Code review: terminal TLS MITM proxy in Rust (ratatui, tokio, rcgen, rustls)
Rust | 2026-06-30 | surdeus

I've been building Cogitator, a terminal-based TLS MITM intercepting
proxy in Rust, primarily as a learning project for both network security
and the language itself. Would appreciate any feedback on architecture
and Rust-specific decisions.
Core stack:
- tokio 1 (full): async runtime for the proxy core
- ratatui 0.26 + crossterm: TUI with 6 screens
- rcgen 0.13: on-the-fly per-domain leaf certificate signing
- rustls 0.23 + tokio-rustls 0.26 + webpki-roots: TLS stack
- hyper 1.0 + hyper-util + http-body-util: HTTP layer
- reqwest 0.12: outbound requests (brotli/gzip/deflate)
- libloading + inventory: external .so plugin system
- tracing + tracing-subscriber (json): structured logging
- hickory-client: DNS queries
Decisions I'm unsure about and would love feedback on:
- Coexisting the async proxy core with the synchronous ratatui event loop via block_in_place/spawn_blocking. Is there a cleaner pattern for this?
- Per-domain TlsAcceptor cache behind Arc<Mutex<HashMap>>. Worth switching to DashMap?
- Using hyper 1.0 directly alongside reqwest 0.12 (which uses hyper internally). Is there redundancy here worth cleaning up?
- SiteAnalyzer trait for DI in the proxy pipeline. Does this feel idiomatic or over-engineered for this scale?
What it does:
- TLS MITM with ALPN/HTTP2, WebSocket interception (RFC 6455)
- Frozen mode: pause live requests, edit headers/body, forward/drop
- Active scanner: SQLi (error-based), XSS (reflected/stored), Path Traversal
- Repeater, Intruder (Sniper/BatteringRam/Pitchfork/ClusterBomb), BFS Spider
- Plugin system with versioned ABI via the cogitator-plugin-api crate
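The per-domain TlsAcceptor cache question above (Arc<Mutex<HashMap>> vs DashMap) mostly turns on a point the choice of map does not settle: whether the expensive step, signing a fresh leaf certificate for a domain on a cache miss, runs while the lock is held. The following is an added example, not code from the post or from the Cogitator project, written against std only so it runs without crates. `LeafAcceptor` is a hypothetical stand-in for a per-domain acceptor (in the real stack it would wrap a rustls ServerConfig holding an rcgen-signed leaf), and `sign_leaf` models signing cost with a short sleep. It shows the shape of a miss path that signs outside the lock and then re-checks the map, so concurrent connections to one domain end up sharing a single acceptor even if two of them raced on the miss.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, Mutex};
use std::thread;
use std::time::Duration;

/// Hypothetical stand-in for a per-domain TLS acceptor. In a MITM proxy
/// this would carry the rustls ServerConfig built around an rcgen-signed
/// leaf certificate for `domain`; here it only records the domain.
#[derive(Debug)]
pub struct LeafAcceptor {
    pub domain: String,
}

/// Per-domain cache in the shape the post describes: Arc<Mutex<HashMap>>.
/// The mutex guards only the map. Certificate signing runs with the lock
/// released, so one slow signing does not stall every other connection's
/// cache lookup. `signings` counts how many leaves were actually signed.
#[derive(Clone, Default)]
pub struct AcceptorCache {
    inner: Arc<Mutex<HashMap<String, Arc<LeafAcceptor>>>>,
    signings: Arc<AtomicUsize>,
}

impl AcceptorCache {
    pub fn new() -> Self {
        Self::default()
    }

    /// Return the shared acceptor for `domain`, signing a new leaf on a miss.
    pub fn get_or_sign(&self, domain: &str) -> Arc<LeafAcceptor> {
        // Fast path: look up under the lock, then drop the guard at the
        // end of this block before doing any slow work.
        {
            let map = self.inner.lock().unwrap();
            if let Some(existing) = map.get(domain) {
                return Arc::clone(existing);
            }
        }

        // Slow path: sign with the lock released. Two connections that miss
        // at the same time may both sign (wasted work), but only one result
        // is kept below, so they still share one acceptor afterwards.
        let fresh = Arc::new(self.sign_leaf(domain));

        // Re-check and insert: if another connection won the race, keep its
        // entry and discard `fresh`.
        let mut map = self.inner.lock().unwrap();
        let entry = map.entry(domain.to_string()).or_insert(fresh);
        Arc::clone(entry)
    }

    /// Model of leaf issuance. A real proxy would have rcgen build and sign
    /// a certificate for `domain` with the proxy CA here; the sleep stands
    /// in for that cost so the effect of signing outside the lock is visible.
    fn sign_leaf(&self, domain: &str) -> LeafAcceptor {
        self.signings.fetch_add(1, Ordering::SeqCst);
        thread::sleep(Duration::from_millis(5));
        LeafAcceptor {
            domain: domain.to_string(),
        }
    }

    /// Number of leaf signings performed so far.
    pub fn signings(&self) -> usize {
        self.signings.load(Ordering::SeqCst)
    }

    /// Number of distinct domains currently cached.
    pub fn len(&self) -> usize {
        self.inner.lock().unwrap().len()
    }
}

/// Drive one cache from `workers` threads that all request every domain,
/// as concurrent client connections would. Returns
/// (distinct cached domains, total signings performed).
pub fn demo_concurrent(domains: &[&str], workers: usize) -> (usize, usize) {
    let cache = AcceptorCache::new();
    let domains: Vec<String> = domains.iter().map(|d| d.to_string()).collect();
    let handles: Vec<_> = (0..workers)
        .map(|_| {
            let cache = cache.clone();
            let domains = domains.clone();
            thread::spawn(move || {
                for d in &domains {
                    let acceptor = cache.get_or_sign(d);
                    // Every caller must get an acceptor for the domain it asked for.
                    assert_eq!(acceptor.domain, *d);
                }
            })
        })
        .collect();
    for handle in handles {
        handle.join().unwrap();
    }
    (cache.len(), cache.signings())
}

fn main() {
    // Constructed sample: three domains requested by eight concurrent workers.
    let (cached, signings) = demo_concurrent(&["a.example", "b.example", "c.example"], 8);
    println!("cached domains: {cached}, leaf signings performed: {signings}");
}
```

The map always ends with exactly one entry per domain, while the signing count may exceed the domain count when misses race; that duplicate work is the price of not holding the lock during signing, and it is independent of whether the map is a Mutex<HashMap> or a DashMap. If the duplicate signings matter, the usual next step is a per-domain in-flight slot (for example a OnceLock-style cell stored in the map) so later callers wait for the first signing instead of repeating it. A long-running proxy would also want the cache bounded or evicted, since it grows with every distinct SNI seen.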