Features
Traffic Management
- Can proxy any HTTP(s) service (apis, webapps, websocket, etc)
- Can proxy any TCP service (app, database, etc)
- Can proxy any GRPC service
- Multiple load-balancing options:
- RoundRobin
- Random, Sticky
- Ip address hash
- Best Response Time
- Distributed in-flight request limiting
- Distributed rate limiting
- End-to-end HTTP/1.1 support
- End-to-end H2 support
- End-to-end H3 support
- Traffic mirroring
- Traffic capture
- Canary deployments
- Relay routing
- Tunnels for easier network exposition
- Error templates
Routing
- Router can support ten of thousands of concurrent routes
- Router support path params extraction (can be regex validated)
- Routing based on
- method
- hostname (exact, wildcard)
- path (exact, wildcard)
- header values (exact, regex, wildcard)
- query param values (exact, regex, wildcard)
- Support full url rewriting
Routes customization
- Dozens of built-in middlewares (policies/plugins)
- circuit breakers
- automatic retries
- buffering
- gzip
- headers manipulation
- cors
- body transformation
- graphql gateway
- etc
- Support middlewares compiled to WASM (using extism)
- Support Open Policy Agent policies for traffic control
- Write your own custom middlewares
- in scala deployed as jar files
- in whatever language you want that can be compiled to WASM
Routes Monitoring
- Active healthchecks
- Route state for the last 90 days
- Calls tracing using W3C trace context
- Export alerts and events to external database
- file
- S3
- elastic
- pulsar
- kafka
- webhook
- mailer
- logger
- Real-time traffic metrics
- Real-time traffic metrics (Datadog, Prometheus, StatsD)
Services discovery
- through DNS
- through Eureka 2
- through Kubernetes API
- through custom otoroshi protocol
API security
- Access management with apikeys and quotas
- Automatic apikeys secrets rotation
- HTTPS and TLS
- End-to-end mTLS calls
- Routing constraints
- Routing restrictions
- JWT tokens validation and manipulation
- can support multiple validator on the same routes
Administration UI
- Manage and organize all resources
- Secured users access with Authentication module
- Audited users actions
- Dynamic changes at runtime without full reload
- Test your routes without any external tools
Webapp authentication and security
- OAuth2.0/2.1 authentication
- OpenID Connect (OIDC) authentication
- LDAP authentication
- JWT authentication
- OAuth 1.0a authentication
- SAML V2 authentication
- Internal users management
- Secret vaults support
- Environment variables
- Hashicorp Vault
- Azure key vault
- AWS secret manager
- Google secret manager
- Kubernetes secrets
- Izanami
- Spring Cloud Config
- Http
- Local
Certificates management
- Dynamic TLS certificates store
- Dynamic TLS termination
- Internal PKI
- generate self signed certificates/CAs
- generate/sign certificates/CAs/subCAs
- AIA
- OCSP responder
- import P12/certificate bundles
- ACME / Let’s Encrypt support
- On-the-fly certificate generation based on a CA certificate without request loss
- JWKS exposition for public keypair
- Default certificate
- Customize mTLS trusted CAs in the TLS handshake
Clustering
- based on a control plane/data plane pattern
- encrypted communication
- backup capabilities to allow data plane to start without control plane reachable to improve resilience
- relay routing to forward traffic from one network zone to others
- distributed web authentication accross nodes
Performances and testing
- Chaos engineering
- Horizontal Scalability or clustering
- Canary testing
- Http client in UI
- Request debugging
- Traffic capture
Kubernetes integration
- Standard Ingress controller
- Custom Ingress controller
- Manage Otoroshi resources from Kubernetes
- Validation of resources via webhook
- Service Mesh for easy service-to-service communication (based on Kubernetes sidecars)
Organize
- multi-organizations
- multi-teams
- routes groups
Developpers portal
- Using Daikoku