{"id":48754765,"url":"https://github.com/fabriziosalmi/zion","last_synced_at":"2026-04-15T01:00:59.608Z","repository":{"id":350945420,"uuid":"1208626023","full_name":"fabriziosalmi/zion","owner":"fabriziosalmi","description":"High-performance TLS reverse proxy with built-in WAF, written in Rust.","archived":false,"fork":false,"pushed_at":"2026-04-12T22:23:43.000Z","size":24448,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-04-13T00:53:08.421Z","etag":null,"topics":["edge","edge-computing","edge-gateway","reverse-proxy","rust","rustls","rustls-pemfile","server-name-indication","tls","tls-certificate","tokio","waf","web-application-firewall","web-application-security"],"latest_commit_sha":null,"homepage":"https://fabriziosalmi.github.io/zion/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fabriziosalmi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-12T14:40:19.000Z","updated_at":"2026-04-12T22:23:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fabriziosalmi/zion","commit_stats":null,"previous_names":["fabriziosalmi/zion"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/fabriziosalmi/zion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fzion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fzion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fzion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fzion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fabriziosalmi","download_url":"https://codeload.github.com/fabriziosalmi/zion/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fzion/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31821685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"ssl_error","status_checked_at":"2026-04-14T18:05:01.765Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["edge","edge-computing","edge-gateway","reverse-proxy","rust","rustls","rustls-pemfile","server-name-indication","tls","tls-certificate","tokio","waf","web-application-firewall","web-application-security"],"created_at":"2026-04-13T00:52:19.857Z","updated_at":"2026-04-15T01:00:59.572Z","avatar_url":"https://github.com/fabriziosalmi.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Zion Edge Gateway\n\n[![CI](https://github.com/fabriziosalmi/zion/actions/workflows/ci.yml/badge.svg)](https://github.com/fabriziosalmi/zion/actions/workflows/ci.yml)\n[![Version](https://img.shields.io/github/v/release/fabriziosalmi/zion?include_prereleases\u0026color=blue\u0026label=release)](https://github.com/fabriziosalmi/zion/releases)\n[![License](https://img.shields.io/github/license/fabriziosalmi/zion)](https://github.com/fabriziosalmi/zion/blob/master/LICENSE)\n[![Performance](https://img.shields.io/badge/Performance-233k%20req%2Fs-success?style=flat\u0026color=brightgreen)](https://github.com/fabriziosalmi/zion/tree/master/benchmarks)\n[![WAF](https://img.shields.io/badge/WAF-Zero%20Regex-orange)](https://github.com/fabriziosalmi/zion/blob/master/src/waf.rs)\n\nHigh-performance TLS reverse proxy with built-in WAF, written in Rust.\n\n## Performance\n\n### Native Benchmark (Apple M4, Rust backend, 5 runs x 10s, c=100)\n\n| Endpoint | Median req/s | Best Run | CV% | Errors |\n|----------|-------------|----------|-----|--------|\n| HTML SSR 5KB | **233,170** | 235,370 | 1.1% | 0 |\n| CSS 3KB (cached) | **209,573** | 215,408 | 3.4% | 0 |\n| Cache Hit JS 4KB (RAM) | **195,318** | 207,521 | 7.1% | 0 |\n| TLS Proxy API GET 1KB | **106,505** | 107,189 | 2.1% | 0 |\n| WAF POST JSON | **103,206** | 103,547 | 0.5% | 0 |\n| JS 4KB (no cache) | **102,892** | 104,135 | 1.3% | 0 |\n| PNG 8KB (no cache) | **99,496** | 101,290 | 1.7% | 0 |\n| WOFF2 16KB (no cache) | **83,870** | 86,242 | 2.5% | 0 |\n| SQLi blocked | Yes (400) | -- | -- | -- |\n| XSS blocked | Yes (400) | -- | -- | -- |\n\n**Peak**: 233K req/s HTML (TLS 1.3 e2e) -- 210K cache hit -- 107K API proxy -- 103K WAF POST (CV 0.5%)\n\nReproduce: `bash benchmarks/bench-native.sh`\n\n### Fair Comparison with nginx (Docker, 1 CPU, 256 MB)\n\n| Endpoint | nginx 1.27 | Zion TLS | Zion WAF | Zion Full | Best Delta | Errors |\n|---|---|---|---|---|---|---|\n| API GET (1KB) | 29,404 | 27,517 | 27,438 | 27,537 | -6.3% | 0 |\n| HTML (5KB) | 25,657 | 52,581 | 53,016 | 53,368 | **+108.0%** | 0 |\n| JS (4KB) | 23,152 | 18,165 | 18,037 | 32,366 | **+39.8%** | 0 |\n| PNG (8KB) | 17,409 | 13,411 | 14,345 | 24,770 | **+42.3%** | 0 |\n| WAF POST | 27,772 | 26,173 | 25,653 | 26,909 | -3.1% | 0 |\n| CSS cached | 27,436 | 16,800 | 14,949 | 25,111 | -8.5% | 0 |\n\nFull methodology: `bash benchmarks/bench-scientific.sh` (5 runs, CI95).\n\n\u003cdetails\u003e\n\u003csummary\u003eThroughput Matrix (Apple M4, Go backend, TLS 1.3, wrk)\u003c/summary\u003e\n\nPayload x concurrency grid -- measures end-to-end TLS throughput. These numbers use the Go backend (lower ceiling than Rust backend above).\n\n| Mode | Payload | c=1 | c=10 | c=100 |\n|---|---|---|---|---|\n| **Dynamic** (Go backend) | 1 MB | 2,067 | 3,491 | 3,138 |\n| | 10 MB | 323 | 406 | 203 |\n| | 100 MB | 9,334 | 22,758 | 18,865 |\n| **Static** (uncached proxy) | 1 MB | 14,328 | 35,543 | 46,416 |\n| | 10 MB | 11,889 | 41,116 | 53,144 |\n| | 100 MB | 15,669 | 46,118 | 39,295 |\n| **Cached RAM** (L1+L2) | 1 MB | 30,247 | 88,181 | **140,301** |\n| | 10 MB | 33,781 | 80,246 | 123,936 |\n| | 100 MB | 36,067 | 90,091 | 96,706 |\n\n\u003c/details\u003e\n\n## Features\n\n**Core Proxy**\n- TLS 1.3 termination (rustls + hardware crypto: AES-NI, AES-CE)\n- HTTP/2 upstream multiplexing (hyper-rustls ALPN negotiation)\n- Multi-SNI with per-domain certificates and FNV hash lookup\n- Zero-downtime TLS and QUIC hot-reload (ArcSwap + watch channels)\n- Session tickets + 0-RTT early data with method gating (425 Too Early, RFC 8470)\n- ACME auto-renewal via `instant-acme` (HTTP-01, `--features acme`)\n- JWT/OIDC authentication gate (`--features auth`)\n- HTTP/1.1, HTTP/2, HTTP/3 QUIC (`--features http3`)\n- WebSocket proxy (HTTP Upgrade + bidirectional pipe, TLS-to-upstream)\n- SSE streaming proxy (zero-buffer)\n\n**Cache**\n- Two-level RAM cache: L1 thread-local (~5ns, O(1) LRU) + L2 DashMap (~30ns)\n- L1/L2 generation-based coherence (no stale data after update)\n- Request coalescing (singleflight): N concurrent cache misses = 1 upstream fetch\n- Thread-local route lookup cache (FNV hash, ~5ns hot path)\n- Connection pool pre-warming at startup\n\n**WAF (Zero-Regex, O(N) Single-Pass)**\n- Aho-Corasick scanner: 192 patterns, 14 categories (SQLi, XSS, CMDi, SSRF, NoSQL, deserialization, GraphQL, LDAP, XXE, SSTI, CRLF, Log4Shell)\n- Shannon entropy analysis (detect obfuscated payloads)\n- simd-json structural validation (depth + string length limits)\n- Content-Type strict validation with delimiter enforcement\n- Body size enforcement, DELETE body inspection\n- Iterative normalization (URL-decode, SQL comments, JSON unicode)\n\n**Security**\n- HSTS (2-year, includeSubDomains, preload), X-Content-Type-Options, X-Frame-Options\n- Referrer-Policy, Permissions-Policy, per-route CSP\n- Server header stripped, hop-by-hop headers stripped (RFC 7230)\n- URI length limit (8 KB path+query), method whitelist (7 methods)\n- Per-IP rate limiting (lock-free atomic, configurable window)\n- CORS with FNV O(1) origin lookup, case-insensitive (RFC 6454)\n- TLS handshake timeout (10s), connection timeout (1h for H2/WS/SSE)\n- Header bomb prevention (64 headers, 16 KB buffer)\n\n**Observability**\n- `/healthz`, `/readyz` inline fast-path (~1us, bypasses full pipeline)\n- `/metrics` Prometheus text format (lock-free sharded counters, differential histogram)\n- `X-Request-ID` (stack-buffer, zero-alloc) + W3C `traceparent` propagation\n- Structured logging (text or JSON)\n\n**Operations**\n- Config validation at startup (fail fast, validates all profile references)\n- Graceful drain on shutdown (30s timeout, semaphore-tracked)\n- Upstream health checking (30s interval, EWMA latency, gray failure detection)\n- Bootstrap auto-detection (CPU cores, RAM, L1d cache, AES-NI/NEON, kernel features)\n- TCP tuning: TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_FASTOPEN, TCP_QUICKACK, TCP_CORK, SO_BUSY_POLL\n- SO_REUSEPORT, sys_membarrier, io_uring multishot accept (Linux)\n- `target-cpu=native` build optimization, PGO build script included\n- systemd unit file + Docker HEALTHCHECK\n\n## Quick Start\n\n```bash\n# Build\ncargo build --release\n\n# With optional features\ncargo build --release --features \"acme,auth,http3\"\n\n# Linux: io_uring multishot accept (kernel 5.19+)\ncargo build --release --features io-uring-accept\n\n# Run\nZION_CONFIG=zion.toml ./target/release/zion\n```\n\n## Configuration\n\n```toml\n[server]\nlisten_http = \"0.0.0.0:80\"\nlisten_https = \"0.0.0.0:443\"\n\n[tls]\ncert_path = \"/etc/ssl/zion/tls.crt\"\nkey_path = \"/etc/ssl/zion/tls.key\"\n\n[upstreams]\nbackend = \"http://127.0.0.1:8000\"\nfrontend = \"http://127.0.0.1:3000\"\n\n[[route]]\npath = \"/api/{*rest}\"\nupstream = \"backend\"\nwaf = true\n\n[[route]]\npath = \"/_next/static/{*rest}\"\nupstream = \"frontend\"\nmode = \"static_cache\"\n\n[[route]]\npath = \"/{*rest}\"\nupstream = \"frontend\"\n```\n\nSee [zion.example.toml](zion.example.toml) for the full configuration reference.\n\n## Architecture\n\n```\nClient -\u003e TLS 1.3 -\u003e Security Gates -\u003e Radix Router -\u003e WAF Pipeline -\u003e Proxy/Cache -\u003e Upstream\n                         |                                |\n                    URI limit                  Aho-Corasick (192 patterns)\n                    Method whitelist           Entropy analysis\n                    Rate limiter              simd-json validation\n                    CORS pre-flight           Depth/size limits\n```\n\n17 modules, ~8,600 lines of Rust. See [architecture docs](https://fabriziosalmi.github.io/zion/guide/architecture) for the full module map and request lifecycle.\n\n## Benchmarking\n\n```bash\n# Native scientific benchmark (8 endpoints x 5 runs, ~8 min)\nbash benchmarks/bench-native.sh\n\n# Payload x concurrency matrix (36 cells, ~15 min)\nbash benchmarks/bench-matrix.sh\n\n# Quick validation (~2 min)\nbash benchmarks/bench-matrix.sh --quick\n\n# Docker comparison vs nginx (5 runs, CI95)\nbash benchmarks/bench-scientific.sh\n\n# PGO optimized build (+10-20%)\nbash benchmarks/bench-pgo.sh\n```\n\nResults saved to `benchmarks/bench-history.json` with automatic delta comparison.\n\n## Testing\n\n```bash\n# Unit tests (154)\ncargo test\n\n# Integration tests (19 -- requires running Zion + backend)\n# 1. cd benchmarks/backend \u0026\u0026 cargo run --release \u0026\n# 2. ZION_CONFIG=tests/zion-test.toml ./target/release/zion \u0026\n# 3. Run:\ncargo test --test integration -- --ignored --test-threads=1\n```\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for the full release history.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabriziosalmi%2Fzion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffabriziosalmi%2Fzion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabriziosalmi%2Fzion/lists"}