Edge Proxy
Edge Proxy is an enterprise-only feature. It requires an active enterprise account with verified custom domains.
Edge Proxy lets you reverse-proxy traffic from a subdomain on your enterprise domain to any external upstream server. The edge handles TLS termination, header injection, and routing — you just configure the target.
How it works
https://api.your-domain.com → https://internal-staging:8080
- You create a proxy record — specifying a slug, domain, and target URL
- An etcd route is registered so the edge proxy knows where to forward traffic
- All HTTPS requests to
slug.domainare TLS-terminated at the edge and forwarded to the target - Responses flow back through the edge to the client
Key concepts
Slugs and domains
Every proxy maps a subdomain to an upstream:
- Slug — the subdomain part (e.g.
api,staging,dashboard) - Domain — must be a verified enterprise domain you own
- Target — the upstream URL to forward traffic to
Enterprise domains
Edge Proxy only works with enterprise domains. You must:
- Register and verify your domain via the Domains API
- Have an active enterprise account with domain grants
- DNS must point your domain to the Oblien edge
Headers
The edge proxy injects standard forwarding headers on every request:
| Header | Value |
|---|---|
X-Forwarded-For | Client's real IP address |
X-Forwarded-Proto | https (original protocol) |
Host | Original requested hostname |
Your upstream receives these headers and can use them for logging, rate limiting, or access control.
Proxy status
| Status | Edge route | DB record |
|---|---|---|
active | Yes — forwarding traffic | Yes |
disabled | No — route removed | Yes — preserved |
Disabling a proxy removes the edge route (traffic stops) but keeps the configuration. Re-enabling restores forwarding without recreating the record.
Creating a proxy
From the dashboard
- Go to Dashboard → Edge Proxy
- Click Create Proxy
- Enter a name, slug, your enterprise domain, and the target URL
- The proxy goes live immediately
From the SDK
const client = new Oblien({ clientId, clientSecret });
const { proxy } = await client.edgeProxy.create({
name: 'staging-api',
slug: 'staging-api',
domain: 'edge.example.com',
target: 'https://internal-staging.example.com:8080',
});
console.log(proxy.url); // https://staging-api.edge.example.comManaging proxies
// List all proxies
const { proxies } = await client.edgeProxy.list();
// Update the target URL
await client.edgeProxy.update(proxy.id, {
target: 'https://new-upstream.example.com',
});
// Disable / re-enable
await client.edgeProxy.disable(proxy.id);
await client.edgeProxy.enable(proxy.id);
// Delete
await client.edgeProxy.delete(proxy.id);Target restrictions
To prevent SSRF (Server-Side Request Forgery), the target URL is validated before the proxy is created. The following targets are blocked:
| Category | Blocked |
|---|---|
| Private IPs | 10.x.x.x, 172.16-31.x.x, 192.168.x.x |
| Loopback | 127.x.x.x, localhost, ::1 |
| Link-local | 169.254.x.x |
| Unspecified | 0.x.x.x |
| Platform domains | *.oblien.com |
Only http:// and https:// protocols are allowed. Other schemes (FTP, WebSocket, etc.) are rejected.
Limits
| Limit | Value |
|---|---|
| Proxies per user | 25 |
| Slug length | 3–63 characters |
| Domain length | Max 253 characters |
| Target URL length | Max 2048 characters |
| Slug format | Lowercase alphanumeric + hyphens, no leading/trailing hyphens |
API reference
See the Edge Proxy API for the full REST endpoint reference.