Job Summary:
Proofpoint is a global leader in human- and agent-centric cybersecurity. They are seeking a Senior Proxy Engineer to design, build, and operate production-grade proxy infrastructure at scale, focusing on HTTP and related application-layer protocols while ensuring robust connection management and traffic shaping.
Responsibilities:
• Architect and implement high-performance forward, reverse, and transparent proxy systems in Go with clean separation between the connection layer, protocol layer, routing layer, and upstream layer
• Design proxy pipeline stages end-to-end: listener configuration, connection acceptance, TLS termination, protocol detection, virtual hosting, routing rule evaluation, request transformation, upstream selection, response streaming, and connection teardown
• Build robust connection lifecycle management: keep-alive handling, half-close semantics, graceful shutdown, drain periods, and connection migration for rolling deployments
• Implement traffic shaping primitives within the proxy: request hedging, retry budgets, timeout hierarchies (connect, first byte, total request), circuit breakers, and adaptive concurrency limits
• Design and maintain upstream connection pools with configurable keep-alive timeouts, max idle connections per host, connection health checks, and zero-downtime upstream replacement
• Own the header manipulation pipeline: request and response header rewriting, injection, removal, and normalisation with attention to correctness under HTTP/1.1 and HTTP/2 semantics
• Architect multi-tenant proxy configurations with per-tenant routing policies, rate limits, authentication schemes, and traffic isolation guarantees
HTTP Protocol Engineering & Standards Compliance
• Maintain expert-level understanding of the core HTTP specification suite: RFC 9110 (HTTP Semantics), RFC 9112 (HTTP/1.1 Message Syntax), RFC 9113 (HTTP/2), RFC 9114 (HTTP/3), and RFC 9000 (QUIC)
• Implement correct HTTP/1.1 connection management: persistent connections, keep-alive negotiation, chunked transfer encoding, request pipelining, and trailer fields
• Implement full HTTP/2 support: stream multiplexing, flow control (stream and connection level), header compression via HPACK, server push, RST_STREAM handling, and SETTINGS negotiation
• Build HTTP/3 and QUIC proxying support: stream prioritisation, 0-RTT connection establishment, connection migration, and loss-recovery-aware flow control
• Implement cache-control semantics per RFC 9111: Vary header handling, conditional request support (ETags, If-Modified-Since, If-None-Match), surrogate-key invalidation, and stale-while-revalidate
• Handle HTTP edge cases defensively: malformed header detection, header field size limits, request smuggling mitigations (CL-TE and TE-CL desync), response splitting defences, and observer-invisible whitespace normalisation
• Support WebSocket upgrade flows with correct Upgrade/Connection header handling, frame proxying, bidirectional streaming, and Ping/Pong keepalive management
• Implement gRPC-over-HTTP/2 proxying: correct framing of length-prefixed messages, trailer handling for gRPC status codes, streaming RPC proxying, and gRPC-Web transcode
Qualifications:
Required:
• Expert command of HTTP and related application-layer protocols
• Deep experience architecting proxy systems
• Primary development fluency in Go
• Strong Lua scripting skills for runtime extensibility
• Full lifecycle ownership of proxy platform including protocol-level design and connection management
• Experience with TLS termination, request routing, traffic shaping, and upstream load balancing
• Experience with forward proxies, reverse proxies, API gateways, and protocol translators
• Familiarity with explicit HTTP proxying, transparent interception, SOCKS tunnelling, and CONNECT-based HTTPS proxying
• Expert-level understanding of the core HTTP specification suite: RFC 9110, RFC 9112, RFC 9113, RFC 9114, and RFC 9000
• Implementation of correct HTTP/1.1 connection management
• Full HTTP/2 support implementation
• Building HTTP/3 and QUIC proxying support
• Implementation of cache-control semantics per RFC 9111
• Defensive handling of HTTP edge cases
• Support for WebSocket upgrade flows
• Implementation of gRPC-over-HTTP/2 proxying
Preferred:
• Familiarity with OpenTelemetry for deep proxy observability
Company:
Proofpoint provides cloud-based email security, e-discovery, and compliance solutions for companies to protect sensitive business data. Founded in 2002, the company is headquartered in Sunnyvale, USA, with a team of 1001-5000 employees. The company is currently Late Stage.