name                            Virtual host names
root                                   Document root
index                                  Index files
error_page                             Custom error pages
ssl_certificate / ssl_certificate_key  SSL certificates
include                                Include other config files
gzip                                   Compression (header support)

Location Block

Directive              Description
location               Path matching (prefix, exact =, regex ~, case-insensitive ~*, priority ^~)
proxy_pass             Reverse proxy to backend or upstream
proxy_set_header       Set headers for backend
proxy_http_version     HTTP version for backend
proxy_connect_timeout  Backend connection timeout
root / alias           Static file serving
try_files              Try multiple files
return                 Return status codes or redirects
rewrite                URL rewriting
deny / allow           Access control
add_header             Add response headers

Upstream Block

Directive   Description
upstream    Define backend server groups
server      Backend server with weight, max_fails, fail_timeout, backup, down
ip_hash     Sticky sessions
least_conn  Least connections balancing
keepalive   Connection pooling

Load Balancing

WolfProxy supports multiple load balancing algorithms:

Algorithm             Directive   Description
Round Robin           (default)   Distributes requests evenly across servers
Weighted Round Robin  weight=N    Higher-weight servers get more requests
IP Hash               ip_hash     Sticky sessions — same client always hits same server
Least Connections     least_conn  Routes to the server with fewest active connections
Random                —           Random server selection

Firewall (Auto-Ban)

WolfProxy includes a built-in firewall that automatically detects and blocks malicious IPs. No configuration needed — it's enabled by default.

What Gets Blocked

  • TLS abuse (failed handshakes, invalid certificates)
  • Path traversal attempts (../)
  • Excessive 4xx errors
  • Rate limit violations

Blocked IPs are banned for 10 minutes by default. Bans expire automatically.

How It Works

  1. Pre-TLS blocking: Blocked IPs are rejected at the TCP level before the TLS handshake, saving CPU
  2. Automatic cleanup: Expired bans and stale trackers are cleaned up every 60 seconds
  3. Memory-safe: Hard caps prevent memory exhaustion (max 10,000 blocked IPs, 50,000 tracked IPs)
  4. Localhost exempt: 127.0.0.1 / ::1 are never blocked

Configuration

toml
[firewall]
enabled = true                # Enable/disable the firewall
window_secs = 60              # Time window for counting violations
ban_duration_secs = 600       # Ban duration (10 minutes)
tls_failure_threshold = 100   # TLS failures before ban
bad_request_threshold = 50    # 4xx errors before ban
rate_limit = 1000             # Max requests per window per IP
traversal_threshold = 3       # Path traversal attempts before ban

To disable: Set enabled = false in the [firewall] section.
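
The counting and ban behaviour described in this section, sketched as an added example (not WolfProxy's own code) using the defaults shown above. The `AutoBan` type and its methods are hypothetical, and the fixed-window counting, banning when the count reaches the threshold, and refusing new entries at the hard caps are assumptions; the page does not specify them.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
// Hypothetical tracker (not WolfProxy source); numbers are this page's defaults.
pub struct AutoBan {
    window_secs: u64,                     // window_secs = 60
    ban_secs: u64,                        // ban_duration_secs = 600
    threshold: u32,                       // e.g. traversal_threshold = 3
    tracked: HashMap<IpAddr, (u64, u32)>, // ip -> (window start, violations)
    blocked: HashMap<IpAddr, u64>,        // ip -> ban expiry, in seconds
}
const MAX_BLOCKED: usize = 10_000; // hard caps from "How It Works"
const MAX_TRACKED: usize = 50_000;

impl AutoBan {
    pub fn new(threshold: u32) -> Self {
        let (tracked, blocked) = (HashMap::new(), HashMap::new());
        AutoBan { window_secs: 60, ban_secs: 600, threshold, tracked, blocked }
    }
    /// Cheap lookup meant to run at accept(), before any TLS work.
    pub fn is_blocked(&self, ip: IpAddr, now: u64) -> bool {
        self.blocked.get(&ip).map_or(false, |&until| now < until)
    }
    /// Record one violation; returns true if this call triggered a ban.
    pub fn record(&mut self, ip: IpAddr, now: u64) -> bool {
        if ip.is_loopback() { return false; } // 127.0.0.1 / ::1 are exempt
        if !self.tracked.contains_key(&ip) && self.tracked.len() >= MAX_TRACKED {
            return false; // assumption: at the cap, new IPs are not tracked
        }
        let e = self.tracked.entry(ip).or_insert((now, 0));
        if now.saturating_sub(e.0) >= self.window_secs { *e = (now, 0); } // new window
        e.1 += 1;
        if e.1 < self.threshold || self.blocked.len() >= MAX_BLOCKED { return false; }
        self.blocked.insert(ip, now + self.ban_secs);
        self.tracked.remove(&ip);
        true
    }
    /// Periodic sweep: drop expired bans and stale trackers.
    pub fn cleanup(&mut self, now: u64) {
        let w = self.window_secs;
        self.blocked.retain(|_, until| now < *until);
        self.tracked.retain(|_, (start, _)| now.saturating_sub(*start) < w);
    }
}

fn main() {
    let mut fw = AutoBan::new(3);
    let ip: IpAddr = "203.0.113.7".parse().unwrap(); // constructed sample address
    for t in 0..3 { fw.record(ip, t); }
    println!("blocked at t=10: {}", fw.is_blocked(ip, 10));
}
```

Time is passed in as plain seconds so the window and expiry arithmetic can be checked deterministically.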

Monitoring Dashboard

WolfProxy includes a built-in monitoring dashboard at http://your-server:5001/.

Features

  • Real-time stats: Uptime, total requests, data in/out
  • Upstream monitoring: View all backend servers with their status (UP/DOWN)
  • Health metrics: Active connections, request counts, failure counts per server
  • Traffic by upstream: Request counts per upstream group
  • Load balancing info: Shows load balancing method per upstream group
  • Auto-refresh: Dashboard updates every 5 seconds
  • JSON API: Available at /stats for programmatic access
  • Settings page: Change username/password via web interface at /settings

Configuration

toml
[monitoring]
enabled = true       # Enable/disable the monitoring server
port = 5001          # Port for the monitoring interface
username = "admin"   # HTTP Basic Auth username
password = "admin"   # HTTP Basic Auth password

⚠️ Security: The monitoring dashboard is protected with HTTP Basic Authentication. Change the default credentials in production!

Migration from nginx

Switching from nginx to WolfProxy is straightforward:

bash
# Step 1: Stop nginx
sudo systemctl stop nginx

# Step 2: Install WolfProxy
curl -sL https://raw.githubusercontent.com/wolfsoftwaresystemsltd/wolfproxy/main/setup.sh | sudo bash

# Step 3: Start WolfProxy
sudo systemctl start wolfproxy

# Step 4: Verify your sites are working

# Step 5: Disable nginx, enable WolfProxy
sudo systemctl disable nginx
sudo systemctl enable wolfproxy

WolfProxy reads your existing nginx configuration from /etc/nginx/sites-enabled/ — no config changes needed.

WordPress Behind WolfProxy

When running WordPress behind WolfProxy (or any reverse proxy), you may encounter:

  • "Cookies are blocked or not supported by your browser" login errors
  • Redirect loops
  • Mixed content warnings
  • Session issues

WordPress wp-config.php Settings

Add these lines to your wp-config.php:

php
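// Fix for reverse proxy: restore the scheme and host the client actually used.
// X-Forwarded-* headers are client-supplied unless the proxy sets or strips them,
// so the backend should be reachable only through the proxy.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
// Only takes effect when the proxy forwards an X-Forwarded-Host header.
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}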

Recommended nginx Configuration for WordPress

nginx
location / {
    proxy_pass http://backend;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}

Systemd Service

bash
# Start / stop
sudo systemctl start wolfproxy
sudo systemctl stop wolfproxy

# Enable on boot
sudo systemctl enable wolfproxy

# Check status
sudo systemctl status wolfproxy

# View logs
journalctl -u wolfproxy -f

Installation Paths

Path                                     Description
/opt/wolfproxy/target/release/wolfproxy  Binary
/opt/wolfproxy/wolfproxy.toml            Configuration
/etc/systemd/system/wolfproxy.service    Systemd service file