2026-01-29 16:06:56 +00:00
|
|
|
# Proxy server configuration
|
|
|
|
|
# Copy to config.yaml and modify as needed
|
|
|
|
|
|
|
|
|
|
# Server listen address
|
|
|
|
|
listen: ":8080"
|
|
|
|
|
|
|
|
|
|
# Public URL where this proxy is accessible
|
|
|
|
|
# Used for rewriting package metadata URLs
|
|
|
|
|
base_url: "http://localhost:8080"
|
|
|
|
|
|
|
|
|
|
# Artifact storage configuration
|
|
|
|
|
storage:
|
2026-01-29 16:13:16 +00:00
|
|
|
# Storage backend URL
|
|
|
|
|
# Supported schemes:
|
|
|
|
|
# - file:///path/to/dir - Local filesystem (default)
|
|
|
|
|
# - s3://bucket-name - Amazon S3
|
|
|
|
|
# - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)
|
|
|
|
|
#
|
|
|
|
|
# For S3, configure credentials via environment variables:
|
|
|
|
|
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
|
|
|
|
|
url: ""
|
|
|
|
|
|
|
|
|
|
# Local filesystem path (used when url is empty)
|
|
|
|
|
# Deprecated: Use url with file:// scheme instead
|
2026-01-29 16:06:56 +00:00
|
|
|
path: "./cache/artifacts"
|
|
|
|
|
|
|
|
|
|
# Maximum cache size (e.g., "10GB", "500MB")
|
|
|
|
|
# When exceeded, least recently used artifacts are evicted
|
|
|
|
|
# Empty or "0" means unlimited
|
|
|
|
|
max_size: ""
|
|
|
|
|
|
2026-04-27 12:04:38 +01:00
|
|
|
# Redirect cached artifact downloads to presigned storage URLs (HTTP 302)
|
|
|
|
|
# instead of streaming through the proxy. Only effective for S3 and Azure.
|
|
|
|
|
# Leave disabled if clients reach the proxy through an authenticating gateway,
|
|
|
|
|
# since presigned URLs bypass it.
|
|
|
|
|
direct_serve: false
|
|
|
|
|
|
|
|
|
|
# How long presigned URLs remain valid (e.g. "5m", "1h"). Default: "15m".
|
|
|
|
|
direct_serve_ttl: "15m"
|
|
|
|
|
|
2026-04-27 12:14:37 +01:00
|
|
|
# Public base URL to substitute into presigned URLs. Set this when the
|
|
|
|
|
# proxy reaches storage at an internal address (127.0.0.1, a Docker
|
|
|
|
|
# service name) but clients must use a public hostname. Only scheme and
|
|
|
|
|
# host are used; the signed path and query are preserved. For S3/MinIO
|
|
|
|
|
# the reverse proxy at this address must forward requests with the
|
|
|
|
|
# internal Host header or the SigV4 signature will not validate.
|
|
|
|
|
# direct_serve_base_url: "https://minio.example.com"
|
|
|
|
|
|
2026-01-29 16:06:56 +00:00
|
|
|
# Database configuration
|
|
|
|
|
database:
|
|
|
|
|
# Database driver: "sqlite" (default) or "postgres"
|
|
|
|
|
driver: "sqlite"
|
|
|
|
|
|
|
|
|
|
# SQLite database file path (used when driver is "sqlite")
|
|
|
|
|
path: "./cache/proxy.db"
|
|
|
|
|
|
|
|
|
|
# PostgreSQL connection URL (used when driver is "postgres")
|
|
|
|
|
# Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"
|
|
|
|
|
url: ""
|
|
|
|
|
|
|
|
|
|
# Logging configuration
|
|
|
|
|
log:
|
|
|
|
|
# Minimum log level: "debug", "info", "warn", "error"
|
|
|
|
|
level: "info"
|
|
|
|
|
|
|
|
|
|
# Log format: "text" or "json"
|
|
|
|
|
format: "text"
|
|
|
|
|
|
2026-01-29 16:33:09 +00:00
|
|
|
# Upstream registry URLs and authentication
|
2026-01-29 16:06:56 +00:00
|
|
|
upstream:
|
|
|
|
|
# npm registry URL
|
|
|
|
|
npm: "https://registry.npmjs.org"
|
|
|
|
|
|
2026-05-22 18:05:20 +02:00
|
|
|
# Maven repository URL (used by /maven endpoint)
|
|
|
|
|
maven: "https://repo1.maven.org/maven2"
|
|
|
|
|
|
|
|
|
|
# Gradle Plugin Portal Maven URL (fallback for plugin marker artifacts)
|
|
|
|
|
gradle_plugin_portal: "https://plugins.gradle.org/m2"
|
|
|
|
|
|
2026-01-29 16:06:56 +00:00
|
|
|
# Cargo sparse index URL
|
|
|
|
|
cargo: "https://index.crates.io"
|
|
|
|
|
|
|
|
|
|
# Cargo crate download URL
|
|
|
|
|
cargo_download: "https://static.crates.io/crates"
|
2026-01-29 16:33:09 +00:00
|
|
|
|
|
|
|
|
# Authentication for upstream registries
|
|
|
|
|
# Keys are URL prefixes matched against request URLs.
|
|
|
|
|
# Values can reference environment variables using ${VAR_NAME} syntax.
|
|
|
|
|
#
|
|
|
|
|
# Supported auth types:
|
|
|
|
|
# - bearer: Authorization header with Bearer token
|
|
|
|
|
# - basic: Authorization header with Basic auth (username:password)
|
|
|
|
|
# - header: Custom header name and value
|
|
|
|
|
auth:
|
|
|
|
|
# Example: npm with bearer token
|
|
|
|
|
# "https://registry.npmjs.org":
|
|
|
|
|
# type: bearer
|
|
|
|
|
# token: "${NPM_TOKEN}"
|
|
|
|
|
|
|
|
|
|
# Example: GitHub npm registry
|
|
|
|
|
# "https://npm.pkg.github.com":
|
|
|
|
|
# type: bearer
|
|
|
|
|
# token: "${GITHUB_TOKEN}"
|
|
|
|
|
|
|
|
|
|
# Example: PyPI with basic auth
|
|
|
|
|
# "https://pypi.org":
|
|
|
|
|
# type: basic
|
|
|
|
|
# username: "__token__"
|
|
|
|
|
# password: "${PYPI_TOKEN}"
|
|
|
|
|
|
|
|
|
|
# Example: Custom header for private registry
|
|
|
|
|
# "https://maven.mycompany.com":
|
|
|
|
|
# type: header
|
|
|
|
|
# header_name: "X-Auth-Token"
|
|
|
|
|
# header_value: "${MAVEN_TOKEN}"
|
2026-03-04 19:00:31 +00:00
|
|
|
|
2026-05-04 12:15:16 +02:00
|
|
|
# Gradle HttpBuildCache configuration
|
|
|
|
|
gradle:
|
|
|
|
|
build_cache:
|
|
|
|
|
# Set to true to disable PUT uploads (read-only cache mode)
|
|
|
|
|
read_only: false
|
|
|
|
|
|
|
|
|
|
# Maximum accepted Gradle cache upload body size
|
|
|
|
|
# Required and must be > 0
|
|
|
|
|
max_upload_size: "100MB"
|
|
|
|
|
|
|
|
|
|
# Evict entries older than this age (set to "0" to disable age-based eviction)
|
|
|
|
|
max_age: "168h"
|
|
|
|
|
|
|
|
|
|
# Cap total Gradle cache size; oldest entries are deleted first
|
|
|
|
|
# ("0" disables size-based eviction)
|
|
|
|
|
# max_size: "20GB"
|
|
|
|
|
|
|
|
|
|
# How often eviction runs when max_age or max_size is set
|
|
|
|
|
sweep_interval: "10m"
|
|
|
|
|
|
Add storage backend probe to /health (closes #73) (#119)
* config: add Health.StorageProbeInterval
* metrics: add proxy_health_probe_failures_total counter
* server: add storageProbe with happy-path test
* server: add storageProbe failure-mode tests
* server: add healthCache with TTL, single-flight, transition logging
* server: wire storage probe into /health
* server: update TestHealthEndpoint for JSON; wire healthCache into newTestServer
Also fix Windows file-locking issue in storageProbe: close the reader
explicitly before Delete so the file handle is released prior to os.Remove.
* server: clean up stale comment in storageProbe
* docs: document storage health probe and new metric
* docs: regenerate Swagger for /health JSON response
* server: simplify rc.Close error handling in storageProbe
* server: defer probe cleanup so size/open/read/verify failures don't leak objects
Previously, storageProbe only called Delete on the success path. Any
failure between Store and the final Delete (size mismatch, Open error,
mid-stream read failure, content mismatch) left the probe object orphaned
in the storage backend. With caching disabled and Kubernetes-rate probing,
the leak could accumulate noticeably on backends like S3.
Use a named return + defer to attempt Delete after every successful Store.
The earlier-step failure remains the primary error; Delete failure only
surfaces as step="delete" when nothing else went wrong. Add a table-driven
test that asserts cleanup runs for each non-delete failure path.
Reported by Copilot on #119.
* config: validate health.storage_probe_interval in Config.Validate
The new duration field was only validated at use time in newHealthCache.
The existing codebase already validates other duration fields
(MetadataTTL, DirectServeTTL, Gradle.MaxAge, Gradle.SweepInterval) in
Config.Validate() so misconfiguration fails fast at startup with a
config-key-specific error.
Match that pattern. The parse-at-use code in newHealthCache stays as
a safety net, mirroring the MetadataTTL precedent.
Reported by Copilot on #119.
* docs: lowercase "counter" in metrics table for consistency
Other rows in the table use lowercase type names (counter/gauge/histogram).
Match that style.
Reported by Copilot on #119.
* docs: include size-check step in /health probe description
The probe is write → size-check → read → verify → delete; the
architecture note was missing the size-check step.
Reported by Copilot on #119.
* server: address andrew's review on #119
- Drop unused callerCtx parameter from healthCache.Check (Check is now
parameter-less; the comment-only "accepted for symmetry" justification
wasn't carrying its weight).
- Emit "storage": {"status": "skipped"} on DB short-circuit instead of
omitting the key, so monitors expecting a fixed key set keep working.
- Reject negative storage_probe_interval at config validation time
(previously parsed and silently behaved like "0").
- Extract HealthConfig.Validate to keep Config.Validate under the
gocognit threshold and match the existing GradleBuildCacheConfig pattern.
- README Health Check section: note that /health is intended as a
readiness probe rather than a liveness probe (Check holds a mutex
for up to the 10s probe timeout).
- cmd/proxy/main.go godoc: column-align the new env var with the
surrounding Gradle entries.
Reported by andrew on #119.
2026-05-22 14:14:01 +03:00
|
|
|
# Health endpoint configuration.
|
|
|
|
|
health:
|
|
|
|
|
# Minimum time between storage backend probes.
|
|
|
|
|
# The /health endpoint runs a write/read/verify/delete round-trip
|
|
|
|
|
# against the configured storage backend and caches the result for
|
|
|
|
|
# this interval. Set to "0" to probe on every request.
|
|
|
|
|
# Default: "30s".
|
|
|
|
|
storage_probe_interval: "30s"
|
|
|
|
|
|
2026-03-04 19:00:31 +00:00
|
|
|
# Version cooldown configuration
|
|
|
|
|
# Hides package versions published too recently, giving the community time
|
|
|
|
|
# to spot malicious releases before they're pulled into projects.
|
|
|
|
|
# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)
|
|
|
|
|
cooldown:
|
|
|
|
|
# Global default cooldown for all ecosystems
|
|
|
|
|
# default: "3d"
|
|
|
|
|
|
|
|
|
|
# Per-ecosystem overrides
|
|
|
|
|
# ecosystems:
|
|
|
|
|
# npm: "7d"
|
|
|
|
|
# cargo: "0"
|
|
|
|
|
|
|
|
|
|
# Per-package overrides (keyed by PURL)
|
|
|
|
|
# packages:
|
|
|
|
|
# "pkg:npm/lodash": "0"
|
|
|
|
|
# "pkg:npm/@babel/core": "14d"
|
