Server Configuration Reference

Top-level configuration schema for the Elide HTTP server.

This module is the root of an elide serve configuration. It covers listeners, routing, forward proxying, TLS, the admin API, global middleware, and observability. Every field has a sane default so a minimal config only needs to specify what differs from the defaults.

Server block keys

The servers mapping uses the key as the server's identity. The key determines default listener and domain settings:

Domain key (contains ., no :): infers listen :443 and

domains { key } with auto-TLS. Examples: "example.com", "api.example.com".

Address key (starts with : or matches host:port): infers

listen { key }. Examples: ":8080", "0.0.0.0:3128".

Label key (anything else): no inference; listen and domains

must be set explicitly. Examples: "main", "internal".

Explicit listen or domains declarations always override inference.

Quick examples

Static site with auto-TLS (inferred from domain key):

pkl

amends "elide:serve/ElideServer.pkl"
servers {
  ["example.com"] {
    handler = new StaticFiles { root = "./dist"; spaFallback = true }
  }
}

Reverse proxy:

pkl

servers {
  ["api.example.com"] {
    handler = new ReverseProxy { upstreams { "backend:8080" } }
  }
}

Forward proxy with MITM:

pkl

servers {
  [":8080"] {
    proxy { mitm {}; recording {} }
  }
}

Mixed — serve files, reverse proxy an API, and forward proxy on one port:

pkl

servers {
  ["app.example.com"] {
    routes {
      new { match = "/api/**"; handler = new ReverseProxy { upstreams { "backend:9000" } } }
    }
    handler = new StaticFiles { root = "./dist"; spaFallback = true }
    proxy { mitm {}; recording {} }
  }
}

> This page is auto-generated from the PKL schema. See the Serve Guide for usage examples.

Serve Reference Pages

Page	Description
Handler Reference	Configuration reference for Elide server handlers
Middleware Reference	Configuration reference for Elide server middleware
TLS Configuration Reference	Configuration reference for TLS and certificate management
Listener Reference	Configuration reference for listener addresses and protocols
Route Reference	Configuration reference for route matching and dispatch
Network Configuration Reference	Configuration reference for network attachments
Tailscale Configuration Reference	Configuration reference for Tailscale integration
Tunnel Configuration Reference	Configuration reference for WireGuard tunnel bridging
DNS Configuration Reference	Configuration reference for DNS resolver settings
WebRTC Configuration Reference	Configuration reference for WebRTC listeners

Proxy Reference Pages

Page	Description
Proxy Configuration Reference	Configuration reference for the Elide forward proxy
MITM Configuration Reference	Configuration reference for MITM TLS interception
Access Control Reference	Configuration reference for proxy access control
Proxy Rules Reference	Configuration reference for proxy interception rules
Recording Configuration Reference	Configuration reference for proxy traffic recording

Type Re-exports

The root module re-exports types from sub-modules for convenience when amending ElideServer.pkl.

Type	Source
`Listen`	Listen.pkl
`Protocol`	Listen.pkl
`Route`	Route.pkl
`RouteMatch`	Route.pkl
`HttpMethod`	Route.pkl
`Handler`	Handler.pkl
`StaticFiles`	Handler.pkl
`ReverseProxy`	Handler.pkl
`Redirect`	Handler.pkl
`Cgi`	Handler.pkl
`Respond`	Handler.pkl
`Upstream`	Handler.pkl
`ProxyCache`	Handler.pkl
`Middleware`	Middleware.pkl
`Compress`	Middleware.pkl
`RateLimit`	Middleware.pkl
`Cors`	Middleware.pkl
`Headers`	Middleware.pkl
`BasicAuth`	Middleware.pkl
`RequestId`	Middleware.pkl
`AccessLog`	Middleware.pkl
`Rewrite`	Middleware.pkl
`BodyLimit`	Middleware.pkl
`TailscaleAuth`	Middleware.pkl
`ErrorPage`	Middleware.pkl
`JwtAuth`	Middleware.pkl
`JwtKey`	Middleware.pkl
`JwtAlgorithm`	Middleware.pkl
`SecurityHeaders`	Middleware.pkl
`IpFilter`	Middleware.pkl
`ConnectionLimit`	Middleware.pkl
`TlsConfig`	Tls.pkl
`CertStorage`	Tls.pkl
`OnDemandTls`	Tls.pkl
`ClientAuth`	Tls.pkl
`DnsConfig`	Dns.pkl
`TailscaleConfig`	Tailscale.pkl
`DiscoConfig`	Tailscale.pkl
`DataPlaneConfig`	Tailscale.pkl
`DerpConfig`	Tailscale.pkl
`TunnelConfig`	Tunnel.pkl
`NetworkConfig`	Network.pkl
`WireGuardConfig`	Network.pkl
`WebRtcListener`	Webrtc.pkl
`ContextMode`	Webrtc.pkl
`ProxyConfig`	Proxy.pkl
`MitmConfig`	Mitm.pkl
`AccessControl`	Access.pkl
`ProxyRule`	ProxyRule.pkl
`ProxyMatch`	ProxyRule.pkl
`RecordingConfig`	Recording.pkl

Shared Types

`ServerTransport`

Transport backend to use for accepting connections.

"auto" selects the best available backend for the current platform.

pkl

typealias ServerTransport = "auto" | "io_uring" | "kqueue" | "epoll" | "nio" | "iocp"

`LogLevel`

Severity level for structured log output. Messages below the configured level are discarded. Ordered most to least verbose: "trace", "debug", "info", "warn", "error".

pkl

typealias LogLevel = "trace" | "debug" | "info" | "warn" | "error"

`LogFormat`

Format for structured log output.

"json" — one JSON object per line (recommended for log pipelines)
"text" — compact single-line text
"pretty" — human-readable multiline output

pkl

typealias LogFormat = "json" | "text" | "pretty"

`Http3Policy`

HTTP/3 (QUIC) enablement policy.

"ifTls" (default): enable HTTP/3 transparently when TLS is configured;

disable silently otherwise.

"required": require HTTP/3 — the server refuses to start if TLS is not

configured.

"disabled": never enable HTTP/3, even when TLS is available.

pkl

typealias Http3Policy = "ifTls" | "required" | "disabled"

`ListenEntry`

Listener entry — either a full Listen object or a string shorthand.

"0.0.0.0:443" — address with default protocols new Listen { address = "0.0.0.0:443" } — full form

pkl

typealias ListenEntry = String | _listen.Listen

`UpstreamEntry`

Upstream entry — either a full Upstream object or a string shorthand.

"backend-1:8080" — address with default weight new Upstream { address = "backend-1:8080" } — full form

pkl

typealias UpstreamEntry = String | _handler.Upstream

`HandlerEntry`

Handler for the server block — either a full Handler, or a UInt status code shorthand.

new StaticFiles { root = "./dist" } — serve files new ReverseProxy { upstreams { "back:8080" } } — proxy upstream 404 — fixed status code

pkl

typealias HandlerEntry = UInt(isBetween(100, 599)) | _handler.Handler

---

Root Properties

These properties are set at the top level of the configuration file.

Field	Type	Default	Description
`global`	GlobalSettings	(empty)	Global settings applied to all server blocks. See `GlobalSettings` for
`servers`	Mapping?	`null`	Server blocks, keyed by domain, address, or label.
`tls`	TlsConfig	(empty)	TLS and certificate management configuration applied to all server
`networks`	Mapping?	`null`	Named network attachments (Tailscale, WireGuard, or both).
`devMode`	Boolean	`false`	Enable development mode. When `true`, the server injects a live-reload
`ktls`	Boolean	`false`	Enable kernel TLS (kTLS) offload. When `true`, the server hands off
`autoHttpsRedirect`	Boolean	`true`	Automatically redirect plain HTTP requests to HTTPS with a `301`
`admin`	AdminSettings	(empty)	Admin API for runtime introspection, metrics, and health probes.
`observability`	Observability	`new Observability {}`	Distributed tracing and telemetry (OpenTelemetry / W3C Trace Context).
`logging`	LoggingSettings	(empty)	Structured logging configuration (severity, format, access logs).

`global`

Global settings applied to all server blocks. See GlobalSettings for available fields (workers, connection limits, transport, keep-alive, DNS).

`servers`

Server blocks, keyed by domain, address, or label.

When null, a single implicit server block is used with default settings. See ServerBlock for per-block options and the module-level doc comment for key-inference rules.

pkl

servers {
  ["example.com"] {
    handler = new StaticFiles { root = "./dist" }
  }
  [":8080"] {
    proxy { mitm {}; recording {} }
  }
}

`tls`

TLS and certificate management configuration applied to all server blocks by default. Individual blocks can override specific fields via ServerBlock.tls. See TlsConfig for ACME, cert storage, OCSP stapling, and cipher-suite options.

`networks`

Named network attachments (Tailscale, WireGuard, or both).

Each entry is an independent tunnel with its own data plane, routing rules, and identity. The key is a human-readable name used in logs and metrics. See NetworkConfig for per-attachment options.

pkl

networks {
  ["production"] {
    tailscale { direct = true; authKey = env("TS_PROD_KEY") }
    tunnel { bridgeInbound = true }
  }
  ["office-vpn"] {
    wireguard { configFile = "./wg-office.conf" }
    tunnel { bridgeOutbound = true }
  }
}

`devMode`

Enable development mode. When true, the server injects a live-reload SSE endpoint and a companion