Production-grade L3/L4/L7 reverse proxy in Go. Built for game server infrastructure — DDoS protection, protocol validation, bandwidth quotas, and a full REST API.
RouteX fills the gap between HAProxy's complexity and Nginx's limitations — purpose-built for game servers, DDoS protection, and modern API-driven infrastructure.
| Feature | RouteX | HAProxy | Traefik | Caddy |
|---|---|---|---|---|
| Layer | L3/L4/L7 | L4/L7 | L7 | L7 |
| UDP Proxying | ✅ Native | ✅ | ❌ | |
| Game Protocol Detection | ✅ MC Java/Bedrock, FiveM, GMod | ❌ | ❌ | ❌ |
| L7 Behavioral Scoring | ✅ Auto-ban by threat score | ❌ | ❌ | ❌ |
| Connection Cycling Detection | ✅ Sliding window per IP | ❌ | ❌ | ❌ |
| iptables Rate Limiting | ✅ Kernel-level PPS/SYN/RST/connlimit | ❌ L7 only | ❌ | ❌ |
| Bandwidth Quotas | ✅ Hourly/Daily/Weekly/Monthly | ❌ | ❌ | ❌ |
| ACL (Whitelist/Blacklist) | ✅ Global + Per-proxy, live API | ✅ Extensive | ✅ Middleware | ❌ |
| Load Balancing | ✅ 5 algorithms | ✅ 10+ algorithms | ✅ Round-robin | ✅ Round-robin |
| Health Checks | ✅ Active TCP probes | ✅ Active + Passive | ✅ | ✅ |
| Metrics Format | Prometheus + InfluxDB + CSV + JSON | Prometheus (exporter) | Prometheus + OTEL | Prometheus |
| REST API | ✅ 46+ endpoints, API-key auth, dashboard-ready | ✅ Dashboard | ✅ Admin API | |
| YAML Config | ✅ Simple, flat structure | Custom DSL | YAML/TOML/KV | Caddyfile/JSON |
| Hot Reload | ✅ Per-proxy, zero downtime | ✅ | ✅ Graceful | |
| TLS Termination | ✅ Full | ✅ Auto Let's Encrypt | ✅ Auto Let's Encrypt | |
| HTTP L7 Routing | ❌ L4 only | ✅ Full | ✅ Full | ✅ Full |
| PROXY Protocol | ❌ | ✅ | ✅ | ✅ |
| DNS-based Discovery | ❌ | ✅ | ✅ Docker/Swarm/K8s | ❌ |
| Web UI | ❌ REST API only | ✅ Stats page | ✅ Dashboard | ❌ |
| Let's Encrypt | ❌ | ❌ | ✅ | ✅ Auto |
| Maturity | New (2026) | 20+ years | 9 years | 10 years |
| Best For | Game servers, DDoS protection, API-driven infra | HTTP-heavy, enterprise | Cloud-native, containers | Simple web servers |
✅ Game server hosting — built-in Minecraft/FiveM/GMod protocol validation catches bot attacks that generic proxies miss.
✅ DDoS mitigation — layered defense: iptables drops volumetrics at kernel level, L7 catches slow/app-layer attacks.
✅ API-driven infrastructure — 46+ REST endpoints for full programmatic control, including proxy CRUD, live stats, and historical time-series for building dashboards. No config file editing needed at runtime.
✅ Bandwidth-constrained environments — enforce hourly/daily/monthly quotas with auto-suspension. Perfect for metered hosting.
❌ HTTP/HTTPS web servers — use Caddy (simple) or Nginx. RouteX is L4, it doesn't parse HTTP.
❌ Kubernetes ingress — use Traefik. RouteX doesn't have native K8s service discovery.
❌ Enterprise HTTP routing — use HAProxy. RouteX doesn't do header rewriting, cookie persistence, or URL-based routing.
```bash
git clone https://github.com/AnAverageBeing/RouteX-Reverse-Proxy.git
cd RouteX-Reverse-Proxy
make build
make run
```

```bash
# Health check (no auth)
curl http://localhost:9000/api/health
# List proxies (needs API key)
curl -H "X-API-Key: pk_admin_xxxxxxxxxxxx" http://localhost:9000/api/proxies
# Prometheus metrics
curl -H "X-API-Key: pk_admin_xxxxxxxxxxxx" "http://localhost:9000/metrics?format=prometheus"
```

Full documentation: anaveragebeing.github.io/pingless-studios-docs/routex/

| Section | Description |
|---|---|
| Getting Started | Overview, installation, quick start, FAQ |
| Global Config | Every global setting explained |
| Proxy Config | Every per-proxy field with use cases |
| API Reference | All 46+ endpoints documented |
| API.md (in repo) | Complete REST API reference with request/response examples |
1. Global ACL ──► 2. Per-Proxy ACL ──► 3. iptables Rate Limits ──► 4. L7 Engine ──► 5. Bandwidth Quota
| Layer | Type | Where | What It Catches |
|---|---|---|---|
| Global ACL | IP allow/deny | Go | Known bad IPs before any proxy |
| Per-Proxy ACL | IP allow/deny | Go | Service-specific access control |
| TCP/UDP PPS | Packet rate | iptables | Volumetric floods |
| SYN Rate | Connection rate | iptables | SYN floods |
| Connlimit | Connection count | iptables | Connection exhaustion |
| Fragment Drop | Packet filter | iptables | Teardrop/fragmentation attacks |
| Invalid TCP State | State filter | iptables | Spoofed/blind attacks |
| TTL/Packet Size | Packet filter | iptables | Anomalous packet detection |
| Slow Connection | Handshake timeout | Go L7 | Slowloris, R.U.D.Y. |
| Payload Rate Limit | Token bucket | Go L7 | App-layer floods after accept |
| Connection Cycling | Sliding window | Go L7 | Rapid open/close abuse |
| Payload Inspection | Byte matching | Go L7 | Invalid game protocol handshakes |
| Amplification | Ratio check | Go L7 | DNS/NTP reflection |
| Behavioral Scoring | Per-IP scoring | Go L7 | Multi-vector coordinated attacks |
| Bandwidth Quota | Byte counting | Go | Usage overage, cost control |
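
The Payload Inspection row for Minecraft Java comes down to checking that a client's first packet parses as a Java Edition handshake. The following Go code is an added example, not RouteX's own implementation; `ValidateHandshake`, the 255-byte address cap and the sample bytes are assumptions of this example.

```go
package main

import "fmt"

// readVarInt decodes a protocol VarInt: 7 data bits per byte, at most 5 bytes.
func readVarInt(b []byte) (int32, int, bool) {
	var u uint32
	for n := 0; n < len(b) && n < 5; n++ {
		u |= uint32(b[n]&0x7F) << (7 * uint(n))
		if b[n]&0x80 == 0 {
			return int32(u), n + 1, true
		}
	}
	return 0, 0, false // truncated, or longer than 5 bytes
}

// ValidateHandshake checks the first buffered bytes of a connection. Bytes after
// the handshake packet are allowed: clients often send the next packet with it.
func ValidateHandshake(b []byte) error {
	plen, n, ok := readVarInt(b)
	if !ok || plen < 1 || int(plen) > len(b)-n {
		return fmt.Errorf("handshake: bad length prefix")
	}
	p := b[n : n+int(plen)]
	next := func() (int32, bool) { // consume one VarInt from the packet body
		v, k, ok := readVarInt(p)
		p = p[k:]
		return v, ok
	}
	id, ok1 := next()
	_, ok2 := next() // protocol version: any number is accepted here
	if !ok1 || !ok2 || id != 0x00 {
		return fmt.Errorf("handshake: bad packet id or protocol version")
	}
	alen, ok := next()
	if !ok || alen < 1 || alen > 255 || int(alen)+2 > len(p) {
		return fmt.Errorf("handshake: bad server address or port")
	}
	p = p[int(alen)+2:] // skip the address bytes and the uint16 port
	if state, ok := next(); !ok || state < 1 || state > 3 || len(p) != 0 {
		return fmt.Errorf("handshake: bad next state") // 1 status, 2 login, 3 transfer
	}
	return nil
}

func main() {
	// Constructed sample: protocol 767, host mc.example.test, port 25565, login.
	pkt := append([]byte{0x16, 0x00, 0xFF, 0x05, 0x0F}, "mc.example.test\x63\xDD\x02"...)
	fmt.Println(ValidateHandshake(pkt), ValidateHandshake([]byte("GET / HTTP/1.1\r\n")))
}
```

A partial first read fails the length check, so the caller should keep buffering until the declared length arrives or the handshake timeout fires.
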
| Algorithm | Best For |
|---|---|
| Round-Robin | Simple, predictable distribution |
| Least-Conn | Long-lived connections (game servers) |
| IP-Hash | Stable session affinity |
| Weighted | Heterogeneous backends |
| Random | Basic load spreading |
- Prometheus, InfluxDB, CSV, JSON — all from one `/metrics` endpoint
- SQLite persistence with configurable retention
- Per-connection access logging (accept, close, bytes, duration)
- L7 event stream — queryable via API with search and limits
Full CRUD for proxies (create/update/delete/enable/disable via API), upstreams, ACL rules, iptables rules, L7 bans, bandwidth, and system config. Live + historical (SQLite-backed) per-proxy stats, a one-call /api/overview for dashboard landing pages, and API-key authentication with scoped permissions.
📖 Full endpoint reference with examples: docs/API.md
```bash
# Automated (recommended)
sudo bash install.sh /opt/routex
```

Supports: Debian, Ubuntu, RHEL, CentOS, Rocky, Alma, Fedora, Amazon Linux, Arch, Manjaro, Alpine.

Installs: System dependencies → Go 1.22+ → Builds binary → systemd service → Firewall check.
RouteX uses a simple flat YAML structure. No nested wrappers, no confusing indirection.
```yaml
# configs/proxies/minimal.yaml
name: "my-tcp-proxy"
enabled: true
origin-ip: "0.0.0.0"
origin-port: "8080"
dest-ip: "10.0.0.1"
dest-port: "9090"
protocol: "tcp"
one-to-one: true
```

```yaml
name: "minecraft-main"
enabled: true
origin-ip: "0.0.0.0"
origin-port: "25565:25575"
dest-ip: "10.0.0.1, 10.0.0.2"
dest-port: "35565:35575"
one-to-one: true
protocol: "tcp-udp"
load_balancing:
  algorithm: "least-conn"
  sticky_sessions: true
  sticky_ttl: 3600
rate_limits:
  tcp_pps_per_ip: 500
  new_conns_per_sec_per_ip: 20
  max_simultaneous_conns_per_ip: 10
  drop_fragmented_packets: true
  tcp_syn_rate_per_ip: 10
  tcp_invalid_state_drop: true
l7_protection:
  enabled: true
  payload_inspection:
    enabled: true
    mode: "minecraft-java"
  behavioral_scoring:
    enabled: true
    ban_threshold: 100
    ban_duration: 300s
acl:
  default_action: "allow"
  rules:
    - action: "deny"
      cidr: "10.0.0.0/8"
bandwidth:
  enabled: true
  daily_limit: 107374182400
  suspend_on_limit: true
```

```
RouteX/
├── cmd/routex/main.go          # Entry point
├── configs/
│   ├── global.yaml             # Cross-cutting settings
│   └── proxies/                # One file per proxy instance
├── internal/
│   ├── acl/                    # IP whitelist/blacklist engine
│   ├── api/                    # Chi router, middleware, 36 endpoints
│   ├── bandwidth/              # Tracker + quota management
│   ├── config/                 # YAML loading, validation, file watcher
│   ├── health/                 # Active TCP probes
│   ├── iptables/               # Rule builder, validator, manager
│   ├── l7/                     # Protocol detection, token bucket, scoring
│   ├── lb/                     # 5 algorithms, sticky sessions
│   ├── metrics/                # SQLite store, collector, multi-format API
│   └── proxy/                  # TCP/UDP engines, port mapping, draining
├── .github/                    # Issue templates, PR template
├── LICENSE                     # MIT
├── CONTRIBUTING.md             # Development guide
├── SECURITY.md                 # Vulnerability reporting
├── CODE_OF_CONDUCT.md          # Community standards
├── Makefile
└── README.md
```
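
How the `behavioral_scoring` settings in the example config (`ban_threshold: 100`, `ban_duration: 300s`) can combine with the sliding-window connection-cycling check from the defense table, as an added Go example that is not RouteX's own code. The `Scorer` type, the 10-second window, the 5-close limit and the 25-point penalty are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

const (
	window       = 10 * time.Second  // cycling window (assumed)
	maxCycles    = 5                 // closes tolerated per window (assumed)
	cyclePoints  = 25                // score per excess close (assumed)
	banThreshold = 100               // ban_threshold in the config above
	banDuration  = 300 * time.Second // ban_duration in the config above
)

type ipState struct {
	closes []time.Time // recent close times, oldest first
	score  int
	until  time.Time // ban expiry
}

// Scorer is per-IP state shared by all detectors; not goroutine-safe, guard it with a mutex.
type Scorer map[string]ipState

// Report adds points for ip, plus cyclePoints when a close pushes the sliding
// window over maxCycles, and returns true while ip is banned.
func (s Scorer) Report(ip string, points int, closed bool, now time.Time) bool {
	st := s[ip] // zero value for an IP seen for the first time
	if closed {
		for len(st.closes) > 0 && now.Sub(st.closes[0]) >= window {
			st.closes = st.closes[1:] // slide: drop closes older than the window
		}
		if st.closes = append(st.closes, now); len(st.closes) > maxCycles {
			points += cyclePoints
		}
	}
	if st.score += points; st.score >= banThreshold {
		st.score, st.until = 0, now.Add(banDuration)
	}
	s[ip] = st
	return now.Before(st.until)
}

func main() {
	s, t0 := Scorer{}, time.Unix(0, 0)
	for i := 0; i < 10; i++ { // constructed timeline: one close every 100 ms
		fmt.Println(i+1, s.Report("192.0.2.10", 0, true, t0.Add(time.Duration(i)*100*time.Millisecond)))
	}
}
```

Other detectors feed the same score through `points`, which is how several individually tolerable signals from one IP add up to a ban.
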
- Documentation: pingless-studios-docs/routex
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Discord: PingLess Studios
- Security: See SECURITY.md
Made with ❤️ by PingLess Studios