Overview
Fyntr (/ˈfɪn.tər/) is a minimal forward proxy for constrained networks that keeps them responsive under bursty outbound TLS traffic. It runs as an HTTP CONNECT proxy with Deficit Round-Robin traffic shaping and optional threat-feed blocking. No server-side configuration, no inspection, and low baseline memory use.
Internals
- Transparent CONNECT relay: Forwards TLS traffic E2E without termination or inspection.
- Traffic shaping: Interleaves packets across active flows using Deficit Round-Robin (DRR).
- Adaptive quantum tuning: Adjusts DRR quantum from observed packet-size statistics.
- Threat detection: Checks CONNECT hosts and resolved addresses against local domain/IP feeds loaded at startup.
- DoS guardrails: Caps request line/header sizes and per-flow queue buffering.
- SOCKS5 support: Adds an optional no-auth SOCKS5 CONNECT listener with local DNS resolution.
Quick Start
Install the crates.io release and run it locally. Fyntr listens on port 9999 by default.
cargo install fyntr
fyntr
Or build from source:
cargo run --release
Configure your environment in a separate terminal:
export HTTPS_PROXY=http://127.0.0.1:9999
This affects aws-cli and many tools that use libcurl, including git, brew, and wget.
Verify the proxy:
curl https://example.com
If logging is enabled, you should also see a log entry showing the CONNECT target for that request.
Library Usage
Requires actix-rt and anyhow in your application's dependencies.
For logging, add env_logger.
use fyntr::run;

#[actix_rt::main]
async fn main() -> anyhow::Result<()> {
    // Optional: to enable logging, set RUST_LOG (for example, RUST_LOG=info)
    // and uncomment the line below to initialize env_logger:
    // env_logger::init();
    let handle = run::server()
        .bind("127.0.0.1")
        .port(0) // 0 lets the OS pick an available port
        .max_connections(512)
        .background()
        .await?;
    println!("Fyntr listening on {}", handle.listen_addr());
    // ... run your app ...
    handle.shutdown().await?;
    Ok(())
}
Usage with Terraform
Example: AWS Provider
# Set environment variables
export HTTPS_PROXY=http://127.0.0.1:9999
# Standard usage
terraform apply
# Or use aws-vault wrapper
aws-vault exec my-profile -- terraform apply
Configuration Examples
These examples assume you installed the fyntr binary.
If you are running from source, replace fyntr ... with cargo run --release -- ....
Set a higher connection limit
# CLI flags
fyntr --max-connections 2048
# Equivalent via environment variables
FYNTR_MAX_CONNECTIONS=2048 \
fyntr
Allow only explicit CONNECT ports
# CLI flags
fyntr --no-default-allow-port --allow-port 8443
# Equivalent via environment variables
FYNTR_NO_DEFAULT_ALLOW_PORT=true \
FYNTR_ALLOW_PORT=8443 \
fyntr
Detect CONNECT targets with threat feeds
fyntr \
--threat-feed-file ./phishing-domains.txt \
--threat-feed-file ./malicious-ips.txt \
--threat-action block
Feeds can contain plain domain/IP lines or AdGuard-style rules such as ||example.com^ and ||1.2.3.4^.
Domain entries and request hosts are normalized with IDNA ToASCII before matching.
Unsupported rules are skipped and reported in startup logs. Fyntr fails to start if no supported entries can be loaded.
Fyntr also warns on suspicious mixed-script Unicode hostname labels, such as Latin mixed with Cyrillic or Greek. These spoofing signals are warnings only and do not block traffic.
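To show how such a feed is consumed, here is an added example (not Fyntr's own code) that loads plain domain/IP lines and AdGuard-style ||host^ rules, reports unsupported rules instead of guessing, and checks a CONNECT host plus its resolved addresses against the result. It assumes that '#' and '!' lines are comments, that ||domain^ also covers subdomains, and it uses ASCII lowercasing as a stand-in for the IDNA ToASCII step, so non-ASCII entries are reported as skipped here.

```rust
// Added example, not Fyntr's own code: loader for the README's feed formats
// (plain domain/IP lines, AdGuard-style ||host^ rules) that reports unsupported
// rules instead of guessing. Assumed: '#'/'!' lines are comments, ||domain^ also
// covers subdomains, and ASCII lowercasing stands in for IDNA ToASCII here.
use std::{collections::HashSet, net::IpAddr};
#[derive(Default)]
struct ThreatIndex {
    domains: HashSet<String>,
    ips: HashSet<IpAddr>,
    skipped: Vec<String>, // unsupported rules, to report in startup logs
}
fn normalize_host(h: &str) -> String {
    h.trim().trim_end_matches('.').to_ascii_lowercase()
}
// Parse one feed; entries this parser cannot interpret go to `skipped`.
fn load_feed(text: &str) -> ThreatIndex {
    let mut idx = ThreatIndex::default();
    for line in text.lines().map(str::trim) {
        if line.is_empty() || line.starts_with(['#', '!']) {
            continue;
        }
        // Accept ||host^; other adblock syntax (modifiers, paths, wildcards, CIDRs) is reported.
        let host = match line.strip_prefix("||").and_then(|r| r.strip_suffix('^')) {
            Some(h) => normalize_host(h),
            None if line.contains(['|', '^', '$', '/', '*', '@']) => {
                idx.skipped.push(line.to_string());
                continue;
            }
            None => normalize_host(line),
        };
        if let Ok(ip) = host.parse::<IpAddr>() {
            idx.ips.insert(ip);
        } else if !host.is_empty() && host.is_ascii() && !host.contains(' ') {
            idx.domains.insert(host);
        } else {
            idx.skipped.push(line.to_string());
        }
    }
    idx
}
// True if the CONNECT host, one of its parent domains, or a resolved address is listed.
fn is_listed(idx: &ThreatIndex, host: &str, resolved: &[IpAddr]) -> bool {
    let h = normalize_host(host);
    let parents = h.match_indices('.').map(|(i, _)| &h[i + 1..]);
    std::iter::once(h.as_str()).chain(parents).any(|d| idx.domains.contains(d))
        || resolved.iter().any(|ip| idx.ips.contains(ip))
}
// Constructed sample feed: two domains, one IP, and two unsupported rules.
const SAMPLE_FEED: &str = "# comment\n||bad.example^\n||198.51.100.7^\nphish.test\n203.0.113.0/24\n||tracker.example^$third-party\n";
```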
As a concrete example, Fyntr can use the AdGuard Home/Pi-hole and dnscrypt-proxy blocked names and IPs lists from curbengh/urlhaus-filter, which publishes URLHaus-based feeds.
# Download the dnscrypt-proxy blocked names/IPs feeds
wget https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-dnscrypt-blocked-names.txt
wget https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-dnscrypt-blocked-ips.txt
fyntr \
--threat-feed-file ./urlhaus-filter-dnscrypt-blocked-ips.txt \
--threat-feed-file ./urlhaus-filter-dnscrypt-blocked-names.txt \
--threat-action block
Enable a SOCKS5 listener
fyntr --socks5-port 1080
The SOCKS5 listener supports CONNECT requests only, without authentication.
DOMAINNAME targets are resolved locally by Fyntr.
UDP ASSOCIATE, BIND, and SOCKS5 username/password authentication are not supported.
CLI Options
Server
| Option | Env var | Default | Description |
|---|---|---|---|
| --bind <ADDR> | FYNTR_BIND | 127.0.0.1 | Address/hostname to bind on, such as 127.0.0.1, ::1, localhost, or 0.0.0.0. Supports both IPv4 and IPv6. Binding to non-loopback interfaces without auth can expose the proxy on the network. |
| --port <PORT> | FYNTR_PORT | 9999 | Port to listen on. Use 0 to auto-select an available port. |
| --socks5-bind <ADDR> | FYNTR_SOCKS5_BIND | same as --bind | Optional address/hostname for the SOCKS5 listener. Only used when --socks5-port is set. |
| --socks5-port <PORT> | FYNTR_SOCKS5_PORT | disabled | Enable a no-auth SOCKS5 CONNECT listener on this port. |
| --max-connections <MAX_CONNECTIONS> | FYNTR_MAX_CONNECTIONS | 1000 | Maximum number of concurrent connections allowed. Set 0 for unlimited. |
| --idle-timeout <SECONDS> | FYNTR_IDLE_TIMEOUT | 300 | Idle timeout for established connections. Set 0 to disable. |
CONNECT Policy
| Option | Env var | Default | Description |
|---|---|---|---|
| --no-default-allow-port | FYNTR_NO_DEFAULT_ALLOW_PORT | false | Disable implicit 443 allowance. Only explicitly configured --allow-port values are permitted. |
| --allow-port <PORT> | FYNTR_ALLOW_PORT | implicit 443 unless --no-default-allow-port | Allowed destination port for CONNECT in the range 1-65535. Repeat flag or comma-separate to add more. |
| --deny-cidr <CIDR> | FYNTR_DENY_CIDR | Internal ranges | CIDR ranges denied for CONNECT destination IPs. Repeat flag or comma-separate. |
| --allow-cidr <CIDR> | FYNTR_ALLOW_CIDR | none | CIDR exceptions that are allowed even if they match denied internal ranges. |
| --allow-domain <DOMAIN> | FYNTR_ALLOW_DOMAIN | none | Domain/suffix allowlist for CONNECT targets. When a domain matches, addresses blocked by deny CIDRs are filtered out rather than causing the entire connection to fail. If all resolved addresses are blocked, the connection is denied. |
| --threat-feed-file <PATH> | FYNTR_THREAT_FEED_FILE | none | Local threat feed file with domain/IP entries to warn on or block. Repeat flag or comma-separate to load multiple feeds. The feed is loaded once at startup into an immutable in-memory index. |
| --threat-action <warn\|block> | FYNTR_THREAT_ACTION | warn | Warn on matching CONNECT targets, or reject them with 403 Forbidden when set to block. |
--allow-domain applies only to CONNECT CIDR policy exceptions. It does not override threat feed matches.
Why Fyntr?
Cloud automation tools such as Terraform can spawn bursts of TCP connections that rapidly open and close, especially when managing many resources in parallel.
When many flows send data simultaneously, they can create short traffic spikes that overwhelm low-capacity routers, particularly consumer NAT devices. This can push CPU interrupt load too high and make the network feel unresponsive.
Rather than relying on connection pooling, Fyntr regulates traffic at the application layer.
Its scheduler uses DRR to distribute sending opportunities fairly across active flows, so bursts from many parallel connections get interleaved as queued chunks instead of firing all at once. As a result, Fyntr reduces bufferbloat-like queue buildup and thundering-herd-like traffic patterns.
This smoothing reduces CPU pressure on routers during connection storms. This matters most when scheduling overhead, rather than bandwidth, is the primary bottleneck.
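To make the interleaving described above concrete, here is an added example (not Fyntr's own scheduler) of a minimal Deficit Round-Robin pass over several flows, covering the DRR bullet under Internals as well as this section. Flow names and chunk sizes are constructed sample data, and the quantum is a fixed value rather than the adaptive one Fyntr derives from packet-size statistics.

```rust
// Added example, not Fyntr's own code: a minimal Deficit Round-Robin scheduler
// that interleaves queued chunks from several flows, illustrating how the proxy
// turns simultaneous bursts into a round-robin sequence. Flow names and chunk
// sizes are constructed sample data; the quantum is fixed rather than adaptive.
use std::collections::VecDeque;

// One active flow: pending chunk sizes (bytes) and its DRR deficit counter.
struct Flow {
    name: &'static str,
    queue: VecDeque<usize>,
    deficit: usize,
}
// Run DRR with the given quantum until every queue drains; returns the send
// order as (flow, chunk size). Each round adds `quantum` credit to a backlogged
// flow and lets it send head-of-line chunks while the credit covers them.
fn drr_schedule(flows: &mut [Flow], quantum: usize) -> Vec<(&'static str, usize)> {
    let mut order = Vec::new();
    while flows.iter().any(|f| !f.queue.is_empty()) {
        for f in flows.iter_mut() {
            if f.queue.is_empty() {
                f.deficit = 0; // idle flows do not bank credit (classic DRR rule)
                continue;
            }
            f.deficit += quantum;
            while let Some(&head) = f.queue.front() {
                if head > f.deficit {
                    break; // not enough credit: wait for the next round
                }
                f.deficit -= head;
                f.queue.pop_front();
                order.push((f.name, head));
            }
        }
    }
    order
}

// Constructed: one chatty flow with small chunks beside two bulkier flows.
fn sample_flows() -> Vec<Flow> {
    let flow = |name: &'static str, sizes: &[usize]| Flow { name, queue: sizes.iter().copied().collect(), deficit: 0 };
    vec![flow("tf-a", &[400, 400, 400, 400]), flow("tf-b", &[1200, 1200]), flow("tf-c", &[800])]
}

fn main() {
    for (name, size) in drr_schedule(&mut sample_flows(), 800) {
        println!("{name}: {size} bytes");
    }
}
```

With a quantum of 800 the chatty flow sends two chunks per round while the 1200-byte flow must wait a round to accumulate credit, so no single flow monopolizes the link.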