Rust · Async · Let's Encrypt

https_proxy

A stealth HTTPS forward proxy that auto-obtains TLS certificates and disguises itself as a normal nginx web server.

Features

Invisible by design

🔒

Automatic TLS

Certificates issued and auto-renewed via Let's Encrypt using TLS-ALPN-01. No port 80 listener needed.

👻

Stealth Mode

Non-proxy requests get an identical nginx-style 404. Proxy requests with bad auth get a standard 407 so real clients can authenticate.

🌐

HTTP/2 Support

Full HTTP/2 with extended CONNECT protocol (RFC 8441) for native browser proxy compatibility including Chrome and Firefox.

🔀

CONNECT Tunneling

Full HTTPS tunnel support via HTTP CONNECT with bidirectional streaming for proxying encrypted traffic.

➡️

HTTP Forwarding

Plain HTTP proxy requests forwarded transparently to upstream servers with proxy headers stripped.

👥

Multi-User Auth

Basic authentication with multiple username/password pairs. All configured in a simple YAML file.

🖥️

TUI Setup Wizard

Interactive terminal UI to generate your configuration file. No manual YAML editing required.

TCP Fast Open

Reduced latency on both inbound and outbound connections with TFO support on Linux and macOS.

⚙️

Systemd Service

Built-in install and uninstall commands generate a systemd unit file for seamless background operation.

How It Works

Every request goes through five gates

1. TLS Termination

All connections terminate TLS with a valid Let's Encrypt certificate (HTTP/1.1 and HTTP/2). ACME challenges are handled transparently.

2. Stealth Gate

Requests that neither use the CONNECT method nor carry an absolute URI are treated as probes and receive a fake nginx 404.

3. Auth Gate

Proxy requests with missing or invalid credentials get a 407 with a Proxy-Authenticate header, enabling browser auth prompts.

4. CONNECT Tunnel

Authenticated CONNECT requests become a TCP tunnel via HTTP upgrade with bidirectional byte copying.

5. HTTP Forward

Authenticated HTTP requests are forwarded upstream with proxy headers stripped and URIs rewritten.
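
The gate order above, written out as a decision function. This is an added example, not code from the https_proxy repository: the names `Decision`, `decide`, `b64` and `ct_eq` are hypothetical, "absolute URI" is simplified to an `http://` prefix, and comparing credentials in encoded form in constant time is a choice made here, not something the page states.

```rust
// Added example (not the project's code): gates 2-5 from "How It Works".
#[derive(Debug, PartialEq)]
enum Decision { FakeNotFound, ProxyAuthRequired, Tunnel, Forward }

// Standard base64 (std only), used to encode each configured user:pass pair.
fn b64(input: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in input.chunks(3) {
        let n = (chunk[0] as u32) << 16
            | (*chunk.get(1).unwrap_or(&0) as u32) << 8 | *chunk.get(2).unwrap_or(&0) as u32;
        for i in 0..4 {
            if i <= chunk.len() { out.push(T[(n >> (18 - 6 * i)) as usize & 63] as char) } else { out.push('=') }
        }
    }
    out
}

// Compare without an early exit so timing does not reveal a matching prefix.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

fn decide(method: &str, target: &str, proxy_auth: Option<&str>, users: &[(&str, &str)]) -> Decision {
    // Gate 2: only CONNECT or an absolute URI counts as a proxy request.
    let connect = method == "CONNECT";
    if !connect && !target.starts_with("http://") {
        return Decision::FakeNotFound;
    }
    // Gate 3: Proxy-Authorization must be "Basic <base64(user:pass)>".
    let token = proxy_auth
        .and_then(|v| v.split_once(' '))
        .filter(|(scheme, _)| scheme.eq_ignore_ascii_case("Basic"))
        .map_or("", |(_, t)| t.trim());
    let ok = users.iter().fold(false, |ok, (u, p)| {
        ok | ct_eq(token.as_bytes(), b64(format!("{u}:{p}").as_bytes()).as_bytes())
    });
    match (ok, connect) {
        (false, _) => Decision::ProxyAuthRequired,
        (true, true) => Decision::Tunnel,   // gate 4
        (true, false) => Decision::Forward, // gate 5
    }
}

fn main() {
    let users = [("alice", "hunter2")]; // constructed sample credentials
    println!("{:?}", decide("CONNECT", "example.com:443", Some("Basic YWxpY2U6aHVudGVyMg=="), &users));
}
```

Because the stealth gate runs before the auth gate, a request for `/` gets the 404 even when it carries valid credentials; only requests already shaped like proxy traffic ever see a 407.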

Quick Start

Up and running in minutes

Terminal

# Build from source
cargo build --release

# Generate config interactively
./target/release/https_proxy setup

# Or copy the example config
cp config.example.yaml config.yaml

# Start the proxy
./target/release/https_proxy run

Usage

# Use as HTTPS proxy
curl --proxy https://alice:hunter2@proxy.example.com:443 https://httpbin.org/ip

# Probe the server directly — looks like nginx
curl https://proxy.example.com/
# => 404 Not Found (Server: nginx/1.24.0)

# Wrong credentials — 407 auth challenge (enables browser auth prompts)
curl --proxy https://wrong:creds@proxy.example.com:443 https://example.com
# => 407 Proxy Authentication Required

Architecture

Clean, modular Rust

Client (HTTPS) → TLS (tls.rs) → Stealth (stealth.rs) → Auth (auth.rs) → Proxy (proxy.rs) → Target (upstream)

Module       Role
tls.rs       ACME acceptor, automatic cert provisioning and renewal
stealth.rs   Detects proxy vs. normal requests; generates fake nginx responses
auth.rs      Validates Proxy-Authorization Basic credentials
proxy.rs     CONNECT tunneling and HTTP request forwarding
config.rs    YAML config loading and validation
net.rs       TCP listener with Fast Open, outbound connection helpers
setup.rs     Interactive TUI setup wizard
service.rs   Systemd service install and uninstall

Download

Prebuilt binaries — v0.3.0

🍎

macOS (ARM64)

Apple Silicon — M1, M2, M3, M4

Download: https_proxy-v0.3.0-darwin-arm64.zip

🐧

Linux (x86_64)

GNU/Linux — AMD64 / Intel 64

Download: https_proxy-v0.3.0-linux-amd64.zip