ARC2 Proxy

Recipe: hardened API gateway

No caching, strict TLS and WAF in front of a backend API.

When the proxy fronts an API rather than a website, the goal flips from caching to protection: keep responses fresh, enforce a minimum TLS version, and screen incoming requests aggressively.

# global
add_sql_injection_protection = true
add_rate_limiting = true
proxy_min_tls_version = "TLS_1_2"

[[proxy_rules]]
domain = "api.example.com"
forward_ipv4 = "10.0.0.9"
forward_port_https = 443
max_age_seconds = 0
rule_type = "Whitelist"
redirect_to_https = true
enable_sql_injection_protection = true
enable_compression = true
compression_flags = "br, gzip"

[[proxy_rules.disallowed_user_agents]]
user_agent = "sqlmap"
match_type = "Contains"

[[proxy_rules.disallowed_user_agents]]
user_agent = "nikto"
match_type = "Contains"
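
  • Zero cache lifetime — every response is fresh.
  • SQL-injection screening + rate limiting at the edge.
  • Known scanner user-agents blocked outright. The User-Agent header is set by the client, so this stops tools that announce themselves and does not replace the SQL-injection screening and rate limiting.
  • JSON still compressed for smaller, faster responses.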