Skip to content
Huginn Proxy Huginn Proxy

Configuration reference

Configuration is a single TOML file passed as the only CLI argument. There is no hot reload for the full config (TLS certificates may reload when configured to watch files).

Top-level sections

Section titled “Top-level sections”
SectionPurpose
listenBind addresses, TCP backlog
backendsUpstream pool (HTTP version hint per backend)
routesPrefix → backend, fingerprint toggle, rewrites, per-route rate limits
preserve_hostWhether to forward the original Host header
tlsCertificates, ALPN, cipher suites, mTLS client auth, session resumption
fingerprintEnable TLS / HTTP/2 / TCP SYN fingerprint extraction
loggingLog level and format
timeoutConnect, idle, shutdown, TLS handshake, connection handling, keep-alive
securityGlobal connection cap, IP filter, global rate limit, security headers
telemetryMetrics and health port
headersGlobal request/response header add/remove

Listen

Section titled “Listen”
  • addrs: list of socket addresses (IPv4 and/or IPv6).
  • tcp_backlog: listen queue depth (default is high for production-style workloads).

Backends

Section titled “Backends”

Each [[backends]] entry has an address and optional http_version (http11, http2, or preserve negotiation).

Routes

Section titled “Routes”

Each [[routes]] entry includes:

  • prefix: path prefix to match
  • backend: must match a configured backend address
  • fingerprinting: enable or disable TLS + HTTP/2 fingerprint headers for this route
  • force_new_connection: bypass backend connection pooling when true
  • replace_path: strip / rewrite options (see Routing)
  • Optional nested [routes.rate_limit] and [routes.headers]

TLS ([tls])

Section titled “TLS ([tls])”

Server certificate and key paths, ALPN list, optional file watch interval, TLS version bounds, cipher suites, curves, and client certificate trust for mTLS. Session resumption can be tuned (TLS 1.2 cache size, etc.).

Limitations: one certificate material per process in typical setups; no per-SNI multi-cert vhost story in this beta.

Fingerprint ([fingerprint])

Section titled “Fingerprint ([fingerprint])”
  • tls_enabled, http_enabled, tcp_enabled: toggles
  • max_capture: cap for HTTP/2 capture buffer (default in the tens of KiB range)

TCP SYN requires ebpf-tcp at build time and the agent. See eBPF TCP setup.

Timeouts ([timeout])

Section titled “Timeouts ([timeout])”

Separate knobs for connect, idle, graceful shutdown, TLS handshake, overall connection handling, and HTTP/1.1 keep-alive. HTTP/2 uses persistent connections; keep-alive does not apply the same way.

Telemetry ([telemetry])

Section titled “Telemetry ([telemetry])”

metrics_port enables a separate HTTP server for /health, /ready, /live, and /metrics. See Telemetry.

Headers ([headers])

Section titled “Headers ([headers])”

Optional global request / response add and remove lists. Distinct from per-route header rules under [[routes]].