pkg-proxy/config.example.yaml

# Proxy server configuration
# Copy to config.yaml and modify as needed

# Server listen address
listen: ":8080"

# Public URL where this proxy is accessible
# Used for rewriting package metadata URLs
base_url: "http://localhost:8080"

# Artifact storage configuration
storage:
  # Storage backend URL
  # Supported schemes:
  #   - file:///path/to/dir - Local filesystem (default)
  #   - s3://bucket-name - Amazon S3
  #   - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)
  #
  # For S3, configure credentials via environment variables:
  #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
  url: ""

  # Local filesystem path (used when url is empty)
  # Deprecated: Use url with file:// scheme instead
  path: "./cache/artifacts"

  # Maximum cache size (e.g., "10GB", "500MB")
  # When exceeded, least recently used artifacts are evicted
  # Empty or "0" means unlimited
  max_size: ""

  # Redirect cached artifact downloads to presigned storage URLs (HTTP 302)
  # instead of streaming through the proxy. Only effective for S3 and Azure.
  # Leave disabled if clients reach the proxy through an authenticating gateway,
  # since presigned URLs bypass it.
  direct_serve: false

  # How long presigned URLs remain valid (e.g. "5m", "1h"). Default: "15m".
  direct_serve_ttl: "15m"

  # Public base URL to substitute into presigned URLs. Set this when the
  # proxy reaches storage at an internal address (127.0.0.1, a Docker
  # service name) but clients must use a public hostname. Only scheme and
  # host are used; the signed path and query are preserved. For S3/MinIO
  # the reverse proxy at this address must forward requests with the
  # internal Host header or the SigV4 signature will not validate.
  # direct_serve_base_url: "https://minio.example.com"

# Database configuration
database:
  # Database driver: "sqlite" (default) or "postgres"
  driver: "sqlite"

  # SQLite database file path (used when driver is "sqlite")
  path: "./cache/proxy.db"

  # PostgreSQL connection URL (used when driver is "postgres")
  # Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"
  url: ""

# Logging configuration
log:
  # Minimum log level: "debug", "info", "warn", "error"
  level: "info"

  # Log format: "text" or "json"
  format: "text"

# Ecosystem support - routes and upstream repositories
#
# This section is optional, since 'include_default' in each section
# defaults to 'true' and the route map will be populated with all of
# the default routes if no configuration is provided.
ecosystem:
  cargo:
    include_default: true
    # the default route for crates.io
    # route:
    #   - path: /cargo
    #     upstream:
    #       - name: crates.io
    #         index: https://index.crates.io
    #         crates: https://static.crates.io/crates
  composer:
    include_default: true
    # the default route for packagist.org
    # route:
    #   - path: /composer
    #     upstream:
    #       - name: packagist.org
    #         upstream: https://packagist.org
    #         repository: https://repo.packagist.org
  conan:
    include_default: true
    # the default route for conan.io
    # route:
    #   - path: /conan
    #     upstream:
    #       - name: conan.io
    #         upstream: https://center.conan.io
  conda:
    include_default: true
    # the default route for anaconda.org
    # route:
    #   - path: /conda
    #     upstream:
    #       - name: anaconda.org
    #         upstream: https://conda.anaconda.org
  cran:
    include_default: true
    # the default route for r-project.org
    # route:
    #   - path: /cran
    #     upstream:
    #       - name: r-project.org
    #         upstream: https://cloud.r-project.org
  debian:
    include_default: true
    # the default route for debian.org
    # route:
    #   - path: /debian
    #     upstream:
    #       - name: debian.org
    #         upstream: http://deb.debian.org/debian
  gem:
    include_default: true
    # the default route for rubygems.org
    # route:
    #   - path: /gem
    #     upstream:
    #       - name: rubygems.org
    #         upstream: https://rubygems.org
  go:
    include_default: true
    # the default route for golang.org
    # route:
    #   - path: /go
    #     upstream:
    #       - name: golang.org
    #         upstream: https://proxy.golang.org
  hex:
    include_default: true
    # the default route for hex.pm
    # route:
    #   - path: /hex
    #     upstream:
    #       - name: hex.pm
    #         upstream: https://repo.hex.pm
  maven:
    include_default: true
    # the default route for maven.org
    # route:
    #   - path: /maven
    #     upstream:
    #       - name: maven.org
    #         upstream: https://repo1.maven.org/maven2
  npm:
    include_default: true
    # the default route for npmjs.org
    # route:
    #   - path: /npm
    #     upstream:
    #       - name: npmjs.org
    #         upstream: https://registry.npmjs.org
  nuget:
    include_default: true
    # the default route for nuget.org
    # route:
    #   - path: /nuget
    #     upstream:
    #       - name: nuget.org
    #         upstream: https://api.nuget.org
  oci:
    include_default: true
    # the default route for docker.io
    # route:
    #   - path: /v2
    #     upstream:
    #       - name: docker.io
    #         registry: https://registry-1.docker.io
    #         auth: https://auth.docker.io
  pub:
    include_default: true
    # the default route for pub.dev
    # route:
    #   - path: /pub
    #     upstream:
    #       - name: pub.dev
    #         upstream: https://pub.dev
  pypi:
    include_default: true
    # the default route for pypi.org
    # route:
    #   - path: /pypi
    #     upstream:
    #       - name: pypi.org
    #         index: https://pypi.org
    #         files_host: files.pythonhosted.org
  rpm:
    include_default: true
    # the default route for fedoraproject.org
    # route:
    #   - path: /rpm
    #     upstream:
    #       - name: fedoraproject.org
    #         upstream: https://dl.fedoraproject.org/pub/fedora/linux

# Upstream registry URLs and authentication
upstream:
  # npm registry URL
  npm: "https://registry.npmjs.org"

  # Cargo sparse index URL
  cargo: "https://index.crates.io"

  # Cargo crate download URL
  cargo_download: "https://static.crates.io/crates"

  # Authentication for upstream registries
  # Keys are URL prefixes matched against request URLs.
  # Values can reference environment variables using ${VAR_NAME} syntax.
  #
  # Supported auth types:
  #   - bearer: Authorization header with Bearer token
  #   - basic: Authorization header with Basic auth (username:password)
  #   - header: Custom header name and value
  auth:
    # Example: npm with bearer token
    # "https://registry.npmjs.org":
    #   type: bearer
    #   token: "${NPM_TOKEN}"

    # Example: GitHub npm registry
    # "https://npm.pkg.github.com":
    #   type: bearer
    #   token: "${GITHUB_TOKEN}"

    # Example: PyPI with basic auth
    # "https://pypi.org":
    #   type: basic
    #   username: "__token__"
    #   password: "${PYPI_TOKEN}"

    # Example: Custom header for private registry
    # "https://maven.mycompany.com":
    #   type: header
    #   header_name: "X-Auth-Token"
    #   header_value: "${MAVEN_TOKEN}"

# Version cooldown configuration
# Hides package versions published too recently, giving the community time
# to spot malicious releases before they're pulled into projects.
# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)
cooldown:
  # Global default cooldown for all ecosystems
  # default: "3d"

  # Per-ecosystem overrides
  # ecosystems:
  #   npm: "7d"
  #   cargo: "0"

  # Per-package overrides (keyed by PURL)
  # packages:
  #   "pkg:npm/lodash": "0"
  #   "pkg:npm/@babel/core": "14d"
Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`# Proxy server configuration`
			`# Copy to config.yaml and modify as needed`

			`# Server listen address`
			`listen: ":8080"`

			`# Public URL where this proxy is accessible`
			`# Used for rewriting package metadata URLs`
			`base_url: "http://localhost:8080"`

			`# Artifact storage configuration`
			`storage:`
Add gocloud.dev/blob for S3 and filesystem storage Replace custom filesystem storage with gocloud.dev/blob for unified storage backend support. Supported backends: - file:///path/to/dir - Local filesystem (default) - s3://bucket-name - Amazon S3 - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO) Configuration via: - CLI flag: -storage-url - Environment: PROXY_STORAGE_URL - Config file: storage.url The old storage.path config is deprecated but still supported. 2026-01-29 16:13:16 +00:00			`# Storage backend URL`
			`# Supported schemes:`
			`# - file:///path/to/dir - Local filesystem (default)`
			`# - s3://bucket-name - Amazon S3`
			`# - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)`
			`#`
			`# For S3, configure credentials via environment variables:`
			`# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION`
			`url: ""`

			`# Local filesystem path (used when url is empty)`
			`# Deprecated: Use url with file:// scheme instead`
Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`path: "./cache/artifacts"`

			`# Maximum cache size (e.g., "10GB", "500MB")`
			`# When exceeded, least recently used artifacts are evicted`
			`# Empty or "0" means unlimited`
			`max_size: ""`

Add direct-serve via presigned storage URLs When storage.direct_serve is enabled and the backend supports it (S3, Azure), cached artifact downloads return a 302 redirect to a presigned URL instead of streaming bytes through the proxy. Falls back to streaming when the backend can't sign (fileblob, local filesystem) or signing fails. Adds the azureblob driver so azblob:// storage URLs work. Cache-hit accounting already happened before io.Copy so redirects are counted correctly; the metrics calls are pulled into a helper so both paths share them. Closes #96 2026-04-27 12:04:38 +01:00			`# Redirect cached artifact downloads to presigned storage URLs (HTTP 302)`
			`# instead of streaming through the proxy. Only effective for S3 and Azure.`
			`# Leave disabled if clients reach the proxy through an authenticating gateway,`
			`# since presigned URLs bypass it.`
			`direct_serve: false`

			`# How long presigned URLs remain valid (e.g. "5m", "1h"). Default: "15m".`
			`direct_serve_ttl: "15m"`

Add storage.direct_serve_base_url to override presigned URL host When the proxy reaches storage at an internal address (127.0.0.1, a Docker service name) the presigned URLs it generates point there too, which is useless to external clients. This adds an optional base URL that replaces the scheme and host of signed URLs before they're returned, keeping the signed path and query intact. 2026-04-27 12:14:37 +01:00			`# Public base URL to substitute into presigned URLs. Set this when the`
			`# proxy reaches storage at an internal address (127.0.0.1, a Docker`
			`# service name) but clients must use a public hostname. Only scheme and`
			`# host are used; the signed path and query are preserved. For S3/MinIO`
			`# the reverse proxy at this address must forward requests with the`
			`# internal Host header or the SigV4 signature will not validate.`
			`# direct_serve_base_url: "https://minio.example.com"`

Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`# Database configuration`
			`database:`
			`# Database driver: "sqlite" (default) or "postgres"`
			`driver: "sqlite"`

			`# SQLite database file path (used when driver is "sqlite")`
			`path: "./cache/proxy.db"`

			`# PostgreSQL connection URL (used when driver is "postgres")`
			`# Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"`
			`url: ""`

			`# Logging configuration`
			`log:`
			`# Minimum log level: "debug", "info", "warn", "error"`
			`level: "info"`

			`# Log format: "text" or "json"`
			`format: "text"`

WIP 2026-04-19 07:27:30 -04:00			`# Ecosystem support - routes and upstream repositories`
			`#`
			`# This section is optional, since 'include_default' in each section`
			`# defaults to 'true' and the route map will be populated with all of`
			`# the default routes if no configuration is provided.`
			`ecosystem:`
			`cargo:`
			`include_default: true`
			`# the default route for crates.io`
			`# route:`
			`# - path: /cargo`
			`# upstream:`
			`# - name: crates.io`
			`# index: https://index.crates.io`
			`# crates: https://static.crates.io/crates`
			`composer:`
			`include_default: true`
			`# the default route for packagist.org`
			`# route:`
			`# - path: /composer`
			`# upstream:`
			`# - name: packagist.org`
			`# upstream: https://packagist.org`
			`# repository: https://repo.packagist.org`
			`conan:`
			`include_default: true`
			`# the default route for conan.io`
			`# route:`
			`# - path: /conan`
			`# upstream:`
			`# - name: conan.io`
			`# upstream: https://center.conan.io`
			`conda:`
			`include_default: true`
			`# the default route for anaconda.org`
			`# route:`
			`# - path: /conda`
			`# upstream:`
			`# - name: anaconda.org`
			`# upstream: https://conda.anaconda.org`
			`cran:`
			`include_default: true`
			`# the default route for r-project.org`
			`# route:`
			`# - path: /cran`
			`# upstream:`
			`# - name: r-project.org`
			`# upstream: https://cloud.r-project.org`
			`debian:`
			`include_default: true`
			`# the default route for debian.org`
			`# route:`
			`# - path: /debian`
			`# upstream:`
			`# - name: debian.org`
			`# upstream: http://deb.debian.org/debian`
			`gem:`
			`include_default: true`
			`# the default route for rubygems.org`
			`# route:`
			`# - path: /gem`
			`# upstream:`
			`# - name: rubygems.org`
			`# upstream: https://rubygems.org`
			`go:`
			`include_default: true`
			`# the default route for golang.org`
			`# route:`
			`# - path: /go`
			`# upstream:`
			`# - name: golang.org`
			`# upstream: https://proxy.golang.org`
			`hex:`
			`include_default: true`
			`# the default route for hex.pm`
			`# route:`
			`# - path: /hex`
			`# upstream:`
			`# - name: hex.pm`
			`# upstream: https://repo.hex.pm`
			`maven:`
			`include_default: true`
			`# the default route for maven.org`
			`# route:`
			`# - path: /maven`
			`# upstream:`
			`# - name: maven.org`
			`# upstream: https://repo1.maven.org/maven2`
			`npm:`
			`include_default: true`
			`# the default route for npmjs.org`
			`# route:`
			`# - path: /npm`
			`# upstream:`
			`# - name: npmjs.org`
			`# upstream: https://registry.npmjs.org`
			`nuget:`
			`include_default: true`
			`# the default route for nuget.org`
			`# route:`
			`# - path: /nuget`
			`# upstream:`
			`# - name: nuget.org`
			`# upstream: https://api.nuget.org`
			`oci:`
			`include_default: true`
			`# the default route for docker.io`
			`# route:`
			`# - path: /v2`
			`# upstream:`
			`# - name: docker.io`
			`# registry: https://registry-1.docker.io`
			`# auth: https://auth.docker.io`
			`pub:`
			`include_default: true`
			`# the default route for pub.dev`
			`# route:`
			`# - path: /pub`
			`# upstream:`
			`# - name: pub.dev`
			`# upstream: https://pub.dev`
			`pypi:`
			`include_default: true`
			`# the default route for pypi.org`
			`# route:`
			`# - path: /pypi`
			`# upstream:`
			`# - name: pypi.org`
			`# index: https://pypi.org`
			`# files_host: files.pythonhosted.org`
			`rpm:`
			`include_default: true`
			`# the default route for fedoraproject.org`
			`# route:`
			`# - path: /rpm`
			`# upstream:`
			`# - name: fedoraproject.org`
			`# upstream: https://dl.fedoraproject.org/pub/fedora/linux`

Add auth pass-through for upstream registries Configure authentication per URL prefix in config: upstream: auth: "https://registry.npmjs.org": type: bearer token: "${NPM_TOKEN}" Supports bearer tokens, basic auth, and custom headers. Credentials can reference environment variables with ${VAR_NAME} syntax. The longest matching URL prefix wins when multiple patterns match. 2026-01-29 16:33:09 +00:00			`# Upstream registry URLs and authentication`
Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`upstream:`
			`# npm registry URL`
			`npm: "https://registry.npmjs.org"`

			`# Cargo sparse index URL`
			`cargo: "https://index.crates.io"`

			`# Cargo crate download URL`
			`cargo_download: "https://static.crates.io/crates"`
Add auth pass-through for upstream registries Configure authentication per URL prefix in config: upstream: auth: "https://registry.npmjs.org": type: bearer token: "${NPM_TOKEN}" Supports bearer tokens, basic auth, and custom headers. Credentials can reference environment variables with ${VAR_NAME} syntax. The longest matching URL prefix wins when multiple patterns match. 2026-01-29 16:33:09 +00:00
			`# Authentication for upstream registries`
			`# Keys are URL prefixes matched against request URLs.`
			`# Values can reference environment variables using ${VAR_NAME} syntax.`
			`#`
			`# Supported auth types:`
			`# - bearer: Authorization header with Bearer token`
			`# - basic: Authorization header with Basic auth (username:password)`
			`# - header: Custom header name and value`
			`auth:`
			`# Example: npm with bearer token`
			`# "https://registry.npmjs.org":`
			`# type: bearer`
			`# token: "${NPM_TOKEN}"`

			`# Example: GitHub npm registry`
			`# "https://npm.pkg.github.com":`
			`# type: bearer`
			`# token: "${GITHUB_TOKEN}"`

			`# Example: PyPI with basic auth`
			`# "https://pypi.org":`
			`# type: basic`
			`# username: "__token__"`
			`# password: "${PYPI_TOKEN}"`

			`# Example: Custom header for private registry`
			`# "https://maven.mycompany.com":`
			`# type: header`
			`# header_name: "X-Auth-Token"`
			`# header_value: "${MAVEN_TOKEN}"`
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer. 2026-03-04 19:00:31 +00:00
			`# Version cooldown configuration`
			`# Hides package versions published too recently, giving the community time`
			`# to spot malicious releases before they're pulled into projects.`
			`# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)`
			`cooldown:`
			`# Global default cooldown for all ecosystems`
			`# default: "3d"`

			`# Per-ecosystem overrides`
			`# ecosystems:`
			`# npm: "7d"`
			`# cargo: "0"`

			`# Per-package overrides (keyed by PURL)`
			`# packages:`
			`# "pkg:npm/lodash": "0"`
			`# "pkg:npm/@babel/core": "14d"`