pproxy is a lightweight, configurable reverse proxy written in Rust, built on top of Pingora — a high-performance async proxy framework developed by Cloudflare.
- Reverse proxy with per-host and per-domain configuration
- TLS support with custom certificates
- Header injection and proxy header overrides
- User-Agent, GeoIP, and ISP filtering
- IP-based allow/deny rules
- URL rewrite and redirect rules
- Built-in WAF integration (blocklists + Geo API)
- Optional host monitoring (wake/suspend for machines that do not need to be running at all times)

Configuration is defined in a TOML file and loaded at startup.

```toml
app_log_level = "info"
all_log_level = "warn"
static_files_path = "/opt/systemd/pproxy/static"
```

- `app_log_level`: Logging level for application-specific logs
- `all_log_level`: Global log filtering level
- `static_files_path`: Path to static assets (if used)

```toml
[control]
listen = "0.0.0.0:5050"
```

- Exposes a control/monitor interface (e.g. `/control/<monitor>`)

```toml
[waf]
# blocklist_url = "http://..."
geo_cache_file_path = "/opt/systemd/pproxy/geo_cache"
geo_api_url = "https://api.iplocation.net?ip="
```

- `blocklist_url`: Optional external blocklist
- `geo_api_url`: GeoIP lookup endpoint
- `geo_cache_file_path`: Local cache for GeoIP results

```toml
[hosts."0.0.0.0:443"]
tls = true
```

- Defines a listening address and port
- `tls`: Enables TLS termination

```toml
[hosts."0.0.0.0:443".servers."example.com"]
upstream = "192.168.0.10:8000"
upstream_tls = false
cert_path = "/etc/letsencrypt/live/example.com/fullchain.pem"
key_path = "/etc/letsencrypt/live/example.com/privkey.pem"
```

- `upstream`: Target backend
- `upstream_tls`: Use HTTPS to upstream
- `cert_path`, `key_path`: TLS certificate files

```toml
user_agent_blocklist = ["facebook", "scapy"]
geo_fence_country_allowlist = ["SK", "CZ", "GB"]
geo_fence_isp_blocklist = ["Amazon Data Services UK"]
```

- Block requests by User-Agent
- Allow only specific countries
- Block specific ISPs

```toml
[hosts."0.0.0.0:443".servers."example.com".headers]
X-Frame-Options = "SAMEORIGIN"
```

```toml
proxy_headers = { "Connection" = "upgrade" }
```

```toml
redirect_rules = [
{ pattern = "example.com", new = "new-example.com" }
]
```

```toml
rewrite_rules = [
{ pattern = "path", new = "newpath" }
]
```

```toml
ip_rules = [
{ source = "Direct", subnet = "192.168.0.0/21", action = "Allow" },
{ source = "Direct", subnet = "0.0.0.0/0", action = "Deny" }
]
```

- `source`: `Direct` or `Forwarded`
- `action`: `Allow` or `Deny`
- Evaluated in order
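
How in-order evaluation plays out for the two `ip_rules` entries above, as an added example (not pproxy's own code). It assumes IPv4 subnets only, that a request matching no rule is denied, and that `Forwarded` rules match an address taken from a forwarding header; the names `IpRule`, `rule`, `evaluate` and `page_rules` are hypothetical.

```rust
use std::net::Ipv4Addr;

#[allow(dead_code)] // Forwarded is not used by the page's two rules
#[derive(Clone, Copy, Debug, PartialEq)]
enum Source { Direct, Forwarded }
#[derive(Clone, Copy, Debug, PartialEq)]
enum Action { Allow, Deny }
struct IpRule { source: Source, net: u32, mask: u32, action: Action }

// Parse an IPv4 "a.b.c.d/len" subnet; None for malformed input or len > 32.
fn rule(source: Source, subnet: &str, action: Action) -> Option<IpRule> {
    let (addr, len) = subnet.split_once('/')?;
    let len = len.parse::<u32>().ok().filter(|l| *l <= 32)?;
    let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    let net = u32::from(addr.parse::<Ipv4Addr>().ok()?) & mask;
    Some(IpRule { source, net, mask, action })
}

// First matching rule wins. Assumptions (not confirmed by the page):
// a Forwarded rule is skipped when no forwarded address is present,
// and a request that matches no rule is denied (fail closed).
fn evaluate(rules: &[IpRule], direct: Ipv4Addr, forwarded: Option<Ipv4Addr>) -> Action {
    for r in rules {
        let candidate = match r.source {
            Source::Direct => Some(direct),
            Source::Forwarded => forwarded,
        };
        if candidate.map_or(false, |ip| (u32::from(ip) & r.mask) == r.net) {
            return r.action;
        }
    }
    Action::Deny
}

// The two rules from the ip_rules snippet above.
fn page_rules() -> Vec<IpRule> {
    vec![
        rule(Source::Direct, "192.168.0.0/21", Action::Allow).unwrap(),
        rule(Source::Direct, "0.0.0.0/0", Action::Deny).unwrap(),
    ]
}

fn main() {
    let rules = page_rules();
    // Constructed sample clients: last address in the /21, first past it, external.
    for ip in ["192.168.7.255", "192.168.8.1", "203.0.113.9"] {
        println!("{ip} -> {:?}", evaluate(&rules, ip.parse().unwrap(), None));
    }
}
```

Under first-match evaluation, swapping the two rules makes `0.0.0.0/0` match first and denies every client, so the catch-all entry belongs last.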

```toml
[monitors.test]
suspend_timeout = 300

[monitors.test.commands]
check_command = "ping ..."
wake_command = "wakeonlan ..."
suspend_command = "ssh ... suspend"
status_command = "ssh ..."
```

- Automatically suspends inactive upstream machines
- Wakes them on incoming requests
- Accessible via control interface

- TOML tables are used for complex structures like headers
- Inline tables are supported but limited to single-line definitions
- `HashSet` fields are represented as TOML arrays