Deploy the proxy

The Rowsel proxy is packaged as a cloud-neutral OCI image. The same image runs on Docker, Kubernetes, AWS ECS/Fargate, GCP Cloud Run, Azure Container Apps, or a plain VM. It listens on port 8080, runs as a non-root user, and logs to stdout/stderr.

The proxy is a database execution boundary

The proxy accepts database credentials and SQL in the request path. It has no built-in authentication. Do not expose it directly to the public internet. Run it inside a private network, behind your own auth gateway, or reachable only by your app/backend. Keep query execution read-only until you have a write-permission model.

Docker

The image is published to Docker Hub:

docker run --rm -p 8080:8080 sdin99/rowsel-proxy:latest

Check it’s healthy:

curl -s http://localhost:8080/health
# {"status":"ok","data":{"service":"rowsel-proxy","status":"ok","version":"..."}}

The proxy is stateless for stateless requests, so you can run multiple replicas behind a load balancer.

Configuration

All configuration is via environment variables. Defaults are conservative so a mobile client can’t accidentally hold too many live database resources. Values are clamped at startup.

Variable	Default	Purpose
RUST_LOG	info	Log verbosity (tracing).
ROWSEL_REQUEST_BODY_LIMIT_BYTES	1048576	Max request body; larger returns HTTP 413.
ROWSEL_MAX_SESSIONS	32	Max concurrent live sessions.
ROWSEL_SESSION_IDLE_TIMEOUT_MS	600000	Idle session timeout.
ROWSEL_SESSION_MAX_LIFETIME_MS	1800000	Max session lifetime.
ROWSEL_SESSION_POOL_MAX_CONNECTIONS	2	Pool connections per session.
ROWSEL_SESSION_POOL_ACQUIRE_TIMEOUT_MS	3000	Pool acquire timeout.

Kubernetes

A minimal Deployment + ClusterIP Service. Expose it only inside the cluster (or behind an authenticated ingress) — never as a bare public route.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rowsel-proxy
spec:
  replicas: 1
  selector:
    matchLabels: { app: rowsel-proxy }
  template:
    metadata:
      labels: { app: rowsel-proxy }
    spec:
      containers:
        - name: proxy
          image: sdin99/rowsel-proxy:latest
          ports: [{ containerPort: 8080, name: http }]
          readinessProbe:
            httpGet: { path: /health, port: http }
          livenessProbe:
            httpGet: { path: /health, port: http }
---
apiVersion: v1
kind: Service
metadata:
  name: rowsel-proxy
spec:
  selector: { app: rowsel-proxy }
  ports: [{ port: 8080, targetPort: http }]

Point the app’s proxy URL at the service, e.g. http://rowsel-proxy.<namespace>.svc.cluster.local:8080.

Reaching private databases

If the database isn’t directly reachable from the proxy, use an SSH tunnel: the proxy opens a short-lived local forward through a bastion host and connects through it. See the Proxy API reference for the tunnel request shape.