Fyntr Docs


Overview

Fyntr (/ˈfɪn.tər/) is a minimal forward proxy for constrained networks that keeps them responsive under bursty outbound TLS traffic. It runs as an HTTP CONNECT proxy with Deficit Round-Robin traffic shaping and optional threat-feed blocking. No server-side configuration, no inspection, and low baseline memory use.

Internals

  • Transparent CONNECT relay: Forwards TLS traffic E2E without termination or inspection.
  • Traffic shaping: Interleaves packets across active flows using Deficit Round-Robin (DRR).
  • Adaptive quantum tuning: Adjusts DRR quantum from observed packet-size statistics.
  • Threat detection: Checks CONNECT hosts and resolved addresses against local domain/IP feeds loaded at startup.
  • DoS guardrails: Caps request line/header sizes and per-flow queue buffering.
  • SOCKS5 support: Adds an optional no-auth SOCKS5 CONNECT listener with local DNS resolution.

Quick Start

Install the crates.io release and run it locally. Fyntr listens on port 9999 by default.

cargo install fyntr
fyntr

Or build from source:

cargo run --release

Configure your environment in a separate terminal:

export HTTPS_PROXY=http://127.0.0.1:9999

This affects aws-cli and many tools that honor HTTPS_PROXY, including libcurl-based clients, git, brew, and wget.

Verify the proxy:

curl https://example.com

If logging is enabled, you should also see a log entry showing the CONNECT target for that request.

Library Usage

Requires actix-rt and anyhow in your application's dependencies. For logging, add env_logger.

use fyntr::run;

#[actix_rt::main]
async fn main() -> anyhow::Result<()> {
    // Optional: to enable logging, set RUST_LOG (for example, RUST_LOG=info)
    // and uncomment the line below to initialize env_logger:
    // env_logger::init();

    let handle = run::server()
        .bind("127.0.0.1")
        .port(0) // 0 lets the OS pick an available port
        .max_connections(512)
        .background()
        .await?;

    println!("Fyntr listening on {}", handle.listen_addr());

    // ... run your app ...

    handle.shutdown().await?;
    Ok(())
}

Usage with Terraform

Example: AWS Provider

# Set environment variables
export HTTPS_PROXY=http://127.0.0.1:9999

# Standard usage
terraform apply

# Or use aws-vault wrapper
aws-vault exec my-profile -- terraform apply

Configuration Examples

These examples assume you installed the fyntr binary. If you are running from source, replace fyntr ... with cargo run --release -- ....

Set a higher connection limit

# CLI flags
fyntr --max-connections 2048

# Equivalent via environment variables
FYNTR_MAX_CONNECTIONS=2048 \
fyntr

Allow only explicit CONNECT ports

# CLI flags
fyntr --no-default-allow-port --allow-port 8443

# Equivalent via environment variables
FYNTR_NO_DEFAULT_ALLOW_PORT=true \
FYNTR_ALLOW_PORT=8443 \
fyntr

Detect CONNECT targets with threat feeds

fyntr \
  --threat-feed-file ./phishing-domains.txt \
  --threat-feed-file ./malicious-ips.txt \
  --threat-action block

Feeds can contain plain domain/IP lines or AdGuard-style rules such as ||example.com^ and ||1.2.3.4^. Domain entries and request hosts are normalized with IDNA ToASCII before matching.

Unsupported rules are skipped and reported in startup logs. Fyntr fails to start if no supported entries can be loaded.

Fyntr also warns on suspicious mixed-script Unicode hostname labels, such as Latin mixed with Cyrillic or Greek. These spoofing signals are warnings only and do not block traffic.

As a concrete example, Fyntr can load the AdGuard Home/Pi-hole and dnscrypt-proxy blocked-names and blocked-IPs lists published by curbengh/urlhaus-filter, which derives its feeds from URLHaus.

# Download the dnscrypt-proxy blocked names/IPs feeds
wget https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-dnscrypt-blocked-names.txt
wget https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-dnscrypt-blocked-ips.txt
fyntr \
  --threat-feed-file ./urlhaus-filter-dnscrypt-blocked-ips.txt \
  --threat-feed-file ./urlhaus-filter-dnscrypt-blocked-names.txt \
  --threat-action block
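The feed handling described above, as an added Rust example that is not Fyntr's own code: parsing plain and AdGuard-style lines, skipping unsupported rules, matching a CONNECT host and its resolved addresses against the loaded entries, and the warn-only mixed-script check. It assumes entries and hosts are already ASCII (Fyntr's IDNA ToASCII step is left out because std has no IDNA support), approximates Unicode scripts with a few code-point ranges, and treats a domain entry as covering its subdomains, which is this example's choice rather than documented Fyntr behaviour.

```rust
use std::{collections::HashSet, net::IpAddr};

/// A feed entry: a domain (matches the host and its subdomains) or a literal IP.
#[derive(Debug, PartialEq)]
enum Entry { Domain(String), Ip(IpAddr) }

/// Lowercase and drop a trailing dot. Fyntr also applies IDNA ToASCII; this example
/// assumes entries and hosts are already ASCII (punycode `xn--` labels pass through).
fn normalize_host(host: &str) -> String {
    host.trim().trim_end_matches('.').to_ascii_lowercase()
}

/// One feed line: plain domain/IP or an AdGuard-style `||host^` rule. Comments, blank
/// lines and unsupported syntax (paths, wildcards, modifiers, exceptions) yield None.
fn parse_feed_line(line: &str) -> Option<Entry> {
    let line = line.trim();
    if line.is_empty() || line.starts_with('#') || line.starts_with('!') { return None; }
    let host = match line.strip_prefix("||") {
        Some(rest) => rest.strip_suffix('^')?, // `||host` without `^` is unsupported
        None => line,
    };
    if host.is_empty() || host.chars().any(|c| "/*$@|^ ".contains(c)) { return None; }
    let host = normalize_host(host);
    Some(match host.parse::<IpAddr>() { Ok(ip) => Entry::Ip(ip), Err(_) => Entry::Domain(host) })
}

/// Threat check: the host, one of its parent domains, or any resolved address is in the feed.
fn feed_match<'a>(feed: &'a [Entry], host: &str, resolved: &[IpAddr]) -> Option<&'a Entry> {
    let host = normalize_host(host);
    feed.iter().find(|e| match e {
        Entry::Domain(d) => host == *d || host.ends_with(&format!(".{}", d)),
        Entry::Ip(ip) => resolved.contains(ip),
    })
}

/// Coarse script bucket; std has no Unicode script tables, so these ranges only
/// approximate Latin, Greek and Cyrillic letters (digits and hyphens are ignored).
fn script_of(c: char) -> Option<&'static str> {
    match c as u32 {
        0x41..=0x5A | 0x61..=0x7A | 0xC0..=0x24F => Some("Latin"),
        0x370..=0x3FF => Some("Greek"),
        0x400..=0x4FF => Some("Cyrillic"),
        _ => None,
    }
}

/// Warn-only spoofing signal: any single label mixing two of the scripts above.
fn has_mixed_script_label(host: &str) -> bool {
    host.split('.').any(|l| l.chars().filter_map(script_of).collect::<HashSet<_>>().len() > 1)
}
```

Feeding a real list through parse_feed_line and counting the None results for non-comment lines reproduces the "unsupported rules skipped" report the page mentions.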

Enable a SOCKS5 listener

fyntr --socks5-port 1080

The SOCKS5 listener supports CONNECT requests only, without authentication. DOMAINNAME targets are resolved locally by Fyntr. UDP ASSOCIATE, BIND, and SOCKS5 username/password authentication are not supported.

CLI Options

Server

--bind <ADDR>
  Env var: FYNTR_BIND
  Default: 127.0.0.1
  Address/hostname to bind on, such as 127.0.0.1, ::1, localhost, or 0.0.0.0. Supports both IPv4 and IPv6. Binding to non-loopback interfaces without auth can expose the proxy on the network.

--port <PORT>
  Env var: FYNTR_PORT
  Default: 9999
  Port to listen on. Use 0 to auto-select an available port.

--socks5-bind <ADDR>
  Env var: FYNTR_SOCKS5_BIND
  Default: same as --bind
  Optional address/hostname for the SOCKS5 listener. Only used when --socks5-port is set.

--socks5-port <PORT>
  Env var: FYNTR_SOCKS5_PORT
  Default: disabled
  Enable a no-auth SOCKS5 CONNECT listener on this port.

--max-connections <MAX_CONNECTIONS>
  Env var: FYNTR_MAX_CONNECTIONS
  Default: 1000
  Maximum number of concurrent connections allowed. Set 0 for unlimited.

--idle-timeout <SECONDS>
  Env var: FYNTR_IDLE_TIMEOUT
  Default: 300
  Idle timeout, in seconds, for established connections. Set 0 to disable.

CONNECT Policy

--no-default-allow-port
  Env var: FYNTR_NO_DEFAULT_ALLOW_PORT
  Default: false
  Disable the implicit 443 allowance. Only explicitly configured --allow-port values are permitted.

--allow-port <PORT>
  Env var: FYNTR_ALLOW_PORT
  Default: implicit 443 unless --no-default-allow-port is set
  Allowed destination port for CONNECT, in the range 1-65535. Repeat the flag or comma-separate values to add more.

--deny-cidr <CIDR>
  Env var: FYNTR_DENY_CIDR
  Default: internal ranges
  CIDR ranges denied for CONNECT destination IPs. Repeat the flag or comma-separate values.

--allow-cidr <CIDR>
  Env var: FYNTR_ALLOW_CIDR
  Default: none
  CIDR exceptions that are allowed even if they match denied internal ranges.

--allow-domain <DOMAIN>
  Env var: FYNTR_ALLOW_DOMAIN
  Default: none
  Domain/suffix allowlist for CONNECT targets. When a domain matches, addresses blocked by deny CIDRs are filtered out rather than causing the entire connection to fail. If all resolved addresses are blocked, the connection is denied.

--threat-feed-file <PATH>
  Env var: FYNTR_THREAT_FEED_FILE
  Default: none
  Local threat feed file with domain/IP entries to warn on or block. Repeat the flag or comma-separate paths to load multiple feeds. Feeds are loaded once at startup into an immutable in-memory index.

--threat-action <warn|block>
  Env var: FYNTR_THREAT_ACTION
  Default: warn
  Warn on matching CONNECT targets, or reject them with 403 Forbidden when set to block.

--allow-domain applies only to CONNECT CIDR policy exceptions. It does not override threat feed matches.

Why Fyntr?

Cloud automation tools such as Terraform can spawn bursts of TCP connections that rapidly open and close, especially when managing many resources in parallel.

When many flows send data simultaneously, they can create short traffic spikes that overwhelm low-capacity routers, particularly consumer NAT devices. This can push CPU interrupt load too high and make the network feel unresponsive.

Rather than relying on connection pooling, Fyntr regulates traffic at the application layer.

Its scheduler uses DRR to distribute sending opportunities fairly across active flows, so bursts from many parallel connections get interleaved as queued chunks instead of firing all at once. As a result, Fyntr reduces bufferbloat-like queue buildup and thundering-herd-like traffic patterns.

This smoothing reduces CPU pressure on routers during connection storms. This matters most when scheduling overhead, rather than bandwidth, is the primary bottleneck.
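To make the scheduling argument concrete, here is an added Rust sketch of Deficit Round-Robin over queued chunks; it is not Fyntr's scheduler, and the mean-based adaptive_quantum stand-in is an assumption, since this page does not give Fyntr's formula. The constructed demo shows a 1500-byte burst and three 1000-byte chunks being interleaved with a stream of 300-byte chunks instead of going out back to back.

```rust
use std::collections::VecDeque;

/// One outbound flow: queued chunk sizes in bytes plus its DRR deficit counter.
struct Flow {
    name: &'static str,
    pending: VecDeque<usize>,
    deficit: usize,
}

/// Deficit Round-Robin: each round every backlogged flow earns `quantum` bytes of
/// credit and sends queued chunks while the head chunk fits in its deficit, so one
/// flow's burst is interleaved with the others instead of going out all at once.
/// Returns the resulting send order as (flow name, chunk size) pairs.
fn drr_schedule(flows: &mut [Flow], quantum: usize) -> Vec<(&'static str, usize)> {
    let mut order = Vec::new();
    while flows.iter().any(|f| !f.pending.is_empty()) {
        for f in flows.iter_mut() {
            if f.pending.is_empty() {
                f.deficit = 0; // idle flows do not bank credit (classic DRR rule)
                continue;
            }
            f.deficit += quantum;
            while let Some(&head) = f.pending.front() {
                if head > f.deficit { break; } // not enough credit yet; retry next round
                f.deficit -= head;
                f.pending.pop_front();
                order.push((f.name, head));
            }
        }
    }
    order
}

/// Quantum from observed chunk sizes. Fyntr's exact statistic is not documented on
/// this page; this stand-in uses the mean chunk size, clamped to at least 1 byte.
fn adaptive_quantum(sizes: &[usize]) -> usize {
    if sizes.is_empty() { return 1; }
    (sizes.iter().sum::<usize>() / sizes.len()).max(1)
}

/// Constructed scenario: three parallel flows with different chunk sizes.
fn demo() -> Vec<(&'static str, usize)> {
    let mut flows = [
        Flow { name: "A", pending: VecDeque::from(vec![1000, 1000, 1000]), deficit: 0 },
        Flow { name: "B", pending: VecDeque::from(vec![300, 300, 300, 300]), deficit: 0 },
        Flow { name: "C", pending: VecDeque::from(vec![1500]), deficit: 0 },
    ];
    drr_schedule(&mut flows, 500)
}
```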