Security
How we protect your infrastructure and data
1. Zero-Knowledge Architecture
Lumos Gate is designed so that we never see, store, or have access to the traffic flowing through your proxy servers. Your HAProxy instances and agents run entirely on servers you own.
- Traffic: Never touches our servers. Flows directly through your VPS.
- Logs: We don't collect access logs. Only aggregate metrics (request counts, bandwidth).
- Content: We have no knowledge of what content your servers host or serve.
2. Authentication & Access Control
- Password hashing: All passwords are hashed using bcrypt with per-user salt. Plaintext passwords are never stored or logged.
- Session management: JWT-based sessions with periodic revalidation. Password changes invalidate all existing sessions within 5 minutes.
- Server tokens: Agent authentication tokens are stored as SHA-256 hashes. Only a prefix is shown in the dashboard. The full token is displayed once at creation.
- API keys: Prefixed with lmsk_, stored as SHA-256 hashes. Full key shown only once at creation.
- Rate limiting: Atomic Redis-based rate limiting on authentication endpoints prevents brute-force attacks.
- Email verification: Required before account activation. Cryptographically random tokens with expiration.
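The server-token and API-key items above describe a show-once, store-only-the-hash scheme. The following Go code is an added example of that pattern, not Lumos Gate's own code: the 32-byte key size, base64url encoding, 4-character dashboard prefix and all type and function names are assumptions; only the lmsk_ prefix and the use of SHA-256 come from this page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

const keyPrefix = "lmsk_" // API key prefix named on this page

// StoredKey is the only thing persisted; the full key is never stored.
type StoredKey struct {
	Hash    [32]byte // SHA-256 of the full key
	Display string   // short prefix for the dashboard (length is an assumption)
}

// NewAPIKey returns the full key, to be shown once, and the record to persist.
// A fast unsalted hash is acceptable only because the key carries 256 random
// bits; low-entropy secrets such as passwords need bcrypt, as the page says.
func NewAPIKey() (string, StoredKey, error) {
	buf := make([]byte, 32) // assumed key size
	if _, err := rand.Read(buf); err != nil {
		return "", StoredKey{}, err
	}
	full := keyPrefix + base64.RawURLEncoding.EncodeToString(buf)
	rec := StoredKey{Hash: sha256.Sum256([]byte(full)), Display: full[:len(keyPrefix)+4] + "..."}
	return full, rec, nil
}

// Verify rejects malformed input, then compares hashes in constant time.
func Verify(presented string, rec StoredKey) bool {
	if !strings.HasPrefix(presented, keyPrefix) {
		return false
	}
	got := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(got[:], rec.Hash[:]) == 1
}

func main() {
	full, rec, err := NewAPIKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("show once:", full)
	fmt.Println("dashboard:", rec.Display, "valid:", Verify(full, rec))
}
```

A database leak under this scheme exposes only hashes and short display prefixes, so leaked records cannot be replayed as credentials.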
3. Encryption
- In transit: All connections use TLS 1.2+. Dashboard, API, and WebSocket connections are encrypted end-to-end. Agent-to-server communication uses WSS (WebSocket Secure).
- At rest: Database storage is encrypted at rest. Sensitive configuration values (tokens, API keys) are stored as cryptographic hashes.
- Agent configuration: Local agent config files are encrypted with AES-256-GCM. The encryption key is derived from the server token.
- SSL certificates: Let's Encrypt certificates are auto-provisioned via ACME HTTP-01 challenge. Private keys are stored only on your VPS, never transmitted to our servers.
4. Infrastructure Security
- Network isolation: Database and internal services are not publicly accessible. Only the dashboard, API, and WebSocket endpoints are exposed.
- DDoS protection: The dashboard is served behind enterprise-grade DDoS protection and WAF. Platform infrastructure IPs are not exposed.
- Minimal attack surface: Go binaries (agent + WS server) are statically compiled with minimal dependencies. No shell access or runtime code execution.
- Automated updates: Security patches are applied regularly. Infrastructure dependencies are kept up to date.
5. Agent Security
- Single binary: The agent is a single compiled Go binary (~10MB) with no external dependencies or interpreters.
- Config rollback: Before every HAProxy configuration change, a backup is created. If the reload fails, the previous config is automatically restored.
- Mutex serialization: All configuration writes and HAProxy reloads are serialized under a single mutex, preventing race conditions.
- Health monitoring: The agent monitors HAProxy every 10 seconds and automatically restarts it if a crash is detected.
- Reconnection: If the WebSocket connection drops, the agent automatically reconnects with exponential backoff and requests a full config sync.
6. WAF & Traffic Protection
- Lua-based WAF: WAF rules run as HAProxy Lua modules directly on your VPS. Rules are generated from your dashboard configuration and applied at the proxy layer.
- OWASP protection: Built-in rules for SQL injection, XSS, path traversal, and other common web attacks.
- IP blacklisting: Block specific IPs or CIDR ranges at the HAProxy level before requests reach your origin servers.
- Rate limiting: Per-domain rate limiting with configurable thresholds to prevent abuse and brute-force attacks.
- Bot protection: JavaScript challenge + HMAC cookie validation to distinguish real browsers from automated bots.
7. Data Minimization
We follow the principle of data minimization:
- We only collect data necessary to provide the Service (email, name, configuration).
- Metrics are stored in aggregate form (total requests, bandwidth) — not individual request logs.
- Password reset tokens are single-use and expire after 1 hour.
- Account deletion removes all associated data (servers, domains, WAF rules, metrics).
- Decommissioned servers are fully cleaned up within 1 hour.
8. Vulnerability Reporting
If you discover a security vulnerability in Lumos Gate, we encourage responsible disclosure. Please report it to:
- Security: [email protected]
We aim to acknowledge reports within 24 hours and provide an initial assessment within 72 hours. We do not currently operate a bug bounty program, but we appreciate and credit responsible disclosures.