Features

Traffic Management

• Can proxy any HTTP(s) service (apis, webapps, websocket, etc)
• Can proxy any TCP service (app, database, etc)
• Can proxy any GRPC service
• Multiple load-balancing options:
  • RoundRobin
  • Random, Sticky
  • Ip address hash
  • Best Response Time
• Distributed in-flight request limiting
• Distributed rate limiting
• End-to-end HTTP/1.1 support
• End-to-end H2 support
• End-to-end H3 support
• Traffic mirroring
• Traffic capture
• Canary deployments
• Relay routing
• Tunnels for easier network exposition
• Error templates

Routing

• Router can support ten of thousands of concurrent routes
• Router support path params extraction (can be regex validated)
• Routing based on
  • method
  • hostname (exact, wildcard)
  • path (exact, wildcard)
  • header values (exact, regex, wildcard)
  • query param values (exact, regex, wildcard)
• Support full url rewriting

Routes customization

• Dozens of built-in middlewares (policies/plugins)
  • circuit breakers
  • automatic retries
  • buffering
  • gzip
  • headers manipulation
  • cors
  • body transformation
  • graphql gateway
  • etc
• Support middlewares compiled to WASM (using extism)
• Support Open Policy Agent policies for traffic control
• Write your own custom middlewares
  • in scala deployed as jar files
  • in whatever language you want that can be compiled to WASM

Routes Monitoring

• Active healthchecks
• Route state for the last 90 days
• Calls tracing using W3C trace context
• Export alerts and events to external database
  • file
  • S3
  • elastic
  • pulsar
  • kafka
  • webhook
  • mailer
  • logger
• Real-time traffic metrics
• Real-time traffic metrics (Datadog, Prometheus, StatsD)

Services discovery

• through DNS
• through Eureka 2
• through Kubernetes API
• through custom otoroshi protocol

API security

• Access management with apikeys and quotas
• Automatic apikeys secrets rotation
• HTTPS and TLS
• End-to-end mTLS calls
• Routing constraints
• Routing restrictions
• JWT tokens validation and manipulation
  • can support multiple validator on the same routes

Administration UI

• Manage and organize all resources
• Secured users access with Authentication module
• Audited users actions
• Dynamic changes at runtime without full reload
• Test your routes without any external tools

Webapp authentication and security

• OAuth2.0/2.1 authentication
• OpenID Connect (OIDC) authentication
• LDAP authentication
• JWT authentication
• OAuth 1.0a authentication
• SAML V2 authentication
• Internal users management
• Secret vaults support
  • Environment variables
  • Hashicorp Vault
  • Azure key vault
  • AWS secret manager
  • Google secret manager
  • Kubernetes secrets
  • Izanami
  • Spring Cloud Config
  • Http
  • Local

Certificates management

• Dynamic TLS certificates store
• Dynamic TLS termination
• Internal PKI
  • generate self signed certificates/CAs
  • generate/sign certificates/CAs/subCAs
  • AIA
  • OCSP responder
  • import P12/certificate bundles
• ACME / Let’s Encrypt support
• On-the-fly certificate generation based on a CA certificate without request loss
• JWKS exposition for public keypair
• Default certificate
• Customize mTLS trusted CAs in the TLS handshake

Clustering

• based on a control plane/data plane pattern
• encrypted communication
• backup capabilities to allow data plane to start without control plane reachable to improve resilience
• relay routing to forward traffic from one network zone to others
• distributed web authentication accross nodes

Performances and testing

• Chaos engineering
• Horizontal Scalability or clustering
• Canary testing
• Http client in UI
• Request debugging
• Traffic capture

Kubernetes integration

• Standard Ingress controller
• Custom Ingress controller
  • Manage Otoroshi resources from Kubernetes
• Validation of resources via webhook
• Service Mesh for easy service-to-service communication (based on Kubernetes sidecars)

Organize

• multi-organizations
• multi-teams
• routes groups

Developpers portal

• Using Daikoku