Configuration Basics
Fluxheim uses TOML. Unknown fields are rejected, so spelling mistakes fail before restart.
Main shape
[server]
listen = ["0.0.0.0:8080"]
default_vhost = "site"
[[vhosts]]
name = "site"
hosts = ["example.com"]How config is organised
| Area | What belongs there |
|---|---|
server | Listeners, global limits, trusted proxy handling, and redirects. |
tls | Global TLS backend and compatibility policy. |
cache | Process-wide cache defaults and storage tiers. |
vhosts | Hostnames, routes, web roots, proxy settings, PHP, TLS, and access policy. |
metrics | Prometheus and export listeners for operational visibility. |
Route shape
[[vhosts.routes]]
name = "app"
path_prefix = "/app/"
methods = ["GET", "HEAD", "POST"]
max_request_body_bytes = "16MiB"
[vhosts.routes.proxy]
upstreams = ["127.0.0.1:3000"]A route has one matcher and one action. Exact paths win first, then longest prefixes, then regex routes when regex support is enabled, then one fallback route.
Safe habits
- Run
fluxheim --check-configbefore reloads. - Use one vhost per site or application boundary.
- Keep secrets in files, environment, or container secrets, not in public docs.
- Use route-level limits for uploads and expensive application paths.
- Keep admin and metrics listeners private.