Features

Traffic Management

• Can proxy any HTTP(s) service (APIs, webapps, websocket, etc) (routes, engine)
• Can proxy any TCP service (app, database, etc) (TCP services)
• Can proxy any gRPC service (using a netty listener), also gRPC-Web support (HTTP listeners)
• Can proxy any GraphQL service (proxy, query composition, and schema-first backend) (GraphQL composer)
• Full WebSocket support with message validation, transformation, and mirroring
• End-to-end HTTP/1.1 support
• End-to-end HTTP/2 support (including H2C cleartext) (Netty server)
• End-to-end HTTP/3 support (QUIC) (HTTP/3)
• Multiple load balancing options: (backends)
  • Round Robin
  • Random
  • Sticky (cookie-based session affinity)
  • IP Address Hash
  • Best Response Time
  • Weighted Best Response Time
  • Least Connections
  • Power of Two Random Choices
  • Header Hash (consistent hashing on a request header)
  • Cookie Hash (consistent hashing on a cookie value)
  • Query Hash (consistent hashing on a query parameter)
• Backend Failover targets support (backends)
• Distributed in-flight request limiting (built-in plugins)
• Distributed rate limiting (built-in plugins)
• Per-IP, per-API key, per-route, and custom throttling and quotas (built-in plugins)
• Request and response bandwidth throttling
• Request and response body size limiting
• Traffic mirroring to secondary backends (built-in plugins)
• Traffic capture (GoReplay format) (engine)
• Canary deployments (percentage-based and time-controlled)
• Relay routing across network zones (relay routing)
• Tunnels for easier network exposition (TCP, UDP, WebSocket-based) (tunnels)
• Custom error templates (error templates)

Routing

• Router can support tens of thousands of concurrent routes (engine)
• Router supports path parameter extraction (with regex validation) (engine)
• Routing based on: (routes)
  • HTTP method
  • hostname (exact, wildcard)
  • path (exact, prefix, wildcard)
  • header values (exact, regex, wildcard)
  • query param values (exact, regex, wildcard)
  • cookie values
• Full URL rewriting (backends)
• Path stripping (routes)
• Target predicates (route to specific backends based on geolocation, cloud region, datacenter, rack, etc) (backends)

Routes customization

• Over 200 built-in middlewares (plugins) covering: (built-in plugins)
  • circuit breakers (with configurable thresholds) (circuit breaker)
  • automatic retries (with exponential backoff)
  • response caching (built-in plugins)
  • gzip and brotli compression (gzip, brotli)
  • request and response headers manipulation (input, output)
  • request and response cookies manipulation (input, output)
  • CORS handling (CORS)
  • body transformation (jq, regex, XML/JSON conversion, SOAP) (built-in plugins)
  • query string transformation (built-in plugins)
  • GraphQL composition (GraphQL composer)
  • HTML patching (built-in plugins)
  • redirection (built-in plugins)
  • maintenance and build modes (built-in plugins)
  • static responses and mocks (built-in plugins)
  • etc
• Support middlewares compiled to WASM (using Extism) (WASM plugins, WASM usage)
• Support Open Policy Agent policies for traffic control (via WASM) (WASM usage)
• Visual workflow engine for building complex processing pipelines (workflows, workflow editor)
• Write your own custom middlewares: (create plugins)
  • in Scala deployed as jar files
  • in whatever language you want that can be compiled to WASM (WASM how-to)

Security

• Coraza Web Application Firewall (WAF) with OWASP Core Rule Set support (WAF how-to)
• IP address allow and block lists (with CIDR support) (built-in plugins)
• Domain name allow and block lists (built-in plugins)
• Fail2Ban-style automatic IP banning (built-in plugins)
• Geolocation-based access control (MaxMind, IPStack) (built-in plugins)
• Time-restricted access control
• Log4Shell and React2Shell vulnerability detection (built-in plugins)
• Security headers injection (HSTS, CSP, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options)
• security.txt endpoint (RFC 9116)
• robots.txt handling

API security

• Access management with API keys and quotas (API keys, how-to)
• Multiple API key extraction methods (header, query param, cookie, bearer token, basic auth, JWT) (API keys)
• Automatic API key secrets rotation (API keys)
• Mandatory tags and metadata validation on API keys
• HTTPS and TLS (TLS)
• End-to-end mTLS calls (mTLS how-to)
• Routing constraints and restrictions
• Public/private path separation
• JWT token validation and manipulation (JWT verifiers, how-to)
  • Multiple validators on the same route
  • JWE (encrypted JWT) support
  • JWT signing
• HMAC request signing and validation (Otoroshi protocol)
• Biscuit token extraction and validation (datalog-based authorization) (built-in plugins)
• OpenFGA fine-grained authorization (built-in plugins)
• Role-based access control (RBAC) (built-in plugins)
• Context validation (JSON path-based claims validation) (built-in plugins)

Monitoring and observability

• Active health checks (with customizable healthy/unhealthy status codes and regex body checks) (backends)
• Route state for the last 90 days
• Calls tracing using W3C Trace Context (built-in plugins)
• Real-time traffic metrics (monitoring)
• Prometheus metrics export (monitoring)
• OpenTelemetry metrics and logs export (OTLP) (OpenTelemetry)
• Datadog, StatsD metrics export (monitoring)
• Export alerts and events to external systems: (data exporters, events and analytics)
  • Elasticsearch (how-to)
  • Apache Kafka (how-to)
  • Apache Pulsar
  • Webhook (HTTP)
  • File
  • S3
  • Mailer (Mailgun, Mailjet, Sendgrid, generic SMTP) (how-to)
  • Console / Logger
  • Splunk
  • Datadog
  • New Relic
  • GoReplay (file and S3)
  • TCP / UDP / Syslog
  • JMS
  • WASM-based custom exporter (WASM usage)
  • Workflow-based custom exporter (workflows)
• GreenScore: ecological scoring of API routes based on efficiency rules (GreenScore)

Services discovery

• Through DNS
• Through Eureka (internal and external) (how-to)
• Through Kubernetes API (namespace scanning) (Kubernetes)
• Through custom Otoroshi protocol (self-registration) (Otoroshi protocol)
• Through Tailscale network (how-to)

Authentication

• OAuth 2.0/2.1 authentication (with PKCE support) (auth modules)
• OpenID Connect (OIDC) authentication (auth modules, Keycloak how-to)
• LDAP authentication (with nested groups) (auth modules, LDAP how-to)
• JWT authentication (auth modules)
• OAuth 1.0a authentication (how-to)
• SAML V2 authentication (auth modules)
• Basic authentication (username/password) (auth modules)
• WebAuthn / FIDO2 passwordless authentication
• Auth0 passwordless flow (Auth0 how-to)
• WASM-based custom authentication (auth modules, WASM usage)
• Internal users management (Otoroshi admins)
• Multi-authentication module chaining (auth modules)
• Client credentials OAuth2 flow with token endpoint (how-to)

Secret vaults support (secrets management)

• Environment variables
• Hashicorp Vault
• Azure Key Vault
• AWS Secrets Manager
• Google Cloud Secret Manager
• Alibaba Cloud Secret Manager
• Kubernetes Secrets
• Izanami (v1)
• Infisical
• Spring Cloud Config
• HTTP (generic endpoint)
• Local (file-based)
• Extensible via admin extensions

Certificates management (PKI, certificates)

• Dynamic TLS certificates store (TLS)
• Dynamic TLS termination (TLS how-to)
• Internal PKI (PKI)
  • generate self-signed certificates/CAs
  • generate/sign certificates/CAs/sub-CAs
  • AIA (Authority Information Access)
  • OCSP responder
  • import P12/certificate bundles
• ACME / Let's Encrypt support (Let's Encrypt how-to)
• On-the-fly certificate generation based on a CA certificate without request loss
• JWKS exposition for public key pairs (PKI)
• Default certificate
• Customize mTLS trusted CAs in the TLS handshake (mTLS how-to)
• Tailscale certificates integration (how-to)

Clustering (clustering)

• Based on a control plane / data plane pattern
• Encrypted communication between nodes
• Backup capabilities allowing data planes to start without control plane (improved resilience)
• Relay routing to forward traffic across network zones (relay routing)
• Distributed web authentication across nodes (sessions management)

Static content and backends

• Serve static files from local filesystem (built-in plugins)
• Serve static files from Amazon S3 (built-in plugins)
• Serve static files from ZIP archives (ZIP backend how-to)
• Echo backend for debugging (built-in plugins)
• Static response / mock backends (built-in plugins)

Administration UI

• Manage and organize all resources
• Secured user access with authentication module (auth modules)
• Audited user actions (events and analytics)
• Dynamic changes at runtime without full reload
• Test your routes without any external tools
• Visual workflow designer with step-by-step debugger (workflow editor)
• Extensible via admin extensions (custom entities, routes, frontend modules)

Kubernetes integration (Kubernetes)

• Standard Ingress controller
• Custom Ingress controller with CRD support
  • Manage Otoroshi resources from Kubernetes
• Validation of resources via admission webhook
• Kubernetes Gateway API support (Gateway API)
• Sidecar injection for service mesh
• Bidirectional TLS certificate synchronization (Kubernetes secrets <-> Otoroshi certificates)

Dynamic HTTP listeners (topic, entity)

• Create and manage additional HTTP listeners on custom ports
• Multi-protocol support (HTTP/1.1, HTTP/2, HTTP/3, H2C)
• Dynamic configuration without restart
• TLS and mTLS support per listener

Infrastructure as Code / GitOps

• Remote Catalogs: declarative entity management from trusted external sources (topic, entity)
  • Supported sources:
    • GitHub (including GitHub Enterprise)
    • GitLab (including self-hosted)
    • Bitbucket Cloud
    • Generic Git repositories (HTTPS and SSH)
    • Amazon S3 (and S3-compatible storage)
    • HTTP endpoints
    • Consul KV
    • Local filesystem
      • with possible pre-deploy sync command
  • Full reconciliation engine (create, update, delete) with desired state convergence
  • Automatic deployment via scheduled polling (fixed interval or cron expression)
  • Webhook-triggered deployment from GitHub, GitLab, and Bitbucket push events
  • Dry-run mode to preview changes before applying
  • Undeploy to cleanly remove all entities managed by a catalog
  • Support for JSON and YAML entity definitions (including multi-document YAML)
  • Deploy listing files for fine-grained control over which files to import
  • Route plugins for programmatic deployment (single, batch, webhook)
• otoroshictl CLI tool
  • Sync configuration with Otoroshi clusters
  • Push-based IaC, very similar to what kubectl apply can do

Storage backends (setup)

• Redis (via Lettuce)
• PostgreSQL (via Reactive PG)
• Cassandra
• In-memory (with file persistence)
• S3
• HTTP

Organize

• Multi-organizations (organizations)
• Multi-teams (teams)
• Routes groups (service groups)

Developers portal

• Using Daikoku (dev portal)