Reverse Proxy Routes
Publish a service that Temps does not deploy by mapping its hostname to an upstream host:port. Temps validates the destination, protects managed domains from accidental overrides, updates the live Pingora route table, and records every mutation in the audit log.
What is a reverse proxy route
A reverse proxy route is for an unmanaged service that already runs on your server or private network. Examples include a sidecar from another Docker Compose stack, an object-storage console, or a legacy application on a fixed port.
Use a normal Temps project domain for applications that Temps builds and deploys. Use a reverse proxy route only when Temps should forward traffic without managing the upstream lifecycle.
Each route stores:
| Field | Purpose |
|---|---|
| Domain | Public hostname matched by HTTP Host or TLS SNI |
| Upstream | Validated literal address and port |
| Type | http for TLS termination or tls for SNI passthrough |
| Override intent | Whether the route may replace a Temps-managed hostname |
Route mutations use the authenticated load-balancer API, so your token needs the load-balancer write permission.
Create a route
Set the API URL and token without placing the token directly in shell history, then add the route:
export TEMPS_API_URL=https://your-temps-instance.com
export TEMPS_API_TOKEN="$TEMPS_TOKEN"
temps route add --domain status.yourdomain.com --upstream upstream.yourdomain.com:9300
--domain has the short form -d, --upstream has -u, and --type has -t. The upstream must include a port. Wrap IPv6 literals in brackets before the port.
The CLI normalizes the hostname before sending it to the server. The server rejects invalid domains, overlapping wildcard routes, unsafe destinations, and collisions that you have not explicitly acknowledged.
Choose HTTP or TLS
| Type | Proxy behavior | Certificate owner |
|---|---|---|
http | Temps terminates TLS and routes by the HTTP Host header | Temps needs a certificate for the route hostname |
tls | Temps routes by SNI without terminating TLS | The upstream presents and manages its certificate |
HTTP is the default:
temps route add -d status.yourdomain.com -u upstream.yourdomain.com:9300 --type http
After creating an HTTP route, provision or import its certificate with the temps domain commands. A TLS route needs no certificate in Temps:
temps route add -d database.yourdomain.com -u upstream.yourdomain.com:9443 --type tls
Route private upstreams
Private and loopback upstreams require an explicit acknowledgement because the route can expose an internal service to public traffic:
temps route add \
-d sentry.yourdomain.com \
-u 127.0.0.1:9300 \
--allow-private-upstream
The flag permits loopback, RFC 1918, and IPv6 ULA destinations. It does not permit link-local, cloud-metadata, unspecified, broadcast, multicast, documentation, benchmarking, or other non-global special-purpose ranges.
Temps resolves hostname upstreams when you create the route, validates every result, and stores a validated literal address. The proxy does not re-resolve an operator-supplied hostname after the SSRF check.
Inspect and delete routes
temps route list
temps route list --json
temps route show --domain status.yourdomain.com
temps route show --domain status.yourdomain.com --json
temps route rm --domain status.yourdomain.com --yes
list also accepts the alias ls; delete accepts rm. Deletion requires --yes, so a script cannot remove a route without an explicit confirmation flag.
Limits and safety rules
- Temps-managed project, environment, deployment, and internal hostnames take precedence over a custom route.
- Use
--force-overrideonly when you deliberately want the custom route to replace a managed hostname. Temps stores this acknowledgement with the route so it survives route-table reloads. - Wildcard overlaps are rejected instead of relying on ambiguous match order.
- Direct database writes do not bypass destination checks; the route loader repeats literal-address validation before activating a route.
- The first command set supports add, list, show, and delete. Update, enable, and disable commands are not available yet.