Configuration

Configuration schema for the self-hosted engine.


The engine configuration is provided as YAML and can be overridden by environment variables. Community and enterprise builds share a common core schema; enterprise builds add further sections on top of it.

Environment overrides use the RSTREAM_ENGINE_ prefix. The rest of the variable name is lowercased and mapped to a dot path, with each double underscore acting as a nesting separator.

For example, RSTREAM_ENGINE_CONFIG selects the YAML file, RSTREAM_ENGINE_ENGINE__HOST overrides engine.host, and RSTREAM_ENGINE_TLS__LISTEN_ADDR overrides tls.listen_addr.
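The mapping rule above can be checked against a deployment's environment to see which YAML keys are shadowed by variables. The following is an added example, not code from the engine: the function names are hypothetical, the sample values are constructed, RSTREAM_ENGINE_CONFIG is assumed to act only as the file selector, and override values are left as strings because the page does not describe type coercion.

```python
import copy

PREFIX = "RSTREAM_ENGINE_"
FILE_SELECTOR = "RSTREAM_ENGINE_CONFIG"  # selects the YAML file; assumed not to be a key override

def env_to_path(name):
    """Map an override variable name to its dot path, or None if it is not an override."""
    if not name.startswith(PREFIX) or name == FILE_SELECTOR:
        return None
    rest = name[len(PREFIX):]
    # Lowercase, then turn each double underscore into a nesting separator.
    # Single underscores stay part of the key (LISTEN_ADDR -> listen_addr).
    return rest.lower().replace("__", ".") or None

def apply_overrides(config, environ):
    """Return (merged copy of config, sorted dot paths taken from the environment)."""
    merged = copy.deepcopy(config)
    applied = []
    for name in sorted(environ):
        path = env_to_path(name)
        if path is None:
            continue
        *parents, leaf = path.split(".")
        node = merged
        for key in parents:
            # Create intermediate sections that the YAML file did not define.
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[leaf] = environ[name]  # kept as a string; type coercion is not modelled
        applied.append(path)
    return merged, sorted(applied)

# Constructed sample data (hosts, addresses and paths are made up).
SAMPLE_YAML = {
    "engine": {"host": "engine.example.internal", "log_level": "info"},
    "tls": {"enabled": True, "listen_addr": "127.0.0.1:8443"},
}
SAMPLE_ENV = {
    "RSTREAM_ENGINE_CONFIG": "/etc/rstream/engine.yaml",
    "RSTREAM_ENGINE_ENGINE__HOST": "edge.example.internal",
    "RSTREAM_ENGINE_TLS__LISTEN_ADDR": "0.0.0.0:443",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    merged, applied = apply_overrides(SAMPLE_YAML, SAMPLE_ENV)
    print("overridden by environment:", applied)
```

In the sample, the YAML file binds TLS to 127.0.0.1:8443 but the environment moves it to 0.0.0.0:443, which is the kind of drift a review of the YAML file alone would miss.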

Community edition sections

The community edition top-level sections are engine, tls, certs, auth, metrics, limits, and timeouts.

The engine section contains host and log_level. Listener sections use enabled and listen_addr. Certificate configuration supports a static provider with cert_file and key_file. Authentication supports the JWT backend with token_jwt_secret. Prometheus metrics are configured under metrics.prometheus.

Enterprise edition sections

Enterprise builds add sections including quic, dtls, ech, idp, events, geoip, and packages.

The enterprise-only surface also carries the configuration required for runtime cryptographic policies such as Encrypted Client Hello and the additional listener families used by QUIC and DTLS. A shared postgresql.url can be reused by auth, events, and packages modules when a module-specific PostgreSQL URL is not provided.

Limits and timeouts

Limits include bandwidth limits per plan and tunnel count limits per plan. Timeouts include stream request and HTTP idle timeouts.