# gnix

a simple stupid reverse proxy

## Features

- Simple to configure (see below)
- Handles connection upgrades correctly by default (websocket, etc.)
- TLS support
- _TODO: h2; match on uris; connection pools_

## Quick Start

Run the binary with the path to the configuration file as the first argument. The configuration file is written in YAML and could look like this:

```yaml
# Both the 'http' and 'https' sections are optional
http:
  # the value for 'bind' can either be a string or a list of strings
  bind: [ "127.0.0.1:8080", "[::1]:8080" ]

https:
  bind: "127.0.0.1:8443"
  tls_cert: "ssl/cert.pem"
  tls_key: "ssl/key.pem" # only accepts pkcs8 for now

# this is a lookup table from hostnames to a list of filters
# in this case, requests for `testdomain.local` are forwarded to 127.0.0.1:8000
hosts:
  "testdomain.local": !proxy { backend: "127.0.0.1:8000" }
  "192.168.178.39": !proxy { backend: "127.0.0.1:8000" }
  "localhost": !files
    root: "/home/muffin/videos"
    index: true
```

## Reference

- **section `http`**
  - `bind`: string or list of strings with addresses to listen on.
- **section `https`**
  - `bind`: string or list of strings with addresses to listen on.
  - `tls_cert`: path to the SSL certificate. (Sometimes called `fullchain.pem`)
  - `tls_key`: path to the SSL key. (Often called `key.pem` or `privkey.pem`)
- **section `limits`**
  - Note: Make sure you do not exceed the maximum file descriptor limit on your platform.
  - `max_incoming_connections`: maximum number of incoming (downstream) connections. Excess connections are rejected. Default: 512
  - `max_outgoing_connections`: maximum number of outgoing (upstream) connections. Excess connections are rejected. Default: 256
- **section `hosts`**
  - A map from hostname (a string) to a _filter_ or a list of _filters_
- `watch_config`: boolean; whether to watch the configuration file for changes and apply them accordingly. Default: true (Note: This will watch the entire parent directory of the config, since most editors first move the file. Currently any change will trigger a reload. TODO)

### Filters

- **filter `proxy`**
  - Forwards the request as-is to some other server. `x-forwarded-proto` and `x-forwarded-for` headers are injected into the request. Connection upgrades are handled by direct forwarding of network traffic.
  - `backend`: socket address (string) of the backend server
- **filter `files`**
  - Provides a simple built-in fileserver. The server handles `accept-ranges`. The `content-type` header is inferred from the file extension and falls back to `application/octet-stream`. If a directory is requested, `index.html` will be served; otherwise, when indexing is enabled, `index.banner.html` will be prepended to the response.
  - `root`: root directory to be served (string)
  - `index`: enables directory indexing (boolean)
- **filter `http_basic_auth`**
  - Filters requests via HTTP Basic Authentication. Unauthorized clients will be challenged on every request.
  - `realm`: string that does essentially nothing
  - `valid`: list of valid logins (string) in the format `:` (password in plain text). TODO: hashing

## License

AGPL-3.0-only; see [COPYING](./COPYING)
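
A backend behind the `proxy` filter sees every connection arrive from gnix, so it has to read `x-forwarded-for` and `x-forwarded-proto` to learn the client address and scheme, and it should only believe them when the TCP peer really is the proxy. The sketch below is an added example, not code from gnix: it assumes gnix runs on loopback as in the Quick Start config, the function names are hypothetical, and the sample addresses in its comments are constructed. This page does not say whether gnix replaces or appends to a client-supplied `x-forwarded-for`, so the code trusts only the rightmost entries.

```python
import ipaddress

# Assumption: gnix runs on the same machine as the backend, as in the
# Quick Start config, so its connections arrive from loopback.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def _parse_ip(text):
    """Return an ip_address, or None for anything that is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer, headers):
    """Resolve the real client address for a request.

    peer    -- IP of the TCP peer that connected to the backend
    headers -- dict of lower-cased request header names to values
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        # Connection that did not come through the proxy: the header is
        # fully client-controlled, so ignore it.
        return str(peer_ip)
    hops = [_parse_ip(h) for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left: the rightmost entry is the one our proxy wrote,
    # e.g. "10.0.0.1, 198.51.100.9" resolves to 198.51.100.9.
    for hop in reversed(hops):
        if hop is None:
            break  # missing or malformed entry: stop trusting the chain
        if hop not in TRUSTED_PROXIES:
            return str(hop)
    return str(peer_ip)


def request_scheme(peer, headers):
    """Return the forwarded scheme only when the trusted proxy supplied it."""
    if ipaddress.ip_address(peer) in TRUSTED_PROXIES:
        proto = headers.get("x-forwarded-proto", "").strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"
```

Binding the backend to `127.0.0.1` only, as the sample `backend` address does, keeps the untrusted-peer branch from being reachable from the network at all.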