Self-Hosted
Run the rstream engine in private infrastructure.
Self-hosted deployments run the rstream engine in infrastructure you operate. This is useful when the edge entrypoint, certificates, logs, metrics, network policy, or data path must stay under your operational control.
The public self-hosted binary documented here is Community Edition, rstream-engine-ce. It is a single-process edge runtime that terminates TLS, authenticates agents with local JWT validation, keeps live client and tunnel state in memory, and forwards traffic to connected agents.
Self-hosted CE is an engine deployment, not the hosted rstream Control plane. It has no projects, workspaces, plans, billing model, dashboard provisioning, or managed credential records. Agents and SDKs connect directly to the configured engine host, authenticate with a JWT signed by your engine secret, and create tunnels against that engine.
Runtime Model
engine.host is the public base hostname of the engine. In CE, the same base host is used for the agent control channel and for the Engine HTTP API. Published tunnel hostnames live under .t.<engine-host>.
| Hostname form | Purpose |
|---|---|
edge.example.com | Base engine host. Agents connect here with ALPN rstrm/1; the Engine API is also served here. |
<label>.t.edge.example.com | Published tunnel hostname. The label is generated by the engine unless the agent or SDK requests a stable label. |
DNS must route the base host and the tunnel wildcard to the engine:
edge.example.com A/AAAA <engine-public-ip>
*.t.edge.example.com CNAME edge.example.comThe hosted project-endpoint resolution model is not part of the CE runtime contract. CE agents use the base engine host directly.
Community Edition Scope
CE supports the TCP/TLS engine listener, an optional HTTP redirect listener, static TLS certificates, JWT agent authentication, Prometheus metrics, and bytestream tunnels. Published HTTP and TLS tunnels are supported over the TCP/TLS listener. Private bytestream tunnels are supported.
Use hosted rstream or contact rstream for a private deployment when the runtime must enforce managed project controls, certificate-backed authentication, browser-based access flows, network access policies, persisted operational history, or automatic certificate management.
Static TLS certificate files are reloaded automatically on later TLS handshakes when the certificate or key file changes. This makes CE compatible with an ACME sidecar or deploy hook that writes renewed material into a shared volume.
Related Pages
Deployment covers DNS, TLS, ports, and Compose shape. Configuration documents the CE configuration surface. Operations covers health checks, metrics, certificate rotation, upgrades, and troubleshooting.
For a complete runnable deployment, see Self-Host rstream Engine CE with Docker Compose.