http_rproxy

This server provides an HTTP reverse proxy.

This server terminates the client-side HTTP session locally and then forwards requests to configured upstream sites selected by the hosts match table.

The following common keys are supported:

The authentication schemes supported by this server depend on the type of the configured user group.

auth scheme

user group type

is supported

Basic

hashed_user

yes

Negotiate

gss_api

not yet

listen

optional, type: tcp listen

Listening configuration for this server.

The instance count setting will be ignored if listen_in_worker is correctly enabled.

default: not set

Added in version 1.7.20: change listen config to be optional

server_id

optional, type: http server id

Server ID. If set, the X-VEY-Remote-Connection-Info header is added to responses, and the value is also used in the Via header added to requests.

default: not set

auth_realm

optional, type: ascii str

Authentication realm.

default: vey-proxy

req_header_recv_timeout

optional, type: humanize duration

Maximum time to wait for the full request header after the client connection becomes readable.

default: 30s

rsp_header_recv_timeout

optional, type: humanize duration

Maximum time to wait after the full request is sent and before the full response header is received.

default: 60s

req_header_max_size

optional, type: humanize usize

Maximum request-header size.

default: 64KiB

rsp_header_max_size

optional, type: humanize usize

Maximum response-header size.

default: 64KiB

log_uri_max_chars

optional, type: usize

Maximum number of URI characters recorded in logs.

The user level config value will take effect if set, see this user config option.

default: 1024

pipeline_size

optional, type: nonzero usize

Pipeline depth for HTTP/1.0 and HTTP/1.1.

default: 10

Note

We only pipeline requests with no body.

pipeline_read_idle_timeout

optional, type: humanize duration

Idle timeout for client-side idle HTTP connections.

default: 5min

no_early_error_reply

optional, type: bool

If set to true, no error response is sent before user authentication succeeds. In that case the connection is simply closed.

default: false

body_line_max_length

optional, type: int

Maximum line length for lines in the HTTP body, such as trailer fields and chunk-size lines.

default: 8192

http_forward_upstream_keepalive

optional, type: http keepalive

HTTP keepalive configuration at the server level.

default: set with default value

untrusted_read_speed_limit

optional, type: tcp socket speed limit

Enables untrusted reading of request bodies that do not yet have authentication information, and sets the corresponding read-rate limit.

Use this if you need compatibility with buggy Java HTTP clients that do not handle 407 responses promptly.

default: not set, which means untrusted read is disabled

untrusted_read_limit

deprecated

Changed in version 1.11.8: deprecated, use untrusted_read_speed_limit instead

append_forwarded_for

optional, type: http forwarded header type

Controls whether the corresponding forwarding headers are appended to requests sent to the next proxy.

If you want to remove existing forwarded headers first, see steal_forwarded_for in http_proxy.

See the doc of supported escapers for detailed protocol info.

default: classic, which means X-Forwarded-* headers will be appended

enable_tls_server

optional, type: bool

Controls whether TLS is enabled for all local sites.

Requests to local sites without valid TLS server configuration are dropped.

default: false

global_tls_server

optional, type: rustls server config

Global TLS server configuration used when the matched local site does not set its own TLS server configuration.

default: not set

client_hello_recv_timeout

optional, type: humanize duration

Timeout for receiving the complete TLS ClientHello message.

default: 1s

hosts

required, type: host matched object <host>, alias: sites

Host-matching rules that define which hosts this reverse proxy should handle.

Example 1:

hosts:
  services:
    upstream: www.example.net

Example 2:

hosts:
  - exact_match:
      - www.example.net
      - example.net
    services:
      upstream: www.example.net
  - suffix_match: example.org
    set_default: true
    services:
      upstream: www.example.org

default: not set

Host

Configuration for each local host handled by this server.

tls_server

optional, type: rustls server config

TLS server configuration for this local site.

If not set, the global tls server config will be used.

default: not set

upstream

required, type: upstream str

Target upstream address. The default port is 80 and may be omitted.

tls_client

optional, type: openssl tls client config

TLS parameters for the local client side when HTTPS to the upstream is needed. If set to an empty map, the default configuration is used.

default: not set

tls_name

optional, type: tls name

TLS server name used to verify the upstream site’s certificate.

If not set, the host part of the upstream address will be used.

default: not set

Example

hosts:
  - exact_match:
      - www.example.net
      - example.net
    services:
      upstream: app.example.net:8080
  - suffix_match: example.org
    set_default: true
    services:
      upstream: app.example.org:8080
      tls_client: {}