http_rproxy

This server provides an HTTP reverse proxy.

The following common keys are supported:

The auth scheme supported by the server is determined by the type of the specified user group.

auth scheme    user group type    is supported
-----------    ---------------    ------------
Basic          hashed_user        yes
Negotiate      gss_api            not yet

listen

optional, type: tcp listen

Set the listen config for this server.

The instance count setting will be ignored if listen_in_worker is correctly enabled.

default: not set

Added in version 1.7.20: change listen config to be optional

server_id

optional, type: http server id

Set the server id. If set, the header X-BD-Remote-Connection-Info will be added to the response, and the id will also be used in the Via header added to the request.

default: not set

auth_realm

optional, type: ascii str

Set the auth realm.

default: proxy

req_header_recv_timeout

optional, type: humanize duration

Set the max time to wait for a full request header after the client connection becomes readable.

default: 30s

rsp_header_recv_timeout

optional, type: humanize duration

Set the max time to wait for the whole response header after the full request has been sent.

default: 60s

req_header_max_size

optional, type: humanize usize

Set the max request header size.

default: 64KiB

rsp_header_max_size

optional, type: humanize usize

Set the max response header size.

default: 64KiB

log_uri_max_chars

optional, type: usize

Set the max number of characters of the URI that should be written to logs.

The user level config value will take effect if set, see this user config option.

default: 1024

pipeline_size

optional, type: nonzero usize

Set the pipeline size for HTTP 1.0/1.1.

default: 10

Note

We only pipeline requests with no body.

pipeline_read_idle_timeout

optional, type: humanize duration

Set the idle timeout of the client side IDLE http connections.

default: 5min

no_early_error_reply

optional, type: bool

Set to true if no error reply should be sent before user auth has succeeded; in that case the connection is simply closed.

default: false

body_line_max_length

optional, type: int

Set the max line length for lines (trailer and chunk size) in http body.

default: 8192

http_forward_upstream_keepalive

optional, type: http keepalive

Set http keepalive config at server level.

default: set with default value

untrusted_read_speed_limit

optional, type: tcp socket speed limit

Enable untrusted read of the body of requests with no auth info, and set the read rate limit.

Set this if you need to be compatible with buggy java http clients which won’t handle the 407 error response in time.

default: not set, which means untrusted read is disabled

untrusted_read_limit

deprecated

Changed in version 1.11.8: deprecated, use untrusted_read_speed_limit instead

append_forwarded_for

optional, type: http forwarded header type

Set whether we should append a corresponding forwarded header to the request sent out to the next proxy.

See steal_forwarded_for config option in http_proxy for more info if you want to delete existing forwarded headers.

See the doc of supported escapers for detailed protocol info.

default: classic, which means X-Forwarded-* headers will be appended

enable_tls_server

optional, type: bool

Set whether tls is enabled for all local sites.

Requests to local sites without valid tls server config will be dropped.

default: false

global_tls_server

optional, type: rustls server config

Set the global TLS server config on the server. This will be used if no tls server config is set on the matched local site.

default: not set

client_hello_recv_timeout

optional, type: humanize duration

Set the timeout value for receiving the complete TLS ClientHello message.

default: 1s

hosts

required, type: host matched object <host>

Set the hosts we should handle based on host match rules.

Example 1:

hosts:
  services:
    upstream: www.example.net

Example 2:

hosts:
  - exact_match:
      - www.example.net
      - example.net
    services:
      upstream: www.example.net
  - child_match: example.org
    set_default: true
    services:
      upstream: www.example.org

default: not set

Host

This is the config for each local host on this server.

tls_server

optional, type: rustls server config

Set TLS server config for this local site.

If not set, the global tls server config will be used.

default: not set

upstream

required, type: upstream str

Set the target upstream address. The default port is 80 which can be omitted.

tls_client

optional, type: openssl tls client config

Set TLS parameters for this local TLS client if https is needed. If set to an empty map, a default config is used.

default: not set

tls_name

optional, type: tls name

Set the TLS server name used to verify the TLS certificate of the upstream site.

If not set, the host part of the upstream address will be used.

default: not set
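
The TLS fallback rule (enable_tls_server, global_tls_server, per-host tls_server) and the untrusted-read keys described above can be checked mechanically before a config is deployed. The following Python is an added example, not part of the original documentation or the project's code: `audit_http_rproxy` and its helpers are hypothetical names, the input is an already-parsed server map, and the checks test only whether a key is present, not whether its value is valid.

```python
# Added example, not g3proxy code: audits a parsed http_rproxy server map.
def _hosts(server):
    """Return hosts as a list; the page shows a single-map and a list form."""
    hosts = server.get("hosts") or []
    return [hosts] if isinstance(hosts, dict) else list(hosts)

def _label(host):
    """Name a host by its match rule so findings are readable."""
    for key in ("exact_match", "child_match"):
        if key in host:
            value = host[key]
            return value if isinstance(value, str) else ",".join(value)
    return "<no match rule>"

def audit_http_rproxy(server):
    """Return (severity, message) findings; checks key presence only."""
    findings = []
    hosts = _hosts(server)
    if not hosts:
        findings.append(("error", "hosts is required but not set"))
    if "untrusted_read_limit" in server:
        findings.append(("warn", "untrusted_read_limit is deprecated, "
                         "use untrusted_read_speed_limit"))
    if "untrusted_read_speed_limit" in server:
        findings.append(("warn", "untrusted read is enabled for bodies of "
                         "requests with no auth info"))
    tls_on = server.get("enable_tls_server", False)
    if not tls_on:
        findings.append(("warn", "enable_tls_server is false: TLS is not "
                         "enabled for local sites"))
    for host in hosts:
        if tls_on and "tls_server" not in host \
                and "global_tls_server" not in server:
            findings.append(("error", _label(host) + ": no tls_server and no "
                             "global_tls_server, requests will be dropped"))
    return findings

# Constructed sample shaped like "Example 2", with TLS switched on. The empty
# tls_server map and the limit value are placeholders, not real settings.
SAMPLE = {
    "enable_tls_server": True,
    "untrusted_read_limit": "<placeholder>",
    "hosts": [
        {"exact_match": ["www.example.net", "example.net"], "tls_server": {},
         "services": {"upstream": "www.example.net"}},
        {"child_match": "example.org", "set_default": True,
         "services": {"upstream": "www.example.org"}},
    ],
}
```

On the sample, the example.org host is reported because it would have its requests dropped, while the first host passes thanks to its own tls_server entry.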