feat: refactor into a universal proxy architecture with single cli binary

Author: Itsusinn

Cargo.lock

@@ -1,3 +1,3 @@
 [workspace]
-members = ["h3proxy-lib", "h3proxy-cli", "h3client"]
+members = ["h3proxy-lib", "h3proxy-cli"]
 resolver = "2"

Cargo.toml

@@ -1,49 +1,89 @@
 use anyhow::{Context, Result};
-use clap::Parser;
+use clap::{Parser, Subcommand};
+use h3proxy_lib::client::{ClientConfig, ProxyClient};
 use h3proxy_lib::config::ProxyConfig;
 use h3proxy_lib::server::ProxyServer;
 use std::fs;
 use std::net::SocketAddr;
 
 #[derive(Parser, Debug)]
-#[command(author, version, about, long_about = None)]
-struct Args {
-    #[arg(short, long, default_value = "0.0.0.0:4433")]
-    listen: SocketAddr,
+#[command(author, version, about = "h3proxy - A universal HTTP/3 proxy platform", long_about = None)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand, Debug)]
+enum Commands {
+    /// Run the proxy server (inbound)
+    Server {
+        #[arg(short, long, default_value = "0.0.0.0:4433")]
+        listen: SocketAddr,
+
+        #[arg(short, long, default_value = "cert.pem")]
+        cert: String,
 
-    #[arg(short, long, default_value = "cert.pem")]
-    cert: String,
+        #[arg(short, long, default_value = "key.pem")]
+        key: String,
+    },
+    /// Run the proxy client (outbound test tunnel)
+    Client {
+        #[arg(short, long, default_value = "127.0.0.1:4433")]
+        proxy: SocketAddr,
 
-    #[arg(short, long, default_value = "key.pem")]
-    key: String,
+        #[arg(short, long, default_value = "https://example.com:443")]
+        target: String,
+
+        #[arg(short, long, default_value = "cert.pem")]
+        cert: String,
+    },
 }
 
 #[tokio::main]
 async fn main() -> Result<()> {
     tracing_subscriber::fmt::init();
-    let args = Args::parse();
+    let cli = Cli::parse();
+
+    match cli.command {
+        Commands::Server { listen, cert, key } => {
+            let cert_data = fs::read(&cert).with_context(|| format!("failed to read cert file: {}", cert))?;
+            let key_data = fs::read(&key).with_context(|| format!("failed to read key file: {}", key))?;
+
+            let certs: Vec<_> = rustls_pemfile::certs(&mut &*cert_data)
+                .collect::<Result<_, _>>()
+                .context("failed to parse certs")?;
 
-    let cert_data = fs::read(&args.cert).with_context(|| format!("failed to read cert file: {}", args.cert))?;
-    let key_data = fs::read(&args.key).with_context(|| format!("failed to read key file: {}", args.key))?;
+            let mut keys: Vec<_> = rustls_pemfile::private_key(&mut &*key_data)
+                .context("failed to parse key")?
+                .into_iter()
+                .collect();
+            let priv_key = keys.remove(0);
 
-    let certs: Vec<_> = rustls_pemfile::certs(&mut &*cert_data)
-        .collect::<Result<_, _>>()
-        .context("failed to parse certs")?;
+            let config = ProxyConfig {
+                listen_addr: listen,
+                cert_chain: certs,
+                priv_key,
+            };
 
-    let mut keys: Vec<_> = rustls_pemfile::private_key(&mut &*key_data)
-        .context("failed to parse key")?
-        .into_iter()
-        .collect();
-    let priv_key = keys.remove(0);
+            let server = ProxyServer::new(config);
+            server.serve().await?;
+        }
+        Commands::Client { proxy, target, cert } => {
+            let cert_data = fs::read(&cert).with_context(|| format!("failed to read cert file: {}", cert))?;
+            let certs: Vec<_> = rustls_pemfile::certs(&mut &*cert_data)
+                .collect::<Result<_, _>>()
+                .context("failed to parse certs")?;
 
-    let config = ProxyConfig {
-        listen_addr: args.listen,
-        cert_chain: certs,
-        priv_key,
-    };
+            let config = ClientConfig {
+                proxy_addr: proxy,
+                target_url: target,
+                root_certs: certs,
+            };
 
-    let server = ProxyServer::new(config);
-    server.serve().await?;
+            let client = ProxyClient::new(config);
+            client.run().await?;
+        }
+    }
 
     Ok(())
 }

h3client/Cargo.toml

@@ -0,0 +1,76 @@
+use anyhow::Result;
+use bytes::Buf;
+use h3_quinn::Connection;
+use http::Request;
+use quinn::Endpoint;
+use rustls_pki_types::CertificateDer;
+use std::{net::SocketAddr, sync::Arc};
+use tracing::info;
+
+pub struct ClientConfig {
+    pub proxy_addr: SocketAddr,
+    pub target_url: String,
+    pub root_certs: Vec<CertificateDer<'static>>,
+}
+
+pub struct ProxyClient {
+    config: ClientConfig,
+}
+
+impl ProxyClient {
+    pub fn new(config: ClientConfig) -> Self {
+        Self { config }
+    }
+
+    pub async fn run(&self) -> Result<()> {
+        let mut endpoint = Endpoint::client("0.0.0.0:0".parse()?)?;
+
+        let mut roots = rustls::RootCertStore::empty();
+        for c in self.config.root_certs.clone() {
+            roots.add(c)?;
+        }
+
+        let mut crypto = rustls::ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider()))
+            .with_safe_default_protocol_versions()?
+            .with_root_certificates(roots)
+            .with_no_client_auth();
+        crypto.alpn_protocols = vec![b"h3".to_vec(), b"h3-29".to_vec()];
+
+        let client_config = quinn::ClientConfig::new(Arc::new(
+            quinn::crypto::rustls::QuicClientConfig::try_from(crypto)?
+        ));
+        endpoint.set_default_client_config(client_config);
+
+        let quinn_conn = endpoint.connect(self.config.proxy_addr, "localhost")?.await?;
+        info!("connected to proxy at {}", self.config.proxy_addr);
+
+        let h3_conn_wrapped = Connection::new(quinn_conn);
+        let (mut driver, mut send_request) = h3::client::new(h3_conn_wrapped).await?;
+        tokio::spawn(async move {
+            let _ = std::future::poll_fn(|cx| driver.poll_close(cx)).await;
+        });
+
+        let uri = self.config.target_url.parse::<http::Uri>()?;
+        let host = uri.host().unwrap_or("");
+        let port = uri.port_u16().unwrap_or(443);
+        let authority = format!("{}:{}", host, port);
+
+        let req = Request::builder()
+            .method("CONNECT")
+            .uri(self.config.target_url.clone())
+            .header("host", authority)
+            .body(())?;
+
+        info!("sending CONNECT request to {}", self.config.target_url);
+        let mut request_stream = send_request.send_request(req).await?;
+        let resp = request_stream.recv_response().await?;
+        info!("response status: {}", resp.status());
+
+        while let Some(chunk) = request_stream.recv_data().await? {
+            let bytes = chunk;
+            print!("{}", String::from_utf8_lossy(bytes.chunk()));
+        }
+
+        Ok(())
+    }
+}

h3client/src/main.rs

@@ -1,3 +1,4 @@
 pub mod config;
 pub mod server;
-pub mod handler;
+pub mod handler;
+pub mod client;

h3proxy-cli/src/main.rs

@@ -1 +1 @@
-{"rustc_fingerprint":17866707384158916766,"outputs":{"12855261153397992890":{"success":true,"status":"","code":0,"stdout":"rustc 1.93.1 (01f6ddf75 2026-02-11)\nbinary: rustc\ncommit-hash: 01f6ddf7588f42ae2d7eb0a2f21d44e8e96674cf\ncommit-date: 2026-02-11\nhost: x86_64-pc-windows-msvc\nrelease: 1.93.1\nLLVM version: 21.1.8\n","stderr":""},"10803282065846393305":{"success":true,"status":"","code":0,"stdout":"___.exe\nlib___.rlib\n___.dll\n___.dll\n___.lib\n___.dll\nC:\\Users\\iHsin\\.rustup\\toolchains\\stable-x86_64-pc-windows-msvc\npacked\n___\ndebug_assertions\npanic=\"unwind\"\nproc_macro\ntarget_abi=\"\"\ntarget_arch=\"x86_64\"\ntarget_endian=\"little\"\ntarget_env=\"msvc\"\ntarget_family=\"windows\"\ntarget_feature=\"cmpxchg16b\"\ntarget_feature=\"fxsr\"\ntarget_feature=\"sse\"\ntarget_feature=\"sse2\"\ntarget_feature=\"sse3\"\ntarget_has_atomic=\"128\"\ntarget_has_atomic=\"16\"\ntarget_has_atomic=\"32\"\ntarget_has_atomic=\"64\"\ntarget_has_atomic=\"8\"\ntarget_has_atomic=\"ptr\"\ntarget_os=\"windows\"\ntarget_pointer_width=\"64\"\ntarget_vendor=\"pc\"\nwindows\n","stderr":""}},"successes":{}}
+{"rustc_fingerprint":9493169903018013690,"outputs":{"17747080675513052775":{"success":true,"status":"","code":0,"stdout":"rustc 1.93.1 (01f6ddf75 2026-02-11)\nbinary: rustc\ncommit-hash: 01f6ddf7588f42ae2d7eb0a2f21d44e8e96674cf\ncommit-date: 2026-02-11\nhost: x86_64-pc-windows-msvc\nrelease: 1.93.1\nLLVM version: 21.1.8\n","stderr":""},"7971740275564407648":{"success":true,"status":"","code":0,"stdout":"___.exe\nlib___.rlib\n___.dll\n___.dll\n___.lib\n___.dll\nC:\\Users\\iHsin\\.rustup\\toolchains\\stable-x86_64-pc-windows-msvc\npacked\n___\ndebug_assertions\npanic=\"unwind\"\nproc_macro\ntarget_abi=\"\"\ntarget_arch=\"x86_64\"\ntarget_endian=\"little\"\ntarget_env=\"msvc\"\ntarget_family=\"windows\"\ntarget_feature=\"cmpxchg16b\"\ntarget_feature=\"fxsr\"\ntarget_feature=\"sse\"\ntarget_feature=\"sse2\"\ntarget_feature=\"sse3\"\ntarget_has_atomic=\"128\"\ntarget_has_atomic=\"16\"\ntarget_has_atomic=\"32\"\ntarget_has_atomic=\"64\"\ntarget_has_atomic=\"8\"\ntarget_has_atomic=\"ptr\"\ntarget_os=\"windows\"\ntarget_pointer_width=\"64\"\ntarget_vendor=\"pc\"\nwindows\n","stderr":""}},"successes":{}}