http_rproxy
This server provides an HTTP reverse proxy.
This server terminates the client-side HTTP session locally and then forwards
requests to configured upstream sites selected by the hosts match table.
The following common keys are supported:
The authentication schemes supported by this server depend on the type of the configured user group.
auth scheme |
user group type |
is supported |
|---|---|---|
Basic |
hashed_user |
yes |
Negotiate |
gss_api |
not yet |
listen
optional, type: tcp listen
Listening configuration for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
default: not set
Added in version 1.7.20: change listen config to be optional
server_id
optional, type: http server id
Server ID. If set, the X-VEY-Remote-Connection-Info header is added to
responses, and the value is also used in the Via header added to requests.
default: not set
auth_realm
optional, type: ascii str
Authentication realm.
default: vey-proxy
req_header_recv_timeout
optional, type: humanize duration
Maximum time to wait for the full request header after the client connection becomes readable.
default: 30s
rsp_header_recv_timeout
optional, type: humanize duration
Maximum time to wait after the full request is sent and before the full response header is received.
default: 60s
req_header_max_size
optional, type: humanize usize
Maximum request-header size.
default: 64KiB
rsp_header_max_size
optional, type: humanize usize
Maximum response-header size.
default: 64KiB
log_uri_max_chars
optional, type: usize
Maximum number of URI characters recorded in logs.
The user level config value will take effect if set, see this user config option.
default: 1024
pipeline_size
optional, type: nonzero usize
Pipeline depth for HTTP/1.0 and HTTP/1.1.
default: 10
Note
We only pipeline requests with no body.
pipeline_read_idle_timeout
optional, type: humanize duration
Idle timeout for client-side idle HTTP connections.
default: 5min
no_early_error_reply
optional, type: bool
If set to true, no error response is sent before user authentication
succeeds. In that case the connection is simply closed.
default: false
body_line_max_length
optional, type: int
Maximum line length for lines in the HTTP body, such as trailer fields and chunk-size lines.
default: 8192
http_forward_upstream_keepalive
optional, type: http keepalive
HTTP keepalive configuration at the server level.
default: set with default value
untrusted_read_speed_limit
optional, type: tcp socket speed limit
Enables untrusted reading of request bodies that do not yet have authentication information, and sets the corresponding read-rate limit.
Use this if you need compatibility with buggy Java HTTP clients that do not
handle 407 responses promptly.
default: not set, which means untrusted read is disabled
untrusted_read_limit
deprecated
Changed in version 1.11.8: deprecated, use untrusted_read_speed_limit instead
append_forwarded_for
optional, type: http forwarded header type
Controls whether the corresponding forwarding headers are appended to requests sent to the next proxy.
If you want to remove existing forwarded headers first, see
steal_forwarded_for in
http_proxy.
See the doc of supported escapers for detailed protocol info.
default: classic, which means X-Forwarded-* headers will be appended
enable_tls_server
optional, type: bool
Controls whether TLS is enabled for all local sites.
Requests to local sites without valid TLS server configuration are dropped.
default: false
global_tls_server
optional, type: rustls server config
Global TLS server configuration used when the matched local site does not set its own TLS server configuration.
default: not set
client_hello_recv_timeout
optional, type: humanize duration
Timeout for receiving the complete TLS ClientHello message.
default: 1s
hosts
required, type: host matched object <host>, alias: sites
Host-matching rules that define which hosts this reverse proxy should handle.
Example 1:
hosts:
services:
upstream: www.example.net
Example 2:
hosts:
- exact_match:
- www.example.net
- example.net
services:
upstream: www.example.net
- suffix_match: example.org
set_default: true
services:
upstream: www.example.org
default: not set
Host
Configuration for each local host handled by this server.
tls_server
optional, type: rustls server config
TLS server configuration for this local site.
If not set, the global tls server config will be used.
default: not set
upstream
required, type: upstream str
Target upstream address. The default port is 80 and may be omitted.
tls_client
optional, type: openssl tls client config
TLS parameters for the local client side when HTTPS to the upstream is needed. If set to an empty map, the default configuration is used.
default: not set
tls_name
optional, type: tls name
TLS server name used to verify the upstream site’s certificate.
If not set, the host part of the upstream address will be used.
default: not set
Example
hosts:
- exact_match:
- www.example.net
- example.net
services:
upstream: app.example.net:8080
- suffix_match: example.org
set_default: true
services:
upstream: app.example.org:8080
tls_client: {}