Plugin Ecosystem
51 Built-in Plugins
Authentication, rate limiting, AI/LLM, observability, transformation — every capability you need, built in and production-ready.
🔐 Authentication
mtls_auth
Priority: 100
Mutual TLS client certificate authentication. Validates client certificates against a trusted CA, checks CRL for revoked certs.
HTTP, TCP
jwks_auth
Priority: 110
JWT validation using a remote JWKS endpoint. Caches public keys with configurable TTL. Supports RS256, ES256, RS512.
HTTP, gRPC
jwt_auth
Priority: 115
Stateless JWT validation with a shared secret. HS256 support. Validates expiry, issuer, audience, and custom claims.
HTTP, gRPC, WebSocket
key_auth
Priority: 120
API key authentication via header or query parameter. Keys stored per consumer. Supports key rotation without downtime.
HTTP, WebSocket
ldap_auth
Priority: 125
LDAP/Active Directory authentication. Bind-and-search flow with connection pooling. Group membership checks.
HTTP
basic_auth
Priority: 130
HTTP Basic Authentication. Credentials stored per consumer with bcrypt hashing. WWW-Authenticate header on 401 responses.
HTTP
hmac_auth
Priority: 135
HMAC request signing verification. Validates signature over request method, path, and timestamp. Prevents replay attacks with timestamp window.
HTTP
soap_ws_security
Priority: 140
WS-Security header validation for SOAP APIs. Supports UsernameToken and X.509 certificate tokens.
HTTP
🛡 Authorization
access_control
Priority: 200
Consumer-level access control lists. Grant or deny specific consumers access to specific routes or operations.
HTTP, gRPC
ip_restriction
Priority: 50
IP allowlist and denylist with CIDR notation support. Applied before authentication for zero-cost blocking of unwanted sources.
HTTP, TCP, UDP
bot_detection
Priority: 60
User-agent pattern matching and behavioral heuristics to detect and block automated/bot traffic before it reaches backends.
HTTP
⏳ Rate Limiting
rate_limiting
Priority: 300
Token bucket rate limiting for HTTP. Per-consumer, per-IP, or global limits. Configurable window (second/minute/hour/day). Returns 429 with Retry-After header.
HTTP, gRPC
ws_rate_limiting
Priority: 305
Rate limiting for WebSocket connections. Limits messages per second per connection or per consumer. Closes connection on sustained violation.
WebSocket
udp_rate_limiting
Priority: 310
UDP packet rate limiting per source IP. Sliding window counter with configurable burst allowance.
UDP
tcp_connection_throttle
Priority: 315
Limit maximum concurrent TCP connections per source IP or globally. Immediate RST on limit exceeded.
TCP
🤖 AI / LLM
ai_token_metrics
Priority: 400
Track prompt tokens, completion tokens, and total usage per LLM request. Export to Prometheus or structured logs for cost attribution and budgeting.
HTTP, OpenAI API
ai_request_guard
Priority: 410
Model access control. Restrict which consumers can use which AI models. Enforce model allowlists and denylists at gateway level before requests reach providers.
HTTP
ai_rate_limiter
Priority: 420
Token-bucket rate limiting based on LLM token count rather than request count. Set per-consumer token budgets per minute, hour, or day to control API costs.
HTTP
ai_prompt_shield
Priority: 430
Prompt injection detection and content filtering. Block requests with forbidden patterns, jailbreak attempts, or PII before reaching LLM providers.
HTTP, Security
🔄 Transformation
request_transformer
Priority: 500
Add, remove, or rename request headers. Modify query parameters. Set or override request body fields.
HTTP, gRPC
response_transformer
Priority: 505
Add, remove, or modify response headers. Inject response body fields. Strip sensitive upstream headers before returning to clients.
HTTP
serverless_function
Priority: 510
Execute a serverless function as part of request processing. Call AWS Lambda, GCP Functions, or custom HTTP functions mid-pipeline.
HTTP
grpc_deadline
Priority: 515
Inject or enforce gRPC deadline headers. Prevent unbounded gRPC streams from consuming backend resources.
gRPC
response_caching
Priority: 520
In-memory response caching with TTL. Configurable cache key (path, headers, query params). Cache-Control header awareness.
HTTP
response_size_limiting
Priority: 525
Limit maximum response body size. Truncates or rejects oversized responses before streaming to clients.
HTTP
request_size_limiting
Priority: 530
Reject requests with bodies exceeding the configured maximum size. Returns 413 before the body is fully read.
HTTP
ws_message_size_limiting
Priority: 535
Limit WebSocket message frame size. Closes connection with 1009 code on frames exceeding the configured limit.
WebSocket
🏳 Routing / Protocol
grpc_method_router
Priority: 600
Route individual gRPC service methods to different upstreams. Override the default upstream per gRPC method or service.
gRPC
graphql
Priority: 605
GraphQL-aware request handling. Query complexity limits, introspection blocking, operation type filtering (query/mutation/subscription).
HTTP
cors
Priority: 610
Cross-Origin Resource Sharing. Configurable allowed origins, methods, headers. Preflight request handling with cache control.
HTTP
spec_expose
Priority: 50
Serve API specification documents (OpenAPI, WSDL, WADL) on a /specz sub-path. Unauthenticated endpoint that short-circuits before authentication.
HTTP, gRPC
📊 Observability
stdout_logging
Priority: 700
Structured JSON access logging to stdout. Configurable fields: method, path, status, latency, upstream, consumer ID.
HTTP, gRPC
http_logging
Priority: 705
POST structured log entries to an external HTTP log collector endpoint. Batching and retry on failure.
HTTP
tcp_logging
Priority: 710
Send log entries to a TCP log collector (e.g., Logstash). Persistent connection with reconnect on failure.
HTTP
loki_logging
Priority: 715
Ship structured logs to Grafana Loki. Label extraction for multi-tenant log routing and filtering.
HTTP, gRPC
udp_logging
Priority: 720
Send log entries via UDP to a syslog or custom UDP collector. Fire-and-forget, no request latency impact.
HTTP
ws_logging
Priority: 725
Log WebSocket connection lifecycle events: open, close, error, message count, bytes transferred.
WebSocket
ws_frame_logging
Priority: 730
Log individual WebSocket frame contents. Configurable sampling rate. For debugging and audit purposes.
WebSocket
statsd_logging
Priority: 735
Emit request metrics via UDP StatsD protocol. Compatible with Datadog, InfluxDB, Telegraf, and standard StatsD collectors.
HTTP, gRPC
prometheus_metrics
Priority: 740
Expose Prometheus-format metrics at /metrics. Request count, latency histograms, upstream health, connection pool stats, plugin execution times.
HTTP, gRPC, WebSocket
otel_tracing
Priority: 745
OpenTelemetry distributed tracing with OTLP export. Automatic span creation, upstream correlation, W3C trace context propagation.
HTTP, gRPC
transaction_debugger
Priority: 750
Per-request debug traces showing every plugin execution, timing breakdowns, routing decisions, and upstream response details. Essential for troubleshooting.
HTTP, gRPC
⚙ Request Control
correlation_id
Priority: 800
Generate or propagate a unique request ID. Inject as X-Correlation-ID header upstream and include in log entries for distributed tracing.
HTTP, gRPC
request_termination
Priority: 810
Immediately terminate requests with a configurable status code and body. Useful for maintenance mode, staged rollouts, or A/B testing.
HTTP
body_validator
Priority: 820
JSON schema validation of request bodies. Reject malformed payloads before they reach backends. Configurable error response format.
HTTP
Configuration Examples
Plugin Config Reference
jwt_auth
yaml
- name: jwt_auth
  priority: 115
  config:
    secret: "${JWT_SECRET}"
    algorithm: HS256
    header: Authorization
    bearer_prefix: "Bearer "
    claims:
      iss: "my-auth-service"
      aud: "ferrum-edge"
rate_limiting
yaml
- name: rate_limiting
  priority: 300
  config:
    limit_by: consumer   # ip | global | consumer
    requests: 1000
    window: minute       # second | minute | hour | day
    error_code: 429
    error_message: "Rate limit exceeded"
key_auth
yaml
- name: key_auth
  priority: 120
  config:
    header: X-API-Key
    # OR use query param:
    # query_param: api_key
    hide_credentials: true
cors
yaml
- name: cors
  priority: 610
  config:
    origins:
      - "https://app.example.com"
      - "https://admin.example.com"
    methods: [GET, POST, PUT, DELETE, OPTIONS]
    headers: [Content-Type, Authorization]
    max_age: 3600
    credentials: true
prometheus_metrics
yaml
- name: prometheus_metrics
  priority: 740
  config:
    latency_buckets:
      - 0.005
      - 0.01
      - 0.025
      - 0.05
      - 0.1
      - 0.5
      - 1.0
    labels:
      - proxy_name
      - consumer_id
      - status_code
otel_tracing
yaml
- name: otel_tracing
  priority: 745
  config:
    endpoint: "http://otel-collector:4317"
    service_name: "ferrum-edge"
    propagation: w3c   # b3 | jaeger | w3c
    sample_rate: 1.0   # 0.0 to 1.0
ai_prompt_shield
yaml
- name: ai_prompt_shield
  priority: 430
  config:
    forbidden_patterns:
      - "ignore previous instructions"
      - "jailbreak"
      - "\\bSSN\\b"
    action: block   # block | sanitize | log
    error_code: 400
    error_message: "Request blocked by content policy"
ip_restriction
yaml
- name: ip_restriction
  priority: 50
  config:
    allow:
      - "10.0.0.0/8"
      - "192.168.1.100"
    # deny:                  # use allow OR deny, not both
    #   - "203.0.113.0/24"
    error_code: 403
Need a Custom Plugin?
Write custom plugins in Rust and auto-discover them at build time. Full access to every request lifecycle hook.
Read the Plugin Development Guide →