Latin: "doorkeeper" — the person who stands at the door, decides who enters, and announces visitors.
Ostiarius is the public-facing reverse proxy component of Limen. It terminates TLS, routes traffic via YARP, and enforces per-route authentication (Ed25519 JWT verification, revocation polling).
Ostiarius is automatically deployed by Limentinus on nodes with the proxy role. You don't need to manage it manually.
- YARP-based reverse proxy — hostname routing from Limen config
- Automatic TLS via LettuceEncrypt-Archon (ACME/Let's Encrypt)
- Resource authentication — Ed25519 JWT verify + revocation cache; password, magic-link, SSO flows
- Identity headers — injects `X-Limen-User-*` headers to upstream services
- Config via WebSocket — auto-reconnecting control channel to Limen
.NET 10 / ASP.NET Core • NativeAOT • YARP • NSec.Cryptography (Ed25519)
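
Because upstream services trust the `X-Limen-User-*` headers, a proxy that injects them has to discard any header in that namespace sent by the client before adding its own. The ASP.NET Core middleware below does that check; it is an added example, not Ostiarius source, and the header suffixes (`Id`, `Email`) and claim names (`sub`, `email`) are assumptions.

```csharp
// Added example, not Ostiarius source. Only the X-Limen-User-* prefix comes
// from the page; the suffixes and claim names are assumptions.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();

// Must run after token verification has populated HttpContext.User and
// before the request is handed to the proxy pipeline.
app.Use(async (context, next) =>
{
    IdentityHeaders.Apply(context.Request.Headers, context.User);
    await next(context);
});

app.Run();

public static class IdentityHeaders
{
    public const string Prefix = "X-Limen-User-";

    public static void Apply(IHeaderDictionary headers, ClaimsPrincipal user)
    {
        // 1. Drop every client-supplied header in the reserved namespace,
        //    case-insensitively, so a caller cannot pre-seed an identity.
        var spoofed = headers.Keys
            .Where(k => k.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
            .ToList();
        foreach (var name in spoofed) headers.Remove(name);

        // 2. Unauthenticated request: forward with no identity headers at all.
        if (user.Identity?.IsAuthenticated != true) return;

        // 3. Re-create the headers only from claims of the verified token.
        Set(headers, "Id", user.FindFirst("sub")?.Value);
        Set(headers, "Email", user.FindFirst("email")?.Value);
    }

    private static void Set(IHeaderDictionary headers, string suffix, string? value)
    {
        // Skip empty values and anything containing CR/LF or other control characters.
        if (string.IsNullOrEmpty(value) || value.Any(char.IsControl)) return;
        headers[Prefix + suffix] = value;
    }
}
```

Upstream services should accept traffic only from the proxy, since the headers carry no signature of their own.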
See the Limen design spec.