Skip to content

permanu/Dwaar

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

439 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Dwaar

The gateway for your applications. Pingora performance. Caddy simplicity.

Dwaar (द्वार — "gateway" in Hindi) is a high-performance reverse proxy built on Cloudflare Pingora with first-party analytics, automatic HTTPS, and a zero-cognitive-load config format.

Why Dwaar?

What you get Without Dwaar With Dwaar
Reverse proxy + auto TLS Caddy (~30 MB) Dwaar (~25 MB)
First-party analytics + Plausible (~200 MB) Included
Request logging + Custom scripts Included
Bot detection + fail2ban (~30 MB) Included
Total ~260+ MB, 3-4 services ~25 MB, 1 binary

Install

curl -fsSL https://dwaar.dev/install.sh | sh

No keys, no extra tooling. The installer detects your OS/arch, downloads the latest release, verifies the SHA-256 checksum, and — if cosign is installed — verifies the keyless Sigstore signature (no public key required). On Linux with systemd it also installs and enables a dwaar service; on macOS it installs a launchd agent.

# Pin a specific version
DWAAR_VERSION=0.3.23 curl -fsSL https://dwaar.dev/install.sh | sh

# Uninstall
curl -fsSL https://dwaar.dev/uninstall.sh | sh
Platform Binary
Linux x86_64 dwaar-linux-amd64
Linux ARM64 dwaar-linux-arm64
macOS ARM64 (Apple Silicon) dwaar-darwin-arm64

Intel Macs (x86_64) have no published binary — build from source (cargo build --release) or run the ARM binary via Rosetta 2. Docker images are at ghcr.io/permanu/dwaar.

See release signing for the full verification model, including the enterprise key-pinning path.

Quick Start

# Dwaarfile
example.com {
    proxy localhost:8080
    analytics on
}
dwaar

That's it. HTTPS is automatic. Analytics are injected. Requests are logged.

Features

  • Pingora engine — 5-10x nginx performance, ~5 MB base memory
  • Automatic HTTPS — Let's Encrypt + ZeroSSL, zero config
  • First-party analytics — Ad-blocker-proof, same-origin injection
  • Dwaarfile — Human-readable config, 3 lines for a working proxy, with glob imports (import apps/*.dwaar) for deploy-agent workflows
  • Admin API — JSON API for runtime config changes, no restarts
  • Docker integration — Auto-discover containers via labels
  • Plugin system — Native Rust plugins + WASM runtime
  • Request logging — 34+ fields per request, batch-written
  • Bot detection — User-agent + behavior analysis
  • Rate limiting — Per-IP, per-domain, configurable
  • Zero-downtime upgrades — Pingora's FD transfer, zero dropped connections
  • HTTP/3 streaming bridge — streaming H3 → H2 upstream with zero-copy chunk forwarding and a bounded per-host connection pool (100 concurrent H3 streams share ≤ 2 upstream TCP sockets)
  • v0.2.3 audit remediation — ~50 fixes: beacon HMAC auth, TLS hardening (OCSP SSRF blocklist, strict wildcard SNI, revoked-cert eviction), Prometheus label escaping, GeoIP hot reload

Architecture

Built on Pingora's ProxyHttp trait with a workspace split by runtime responsibility. The main proxy binary is dwaar-cli; the Kubernetes controller is a separate dwaar-ingress binary that talks to the proxy through the Admin API.

Pingora (engine)      → TLS, connection pooling, HTTP lifecycle
dwaar-cli             → process entry point and service wiring
dwaar-core            → ProxyHttp implementation, route table, handlers
dwaar-config          → Dwaarfile parser/compiler and hot reload
dwaar-tls             → ACME, certificate store, SNI, OCSP
dwaar-admin           → authenticated Admin API
dwaar-ingress         → Kubernetes Ingress controller, standalone binary
dwaar-grpc            → gRPC control fabric

Other workspace crates provide analytics, plugins, Docker discovery, GeoIP, and structured logging. See site/src/content/docs/architecture/crate-map.md for the full crate map.

Dwaarfile directives

reverse_proxy

Proxy HTTP/1 (or HTTP/2 with transport h2) requests to one or more backends.

api.example.com {
    reverse_proxy 10.0.0.1:3000 10.0.0.2:3000
}

grpc

Proxy gRPC traffic to a backend over HTTP/2 cleartext (h2c). TLS is terminated at Dwaar's public listener (auto-provisioned via ACME by default). The upstream connection speaks HTTP/2 cleartext by default. Use that only for loopback, same-pod, or otherwise trusted private links; if the backend is across an untrusted network, terminate upstream TLS or mTLS with reverse_proxy transport settings instead of relying on the grpc shortcut.

Trailers, gRPC status codes, streaming semantics, and bidirectional streams are preserved end-to-end.

grpc-staging.permanu.com {
    grpc 172.18.0.10:9090
}

For existing sites where you want to force h2c on a reverse_proxy upstream, the bare grpc marker still works as before:

api.example.com {
    grpc
    reverse_proxy backend:9090
}

Other directives

file_server, php_fastcgi, tls, header, redir, encode, rate_limit, ip_filter, respond, rewrite, uri, basicauth, forward_auth, cache, log, and more — see the Dwaarfile syntax guide.

License

Business Source License 1.1 — free to use, modify, and redistribute. Cannot be used to offer a competing commercial proxy, CDN, or analytics service. Converts to AGPL-3.0 after 10 years per release.

Commercial licensing available for organizations that need different terms. Contact: hello@permanu.com

Built by

Permanu — the team behind Deploy.

About

High-performance reverse proxy with built-in analytics, automatic HTTPS, and bot detection. Powered by Cloudflare Pingora. Configured in 3 lines. One binary replaces nginx + Plausible + fail2ban.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

8 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors