shade-proxy

version: 1.0.1
created_at: 2025-11-01 00:32:13.864752+00
updated_at: 2025-11-01 00:52:46.082318+00
description: SHADE: Simple Host Attestation & Dynamic Enrollment with TCP proxy
homepage: https://github.com/pbootly/SHADE
repository: https://github.com/pbootly/SHADE
id: 1911068
size: 147,283
author: Matthew Thomas (pbootly)
documentation: https://docs.rs/shade

README

SHADE

Simple Host Attestation & Dynamic Enrollment

SHADE is a generalized proxy for protecting services via simple node attestation using IP addresses. It is managed with a CLI tool to create, add, revoke, and validate certificates.


⚡ Features

  • Generate and manage client keypairs
  • Register keys with optional expiration
  • Revoke keys or certificates
  • Store and validate edge node IPs
  • Transparent TCP proxy with attestation

+-----------------+                                             
|   Client/Edge   |                                             
|   Node          |────────────────────────────────────────────┐
+-----------------+                                            │
          |                                                    │
          |  Register public key                               │
          v                                                    │
+-----------------+                                            │
| SHADE HTTP      |                                            │
| Server          |                                            │
| (Registration & |                                            │
|  Key Storage)   |                                            │
+-----------------+                                            │
          |                                                    │
          |  Stores client IP upon successful registration     │
          v                                                    │
+-----------------+                                            │
| SHADE TCP       |                                            │
| Proxy           |                                            │
| (IP Validation) |◄────────────────IP─────────────────────────┘
+-----------------+                                             
          |                                                     
          |  Allows traffic for registered IP                   
          v                                                     
+-----------------+                                             
| Protected       |                                             
| Service         |                                             
+-----------------+
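The diagram above describes the gate the TCP proxy applies: a peer is forwarded to the protected service only if its source IP was stored at registration time, has not expired and has not been revoked. The following is an added illustration of that decision logic, written here for this page and not taken from SHADE's code base; the names (HostRegistry, HostEntry, Decision, run_proxy) and the Unix-seconds expiry representation are assumptions, and it uses only the Rust standard library so it runs stand-alone.

```rust
// Added example (not SHADE's own code): a minimal model of the IP-attestation
// gate that sits in front of the protected service. Type and function names
// are assumptions chosen for illustration.
use std::collections::HashMap;
use std::io;
use std::net::{IpAddr, SocketAddr, TcpListener, TcpStream};
use std::thread;

/// One registered edge node, keyed by the IP stored at registration time.
#[derive(Debug, Clone)]
pub struct HostEntry {
    pub id: u64,
    pub expires_at: Option<u64>, // Unix seconds; None = no expiry
    pub revoked: bool,
}

/// Why a connection was accepted or refused.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Unregistered,
    Expired,
    Revoked,
}

#[derive(Default)]
pub struct HostRegistry {
    next_id: u64,
    hosts: HashMap<IpAddr, HostEntry>,
}

impl HostRegistry {
    /// Store the client IP, as the registration server would after a valid
    /// registration. Returns the new entry id. Re-registering an IP replaces
    /// the old entry: revocation is tied to the id, not to the address.
    pub fn register(&mut self, ip: IpAddr, expires_at: Option<u64>) -> u64 {
        self.next_id += 1;
        let id = self.next_id;
        self.hosts.insert(ip, HostEntry { id, expires_at, revoked: false });
        id
    }

    /// Revoke by id; returns false if no entry has that id.
    pub fn revoke(&mut self, id: u64) -> bool {
        match self.hosts.values_mut().find(|h| h.id == id) {
            Some(h) => { h.revoked = true; true }
            None => false,
        }
    }

    /// The proxy's decision for a peer IP at time `now` (Unix seconds).
    /// Revocation is checked before expiry so a revoked entry never reads as
    /// merely "expired".
    pub fn check(&self, peer: IpAddr, now: u64) -> Decision {
        match self.hosts.get(&peer) {
            None => Decision::Unregistered,
            Some(h) if h.revoked => Decision::Revoked,
            Some(h) => match h.expires_at {
                Some(exp) if now >= exp => Decision::Expired,
                _ => Decision::Allow,
            },
        }
    }
}

fn unix_now() -> u64 {
    std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_secs())
        .unwrap_or(0)
}

/// Copy bytes in both directions until either side closes.
fn pipe(a: TcpStream, b: TcpStream) -> io::Result<()> {
    let (mut a_r, mut b_w) = (a.try_clone()?, b.try_clone()?);
    let (mut b_r, mut a_w) = (b, a);
    let t = thread::spawn(move || io::copy(&mut a_r, &mut b_w).map(|_| ()));
    io::copy(&mut b_r, &mut a_w)?;
    t.join().unwrap_or(Ok(()))
}

/// Accept loop: the registry is consulted with the peer's IP before any
/// upstream connection is opened, so unattested peers never reach the service.
pub fn run_proxy(listen: SocketAddr, upstream: SocketAddr, registry: HostRegistry) -> io::Result<()> {
    let listener = TcpListener::bind(listen)?;
    for conn in listener.incoming() {
        let client = conn?;
        let peer = client.peer_addr()?;
        match registry.check(peer.ip(), unix_now()) {
            Decision::Allow => {
                let server = TcpStream::connect(upstream)?;
                thread::spawn(move || { let _ = pipe(client, server); });
            }
            other => {
                eprintln!("refused {}: {:?}", peer, other); // audit trail for refusals
                drop(client);
            }
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Constructed sample: only loopback is registered, valid for one hour,
    // listening on 4000 and forwarding to a service on 3000 (assumed ports).
    let mut registry = HostRegistry::default();
    registry.register("127.0.0.1".parse().unwrap(), Some(unix_now() + 3600));
    run_proxy("127.0.0.1:4000".parse().unwrap(), "127.0.0.1:3000".parse().unwrap(), registry)
}
```

The ordering inside `check` is the part worth keeping in mind when reviewing any IP-attestation gate: revocation must win over every other state, and expiry is compared against the clock the proxy itself reads, not one the client supplies.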

Installation & Usage

Start the server

By default, shade-proxy server runs for testing on 127.0.0.1 using the default configuration:

shade-proxy server

For production, specify a configuration file with the -c flag:

shade-proxy -c example_config.yaml server

Key registration

Generate a client keypair (with access to shade socket):

shade-proxy gen-keys

Register the keypair (with access to shade socket):

shade-proxy register-key --private-key "K4H8FURo0WnWM24y3I5sSN+0aECmS1CceK2i8PACeyE="

Optionally, add expiration date:

shade-proxy register-key --private-key "K4H8FURo0WnWM24y3I5sSN+0aECmS1CceK2i8PACeyE=" --expires-at "2025-12-31T23:59:59Z"

Host registration

On an edge node, register the host:

shade-proxy register-host --public-key "hUQ1JHW1noXPZKXHidDgikT4iWC1/wEj+LR8gAPYGgE="

Administrative commands

  • List registered certificates:
    shade-proxy list-keys
  • Revoke a certificate:
    shade-proxy revoke-cert --id "<UUID>"
  • Validate configuration:
    shade-proxy validate

E2E demo (e2e.sh)

#!/usr/bin/env bash
set -euo pipefail

fail() { echo "$1"; exit 1; }

# Build the SHADE binary
cargo build || fail "Build failed"

SHADE="shade-proxy -c ./example_config.yaml"

# Generate a keypair
keys=$($SHADE gen-keys)
public_key=$(echo "$keys" | jq -r .public)
private_key=$(echo "$keys" | jq -r .private)

# Register the private key
$SHADE register-key --private-key "$private_key"

# List keys
$SHADE list-keys

# Register host
$SHADE register-host --public-key "$public_key" --url "http://localhost:3000"

# List hosts
$SHADE list-hosts