The VEY project is designed for building enterprise-oriented general-purpose proxy solutions, including but not limited to forward proxies, reverse proxies (WIP), load balancers (TBD), and NAT traversal services (WIP).
This project is a fork of the G3 project by its creator.
If you are migrating an existing G3 deployment, see Migration from G3 to VEY.
The VEY project consists of multiple applications, each with its own subdirectory for code, documentation, and related assets.
In addition to the application directories, the repository also includes several shared directories:
- doc contains project-level documentation.
- sphinx contains the sources used to generate HTML reference documentation for each application.
- scripts contains helper scripts, including coverage and packaging utilities.
A feature-rich general-purpose proxy daemon. It centers on forward-proxy workloads, while also supporting transparent proxying, TCP and TLS stream proxying, selective reverse-proxy features, traffic inspection, and policy-driven request handling.
- High-performance async Rust implementation
- HTTP/1 and SOCKS5 forward proxy support, plus SNI proxy and TCP TPROXY
- Proxy chaining and multiple egress-route selection methods, including custom selection agents
- TCP/TLS stream proxying and basic HTTP reverse-proxy support
- TLS based on OpenSSL, BoringSSL, AWS-LC, AWS-LC-FIPS, Tongsuo, or rustls
- TLS interception, decrypted-traffic export, and HTTP/1, HTTP/2, IMAP, and SMTP inspection
- ICAP integration for common application-layer inspection workflows
- Rich authentication, ACL, rate-limit, and per-user policy controls
- Detailed metrics and logging for ingress, egress, user, and user-site dimensions
- Graceful reload plus flexible load-balancing and failover behavior
A StatsD-compatible metrics ingestion, aggregation, and forwarding service. It can receive metrics from application daemons, normalize or aggregate them through a modular pipeline, and export the results to downstream systems such as Graphite, OpenTSDB, or InfluxDB.
A work-in-progress general-purpose reverse proxy and gateway daemon. It is designed as a programmable gateway framework for multiple frontend and upstream protocols. The current implementation supports TLS- and keyless-related traffic handling.
A benchmark tool that supports:
- HTTP: HTTP/1.1, HTTP/2, HTTP/3
- WebSocket
- TLS Handshake
- DNS: UDP, TCP, DNS over TLS, DNS over HTTP, DNS over QUIC, DNS over HTTP/3
- Thrift RPC
- Cloudflare Keyless
A tool for generating root CA, intermediate CA, TLS server, TLS client, TLCP server, and TLCP client certificates.
A dynamic certificate generator for vey-proxy.
An IP geolocation lookup service for vey-proxy GeoIP support.
A server implementation of the Cloudflare Keyless SSL protocol. It allows TLS edge services to delegate private-key operations to a dedicated backend service, making it easier to centralize key handling and integrate with OpenSSL-based hardware acceleration.
See Target Platforms.
See Dev-Setup.
See Standards.
Prebuilt packages are available on Cloudsmith.
That said, building packages yourself is still recommended. See Build and Package for details.
See Long-Term Support.
See Contributing for details.
See Code of Conduct for details.
Please report security issues by opening a draft security advisory on GitHub.
Please do not create a public GitHub issue.
This project is licensed under the Apache-2.0 License.