Manage HTTP container path rules with Reis (Flag Mode)
Path rules let you apply different access controls — basic authentication, rate limiting, IP allow / deny lists — to specific URL paths on an HTTP container. The longest matching path wins per request.
All path rule commands take --container <handle-or-id> to identify the parent HTTP container.
List path rules
reis pathrule:list --container my-api
Shows handle, path, priority, and active controls for every rule on the container.
Show a single rule
reis pathrule:show --container my-api <rule-id>
Use the ID returned by pathrule:list.
Create a rule with rate limiting
reis pathrule:create \
--container my-api \
--handle webhook \
--path /webhook \
--rate_limit_per_minute 60 \
--rate_limit_per_hour 1000
The handle must be unique among active rules on the container (DNS-1123 compliant). The path must start with /.
Create a rule with basic authentication
reis pathrule:create \
--container my-api \
--handle admin-area \
--path /api/admin \
--basic_auth alice:s3cret \
--basic_auth bob:t0pSecr3t
Repeat --basic_auth for multiple credentials. The format is username:password; passwords may contain colons (the first : is the delimiter).
Create a rule with IP allow / deny lists
reis pathrule:create \
--container my-api \
--handle internal-tools \
--path /internal \
--ip_allow 10.0.0.0/8 \
--ip_allow 192.168.0.0/16 \
--ip_deny 5.6.7.8
Allow-list entries restrict access to the listed IPs / CIDR ranges. Deny-list entries block them. Repeat each flag for additional entries.
Combining controls
A single rule can enable multiple controls — combine the flags freely:
reis pathrule:create \
--container my-api \
--handle admin-area \
--path /api/admin \
--basic_auth alice:s3cret \
--rate_limit_per_minute 10 \
--ip_allow 10.0.0.0/8
At least one control must be enabled; Reis fails fast if you pass only --handle and --path.
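A pre-flight check for the constraints stated in the sections above (DNS-1123 handle, path starting with /, at least one control, username:password split at the first colon, IP / CIDR entries), as an added example that is not part of Reis or its documentation. check_rule and its parameter names are hypothetical; treating the handle as a DNS-1123 label, rejecting empty usernames or passwords, and flagging host bits or a /0 allow entry are assumptions about what is worth catching locally, not documented Reis behaviour.

```python
import ipaddress
import re

# Assumption: "DNS-1123 compliant" means a DNS-1123 label (max 63 chars).
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def check_rule(handle, path, basic_auth=(), ip_allow=(), ip_deny=(),
               per_minute=None, per_hour=None):
    """Return a list of problems; an empty list means the rule looks valid."""
    problems = []
    if not LABEL.fullmatch(handle):
        problems.append(f"handle {handle!r} is not a DNS-1123 label")
    if not path.startswith("/"):
        problems.append(f"path {path!r} must start with /")
    if not (basic_auth or ip_allow or ip_deny
            or per_minute is not None or per_hour is not None):
        problems.append("no control enabled")
    for cred in basic_auth:
        # The first ':' is the delimiter; later colons belong to the password.
        user, sep, password = cred.partition(":")
        if not (user and sep and password):
            # The credential itself is deliberately kept out of the message.
            problems.append("basic_auth entry is not username:password")
    for flag, entries in (("ip_allow", ip_allow), ("ip_deny", ip_deny)):
        for entry in entries:
            try:
                # strict=True rejects host bits, e.g. 10.0.0.1/8 (local
                # hygiene check; an assumption, Reis may accept such input).
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                problems.append(f"{flag} {entry!r} is not an IP or CIDR range")
                continue
            if flag == "ip_allow" and net.prefixlen == 0:
                problems.append(f"ip_allow {entry!r} admits every address")
    return problems


if __name__ == "__main__":
    # Constructed input: the combined rule from this page, then a broken one.
    print(check_rule("admin-area", "/api/admin", basic_auth=["alice:s3cret"],
                     per_minute=10, ip_allow=["10.0.0.0/8"]))
    print(check_rule("Admin_Area", "api/admin", ip_allow=["0.0.0.0/0"]))
```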
Update a rule
reis pathrule:update \
--container my-api <rule-id> \
--rate_limit_per_minute 120
Only the fields you pass are changed. Fields not mentioned keep their current server-side value. Passing any --ip_allow, --ip_deny, or --basic_auth REPLACES the full list; there is no append.
Delete a rule
reis pathrule:delete --container my-api <rule-id>
Add --force to skip the confirmation prompt. The rule is removed at the next deploy.
Billing note
Each enabled control on a rule bills at the same per-region rate as the corresponding container-wide control. A rule with both rate limiting and basic authentication counts as two control instances per region.