Pux is a lightweight, asynchronous TCP protocol multiplexer written in Rust. It listens on a single port and forwards incoming connections to protocol-specific backend services by detecting the protocol in real time.
Supports:
- Protocol detection: HTTP, HTTPS (via TLS), SSH, RDP
- Non-blocking, concurrent handling with `tokio`
- Deep protocol inspection (no reliance on port numbers)
- Easy to configure with command-line arguments
- Logging via `tracing`
When a client connects to pux, the multiplexer:
- Peeks into the first packet sent by the client.
- Detects the protocol using pattern-based and TLS-based heuristics.
- Forwards the connection (including the already-received bytes) to the corresponding backend.
- Pipes traffic bidirectionally for the life of the connection.
```
                               ┌───────────────┐
                               │    Client     │
                               └───────┬───────┘
                                       │
                TCP Connection to pux Port 5500 (or any, 443?)
                                       │
                                       ▼
                               ┌───────────────┐
                               │      Pux      │
                               │ (Multiplexer) │
                               └───────┬───────┘
       ┌───────────────┬───────────────┼───────────────┬───────────────┐
       │               │               │               │               │
       ▼               ▼               ▼               ▼               ▼
      SSH            HTTPS           HTTP             RDP           Unknown
    "SSH-"         TLS Hello      GET/POST...       RDP SYN        Fallback
    banner          w/ SNI          Methods         Packet
       │               │               │               │
       ▼               ▼               ▼               ▼
 127.0.0.1:22    127.0.0.1:443   127.0.0.1:80  192.168.1.2:3389
      SSH            HTTPS           HTTP             RDP
    Server          Server          Server          Server
```
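The detection step described above, as an added example that is not Pux's own code: a std-only classifier for the peeked bytes. The names `Proto`, `detect`, `text_sig` and `header6` are hypothetical, and the signatures are the standard SSH, HTTP, TLS record and TPKT/X.224 prefixes, assumed rather than taken from Pux's source. It returns `NeedMore` on a short first read so that a fragmented hello is not misrouted to the fallback backend.

```rust
// Added example, not Pux's code: all names below are hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Proto { Ssh, Tls, Http, Rdp, Unknown, NeedMore }

const HTTP_METHODS: [&[u8]; 7] =
    [b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH "];

/// Text signature: Some(true) = full match, Some(false) = still a possible prefix, None = no match.
fn text_sig(buf: &[u8], sig: &[u8]) -> Option<bool> {
    let n = buf.len().min(sig.len());
    if buf[..n] == sig[..n] { Some(buf.len() >= sig.len()) } else { None }
}

/// Binary header: byte 1 is fixed, byte 5 carries the message type.
fn header6(buf: &[u8], b1: u8, b5: u8, hit: Proto) -> Proto {
    if buf.len() < 6 {
        // Short read: ask for more bytes unless byte 1 already rules it out.
        let plausible = buf.len() == 1 || buf[1] == b1;
        return if plausible { Proto::NeedMore } else { Proto::Unknown };
    }
    if buf[1] == b1 && buf[5] == b5 { hit } else { Proto::Unknown }
}

pub fn detect(buf: &[u8]) -> Proto {
    if buf.is_empty() { return Proto::NeedMore; }
    // SSH identification string begins with "SSH-".
    if let Some(full) = text_sig(buf, b"SSH-") {
        return if full { Proto::Ssh } else { Proto::NeedMore };
    }
    // HTTP request line begins with a method token followed by a space.
    for m in HTTP_METHODS.iter() {
        if let Some(full) = text_sig(buf, m) {
            return if full { Proto::Http } else { Proto::NeedMore };
        }
    }
    match buf[0] {
        // TLS record: type 0x16 (handshake), major version 3, ClientHello = 0x01.
        0x16 => header6(buf, 0x03, 0x01, Proto::Tls),
        // TPKT version 3, reserved 0, then X.224 Connection Request (0xE0).
        0x03 => header6(buf, 0x00, 0xE0, Proto::Rdp),
        _ => Proto::Unknown, // candidate for the --fallback backend
    }
}

fn main() {
    // Constructed sample prefixes, not captured traffic.
    let samples: [&[u8]; 4] = [b"SSH-2.0-x", b"GET / ", b"\x16\x03\x01\x00\xc8\x01", b"\x03\x00\x00\x13\x0e\xe0"];
    for s in samples.iter() { println!("{:?} -> {:?}", &s[..4], detect(s)); }
}
```

A caller should cap both the number of re-peeks and the time spent in `NeedMore`, so a client that sends one byte and stalls cannot hold a connection slot indefinitely.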
```bash
cargo build --release
```

```bash
./pux \
  --listen 0.0.0.0:9999 \
  --http 127.0.0.1:8080 \
  --https 127.0.0.1:8443 \
  --ssh 127.0.0.1:2222 \
  --rdp 127.0.0.1:3389
```

Only the protocols you specify will be enabled. At least one backend is required.
| Option | Description | Required |
|---|---|---|
| `--listen` | Address and port to listen on | Yes |
| `--fallback` | Fallback backend (for undetected/unknown protocol) | Optional |
| `--http` | Backend for HTTP clients | Optional |
| `--https` | Backend for HTTPS (TLS) clients | Optional |
| `--ssh` | Backend for SSH clients | Optional |
| `--rdp` | Backend for RDP clients | Optional |

At least one backend must be configured.
Run Pux on the default RDP port (3389) and forward SSH, HTTP, or RDP clients to their correct backend automatically.
Try with `curl`, `ssh`, or an RDP client pointed at your mux port:

```bash
curl http://localhost:9999
ssh -p 9999 user@localhost
```

Pux doesn't terminate TLS or SSH; it simply forwards traffic after protocol detection. That means end-to-end encryption is preserved.
MIT
Pux = Protocol muxer. Short, fast, and to the point, like the tool itself.