Inside the Engine

Technology & Architecture of L7 Admin Guard

Set up and use ZTNA without DevOps. A detailed walkthrough of the architectural concepts under the hood of L7 Admin Guard: from browser-level selective routing to zero-copy tunneling.

Why Classic Solutions Failed Us

Why Classic Solutions Failed Us

The quest to secure admin panel access for non-technical users broke down when using legacy tools:

VPN is Overkill

It forces all user traffic (including private media and downloads) through your network, is complex for non-developers, and managing fine-grained access lists (ACL) quickly turns into a nightmare.

Static IPs are Outdated

With 4G/5G, coworking spaces, and remote work, IP whitelists lack granularity, fail to provide user identity segmentations, and make access revocation slow and tedious.

File-based Gateways

Legacy tools like 3X-UI rely on file configurations. Every simple configuration change requires a full process reload, dropping active connections and frustrating users.

Heavy SSO/MITM Gateways

Reverse-proxies demand domain changes and execute TLS decryption (MITM). Onboarding temporary contractors becomes a chore of requesting emails and manually provisioning IdP credentials.

Three-Tier Architecture

Three-Tier Architecture

Our system moves authorization logic from the infrastructure layer directly to configuration rules.

Go Access Gateway

An 8 MB static binary with no external dependencies. Runs on raw Debian, receives instructions from the Control Plane, and caches state for complete autonomous offline operation.

Control Plane API

The configuration hub. Coordinates rules, issues certificates, and pushes configurations to edge nodes. Allows managing multiple gateways in different countries from a single control panel without restarting active sessions.

Browser Extension

A lightweight 38 KB extension with fully readable, open-source code. Intercepts only protected domains and routes them selectively via dynamically generated PAC files.

Engine Deep Dive

Engine Deep Dive

Designed like high-grade infrastructure, optimized for maximum speed and simplicity.

Zero Config Autonomy

No configuration files on edge nodes. The access gateway pulls rules from the Control Plane and caches them in a local state, allowing the node to boot offline if the network drops.

Automated Transport Security

All traffic between the browser and the gateway travels over a secure TLS tunnel. Edge nodes automatically request and renew certificates from Google Trust Services, Let's Encrypt, or ZeroSSL.

Smart DNS Core

An embedded caching DNS resolver routes requests via high-bandwidth datacenter backbones. This DNS optimization reduces TTFB (Time to First Byte) below standard home connection speeds.

TLS SNI Protection

Each device (user) receives a unique domain like DevID-user-v4.de.l7ag.run. Non-matching or missing SNI headers are rejected at the TLS layer, protecting the gateway node from scanning.

HTTP CONNECT (Zero MITM)

Operates as a transparent TCP tunnel. We never terminate the target website's TLS (traffic is not decrypted) or inspect the payload (zero-copy), guaranteeing absolute privacy and minimal CPU overhead.

In-Memory & BuntDB

Instead of heavy Redis instances, we use BuntDB. Rules are loaded into memory at startup, allowing connections to be authenticated without any database roundtrips.

Killer Feature: Runtime Rule Hot-Reload

Killer Feature: Runtime Rule Hot-Reload

Traditional access gateways drop active TCP sessions during reload. We implemented dynamic state application in runtime. If a developer is transferring a huge database dump and access expires, the admin extends it in the UI and the tunnel parameters update on the fly, without dropping a single byte.

Step 01

Active session

Access token is issued for 1 hour. Developer uploads a database dump.

Step 02

Approaching expiration

Token is about to expire, but the work is still in progress.

Step 03

Hot extension

Admin extends the TTL by 30 minutes in the panel UI with one click.

Step 04

Zero connection drop

The access gateway updates the tunnel TTL parameters on the fly. The transfer completes smoothly.

3 Clever Use Cases We Resolved

3 Clever Use Cases We Resolved

Selective browser-level routing solves more than just access permissions:

Site Migration without /etc/hosts

Instead of requesting QA or clients to edit system files with Administrator rights, we set a custom DNS override on a token. Toggle the extension on — see the staging server; off — see the live production site.

Localhost & Private IP Access

Easily share internal developer interfaces (like Caddy APIs listening on localhost:2019 or databases in a private subnet) without exposing them to the internet or configuring complex VPN subnets.

Internal DNS without Public Records

Map names like `grafana.company.internal` to internal ports in the L7 panel. Users connect instantly, while the domains remain completely invisible to the external DNS infrastructure.

Making Self-Hosted Accessible

Making Self-Hosted Accessible

We designed edge nodes to be easily deployable on any Linux hardware, even without command line experience.

1-Click Cloud Auto-Deploy

Enter your cloud API key (Hetzner, Vultr, DigitalOcean, Akamai, UpCloud) in the dashboard, select a location, and click deploy. Our Control Plane creates the server, provisions the access gateway, and sets up certificates automatically without your involvement.

One-Line CLI Installation

Run our simple installer on any server. It uses zstd stream decompression, creates a sandboxed system user, configures systemd, and sets up graceful self-updates.

# curl -fsS https://l7.run | sh -s -- -t TOKEN