Introduction
Setting up a web development or production environment on Windows has traditionally been a fragmented experience. You need Apache or NGINX for reverse proxying, OpenSSL for certificates, Docker for containers, PostgreSQL for databases, and a collection of security tools to harden your stack. Each tool has its own installer, configuration format, and update mechanism.
ProxyStack eliminates this complexity by packaging everything into a single portable ZIP file. Extract it to any folder, run ProxyStackGUI.exe, and you have a fully functional web stack with a modern dark-themed GUI. No installation, no registry changes, no admin privileges required.
With the release of v14.2.0 (Phase 17 Complete), ProxyStack has evolved from a simple reverse proxy manager into a comprehensive security, compliance, and multi-server management platform with full Nginx support. This article takes an in-depth look at every major feature, the design decisions behind them, and how they work together to provide enterprise-grade infrastructure from a portable application.
The Problem We Solved
Windows developers and system administrators face a unique set of challenges that Linux users don't encounter. The ecosystem is fragmented: IIS handles some things, Apache handles others, and getting them to coexist requires careful port management. SSL certificate management on Windows is notoriously painful. Docker Desktop works but adds significant overhead. And security tooling? Most of it is built for Linux first, Windows second.
We identified several pain points that ProxyStack addresses:
- Installation fatigue — Every tool requires its own installer, PATH configuration, and service registration. ProxyStack requires zero installation.
- Configuration sprawl — Apache configs, SSL certs, Docker Compose files, database connection strings, and security policies are scattered across the filesystem. ProxyStack centralizes everything in one folder with one JSON config.
- Security as an afterthought — Most development stacks don't include security tooling. ProxyStack ships with OWASP compliance, WAF, security scanning, and Zero Trust built in.
- Compliance burden — Meeting SOC2, GDPR, PCI-DSS, or HIPAA requirements typically requires expensive third-party tools. ProxyStack includes evidence-based compliance reporting for all four frameworks.
- Portability — Moving a development environment between machines usually means hours of reconfiguration. ProxyStack runs from a USB drive if needed.
Architecture & Design
ProxyStack is built on .NET 8 with Windows Forms for the GUI. The choice of .NET 8 provides excellent performance, native Windows integration, and access to the full Windows API surface including DPAPI for encryption and certificate stores.
Design Principles
- Portable first — Everything runs from the application directory. No system-wide changes, no registry entries, no Windows services.
- Configuration as code — All settings live in proxystack.json. The GUI reads and writes this file. You can version-control it, share it via .psxt templates, or edit it directly.
- Security by default — Security headers are enabled out of the box. The WAF ships with 12 rules active. The compliance dashboard shows your security posture immediately.
- Offline capable — Internet is only needed for Let's Encrypt certificates, update checks, and SentinelAI. Everything else works offline.
Technology Stack
Runtime: .NET 8 (Windows Forms)
Web Server: Apache 2.4 (bundled)
SSL: OpenSSL (bundled), win-acme (bundled)
Database: PostgreSQL 14 (portable, optional)
Encryption: Windows DPAPI (CurrentUser scope)
Certificates: X509Certificate2 (.NET), OpenSSL CLI
Config Format: JSON (proxystack.json, zero-trust.json, secrets.json)
Build: dotnet publish -c Release -r win-x64
Core Infrastructure
Apache Reverse Proxy
At its core, ProxyStack manages a bundled Apache 2.4 instance. The GUI generates httpd.conf and vhosts.conf from your proxystack.json configuration. Each site can be a reverse proxy, a static file server, or a hybrid with per-path routing.
Key capabilities include TLS 1.2/1.3 with SNI for multi-domain support, WebSocket proxying via mod_proxy_wstunnel, SPA fallback for single-page applications, and automatic certificate path detection. When you add a site with SSL enabled but no cert paths, ProxyStack scans the certs/ folder for matching files based on domain name patterns.
App Runner
The Apps view manages backend processes with health checks and auto-restart. A unique feature is sub-processes: you can define multiple commands per app (e.g., npx supabase start as a sub-process alongside npm run dev). Sub-processes start before the main command and are killed together when the app stops. All commands auto-accept prompts via echo y | piping and npm_config_yes=true.
Docker & PostgreSQL
The Docker view provides full container lifecycle management: start, stop, restart, remove, logs, inspect, and exec. Docker Compose up/down is supported for multi-service deployments. One-click container templates cover 12 common services (NGINX, PostgreSQL, Redis, Node.js, etc.).
For PostgreSQL, ProxyStack offers a portable installation that doesn't require Docker. Click "Start PostgreSQL" and if it's not installed, a ~300 MB download begins with a progress bar. PostgreSQL runs from the postgres/ folder with data in postgres/data/. A built-in Database Console allows direct SQL queries from the GUI.
The Security Suite
Phase 11 transformed ProxyStack from a web stack manager into a comprehensive security platform. Six new sidebar views were added, each addressing a different aspect of application security:
Compliance (OWASP Top 10 2025)
10 automated checks against the OWASP Top 10 2025 standard. Security score 0–100 with color-coded category cards. Export as CSV or TXT.
WAF (Web Application Firewall)
12 built-in rules covering SQLi, XSS, path traversal, command injection, SSRF, XXE, and more. 3 operating modes. Custom rule editor. ModSecurity export. Real-time threat dashboard.
Scanner (Security Scanner)
Quick Scan (11 checks) and Full Scan (18 checks) covering TLS, headers, permissions, secrets, ports, containers, and databases. Severity-weighted scoring with remediation guidance.
Secrets Vault (DPAPI-Encrypted Store)
8 categories, 5-second auto-hide reveal, 30-second clipboard clear, one-click rotation with 32-char cryptographic random, .env export.
Reports (Compliance Reporting)
SOC2 Type II (9 controls), GDPR (6 articles), PCI-DSS v4.0 (8 requirements), HIPAA (5 safeguards) = 28 total checks. Evidence-based with CSV/TXT export.
Zero Trust (mTLS & Network Segmentation)
Mutual TLS with CA/server cert generation, certificate-based auth policies (CN/OU/Issuer/Fingerprint/SAN), network segmentation zones, trust score 0–100, Apache .conf export.
OWASP Compliance in Depth
The OWASP Top 10 is the most widely recognized standard for web application security. ProxyStack's Compliance view maps each of the 10 categories to specific, measurable checks against your live configuration.
For example, A02: Cryptographic Failures checks whether TLS is enabled on all configured sites and whether certificate paths are valid. A03: Injection verifies that WAF rules for SQL injection, XSS, and command injection are active. A09: Logging Failures confirms that Apache access and error logging are enabled.
Each check produces a Pass or Fail result with a specific reason. The overall security score is calculated as a weighted average, giving more weight to critical categories like injection and access control. Results can be exported as CSV (for spreadsheets) or TXT (for documentation).
WAF: Request-Level Protection
The Web Application Firewall operates at the request level, inspecting incoming HTTP requests against a set of pattern-matching rules before they reach your backend applications.
The 12 Built-in Rules
Each rule targets a specific attack vector with carefully crafted regex patterns:
- SQL Injection — Detects UNION SELECT, OR 1=1, DROP TABLE, and other SQL injection patterns in query strings and request bodies
- XSS — Catches <script> tags, javascript: URIs, event handlers (onerror, onload), and other cross-site scripting vectors
- Path Traversal — Blocks ../ sequences, ..\ on Windows, and direct references to sensitive files like /etc/passwd
- Command Injection — Identifies shell metacharacters: semicolons, pipes, backticks, and $() command substitution
- SSRF — Prevents requests to internal metadata endpoints (169.254.169.254) and localhost references in parameters
- File Inclusion — Blocks php://, file://, data://, and other wrapper protocols used in local/remote file inclusion attacks
- XXE — Detects XML external entity declarations (<!ENTITY, SYSTEM) that could lead to data exfiltration
- HTTP Response Splitting — Catches \r\n sequences in headers that could inject additional HTTP responses
- Log Injection — Prevents newline injection in fields that end up in log files
- User-Agent Anomaly — Flags empty or suspicious user agent strings
- Scanner Detection — Identifies automated scanning tools like sqlmap, nikto, and nmap by their signatures
- Protocol Enforcement — Blocks non-standard HTTP methods (TRACE, TRACK) that can be used for cross-site tracing
Three Operating Modes
Detect Only is ideal for initial deployment: it logs all matches without blocking any requests, letting you tune rules and identify false positives. Block & Log is the recommended production mode: malicious requests are blocked and logged for review. Block Silent blocks without logging, useful for high-traffic environments where logging overhead is a concern.
ModSecurity Export
The WAF configuration can be exported as a ModSecurity-compatible .conf file. This means you can develop and test your WAF rules in ProxyStack's GUI, then deploy them to any Apache or NGINX server running ModSecurity in production.
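To make the rule list, the three operating modes and the ModSecurity export above concrete, here is an added Python sketch of a request-level rule engine. It is example code, not ProxyStack's own engine: the six rule patterns, the request dictionary shape and the SecRule rendering are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class WafRule:
    rule_id: int
    name: str
    pattern: str
    targets: tuple = ("query", "body")   # request parts the rule inspects

# Six of the twelve categories; patterns are constructed for illustration, not ProxyStack's own.
RULES = (
    WafRule(1001, "SQL Injection", r"(?i)(union\s+select|or\s+1\s*=\s*1|drop\s+table)"),
    WafRule(1002, "XSS", r"(?i)(<script|javascript:|on(?:error|load)\s*=)"),
    WafRule(1003, "Path Traversal", r"(\.\./|\.\.\\|/etc/passwd)"),
    WafRule(1004, "SSRF", r"(?i)(169\.254\.169\.254|localhost|127\.0\.0\.1)"),
    WafRule(1005, "XXE", r"(?i)(<!ENTITY\s|\sSYSTEM\s)"),
    WafRule(1006, "Protocol Enforcement", r"^(TRACE|TRACK)$", ("method",)),
)
MODES = ("detect_only", "block_and_log", "block_silent")

def evaluate(request: dict, mode: str, rules=RULES) -> dict:
    """Match every rule against the request parts it targets and apply the mode:
    detect_only logs without blocking, block_and_log blocks and logs, block_silent blocks only."""
    if mode not in MODES:
        raise ValueError(f"unknown WAF mode: {mode}")
    matched = [r for r in rules
               if any(re.search(r.pattern, request.get(part, "")) for part in r.targets)]
    blocked = bool(matched) and mode != "detect_only"
    log = [] if mode == "block_silent" else [
        f"waf rule {r.rule_id} ({r.name}) matched {request.get('method')} {request.get('path')}"
        for r in matched]
    return {"matched": [r.name for r in matched], "blocked": blocked, "log": log}

def to_modsecurity(mode: str, rules=RULES) -> str:
    """Render the rule set as ModSecurity SecRule directives carrying the mode's action."""
    action = {"detect_only": "pass,log", "block_and_log": "deny,log",
              "block_silent": "deny,nolog"}[mode]
    lines = []
    for r in rules:
        variables = "REQUEST_METHOD" if r.targets == ("method",) else "ARGS|REQUEST_BODY"
        lines.append(f'SecRule {variables} "@rx {r.pattern}" '
                     f'"id:{r.rule_id},phase:2,{action},msg:\'{r.name}\'"')
    return "\n".join(lines)
```

Running a suspicious request through `evaluate` in `detect_only` first, as the text recommends, shows exactly which rule fired before the same rule set is switched to a blocking mode or exported.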
Zero Trust: Beyond Perimeter Security
Traditional security models trust everything inside the network perimeter. Zero Trust assumes no implicit trust — every request must be authenticated and authorized, regardless of where it originates.
ProxyStack implements Zero Trust through three mechanisms:
1. Mutual TLS (mTLS)
Standard TLS only authenticates the server to the client. mTLS adds client authentication: the client must also present a valid certificate signed by a trusted CA. ProxyStack can generate the entire certificate chain:
- CA Certificate — RSA 4096-bit, 10-year validity, self-signed root CA for your organization
- Server Certificate — RSA 2048-bit, 2-year validity, signed by the CA. Automatically includes Subject Alternative Names (SANs) for all configured site domains, plus localhost and 127.0.0.1
The generated certificates use the .NET X509Certificate2 class for creation and validation, ensuring compatibility with the Windows certificate store.
2. Certificate Authentication Policies
Beyond just requiring a valid client certificate, you can define fine-grained policies that match specific certificate attributes. For example, you might allow only certificates with OU=Engineering to access your API, or restrict access to a specific client by SHA256 fingerprint. Five match types are supported: CN, OU, Issuer, Fingerprint, and SAN.
3. Network Segmentation
Define network zones with CIDR ranges, allowed ports, and traffic direction. This creates IP-based access control that segments your network into trusted zones. When exported to Apache configuration, these become <Location> blocks with Require ip directives.
Trust Score
The Trust Score (0–100) provides a quick visual indicator of your Zero Trust posture. It's calculated from six factors: mTLS enabled (+30), CA cert configured (+15), server cert configured (+15), client verification set to "require" (+15), auth policies defined (+15), and segmentation zones defined (+10). A score of 100 means you have a fully configured Zero Trust environment.
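The three Zero Trust mechanisms and the Trust Score above, worked through in added Python (not ProxyStack's code): policy matching on the five certificate attributes, the Apache <Location>/Require ip rendering of segmentation zones, and the six-factor score. The certificate attributes, fingerprint value and configuration key names are constructed assumptions.

```python
import ipaddress

# Constructed client-certificate attributes as a policy would see them (not a real certificate;
# the fingerprint is a placeholder, not a real SHA256 digest).
SAMPLE_CERT = {
    "CN": "ci-runner-01",
    "OU": "Engineering",
    "Issuer": "CN=ProxyStack Internal CA",
    "Fingerprint": "AB:12:CD:34",
    "SAN": ["ci-runner-01.internal", "10.0.5.21"],
}

def policy_allows(cert: dict, policies: list) -> bool:
    """Admit the client if any policy matches. CN, OU and Issuer compare exactly;
    Fingerprint compares colon-stripped hex case-insensitively; SAN matches any entry."""
    for p in policies:
        kind, expected = p["match"], p["value"]
        if kind == "SAN":
            hit = expected in cert.get("SAN", [])
        elif kind == "Fingerprint":
            hit = cert.get("Fingerprint", "").replace(":", "").lower() == expected.replace(":", "").lower()
        elif kind in ("CN", "OU", "Issuer"):
            hit = cert.get(kind) == expected
        else:
            raise ValueError(f"unknown match type: {kind}")
        if hit:
            return True
    return False   # default deny: no matching policy, no access

def apache_segmentation(zones: list) -> str:
    """Render segmentation zones as <Location> blocks with Require ip, validating each CIDR.
    Allowed ports and direction have no Require ip equivalent and are left to Listen/firewall."""
    blocks = []
    for z in zones:
        nets = " ".join(str(ipaddress.ip_network(c, strict=False)) for c in z["cidrs"])
        blocks.append(f'<Location "{z["path"]}">\n    Require ip {nets}\n</Location>')
    return "\n".join(blocks)

# The six weighted factors from the Trust Score description (key names are assumed).
TRUST_FACTORS = (("mtls_enabled", 30), ("ca_cert", 15), ("server_cert", 15),
                 ("client_verify_require", 15), ("auth_policies", 15), ("segmentation_zones", 10))

def trust_score(cfg: dict) -> int:
    """Each factor counts only when its value is set or non-empty; 100 means fully configured."""
    return sum(weight for key, weight in TRUST_FACTORS if cfg.get(key))
```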
Secrets Management Done Right
Storing secrets securely is one of the most common challenges in application development. ProxyStack's Secrets Vault uses Windows DPAPI (Data Protection API) with the CurrentUser scope, which means:
- Secrets are encrypted with your Windows user credentials
- No master password to remember or manage
- Secrets can only be decrypted by the same user on the same machine
- The encryption key is managed by Windows and tied to your login credentials
This is the same encryption mechanism used by Chrome to store passwords and by Windows Credential Manager. It's battle-tested and requires no additional infrastructure.
Security-First UX
The vault is designed with security-conscious UX patterns:
- Reveal shows the secret for exactly 5 seconds, then automatically re-masks it
- Copy places the secret on the clipboard and automatically clears it after 30 seconds
- Rotate generates a new 32-character value using System.Security.Cryptography.RandomNumberGenerator
- Export .env generates a standard dotenv file for use in your applications
Eight categories help organize secrets: General, Database, API Key, OAuth, SSL/TLS, Cloud, Service, and Internal. The vault is backward compatible with the legacy secrets format from earlier ProxyStack versions.
Enterprise Compliance Reporting
Meeting compliance requirements is often the most time-consuming part of security work. ProxyStack automates the evidence-gathering process for four major frameworks:
SOC2 Type II (9 Controls)
Covers security, availability, and processing integrity. Checks include: access control policies, encryption at rest and in transit, logging and monitoring, incident response procedures, change management, and backup verification.
GDPR (6 Articles)
Focuses on data protection requirements from the EU General Data Protection Regulation. Checks include: data encryption (Article 32), access control (Article 25), audit logging (Article 30), data minimization, breach notification readiness, and right to erasure support.
PCI-DSS v4.0 (8 Requirements)
Addresses payment card industry security standards. Checks include: firewall configuration, default password changes, encryption of cardholder data, access restriction, unique ID assignment, physical security, regular testing, and security policy documentation.
HIPAA (5 Safeguards)
Covers health data protection requirements. Checks include: access controls (Administrative Safeguard), audit controls (Technical Safeguard), integrity controls, transmission security, and facility access controls (Physical Safeguard).
Each check evaluates your real configuration — it reads proxystack.json, checks file permissions, verifies TLS settings, and examines logging configuration. The evidence text shows exactly what was found, making reports useful for auditors.
Automated Security Scanning
The Security Scanner performs automated assessments that go beyond configuration checks. It actively probes your environment for vulnerabilities.
Quick Scan (11 checks) covers the essentials: TLS protocol versions, security header presence, directory permissions on sensitive files, secrets exposure in configuration, and basic network security. It completes in seconds and is designed for frequent use.
Full Scan (18 checks) adds deeper analysis: open network ports, Docker container security (privileged mode, exposed socket), database security (default passwords, remote access), and advanced configuration review. It takes longer but provides comprehensive coverage.
Each finding includes a severity level (Critical, High, Medium, Low), a description of the issue, and remediation guidance. Results are persisted to logs/security-scan.json for historical tracking and can be exported for reporting.
Auto-Update & Integrity
ProxyStack includes a built-in update system that ensures you're always running the latest version while preserving all your data.
The update process is designed for reliability:
- The Dashboard fetches the update manifest from https://proxystack.iamvcholdings.com/api/updates/latest
- Version comparison determines if an update is available
- The update ZIP is downloaded with a progress bar
- SHA256 hash verification ensures the download wasn't tampered with
- ProxyStackUpdater.exe launches, waits for the GUI to exit, backs up current binaries, extracts new files, and restarts
- If anything fails, automatic rollback restores from _update_backup/
User data is never overwritten: configuration files, certificates, logs, backups, database data, secrets, and site files are all preserved. The update checker also handles network edge cases: it accepts self-signed SSL certificates and falls back to HTTP if HTTPS fails, ensuring connectivity behind corporate proxies.
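The update flow described above (version comparison, SHA256 verification, backup to _update_backup/, extraction that leaves user data alone, rollback on failure), as an added Python model rather than ProxyStackUpdater.exe's own code. The manifest field names, the archive contents and the exact list of preserved files are assumptions.

```python
import hashlib, hmac, io, json, shutil, tempfile, zipfile
from pathlib import Path

# User files the article says an update never overwrites (names from the article; assumed set).
PRESERVED = ("proxystack.json", "zero-trust.json", "secrets.json", "certs/", "logs/", "postgres/data/")

def build_zip(files: dict) -> bytes:
    buf = io.BytesIO()   # constructed in-memory archive standing in for the downloaded ZIP
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

SAMPLE_ZIP = build_zip({"ProxyStackGUI.exe": b"new-gui-binary", "proxystack.json": b"{}"})
# Constructed manifest; the field names are assumptions, not the real API schema.
MANIFEST = json.dumps({"version": "14.2.0", "sha256": hashlib.sha256(SAMPLE_ZIP).hexdigest()})

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))

def update_available(current: str, manifest_json: str) -> bool:
    return parse_version(json.loads(manifest_json)["version"]) > parse_version(current)

def verify_download(zip_bytes: bytes, manifest_json: str) -> bool:
    """Accept the archive only if its SHA256 equals the manifest value."""
    expected = json.loads(manifest_json)["sha256"].lower()
    return hmac.compare_digest(hashlib.sha256(zip_bytes).hexdigest(), expected)

def stage_update(install_dir: Path, zip_bytes: bytes) -> bool:
    """Back up binaries to _update_backup/, extract, roll back on failure; skip preserved files."""
    backup = install_dir / "_update_backup"
    shutil.rmtree(backup, ignore_errors=True)
    backup.mkdir()
    for f in install_dir.iterdir():
        if f.is_file() and f.suffix.lower() in (".exe", ".dll"):
            shutil.copy2(f, backup / f.name)
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                if ".." in name or name.startswith(("/", "\\")):
                    raise ValueError(f"unsafe archive path: {name}")   # refuse path escapes
                if not name.startswith(PRESERVED):
                    zf.extract(name, install_dir)
        return True
    except (zipfile.BadZipFile, ValueError):
        for f in backup.iterdir():          # rollback from _update_backup/
            shutil.copy2(f, install_dir / f.name)
        return False

def run_demo() -> dict:
    """Stage a good archive, then a corrupt one, in a throwaway install directory."""
    d = Path(tempfile.mkdtemp())
    (d / "ProxyStackGUI.exe").write_bytes(b"old-gui-binary")
    (d / "proxystack.json").write_bytes(b'{"keep": true}')
    out = {"staged": verify_download(SAMPLE_ZIP, MANIFEST) and stage_update(d, SAMPLE_ZIP)}
    out["gui"] = (d / "ProxyStackGUI.exe").read_bytes()
    out["config"] = (d / "proxystack.json").read_bytes()
    out["bad_zip_staged"] = stage_update(d, b"not a zip")   # exercises the rollback path
    out["gui_after_rollback"] = (d / "ProxyStackGUI.exe").read_bytes()
    shutil.rmtree(d)
    return out
```

Because the manifest may itself arrive over plain HTTP when the fallback described above triggers, the hash check detects a corrupted download but not an archive-and-manifest pair substituted on that channel. A signature over the manifest, verified against a key shipped with the application, would close that gap.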
VirusTotal Verified
Transparency matters, especially for security software. Every ProxyStack release is submitted to VirusTotal for scanning by 70+ antivirus engines.
The v14.2.0 release scanned completely clean on the EXE (0 detections out of 71 engines). The DLL received a single detection from VirIT's generic heuristic scanner (Trojan.Win64.MSIL_Heur.A), which is a well-known false positive that flags most .NET assemblies. All other 67 engines report clean.
Full VirusTotal reports are linked on the download page for independent verification.
The Modern GUI
ProxyStack's GUI is a native Windows Forms application with a custom dark theme. The modern UI (default) uses a sidebar navigation pattern with 21 views, while the classic UI (via --classic flag) provides a traditional tabbed interface.
The sidebar views are organized by function:
- Infrastructure — Dashboard, Sites, Apps, PostgreSQL, Docker, Certificates
- Monitoring — Monitor, Observability
- Security — Security, Compliance, WAF, Scanner, Secrets Vault, Reports, Zero Trust
- Collaboration — SentinelAI, Team, Cluster
- Configuration — Advanced, Logs, Settings
Every view includes a console panel at the bottom that shows real-time log output, making it easy to monitor operations without switching to a separate log viewer.
Performance & Portability
ProxyStack is designed to be lightweight despite its feature set:
- Startup time — The GUI launches in under 2 seconds on modern hardware
- Memory usage — ~80 MB RAM for the GUI process (Apache and PostgreSQL are separate processes)
- Disk footprint — ~138 MB for the Full edition, ~98 MB for Lite
- No background services — Nothing runs when ProxyStack is closed (unless you enable auto-start)
- Fully portable — Copy the folder to a USB drive, another machine, or a cloud VM. All paths are relative.
The .psxt template system (v1.1) makes it easy to share complete stack configurations between team members. Templates bundle the configuration JSON along with base64-encoded SSL certificates, so a teammate can import a template and have an identical environment running in seconds.
What's Next
Phase 11 marks a major milestone for ProxyStack, but development continues. Phase 12 (Enterprise Scale & Operations) is planned to include:
- Multi-instance management for load-balanced deployments
- Centralized logging with log aggregation
- Advanced API gateway features (rate limiting per-key, request transformation)
- Expanded plugin ecosystem
- Performance benchmarking and optimization tools
Ready to Try ProxyStack?
Download the portable ZIP, extract, and run. No installation required. All 21 views are ready to use immediately.
Resources
- ProxyStack Homepage — Features, downloads, and changelog
- Full Documentation — Complete reference for all 21 documentation sections
- Getting Started Guide — From download to running proxy in 5 minutes
- FAQ — 30+ frequently asked questions across 9 categories
- SentinelAI — AI-powered endpoint security monitoring