Moat - Reverse Proxy & Firewall

Moat is a high-performance reverse proxy and firewall built with Rust, designed for ultra-low latency protection at the kernel level.

Key Features

  • XDP-based packet filtering - Ultra-low latency protection at kernel level
  • Dynamic access rules - Automatic updates from Arxignis API
  • JA4+ fingerprinting - Complete suite: JA4, JA4H, JA4T, JA4L, JA4S, and JA4X
  • Automatic TLS management - ACME/Let's Encrypt integration
  • CAPTCHA protection - Support for hCaptcha, reCAPTCHA, and Cloudflare Turnstile
  • Content scanning - ClamAV integration for malware detection
  • PROXY protocol support - Preserve client IP through load balancers
  • Redis-backed caching - For certificates, threat intelligence, and validation
  • Flexible configuration - YAML files, command line, or environment variables

Quick Start

Docker Run

docker run --cap-add=SYS_ADMIN --cap-add=BPF --cap-add=NET_ADMIN \
  moat --iface eth0 \
  --arxignis-api-key="your-key" \
  --upstream "http://127.0.0.1:8081"

With Health Checks

docker run --cap-add=SYS_ADMIN --cap-add=BPF --cap-add=NET_ADMIN \
  -e AX_SERVER_HEALTH_CHECK_ENABLED=true \
  -e AX_SERVER_HEALTH_CHECK_PORT=0.0.0.0:8080 \
  -p 8080:8080 \
  moat --iface eth0 --arxignis-api-key="your-key" \
  --upstream "http://127.0.0.1:8081"

Configuration Methods

Moat supports three configuration methods with the following priority (highest to lowest):

  1. YAML Configuration File - Comprehensive configuration via config.yaml
  2. Command Line Arguments - Override specific settings via CLI flags
  3. Environment Variables - Set configuration via AX_* prefixed variables

Documentation

Architecture

Components

  • XDP Filter - Kernel-space packet filtering using eBPF
  • HTTP Server - Handles ACME challenges, HTTP traffic, and health checks
  • TLS Server - Manages HTTPS connections and certificate handling
  • Reverse Proxy - Forwards requests to upstream services
  • Threat Intelligence - Integrates with Arxignis API
  • Access Rules Engine - Dynamic IP allow/block lists
  • BPF Statistics Collector - Tracks packet processing at kernel level
  • TCP Fingerprint Collector - Extracts TCP SYN fingerprints
  • Fingerprint Engine - Complete JA4+ suite
  • CAPTCHA Engine - Validates CAPTCHA responses
  • Content Scanner - ClamAV integration
  • PROXY Protocol Handler - Preserves client IP addresses
  • Redis Cache - Stores certificates and threat intelligence

Performance

  • Ultra-low latency - XDP filtering operates in kernel space
  • High throughput - Rust-based implementation with async I/O
  • Memory efficient - Minimal memory footprint with efficient caching
  • Scalable - Supports multiple network interfaces and concurrent connections

Requirements

System Requirements

  • Linux kernel 4.18+ (for XDP support)
  • BPF support - Required for packet filtering
  • Network capabilities - SYS_ADMIN, BPF, NET_ADMIN for Docker deployments
  • Redis - For caching and certificate store
  • ClamAV - For content scanning (optional)
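A pre-flight script for the requirements above, added here as an example rather than Moat's own tooling. It assumes the capability set from the Docker quick start (SYS_ADMIN, BPF, NET_ADMIN) and treats a mounted bpffs at /sys/fs/bpf as the marker for BPF support; the MOAT_DOCKER_CMD variable and the --run switch are this script's own conventions.

```shell
#!/bin/sh
# Pre-flight checks for a Moat host, written from the Requirements and Quick
# Start sections above. Added example, not part of the Moat project.

# kernel_at_least MAJOR.MINOR RELEASE -> 0 if RELEASE (a `uname -r` string
# such as 5.15.0-91-generic) is at least the required version, else 1.
kernel_at_least() {
    req_major=${1%%.*}; req_minor=${1#*.}; req_minor=${req_minor%%.*}
    have_major=${2%%.*}
    if [ "$2" = "$have_major" ]; then have_minor=0       # bare "6", no minor
    else rest=${2#*.}; have_minor=${rest%%[!0-9]*}; fi
    for v in "$req_major" "$req_minor" "$have_major" "$have_minor"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac       # unparsable: fail closed
    done
    [ "$have_major" -gt "$req_major" ] && return 0
    [ "$have_major" -eq "$req_major" ] && [ "$have_minor" -ge "$req_minor" ]
}

# docker_caps_ok "docker run ..." -> 0 if the command grants every capability
# the XDP filter needs (SYS_ADMIN, BPF, NET_ADMIN) via --cap-add, else 1.
docker_caps_ok() {
    cmd=$(printf '%s\n' "$1" | tr '\\\n' '  ')   # flatten backslash continuations
    for cap in SYS_ADMIN BPF NET_ADMIN; do
        case " $cmd " in
            *"--cap-add=$cap "*|*"--cap-add $cap "*) ;;
            *) echo "missing --cap-add=$cap" >&2; return 1 ;;
        esac
    done
    return 0
}

# bpffs_listed MOUNTS_TEXT -> 0 if a bpf filesystem appears in the given
# /proc/mounts contents (third column is the filesystem type), else 1.
bpffs_listed() {
    printf '%s\n' "$1" | grep -q '^[^ ]* [^ ]* bpf '
}

# Run the checks against the live host; prints a verdict per check.
preflight() {
    rc=0
    kernel_at_least 4.18 "$(uname -r)" && echo "kernel ok: $(uname -r)" \
        || { echo "kernel $(uname -r) is older than 4.18: no XDP" >&2; rc=1; }
    bpffs_listed "$(cat /proc/mounts)" && echo "bpffs mounted" \
        || echo "warning: bpffs not mounted at /sys/fs/bpf (assumed path)" >&2
    docker_caps_ok "${MOAT_DOCKER_CMD:-}" && echo "docker capabilities ok" || rc=1
    return $rc
}
# Usage: MOAT_DOCKER_CMD='docker run --cap-add=... moat ...' sh preflight.sh --run
case "${1:-}" in --run) preflight ;; esac
```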

Need Help?