requestrepo.com

<img src="https://i.imgur.com/RIl2c1C.png" width="420">

A tool for analyzing HTTP, DNS, and SMTP requests with custom DNS records and response files.

Features

• Multi-protocol logging: Capture HTTP, DNS, and SMTP requests in real-time
• Custom DNS records: Create A, AAAA, CNAME, and TXT records for your subdomain
• Custom response files: Define custom HTTP responses with headers and body
• Real-time updates: WebSocket-based live request streaming
• Auto-TLS: Automatic HTTPS certificates via Let's Encrypt (DNS-01 for domains, HTTP-01 for IP addresses)
• IP Geolocation: Country detection for incoming requests (via DB-IP)
• Request sharing: Share individual requests via secure tokens
• Admin authentication: Optional password protection for session creation
• No external dependencies: In-memory cache with LRU eviction (no Redis required)

Quick Start

Run RequestRepo with Docker:

docker run -d \
  --name requestrepo \
  -p 80:80 -p 443:443 -p 53:53/udp -p 53:53/tcp -p 25:25 \
  -e JWT_SECRET=your-secret-key-min-32-chars \
  -e DOMAIN=yourdomain.com \
  -e SERVER_IP=your.server.ip \
  -e TLS_ENABLED=true \
  -e ACME_EMAIL=admin@yourdomain.com \
  -v requestrepo-certs:/app/certs \
  ghcr.io/adrgs/requestrepo:latest

This starts all services: HTTP (80), HTTPS (443), DNS (53), SMTP (25).

Using Docker Compose

Production (Pull from Registry)

git clone --depth 1 https://github.com/adrgs/requestrepo.git
cd requestrepo
cp .env.example .env  # Edit .env with your settings

# Use production image from ghcr.io
docker compose -f docker-compose.yml up -d

Development (Build Locally)

git clone https://github.com/adrgs/requestrepo.git
cd requestrepo
cp .env.example .env

# Build and run locally (uses docker-compose.override.yml automatically)
docker compose up -d --build

This starts all services:

• HTTP server on port 80
• HTTPS server on port 443 (with auto-TLS)
• DNS server on port 53
• SMTP server on port 25

DNS Configuration

For DNS logging to work, configure your domain's nameserver to point to your server.

Root Domain Setup

Dedicate the entire domain to requestrepo (e.g., requestrepo.com):

| Record Type | Name | Value | | ----------- | ----- | ----------------: | | NS | @ | ns1.example.com | | A | ns1 | <SERVER_IP> |

Subdomain Setup

Run requestrepo on a subdomain (e.g., rr.example.com):

| Record Type | Name | Value | | ----------- | ----- | ----------------: | | NS | rr | ns1.example.com | | A | ns1 | <SERVER_IP> |

For subdomain setups behind a reverse proxy, ensure:

1. The Host header is preserved
2. WebSocket support is enabled for /api/v2/ws

IP Geolocation

The Docker image includes the DB-IP country database by default. For local development without Docker, download manually:

mkdir -p ip2country/vendor
curl -o ip2country/vendor/dbip-country-lite.csv.gz \
  "https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).csv.gz"

Development

Prerequisites

• Rust 1.75+
• Bun 1.0+
• Docker (optional, for deployment)

Installation

make install

Starting Services

# Start backend (Rust)
make start-backend

# Start frontend (React/Vite)
make start-frontend

Available Commands

| Command | Description | |---------|-------------| | make install | Install all dependencies and git hooks | | make start-backend | Start Rust backend server | | make start-frontend | Start React development server | | make build | Build Rust backend (release mode) | | make test | Run all tests | | make lint | Run linters (clippy + eslint) | | make format | Format code (rustfmt + prettier) | | make docker-build | Build Docker image | | make docker-up | Start Docker containers | | make docker-down | Stop Docker containers |

Architecture

requestrepo/
├── src/                 # Rust backend
│   ├── cache/          # In-memory LRU cache
│   ├── certs/          # TLS/ACME certificate management
│   ├── dns/            # DNS server
│   ├── http/           # HTTP/HTTPS server + REST API
│   ├── smtp/           # SMTP server
│   └── utils/          # JWT, config, helpers
├── frontend/           # React frontend
│   ├── src/
│   │   ├── components/ # UI components
│   │   ├── pages/      # Page components
│   │   ├── stores/     # Zustand state stores
│   │   └── hooks/      # Custom React hooks
│   └── ...
└── ip2country/         # IP geolocation database

Environment Variables

See .env.example for all available options.

| Variable | Required | Default | Description | |----------|----------|---------|-------------| | JWT_SECRET | Yes | - | Secret key for JWT signing (min 32 chars) | | DOMAIN | Yes | - | Base domain (e.g., requestrepo.com) | | SERVER_IP | Yes | - | Public IP for DNS responses | | ADMIN_TOKEN | No | - | Password for session creation | | TLS_ENABLED | No | false | Enable HTTPS with Let's Encrypt | | ACME_EMAIL | No | - | Email for Let's Encrypt (required if TLS enabled) | | IP_CERT_ENABLED | No | false | Enable IP address TLS certificates (HTTP-01) | | IP_CERT_CHECK_HOURS | No | 6 | How often to check IP cert expiry (hours) | | IP_CERT_RENEWAL_HOURS | No | 96 | Renew IP cert when fewer than this many hours remain | | HTTP_PORT | No | 80 | HTTP server port | | HTTPS_PORT | No | 443 | HTTPS server port | | DNS_PORT | No | 53 | DNS server port | | SMTP_PORT | No | 25 | SMTP server port | | SENTRY_DSN_BACKEND | No | - | Sentry DSN for backend error tracking | | SENTRY_DSN_FRONTEND | No | - | Sentry DSN for frontend error tracking | | CACHE_MAX_MEMORY_PCT | No | 0.7 | Max cache memory as % of container limit | | MAX_SUBDOMAIN_SIZE_MB | No | 10 | Max storage per subdomain | | MAX_REQUEST_BODY_MB | No | 10 | Max HTTP request body size | | SESSION_RATE_LIMIT | No | 10 | Max sessions per IP per window | | SESSION_RATE_WINDOW_SECS | No | 60 | Rate limit window in seconds | | ALLOW_ALL_HEADERS | No | false | Allow dangerous headers (e.g., Service-Worker-Allowed) | | RUST_LOG | No | info | Log level (trace, debug, info, warn, error) |

Interface

Security Acknowledgments

Thank you to the following researchers for responsibly disclosing security issues:

• debsec - LFI via improper path handling
• JaGoTu - DoS via unrestricted file upload
• m0z - LFI via session subdomain
• Jorian - Session hijacking via Service-Worker-Allowed header
• aisafe.io - Insecure JWT_SECRET default allowing token forgery

Contributing

Please read CONTRIBUTING.md for details on our code of conduct and the process for submitting pull requests.

License

If you find this project useful, please consider giving it a star on GitHub.