exosys / enforcegate-vx  ·  secure web gateway

Enforce. Filter. Control. — EnforceGate vX: Self-Hosted Secure Web Gateway for Linux

EnforceGate vX secures your network with URL filtering, access control, and automated threat blocking — deployed as a self-hosted virtual appliance on your existing infrastructure. No proprietary hardware, no per-seat fees, no cloud dependency. Managed from the CLI and automated via REST API.

Early Access ESXi · Hyper-V · KVM · Docker Self-hosted
egctl — EnforceGate vX Control Utility
connected
# check engine status
admin@xeg01:~# egctl status
enforcegate-vx.service — active (running)
Engine: vX-2026.01 (rev 20260301)
Connector: v2026.01 (squid/6.14) [UP]
ACL rules: 1,247 loaded
Uptime: 14d 06h 12m 27s
Threat Intel Rules: loaded with serial:260324000022 (updated 20m ago)
 
# tail the policy enforcement log
admin@xeg01:~# egctl log --follow --filter DENY
2026-03-17 09:41:08 DENY 192.168.1.42 malware-c2.ru [threat/botnet]
2026-03-17 09:39:22 DENY 192.168.1.55 phishing-kit.xyz [threat/phish]
2026-03-17 08:22:42 DENY 192.168.1.99 trojan-metasploit [threat/trojan]
 
# reload policies without restart
admin@xeg01:~# egctl policy reload
15 policies successfully reloaded
admin@xeg01:~#
Access control lists supported: 100k+
Policy decision latency: < 50ms
Throughput: 10Gbps+
Hardware-agnostic: 100%
architecture

How EnforceGate vX processes your traffic.

It runs on commodity x86-64 hardware — self-hosted on your own infrastructure, no proprietary appliances required.

features

Everything you need to secure your network.

URL filtering, access control, threat blocking, and audit logging — in a single self-hosted appliance. Operated from the CLI, automated via the REST API, and built to integrate with your existing stack.

url filtering
HTTP/HTTPS URL Filtering
Intercept and inspect all web traffic via Squid proxy. Enforce category-based and custom-rule policies at scale.
$ egctl policy list --all
access control
ACL Engine
Define policies with IP ranges, domain wildcards, regex patterns, and time-based rules with your favorite editor.
$ vim rules.d/90-denyurlshort.acls
network access control
Enterprise
NAC Integration
Authenticate and authorise network endpoints before granting access. Seamlessly integrates with Active Directory, RADIUS and LDAP.
$ egctl nac status
threat mitigation
Standard Enterprise
Threat Intelligence Feeds
Hourly-refreshed domain and HTTP header blocklists. Blocks C2 beacons, sensitive data exfiltration, and phishing sites.
$ egctl threats feed verify --show-hash
captive portal
Captive Portal
Redirect suspicious or policy-violating users to a configurable captive portal page. Full branding support via templates.
$ egctl portal status --extensive
operations
Zero-Downtime Reloads
Push policy and ACL updates live without breaking connections. Hot-reload applies thousands of changes in just a few seconds.
$ egctl policy reload --confirm
observability
Enterprise
Structured Audit Logs & SIEM
Every enforcement decision and admin action is logged in structured JSON with a tamper-evident chain. Export in CEF or LEEF format, stream via syslog, or push to Splunk, Graylog, or any SIEM.
$ egctl log export --format cef --since 1h
installation

Deploy the appliance, own the CLI.

Runs on VMware vSphere, Hyper-V, Linux KVM, or Docker. All operations are performed through egctl.

00
Download the appliance package
Log in to the Exosys software download portal and download both the archive and its signature file.
EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2
EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2.sig
01
Verify the package signature
Verify the release signature with cosign before unpacking. Never deploy an image you haven't verified.
$ cosign verify-blob EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2 \
  --signature EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2.sig \
  --certificate-identity security@exosys.ch \
  --certificate-oidc-issuer https://accounts.exosys.ch
02
Unpack the archive
Extract to a directory of your choosing. The archive contains the Docker image files, a docker-compose.yml, and a default configuration.
$ mkdir -p /srv/enforcegate
$ tar -xjf EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2 \
  -C /srv/enforcegate --strip-components=1
03
Import the Docker images
Load the engine, portal, and squid-connector images using docker load.
$ for f in /srv/enforcegate/images/*.tar.gz; \
  do docker load -i "$f"; done
04
Start with Docker Compose
Start the appliance using Docker Compose.
$ docker compose -f /srv/enforcegate/docker-compose.yml up -d
05
Bootstrap the config & register your key
Generate a baseline configuration.
$ egctl config init --output /srv/enforcegate/etc/config/
06
Load policies & verify
Apply your ACLs and policies, then confirm the engine is enforcing correctly.
$ egctl policy reload
$ egctl status
fast, seamless docker installation
ready
# log in to exosys.ch/support/software/downloads
# and download the archive and its signature file
 
$ cosign verify-blob EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2 \
  --signature EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2.sig \
  --certificate-identity security@exosys.ch \
  --certificate-oidc-issuer https://accounts.exosys.ch
Verified OK
 
$ mkdir -p /srv/enforcegate && \
  tar -xjf EnforceGate-vX-2026.01.0380beta1-docker-x64.tar.bz2 \
  -C /srv/enforcegate --strip-components=1
 
$ docker load -i /srv/enforcegate/images/enforcegate-engine-2026.01.0380beta1.tar.gz
Loaded image: exosys/enforcegate-engine:2026.01.0380beta1
$ docker load -i /srv/enforcegate/images/enforcegate-portal-2026.01.0380beta1.tar.gz
Loaded image: exosys/enforcegate-portal:2026.01.0380beta1
$ docker load -i /srv/enforcegate/images/enforcegate-squid-connector-2026.01.0380beta1.tar.gz
Loaded image: exosys/enforcegate-squid-connector:2026.01.0380beta1
 
$ docker compose -f /srv/enforcegate/docker-compose.yml up -d
[+] Running 3/3
Container enforcegate-engine Started
Container enforcegate-portal Started
Container enforcegate-squid-connector Started
 
$ egctl config init --output /srv/enforcegate/etc/config/
wrote /etc/eg/components.yaml
wrote /etc/eg/policies.yaml
wrote /etc/eg/acls.d/default.yaml
 
$ egctl policy reload --brief
2,187,440 rules loaded
 
$ egctl show-status
EnforceGate Engine Status: UP
EnforceGate Database Status: UP
EnforceGate API Status: UP
$
policies & acls

Plain-text rules. Instant enforcement.

Policies are simple .acls files living in /opt/enforcegate/etc/rules.d/. Name them with a numeric prefix — lower numbers win. One cgacls policy reload and they're live.

/opt/enforcegate/etc/rules.d/90-denyurlshort.acls
DENY
# deny url shortening domains
deny-urlshortening-domains: {
match-domain-list: /usr/var/enforcegate/lists/urlshorts.txt
action: deny
description: Access to URL shortening services is not permitted
}
how it works
policy name: Unique identifier — used in logs and audit trails.
match-domain-list: Points to a flat text file — one domain per line. Evaluated against the request hostname.
action: deny: Blocks the request immediately. User is redirected to the captive portal if enabled.
description: Message shown on the captive portal block page. Human-readable.
/opt/enforcegate/etc/rules.d/10-allowswissdomains.acls
PERMIT
# Allow websites under the .ch ccTLD
allow-swissdomains: {
match-uri-regex: ^(https?:\/\/)?[^\/?#@:]+[.]ch(:[0-9]+)?([\/?#]|$)
action: permit
description: swiss domain names ending with .ch
}
how it works
match-uri-regex: Matches the full URI against a POSIX extended regular expression. Supports http and https.
action: permit: Allows the request to pass through without modification, regardless of other rules.
precedence 10-: Evaluated before the 90-denyurlshort file — explicit allows always take priority.
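Because a permit rule in a 10- file is evaluated before any later deny file, its pattern has to end at the hostname boundary; a pattern that stops right after `[.]ch` also matches hosts such as `example.chat`. The following is an added example, not Exosys code: it uses `grep -E` as a stand-in for the engine's POSIX ERE matcher (an assumption) and checks an open-ended and an anchored pattern against constructed URIs.

```shell
#!/bin/sh
# Added example: probe a .ch allow pattern with URIs it must and must not match.
# grep -E stands in for the gateway's ERE matcher (assumption); hosts are constructed.

# Open-ended: nothing is required after ".ch" ("\/" escapes dropped for grep).
OPEN_PATTERN='^(https?://)?[^/]+[.]ch'
# Anchored: after ".ch" only a port, a path/query/fragment delimiter, or the end.
ANCHORED_PATTERN='^(https?://)?[^/?#@:]+[.]ch(:[0-9]+)?([/?#]|$)'

# Hosts outside .ch: an allow rule for Swiss domains must match none of these.
NON_CH_PROBES='https://example.chat/
https://portal.ch.example.test/login
http://files.church.example/
https://example.test?next=.ch
https://shop.ch@example.test/'

# Hosts under .ch: these must keep matching.
CH_PROBES='https://www.example.ch/
http://example.ch
https://example.ch:8443/path
example.ch/index.html'

# uri_matches PATTERN URI: exit status 0 when URI matches the ERE.
uri_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# count_matches PATTERN LIST: print how many URIs in LIST match PATTERN.
count_matches() {
    n=0
    while IFS= read -r uri; do
        [ -n "$uri" ] || continue
        if uri_matches "$1" "$uri"; then n=$((n + 1)); fi
    done <<EOF
$2
EOF
    printf '%s\n' "$n"
}

# audit_pattern PATTERN: succeed only if no non-.ch probe and all .ch probes match.
audit_pattern() {
    leaks=$(count_matches "$1" "$NON_CH_PROBES")
    kept=$(count_matches "$1" "$CH_PROBES")
    printf 'wrongly_permitted=%s ch_matched=%s/4  %s\n' "$leaks" "$kept" "$1"
    [ "$leaks" -eq 0 ] && [ "$kept" -eq 4 ]
}

audit_pattern "$OPEN_PATTERN" || echo "FAIL: pattern permits hosts outside .ch"
audit_pattern "$ANCHORED_PATTERN" && echo "PASS: pattern is bounded to .ch hosts"
```

The anchored pattern also rejects URIs carrying userinfo (`user@host`), which is a deliberate trade-off for an allow rule.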
/opt/enforcegate/etc/rules.d/50-redirectsocial.acls
REDIRECT
# Redirect social media to captive portal during work hours
restrict-social-media: {
match-domain-list: /usr/var/enforcegate/lists/socialmedia.txt
action: redirect
description: Social media is restricted during business hours
}
how it works
action: redirect: Sends the user to the configured captive portal URL instead of blocking silently.
match-domain-list: Evaluated against the request hostname. One domain per line in the referenced file.
description: Displayed verbatim on the captive portal landing page so users understand the restriction.
Precedence-based evaluation. Files are processed in ascending numeric order. A 10-allow*.acls rule is always evaluated before a 90-deny*.acls rule — making override behaviour explicit and auditable. EnforceGate operates deny-all by default: anything not explicitly permitted is blocked.
cgacls — load & verify
live
# verify file checksums before loading
$ egctl policy verify rules.d/
10-allowswissdomains.acls sha256:e4b2a1...
50-redirectsocial.acls sha256:7f3c8d...
90-denyurlshort.acls sha256:a92fe1...
 
# load and validate all rules files
$ egctl policy reload
Reading rules.d/10-allowswissdomains.acls OK
Reading rules.d/50-redirectsocial.acls OK
Reading rules.d/90-denyurlshort.acls OK
Validating 3 policies... OK
Writing to database... OK
 
# signal the engine to apply new policies
$ egctl engine reload
Signaling engine reload... OK
$
editions

Pick the right build for your infrastructure.

EnforceGate vX ships in three editions — from a lightweight single-node deployment for small teams to a multi-node cluster with threat intelligence feeds for large-scale environments.

Lite
Tech Savvy Users
Standard
Recommended
Enterprise
Enterprise Features
filtering
HTTP/HTTPS URL filtering
ACL rules 1,000 100,000
Policy management Basic Full
Squid connector
network access control (NAC)
Captive portal
Active Directory
LDAP
RADIUS
management
CLI
Web GUI
REST API
deployment
Node topology Single Multi-node
Hypervisors Docker Docker · VMware · Hyper-V · KVM
Throughput 10 Gbps+†1 10 Gbps+†1
Hardware x86_64 x86_64
security
Threat intelligence feeds
Zero-day feed
SIEM export
support
Support tier Community†2 Priority + SLA
pricing — annual subscription
Annual license†3 USD 199 / yr
†1 Throughput depends on hardware specifications, hypervisor configuration, and network topology. Actual performance may vary by installation.
†2 Community support is provided through a shared support space where users can ask questions, share configurations, and help each other. No response time is guaranteed, however this space is actively monitored by the Exosys development team.
†3 Prices are for an annual subscription license. The software is fully operational throughout the active subscription period. Once the subscription expires, the product can no longer be used.
Open Beta · Starting Soon

Get early access to EnforceGate vX.

Open to IT and security teams of all sizes — from solo sysadmins to enterprise engineering teams. If you manage network security, EnforceGate vX is built for you. Register and we'll send an invite when your slot opens.

Free of charge — no credit card required
Full access to the vX engine, egctl CLI & REST API
Direct channel to the engineering team
Priority support during the beta window
Shape features before GA release
register for access
No spam. No commitment. Invite-only. Unsubscribe anytime.
get started

Your network. Your rules.

Self-hosted. No proprietary hardware. No per-seat fees. Full audit trail from day one.