Kids Proxy - A transparent HTTP/HTTPS interception proxy with embedded DNS server for home network parental controls, powered by Open Policy Agent.
KProxy sits between your home devices and the internet, providing intelligent, policy-based access control:
- Block inappropriate content with time-based restrictions
- Track and limit screen time by category (entertainment, educational, etc.)
- Bypass sensitive sites (banking) to avoid MITM issues
- Block advertisements at the DNS level like Pi-hole
- Configure with code using declarative Rego policies
Unlike traditional parental controls, KProxy uses policy-as-code with OPA, giving you full control over access rules through version-controlled configuration files instead of databases or GUIs.
Features:
- Policy-Based Control - Define access rules in declarative Rego code
- Time-Based Restrictions - Allow access only during specific hours
- Usage Tracking & Limits - Track and limit daily usage by category
- HTTPS Interception - Transparent TLS termination with dynamic certificates
- Embedded DNS Server - Single-point configuration for network clients
- Ad Blocking - Block ad domains like Pi-hole
- Bypass Sensitive Sites - Avoid MITM on banking and critical services
- Prometheus Metrics - Built-in observability and monitoring
- Redis Storage - Fast, scalable operational data storage
Quick start:

```bash
# 1. Install dependencies
sudo apt-get install redis-server   # or: brew install redis
sudo systemctl start redis

# 2. Clone and build
git clone https://github.com/goodtune/kproxy.git
cd kproxy
make build

# 3. Generate CA certificates (the root key written here must stay on this host; see the security notes)
sudo make generate-ca

# 4. Install to system paths
sudo make install

# 5. Configure
sudo mkdir -p /etc/kproxy/policies
sudo cp configs/config.example.yaml /etc/kproxy/config.yaml
sudo cp policies/*.rego /etc/kproxy/policies/

# 6. Edit your policies
sudo nano /etc/kproxy/policies/config.rego

# 7. Enable and start service
sudo systemctl enable kproxy
sudo systemctl start kproxy
```

Documentation:
- Complete Documentation - Architecture, setup, configuration
- Policy Tutorial - Step-by-step guide to writing policies:
  - Start with "block everything"
  - Allow specific services (Google, Gmail, etc.)
  - Time-based restrictions by device/subnet
  - Bypass banking sites
  - Block advertisement domains
- CA Installation Guide - Install the root CA on your devices:
  - Windows, macOS, Linux
  - iOS, Android, Chrome OS
  - Firefox (all platforms)
- Development Guide - For contributors
```
┌──────────┐                           ┌────────────┐
│  Device  │──── DNS query ───────────▶│ DNS Server │
└────┬─────┘                           └─────┬──────┘
     │                                       │
     │ HTTP/HTTPS request              ┌─────▼──────┐      ┌────────────┐
     │                                 │   Policy   │─────▶│ OPA Engine │
     ▼                                 │   Engine   │◀─────│   (Rego)   │
┌──────────┐  Facts: IP, MAC,          └─────┬──────┘      └────────────┘
│  Proxy   │  domain, time, usage            │
│  Server  │◀────────────────────────────────┘
└────┬─────┘  Decision: Allow/Block
     │
     ▼
  Internet
```
- Go gathers facts: Client IP/MAC, domain, time, current usage
- OPA evaluates policies: Written in Rego (declarative policy language)
- Go enforces decisions: Allow, block, or track usage
Configuration lives in code (policies/*.rego), not in a database. This means:
- Version control your policies with Git
- Test policies with opa test
- Change rules without modifying application code
- Declarative: describe what, not how
```rego
# /etc/kproxy/policies/config.rego
package kproxy.config

devices := {
    "kids-ipad": {
        "name": "Kids iPad",
        "identifiers": ["aa:bb:cc:dd:ee:ff"],  # MAC address
        "profile": "child"
    }
}

profiles := {
    "child": {
        "time_restrictions": {
            "after-school": {
                "days": [1, 2, 3, 4, 5],  # Monday-Friday
                "start_hour": 15,         # 3 PM
                "end_hour": 18            # 6 PM
            }
        },
        "rules": [
            {
                "id": "allow-educational",
                "domains": ["*.khanacademy.org", "*.wikipedia.org"],
                "action": "allow",
                "priority": 10
            },
            {
                "id": "block-social",
                "domains": ["*.tiktok.com", "*.snapchat.com"],
                "action": "block",
                "priority": 20
            }
        ],
        "usage_limits": {
            "entertainment": {
                "daily_minutes": 60,
                "domains": ["*.youtube.com", "*.netflix.com"]
            }
        },
        "default_action": "block"
    }
}

# Bypass banking sites (no MITM)
global_bypass_domains := [
    ".wellsfargo.com",
    ".bankofamerica.com",
    "ocsp.*.com"  # Certificate validation
]
```

This policy:
- Allows educational sites for kids
- Blocks social media
- Restricts access to 3-6 PM on weekdays
- Limits entertainment to 60 min/day
- Bypasses banking sites (no interception)
Learn more: Policy Tutorial
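To make the decision flow above concrete, here is an added example in Go that is not KProxy's code (in KProxy this evaluation is performed by OPA from the Rego policy). It models the facts the Go side gathers and transcribes the sample child profile and bypass list from config.rego, so the behaviour the bullet list describes can be traced and checked. The following are this example's own assumptions, not stated on the page: rules with a lower priority number are consulted first; a leading-dot pattern means the domain and its subdomains while other patterns are globs whose "*" may span several labels; global bypass is checked before any profile rule; and a profile with time_restrictions blocks everything outside its windows. All type and function names are invented here.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// Facts: what KProxy's Go side gathers before asking the policy engine (field names are this example's own).
type Facts struct {
	ClientMAC, Domain string
	Now               time.Time
	UsedToday         map[string]int // category -> minutes consumed today
}

// The remaining types mirror the shape of the "child" profile in config.rego above.
type Rule struct {
	ID       string
	Domains  []string
	Action   string // "allow" or "block"
	Priority int    // lower number is consulted first (assumption)
}
type TimeWindow struct {
	Days               []time.Weekday // Monday == 1 ... Friday == 5, as in the Rego sample
	StartHour, EndHour int            // [StartHour, EndHour)
}
type UsageLimit struct {
	DailyMinutes int
	Domains      []string
}
type Profile struct {
	TimeRestrictions map[string]TimeWindow
	Rules            []Rule
	UsageLimits      map[string]UsageLimit
	DefaultAction    string
}
type Decision struct{ Action, Reason string } // Action: "allow", "block" or "bypass"

// matches reports whether domain fits any pattern. A leading dot means "this domain and every
// subdomain" (".wellsfargo.com"); other patterns are globs whose "*" may span several labels
// ("*.youtube.com", "ocsp.*.com"). The project's exact Rego matching semantics are an assumption.
func matches(domain string, patterns ...string) bool {
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	for _, p := range patterns {
		p = strings.ToLower(p)
		if ok, _ := path.Match(p, domain); ok || (strings.HasPrefix(p, ".") && (domain == p[1:] || strings.HasSuffix(domain, p))) {
			return true
		}
	}
	return false
}

// Evaluate applies the checks in first-match order: global bypass (never intercepted, whatever the
// profile says), the profile's time windows, domain rules by priority, usage limits, then default_action.
func Evaluate(bypass []string, p Profile, f Facts) Decision {
	if matches(f.Domain, bypass...) {
		return Decision{"bypass", "global_bypass_domains"}
	}
	if len(p.TimeRestrictions) > 0 {
		open := false
		for _, w := range p.TimeRestrictions {
			for _, d := range w.Days {
				open = open || (d == f.Now.Weekday() && f.Now.Hour() >= w.StartHour && f.Now.Hour() < w.EndHour)
			}
		}
		if !open {
			return Decision{"block", "outside every time_restrictions window"}
		}
	}
	rules := append([]Rule(nil), p.Rules...) // sort a copy so the profile itself is never mutated
	sort.SliceStable(rules, func(i, j int) bool { return rules[i].Priority < rules[j].Priority })
	for _, r := range rules {
		if matches(f.Domain, r.Domains...) {
			return Decision{r.Action, "rule " + r.ID}
		}
	}
	for cat, lim := range p.UsageLimits {
		if matches(f.Domain, lim.Domains...) {
			if f.UsedToday[cat] >= lim.DailyMinutes {
				return Decision{"block", "usage_limits " + cat + " exhausted"}
			}
			return Decision{"allow", fmt.Sprintf("usage_limits %s (%d/%d min)", cat, f.UsedToday[cat], lim.DailyMinutes)}
		}
	}
	return Decision{p.DefaultAction, "default_action"}
}

// Sample child profile and bypass list, transcribed from config.rego above.
var childProfile = Profile{
	TimeRestrictions: map[string]TimeWindow{"after-school": {Days: []time.Weekday{1, 2, 3, 4, 5}, StartHour: 15, EndHour: 18}},
	Rules: []Rule{
		{ID: "allow-educational", Domains: []string{"*.khanacademy.org", "*.wikipedia.org"}, Action: "allow", Priority: 10},
		{ID: "block-social", Domains: []string{"*.tiktok.com", "*.snapchat.com"}, Action: "block", Priority: 20},
	},
	UsageLimits:   map[string]UsageLimit{"entertainment": {DailyMinutes: 60, Domains: []string{"*.youtube.com", "*.netflix.com"}}},
	DefaultAction: "block",
}
var globalBypass = []string{".wellsfargo.com", ".bankofamerica.com", "ocsp.*.com"}

// decide evaluates one request from the sample "kids-ipad" device.
func decide(domain string, now time.Time, entertainmentMinutes int) Decision {
	return Evaluate(globalBypass, childProfile, Facts{ClientMAC: "aa:bb:cc:dd:ee:ff", Domain: domain, Now: now,
		UsedToday: map[string]int{"entertainment": entertainmentMinutes}})
}

func main() {
	wed := time.Date(2024, time.June, 12, 16, 0, 0, 0, time.UTC) // a Wednesday at 4 PM; use the home's time zone in production
	fmt.Println(decide("www.youtube.com", wed, 45), decide("www.tiktok.com", wed, 0), decide("ocsp.digicert.com", wed, 0))
}
```

The inputs worth keeping as regression expectations, here and in opa test against the real policy: an educational site inside the window (allow), social media inside the window (block), YouTube before and after the 60-minute budget (allow, then block), the same educational site on a Saturday (block, outside the window), and a bank on a Saturday (bypass, regardless of the child's windows). Note also that a suffix pattern has to respect the label boundary: ".wellsfargo.com" must not match evilwellsfargo.com.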
Requirements:
- Linux server (or Docker/VM) with network routing capability
- Go 1.21+ for building from source
- Redis for operational data storage
- Root/sudo access for binding to privileged ports (DNS 53, HTTP 80, HTTPS 443)

Network setup:
1. Point DNS to the KProxy server IP
   - Option A: Configure router DHCP (recommended - applies to all devices)
   - Option B: Set DNS manually per device
2. Install the root CA certificate
   - Required for HTTPS interception
   - See CA Installation Guide
Development:

```bash
# Build
make build

# Run tests
make test

# Test OPA policies
opa test policies/ -v

# Run linter
make lint

# Generate CA certificates
sudo make generate-ca
```

Prometheus metrics are available at :9090/metrics:

```bash
curl http://kproxy-server:9090/metrics
```

Key metrics:
- `kproxy_dns_queries_total` - DNS queries by device/action
- `kproxy_requests_total` - HTTP/HTTPS requests
- `kproxy_blocked_requests_total` - Blocked requests
- `kproxy_usage_minutes_consumed_total` - Usage by category
- `kproxy_certificates_generated_total` - Certificate generation

Structured logs (zerolog):

```bash
sudo journalctl -u kproxy -f
```

Systemd service:

```bash
sudo make install
sudo systemctl enable kproxy
sudo systemctl start kproxy
```

Docker:

```bash
docker run -d \
  --name kproxy \
  -p 53:53/udp -p 53:53/tcp \
  -p 80:80 -p 443:443 \
  -p 9090:9090 \
  -v /etc/kproxy:/etc/kproxy \
  --cap-add=NET_BIND_SERVICE \
  kproxy:latest
```

On hosts running systemd-resolved, its stub listener on 127.0.0.53:53 usually collides with publishing port 53 (the same "address already in use" issue Pi-hole users hit); disable DNSStubListener or bind the mapping to a specific interface address first. Publishing 9090 this way exposes the metrics endpoint on every host interface; see the security notes below for restricting it.

Components:

| Component | Purpose |
|---|---|
| DNS Server | Routes domains to proxy or internet |
| HTTP/HTTPS Proxy | Intercepts web traffic with TLS termination |
| Policy Engine | Gathers facts and queries OPA |
| OPA Engine | Evaluates Rego policies |
| Certificate Authority | Generates TLS certificates on-demand |
| Redis Storage | Stores usage data and DHCP leases |
| Metrics Server | Prometheus endpoint |
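How the HTTPS proxy's on-demand certificates work, as an added example in Go using only the standard library. This is not KProxy's code: its root lives under /etc/kproxy/ca and is produced by `make generate-ca`, whereas the root here is generated in memory, and the type and function names are this example's own. A transparent listener receives a ClientHello, reads the SNI, and must present a certificate for that name signed by the root the devices trust; the block mints one per hostname with its own key, caches it until shortly before expiry, and includes a verification helper that checks the chain the way a device with the root installed would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// interceptCA holds the interception root plus a cache of minted leaf certificates keyed by SNI hostname.
type interceptCA struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	ttl   time.Duration // lifetime of minted leaves
	mu    sync.Mutex
	leafs map[string]*tls.Certificate
}

// newInterceptCA generates a throwaway in-memory root (KProxy's real one is written to /etc/kproxy/ca).
func newInterceptCA(ttl time.Duration) (*interceptCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // pathlen:0 - issues leaves, never intermediates
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der)
	return &interceptCA{cert: cert, key: key, ttl: ttl, leafs: map[string]*tls.Certificate{}}, nil
}

// Leaf backs tls.Config.GetCertificate: it returns the cached certificate for host, minting one on
// first use or when the cached one is a minute from expiry. No SNI means nothing to impersonate.
func (c *interceptCA) Leaf(host string) (*tls.Certificate, error) {
	if host == "" {
		return nil, errors.New("no SNI in ClientHello; refusing to guess an identity")
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if l, ok := c.leafs[host]; ok && time.Now().Add(time.Minute).Before(l.Leaf.NotAfter) {
		return l, nil
	}
	l, err := c.mint(host)
	if err == nil {
		c.leafs[host] = l
	}
	return l, err
}

func (c *interceptCA) mint(host string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh key per host
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},            // clients match the SAN, not the CN
		NotBefore:             now.Add(-5 * time.Minute), // tolerate client clock skew
		NotAfter:              now.Add(c.ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: a leaf must never be able to sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	// Send the root with the leaf so clients can build the chain without fetching anything.
	return &tls.Certificate{Certificate: [][]byte{der, c.cert.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// VerifyAs checks a minted chain the way a device that installed the root would: signed by the root,
// valid now, and the name matches host.
func (c *interceptCA) VerifyAs(leaf *tls.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.cert)
	_, err := leaf.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, _ := newInterceptCA(24 * time.Hour)
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { return ca.Leaf(h.ServerName) }}
	l, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: "www.example.com"})
	fmt.Println(err, l.Leaf.DNSNames, ca.VerifyAs(l, "www.example.com"), ca.VerifyAs(l, "evil.example.net"))
}
```

Two details matter for safety: leaves are issued with cA=false and the root carries pathlen:0, so even a misissued leaf cannot act as an intermediate; and a ClientHello without SNI is refused rather than served some default certificate, because the proxy has no way to know which site's identity to present. With a cache like this, `kproxy_certificates_generated_total` should plateau at roughly the number of distinct hostnames rather than climb with every request.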
Redis stores operational data only:
- `usage_sessions` - Active usage tracking
- `daily_usage` - Time consumed per device/category
- `dhcp_leases` - DHCP IP assignments
All configuration (devices, profiles, rules) lives in Rego policies, not the database.
Open Policy Agent decouples policy from code:
Traditional approach:
Config (DB) → Hardcoded logic (Go) → Decision

KProxy approach:
Facts (Go) + Policies (Rego) → OPA → Decision

Benefits:
- Declarative - Describe what should happen, not how
- Testable - opa test validates policies
- Versionable - Git for policy history
- Flexible - Change rules without code changes
- Auditable - Clear separation of concerns
Parental Controls:
- Block social media during homework hours
- Limit YouTube to 1 hour per day
- Allow only educational sites for young children
Network Security:
- Block known malicious domains
- Prevent access to inappropriate content
- Log all HTTPS requests for audit
Ad Blocking:
- Block advertisement domains at DNS level
- Faster than browser-based ad blockers
- Works network-wide
Development/Testing:
- Intercept HTTPS for debugging
- Test certificate handling
- Inspect encrypted traffic
Keep the CA private key secure. Whoever holds root-ca.key can mint a valid certificate for any HTTPS site, for every device that trusts the KProxy root, so it must never leave this host:

```bash
sudo chmod 600 /etc/kproxy/ca/root-ca.key
sudo chown root:root /etc/kproxy/ca/root-ca.key
```

Bypass sensitive sites so their TLS is never terminated by the proxy (banking sites and OCSP responders):

```rego
global_bypass_domains := [
    ".wellsfargo.com",
    ".bankofamerica.com",
    "ocsp.*.com"  # Certificate validation
]
```

Restrict policy write access. Anyone who can edit the Rego files controls what every device can reach, and what is bypassed, so the directory should be writable by root only:

```bash
sudo chmod 700 /etc/kproxy/policies
```

Firewall the metrics endpoint. The metrics are labelled by device and category, so they reveal per-device browsing activity; restrict them to the monitoring network. The rule below only has that effect if ufw's default incoming policy is deny (the default when ufw is enabled):

```bash
# Only allow from monitoring network
sudo ufw allow from 192.168.1.0/24 to any port 9090
```

Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests (Go + OPA policy tests)
- Submit a pull request
See CLAUDE.md for development guidelines.
MIT License - See LICENSE file for details.
- Open Policy Agent - Policy engine
- miekg/dns - DNS library
- Redis - Data storage
- Prometheus - Metrics
- zerolog - Structured logging
- GitHub: github.com/goodtune/kproxy
- Documentation: docs/README.md
- Policy Tutorial: docs/policy-tutorial.md
- CA Installation: docs/ca-installation.md
- OPA Docs: openpolicyagent.org/docs
- Rego Playground: play.openpolicyagent.org
- Issues: github.com/goodtune/kproxy/issues
- Discussions: github.com/goodtune/kproxy/discussions
Note: KProxy is designed for home network parental controls and legitimate network monitoring. Always respect privacy and comply with legal requirements in your jurisdiction. Only install the CA certificate on devices you own or have explicit permission to monitor.
