Chain Engine
Chain Policies
Configure Chain Engine startup validation, auth, health checks, fallback, retry, and bandwidth behavior.
Policies decide how a saved chain behaves at runtime.
Balanced Policy
The default policy is policy-balanced.
| Setting | Default |
|---|---|
| Name | Balanced |
| Startup validation | Disabled |
| Require auth | Disabled |
| Expected status | 200 |
| Request timeout | 20 seconds |
| Connect timeout | 12 seconds |
| Health check interval | 20 seconds |
| Failure threshold | 3 |
| Retry budget | 1 |
| Fallback enabled | Enabled |
The default Balanced policy cannot be deleted.
Policies that are in use cannot be deleted. This keeps running or saved chains from pointing at a missing policy.
Policy Fields
| Field | Use |
|---|---|
| Startup validation | Probe routes before accepting runtime startup as healthy. |
| Require auth | Protect the local runtime endpoint with Basic proxy authentication. |
| Auth username/password | Credentials local clients must present when runtime auth is enabled. |
| Probe URL | Target used for health checks. |
| Expected status codes | Successful statuses for probes. |
| Request timeout | Whole request timeout for forwarded requests. |
| Connect timeout | Dial and tunnel timeout. |
| Health interval | How often routes are probed. |
| Failure threshold | Consecutive failures before route health changes. |
| Retry budget | Number of alternate route attempts when fallback is enabled. |
| Fallback enabled | Allows fallback routes when the primary route fails. |
| Bandwidth limit | Optional runtime traffic cap in megabytes. |
Runtime Behavior Controlled By Policy
| Feature | Detail |
|---|---|
| Startup validation | Can require a route to pass probes before the runtime is considered healthy. |
| Degraded runtime | If primary validation fails but fallback works, the runtime can start in a degraded state. |
| Retry budget | Limits how many fallback route attempts can be made for a request. |
| Failure threshold | Determines when a route becomes unhealthy after repeated health probe failures. |
| Basic proxy auth | Uses local Basic auth and a ZeroTrace Chain Runtime challenge realm. |
| Bandwidth limit | Stops forwarding when the cap is reached and records a bandwidth notice/error. |
When To Customize
| Need | Change |
|---|---|
| Require local clients to authenticate | Enable auth and set username/password. |
| Target-specific health | Set a target-specific probe URL and expected statuses. |
| Faster failure detection | Lower timeout and failure threshold. |
| More conservative operation | Increase timeout or failure threshold. |
| Hard traffic cap | Set bandwidth limit. |
Do not use a probe URL that only works from your normal IP if the point is to validate proxy-chain exit behavior.