Skip to content

Configuration Reference

Zion is configured via a single TOML file. Default path: ./zion.toml. Override with ZION_CONFIG env var.

All configuration is validated at startup. Invalid config produces actionable error messages and exits immediately.

[server]

KeyTypeDefaultDescription
listen_httpstringrequiredHTTP bind address (e.g. "0.0.0.0:80")
listen_httpsstringrequiredHTTPS bind address (e.g. "0.0.0.0:443")
rate_limit_rpsu320 (disabled)Max requests per IP per window
rate_limit_window_secsu641Rate limit window in seconds
max_connections_per_ipu32?nonePer-IP concurrent-connection cap, enforced at accept (before the TLS handshake)
trusted_proxiesstring[][]CIDRs whose inbound X-Forwarded-For is trusted for client-IP resolution
xff_modestring"append"Outbound XFF policy: "append", "rewrite" (strip inbound, emit one trusted entry), or "drop"
log_formatstring"text""text" or "json" (structured)

[tls]

KeyTypeDefaultDescription
cert_pathstringrequiredPath to PEM certificate chain
key_pathstringrequiredPath to PEM private key
hot_reloadbooltrueWatch cert directory for changes
min_versionstring"1.3"Minimum TLS version ("1.2" or "1.3")
alpnstring[]["h2", "http/1.1"]ALPN protocol negotiation list
sniSniCert[][]Per-domain certificate mappings
acmetablenoneAutomatic HTTPS via Let's Encrypt — see ACME
client_ca_pathstring?noneCA bundle used to verify client certs (mTLS)
client_authstring"none"mTLS client-auth mode ("none" disables mTLS)

[upstream.<name>]

KeyTypeDefaultDescription
urlstringurl or urls requiredSingle upstream URL (e.g. "http://127.0.0.1:8000")
urlsstring[][]Multiple upstream URLs (latency-routed); use instead of url
connect_timeout_msu643000TCP connect timeout in milliseconds
keepaliveusize64Max idle keepalive connections
tlsboolfalseUse HTTPS to connect to upstream
client_cert_path / client_key_pathstring?noneClient cert + key for mTLS from Zion to the upstream

Legacy format [upstreams] (flat key-value map of name to URL) is also supported.

[waf_profile.<name>]

KeyTypeDefaultDescription
modestring"balanced"Pattern set: "balanced" (~100, high-precision) or "aggressive" (~240, broad-recall)
max_body_mbu6410Maximum request body size in MB
max_depthusize10Maximum JSON nesting depth
max_string_lenusize1048576Maximum JSON string length (bytes)
deny_unknown_content_typesbooltrueReject content types not in allowed list
allowed_content_typesstring[]["application/json", "multipart/form-data"]Permitted content types
entropy_checkbooltrueEnable the Shannon-entropy gate on JSON string values
entropy_thresholdf646.5Bits/byte above which a JSON string value is flagged
streamingboolfalseScan request bodies chunk-by-chunk as they stream (fail-fast on first hit)

[cache_profile.<name>]

KeyTypeDefaultDescription
modestring"memory"Cache mode ("memory" or "none")
max_entriesusize10000Maximum cached entries; the LRU evicts at this cap. 0 caches nothing (every insert evicts first) — it is not "unlimited".
ttl_secondsu643600Time-to-live in seconds (default: 1 hour — a header-less origin response must not be frozen for a year; RFC 9111 §4.2.2 heuristic freshness).

[[route]]

KeyTypeDefaultDescription
pathstringrequiredURL path pattern (radix tree, supports {*rest})
upstreamstringrequiredName of upstream to forward to
modestring"standard"standard, sse_stream, static_cache, websocket
internal_onlyboolfalseRestrict to private/loopback IPs
waf_profilestringnoneName of WAF profile to apply
cache_profilestringnoneName of cache profile to apply
wafboolfalseLegacy: enable WAF with defaults
max_body_mbu6410Legacy: override body limit when waf = true

[[route]]cors

CORS is a per-route inline table (cors = { … } under [[route]]), not a top-level [cors] section — see CORS. Keys:

KeyTypeDefaultDescription
allowed_originsstring[][] (disabled)Allowed origins. ["*"] for any.
allowed_headersstring[]["Content-Type", "Authorization", "X-Requested-With"]Additional allowed headers
max_ageu6486400Pre-flight cache duration in seconds

Environment variables

VariableDescription
ZION_CONFIGConfig file path (default: ./zion.toml)

Released under the MIT License.