🔐 Uroniyx Quantum-Safe Gateway — Live End-to-End Journey

The SAME app is reachable through two edges. This page reports honestly about whichever one you loaded it from.

🖥️ Live event log — everything on this page reports here

1

Your browser → AWS NLB → Gateway   checking…

TLS 1.3 handshake is negotiated end-to-end between your browser and the gateway. A PQC-capable client gets the hybrid group; a legacy client falls back to classical — served either way.

2

AWS NLB — Layer-4 passthrough

The load balancer forwards raw TCP. It never terminates TLS, so the quantum-safe handshake reaches the gateway intact (an L7 ALB would break this).

3

Gateway terminates TLS  NGINX 1.27 + OpenSSL 3.5

Certificates: ML-DSA-65 (post-quantum)ECDSA P-256 (for browsers) Routes by path: / → frontend/api/ → backend/grafana/ → dashboards

4

Gateway → application   plain HTTP (inside cluster)

Your apps keep speaking what they always spoke. The gateway injects the TLS facts as headers so apps can see them:

5

Backend responds   checking…

Response returns along the same path, encrypted quantum-safe back to the browser.

📡 Live cluster view — the pods behind this page

not loaded yet

⚡ High availability — 100 parallel connections

Fires 100 parallel requests through the NLB and tallies which gateway replicas and backend pods served them, with zero failures expected.

not run yet

💥 Chaos drill — kill the gateway pod serving YOU, live

Deletes the exact gateway pod behind your connection (via a demo-only API), then for ~60s: keeps firing requests AND watches the cluster — you'll see the pod go Terminating, a new pod ID appear, turn Running, while requests keep succeeding. That is zero-drop failover.

not run yet

🕰️ Before vs After — the HNDL attack

“Harvest Now, Decrypt Later”: an adversary records encrypted traffic today and decrypts it once a quantum computer can break classical key exchange. Same apps, two edges:

BEFORE — legacy edge (how these apps were exposed until now)

Classical TLS only: KEX X25519 / P-256ECDSA certTLS 1.2 allowed — every session key exchange is breakable by a future quantum computer. Recorded ciphertext = future plaintext.

AFTER — this page (Uroniyx gateway in front, apps untouched)

Hybrid post-quantum: KEX X25519MLKEM768ML-DSA-65 + ECDSA certsTLS 1.3 only — an attacker must break both X25519 and ML-KEM-768. Recorded traffic stays secret. HNDL neutralized.

📦 The "enterprise app": live data from the backend

loading…

🔎 Raw /api/journey response (backend echo of gateway headers)

loading…

Facts shown are live per-request: hop 1 reads the X-PQC-Group response header the gateway adds; hop 4/5 read what the backend actually received. If you connect with a classical-only client, hop 1 will honestly show the classical group — the gateway cannot (and nothing can) upgrade a client that doesn't speak PQC; it protects every client that does.