v0.4.0

What's New

Traffic Logging (--log-file)

Capture all HTTP/HTTPS traffic to JSON Lines format for audit and forensics:

rustgate --mitm --log-file /tmp/traffic.jsonl

• JSON Lines format with full HTTP metadata, headers, body
• Automatic credential redaction: sensitive headers (Authorization, Cookie, API keys) and query parameter values are redacted by default
• Bodies logged as UTF-8 or base64 (binary), with truncation flag for uncaptured bodies
• Upstream target info (scheme, host, port) stored for accurate replay
• Log files created with 0o600 permissions + symlink rejection
• Works standalone or combined with --intercept

Request Replay (replay subcommand)

Resend captured traffic for testing, debugging, or regression analysis:

rustgate replay --log-file /tmp/traffic.jsonl
rustgate replay --log-file /tmp/traffic.jsonl --target https://staging.example.com
rustgate replay --log-file /tmp/traffic.jsonl --delay 100

• HTTPS support via TLS
• --target override with strict scheme validation (http/https only)
• Safe header allowlist when retargeting (strips credentials, vendor tokens)
• Redacted headers and truncated bodies automatically skipped
• Content-Length recomputed from actual body

Security Hardening

• Query parameter values redacted in logged URIs
• Header logging uses allowlist (not denylist) — unknown headers redacted
• Log file permissions enforced on existing files (not just creation)
• Replay target validation: rejects malformed URIs, unsupported schemes
• Pending entry expiry: 300s age-based with synthetic failure records
• Upstream failure paths flush pending log entries

Full Changelog: v0.3.0...v0.4.0

v0.3.0

What's New

TUI Request/Response Interceptor (Burp-style)

New --intercept flag for interactive HTTP/HTTPS traffic inspection:

rustgate --mitm --intercept

• Forward (f) — Send request/response as-is
• Drop (d) — Block requests or suppress responses
• Edit (e) — Inline text editor for headers and body (Ctrl+S to save)
• Toggle (space) — Enable/disable interception at runtime
• Quit (q) — Exit TUI, proxy continues in passthrough mode

Design Highlights

• Streaming-safe: only buffers bodies with explicit Content-Length <= 10MB
• Buffered marker prevents streaming body corruption
• Bounded backpressure channel (16 items) with block_in_place
• TUI disconnect → automatic passthrough fallback
• Binary body detection (edit disabled for non-UTF-8)
• No-op edit detection (preserves original bytes exactly)
• Hop-by-hop headers re-stripped after every edit
• Framing headers recomputed only on actual body change
• Response drop returns 444 + Connection:close (non-retryable)
• Method/URI edits intentionally ignored (upstream already resolved)

C2 Improvements (from v0.2.0)

All C2 security hardening from v0.2.0 is included (22 adversarial review rounds).

Full Changelog: v0.2.0...v0.3.0

v0.2.0

What's New

C2 Client/Server Mode

RustGate now includes a WebSocket-based C2 tunneling system for security research:

• rustgate server — mTLS-authenticated WebSocket server with operator console
• rustgate client — Connects to server, receives commands, creates tunnels
• rustgate gen-client-cert — Generate mTLS client certificates

Tunnel Types

• SOCKS5 Proxy — Operator opens a SOCKS5 listener on the client, traffic relayed through the server to targets
• Reverse TCP Tunnel — Server binds a local port, forwards connections back to client's local service (e.g., SSH)

Security Guardrails

• Mutual TLS authentication (separate CA per deployment, --ca-dir required)
• SHA-256 certificate fingerprint session identity
• Operator-authorized tunnel IDs with command-specific acknowledgements (SocksReady, ReverseTunnelReady)
• Channel ID parity validation with duplicate rejection
• Handshake timeouts + concurrency limiting
• Session eviction with shutdown signaling
• Per-tunnel lifecycle management
• Bounded timeouts on all async connect/readiness paths
• Reverse tunnel listeners bound to loopback only
• Partial CA state detection (fail-closed)
• Research-only warning banner

Other Changes

• Removed Japanese section from README
• Updated crate description and keywords

Full Changelog: v0.1.0...v0.2.0

v0.1.1

RustGate v0.1.1

Documentation-focused patch release.

Changed

• Added an English-only crates.io README (README.crates-io.md)
• Updated package metadata to use README.crates-io.md
• Kept repository README bilingual with English-first structure and Japanese section at the end

Why this release

• Improves first impression and readability for global users on crates.io
• Keeps Japanese documentation available in the repository

v0.1.0 — Initial Release

RustGate v0.1.0

Initial public release of RustGate-Proxy.

Highlights

• HTTP proxy forwarding with hop-by-hop header stripping
• CONNECT tunneling for HTTPS passthrough
• Optional MITM mode with TLS interception
• Dynamic CA-signed certificate generation and in-memory cert cache
• Root CA auto-generation/loading in ~/.rustgate/
• Request/response customization via RequestHandler
• IPv6 CONNECT target support
• CLI + library distribution (rustgate)

Safety notes

• Query parameters are redacted from logs
• Non-loopback bind emits a startup warning
• MITM features must be used only with explicit consent