alkdev/reverse-proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9a2352e61c954745dc0946c057600578dd96b8e2
reverse-proxy/docs/architecture/decisions/010-multi-site-phase1.md
glm-5.1 7efc142406 Expand architecture: multi-site Phase 1, multi-domain TLS, fix review issues 
Promote multi-site support from Phase 2 to Phase 1 (ADR-010): the proxy
must support git.alk.dev and alk.dev from initial release. Add multi-domain
TLS configuration (ADR-011): acme_domains array replaces acme_domain string,
single SAN certificate via rustls-acme.

Key changes:
- ADR-010: Multi-site in Phase 1 — avoids config format migration later
- ADR-011: Multi-domain TLS — single SAN cert, acme_domains Vec<String>
- ADR-002: Updated rationale for multi-site (one upstream per domain)
- overview.md: Phase 1 now includes multi-site, alk.dev pass-through,
  dual licensing (MIT OR Apache-2.0), real IP removed
- config.md: acme_domain → acme_domains, TOML example shows both sites,
  validation adds unique host check, real IP replaced with 203.0.113.10
- tls.md: Multi-domain SNI section moved from Future to current, manual
  mode uses ResolvesServerCert for SNI mapping, TOML header fixed
- proxy.md: Updated for multi-site, removed single-domain language
- operations.md: RFC 5737 documentation IPs, clarified rate limit eviction
  semantics (distinct scan interval vs eviction age)
- open-questions.md: OQ-05 resolved (single bind_addr sufficient), new
  OQ-07 (per-site TLS overrides)

Review fixes:
- acme_domains (plural) consistently used across all docs and diagram
- ADR-011 clearly scopes acme_domain as previous design
- Inline decision rationale extracted: tls.md hot-reload → ADR-004 ref,
  config.md static/dynamic → ADR-008 ref
- TOML section headers consistent (server.tls)
2026-06-11 08:50:03 +00:00

3.2 KiB
Raw Blame History

ADR-010: Multi-Site Support in Phase 1

Status

Accepted

Context

The original architecture phased multi-site support into Phase 2, treating Phase 1 as a single-domain replacement for nginx serving only git.alk.dev. This was based on the assumption that only one domain needed proxying initially.

However, alk.dev (the bare domain) will need proxying in the near future. While alk.dev is a simple case — proxying to a Deno/Fresh container with no special requirements — the proxy must support multiple sites from day one. The config format, routing logic, and TLS certificate provisioning all need multi-site awareness.

Additionally, api.alk.dev is explicitly out of scope (it runs its own HTTP/2+ server natively), but the proxy must not prevent future sites from being added.

The cost of deferring multi-site is high: we'd need a config format migration, routing logic rewrite, and TLS cert management changes later. Supporting multi-site from the start costs very little — the config format just uses an array of sites (which it already does), host-based routing is trivial in axum, and rustls-acme supports multi-domain certificates natively.

Decision

Move multi-site support from Phase 2 into Phase 1. The proxy supports multiple sites from the initial release:

  • [[sites]] array in config (already the planned format)
  • Host-based routing via axum's Host extractor (already the planned approach)
  • Multi-domain ACME certificate provisioning via rustls-acme
  • Each site maps a hostname to an upstream address

Phase 1 scope becomes:

  1. Multi-site reverse proxy with TLS termination
  2. ACME certificate management (multi-domain)
  3. HTTP → HTTPS redirect
  4. Rate limiting, logging, health check, graceful shutdown
  5. Systemd integration

Phase 2 scope shifts to operational hardening:

  1. Per-site rate limits and body limits
  2. Per-site upstream timeouts
  3. Metrics endpoint (Prometheus-compatible)
  4. Connection limits and timeouts
  5. Log rotation

Phase 3 remains future enhancements.

Rationale

  • The config format already uses [[sites]] — no format change needed
  • Host-based routing is the natural axum pattern and was already planned
  • rustls-acme accepts Vec<domain> — multi-domain is its default usage
  • The cost of adding multi-site later (config migration, routing rewrite, cert management changes) far exceeds the cost of supporting it now (zero additional complexity)
  • alk.dev is confirmed as a near-term need, not a hypothetical
  • The proxy's value proposition is being a memory-safe reverse proxy for our infrastructure, which has multiple domains

Consequences

Positive:

  • No config format migration needed later
  • alk.dev can be added to the config without code changes
  • TLS cert management handles multiple domains from the start
  • Eliminates an entire phase of work

Negative:

  • Slightly more testing surface (must verify correct routing with multiple sites)
  • Must test multi-domain ACME provisioning (not just single-domain)
  • Wildcard or fallback site behavior needs to be defined (addressed in OQ-07)

References

Reference in New Issue View Git Blame Copy Permalink