A lightweight, production-ready security middleware for Go applications — protecting your real servers behind a smart proxy with rate limiting, bot detection, brute force protection, and more.
| | Feature | Description |
|---|---|---|
| 🔁 | Reverse Proxy | Transparent upstream redirection with full control |
| 🤖 | Bot Detection | Identify and block automated traffic |
| 🔐 | Brute Force Protection | Prevent credential stuffing and login attacks |
| 🚦 | Rate Limiting | Strict per-API and per-endpoint request throttling |
| ✅ | Method Validation | Reject invalid or unexpected HTTP methods |
| 🌐 | IP Blocking | Block malicious or unwanted IP addresses |
| 🔑 | Authorization Checks | Enforce auth rules at the middleware level |
| 🍪 | Cookie Blocking | Intercept and block unwanted cookies |
| 🛑 | API Misuse Prevention | Detect and halt abusive API usage patterns |
| 📦 | Upstream Redirection | Route traffic to backend services seamlessly |
The middleware sits between the public internet and your real server. Only the public proxy is exposed; the private server's address never appears in any public route, redirect or response. Hiding the URL is not a security boundary on its own, though: the private server should also accept connections only from the proxy (a private network, a firewall rule or mutual TLS), so that a leaked or guessed upstream address still cannot be reached directly.
```text
Attacker / Client
        │
        ▼
┌─────────────────────┐
│ Public Server       │ ← Rate limited, validated, protected
│ api.example.com     │
└────────┬────────────┘
         │ Only valid, trusted requests pass through
         ▼
┌─────────────────────┐
│ Private Server      │ ← Real data, hidden URL, never exposed
│ internal_server/    │
└─────────────────────┘
```

🔒 The attacker only ever sees `https://server.com/api/get/user`, never `https://private_server.com/get/user`.
```text
open-source/
├── middleware/   # Core middleware logic
├── .gitignore
└── README.md
```

Requirements: Go v1.21+

```bash
git clone https://github.com/seriouscodehere/open-source.git
cd open-source/middleware
go mod tidy
go run main.go
```

⚙️ Full configuration options are documented in `middleware/README.md`.
Public APIs like `https://server.com/api/get/user` map to completely different private routes like `https://private_server.com/get/user`. The mapping lives only in the proxy's configuration, so nothing in a public URL or response reveals the real endpoint, and only routes that are explicitly mapped are forwarded at all; anything else is rejected at the proxy.
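The following is an added example of that route-mapping idea, written for this page with the Go standard library's `httputil.ReverseProxy`; it is not the project's own code. The public-to-private path table, the upstream address `127.0.0.1:9000`, the listen port and the stripped response headers are assumptions chosen for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// RouteMap maps the public path a client sees to the path on the private
// server. The private host itself never appears in a public URL.
// These routes are assumed for the example, not the project's configuration.
var RouteMap = map[string]string{
	"/api/get/user":   "/get/user",
	"/api/list/items": "/items",
}

// ResolvePrivatePath returns the upstream path for a public path. Only exact,
// explicitly listed public routes are accepted; everything else is refused
// before it can reach the private server.
func ResolvePrivatePath(publicPath string) (string, bool) {
	// Tolerate a trailing slash so "/api/get/user/" still matches.
	private, ok := RouteMap[strings.TrimSuffix(publicPath, "/")]
	return private, ok
}

// NewHiddenProxy builds a handler that forwards only mapped routes to
// upstream, rewrites the path, and removes headers that would identify the
// private server in the response.
func NewHiddenProxy(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r) // points the outbound request at upstream's scheme and host
		private, _ := ResolvePrivatePath(r.URL.Path)
		r.URL.Path = private
		r.URL.RawPath = ""
		r.Host = upstream.Host
	}
	proxy.ModifyResponse = func(resp *http.Response) error {
		// Do not leak the upstream software's identity to the client.
		resp.Header.Del("Server")
		resp.Header.Del("X-Powered-By")
		return nil
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := ResolvePrivatePath(r.URL.Path); !ok {
			http.NotFound(w, r) // unmapped paths never touch the private server
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed private server address; in practice it should be reachable
	// only from this proxy.
	upstream, err := url.Parse("http://127.0.0.1:9000")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", NewHiddenProxy(upstream)))
}
```

The deny-by-default check in the outer handler is the important part: a proxy that forwards every path and merely prefixes it would expose the whole private API under the public host.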
Blocked IPs are stored in JSON files for long-term tracking, including which IPs are blocked most frequently and which regions they originate from.
Whitelist specific IPs for sensitive routes such as admin dashboards and internal APIs. Even if an admin route gets leaked, requests from IPs outside the whitelist are rejected. The check has to use the client address from the TCP connection (or from a header set by a proxy you control), never a client-supplied `X-Forwarded-For`, which an attacker can set to any whitelisted value.
Enforce an exact header and body structure on every request before it reaches the private server: required headers, allowed fields and body-format validation, all configurable per route.
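As an added example covering both the per-route IP whitelist and the header/body validation above (written for this page, not the project's code), the block below defines a small per-route policy and an `Enforce` wrapper. The struct fields, the path table, the 64 KiB body limit and the sample routes are assumptions for illustration; the project's real configuration schema is in `middleware/README.md`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"net"
	"net/http"
)

// RoutePolicy is the rule set enforced for one route before forwarding.
// Field names are assumptions for this example, not the project's schema.
type RoutePolicy struct {
	AllowedCIDRs    []string        // empty means any source address
	RequiredHeaders []string        // each must be present and non-empty
	AllowedFields   map[string]bool // allowed top-level JSON keys; nil skips the body check
}

// maxBody bounds how much of a request body is read for validation (assumed limit).
const maxBody = 64 << 10

// clientIP takes the peer address from the connection. X-Forwarded-For is
// ignored on purpose: a client can set it freely, so honouring it would let
// an attacker claim a whitelisted address.
func clientIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

func ipAllowed(ip net.IP, cidrs []string) bool {
	if len(cidrs) == 0 {
		return true
	}
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Check validates r against p. It returns the HTTP status to send on failure
// and a short reason; a status of 0 means the request may be forwarded.
func (p RoutePolicy) Check(r *http.Request) (int, string) {
	if !ipAllowed(clientIP(r), p.AllowedCIDRs) {
		return http.StatusForbidden, "source address not whitelisted"
	}
	for _, h := range p.RequiredHeaders {
		if r.Header.Get(h) == "" {
			return http.StatusBadRequest, "missing required header " + h
		}
	}
	if p.AllowedFields != nil {
		data, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || len(data) > maxBody {
			return http.StatusRequestEntityTooLarge, "body too large or unreadable"
		}
		var body map[string]json.RawMessage
		if err := json.Unmarshal(data, &body); err != nil {
			return http.StatusBadRequest, "body is not a JSON object"
		}
		for k := range body {
			if !p.AllowedFields[k] {
				return http.StatusBadRequest, "unexpected body field " + k
			}
		}
		// Hand the validated bytes on to the next handler unchanged.
		r.Body = io.NopCloser(bytes.NewReader(data))
	}
	return 0, ""
}

// Enforce applies the policy for the exact request path; paths with no policy
// are rejected rather than forwarded.
func Enforce(policies map[string]RoutePolicy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := policies[r.URL.Path]
		if !ok {
			http.NotFound(w, r)
			return
		}
		if status, reason := p.Check(r); status != 0 {
			http.Error(w, reason, status)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Rejecting unknown fields rather than silently dropping them is what makes the body check useful against mass-assignment style misuse: a request that adds `"role":"admin"` to a user lookup is refused at the proxy instead of being passed on for the private server to interpret.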
Contributions are welcome and appreciated!
- Fork the repository
- Create a new branch: `git checkout -b feature/your-feature`
- Commit your changes: `git commit -m 'Add your feature'`
- Push to the branch: `git push origin feature/your-feature`
- Open a Pull Request
Please make sure your code follows the existing style and includes relevant comments.
This project is open source and available under the MIT License.
If this project helped you, please consider giving it a ⭐ on GitHub — it means a lot!
Built with ❤️ by Sraraa