Configuration

Ports

Before configuring a proxy, you need to bind a port to listen on. You can do this in the "Ports" section.

Taxy supports four types of ports:

Resetting a Port

Changing the port configuration does not affect existing connections. Old connections will continue to use the old configuration. To forcibly close existing connections, you can reset the port.

Proxies

Taxy supports four types of proxies:

Multiple ports can be bound to a proxy. However, it's not possible to bind TCP / TCP over TLS ports to an HTTP / HTTPS proxy and vice versa.

HTTP/2

Taxy supports HTTP/2 for HTTP and HTTPS proxies in both upstream and downstream connections. HTTP/2 is automatically negotiated if the client supports it. However, most web browsers will only use HTTP/2 if the connection is over TLS because they have no prior knowledge of the server's support for HTTP/2 without ALPN (Application-Layer Protocol Negotiation).

WebSocket

Taxy supports WebSocket (and HTTP upgrading) for HTTP and HTTPS proxies. You don't need to do anything special to enable WebSocket support.

Certificates

Server Certificates

For TCP over TLS and HTTPS proxy, Taxy requires a server certificate. There are three ways to install a server certificate:

  1. Generate a self-signed certificate
  2. Import a certificate from a file (PEM format only)
  3. Use ACME to automatically provision a certificate

Taxy will automatically search for a certificate from SNI (Server Name Indication) in the TLS client hello message.

Root Certificates

If your upstream server uses certificates not trusted by the system, you will need to add them to the root certificate store. Taxy automatically trusts all certificates signed by the root certificate, in addition to the system's root certificates.

Also, if you generate a self-signed certificate, Taxy will automatically generate a CA certificate and add it to the root certificate store.

ACME

Taxy supports automatic certificate provisioning using ACME (Automatic Certificate Management Environment). ACME is supported by many certificate authorities, such as Let's Encrypt, ZeroSSL, and Google Trust Services.

Taxy supports ACME v2 with HTTP challenge only. Make sure that TCP port 80 is open and accessible from the internet.

Configuration Files

Taxy uses TOML files for storing its configuration. The location of these files varies according to the operating system:

You can override the default location by setting the TAXY_CONFIG_DIR environment variable or the --config-dir command-line option.

If needed, these files can be edited manually. Note, however, that Taxy does not automatically detect changes made to the configuration files. To ensure any changes take effect, you must restart the server after editing a configuration file.

WebUI

Taxy includes a built-in WebUI. By default, it is served on localhost:46492. However, you can customize the port using the TAXY_WEBUI environment variable or the --webui command-line option. If you wish to disable the WebUI, set the TAXY_NO_WEBUI=1 environment variable or use the --no-webui command-line option.

WebUI uses Secure cookie attribute to store the session token. This means that the WebUI will only work over HTTPS, unless it is served on localhost (although certain browsers, like Safari, may deny this even on localhost). If you want to use the WebUI over HTTP, you can set the TAXY_INSECURE_WEBUI=1 environment variable or use the --insecure-webui command-line option. Note that this is not recommended.

Logging

Taxy logs to the standard output as its default setting. You can change this behavior by setting the TAXY_LOG, TAXY_ACCESS_LOG environment variable or using the --log, --access-log command-line option.

$ taxy start --log /var/log/taxy.log --access-log /var/log/taxy-access.log

If you want to adjust the log level, you can do so by setting the TAXY_LOG_LEVEL, TAXY_ACCESS_LOG_LEVEL environment variable or using the --log-level, --access-log-level command-line option.