Merge pull request #1 from Whispergate/dev

[0.2.0] Native Cloud Support

Author: Lavender-exe

README.md

@@ -7,6 +7,10 @@ InfraGuard sits between the internet and your C2 teamserver, validating every in
 ![Mythic Callbacks Xenon](/images/xenon_callback.png)
 ![InfraGuard Dashboard](/images/infraguard_dashboard.png)
 
+## Architecture
+
+![Architecture Diagram](/images/InfraGuard%20Infrastructure%20Diagram.drawio.png)
+
 ## Features
 
 - **Multi-domain proxying** -- proxy multiple domains simultaneously, each with independent C2 profiles, upstreams, and rules
@@ -25,6 +29,7 @@ InfraGuard sits between the internet and your C2 teamserver, validating every in
 - **Webhook alerts** -- built-in plugins for Discord (embeds), Slack (Block Kit), and generic webhook (Rocket.Chat, Mattermost, Teams)
 - **Plugin system** -- event-driven architecture with `on_event` hooks, per-plugin config, event filtering (only_blocked, min_score, domain include/exclude)
 - **Backend config generation** -- generate Nginx, Caddy, or Apache configs with full operator customization (TLS, IP filtering, header checks, aliases, custom headers)
+- **Edge proxies** -- lightweight Cloudflare Worker and AWS Lambda for domain fronting through CDN infrastructure, edge country blocking, and host rewriting
 - **Docker deployment** -- Dockerfile + docker-compose with optional Let's Encrypt, GeoIP downloader, and PwnDrop payload server
 - **GeoIP support** -- all three GeoLite2 databases (City, ASN, Country) with Docker auto-download
 - **Self-signed TLS fallback** -- auto-generates certificates when configured paths don't exist
@@ -637,6 +642,56 @@ When running with `infraguard dashboard`, the following REST API is available:
 
 All API endpoints require an `Authorization: Bearer <token>` header when `auth_token` is configured.
 
+## Cloudflare Worker Deployment
+
+InfraGuard includes a lightweight Cloudflare Worker that acts as an edge reverse proxy, providing domain fronting through Cloudflare's CDN.
+
+```
+Internet → [Cloudflare Edge Worker] → [InfraGuard Server on VPS] → [C2 Teamserver]
+```
+
+From a network observer's perspective, all traffic goes to Cloudflare's IPs -- your server is never exposed.
+
+```bash
+cd workers/infraguard-edge
+npm install -g wrangler
+wrangler login
+
+# Edit wrangler.toml with your InfraGuard backend URL and domains
+npx wrangler deploy
+```
+
+The Worker handles:
+- **Domain fronting** -- traffic appears to go to Cloudflare
+- **Edge country blocking** -- drop requests from banned countries at the edge
+- **Host rewriting** -- map Cloudflare domains to C2 profile Host headers
+- **Client IP injection** -- `X-Real-IP` / `X-Forwarded-For` with the real client IP
+
+See [workers/infraguard-edge/README.md](workers/infraguard-edge/README.md) for full configuration.
+
+## AWS Lambda Deployment
+
+InfraGuard also includes an AWS Lambda edge proxy for domain fronting through CloudFront or Lambda Function URLs.
+
+```bash
+cd workers/infraguard-lambda
+
+# Deploy with SAM CLI
+sam build
+sam deploy --guided \
+  --parameter-overrides \
+    InfraGuardBackend=https://your-server:443 \
+    AllowedHosts=cdn.example.com \
+    BlockedCountries=CN,RU,KP
+```
+
+Supports three deployment modes:
+- **Lambda Function URL** -- standalone HTTPS endpoint, simplest setup
+- **CloudFront + Lambda@Edge** -- full CDN with global edge distribution
+- **API Gateway + Lambda** -- HTTP API endpoint
+
+Zero external dependencies (stdlib only). See [workers/infraguard-lambda/README.md](workers/infraguard-lambda/README.md) for full configuration.
+
 ## Docker Deployment
 
 ### Quick start
@@ -680,7 +735,7 @@ Requirements for Let's Encrypt:
 # Download all three GeoLite2 databases (City, ASN, Country)
 docker compose --profile geoip up geoip-update
 
-# Then start normally — databases are mounted at /app/geoip/
+# Then start normally - databases are mounted at /app/geoip/
 docker compose up -d proxy dashboard
 ```
 
@@ -768,6 +823,7 @@ infraguard/
 | Anti-replay | SQLite hash | In-memory with configurable window |
 | Drop actions | redirect, reset, proxy | redirect, reset, proxy, tarpit |
 | TLS management | Manual only | Auto self-signed + Let's Encrypt integration |
+| Edge deployment | None | Cloudflare Worker + AWS Lambda edge proxies with domain fronting |
 | Deployment | Manual | Docker Compose with health checks |
 | Logging | Custom colored output | Structured JSON (structlog) |
 | Async | Tornado callbacks | Native async/await (ASGI + uvicorn) |

config/pwndrop.ini

@@ -3,7 +3,7 @@
 ;
 ; NOTE: The [setup] section below is consumed on FIRST RUN only.
 ; PwnDrop will automatically remove it from this file after creating
-; the admin account. This is normal — do not add it back, or you'll
+; the admin account. This is normal - do not add it back, or you'll
 ; see "already exists" errors on restart.
 
 [pwndrop]

images/InfraGuard Infrastructure Diagram.drawio

@@ -42,7 +42,7 @@ async def health_check(request: Request) -> Response:
     @asynccontextmanager
     async def lifespan(app: Starlette):
         await db.connect()
-        # Start plugins (isolated — one failure doesn't stop others)
+        # Start plugins (isolated - one failure doesn't stop others)
         for p in plugins:
             try:
                 await p.on_startup()

images/InfraGuard Infrastructure Diagram.drawio.png

@@ -1,9 +1,9 @@
-"""Content route resolver — matches request URIs to content delivery backends.
+"""Content route resolver - matches request URIs to content delivery backends.
 
 Supports three pattern types:
-- Exact:  ``/file.exe`` — string equality
-- Prefix: ``/downloads/*`` — startswith, captures remainder after prefix
-- Regex:  ``~^/d/[a-f0-9]+`` — leading ``~`` indicates regex
+- Exact:  ``/file.exe`` - string equality
+- Prefix: ``/downloads/*`` - startswith, captures remainder after prefix
+- Regex:  ``~^/d/[a-f0-9]+`` - leading ``~`` indicates regex
 """
 
 from __future__ import annotations

images/infraguard_icon.svg

@@ -114,7 +114,7 @@ def _build_filters(self) -> list:
     def _build_fingerprint_filters(self) -> list:
         """Build a filter chain WITHOUT ProfileFilter and ReplayFilter.
 
-        Used for content route conditional delivery — catches bots and
+        Used for content route conditional delivery - catches bots and
         scanners without requiring C2 profile conformance.
         """
         pc = self.config.pipeline
@@ -302,7 +302,7 @@ async def _handle_content_route(
                 filter_score = fp_result.total_score
 
                 if filter_score >= content_config.conditional.score_threshold:
-                    # Scanner/bot detected — serve decoy or redirect
+                    # Scanner/bot detected - serve decoy or redirect
                     log.info(
                         "content_blocked",
                         domain=route.domain,

infraguard/core/app.py

@@ -105,7 +105,7 @@ def resolve_tls_paths(
         log.info("tls_loaded", cert=str(cert_path))
         return str(cert_path), str(key_path)
 
-    # Certs not found — generate self-signed
+    # Certs not found - generate self-signed
     domain = domains[0] if domains else "localhost"
     log.warning(
         "tls_certs_not_found",

infraguard/core/content_router.py

@@ -65,7 +65,7 @@ def __init__(
             except Exception:
                 log.exception("geoip_load_error", type="country", path=country_db)
 
-        # ASN DB (separate — provides ASN + org)
+        # ASN DB (separate - provides ASN + org)
         if asn_db and Path(asn_db).exists():
             try:
                 self._asn_reader = maxminddb.open_database(asn_db)