Manage HTTP container path rules with Reis (YAML Mode)
Declare path rules in YAML alongside the rest of your infrastructure. The pathrule kind targets an existing HTTP container by handle.
Declare path rules in YAML alongside the rest of your infrastructure. The pathrule kind targets an existing HTTP container by handle.
YAML structure
kind: pathrule
container: my-api
handle: admin-area
path: /api/admin
priority: 100
basicauthenabled: true
basic_auth:
- username: alice
password: s3cret
ratelimitingenabled: true
ratelimitingrequestsperminute: 60
ipwhitelistenabled: true
ipwhitelist:
- 10.0.0.0/8| Field | Required | Description |
|---|---|---|
container | yes | Handle (or UUID) of the HTTP container the rule belongs to. |
handle | yes | Unique among active rules on the container. DNS-1123 compliant. |
path | yes | URL prefix the rule applies to. Must start with /. |
priority | no | Tiebreaker for equal-length prefix matches. Higher wins. Default 0. |
basicauthenabled | no | Turn on HTTP basic authentication for this path. |
basic_auth | no | List of {username, password} pairs. Implies basicauthenabled: true. |
ratelimitingenabled | no | Turn on per-IP rate limiting for this path. |
ratelimitingrequestspersecond | no | Maximum requests per second per IP. |
ratelimitingrequestsperminute | no | Maximum requests per minute per IP. |
ratelimitingrequestsperhour | no | Maximum requests per hour per IP. |
ipwhitelistenabled | no | Restrict access to the listed IPs. |
ipwhitelist | no | List of IP addresses or CIDR ranges. |
ipblacklistenabled | no | Block the listed IPs. |
ipblacklist | no | List of IP addresses or CIDR ranges. |
At least one control (basic auth, rate limiting, IP allow-list, or IP deny-list) must be enabled — the apply step fails otherwise.
Multi-rule file
Combine multiple rules and the parent container in a single file using the YAML document separator. Apply order is top-to-bottom, so declare the container first:
kind: container
type: http
project: production
handle: my-api
name: Public API
image: ghcr.io/myorg/api:latest
regions:
- falkenstein-1
workload:
cpu: "500"
memory: "256"
port: 8080
---
kind: pathrule
container: my-api
handle: admin-area
path: /api/admin
basicauthenabled: true
basic_auth:
- username: alice
password: s3cret
---
kind: pathrule
container: my-api
handle: webhook
path: /webhook
ratelimitingenabled: true
ratelimitingrequestsperminute: 60Apply:
reis apply -f infrastructure.ymlHow matching works
Per request, the longest matching path wins. A rule on /api/admin/users takes precedence over a rule on /api/admin for any request whose URL starts with /api/admin/users. If two rules tie on path length, the higher priority wins.
A path rule's controls fully override the container-wide settings for the same control type on that path — there is no merge. For example, if the container has rate limiting at 1000 / minute and a rule has rate limiting at 60 / minute, requests to that path are capped at 60 / minute (not 1000, not 1060).
Updating an existing rule
Re-apply the same YAML with changed fields. Reis looks up the rule on the container by handle and updates it in place. Removing a rule is done via reis pathrule:delete — the YAML apply step does not delete rules implicitly.
Billing note
Each enabled control on each rule bills at the same per-region rate as the corresponding container-wide control. A rule with two enabled controls counts as two instances per region.