Flow-based. Event-driven. Rust-native.
Like a dandelion carried by the wind, it follows direction yet defines its own.
Vane is a high-performance, flow-based reverse proxy and network protocol engine written in Rust. It is designed to bridge the architectural gap between raw transport layer (L4) forwarding and complex application layer (L7) processing. Unlike traditional reverse proxies that rely on static hierarchical configurations, Vane utilizes a dynamic, composable pipeline architecture that treats network connections as programmable flows.
Vane abandons the traditional "virtual host" configuration model in favor of a decision-tree architecture known as the Flow Engine. Every connection operates within a pipeline composed of two distinct plugin types:
- Middleware: Intermediate logic units that inspect traffic, modify state, or perform side effects (e.g., protocol detection, rate limiting, variable injection). Middleware can branch execution paths based on runtime logic.
- Terminators: Final execution units that decide the fate of a connection (e.g., proxy to an upstream target, abort connection, or upgrade to a higher protocol layer).
Vane manages network traffic across three strictly defined architectural layers, allowing for precise control over the depth of packet inspection:
- L4 (Transport): Handles raw TCP streams and UDP datagrams. It provides high-performance switching based on IP stickiness, load balancing, and connection metadata.
- L4+ (Carrier): A specialized state where Vane inspects encrypted or complex protocols (TLS, QUIC) without terminating the secure session. It can extract SNI, ALPN, and Connection IDs to make routing decisions before determining whether to forward the encrypted stream or terminate it.
- L7 (Application): The fully terminated layer where Vane acts as a server (HTTP/1.1, HTTP/2, HTTP/3). Here, the system utilizes a unified "Container" model to manipulate headers, bodies, and payloads using a full-duplex streaming engine.
“Two-Phase” in Vane is layer-dependent, not a single global mechanism.
- L4 (Transport): No Two-Phase model. Traffic is handled with single-pass, stateless forwarding and flow decisions.
- L4+ (Carrier): Two-Phase refers to UDP/QUIC fast–slow path separation. Initial packets go through deep inspection and routing (slow path). Once a session is established, subsequent packets are forwarded in O(1) via CID and IP stickiness (fast path).
- L7 (Application): Two-Phase represents a split request lifecycle. Upstream fetching is modeled as a middleware (
FetchUpstream), allowing modification both before the request is sent upstream and after the response returns. This decouples upstream and downstream protocols and enables full-duplex HTTP any-to-any bridging (H1/H2/H3).
Traditional proxies are configured; Vane is programmed. Through its plugin system, Vane allows administrators to define logic flows (e.g., "If protocol is HTTP and source IP is X, then rate limit, otherwise upgrade to HTTP/3"). This logic is defined in declarative JSON, YAML, or TOML, but executes with the speed of compiled Rust code.
Vane provides a selectively extensible plugin model aligned with its Flow Engine architecture.
- Middleware (Extensible): Middleware is fully programmable and user-definable. It can be implemented internally for zero-latency execution or externally via HTTP webhooks, Unix Domain Sockets, or external binaries/scripts (Lua, Python, Bash, etc.). This enables custom logic such as authentication, policy decisions, logging, and dynamic flow control without recompiling the core.
- Terminators (Built-in Only): Terminators are tightly bound to physical network operations (proxying, protocol upgrades, connection termination). Due to their direct interaction with the data plane, they are currently provided only as built-in implementations and cannot be externalized.
Unlike proxies that treat UDP as a second-class citizen, Vane features a dedicated QUIC Carrier Engine. It includes custom virtual sockets, stream reassembly logic, and a specialized Muxer that allows the system to accept raw UDP packets, identify them as QUIC, and seamlessly transition them into a structured HTTP/3 application stream without losing context or performance.
- Zero-Copy Architecture: The internal data plane heavily utilizes Rust's ownership model and
Bytesabstractions to pass data between network layers without unnecessary memory allocation. Features like "Lazy Buffering" ensure that payloads are only loaded into memory when explicitly requested by a plugin. - Full-Duplex Streaming: The upstream drivers are architected to handle large-scale data transfer (e.g., multi-gigabyte streams) asynchronously. Request and response paths are decoupled, preventing head-of-line blocking and deadlocks common in synchronous proxy implementations.
- Cross-Layer Context Continuity: Vane maintains a unified key–value context that persists across L4, L4+, and L7. Connection metadata such as source IP/port, transport details, and handshake-derived attributes are propagated upward and remain accessible at higher layers. This allows L7 template rendering (
{{ ... }}) and middleware logic to reference low-level connection and protocol state without re-parsing or breaking layer boundaries. - Stateful L4+ Routing: Vane can route encrypted traffic without terminating the secure session. At the L4+ layer, it routes TLS connections based on SNI and ALPN, and QUIC connections based on SNI by parsing handshake metadata (including fragmented ClientHello data), enabling certificate-less, zero-trust routing decisions.
- Hot-Swappable Configuration: All layers of the stack—from L4 listeners and TLS certificates to L7 application pipelines—support runtime reconfiguration. The system employs a "Keep-Last-Known-Good" strategy to ensure stability during updates.
MIT License © 2025 Canmi
✦ Polygon / Ethereum: 0x35D143d9DC624feC921a3925Fa84dea9d1DfDCAe
If you found this project helpful, consider supporting domain & server maintenance.