Introducing PunkProxy v5

PunkProxy is our high-performance HTTP gateway and reverse proxy. It sits at the edge between clients and your backends and gives you domain-level routing, automatic SSL/TLS, and a REST API to manage it all.

What it does

  • Domain-level routing — Send traffic to different backends by domain.
  • Automatic SSL/TLS — Built-in ACME client (e.g. Let’s Encrypt) for cert provisioning and renewal.
  • HTTP/3, HTTP/2, HTTP/1.1 — Multi-protocol support including QUIC.
  • JA3 fingerprinting — TLS fingerprinting for client identification and security.
  • Control plane API — REST API for zones, destinations, certificates, and settings; Swagger at /swagger/index.html.
  • Cluster support — Designed for distributed deployments with shared state (PostgreSQL, Valkey).
  • Prometheus metrics — Metrics endpoint for monitoring.
  • GeoIP — Optional MaxMind GeoIP integration.

Planned: file caching, IP/GEO blocking, Coraza WAF, rate limiting, and more.

Quick start

With Docker and Docker Compose, clone the repo, set ACME_EMAIL (and optionally MaxMind env vars), and run docker-compose up -d. You get the proxy on 9880/9443 and the control plane on 8088. For production, use prod-docker-compose.yml.

License

PunkProxy is under FSL-1.1-ALv2 (Functional Source License): internal use, non-commercial use, and professional services are allowed; competing commercial products are not. After 2 years from release, the code becomes Apache 2.0.

gitlab.com/punksky/proxy/punkproxy
