title: API Documentation description: Complete REST API reference for Charon. Includes endpoints for proxy hosts, certificates, security, and more.
API Documentation
Charon REST API documentation. All endpoints return JSON and use standard HTTP status codes.
Base URL
http://localhost:8080/api/v1
Authentication
π§ Authentication is not yet implemented. All endpoints are currently public.
Future authentication will use JWT tokens:
Authorization: Bearer <token>
Response Format
Success Response
{
"uuid": "550e8400-e29b-41d4-a716-446655440000",
"name": "Example",
"created_at": "2025-01-18T10:00:00Z"
}
Error Response
{
"error": "Resource not found",
"code": 404
}
Status Codes
| Code | Description |
|---|---|
| 200 | Success |
| 201 | Created |
| 204 | No Content (successful deletion) |
| 400 | Bad Request (validation error) |
| 404 | Not Found |
| 500 | Internal Server Error |
Endpoints
Metrics (Prometheus)
Expose internal counters for scraping.
GET /metrics
No authentication required. Primary WAF metrics:
charon_waf_requests_total
charon_waf_blocked_total
charon_waf_monitored_total
Health Check
Check API health status.
GET /health
Response 200:
{
"status": "ok"
}
Security Suite (Cerberus)
Status
GET /security/status
Returns enabled flag plus modes for each module.
Get Global Security Config
GET /security/config
Response 200 (no config yet): { "config": null }
Upsert Global Security Config
POST /security/config
Content-Type: application/json
Request Body (example):
{
"name": "default",
"enabled": true,
"admin_whitelist": "198.51.100.10,203.0.113.0/24",
"crowdsec_mode": "local",
"waf_mode": "monitor",
"waf_rules_source": "owasp-crs-local"
}
Response 200: { "config": { ... } }
Security Considerations:
Webhook URLs configured in security settings are validated to prevent Server-Side Request Forgery (SSRF) attacks. The following destinations are blocked:
- Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Cloud metadata endpoints (169.254.169.254)
- Loopback addresses (127.0.0.0/8)
- Link-local addresses
Error Response:
{
"error": "Invalid webhook URL: URL resolves to a private IP address (blocked for security)"
}
Example Valid URL:
{
"webhook_url": "https://webhook.example.com/receive"
}
Enable Cerberus
POST /security/enable
Payload (optional break-glass token):
{ "break_glass_token": "abcd1234" }
Disable Cerberus
POST /security/disable
Payload (required if not localhost):
{ "break_glass_token": "abcd1234" }
Generate Break-Glass Token
POST /security/breakglass/generate
Response 200: { "token": "plaintext-token-once" }
List Security Decisions
GET /security/decisions?limit=50
Response 200: { "decisions": [ ... ] }
Create Manual Decision
POST /security/decisions
Content-Type: application/json
Payload:
{ "ip": "203.0.113.5", "action": "block", "details": "manual temporary block" }
List Rulesets
GET /security/rulesets
Response 200: { "rulesets": [ ... ] }
Upsert Ruleset
POST /security/rulesets
Content-Type: application/json
Payload:
{
"name": "owasp-crs-quick",
"source_url": "https://example.com/owasp-crs.txt",
"mode": "owasp",
"content": "# raw rules"
}
Response 200: { "ruleset": { ... } }
Delete Ruleset
DELETE /security/rulesets/:id
Response 200: { "deleted": true }
Application URL Endpoints
Validate Application URL
Validates that a URL is properly formatted for use as the application's public URL.
POST /settings/validate-url
Content-Type: application/json
Authorization: Bearer <admin-token>
Request Body:
{
"url": "https://charon.example.com"
}
Required Fields:
url(string) - The URL to validate
Response 200 (Valid URL):
{
"valid": true,
"normalized": "https://charon.example.com"
}
Response 200 (Valid with Warning):
{
"valid": true,
"normalized": "http://charon.example.com",
"warning": "Using http:// instead of https:// is not recommended for production environments"
}
Response 400 (Invalid URL):
{
"valid": false,
"error": "URL must start with http:// or https:// and cannot include path components"
}
Response 403:
{
"error": "Admin access required"
}
Validation Rules:
- URL must start with
http://orhttps:// - URL cannot include path components (e.g.,
/admin) - Trailing slashes are automatically removed
- Port numbers are allowed (e.g.,
:8080) - Warning is returned if using
http://(insecure)
Examples:
# Valid HTTPS URL
curl -X POST http://localhost:8080/api/v1/settings/validate-url \
-H "Content-Type: application/json" \
-d '{"url": "https://charon.example.com"}'
# Valid with port
curl -X POST http://localhost:8080/api/v1/settings/validate-url \
-H "Content-Type: application/json" \
-d '{"url": "https://charon.example.com:8443"}'
# Invalid - no protocol
curl -X POST http://localhost:8080/api/v1/settings/validate-url \
-H "Content-Type: application/json" \
-d '{"url": "charon.example.com"}'
# Invalid - includes path
curl -X POST http://localhost:8080/api/v1/settings/validate-url \
-H "Content-Type: application/json" \
-d '{"url": "https://charon.example.com/admin"}'
Preview User Invite URL
Generates a preview of the invite URL that would be sent to a user, without actually creating the invitation.
POST /users/preview-invite-url
Content-Type: application/json
Authorization: Bearer <admin-token>
Request Body:
{
"email": "newuser@example.com"
}
Required Fields:
email(string) - Email address for the preview
Response 200 (Configured):
{
"preview_url": "https://charon.example.com/accept-invite?token=SAMPLE_TOKEN_PREVIEW",
"base_url": "https://charon.example.com",
"is_configured": true,
"email": "newuser@example.com",
"warning": false,
"warning_message": ""
}
Response 200 (Not Configured):
{
"preview_url": "http://localhost:8080/accept-invite?token=SAMPLE_TOKEN_PREVIEW",
"base_url": "http://localhost:8080",
"is_configured": false,
"email": "newuser@example.com",
"warning": true,
"warning_message": "Application URL not configured. The invite link may not be accessible from external networks."
}
Response 400:
{
"error": "email is required"
}
Response 403:
{
"error": "Admin access required"
}
Field Descriptions:
preview_url- Complete invite URL with sample tokenbase_url- The base URL being used (configured or fallback)is_configured- Whether Application URL is configured in settingsemail- Email address from the request (echoed back)warning- Boolean indicating if there's a configuration warningwarning_message- Human-readable warning (empty if no warning)
Use Cases:
- Pre-flight check: Verify invite URLs before creating users
- Configuration validation: Confirm Application URL is set correctly
- UI preview: Show users what invite link will look like
- Testing: Validate invite flow without creating actual invitations
Examples:
# Preview invite URL
curl -X POST http://localhost:8080/api/v1/users/preview-invite-url \
-H "Content-Type: application/json" \
-d '{"email": "admin@example.com"}'
# Response when configured:
{
"preview_url": "https://charon.example.com/accept-invite?token=SAMPLE_TOKEN_PREVIEW",
"base_url": "https://charon.example.com",
"is_configured": true,
"email": "admin@example.com",
"warning": false,
"warning_message": ""
}
JavaScript Example:
const previewInvite = async (email) => {
const response = await fetch('http://localhost:8080/api/v1/users/preview-invite-url', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer <admin-token>'
},
body: JSON.stringify({ email })
});
const data = await response.json();
if (data.warning) {
console.warn(data.warning_message);
console.log('Configure Application URL in System Settings');
} else {
console.log('Invite URL:', data.preview_url);
}
};
previewInvite('newuser@example.com');
Python Example:
import requests
def preview_invite(email, api_base='http://localhost:8080/api/v1'):
response = requests.post(
f'{api_base}/users/preview-invite-url',
headers={'Content-Type': 'application/json'},
json={'email': email}
)
data = response.json()
if data.get('warning'):
print(f"Warning: {data['warning_message']}")
else:
print(f"Invite URL: {data['preview_url']}")
return data
preview_invite('admin@example.com')
Resend User Invite
Resend an invitation email to a pending user. Generates a new invite token and sends it to the user's email address.
POST /users/:id/resend-invite
Authorization: Bearer <admin-token>
Parameters:
id(path) - User ID (numeric)
Response 200:
{
"email_sent": true,
"invite_url": "https://charon.example.com/accept-invite?token=abc123...",
"expires_at": "2026-01-31T12:00:00Z"
}
Response 400:
{
"error": "User is not in pending status"
}
Response 403:
{
"error": "Admin access required"
}
Response 404:
{
"error": "User not found"
}
Use Cases:
- User didn't receive the original invitation email
- Invite token has expired and needs renewal
- User lost or deleted the invitation email
Example:
curl -X POST http://localhost:8080/api/v1/users/42/resend-invite \
-H "Authorization: Bearer <admin-token>"
JavaScript Example:
const resendInvite = async (userId) => {
const response = await fetch(`http://localhost:8080/api/v1/users/${userId}/resend-invite`, {
method: 'POST',
headers: {
'Authorization': 'Bearer <admin-token>'
}
});
const data = await response.json();
if (data.email_sent) {
console.log('Invitation resent successfully');
} else {
console.log('New invite created, but email could not be sent');
console.log('Invite URL:', data.invite_url);
}
return data;
};
resendInvite(42);
Test URL Connectivity
Test if a URL is reachable from the server with comprehensive SSRF (Server-Side Request Forgery) protection.
POST /settings/test-url
Content-Type: application/json
Authorization: Bearer <admin-token>
Request Body:
{
"url": "https://api.example.com"
}
Required Fields:
url(string) - The URL to test for connectivity
Response 200 (Reachable):
{
"reachable": true,
"latency": 145,
"message": "URL is reachable",
"error": ""
}
Response 200 (Unreachable):
{
"reachable": false,
"latency": 0,
"message": "",
"error": "connection timeout after 5s"
}
Response 400 (Invalid URL):
{
"error": "invalid URL format"
}
Response 403 (Security Block):
{
"error": "URL resolves to a private IP address (blocked for security)",
"details": "SSRF protection: private IP ranges are not allowed"
}
Response 403 (Admin Required):
{
"error": "Admin access required"
}
Field Descriptions:
reachable- Boolean indicating if the URL is accessiblelatency- Response time in milliseconds (0 if unreachable)message- Success message describing the resulterror- Error message if the test failed (empty on success)
Security Features:
This endpoint implements comprehensive SSRF protection:
- DNS Resolution Validation - Resolves hostname with 3-second timeout
- Private IP Blocking - Blocks 13+ CIDR ranges:
- RFC 1918 private networks (
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) - Loopback addresses (
127.0.0.0/8,::1/128) - Link-local addresses (
169.254.0.0/16,fe80::/10) - IPv6 Unique Local Addresses (
fc00::/7) - Multicast and other reserved ranges
- RFC 1918 private networks (
- Cloud Metadata Protection - Blocks AWS (
169.254.169.254) and GCP (metadata.google.internal) metadata endpoints - Controlled HTTP Request - HEAD request with 5-second timeout
- Limited Redirects - Maximum 2 redirects allowed
- Admin-Only Access - Requires authenticated admin user
Use Cases:
- Webhook validation: Verify webhook endpoints before saving
- Application URL testing: Confirm configured URLs are reachable
- Integration setup: Test external service connectivity
- Health checks: Verify upstream service availability
Examples:
# Test a public URL
curl -X POST http://localhost:8080/api/v1/settings/test-url \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{"url": "https://api.github.com"}'
# Response:
{
"reachable": true,
"latency": 152,
"message": "URL is reachable",
"error": ""
}
# Attempt to test a private IP (blocked)
curl -X POST http://localhost:8080/api/v1/settings/test-url \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{"url": "http://192.168.1.1"}'
# Response:
{
"error": "URL resolves to a private IP address (blocked for security)",
"details": "SSRF protection: private IP ranges are not allowed"
}
JavaScript Example:
const testURL = async (url) => {
const response = await fetch('http://localhost:8080/api/v1/settings/test-url', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer <admin-token>'
},
body: JSON.stringify({ url })
});
const data = await response.json();
if (data.reachable) {
console.log(`β ${url} is reachable (${data.latency}ms)`);
} else {
console.error(`β ${url} failed: ${data.error}`);
}
return data;
};
testURL('https://api.example.com');
Python Example:
import requests
def test_url(url, api_base='http://localhost:8080/api/v1'):
response = requests.post(
f'{api_base}/settings/test-url',
headers={
'Content-Type': 'application/json',
'Authorization': 'Bearer <admin-token>'
},
json={'url': url}
)
data = response.json()
if response.status_code == 403:
print(f"Security block: {data.get('error')}")
elif data.get('reachable'):
print(f"β {url} is reachable ({data['latency']}ms)")
else:
print(f"β {url} failed: {data['error']}")
return data
test_url('https://api.github.com')
Security Considerations:
- Only admin users can access this endpoint
- Private IPs and cloud metadata endpoints are always blocked
- DNS rebinding attacks are prevented by resolving before the HTTP request
- Request timeouts prevent slowloris-style attacks
- Limited redirects prevent redirect loops and excessive resource consumption
- Consider rate limiting this endpoint in production environments
SSL Certificates
List All Certificates
GET /certificates
Response 200:
[
{
"id": 1,
"uuid": "cert-uuid-123",
"name": "My Custom Cert",
"provider": "custom",
"domains": "example.com, www.example.com",
"expires_at": "2026-01-01T00:00:00Z",
"created_at": "2025-01-01T10:00:00Z"
}
]
Upload Certificate
POST /certificates/upload
Content-Type: multipart/form-data
Request Body:
name(required) - Certificate namecertificate_file(required) - Certificate file (.crt or .pem)key_file(required) - Private key file (.key or .pem)
Response 201:
{
"id": 1,
"uuid": "cert-uuid-123",
"name": "My Custom Cert",
"provider": "custom",
"domains": "example.com"
}
Delete Certificate
Delete a certificate. Requires that the certificate is not currently in use by any proxy hosts.
DELETE /certificates/:id
Parameters:
id(path) - Certificate ID (numeric)
Response 200:
{
"message": "certificate deleted"
}
Response 400:
{
"error": "invalid id"
}
Response 409:
{
"error": "certificate is in use by one or more proxy hosts"
}
Response 500:
{
"error": "failed to delete certificate"
}
Note: A backup is automatically created before deletion. The certificate files are removed from disk along with the database record.
Proxy Hosts
List All Proxy Hosts
GET /proxy-hosts
Response 200:
[
{
"uuid": "550e8400-e29b-41d4-a716-446655440000",
"domain": "example.com, www.example.com",
"forward_scheme": "http",
"forward_host": "localhost",
"forward_port": 8080,
"ssl_forced": false,
"http2_support": true,
"hsts_enabled": false,
"hsts_subdomains": false,
"block_exploits": true,
"websocket_support": false,
"enabled": true,
"enable_standard_headers": true,
"remote_server_id": null,
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
]
Get Proxy Host
GET /proxy-hosts/:uuid
Parameters:
uuid(path) - Proxy host UUID
Response 200:
{
"uuid": "550e8400-e29b-41d4-a716-446655440000",
"domain": "example.com",
"forward_scheme": "https",
"forward_host": "backend.internal",
"forward_port": 9000,
"ssl_forced": true,
"websocket_support": false,
"enabled": true,
"enable_standard_headers": true,
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
Response 404:
{
"error": "Proxy host not found"
}
Create Proxy Host
POST /proxy-hosts
Content-Type: application/json
Request Body:
{
"domain": "new.example.com",
"forward_scheme": "http",
"forward_host": "localhost",
"forward_port": 3000,
"ssl_forced": false,
"http2_support": true,
"hsts_enabled": false,
"hsts_subdomains": false,
"block_exploits": true,
"websocket_support": false,
"enabled": true,
"enable_standard_headers": true,
"remote_server_id": null
}
Required Fields:
domain- Domain name(s), comma-separatedforward_host- Target hostname or IPforward_port- Target port number
Optional Fields:
forward_scheme- Default:"http"ssl_forced- Default:falsehttp2_support- Default:truehsts_enabled- Default:falsehsts_subdomains- Default:falseblock_exploits- Default:truewebsocket_support- Default:falseenabled- Default:trueenable_standard_headers- Default:true(for new hosts),false(for existing hosts migrated from older versions)- When
true: Adds X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port headers - When
false: Old behavior (headers only added for WebSocket or application-specific needs)
- When
remote_server_id- Default:null
Response 201:
{
"uuid": "550e8400-e29b-41d4-a716-446655440001",
"domain": "new.example.com",
"forward_scheme": "http",
"forward_host": "localhost",
"enable_standard_headers": true,
"forward_port": 3000,
"created_at": "2025-01-18T10:05:00Z",
"updated_at": "2025-01-18T10:05:00Z"
}
Response 400:
{
"error": "domain is required"
}
Update Proxy Host
PUT /proxy-hosts/:uuid
Content-Type: application/json
Parameters:
uuid(path) - Proxy host UUID
Request Body: (all fields optional)
{
"domain": "updated.example.com",
"forward_port": 8081,
"ssl_forced": true
}
Response 200:
{
"uuid": "550e8400-e29b-41d4-a716-446655440000",
"domain": "updated.example.com",
"forward_port": 8081,
"ssl_forced": true,
"updated_at": "2025-01-18T10:10:00Z"
}
Delete Proxy Host
DELETE /proxy-hosts/:uuid
Parameters:
uuid(path) - Proxy host UUID
Response 204: No content
Response 404:
{
"error": "Proxy host not found"
}
Remote Servers
List All Remote Servers
GET /remote-servers
Query Parameters:
enabled(optional) - Filter by enabled status (trueorfalse)
Response 200:
[
{
"uuid": "660e8400-e29b-41d4-a716-446655440000",
"name": "Docker Registry",
"provider": "docker",
"host": "registry.local",
"port": 5000,
"reachable": true,
"last_checked": "2025-01-18T09:55:00Z",
"enabled": true,
"created_at": "2025-01-18T09:00:00Z",
"updated_at": "2025-01-18T09:55:00Z"
}
]
Get Remote Server
GET /remote-servers/:uuid
Parameters:
uuid(path) - Remote server UUID
Response 200:
{
"uuid": "660e8400-e29b-41d4-a716-446655440000",
"name": "Docker Registry",
"provider": "docker",
"host": "registry.local",
"port": 5000,
"reachable": true,
"enabled": true
}
Create Remote Server
POST /remote-servers
Content-Type: application/json
Request Body:
{
"name": "Production API",
"provider": "generic",
"host": "api.prod.internal",
"port": 8080,
"enabled": true
}
Required Fields:
name- Server namehost- Hostname or IPport- Port number
Optional Fields:
provider- One of:generic,docker,kubernetes,aws,gcp,azure(default:generic)enabled- Default:true
Response 201:
{
"uuid": "660e8400-e29b-41d4-a716-446655440001",
"name": "Production API",
"provider": "generic",
"host": "api.prod.internal",
"port": 8080,
"reachable": false,
"enabled": true,
"created_at": "2025-01-18T10:15:00Z"
}
Update Remote Server
PUT /remote-servers/:uuid
Content-Type: application/json
Request Body: (all fields optional)
{
"name": "Updated Name",
"port": 8081,
"enabled": false
}
Response 200:
{
"uuid": "660e8400-e29b-41d4-a716-446655440000",
"name": "Updated Name",
"port": 8081,
"enabled": false,
"updated_at": "2025-01-18T10:20:00Z"
}
Delete Remote Server
DELETE /remote-servers/:uuid
Response 204: No content
Test Remote Server Connection
Test connectivity to a remote server.
POST /remote-servers/:uuid/test
Parameters:
uuid(path) - Remote server UUID
Response 200:
{
"reachable": true,
"address": "registry.local:5000",
"timestamp": "2025-01-18T10:25:00Z"
}
Response 200 (unreachable):
{
"reachable": false,
"address": "offline.server:8080",
"error": "connection timeout",
"timestamp": "2025-01-18T10:25:00Z"
}
Note: This endpoint updates the reachable and last_checked fields on the remote server.
Live Logs & Notifications
Stream Live Logs (WebSocket)
Connect to a WebSocket stream of live security logs. This endpoint uses WebSocket protocol for real-time bidirectional communication.
GET /api/v1/logs/live
Upgrade: websocket
Query Parameters:
level(optional) - Filter by log level. Values:debug,info,warn,errorsource(optional) - Filter by log source. Values:cerberus,waf,crowdsec,acl
WebSocket Connection:
const ws = new WebSocket('ws://localhost:8080/api/v1/logs/live?source=cerberus&level=error');
ws.onmessage = (event) => {
const logEntry = JSON.parse(event.data);
console.log(logEntry);
};
ws.onerror = (error) => {
console.error('WebSocket error:', error);
};
ws.onclose = () => {
console.log('Connection closed');
};
Message Format:
Each message received from the WebSocket is a JSON-encoded LogEntry:
{
"level": "error",
"message": "WAF blocked request from 203.0.113.42",
"timestamp": "2025-12-09T10:30:45Z",
"source": "waf",
"fields": {
"ip": "203.0.113.42",
"rule_id": "942100",
"request_uri": "/api/users?id=1' OR '1'='1",
"severity": "CRITICAL"
}
}
Field Descriptions:
level- Log severity:debug,info,warn,errormessage- Human-readable log messagetimestamp- ISO 8601 timestamp (RFC3339 format)source- Component that generated the log (e.g.,cerberus,waf,crowdsec)fields- Additional structured data specific to the event type
Connection Lifecycle:
- Server sends a ping every 30 seconds to keep connection alive
- Client should respond to pings or connection may timeout
- Server closes connection if client stops reading
- Client can close connection by calling
ws.close()
Error Handling:
- If upgrade fails, returns HTTP 400 with error message
- Authentication required (when auth is implemented)
- Rate limiting applies (when rate limiting is implemented)
Example: Filter for critical WAF events only
const ws = new WebSocket('ws://localhost:8080/api/v1/logs/live?source=waf&level=error');
Get Notification Settings
Retrieve current security notification settings.
GET /api/v1/security/notifications/settings
Response 200:
{
"enabled": true,
"min_log_level": "warn",
"notify_waf_blocks": true,
"notify_acl_denials": true,
"notify_rate_limit_hits": false,
"webhook_url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX",
"email_recipients": "admin@example.com,security@example.com"
}
Field Descriptions:
enabled- Master toggle for all notificationsmin_log_level- Minimum severity to trigger notifications. Values:debug,info,warn,errornotify_waf_blocks- Send notifications for WAF blocking eventsnotify_acl_denials- Send notifications for ACL denial eventsnotify_rate_limit_hits- Send notifications for rate limit violationswebhook_url(optional) - URL to POST webhook notifications (Discord, Slack, etc.)email_recipients(optional) - Comma-separated list of email addresses
Response 404:
{
"error": "Notification settings not configured"
}
Update Notification Settings
Update security notification settings. All fields are optionalβonly provided fields are updated.
PUT /api/v1/security/notifications/settings
Content-Type: application/json
Request Body:
{
"enabled": true,
"min_log_level": "error",
"notify_waf_blocks": true,
"notify_acl_denials": false,
"notify_rate_limit_hits": false,
"webhook_url": "https://discord.com/api/webhooks/123456789/abcdefgh",
"email_recipients": "alerts@example.com"
}
Security Considerations:
Webhook URLs are validated to prevent SSRF attacks. Blocked destinations:
- Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Cloud metadata endpoints (169.254.169.254)
- Loopback addresses (127.0.0.0/8)
- Link-local addresses
Error Response:
{
"error": "Invalid webhook URL: URL resolves to a private IP address (blocked for security)"
}
All fields optional:
enabled(boolean) - Enable/disable all notificationsmin_log_level(string) - Must be one of:debug,info,warn,errornotify_waf_blocks(boolean) - Toggle WAF block notificationsnotify_acl_denials(boolean) - Toggle ACL denial notificationsnotify_rate_limit_hits(boolean) - Toggle rate limit notificationswebhook_url(string) - Webhook endpoint URLemail_recipients(string) - Comma-separated email addresses
Response 200:
{
"message": "Settings updated successfully"
}
Response 400:
{
"error": "Invalid min_log_level. Must be one of: debug, info, warn, error"
}
Response 500:
{
"error": "Failed to update settings"
}
Example: Enable notifications for critical errors only
curl -X PUT http://localhost:8080/api/v1/security/notifications/settings \
-H "Content-Type: application/json" \
-d '{
"enabled": true,
"min_log_level": "error",
"notify_waf_blocks": true,
"webhook_url": "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
}'
Webhook Payload Format:
When notifications are triggered, Charon sends a POST request to the configured webhook URL:
{
"event_type": "waf_block",
"severity": "error",
"timestamp": "2025-12-09T10:30:45Z",
"message": "WAF blocked SQL injection attempt",
"details": {
"ip": "203.0.113.42",
"rule_id": "942100",
"request_uri": "/api/users?id=1' OR '1'='1",
"user_agent": "curl/7.68.0"
}
}
Import Workflow
Check Import Status
Check if there's an active import session.
GET /import/status
Response 200 (no session):
{
"has_pending": false
}
Response 200 (active session):
{
"has_pending": true,
"session": {
"uuid": "770e8400-e29b-41d4-a716-446655440000",
"filename": "Caddyfile",
"state": "reviewing",
"created_at": "2025-01-18T10:30:00Z",
"updated_at": "2025-01-18T10:30:00Z"
}
}
Get Import Preview
Get preview of hosts to be imported (only available when session state is reviewing).
GET /import/preview
Response 200:
{
"hosts": [
{
"domain": "example.com",
"forward_host": "localhost",
"forward_port": 8080,
"forward_scheme": "http"
},
{
"domain": "api.example.com",
"forward_host": "backend",
"forward_port": 9000,
"forward_scheme": "https"
}
],
"conflicts": [
"example.com already exists"
],
"errors": []
}
Response 404:
{
"error": "No active import session"
}
Upload Caddyfile
Upload a Caddyfile for import.
POST /import/upload
Content-Type: application/json
Request Body:
{
"content": "example.com {\n reverse_proxy localhost:8080\n}",
"filename": "Caddyfile"
}
Required Fields:
content- Caddyfile content
Optional Fields:
filename- Original filename (default:"Caddyfile")
Response 201:
{
"session": {
"uuid": "770e8400-e29b-41d4-a716-446655440000",
"filename": "Caddyfile",
"state": "parsing",
"created_at": "2025-01-18T10:35:00Z"
}
}
Response 400:
{
"error": "content is required"
}
Upload Multiple Caddyfiles
Upload multiple Caddyfiles in a single request. Useful for importing configurations from multiple site files.
POST /import/upload-multi
Content-Type: application/json
Request Body:
{
"files": [
{
"filename": "example.com.Caddyfile",
"content": "example.com {\n reverse_proxy localhost:8080\n}"
},
{
"filename": "api.example.com.Caddyfile",
"content": "api.example.com {\n reverse_proxy localhost:9000\n}"
}
]
}
Required Fields:
files- Array of file objects (minimum 1)filename(string, required) - Original filenamecontent(string, required) - Caddyfile content
Response 200:
{
"hosts": [
{
"domain": "example.com",
"forward_host": "localhost",
"forward_port": 8080,
"forward_scheme": "http"
},
{
"domain": "api.example.com",
"forward_host": "localhost",
"forward_port": 9000,
"forward_scheme": "http"
}
],
"conflicts": [],
"errors": [],
"warning": ""
}
Response 400 (validation error):
{
"error": "files is required and must contain at least one file"
}
Response 400 (parse error with warning):
{
"error": "Caddyfile uses file_server which is not supported for import",
"warning": "file_server directive detected - static file serving is not supported"
}
TypeScript Example:
interface CaddyFile {
filename: string;
content: string;
}
const uploadCaddyfilesMulti = async (files: CaddyFile[]): Promise<ImportPreview> => {
const { data } = await client.post<ImportPreview>('/import/upload-multi', { files });
return data;
};
// Usage
const files = [
{ filename: 'site1.Caddyfile', content: 'site1.com { reverse_proxy :8080 }' },
{ filename: 'site2.Caddyfile', content: 'site2.com { reverse_proxy :9000 }' }
];
const preview = await uploadCaddyfilesMulti(files);
Commit Import
Commit the import after resolving conflicts.
POST /import/commit
Content-Type: application/json
Request Body:
{
"session_uuid": "770e8400-e29b-41d4-a716-446655440000",
"resolutions": {
"example.com": "overwrite",
"api.example.com": "keep"
}
}
Required Fields:
session_uuid- Active import session UUIDresolutions- Map of domain to resolution strategy
Resolution Strategies:
"keep"- Keep existing configuration, skip import"overwrite"- Replace existing with imported configuration"skip"- Same as keep
Response 200:
{
"imported": 2,
"skipped": 1,
"failed": 0
}
Response 400:
{
"error": "Invalid session or unresolved conflicts"
}
Cancel Import
Cancel an active import session.
DELETE /import/cancel?session_uuid=770e8400-e29b-41d4-a716-446655440000
Query Parameters:
session_uuid- Active import session UUID
Response 204: No content
Rate Limiting
π§ Rate limiting is not yet implemented.
Future rate limits:
- 100 requests per minute per IP
- 1000 requests per hour per IP
Pagination
π§ Pagination is not yet implemented.
Future pagination:
GET /proxy-hosts?page=1&per_page=20
Filtering and Sorting
π§ Advanced filtering is not yet implemented.
Future filtering:
GET /proxy-hosts?enabled=true&sort=created_at&order=desc
Webhooks
π§ Webhooks are not yet implemented.
Future webhook events:
proxy_host.createdproxy_host.updatedproxy_host.deletedremote_server.unreachableimport.completed
SDKs
No official SDKs yet. The API follows REST conventions and can be used with any HTTP client.
JavaScript/TypeScript Example
const API_BASE = 'http://localhost:8080/api/v1';
// List proxy hosts
const hosts = await fetch(`${API_BASE}/proxy-hosts`).then(r => r.json());
// Create proxy host
const newHost = await fetch(`${API_BASE}/proxy-hosts`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
domain: 'example.com',
forward_host: 'localhost',
forward_port: 8080
})
}).then(r => r.json());
// Test remote server
const testResult = await fetch(`${API_BASE}/remote-servers/${uuid}/test`, {
method: 'POST'
}).then(r => r.json());
Python Example
import requests
API_BASE = 'http://localhost:8080/api/v1'
# List proxy hosts
hosts = requests.get(f'{API_BASE}/proxy-hosts').json()
# Create proxy host
new_host = requests.post(f'{API_BASE}/proxy-hosts', json={
'domain': 'example.com',
'forward_host': 'localhost',
'forward_port': 8080
}).json()
# Test remote server
test_result = requests.post(f'{API_BASE}/remote-servers/{uuid}/test').json()
Support
For API issues or questions:
- GitHub Issues: https://github.com/Wikid82/charon/issues
- Discussions: https://github.com/Wikid82/charon/discussions