7 Commits

Author SHA1 Message Date
af8cebd97e Add MCR routes to rift mc-proxy config
SNI-multiplexed routes for mcr.svc.mcp.metacircular.net on all three
listeners: L7 web on :443, L4 API on :8443, L4 gRPC on :9443.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:03:46 -07:00
357ad60e42 Skip backend cert verification for L7 re-encrypt routes
When backend_tls=true, the h2 transport was verifying the backend's
TLS certificate. This fails when the backend address is an IP (no
IP SANs) or uses a self-signed cert. Backend connections are to
trusted internal services — skip verification. Also change rift
metrics port to 9091 to avoid conflict with exod on 9090.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:41:58 -07:00
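The trade-off in the commit above is worth making explicit: with verification off, the proxy-to-backend hop is encrypted but not authenticated, so protection against an on-path host, or anything else that can answer on the backend's IP, rests entirely on the network. The following is an added example, not rift or mc-proxy code, showing the skip-verify setting beside a configuration that keeps a check on an IP-addressed, self-signed backend by pinning its SPKI hash. The names (metacrypt-web.internal) and functions are illustrative assumptions; the certificate is generated at run time as test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical illustration of the proxy-to-backend (re-encrypt) leg; none of
// this is rift or mc-proxy code. skipVerifyConfig is the setting the commit
// chose: the hop is encrypted, but any certificate is accepted, so whatever
// answers on the backend's address, or sits on the path to it, can impersonate it.
func skipVerifyConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

// spkiPin is the usual pin format: base64 SHA-256 of the SubjectPublicKeyInfo.
// A backend that renews its self-signed cert with the same key keeps the pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPin replaces chain and hostname verification on a hop where the backend
// is dialled by IP and presents a self-signed cert: the leaf must carry a pinned
// key and be inside its validity period. No names are matched, so IP SANs are moot.
func checkPin(rawCerts [][]byte, allowed map[string]bool, now time.Time) error {
	if len(rawCerts) == 0 {
		return errors.New("backend presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("backend certificate: %w", err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("backend certificate not valid at %s", now.Format(time.RFC3339))
	}
	if pin := spkiPin(leaf); !allowed[pin] {
		return fmt.Errorf("backend SPKI pin %s is not on the allowlist", pin)
	}
	return nil
}

// pinnedBackendConfig keeps InsecureSkipVerify (that is what disables the failing
// hostname/IP-SAN check) but makes VerifyPeerCertificate the gate, so an unpinned
// cert aborts the handshake. With a shared private CA, use RootCAs plus ServerName instead.
func pinnedBackendConfig(allowed map[string]bool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return checkPin(rawCerts, allowed, time.Now())
		},
	}
}

// selfSignedCert makes a throwaway self-signed server certificate for name
// (constructed test material, generated at run time).
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

func main() {
	backend, _ := selfSignedCert("metacrypt-web.internal")
	allowed := map[string]bool{spkiPin(backend.Leaf): true}
	fmt.Println(checkPin(backend.Certificate, allowed, time.Now()))
}
```

The pin route suits backends whose certificates are generated locally and rotated by hand: the allowlist is a short list of base64 strings in the proxy config, and a second certificate for the same name with a different key is rejected. The alternative mentioned in the comments, a private CA in RootCAs with ServerName set to the DNS name in the backend's cert, is what to prefer once backends are issued certificates centrally, since crypto/tls then verifies the name even when the dial address is an IP.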
279f110050 Add rift deployment config for fronting metacrypt containers
Rift-specific config routes metacrypt.svc.mcp.metacircular.net across
three listeners: L7 TLS-terminating to metacrypt-web on :443, L4
passthrough to API on :8443, and L4 passthrough to gRPC on :9443.
Docker compose uses host networking for direct port binding. Includes
self-signed cert generation script for initial L7 deployment. Updates
example config with metrics section and Unix socket for gRPC admin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 18:53:44 -07:00
b25e1b0e79 Add per-IP rate limiting and Unix socket support for gRPC admin API
Rate limiting: per-source-IP connection rate limiter in the firewall layer
with configurable limit and sliding window. Blocklisted IPs are rejected
before rate limit evaluation to avoid wasting quota. Unix socket: the gRPC
admin API can now listen on a Unix domain socket (no TLS required), secured
by file permissions (0600), as a simpler alternative for local-only access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 14:37:21 -07:00
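The ordering described in the commit above (blocklist before rate limiting) and the sliding window are easy to get subtly wrong, so here is an added example of that admission logic in Go. It is not mc-proxy's own code: the type names, the string form of the remote address, the Sweep method and the fake clock are all assumptions made for the illustration. It goes slightly beyond the commit in two places a practitioner would want covered: IPv4-mapped IPv6 addresses are folded into their IPv4 form so a dual-stack listener does not give each client two buckets, and idle sources are swept so the per-IP map cannot grow without bound.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
	"time"
)

// Decision is the verdict on a new connection (hypothetical illustration, not mc-proxy's code).
type Decision int

const (
	Allow       Decision = iota
	Blocklisted          // matched a blocked IP/CIDR; checked first
	RateLimited          // limit accepts from this source already inside the window
	Malformed            // remote address did not parse; rejected
)

// Firewall keeps the blocklist and, per source, the timestamps of admitted connections (oldest first).
type Firewall struct {
	mu      sync.Mutex
	blocked []netip.Prefix
	limit   int
	window  time.Duration
	now     func() time.Time // replaced by a fake clock in tests
	hits    map[netip.Addr][]time.Time
}

func NewFirewall(limit, windowSeconds int, blockedCIDRs []string) (*Firewall, error) {
	f := &Firewall{limit: limit, window: time.Duration(windowSeconds) * time.Second,
		now: time.Now, hits: make(map[netip.Addr][]time.Time)}
	for _, s := range blockedCIDRs {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("blocklist entry %q: %w", s, err)
		}
		f.blocked = append(f.blocked, p.Masked())
	}
	return f, nil
}

// Admit takes conn.RemoteAddr().String() ("ip:port") before any bytes are read.
// The blocklist is consulted first, so a blocked source neither spends rate-limit
// quota nor allocates an entry in hits: a spray from blocked ranges cannot grow the map.
func (f *Firewall) Admit(remote string) Decision {
	ap, err := netip.ParseAddrPort(remote)
	if err != nil {
		return Malformed
	}
	ip := ap.Addr().Unmap() // ::ffff:203.0.113.7 and 203.0.113.7 share one bucket and one blocklist check
	f.mu.Lock()
	defer f.mu.Unlock()
	for _, p := range f.blocked {
		if p.Contains(ip) {
			return Blocklisted
		}
	}
	now := f.now()
	ts := f.hits[ip]
	i := 0
	for i < len(ts) && !ts[i].After(now.Add(-f.window)) { // expire accepts older than the window
		i++
	}
	ts = ts[i:]
	if len(ts) >= f.limit {
		f.hits[ip] = ts // rejected attempts are not recorded: a flood cannot extend its own limit
		return RateLimited
	}
	f.hits[ip] = append(ts, now)
	return Allow
}

// Sweep deletes sources with no admitted connection inside the window. Run it
// from a ticker; without it the map grows with every distinct source ever seen.
func (f *Firewall) Sweep() {
	f.mu.Lock()
	defer f.mu.Unlock()
	cutoff := f.now().Add(-f.window)
	for ip, ts := range f.hits {
		if len(ts) == 0 || !ts[len(ts)-1].After(cutoff) {
			delete(f.hits, ip)
		}
	}
}

// fakeClock is constructed test scaffolding; production code leaves Firewall.now = time.Now.
type fakeClock struct{ t time.Time }

func newFakeClock() *fakeClock { return &fakeClock{t: time.Date(2026, 3, 17, 14, 0, 0, 0, time.UTC)} }
func (c *fakeClock) Now() time.Time       { return c.t }
func (c *fakeClock) AdvanceSeconds(n int) { c.t = c.t.Add(time.Duration(n) * time.Second) }

func main() {
	fw, _ := NewFirewall(3, 10, []string{"10.0.0.0/8"})
	for _, r := range []string{"203.0.113.7:1", "203.0.113.7:2", "203.0.113.7:3", "203.0.113.7:4", "10.1.2.3:5"} {
		fmt.Println(r, fw.Admit(r))
	}
}
```

Two design choices deserve a note. Rejected attempts are deliberately not appended to the window, so a client that keeps hammering is readmitted exactly one window after its last accepted connection rather than being locked out for as long as it retries; if a punitive lockout is wanted it should be a separate, explicit rule. And the per-source key is the bare address, which is the right granularity for IPv4 but lets one IPv6 /64 holder spread across 2^64 buckets; aggregating IPv6 sources to their /64 before lookup is the usual refinement.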
e84093b7fb Add documentation, Docker setup, and tests for server and gRPC packages
Rewrite README with project overview and quick start. Add RUNBOOK with
operational procedures and incident playbooks. Fix Dockerfile for Go 1.25
with version injection. Add docker-compose.yml. Clean up golangci.yaml
for mc-proxy. Add server tests (10) covering the full proxy pipeline with
TCP echo backends, and grpcserver tests (13) covering all admin API RPCs
with bufconn and write-through DB verification.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 11:24:35 -07:00
f1e9834bd3 Add status command, deployment infrastructure, and fix proto paths
Rename proto/gen directories from mc-proxy to mc_proxy for valid protobuf
package naming. Add CLI status subcommand for querying running instance
health via gRPC. Add systemd backup service/timer and backup pruning
script. Add buf.yaml and proto-lint Makefile target. Add shutdown_timeout
config field.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 08:34:37 -07:00
c7024dcdf0 Initial implementation of mc-proxy
Layer 4 TLS SNI proxy with global firewall (IP/CIDR/GeoIP blocking),
per-listener route tables, bidirectional TCP relay with half-close
propagation, and a gRPC admin API (routes, firewall, status) with
TLS/mTLS support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 02:56:24 -07:00
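The first commit describes the core mechanism: a Layer 4 proxy that routes by TLS SNI without terminating TLS. The step that makes that work is peeking at the client's first record, pulling the server_name out of the ClientHello, and then replaying those same bytes to the backend chosen from the listener's route table. Below is an added example of that peek in Go; it is not mc-proxy's code, the function names are assumptions, and the ClientHello it parses is produced at run time by crypto/tls over an in-memory pipe as constructed input. Every length field is bounds-checked, because the bytes come from an unauthenticated client, and a hello that omits SNI or spans several records is reported as an error so the caller can fail closed rather than pick a default backend.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"io"
	"net"
)

// Hypothetical illustration of the SNI-peeking step of an L4 proxy; not
// mc-proxy's code. Anything unexpected in the attacker-controlled bytes fails closed.
var errNoSNI = errors.New("no server_name extension in ClientHello")
var errMalformed = errors.New("malformed, non-handshake or fragmented ClientHello")

// peekClientHello reads one TLS record from a just-accepted client and extracts
// the SNI. It also returns the bytes consumed: the proxy never terminates TLS,
// so they must be replayed to the backend before the relay starts.
func peekClientHello(r io.Reader) (sni string, consumed []byte, err error) {
	hdr := make([]byte, 5)
	if _, err = io.ReadFull(r, hdr); err != nil {
		return "", nil, err
	}
	n := int(binary.BigEndian.Uint16(hdr[3:]))
	if hdr[0] != 0x16 || n == 0 || n > 1<<14 { // handshake content type; RFC 8446 record limit
		return "", hdr, errMalformed
	}
	body := make([]byte, n)
	if _, err = io.ReadFull(r, body); err != nil {
		return "", hdr, err
	}
	sni, err = parseSNI(body)
	return sni, append(hdr, body...), err
}

// parseSNI walks a ClientHello (RFC 8446 4.1.2) to the server_name extension
// (RFC 6066). A hello fragmented across records is refused, not guessed at.
func parseSNI(b []byte) (string, error) {
	if len(b) < 4 || b[0] != 0x01 { // handshake type client_hello
		return "", errMalformed
	}
	msgLen := int(b[1])<<16 | int(b[2])<<8 | int(b[3])
	if b = b[4:]; msgLen > len(b) || msgLen < 34 {
		return "", errMalformed
	}
	b = b[34:msgLen] // past legacy_version(2) and random(32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if _, b = vec(b, w); b == nil {
			return "", errMalformed
		}
	}
	exts, rest := vec(b, 2) // extensions block
	if exts == nil || len(rest) != 0 {
		return "", errMalformed
	}
	for len(exts) >= 4 {
		typ := binary.BigEndian.Uint16(exts)
		var data []byte
		if data, exts = vec(exts[2:], 2); data == nil {
			return "", errMalformed
		}
		if typ == 0 { // server_name
			list, _ := vec(data, 2) // ServerNameList; RFC 6066 permits one host_name entry
			if len(list) < 3 || list[0] != 0 { // name_type host_name
				return "", errNoSNI
			}
			name, _ := vec(list[1:], 2)
			if name == nil {
				return "", errMalformed
			}
			return string(name), nil
		}
	}
	return "", errNoSNI
}

// vec splits a vector with a w-byte (1 or 2) length prefix into contents and remainder; both nil if too short.
func vec(b []byte, w int) ([]byte, []byte) {
	if len(b) < w {
		return nil, nil
	}
	n := int(b[0])
	if w == 2 {
		n = int(binary.BigEndian.Uint16(b))
	}
	if b = b[w:]; n > len(b) {
		return nil, nil
	}
	return b[:n], b[n:]
}

// captureClientHello makes crypto/tls emit a genuine ClientHello for serverName
// over an in-memory pipe and runs the proxy side on it (constructed input; the
// handshake is abandoned after the first flight).
func captureClientHello(serverName string) (string, []byte, error) {
	clientEnd, proxyEnd := net.Pipe()
	go func() {
		c := tls.Client(clientEnd, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
		_ = c.Handshake() // fails once proxyEnd is closed
		_ = clientEnd.Close()
	}()
	defer proxyEnd.Close()
	return peekClientHello(proxyEnd)
}
```

captureClientHello("mcr.svc.mcp.metacircular.net") returns that name together with the raw record; captureClientHello("203.0.113.9") returns errNoSNI, because clients omit SNI for IP literals, which is exactly the input a route table keyed on hostnames must reject rather than map to a default. The route lookup itself should be an exact match on the lowercased name, and the consumed bytes must be written to the backend before the two-way relay (with its half-close propagation) takes over the connection.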