Proxy Configuration

Configure the Opswald proxy for your deployment needs, from simple Docker containers to production Kubernetes clusters.

Environment Variables

Required

Variable	Description	Example
`OPSWALD_API_KEY`	Your Opswald API key	`ops_abc123...`
`OPSWALD_API_URL`	Opswald API endpoint	`https://api.opswald.com`

Optional

Variable	Default	Description
`PORT`	`8080`	HTTP server port
`HOST`	`0.0.0.0`	Bind address
`LOG_LEVEL`	`info`	Log level: debug, info, warn, error
`PROXY_TIMEOUT`	`120000`	Request timeout in milliseconds
`BATCH_SIZE`	`100`	Events batched per API call
`FLUSH_INTERVAL`	`5000`	Auto-flush interval in milliseconds
`REDIS_URL`	-	Redis for caching (optional)
`HEALTH_CHECK_PATH`	`/health`	Health check endpoint
`METRICS_PATH`	`/metrics`	Prometheus metrics endpoint

Docker Deployment

Basic Setup

docker run -d \
  --name opswald-proxy \
  -p 8080:8080 \
  -e OPSWALD_API_KEY=your-key \
  -e OPSWALD_API_URL=https://api.opswald.com \
  opswald/proxy:latest

Production Setup

docker run -d \
  --name opswald-proxy \
  --restart unless-stopped \
  -p 8080:8080 \
  -e OPSWALD_API_KEY=your-key \
  -e OPSWALD_API_URL=https://api.opswald.com \
  -e LOG_LEVEL=warn \
  -e PROXY_TIMEOUT=60000 \
  -e BATCH_SIZE=200 \
  -e REDIS_URL=redis://redis:6379 \
  --memory=512m \
  --cpus=1.0 \
  opswald/proxy:latest

Docker Compose

version: '3.8'
services:
  opswald-proxy:
    image: opswald/proxy:latest
    ports:
      - "8080:8080"
    environment:
      OPSWALD_API_KEY: ${OPSWALD_API_KEY}
      OPSWALD_API_URL: https://api.opswald.com
      LOG_LEVEL: info
      REDIS_URL: redis://redis:6379
    depends_on:
      - redis
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3

  redis:
    image: redis:7-alpine
    ports:
      - "6379:6379"
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 128M

Kubernetes Deployment

ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: opswald-proxy-config
  namespace: opswald
data:
  OPSWALD_API_URL: "https://api.opswald.com"
  LOG_LEVEL: "info"
  BATCH_SIZE: "200"
  FLUSH_INTERVAL: "5000"
  PROXY_TIMEOUT: "120000"

Secret

apiVersion: v1
kind: Secret
metadata:
  name: opswald-proxy-secret
  namespace: opswald
type: Opaque
stringData:
  OPSWALD_API_KEY: "your-opswald-api-key"

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: opswald-proxy
  namespace: opswald
  labels:
    app: opswald-proxy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: opswald-proxy
  template:
    metadata:
      labels:
        app: opswald-proxy
    spec:
      containers:
      - name: proxy
        image: opswald/proxy:latest
        ports:
        - containerPort: 8080
          name: http
        envFrom:
        - configMapRef:
            name: opswald-proxy-config
        - secretRef:
            name: opswald-proxy-secret
        resources:
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: 1000m
            memory: 512Mi
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1001
          capabilities:
            drop:
            - ALL

Service

apiVersion: v1
kind: Service
metadata:
  name: opswald-proxy-service
  namespace: opswald
spec:
  selector:
    app: opswald-proxy
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  type: LoadBalancer

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opswald-proxy-ingress
  namespace: opswald
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
spec:
  tls:
  - hosts:
    - proxy.yourcompany.com
    secretName: opswald-proxy-tls
  rules:
  - host: proxy.yourcompany.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: opswald-proxy-service
            port:
              number: 8080

Load Balancer Configuration

NGINX

upstream opswald_proxy {
    least_conn;
    server 10.0.1.10:8080 max_fails=3 fail_timeout=30s;
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;
    server 10.0.1.12:8080 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl http2;
    server_name proxy.yourcompany.com;

    ssl_certificate /etc/ssl/certs/proxy.yourcompany.com.crt;
    ssl_certificate_key /etc/ssl/private/proxy.yourcompany.com.key;

    # Increase timeouts for long-running LLM requests
    proxy_read_timeout 300s;
    proxy_connect_timeout 10s;
    proxy_send_timeout 300s;

    # Increase body size for large requests
    client_max_body_size 10M;

    location / {
        proxy_pass http://opswald_proxy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Health check exclusion
        if ($request_uri = "/health") {
            access_log off;
        }
    }

    # Dedicated health check endpoint
    location /health {
        proxy_pass http://opswald_proxy;
        access_log off;
    }

    # Metrics endpoint (restrict access)
    location /metrics {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://opswald_proxy;
    }
}

TLS/SSL Configuration

Self-Signed Certificate (Development)

# Generate private key
openssl genrsa -out proxy.key 2048

# Generate certificate signing request
openssl req -new -key proxy.key -out proxy.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=YourCompany/CN=proxy.yourcompany.com"

# Generate self-signed certificate
openssl x509 -req -in proxy.csr -signkey proxy.key -out proxy.crt -days 365

Let’s Encrypt (Production)

# Install certbot
apt-get install certbot python3-certbot-nginx

# Get certificate
certbot --nginx -d proxy.yourcompany.com

# Auto-renewal
echo "0 12 * * * /usr/bin/certbot renew --quiet" | crontab -

High Availability Setup

Multiple Proxy Instances

apiVersion: apps/v1
kind: Deployment
metadata:
  name: opswald-proxy-ha
spec:
  replicas: 5  # Multiple instances
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 2
  template:
    spec:
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: opswald-proxy
      containers:
      - name: proxy
        image: opswald/proxy:latest
        # ... rest of container spec

Redis for Shared State

apiVersion: v1
kind: ConfigMap
metadata:
  name: redis-config
data:
  redis.conf: |
    maxmemory 256mb
    maxmemory-policy allkeys-lru
    save ""
    appendonly yes
    appendfsync everysec
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: redis
spec:
  serviceName: redis
  replicas: 3
  template:
    spec:
      containers:
      - name: redis
        image: redis:7-alpine
        command: ["redis-server", "/etc/redis/redis.conf"]
        volumeMounts:
        - name: config
          mountPath: /etc/redis
        - name: data
          mountPath: /data
      volumes:
      - name: config
        configMap:
          name: redis-config
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi

Monitoring Configuration

Prometheus Metrics

The proxy exposes metrics at /metrics:

global:
  scrape_interval: 15s

scrape_configs:
- job_name: 'opswald-proxy'
  static_configs:
  - targets: ['opswald-proxy:8080']
  metrics_path: /metrics
  scrape_interval: 30s

Key Metrics

Metric	Type	Description
`opswald_requests_total`	Counter	Total HTTP requests
`opswald_request_duration_seconds`	Histogram	Request duration
`opswald_llm_tokens_total`	Counter	Total tokens processed
`opswald_llm_cost_total`	Counter	Total cost in cents
`opswald_errors_total`	Counter	Total errors by type
`opswald_batch_events`	Histogram	Events per batch

Security Configuration

API Token Validation

# Validate proxy tokens
curl -H "X-Opswald-Key: your-token" \
     http://localhost:8080/v1/validate

Request Filtering

Set filtering headers:

# Content filtering
export X_OPSWALD_FILTER_INPUT=truncate
export X_OPSWALD_FILTER_OUTPUT=hash
export X_OPSWALD_FILTER_PII=redact

Network Security

# network-policy.yaml (Kubernetes)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: opswald-proxy-policy
spec:
  podSelector:
    matchLabels:
      app: opswald-proxy
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: production
  egress:
  - to: []
    ports:
    - protocol: TCP
      port: 443  # HTTPS to Opswald API
    - protocol: TCP
      port: 53   # DNS
  - to:
    - namespaceSelector:
        matchLabels:
          name: redis
    ports:
    - protocol: TCP
      port: 6379

Troubleshooting

Common Issues

Connection Refused

# Check if proxy is running
curl http://localhost:8080/health

# Check logs
docker logs opswald-proxy

High Latency

# Check proxy metrics
curl http://localhost:8080/metrics | grep duration

# Increase timeout
export PROXY_TIMEOUT=300000

Rate Limiting

# Check rate limit headers
curl -I \
  -H "X-Opswald-Key: your-token" \
  http://localhost:8080/openai/v1/chat/completions

Log Analysis

# Parse JSON logs
docker logs opswald-proxy 2>&1 | jq '.level, .msg, .duration'

# Monitor real-time
docker logs -f opswald-proxy | grep ERROR

Health Checks

# Basic health
curl http://localhost:8080/health

# Detailed health with metrics
curl http://localhost:8080/health?detailed=true