{"id":42923508,"url":"https://github.com/in4it/roxprox","last_synced_at":"2026-01-30T18:04:30.800Z","repository":{"id":40263558,"uuid":"184762676","full_name":"in4it/roxprox","owner":"in4it","description":"Roxprox is a stateless envoy control plane with AWS Cloud Support","archived":false,"fork":false,"pushed_at":"2026-01-29T13:19:21.000Z","size":541,"stargazers_count":15,"open_issues_count":5,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2026-01-30T03:19:13.967Z","etag":null,"topics":["acme","aws","control-plane","ecs","envoy","fargate","kubernetes","letsencrypt"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/in4it.png","metadata":{"files":{"readme":"README-install.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-05-03T13:45:52.000Z","updated_at":"2025-11-12T14:50:09.000Z","dependencies_parsed_at":"2024-04-19T18:32:24.521Z","dependency_job_id":"46c494c7-b157-4206-8460-235730ba173e","html_url":"https://github.com/in4it/roxprox","commit_stats":null,"previous_names":["in4it/envoy-autocert"],"tags_count":42,"template":false,"template_full_name":null,"purl":"pkg:github/in4it/roxprox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/in4it%2Froxprox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/in4it%2Froxprox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/in4it%2Froxprox/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/in4it%2Froxprox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/in4it","download_url":"https://codeload.github.com/in4it/roxprox/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/in4it%2Froxprox/sbom","scorecard":{"id":486704,"data":{"date":"2025-08-11","repo":{"name":"github.com/in4it/roxprox","commit":"c3de3a0c7395cc501dae31aa1d0e48eb8982a074"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":1,"reason":"Found 4/24 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'contents' permission set to 'write': .github/workflows/public-ecr.yml:12","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/public-ecr.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/in4it/roxprox/public-ecr.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/public-ecr.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/in4it/roxprox/public-ecr.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:4","Warn: containerImage not pinned by hash: Dockerfile:18: pin your Docker image by updating alpine:3.21.3 to alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c","Warn: containerImage not pinned by hash: resources/access-log-server/Dockerfile:1: pin your Docker image by updating alpine:3.19.4 to alpine:3.19.4@sha256:7a85bf5dc56c949be827f84f9185161265c58f589bb8b2a6b6bb6d3076c1be21","Info:   0 out of   1 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of 
GitHub Actions.: .github/workflows/public-ecr.yml:14"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T17:59:53.173Z","repository_id":40263558,"created_at":"2025-08-19T17:59:53.173Z","updated_at":"2025-08-19T17:59:53.173Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28917033,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T16:37:38.804Z","status":"ssl_error","status_checked_at":"2026-01-30T16:37:37.878Z","response_time":66,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","aws","control-plane","ecs","envoy","fargate","kubernetes","letsencrypt"],"created_at":"2026-01-30T18:03:56.361Z","updated_at":"2026-01-30T18:04:30.793Z","avatar_url":"https://github.com/in4it.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Install\n\n## Instructions for ECS deploy without terraform (see terraform instructions below)\n1. git clone this repository using `git clone https://github.com/in4it/roxprox.git` or download the files from [resources/ecs/](resources/ecs/)\n2. Create an S3 bucket and upload the configuration files. 
You can copy the example configuration file to proxy test.example.com:\n```\naws s3api create-bucket --bucket roxprox-configuration --region us-east-1 # add your organization name or a random string to make the s3 bucket unique\n```\nExample Configuration File ([mocky.yaml](resources/example-proxy/mocky.yaml)):\n```\napi: proxy.in4it.io/v1\nkind: rule\nmetadata:\n  name: simple-reverse-proxy\nspec:\n  conditions:\n    - hostname: test.example.com\n      prefix: /\n  actions:\n    - proxy:\n        hostname: www.mocky.io\n        port: 443\n```\nTo copy the example configuration file to the s3 bucket, use the following command:\n```\naws s3 cp resources/example-proxy/mocky.yaml s3://roxprox-configuration/config/mocky.yaml\n```\nNote: you can find more configuration file options in the [README](README.md) \n\n3. Run the following commands to create an ECS cluster with roxprox (control plane) and envoy (data plane):\n\n```\nexport S3_BUCKET=\"roxprox-configuration\" # change the value of S3_BUCKET to your s3 bucket\n# IAM Execution Roles\naws iam create-role --role-name roxprox-execution-role --assume-role-policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ecs-tasks.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}'\naws iam attach-role-policy --role-name roxprox-execution-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy\nAWS_REGION=us-east-1 AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) envsubst \u003c resources/ecs/roxprox-executionrole.template.json \u003e roxprox-executionrole.json\naws iam put-role-policy --role-name roxprox-execution-role --policy-name roxprox-policy --policy-document file://roxprox-executionrole.json\n# IAM Task Roles\naws iam create-role --role-name roxprox-task-role --assume-role-policy-document 
'{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ecs-tasks.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}'\nAWS_REGION=us-east-1 AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) envsubst \u003c resources/ecs/roxprox-taskrole.template.json \u003e roxprox-taskrole.json \naws iam put-role-policy --role-name roxprox-task-role --policy-name roxprox-policy --policy-document file://roxprox-taskrole.json\n# ECS Cluster\naws ecs create-cluster --cluster-name roxprox-example\n# Create SQS notification queue\naws sqs create-queue --queue-name \"${S3_BUCKET}-notifications\"\n```\n\n4. Register the ECS service. Make sure to change the S3_BUCKET and AWS_REGION variables:\n```\n# Strip newlines and quote the value so wrapped base64 output is passed as a single argument\naws ssm put-parameter --name envoy-config --type String --value \"$(base64 \u003c resources/ecs/envoy-config.yaml | tr -d '\\n')\"\nS3_BUCKET=your-s3-bucket AWS_REGION=us-east-1 AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) envsubst \u003c resources/ecs/roxprox.template.json \u003e roxprox.json\naws logs create-log-group --log-group-name roxprox\n```\n5. Deploy the ECS service. Make sure to specify a subnet and security group (http proxy port is tcp port 10000):\n\n```\naws ecs register-task-definition --cli-input-json file://roxprox.json\naws ecs create-service --cluster roxprox-example --service-name roxprox --task-definition roxprox --desired-count 1 --network-configuration 'awsvpcConfiguration={subnets=[subnet-123],securityGroups=[sg-123],assignPublicIp=ENABLED}' --launch-type FARGATE\n```\n\n* You can verify the task is launched in the ECS Console\n* The http proxy is available on port 10000. 
Make sure to open this port in the security group before testing.\n* If you're using the mocky.yaml test, try to curl the service on port 10000 with -H \"Host: test.example.com\"\n* You can either put an ALB/NLB in front, or integrate it within your internal VPC network \n\n## Cleanup\n```\nexport S3_BUCKET=\"roxprox-configuration\" # change the value of S3_BUCKET to your s3 bucket\naws ecs update-service --cluster roxprox-example --service roxprox --desired-count 0\naws ecs delete-service --cluster roxprox-example --service roxprox\naws ecs deregister-task-definition --task-definition roxprox:1\naws ecs delete-cluster --cluster roxprox-example\naws iam delete-role-policy --role-name roxprox-execution-role --policy-name roxprox-policy\naws iam detach-role-policy --role-name roxprox-execution-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy\naws iam delete-role --role-name roxprox-execution-role\naws iam delete-role-policy --role-name roxprox-task-role --policy-name roxprox-policy\naws iam delete-role --role-name roxprox-task-role\naws logs delete-log-group --log-group-name roxprox\n# delete-queue needs the queue URL, so look it up from the queue name first\naws sqs delete-queue --queue-url \"$(aws sqs get-queue-url --queue-name \"${S3_BUCKET}-notifications\" --query 'QueueUrl' --output text)\"\naws s3 rm \"s3://${S3_BUCKET}/config/mocky.yaml\"\naws s3api delete-bucket --bucket \"${S3_BUCKET}\"\naws ssm delete-parameter --name envoy-config\n```\n\n## Roxprox install (using Terraform)\n\nThe best way to deploy roxprox+envoy to your infrastructure is by using our terraform module. 
You can download and install terraform from [https://developer.hashicorp.com/terraform/install](https://developer.hashicorp.com/terraform/install).\n\nOnce downloaded, create a new project directory, and create a proxy.tf file with the following contents:\n```\nmodule \"roxprox\" {\n  source                          = \"git@github.com:in4it/roxprox.git//terraform\"\n  envoy_release                   = \"v1.29.3\"\n  release                         = \"0.0.23\"\n  envoy_proxy_cpu                 = 512\n  envoy_proxy_memory              = 1024\n  loadbalancer                    = \"alb\"\n  loadbalancer_alb_cert           = \"example.com\"\n  control_plane_count             = 1\n  envoy_proxy_count               = 1\n  envoy_extra_target_group_arns   = [aws_lb_target_group.envoy-proxy-http-internal.id]\n  lb_subnets                      = []    # aws public subnet to use (pick 2)\n  subnets                         = []    # aws private subnet to use (typically corresponding private subnets in same AZ)\n  s3_bucket                       = \"roxprox-examplecom\" # s3 bucket will be created. config resides in config/\n  bucket_lb_logs                  = \"roxprox-examplecom\" # lb logs\n}\n```\n\nMake sure to have a TLS certificate configured for the domain name specified as \"loadbalancer_alb_cert\". Fill out the lb_subnets and subnets (public and private vpc subnets to use). Modify the s3 bucket name. See the next step to upload the configuration. 
Make changes where desired, then apply the configuration:\n\n```\nterraform init\nterraform apply\n```\n\nThis will launch the roxprox and envoy containers within a new ECS cluster, create the s3 bucket, and add a loadbalancer pointing to the envoy instance.\n\nTo change the configuration, upload a configuration yaml file to the s3 bucket (replace the bucket with your bucket name):\n```\naws s3 cp resources/example-proxy/mocky.yaml s3://roxprox-examplecom/config/mocky.yaml\n```\n\nTo test the installation, hit the newly created loadbalancer endpoint with curl or a browser. If you used the example, you can use curl:\n```\ncurl http://example.com -v -H \"Host: test.example.com\"\n```\n\n## Notes\n\n* No sensitive information is stored.\n* The configuration is in your S3 bucket\n* The envoy config file is in the parameter store\n* TLS on the loadbalancer is enabled; encryption at rest of the configuration and s3 bucket can be configured\n* No cryptographic keys need to be rotated; you can use KMS as the key store\n* To verify container health, go to the ECS console and check whether the roxprox and envoy tasks are running. Check the logs in CloudWatch Logs to confirm that no errors are present","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fin4it%2Froxprox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fin4it%2Froxprox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fin4it%2Froxprox/lists"}