docs: update for 1.4

docs/content/cli/forwarder_pac_eval.md

@@ -90,11 +90,27 @@ Syntax:
 - File: `/path/to/file.pac`
 - Embed: `data:base64,<base64 encoded data>`
 
+### `--http-dial-attempts` {#http-dial-attempts}
+
+* Environment variable: `FORWARDER_HTTP_DIAL_ATTEMPTS`
+* Value Format: `<int>`
+* Default value: `3`
+
+The number of attempts to dial the network address.
+
+### `--http-dial-backoff` {#http-dial-backoff}
+
+* Environment variable: `FORWARDER_HTTP_DIAL_BACKOFF`
+* Value Format: `<duration>`
+* Default value: `1s`
+
+The amount of time to wait between dial attempts.
+
 ### `--http-dial-timeout` {#http-dial-timeout}
 
 * Environment variable: `FORWARDER_HTTP_DIAL_TIMEOUT`
 * Value Format: `<duration>`
-* Default value: `30s`
+* Default value: `25s`
 
 The maximum amount of time a dial will wait for a connect to complete.
 With or without a timeout, the operating system may impose its own earlier timeout.

docs/content/cli/forwarder_pac_server.md

@@ -80,6 +80,26 @@ For https and h2 protocols, if TLS certificate is not specified, the server will
 
 The amount of time allowed to read request headers.
 
+### `--read-limit` {#read-limit}
+
+* Environment variable: `FORWARDER_READ_LIMIT`
+* Value Format: `<bandwidth>`
+* Default value: `0`
+
+Global read rate limit in bytes per second i.e.
+how many bytes per second you can receive from a proxy.
+Accepts binary format (e.g.
+1.5Ki, 1Mi, 3.6Gi).
+
+### `--shutdown-timeout` {#shutdown-timeout}
+
+* Environment variable: `FORWARDER_SHUTDOWN_TIMEOUT`
+* Value Format: `<duration>`
+* Default value: `30s`
+
+The maximum amount of time to wait for the server to drain connections before closing.
+Zero means no limit.
+
 ### `--tls-cert-file` {#tls-cert-file}
 
 * Environment variable: `FORWARDER_TLS_CERT_FILE`
@@ -113,6 +133,17 @@ Syntax:
 - File: `/path/to/file.pac`
 - Embed: `data:base64,<base64 encoded data>`
 
+### `--write-limit` {#write-limit}
+
+* Environment variable: `FORWARDER_WRITE_LIMIT`
+* Value Format: `<bandwidth>`
+* Default value: `0`
+
+Global write rate limit in bytes per second i.e.
+how many bytes per second you can send to proxy.
+Accepts binary format (e.g.
+1.5Ki, 1Mi, 3.6Gi).
+
 ## Proxy options
 
 ### `-p, --pac` {#pac}
@@ -176,11 +207,27 @@ Syntax:
 - File: `/path/to/file.pac`
 - Embed: `data:base64,<base64 encoded data>`
 
+### `--http-dial-attempts` {#http-dial-attempts}
+
+* Environment variable: `FORWARDER_HTTP_DIAL_ATTEMPTS`
+* Value Format: `<int>`
+* Default value: `3`
+
+The number of attempts to dial the network address.
+
+### `--http-dial-backoff` {#http-dial-backoff}
+
+* Environment variable: `FORWARDER_HTTP_DIAL_BACKOFF`
+* Value Format: `<duration>`
+* Default value: `1s`
+
+The amount of time to wait between dial attempts.
+
 ### `--http-dial-timeout` {#http-dial-timeout}
 
 * Environment variable: `FORWARDER_HTTP_DIAL_TIMEOUT`
 * Value Format: `<duration>`
-* Default value: `30s`
+* Default value: `25s`
 
 The maximum amount of time a dial will wait for a connect to complete.
 With or without a timeout, the operating system may impose its own earlier timeout.

docs/content/cli/forwarder_run.md

@@ -86,6 +86,25 @@ The name value in Via header is extended with a random string to avoid collision
 The server protocol.
 For https and h2 protocols, if TLS certificate is not specified, the server will use a self-signed certificate.
 
+### `--proxy-protocol-listener` {#proxy-protocol-listener}
+
+* Environment variable: `FORWARDER_PROXY_PROTOCOL_LISTENER`
+* Value Format: `<value>`
+* Default value: `false`
+
+The PROXY protocol is used to correctly read the client's IP address.
+When enabled the proxy will expect the client to send the PROXY protocol header before the actual request.
+PROXY protocol version 1 and 2 are supported.
+
+### `--proxy-protocol-read-header-timeout` {#proxy-protocol-read-header-timeout}
+
+* Environment variable: `FORWARDER_PROXY_PROTOCOL_READ_HEADER_TIMEOUT`
+* Value Format: `<duration>`
+* Default value: `5s`
+
+The amount of time to wait for PROXY protocol header.
+Zero means no limit.
+
 ### `--read-header-timeout` {#read-header-timeout}
 
 * Environment variable: `FORWARDER_READ_HEADER_TIMEOUT`
@@ -105,6 +124,15 @@ how many bytes per second you can receive from a proxy.
 Accepts binary format (e.g.
 1.5Ki, 1Mi, 3.6Gi).
 
+### `--shutdown-timeout` {#shutdown-timeout}
+
+* Environment variable: `FORWARDER_SHUTDOWN_TIMEOUT`
+* Value Format: `<duration>`
+* Default value: `30s`
+
+The maximum amount of time to wait for the server to drain connections before closing.
+Zero means no limit.
+
 ### `--tls-cert-file` {#tls-cert-file}
 
 * Environment variable: `FORWARDER_TLS_CERT_FILE`
@@ -279,6 +307,23 @@ Syntax:
 - File: `/path/to/file.pac`
 - Embed: `data:base64,<base64 encoded data>`
 
+### `--mitm-cache-size` {#mitm-cache-size}
+
+* Environment variable: `FORWARDER_MITM_CACHE_SIZE`
+* Value Format: `<size>`
+* Default value: `1024`
+
+Maximum number of certificates to cache.
+If the cache is full, the least recently used certificate is removed.
+
+### `--mitm-cache-ttl` {#mitm-cache-ttl}
+
+* Environment variable: `FORWARDER_MITM_CACHE_TTL`
+* Value Format: `<duration>`
+* Default value: `6h0m0s`
+
+Expiration time of the cached certificates.
+
 ### `--mitm-cakey-file` {#mitm-cakey-file}
 
 * Environment variable: `FORWARDER_MITM_CAKEY_FILE`
@@ -356,11 +401,41 @@ Syntax:
 - File: `/path/to/file.pac`
 - Embed: `data:base64,<base64 encoded data>`
 
+### `--connect-to` {#connect-to}
+
+* Environment variable: `FORWARDER_CONNECT_TO`
+* Value Format: `<HOST1:PORT1:HOST2:PORT2>,...`
+
+For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead.
+This option is suitable to direct requests at a specific server, e.g.
+at a specific cluster node in a cluster of servers.
+This option is only used to establish the network connection and does not work when request is routed using an upstream proxy.
+It does NOT affect the hostname/port that is used for TLS/SSL (e.g.
+SNI, certificate verification) or for the application protocols.
+HOST1 and PORT1 may be the empty string, meaning any host/port.
+HOST2 and PORT2 may also be the empty string, meaning use the request's original host/port.
+
+### `--http-dial-attempts` {#http-dial-attempts}
+
+* Environment variable: `FORWARDER_HTTP_DIAL_ATTEMPTS`
+* Value Format: `<int>`
+* Default value: `3`
+
+The number of attempts to dial the network address.
+
+### `--http-dial-backoff` {#http-dial-backoff}
+
+* Environment variable: `FORWARDER_HTTP_DIAL_BACKOFF`
+* Value Format: `<duration>`
+* Default value: `1s`
+
+The amount of time to wait between dial attempts.
+
 ### `--http-dial-timeout` {#http-dial-timeout}
 
 * Environment variable: `FORWARDER_HTTP_DIAL_TIMEOUT`
 * Value Format: `<duration>`
-* Default value: `30s`
+* Default value: `25s`
 
 The maximum amount of time a dial will wait for a connect to complete.
 With or without a timeout, the operating system may impose its own earlier timeout.
@@ -445,6 +520,37 @@ The maximum amount of time to wait for the next request before closing connectio
 
 The amount of time allowed to read request headers.
 
+### `--api-read-limit` {#api-read-limit}
+
+* Environment variable: `FORWARDER_API_READ_LIMIT`
+* Value Format: `<bandwidth>`
+* Default value: `0`
+
+Global read rate limit in bytes per second i.e.
+how many bytes per second you can receive from a proxy.
+Accepts binary format (e.g.
+1.5Ki, 1Mi, 3.6Gi).
+
+### `--api-shutdown-timeout` {#api-shutdown-timeout}
+
+* Environment variable: `FORWARDER_API_SHUTDOWN_TIMEOUT`
+* Value Format: `<duration>`
+* Default value: `30s`
+
+The maximum amount of time to wait for the server to drain connections before closing.
+Zero means no limit.
+
+### `--api-write-limit` {#api-write-limit}
+
+* Environment variable: `FORWARDER_API_WRITE_LIMIT`
+* Value Format: `<bandwidth>`
+* Default value: `0`
+
+Global write rate limit in bytes per second i.e.
+how many bytes per second you can send to proxy.
+Accepts binary format (e.g.
+1.5Ki, 1Mi, 3.6Gi).
+
 ## Logging options
 
 ### `--log-file` {#log-file}

docs/content/cli/forwarder_test_httpbin.md

@@ -56,6 +56,26 @@ For https and h2 protocols, if TLS certificate is not specified, the server will
 
 The amount of time allowed to read request headers.
 
+### `--read-limit` {#read-limit}
+
+* Environment variable: `FORWARDER_READ_LIMIT`
+* Value Format: `<bandwidth>`
+* Default value: `0`
+
+Global read rate limit in bytes per second i.e.
+how many bytes per second you can receive from a proxy.
+Accepts binary format (e.g.
+1.5Ki, 1Mi, 3.6Gi).
+
+### `--shutdown-timeout` {#shutdown-timeout}
+
+* Environment variable: `FORWARDER_SHUTDOWN_TIMEOUT`
+* Value Format: `<duration>`
+* Default value: `30s`
+
+The maximum amount of time to wait for the server to drain connections before closing.
+Zero means no limit.
+
 ### `--tls-cert-file` {#tls-cert-file}
 
 * Environment variable: `FORWARDER_TLS_CERT_FILE`
@@ -89,6 +109,17 @@ Syntax:
 - File: `/path/to/file.pac`
 - Embed: `data:base64,<base64 encoded data>`
 
+### `--write-limit` {#write-limit}
+
+* Environment variable: `FORWARDER_WRITE_LIMIT`
+* Value Format: `<bandwidth>`
+* Default value: `0`
+
+Global write rate limit in bytes per second i.e.
+how many bytes per second you can send to proxy.
+Accepts binary format (e.g.
+1.5Ki, 1Mi, 3.6Gi).
+
 ## Logging options
 
 ### `--log-file` {#log-file}

docs/content/config/forwarder_pac_eval.yaml

@@ -46,12 +46,22 @@
 # - Embed: data:base64,<base64 encoded data>
 #cacert-file: 
 
+# http-dial-attempts <int>
+#
+# The number of attempts to dial the network address.
+#http-dial-attempts: 3
+
+# http-dial-backoff <duration>
+#
+# The amount of time to wait between dial attempts.
+#http-dial-backoff: 1s
+
 # http-dial-timeout <duration>
 #
 # The maximum amount of time a dial will wait for a connect to complete. With or
 # without a timeout, the operating system may impose its own earlier timeout.
 # For instance, TCP timeouts are often around 3 minutes.
-#http-dial-timeout: 30s
+#http-dial-timeout: 25s
 
 # http-idle-conn-timeout <duration>
 #

docs/content/config/forwarder_pac_server.yaml

@@ -28,6 +28,18 @@
 # The amount of time allowed to read request headers.
 #read-header-timeout: 1m0s
 
+# read-limit <bandwidth>
+#
+# Global read rate limit in bytes per second i.e. how many bytes per second you
+# can receive from a proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
+#read-limit: 0
+
+# shutdown-timeout <duration>
+#
+# The maximum amount of time to wait for the server to drain connections before
+# closing. Zero means no limit.
+#shutdown-timeout: 30s
+
 # tls-cert-file <path or base64>
 #
 # TLS certificate to use if the server protocol is https or h2. 
@@ -52,6 +64,12 @@
 # - Embed: data:base64,<base64 encoded data>
 #tls-key-file: 
 
+# write-limit <bandwidth>
+#
+# Global write rate limit in bytes per second i.e. how many bytes per second you
+# can send to proxy. Accepts binary format (e.g. 1.5Ki, 1Mi, 3.6Gi).
+#write-limit: 0
+
 # --- Proxy options ---
 
 # pac <path or URL>
@@ -100,12 +118,22 @@
 # - Embed: data:base64,<base64 encoded data>
 #cacert-file: 
 
+# http-dial-attempts <int>
+#
+# The number of attempts to dial the network address.
+#http-dial-attempts: 3
+
+# http-dial-backoff <duration>
+#
+# The amount of time to wait between dial attempts.
+#http-dial-backoff: 1s
+
 # http-dial-timeout <duration>
 #
 # The maximum amount of time a dial will wait for a connect to complete. With or
 # without a timeout, the operating system may impose its own earlier timeout.
 # For instance, TCP timeouts are often around 3 minutes.
-#http-dial-timeout: 30s
+#http-dial-timeout: 25s
 
 # http-idle-conn-timeout <duration>
 #