Kyle Isom
498f040cbe
Proto: Route message gains mode, tls_cert, tls_key, backend_tls,
send_proxy_protocol fields. ListenerStatus gains proxy_protocol.
Generated code regenerated with protoc v29.5.
gRPC server: AddRoute validates mode ("l4"/"l7", defaults to "l4"),
requires tls_cert/tls_key for L7 routes, persists all fields via
write-through. ListRoutes returns full route info. GetStatus
includes proxy_protocol on listener status.
Client package: Route struct expanded with Mode, TLSCert, TLSKey,
BackendTLS, SendProxyProtocol. AddRoute signature changed to accept
a Route struct instead of individual hostname/backend strings.
ListenerStatus gains ProxyProtocol. ListRoutes maps all proto fields.
mcproxyctl: routes add gains --mode, --tls-cert, --tls-key,
--backend-tls, --send-proxy-protocol flags. routes list displays
mode and option tags for each route.
New tests: add L7 route via gRPC with field round-trip verification,
L7 route missing cert/key (InvalidArgument), invalid mode rejection,
default-to-L4 backward compatibility, proxy_protocol in status.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mc-proxy
mc-proxy is a Layer 4 TLS SNI proxy and router for Metacircular Dynamics services. It reads the SNI hostname from incoming TLS ClientHello messages and proxies the raw TCP stream to the matched backend. It does not terminate TLS.
A global firewall (IP, CIDR, GeoIP country blocking) is evaluated before any routing decision. Blocked connections receive a TCP RST with no further information.
Quick Start
# Build
make mc-proxy
# Run locally (creates srv/ with example config on first run)
make devserver
# Full CI pipeline: vet → lint → test → build
make all
Configuration
Copy the example config and edit it:
cp mc-proxy.toml.example /srv/mc-proxy/mc-proxy.toml
See ARCHITECTURE.md for the full configuration reference.
Key sections:
[database]— SQLite database path (required)[[listeners]]— TCP ports to bind and their route tables (seeds DB on first run)[grpc]— optional gRPC admin API with TLS/mTLS[firewall]— global blocklist (IP, CIDR, GeoIP country)[proxy]— connect timeout, idle timeout, shutdown timeout
CLI Commands
| Command | Purpose |
|---|---|
mc-proxy server -c <config> |
Start the proxy |
mc-proxy status -c <config> |
Query a running instance's health via gRPC |
mc-proxy snapshot -c <config> |
Create a database backup (VACUUM INTO) |
Deployment
See RUNBOOK.md for operational procedures.
# Install on a Linux host
sudo deploy/scripts/install.sh
# Or build and run as a container
make docker
docker run -v /srv/mc-proxy:/srv/mc-proxy mc-proxy server -c /srv/mc-proxy/mc-proxy.toml
Design
mc-proxy intentionally omits a REST API and web frontend. The gRPC admin API is the sole management interface. This is an intentional departure from the Metacircular engineering standards — mc-proxy is pre-auth infrastructure and a minimal attack surface is prioritized over interface breadth.
See ARCHITECTURE.md for the full system specification.
License
Proprietary. Metacircular Dynamics.