Configuration
Configuration schema for the self-hosted engine.
The engine configuration is YAML with environment overrides. This page documents the public Community Edition (CE) surface; it is the configuration contract for self-hosted CE operators.
Environment overrides use the RSTREAM_ENGINE_ prefix. Double underscores represent nested separators. For example, RSTREAM_ENGINE_ENGINE__HOST maps to engine.host, and RSTREAM_ENGINE_TLS__LISTEN_ADDR maps to tls.listen_addr.
Use double underscores for nested keys in operational configuration. Single underscores remain part of field names such as log_level, listen_addr, cert_file, and token_jwt_secret.
Community Edition Schema
The CE top-level sections are engine, http, tls, certs, auth, metrics, and timeouts.
```yaml
engine:
  host: edge.example.com
  log_level: info
http:
  enabled: true
  listen_addr: "[::]:80"
tls:
  enabled: true
  listen_addr: "[::]:443"
certs:
  static:
    enabled: true
    cert_file: /etc/rstream/tls/cert.pem
    key_file: /etc/rstream/tls/key.pem
auth:
  jwt:
    enabled: true
    token_jwt_secret: "<read-from-env-in-production>"
metrics:
  prometheus:
    enabled: true
    listen_addr: "127.0.0.1:9090"
    path: /metrics
timeouts:
  stream_request_seconds: 30
  http_idle_seconds: 90
```
Required Fields
| Field | Required | Notes |
|---|---|---|
| engine.host | Yes | Base public hostname used for SNI parsing, Engine API, agent control channels, and tunnel host generation. Do not include a scheme or port. |
| engine.log_level | Yes | debug, info, warn, or error. |
| tls.enabled | Yes | CE requires the TLS listener. |
| tls.listen_addr | Yes | Bind address for the TCP/TLS listener. |
| certs.static.enabled | Yes | CE requires the static certificate provider. |
| certs.static.cert_file | Yes | PEM certificate chain. |
| certs.static.key_file | Yes | PEM private key matching the certificate. |
| auth.jwt.enabled | Yes | CE requires JWT authentication. |
| auth.jwt.token_jwt_secret | Yes | HS256 shared secret used to validate agent tokens. |
Field Reference
| Field | Type | Default behavior | Environment override |
|---|---|---|---|
| engine.host | string | Required. | RSTREAM_ENGINE_ENGINE__HOST |
| engine.log_level | string | Required; use info unless debugging. | RSTREAM_ENGINE_ENGINE__LOG_LEVEL |
| http.enabled | boolean | Optional redirect listener. | RSTREAM_ENGINE_HTTP__ENABLED |
| http.listen_addr | string | Required when http.enabled is true. | RSTREAM_ENGINE_HTTP__LISTEN_ADDR |
| tls.enabled | boolean | Must be true in CE. | RSTREAM_ENGINE_TLS__ENABLED |
| tls.listen_addr | string | Required. | RSTREAM_ENGINE_TLS__LISTEN_ADDR |
| certs.static.enabled | boolean | Must be true in CE. | RSTREAM_ENGINE_CERTS__STATIC__ENABLED |
| certs.static.cert_file | string | Required when static certs are enabled. | RSTREAM_ENGINE_CERTS__STATIC__CERT_FILE |
| certs.static.key_file | string | Required when static certs are enabled. | RSTREAM_ENGINE_CERTS__STATIC__KEY_FILE |
| auth.jwt.enabled | boolean | Must be true in CE. | RSTREAM_ENGINE_AUTH__JWT__ENABLED |
| auth.jwt.token_jwt_secret | string | Required. Keep outside source-controlled YAML. | RSTREAM_ENGINE_AUTH__JWT__TOKEN_JWT_SECRET |
| metrics.prometheus.enabled | boolean | Optional. | RSTREAM_ENGINE_METRICS__PROMETHEUS__ENABLED |
| metrics.prometheus.listen_addr | string | Required when Prometheus is enabled. | RSTREAM_ENGINE_METRICS__PROMETHEUS__LISTEN_ADDR |
| metrics.prometheus.path | string | Defaults to /metrics when empty. | RSTREAM_ENGINE_METRICS__PROMETHEUS__PATH |
| metrics.prometheus.bearer_token | string | Required when the metrics listener binds to a non-loopback address. | RSTREAM_ENGINE_METRICS__PROMETHEUS__BEARER_TOKEN |
| metrics.prometheus.shutdown_timeout_seconds | integer | Optional graceful shutdown timeout. | RSTREAM_ENGINE_METRICS__PROMETHEUS__SHUTDOWN_TIMEOUT_SECONDS |
| timeouts.stream_request_seconds | integer | Optional timeout for stream request setup. | RSTREAM_ENGINE_TIMEOUTS__STREAM_REQUEST_SECONDS |
| timeouts.http_idle_seconds | integer | Optional idle timeout for HTTP handling. | RSTREAM_ENGINE_TIMEOUTS__HTTP_IDLE_SECONDS |
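The following is an added example, not rstream's own code, showing how the RSTREAM_ENGINE_ override mapping described at the top of this page resolves onto nested keys, and how the Required Fields and Field Reference rules above can be checked before the engine starts. The key mapping (prefix strip, double underscore as nesting separator, lowercase field names) is as documented; the coercion of "true"/"false" and integer strings, the function names, and the loopback parsing are this example's assumptions.

```javascript
const PREFIX = "RSTREAM_ENGINE_";
const LOG_LEVELS = new Set(["debug", "info", "warn", "error"]);

// Assumed coercion: the engine is taken to accept "true"/"false" and integers from the environment.
function coerce(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  return /^-?\d+$/.test(raw) ? Number.parseInt(raw, 10) : raw;
}

// Merge RSTREAM_ENGINE_* overrides into a copy of `base`. Double underscores
// separate nesting levels; single underscores stay in the field name, so
// RSTREAM_ENGINE_TLS__LISTEN_ADDR sets tls.listen_addr.
function applyEnvOverrides(base, env) {
  const config = JSON.parse(JSON.stringify(base));
  for (const [name, raw] of Object.entries(env)) {
    if (!name.startsWith(PREFIX)) continue;
    const segments = name.slice(PREFIX.length).split("__").map((s) => s.toLowerCase());
    let node = config;
    for (const key of segments.slice(0, -1)) {
      if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[segments[segments.length - 1]] = coerce(raw);
  }
  return config;
}

// Look up a dotted path such as "certs.static.cert_file".
function get(config, dotted) {
  return dotted.split(".").reduce((n, k) => (n == null ? undefined : n[k]), config);
}

// "127.0.0.1:9090" and "[::1]:9090" are loopback; "0.0.0.0:9090" and "[::]:9090" are not.
function isLoopbackListenAddr(addr) {
  const m = /^\[([^\]]+)\]:\d+$/.exec(addr) || /^([^:]+):\d+$/.exec(addr);
  return Boolean(m) && (m[1] === "::1" || m[1].startsWith("127."));
}

// Apply the CE rules from the tables above; returns the list of violations (empty when valid).
function validateCeConfig(config) {
  const errors = [];
  const present = (p) => { const v = get(config, p); return v !== undefined && v !== null && v !== ""; };
  const required = (p) => { if (!present(p)) errors.push(`${p} is required`); };
  const mustBeTrue = (p) => { if (get(config, p) !== true) errors.push(`${p} must be true in CE`); };

  required("engine.host");
  if (present("engine.host") && /[:/]/.test(get(config, "engine.host"))) {
    errors.push("engine.host must not include a scheme or port");
  }
  if (!LOG_LEVELS.has(get(config, "engine.log_level"))) errors.push("engine.log_level must be debug, info, warn, or error");
  mustBeTrue("tls.enabled");
  required("tls.listen_addr");
  mustBeTrue("certs.static.enabled");
  required("certs.static.cert_file");
  required("certs.static.key_file");
  mustBeTrue("auth.jwt.enabled");
  required("auth.jwt.token_jwt_secret");
  if (get(config, "http.enabled") === true) required("http.listen_addr");
  if (get(config, "metrics.prometheus.enabled") === true) {
    required("metrics.prometheus.listen_addr");
    const addr = get(config, "metrics.prometheus.listen_addr");
    if (present("metrics.prometheus.listen_addr") && !isLoopbackListenAddr(addr) && !present("metrics.prometheus.bearer_token")) {
      errors.push("metrics.prometheus.bearer_token is required when the metrics listener is not on loopback");
    }
  }
  return errors;
}
```

Running `validateCeConfig(applyEnvOverrides(yamlConfig, process.env))` in a deployment pre-check surfaces a missing `auth.jwt.token_jwt_secret` or an exposed metrics listener before the engine is started, rather than at the first rejected request.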
JWT Authentication
CE validates HS256 JWTs with auth.jwt.token_jwt_secret. A valid token authenticates to the engine host itself; there is no project endpoint in CE.
Use a high-entropy secret, bounded token lifetimes with exp, and a normal secret rotation process. CE does not persist token records and does not call the hosted Control plane.
```shell
# Generate the HS256 secret and expose it under the documented environment
# override, so the same value configures the engine and signs the agent token.
export RSTREAM_ENGINE_AUTH__JWT__TOKEN_JWT_SECRET="$(openssl rand -base64 32)"
export RSTREAM_AGENT_TOKEN="$(
node <<'NODE'
const crypto = require("crypto");
const now = Math.floor(Date.now() / 1000);
const secret = process.env.RSTREAM_ENGINE_AUTH__JWT__TOKEN_JWT_SECRET;
// base64url-encode a JSON value without padding (Node 16 or later)
const b64 = (value) => Buffer.from(JSON.stringify(value)).toString("base64url");
const header = b64({ alg: "HS256", typ: "JWT" });
// bounded lifetime: the token expires one hour after issue
const payload = b64({ type: "pat", sub: "agent", iat: now, exp: now + 3600 });
const signature = crypto.createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
console.log(`${header}.${payload}.${signature}`);
NODE
)"
```
Static TLS Provider
certs.static.cert_file and certs.static.key_file must point to files readable by the engine process. For CE, the certificate should include SANs for the base engine host and the tunnel wildcard:
```text
DNS:edge.example.com
DNS:*.t.edge.example.com
```
The static provider reloads the certificate pair on a later TLS handshake when either file's modification time changes. This allows an ACME sidecar to update the files without restarting the engine. Write renewed material to temporary files first, then rename both files into place so the engine never observes partially written PEM data.
Prometheus Metrics
Prometheus metrics are optional. When enabled, metrics.prometheus.listen_addr is required. The default path is /metrics when path is empty.
If the metrics listener binds to a non-loopback address, configure metrics.prometheus.bearer_token and make the scraper send:
```text
Authorization: Bearer <metrics-token>
```
This guard prevents accidental exposure when the listener is bound to 0.0.0.0 or [::] for container networking.
Configuration Contract
The public CE configuration contract is the schema documented on this page. Keep CE configuration limited to those fields. If configuration validation rejects an extra section, remove it and use the documented CE fields.
Use hosted rstream or contact rstream for a private deployment when the runtime must enforce managed project controls, certificate-backed authentication, browser-based access flows, network access policies, persisted operational history, or automatic certificate management.