Aralez — Reverse Proxy built on Cloudflare's Pingora

What is Aralez?

Aralez = Արալեզ — Named after the legendary Armenian guardian spirit, a winged dog-like creature that descends upon fallen heroes to lick their wounds and resurrect them.

Built on Rust, on top of Cloudflare’s Pingora engine, Aralez delivers world-class performance, security and scalability — right out of the box.

Support the project:

🔧 Key Features

📡

Remote Config API

Upstreams can be updated live via API — no restart required.

🔄

Dynamic Config Reloads

Upstreams are automatically reloaded on config file change — no restart required.

🔒

TLS Termination

Automatic certificate loading from folder, without a restart.

🔮

Zero-Config Protocols

Automatic WebSocket, gRPC, HTTP/2 and SSL upstream detection — zero configuration needed.

🛡️

Built-in Authentication

Basic Auth, API Key via x-api-key header, and JWT verification with token issuance.

⚖️

Load Balancing

Round-robin, failover with health checks, and sticky sessions via cookies.

📈

Prometheus Metrics

Built-in metrics endpoint for monitoring, alerting, and performance analysis.

⏱️

Built-in Rate Limiter

Per virtualhost and per-path rate limiting. Path limits override global limits.

☸️

Kubernetes & Consul

Dynamic pod discovery and health-checked routing via Consul and Kubernetes integration.

🦀

Memory Safe

Created purely in Rust with Pingora and tokio for async I/O and high performance.

📁 File Structure

.
├── main.yaml           # Main configuration loaded at startup
├── upstreams.yaml      # Watched config with upstream mappings
├── etc/
│   ├── server.crt      # TLS certificate (required if using TLS)
│   └── key.pem         # TLS private key

🔄 Hot Reload

Changes to upstreams.yaml are applied immediately.
No need to restart the proxy — just save the file.
If consul provider is chosen, upstreams will be periodically updated from Consul’s API.

🔐 TLS Support

To enable TLS for a proxy server (currently only OpenSSL is supported):

Set proxy_address_tls in main.yaml
Provide tls_certificate and tls_key_file

📡 Remote Config API

Push new upstreams.yaml over HTTP to config_address (:3000 by default). Useful for CI/CD automation or remote config updates. The URL parameter key=MASTERKEY is required — its value matches master_key in main.yaml.

curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf?key=${MASTERKEY}

📃 License

Apache License Version 2.0

🧠 Notes

Uses Pingora under the hood for efficiency and flexibility.
Designed for edge proxying, internal routing, or hybrid cloud scenarios.
Transparent, fully automatic WebSocket upgrade support.
Transparent, fully automatic gRPC proxy.
Sticky session support.
HTTP/2 ready.

Aralez (Արալեզ) — The Reverse Proxy