studio/proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: initial sunbeam-proxy implementation

Browse Source 
Custom Pingora-based edge proxy for the Sunbeam infrastructure stack.

- HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production)
- Host-prefix routing with path-based sub-routing (auth virtual host)
- HTTP→HTTPS redirect, WebSocket passthrough
- cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher
- TLS cert auto-reload via K8s Secret watcher
- JSON structured audit logging (tracing-subscriber)
- OpenTelemetry OTLP stub (disabled by default)
- Multi-stage Dockerfile: musl static binary on chainguard/static distroless image

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-10 23:38:19 +00:00
commit 6ec0f78a5b
13 changed files with 5042 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
dev.toml Normal file
View File

@@ -0,0 +1,67 @@
# Local dev config for running sunbeam-proxy directly on macOS.
#
# Uses non-privileged ports (8080/8443) and a mkcert cert for localhost.
# Certs are generated once with:
# mkcert -cert-file certs/tls.crt -key-file certs/tls.key localhost 127.0.0.1
#
# Run with:
# SUNBEAM_CONFIG=dev.toml RUST_LOG=info cargo run
#
# Then test:
# curl -v http://localhost:8080/ # → 301 to https
# curl -vk https://localhost:8443/ -H "Host: docs.localhost" # → 502 (backend unreachable, routing works)
# curl -vk https://localhost:8443/.well-known/acme-challenge/test # → 404 (no active challenge)
[listen]
http = "0.0.0.0:8080"
https = "0.0.0.0:8443"
[tls]
cert_path = "certs/tls.crt"
key_path = "certs/tls.key"
[telemetry]
otlp_endpoint = ""
# Dummy routes that mirror production — backends won't be reachable locally
# but routing, TLS termination, and redirect logic are fully exercised.
[[routes]]
host_prefix = "docs"
backend = "http://127.0.0.1:9001"
websocket = true
[[routes]]
host_prefix = "meet"
backend = "http://127.0.0.1:9002"
websocket = true
[[routes]]
host_prefix = "drive"
backend = "http://127.0.0.1:9003"
[[routes]]
host_prefix = "mail"
backend = "http://127.0.0.1:9004"
[[routes]]
host_prefix = "chat"
backend = "http://127.0.0.1:9005"
websocket = true
[[routes]]
host_prefix = "people"
backend = "http://127.0.0.1:9006"
[[routes]]
host_prefix = "src"
backend = "http://127.0.0.1:9007"
websocket = true
[[routes]]
host_prefix = "auth"
backend = "http://127.0.0.1:9008"
[[routes]]
host_prefix = "s3"
backend = "http://127.0.0.1:9009"