.. _configuration_server_http_proxy: http_proxy ========== This server provides a forward HTTP proxy, including plain HTTP forwarding, ``CONNECT`` tunneling and ``MASQUE CONNECT-UDP`` tunneling. The following common keys are supported: * :ref:`escaper ` * :ref:`auditor ` * :ref:`user_group ` * :ref:`shared_logger ` * :ref:`listen_in_worker ` * :ref:`tls_server ` * :ref:`tls ticketer ` * :ref:`tcp_sock_speed_limit ` * :ref:`ingress_network_filter ` * :ref:`dst_host_filter_set ` * :ref:`dst_port_filter ` * :ref:`tcp_copy_buffer_size ` * :ref:`tcp_copy_yield_size ` * :ref:`udp_relay_packet_size ` * :ref:`udp_relay_yield_count ` * :ref:`udp_relay_batch_count ` * :ref:`udp_relay_underlying_buffer_size ` * :ref:`tcp_misc_opts ` * :ref:`task_idle_check_interval ` * :ref:`task_idle_max_count ` * :ref:`flush_task_log_on_created ` * :ref:`flush_task_log_on_connected ` * :ref:`task_log_flush_interval ` * :ref:`extra_metrics_tags ` The authentication schemes supported by this server depend on the type of the configured user group. +-------------+---------------------------+-------------------+ |auth scheme |user group type |is supported | +=============+===========================+===================+ |Basic |hashed_user |yes | +-------------+---------------------------+-------------------+ |Negotiate |gss_api |not yet | +-------------+---------------------------+-------------------+ listen ------ **optional**, **type**: :external+values:ref:`tcp listen ` Listening configuration for this server. The instance count setting will be ignored if *listen_in_worker* is correctly enabled. **default**: not set .. versionadded:: 1.7.20 change listen config to be optional local_server_name ----------------- **optional**, **type**: :external+values:ref:`host ` | seq List of local server names. A request is treated as a local request when: - no local server name set The URL in the HTTP request header is relative - local server name has been set The method is not ``CONNECT`` and the server name in the ``Host`` header matches one of the configured local server names Set this if you want to enable support for Well-Known URIs. .. versionadded:: 1.11.5 .. _config_server_http_proxy_server_id: server_id --------- **optional**, **type**: :external+values:ref:`http server id ` Server ID. If set, the ``X-VEY-Remote-Connection-Info`` header is added to the response. **default**: not set auth_realm ---------- **optional**, **type**: :external+values:ref:`ascii str ` Authentication realm. **default**: proxy username_params --------------- **optional**, **type**: :ref:`username_params ` Allows the egress context to be populated from username parameters. This is mainly useful together with escapers that consume egress-path selection or egress-context values derived from the authenticated username. **default**: not set .. versionadded:: 1.13.0 .. _conf_server_http_proxy_tls_client: tls_client ---------- **optional**, **type**: :external+values:ref:`openssl tls client config ` TLS client parameters used for HTTPS-forward requests. **default**: set with default value ftp_client ---------- **optional**, **type**: :external+values:ref:`ftp client config ` FTP client configuration used for FTP-over-HTTP requests. **default**: set with default value req_header_recv_timeout ----------------------- **optional**, **type**: :external+values:ref:`humanize duration ` Maximum time to wait for the full request header after the client connection becomes readable. **default**: 30s .. _conf_server_http_proxy_rsp_header_recv_timeout: rsp_header_recv_timeout ----------------------- **optional**, **type**: :external+values:ref:`humanize duration ` Maximum time to wait after the full request is sent and before the full response header is received. **default**: 60s req_header_max_size ------------------- **optional**, **type**: :external+values:ref:`humanize usize ` Maximum request-header size. **default**: 64KiB rsp_header_max_size ------------------- **optional**, **type**: :external+values:ref:`humanize usize ` Maximum response-header size. **default**: 64KiB .. _config_server_http_proxy_log_uri_max_chars: log_uri_max_chars ----------------- **optional**, **type**: usize Maximum number of URI characters recorded in logs. If the user-level configuration also sets this value, the user-level setting takes precedence. See :ref:`user config option `. **default**: 1024 pipeline_size ------------- **optional**, **type**: :external+values:ref:`nonzero usize ` Pipeline depth for HTTP/1.0 and HTTP/1.1. **default**: 10 .. note:: We only pipeline requests with no body. pipeline_read_idle_timeout -------------------------- **optional**, **type**: :external+values:ref:`humanize duration ` Idle timeout for client-side idle HTTP connections. **default**: 5min no_early_error_reply -------------------- **optional**, **type**: bool If set to ``true``, no error response is sent before user authentication succeeds. In that case the connection is simply closed. **default**: false allow_custom_host ----------------- **optional**, **type**: bool Controls whether a custom ``Host`` header is allowed. If set to ``false``, the ``Host`` header must contain the same domain or IP address as the request line. **default**: true .. note:: ``vey-proxy`` does not require a ``Host`` header to be present, no matter how this option is set. drop_default_port_in_host ------------------------- **optional**, **type**: bool Controls whether the default port should be removed from the ``Host`` header before the request is sent upstream. The default ports are: - HTTP 80 - HTTPS 443 **default**: false .. versionadded:: 1.11.10 body_line_max_length -------------------- **optional**, **type**: int Maximum line length for lines in the HTTP body, such as trailer fields and chunk-size lines. **default**: 8192 http_forward_upstream_keepalive ------------------------------- **optional**, **type**: :external+values:ref:`http keepalive ` HTTP keepalive configuration at the server level. **default**: set with default value .. _config_server_http_proxy_http_forward_mark_upstream: http_forward_mark_upstream -------------------------- **optional**, **type**: bool If enabled, the ``X-VEY-Upstream-Id`` header is added to responses received from upstream, using the value of :ref:`server_id `. Responses generated locally do not contain this header. The loader rejects this option unless ``server_id`` is also set. **default**: false .. _config_server_http_proxy_echo_chained_info: echo_chained_info ----------------- **optional**, **type**: bool Controls whether custom response headers are added to expose chaining information about the direct upstream connection. The custom headers are: - X-VEY-Upstream-Addr - X-VEY-Outgoing-IP **default**: false untrusted_read_speed_limit -------------------------- **optional**, **type**: :external+values:ref:`tcp socket speed limit ` Enables untrusted reading of request bodies that do not yet have authentication information, and sets the corresponding read-rate limit. Use this if you need compatibility with buggy Java HTTP clients that do not handle ``407`` responses promptly. **default**: not set, which means untrusted read is disabled untrusted_read_limit -------------------- **deprecated** .. versionchanged:: 1.11.8 deprecated, use untrusted_read_speed_limit instead .. _config_server_http_proxy_egress_path_selection_header: egress_path_selection_header ---------------------------- **optional**, **type**: :external+values:ref:`http header name `, **alias**: path_selection_header HTTP header name whose value is used as the direct :ref:`number id ` path selection input. See :ref:`Egress Path Selection ` for how this value is consumed by escapers. **default**: not set .. _config_server_http_proxy_egress_context_headers: egress_context_headers ---------------------- **optional**, **type**: :external+values:ref:`http header name ` | seq HTTP header names copied into the egress context. These headers do not select an egress path directly. They are intended for helpers such as :ref:`comply_context `. **default**: not set .. versionadded:: 1.13.1 Example: .. code-block:: yaml - name: edge-http type: http_proxy listen: 0.0.0.0:8080 escaper: direct-egress user_group: corp-users username_params: exact_count: 2 egress_path_selection_header: X-Egress-Path egress_context_headers: - X-Egress-Upstream - X-Egress-Geo untrusted_read_speed_limit: shift_millis: 100 max_north: 64KiB .. _config_server_http_proxy_steal_forwarded_for: steal_forwarded_for ------------------- **optional**, **type**: bool Controls whether the ``Forwarded`` and ``X-Forwarded-For`` headers are removed from the client request. .. note:: To remove these headers from HTTPS traffic, TLS interception must be enabled and the corresponding option must also be set in the auditor's :ref:`h1 interception ` configuration. **default**: false