Struct ProxyManager 

pub struct ProxyManager { /* private fields */ }

Manages proxy routing for agent-controlled services

The ProxyManager coordinates between the agent’s service lifecycle and the proxy crate’s routing/load balancing infrastructure. It supports:

• HTTP/HTTPS/WebSocket (L7): Multiple port listeners sharing the same ServiceRegistry for request matching and load balancing.
• TCP/UDP (L4): Standalone stream proxy listeners that forward raw connections/datagrams to backends via the StreamRegistry.

Implementations

impl ProxyManager

pub fn new( config: ProxyManagerConfig, registry: Arc<ServiceRegistry>, cert_manager: Option<Arc<CertManager>>, ) -> Self

Create a new ProxyManager with the given configuration, service registry, and optional certificate manager.

pub fn registry(&self) -> Arc<ServiceRegistry>

Get a reference to the service registry

pub fn load_balancer(&self) -> Arc<LoadBalancer>

Get a reference to the load balancer

pub fn active_connections(&self) -> u64

Get the number of currently active proxy connections.

pub fn cert_manager(&self) -> Option<&Arc<CertManager>>

Get a reference to the certificate manager (if configured)

pub fn set_stream_registry(&mut self, registry: Arc<StreamRegistry>)

Set the stream registry for L4 proxy integration (TCP/UDP)

pub fn with_stream_registry(self, registry: Arc<StreamRegistry>) -> Self

Builder pattern: add stream registry for L4 proxy integration

pub fn stream_registry(&self) -> Option<&Arc<StreamRegistry>>

Get the stream registry (if configured)

pub fn set_network_policy_checker(&mut self, checker: NetworkPolicyChecker)

Set the network policy checker for access control enforcement

pub fn with_network_policy_checker(self, checker: NetworkPolicyChecker) -> Self

Builder pattern: add network policy checker for access control enforcement

pub async fn listen_on(&self, port: u16, bind_ip: IpAddr) -> Result<()>

Start listening on a specific port bound to the given address.

If already listening on this port, skip. All port listeners share the same ServiceRegistry for request matching.

Errors

Returns an error if the proxy server cannot be started.

pub async fn listen_on_tls(&self, port: u16, bind_ip: IpAddr) -> Result<()>

Start an HTTPS listener on the given port using SniCertResolver for dynamic cert selection.

If already listening on this port, skip. Requires a CertManager to be configured; logs a warning and returns Ok(()) if not.

Errors

Returns an error if the HTTPS proxy server cannot be started.

pub async fn stop(&self)

Stop all proxy servers on all ports.

After signalling each server to shut down, waits up to 30 seconds for active connections to drain before returning.

pub async fn unbind(&self, port: u16)

Remove and shut down the listener on a specific port.

pub async fn ensure_ports_for_service( &self, spec: &ServiceSpec, overlay_ip: Option<IpAddr>, ) -> Result<()>

Scan a service’s endpoints and ensure the proxy is listening on all required ports.

• HTTP/HTTPS/WebSocket endpoints start an HTTP proxy listener.
• TCP endpoints bind a TcpListener and spawn a TcpStreamService.
• UDP endpoints bind a UdpSocket and spawn a UdpStreamService.

Bind address is determined by the expose type:

• Public endpoints bind to 0.0.0.0 (all interfaces).
• Internal endpoints bind to the overlay IP so they are only reachable from within the overlay network. If no overlay is available, internal endpoints bind to 127.0.0.1 (localhost only).

Errors

Returns an error if an HTTP/HTTPS listener cannot be started.

pub async fn add_service(&self, name: &str, spec: &ServiceSpec)

Add routes for a service based on its specification

This creates proxy routes for each endpoint defined in the ServiceSpec. HTTP/HTTPS/WebSocket endpoints get L7 routes via the ServiceRegistry. TCP/UDP endpoints are tracked but their L4 registration is handled by the ServiceManager::register_service_routes() method.

pub async fn remove_service(&self, name: &str)

Remove all routes, L4 listeners, and HTTP server handles for a service.

This performs a full cleanup of all proxy resources associated with the service:

• Removes L7 (HTTP/HTTPS/WebSocket) routes from the ServiceRegistry
• Unregisters TCP/UDP stream services from the StreamRegistry
• Removes port tracking for TCP/UDP listeners
• Shuts down HTTP proxy server handles that were exclusively owned by this service (only if no other service uses the same port)

pub async fn add_backend(&self, service: &str, addr: SocketAddr)

Add a single backend to a service

pub async fn remove_backend(&self, service: &str, addr: SocketAddr)

Remove a backend from a service

pub async fn update_backend_health( &self, service: &str, addr: SocketAddr, healthy: bool, )

Update the health status of a backend in the load balancer.

Delegates to LoadBalancer::mark_health so that unhealthy backends are skipped during selection.

pub async fn update_backends(&self, service: &str, addrs: Vec<SocketAddr>)

Update the backends for a service

This replaces all backends for the given service with the provided list. Each backend should be the address where the service replica is listening.

pub async fn route_count(&self) -> usize

Get the number of registered routes

pub async fn list_services(&self) -> Vec<String>

Get the list of registered service names

pub async fn has_service(&self, name: &str) -> bool

Check if a service has any registered endpoints