Traffic Policies

Control tunnel traffic with policy-based IP filtering, header transforms, endpoint-level rate limits, and security audit logs.

What Traffic Policies Do

  • Allow or deny source CIDR ranges before forwarding to local services.
  • Set/add/remove request and response headers in a deterministic order.
  • Apply rate limits by IP, API key, or user with temporary block windows.
  • Log policy mutations and blocked requests to admin activity for auditability.

Admin Setup Flow

  1. Open /admin/policies.
  2. Select the target user from the left list.
  3. Create either a Global policy or an Endpoint policy linked to one tunnel.
  4. Add IP rules, header rules, and optional rate limit settings.
  5. Enable the policy and test it through the tunnel URL.
  6. Review events in the admin logs (search by TRAFFIC_POLICY_* actions).

Policy Precedence

An endpoint policy linked to the tunnel is evaluated first.

If no enabled endpoint policy exists for the tunnel, the latest enabled global policy for the user is applied instead.
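The precedence rule above, together with the allow/deny CIDR matching from "What Traffic Policies Do", as an added worked example. This is illustration code written for this page, not the product's own implementation: the Policy and IpRule field names, the first-match-by-priority ordering (lower priority value wins), the default-allow when no rule matches, and the fail-closed handling of an unparseable client address are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


# Hypothetical data model; field names are assumptions for this example.
@dataclass
class IpRule:
    cidr: str
    action: str      # "allow" or "deny"
    priority: int    # lower value is evaluated first (assumption)


@dataclass
class Policy:
    name: str
    scope: str       # "global" or "endpoint"
    enabled: bool
    created_at: int  # higher value means newer; "latest" = max(created_at)
    tunnel_id: Optional[str] = None
    ip_rules: list = field(default_factory=list)


def resolve_policy(policies, tunnel_id):
    """Enabled endpoint policy for the tunnel first; otherwise the latest
    enabled global policy; None when neither exists."""
    enabled = [p for p in policies if p.enabled]
    endpoint = [p for p in enabled if p.scope == "endpoint" and p.tunnel_id == tunnel_id]
    if endpoint:
        return max(endpoint, key=lambda p: p.created_at)
    global_policies = [p for p in enabled if p.scope == "global"]
    if global_policies:
        return max(global_policies, key=lambda p: p.created_at)
    return None


def ip_decision(policy, client_ip):
    """First matching CIDR rule in priority order decides; default allow.
    A client address that does not parse is denied (fail closed, assumption)."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return "deny"
    for rule in sorted(policy.ip_rules, key=lambda r: r.priority):
        if addr in ip_network(rule.cidr, strict=False):
            return rule.action
    return "allow"


def check_request(policies, tunnel_id, client_ip):
    """Return 403 when the resolved policy denies the source IP, else None
    (request is forwarded to the local service)."""
    policy = resolve_policy(policies, tunnel_id)
    if policy is None:
        return None
    return 403 if ip_decision(policy, client_ip) == "deny" else None


# Constructed sample policies (documentation-range addresses only).
SAMPLE_POLICIES = [
    Policy("global-default", "global", True, created_at=1,
           ip_rules=[IpRule("10.0.0.0/8", "deny", 10)]),
    Policy("global-newer", "global", True, created_at=2,
           ip_rules=[IpRule("192.0.2.0/24", "deny", 10)]),
    Policy("tun-a-endpoint", "endpoint", True, created_at=3, tunnel_id="tun-a",
           ip_rules=[IpRule("203.0.113.5/32", "allow", 1),
                     IpRule("203.0.113.0/24", "deny", 10)]),
    # Disabled endpoint policy: must be ignored, so tun-b falls back to global-newer.
    Policy("tun-b-disabled", "endpoint", False, created_at=4, tunnel_id="tun-b",
           ip_rules=[IpRule("0.0.0.0/0", "deny", 1)]),
]

if __name__ == "__main__":
    for tunnel, ip in [("tun-a", "203.0.113.5"), ("tun-a", "203.0.113.9"),
                       ("tun-b", "192.0.2.7"), ("tun-b", "10.1.2.3")]:
        print(tunnel, ip, resolve_policy(SAMPLE_POLICIES, tunnel).name,
              check_request(SAMPLE_POLICIES, tunnel, ip))
```

Note that only the single latest global policy applies: the 10.0.0.0/8 deny in the older global-default policy is not merged in, which is why a 10.x client reaches tun-b unblocked in the sample.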

Rate-Limit Behavior

  • requests_per_window + burst_requests defines the total allowed hits per window.
  • When that total is exceeded, further requests from the same key are blocked for block_seconds and return 429.
  • Retry-After is set on the 429 response when available.
  • Key mode can be ip, api_key, or user.
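The rate-limit behavior above as an added worked example: a fixed-window counter whose allowance is requests_per_window + burst_requests, a block window of block_seconds once it is exceeded, a 429 with Retry-After while blocked, and bucket keys chosen by key mode. This is example code written for this page, not the product's implementation; the fixed-window algorithm, the RateLimit field names, the fallback to the IP key when an api_key or user is absent, and the reset of the window once a block expires are assumptions.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class RateLimit:
    requests_per_window: int
    burst_requests: int
    window_seconds: int   # page: 1 to 86400
    block_seconds: int    # page: 1 to 86400
    key_mode: str         # "ip", "api_key", or "user"


class RateLimiter:
    """Fixed-window limiter with a temporary block window (assumed design)."""

    def __init__(self, limit, clock=time.monotonic):
        self.limit = limit
        self.clock = clock          # injectable for deterministic tests
        self._windows = {}          # key -> (window_start, hits)
        self._blocked = {}          # key -> unblock_at

    def key_for(self, request):
        """Bucket key by key_mode; missing api_key/user falls back to ip (assumption)."""
        mode = self.limit.key_mode
        if mode == "api_key" and request.get("api_key"):
            return "api_key:" + request["api_key"]
        if mode == "user" and request.get("user"):
            return "user:" + request["user"]
        return "ip:" + request["ip"]

    def check(self, request):
        """Return (None, {}) to forward, or (429, {'Retry-After': seconds})."""
        now = self.clock()
        key = self.key_for(request)

        unblock_at = self._blocked.get(key)
        if unblock_at is not None:
            if now < unblock_at:
                retry = max(1, math.ceil(unblock_at - now))
                return 429, {"Retry-After": str(retry)}
            # Block expired: clear it and start a fresh window (assumption).
            del self._blocked[key]
            self._windows.pop(key, None)

        start, hits = self._windows.get(key, (now, 0))
        if now - start >= self.limit.window_seconds:
            start, hits = now, 0       # new window
        hits += 1
        self._windows[key] = (start, hits)

        allowed = self.limit.requests_per_window + self.limit.burst_requests
        if hits > allowed:
            self._blocked[key] = now + self.limit.block_seconds
            return 429, {"Retry-After": str(self.limit.block_seconds)}
        return None, {}


class FakeClock:
    """Constructed clock so the timeline below is deterministic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def run_scenario():
    """Constructed timeline: 3 per 10 s window + burst 1, 30 s block, keyed by ip.
    Returns a list of (status, Retry-After) per request."""
    clock = FakeClock()
    limiter = RateLimiter(RateLimit(3, 1, 10, 30, "ip"), clock=clock)
    req = {"ip": "198.51.100.4"}
    results = []
    for _ in range(5):                 # 4 allowed (3 + burst 1), 5th blocked at t=0
        status, headers = limiter.check(req)
        results.append((status, headers.get("Retry-After")))
    clock.t = 12.0                     # window passed, but block lasts until t=30
    status, headers = limiter.check(req)
    results.append((status, headers.get("Retry-After")))
    clock.t = 31.0                     # block expired: fresh window, allowed again
    status, headers = limiter.check(req)
    results.append((status, headers.get("Retry-After")))
    return results

if __name__ == "__main__":
    print(run_scenario())
```

The Retry-After value shrinks as the block ages (30 s at the moment of blocking, 18 s twelve seconds later), which is what lets a well-behaved client back off correctly instead of retrying into the block and extending its own outage.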

Audit Actions You Can Filter

  • TRAFFIC_POLICY_CREATE
  • TRAFFIC_POLICY_UPDATE
  • TRAFFIC_POLICY_DELETE
  • TRAFFIC_POLICY_IP_RULE_CREATE
  • TRAFFIC_POLICY_IP_RULE_UPDATE
  • TRAFFIC_POLICY_IP_RULE_DELETE
  • TRAFFIC_POLICY_HEADER_RULE_CREATE
  • TRAFFIC_POLICY_HEADER_RULE_UPDATE
  • TRAFFIC_POLICY_HEADER_RULE_DELETE
  • TRAFFIC_POLICY_RATE_LIMIT_UPSERT
  • TRAFFIC_POLICY_RATE_LIMIT_DELETE
  • TRAFFIC_POLICY_BLOCK_IP
  • TRAFFIC_POLICY_BLOCK_RATE_LIMIT

Validation Limits (Current)

  • Policy name: 1 to 120 chars.
  • Rule priority: 1 to 100000.
  • Rate-limit window: 1 to 86400 seconds.
  • Rate-limit block duration: 1 to 86400 seconds.
  • Header names: letters, numbers, dashes only.

FAQ

Who can manage traffic policies?

Traffic policies are managed by admins from /admin/policies and applied to selected user tunnels globally or per endpoint.

Which policy runs if both global and endpoint policies exist?

Endpoint policy takes precedence. If no endpoint policy exists for a tunnel, the latest enabled global policy is used.

What happens when a request is blocked?

Blocked requests return 403 for IP-rule blocks or 429 for rate-limit blocks, and an admin activity audit record is written.

Do blocked-request logs flood admin activity?

No. Runtime blocked-request audit records are deduplicated for 60 seconds per policy/tunnel/IP/path/method key, so a burst of blocked requests from one source against one path produces a single record per minute rather than one per request.
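The 60-second deduplication described above, plus the TRAFFIC_POLICY_* action filter from the setup flow, as an added worked example. This is illustration code written for this page, not the product's audit implementation; the record fields, the choice to measure the 60 seconds from the last record actually written (not from each suppressed event), and the in-memory store are assumptions.

```python
import time

DEDUP_SECONDS = 60  # per the page: one record per policy/tunnel/IP/path/method per 60 s


class AuditLog:
    """In-memory admin activity log with dedup of runtime block records (assumed design)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.records = []
        self._last_written = {}   # dedup key -> time of last written record

    def record_block(self, action, policy_id, tunnel_id, ip, path, method):
        """Write a blocked-request record unless an identical key was written
        within DEDUP_SECONDS. Returns True when a record was written."""
        now = self.clock()
        key = (policy_id, tunnel_id, ip, path, method)
        last = self._last_written.get(key)
        if last is not None and now - last < DEDUP_SECONDS:
            return False               # suppressed: same key inside the window
        self._last_written[key] = now
        self.records.append({
            "ts": now, "action": action, "policy_id": policy_id,
            "tunnel_id": tunnel_id, "ip": ip, "path": path, "method": method,
        })
        return True

    def record_admin(self, action, policy_id):
        """Policy mutations from the admin UI are never deduplicated."""
        self.records.append({"ts": self.clock(), "action": action, "policy_id": policy_id})


def filter_actions(records, prefix="TRAFFIC_POLICY_"):
    """Equivalent of searching admin logs by TRAFFIC_POLICY_* actions."""
    return [r for r in records if r["action"].startswith(prefix)]


class FakeClock:
    """Constructed clock for a deterministic timeline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def run_scenario():
    """Constructed timeline: repeated blocks of one client on one path.
    Returns (list of written flags, number of TRAFFIC_POLICY_* records)."""
    clock = FakeClock()
    log = AuditLog(clock=clock)
    log.record_admin("TRAFFIC_POLICY_CREATE", "pol-1")
    log.record_admin("USER_LOGIN", "-")            # unrelated action, filtered out
    args = ("TRAFFIC_POLICY_BLOCK_IP", "pol-1", "tun-a", "203.0.113.9", "/api/items", "GET")
    written = [log.record_block(*args)]            # t=0.0: written
    clock.t = 30.0
    written.append(log.record_block(*args))        # suppressed
    clock.t = 59.9
    written.append(log.record_block(*args))        # still inside the window: suppressed
    written.append(log.record_block("TRAFFIC_POLICY_BLOCK_IP", "pol-1", "tun-a",
                                    "203.0.113.9", "/api/items", "POST"))  # new key: written
    clock.t = 60.0
    written.append(log.record_block(*args))        # window elapsed: written
    return written, len(filter_actions(log.records))

if __name__ == "__main__":
    print(run_scenario())
```

Because the key includes path and method, a scanner walking many paths from one blocked address still produces one record per distinct path, which keeps the signal an analyst needs while capping the volume per source.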