# SBproxy
> The reverse proxy and AI gateway, unified. One binary, one config file. Apache 2.0.

Most teams run nginx or Traefik for HTTP traffic, then route AI requests through a separate LiteLLM or Portkey instance. SBproxy handles both in a single Go binary. One config file covers your entire traffic layer.
## Key Facts
- Written in Go, pure binary (CGO_ENABLED=0)
- 203+ native LLM providers (OpenAI, Anthropic, Google, Mistral, Cohere, and more)
- Caddy-style plugin architecture with `init()` registration
- 18-layer compiled handler chain per origin (compiled once, zero per-request allocation)
- Apache License 2.0
## Documentation
### Website (sbproxy.dev/docs)
- Getting Started: https://sbproxy.dev/docs/quick-start
- Core Concepts: https://sbproxy.dev/docs/core-concepts
- Your First Proxy: https://sbproxy.dev/docs/your-first-proxy
- Your First AI Gateway: https://sbproxy.dev/docs/your-first-ai-gateway
- Migrate from LiteLLM: https://sbproxy.dev/docs/replace-litellm
- AI Guardrails: https://sbproxy.dev/docs/guardrails
- CLI Reference: https://sbproxy.dev/docs/cli-reference
- Full Docs: https://sbproxy.dev/docs
### Repo docs
- Architecture: https://github.com/soapbucket/sbproxy/blob/main/docs/architecture.md
- Comparison: https://github.com/soapbucket/sbproxy/blob/main/docs/comparison.md
- Providers: https://github.com/soapbucket/sbproxy/blob/main/docs/providers.md
- Troubleshooting: https://github.com/soapbucket/sbproxy/blob/main/docs/troubleshooting.md
- Upgrade Guide: https://github.com/soapbucket/sbproxy/blob/main/docs/upgrade.md
- Examples Index: https://github.com/soapbucket/sbproxy/blob/main/docs/examples.md
- Changelog: https://github.com/soapbucket/sbproxy/blob/main/CHANGELOG.md
- Examples: https://github.com/soapbucket/sbproxy/tree/main/examples
## Quick Start
```bash
go install github.com/soapbucket/sbproxy/cmd/sbproxy@latest
```
Minimal config (sb.yml):
```yaml
proxy:
  http_bind_port: 8080
origins:
  "api.example.com":
    action:
      type: proxy
      url: https://test.sbproxy.dev
```
```bash
sbproxy serve -f sb.yml
curl -H "Host: api.example.com" http://localhost:8080/echo
```
## AI Gateway
Unified OpenAI-compatible API across all providers:
```yaml
origins:
  "ai.example.com":
    action:
      type: ai_proxy
      providers:
        - name: openai
          api_key: ${OPENAI_API_KEY}
          models: [gpt-4o, gpt-4o-mini]
        - name: anthropic
          api_key: ${ANTHROPIC_API_KEY}
          models: [claude-sonnet-4-20250514]
      default_model: gpt-4o-mini
      routing:
        strategy: fallback_chain
```
Routing strategies: fallback_chain, round_robin, weighted, cost_optimized, latency, semantic.
## Configuration Model
Top-level keys in sb.yml:
- `proxy:` - global settings (ports, TLS)
- `origins:` - per-hostname routing. Map of hostname to origin config.
Each origin has sibling fields (NOT nested inside action):
- `action` - what to do: proxy, ai_proxy, static, redirect, echo, loadbalancer, websocket, grpc, graphql, mcp, a2a
- `authentication` - who can access: api_key, basic_auth, bearer_token, jwt, forward, digest
- `policies` - rules: rate_limiting, ip_filtering, waf, ddos_protection, csrf, expression (CEL), security_headers
- `transforms` - response body transforms: json_projection, html, markdown, template, lua_json, and 15+ more
- `request_modifiers` / `response_modifiers` - modify inbound/outbound (headers, URL, body)
- `response_cache` - HTTP caching with TTL, stale-while-revalidate, stale-if-error
- `forward_rules` - path-based routing to inline origins
- `on_request` / `on_response` - lifecycle callbacks (sync or async)
- `compression` - gzip, brotli, zstd
- `cors` - CORS configuration
- `error_pages` - custom error pages with Mustache templates
- `session_config` - cookie-based sessions
- `variables` - user-defined template variables
## Actions
| Type | Description |
|------|-------------|
| proxy | Reverse proxy to upstream URL |
| ai_proxy | AI gateway with 203+ providers, model routing, fallback chains |
| static | Static response (JSON or text) |
| redirect | HTTP redirect (301/302) |
| echo | Echo request as JSON (debugging) |
| loadbalancer | 10 algorithms: round-robin, weighted, least-connections, IP hash, URI hash, header hash, cookie hash, random, weighted random, first |
| websocket | WebSocket proxy |
| grpc | gRPC and gRPC-Web proxy |
| graphql | GraphQL-aware proxy |
| mcp | Model Context Protocol server |
| a2a | Agent-to-Agent protocol |
## Authentication Types
| Type | Description |
|------|-------------|
| api_key | X-API-Key header or query parameter |
| basic_auth | HTTP Basic (RFC 7617) |
| bearer_token | Authorization: Bearer tokens |
| jwt | JWT validation (HS256, RS256, ES256) with JWKS |
| forward | Delegate to external auth service |
| digest | HTTP Digest auth |
## Policies
| Type | Description |
|------|-------------|
| rate_limiting | 4 algorithms: sliding window, fixed window, token bucket, leaky bucket. Local + Redis backends. |
| ip_filtering | Allowlist/blocklist with CIDR notation. Supports IPv4 and IPv6. |
| waf | OWASP CRS with paranoia levels 1-4 |
| ddos_protection | Automatic DDoS mitigation |
| csrf | Cross-site request forgery protection |
| expression | CEL expressions for custom access control |
| security_headers | HSTS, X-Frame-Options, CSP, and more |
| bot_detection | TLS fingerprinting and behavioral analysis |
| threat_protection | SQL injection, XSS, path traversal, SSRF detection |
| http_message_signatures | RFC 9421 HTTP message signatures |
## Transforms
| Type | Description |
|------|-------------|
| json_projection | Select, rename, and reshape JSON fields |
| json_schema | Validate response against JSON Schema |
| html | HTML transformation |
| markdown | Convert HTML to Markdown |
| html_to_markdown | HTML to Markdown conversion |
| css | CSS transformation |
| javascript | JavaScript transformation |
| template | Mustache/Go template rendering |
| lua_json | Lua scripting for JSON manipulation |
| encoding | Base64, hex, URL encoding/decoding |
| format_convert | Convert between JSON, XML, YAML, CSV |
| normalize | Normalize response structure |
| replace_strings | String find and replace |
| sse_chunking | Server-Sent Events chunking |
| payload_limit | Limit response body size |
| optimize_html | Minify and optimize HTML |
| discard | Discard the response body |
## Scripting
Two engines:
- **CEL**: compiled, microsecond evaluation. Headers: `request.headers["x-role"]` (bracket notation, hyphens preserved). Utility functions: sha256, hmacSHA256, uuid, now, IP functions.
- **Lua**: interpreted, full scripting. Function: `function modify_json(data, ctx) return data end`. sb.* module: logging, base64, JSON, crypto, time, UUID.
Nine context namespaces: request, session, origin, server, vars, features, client, ctx, response.
Note: Mustache templates use different header normalization than CEL. Templates: `{{ request.headers.x_api_key }}` (underscores). CEL: `request.headers["x-api-key"]` (hyphens).
## Observability
- Prometheus metrics with AI-specific namespace (tokens, latency, TTFT, cache hits, guardrail triggers)
- 4 pre-built Grafana dashboards with alert rules
- OpenTelemetry tracing
- Structured logging (stderr, ClickHouse)
## Plugin System
Five extension points:
- `plugin.ActionHandler` - `plugin.RegisterAction(name, factory)`
- `plugin.AuthProvider` - `plugin.RegisterAuth(name, factory)`
- `plugin.PolicyEnforcer` - `plugin.RegisterPolicy(name, factory)`
- `plugin.TransformHandler` - `plugin.RegisterTransform(name, factory)`
- `plugin.RequestEnricher` - `plugin.RegisterEnricher(instance)`
## Enterprise (SBproxy Cloud)
Enterprise features at https://cloud.sbproxy.dev include:
**AI Intelligence:** Cost-optimized routing, semantic routing, LLM-as-a-Judge evaluation, quality-based routing, AI guardrails (prompt injection, jailbreak, PII, toxicity, topic filter), semantic caching, budget enforcement, virtual keys with RBAC, conversation memory, orchestration pipelines.
**Agent Infrastructure:** AI-Native API Management (OpenAPI to MCP), AI Traffic Mesh (distributed guardrails), agent discovery registry, MCP tool gateway (RBAC, audit), trace hierarchy for agent debugging.
**Security:** OAuth 2.0 (authorization code, client credentials, introspection), geo-blocking (MaxMind), advanced threat detection, PII detection and redaction, SSO.
**Traffic Management:** Canary deployments, traffic shadowing, A/B testing, API versioning (URL, header, query), traffic capture.
**Platform:** WASM plugin runtime, secrets management, cloud dashboard, audit logging.
## Links
- Source: https://github.com/soapbucket/sbproxy
- Website: https://sbproxy.dev
- Docs: https://sbproxy.dev/docs
- Docker: ghcr.io/soapbucket/sbproxy
- License: Apache 2.0