Introduction
Hide your origin server IPs behind affordable DDoS-protected VPS instances. Self-hosted alternative to Cloudflare with HAProxy, WAF, and auto SSL.
What is Lumos Gate?
Lumos Gate is a self-hosted reverse proxy platform that turns affordable, DDoS-protected VPS instances into powerful shield servers. Your origin server IPs stay completely hidden behind these shields, protecting them from direct attacks while providing enterprise-grade traffic filtering.
The core idea is simple: instead of paying hundreds of dollars per month for commercial DDoS protection, you deploy an affordable VPS with included DDoS protection, install the Lumos Gate agent, and route your traffic through it.
How It Works
All incoming traffic hits your shield VPS first. HAProxy handles the proxying, the WAF filters malicious requests, SSL certificates are provisioned automatically, and clean traffic is forwarded to your origin servers over a secure connection.
| Layer | Component | Role |
|---|---|---|
| 1. Internet | Visitor's browser | Request hits your domain's DNS, which points to the shield VPS IP |
| 2. Shield VPS | HAProxy + WAF + SSL + Lumos Agent | DDoS protection at network level, WAF filters application attacks, SSL terminates here |
| 3. Origin Server | Your real server | Receives only clean, filtered traffic. IP address never exposed to the internet |
When an attacker tries to target your infrastructure, they only see the shield VPS IP. Your origin server IP is never exposed in DNS records, HTTP headers, or anywhere else. The shield VPS absorbs volumetric attacks at the network level (handled by your VPS provider's DDoS protection), while the Lumos WAF filters application-layer attacks.
Tip: For maximum origin protection, you should also configure your origin firewall to only accept traffic from your shield VPS IPs. This prevents attackers from bypassing the proxy even if they discover your origin IP through other means.
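One way to apply this tip on a Linux origin, as an added example that is not part of Lumos Gate or its agent. It assumes nftables on the origin and web traffic on TCP 80/443. The function names are hypothetical and the shield addresses are constructed documentation IPs.

```shell
#!/bin/sh
# Added example: restrict an origin's web ports to the shield VPS addresses.
# Assumptions: nftables on the origin, web traffic on TCP 80/443, and the
# constructed documentation addresses below standing in for real shield IPs.

# Return 0 only for a dotted-quad IPv4 address with octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Print an nftables rule set that accepts TCP 80/443 only from the given
# shield IPs and counts then drops every other source (IPv6 included).
render_origin_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "no shield IPs given: refusing to block all web traffic" >&2
        return 1
    fi
    _elements=""
    for _ip in "$@"; do
        is_ipv4 "$_ip" || { echo "invalid IPv4 address: $_ip" >&2; return 1; }
        _elements="${_elements:+$_elements, }$_ip"
    done
    cat <<EOF
table inet origin_shield {
    set shield_v4 {
        type ipv4_addr
        elements = { $_elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        tcp dport { 80, 443 } ip saddr @shield_v4 accept
        tcp dport { 80, 443 } counter drop
    }
}
EOF
}

# Review the output, then load it with: render_origin_ruleset ... | nft -f -
render_origin_ruleset 203.0.113.10 203.0.113.11
```

A non-zero counter on the drop rule (visible with `nft list table inet origin_shield`) means something reached the web ports without going through a shield, which is a signal that the origin address is known outside the proxy path.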
Key Features
- Origin IP Protection -- Your real server IPs are never revealed. Traffic is proxied through shield VPS with DDoS protection included. Combine with origin firewall rules for defense in depth.
- Automatic SSL -- Enable SSL on any domain and Let's Encrypt certificates are provisioned and renewed automatically via ACME HTTP-01 challenge. No manual configuration needed.
- Web Application Firewall -- Per-domain WAF rules powered by HAProxy Lua modules. Includes IP blacklisting, rate limiting, OWASP pattern matching, and custom rules.
- Bot Protection -- JavaScript challenge with HMAC cookie verification and bad bot user-agent blocking. Stops automated abuse without affecting real users.
- DNS Failover -- Automatic failover when a shield server goes down. Primary server fails, DNS switches to secondary, and recovers automatically when the primary comes back.
- Real-Time Config Push -- Domain and WAF changes are pushed to agents instantly via WebSocket. No polling, no delays. Edit a domain in the dashboard and the change is live within seconds.
- Multi-Server Support -- Assign a single domain to multiple shield servers for redundancy. If one goes down, others keep serving traffic.
- Lightweight Agent -- The agent is a single ~10MB binary. It manages HAProxy, provisions SSL certificates, generates WAF rules, and reports metrics back to the dashboard. See Agent CLI for management commands.
- Existing HAProxy Detection -- Already running HAProxy? The agent detects your existing configuration and lets you import managed sites into the Lumos dashboard via the Detected Sites feature.
Architecture Overview
The platform consists of three main components:
Dashboard -- The web interface where you manage servers, domains, WAF rules, and view analytics. Config changes are pushed to agents in real time.
WebSocket Server -- The central hub that maintains persistent connections with all agents. It pushes config updates to agents, collects metrics and status reports, drives the DNS failover scheduler, and runs the billing cycle.
Agent -- Installed on each shield VPS. A single lightweight binary (~10MB) that manages HAProxy configuration, provisions SSL certificates, generates WAF rules, monitors HAProxy health, and reports metrics. See Agent CLI for details.
Config changes propagate from the dashboard to your shield servers within seconds. For a deeper look at how these components interact, see the Architecture page.
Who Is Lumos Gate For?
- SaaS operators who need DDoS protection without the cost of Cloudflare Enterprise or AWS Shield Advanced
- Game server hosts who want to hide their origin IPs from players and attackers
- Web agencies managing dozens of client sites that need affordable, per-site protection
- Privacy-conscious operators who prefer self-hosted solutions over third-party proxies that inspect their traffic
- Anyone running HAProxy who wants a dashboard, automatic SSL, WAF, and real-time analytics on top of it
Next Steps
- Get started now -- The Quick Start guide walks you through protecting your first server in under 5 minutes.
- Choose a VPS -- Review VPS Providers for recommended DDoS-protected hosting with pricing and specs.
- Understand the architecture -- For a deep dive into how the system works under the hood, see the Architecture reference.
- Check OS compatibility -- See Supported Operating Systems to confirm your VPS meets the requirements.
- Review plans -- Check Plans for feature limits and Credits for how billing works.