Flow-based. Event-driven. Rust-native.
Like a dandelion carried by the wind, it follows direction yet defines its own.
Vane is a high-performance, flow-based network protocol engine written in Rust. It is designed to bridge the architectural gap between raw transport layer (L4) forwarding and complex application layer (L7) processing. Unlike traditional proxies that rely on static hierarchical configurations, Vane utilizes a dynamic, composable pipeline architecture that treats network connections as programmable flows.
Vane operates as a protocol funnel—connections enter at L4 (TCP/UDP), optionally pass through L4+ (TLS/QUIC inspection), and can terminate at any layer based on runtime flow decisions. HTTP is the primary application protocol at L7, with full support for HTTP/1.1, HTTP/2, HTTP/3, and WebSocket. The architecture is designed for extensibility to additional application protocols.
Vane abandons the traditional "virtual host" configuration model in favor of a decision-tree architecture known as the Flow Engine. Every connection operates within a pipeline composed of two distinct plugin types:
- Middleware: Intermediate logic units that inspect traffic, modify state, or perform side effects (e.g., protocol detection, rate limiting, variable injection). Middleware can branch execution paths based on runtime logic.
- Terminators: Final execution units that decide the fate of a connection (e.g., proxy to an upstream target, abort connection, or upgrade to a higher protocol layer).
Vane manages network traffic across three strictly defined architectural layers, allowing for precise control over the depth of packet inspection:
- L4 (Transport): Handles raw TCP streams and UDP datagrams. It provides high-performance switching based on IP stickiness, load balancing, and connection metadata.
- L4+ (Carrier): A specialized layer that handles encrypted protocols (TLS, QUIC). It can operate in two modes: transparent routing by extracting SNI, ALPN, and Connection IDs for passthrough forwarding, or full protocol termination to expose plaintext streams to L7.
- L7 (Application): The fully terminated layer where Vane acts as an HTTP server (HTTP/1.1, HTTP/2, HTTP/3). Here, the system utilizes a unified "Container" model to manipulate headers, bodies, and payloads using a full-duplex streaming engine.
“Two-Phase” in Vane is layer-dependent, not a single global mechanism.
- L4 (Transport): No Two-Phase model. Traffic is handled with single-pass, stateless forwarding and flow decisions.
- L4+ (Carrier): Two-Phase refers to UDP/QUIC fast–slow path separation. Initial packets go through deep inspection and routing (slow path). Once a session is established, subsequent packets are forwarded in O(1) via CID and IP stickiness (fast path).
- L7 (Application): Two-Phase represents a split request lifecycle. Upstream fetching is implemented as a terminator that decouples client and upstream protocols, enabling full-duplex HTTP any-to-any bridging (H1↔H2↔H3) with independent protocol negotiation on each side.
Traditional proxies are configured; Vane is programmed. Through its plugin system, Vane allows administrators to define logic flows (e.g., "If protocol is HTTP and source IP is X, then rate limit, otherwise upgrade to HTTP/3"). This logic is defined in declarative JSON, YAML, or TOML, but executes with the speed of compiled Rust code.
Vane provides a selectively extensible plugin model aligned with its Flow Engine architecture.
- Middleware (Extensible): Middleware is fully programmable and user-definable. It can be implemented internally for zero-latency execution or externally via HTTP webhooks, Unix Domain Sockets, or external binaries/scripts (Lua, Python, Bash, etc.). This enables custom logic such as authentication, policy decisions, logging, and dynamic flow control without recompiling the core.
- Terminators (Built-in Only): Terminators are tightly bound to physical network operations (proxying, protocol upgrades, connection termination). Due to their direct interaction with the data plane, they are currently provided only as built-in implementations and cannot be externalized.
Unlike proxies that treat UDP as a second-class citizen, Vane features a dedicated QUIC Carrier Engine. It includes custom virtual sockets, stream reassembly logic, and a specialized Muxer that allows the system to accept raw UDP packets, identify them as QUIC, and seamlessly transition them into a structured HTTP/3 application stream without losing context or performance.
- Zero-Copy Architecture: The internal data plane heavily utilizes Rust's ownership model and
Bytesabstractions to pass data between network layers without unnecessary memory allocation. On-demand extraction ensures that request headers and bodies are only loaded into memory when explicitly accessed via template resolution. - Full-Duplex Streaming: The upstream drivers are architected to handle large-scale data transfer (e.g., multi-gigabyte streams) asynchronously. Request and response paths are decoupled, preventing head-of-line blocking and deadlocks common in synchronous proxy implementations.
- Cross-Layer Context Continuity: Vane maintains a unified key–value context that persists across L4, L4+, and L7. Connection metadata such as source IP/port, transport details, and handshake-derived attributes are propagated upward and remain accessible at higher layers. This allows L7 template rendering (
{{ ... }}) and middleware logic to reference low-level connection and protocol state without re-parsing or breaking layer boundaries. - Stateful L4+ Routing: Vane can route encrypted traffic without terminating the secure session. At the L4+ layer, it routes TLS connections based on SNI and ALPN, and QUIC connections based on SNI by parsing ClientHello metadata, enabling certificate-less, zero-trust routing decisions.
- Hot-Swappable Configuration: All layers of the stack—from L4 listeners and TLS certificates to L7 application pipelines—support runtime reconfiguration. The system employs a "Keep-Last-Known-Good" strategy to ensure stability during updates.
MIT License © 2025 Canmi
✦ Polygon / Ethereum: 0x35D143d9DC624feC921a3925Fa84dea9d1DfDCAe
If you found this project helpful, consider supporting domain & server maintenance.