Documentation

Configuration

The main configuration file is proxystack.json in the ProxyStack root folder.

Structure

{
  "settings": {
    "httpPort": 80,
    "httpsPort": 443,
    "serverAdmin": "admin@localhost",
    "environment": "development"
  },
  "sites": [...],
  "apps": [...],
  "security": {...},
  "sentinel": {...}
}

Settings File

GUI-specific settings are stored separately in proxystack.settings.json:

{
  "autoStartApache": true,
  "alertsEnabled": true,
  "slackWebhook": "https://hooks.slack.com/services/...",
  "alertEmail": "alerts@example.com"
}

Environment Profiles

Store profiles in profiles/ folder:

• profiles/proxystack.development.json
• profiles/proxystack.staging.json
• profiles/proxystack.production.json

Switch profiles from the Security tab using the Environment dropdown.

Site Configuration

Reverse Proxy Site

{
  "domain": "app.example.com",
  "proxy": {
    "target": "http://localhost:3000",
    "timeout": 60,
    "websocket": true
  },
  "ssl": {
    "enabled": true,
    "cert": "certs/app.example.com-crt.pem",
    "key": "certs/app.example.com-key.pem"
  },
  "redirectHttpToHttps": true
}

Static Site with SPA Fallback

{
  "domain": "static.example.com",
  "documentRoot": "sites/my-react-app/build",
  "spaFallback": true,
  "ssl": { "enabled": true, "cert": "...", "key": "..." }
}

Hybrid Site (Static + Proxy Routes)

{
  "domain": "hybrid.example.com",
  "documentRoot": "sites/frontend",
  "spaFallback": true,
  "proxyRoutes": [
    { "path": "/api", "target": "http://localhost:8000" },
    { "path": "/ws", "target": "ws://localhost:8001", "websocket": true }
  ],
  "ssl": { "enabled": true, "cert": "...", "key": "..." }
}

Site Fields

Field	Type	Description
domain	string	Primary domain name
aliases	string[]	Additional domain aliases
proxy	object	Main reverse proxy target
documentRoot	string	Static file directory
proxyRoutes	array	Per-path proxy routes
ssl	object	SSL certificate configuration
redirectHttpToHttps	bool	Auto-redirect HTTP to HTTPS
spaFallback	bool	Serve index.html for non-file routes

App Configuration

{
  "apps": [
    {
      "name": "My API",
      "command": "npm run dev",
      "workingDirectory": "apps/my-api",
      "port": 3000,
      "autoStart": true,
      "autoRestart": true,
      "subProcesses": [
        {
          "name": "Supabase",
          "command": "npx supabase start",
          "workingDirectory": null,
          "port": 54321,
          "autoStart": true
        }
      ]
    }
  ]
}

Sub-Processes

Field	Type	Description
name	string	Display name
command	string	Command to run
workingDirectory	string?	Working directory (inherits from parent if null)
port	int	Port the sub-process listens on (0 if N/A)
autoStart	bool	Start automatically with parent app

All commands are launched with echo y | piped to stdin and npm_config_yes=true set in the environment to auto-accept prompts. Sub-processes start before the main command and are killed together when the app is stopped.

SSL & Certificates

Let's Encrypt (Free Certificates)

1. Go to Certs tab
2. Click "Let's Encrypt"
3. Enter your domain and email
4. ProxyStack stops Apache, runs win-acme for HTTP-01 validation, then restarts Apache
5. Certificate files are saved to certs/

Self-Signed Certificates

Use the "Generate Self-Signed" option in the Certs tab. ProxyStack uses the bundled OpenSSL to create a certificate and key pair. Useful for local development.

Auto-Detection

When a site has SSL enabled but empty cert/key paths, ProxyStack automatically scans certs/ for matching files based on the domain name. Supported naming patterns:

• Cert: {domain}-crt.pem, {domain}-cert.pem, {domain}.crt, {domain}-fullchain.pem
• Key: {domain}-key.pem, {domain}.key, {domain}-privkey.pem
• Chain: {domain}-chain.pem, {domain}-chain-only.pem

Docker Integration

The Docker tab provides comprehensive container management (requires Docker Desktop).

Container Management

• View all containers (running and stopped) with status, ports, and image info
• Start, stop, restart, and remove containers
• View container logs with real-time streaming
• Inspect container details (full JSON configuration)
• Execute commands in running containers

Image Management

• Pull Docker images with progress indicators
• List local images with size and tag info
• Remove unused images

Docker Compose

• Compose Up/Down for multi-service deployments
• Select any docker-compose.yml file

Container Templates

One-click deploy for common services: NGINX, Apache, Caddy, PostgreSQL, MySQL, MongoDB, Redis, Node.js, Python, Go, Adminer, pgAdmin.

Resource Monitoring

Real-time CPU usage, memory consumption, network I/O, and disk usage per container.

Portable PostgreSQL

ProxyStack can manage a portable PostgreSQL instance without Docker.

First Time Setup

1. Click "Start PostgreSQL" in the Docker tab
2. If not installed, you'll be prompted to download (~300 MB)
3. PostgreSQL extracts to postgres/ automatically
4. Database initializes on first run

Paths

Path	Description
postgres/pgsql/bin/	PostgreSQL binaries
postgres/data/	Database data directory
postgres/data/log/	PostgreSQL logs

Database Console

Go to Advanced tab → Database Console. Enter connection details and execute SQL queries directly from the GUI.

Security Features

{
  "security": {
    "enableHSTS": true,
    "enableXFrameOptions": true,
    "enableXContentTypeOptions": true,
    "enableXXSSProtection": true,
    "ipWhitelist": ["192.168.1.0/24"],
    "ipBlacklist": ["10.0.0.5"]
  }
}

Security Headers

ProxyStack automatically adds security headers to all HTTPS responses: X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. Additional headers (HSTS, XSS Protection) can be enabled in the Security tab.

IP Access Control

Configure IP whitelists and blacklists to restrict access to your sites.

Encrypted Secrets Vault

The Secrets & Tools tab provides an encrypted vault for storing sensitive values like API keys, database passwords, and tokens.

Auto-Start on Boot

Enable "Start ProxyStack with Windows" and "Auto-start Apache" in the Security tab to run ProxyStack as a background service.

OWASP Compliance Dashboard

The Compliance sidebar view provides automated checks against the OWASP Top 10 2025 standard.

How It Works

1. Navigate to the Compliance view in the sidebar
2. Click "Run Compliance Scan"
3. ProxyStack evaluates 10 categories (A01 through A10) against your live configuration
4. Each category shows Pass/Fail with a color-coded card
5. An overall Security Score (0–100) is calculated

OWASP Top 10 2025 Categories

ID	Category	What ProxyStack Checks
A01	Broken Access Control	IP whitelist/blacklist configuration
A02	Cryptographic Failures	TLS enabled on all sites, valid cert paths
A03	Injection	WAF rules for SQLi, XSS, command injection
A04	Insecure Design	Security headers (HSTS, X-Frame-Options, etc.)
A05	Security Misconfiguration	Default ports, directory listing, server tokens
A06	Vulnerable Components	Apache version, module inventory
A07	Auth Failures	API key auth enabled, team roles configured
A08	Data Integrity	Update verification (SHA256), backup configuration
A09	Logging Failures	Access/error logging enabled, log rotation
A10	SSRF	Proxy target validation, internal network restrictions

Exporting Reports

Click "Export Report" to save results as CSV or TXT. Reports include the score, each category's pass/fail status, and remediation suggestions.

Web Application Firewall (WAF)

The WAF sidebar view provides request filtering with 12 built-in rules and a custom rule editor.

Built-in Rules

Rule	Pattern	Severity
SQL Injection	UNION SELECT, OR 1=1, DROP TABLE, etc.	Critical
XSS (Cross-Site Scripting)	<script>, javascript:, onerror=, etc.	High
Path Traversal	../, ..\, /etc/passwd, etc.	High
Command Injection	; ls, | cat, && rm, backticks, etc.	Critical
SSRF	169.254.169.254, localhost in params, etc.	High
File Inclusion	php://, file://, data://, etc.	High
HTTP Response Splitting	\r\n in headers	Medium
XML External Entity (XXE)	<!ENTITY, SYSTEM, etc.	High
Log Injection	\n, \r in log-destined fields	Medium
User-Agent Anomaly	Empty or suspicious user agents	Low
Scanner Detection	sqlmap, nikto, nmap, etc.	Medium
Protocol Enforcement	Non-HTTP methods (TRACE, TRACK)	Low

WAF Modes

• Detect Only — Log matches but don't block requests
• Block & Log — Block matching requests and log them
• Block Silent — Block matching requests without logging

Custom Rules

Click "Add Custom Rule" to create rules with a name, regex pattern, and severity level. Custom rules are evaluated alongside built-in rules.

ModSecurity Export

Click "Export ModSecurity .conf" to generate a ModSecurity-compatible configuration file that can be used with any Apache or NGINX server.

Threat Dashboard

The bottom panel shows a real-time threat log with timestamp, source IP, matched rule, and action taken. Threats are color-coded by severity.

Security Scanner

The Scanner sidebar view performs automated security assessments of your ProxyStack configuration.

Scan Types

Type	Checks	Description
Quick Scan	11	Essential security checks: TLS, headers, permissions, secrets
Full Scan	18	Quick Scan + network ports, containers, database, advanced config

Check Categories

• TLS Configuration — Protocol versions, cipher suites, certificate validity
• Security Headers — HSTS, CSP, X-Frame-Options, Referrer-Policy
• Directory Permissions — Write access on config files, world-readable secrets
• Secrets Exposure — API keys in config, hardcoded passwords
• Network Ports — Unnecessary open ports, default credentials
• Container Security — Privileged containers, exposed Docker socket
• Database Security — Default passwords, remote access settings

Severity Levels

Each finding is classified as Critical (red), High (orange), Medium (yellow), or Low/Info (blue). The overall security score (0–100) is weighted by severity.

Results

Scan results are persisted to logs/security-scan.json and displayed in a scrollable list with severity icons and remediation guidance.

Secrets Vault Pro

The Secrets Vault sidebar view provides DPAPI-encrypted storage for sensitive values.

Encryption

All secrets are encrypted using Windows DPAPI (Data Protection API) with the CurrentUser scope. This means secrets can only be decrypted by the same Windows user account on the same machine. No master password is needed.

Categories

Category	Use Case
General	Miscellaneous secrets
Database	Connection strings, passwords
API Key	Third-party API keys
OAuth	Client IDs, client secrets, tokens
SSL/TLS	Certificate passphrases, PFX passwords
Cloud	AWS, Azure, GCP credentials
Service	Service account credentials
Internal	Internal system secrets

Security Features

• Reveal — Shows the secret value for 5 seconds, then auto-hides
• Copy — Copies to clipboard with automatic 30-second clear
• Rotate — Generates a new 32-character cryptographically random value
• Export .env — Exports all secrets as a .env file for use in applications

Storage

Secrets are stored in config/secrets.json as DPAPI-encrypted base64 strings. The file is safe to back up but cannot be decrypted on a different machine or user account.

Compliance Reporting

The Reports sidebar view generates evidence-based compliance reports against 4 major frameworks.

Supported Frameworks

Framework	Controls	Description
SOC2 Type II	9	Security, availability, processing integrity controls
GDPR	6	Data protection articles (encryption, access control, logging)
PCI-DSS v4.0	8	Payment card industry requirements (firewall, encryption, access)
HIPAA	5	Health data safeguards (access, audit, integrity, transmission)
All Frameworks	28	Runs all checks from all frameworks at once

How It Works

1. Select a framework from the dropdown (or "All Frameworks")
2. Click "Generate Report"
3. Each control is evaluated against your real configuration and files
4. Results show Pass/Fail/N/A with evidence text
5. A compliance score percentage is calculated

Export Options

• Export CSV — Spreadsheet-friendly format with all check details
• Export TXT — Formatted text report suitable for auditors

Zero Trust Security

The Zero Trust sidebar view implements mutual TLS (mTLS), certificate-based authentication, and network segmentation.

mTLS Configuration

1. Toggle "Enable mTLS" to activate mutual TLS
2. Set the CA certificate path, server certificate path, and server key path
3. Configure Client Cert Verification (require, optional, none)
4. Set Verify Depth (certificate chain depth, default: 2)

Certificate Generation

• Generate CA — Creates a self-signed CA certificate (RSA 4096-bit, 10-year validity) for signing client and server certificates
• Generate Server Cert — Creates a server certificate (RSA 2048-bit, 2-year validity) signed by the CA. Automatically adds Subject Alternative Names (SANs) for all configured site domains, plus localhost and 127.0.0.1

Authentication Policies

Define certificate-based authentication rules. Each policy specifies a match type and value:

Match Type	Description	Example
CN (Common Name)	Match the certificate's Common Name	api-client-01
OU (Org Unit)	Match the certificate's Organizational Unit	Engineering
Issuer	Match the certificate's issuer CN	ProxyStack CA
Fingerprint	Match the certificate's SHA256 fingerprint	AB:CD:EF:...
SAN (Subject Alt Name)	Match a Subject Alternative Name	client.example.com

Network Segmentation

Define network zones with CIDR ranges, allowed ports, and traffic direction (inbound/outbound/both). This creates IP-based access control rules in the Apache configuration.

Trust Score

A dynamic trust score (0–100) is calculated based on: mTLS enabled (+30), CA cert configured (+15), server cert configured (+15), client verification set to "require" (+15), auth policies defined (+15), segmentation zones defined (+10).

Apache Export

Click "Export Apache Config" to generate a .conf file with SSLVerifyClient, SSLRequire directives, and IP-based <Location> blocks for network segmentation.

Configuration File

All Zero Trust settings are persisted to config/zero-trust.json:

{
  "mTLS": {
    "enabled": true,
    "caCertPath": "certs/zero-trust-ca.pem",
    "serverCertPath": "certs/zero-trust-server.pem",
    "serverKeyPath": "certs/zero-trust-server-key.pem",
    "clientVerification": "require",
    "verifyDepth": 2
  },
  "authPolicies": [...],
  "segmentationZones": [...]
}

REST API v2.0 Reference

Enable the API from Security tab → "Enable REST API (port 9090)". 17 endpoints with CORS support, rate limiting (60 req/min), and API key authentication.

Endpoints

Method	Endpoint	Description
GET	/api/status	Apache status, version, uptime
GET	/api/config	Configuration summary (settings, site count, app count)
GET	/api/health	Health check for all services
GET	/api/version	ProxyStack version and API version
GET	/api/sites	List all configured sites
GET	/api/apps	List all configured apps
POST	/api/apache/start	Start Apache
POST	/api/apache/stop	Stop Apache
POST	/api/apache/restart	Restart Apache
GET	/api/monitoring/system	CPU, memory, disk usage
GET	/api/monitoring/services	Apache, PostgreSQL, License API status
GET	/api/plugins	List installed plugins
GET	/api/plugins/marketplace	List available marketplace plugins
GET	/api/docker/status	Docker container listing
GET	/api/cluster/info	Cluster ID, node count, primary node
GET	/api/cluster/nodes	List all cluster nodes with health status
POST	/api/config/sync	Receive config push from primary node (with backup)

Authentication

For production use, enable API key authentication in the Production tab. Include the header X-API-Key: your-key with all requests.

Usage Examples

# PowerShell
Invoke-RestMethod -Uri "http://localhost:9090/api/status"
Invoke-RestMethod -Uri "http://localhost:9090/api/apache/restart" -Method POST

# curl
curl http://localhost:9090/api/health
curl -X POST http://localhost:9090/api/apache/restart

# Node.js
const res = await fetch('http://localhost:9090/api/status');
const status = await res.json();

Error Handling

All endpoints return JSON. Errors include an error field. HTTP status codes: 200 (success), 401 (unauthorized), 404 (not found), 500 (internal error).

Alerts & Notifications

Supported Channels

Channel	Setup
Slack	Enter Slack Incoming Webhook URL in Security tab
Email	Configure SMTP settings in proxystack.settings.json

Alert Types

• Service Down — Sent when Apache, PostgreSQL, or an app stops responding
• Service Up — Sent when a service recovers
• SSL Expiry — Warning when certificates approach expiration

Cooldown

Default 5-minute cooldown prevents alert spam for flapping services. Each service has an independent cooldown timer.

Plugin Marketplace

Extend ProxyStack with 20 community plugins from the Plugin Marketplace (Advanced tab). Requires Pro license to install.

Available Plugins

Plugin	Version	Description
Auth Provider	1.2.0	OAuth2/OIDC authentication proxy
Rate Limiter Pro	2.0.0	Advanced rate limiting with Redis backend
Geo Blocker	1.1.0	Block/allow traffic by country (GeoIP2)
WAF Rules	1.0.0	Web Application Firewall rule packs
Metrics Exporter	1.3.0	Prometheus/Grafana metrics endpoint
Log Aggregator	1.0.0	Ship logs to ELK/Splunk/Datadog
SSL Manager	1.1.0	Auto SSL with Let's Encrypt + renewal
Load Balancer	2.1.0	Round-robin/weighted/sticky balancing
CORS Manager	1.0.0	Per-site CORS header configuration
IP Reputation	1.0.0	Block known malicious IPs (AbuseIPDB)
Uptime Monitor	1.2.0	HTTP/TCP uptime checks with alerts
Backup Scheduler	1.1.0	Automated config + cert backups to S3/Azure
DNS Manager	1.0.0	Cloudflare/Route53 DNS record management
Docker Compose	1.3.0	Deploy stacks from compose templates
Webhook Relay	1.0.0	Forward webhooks with retry + logging
Access Logger	1.1.0	Real-time access log analytics dashboard
Header Inspector	1.0.0	Debug request/response headers per site
Redirect Manager	1.2.0	301/302 redirect rules with regex support
Basic Auth	1.0.0	HTTP Basic Authentication per site/path
Health Dashboard	1.1.0	Aggregated health status for all services

Managing Plugins

1. Go to Advanced tab → Plugin Marketplace
2. Select a plugin and click "Install Plugin" (or install from ZIP/DLL file)
3. Installed plugins appear with green "Active" status
4. Click "Remove Plugin" to uninstall

Plugin Storage

Each installed plugin gets a directory under plugins/ with a plugin.json manifest containing name, version, description, and install date.

Cluster Management

The Cluster sidebar view enables multi-server management from a single dashboard. Requires Enterprise license.

Overview

Manage multiple ProxyStack instances (nodes) from one primary node. Each node runs its own REST API on port 9090, and the primary node pings remote nodes for health status.

Adding Nodes

1. Navigate to the Cluster view
2. Click "+ Add Node"
3. Enter the node name, API URL (e.g. http://192.168.1.100:9090), and role (secondary/standby/worker)
4. The node appears in the list and is pinged for health status

Node Roles

Role	Description
Primary	The current machine — always shown first, cannot be removed
Secondary	Active replica receiving config syncs
Standby	Passive replica for failover
Worker	Load-balanced worker node

Health Checks

Click "Health Check All" to ping every node's /api/status endpoint. Results show Online/Offline status, web server state (Nginx/Apache), and version. Auto-refresh runs every 30 seconds.

Config Sync

1. Select a remote node in the list
2. Click "Sync Config →"
3. Your local proxystack.json is pushed to the remote node via POST /api/config/sync
4. The remote node creates a timestamped backup before applying the new config

Auto-Failover

Enable "Auto-Failover" to monitor nodes every 15 seconds. After 3 consecutive failures on a primary node, ProxyStack automatically promotes a standby node and notifies it via POST /api/cluster/promote.

Blue-Green Deploy

Zero-downtime config deployment in 4 steps:

1. Push current config to all standby/secondary nodes
2. Wait for nodes to apply config (5s)
3. Health check all standby nodes
4. If healthy: swap roles (standby → primary, primary → standby). If unhealthy: rollback with no changes.

Manual Node Promotion

Select any remote node and click "Promote" to make it the new primary. All current primaries are demoted to secondary. The promoted node is notified via its API.

Configuration File

Cluster nodes are stored in config/cluster-nodes.json:

{
  "clusterId": "MY-PC",
  "updatedAt": "2026-02-12T...",
  "nodes": [
    { "Id": "a1b2c3d4", "Name": "web-server-2", "Url": "http://192.168.1.100:9090", "Role": "secondary" }
  ]
}

Cloud Deployment

Deploy ProxyStack CLI to cloud servers (AWS EC2, DigitalOcean, etc.) and manage them from the GUI Cluster view.

Automated Setup (cloud-init)

Use the cloud-init script as EC2 User Data for fully automated provisioning:

#!/bin/bash
curl -sL https://proxystack.iamvcholdings.com/cloud/setup.sh | sudo bash

This installs Nginx, ProxyStack CLI, configures UFW firewall (ports 22/80/443/9090), and sets up systemd services.

Manual Setup

1. SSH into your server
2. Download and extract:

   curl -sL https://proxystack.iamvcholdings.com/downloads/proxystack-cli-v14.2.1-linux-x64.tar.gz -o proxystack.tar.gz
   sudo mkdir -p /opt/proxystack
   sudo tar xzf proxystack.tar.gz -C /opt/proxystack
   sudo chmod +x /opt/proxystack/proxystack
   sudo ln -sf /opt/proxystack/proxystack /usr/local/bin/proxystack

3. Start the API server for cluster health checks:

   sudo proxystack serve --port 9090

4. Set up as a systemd service for persistence:

   sudo tee /etc/systemd/system/proxystack-api.service <<EOF
   [Unit]
   Description=ProxyStack API Server
   After=network.target nginx.service
   
   [Service]
   Type=simple
   ExecStart=/opt/proxystack/proxystack serve --port 9090
   WorkingDirectory=/opt/proxystack
   Restart=always
   RestartSec=5
   
   [Install]
   WantedBy=multi-user.target
   EOF
   sudo systemctl daemon-reload
   sudo systemctl enable proxystack-api
   sudo systemctl start proxystack-api

5. Add the node in the GUI: Cluster → + Add Node → enter http://YOUR_IP:9090

CLI serve Command

The proxystack serve command starts a lightweight HTTP API server that responds to cluster health checks from the GUI:

Endpoint	Method	Description
/api/status	GET	Node status (version, web server, hostname, uptime)
/api/health	GET	Simple health check
/api/config	GET	Current proxystack.json config
/api/sites	GET	Configured sites list
/api/cluster/info	GET	Cluster role, version, node count
/api/cluster/promote	POST	Receive promotion notification
/api/config/sync	POST	Receive config sync from primary

CLI Cloud Commands

Command	Description
proxystack cloud deploy <host>	Deploy ProxyStack to a remote server via SSH
proxystack cloud status <host>	Check remote node health and version
proxystack cloud setup-script	Print the cloud-init setup script for Ubuntu

Updating the CLI on Remote Nodes

To update a remote node to the latest version:

# SSH into the node
ssh ubuntu@YOUR_IP

# Download the latest version
curl -sL https://proxystack.iamvcholdings.com/downloads/proxystack-cli-v14.2.1-linux-x64.tar.gz -o /tmp/proxystack-update.tar.gz

# Stop the API service, extract, restart
sudo systemctl stop proxystack-api
sudo tar xzf /tmp/proxystack-update.tar.gz -C /opt/proxystack --overwrite
sudo chmod +x /opt/proxystack/proxystack
sudo systemctl start proxystack-api

# Verify
proxystack --version
curl -s http://localhost:9090/api/health

The update preserves your proxystack.json config. The API server restarts automatically via systemd.

Team & Roles

The Team tab supports multi-user access with role-based permissions.

User Roles

Role	Permissions
Admin	Full access to all features
Developer	Manage sites, apps, and configuration
Operator	Start/stop services, view logs
Viewer	Read-only access

Audit Log

All actions (site changes, config updates, service starts/stops) are recorded in the audit log with timestamp, user, action, and details. Stored in team.json.

GUI Views Overview

ProxyStack v14.2.1 has 21 sidebar views in the modern dark-themed GUI. Launch with --classic flag for the legacy tabbed interface.

#	View	Tier	Purpose
1	Dashboard	Free	Start/Stop Apache, status cards, quick actions, update checker with SHA256 verification
2	Sites	Free	Add/edit/remove domains, proxy targets, SSL settings, SPA fallback, per-path proxy routes
3	Apps	Free	Backend process manager with sub-processes, auto-restart, health checks
4	PostgreSQL	Free	Start/stop/restart PostgreSQL, database list, create/drop, SQL query runner
5	Docker	Free	Container management, Compose, image pull, container templates, resource monitoring
6	Certificates	Free	SSL certificate management, Let's Encrypt via win-acme, self-signed generation via OpenSSL
7	Monitor	Free	Real-time CPU/RAM/Disk metrics, service health checks, alert thresholds
8	Security	Free	Security headers, IP whitelist/blacklist, REST API toggle, auto-start, environment profiles
9	Compliance	Free	OWASP Top 10 2025 dashboard, 10 automated checks, security score 0–100, CSV/TXT export
10	WAF	Free	Web Application Firewall, 12 built-in rules, custom rules, 3 modes, ModSecurity export, threat log
11	Scanner	Free	Security Scanner, Quick (11) + Full (18) checks, severity breakdown, async with progress
12	Secrets Vault	Free	DPAPI-encrypted vault, 8 categories, auto-hide reveal, clipboard clear, rotation, .env export
13	Reports	Pro	Compliance Reporting: SOC2 (9), GDPR (6), PCI-DSS (8), HIPAA (5) = 28 checks, CSV/TXT export
14	Zero Trust	Enterprise	mTLS toggle, CA/server cert generation, cert auth policies, network segmentation, trust score
15	SentinelAI	Pro	Connect to SentinelAI dashboard, view agents, threats, launch Windows agent
16	Team	Pro	Multi-user RBAC (Admin/Developer/Operator/Viewer), audit log, .psxt template sharing
17	Observability	Pro	Request tracing, P50/P95/P99 latency, service dependency graph, performance profiling
18	Advanced	Free	Request rewriting, HTTP caching, API gateway, plugin marketplace (Pro to install), database console
19	Cluster	Enterprise	Multi-server node management, health checks, config sync, auto-refresh
20	Logs	Free	Apache access/error logs, per-site logs, log file viewer
21	Settings	Free	Application settings, theme toggle, auto-start configuration

Auto-Update System

ProxyStack includes a built-in update system that checks for new versions and applies updates while preserving your data.

Checking for Updates

1. Go to the Dashboard view
2. Click "Check for Updates"
3. ProxyStack fetches the update manifest from https://proxystack.iamvcholdings.com/api/updates/latest
4. If a newer version is available, the changelog and download button appear

Update Process

1. Click "Download & Install"
2. The update ZIP is downloaded with a progress bar
3. SHA256 hash is verified against the manifest to ensure integrity
4. ProxyStackUpdater.exe launches, waits for the GUI to exit
5. Updater backs up current binaries to _update_backup/
6. New files are extracted, preserving all user data
7. GUI restarts automatically

Preserved During Updates

The following files and folders are never overwritten:

• proxystack.json, proxystack.settings.json, team.json, plugins.json
• certs/, logs/, backups/, profiles/, sites/
• config/ (secrets, zero-trust settings, WAF rules)
• postgres/data/ (database data)

Rollback

If the update fails, the updater automatically restores from _update_backup/. You can also manually restore by copying the backup files back.

Network Resilience

The update checker accepts self-signed SSL certificates and falls back to HTTP if HTTPS fails, ensuring connectivity even behind corporate proxies or firewalls.

File Locations

File/Folder	Purpose
proxystack.json	Main configuration
proxystack.settings.json	GUI settings
team.json	Users and audit log
plugins.json	Installed plugins list
config/httpd.conf	Generated Apache config
config/vhosts.conf	Generated virtual hosts
config/zero-trust.json	Zero Trust mTLS, auth policies, segmentation zones
config/secrets.json	DPAPI-encrypted secrets vault
certs/	SSL certificates (including Zero Trust CA/server certs)
logs/	Apache and application logs
logs/security-scan.json	Security Scanner results
backups/	Configuration backups
profiles/	Environment profiles
sites/	Static site files
plugins/	Plugin configuration files
postgres/	Portable PostgreSQL (Full edition)
apache/	Bundled Apache binaries
win-acme/	Let's Encrypt ACME client
sentinel/	SentinelAI agent files

Troubleshooting

Apache won't start

• Check port conflict: netstat -ano | findstr :80
• Click "Validate" to check configuration
• Review logs/error.log
• Verify all certificate paths exist

Apache won't stop

• Run ProxyStackGUI.exe as Administrator
• Manual kill: taskkill /F /IM httpd.exe

Let's Encrypt fails

• Verify DNS points to this server: nslookup yourdomain.com
• Ensure port 80 is open in Windows Firewall
• Check for rate limiting (wait 1 hour)
• ProxyStack auto-stops Apache during validation; ensure no other process holds port 80

Docker not found

• Start Docker Desktop and wait 30-60 seconds
• Verify: docker --version and docker ps

PostgreSQL won't start

• Check port 5432: netstat -ano | findstr :5432
• Verify postgres/pgsql/bin/pg_ctl.exe exists
• Check postgres/data/log/ for errors

REST API not responding

• Ensure GUI is running with API enabled (Security tab)
• Check port 9090 is not blocked
• Test: curl http://localhost:9090/api/status

Logs Location

• Apache access log: logs/access.log
• Apache error log: logs/error.log
• Per-site logs: logs/{domain}-access.log, logs/{domain}-error.log
• PostgreSQL: postgres/data/log/