Deployment

The community edition engine runs as a single process named rstream-engine-ce. It reads configuration from a YAML file specified by --config (or -c) or by the RSTREAM_ENGINE_CONFIG environment variable.

The engine requires TLS and a certificate provider. In the community edition build, certificate management is static: a certificate file and key file must be provided. Automatic certificate management is not available in this build.

Authentication also requires configuration. The community edition build supports the JWT backend and requires a shared secret for token verification.

At runtime, the public engine.host value is used for SNI parsing and tunnel hostname generation. The TLS listener accepts control-channel sessions from rstream clients and downstream traffic for published tunnels. When HTTP redirect support is enabled, the HTTP listener is a separate entrypoint.

Minimal community edition configuration

The minimal configuration for a community edition deployment includes an engine host, TLS listener address, static certificate files, and JWT authentication:

engine:
  host: "engine.example.com"
  log_level: "info"
tls:
  enabled: true
  listen_addr: ":443"
certs:
  static:
    enabled: true
    cert_file: "/etc/rstream/tls.crt"
    key_file: "/etc/rstream/tls.key"
auth:
  jwt:
    enabled: true
    token_jwt_secret: "<secret>"

Enterprise deployment notes

Enterprise builds extend the engine with additional configuration sections, including QUIC and DTLS listeners, identity provider integration, event storage, GeoIP support, and package distribution.