Files
s1d3sw1ped 1cc94f2c99
Format / gofmt (push) Failing after 27s
CI / Build (push) Successful in 51s
CI / Go Tests (push) Failing after 21s
initial commit
2026-06-06 07:54:44 -05:00

4.2 KiB

Helix Proxy

A pure-Go reverse proxy with embedded web UI. Supports proxy hosts, TCP/UDP streams, redirections, dead hosts, certificates (Let's Encrypt + custom), access lists, audit, and more. Single static binary. Single built-in admin (no multi-user registration; defaults to "password", first login forces a change which is then bcrypt-hashed and stored in the DB).

Key features / differences from traditional setups:

  • Entirely replaces nginx: pure Go reverse proxy (http) + TCP/UDP stream proxy engine. No nginx binary, no config files on disk for routing, live updates.
  • Single binary: the modern Svelte SPA UI is built and embedded (//go:embed) into the Go executable.
  • Storage: default is a single data/db.bolt (cwd-relative, bbolt embedded).
  • No magic paths: everything defaults to paths relative to the process CWD (data/db.bolt, data/www/, data/certs/, ...). All overridable with env vars (DATA_DIR, WWW_DIR, etc.).
  • www/html lives in data/ by default (single volume tree).

Quick start (binary)

make          # builds UI (placeholder) + Go binary with embed
./helix-proxy
# Admin UI + API on :81
# Proxy on :8080 (or 80/443 when you have perms / run in docker)

Visit http://localhost:81

Data (db, certs, logs, www html) lives in ./data relative to where you ran the binary.

docker compose up -d
# or
docker build -t helix-proxy:dev .
docker run -p 81:81 -v $PWD/data:/app/data --workdir /app helix-proxy:dev

PUID/PGID + DISABLE_IPV6 example (see docker-compose.yml for full):

# user: "0:0"  # root to allow chown+drop inside
environment:
  - PUID=1000
  - PGID=1000
  - DISABLE_IPV6=1
  # PUID_NO_DROP=1  # for low ports (80/443) + PUID: do chown as root but do not drop (stay root to bind low ports; default with PUID drops to non-root after chown, so use high ports or NET_BIND_SERVICE cap or run without PUID for low ports)

Binary auto-chowns data tree (if started root) then drops privs (unless PUID_NO_DROP); umask support via UMASK env. Files 0600, dirs 0755. Note: privilege drop happens early (before listeners); low-port binds require either root (with PUID_NO_DROP), capabilities, high ports in config, or external setuid wrapper.

See docker-compose.yml for full example (exposes 80/81/443, volume for data/).

Paths (all overridable)

  • data/db.bolt (or DATA_DIR)
  • data/certs/, data/logs/, data/letsencrypt-acme-challenge/
  • data/www/ (default site / custom html; WWW_DIR or HTML_DIR)
  • etc.

Status

Core features implemented and verified:

  • cwd-relative + env-overridable paths/storage (single data/db.bolt primary via bbolt)
  • pure-Go engine: proxy hosts (full: locations, advanced_config parser, ssl_forced, block_exploits, websocket, hsts, caching w/ HIT/MISS, access lists, custom certs, LE), streams (tcp/udp +ssl term), redirection hosts (full forward_http_code/preservePath/scheme + CRUD), dead hosts (per-dead custom content + CRUD)
  • certificates: custom PEM (meta keys compat) + full Let's Encrypt issuance/renewal via lego (http-01). In PROXY_MODE=development all LE certs are self-signed test certs (domain-based sim tricks removed).
  • single admin (defaults to "password"; first login forces change; hashed + stored in DB; no registration or multi-user)
  • audit (userId=1), settings (default_site + letsencrypt_email etc)
  • live reload on all CRUD, dual https/http + SNI, embedded Svelte SPA (full tabs, pickers, edits)
  • single binary (go build embeds UI after make ui-build), docker multi-stage + full PUID/PGID/umask
  • no nginx, no .conf files, no external processes for proxying

LE note: for real certs use a public DNS domain pointing at your server (port 80/http reachable). By default (production), real LE http-01 is used. Set PROXY_MODE=development and all letsencrypt cert requests will produce self-signed test certs instead (for dev/testing; see TESTING.md). Real LE will be used otherwise (requires valid email, port 80 reachable etc).

Development

  • make ui-build (once real Svelte UI added to ui/)
  • make
  • make docker

Contributions / v2 features: open an issue or just ask to implement the next piece (advanced config, full certs with lego, streams, full Svelte UI, SQL backend, etc.).