API Middleware & Reverse Proxy
The API middleware that puts you in control.
Drop aegis in front of any API. Add caching, rate limiting, security, and runtime controls — without touching your upstream.
client → [ aegis ] → upstream API
What is aegis
aegis sits between your clients and your upstream API, acting as a transparent reverse proxy. Every request passes through a configurable chain of middleware — only the modules you enable, in a strict, predictable order.
For operations teams, that means rate limiting, audit logging, and maintenance controls without a single code deploy. For security teams, it means request signing, content filtering, and sensitive field redaction at the network boundary.
Middleware modules
Enable exactly the controls your deployment needs. Configure via YAML. Middleware executes in a strict, documented order on every request.
cache
Reduce upstream load with configurable response caching. Supports per-user cache keys and TTL-based expiry. Falls back to in-memory if Redis is unavailable.
rate_limiter
Enforce global or per-endpoint request rate limits using a sliding window. Protects your upstream from traffic spikes and runaway clients.
request_signing
Require HMAC-SHA256 signatures on incoming requests. Requests without a valid signature and timestamp are rejected before reaching your upstream.
content_blacklist
Block requests by file extension, MIME type, body size, or SHA-256 content hash. Enforce payload policies at the boundary, not in application code.
idempotency
Deduplicate mutation requests automatically. Retried POSTs, PUTs, and DELETEs return the original response instead of executing twice.
logger
Structured request and response logging to stdout, file, or SQLite. Sensitive fields are redacted by JSON path before they ever hit the log.
data_remapping
Rename or restructure JSON fields in request and response bodies in transit. Adapt payloads between API versions without modifying upstream code.
rewrite
Rewrite HTTP methods and paths before proxying. Wildcard pattern matching lets you reroute entire path prefixes with a single rule.
custom_response
Serve static or templated responses for matched routes without hitting your upstream. Useful for mocks, deprecation notices, and canary responses.
read_only
Block all mutating requests — POST, PUT, PATCH, DELETE — instantly via the admin CLI. No config change, no restart. Lift it just as fast.
profiler
Coming soon. Surface slow endpoints and high-latency requests without instrumenting your upstream. Identify bottlenecks at the proxy layer before they become incidents.
access_control
Coming soon. Restrict access by IP, geographic region, or network type. Block traffic from VPNs, Tor exit nodes, and datacenters — or allowlist only the regions you serve.
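A sketch of the check the request_signing module describes, added here as an illustration and not aegis's own code: HMAC-SHA256 over the request plus a timestamp window, compared in constant time. The signed string layout, the 5-minute window and the function names are assumptions, since this page does not document aegis's wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Assumed scheme, not aegis's wire format: the client MACs
// "<unix-ts>\n<METHOD>\n<path>\n" + body and sends ts and the hex MAC.
const maxSkew = 5 * time.Minute // assumed replay window

var (
	ErrMissing = errors.New("missing or malformed signature/timestamp")
	ErrStale   = errors.New("timestamp outside allowed window")
	ErrBadSig  = errors.New("signature mismatch")
)

func Sign(key []byte, ts, method, path string, body []byte) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s\n%s\n%s\n", ts, method, path)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

func Verify(key []byte, now time.Time, ts, sig, method, path string, body []byte) error {
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil || sig == "" {
		return ErrMissing
	}
	if d := now.Sub(time.Unix(sec, 0)); d > maxSkew || d < -maxSkew {
		return ErrStale // bounds how long a captured request can be replayed
	}
	// hmac.Equal compares in constant time, so timing does not leak a prefix match.
	if !hmac.Equal([]byte(sig), []byte(Sign(key, ts, method, path, body))) {
		return ErrBadSig
	}
	return nil
}

func main() {
	body := []byte(`{"id":1}`) // constructed sample request
	sig := Sign([]byte("demo-key"), "1700000000", "POST", "/orders", body)
	fmt.Println(Verify([]byte("demo-key"), time.Unix(1700000900, 0), "1700000000", sig, "POST", "/orders", body))
}
```

Because the method and path are part of the signed string, a signature captured for one route does not verify on another.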
Operational control
aegis ships with a built-in admin interface. Flip your API into read-only mode, take it offline for maintenance, or check system health — all from the command line, all without touching your running process.
Read-only mode
Instantly block all write operations across your API. Ideal for maintenance windows, data migrations, or incident response.
$ aegis admin read-only on
read-only mode enabled
$ aegis admin read-only off
read-only mode disabled
Maintenance mode
Take your API offline gracefully. All requests receive a configurable status code and message. Your upstream stays untouched.
$ aegis admin maintenance on \
    -message "Back soon" \
    -code 503
maintenance mode enabled
Health check
Built-in health endpoint reports aegis status and upstream reachability. Ready for Kubernetes probes or any load balancer health check.
GET /_aegis/health
{
"status": "ok",
"upstream": "reachable"
}
How it works
Every request flows through aegis in a fixed, deterministic order. Each enabled middleware runs in sequence — predictable, auditable, no surprises.
Client
HTTP request
[ aegis ]
1. maintenance_guard
2. read_only
3. request_signing
4. rewrite
5. rate_limiter
6. idempotency
7. cache
8. custom_response
9. content_blacklist
10. data_remapping
11. logger
12. proxy →
Upstream API
clean request
Only enabled modules run
Modules you haven't configured are skipped entirely. Zero overhead from unused features.
Consistent execution order
Middleware always runs in the same sequence regardless of config order. No execution surprises in production.
Safe license fallback
Without a valid license key, aegis starts but all middleware is disabled. A key issue never takes your API offline.
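The ordering rule above, modelled as an added example (not aegis's implementation): modules named in any config order are sorted into the sequence listed on this page, and an unlicensed start leaves only the proxy step. BuildChain, RunsBefore and the unknown-name report are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Execution order as listed on this page; proxy always runs last.
var order = []string{"maintenance_guard", "read_only", "request_signing", "rewrite",
	"rate_limiter", "idempotency", "cache", "custom_response",
	"content_blacklist", "data_remapping", "logger"}

// BuildChain takes module names in config-file order and returns the sequence
// that would run. Unknown names are reported so a typo cannot silently drop a control.
func BuildChain(enabled []string, licensed bool) (chain, unknown []string) {
	rank := map[string]int{}
	for i, name := range order {
		rank[name] = i
	}
	seen := map[string]bool{}
	for _, name := range enabled {
		if _, ok := rank[name]; !ok {
			unknown = append(unknown, name)
		} else if licensed && !seen[name] {
			seen[name] = true
			chain = append(chain, name)
		}
	}
	sort.Slice(chain, func(a, b int) bool { return rank[chain[a]] < rank[chain[b]] })
	return append(chain, "proxy"), unknown
}

// RunsBefore reports whether module a can reject a request before b sees it.
func RunsBefore(chain []string, a, b string) bool {
	ia, ib := -1, -1
	for i, n := range chain {
		switch n {
		case a:
			ia = i
		case b:
			ib = i
		}
	}
	return ia >= 0 && ib >= 0 && ia < ib
}

func main() {
	fmt.Println(BuildChain([]string{"logger", "cache", "request_signing"}, true))
}
```

With licensed set to false the chain is only proxy, so controls such as request_signing and rate_limiter are not enforced in that state; it is worth alerting on in deployment monitoring.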
Deployment
aegis is a single statically linked binary. No runtime dependencies, no platform lock-in. Run it anywhere you run services today.
Binary
Drop it anywhere Go runs.
A single statically linked binary with no CGO dependencies. Copy it to a server, configure with a YAML file, run it. Works under systemd, as a daemon, or in any process manager you already use.
$ aegis --config /etc/aegis/aegis.yaml
aegis listening on :8080
Docker
Container-native from day one.
Alpine-based image under 25 MB. Mount your config file, pass your license key as an environment variable, and start proxying. Kubernetes-ready with built-in liveness and readiness probe support via the health endpoint.
$ docker run -d \
    -p 8080:8080 \
    -v ./aegis.yaml:/etc/aegis/aegis.yaml \
    -e AEGIS_LICENSE_KEY=your-key \
    suprbdev/aegis
Redis is optional. aegis gracefully degrades to in-process memory for caching, rate limiting, and idempotency if Redis is unavailable or not configured.
Scale horizontally. Point multiple aegis instances at the same Redis to maintain consistent rate limiting and cache state across load-balanced deployments.
Get started
aegis is licensed per deployment. Get in touch to discuss pricing, use cases, and whether aegis is the right fit for your infrastructure.