Manage HTTP container path rules with Reis (Flag Mode)

Path rules let you apply different access controls — basic authentication, rate limiting, IP allow / deny lists — to specific URL paths on an HTTP container. The longest matching path wins per request.

Updated 1 Jul 20262 min read

Path rules let you apply different access controls — basic authentication, rate limiting, IP allow / deny lists — to specific URL paths on an HTTP container. The longest matching path wins per request.

All path rule commands take --container <handle-or-id> to identify the parent HTTP container.

List path rules

reis pathrule:list --container my-api

Shows handle, path, priority, and active controls for every rule on the container.

Show a single rule

reis pathrule:show --container my-api <rule-id>

Use the ID returned by pathrule:list.

Create a rule with rate limiting

reis pathrule:create \
  --container my-api \
  --handle webhook \
  --path /webhook \
  --rate_limit_per_minute 60 \
  --rate_limit_per_hour 1000

The handle must be unique among active rules on the container (DNS-1123 compliant). The path must start with /.

Create a rule with basic authentication

reis pathrule:create \
  --container my-api \
  --handle admin-area \
  --path /api/admin \
  --basic_auth alice:s3cret \
  --basic_auth bob:t0pSecr3t

Repeat --basic_auth for multiple credentials. The format is username:password; passwords may contain colons (the first : is the delimiter).

Create a rule with IP allow / deny lists

reis pathrule:create \
  --container my-api \
  --handle internal-tools \
  --path /internal \
  --ip_allow 10.0.0.0/8 \
  --ip_allow 192.168.0.0/16 \
  --ip_deny 5.6.7.8

Allow-list entries restrict access to the listed IPs / CIDR ranges. Deny-list entries block them. Repeat each flag for additional entries.

Combining controls

A single rule can enable multiple controls — combine the flags freely:

reis pathrule:create \
  --container my-api \
  --handle admin-area \
  --path /api/admin \
  --basic_auth alice:s3cret \
  --rate_limit_per_minute 10 \
  --ip_allow 10.0.0.0/8

At least one control must be enabled — Reis fails fast if you pass only --handle and --path.

Update a rule

reis pathrule:update \
  --container my-api <rule-id> \
  --rate_limit_per_minute 120

Only the fields you pass are changed. Fields not mentioned keep their current server-side value. Passing any --ip_allow, --ip_deny, or --basic_auth REPLACES the full list — there is no append.

Delete a rule

reis pathrule:delete --container my-api <rule-id>

Add --force to skip the confirmation prompt. The rule is removed at the next deploy.

Billing note

Each enabled control on a rule bills at the same per-region rate as the corresponding container-wide control. A rule with both rate limiting and basic authentication counts as two control instances per region.

See also