gen0sec/synapse

Overview

Synapse is a high-performance reverse proxy and firewall built with Rust, featuring:

  • XDP-based packet filtering for ultra-low latency protection at kernel level
  • Multi-backend firewall with automatic fallback (XDP > nftables > iptables > userland)
  • Dynamic access rules with automatic updates from Gen0Sec API
  • JA4+ fingerprinting complete suite: JA4, JA4H, JA4T, JA4TS, JA4L, JA4LS, JA4S, JA4X with header forwarding
  • Automatic TLS certificate management with ACME/Let's Encrypt (HTTP-01 and DNS-01)
  • Threat intelligence integration with Gen0Sec API and Threat MMDB
  • Content scanning with ClamAV integration for malware detection
  • Advanced upstream routing with service discovery (file, Consul, Kubernetes)
  • Weighted load balancing with hot-reloadable configuration

Supported platforms: Linux (kernel 4.18+ with XDP/BPF) and Windows (Server 2019+ or Windows 11+, with optional eBPF for Windows).

Quick Start

Linux

```sh
# Ubuntu install
curl -fSL https://raw.githubusercontent.com/gen0sec/synapse/refs/heads/main/install.sh | sh

# Run with config file
synapse -c /etc/synapse/config.yaml

# Run with terminal TUI
synapse -c /etc/synapse/config.yaml --terminal
```

Review install.sh before piping it to sh, or download it first and run it from disk.

Windows

```powershell
# Run directly
synapse.exe -c C:\ProgramData\synapse\config.yaml

# Install as Windows Service
synapse.exe --service install

# Start/stop/reload service
sc start synapse
sc stop synapse
sc control synapse paramchange   # reload config

# Uninstall service
synapse.exe --service uninstall

# Run with terminal TUI
synapse.exe -c config.yaml --mode agent --terminal
```

More installation methods

Ansible

```sh
git clone https://github.com/gen0sec/synapse.git
cd synapse/moat/ansible
cp hosts.example hosts
# Edit hosts and add your server details
ansible-playbook playbook.yml -e gen0sec_api_token=your_key_here
```

Features: Debian/Ubuntu + RedHat/CentOS/Fedora, optional ClamAV/Redis/Fail2Ban. More details.

Kubernetes

```sh
helm repo add gen0sec https://helm.gen0sec.com
helm install synapse-stack
```

More details.

Killercoda Playground

```sh
curl -sSL https://raw.githubusercontent.com/gen0sec/synapse/main/scenarios/synapse-operator/synapse.sh | bash -s -- --api-key <YOUR_API_KEY>
```

Docker

```sh
# Required capabilities
--cap-add=SYS_ADMIN --cap-add=BPF --cap-add=NET_ADMIN
```

Modes

Synapse runs in two modes: Agent (default) and Proxy.

Both modes share the kernel-level protection (XDP firewall, access rules, threat intelligence, network-level fingerprinting, logging); proxy mode adds HTTP/HTTPS proxying, TLS, upstreams, WAF, CAPTCHA and content scanning. Windows support: agent mode.

Detailed feature comparison:

| Feature | Proxy Mode | Agent Mode |
|---|---|---|
| HTTP/HTTPS Reverse Proxy | ✅ Full support | ❌ Not available |
| TLS Certificate Management | ✅ ACME & custom certificates | ❌ Not available |
| Upstreams & Load Balancing | ✅ File, Consul, Kubernetes | ❌ Not available |
| Hot-reloadable Upstreams | ✅ Zero-downtime updates | ❌ Not available |
| XDP Packet Filtering | ✅ Kernel-level filtering | ✅ Kernel-level filtering |
| Multi-Backend Firewall | ✅ XDP/nftables/iptables/userland | ✅ XDP/nftables/iptables/userland |
| Access Rules Enforcement | ✅ IP allow/block lists | ✅ IP allow/block lists |
| Dynamic Access Rules | ✅ Auto-updates from Gen0Sec API | ✅ Auto-updates from Gen0Sec API |
| BPF Statistics Collection | ✅ Packet processing metrics (XDP only) | ✅ Packet processing metrics (XDP only) |
| TCP Fingerprinting | ✅ SYN packet analysis | ✅ SYN packet analysis |
| JA4+ Fingerprinting | ✅ JA4, JA4H, JA4T, JA4TS, JA4L, JA4LS, JA4S, JA4X | ✅ JA4T, JA4TS, JA4L, JA4LS (network-level) |
| Fingerprint Forwarding | ✅ 11 `X-JA4*` headers to origin | ❌ Not available |
| Wirefilter Expressions (WAF) | ✅ Advanced request filtering | ❌ Not available |
| Rate Limiting | ✅ Per-rule rate limits | ❌ Not available |
| Content Scanning (ClamAV) | ✅ Malware detection | ❌ Not available |
| CAPTCHA Protection | ✅ hCaptcha, reCAPTCHA, Turnstile | ❌ Not available |
| Threat Intelligence | ✅ Real-time MMDB + HTTP-level | ✅ Smart Lists (network-level) |
| GeoIP Databases | ✅ Country, ASN, City lookups | ⚠️ Via Smart Lists only |
| Internal Services Server | ✅ ACME, CAPTCHA endpoints | ❌ Not available |
| Redis Caching | ✅ Certificates, threat intel, validation | ❌ Not available |
| Access Log Sending | ✅ To Gen0Sec API | ❌ Not available |
| Terminal TUI (ratatui) | ✅ Embedded + standalone | ✅ Embedded + standalone |
| File/Syslog Logging | ✅ Rotating logs (Linux: syslog) | ✅ Rotating logs (Linux: syslog) |
| ETW Logging | ✅ (Windows only) | ✅ (Windows only) |
| Windows Service (SCM) | ✅ install/uninstall/start/stop | ✅ install/uninstall/start/stop |
| Windows eBPF/XDP | ✅ Via eBPF for Windows | ✅ Via eBPF for Windows |
| Multiple Network Interfaces | ✅ High availability setups | ✅ High availability setups |
| Multi-threaded Runtime | ✅ Default | ⚠️ Single-threaded default |

Agent mode (default)

Standalone agent focused on access rules enforcement without HTTP/HTTPS proxy. Ideal for network-level protection where you don't need request proxying.

```yaml
mode: "agent"  # default, can be omitted
```

```sh
# Set via environment variable
export MODE="agent"
```

Use cases:

  • Network-level firewall protection without proxying
  • Access rules enforcement at the edge
  • Kernel-level IP blocking without HTTP overhead
  • Integration with existing reverse proxies or load balancers
Proxy mode

Full-featured reverse proxy with HTTP/HTTPS support, forwarding requests to upstream servers while applying access rules and threat intelligence at the kernel level.

```yaml
mode: "proxy"

proxy:
  address_http: "0.0.0.0:80"
  address_tls: "0.0.0.0:443"
  upstream:
    conf: "/etc/synapse/upstreams.yaml"
```

```sh
# Set via environment variable
export MODE="proxy"
```

Configuration

Synapse supports three configuration methods (highest to lowest priority):

  1. YAML Configuration File - via config.yaml (example)
  2. Command Line Arguments - override specific settings via CLI flags
  3. Environment Variables - export API_KEY="your-key"
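The priority order above is the reverse of what many tools use (a CLI flag does not beat the config file), which makes "my flag is ignored" a common support question. The following added example, not code from the Synapse project, resolves each setting from the three layers in the README's order and records which layer supplied the winning value. The dotted keys, the mapping of flags and variables onto them, and the sample values are constructed for the example.

```rust
// Added example (not Synapse's own code): resolve one effective value per setting
// from the three configuration sources the README lists, highest priority first:
// YAML file, then command-line flags, then environment variables.
use std::collections::BTreeMap;

/// The source a value was taken from, in the README's priority order.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Layer {
    YamlFile,
    CommandLine,
    Environment,
}

/// A key/value view of one configuration source. Keys use the YAML dotted path
/// (for example "logging.level"); mapping CLI flags such as --log-level and
/// variables such as LOGGING_LEVEL onto those paths is left to the caller.
pub type Source = BTreeMap<String, String>;

/// Resolve every key that appears in any layer. The highest-priority layer that
/// defines a key wins, and that layer is recorded next to the value so an
/// operator can see why a CLI flag or environment variable appears ignored.
pub fn resolve(yaml: &Source, cli: &Source, env: &Source) -> BTreeMap<String, (String, Layer)> {
    let layers = [(Layer::YamlFile, yaml), (Layer::CommandLine, cli), (Layer::Environment, env)];
    let mut out: BTreeMap<String, (String, Layer)> = BTreeMap::new();
    for (layer, source) in layers {
        for (key, value) in source {
            // entry().or_insert keeps the first writer; layers are visited highest-priority first
            out.entry(key.clone()).or_insert((value.clone(), layer));
        }
    }
    out
}

/// Log levels the README documents for --log-level / logging.level.
pub const LOG_LEVELS: [&str; 5] = ["error", "warn", "info", "debug", "trace"];

/// Validate the resolved log level, naming the layer that supplied a bad value.
pub fn effective_log_level(resolved: &BTreeMap<String, (String, Layer)>) -> Result<String, String> {
    match resolved.get("logging.level") {
        None => Ok("info".to_string()), // documented default
        Some((value, _)) if LOG_LEVELS.contains(&value.as_str()) => Ok(value.clone()),
        Some((value, layer)) => Err(format!("invalid log level {value:?} supplied by {layer:?}")),
    }
}

/// Build a Source from constructed (key, value) pairs.
fn kv(pairs: &[(&str, &str)]) -> Source {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    // Constructed sample: config.yaml sets the level, the operator also passes
    // --log-level debug, and the shell exports LOGGING_LEVEL=trace.
    let yaml = kv(&[("logging.level", "info"), ("network.iface", "eth0")]);
    let cli = kv(&[("logging.level", "debug"), ("firewall.disable_xdp", "true")]);
    let env = kv(&[("logging.level", "trace"), ("platform.api_key", "placeholder-key")]);
    for (key, (value, layer)) in resolve(&yaml, &cli, &env) {
        println!("{key} = {value} (from {layer:?})");
    }
    println!("effective log level: {:?}", effective_log_level(&resolve(&yaml, &cli, &env)));
}
```

With the sample inputs the log level resolves to `info` from the YAML file even though both the flag and the variable set something else; only keys absent from the file fall through to the lower layers.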

CLI Options

| Flag | Description | Default |
|---|---|---|
| `-c, --config <PATH>` | Path to configuration file (YAML) | - |
| `--security-rules-config <PATH>` | Security rules file (fallback without API key) | `security_rules.yaml` |
| `-i, --iface <NAME>` | Network interface for XDP | `eth0` |
| `--ifaces <LIST>` | Additional interfaces (comma-separated, overrides `--iface`) | - |
| `--log-level <LEVEL>` | Log level (error, warn, info, debug, trace) | `info` |
| `--disable-xdp` | Disable XDP packet filtering | `false` |
| `--redis-url <URL>` | Redis connection URL | `redis://127.0.0.1/0` |
| `--redis-prefix <PREFIX>` | Redis namespace prefix | `ax:synapse` |
| `--captcha-site-key <KEY>` | CAPTCHA site key | - |
| `--captcha-secret-key <KEY>` | CAPTCHA secret key | - |
| `--captcha-jwt-secret <KEY>` | JWT secret for CAPTCHA tokens | - |
| `--captcha-provider <PROVIDER>` | CAPTCHA provider (hcaptcha, recaptcha, turnstile) | - |
| `--captcha-token-ttl <SECS>` | CAPTCHA token TTL | `7200` |
| `--captcha-cache-ttl <SECS>` | CAPTCHA cache TTL | `300` |
| `--proxy-protocol-enabled` | Enable PROXY protocol | `false` |
| `--proxy-protocol-timeout <MS>` | PROXY protocol timeout | `1000` |
| `-d, --daemon` | Run as daemon (Linux) or Windows service | `false` |
| `--service <CMD>` | Windows service: install or uninstall | - |
| `--terminal` | Enable ratatui TUI (embedded or standalone) | `false` |
| `--daemon-pid-file <PATH>` | PID file path (Linux only) | `/var/run/synapse.pid` |
| `--daemon-working-dir <PATH>` | Daemon working directory | `/` |
| `--daemon-user <USER>` | Run daemon as user (Linux only) | - |
| `--daemon-group <GROUP>` | Run daemon as group (Linux only) | - |
| `--clear-certificate <DOMAIN>` | Clear certificate from filesystem and Redis | - |

Feature Toggles

| Feature | YAML Path | Environment Variable | Default |
|---|---|---|---|
| BPF Statistics | `logging.bpf_stats.enabled` | `BPF_STATS_ENABLED` | `true` |
| TCP Fingerprinting | `logging.tcp_fingerprint.enabled` | `TCP_FINGERPRINT_ENABLED` | `true` |
| Content Scanning | `proxy.content_scanning.enabled` | `CONTENT_SCANNING_ENABLED` | `false` |
| CAPTCHA Protection | (enabled when keys are set) | `CAPTCHA_SITE_KEY`, `CAPTCHA_SECRET_KEY` | disabled |
| ACME (Auto TLS) | `proxy.acme.enabled` | `ACME_ENABLED` | `false` |
| Internal Services | `proxy.internal_services.enabled` | `INTERNAL_SERVICES_ENABLED` | `true` |
| PROXY Protocol | `proxy.protocol.enabled` | `PROXY_PROTOCOL_ENABLED` | `false` |
| File Logging | `logging.file_logging_enabled` | `LOGGING_FILE_ENABLED` | `false` |
| Syslog (Linux) | `logging.syslog.enabled` | `LOGGING_SYSLOG_ENABLED` | `false` |
| ETW (Windows) | `logging.etw.enabled` | `LOGGING_ETW_ENABLED` | `false` |
| Log Sending (API) | `platform.log_sending_enabled` | `LOG_SENDING_ENABLED` | `true` |
| XDP Firewall | `firewall.disable_xdp` | `FIREWALL_DISABLE_XDP` | `false` (XDP enabled) |

Environment variables reference

```sh
# Application mode
export MODE="proxy"  # or "agent"

# Redis configuration
export REDIS_URL="redis://127.0.0.1/0"
export REDIS_PREFIX="ax:synapse"

# Network configuration
export NETWORK_IFACE="eth0"
export NETWORK_IFACES="eth0,eth1"  # Multiple interfaces (comma-separated)
export NETWORK_IP_VERSION="both"  # ipv4, ipv6, or both
export FIREWALL_MODE="auto"  # auto, xdp, nftables, iptables, none
export FIREWALL_DISABLE_XDP="false"

# Gen0Sec Platform configuration
export API_KEY="your-api-key"
export BASE_URL="https://api.gen0sec.com/v1"
export LOG_SENDING_ENABLED="true"

# CAPTCHA configuration
export CAPTCHA_SITE_KEY="your-site-key"
export CAPTCHA_SECRET_KEY="your-secret-key"
export CAPTCHA_JWT_SECRET="your-jwt-secret"
export CAPTCHA_PROVIDER="turnstile"
export CAPTCHA_TOKEN_TTL="7200"
export CAPTCHA_CACHE_TTL="300"

# Content scanning
export CONTENT_SCANNING_ENABLED="true"
export CLAMAV_SERVER="localhost:3310"
export CONTENT_MAX_FILE_SIZE="10485760"
export CONTENT_SCAN_CONTENT_TYPES="text/html,application/x-www-form-urlencoded,multipart/form-data"
export CONTENT_SKIP_EXTENSIONS=".jpg,.png,.gif"
export CONTENT_SCAN_EXPRESSION="http.request.method eq \"POST\" or http.request.method eq \"PUT\""

# Internal services configuration
export INTERNAL_SERVICES_ENABLED="true"
export INTERNAL_SERVICES_PORT="9180"
export INTERNAL_SERVICES_BIND_IP="127.0.0.1"

# PROXY protocol configuration
export PROXY_PROTOCOL_ENABLED="true"
export PROXY_PROTOCOL_TIMEOUT="1000"

# Daemon mode
export DAEMON_ENABLED="false"
export DAEMON_PID_FILE="/var/run/synapse.pid"
export DAEMON_WORKING_DIRECTORY="/"
export DAEMON_USER="root"
export DAEMON_GROUP="root"
export DAEMON_CHOWN_PID_FILE="true"

# Logging
export LOGGING_LEVEL="info"
export LOGGING_FILE_ENABLED="true"
export LOGGING_DIRECTORY="/var/log/synapse"
export LOGGING_MAX_FILE_SIZE="104857600"
export LOGGING_FILE_COUNT="10"
export LOGGING_SYSLOG_ENABLED="false"
export LOGGING_SYSLOG_FACILITY="daemon"
export LOGGING_SYSLOG_IDENTIFIER="synapse"
```

For a complete list, see ENVIRONMNET_VARS.md.

Feature configuration examples
BPF Statistics - Kernel-level packet processing statistics (requires XDP)

```yaml
logging:
  bpf_stats:
    enabled: true
    log_interval_secs: 60
    enable_dropped_ip_events: true
    dropped_ip_events_interval_secs: 30
```

Environment: `BPF_STATS_ENABLED=true BPF_STATS_LOG_INTERVAL=60`

TCP Fingerprinting - TCP SYN packet fingerprints for behavioral analysis

```yaml
logging:
  tcp_fingerprint:
    enabled: true
    log_interval_secs: 60
    enable_fingerprint_events: true
    fingerprint_events_interval_secs: 30
    min_packet_count: 3
    min_connection_duration_secs: 1
```

Environment: `TCP_FINGERPRINT_ENABLED=true TCP_FINGERPRINT_LOG_INTERVAL=60`

Content Scanning - ClamAV-based malware detection

```yaml
proxy:
  content_scanning:
    enabled: true
    clamav_server: "localhost:3310"
    max_file_size: 10485760  # 10MB
```

Environment: `CONTENT_SCANNING_ENABLED=true CLAMAV_SERVER=localhost:3310`

CAPTCHA Protection - hCaptcha, reCAPTCHA, or Turnstile

```yaml
proxy:
  captcha:
    site_key: "your-site-key"
    secret_key: "your-secret-key"
    jwt_secret: "your-jwt-secret"
    provider: "turnstile"  # hcaptcha, recaptcha, turnstile
    token_ttl: 7200
    cache_ttl: 300
```

Environment: `CAPTCHA_SITE_KEY=... CAPTCHA_SECRET_KEY=... CAPTCHA_PROVIDER=turnstile`

ACME (Auto TLS) - Automatic Let's Encrypt certificates

```yaml
proxy:
  acme:
    enabled: true
    port: 9180
    email: "admin@example.com"
    storage_path: "/var/lib/synapse/acme"
    storage_type: "redis"  # or "file"
    development: false
```

Environment: `ACME_ENABLED=true ACME_EMAIL=admin@example.com ACME_STORAGE_TYPE=redis`

GeoIP Databases - Country, ASN, and city-level geolocation

```yaml
proxy:
  geoip:
    refresh_secs: 28800  # 8 hours
    country: { url: "https://git.io/GeoLite2-Country.mmdb", path: "/var/lib/synapse" }
    asn: { url: "https://git.io/GeoLite2-ASN.mmdb", path: "/var/lib/synapse" }
    city: { url: "https://git.io/GeoLite2-City.mmdb", path: "/var/lib/synapse" }
```

Environment: `GEOIP_COUNTRY_URL=... GEOIP_COUNTRY_PATH=/var/lib/synapse GEOIP_REFRESH_SECS=28800`

Threat Intelligence - Threat MMDB for real-time protection

```yaml
platform:
  threat:
    url: "https://download.gen0sec.com/v1"
    path: "/var/lib/synapse"
    refresh_secs: 300  # 5 minutes
```

Environment: `THREAT_MMDB_URL=https://download.gen0sec.com/v1 THREAT_MMDB_PATH=/var/lib/synapse`

Firewall & Network - Backend mode and interface configuration

```yaml
firewall:
  mode: "auto"  # auto, xdp, nftables, iptables, none
  disable_xdp: false
network:
  iface: "eth0"
  ifaces: ["eth0", "eth1"]  # overrides iface
  ip_version: "both"  # ipv4, ipv6, both
```

Environment: `FIREWALL_MODE=auto NETWORK_IFACE=eth0 NETWORK_IP_VERSION=both`

Logging - File, syslog (Linux), and ETW (Windows)

```yaml
logging:
  level: "info"  # error, warn, info, debug, trace
  file_logging_enabled: true
  log_directory: "/var/log/synapse"  # Windows: C:\ProgramData\synapse\logs
  max_log_size: 104857600  # 100MB
  log_file_count: 10
  # Linux: syslog
  syslog:
    enabled: false
    facility: "daemon"
    identifier: "synapse"
  # Windows: ETW (Event Tracing for Windows)
  etw:
    enabled: false  # Events emitted to ETW provider "Gen0Sec.Synapse"
```

Environment: `LOGGING_LEVEL=info LOGGING_FILE_ENABLED=true LOGGING_DIRECTORY=/var/log/synapse` and, on Windows only, `LOGGING_ETW_ENABLED=true`

Log files created: error.log, app.log, access.log (with automatic rotation and gzip compression).

Platform (Gen0Sec API) - API integration and log sending

```yaml
platform:
  api_key: "your-api-key"
  base_url: "https://api.gen0sec.com/v1"
  log_sending_enabled: true
  include_response_body: true
  max_body_size: 1048576  # 1MB
```

Environment: `API_KEY=your-api-key LOG_SENDING_ENABLED=true`

Internal Services - CAPTCHA verification, ACME challenges server

```yaml
proxy:
  internal_services:
    enabled: true
    port: 9180
    bind_ip: "127.0.0.1"
```

Environment: `INTERNAL_SERVICES_ENABLED=true INTERNAL_SERVICES_PORT=9180`

Endpoints:

  • GET /health - Health check
  • POST /cgi-bin/captcha/verify - CAPTCHA verification
  • GET /.well-known/acme-challenge/* - ACME HTTP-01 challenges
  • GET /cert/expiration - Check all certificate expiration status
  • GET /cert/expiration/:domain - Check specific certificate status
  • POST /cert/renew/:domain - Manually trigger certificate renewal

Upstreams configuration

Synapse supports advanced upstream routing via a separate configuration file with hot-reloading. See UPSTREAMS_CONFIG.md for complete documentation.

Features: multiple service discovery providers (file, Consul, Kubernetes), global configuration, internal paths, per-path rate limits/headers/timeouts, weighted load balancing, and zero-downtime updates.

Basic example (file provider):

```yaml
provider: "file"
config:
  https_proxy_enabled: false
  sticky_sessions: true
  global_rate_limit: 100
  global_request_headers:
    - "X-Proxy-From:Synapse"
  global_response_headers:
    - "Access-Control-Allow-Origin:*"

internal_paths:
  "/cgi-bin/captcha/verify":
    rate_limit: 200
    servers:
      - "127.0.0.1:9180"

upstreams:
  example.com:
    certificate: "example.com"
    acme:
      challenge_type: "dns-01"  # or "http-01" (default)
      email: "admin@example.com"
      wildcard: true
    paths:
      "/":
        rate_limit: 200
        force_https: true
        ssl_enabled: true
        request_headers:
          - "Host: api.example.com"
        connection_timeout: 30
        read_timeout: 120
        write_timeout: 30
        idle_timeout: 60
        servers:
          - "127.0.0.1:8000"
          - address: "127.0.0.1:8001"
            weight: 3
          - address: "127.0.0.1:8002"
            weight: 2
```

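The README documents weighted load balancing over the `servers` list but not the algorithm behind it. The following added example, not Synapse's own balancer, runs the nginx-style smooth weighted round-robin over the three servers from the example above so you can verify what a 1:3:2 weighting means for request distribution. The weight of 1 for the bare `"127.0.0.1:8000"` entry is an assumption; Synapse's actual default and algorithm may differ.

```rust
// Added example (not Synapse's own code): smooth weighted round-robin over the
// server list from the upstreams example. Each pick adds every server's weight to
// its running score, takes the highest score, and charges the winner the total
// weight, so heavier servers are picked more often without long bursts.
use std::collections::BTreeMap;

#[derive(Debug)]
pub struct Backend {
    pub address: String,
    pub weight: i64,
    current: i64, // running score, reset by subtracting the total when picked
}

pub struct WeightedRoundRobin {
    backends: Vec<Backend>,
    total_weight: i64,
}

impl WeightedRoundRobin {
    /// Build from (address, weight) pairs. A bare "host:port" YAML entry carries
    /// no weight; this example assumes weight 1 for it.
    pub fn new(servers: &[(&str, i64)]) -> Self {
        let backends: Vec<Backend> = servers
            .iter()
            .filter(|(_, w)| *w > 0) // zero or negative weight: never pick
            .map(|(addr, w)| Backend { address: addr.to_string(), weight: *w, current: 0 })
            .collect();
        let total_weight: i64 = backends.iter().map(|b| b.weight).sum();
        WeightedRoundRobin { backends, total_weight }
    }

    /// Choose the next server (first server wins a tie). Over `total_weight`
    /// consecutive picks each server is chosen exactly `weight` times.
    pub fn next(&mut self) -> Option<String> {
        if self.backends.is_empty() {
            return None;
        }
        let mut best = 0;
        let mut best_score = i64::MIN;
        for (i, b) in self.backends.iter_mut().enumerate() {
            b.current += b.weight;
            if b.current > best_score {
                best_score = b.current;
                best = i;
            }
        }
        self.backends[best].current -= self.total_weight;
        Some(self.backends[best].address.clone())
    }
}

/// Count where the next `n` picks land, to check the ratio against the weights.
pub fn distribution(lb: &mut WeightedRoundRobin, n: usize) -> BTreeMap<String, usize> {
    let mut counts = BTreeMap::new();
    for _ in 0..n {
        if let Some(addr) = lb.next() {
            *counts.entry(addr).or_insert(0) += 1;
        }
    }
    counts
}

fn main() {
    // The three servers from the upstreams example: weights 1 (assumed), 3 and 2.
    let mut lb = WeightedRoundRobin::new(&[
        ("127.0.0.1:8000", 1),
        ("127.0.0.1:8001", 3),
        ("127.0.0.1:8002", 2),
    ]);
    for _ in 0..6 {
        println!("{}", lb.next().unwrap());
    }
    println!("{:?}", distribution(&mut lb, 60));
}
```

The first six picks come out as 8001, 8002, 8000, 8001, 8002, 8001, and over 60 picks the counts are 10/30/20, i.e. exactly the 1:3:2 weighting with no server hit more than twice in a row.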
Kubernetes service discovery
```yaml
provider: "kubernetes"
config:
  sticky_sessions: true
  global_rate_limit: 300

kubernetes:
  servers:
    - "https://k8s-api.example.com:6443"
  tokenpath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
  services:
    - upstream: "http://my-service.default.svc.cluster.local:8080"
      hostname: "api.example.com"
      path: "/"
      rate_limit: 500
```

Consul service discovery
```yaml
provider: "consul"
config:
  sticky_sessions: true
  global_rate_limit: 200

consul:
  servers:
    - "consul1.example.com:8500"
    - "consul2.example.com:8500"
  token: "your-consul-token"
  services:
    - upstream: "http://service-name.service.consul:8080"
      hostname: "api.example.com"
      path: "/"
      rate_limit: 500
```

Example files: file | kubernetes | consul

Configuration reload

Synapse supports runtime configuration reload:

```sh
# Linux: SIGHUP signal
kill -HUP $(cat /var/run/synapse.pid)

# Windows: Service control ParamChange event
sc control synapse paramchange
```

Hot-reloadable settings:

| Setting | Config Path | Notes |
|---|---|---|
| Log level | `logging.level` | Switches log verbosity instantly |
| Log sending | `platform.log_sending_enabled` | Enable/disable API log sending |
| API key | `platform.api_key` | Update platform credentials |
| Base URL | `platform.base_url` | Change API endpoint |
| Include response body | `platform.include_response_body` | Toggle body capture in access logs |
| Max body size | `platform.max_body_size` | Adjust body size limit for logs |
| Upstreams | `proxy.upstream.conf` | Re-reads upstreams YAML file |
| Security rules | Local file or API | Re-fetches access rules and WAF rules |
| GeoIP databases | `proxy.geoip.*` | Re-downloads MMDB files |

Settings that require restart:

| Setting | Config Path | Reason |
|---|---|---|
| Listen addresses | `proxy.address_http`, `proxy.address_tls` | Port bindings set at startup |
| Network interface | `network.iface`, `network.ifaces` | XDP attached at startup |
| Firewall mode | `firewall.mode`, `firewall.disable_xdp` | BPF programs loaded at startup |
| Runtime threads | `multi_thread`, `worker_threads` | Tokio runtime created at startup |
| Daemon settings | `daemon.*` | Process daemonization is one-time |
| Redis connection | `proxy.redis.*` | Connection pool created at startup |
| CAPTCHA config | `proxy.captcha.*` | Provider initialized once (write-once) |
| Content scanning | `proxy.content_scanning.*` | Scanner initialized once (write-once) |
| Certificate paths | `proxy.certificates` | Loaded at startup |
| ACME settings | `proxy.acme.*` | ACME manager created at startup |
| Internal services | `proxy.internal_services.*` | Server bound at startup |
| BPF stats intervals | `logging.bpf_stats.*` | Task timers set at spawn time |
| TCP fingerprint intervals | `logging.tcp_fingerprint.*` | Task timers set at spawn time |
| File logging config | `logging.file_logging_enabled`, `logging.log_directory` | Log appenders built at startup |
| Syslog config | `logging.syslog.*` | Syslog appender built at startup (Linux) |
| ETW config | `logging.etw.*` | ETW provider registered at startup (Windows) |
| IP version | `network.ip_version` | BPF filter compiled at startup |
| PROXY protocol | `proxy.protocol.*` | Listener configured at startup |

Features

Multi-backend firewall
  • Automatic fallback - XDP/BPF > nftables > iptables > userland
  • Dynamic access rules - Allow/block lists auto-updated from Gen0Sec API
  • BPF map enforcement - Rules enforced at kernel level via XDP
  • IPv4/IPv6 dual-stack - Separate rule sets, zero-downtime updates
  • BPF statistics - Packet counters, dropped IP tracking (XDP only)
Threat intelligence
  • IP reputation scoring - Automatic scoring via Gen0Sec API
  • Threat MMDB - Local MaxMind database for offline lookups (auto-updated)
  • GeoIP MMDB - Country, ASN, and city-level geolocation (auto-updated)
  • Bot detection - Advanced detection and mitigation
  • Redis caching - Cached threat data for performance
JA4+ fingerprinting

Full JA4+ suite with fingerprint forwarding to origin servers via X-JA4* headers:

| Fingerprint | Header | Description | Mode |
|---|---|---|---|
| JA4 | `X-JA4`, `X-JA4-Raw` | TLS ClientHello fingerprint | Proxy |
| JA4H | `X-JA4H` | HTTP header fingerprint | Proxy |
| JA4T | `X-JA4T`, `X-JA4T-Hash` | TCP SYN fingerprint (client) | Both |
| JA4TS | `X-JA4TS`, `X-JA4TS-Hash` | TCP SYN-ACK fingerprint (server) | Proxy |
| JA4L | `X-JA4L` | Client-to-server latency/distance | Both |
| JA4LS | `X-JA4LS` | Server-to-client latency/distance | Both |
| JA4S | `X-JA4S` | TLS ServerHello fingerprint | Proxy |
| JA4X | `X-JA4X` | X.509 certificate fingerprint | Proxy |

Enable forwarding in upstreams.yaml:

```yaml
config:
  forward_fingerprints: true
```

JA4L distance calculation: `distance = ja4l_rtt × 0.128 miles/µs ÷ propagation_factor`

WAF (Wirefilter expressions)
  • Expression engine - Filter by request method, path, headers, and more
  • Actions - Allow, block, or challenge based on expression matches
  • Centralized management - Expressions fetched from Gen0Sec API
  • Content scanning triggers - Define when to scan based on request characteristics
TLS management
  • ACME/Let's Encrypt - Automatic certificates with HTTP-01 and DNS-01 challenges
  • Wildcard detection - Automatically uses DNS-01 for wildcard domains
  • Custom certificates - Bring your own TLS certificates
  • HTTPS enforcement - Force HTTPS with HTTP upgrade responses
  • Expiration monitoring - Automatic renewal and manual trigger via API
Content scanning
  • ClamAV integration - Real-time malware detection
  • Multipart/form scanning - Scans uploads and form data
  • Wirefilter triggers - Advanced rules for when to scan
  • Extension filtering - Skip specific file extensions

Requirements

Linux

| Requirement | Minimum | Recommended | Notes |
|---|---|---|---|
| Kernel | 4.18+ | 5.4+ | XDP support required |
| glibc | 2.31+ | 2.35+ | For binary releases |
| Architecture | x86_64 | x86_64, aarch64 | ARM64 supported |
| Memory | 128 MB | 512 MB+ | Depends on traffic |
| Disk | 100 MB | 500 MB+ | For logs and MMDB files |

Windows

| Requirement | Minimum | Notes |
|---|---|---|
| OS | Server 2022 / Windows 11 | x86_64 only |
| eBPF for Windows | v1.1.0+ | Optional, for XDP/eBPF packet filtering |
| Test Signing | Enabled | Required for eBPF kernel driver (`bcdedit /set testsigning on`) |

Dependencies

| Dependency | Required | Purpose |
|---|---|---|
| libbpf | Linux only | eBPF program loading |
| Redis | Proxy mode | Caching, certificate store |
| ClamAV | Optional | Content scanning |
| eBPF for Windows | Optional | Windows XDP/eBPF support |

Tested platforms

Windows:

| Platform | Version | Status | Notes |
|---|---|---|---|
| Windows Server | 2022+ | ✅ Tested | Agent mode, Windows Service, eBPF/XDP |
| Windows | 11+ | ✅ Tested | Agent mode, terminal TUI |

Linux:

| Distribution | Version | Status | Notes |
|---|---|---|---|
| Ubuntu | 24.04 LTS | ✅ Tested | Recommended |
| Ubuntu | 22.04 LTS | ✅ Tested | Fully supported |
| Ubuntu | 20.04 LTS | ✅ Tested | All features, glibc 2.31 |
| Ubuntu | 18.04 LTS | ✅ Tested | All features, kernel 4.15→5.4 HWE |
| Ubuntu | 16.04 LTS | ⚠️ Limited | iptables backend only (no XDP) |
| Debian | 12 (Bookworm) | ✅ Tested | Fully supported |
| Debian | 11 (Bullseye) | ✅ Compatible | glibc 2.31 |
| RHEL/Rocky/Alma | 9.x | ✅ Tested | Fully supported |
| RHEL/CentOS | 8.x | ⚠️ Compatible | Kernel 4.18 |
| Fedora | 39+ | ✅ Compatible | Latest kernel |
| Amazon Linux | 2023 | ✅ Compatible | AWS optimized |

Kernel feature requirements
| Feature | Required For | Check Command |
|---|---|---|
| XDP | Packet filtering | `grep XDP /boot/config-$(uname -r)` |
| BPF | eBPF programs | `grep BPF /boot/config-$(uname -r)` |
| BTF | BPF Type Format | `ls /sys/kernel/btf/vmlinux` |
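The three checks in the table, plus the presence of `nft` and `iptables`, determine where the `firewall.mode: "auto"` fallback chain (XDP > nftables > iptables > userland) will land on a given host. The following added preflight, not code from the Synapse project, runs those checks from Rust and reports the backend the chain would select, so a host can be qualified before the service is installed. The kernel config symbols it looks for (`CONFIG_BPF_SYSCALL`, any enabled `XDP` option), treating `=m` as enabled, the `nft`/`iptables` binary names, and the exact fallback logic are assumptions; Synapse's own probing may differ.

```rust
// Added example (not Synapse's own probe): run the kernel feature checks from the
// README table and predict the backend that firewall.mode "auto" would pick.
use std::path::Path;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct KernelFeatures {
    pub xdp: bool,
    pub bpf: bool,
    pub btf: bool,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Backend {
    Xdp,
    Nftables,
    Iptables,
    Userland,
}

/// True if any enabled (=y or =m) config line contains `token`; this is what
/// `grep XDP /boot/config-$(uname -r)` from the table amounts to, minus the
/// "# CONFIG_... is not set" lines that a plain grep would also match.
fn config_enables(config_text: &str, token: &str) -> bool {
    config_text.lines().any(|l| {
        !l.starts_with('#') && l.contains(token) && (l.ends_with("=y") || l.ends_with("=m"))
    })
}

/// Read the kernel config (normally /boot/config-$(uname -r)) and check the BTF
/// path (normally /sys/kernel/btf/vmlinux). Both are parameters so the probe can
/// be run against constructed files on a machine that is not the target.
pub fn probe_kernel(kernel_config: &Path, btf_vmlinux: &Path) -> KernelFeatures {
    let text = std::fs::read_to_string(kernel_config).unwrap_or_default();
    KernelFeatures {
        // CONFIG_BPF_SYSCALL gates bpf(2), which libbpf uses to load programs (assumption)
        bpf: config_enables(&text, "CONFIG_BPF_SYSCALL"),
        xdp: config_enables(&text, "XDP"),
        btf: btf_vmlinux.exists(),
    }
}

/// Look for an executable on PATH, a stand-in for `command -v nft`.
pub fn tool_on_path(name: &str) -> bool {
    std::env::var_os("PATH")
        .map(|p| std::env::split_paths(&p).any(|dir| dir.join(name).is_file()))
        .unwrap_or(false)
}

/// The README's fallback chain for firewall.mode "auto"; `disable_xdp` mirrors
/// firewall.disable_xdp / FIREWALL_DISABLE_XDP.
pub fn auto_backend(k: KernelFeatures, disable_xdp: bool, nft: bool, iptables: bool) -> Backend {
    if k.xdp && k.bpf && !disable_xdp {
        Backend::Xdp
    } else if nft {
        Backend::Nftables
    } else if iptables {
        Backend::Iptables
    } else {
        Backend::Userland
    }
}

fn main() {
    let release = std::fs::read_to_string("/proc/sys/kernel/osrelease").unwrap_or_default();
    let cfg = format!("/boot/config-{}", release.trim());
    let k = probe_kernel(Path::new(&cfg), Path::new("/sys/kernel/btf/vmlinux"));
    let backend = auto_backend(k, false, tool_on_path("nft"), tool_on_path("iptables"));
    println!("{k:?} -> auto would select {backend:?}");
    if !k.btf {
        println!("warning: /sys/kernel/btf/vmlinux missing; the table lists BTF as required");
    }
}
```

Run it on the candidate host; a result of `Iptables` or `Userland` on a kernel that should support XDP usually means the distribution config was built without it (compare the Ubuntu 16.04 row above), which is worth knowing before relying on kernel-level drops.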

Architecture

  • Multi-Backend Firewall - XDP/nftables/iptables/userland packet filtering
  • HTTP/TLS Servers - HTTP traffic handling and HTTPS connection management
  • Internal Services Server - Unified server for CAPTCHA, ACME, and certificate management
  • Reverse Proxy - Request forwarding to upstream services
  • Upstreams Manager - Routing with service discovery, weighted load balancing, and hot-reloading
  • Threat Intelligence - Gen0Sec API and Threat MMDB integration
  • GeoIP Manager - Country, ASN, and city-level geolocation via MMDB
  • Access Rules Engine - Dynamic IP allow/block lists with periodic API updates
  • BPF Statistics Collector - Kernel-level packet processing tracking
  • TCP Fingerprint Collector - SYN fingerprint extraction and analysis
  • Fingerprint Engine - Complete JA4+ suite (JA4, JA4H, JA4T, JA4L, JA4S, JA4X)
  • CAPTCHA Engine - Multi-provider CAPTCHA validation
  • Content Scanner - ClamAV malware detection
  • ACME Manager - HTTP-01 and DNS-01 certificate management
  • Terminal TUI - Real-time ratatui dashboard for fingerprints, traffic, and threats
  • File/Syslog/ETW Loggers - Rotating files, syslog (Linux), ETW (Windows)
  • Windows Service - SCM integration with install/uninstall/start/stop/reload
  • Event Queue - Unified batch processing for logs, statistics, and events
  • Redis Cache - Certificates, threat intel, CAPTCHA, and content scan results

Performance

  • Ultra-low latency - XDP filtering operates in kernel space
  • High throughput - Rust-based implementation with async I/O
  • Memory efficient - Minimal footprint with efficient caching
  • Scalable - Multiple network interfaces and concurrent connections

Thank you!

  • Cloudflare for Pingora and Wirefilter
  • Aralaz for Aralez

About

Active NDR solution with eBPF-powered active fingerprint blocking, firewall and proxy. Protect your system -- east-west and north-south.