Synapse
Synapse is a high-performance reverse proxy and firewall built with Rust, featuring:
- XDP-based packet filtering for ultra-low latency protection at kernel level
- Multi-backend firewall with automatic fallback (XDP > nftables > iptables > userland)
- Dynamic access rules with automatic updates from Gen0Sec API
- JA4+ fingerprinting complete suite: JA4, JA4H, JA4T, JA4L, JA4S, JA4X
- Automatic TLS certificate management with ACME/Let's Encrypt (HTTP-01 and DNS-01)
- Threat intelligence integration with Gen0Sec API and Threat MMDB
- Content scanning with ClamAV integration for malware detection
- Advanced upstream routing with service discovery (file, Consul, Kubernetes)
- Weighted load balancing with hot-reloadable configuration
Linux Only
Synapse requires Linux with kernel 4.18+ and XDP/BPF support.
Quick Start
```sh
# Ubuntu install
curl -fSL https://raw.githubusercontent.com/gen0sec/synapse/refs/heads/main/install.sh | sh

# Run with config file
synapse -c /etc/synapse/config.yaml

# Set mode via environment variable (default: agent)
export MODE="proxy" # or "agent"
```
Modes
Synapse runs in two modes: Agent (default) and Proxy.
| Feature | Proxy | Agent |
|---|---|---|
| HTTP/HTTPS Reverse Proxy | Yes | No |
| TLS & ACME Certificates | Yes | No |
| Upstreams & Load Balancing | Yes | No |
| WAF, Rate Limiting, CAPTCHA | Yes | No |
| Content Scanning (ClamAV) | Yes | No |
| XDP Firewall & Access Rules | Yes | Yes |
| Threat Intelligence & GeoIP | Yes | Yes |
| JA4+ Fingerprinting | Full | Network-level |
| BPF Stats & TCP Fingerprinting | Yes | Yes |
| File/Syslog Logging | Yes | Yes |
Detailed Feature Comparison
| Feature | Proxy Mode | Agent Mode |
|---|---|---|
| HTTP/HTTPS Reverse Proxy | Full support | Not available |
| TLS Certificate Management | ACME & custom certificates | Not available |
| Upstreams & Load Balancing | File, Consul, Kubernetes | Not available |
| Hot-reloadable Upstreams | Zero-downtime updates | Not available |
| XDP Packet Filtering | Kernel-level filtering | Kernel-level filtering |
| Multi-Backend Firewall | XDP/nftables/iptables/userland | XDP/nftables/iptables/userland |
| Access Rules Enforcement | IP allow/block lists | IP allow/block lists |
| Dynamic Access Rules | Auto-updates from Gen0Sec API | Auto-updates from Gen0Sec API |
| BPF Statistics Collection | Packet processing metrics (XDP only) | Packet processing metrics (XDP only) |
| TCP Fingerprinting | SYN packet analysis | SYN packet analysis |
| JA4+ Fingerprinting | JA4, JA4H, JA4T, JA4L, JA4S, JA4X | JA4T, JA4L (network-level) |
| Wirefilter Expressions (WAF) | Advanced request filtering | Not available |
| Rate Limiting | Per-rule rate limits | Not available |
| Content Scanning (ClamAV) | Malware detection | Not available |
| CAPTCHA Protection | hCaptcha, reCAPTCHA, Turnstile | Not available |
| Threat Intelligence | Real-time MMDB + HTTP-level | Smart Lists (network-level) |
| GeoIP Databases | Country, ASN, City lookups | Via Smart Lists only |
| Redis Caching | Certificates, threat intel, validation | Not available |
| Access Log Sending | To Gen0Sec API | Not available |
| File/Syslog Logging | Rotating logs | Rotating logs |
| Multiple Network Interfaces | High availability setups | High availability setups |
Features
Multi-backend Firewall
- Automatic fallback - XDP/BPF > nftables > iptables > userland
- Dynamic access rules - Allow/block lists auto-updated from Gen0Sec API
- BPF map enforcement - Rules enforced at kernel level via XDP
- IPv4/IPv6 dual-stack - Separate rule sets, zero-downtime updates
- BPF statistics - Packet counters, dropped IP tracking (XDP only)
Threat Intelligence
- IP reputation scoring - Automatic scoring via Gen0Sec API
- Threat MMDB - Local MaxMind database for offline lookups (auto-updated)
- GeoIP MMDB - Country, ASN, and city-level geolocation (auto-updated)
- Bot detection - Advanced detection and mitigation
- Redis caching - Cached threat data for performance
JA4+ Fingerprinting
- JA4 - TLS client fingerprinting from ClientHello
- JA4H - HTTP header fingerprinting
- JA4T - TCP fingerprinting from SYN packet options
- JA4L - Latency fingerprinting from packet timing
- JA4S - TLS server fingerprinting from ServerHello
- JA4X - X.509 certificate fingerprinting
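To make the JA4T item concrete, the sketch below derives a JA4T-style string (`window_options_mss_wscale`) from the raw TCP header of a SYN. It is an added example, not Synapse's own code: `ja4t_from_syn` and `sample_syn` are hypothetical names, the packet bytes are constructed, and rendering an absent field as `00` is an assumption.

```rust
/// Build a JA4T-style string from a raw TCP header; None unless it is a well-formed client SYN.
fn ja4t_from_syn(tcp: &[u8]) -> Option<String> {
    if tcp.len() < 20 { return None; }
    // SYN set and ACK clear: the client side of the handshake only.
    if tcp[13] & 0x02 == 0 || tcp[13] & 0x10 != 0 { return None; }
    let hdr_len = ((tcp[12] >> 4) as usize) * 4; // data offset, in 32-bit words
    if hdr_len < 20 || hdr_len > tcp.len() { return None; }
    let window = u16::from_be_bytes([tcp[14], tcp[15]]);
    let opts = &tcp[20..hdr_len];
    let (mut kinds, mut mss, mut wscale) = (Vec::new(), None, None);
    let mut i = 0;
    while i < opts.len() {
        let kind = opts[i];
        kinds.push(kind.to_string()); // option kinds are kept in wire order
        if kind <= 1 { i += 1; continue; } // EOL (0) and NOP (1) are single bytes
        // Every other option is kind, length, data; reject lengths that overrun the header.
        let len = *opts.get(i + 1)? as usize;
        if len < 2 || i + len > opts.len() { return None; }
        let data = &opts[i + 2..i + len];
        match (kind, data.len()) {
            (2, 2) => mss = Some(u16::from_be_bytes([data[0], data[1]]).to_string()),
            (3, 1) => wscale = Some(data[0].to_string()),
            _ => {}
        }
        i += len;
    }
    // Assumption: an absent field is rendered as "00".
    let kinds = if kinds.is_empty() { "00".to_string() } else { kinds.join("-") };
    Some(format!("{}_{}_{}_{}", window, kinds,
                 mss.unwrap_or("00".into()), wscale.unwrap_or("00".into())))
}

/// Constructed sample: a SYN with window 64240 and 20 bytes of options.
fn sample_syn() -> Vec<u8> {
    vec![
        0xc3, 0x50, 0x01, 0xbb,        // source port 50000, destination port 443
        0, 0, 0, 1, 0, 0, 0, 0,        // sequence and acknowledgement numbers
        0xa0, 0x02,                    // data offset 10 words, flags = SYN
        0xfa, 0xf0, 0, 0, 0, 0,        // window 64240, checksum, urgent pointer
        2, 4, 0x05, 0xb4,              // MSS 1460
        4, 2,                          // SACK permitted
        8, 10, 0, 0, 0, 1, 0, 0, 0, 0, // timestamps
        1,                             // NOP
        3, 3, 7,                       // window scale 7
    ]
}

fn main() {
    println!("{:?}", ja4t_from_syn(&sample_syn()));
}
```

Because the option kinds are kept in wire order, two stacks that send the same options in a different sequence produce different strings.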
WAF (Wirefilter Expressions)
- Expression engine - Filter by request method, path, headers, and more
- Actions - Allow, block, or challenge based on expression matches
- Centralized management - Expressions fetched from Gen0Sec API
- Content scanning triggers - Define when to scan based on request characteristics
TLS Management
- ACME/Let's Encrypt - Automatic certificates with HTTP-01 and DNS-01 challenges
- Wildcard detection - Automatically uses DNS-01 for wildcard domains
- Custom certificates - Bring your own TLS certificates
- HTTPS enforcement - Force HTTPS with HTTP upgrade responses
- Expiration monitoring - Automatic renewal and manual trigger via API
Content Scanning
- ClamAV integration - Real-time malware detection
- Multipart/form scanning - Scans uploads and form data
- Wirefilter triggers - Advanced rules for when to scan
- Extension filtering - Skip specific file extensions
Architecture
Components
- Multi-Backend Firewall - XDP/nftables/iptables/userland packet filtering
- HTTP/TLS Servers - HTTP traffic handling and HTTPS connection management
- Internal Services Server - Unified server for CAPTCHA, ACME, and certificate management
- Reverse Proxy - Request forwarding to upstream services
- Upstreams Manager - Routing with service discovery, weighted load balancing, and hot-reloading
- Threat Intelligence - Gen0Sec API and Threat MMDB integration
- GeoIP Manager - Country, ASN, and city-level geolocation via MMDB
- Access Rules Engine - Dynamic IP allow/block lists with periodic API updates
- BPF Statistics Collector - Kernel-level packet processing tracking
- TCP Fingerprint Collector - SYN fingerprint extraction and analysis
- Fingerprint Engine - Complete JA4+ suite (JA4, JA4H, JA4T, JA4L, JA4S, JA4X)
- CAPTCHA Engine - Multi-provider CAPTCHA validation
- Content Scanner - ClamAV malware detection
- ACME Manager - HTTP-01 and DNS-01 certificate management
- File/Syslog Loggers - Rotating file-based and centralized syslog logging
- Event Queue - Unified batch processing for logs, statistics, and events
- Redis Cache - Certificates, threat intel, CAPTCHA, and content scan results
Performance
- Ultra-low latency - XDP filtering operates in kernel space
- High throughput - Rust-based implementation with async I/O
- Memory efficient - Minimal footprint with efficient caching
- Scalable - Multiple network interfaces and concurrent connections
Documentation
- Installation Guide - Get Synapse up and running
- Configuration - Complete configuration reference
- Daemon Mode - Run Synapse as a background service
- JA4+ Fingerprinting - Complete fingerprinting suite
- Testing Guide - Manual testing and validation