Documentation
Every setting, option, performance note and scenario for ARC2 Proxy — searchable and cross-referenced.
Showing all 73 articles
What is ARC2 Proxy?
A blazing-fast global reverse proxy: edge caching, automatic TLS, load balancing and a built-in WAF.
Add your first domain
Point DNS at the edge with a CNAME, then watch the certificate provision automatically.
How configuration is resolved
Defaults, the config file and the per-domain rules — and which one wins.
How edge caching works
Hit/miss, freshness, query strings and the difference between domain and path lifetimes.
add_caching
Master switch for the edge cache across the whole proxy.
true
max_age_seconds
Default cache lifetime for everything served under this domain.
ignore_query_string
Treat URLs that differ only by query string as the same cache entry.
true
paths
Restrict a rule so it only applies to specific URL paths.
path_rules
Per-path overrides of cache lifetime and allow/deny behaviour.
path
The URL path a path rule matches against.
match_type
How a path or user-agent string is compared: Equals, StartsWith, Contains, …
Purging the cache
Invalidate stale entries by exact URL, prefix, substring or whole domain.
Automatic TLS & HTTPS
Free Let's Encrypt certificates, automatic renewal, OCSP stapling and the version floor.
proxy_min_tls_version
Minimum TLS version the proxy will negotiate with clients.
TLS_1_3
lets_encrypt_contact_email
Contact address registered with the ACME account for certificate notices.
redirect_to_https
Send plain-HTTP visitors a redirect to the HTTPS URL.
false
https_only
Restrict load-balanced backends to their HTTPS ports only.
false
Load balancing & routing
Priority, weighted and performance routing across multiple backends with health checks.
routing_rules
Enable multi-backend load balancing for the domain.
routing_method
How requests are distributed: Priority, Weighted or Performance.
Priority
routing_locations
The backend pool — each entry is one upstream target.
primary
Marks a backend as the preferred primary in the pool.
priority
Ordering/weight of a backend within the pool.
enable_health_checks
Actively probe backends and remove unhealthy ones from rotation.
false
health_check_interval
How often each backend is probed.
health_check_path
The URL path probed to decide backend health.
forward_addr
Forward to a backend by hostname.
forward_ipv4
Forward to a backend by IPv4 address.
forward_ipv6
Forward to a backend by IPv6 address.
forward_port_http
Origin port used for plain-HTTP upstream connections.
forward_port_https
Origin port used for HTTPS upstream connections.
Security & the WAF
SQL-injection screening, user-agent blocking, allow/deny rules and rate limiting.
add_sql_injection_protection
Global master switch for SQL-injection screening.
false
enable_sql_injection_protection
Screen this domain's requests for SQL-injection payloads.
false
disallowed_user_agents
Block requests whose User-Agent matches a rule.
user_agent
The User-Agent string a block rule matches against.
rule_type
Whether a rule allow-lists (Whitelist) or deny-lists (Blacklist) its paths.
add_rate_limiting
Global rate limiter to absorb bursts and abuse.
true (prod) · false (dev)
Compression, minification & images
Shrink responses on the fly with Brotli/Gzip/Zstd, HTML minification and WebP transforms.
enable_compression
Compress responses for this domain before sending them.
true
compression_flags
Which compression algorithms to offer: gzip, deflate, br, zstd.
br
enable_minification
Strip whitespace/comments from responses before caching.
false
minification_flags
Which content types to minify (currently html).
html
enable_webp_transformation
Transparently re-encode images to WebP for supporting clients.
true
webp_transformation_min_age
Minimum cache age before an image is re-encoded to WebP.
21600
Performance & socket tuning
Buffers, Nagle, keep-alive, backlog, streaming and timeouts — what to touch and what to leave.
enable_streaming
Stream response bodies instead of buffering them in full.
true
nodelay
Disable Nagle's algorithm on client sockets (TCP_NODELAY).
true
proxy_nodelay
Disable Nagle's algorithm on upstream (origin) sockets.
true
nonblocking
Use non-blocking sockets (required for high concurrency).
true
recv_buffer_size
Override the kernel receive buffer size for sockets.
send_buffer_size
Override the kernel send buffer size for sockets.
max_backlog
Size of the kernel accept queue for pending connections.
tcp_keep_alive_seconds
Keep-alive timer for client connections.
ip_ttl
IP Time-To-Live (hop limit) set on outgoing packets.
proxy_keepalive_sec
Keep-alive duration for pooled upstream (origin) connections.
120
proxy_timeout
Timeout for upstream requests to the origin.
45
listening_address
Network interface the proxy binds to.
0.0.0.0
listening_port_http
Port for incoming plain-HTTP traffic.
80
listening_port_https
Port for incoming HTTPS traffic.
443
api_key
Shared secret guarding the proxy's internal management API.
logging_level
Verbosity floor for proxy logs.
error (prod) · debug (dev)
add_logging
Master switch for the logging subsystem.
true (prod) · false (dev)
add_request_logging
Log a line per HTTP request (access log).
false
enable_logging
Enable logging for this specific domain.
false
domain
The hostname a proxy rule applies to.
disable_default_body_limit
Remove the default request-body size cap.
false
backtracing
Capture backtraces on errors for diagnostics.
false (prod) · true (dev)
Recipe: static marketing site
Maximise cache hit ratio and shrink transfer for a mostly-static site.
Recipe: single-page app + API
Cache the static front-end hard, never cache the API, all under one domain.
Recipe: multi-backend failover
Active/standby across two origins with health checks for automatic failover.
Recipe: hardened API gateway
No caching, strict TLS and WAF in front of a backend API.
Recipe: high-traffic media site
Lean on WebP and long-lived caching to slash bandwidth on an image-heavy site.