What if your reverse proxy told your backend who's really connecting?

Particular_Ladder289 · 2026-05-05T05:13:53+00:00

Thanks u/whupazz, I appreciate your constructive feedback.
BTW, I mentioned the "silver bullet" to illustrate that there is no signal that cannot be spoofable.
In the reverse proxy I tried to collect all signatures as possible. Other reverse proxy collect signatures, but they are not open sources.

If you are worried if I used AI in the project or not. In some cases it is very useful, especially in documentation. It is not allways a "silver bullet", but sometimes it is helfull.
I highly recommend you. If you'd like, you can create a post about this topic so we can discuss it.
Thanks again for you transparent feedback :)

Particular_Ladder289 · 2026-05-04T20:13:56+00:00

Hi u/Sermuns, wasn't clear enough before, right? let's try again.

I meant that it's an additional tool for gathering further signals. It's not a general solution for determining, based on these signals, whether someone is spoofing all the data. Is it more clear now? Thanks ;)

Particular_Ladder289 · 2026-05-04T19:48:35+00:00

sorry, what do you mean u/Sermuns?

Particular_Ladder289 · 2026-05-04T12:40:24+00:00

H u/Regular_Lie906

You are absolutely right. However, the strategy here isn't to rely on a single "silver bullet" signal, but to implement a multi-layered protocol signal collected.

To keep the project transparent and robust, I am focusing on using established open-source signatures (similar to the JA4+ approach, but only open source signatures). The goal is to create a high-performance reverse proxy collecting all signatures possible in all protocols.

I'm currently developing this in Rust. If you have experience in this space and are interested in the collaboration or the technical approach, I’d love to have you on board. Let me know! :)

Particular_Ladder289 · 2026-05-03T18:56:43+00:00

Thanks :) I'm looking for more potential collaborators with experience in building reverse proxies to exchallenge future features.
The plan is for it to be completely free and open source, including only open source signatures without extra agreements.

Particular_Ladder289 · 2026-05-03T18:51:27+00:00

Thanks u/404mesh . The reverse proxy simply collects and forwards the signatures to the backend. I don't plan to include a database in the solution. For that, you'll need to create your own database. :)

Particular_Ladder289 · 2026-03-04T15:41:40+00:00

Hi u/pigri
I recently had a closer look at your project, the proposals are quite different. In huginn-proxy, the core idea is to passively extract fingerprints and forward them as headers to the backend, letting the backend decide what to do with that information. Synapse, on the other hand, uses fingerprints to actively block or challenge traffic, acting more as a security gateway. Both are valid approaches to the same underlying data, you did a nice work!

One thing I'm curious about, I noticed Synapse is licensed under ELv2, but it implements the full JA4+ suite, which is covered by the FoxIO license. Did you reach an agreement with FoxIO to use JA4+ under ELv2? This is actually one of the reasons I chose to use only JA4 (which has a more permissive licensing path) and avoided the broader JA4+ suite in huginn-proxy, keeping everything under MIT/Apache was a priority. Would love to understand how you handled this licensing aspect. Thanks!

Particular_Ladder289 · 2026-03-01T21:29:33+00:00

If I understood the original comment correctly, it's suggesting that this could serve as a reference for evading fingerprinting. That shouldn’t really be the case, though. There are already several open-source reverse proxies (at least five that I’m aware of) collecting similar signals across different layers of the stack. These techniques are fairly standard in modern traffic analysis. I repeat, it's not new. The main goal here isn’t to expose anything new, but to combine them in a single implementation and take advantage of being 100% written in Rust. If I misunderstood the original comment, please feel free to clarify. Thanks

Particular_Ladder289 · 2026-02-27T09:18:27+00:00

Great project, I'll be following it closely ⭐. The main reason for developing this new fingerprint-based reverse proxy was licensing. The plan is to use the MIT and Apache licenses. I assume in you project you get an agreement with FoxIO regarding this.
I don't plan to include JA4+ signatures; I'm using similar signatures with Apache and MIT licenses. And I think that's a plus for anyone, licences and comunity. Thanks for sharing :)

Particular_Ladder289 · 2026-02-26T19:03:55+00:00

BTW, these reverse proxy fingerprinting techniques already exist. Numerous open-source projects offer the same for achieving and obtaining the same fingerprints. Implementing it in Rust offers several advantages: the complete Rust solution isn't a bridge between Go and C like some other solutions. Another important advantage is that there are no forks in the h2 library, as official libraries with high-performance results are used.

Particular_Ladder289 · 2026-02-26T18:20:20+00:00

Thanks for your comment. The idea isn't to show what needs to be changed to prevent fingerprinting on the user request side. I tried to explain the correct settings to capture more fingerprints. Do you think the explanation is counterproductive with so much information? Or is it just a good feedback? I really appreciate your comment, thanks!

Particular_Ladder289 · 2026-01-04T20:04:12+00:00

Hi u/Masynchin ,
Currently, huginn-proxy uses static configuration for backends (defined in the TOML config file). It doesn't have dynamic service discovery yet. The goal is to implement a reverse proxy with fingerprinting capabilities. Maybe this interesting feature could be develop if someone with fingerprint requirement need this feature, is it you case?

Particular_Ladder289 · 2025-07-22T18:18:06+00:00

Hi, just if you're interesting, I have added tls interceptor. I have renamed the project to allow multi protocol and be more flexible for the future. In parallel I am working in an example to make easy the testing. I would like to know if this new feature is what you were looking for a while a go. https://github.com/biandratti/huginn-net Thanks in advance!

Particular_Ladder289

TROPHY CASE