Features

Advanced request routing with multiple matching strategies and lock-free route caching.

• Path prefix, exact, and regex matching
• Host matching (exact and wildcard)
• Header presence/value matching
• HTTP method matching
• Query parameter matching
• Priority-based route evaluation
• Lock-free route caching with DashMap

14 load balancing algorithms with health-aware target selection.

• Round-robin - Equal distribution across backends
• Weighted - Proportional distribution by weight
• Least Connections - Fewest active connections
• Weighted Least Conn - Connection/weight ratio (weighted_least_conn.rs)
• Maglev - Google's consistent hashing, O(1) lookup (maglev.rs)
• Peak EWMA - Latency-based selection (peak_ewma.rs)
• Locality-Aware - Zone-preference routing (locality.rs)
• Deterministic Subset - Subset per proxy for large clusters (subset.rs)
• Power of Two Choices - Best of two random (p2c.rs)
• Consistent Hash - Ring-based affinity (consistent_hash.rs)
• Adaptive - Response time based (adaptive.rs)
• Least Tokens Queued - LLM workload optimization (least_tokens.rs)

Dynamic backend discovery from multiple sources.

• Static - Fixed backend list
• DNS A/AAAA - DNS record resolution with refresh
• DNS SRV - Service record lookup
• Consul - Consul service catalog integration
• Kubernetes - K8s service endpoints discovery
• File - File-watched backend list

Namespace and service-aware routing with hierarchical configuration.

• Per-scope route isolation (global → namespace → service)
• Scope-aware visibility rules
• Independent route matchers per scope
• Qualified ID resolution

Enterprise-grade TLS with SNI routing and hot certificate reload.

• SNI (Server Name Indication) based certificate selection
• Wildcard certificate matching
• mTLS client certificate verification (inbound)
• Certificate hot-reload (SIGHUP trigger)
• OCSP stapling support

Mutual TLS for secure backend connections in zero-trust architectures.

• Client certificate authentication - Present certificates to upstreams
• Custom CA verification - Verify upstream server certificates
• SNI configuration - Per-upstream Server Name Indication
• Certificate chain support - Include intermediate certificates
• Combined PEM files - Cert and key in single file

Flexible rate limiting with multiple keying strategies and actions.

• Per-route and per-client rate limiting
• Local in-memory limiting (Pingora-based)
• Distributed limiting via Redis (distributed_rate_limit.rs)
• Distributed limiting via Memcached (memcached_rate_limit.rs)
• Keying strategies: ClientIP, UserID, CustomHeader
• Actions: Reject (429), Delay, Allow
• Burst support with configurable max delay

OWASP CRS-compatible WAF with anomaly scoring and rule tuning.

• Multiple engines: ModSecurity, Coraza, Custom
• OWASP Core Rule Set (CRS) integration
• Paranoia levels 1-4 configuration
• Anomaly scoring system
• Rule exclusions and tuning
• Body inspection with content-type allowlist
• Audit logging with rule IDs

Geographic access control with multiple database support.

• MaxMind GeoLite2/GeoIP2 support (.mmdb)
• IP2Location database support (.bin)
• Country-based blocklist/allowlist
• Log-only mode for testing
• IP→Country caching with TTL
• Fail-open/fail-closed policies
• X-GeoIP-Country header injection

Safe request body decompression with ratio limits to prevent attacks.

• Zip bomb protection via decompression ratio limits
• Size limits for decompressed output
• Support for gzip, deflate, brotli
• Incremental ratio checking
• Statistics tracking

Extensible agent system for authentication, authorization, and custom processing.

• Unix Domain Socket transport
• gRPC transport support
• Per-agent queue isolation (semaphore-based)
• Circuit breaker per agent
• Timeouts with fail-open/fail-closed
• Request/response header mutation
• Request body streaming
• Audit metadata collection

Comprehensive logging with trace ID correlation and multiple formats.

• Access logs - Request/response with trace_id correlation
• Error logs - Errors with context
• Audit logs - Security events with rule IDs
• JSON format - Structured, queryable logs
• Combined Log Format - Apache/nginx compatible
• Fields: timestamp, trace_id, method, path, status, duration_ms, client_ip, route_id, upstream

OpenTelemetry-based distributed tracing with multiple backend support.

• W3C Trace Context header propagation
• OTLP export to Jaeger, Tempo, or compatible backends
• Configurable sampling rates
• Request lifecycle spans
• Semantic conventions compliance

Efficient trace ID generation with multiple format support.

• TinyFlake - 11-char Base58 ID (time-prefixed for sorting)
• UUID - Standard 36-char UUID format
• Header propagation (X-Trace-Id, X-Correlation-Id, X-Request-Id)

Prometheus-compatible metrics for monitoring and alerting.

• Per-route latency histograms
• Request counts by status code
• Upstream health status
• Circuit breaker state transitions
• Agent latencies and timeouts
• Rate limit enforcement outcomes
• Cache hit/miss rates

Pingora-based HTTP caching with stampede prevention.

• Cache key generation
• TTL calculation from Cache-Control
• LRU eviction management
• Cache lock for stampede prevention
• Per-route cache configuration
• In-memory and pluggable backends

Advanced eviction algorithms for hot-data caching.

• S3-FIFO + TinyLFU eviction
• Fast hot-data caching
• Configurable TTL per item
• Hit rate statistics
• Thread-safe concurrent access

High-performance static file delivery with zero-copy and compression.

• Range request support (206 Partial Content)
• Zero-copy serving via memory-mapped files (>10MB)
• On-the-fly gzip/brotli compression
• In-memory caching for small files (<1MB)
• Directory listing (configurable)
• SPA routing with fallback
• ETag and last-modified headers

RFC 6455 compliant WebSocket support with frame inspection.

• Frame-level parsing and validation
• Masking/unmasking support
• Per-frame agent inspection
• Configurable max frame size
• Bidirectional frame handling

Fire-and-forget request duplication for canary testing.

• Fire-and-forget duplication to shadow upstreams
• Sampling-based mirroring (percentage control)
• Header-based sampling
• Optional request body buffering
• Async execution (non-blocking)

Token-aware rate limiting for LLM workloads.

• Token-based rate limiting (tokens/minute)
• Multi-provider support: OpenAI, Anthropic, Generic
• Model-aware load balancing (LeastTokensQueued)
• Request body parsing for token estimation
• Burst token allocation

Active and passive health checking with multiple protocols.

• HTTP - GET request with expected status
• TCP - Connection test
• gRPC - gRPC health check protocol (grpc_health.rs)
• Configurable intervals and thresholds
• Response time averaging
• Passive health inference from failures

Scope-aware circuit breakers for cascading failure prevention.

• Per-upstream circuit breakers
• Scope-aware configuration (global/namespace/service)
• States: Closed, Open, Half-open
• Configurable failure/success thresholds
• Timeout for half-open state

Flexible configuration with human-friendly and machine-friendly formats.

• KDL - Primary human-friendly format (kdl/mod.rs)
• JSON - Programmatic/API use
• TOML - Alternative text format
• Extension auto-detection

Directory-based configuration with automatic merging.

• Load configs from directory with pattern matching
• Merge multiple config files
• Load order control
• Validate merged configuration

Comprehensive validation before config application.

• Schema compliance (JSONSchema)
• Referential integrity (routes → upstreams/filters/agents)
• Required fields presence
• Value ranges and format
• Network address validity
• Certificate/key accessibility

Atomic configuration updates without dropping connections.

• Zero-downtime config reloading
• SIGHUP signal trigger
• File change detection
• Validation before apply
• Atomic config swaps (ArcSwap)
• Graceful request draining
• Rollback on error

Version-aware configuration with compatibility checking.

• Current schema version: 1.0
• Compatibility checking on load
• Forward/backward compatibility warnings
• Minimum version enforcement

Hierarchical multi-tenancy with resource isolation.

• Hierarchical organization: Global → Namespace → Service
• Per-scope routes, upstreams, agents, filters
• Resource visibility rules
• Cross-scope resource export
• Scope-aware request routing

Composable filter pipeline with named instances.

• Filter types: Agent, RateLimit, Headers, Compress, Custom
• Named filter instances (reusable)
• Ordered filter pipeline
• Per-filter timeout and failure mode
• Phase-based execution (request/response)

Efficient connection reuse with configurable pool sizes.

• Configurable pool sizes per upstream
• Keep-alive timeout
• Max requests per connection
• Idle connection reuse

Full HTTP/2 support with request pipelining.

• HTTP/2 upstream connections
• HTTP/1.1 keepalive with automatic reuse
• Configurable per upstream

Minimal lock contention for high throughput.

• DashMap-based route cache
• Lock-free rate limiter pools
• Concurrent upstream pools
• Circuit breaker registry

Optimized memory usage with bounded resources.

• Bounded queues (all queues have max size)
• Memory-mapped file serving (zero-copy)
• Pre-computed compression for static files
• S3-FIFO + TinyLFU eviction