Gazan, Reverse proxy, service mesh based on Cloudflare's Pingora

Built on Rust, on top of Cloudflare’s battle-tested Pingora engine, Gazan delivers world-class performance, security, and scalability — right out of the box.

Pingora powers millions of requests per second at Cloudflare’s edge, and now you can harness its core in your own infrastructure. This project brings that power into a lean and flexible reverse proxy with dynamic upstream configuration and automatic websocket support.

---

🌍 Highlights

• ⚙️ Upstream Providers: Supports file-based static upstreams, dynamic service discovery via Consul, and upcoming Kubernetes integration
• 🔁 Hot Reloading: Modify upstreams on the fly via upstreams.yaml — no restart needed
• 🔮 Automatic WebSocket Support: No special config required — connection upgrades are handled seamlessly
• 🔐 TLS Termination: Fully supports TLS for incoming and upstream traffic
• 🛡️ Built-in Auth Support: (Basic and API Key ready)
• 🧠 CORS & Header Injection: Global and per-route header configuration
• 🧪 Health Checks: Pluggable health check methods for upstreams
• 🛰️ Remote Config Push: Lightweight HTTP API to update configs from CI/CD or other systems

---

📁 File Structure

.
├── main.yaml           # Main configuration loaded at startup
├── upstreams.yaml      # Watched config with upstream mappings
├── etc/
│   ├── server.crt      # TLS certificate (required if using TLS)
│   └── key.pem         # TLS private key

---

🛠 Configuration Overview

🔧 main.yaml

• proxy_address_http: 0.0.0.0:6193 (HTTP listener)
• proxy_address_tls: 0.0.0.0:6194 (TLS listener, optional)
• config_address: 0.0.0.0:3000 (HTTP API for remote config push)
• upstreams_conf: etc/upstreams.yaml (location of upstreams config)
• log_level: info (verbosity of logs)
• hc_method: HEAD, hc_interval: 2s (upstream health checks)
• Other defaults: thread count, keep-alive pool size, etc.

🌐 upstreams.yaml

• provider: file or consul
• File-based upstreams define:
  • Hostnames and routing paths
  • Backend servers (load-balanced)
  • Optional request headers
  • Optional TLS for upstreams
• Global headers (e.g., CORS) apply to all proxied responses
• Optional authentication (Basic, API Key) — currently commented for example

---

🔌 Running the Proxy

./gazan -c path/to/main.yaml

Replace APP_BINARY with your compiled binary.

---

💡 Example

A sample upstreams.yaml entry:

myhost.mydomain.com:
  paths:
    "/":
      ssl: false
      headers:
        - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
        - "X-Proxy-From:Hopaaaaaaaaaaaar"
      servers:
        - "127.0.0.1:8000"
        - "127.0.0.2:8000"

This means:

• Requests to myhost.mydomain.com/ will be load balanced to those servers.
• You can choose any path, deep nested paths are supported, the best match will be chosen
• Additional headers will be injected into the request.
• TLS is disabled for upstreams (but can be enabled).

---

🔄 Hot Reload

• Changes to upstreams.yaml are applied immediately.
• No need to restart the proxy — just save the file.

---

🔐 TLS Support

To enable TLS for Proxy server: Currently only OpenSSL is supported, working on Boringssl and Rustls

1. Set proxy_address_tls in main.yaml
2. Provide tls_certificate and tls_key_file

---

📡 Remote Config API

You can push new upstreams.yaml over HTTP to config_address (:3000 by default). Useful for CI/CD automation or remote config updates.

curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf

---

📃 License

The product is distributed under Apache License Version 2.0

---

🧠 Notes

• Uses Pingora under the hood for efficiency and flexibility.
• Designed for edge proxying, internal routing, or hybrid cloud scenarios.
• Transparent, fully automatic WebSocket upgrade support.