Gateway Transport
The proxy's HTTP client for upstream connections supports connection pooling, mTLS, HTTP/2, TLS session caching and SOCKS5 proxying. Every setting is configured per upstream under that upstream's transport block.
Configuration

```yaml
upstreams:
  - name: myapi
    type: http
    tool_prefix: api
    base_url: https://api.internal
    openapi:
      source: https://api.internal/openapi.yaml
    transport:
      timeout: 30s
      max_idle_conns: 100
      max_idle_conns_per_host: 10
      idle_conn_timeout: 90s
      tls:
        ca_cert: /etc/certs/ca.crt
        client_cert: /etc/certs/client.crt
        client_key: /etc/certs/client.key
        insecure_skip_verify: false
      http2: true
```

Connection pooling
| Field | Default | Description |
|---|---|---|
| max_idle_conns | 100 | Maximum idle connections across all hosts |
| max_idle_conns_per_host | 10 | Maximum idle connections per host |
| idle_conn_timeout | 90s | How long idle connections are kept open |
| timeout | 30s | Total request timeout (including response body read) |
TLS / mTLS
Configure per-upstream TLS for one-way TLS (the proxy verifies the upstream) or mutual TLS (the upstream also verifies the proxy's client certificate):

```yaml
transport:
  tls:
    ca_cert: /etc/certs/ca.crt            # custom CA for upstream
    client_cert: /etc/certs/client.crt    # mTLS client cert
    client_key: /etc/certs/client.key     # mTLS client key
    server_name: api.internal             # override SNI
    insecure_skip_verify: false           # never set true in production
```

ca_cert replaces the trust store for this upstream: only certificates chaining to that CA are accepted. server_name overrides the SNI hostname sent in the handshake; use it when base_url points at an IP address or load-balancer name that differs from the name on the upstream certificate. insecure_skip_verify: true disables certificate verification entirely, so any certificate presented on the path, including one from an on-path attacker, is accepted; leave it false and fix the trust store instead.

Certificate files are read at startup and again on config reload. To rotate certificates, replace the files and trigger a config reload; no restart is required.
HTTP/2

```yaml
transport:
  http2: true   # enable HTTP/2 for this upstream (default: false)
```

HTTP/2 is negotiated via ALPN during the TLS handshake, so it requires an https base_url and an upstream that offers h2. The upstream must support it.
TLS session caching
TLS session tickets are cached automatically when HTTP/2 or persistent connections are used, so a reconnect to the same upstream can resume the previous session instead of running a full handshake. This reduces TLS handshake overhead for high-throughput upstreams.
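The following is an added example, not the gateway's own code: it shows how the settings from the Configuration, TLS / mTLS, HTTP/2 and TLS session caching sections map onto a Go net/http client, and what each TLS setting actually changes on the wire. Everything in it is an assumption for illustration: the function names NewClient, NewCert, StartUpstream and Scenario, the in-memory throwaway PKI that stands in for the files under /etc/certs, and the httptest server that plays api.internal. The proxy block is not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewClient maps the transport: settings onto net/http (pool sizes and timeouts are the page's defaults).
func NewClient(caPool *x509.CertPool, clientCert tls.Certificate, serverName string, http2, skipVerify bool) *http.Client {
	tcfg := &tls.Config{MinVersion: tls.VersionTLS12,
		RootCAs:            caPool,                           // tls.ca_cert: the only trust anchor for this upstream
		ServerName:         serverName,                       // tls.server_name: SNI, and the name the cert is checked against
		InsecureSkipVerify: skipVerify,                       // tls.insecure_skip_verify: true disables chain AND name checks
		ClientSessionCache: tls.NewLRUClientSessionCache(64), // TLS session caching: reconnects resume instead of re-handshaking
	}
	if clientCert.Leaf != nil {
		tcfg.Certificates = []tls.Certificate{clientCert} // tls.client_cert/client_key: presented when the upstream asks (mTLS)
	}
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{ // timeout: 30s (whole request)
		TLSClientConfig: tcfg, MaxIdleConns: 100, MaxIdleConnsPerHost: 10, // max_idle_conns, max_idle_conns_per_host
		IdleConnTimeout:   90 * time.Second, // idle_conn_timeout
		ForceAttemptHTTP2: http2,            // http2: offer "h2" via ALPN, fall back to HTTP/1.1 if the upstream declines
	}}
}

// NewCert issues a P-256 cert for cn, self-signed when parent is nil (throwaway in-memory test PKI only).
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// StartUpstream stands in for api.internal: it demands a client cert issued by clientCA and names the peer in a header.
func StartUpstream(server tls.Certificate, clientCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Peer", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, NextProtos: []string{"h2", "http/1.1"}}
	srv.StartTLS()
	return srv
}

// Scenario builds the PKI, starts the upstream and returns "<peer> over <proto>" or the handshake error.
func Scenario(trustCA, sendClientCert, skipVerify, http2 bool) (string, error) {
	ca := NewCert("Internal Root CA", true, nil, nil)
	caKey := ca.PrivateKey.(*ecdsa.PrivateKey)
	up := StartUpstream(NewCert("api.internal", false, ca.Leaf, caKey), ca.Leaf)
	defer up.Close()
	pool := x509.NewCertPool() // left empty = no trust anchor, so chain verification must fail
	if trustCA {
		pool.AddCert(ca.Leaf)
	}
	var clientCert tls.Certificate // zero value: no client certificate offered
	if sendClientCert {
		clientCert = NewCert("gateway", false, ca.Leaf, caKey)
	}
	// up.URL is https://127.0.0.1:<port>; the SNI override makes it match the api.internal certificate.
	resp, err := NewClient(pool, clientCert, "api.internal", http2, skipVerify).Get(up.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Peer") + " over " + resp.Proto, nil
}

func main() {
	for _, s := range [][4]bool{{true, true, false, true}, {true, true, false, false}, {false, true, false, true}, {true, false, false, true}, {false, true, true, true}} {
		got, err := Scenario(s[0], s[1], s[2], s[3]) // trustCA, sendClientCert, skipVerify, http2
		fmt.Printf("%v -> %q %v\n", s, got, err)
	}
}
```

Running it prints one line per scenario. The first two show the same mTLS session negotiated as HTTP/2.0 and HTTP/1.1 depending only on whether h2 was offered via ALPN. The last three are the ones a reviewer cares about: a trust store without the upstream's CA fails chain verification, a gateway without a client certificate is refused by the upstream even though its own trust store is correct, and with insecure_skip_verify set the connection to a server whose certificate chains to no trusted CA succeeds, which is precisely the property an on-path attacker needs.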
SOCKS5 proxy

```yaml
transport:
  proxy:
    url: socks5://proxy.internal:1080
    username: ${PROXY_USER}
    password: ${PROXY_PASS}
```

All connections to this upstream are routed through the SOCKS5 proxy. Credentials are optional; as in the example, reference them from the environment rather than writing them into the config file. TLS is still established end to end with the upstream through the proxy, so the TLS settings above apply unchanged.
Per-upstream defaults
Each upstream has its own independent HTTP client. Transport settings from one upstream do not affect others.
MCP transports
The proxy itself also exposes MCP over two transports (configured under server):
| Transport | Description |
|---|---|
| streamable-http | HTTP with streaming responses (MCP default) |
| sse | Server-Sent Events for clients that prefer SSE |

```yaml
server:
  port: 8080
  transport:
    - streamable-http
    - sse
```

See also
- Authentication — outbound auth (separate from TLS)
- Kubernetes — mounting TLS certs as Secrets