A high-performance, enterprise-grade dual proxy suite for managing both egress and ingress traffic in data center environments with advanced eBPF acceleration, mTLS authentication, and hardware optimization.
MarchProxy is a next-generation dual proxy solution designed for enterprise data centers that need to control and monitor both egress traffic to the internet and ingress traffic from external clients. Built with a unique multi-tier performance architecture combining eBPF kernel programming, mTLS mutual authentication, hardware acceleration (XDP, AF_XDP, DPDK, SR-IOV), and enterprise-grade management capabilities.
- Dual Proxy Architecture: Complete solution with both egress (forward proxy) and ingress (reverse proxy) functionality
- Unmatched Performance: Multi-tier acceleration from standard networking → eBPF → XDP/AF_XDP → DPDK supporting 100+ Gbps throughput
- Enterprise Security: Built-in mTLS authentication, WAF, DDoS protection, XDP-based rate limiting, and comprehensive authentication (SAML, OAuth2, SCIM)
- Service-Centric: Designed for service-to-service communication with granular access control and cluster isolation
- mTLS by Default: Mutual TLS authentication with automated certificate management and ECC P-384 cryptography
- Production Ready: Comprehensive monitoring, centralized logging, automatic failover, and zero-downtime configuration updates
- Open Source + Enterprise: Community edition with core features, Enterprise edition with advanced acceleration and unlimited scaling
Get MarchProxy running in under 5 minutes with our comprehensive Docker Compose setup:
# Clone the repository
git clone https://github.com/marchproxy/marchproxy.git
cd marchproxy
# Start the complete stack (Manager + Proxy + Observability)
docker-compose up -d
# Verify all services are running
docker-compose ps
# Access the management interface
open http://localhost:8000
# Default credentials:
# Username: admin
# Password: changeme
# 2FA: Use any TOTP app to scan the QR codeWhat you get out of the box:
- ✅ Manager web interface with modern dashboard and mTLS certificate management
- ✅ High-performance proxy-egress (forward proxy) with eBPF acceleration
- ✅ High-performance proxy-ingress (reverse proxy) with load balancing
- ✅ Complete mTLS authentication with automated certificate generation
- ✅ PostgreSQL database with sample data
- ✅ Prometheus metrics collection for both proxies
- ✅ Grafana dashboards for monitoring
- ✅ ELK stack for centralized logging
- ✅ Jaeger for distributed tracing
- ✅ AlertManager for intelligent alerting
Quick Configuration Test:
# Generate mTLS certificates
docker-compose --profile tools run --rm cert-generator
# Test ingress proxy (reverse proxy)
curl http://localhost:80/
# Test ingress HTTPS with mTLS
curl --cert certs/client-cert.pem \
--key certs/client-key.pem \
--cacert certs/ca.pem \
-k https://localhost:443/
# Test egress proxy health
curl http://localhost:8081/healthz
# Test ingress proxy health
curl http://localhost:8082/healthz# Add Helm repository
helm repo add marchproxy https://charts.marchproxy.io
helm repo update
# Install MarchProxy
helm install marchproxy marchproxy/marchproxy \
--namespace marchproxy \
--create-namespace# Install the operator
kubectl apply -f https://raw.githubusercontent.com/marchproxy/marchproxy/main/operator/config/crd/marchproxy.yaml
kubectl apply -f https://raw.githubusercontent.com/marchproxy/marchproxy/main/operator/config/manager/manager.yaml
# Deploy MarchProxy instance
kubectl apply -f examples/simple-marchproxy.yaml- Features
- Architecture
- Quick Start
- Installation
- Configuration
- Performance
- Security
- Documentation
- Contributing
- License
- Support
- Dual Proxy Architecture: Both egress (forward) and ingress (reverse) proxy functionality
- High-Performance Proxies: Multi-protocol support (TCP, UDP, ICMP, HTTP/HTTPS, WebSocket, QUIC/HTTP3)
- mTLS Authentication: Mutual TLS with automated certificate management and ECC P-384 cryptography
- eBPF Acceleration: Kernel-level packet processing for maximum performance on both proxies
- Service-to-Service Mapping: Granular traffic routing and access control
- Multi-Cluster Support: Enterprise-grade cluster management and isolation
- Real-time Configuration: Hot-reload configuration without downtime
- Comprehensive Monitoring: Prometheus metrics, health checks, and observability for both proxies
- eBPF Fast-path: Programmable kernel-level packet filtering
- Hardware Acceleration: Optional DPDK, XDP, AF_XDP, and SR-IOV support
- Advanced Caching: Redis-backed and in-memory caching with multiple eviction policies
- Circuit Breaker: Automatic failure detection and recovery
- Content Compression: Gzip, Brotli, Zstandard, and Deflate support
- mTLS Mutual Authentication: Client certificate validation with ECC P-384 cryptography
- Certificate Management: Automated CA generation or upload existing certificate chains
- Multiple Auth Methods: Base64 tokens, JWT, 2FA/TOTP
- Enterprise Authentication: SAML, SCIM, OAuth2 (Google, Microsoft, etc.)
- TLS Management: Automatic certificate management via Infisical/Vault or manual upload
- Web Application Firewall: SQL injection, XSS, and command injection protection
- Rate Limiting & DDoS Protection: Advanced traffic shaping and attack mitigation
- Multi-Cluster Management: Unlimited clusters with separate API keys and configurations
- Advanced Authentication: SAML SSO, SCIM provisioning, OAuth2 integration
- Centralized Logging: Per-cluster syslog configuration and structured logging
- License Management: Integration with license.penguintech.io
- High Availability: Auto-scaling, load balancing, and fault tolerance
MarchProxy features a distributed dual proxy architecture optimized for both egress and ingress traffic management:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ External │ │ Enterprise │ │ Data Center │
│ Clients │ │ Management │ │ Services │
└─────────┬───────┘ └─────────┬───────┘ └─────────┬───────┘
│ │ │
│ HTTPS/mTLS │ │ Egress
│ │ │
┌─────────▼─────────────────────────▼─────────────────────────▼─────────┐
│ MarchProxy Dual Proxy Cluster │
│ │
│ ┌─────────────────┐ ┌─────────────────────────────────┐ │
│ │ Manager │◄────────►│ Proxy Architecture │ │
│ │ (py4web/pydal) │ │ │ │
│ │ │ │ ┌─────────────┐ ┌─────────────┐│ │
│ │ • Web Dashboard │ │ │ Ingress │ │ Egress ││ │
│ │ • API Server │ │ │ (Reverse) │ │ (Forward) ││ │
│ │ • User Mgmt │ │ │ │ │ ││ │
│ │ • License Mgmt │ │ │ :80 (HTTP) │ │ :8080 (TCP) ││ │
│ │ • mTLS CA Mgmt │ │ │ :443 (TLS) │ │ :8081 (ADM) ││ │
│ │ • Cert Mgmt │ │ │ :8082 (ADM) │ │ ││ │
│ └─────────────────┘ │ │ │ │ ││ │
│ │ │ │ ┌─────────┐ │ │ ┌─────────┐ ││ │
│ │ │ │ │ mTLS │ │ │ │ mTLS │ ││ │
│ │ │ │ │ eBPF │ │ │ │ eBPF │ ││ │
│ │ │ │ │ XDP │ │ │ │ XDP │ ││ │
│ │ │ │ └─────────┘ │ │ └─────────┘ ││ │
│ │ │ └─────────────┘ └─────────────┘│ │
│ │ └─────────────────────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────────────┐ │
│ │ PostgreSQL │ │ Observability │ │
│ │ Database │ │ │ │
│ │ │ │ • Prometheus/Grafana │ │
│ │ • Clusters │ │ • ELK Stack │ │
│ │ • Services │ │ • Jaeger Tracing │ │
│ │ • Mappings │ │ • AlertManager │ │
│ │ • Users │ │ • mTLS Metrics │ │
│ │ • Certificates │ │ • Dual Proxy Dashboards│ │
│ │ • Ingress Routes│ │ │ │
│ └─────────────────┘ └─────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
- Configuration Management: Centralized service and mapping configuration
- Multi-Cluster Support: Enterprise cluster isolation with separate API keys
- Authentication Hub: SAML, OAuth2, SCIM integration for enterprise SSO
- License Validation: Real-time license checking with license.penguintech.io
- TLS Certificate Authority: Self-signed CA generation and wildcard certificates
- Web Interface: Modern multi-page dashboard with real-time monitoring
- Multi-Tier Processing: Hardware → XDP → eBPF → Go application logic
- Protocol Support: TCP, UDP, ICMP, HTTP/HTTPS, WebSocket, QUIC/HTTP3
- Enterprise Rate Limiting: XDP-based packet-per-second rate limiting
- Advanced Security: WAF, DDoS protection, circuit breakers
- Zero-Copy Networking: AF_XDP for ultra-low latency packet processing
- Configuration Sync: Hot-reload configuration without connection drops
- Standard Networking: Traditional kernel socket processing (~1 Gbps)
- eBPF Acceleration: Programmable kernel-level packet filtering (~10 Gbps)
- XDP/AF_XDP: Driver-level processing and zero-copy I/O (~40 Gbps)
- DPDK/SR-IOV: Kernel bypass + hardware isolation (~100+ Gbps)
| Feature | Community | Enterprise |
|---|---|---|
| Proxy Instances | Up to 3 total (any combination of ingress/egress) | Unlimited* |
| Clusters | Single default | Multiple with isolation |
| Performance Tier | Standard + eBPF | + XDP/AF_XDP + DPDK |
| Rate Limiting | Basic application-level | + XDP-based HW acceleration |
| Authentication | Basic, 2FA, JWT | + SAML, SCIM, OAuth2 |
| TLS Management | Manual certificates | + Wildcard CA generation |
| Network Acceleration | eBPF fast-path | + SR-IOV, NUMA optimization |
| Web Application Firewall | Basic protection | + Advanced threat detection |
| Monitoring & Analytics | Prometheus metrics | + Advanced dashboards, alerting |
| Centralized Logging | Local logging | + Per-cluster syslog, ELK stack |
| Load Balancing | Round-robin | + Weighted, least-conn, geo-aware |
| Content Processing | Basic compression | + Brotli, Zstandard, smart caching |
| Circuit Breaker | Basic | + Advanced patterns, auto-recovery |
| Distributed Tracing | Basic | + OpenTelemetry integration |
| Support | Community forums | 24/7 enterprise support |
| License | AGPL v3 | Commercial license available |
*Based on license entitlements from license.penguintech.io
Community Edition:
- 3 total proxy instances maximum across all types
- Examples of valid configurations:
- 1 ingress + 2 egress proxies
- 2 ingress + 1 egress proxy
- 3 egress proxies (no ingress)
- 3 ingress proxies (no egress)
- All proxies share the same default cluster
Enterprise Edition:
- Unlimited proxy instances of both types
- Multiple clusters with separate quotas and isolation
- License determines specific limits per deployment
- CPU: 2 cores
- Memory: 4 GB RAM
- Storage: 10 GB available space
- Network: 1 Gbps network interface
- OS: Linux kernel 4.18+ (for eBPF support)
- CPU: 8+ cores
- Memory: 16+ GB RAM
- Storage: 100+ GB SSD
- Network: 10+ Gbps network interface
- OS: Ubuntu 20.04+ or RHEL 8+
curl -sSL https://raw.githubusercontent.com/marchproxy/marchproxy/main/docker-compose.yml | \
docker-compose -f - up -dhelm repo add marchproxy https://charts.marchproxy.io
helm install marchproxy marchproxy/marchproxykubectl apply -f https://github.com/marchproxy/marchproxy/releases/latest/download/operator.yamlCreate a service and mapping:
# Service definition
services:
- name: "web-backend"
ip_fqdn: "backend.internal.com"
collection: "web-services"
auth_type: "jwt"
cluster_id: 1
# Mapping definition
mappings:
- source_services: ["web-frontend"]
dest_services: ["web-backend"]
protocols: ["tcp", "http"]
ports: [80, 443]
auth_required: true
cluster_id: 1# Clone repository
git clone https://github.com/marchproxy/marchproxy.git
cd marchproxy
# Build manager
cd manager
pip install -r requirements.txt
# Build proxy
cd ../proxy
go build -o proxy ./cmd/proxy
# Run tests
cd ..
./test/run_tests.sh --allWe welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
MarchProxy Community Edition is licensed under the GNU Affero General Public License v3.0.
License Highlights:
- Personal & Internal Use: Free under AGPL-3.0
- Commercial Use: Requires commercial license
- SaaS Deployment: Requires commercial license if providing as a service
Companies employing official contributors receive GPL-2.0 access to community features:
- Perpetual for Contributed Versions: GPL-2.0 rights to versions where the employee contributed remain valid permanently, even after the employee leaves the company
- Attribution Required: Employee must be credited in CONTRIBUTORS, AUTHORS, commit history, or release notes
- Future Versions: New versions released after employment ends require standard licensing
- Community Only: Enterprise features still require a commercial license
This exception rewards contributors by providing lasting fair use rights to their employers.
Enterprise features require a commercial license. Contact sales@marchproxy.io for licensing information.
- GitHub Issues: Bug reports and feature requests
- Discussions: Community Q&A and discussions
- 24/7 Support: Emergency response and critical issue resolution
- Professional Services: Implementation assistance and consulting
Made with ❤️ by the MarchProxy team