Common questions about ProxyStack, configuration, SSL, Docker, and more.
ProxyStack is a portable Windows web stack that bundles Apache (TLS reverse proxy), an app runner, Docker management, PostgreSQL, SSL certificate management, OWASP compliance, WAF, security scanner, secrets vault, compliance reporting, Zero Trust mTLS, SentinelAI integration, a plugin marketplace (20 plugins), REST API v2.0 (17 endpoints), and multi-server cluster management into a single portable ZIP. It provides a modern dark-themed GUI with 21 sidebar views for managing all aspects of your web infrastructure. No installation required — extract and run.
ProxyStack runs on Windows 10 and Windows 11. It requires .NET 8 Runtime (included in the portable ZIP). The GUI is a native Windows Forms application.
ProxyStack is available in two editions: Full (~138 MB, includes PostgreSQL) and Lite (~98 MB, without PostgreSQL). Contact IAMVC Holdings, LLC for licensing information.
No. ProxyStack is fully portable. Extract the ZIP to any folder and run ProxyStackGUI.exe. All configuration, certificates, logs, and data are stored within the ProxyStack folder. You can move it to a USB drive or another machine.
Full Edition includes everything: Apache, PostgreSQL, win-acme, OpenSSL, SentinelAI agent, templates, and documentation. Lite Edition is the same but without the bundled PostgreSQL binaries (you can still auto-download PostgreSQL from the GUI if needed).
Click "Check for Updates" on the Dashboard. If a new version is available, click "Download & Install". The updater automatically preserves your configuration, certificates, logs, backups, and other user data while updating binaries and system files.
ProxyStack generates Apache virtual host configurations from your proxystack.json settings. Each site can be a reverse proxy (forwarding to a backend like Node.js, Python, etc.), a static file server, or a hybrid of both. Apache handles TLS termination, WebSocket proxying, and HTTP/HTTPS routing.
Yes. Add multiple sites in the Sites tab, each with its own domain and proxy target. ProxyStack generates separate virtual hosts for each domain. You can also define per-path proxy routes within a single site (e.g., /api goes to one backend, /ws goes to another).
Yes. Enable the WebSocket option on any site or proxy route. ProxyStack configures Apache's mod_proxy_wstunnel with proper upgrade headers for WebSocket connections.
Yes. Set both a documentRoot and proxyRoutes on a site. Static files are served from the document root, while specific paths are proxied to backends. Enable spaFallback for single-page applications that need index.html served for all non-file routes.
Common causes: (1) Port 80 or 443 is already in use by another application — check with netstat -ano | findstr :80. (2) Configuration error — click "Validate" in the GUI. (3) Missing or invalid SSL certificate paths. Check the Dashboard console and logs/error.log for details.
Go to the Certs tab, click "Let's Encrypt", enter your domain and email. ProxyStack uses the bundled win-acme ACME client to request a certificate via HTTP-01 validation. Apache is automatically stopped during validation (to free port 80) and restarted after.
Yes. The Certs tab has a "Generate Self-Signed" option that uses the bundled OpenSSL to create a certificate and key pair. Self-signed certs are useful for local development but will show browser warnings.
ProxyStack automatically detects matching certificate files in the certs/ folder based on the domain name. If it finds files like yourdomain.com-crt.pem and yourdomain.com-key.pem, it fills in the paths automatically and saves them to your configuration.
Certificates are stored in the certs/ folder within your ProxyStack directory. Win-acme generates PEM files named {domain}-crt.pem, {domain}-key.pem, and {domain}-chain.pem.
Win-acme creates a scheduled task for automatic renewal. You can also manually renew from the Certs tab. ProxyStack monitors certificate expiry dates and shows warnings in the Dashboard when certificates are approaching expiration.
The Apps tab lets you define backend applications (Node.js, Python, Go, etc.) that ProxyStack manages. You specify the command, working directory, and port. ProxyStack can auto-start apps, auto-restart on crash, and manage sub-processes.
Sub-processes are additional commands that run alongside your main app. For example, you might run npx supabase start as a sub-process alongside npm run dev. Sub-processes start before the main command and stop together when the app is stopped. All commands auto-accept prompts.
Yes. Define as many apps as you need in the Apps tab. Each runs as a separate process with its own working directory and port. ProxyStack tracks all running processes and provides start/stop controls for each.
No. Docker integration is optional. If Docker Desktop is installed and running, ProxyStack can manage containers, images, Compose projects, and networks through the Docker tab. Without Docker, all other features work normally.
Click "Start PostgreSQL" in the Docker tab. If PostgreSQL isn't installed, ProxyStack auto-downloads it (~300 MB) with a progress bar. PostgreSQL runs portably from the postgres/ folder — no system-wide installation needed. Data is stored in postgres/data/.
Yes. Go to the Advanced tab and open the Database Console. Enter your connection details (host, port, database, user) and execute SQL queries directly from the GUI. Results are displayed in a table format.
All configuration is stored in proxystack.json in the ProxyStack root folder. This file defines sites, apps, security settings, and SentinelAI configuration. You can edit it directly or use the GUI.
The auto-updater preserves: proxystack.json, proxystack.settings.json, certs/, logs/, backups/, profiles/, sites/, team.json, plugins.json, and postgres/data/. Only system binaries and templates are updated.
Click "Backup" on the Dashboard. ProxyStack creates a timestamped backup in the backups/ folder containing your configuration, settings, and team data. You can also manually copy proxystack.json.
Yes. Store profiles in the profiles/ folder (e.g., proxystack.development.json, proxystack.production.json). Switch between profiles from the Security tab's Environment dropdown.
ProxyStack includes: HSTS headers, X-Frame-Options, X-Content-Type-Options, XSS protection headers, IP whitelist/blacklist, REST API authentication, team-based access control (Admin, Developer, Operator, Viewer roles), DPAPI-encrypted secrets vault with 8 categories, OWASP Top 10 2025 compliance dashboard, Web Application Firewall with 12 built-in rules, security scanner (29 checks), compliance reporting for SOC2/GDPR/PCI-DSS/HIPAA (28 controls), Zero Trust mTLS with certificate auth policies and network segmentation, and SentinelAI integration for endpoint security.
Yes. Enable it from the Security tab ("Enable REST API on port 9090"). Endpoints include: /api/status, /api/health, /api/config, /api/sites, /api/apps, /api/apache/start, /api/apache/stop, /api/apache/restart. API key authentication is available for production use.
ProxyStack includes a SentinelAI tab that connects to your SentinelAI dashboard for real-time security monitoring. You can view agents, threats, and security status directly from the ProxyStack GUI. The SentinelAI Windows agent can also be launched from ProxyStack.
ProxyStack can send alerts via Slack webhooks and email (SMTP) when services go down or health checks fail. Configure alert channels in the Security tab. Alerts have a 5-minute cooldown to prevent spam from flapping services.
The Compliance sidebar view runs 10 automated checks against the OWASP Top 10 2025 standard. It evaluates your live configuration for broken access control, cryptographic failures, injection vulnerabilities, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, and SSRF. Each category shows Pass/Fail with a color-coded card, and an overall security score (0–100) is calculated. Export results as CSV or TXT.
The WAF sidebar view provides request filtering with 12 built-in rules covering SQL injection, XSS, path traversal, command injection, SSRF, file inclusion, XXE, and more. Choose from 3 modes: Detect Only (log but don't block), Block & Log (block and record), or Block Silent (block without logging). You can add custom rules with regex patterns. The threat dashboard shows real-time blocked requests. Export your ruleset as a ModSecurity .conf file for use on any Apache or NGINX server.
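The three modes described above, sketched as an added example that is not ProxyStack's code: the rule patterns, function names and sample requests are constructed for illustration. It decodes the request target before matching, because a regex rule applied to the raw target would miss percent-encoded input.

```python
import re
from urllib.parse import unquote_plus

# Mode names follow the page; each maps to (block, log).
MODES = {
    "detect_only": (False, True),
    "block_and_log": (True, True),
    "block_silent": (True, False),
}

# Constructed custom rules (name, regex); not ProxyStack's built-in rule set.
RULES = [
    ("path-traversal", re.compile(r"(?:^|[\\/=])\.\.(?:[\\/]|$)")),
    ("sqli-union", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
]

def decode(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so single- and double-encoded input is normalized."""
    for _ in range(rounds):
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt
    return target

def inspect(target: str, mode: str, log: list) -> bool:
    """Return True when the request must be blocked; record hits if the mode logs."""
    block, do_log = MODES[mode]
    decoded = decode(target)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if hits and do_log:
        log.append({"target": target, "rules": hits, "blocked": block})
    return bool(hits) and block

# Constructed sample request targets.
ENCODED_TRAVERSAL = "/download?file=%252e%252e%252fweb.config"
UNION_QUERY = "/search?q=1+UNION+SELECT+name"
BENIGN = "/static/app.js?v=1.2..3"

if __name__ == "__main__":
    for mode in MODES:
        events = []
        print(mode, inspect(ENCODED_TRAVERSAL, mode, events), len(events))
```

In Block Silent the request is stopped but the log list stays empty, so nothing downstream can alert on or count those hits.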
Quick Scan runs 11 essential checks: TLS configuration, security headers, directory permissions, secrets exposure, and more. Full Scan adds 7 more checks covering network ports, container security, database security, and advanced configuration. Each finding is classified by severity (Critical, High, Medium, Low) and includes remediation guidance. Results are saved to logs/security-scan.json.
Currently, scans are triggered manually from the GUI. You can use the REST API endpoint or a Windows Scheduled Task to automate scans if needed.
The Secrets Vault uses Windows DPAPI (Data Protection API) with the CurrentUser scope. Secrets are encrypted with your Windows user credentials and can only be decrypted by the same user on the same machine. No master password is needed. The vault supports 8 categories (General, Database, API Key, OAuth, SSL/TLS, Cloud, Service, Internal), auto-hides revealed values after 5 seconds, and auto-clears the clipboard after 30 seconds.
Yes. Click "Export .env" to generate a standard .env file with all your secrets in KEY=value format. You can also use the "Rotate" button to generate a new 32-character cryptographically random value for any secret.
The Reports sidebar view supports 4 frameworks: SOC2 Type II (9 controls), GDPR (6 articles), PCI-DSS v4.0 (8 requirements), and HIPAA (5 safeguards). Select "All Frameworks" to run all 28 checks at once. Each check evaluates your real configuration and provides evidence text. Export reports as CSV or formatted TXT for auditors.
The reports provide evidence-based results showing what was checked, the pass/fail status, and the evidence found. While they serve as a strong starting point for compliance documentation, a formal audit may require additional evidence and attestation from a qualified auditor.
The Zero Trust sidebar view implements mutual TLS (mTLS), where both the server and client present certificates to authenticate each other. This goes beyond standard TLS, where only the server is authenticated. ProxyStack can generate a CA certificate (RSA 4096-bit, 10-year validity) and server certificates (RSA 2048-bit, 2-year validity) with automatic Subject Alternative Names from your configured domains.
You can define rules that match specific certificate attributes: Common Name (CN), Organizational Unit (OU), Issuer, SHA256 Fingerprint, or Subject Alternative Name (SAN). Only clients whose certificates match at least one policy are granted access. This allows fine-grained access control based on certificate identity.
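One way to evaluate such policies, as an added example that is not ProxyStack's own code: the policy shape (`field`/`value`), the function names and the sample certificate are assumptions constructed for illustration. It assumes the TLS layer has already validated the client certificate chain against the trusted CA, since CN, OU and SAN values only carry meaning inside a certificate that chains to that CA.

```python
import hashlib

# Hypothetical policy shape {"field": ..., "value": ...}; the page does not show
# ProxyStack's schema. Field names follow the attributes the page lists.
FIELDS = ("cn", "ou", "issuer", "sha256", "san")

def norm_fp(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; compare as lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()

def cert_view(der: bytes, cn: str, ou: list, issuer: str, san: list) -> dict:
    """Attributes of an already chain-validated client certificate."""
    return {"cn": cn, "ou": ou, "issuer": issuer,
            "san": [s.lower() for s in san],
            "sha256": hashlib.sha256(der).hexdigest()}

def policy_matches(policy: dict, cert: dict) -> bool:
    field, want = policy["field"].lower(), policy["value"]
    if field not in FIELDS:
        raise ValueError(f"unknown policy field: {field}")
    if field == "sha256":
        return norm_fp(want) == cert["sha256"]   # pins exactly one certificate
    if field == "san":
        return want.lower() in cert["san"]       # DNS names are case-insensitive
    if field == "ou":
        return want in cert["ou"]                # a subject may carry several OUs
    return cert[field] == want                   # cn / issuer: exact match

def is_authorized(cert: dict, policies: list) -> bool:
    """Grant access when at least one policy matches; an empty list denies."""
    return any(policy_matches(p, cert) for p in policies)

# Constructed sample data (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-for-illustration"
CLIENT = cert_view(SAMPLE_DER, cn="build-agent-01", ou=["CI"],
                   issuer="CN=Example Internal CA", san=["Agent01.corp.example"])
POLICIES = [
    {"field": "ou", "value": "Operations"},
    {"field": "san", "value": "agent01.corp.example"},
]

if __name__ == "__main__":
    print(is_authorized(CLIENT, POLICIES))  # the SAN policy matches
    print(is_authorized(CLIENT, []))        # no policies: access denied
```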
Network segmentation zones define IP-based access control rules. Each zone specifies a name, CIDR range (e.g., 192.168.1.0/24), allowed ports, and traffic direction (inbound, outbound, or both). These are exported as Apache <Location> blocks with Require ip directives.
The Trust Score (0–100) is a dynamic metric that reflects how well your Zero Trust configuration is set up. Points are awarded for: mTLS enabled (+30), CA cert configured (+15), server cert configured (+15), client verification set to "require" (+15), auth policies defined (+15), and segmentation zones defined (+10).
ProxyStack has a Plugin Marketplace in the Advanced tab. Plugins extend functionality with features like authentication middleware, caching layers, rate limiting, and more. Install, configure, and manage plugins from the GUI.
Yes. The Advanced tab includes API versioning (/v1, /v2), path prefix routing, per-version rate limiting, request/response header rewriting, and URL rewriting rules.
The Observability tab provides request tracing, performance metrics, and a service dependency graph showing how your sites and backends are connected. Metrics can be exported via the Metrics Exporter plugin.
Yes. The Team tab supports multiple users with role-based access control: Admin (full access), Developer (manage sites/apps), Operator (start/stop services), and Viewer (read-only). All actions are logged in an audit trail.