Configuration
Reference for main.yaml and upstreams.yaml
main.yaml — Startup Parameters
| Key | Example Value | Description |
|---|---|---|
| threads | 12 | Number of running daemon threads. Optional, defaults to 1 |
| runuser | aralez | Optional. Username for running aralez after dropping root privileges (requires launch as root) |
| rungroup | aralez | Optional. Group for running aralez after dropping root privileges (requires launch as root) |
| daemon | false | Run in background (boolean) |
| upstream_keepalive_pool_size | 500 | Pool size for upstream keepalive connections |
| pid_file | /tmp/aralez.pid | Path to PID file |
| config_address | 0.0.0.0:3000 | HTTP API address for pushing upstreams.yaml from remote location |
| proxy_tls_grade | high, medium, unsafe | Grade of TLS ciphers. high matches Qualys SSL Labs A+ (defaults to medium) |
| proxy_address_http | 0.0.0.0:6193 | Aralez HTTP bind address |
| proxy_address_tls | 0.0.0.0:6194 | Aralez HTTPS bind address (Optional) |
| proxy_configs | /etc/aralez/ | Directory containing configuration files, must be writable by user aralez |
| upstreams_conf | /etc/aralez/upstreams.yaml | Location of the upstreams file |
| access_log | access | Configure access logging. Values: access, error |
| log_level | info | Log level: info, warn, error, debug, trace, off |
| log_file | /full/path/to/aralez.log | Optional, the location of the log file. If this entry does not exist, logs will be emitted to stdout. |
| hc_method | HEAD | Healthcheck method: HEAD, GET, POST (UPPERCASE) |
| hc_interval | 2 | Interval for health checks in seconds |
| file_server_folder | /some/local/folder | Optional. Local folder to serve |
| file_server_address | 127.0.0.1:3002 | Optional. Local address for file server |
| config_api_enabled | true | Enable/disable remote config push capability |
| tcp_keepalive_idle | 60 | Optional. Seconds of inactivity before the kernel starts sending keepalive probes to a downstream client |
| tcp_keepalive_interval | 10 (Default if tcp_keepalive_idle is set) | Optional. Seconds between individual keepalive probes if the client does not respond |
| tcp_keepalive_count | 5 (Default if tcp_keepalive_idle is set) | Optional. Number of unanswered probes before the kernel declares the connection dead and closes it |
upstreams.yaml — Upstream Mappings
- `provider`: `file` or `consul` (a `kubernetes` provider is shown in the example further down)
- File-based upstreams define hostnames, routing paths, backend servers and optional request headers
- Global headers (e.g. CORS) apply to all proxied responses
- Optional authentication (Basic, API Key, JWT)
Example: File Provider
A sample upstreams.yaml entry:
```yaml
provider: "file"
sticky_sessions: 86000
to_https: false
rate_limit: 20
x4xx_limit: 10
server_headers:
  - "X-Forwarded-Proto:https"
  - "X-Forwarded-Port:443"
client_headers:
  - "Access-Control-Allow-Origin:*"
  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
  - "Access-Control-Max-Age:86400"
myhost.mydomain.com:
  paths:
    "/":
      rate_limit: 20
      x4xx_limit: 10
      to_https: false
      server_headers:
        - "X-Something-Else:Foobar"
        - "X-Another-Header:Hohohohoho"
      client_headers:
        - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
        - "X-Proxy-From:Hopaaaaaaaaaaaar"
      servers:
        - "127.0.0.1:8000"
        - "127.0.0.2:8000"
    "/foo":
      to_https: true
      authorization:
        type: "jwt"
        data: "266463d1-210a-4787-9a81-4aacb37a8723"
      client_headers:
        - "X-Another-Header:Hohohohoho"
      servers:
        - "127.0.0.4:8443"
        - "127.0.0.5:8443"
    "/.well-known/acme-challenge":
      healthcheck: false
      servers:
        - "127.0.0.1:8001"
DEFAULT:
  paths:
    "/":
      servers:
        - "127.0.0.1:3000"
```
This means:
- Sticky sessions are enabled globally; the setting applies to all upstreams. When enabled, the value is used as the cookie `Max-Age`.
- HTTP to HTTPS redirect is disabled globally, but can be overridden per upstream with the `to_https` setting.
- All upstreams will receive the custom headers `X-Forwarded-Proto:https` and `X-Forwarded-Port:443`.
- Additionally, `myhost.mydomain.com` with path `/` will receive the custom headers `X-Another-Header:Hohohohoho` and `X-Something-Else:Foobar`.
- Requests to each hosted domain will be limited to 20 requests per second per virtualhost. Limits are calculated per requester IP plus requested virtualhost. A requester that exceeds the limit receives a `429 Too Many Requests` error. The rate limiter is optional and is disabled when the parameter is removed from the config entirely.
- `x4xx_limit` applies the same mechanism to requests that receive a 4xx response (the global value in this example is `x4xx_limit: 10`): counted per requester IP plus virtualhost, `429 Too Many Requests` when exceeded, disabled when the parameter is removed.
- Requests to `myhost.mydomain.com/` will be limited to 20 requests per second.
- Requests with 4xx responses to `myhost.mydomain.com/` will be limited to 10 requests per second.
- Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
- Plain HTTP to `myhost.mydomain.com/foo` will get a 301 redirect to the configured TLS port of Aralez.
- `myhost.mydomain.com/foo` will require authentication with a JWT token signed by `266463d1-210a-4787-9a81-4aacb37a8723`.
- Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
- Requests to `myhost.mydomain.com/.well-known/acme-challenge` will be proxied to `127.0.0.1:8001`, but health checks are disabled.
- SSL/TLS for upstreams is detected automatically; no config parameter is needed. Assuming `127.0.0.5:8443` is SSL protected, the inner traffic will use TLS.
- Self-signed certificates are silently accepted, so the upstream's certificate is not verified; treat the network between Aralez and its upstreams as trusted.
- Global headers (CORS in this case) will be injected for all upstreams.
- Additional headers will be injected into the request for `myhost.mydomain.com`.
- You can choose any path; deeply nested paths are supported, and the best match is chosen.
- `DEFAULT` catches everything else and proxies to `127.0.0.1:3000`. This is a special upstream, and to do the catch-all job it must be spelled `DEFAULT` in all capitals.
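The rules above (DEFAULT as catch-all, best-match path selection, path settings overriding global ones, global plus path headers, and a limit keyed by requester IP plus virtualhost that answers 429) as a runnable model. This is an added illustration, not Aralez's own code; the config is a constructed dict mirroring the file-provider example, and longest-prefix path matching, a fixed one-second window for both limiters, and round-robin over the path's servers are assumptions about details the text does not spell out.

```python
"""Model of the upstreams.yaml semantics: host lookup with DEFAULT as
catch-all, best-match path selection, global-to-path overrides, header
injection and per-(requester IP, virtualhost) rate limiting with 429.
Added illustration, not Aralez's implementation. Assumed details: longest
prefix wins, fixed one-second windows, round-robin over servers."""
from collections import defaultdict

# Constructed config mirroring the file-provider example above, as a dict so
# the block runs without a YAML library.
CONFIG = {
    "to_https": False, "rate_limit": 20, "x4xx_limit": 10,
    "server_headers": ["X-Forwarded-Proto:https", "X-Forwarded-Port:443"],
    "client_headers": ["Access-Control-Allow-Origin:*"],
    "myhost.mydomain.com": {"paths": {
        "/": {"rate_limit": 20, "x4xx_limit": 10, "to_https": False,
              "server_headers": ["X-Something-Else:Foobar"],
              "servers": ["127.0.0.1:8000", "127.0.0.2:8000"]},
        "/foo": {"to_https": True,
                 "servers": ["127.0.0.4:8443", "127.0.0.5:8443"]},
    }},
    "DEFAULT": {"paths": {"/": {"servers": ["127.0.0.1:3000"]}}},
}
SCALARS = ("to_https", "rate_limit", "x4xx_limit")
HEADER_LISTS = ("server_headers", "client_headers")


def path_matches(pattern, request_path):
    """'/' matches everything; '/foo' matches '/foo' and '/foo/...', not '/foobar'."""
    if pattern == "/":
        return True
    return request_path == pattern or request_path.startswith(pattern + "/")


def resolve(config, host, request_path):
    """Effective settings for one request: the path value overrides the global
    value, header lists are concatenated (global first). None if nothing matches."""
    host_cfg = config.get(host)
    if not isinstance(host_cfg, dict):        # unknown host -> DEFAULT catch-all
        host_cfg = config["DEFAULT"]
    paths = host_cfg["paths"]
    candidates = [p for p in paths if path_matches(p, request_path)]
    if not candidates:
        return None
    pattern = max(candidates, key=len)        # most specific match wins
    path_cfg = paths[pattern]
    eff = {k: path_cfg.get(k, config.get(k)) for k in SCALARS}
    for k in HEADER_LISTS:
        eff[k] = list(config.get(k, [])) + list(path_cfg.get(k, []))
    eff["path"], eff["servers"] = pattern, path_cfg["servers"]
    return eff


class Limiter:
    """Counters keyed by (kind, requester IP, virtualhost, second)."""
    def __init__(self):
        self.hits = defaultdict(int)

    def count(self, kind, ip, vhost, now):
        key = (kind, ip, vhost, int(now))
        self.hits[key] += 1
        return self.hits[key]

    def exhausted(self, kind, ip, vhost, limit, now):
        if limit is None:                     # parameter removed: limiter off
            return False
        return self.hits[(kind, ip, vhost, int(now))] >= limit


def handle(config, limiter, ip, host, path, scheme, now, upstream_status=200):
    """Return (status, chosen upstream) for one request. upstream_status stands
    in for the backend's answer so that 4xx responses can be counted."""
    eff = resolve(config, host, path)
    if eff is None:
        return 404, None
    if eff["to_https"] and scheme == "http":
        return 301, None                      # redirect to the TLS port
    n = limiter.count("req", ip, host, now)
    if eff["rate_limit"] is not None and n > eff["rate_limit"]:
        return 429, None
    if limiter.exhausted("4xx", ip, host, eff["x4xx_limit"], now):
        return 429, None
    upstream = eff["servers"][(n - 1) % len(eff["servers"])]
    if 400 <= upstream_status < 500:
        limiter.count("4xx", ip, host, now)   # spend the x4xx_limit budget
    return upstream_status, upstream


if __name__ == "__main__":
    lim = Limiter()
    print(handle(CONFIG, lim, "203.0.113.7", "myhost.mydomain.com", "/foo/x", "http", 0))
    for _ in range(21):
        status, upstream = handle(CONFIG, lim, "203.0.113.7", "myhost.mydomain.com", "/", "https", 0)
    print(status)  # the 21st request in the same second is refused with 429
```

Because both counters are keyed by virtualhost as well as IP, a client hammering one host does not consume the budget of another host on the same proxy; dropping `rate_limit` and `x4xx_limit` from the config turns both checks off, as the text states.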
Since version v.0.86.1 the upstream config can be split into multiple files. Aralez scans the conf.d subdirectory of the configuration directory and includes all YAML files found there. File names do not matter; a file only needs the .yaml extension. The content of each file is similar to upstreams.yaml, with some minor differences:
- These are per-host config files, so no global parameters should be included.
- `hostname` is the top-level item in the `.yaml` file. Each file can contain one or multiple hosts.
- All valid host-level parameters from `upstreams.yaml` are also valid here.
- In case of conflicting configuration parameters, the split file wins.
- If multiple split files contain the same host, the last applied wins.
- Files are applied in alphabetical order.
- Split files are read only if there is at least one configured upstream in the main `upstreams.yaml`. If `upstreams.yaml` contains no upstreams at all, split files are ignored.
Example: Split file
```yaml
some.example.com:
  paths:
    "/":
      rate_limit: 100
      to_https: false
      server_headers:
        - "Y-Proxy-Server-From:Aralez"
      client_headers:
        - "Access-Control-Allow-Origin:*"
        - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
        - "Access-Control-Max-Age:86400"
        - "Strict-Transport-Security:max-age=31536000; includeSubDomains; preload"
      authorization:
        type: "basic"
        data: "admin:admin"
      servers:
        - "127.0.0.1:8000"
        - "127.0.0.2:8000"
other.example.com:
  paths:
    "/":
      redirect_to: "https://some.example.com:6194"
      healthcheck: false
      servers:
        - "127.0.0.3:8000"
```
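The split-file rules listed above (alphabetical order, split file wins over the main file, last file wins for a repeated host, `.yaml` extension only, split files ignored when the main file has no upstreams) as a runnable merge routine. This is an added illustration, not Aralez's own loader. The documents are constructed Python dicts rather than YAML files so the block runs without a YAML library; merging conflicting hosts parameter by parameter and dropping global keys found in a split file with a warning are assumptions about behaviour the text only states in outline.

```python
"""Model of the conf.d split-file merge rules. Added illustration, not the
project's loader; parameter-level merge and the handling of stray global keys
are assumptions."""
import copy

# Top-level keys that belong only in the main upstreams.yaml (taken from the
# file-provider example); any other top-level key is a hostname.
GLOBAL_KEYS = {"provider", "sticky_sessions", "to_https", "rate_limit",
               "x4xx_limit", "server_headers", "client_headers"}


def hosts_in(doc):
    """Host entries of a parsed document: non-global keys with a mapping value."""
    return {k: v for k, v in doc.items()
            if k not in GLOBAL_KEYS and isinstance(v, dict)}


def deep_merge(base, override):
    """base updated by override: nested mappings merge key by key, every other
    value (scalar or list) is replaced by the override's value."""
    out = copy.deepcopy(base)
    for k, v in override.items():
        if isinstance(v, dict) and isinstance(out.get(k), dict):
            out[k] = deep_merge(out[k], v)
        else:
            out[k] = copy.deepcopy(v)
    return out


def merge_upstreams(main, split_files):
    """main: parsed upstreams.yaml. split_files: {filename: parsed document}
    for the files in conf.d. Returns (merged config, warnings)."""
    warnings = []
    merged = copy.deepcopy(main)
    if not hosts_in(main):
        warnings.append("upstreams.yaml has no upstreams; split files ignored")
        return merged, warnings
    for name in sorted(split_files):                    # alphabetical order
        if not name.endswith(".yaml"):
            warnings.append(f"{name}: skipped, extension is not .yaml")
            continue
        doc = split_files[name]
        for key in sorted(GLOBAL_KEYS.intersection(doc)):
            warnings.append(f"{name}: global parameter '{key}' ignored in per-host file")
        for host, cfg in hosts_in(doc).items():
            if host in merged:
                # conflict: the split file wins, and a later file wins over
                # an earlier one because files are applied in sorted order
                merged[host] = deep_merge(merged[host], cfg)
            else:
                merged[host] = copy.deepcopy(cfg)
    return merged, warnings


# Constructed sample input: a main file plus three entries from conf.d.
MAIN = {
    "provider": "file", "rate_limit": 20,
    "some.example.com": {"paths": {"/": {"rate_limit": 20,
                                         "servers": ["10.0.0.1:8000"]}}},
    "DEFAULT": {"paths": {"/": {"servers": ["127.0.0.1:3000"]}}},
}
SPLIT = {
    "20-some.yaml": {"some.example.com": {"paths": {"/": {
        "rate_limit": 100, "servers": ["10.0.0.2:8000"]}}}},
    "10-other.yaml": {
        "rate_limit": 5,                                # global key: not allowed here
        "other.example.com": {"paths": {"/": {"servers": ["10.0.0.3:8000"]}}},
        "some.example.com": {"paths": {"/": {"rate_limit": 50}}},
    },
    "notes.txt": {"x.example.com": {"paths": {"/": {"servers": ["10.0.0.9:80"]}}}},
}

if __name__ == "__main__":
    merged, warnings = merge_upstreams(MAIN, SPLIT)
    print(merged["some.example.com"])   # rate_limit 100 from 20-some.yaml, applied last
    print("\n".join(warnings))
```

With this input `10-other.yaml` is applied before `20-some.yaml`, so `some.example.com` ends up with `rate_limit: 100` and the servers from the later file, `other.example.com` is added, the global `rate_limit: 5` in the split file is reported and ignored, and `notes.txt` is never read.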
Example: Kubernetes & Consul Provider
```yaml
provider: "kubernetes" # or "consul"
sticky_sessions: false
to_https: false
rate_limit: 100
server_headers:
  - "X-Forwarded-Proto:https"
  - "X-Forwarded-Port:443"
client_headers:
  - "Access-Control-Allow-Origin:*"
  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
  - "Access-Control-Max-Age:86400"
consul:
  servers:
    - "http://consul1:8500"
  services:
    - hostname: "nconsul"
      upstream: "nginx-consul-NginX-health"
      path: "/one"
      client_headers:
        - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
        - "X-Proxy-From:Aralez"
      rate_limit: 1
      to_https: false
    - hostname: "nconsul"
      upstream: "nginx-consul-NginX-health"
      path: "/"
  token: "8e2db809-845b-45e1-8b47-2c8356a09da0-a4370955-18c2-4d6e-a8f8-ffcc0b47be81"
kubernetes:
  servers:
    - "172.16.0.11:5443"
  services:
    - hostname: "api-service"
      path: "/"
      upstream: "api-service"
    - hostname: "api-service"
      upstream: "console-service"
      path: "/one"
      client_headers:
        - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
        - "X-Proxy-From:Aralez"
      rate_limit: 100
      to_https: false
    - hostname: "api-service"
      upstream: "feed-service"
      path: "/two"
    - hostname: "websocket-service"
      upstream: "websocket-service"
      path: "/"
  tokenpath: "/opt/Rust/Projects/asyncweb/etc/kubetoken.txt"
```
Mandatory Fields (Consul & Kubernetes)
```yaml
- hostname: "api-service"
  upstream: "api-service"
```
Where `hostname` is the Host header used to reach the service and `upstream` is the service name in Consul or Kubernetes.
Optional Fields
| Field | Description |
|---|---|
| path | URL path to proxy to upstreams |
| client_headers | List of additional response headers |
| server_headers | List of additional request headers for upstreams |
| rate_limit | Rate limiter, number of requests per second |
| to_https | Redirect to HTTPS |
Consul-only
```yaml
token: "8e2db809-..."
```
Consul auth token — mandatory if Consul auth is enabled.
```yaml
servers:
  - "http://consul1:8500"
```
List of Consul servers — mandatory for Consul.
Kubernetes-only
```yaml
tokenpath: "/opt/Rust/Projects/asyncweb/etc/kubetoken.txt"
```
For development only. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token. Remove for production.
```yaml
servers:
  - "172.16.0.11:5443"
```
Defaults to the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS. For development only — delete for production use.