smpio/fwd-proxy

fwd-proxy

Simple HTTP forward proxy in Go with basic SSRF protections.

Features

  • Accepts incoming HTTP requests and forwards them to a target URL.
  • Supports methods: GET, POST, PUT, PATCH, DELETE, HEAD.
  • Reads target from query parameter url or header X-Target-URL.
  • Blocks localhost, private, link-local, multicast, and other reserved IP ranges.
  • Rejects unsupported methods and strips hop-by-hop headers.
  • Leaves X-Forwarded-For untouched.

Requirements

  • Go 1.26.1 or newer (as declared in go.mod).

Run

go run .

The server listens on :8080 by default.

To start on a custom port:

go run . -port 9090

To require an auth token in X-Fwd-Authorization:

go run . -auth-token 'my-secret-token'

Usage

Send a request to the proxy and provide the destination URL:

curl "http://localhost:8080/?url=https://httpbin.org/get"

You can also pass the target in a header:

curl -H "X-Target-URL: https://httpbin.org/anything" "http://localhost:8080/"

If started with -auth-token, include the auth header:

curl \
  -H "X-Fwd-Authorization: my-secret-token" \
  -H "X-Target-URL: https://httpbin.org/get" \
  "http://localhost:8080/"

Forward a JSON POST body:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Target-URL: https://httpbin.org/post" \
  -d '{"hello":"world"}' \
  "http://localhost:8080/"

Response behavior

  • Upstream response status code is preserved.
  • Upstream response body is streamed back to the client.
  • Hop-by-hop headers are stripped from both request and response.

Security notes

  • Only http and https target schemes are allowed.
  • Target URLs with userinfo (user:pass@host) are rejected.
  • localhost and .localhost hosts are blocked.
  • Direct IP targets are validated against blocked ranges.
  • DNS-resolved IPs are validated before dialing.
  • Maximum incoming request body size is 10 MiB.

These checks help reduce SSRF risk but do not replace network-level egress controls.
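
The checks listed above, sketched in Go as an added example (this is not the project's main.go; the names checkTarget, blockedIP and dialControl are hypothetical, and the range list covers only what net/netip classifies directly). The IP check is repeated in the dialer's Control hook so that it applies to the address actually being connected to, after DNS resolution, which also covers a hostname that resolves differently between validation and dial.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
	"syscall"
)

// blockedIP reports whether addr is in a range the proxy must never reach.
func blockedIP(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	return !addr.IsValid() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsMulticast() || addr.IsUnspecified()
}

// checkTarget applies the URL-level rules: scheme, userinfo, localhost, IP literal.
func checkTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return fmt.Errorf("unparsable URL, disallowed scheme, or userinfo present")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	if ip, err := netip.ParseAddr(host); err == nil && blockedIP(ip) {
		return fmt.Errorf("IP literal %s is in a blocked range", ip)
	}
	return nil
}

// dialControl runs after DNS resolution, on the exact address being connected to.
func dialControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || blockedIP(ap.Addr()) {
		return fmt.Errorf("dial to %s refused", address)
	}
	return nil
}

func main() {
	d := &net.Dialer{Control: dialControl} // use as http.Transport{DialContext: d.DialContext}
	fmt.Println(d.Control != nil, checkTarget("http://169.254.169.254/"))
}
```

Ranges outside these predicates (for example carrier-grade NAT or documentation prefixes) would need an explicit prefix list added to blockedIP.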

Configuration

Configuration is defined in main.go constants and CLI flags:

  • -port CLI flag (default 8080)
  • -auth-token CLI flag (default empty, disabled)
  • FWD_PROXY_AUTH_TOKEN env var (used when -auth-token is not set)
  • maxRequestBody (default 10 MiB)
  • upstreamTimeout (default 30s)

Development

go test ./...

No tests are currently included.
