http_proxy

This server provides a forward HTTP proxy, including plain HTTP forwarding, CONNECT tunneling and MASQUE CONNECT-UDP tunneling.

The following common keys are supported:

The authentication schemes supported by this server depend on the type of the configured user group.

auth scheme

user group type

is supported

Basic

hashed_user

yes

Negotiate

gss_api

not yet

listen

optional, type: tcp listen

Listening configuration for this server.

The instance count setting will be ignored if listen_in_worker is correctly enabled.

default: not set

Added in version 1.7.20: change listen config to be optional

local_server_name

optional, type: host | seq

List of local server names.

A request is treated as a local request when:

  • no local server name set

    The URL in the HTTP request header is relative

  • local server name has been set

    The method is not CONNECT and the server name in the Host header matches one of the configured local server names

Set this if you want to enable support for Well-Known URIs.

Added in version 1.11.5.

server_id

optional, type: http server id

Server ID. If set, the X-VEY-Remote-Connection-Info header is added to the response.

default: not set

auth_realm

optional, type: ascii str

Authentication realm.

default: proxy

username_params

optional, type: username_params

Allows the egress context to be populated from username parameters.

This is mainly useful together with escapers that consume egress-path selection or egress-context values derived from the authenticated username.

default: not set

Added in version 1.13.0.

tls_client

optional, type: openssl tls client config

TLS client parameters used for HTTPS-forward requests.

default: set with default value

ftp_client

optional, type: ftp client config

FTP client configuration used for FTP-over-HTTP requests.

default: set with default value

req_header_recv_timeout

optional, type: humanize duration

Maximum time to wait for the full request header after the client connection becomes readable.

default: 30s

rsp_header_recv_timeout

optional, type: humanize duration

Maximum time to wait after the full request is sent and before the full response header is received.

default: 60s

req_header_max_size

optional, type: humanize usize

Maximum request-header size.

default: 64KiB

rsp_header_max_size

optional, type: humanize usize

Maximum response-header size.

default: 64KiB

log_uri_max_chars

optional, type: usize

Maximum number of URI characters recorded in logs.

If the user-level configuration also sets this value, the user-level setting takes precedence. See user config option.

default: 1024

pipeline_size

optional, type: nonzero usize

Pipeline depth for HTTP/1.0 and HTTP/1.1.

default: 10

Note

We only pipeline requests with no body.

pipeline_read_idle_timeout

optional, type: humanize duration

Idle timeout for client-side idle HTTP connections.

default: 5min

no_early_error_reply

optional, type: bool

If set to true, no error response is sent before user authentication succeeds. In that case the connection is simply closed.

default: false

allow_custom_host

optional, type: bool

Controls whether a custom Host header is allowed. If set to false, the Host header must contain the same domain or IP address as the request line.

default: true

Note

vey-proxy does not require a Host header to be present, no matter how this option is set.

drop_default_port_in_host

optional, type: bool

Controls whether the default port should be removed from the Host header before the request is sent upstream.

The default ports are:

  • HTTP 80

  • HTTPS 443

default: false

Added in version 1.11.10.

body_line_max_length

optional, type: int

Maximum line length for lines in the HTTP body, such as trailer fields and chunk-size lines.

default: 8192

http_forward_upstream_keepalive

optional, type: http keepalive

HTTP keepalive configuration at the server level.

default: set with default value

http_forward_mark_upstream

optional, type: bool

If enabled, the X-VEY-Upstream-Id header is added to responses received from upstream, using the value of server_id. Responses generated locally do not contain this header.

The loader rejects this option unless server_id is also set.

default: false

echo_chained_info

optional, type: bool

Controls whether custom response headers are added to expose chaining information about the direct upstream connection.

The custom headers are:

  • X-VEY-Upstream-Addr

  • X-VEY-Outgoing-IP

default: false

untrusted_read_speed_limit

optional, type: tcp socket speed limit

Enables untrusted reading of request bodies that do not yet have authentication information, and sets the corresponding read-rate limit.

Use this if you need compatibility with buggy Java HTTP clients that do not handle 407 responses promptly.

default: not set, which means untrusted read is disabled

untrusted_read_limit

deprecated

Changed in version 1.11.8: deprecated, use untrusted_read_speed_limit instead

egress_path_selection_header

optional, type: http header name, alias: path_selection_header

HTTP header name whose value is used as the direct number id path selection input.

See Egress Path Selection for how this value is consumed by escapers.

default: not set

egress_context_headers

optional, type: http header name | seq

HTTP header names copied into the egress context.

These headers do not select an egress path directly. They are intended for helpers such as comply_context.

default: not set

Added in version 1.13.1.

Example:

- name: edge-http
  type: http_proxy
  listen: 0.0.0.0:8080
  escaper: direct-egress
  user_group: corp-users
  username_params:
    exact_count: 2
  egress_path_selection_header: X-Egress-Path
  egress_context_headers:
    - X-Egress-Upstream
    - X-Egress-Geo
  untrusted_read_speed_limit:
    shift_millis: 100
    max_north: 64KiB

steal_forwarded_for

optional, type: bool

Controls whether the Forwarded and X-Forwarded-For headers are removed from the client request.

Note

To remove these headers from HTTPS traffic, TLS interception must be enabled and the corresponding option must also be set in the auditor’s h1 interception configuration.

default: false