{
  "token_expiry_seconds": 3600,
  "secret": "supersecretvalue",
  "host": "0.0.0.0",
  "port": 8080,
  "worker": 4,
  "login_via_otp": false,
  "log": {"type": "local"},
  "stats": true,
  "max_idle_per_host": 200,
  "timezone": "Europe/Paris",
  "ratelimit_auth": {
    "burst": 10,
    "block_delay": 500,
    "requests_per_second": 10
  },
  "ratelimit_proxy": {
    "burst": 10,
    "block_delay": 500,
    "requests_per_second": 10
  },
  "users": [
    {
      "username": "admin",
      "password": "$argon2id$v=19$m=19456,t=2...",
      "allow": ["192.168.1.0/24", "172.16.54.2"]
    },
    {
      "username": "alice",
      "password": "$argon2id$v=19$m=19456,t=2..."
    }
  ]
}
Options Documentation
* All options are required.
token_expiry_seconds
1-31536000 (Max 5 Years)
Default: 3600
secret
Please generate a secure token (64 characters or more!)
Default: unset
login_via_otp
Enable or disable logging of OTP login attempts.
Valid values: true or false
Default: false
host
IP address where the server listens
Default: 0.0.0.0
timezone
A timezone defines how a specific region offsets from UTC (Coordinated Universal Time).
You can select a timezone like Europe/Paris, UTC, or America/New_York to properly convert and display timestamps in local time.
Default: Europe/Paris
port
Valid range: 1–65535
Default: 8080
worker
Number of CPUs available
Default: 4
log
type: local → do not use remote logging
type: loki → use Loki logging {"type": "loki", "host": "127.0.0.1:1234"}
type: http → get logs via HTTP {"type": "http", "max_writes_log": 10000}
Default: local
stats
boolean: true/false
→ do not use remote stats /adm/stats or proxyauth stats
Default: false
max_idle_per_host
int: 0-3000
→ defines the maximum number of idle (keep-alive) connections that can be kept open per host. This helps optimize performance by reusing connections instead of opening new ones for each request, while also preventing excessive resource usage by limiting the number of unused open connections.
Default: 50
ratelimit_auth
request_per_seconds: Maximum number of authentication requests allowed per second from a single client. Set to 0 to disable the rate limit.
burst: Number of extra requests allowed beyond the per-second rate before blocking is enforced.
block_delay: Time a client must wait (after exceeding limits) before sending new authentication requests.
Default: Disabled
ratelimit_proxy
request_per_seconds: Maximum number of forward proxy requests allowed per second from a single client. Set to 0 to disable the rate limit.
burst: Number of extra requests allowed beyond the per-second rate before blocking is enforced.
block_delay: Time a client must wait (after exceeding limits) before sending a new forward request through ProxyAuth.
Default: Disabled
users
Array of user objects for authentication.
Key username
Username to use with the /auth route to obtain a token.
Key password
Password to use with the /auth route to obtain a token.
Key allow
(optional) List of allowed IP addresses or CIDR blocks.
If provided, only requests from these IPs will be allowed to authenticate with this user.
• Example: "allow": ["192.168.1.0/24", "10.0.0.1"]
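A pre-deployment check of the main configuration against the limits documented above, as an added example that is not part of ProxyAuth. The function names are hypothetical; requiring the `$argon2id$` prefix seen in the sample and rejecting CIDR entries with host bits set are assumptions of this check, not documented ProxyAuth behaviour.

```python
import ipaddress
import json

# Constructed sample: the page's example with its JSON syntax errors repaired,
# trimmed to the keys this check reads. Hashes are truncated as on the page.
SAMPLE = """{
  "token_expiry_seconds": 3600,
  "secret": "supersecretvalue",
  "port": 8080,
  "max_idle_per_host": 200,
  "users": [
    {"username": "admin", "password": "$argon2id$v=19$m=19456,t=2...",
     "allow": ["192.168.1.0/24", "172.16.54.2"]},
    {"username": "alice", "password": "$argon2id$v=19$m=19456,t=2..."}
  ]
}"""

def in_range(cfg, key, lo, hi):
    v = cfg.get(key)
    # bool is a subclass of int in Python, so reject true/false explicitly
    return isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi

def lint_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = json.loads(text)  # raises on syntax errors such as a stray ';'
    findings = []
    for key, lo, hi in (("token_expiry_seconds", 1, 31536000),
                        ("port", 1, 65535),
                        ("max_idle_per_host", 0, 3000)):
        if not in_range(cfg, key, lo, hi):
            findings.append(f"{key}: must be an integer in {lo}-{hi}")
    if len(str(cfg.get("secret", ""))) < 64:
        findings.append("secret: shorter than 64 characters")
    for user in cfg.get("users", []):
        name = user.get("username", "?")
        if not str(user.get("password", "")).startswith("$argon2id$"):
            findings.append(f"user {name}: password is not an argon2id hash")
        for entry in user.get("allow", []):
            try:
                # Assumption of this check: reject host bits, e.g. 192.168.1.5/24
                ipaddress.ip_network(entry, strict=True)
            except ValueError:
                findings.append(f"user {name}: bad allow entry {entry!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE)) or "no findings")
```

Run against the page's own sample, the only finding is the 16-character `secret`, which falls short of the documented 64-character minimum.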
routes:
  - prefix: "/redoc"
    target: "http://127.0.0.1:8000/redoc"
    secure: false
  - prefix: "/api_test/openapi.json"
    target: "http://localhost:8000/api_test/openapi.json"
    secure: false
    backends:
      - http://localhost:8001/api_test/openapi.json
        weight: 1
      - http://localhost:8002/api_test/openapi.json
        weight: 2
  - prefix: "/api_test_default"
    target: "http://localhost:8000/api_test_default"
    username: ["admin", "alice1", "alice15", "alice30"]
  - prefix: "/api_test_proxy"
    target: "http://localhost:8000/api_test_proxy"
    username: ["admin", "alice1", "alice15", "alice30"]
    proxy: true
    proxy_config: "http://127.0.0.1:8888"
  - prefix: "/api_test_cert"
    target: "https://localhost:8000/api_test_cert"
    username: ["admin", "alice1", "alice15", "alice30"]
    cert: {"file": "certificat.p12", "password": "1234"}
Options Documentation
prefix * Required
Defines the URL prefix to use when forwarding the original request to the target service.
target * Required
Specifies the destination URL or service that will receive the forwarded request.
backends
Defines a failover and load balancing mechanism by providing multiple backend targets (URLs or services).
The system supports automatic redirection in case of failure or downtime of a backend, ensuring fault tolerance and service continuity.
weight: Specifies the load balancing weight of each backend. The higher the weight, the more requests that backend will receive.
Example: if backend A has a weight of 3 and backend B has a weight of 1, A will receive approximately 75% of the traffic, and B 25%.
Note: Setting weight: -1 disables load balancing for that backend. However, the backend will still be used as a failover target if all active backends fail.
username
A list of allowed usernames authorized to access this route.
Default: unset.
secure
Determines whether the route requires authentication.
Set the secure key to true to require a token, or false to disable authentication.
Default: true
proxy
Enable or disable proxy forwarding.
Use true to require a token to access this resource, false to require no token to access this route by
Default: false.
proxy_config
Configuration object for the proxy destination.
Key host
[IP:PORT] or hostname of the proxy target.
Default: unset.
cert * Experimental
SSL/TLS certificate configuration:
Key file
Path to the certificate file (e.g., certificate.p12).
Key password
Password used to unlock the certificate.
Default: unset.
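A model of the backends weight rule described above (3:1 weights giving roughly 75%/25%, and weight: -1 used only as failover), as an added example that is not ProxyAuth's code. The page does not state which selection algorithm ProxyAuth uses; smooth weighted round-robin is assumed here, and the backend URLs and function names are hypothetical.

```python
from collections import Counter

# Constructed sample: weights 3 and 1 as in the text, plus one weight -1 backend.
# The URLs are placeholders, not taken from the page.
BACKENDS = [("http://a.example", 3), ("http://b.example", 1),
            ("http://standby.example", -1)]

def make_picker(backends):
    """Return pick(healthy) -> backend URL, or None when nothing is reachable."""
    active = [(u, w) for u, w in backends if w > 0]
    standby = [u for u, w in backends if w == -1]
    current = {u: 0 for u, _ in active}  # running score per weighted backend

    def pick(healthy):
        live = [(u, w) for u, w in active if u in healthy]
        if not live:
            # Every weighted backend is down: use a weight -1 backend as failover.
            return next((u for u in standby if u in healthy), None)
        for u, w in live:
            current[u] += w
        best = max(live, key=lambda b: current[b[0]])[0]
        current[best] -= sum(w for _, w in live)
        return best

    return pick

def simulate(backends, healthy, n):
    """Count which backend serves each of n requests for a fixed healthy set."""
    pick = make_picker(backends)
    return Counter(pick(healthy) for _ in range(n))

if __name__ == "__main__":
    everyone = {u for u, _ in BACKENDS}
    print(simulate(BACKENDS, everyone, 400))
    print(simulate(BACKENDS, {"http://standby.example"}, 4))
```

While any weighted backend is healthy the weight -1 backend receives no traffic, so an outage of that standby stays invisible until failover unless it is monitored separately.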