NekoGuard is a reverse proxy, implemented in Rust, that protects backend services from automated bot traffic. It does this by forcing clients to solve a Proof-of-Work (PoW) challenge before their requests are proxied to the upstream server.
- Proof-of-Work Verification: Clients must compute a SHA-256 hash that meets a predefined difficulty target before access is granted.
- Asynchronous Architecture: Built on `hyper` and `tokio` for efficient, non-blocking request handling.
- IP Whitelisting: Supports permanent access for specific IP addresses via the `NG_WHITELIST` environment variable.
- Session Management: Uses `DashMap` for concurrent storage of temporary access sessions.
- Embedded Assets: Serves necessary frontend challenge files directly from the binary.

- Request Interception: Incoming HTTP requests are intercepted.
- Authentication Check: The system verifies the `X-Real-IP` against the permanent whitelist or current active sessions.
- Challenge Generation: If unauthenticated, the client is served a challenge page.
- Client-Side Computation: The client's browser performs the work to find a nonce that satisfies the PoW requirement.
- Validation: Upon receiving a valid POST submission, the client's IP is granted access for a set duration (default 30 minutes).
- Proxying: Authenticated traffic is proxied to the destination specified in the `X-Upstream` header.

`NG_WHITELIST`: A comma-separated list of IP addresses allowed to bypass the challenge (e.g., `127.0.0.1,10.0.0.1`).

- Port: 3000
- Difficulty: 16 bits
- Challenge TTL: 5 minutes
- Access TTL: 30 minutes
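
The challenge, solve and validate steps above, with the listed defaults, as an added model in Python; it is not NekoGuard's Rust code. The `challenge:nonce` hash input, the single-use challenge store and all function names are assumptions made for illustration.

```python
import hashlib
import os

DIFFICULTY_BITS = 16     # defaults listed on this page
CHALLENGE_TTL = 5 * 60   # seconds
ACCESS_TTL = 30 * 60     # seconds

challenges = {}  # challenge -> issue time (assumed store)
sessions = {}    # client IP -> access expiry time


def parse_whitelist(raw: str) -> frozenset:
    """Parse an NG_WHITELIST-style comma-separated value, ignoring blanks."""
    return frozenset(p.strip() for p in raw.split(",") if p.strip())


def leading_zero_bits(digest: bytes) -> int:
    """Zero bits before the first 1 bit; works for non-byte-aligned targets."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_digest(challenge: str, nonce: int) -> bytes:
    # Assumed input layout; the page does not specify it.
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def issue_challenge(now: float) -> str:
    challenge = os.urandom(16).hex()
    challenges[challenge] = now
    return challenge


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute force, about 2**bits hashes on average."""
    nonce = 0
    while leading_zero_bits(pow_digest(challenge, nonce)) < bits:
        nonce += 1
    return nonce


def verify(ip: str, challenge: str, nonce: int, now: float) -> bool:
    """Server side: one hash, plus freshness and single-use checks."""
    issued = challenges.pop(challenge, None)  # pop so a solution cannot be replayed
    if issued is None or now - issued > CHALLENGE_TTL:
        return False
    if leading_zero_bits(pow_digest(challenge, nonce)) < DIFFICULTY_BITS:
        return False
    sessions[ip] = now + ACCESS_TTL
    return True


def has_access(ip: str, now: float, whitelist=frozenset()) -> bool:
    return ip in whitelist or sessions.get(ip, 0) > now
```

The asymmetry is the point of the design: the client pays roughly 65,536 hashes per session at 16 bits, while the server pays one hash and two dictionary lookups per submission.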