Getting started
Guide
How configuration is resolved
Defaults, the config file and the per-domain rules — and which one wins.
Every global option is optional. When a key is omitted the proxy falls back to a built-in default, and a few defaults differ between development and production builds so local runs are noisy and safe while production is quiet and locked-down.
Resolution order
- A value you set in the config wins.
- Otherwise the built-in default applies.
- For a handful of toggles the default depends on the build:
logging_level,add_logging,add_rate_limitingandbacktracing.
Global vs per-domain
Global toggles act as a master switch; the matching per-domain field decides whether the feature actually runs for that hostname. For example SQL-injection screening only happens when the global add_sql_injection_protection is on and the domain's enable_sql_injection_protection is true.
⚠️Dev vs prod defaults
In production
add_logging and add_rate_limiting default to on; in a debug build they default to off. Never assume a default — set the ones that matter explicitly.