About j8a

j8a is a modern TLS 1.3 reverse proxy server designed as a lightweight API gateway for REST APIs. It is built in Go and operates as a secure intermediary that forwards client requests to backend upstream services. Key features include high performance handling around 5,000 POST requests per second, TLS 1.2 and 1.3 termination with an A+ SSLLabs rating, and automatic certificate renewal using ACME. It offers zero-downtime operation and observability through API request tracing with correlation IDs for upstream microservices. Built-in application performance monitoring logs CPU and memory usage on a daily basis. j8a is suitable for developers and organizations needing a simple, secure, and fast reverse proxy to expose REST APIs, enforce TLS encryption, and route traffic to backend services. It ships as a minimal Docker image with no known vulnerabilities and supports multiplatform builds. Licensed under Apache 2.0, j8a is designed for easy deployment in containerized environments and integrates with modern CI/C

s

Published by

simonmittag

Visit View Profile

README.md

View on GitHub

What is j8a?

j8a [ dʒʌbbʌ ] is a modern TLS 1.3 reverse proxy server designed as a lightweight API gateway for REST APIs.

What's new?

v1.1.3 (23/04/2025)

upgraded to github.com/lestrrat-go/jwx/v3, retired older dependencies.

v1.1.2 (17/04/2025)

Update to Go 1.24
Update to goreleaser 2.8 and multiplatform docker build
Bumped several dependencies

CVEs

🛡️ J8a v1.1.3 has zero reported CVEs as of 23/04/2025. If you are a security researcher, the project team would like to hear from you.

Trivy

λ trivy image simonmittag/j8a:v1.1.3
2025-04-23T01:09:26+10:00       INFO    [gobinary] Detecting vulnerabilities...

Report Summary
┌────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                 Target                 │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ simonmittag/j8a:v1.1.3 (alpine 3.21.3) │  alpine  │        0        │    -    │
├────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ j8a                                    │ gobinary │        0        │    -    │
└────────────────────────────────────────┴──────────┴─────────────────┴─────────┘

Docker Scout

λ docker scout cves simonmittag/j8a:v1.1.3
    ✓ Indexed 56 packages
    ✓ No vulnerable package detected

                    │       Analyzed Image         
────────────────────┼──────────────────────────────
  Target            │  simonmittag/j8a:v1.1.3      
    digest          │  54aae504c670                
    platform        │ linux/arm64                  
    vulnerabilities │    0C     0H     0M     0L   
    size            │ 9.2 MB                       
    packages        │ 56

Features

Fast! 5k POST req/s traffic.
Secure. TLS1.2, TLS/1.3 termination w/ A+ SSLLabs rating.
Zero downtime. Auto-renew certs using ACME RFC 8555.
Observable. API request tracing w/ correlation ID for upstream microservices.
APM. CPU, memory logging built-in. Daily TLS health and validity check for your full certificate chain.
JWT token validation with full JWK(S) support for RFC 7519.
HTTP/1.1 and HTTP/2 support w/ upstream <> downstream protocol translation.
Websocket Support for RFC 6455
Docker native

Up and running

Docker

docker pull simonmittag/j8a &&
  docker run -e J8ACFG_YML -p443:443 simonmittag/j8a

Homebrew

brew tap simonmittag/cli && 
  brew install j8a && 
  j8a

Golang

go install github.com/simonmittag/j8a/cmd/j8a@latest &&
  j8a

Usage

J8a runs from the cli. The process will attempt to load its configuration from the environment variable J8ACFG_YML, a specified config file, or the default config file j8acfg.yml (in that order). You can validate the config using the -o flag without actually starting the server, which is useful for ci/cd pipelines. In validate mode, the process successfully exits with 0, or -1 in case of failure.

Commandline Options

λ j8a -h
j8a[v1.0.1] Goodde da lodia!
Usage: j8a [-c] [-o] | [-v] | [-h]
  -c string
        config file location (default "j8acfg.yml").
  -h    print usage instructions.
  -o    validate config file, then exit.
  -v    print version.

Examples

Validate Server Configuration supplied as myconfig.yml

λ j8a -c myconfig.yml -o
6:25PM INF hostName determined hostName=MacBook-Pro-16.local
6:25PM INF version determined version=v1.0.1
6:25PM INF srvID determined srvID=c91cda8c
...

Start Server With Configuration supplied as myconfig.yml

λ j8a -c myconfig.yml 
6:25PM INF hostName determined hostName=MacBook-Pro-16.local
6:25PM INF version determined version=v1.0.1
6:25PM INF srvID determined srvID=c91cda8c
...

Start Server With Configuration supplied via J8ACFG_YML

J8ACFG_YML="---
            connection:
              downstream:
                http:
                  port: 80
            routes:
              - path: "/todos"
                resource: jsonplaceholder
            resources:
              jsonplaceholder:
                - url:
                    scheme: https
                    host: jsonplaceholder.typicode.com
                    port: 443" j8a

Contributions

The j8a team is looking for and welcomes all contributors. Everyone interacting with the project's codebase, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct

Release Cycle

Now that 1.0 is reached, we usually release 3/4 minor versions per year.
Bug-fixes (e.g. 1.0.1, 1.0.2) are released as needed (no additional features are delivered in those versions, bug-fixes only).
Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).

We use Semantic Versioning.

j8a