Otoroshi
DOCS

Custom HTTP Listeners

starting from v16.18.0, otoroshi introduce the custom http listeners feature. While this feature can seems to be a little dull, it is actually quite powerful and can unlock a whole new world of capabilities.

Custom HTTP Listeners is the ability to run new HTTP listeners on any port you want, with the protocols and tls settings you want, either statically from the otoroshi config. file or dynamically from specific new entities. Those listeners are capable of routing your traffic like the standard otoroshi listener but they are also capable of scoping the traffic to only certains routes or route plugins that are bound to one or more specific listeners.

HTTP Listener config.

by default, the configuration of an http listener look like the following

{
  "enabled": true, // is the listener enabled
  "exclusive": false, // the the exclusive listeners section
  "tls": true, // is TLS enabled ?
  "http1": true, // is HTTP/1.1 enabled
  "http2": true, // is H2 enabled
  "http3": false, // is H3 enabled
  "h2c": false,  // is H2C enabled
  "port": 7890,  // the port on which the listener listens
  "exposedPort": 7890, // the exposed port (containers, public cloud, etc ...)
  "host": "0.0.0.0", // the host on which the listener listens
  "accessLog": false, // is the access log enabled
  "clientAuth": "None" // do we want mTLS (values are None, Want, Need) ?
}

all the values here are the default ones.

this config. can be used as is from the otoroshi config. file (see the How does is work section) or embedded in the HttpListener entity (see the How does is work section).

Exclusive listeners

exclusive listener is a special kind of listener (marked with the exclusive flag) that can only handle routes or plugin routes that are bound to it. It can be quite handy to handle traffic for special routes, or privates routes that can be accessible only to certain people. When a listener is not exclusive, all the routes without a bound listener can be served from it.

Static HTTP listeners

you can start an http listener right from the otoroshi config. file. To do so, just add an http listener config. at otoroshi.http-listeners. You can also provide the full HTTP listener json formatted config. array in the OTOROSHI_HTTP_LISTENERS env. variable.

those listeners will start at otoroshi startup, as soon as the admin extensions are started.

static listeners MUST have an id field sor routes and plugins can be bound to it

Dynamic HTTP Listeners

you can also defined dynamic http listeners from otoroshi admin. API or otoroshi admin. backoffice.

the API is available at http://otoroshi-api.oto.tools:8080/apis/http-listeners.extensions.otoroshi.io/v1/http-listeners/:id. As soon as you create a new entity, the corresponding listener will be started. If you modify it, the listener will be restarted. If you delete it the listener will be stopped.

for instance if we want to create an H2 only listener for some private routes on port 7892, then we could do

curl -X POST 'http://otoroshi-api.oto.tools:8080/apis/http-listeners.extensions.otoroshi.io/v1/http-listeners/private_h2_listener' \
  -u admin-api-apikey-id:admin-api-apikey-secret \
  --data name=private_h2_listener \
  --data config.port=7892 \
  --data config.exposedPort=7892 \
  --data config.exclusive=true \
  --data config.http1=false

a few seconds later, a log will be shown in the otoroshi logs like

if we want to stop it, we could do something like

curl -X PATCH 'http://otoroshi-api.oto.tools:8080/apis/http-listeners.extensions.otoroshi.io/v1/http-listeners/private_h2_listener' \
  -u admin-api-apikey-id:admin-api-apikey-secret \
  --data config.enabled=false

a few seconds later, a log will be shown in the otoroshi logs like

or delete it like 

curl -X DELETE 'http://otoroshi-api.oto.tools:8080/apis/http-listeners.extensions.otoroshi.io/v1/http-listeners/private_h2_listener' \
  -u admin-api-apikey-id:admin-api-apikey-secret

Bind a route to a specific HTTP Listener

with http listeners, a new property is available on Routes. The property bound_listeners is an array of values corresponding to the http listeners id. As soon as a route is bound to one or more http listeners, it will only be routed on those listeners.

for instance, the following route in only accessible from the http listener with id static-1. The standard http listener will no be able to route it.

{
  "_loc": {
    "tenant": "default",
    "teams": [
      "default"
    ]
  },
  "id": "route_6ee30dc0a-0871-4ab2-9b37-db939c36c418",
  "name": "my api",
  "description": "my api",
  "tags": [],
  "metadata": {
    "created_at": "2024-04-24T11:51:41.330+02:00"
  },
  "enabled": true,
  "debug_flow": false,
  "export_reporting": false,
  "capture": false,
  "groups": [
    "default"
  ],
  "bound_listeners": ["static-1"],
  "frontend": {
    "domains": [
      "myapi.oto.tools"
    ],
    "strip_path": true,
    "exact": false,
    "headers": {},
    "query": {},
    "methods": []
  },
  "backend": {
    "targets": [
      {
        "id": "request.otoroshi.io",
        "hostname": "request.otoroshi.io",
        "port": 443,
        "tls": true,
        "weight": 1,
        "predicate": {
          "type": "AlwaysMatch"
        },
        "protocol": "HTTP/1.1",
        "ip_address": null
      }
    ],
    "root": "",
    "rewrite": false,
    "load_balancing": {
      "type": "RoundRobin"
    }
  },
  "backend_ref": null,
  "plugins": [],
  "kind": "Route"
}

Bind a plugin to a specific HTTP Listener

if you need something more subtle, it is also possible to apply plugins only on specific listeners. For instance in the following route, the apikey plugin will only be applied from the static-1 listener

{
  "_loc": {
    "tenant": "default",
    "teams": [
      "default"
    ]
  },
  "id": "route_6ee30dc0a-0871-4ab2-9b37-db939c36c418",
  "name": "my api",
  "description": "my api",
  "tags": [],
  "metadata": {
    "created_at": "2024-04-24T11:51:41.330+02:00"
  },
  "enabled": true,
  "debug_flow": false,
  "export_reporting": false,
  "capture": false,
  "groups": [
    "default"
  ],
  "bound_listeners": [],
  "frontend": {
    "domains": [
      "myapi.oto.tools"
    ],
    "strip_path": true,
    "exact": false,
    "headers": {},
    "query": {},
    "methods": []
  },
  "backend": {
    "targets": [
      {
        "id": "request.otoroshi.io",
        "hostname": "request.otoroshi.io",
        "port": 443,
        "tls": true,
        "weight": 1,
        "predicate": {
          "type": "AlwaysMatch"
        },
        "protocol": "HTTP/1.1",
        "ip_address": null
      }
    ],
    "root": "",
    "rewrite": false,
    "load_balancing": {
      "type": "RoundRobin"
    }
  },
  "backend_ref": null,
  "plugins": [
    {
      "enabled": true,
      "debug": false,
      "plugin": "cp:otoroshi.next.plugins.ApikeyCalls",
      "include": [],
      "exclude": [],
      "config": {},
      "bound_listeners": ["static-1"],
      "plugin_index": {
        "validate_access": 0,
        "transform_request": 0,
        "match_route": 0
      }
    },
    {
      "enabled": true,
      "debug": false,
      "plugin": "cp:otoroshi.next.plugins.OverrideHost",
      "include": [],
      "exclude": [],
      "config": {},
      "bound_listeners": [],
      "plugin_index": {
        "transform_request": 1
      }
    }
  ],
  "kind": "Route"
}

Next: How to’s