apisix/docs/en/latest/stream-proxy.md

---
title: Stream Proxy
---

<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->

TCP is the protocol for many popular applications and services, such as LDAP, MySQL, and RTMP. UDP (User Datagram Protocol) is the protocol for many popular non-transactional applications, such as DNS, syslog, and RADIUS.

APISIX can dynamically load balancing TCP/UDP proxy. In Nginx world, we call TCP/UDP proxy to stream proxy, we followed this statement.

## How to enable stream proxy?

Setting the `stream_proxy` option in `conf/config.yaml`, specify a list of addresses that require dynamic proxy.
By default, no stream proxy is enabled.

```yaml
apisix:
  stream_proxy: # TCP/UDP proxy
    tcp: # TCP proxy address list
      - 9100
      - "127.0.0.1:9101"
    udp: # UDP proxy address list
      - 9200
      - "127.0.0.1:9211"
```

If you need to enable both HTTP and stream proxy, set the `only` to false:

```yaml
apisix:
  stream_proxy: # TCP/UDP proxy
    only: false
    tcp: # TCP proxy address list
      - 9100
```

## How to set route?

Here is a mini example:

```shell
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "remote_addr": "127.0.0.1",
    "upstream": {
        "nodes": {
            "127.0.0.1:1995": 1
        },
        "type": "roundrobin"
    }
}'
```

It means APISIX will proxy the request to `127.0.0.1:1995` which the client remote address is `127.0.0.1`.

For more use cases, please take a look at [test case](https://github.com/apache/apisix/blob/master/t/stream-node/sanity.t).

## More route match options

And we can add more options to match a route.

Here is an example:

```shell
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "server_addr": "127.0.0.1",
    "server_port": 2000,
    "upstream": {
        "nodes": {
            "127.0.0.1:1995": 1
        },
        "type": "roundrobin"
    }
}'
```

It means APISIX will proxy the request to `127.0.0.1:1995` which the server address is `127.0.0.1` and the server port is equal to `2000`.

Read [Admin API's Stream Route section](./admin-api.md#stream-route) for the complete options list.

## Accept TLS over TCP

APISIX can accept TLS over TCP.

First of all, we need to enable TLS for the TCP address:

```yaml
apisix:
  stream_proxy: # TCP/UDP proxy
    tcp: # TCP proxy address list
      - addr: 9100
        tls: true
```

Second, we need to configure certificate for the given SNI.
See [Admin API's SSL section](./admin-api.md#ssl) for how to do.

Third, we need to configure a stream route to match and proxy it to the upstream:

```shell
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "remote_addr": "127.0.0.1",
    "upstream": {
        "nodes": {
            "127.0.0.1:1995": 1
        },
        "type": "roundrobin"
    }
}'
```

When the connection is TLS over TCP, we can use the SNI to match a route, like:

```shell
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "sni": "a.test.com",
    "upstream": {
        "nodes": {
            "127.0.0.1:5991": 1
        },
        "type": "roundrobin"
    }
}'
```

In this case, a connection handshaked with SNI `a.test.com` will be proxied to `127.0.0.1:5991`.
docs: Added title to markdown under `docs` (#3685) 2021-02-26 21:40:08 +08:00			`---`
			`title: Stream Proxy`
			`---`

license: add ASF header. (#743) 2019-10-31 09:27:28 +08:00			`<!--`
			`#`
			`# Licensed to the Apache Software Foundation (ASF) under one or more`
			`# contributor license agreements. See the NOTICE file distributed with`
			`# this work for additional information regarding copyright ownership.`
			`# The ASF licenses this file to You under the Apache License, Version 2.0`
			`# (the "License"); you may not use this file except in compliance with`
			`# the License. You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`#`
			`-->`

feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			`TCP is the protocol for many popular applications and services, such as LDAP, MySQL, and RTMP. UDP (User Datagram Protocol) is the protocol for many popular non-transactional applications, such as DNS, syslog, and RADIUS.`

feat(stream): accept tls over tcp (#4409) 2021-06-11 17:23:16 +08:00			`APISIX can dynamically load balancing TCP/UDP proxy. In Nginx world, we call TCP/UDP proxy to stream proxy, we followed this statement.`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00
docs: improve stream route/proxy (#4389) Signed-off-by: spacewander <spacewanderlzx@gmail.com> 2021-06-09 09:12:51 +08:00			`## How to enable stream proxy?`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00
			Setting the `stream_proxy` option in `conf/config.yaml`, specify a list of addresses that require dynamic proxy.
feat(stream): accept tls over tcp (#4409) 2021-06-11 17:23:16 +08:00			`By default, no stream proxy is enabled.`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00
doc: fix some doc styles for files in doc/ (#1475) 2020-04-20 09:07:42 +08:00			```yaml
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			`apisix:`
fix: invalid links in markdown files (#3712) 2021-03-02 17:12:21 +08:00			`stream_proxy: # TCP/UDP proxy`
			`tcp: # TCP proxy address list`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			`- 9100`
docs: fix stream proxy example (#2819) fix #2808 2020-11-23 11:18:40 +08:00			`- "127.0.0.1:9101"`
fix: invalid links in markdown files (#3712) 2021-03-02 17:12:21 +08:00			`udp: # UDP proxy address list`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			`- 9200`
docs: fix stream proxy example (#2819) fix #2808 2020-11-23 11:18:40 +08:00			`- "127.0.0.1:9211"`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			```

change: enable stream proxy only by default (#4580) Signed-off-by: spacewander <spacewanderlzx@gmail.com> 2021-07-14 10:33:36 +08:00			If you need to enable both HTTP and stream proxy, set the `only` to false:

			```yaml
			`apisix:`
			`stream_proxy: # TCP/UDP proxy`
			`only: false`
			`tcp: # TCP proxy address list`
			`- 9100`
			```

feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			`## How to set route?`

			`Here is a mini example:`

			```shell
Revert "refactor: separate admin and proxy port in default config (#2802)" (#2871) This reverts commit b13f16744541bfbd02ae87814f77eb5893e2d859. Co-authored-by: Vinci Xu <277040271@qq.com> 2020-11-28 19:05:14 +08:00			`curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00			`{`
			`"remote_addr": "127.0.0.1",`
			`"upstream": {`
			`"nodes": {`
			`"127.0.0.1:1995": 1`
			`},`
			`"type": "roundrobin"`
			`}`
			`}'`
			```

			It means APISIX will proxy the request to `127.0.0.1:1995` which the client remote address is `127.0.0.1`.

fix: invalid links in markdown files (#3712) 2021-03-02 17:12:21 +08:00			`For more use cases, please take a look at [test case](https://github.com/apache/apisix/blob/master/t/stream-node/sanity.t).`
feature: support dynamic stream(TCP/UDP) proxy in apisix. (#501) * feature: support stream in apisix. * doc: added new feature in README. * CLI and added more doc. 2019-09-12 13:27:18 +08:00
docs: improve stream route/proxy (#4389) Signed-off-by: spacewander <spacewanderlzx@gmail.com> 2021-06-09 09:12:51 +08:00			`## More route match options`
doc: added new example to `stream-proxy`. (#520) * doc: added new example to `stream-proxy`. * doc: new doc about `mqtt-proxy`. 2019-09-16 13:03:26 +08:00
docs: improve stream route/proxy (#4389) Signed-off-by: spacewander <spacewanderlzx@gmail.com> 2021-06-09 09:12:51 +08:00			`And we can add more options to match a route.`

			`Here is an example:`
doc: added new example to `stream-proxy`. (#520) * doc: added new example to `stream-proxy`. * doc: new doc about `mqtt-proxy`. 2019-09-16 13:03:26 +08:00
			```shell
Revert "refactor: separate admin and proxy port in default config (#2802)" (#2871) This reverts commit b13f16744541bfbd02ae87814f77eb5893e2d859. Co-authored-by: Vinci Xu <277040271@qq.com> 2020-11-28 19:05:14 +08:00			`curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '`
doc: added new example to `stream-proxy`. (#520) * doc: added new example to `stream-proxy`. * doc: new doc about `mqtt-proxy`. 2019-09-16 13:03:26 +08:00			`{`
			`"server_addr": "127.0.0.1",`
			`"server_port": 2000,`
			`"upstream": {`
			`"nodes": {`
			`"127.0.0.1:1995": 1`
			`},`
			`"type": "roundrobin"`
			`}`
			`}'`
			```

feat(stream): accept tls over tcp (#4409) 2021-06-11 17:23:16 +08:00			It means APISIX will proxy the request to `127.0.0.1:1995` which the server address is `127.0.0.1` and the server port is equal to `2000`.
docs: improve stream route/proxy (#4389) Signed-off-by: spacewander <spacewanderlzx@gmail.com> 2021-06-09 09:12:51 +08:00
			`Read [Admin API's Stream Route section](./admin-api.md#stream-route) for the complete options list.`
feat(stream): accept tls over tcp (#4409) 2021-06-11 17:23:16 +08:00
			`## Accept TLS over TCP`

			`APISIX can accept TLS over TCP.`

			`First of all, we need to enable TLS for the TCP address:`

			```yaml
			`apisix:`
			`stream_proxy: # TCP/UDP proxy`
			`tcp: # TCP proxy address list`
			`- addr: 9100`
			`tls: true`
			```

			`Second, we need to configure certificate for the given SNI.`
			`See [Admin API's SSL section](./admin-api.md#ssl) for how to do.`

			`Third, we need to configure a stream route to match and proxy it to the upstream:`

			```shell
			`curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '`
			`{`
			`"remote_addr": "127.0.0.1",`
			`"upstream": {`
			`"nodes": {`
			`"127.0.0.1:1995": 1`
			`},`
			`"type": "roundrobin"`
			`}`
			`}'`
			```
feat(stream): match route with SNI (#4433) Signed-off-by: spacewander <spacewanderlzx@gmail.com> 2021-06-17 09:29:45 +08:00
			`When the connection is TLS over TCP, we can use the SNI to match a route, like:`

			```shell
			`curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '`
			`{`
			`"sni": "a.test.com",`
			`"upstream": {`
			`"nodes": {`
			`"127.0.0.1:5991": 1`
			`},`
			`"type": "roundrobin"`
			`}`
			`}'`
			```

			In this case, a connection handshaked with SNI `a.test.com` will be proxied to `127.0.0.1:5991`.