Proxy Rules Reference

Proxy interception rules.

Rules are evaluated in declaration order against the target URL (the URL the client is trying to reach, not the proxy's own address). The first matching rule wins — subsequent rules are not evaluated for that request. Requests that match no rule fall through to the default action ("allow").

Rules can block, record, or modify traffic declaratively. For programmable interception with JavaScript handlers, use the elide:proxy JS API instead of (or in addition to) these declarative rules.

Example — block ads and record API traffic:

pkl

rules {
  new { match = "*.doubleclick.net"; action = "block" }
  new { match { host = "api.example.com"; path = "/v1/**" }; action = "record" }
}

> This page is auto-generated from the PKL schema. See the guide for usage examples.

Types

`HttpMethod`

Standard HTTP request methods used for rule matching.

pkl

typealias HttpMethod = "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS" | "TRACE"

`RuleAction`

Action to take when a request matches a rule.

"allow" — forward to upstream unmodified (default, zero overhead)
"block" — reject with an error response; no upstream connection is made
"record" — forward and capture the full request/response for inspector

viewing (implies MITM for HTTPS targets; see RecordingConfig)

"modify" — apply requestHeaders/responseHeaders transformations

before forwarding or returning

pkl

typealias RuleAction = "allow" | "block" | "record" | "modify"

---

`ProxyMatch`

Match conditions for a proxy rule.

All non-null fields are ANDed together: every specified field must match for the rule to fire. Omitting a field (leaving it null) means "match any value" for that dimension. An empty ProxyMatch {} matches all requests.

Field	Type	Default	Description
`host`	String?	`null`	Hostname or glob pattern to match against the request's target host.
`path`	String?	`null`	URL path pattern to match. matches a single path segment; `*`
`port`	UInt?	`null`	Destination port number. When `null`, matches any port.
`protocol`	("http" \	"https")?	`null`	Protocol to match. When `null`, matches both HTTP and HTTPS.
`methods`	Listing?	`null`	HTTP methods to match. When `null`, matches all methods. When set,

`host`

Hostname or glob pattern to match against the request's target host.

pkl

host = "*.example.com"
host = "api.stripe.com"

`path`

URL path pattern to match. matches a single path segment; * matches zero or more segments.

pkl

path = "/api/**"
path = "/v1/users/*"

`methods`

HTTP methods to match. When null, matches all methods. When set, only requests using one of the listed methods match this rule.

pkl

methods { "GET"; "HEAD" }

---

`HeaderOps`

Header mutation operations applied to requests or responses.

Operations are applied in order: set, then add, then remove.

pkl

requestHeaders {
  set { ["X-Forwarded-For"] = "10.0.0.1" }
  remove { "Cookie" }
}

Field	Type	Default	Description
`set`	Mapping	(empty)	Headers to set unconditionally. If a header already exists, its value
`add`	Mapping	(empty)	Headers to append. If the header already exists, the new value is
`remove`	Listing	(empty)	Header names to remove. Matching is case-insensitive. If the header

`set`

Headers to set unconditionally. If a header already exists, its value is overwritten. If it does not exist, it is added.

`add`

Headers to append. If the header already exists, the new value is added as an additional header line (preserving the original).

`remove`

Header names to remove. Matching is case-insensitive. If the header does not exist, the entry is silently ignored.

---

`BlockResponse`

Custom HTTP response returned to the client when a rule blocks a request.

When omitted from a "block" rule, a default 403 Forbidden response with an empty body is sent.

pkl

blockResponse {
  status = 451
  body = "Blocked by policy"
}

Field	Type	Default	Description
`status`	UInt	`403`	HTTP status code for the block response. Default: `403`.
`body`	String?	`null`	Response body text sent to the client. When `null`, an empty body
`contentType`	String	`"text/plain; charset=utf-8"`	Value of the `Content-Type` response header. Default:

`body`

Response body text sent to the client. When null, an empty body is returned.

`contentType`

Value of the Content-Type response header. Default: "text/plain; charset=utf-8".

---

`ProxyRule`

A proxy rule that pairs match conditions with an action and optional transformations. Rules are defined inside ProxyConfig.rules and evaluated in declaration order.

pkl

new {
  label = "Block ad trackers"
  match = "*.doubleclick.net"
  action = "block"
}

Field	Type	Default	Description
`match`	(String \	ProxyMatch)	(required)	Conditions that select which requests this rule applies to. Accepts
`action`	RuleAction	`"allow"`	Action to take on matched requests. See `RuleAction` for the full
`blockResponse`	BlockResponse?	`null`	Custom HTTP response returned when `action` is `"block"`. Ignored for
`requestHeaders`	HeaderOps?	`null`	Header mutations applied to the outgoing request before it is forwarded
`responseHeaders`	HeaderOps?	`null`	Header mutations applied to the upstream response before it is
`mitm`	Boolean?	`null`	Per-rule override for the global MITM interception setting (see
`label`	String?	`null`	Human-readable label for this rule, displayed in the inspector UI and

`match`

Conditions that select which requests this rule applies to. Accepts either a hostname glob string (shorthand) or a full ProxyMatch object for multi-dimensional matching.

pkl

match = "*.ads.example.com"
match { host = "api.stripe.com"; path = "/v1/**" }

`action`

Action to take on matched requests. See RuleAction for the full list of actions. Default: "allow".

`blockResponse`

Custom HTTP response returned when action is "block". Ignored for other actions. When omitted, a default 403 Forbidden with an empty body is sent. See BlockResponse for customization options.

`requestHeaders`

Header mutations applied to the outgoing request before it is forwarded upstream. Only effective for "allow", "record", and "modify" actions — ignored for "block". See HeaderOps for set/add/remove operations.

`responseHeaders`

Header mutations applied to the upstream response before it is returned to the client. Ignored for "block" actions. See HeaderOps for set/add/remove operations.

`mitm`

Per-rule override for the global MITM interception setting (see MitmConfig). true forces MITM for matching HTTPS requests even if the host is globally excluded. false disables MITM even if globally included. null (default) inherits the global setting.

`label`

Human-readable label for this rule, displayed in the inspector UI and emitted in log messages. Has no effect on rule evaluation.

---