Senate

Gateway

Reverse proxy routing, SSL, and custom domains

Gateway

The Gateway is Senate's reverse proxy layer, powered by Caddy. It handles routing, automatic HTTPS, load balancing, and custom domains.

Overview

Each machine runs its own Gateway instance that:

  • Routes traffic to services on that machine
  • Manages SSL certificates automatically
  • Provides health checking
  • Handles HTTP/2 and WebSocket connections

Architecture

Internet → Gateway (Caddy) → Service Containers

         Automatic SSL
         Route Matching
         Health Checks

Viewing Gateway Status

  1. Go to Machines
  2. Click on a machine
  3. Select the Gateway tab

You'll see:

  • Gateway running status
  • Configured routes
  • SSL certificate status
  • Upstream health

Routes

Routes define how incoming requests reach your services.

Automatic Routes

When you add a domain to a service, Senate creates a route automatically:

DomainTargetSSL
app.example.commyapp-xxx:3000Auto

Load Balancing

Load Balancing

When a service has multiple instances:

Domain → Gateway → Round Robin → Container 1
                              → Container 2
                              → Container 3

Load Balancing Policies

  • Round Robin (default): Even distribution
  • Least Connections: Route to least busy (Coming Soon)
  • IP Hash: Sticky sessions by client IP (Coming Soon)

Custom Gateway Configuration

Via UI

For advanced routing needs:

  1. Machine → Gateway tab
  2. Click Add Route
  3. Configure custom route

Custom Routes

Add routes not tied to services:

Use CaseConfiguration
Static redirectexample.com → www.example.com
Path routing/api/* → backend, /* → frontend
External proxyapi.example.com → external-service

WebSocket Support

Gateway handles WebSocket connections automatically:

  • Upgrade HTTP → WebSocket
  • Connection persistence
  • Proper header forwarding

HTTP/2

Enabled by default:

  • Server push support
  • Multiplexed connections
  • Header compression

Headers

Default Headers

Gateway adds:

  • X-Forwarded-For: Client IP
  • X-Forwarded-Proto: http/https
  • X-Real-IP: Original client IP

Troubleshooting

Route not working

  1. Check domain DNS points to correct IP
  2. Verify service is running
  3. Check container port matches route
  4. View Gateway logs

502 Bad Gateway

  1. Service container is not running
  2. Container port mismatch
  3. Container health check failing
  4. Service hasn't started yet

SSL redirect loop

  1. Check service handles HTTPS or sets proper headers
  2. Ensure X-Forwarded-Proto is respected
  3. Service should trust proxy headers

On this page

GatewayOverviewArchitectureViewing Gateway StatusRoutesAutomatic RoutesLoad BalancingLoad BalancingLoad Balancing PoliciesCustom Gateway ConfigurationVia UICustom RoutesWebSocket SupportHTTP/2HeadersDefault HeadersTroubleshootingRoute not working502 Bad GatewaySSL redirect loopRelated