Technology & Architecture of L7 Admin Guard
Set up and use ZTNA without DevOps. A detailed walkthrough of the architectural concepts under the hood of L7 Admin Guard: from browser-level selective routing to zero-copy tunneling.
Why Classic Solutions Failed Us
The quest to secure admin panel access for non-technical users broke down when using legacy tools:
VPN is Overkill
It forces all user traffic (including private media and downloads) through your network, is complex for non-developers, and managing fine-grained access lists (ACL) quickly turns into a nightmare.
Static IPs are Outdated
With 4G/5G, coworking spaces, and remote work, IP whitelists lack granularity, fail to provide user identity segmentations, and make access revocation slow and tedious.
File-based Gateways
Legacy tools like 3X-UI rely on file configurations. Every simple configuration change requires a full process reload, dropping active connections and frustrating users.
Heavy SSO/MITM Gateways
Reverse-proxies demand domain changes and execute TLS decryption (MITM). Onboarding temporary contractors becomes a chore of requesting emails and manually provisioning IdP credentials.
Three-Tier Architecture
Our system moves authorization logic from the infrastructure layer directly to configuration rules.
Go Access Gateway
An 8 MB static binary with no external dependencies. Runs on raw Debian, receives instructions from the Control Plane, and caches state for complete autonomous offline operation.
Control Plane API
The configuration hub. Coordinates rules, issues certificates, and pushes configurations to edge nodes. Allows managing multiple gateways in different countries from a single control panel without restarting active sessions.
Browser Extension
A lightweight 38 KB extension with fully readable, open-source code. Intercepts only protected domains and routes them selectively via dynamically generated PAC files.
Engine Deep Dive
Designed like high-grade infrastructure, optimized for maximum speed and simplicity.
Zero Config Autonomy
No configuration files on edge nodes. The access gateway pulls rules from the Control Plane and caches them in a local state, allowing the node to boot offline if the network drops.
Automated Transport Security
All traffic between the browser and the gateway travels over a secure TLS tunnel. Edge nodes automatically request and renew certificates from Google Trust Services, Let's Encrypt, or ZeroSSL.
Smart DNS Core
An embedded caching DNS resolver routes requests via high-bandwidth datacenter backbones. This DNS optimization reduces TTFB (Time to First Byte) below standard home connection speeds.
TLS SNI Protection
Each device (user) receives a unique domain like DevID-user-v4.de.l7ag.run. Non-matching or missing SNI headers are rejected at the TLS layer, protecting the gateway node from scanning.
HTTP CONNECT (Zero MITM)
Operates as a transparent TCP tunnel. We never terminate the target website's TLS (traffic is not decrypted) or inspect the payload (zero-copy), guaranteeing absolute privacy and minimal CPU overhead.
In-Memory & BuntDB
Instead of heavy Redis instances, we use BuntDB. Rules are loaded into memory at startup, allowing connections to be authenticated without any database roundtrips.
Killer Feature: Runtime Rule Hot-Reload
Traditional access gateways drop active TCP sessions during reload. We implemented dynamic state application in runtime. If a developer is transferring a huge database dump and access expires, the admin extends it in the UI and the tunnel parameters update on the fly, without dropping a single byte.
Active session
Access token is issued for 1 hour. Developer uploads a database dump.
Approaching expiration
Token is about to expire, but the work is still in progress.
Hot extension
Admin extends the TTL by 30 minutes in the panel UI with one click.
Zero connection drop
The access gateway updates the tunnel TTL parameters on the fly. The transfer completes smoothly.
3 Clever Use Cases We Resolved
Selective browser-level routing solves more than just access permissions:
Site Migration without /etc/hosts
Instead of requesting QA or clients to edit system files with Administrator rights, we set a custom DNS override on a token. Toggle the extension on — see the staging server; off — see the live production site.
Localhost & Private IP Access
Easily share internal developer interfaces (like Caddy APIs listening on localhost:2019 or databases in a private subnet) without exposing them to the internet or configuring complex VPN subnets.
Internal DNS without Public Records
Map names like `grafana.company.internal` to internal ports in the L7 panel. Users connect instantly, while the domains remain completely invisible to the external DNS infrastructure.
Making Self-Hosted Accessible
We designed edge nodes to be easily deployable on any Linux hardware, even without command line experience.
1-Click Cloud Auto-Deploy
Enter your cloud API key (Hetzner, Vultr, DigitalOcean, Akamai, UpCloud) in the dashboard, select a location, and click deploy. Our Control Plane creates the server, provisions the access gateway, and sets up certificates automatically without your involvement.
One-Line CLI Installation
Run our simple installer on any server. It uses zstd stream decompression, creates a sandboxed system user, configures systemd, and sets up graceful self-updates.