Proxy
Kamal uses kamal-proxy to provide gapless deployments. It runs on ports 80 and 443 and forwards requests to the application container.
The proxy is configured in the root configuration under proxy
. These are
options that are set when deploying the application, not when booting the proxy.
They are application-specific, so they are not shared when multiple applications run on the same proxy.
proxy:
Hosts
The hosts that will be used to serve the app. The proxy will only route requests to this host to your app.
If no hosts are set, then all requests will be forwarded, except for matching requests for other apps deployed on that server that do have a host set.
Specify one of host
or hosts
.
host: foo.example.com
hosts:
- foo.example.com
- bar.example.com
App port
The port the application container is exposed on.
Defaults to 80:
app_port: 3000
SSL
kamal-proxy can provide automatic HTTPS for your application via Let’s Encrypt.
This requires that we are deploying to one server and the host option is set. The host value must point to the server we are deploying to, and port 443 must be open for the Let’s Encrypt challenge to succeed.
If you set ssl
to true
, kamal-proxy
will stop forwarding headers to your app,
unless you explicitly set forward_headers: true
Defaults to false
:
ssl: true
Custom SSL certificate
In some cases, using Let’s Encrypt for automatic certificate management is not an option, for example if you are running from more than one host.
Or you may already have SSL certificates issued by a different Certificate Authority (CA).
Kamal supports loading custom SSL certificates directly from secrets. You should
pass a hash mapping the certificate_pem
and private_key_pem
to the secret names.
ssl:
certificate_pem: CERTIFICATE_PEM
private_key_pem: PRIVATE_KEY_PEM
Notes
- If the certificate or key is missing or invalid, deployments will fail.
- Always handle SSL certificates and private keys securely. Avoid hard-coding them in source control.
SSL redirect
By default, kamal-proxy will redirect all HTTP requests to HTTPS when SSL is enabled.
If you prefer that HTTP traffic is passed through to your application (along with
HTTPS traffic), you can disable this redirect by setting ssl_redirect: false
:
ssl_redirect: false
Forward headers
Whether to forward the X-Forwarded-For
and X-Forwarded-Proto
headers.
If you are behind a trusted proxy, you can set this to true
to forward the headers.
By default, kamal-proxy will not forward the headers if the ssl
option is set to true
, and
will forward them if it is set to false
.
forward_headers: true
Response timeout
How long to wait for requests to complete before timing out, defaults to 30 seconds:
response_timeout: 10
Path-based routing
For applications that split their traffic to different services based on the request path, you can use path-based routing to mount services under different path prefixes.
path_prefix: '/api'
By default, the path prefix will be stripped from the request before it is forwarded upstream. So in the example above, a request to /api/users/123 will be forwarded to web-1 as /users/123. To instead forward the request with the original path (including the prefix), specify –strip-path-prefix=false
strip_path_prefix: false
Healthcheck
When deploying, the proxy will by default hit /up
once every second until we hit
the deploy timeout, with a 5-second timeout for each request.
Once the app is up, the proxy will stop hitting the healthcheck endpoint.
healthcheck:
interval: 3
path: /health
timeout: 3
Buffering
Whether to buffer request and response bodies in the proxy.
By default, buffering is enabled with a max request body size of 1GB and no limit for response size.
You can also set the memory limit for buffering, which defaults to 1MB; anything larger than that is written to disk.
buffering:
requests: true
responses: true
max_request_body: 40_000_000
max_response_body: 0
memory: 2_000_000
Logging
Configure request logging for the proxy.
You can specify request and response headers to log.
By default, Cache-Control
, Last-Modified
, and User-Agent
request headers are logged:
logging:
request_headers:
- Cache-Control
- X-Forwarded-Proto
response_headers:
- X-Request-ID
- X-Request-Start
Enabling/disabling the proxy on roles
The proxy is enabled by default on the primary role but can be disabled by
setting proxy: false
in the primary role’s configuration.
servers:
web:
hosts:
- ...
proxy: false
It is disabled by default on all other roles but can be enabled by setting
proxy: true
or providing a proxy configuration for that role.
servers:
web:
hosts:
- ...
web2:
hosts:
- ...
proxy: true