########################################
# #
# rust-rxpy configuration #
# #
########################################
###################################
# Global settings #
###################################
# Both or either one of the http/https ports must be specified.
# Port for plaintext http
listen_port = 8080
# Port for https
listen_port_tls = 8443
# Optional. Bind to a specific IPv4 address or addresses. [default: 0.0.0.0]
# NOTE(review): the default binds every IPv4 interface. On a multi-homed host, list only the
# interfaces the proxy should be reachable on instead of relying on the firewall alone.
# Duplicate addresses are silently ignored.
# Single address:
# listen_address_v4 = '0.0.0.0'
# Multiple addresses (bind to specific interfaces, '0.0.0.0' MUST NOT be included in the list if multiple addresses are specified):
# listen_address_v4 = ['192.168.1.1', '10.0.0.1']
# Optional. Bind to a specific IPv6 address or addresses.
# If omitted and listen_ipv6 = true, bind to '[::]'.
# If omitted and listen_ipv6 = false or undefined, IPv6 is disabled.
# Duplicate addresses are silently ignored.
# Single address:
# listen_address_v6 = '[::]'
# Multiple addresses (bind to specific interfaces, '::' MUST NOT be included in the list if multiple addresses are specified):
# listen_address_v6 = ['::1', 'fe80::1']
# Optional. Enable IPv6 listening on '[::]' when listen_address_v6 is not specified.
# [default: false]
listen_ipv6 = false
# Optional. Use this when you listen on a custom port like 8443 but a firewall/NAT forwards 443 to it.
# When set, the server advertises this port in the "Alt-Svc" header (e.g. to indicate HTTP/3 support)
# and uses it in the 301 redirect it sends to plaintext http clients.
# Otherwise, the server sends Alt-Svc and the 301 with the same port as `listen_port_tls`.
# https_redirection_port = 443
# Optional for h2 and http1.1
tcp_listen_backlog = 1024
# Optional for h2
max_concurrent_streams = 100
# Optional. Upper bound on simultaneous clients, counted in total across http1.1, 2 and 3.
max_clients = 512
# Optional: the app that serves every plaintext http request whose Host header does not match
# any configured application.
# Note that this is only for http.
# Note that nothing is served for requests via https, since a secure channel cannot be
# established for a non-configured server_name; those are always rejected by checking SNI.
# NOTE(review): because this app answers for any Host value, it is the one that receives unsolicited
# and scanner traffic on the plaintext port. Point it at a backend that can safely absorb that,
# or omit it so unmatched requests are not proxied anywhere.
default_app = 'another_localhost'
###################################
# Backend settings #
###################################
[apps]
######################################################################
## Registering a backend app served by the domain name "localhost"
[apps.localhost]
server_name = 'localhost' # Domain name this app is selected by (Host header for http, SNI for https — see default_app above)
# Optional: TLS setting. If `listen_port_tls` is specified in the global settings, this must be given for the app to be served over https.
# https_redirection can be specified only when both `listen_port` and `listen_port_tls` are specified. If not explicitly specified, it is true by default.
# If only `listen_port_tls` is given, https_redirection must not be specified.
# NOTE(review): the private key is loaded from tls_cert_key_path as-is; keep that file readable only by the
# user rpxy runs as (and, in the docker case, mount the volume read-only).
tls = { https_redirection = true, tls_cert_path = '/certs/server.crt', tls_cert_key_path = '/certs/server.key' } # for docker volume mounted certs
#tls = { https_redirection = true, tls_cert_path = './server.crt', tls_cert_key_path = './server.key' } # for local
#tls = { https_redirection = true, tls_cert_path = './server.crt', tls_cert_key_path = './server.key', client_ca_cert_path = './client_cert.ca.crt' } # for local with client_cert — presumably enables client-certificate (mTLS) verification against this CA; confirm before relying on it
## TODO — not implemented yet. Do NOT rely on these for access control; restrict reachability at the firewall instead.
# allowhosts = ['127.0.0.1', '::1', '192.168.10.0/24'] # TODO
# denyhosts = ['*'] # TODO
# Default destination, used when no "path" is specified.
[[apps.localhost.reverse_proxy]]
# List of destinations to send data to. If multiple URLs are specified they are balanced according to `load_balance` below.
# NOTE(review): `tls = true` makes rpxy connect to the upstream over TLS. This example does not show whether the
# upstream certificate is validated against `location`; confirm that before routing across an untrusted network.
# (The public hosts here are placeholders — replace them with your own backends.)
upstream = [
{ location = 'www.yahoo.com', tls = true },
{ location = 'www.yahoo.co.jp', tls = true },
]
load_balance = "round_robin" # or "random" or "sticky" (sticky session) or "primary_backup" or "none" (default)
# "none": fix to the first upstream. When health_check is enabled, picks the first healthy one.
# "primary_backup": always routes to the first healthy upstream; requires health_check to be enabled.
upstream_options = [
"keep_original_host", # [default] do not overwrite the HOST value with the upstream hostname (e.g. 192.168.xx.x as seen from rpxy); takes precedence over "set_upstream_host" if both are specified.
"force_http2_upstream", # mutually exclusive with "force_http11_upstream"
]
# Optional: Active health check. Periodically probes upstream servers and removes unhealthy ones from the load-balancing pool.
# Simplest form — TCP connect check with default settings (interval=10s, timeout=5s, unhealthy_threshold=3, healthy_threshold=2):
# health_check = true
# Full configuration (this sub-table must directly follow the [[apps.localhost.reverse_proxy]] element it belongs to):
# [apps.localhost.reverse_proxy.health_check]
# type = "tcp" # "tcp" (default) or "http"
# interval = 10 # seconds between checks [default: 10]
# timeout = 5 # seconds per check attempt [default: 5] (must be < interval)
# unhealthy_threshold = 3 # consecutive failures to mark unhealthy [default: 3]
# healthy_threshold = 2 # consecutive successes to mark healthy again [default: 2]
# # HTTP-specific options (only when type = "http"):
# path = "/healthz" # required for type = "http"; must start with "/"
# expected_status = 200 # expected HTTP status code [default: 200]
# Non-default destination in the "localhost" app, selected by the request "path".
[[apps.localhost.reverse_proxy]]
path = '/maps'
# For a request path starting with "/maps",
# this configuration maps any path like "/maps/org/any.ext" to "/replacing/path1/org/any.ext"
# by replacing "/maps" with "/replacing/path1" before routing to the locations given in the upstream array.
# Note that unless "replace_path" is specified, the "path" is always preserved.
# "replace_path" must start with "/" (root path).
replace_path = "/replacing/path1"
upstream = [
{ location = 'www.bing.com', tls = true },
{ location = 'www.bing.co.jp', tls = true },
]
load_balance = "random" # same choices as above: "round_robin", "random", "sticky" (sticky session), "primary_backup" or "none" (fix to the first one, default)
upstream_options = [
"upgrade_insecure_requests",
"force_http11_upstream", # mutually exclusive with "force_http2_upstream"
"set_upstream_host", # overwrite the HOST value with the upstream hostname (e.g. www.bing.com); ignored when "keep_original_host" is also given
"forwarded_header" # add a Forwarded header (not added by default). An incoming Forwarded header is preserved and updated rather than replaced,
# so its earlier elements remain client-supplied: upstreams must trust only the element rpxy itself adds, never the first `for=`.
]
######################################################################
######################################################################
# Another application backend served under a different domain name.
# This app is also named by `default_app` in the global settings, so it additionally receives plaintext http
# requests whose Host does not match any configured server_name — make sure its upstream can tolerate that traffic.
[apps.another_localhost]
server_name = 'localhost.localdomain'
reverse_proxy = [{ upstream = [{ location = 'www.google.com', tls = true }] }]
######################################################################
######################################################################
# ACME-enabled example. A certificate for server_name is obtained automatically with the ACME tls-alpn-01 challenge,
# so no tls_cert_path/tls_cert_key_path is given here.
# Note that the [experimental.acme] section must be present for this to work.
# NOTE(review): tls-alpn-01 is validated by the CA connecting to TCP/443 of server_name (RFC 8737), so that port must be
# reachable from the CA (e.g. via the https_redirection_port forwarding described above). Also, 'kubernetes.docker.internal'
# is a Docker-local name that a public CA cannot resolve — replace it with a publicly resolvable hostname outside local testing.
[apps.localhost_with_acme]
server_name = 'kubernetes.docker.internal'
reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
tls = { https_redirection = true, acme = true }
###################################
# Experimental settings #
###################################
[experimental]
# Strongly recommended to leave this false. Setting it true ignores the RFC requirement that (presumably) a request's
# host match the SNI the TLS connection was established with. If not specified, it is always false.
# It might be required when one certificate covers multiple backend hosts and a client re-uses the TLS connection across them.
# Whether that happens depends strongly on the client implementation.
ignore_sni_consistency = false
# Hard timeout for handling a connection, applied regardless of whether the connection is idle or not.
# 0 represents an infinite timeout (no hard cap). [default: 0]
# Note that the idle and header-read timeouts are always applied independently of this, so slow or stalled peers
# are still bounded by those; set a finite value here only if you also want to cap long-lived busy connections.
connection_handling_timeout = 0 # sec
# If this section is present, h3 (HTTP/3) is enabled.
[experimental.h3]
alt_svc_max_age = 3600 # sec; max-age advertised in the Alt-Svc header
request_max_body_size = 65536 # bytes; request body limit for h3
max_concurrent_connections = 10000
max_concurrent_bidistream = 100
max_concurrent_unistream = 100
max_idle_timeout = 10 # secs. 0 represents an infinite timeout.
# WARNING: If a peer or its network path malfunctions or acts maliciously, an infinite idle timeout (0) can leave
# connection-handling futures hung permanently — presumably still counting toward max_concurrent_connections. Keep this finite.
# If this section is present, the file cache feature is enabled.
[experimental.cache]
# optional. default is "./cache" relative to the current working directory.
# NOTE(review): prefer an absolute path to a directory only the rpxy user can read; it will hold cached response data
# (TODO confirm exactly what is written there).
cache_dir = './cache'
max_cache_entry = 1000 # optional. default is 1k entries
max_cache_each_size = 65535 # optional. default is 64k (presumably bytes)
max_cache_each_size_on_memory = 4096 # optional. default is 4k (presumably the per-entry size kept in memory); if 0, every entry goes to the file cache.
# ACME settings. ACME is disabled unless this section is specified.
[experimental.acme]
# optional. default is "https://acme-v02.api.letsencrypt.org/directory" (Let's Encrypt production).
# NOTE(review): the value below points at a local test ACME server (port 14000 is conventionally a Pebble instance);
# certificates from such a CA are not browser-trusted. Omit dir_url, or set the real CA's directory, for production.
dir_url = "https://localhost:14000/dir"
email = "test@example.com" # contact address for the ACME account; use a monitored mailbox, not a placeholder
# optional. default is "./acme_registry" relative to the current working directory.
# Presumably holds the ACME account key and issued certificates/keys — keep it on persistent, access-restricted storage.
registry_path = "./acme_registry"
# HAProxy PROXY Protocol v1/v2 inbound receive (requires `proxy-protocol` feature).
# This is enabled when [experimental.tcp_recv_proxy_protocol] and its required field `trusted_proxies` are specified. Unless specified, this is disabled.
# When enabled, rpxy expects a PROXY header at the beginning of every TCP connection, sent by an upstream L4 proxy
# (e.g. rpxy-l4), and parses it to recover the original client's source IP/port.
# SECURITY WARNING: When configured, ALL TCP connections must originate from a listed trusted proxy.
# PROXY headers are not authenticated: any host in a listed range that can reach the listener can claim an arbitrary
# client IP/port, which is then (presumably) logged and used wherever rpxy acts on the client address. Keep
# trusted_proxies as narrow as the L4 proxy's real addresses and drop other traffic to these ports with firewall rules.
# [experimental.tcp_recv_proxy_protocol]
# trusted_proxies = ["127.0.0.1/32", "10.0.0.0/8"] # required, non-empty CIDR list. IPv4 and/or IPv6. Example: ["127.0.0.1/32", "::1/128"]. Prefer host-specific entries (/32, /128): a range as wide as 10.0.0.0/8 lets every host in it spoof client addresses.
# timeout = 50 # optional, milliseconds. Default 50ms. 0 = fallback to 5s (not recommended).