http_proxy
This server provides a forward HTTP proxy, including plain HTTP forwarding, CONNECT tunneling
and MASQUE CONNECT-UDP tunneling.
The following common keys are supported:
The authentication schemes supported by this server depend on the type of the configured user group.
auth scheme |
user group type |
is supported |
|---|---|---|
Basic |
hashed_user |
yes |
Negotiate |
gss_api |
not yet |
listen
optional, type: tcp listen
Listening configuration for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
default: not set
Added in version 1.7.20: change listen config to be optional
local_server_name
optional, type: host | seq
List of local server names.
A request is treated as a local request when:
no local server name set
The URL in the HTTP request header is relative
local server name has been set
The method is not
CONNECTand the server name in theHostheader matches one of the configured local server names
Set this if you want to enable support for Well-Known URIs.
Added in version 1.11.5.
server_id
optional, type: http server id
Server ID. If set, the X-VEY-Remote-Connection-Info header is added to the
response.
default: not set
auth_realm
optional, type: ascii str
Authentication realm.
default: proxy
username_params
optional, type: username_params
Allows the egress context to be populated from username parameters.
This is mainly useful together with escapers that consume egress-path selection or egress-context values derived from the authenticated username.
default: not set
Added in version 1.13.0.
tls_client
optional, type: openssl tls client config
TLS client parameters used for HTTPS-forward requests.
default: set with default value
ftp_client
optional, type: ftp client config
FTP client configuration used for FTP-over-HTTP requests.
default: set with default value
req_header_recv_timeout
optional, type: humanize duration
Maximum time to wait for the full request header after the client connection becomes readable.
default: 30s
rsp_header_recv_timeout
optional, type: humanize duration
Maximum time to wait after the full request is sent and before the full response header is received.
default: 60s
req_header_max_size
optional, type: humanize usize
Maximum request-header size.
default: 64KiB
rsp_header_max_size
optional, type: humanize usize
Maximum response-header size.
default: 64KiB
log_uri_max_chars
optional, type: usize
Maximum number of URI characters recorded in logs.
If the user-level configuration also sets this value, the user-level setting takes precedence. See user config option.
default: 1024
pipeline_size
optional, type: nonzero usize
Pipeline depth for HTTP/1.0 and HTTP/1.1.
default: 10
Note
We only pipeline requests with no body.
pipeline_read_idle_timeout
optional, type: humanize duration
Idle timeout for client-side idle HTTP connections.
default: 5min
no_early_error_reply
optional, type: bool
If set to true, no error response is sent before user authentication
succeeds. In that case the connection is simply closed.
default: false
allow_custom_host
optional, type: bool
Controls whether a custom Host header is allowed. If set to false, the
Host header must contain the same domain or IP address as the request line.
default: true
Note
vey-proxy does not require a Host header to be present, no
matter how this option is set.
drop_default_port_in_host
optional, type: bool
Controls whether the default port should be removed from the Host header
before the request is sent upstream.
The default ports are:
HTTP 80
HTTPS 443
default: false
Added in version 1.11.10.
body_line_max_length
optional, type: int
Maximum line length for lines in the HTTP body, such as trailer fields and chunk-size lines.
default: 8192
http_forward_upstream_keepalive
optional, type: http keepalive
HTTP keepalive configuration at the server level.
default: set with default value
http_forward_mark_upstream
optional, type: bool
If enabled, the X-VEY-Upstream-Id header is added to responses received from
upstream, using the value of server_id.
Responses generated locally do not contain this header.
The loader rejects this option unless server_id is also set.
default: false
echo_chained_info
optional, type: bool
Controls whether custom response headers are added to expose chaining information about the direct upstream connection.
The custom headers are:
X-VEY-Upstream-Addr
X-VEY-Outgoing-IP
default: false
untrusted_read_speed_limit
optional, type: tcp socket speed limit
Enables untrusted reading of request bodies that do not yet have authentication information, and sets the corresponding read-rate limit.
Use this if you need compatibility with buggy Java HTTP clients that do not
handle 407 responses promptly.
default: not set, which means untrusted read is disabled
untrusted_read_limit
deprecated
Changed in version 1.11.8: deprecated, use untrusted_read_speed_limit instead
egress_path_selection_header
optional, type: http header name, alias: path_selection_header
HTTP header name whose value is used as the direct number id path selection input.
See Egress Path Selection for how this value is consumed by escapers.
default: not set
egress_context_headers
optional, type: http header name | seq
HTTP header names copied into the egress context.
These headers do not select an egress path directly. They are intended for helpers such as comply_context.
default: not set
Added in version 1.13.1.
Example:
- name: edge-http
type: http_proxy
listen: 0.0.0.0:8080
escaper: direct-egress
user_group: corp-users
username_params:
exact_count: 2
egress_path_selection_header: X-Egress-Path
egress_context_headers:
- X-Egress-Upstream
- X-Egress-Geo
untrusted_read_speed_limit:
shift_millis: 100
max_north: 64KiB
steal_forwarded_for
optional, type: bool
Controls whether the Forwarded and X-Forwarded-For headers are removed
from the client request.
Note
To remove these headers from HTTPS traffic, TLS interception must be enabled and the corresponding option must also be set in the auditor’s h1 interception configuration.
default: false