Readme update

Added configurable rate limiter
Enable/Disable config API from config
2026-04-30 23:08:40 +08:00 · 2025-07-09 15:22:38 +02:00 · 2025-07-09 15:01:20 +02:00 · 2025-07-04 15:06:05 +02:00 · 2025-07-02 19:00:05 +02:00 · 2025-07-02 18:29:14 +02:00
22 changed files with 1482 additions and 446 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -110,6 +110,44 @@ dependencies = [
 "windows-sys 0.59.0",
 ]
 [[package]]
 name = "aralez"
 version = "0.9.1"
 dependencies = [
 "arc-swap",
 "async-trait",
 "axum",
 "axum-server",
 "base16ct",
 "base64",
 "dashmap",
 "env_logger",
 "futures",
 "jsonwebtoken",
 "lazy_static",
 "log",
 "mimalloc",
 "notify",
 "once_cell",
 "pingora",
 "pingora-core",
 "pingora-http",
 "pingora-limits",
 "pingora-proxy",
 "prometheus 0.14.0",
 "rand 0.9.1",
 "reqwest",
 "rustls-pemfile",
 "serde",
 "serde_yaml 0.9.34+deprecated",
 "sha2",
 "tokio",
 "tonic",
 "tower-http",
 "urlencoding",
 "x509-parser",
 ]
 [[package]]
 name = "arc-swap"
 version = "1.7.1"
@@ -122,6 +160,45 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 [[package]]
 name = "asn1-rs"
 version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
 dependencies = [
 "asn1-rs-derive",
 "asn1-rs-impl",
 "displaydoc",
 "nom",
 "num-traits",
 "rusticata-macros",
 "thiserror 2.0.12",
 "time",
 ]
 [[package]]
 name = "asn1-rs-derive"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.100",
 "synstructure",
 ]
 [[package]]
 name = "asn1-rs-impl"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.100",
 ]
 [[package]]
 name = "async-stream"
 version = "0.3.6"
@@ -232,6 +309,26 @@ dependencies = [
 "tracing",
 ]
 [[package]]
 name = "axum-server"
 version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "495c05f60d6df0093e8fb6e74aa5846a0ad06abaf96d76166283720bf740f8ab"
 dependencies = [
 "arc-swap",
 "bytes",
 "fs-err",
 "http",
 "http-body",
 "hyper",
 "hyper-util",
 "openssl",
 "pin-project-lite",
 "tokio",
 "tokio-openssl",
 "tower-service",
 ]
 [[package]]
 name = "backtrace"
 version = "0.3.74"
@@ -506,9 +603,9 @@ dependencies = [
 [[package]]
 name = "crypto-common"
-version = "0.2.0-rc.2"
+version = "0.2.0-rc.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "170d71b5b14dec99db7739f6fc7d6ec2db80b78c3acb77db48392ccc3d8a9ea0"
+checksum = "8a23fa214dea9efd4dacee5a5614646b30216ae0f05d4bb51bafb50e9da1c5be"
 dependencies = [
 "hybrid-array",
 ]
@@ -536,6 +633,26 @@ dependencies = [
 "parking_lot_core",
 ]
 [[package]]
 name = "data-encoding"
 version = "2.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476"
 [[package]]
 name = "der-parser"
 version = "10.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
 dependencies = [
 "asn1-rs",
 "displaydoc",
 "nom",
 "num-bigint",
 "num-traits",
 "rusticata-macros",
 ]
 [[package]]
 name = "deranged"
 version = "0.4.0"
@@ -569,12 +686,12 @@ dependencies = [
 [[package]]
 name = "digest"
-version = "0.11.0-pre.10"
+version = "0.11.0-rc.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c478574b20020306f98d61c8ca3322d762e1ff08117422ac6106438605ea516"
+checksum = "460dd7f37e4950526b54a5a6b1f41b6c8e763c58eb9a8fc8fc05ba5c2f44ca7b"
 dependencies = [
 "block-buffer 0.11.0-rc.4",
- "crypto-common 0.2.0-rc.2",
+ "crypto-common 0.2.0-rc.3",
 ]
 [[package]]
@@ -707,6 +824,16 @@ dependencies = [
 "percent-encoding",
 ]
 [[package]]
 name = "fs-err"
 version = "3.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "88d7be93788013f265201256d58f04936a8079ad5dc898743aa20525f503b683"
 dependencies = [
 "autocfg",
 "tokio",
 ]
 [[package]]
 name = "fsevent-sys"
 version = "4.1.0"
@@ -805,36 +932,6 @@ dependencies = [
 "slab",
 ]
 [[package]]
 name = "gazan"
 version = "0.1.0"
 dependencies = [
 "arc-swap",
 "async-trait",
 "axum",
 "base16ct",
 "base64",
 "dashmap",
 "env_logger",
 "futures",
 "jsonwebtoken",
 "log",
 "mimalloc",
 "notify",
 "pingora",
 "pingora-core",
 "pingora-http",
 "pingora-proxy",
 "rand 0.9.1",
 "reqwest",
 "serde",
 "serde_yaml 0.9.34+deprecated",
 "sha2",
 "tokio",
 "tonic",
 "urlencoding",
 ]
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -984,6 +1081,12 @@ dependencies = [
 "pin-project-lite",
 ]
 [[package]]
 name = "http-range-header"
 version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9171a2ea8a68358193d15dd5d70c1c10a2afc3e7e4c5bc92bc9f025cebd7359c"
 [[package]]
 name = "httparse"
 version = "1.9.5"
@@ -1074,21 +1177,28 @@ dependencies = [
 [[package]]
 name = "hyper-util"
-version = "0.1.10"
+version = "0.1.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4"
+checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb"
 dependencies = [
 "base64",
 "bytes",
 "futures-channel",
 "futures-core",
 "futures-util",
 "http",
 "http-body",
 "hyper",
 "ipnet",
 "libc",
 "percent-encoding",
 "pin-project-lite",
 "socket2",
 "system-configuration",
 "tokio",
 "tower-service",
 "tracing",
 "windows-registry",
 ]
 [[package]]
@@ -1276,6 +1386,16 @@ version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
 [[package]]
 name = "iri-string"
 version = "0.7.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
 dependencies = [
 "memchr",
 "serde",
 ]
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.1"
@@ -1374,15 +1494,15 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
 [[package]]
 name = "libmimalloc-sys"
-version = "0.1.42"
+version = "0.1.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec9d6fac27761dabcd4ee73571cdb06b7022dc99089acbe5435691edffaac0f4"
+checksum = "bf88cd67e9de251c1781dbe2f641a1a3ad66eaae831b8a2c38fbdc5ddae16d4d"
 dependencies = [
 "cc",
 "libc",
@@ -1493,9 +1613,9 @@ dependencies = [
 [[package]]
 name = "mimalloc"
-version = "0.1.46"
+version = "0.1.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "995942f432bbb4822a7e9c3faa87a695185b0d09273ba85f097b54f4e458f2af"
+checksum = "b1791cbe101e95af5764f06f20f6760521f7158f69dbf9d6baf941ee1bf6bc40"
 dependencies = [
 "libmimalloc-sys",
 ]
@@ -1506,6 +1626,22 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 [[package]]
 name = "mime_guess"
 version = "2.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
 dependencies = [
 "mime",
 "unicase",
 ]
 [[package]]
 name = "minimal-lexical"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 [[package]]
 name = "miniz_oxide"
 version = "0.8.3"
@@ -1581,6 +1717,16 @@ dependencies = [
 "memoffset",
 ]
 [[package]]
 name = "nom"
 version = "7.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
 dependencies = [
 "memchr",
 "minimal-lexical",
 ]
 [[package]]
 name = "notify"
 version = "8.0.0"
@@ -1649,6 +1795,15 @@ dependencies = [
 "memchr",
 ]
 [[package]]
 name = "oid-registry"
 version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
 dependencies = [
 "asn1-rs",
 ]
 [[package]]
 name = "once_cell"
 version = "1.20.2"
@@ -1874,7 +2029,7 @@ dependencies = [
 "pingora-pool",
 "pingora-runtime",
 "pingora-timeout",
- "prometheus",
+ "prometheus 0.13.4",
 "rand 0.8.5",
 "regex",
 "serde",
@@ -1932,6 +2087,15 @@ dependencies = [
 "crc32fast",
 ]
 [[package]]
 name = "pingora-limits"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a719a8cb5558ca06bd6076c97b8905d500ea556da89e132ba53d4272844f95b9"
 dependencies = [
 "ahash",
 ]
 [[package]]
 name = "pingora-load-balancing"
 version = "0.5.0"
@@ -2121,10 +2285,25 @@ dependencies = [
 "lazy_static",
 "memchr",
 "parking_lot",
- "protobuf",
+ "protobuf 2.28.0",
 "thiserror 1.0.69",
 ]
 [[package]]
 name = "prometheus"
 version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3ca5326d8d0b950a9acd87e6a3f94745394f62e4dae1b1ee22b2bc0c394af43a"
 dependencies = [
 "cfg-if",
 "fnv",
 "lazy_static",
 "memchr",
 "parking_lot",
 "protobuf 3.7.2",
 "thiserror 2.0.12",
 ]
 [[package]]
 name = "prost"
 version = "0.13.5"
@@ -2140,6 +2319,26 @@ version = "2.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
 [[package]]
 name = "protobuf"
 version = "3.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d65a1d4ddae7d8b5de68153b48f6aa3bba8cb002b243dbdbc55a5afbc98f99f4"
 dependencies = [
 "once_cell",
 "protobuf-support",
 "thiserror 1.0.69",
 ]
 [[package]]
 name = "protobuf-support"
 version = "3.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3e36c2f31e0a47f9280fb347ef5e461ffcd2c52dd520d8e216b52f93b0b0d7d6"
 dependencies = [
 "thiserror 1.0.69",
 ]
 [[package]]
 name = "quote"
 version = "1.0.38"
@@ -2248,15 +2447,14 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 [[package]]
 name = "reqwest"
-version = "0.12.15"
+version = "0.12.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d19c46a6fdd48bc4dab94b6103fccc55d34c67cc0ad04653aad4ea2a07cd7bbb"
+checksum = "eabf4c97d9130e2bf606614eb937e86edac8292eaa6f422f995d7e8de1eb1813"
 dependencies = [
 "base64",
 "bytes",
 "encoding_rs",
 "futures-core",
 "futures-util",
 "h2",
 "http",
 "http-body",
@@ -2265,29 +2463,26 @@ dependencies = [
 "hyper-rustls",
 "hyper-tls",
 "hyper-util",
 "ipnet",
 "js-sys",
 "log",
 "mime",
 "native-tls",
 "once_cell",
 "percent-encoding",
 "pin-project-lite",
- "rustls-pemfile",
+ "rustls-pki-types",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "sync_wrapper",
 "system-configuration",
 "tokio",
 "tokio-native-tls",
 "tower",
 "tower-http",
 "tower-service",
 "url",
 "wasm-bindgen",
 "wasm-bindgen-futures",
 "web-sys",
 "windows-registry",
 ]
 [[package]]
@@ -2342,6 +2537,15 @@ version = "0.1.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
 [[package]]
 name = "rusticata-macros"
 version = "4.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
 dependencies = [
 "nom",
 ]
 [[package]]
 name = "rustix"
 version = "1.0.7"
@@ -2352,7 +2556,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 [[package]]
@@ -2545,13 +2749,13 @@ dependencies = [
 [[package]]
 name = "sha2"
-version = "0.11.0-pre.5"
+version = "0.11.0-rc.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "19b4241d1a56954dce82cecda5c8e9c794eef6f53abe5e5216bac0a0ea71ffa7"
+checksum = "aa1d2e6b3cc4e43a8258a9a3b17aa5dfd2cc5186c7024bba8a64aa65b2c71a59"
 dependencies = [
 "cfg-if",
 "cpufeatures",
- "digest 0.11.0-pre.10",
+ "digest 0.11.0-rc.0",
 ]
 [[package]]
@@ -2598,9 +2802,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
 [[package]]
 name = "socket2"
-version = "0.5.8"
+version = "0.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
 dependencies = [
 "libc",
 "windows-sys 0.52.0",
@@ -2719,7 +2923,7 @@ dependencies = [
 "getrandom 0.3.1",
 "once_cell",
 "rustix",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 [[package]]
@@ -2840,9 +3044,9 @@ dependencies = [
 [[package]]
 name = "tokio"
-version = "1.45.0"
+version = "1.45.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2513ca694ef9ede0fb23fe71a4ee4107cb102b9dc1930f6d0fd77aae068ae165"
+checksum = "75ef51a33ef1da925cea3e4eb122833cb377c61439ca401b770f54902b806779"
 dependencies = [
 "backtrace",
 "bytes",
@@ -2937,9 +3141,9 @@ dependencies = [
 [[package]]
 name = "tonic"
-version = "0.13.0"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85839f0b32fd242bb3209262371d07feda6d780d16ee9d2bc88581b89da1549b"
+checksum = "7e581ba15a835f4d9ea06c55ab1bd4dce26fc53752c69a04aac00703bfb49ba9"
 dependencies = [
 "async-trait",
 "axum",
@@ -2983,6 +3187,34 @@ dependencies = [
 "tracing",
 ]
 [[package]]
 name = "tower-http"
 version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
 dependencies = [
 "bitflags 2.8.0",
 "bytes",
 "futures-core",
 "futures-util",
 "http",
 "http-body",
 "http-body-util",
 "http-range-header",
 "httpdate",
 "iri-string",
 "mime",
 "mime_guess",
 "percent-encoding",
 "pin-project-lite",
 "tokio",
 "tokio-util",
 "tower",
 "tower-layer",
 "tower-service",
 "tracing",
 ]
 [[package]]
 name = "tower-layer"
 version = "0.3.3"
@@ -3283,29 +3515,29 @@ checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38"
 [[package]]
 name = "windows-registry"
-version = "0.4.0"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4286ad90ddb45071efd1a66dfa43eb02dd0dfbae1545ad6cc3c51cf34d7e8ba3"
+checksum = "b3bab093bdd303a1240bb99b8aba8ea8a69ee19d34c9e2ef9594e708a4878820"
 dependencies = [
 "windows-link",
 "windows-result",
 "windows-strings",
 "windows-targets 0.53.0",
 ]
 [[package]]
 name = "windows-result"
-version = "0.3.2"
+version = "0.3.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c64fd11a4fd95df68efcfee5f44a294fe71b8bc6a91993e2791938abcc712252"
+checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
 dependencies = [
 "windows-link",
 ]
 [[package]]
 name = "windows-strings"
-version = "0.3.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87fa48cc5d406560701792be122a10132491cff9d0aeb23583cc2dcafc847319"
+checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
 dependencies = [
 "windows-link",
 ]
@@ -3361,29 +3593,13 @@ dependencies = [
 "windows_aarch64_gnullvm 0.52.6",
 "windows_aarch64_msvc 0.52.6",
 "windows_i686_gnu 0.52.6",
- "windows_i686_gnullvm 0.52.6",
+ "windows_i686_gnullvm",
 "windows_i686_msvc 0.52.6",
 "windows_x86_64_gnu 0.52.6",
 "windows_x86_64_gnullvm 0.52.6",
 "windows_x86_64_msvc 0.52.6",
 ]
 [[package]]
 name = "windows-targets"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b1e4c7e8ceaaf9cb7d7507c974735728ab453b67ef8f18febdd7c11fe59dca8b"
 dependencies = [
 "windows_aarch64_gnullvm 0.53.0",
 "windows_aarch64_msvc 0.53.0",
 "windows_i686_gnu 0.53.0",
 "windows_i686_gnullvm 0.53.0",
 "windows_i686_msvc 0.53.0",
 "windows_x86_64_gnu 0.53.0",
 "windows_x86_64_gnullvm 0.53.0",
 "windows_x86_64_msvc 0.53.0",
 ]
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.48.5"
@@ -3396,12 +3612,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764"
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.48.5"
@@ -3414,12 +3624,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.48.5"
@@ -3432,24 +3636,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3"
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.48.5"
@@ -3462,12 +3654,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.48.5"
@@ -3480,12 +3666,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba"
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.48.5"
@@ -3498,12 +3678,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.48.5"
@@ -3516,12 +3690,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"
 [[package]]
 name = "wit-bindgen-rt"
 version = "0.33.0"
@@ -3543,6 +3711,23 @@ version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
 [[package]]
 name = "x509-parser"
 version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4569f339c0c402346d4a75a9e39cf8dad310e287eef1ff56d4c68e5067f53460"
 dependencies = [
 "asn1-rs",
 "data-encoding",
 "der-parser",
 "lazy_static",
 "nom",
 "oid-registry",
 "rusticata-macros",
 "thiserror 2.0.12",
 "time",
 ]
 [[package]]
 name = "yaml-rust"
 version = "0.4.5"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
-name = "gazan"
+name = "aralez"
-version = "0.1.0"
+version = "0.9.1"
 edition = "2021"
 [profile.release]
@@ -11,7 +11,7 @@ panic = "abort"
 strip = true
 [dependencies]
-tokio = { version = "1.45.0", features = ["full"] }
+tokio = { version = "1.45.1", features = ["full"] }
 #pingora = { version = "0.5.0", features = ["lb", "rustls"] } # openssl, rustls, boringssl
 pingora = { version = "0.5.0", features = ["lb", "openssl"] } # openssl, rustls, boringssl
 serde = { version = "1.0.219", features = ["derive"] }
@@ -19,13 +19,16 @@ dashmap = "7.0.0-rc2"
 pingora-core = "0.5.0"
 pingora-proxy = "0.5.0"
 pingora-http = "0.5.0"
 pingora-limits = "0.5.0"
 #pingora-pool = "0.5.0"
 async-trait = "0.1.88"
 env_logger = "0.11.8"
 log = "0.4.27"
 futures = "0.3.31"
 notify = "8.0.0"
 axum = { version = "0.8.4" }
-reqwest = { version = "0.12.15", features = ["json", "native-tls-alpn"] }
+axum-server = { version = "0.7.2", features = ["tls-openssl"] }
 reqwest = { version = "0.12.20", features = ["json", "native-tls-alpn"] }
 #reqwest = { version = "0.12.15", features = ["json", "rustls-tls"] }
 #reqwest = { version = "0.12.15", default-features = false, features = ["rustls-tls", "json"] }
@@ -33,11 +36,19 @@ serde_yaml = "0.9.34-deprecated"
 rand = "0.9.0"
 base64 = "0.22.1"
 jsonwebtoken = "9.3.1"
-tonic = "0.13.0"
+tonic = "0.13.1"
-sha2 = { version = "0.11.0-pre.5", default-features = false }
+sha2 = { version = "0.11.0-rc.0", default-features = false }
 base16ct = { version = "0.2.0", features = ["alloc"] }
 urlencoding = "2.1.3"
 arc-swap = "1.7.1"
 #rustls = { version = "0.23.27", features = ["ring"] }
-mimalloc = { version = "0.1.46", default-features = false }
+mimalloc = { version = "0.1.47", default-features = false }
 prometheus = "0.14.0"
 lazy_static = "1.5.0"
 #openssl = "0.10.73"
 x509-parser = "0.17.0"
 rustls-pemfile = "2.2.0"
 tower-http = { version = "0.6.6", features = ["fs"] }
 once_cell = "1.20.2"
--- a/METRICS.md
+++ b/METRICS.md
@@ -0,0 +1,120 @@
 # 📈 Aralez Prometheus Metrics Reference
 This document outlines Prometheus metrics for the [Aralez](https://github.com/sadoyan/aralez) reverse proxy.
 These metrics can be used for monitoring, alerting and performance analysis.
 Exposed to `http://config_address/metrics`
 By default `http://127.0.0.1:3000/metrics`
 # 📊 Example Grafana dashboard during stress test :
 ![Aralez](https://netangels.net/utils/dash.png)
 ---
 ## 🛠️ Prometheus Metrics
 ### 1. `aralez_requests_total`
 - **Type**: `Counter`
 - **Purpose**: Total amount requests served by Aralez.
 **PromQL example:**
 ```promql
 rate(aralez_requests_total[5m])
 ```
 ---
 ### 2. `aralez_errors_total`
 - **Type**: `Counter`
 - **Purpose**: Count of requests that resulted in an error.
 **PromQL example:**
 ```promql
 rate(aralez_errors_total[5m])
 ```
 ---
 ### 3. `aralez_responses_total{status="200"}`
 - **Type**: `CounterVec`
 - **Purpose**: Count of responses by HTTP status code.
 **PromQL example:**
 ```promql
 rate(aralez_responses_total{status=~"5.."}[5m]) > 0
 ```
 > Useful for alerting on 5xx errors.
 ---
 ### 4. `aralez_response_latency_seconds`
 - **Type**: `Histogram`
 - **Purpose**: Tracks the latency of responses in seconds.
 **Example bucket output:**
 ```prometheus
 aralez_response_latency_seconds_bucket{le="0.01"}  15
 aralez_response_latency_seconds_bucket{le="0.1"}   120
 aralez_response_latency_seconds_bucket{le="0.25"}  245
 aralez_response_latency_seconds_bucket{le="0.5"}   500
 ...
 aralez_response_latency_seconds_count  1023
 aralez_response_latency_seconds_sum    42.6
 ```
 | Metric                  | Meaning                                                       |
 |-------------------------|---------------------------------------------------------------|
 | `bucket{le="0.1"} 120`  | 120 requests were ≤ 100ms                                     |
 | `bucket{le="0.25"} 245` | 245 requests were ≤ 250ms                                     |
 | `count`                 | Total number of observations (i.e., total responses measured) |
 | `sum`                   | Total time of all responses, in seconds                       |
 ### 🔍 How to interpret:
 - `le` means “less than or equal to”.
 - `count` is total amount of observations.
 - `sum` is the total time (in seconds) of all responses.
 **PromQL examples:**
 🔹 **95th percentile latency**
 ```promql
 histogram_quantile(0.95, rate(aralez_response_latency_seconds_bucket[5m]))
 ```
 🔹 **Average latency**
 ```promql
 rate(aralez_response_latency_seconds_sum[5m]) / rate(aralez_response_latency_seconds_count[5m])
 ```
 ---
 ## ✅ Notes
 - Metrics are registered after the first served request.
 ---
 ✅ Summary of key metrics
 | Metric Name                           | Type       | What it Tells You         |
 |---------------------------------------|------------|---------------------------|
 | `aralez_requests_total`                | Counter    | Total requests served     |
 | `aralez_errors_total`                  | Counter    | Number of failed requests |
 | `aralez_responses_total{status="200"}` | CounterVec | Response status breakdown |
 | `aralez_response_latency_seconds`      | Histogram  | How fast responses are    |
 📘 *Last updated: May 2025*
--- a/README.md
+++ b/README.md
@@ -1,38 +1,45 @@
-![Gazan](https://netangels.net/utils/gazan-white.jpg)
+![Aralez](https://netangels.net/utils/aralez-white.jpg)
-# Gazan - The beast-mode reverse proxy.
+# Aralez (Արալեզ), Reverse proxy and service mesh built on top of Cloudflare's Pingora
-Gazan is a Reverse proxy, service mesh based on Cloudflare's Pingora
+What Aralez means ?
 **Aralez = Արալեզ** <ins>.Named after the legendary Armenian guardian spirit, winged dog-like creature, that descend upon fallen heroes to lick their wounds and resurrect them.</ins>.
-**What Gazan means?**
+Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers world-class performance, security and scalability — right out of the box.
 <ins>Gazan = Գազան = beast / wild animal in Armenian / Often used as a synonym to something great.</ins>.
 Built on Rust, on top of **Cloudflare’s Pingora engine**, **Gazan** delivers world-class performance, security and scalability — right out of the box.
 ---
 ## 🔧 Key Features
- **Dynamic Config Reloads** — Upstreams can be updated live via API, no restart required
+- **Dynamic Config Reloads** — Upstreams can be updated live via API, no restart required.
- **TLS Termination** — Built-in OpenSSL support
+- **TLS Termination** — Built-in OpenSSL support.
- **Upstreams TLS detection** — Gazan will automatically detect if upstreams uses secure connection
+    - **Automatic load of certificates** — Automatically reads and loads certificates from a folder, without a restart.
- **Authentication** — Supports Basic Auth, API tokens, and JWT verification
+- **Upstreams TLS detection** — Aralez will automatically detect if upstreams uses secure connection.
 - **Built in rate limiter** — Limit requests to server, by setting up upper limit for requests per seconds, per virtualhost.
 - **Authentication** — Supports Basic Auth, API tokens, and JWT verification.
    - **Basic Auth**
    - **API Key** via `x-api-key` header
    - **JWT Auth**, with tokens issued by Aralez itself via `/jwt` API
        - ⬇️ See below for examples and implementation details.
 - **Load Balancing Strategies**
    - Round-robin
    - Failover with health checks
    - Sticky sessions via cookies
- **Unified Port** — Serve HTTP and WebSocket traffic over the same connection
+- **Unified Port** — Serve HTTP and WebSocket traffic over the same connection.
- **Memory Safe** — Created purely on Rust
+- **Built in file server** — Build in minimalistic file server for serving static files, should be added as upstreams for public access.
- **High Performance** — Built with [Pingora](https://github.com/cloudflare/pingora) and tokio for async I/O
+- **Memory Safe** — Created purely on Rust.
 - **High Performance** — Built with [Pingora](https://github.com/cloudflare/pingora) and tokio for async I/O.
 ## 🌍 Highlights
- ⚙️ **Upstream Providers:** Supports `file`-based static upstreams, dynamic service discovery via `Consul`.
+- ⚙️ **Upstream Providers:**
    - `file` Upstreams are declared in config file.
    - `consul` Upstreams are dynamically updated from Hashicorp Consul.
 - 🔁 **Hot Reloading:** Modify upstreams on the fly via `upstreams.yaml` — no restart needed.
 - 🔮 **Automatic WebSocket Support:** Zero config — connection upgrades are handled seamlessly.
- 🔮 **Automatic GRPC Support:** Zero config, Requires `ssl` to proxy, gRPC is handled seamlessly.
+- 🔮 **Automatic GRPC Support:** Zero config, Requires `ssl` to proxy, gRPC handled seamlessly.
- 🔮 **Upstreams Session Stickiness:** Enable/Disable Sticky sessions.
+- 🔮 **Upstreams Session Stickiness:** Enable/Disable Sticky sessions globally.
- 🔐 **TLS Termination:** Fully supports TLS for incoming and upstream traffic.
+- 🔐 **TLS Termination:** Fully supports TLS for upstreams and downstreams.
 - 🛡️ **Built-in Authentication** Basic Auth, JWT, API key.
 - 🧠 **Header Injection:** Global and per-route header configuration.
 - 🧪 **Health Checks:** Pluggable health check methods for upstreams.
@@ -57,15 +64,31 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Gazan** delivers w
 ### 🔧 `main.yaml`
- `proxy_address_http`: `0.0.0.0:6193` (HTTP listener)
+| Key                              | Example Value                        | Description                                                                                      |
- `proxy_address_tls`: `0.0.0.0:6194` (TLS listener, optional)
+|----------------------------------|--------------------------------------|--------------------------------------------------------------------------------------------------|
- `config_address`: `0.0.0.0:3000` (HTTP API for remote config push)
+| **threads**                      | 12                                   | Number of running daemon threads. Optional, defaults to 1                                        |
- `upstreams_conf`: `etc/upstreams.yaml` (location of upstreams config)
+| **user**                         | aralez                               | Optional, Username for running aralez after dropping root privileges, requires to launch as root |
- `log_level`: `info` (verbosity of logs)
+| **group**                        | aralez                               | Optional,Group for running aralez after dropping root privileges, requires to launch as root     |
- `hc_method`: `HEAD`, `hc_interval`: `2s` (upstream health checks)
+| **daemon**                       | false                                | Run in background (boolean)                                                                      |
- `user` Optional. Drop privileges to regular user. To bind to privileged ports. Requires to start as root.
+| **upstream_keepalive_pool_size** | 500                                  | Pool size for upstream keepalive connections                                                     |
- `group` Optional. Drop privileges to regular group
+| **pid_file**                     | /tmp/aralez.pid                      | Path to PID file                                                                                 |
- Other defaults: thread count, keep-alive pool size, etc.
+| **error_log**                    | /tmp/aralez_err.log                  | Path to error log file                                                                           |
 | **upgrade_sock**                 | /tmp/aralez.sock                     | Path to live upgrade socket file                                                                 |
 | **config_address**               | 0.0.0.0:3000                         | HTTP API address for pushing upstreams.yaml from remote location                                 |
 | **config_tls_address**           | 0.0.0.0:3001                         | HTTPS API address for pushing upstreams.yaml from remote location                                |
 | **config_tls_certificate**       | etc/server.crt                       | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional              |
 | **config_tls_key_file**          | etc/key.pem                          | Private Key file path. Mandatory if proxy_address_tls is set, else optional                      |
 | **proxy_address_http**           | 0.0.0.0:6193                         | Aralez HTTP bind address                                                                         |
 | **proxy_address_tls**            | 0.0.0.0:6194                         | Aralez HTTPS bind address (Optional)                                                             |
 | **proxy_certificates**           | etc/certs/                           | The directory containing certificate and key files. In a format {NAME}.crt, {NAME}.key.          |
 | **upstreams_conf**               | etc/upstreams.yaml                   | The location of upstreams file                                                                   |
 | **log_level**                    | info                                 | Log level , possible values : info, warn, error, debug, trace, off                               |
 | **hc_method**                    | HEAD                                 | Healthcheck method (HEAD, GET, POST are supported) UPPERCASE                                     |
 | **hc_interval**                  | 2                                    | Interval for health checks in seconds                                                            |
 | **master_key**                   | 5aeff7f9-7b94-447c-af60-e8c488544a3e | Master key for working with API server and JWT Secret generation                                 |
 | **file_server_folder**           | /some/local/folder                   | Optional, local folder to serve                                                                  |
 | **file_server_address**          | 127.0.0.1:3002                       | Optional, Local address for file server. Can set as upstream for public access                   |
 | **config_api_enabled**           | true                                 | Boolean to enable/disable remote config push capability                                          |
 ### 🌐 `upstreams.yaml`
@@ -81,40 +104,58 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Gazan** delivers w
 ## 🛠 Installation
-Download the prebuilt binary for your architecture from releases section of [GitHub](https://github.com/sadoyan/gazan/releases) repo
+Download the prebuilt binary for your architecture from releases section of [GitHub](https://github.com/sadoyan/aralez/releases) repo
-Make the binary executable `chmod 755 ./gazan-VERSION` and run.
+Make the binary executable `chmod 755 ./aralez-VERSION` and run.
 File names:
-| File Name                | Description                                                   |
+| File Name                 | Description                                                   |
-|--------------------------|---------------------------------------------------------------|
+|---------------------------|---------------------------------------------------------------|
-| `gazan-x86_64-musl.gz`   | Static Linux x86_64 binary, without any system dependency     |
+| `aralez-x86_64-musl.gz`   | Static Linux x86_64 binary, without any system dependency     |
-| `gazan-x86_64-glibc.gz`  | Dynamic Linux x86_64 binary, with minimal system dependencies |
+| `aralez-x86_64-glibc.gz`  | Dynamic Linux x86_64 binary, with minimal system dependencies |
-| `gazan-aarch64-musl.gz`  | Static Linux ARM64 binary, without any system dependency      |
+| `aralez-aarch64-musl.gz`  | Static Linux ARM64 binary, without any system dependency      |
-| `gazan-aarch64-glibc.gz` | Dynamic Linux ARM64 binary, with minimal system dependencies  |
+| `aralez-aarch64-glibc.gz` | Dynamic Linux ARM64 binary, with minimal system dependencies  |
 ## 💡 Note
 In general **glibc** builds are working faster, but have few, basic, system dependencies for example :
 ```
 	linux-vdso.so.1 (0x00007ffeea33b000)
 	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f09e7377000)
 	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f09e6320000)
 	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f09e613f000)
 	/lib64/ld-linux-x86-64.so.2 (0x00007f09e73b1000)
 ```
 These are common to any Linux systems, so the binary should work on almost any Linux system.
 **musl** builds are 100% portable, static compiled binaries and have zero system depencecies.
 In general musl builds have a little less performance.
 The most intensive tests shows 107k-110k requests per second on **Glibc** binaries against 97k-100k **Musl** ones.
 ## 🔌 Running the Proxy
 ```bash
-./gazan -c path/to/main.yaml
+./aralez -c path/to/main.yaml
 ```
 ## 🔌 Systemd integration
 ```bash
-cat > /etc/systemd/system/gazan.service <<EOF
+cat > /etc/systemd/system/aralez.service <<EOF
 [Service]
 Type=forking
-PIDFile=/run/gazan.pid
+PIDFile=/run/aralez.pid
-ExecStart=/bin/gazan -d -c /etc/gazan.conf
+ExecStart=/bin/aralez -d -c /etc/aralez.conf
 ExecReload=kill -QUIT $MAINPID
-ExecReload=/bin/gazan -u -d -c /etc/gazan.conf
+ExecReload=/bin/aralez -u -d -c /etc/aralez.conf
 EOF
 ```
 ```bash
-systemctl enable gazan.service.
+systemctl enable aralez.service.
-systemctl restart gazan.service.
+systemctl restart aralez.service.
 ```
 ## 💡 Example
@@ -123,18 +164,20 @@ A sample `upstreams.yaml` entry:
 ```yaml
 provider: "file"
-stickysessions: false
+sticky_sessions: false
-globals:
+to_https: false
-  headers:
+rate_limit: 10
-    - "Access-Control-Allow-Origin:*"
+headers:
-    - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
+  - "Access-Control-Allow-Origin:*"
-    - "Access-Control-Max-Age:86400"
+  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
-  authorization:
+  - "Access-Control-Max-Age:86400"
-    - "jwt"
+authorization:
-    - "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
+  type: "jwt"
  creds: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
 myhost.mydomain.com:
  paths:
    "/":
      to_https: false
      headers:
        - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
        - "X-Proxy-From:Hopaaaaaaaaaaaar"
@@ -142,6 +185,7 @@ myhost.mydomain.com:
        - "127.0.0.1:8000"
        - "127.0.0.2:8000"
    "/foo":
      to_https: true
      headers:
        - "X-Another-Header:Hohohohoho"
      servers:
@@ -151,15 +195,21 @@ myhost.mydomain.com:
 **This means:**
- Sticky sessions are disabled globally. This setting applies to all upstreams.
+- Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
 - HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
 - Requests to each hosted domains will be limited to 10 requests per second per virtualhost.
    - Requests limits are calculated per requester ip plus requested virtualhost.
    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
 - Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
 - Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
 - SSL/TLS for upstreams is detected automatically, no need to set any config parameter.
    - Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS.
-    - Self signed certificates are silently accepted.
+    - Self-signed certificates are silently accepted.
- Global headers (CORS for this case) will be injected to all upstreams
+- Global headers (CORS for this case) will be injected to all upstreams.
 - Additional headers will be injected into the request for `myhost.mydomain.com`.
- You can choose any path, deep nested paths are supported, the best match is chosen.
+- You can choose any path, deep nested paths are supported, the best match chosen.
 - All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
    - Firs parameter specifies the mechanism of authorisation `jwt`
    - Second is the secret key for validating `jwt` tokens
@@ -185,10 +235,11 @@ To enable TLS for A proxy server: Currently only OpenSSL is supported, working o
 ## 📡 Remote Config API
-You can push new `upstreams.yaml` over HTTP to `config_address` (`:3000` by default). Useful for CI/CD automation or remote config updates.
+Push new `upstreams.yaml` over HTTP to `config_address` (`:3000` by default). Useful for CI/CD automation or remote config updates.
 URL parameter. `key=MASTERKEY` is required. `MASTERKEY` is the value of `master_key` in the `main.yaml`
 ```bash
-curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf
+curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf?key=${MASTERKEY}
 ```
 ---
@@ -199,18 +250,18 @@ curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf
 - Only one method can be active at a time.
 - `basic` : Standard HTTP Basic Authentication requests.
 - `apikey` : Authentication via `x-api-key` header, which should match the value in config.
- `jwt`: JWT authentication implemented via `gazantoken=` url parameter. `/some/url?gazantoken=TOKEN`
+- `jwt`: JWT authentication implemented via `araleztoken=` url parameter. `/some/url?araleztoken=TOKEN`
 - `jwt`: JWT authentication implemented via `Authorization: Bearer <token>` header.
-    - To obtain JWT token, you should send **generate** request to built in api server's `/jwt` endpoint.
+    - To obtain JWT a token, you should send **generate** request to built in api server's `/jwt` endpoint.
-    - `masterkey`: should match configured `masterkey` in `main.yaml` and `upstreams.yaml`.
+    - `master_key`: should match configured `masterkey` in `main.yaml` and `upstreams.yaml`.
    - `owner` : Just a placeholder, can be anything.
    - `valid` : Time in minutes during which the generated token will be valid.
-**Example JWT token generateion request**
+**Example JWT token generation request**
 ```bash
 PAYLOAD='{
-    "masterkey": "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774",
+    "master_key": "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774",
    "owner": "valod",
    "valid": 10
 }'
@@ -230,7 +281,7 @@ curl -H "Authorization: Bearer ${TOK}" -H 'Host: myip.mydomain.com' http://127.0
 With URL parameter (Very useful if you want to generate and share temporary links)
 ```bash
-curl -H 'Host: myip.mydomain.com' "http://127.0.0.1:6193/?gazantoken=${TOK}`"
+curl -H 'Host: myip.mydomain.com' "http://127.0.0.1:6193/?araleztoken=${TOK}`"
 ```
 **Example Request with API Key**
@@ -261,3 +312,163 @@ curl  -u username:password -H 'Host: myip.mydomain.com' http://127.0.0.1:6193/
 - Transparent, fully automatic gRPC proxy.
 - Sticky session support.
 - HTTP2 ready.
 📊 Why Choose Aralez? – Feature Comparison
 | Feature                    | **Aralez**                                                           | **Nginx**                | **HAProxy**             | **Traefik**     |
 |----------------------------|----------------------------------------------------------------------|--------------------------|-------------------------|-----------------|
 | **Hot Reload**             | ✅ Yes (live, API/file)                                               | ⚠️ Reloads config        | ⚠️ Reloads config       | ✅ Yes (dynamic) |
 | **JWT Auth**               | ✅ Built-in                                                           | ❌ External scripts       | ❌ External Lua or agent | ⚠️ With plugins |
 | **WebSocket Support**      | ✅ Automatic                                                          | ⚠️ Manual config         | ✅ Yes                   | ✅ Yes           |
 | **gRPC Support**           | ✅ Automatic (no config)                                              | ⚠️ Manual + HTTP/2 + TLS | ⚠️ Complex setup        | ✅ Native        |
 | **TLS Termination**        | ✅ Built-in (OpenSSL)                                                 | ✅ Yes                    | ✅ Yes                   | ✅ Yes           |
 | **TLS Upstream Detection** | ✅ Automatic                                                          | ❌                        | ❌                       | ❌               |
 | **HTTP/2 Support**         | ✅ Automatic                                                          | ⚠️ Requires extra config | ⚠️ Requires build flags | ✅ Native        |
 | **Sticky Sessions**        | ✅ Cookie-based                                                       | ⚠️ In plus version only  | ✅                       | ✅               |
 | **Prometheus Metrics**     | ✅ [Built in](https://github.com/sadoyan/aralez/blob/main/METRICS.md) | ⚠️ With Lua or exporter  | ⚠️ With external script | ✅ Native        |
 | **Built With**             | 🦀 Rust                                                              | C                        | C                       | Go              |
 ## 💡 Simple benchmark by [Oha](https://github.com/hatoo/oha)
 ⚠️ These benchmarks use :
 - 3 async Rust echo servers on a local network with 1Gbit as upstreams.
 - A dedicated server for running **Aralez**
 - A dedicated server for running **Oha**
 - The following upstreams configuration.
 - 9 test URLs from simple `/` to nested up to 7 subpaths.
 ```yaml
  myhost.mydomain.com:
    paths:
      "/":
        to_https: false
        headers:
          - "X-Proxy-From:Aralez"
        servers:
          - "192.168.211.211:8000"
          - "192.168.211.212:8000"
          - "192.168.211.213:8000"
      "/ping":
        to_https: false
        headers:
          - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
          - "X-Proxy-From:Aralez"
        servers:
          - "192.168.211.211:8000"
          - "192.168.211.212:8000"
 ```
 ## 💡 Results reflect synthetic performance under optimal conditions.
 - CPU : Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz
 - 300 : simultaneous connections
 - Duration : 10 Minutes
 - Binary : aralez-x86_64-glibc
 ```
 Summary:
  Success rate:	100.00%
  Total:	600.0027 secs
  Slowest:	0.2138 secs
  Fastest:	0.0002 secs
  Average:	0.0023 secs
  Requests/sec:	129777.3838
  Total data:	0 B
  Size/request:	0 B
  Size/sec:	0 B
 Response time histogram:
  0.000 [1]        |
  0.022 [77668026] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.043 [190362]   |
  0.064 [7908]     |
  0.086 [319]      |
  0.107 [4]        |
  0.128 [0]        |
  0.150 [0]        |
  0.171 [0]        |
  0.192 [0]        |
  0.214 [4]        |
 Response time distribution:
  10.00% in 0.0012 secs
  25.00% in 0.0016 secs
  50.00% in 0.0020 secs
  75.00% in 0.0026 secs
  90.00% in 0.0033 secs
  95.00% in 0.0040 secs
  99.00% in 0.0078 secs
  99.90% in 0.0278 secs
  99.99% in 0.0434 secs
 Details (average, fastest, slowest):
  DNS+dialup:	0.0161 secs, 0.0002 secs, 0.0316 secs
  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0000 secs
 Status code distribution:
  [200] 77866624 responses
 Error distribution:
  [158] aborted due to deadline
 ```
 ![Aralez](https://netangels.net/utils/glibc10.png)
 - CPU : Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz
 - 300 : simultaneous connections
 - Duration : 10 Minutes
 - Binary : aralez-x86_64-musl
 ```
 Summary:
  Success rate:	100.00%
  Total:	600.0021 secs
  Slowest:	0.2182 secs
  Fastest:	0.0002 secs
  Average:	0.0024 secs
  Requests/sec:	123870.5820
  Total data:	0 B
  Size/request:	0 B
  Size/sec:	0 B
 Response time histogram:
  0.000 [1]        |
  0.022 [74254679] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.044 [61400]    |
  0.066 [5911]     |
  0.087 [385]      |
  0.109 [0]        |
  0.131 [0]        |
  0.153 [0]        |
  0.175 [0]        |
  0.196 [0]        |
  0.218 [1]        |
 Response time distribution:
  10.00% in 0.0012 secs
  25.00% in 0.0016 secs
  50.00% in 0.0021 secs
  75.00% in 0.0028 secs
  90.00% in 0.0037 secs
  95.00% in 0.0045 secs
  99.00% in 0.0077 secs
  99.90% in 0.0214 secs
  99.99% in 0.0424 secs
 Details (average, fastest, slowest):
  DNS+dialup:	0.0066 secs, 0.0002 secs, 0.0210 secs
  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0000 secs
 Status code distribution:
  [200] 74322377 responses
 Error distribution:
  [228] aborted due to deadline
 ```
 ![Aralez](https://netangels.net/utils/musl10.png)
--- a/etc/main.yaml
+++ b/etc/main.yaml
@@ -1,18 +1,23 @@
 # Main configuration file , applied on startup
 threads: 12 # Nubber of daemon threads default setting
-#user: pastor # Username for running gazan after dropping root privileges, requires program to start as root
+#user: aralez # Username for running aralez after dropping root privileges, requires program to start as root
-#group: pastor # Group for running gazan after dropping root privileges, requires program to start as root
+#group: aralez # Group for running aralez after dropping root privileges, requires program to start as root
 daemon: false # Run in background
 upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
-pid_file: /tmp/gazan.pid # Path to PID file
+pid_file: /tmp/aralez.pid # Path to PID file
-error_log: /tmp/gazan_err.log # Path to error log
+error_log: /tmp/aralez_err.log # Path to error log
-upgrade_sock: /tmp/gazan.sock # Path to socket file
+upgrade_sock: /tmp/aralez.sock # Path to socket file
 config_api_enabled: true # Boolean to enable/disable remote config push capability.
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
 config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
 config_tls_certificate: etc/server.crt # Mandatory if config_tls_address is set
 config_tls_key_file: etc/key.pem # Mandatory if config_tls_address is set
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
-tls_certificate: etc/server.crt # Mandatory if proxy_address_tls is set
+proxy_certificates: etc/certificates # Mandatory if proxy_address_tls set, should contain certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
 tls_key_file: etc/key.pem # Mandatory if proxy_address_tls is set
 upstreams_conf: etc/upstreams.yaml # the location of upstreams file
 #file_server_folder: /some/path # Optional, local folder to serve
 #file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
 log_level: info # info, warn, error, debug, trace, off
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
--- a/etc/stresstest.yaml
+++ b/etc/stresstest.yaml
@@ -11,7 +11,7 @@ upstreams:
      "/":
        ssl: false
        headers:
-          - "X-Proxy-From:Gazan"
+          - "X-Proxy-From:Aralez"
        servers:
          - "192.168.221.213:8000"
          - "192.168.221.214:8000"
--- a/etc/upstreams.yaml
+++ b/etc/upstreams.yaml
@@ -1,37 +1,35 @@
-# The file is under watch and hot reload , changes are applied immediately, no need to restart or reload
+# The file under watch and hot reload, changes are applied immediately, no need to restart or reload.
 provider: "file" # consul
-stickysessions: true
+sticky_sessions: false
-globals:
+to_ssl: false
-  headers: # Global headers, appended for all upstreams and all paths.
+#rate_limit: 100
-    - "Access-Control-Allow-Origin:*"
+headers:
-    - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
+  - "Access-Control-Allow-Origin:*"
-    - "Access-Control-Max-Age:86400"
+  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
-    - "X-Custom-Header:Something Special"
+  - "Access-Control-Max-Age:86400"
-#  authorization: #  Optional, only one of auth methods below can be active at a time
+  - "X-Custom-Header:Something Special"
-#    - "basic"
+authorization:
-#    - "gazan:Gazanpass1234"
+  type: "jwt"
-#    - "apikey"
+  creds: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
-#    - "5a28cc4c-ce10-4ff1-824e-743c38835f5c"
+#  type: "basic"
-#    - "jwt"
+#  creds: "user:Passw0rd"
-#    - "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
+#  type: "apikey"
-consul: # If the provider is consul. Otherwise ignored
+#  creds: "5ecbf799-1343-4e94-a9b5-e278af5cd313-56b45249-1839-4008-a450-a60dc76d2bae"
 consul: # If the provider is consul. Otherwise, ignored.
  servers:
    - "http://master1:8500"
    - "http://192.168.22.1:8500"
-    - "http://master1.digitai.local:8500"
+    - "http://master1.foo.local:8500"
-  services: # proxy: The hostname to access proxy server, real : The real service name in Consul
+  services: # proxy: The hostname to access the proxy server, real : The real service name in Consul database.
    - proxy: "proxy-frontend-dev-frontend-srv"
      real: "frontend-dev-frontend-srv"
  #    - proxy: "proxy-gateway-test-gateway-srv"
  #      real: "gateway-test-gateway-srv"
  #    - proxy: "proxy-backoffice-dev-backoffice-srv"
  #      real: "backoffice-dev-backoffice-srv"
  token: "8e2db809-845b-45e1-8b47-2c8356a09da0-a4370955-18c2-4d6e-a8f8-ffcc0b47be81" # Consul server access token, If Consul auth is enabled
-upstreams: # If provider is files. Otherwise ignored
+upstreams:
-  myip.netangels.net: # Hostname, or header host to access the upstream
+  myip.mydomain.com:
-    paths: # URL path(s) for current upstream, closest match wins
+    paths:
      "/":
-        headers: # Custom headers, set only for this Host and Path
+        to_https: false
        headers:
          - "X-Proxy-From:Gazan"
        servers: # List of upstreams HOST:PORT
          - "127.0.0.1:8000"
@@ -39,6 +37,7 @@ upstreams: # If provider is files. Otherwise ignored
          - "127.0.0.3:8000"
          - "127.0.0.4:8000"
      "/ping":
        to_https: true
        headers:
          - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
          - "X-Proxy-From:Gazan"
@@ -48,7 +47,7 @@ upstreams: # If provider is files. Otherwise ignored
      "/draw":
        servers:
          - "192.168.1.1:8000"
-  polo.netangels.net:
+  polo.mydomain.com:
    paths:
      "/":
        headers:
@@ -60,36 +59,3 @@ upstreams: # If provider is files. Otherwise ignored
          - "127.0.0.2:8000"
          - "127.0.0.3:8000"
          - "127.0.0.4:8000"
  glop.netangels.net:
    paths:
      "/":
        headers:
          - "X-Hopar-From:Hopaaaaaaaaaaaar"
        servers:
          - "192.168.1.10:8000"
          - "192.168.1.1:8000"
  apt.netangels.net:
    paths:
      "/":
        servers:
          - "apt.netangels.net:443"
  test.netangels.net:
    paths:
      "/":
        servers:
          - "myip.netangels.net:80"
  127.0.0.1:
    paths:
      "/":
        servers:
          - "192.168.1.5:8080"
  127.0.0.2:
    paths:
      "/":
        servers:
          - "10.0.55.171:3000"
  localpost:
    paths:
      "/":
        servers:
          - "127.0.0.1:9000"
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -4,6 +4,8 @@ pub mod discovery;
 mod filewatch;
 pub mod healthcheck;
 pub mod jwt;
 pub mod metrics;
 pub mod parceyaml;
 pub mod structs;
 pub mod tls;
 pub mod tools;
--- a/src/utils/auth.rs
+++ b/src/utils/auth.rs
@@ -37,7 +37,7 @@ impl AuthValidator for ApiKeyAuth<'_> {
 impl AuthValidator for JwtAuth<'_> {
    fn validate(&self, session: &Session) -> bool {
        let jwtsecret = self.0;
-        if let Some(tok) = get_query_param(session, "gazantoken") {
+        if let Some(tok) = get_query_param(session, "araleztoken") {
            return check_jwt(tok.as_str(), jwtsecret);
        }
--- a/src/utils/consul.rs
+++ b/src/utils/consul.rs
@@ -109,7 +109,7 @@ async fn consul_request(url: String, whitelist: Option<Vec<ServiceMapping>>, tok
    Some(upstreams)
 }
-async fn get_by_http(url: String, token: Option<String>) -> Option<DashMap<String, (Vec<(String, u16, bool, bool)>, AtomicUsize)>> {
+async fn get_by_http(url: String, token: Option<String>) -> Option<DashMap<String, (Vec<(String, u16, bool, bool, bool)>, AtomicUsize)>> {
    let client = reqwest::Client::new();
    let mut headers = HeaderMap::new();
    if let Some(token) = token {
@@ -118,7 +118,7 @@ async fn get_by_http(url: String, token: Option<String>) -> Option<DashMap<Strin
    let to = Duration::from_secs(1);
    let u = client.get(url).timeout(to).send();
    let mut values = Vec::new();
-    let upstreams: DashMap<String, (Vec<(String, u16, bool, bool)>, AtomicUsize)> = DashMap::new();
+    let upstreams: DashMap<String, (Vec<(String, u16, bool, bool, bool)>, AtomicUsize)> = DashMap::new();
    match u.await {
        Ok(r) => {
            let jason = r.json::<Vec<Service>>().await;
@@ -127,7 +127,7 @@ async fn get_by_http(url: String, token: Option<String>) -> Option<DashMap<Strin
                    for service in whitelist {
                        let addr = service.tagged_addresses.get("lan_ipv4").unwrap().address.clone();
                        let prt = service.tagged_addresses.get("lan_ipv4").unwrap().port.clone();
-                        let to_add = (addr, prt, false, false);
+                        let to_add = (addr, prt, false, false, false);
                        values.push(to_add);
                    }
                }
--- a/src/utils/discovery.rs
+++ b/src/utils/discovery.rs
@@ -9,8 +9,14 @@ pub struct FromFileProvider {
    pub path: String,
 }
 pub struct APIUpstreamProvider {
    pub config_api_enabled: bool,
    pub address: String,
    pub masterkey: String,
    pub tls_address: Option<String>,
    pub tls_certificate: Option<String>,
    pub tls_key_file: Option<String>,
    pub file_server_address: Option<String>,
    pub file_server_folder: Option<String>,
 }
 pub struct ConsulProvider {
@@ -25,7 +31,7 @@ pub trait Discovery {
 #[async_trait]
 impl Discovery for APIUpstreamProvider {
    async fn start(&self, toreturn: Sender<Configuration>) {
-        webserver::run_server(self.address.clone(), self.masterkey.clone(), toreturn).await;
+        webserver::run_server(self, toreturn).await;
    }
 }
--- a/src/utils/healthcheck.rs
+++ b/src/utils/healthcheck.rs
@@ -20,13 +20,13 @@ pub async fn hc2(upslist: Arc<UpstreamsDashMap>, fullist: Arc<UpstreamsDashMap>,
                for val in fclone.iter() {
                    let host = val.key();
                    let inner = DashMap::new();
-                    let mut _scheme: (String, u16, bool, bool) = ("".to_string(), 0, false, false);
+                    let mut _scheme: (String, u16, bool, bool, bool) = ("".to_string(), 0, false, false, false);
                    for path_entry in val.value().iter() {
                        // let inner = DashMap::new();
                        let path = path_entry.key();
                        let mut innervec= Vec::new();
                        for k in path_entry.value().0 .iter().enumerate() {
-                            let (ip, port, _ssl, _version) = k.1;
+                            let (ip, port, _ssl, _version, _redir) = k.1;
                            let mut _link = String::new();
                            let tls = detect_tls(ip, port).await;
                            let mut is_h2 = false;
@@ -52,13 +52,13 @@ pub async fn hc2(upslist: Arc<UpstreamsDashMap>, fullist: Arc<UpstreamsDashMap>,
                            // }else {
                            //     _scheme = (ip.to_string(), *port, false);
                            // }
-                            _scheme = (ip.to_string(), *port, tls.0, is_h2);
+                            _scheme = (ip.to_string(), *port, tls.0, is_h2, *_redir);
                            // let link = format!("{}{}:{}{}", _pref, ip, port, path);
                            let resp = http_request(_link.as_str(), params.0, "").await;
                            match resp.0 {
                                true => {
                                    if resp.1 {
-                                        _scheme = (ip.to_string(), *port, tls.0, true);
+                                        _scheme = (ip.to_string(), *port, tls.0, true,  *_redir);
                                    }
                                    innervec.push(_scheme.clone());
                                }
@@ -75,7 +75,8 @@ pub async fn hc2(upslist: Arc<UpstreamsDashMap>, fullist: Arc<UpstreamsDashMap>,
                if first_run == 1 {
                    info!("Performing initial hatchecks and upstreams ssl detection");
                    clone_idmap_into(&totest, &idlist);
-                    info!("Gazan is up and ready to serve requests");
+                    info!("Aralez is up and ready to serve requests, the upstreams list is:");
                    print_upstreams(&totest)
                }
                first_run+=1;
--- a/src/utils/metrics.rs
+++ b/src/utils/metrics.rs
@@ -0,0 +1,87 @@
 use pingora_http::Version;
 use prometheus::{register_histogram, register_int_counter, register_int_counter_vec, Histogram, IntCounter, IntCounterVec};
 use std::time::Duration;
 pub struct MetricTypes {
    pub method: String,
    pub code: String,
    pub latency: Duration,
    pub version: Version,
 }
 lazy_static::lazy_static! {
    pub static ref REQUEST_COUNT: IntCounter = register_int_counter!(
        "aralez_requests_total",
        "Total number of requests handled by Aralez"
    ).unwrap();
      pub static ref RESPONSE_CODES: IntCounterVec = register_int_counter_vec!(
        "aralez_responses_total",
        "Responses grouped by status code",
        &["status"]
    ).unwrap();
    pub static ref REQUEST_LATENCY:  Histogram = register_histogram!(
        "aralez_request_latency_seconds",
        "Request latency in seconds",
        vec![0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0]
    ).unwrap();
    pub static ref RESPONSE_LATENCY: Histogram = register_histogram!(
        "aralez_response_latency_seconds",
        "Response latency in seconds",
        vec![0.01, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
    ).unwrap();
    pub static ref REQUESTS_BY_METHOD: IntCounterVec = register_int_counter_vec!(
        "aralez_requests_by_method_total",
        "Number of requests by HTTP method",
        &["method"]
    ).unwrap();
    pub static ref REQUESTS_BY_VERSION: IntCounterVec = register_int_counter_vec!(
        "aralez_requests_by_version_total",
        "Number of requests by HTTP versions",
        &["version"]
    ).unwrap();
    pub static ref ERROR_COUNT: IntCounter = register_int_counter!(
        "aralez_errors_total",
        "Total number of errors"
    ).unwrap();
 }
 pub fn calc_metrics(metric_types: &MetricTypes) {
    REQUEST_COUNT.inc();
    let timer = REQUEST_LATENCY.start_timer();
    timer.observe_duration();
    let version_str = match &metric_types.version {
        &Version::HTTP_11 => "HTTP/1.1",
        &Version::HTTP_2 => "HTTP/2.0",
        &Version::HTTP_3 => "HTTP/3.0",
        &Version::HTTP_10 => "HTTP/1.0",
        _ => "Unknown",
    };
    REQUESTS_BY_VERSION.with_label_values(&[&version_str]).inc();
    RESPONSE_CODES.with_label_values(&[&metric_types.code.to_string()]).inc();
    REQUESTS_BY_METHOD.with_label_values(&[&metric_types.method]).inc();
    RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
 }
 /*
 pub fn calc_metrics(method: String, code: u16, latency: Duration) {
    REQUEST_COUNT.inc();
    let timer = REQUEST_LATENCY.start_timer();
    timer.observe_duration();
    RESPONSE_CODES.with_label_values(&[&code.to_string()]).inc();
    REQUESTS_BY_METHOD.with_label_values(&[&method]).inc();
    RESPONSE_LATENCY.observe(latency.as_secs_f64());
 }
 tokio::spawn(async move {
    let mut interval = tokio::time::interval(std::time::Duration::from_secs(5));
    loop {
        interval.tick().await;
        // read Pingora stats
        let stats = pingora.get_stats();
        // update Prometheus metrics accordingly
        REQUEST_COUNT.set(stats.requests_total);
        // ... etc
    }
 });
 */
--- a/src/utils/parceyaml.rs
+++ b/src/utils/parceyaml.rs
@@ -13,8 +13,10 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
        consul: None,
        typecfg: "".to_string(),
        extraparams: Extraparams {
-            stickysessions: false,
+            sticky_sessions: false,
            to_https: None,
            authentication: DashMap::new(),
            rate_limit: None,
        },
    };
    toreturn.upstreams = UpstreamsDashMap::new();
@@ -46,24 +48,25 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
        Ok(parsed) => {
            let global_headers = DashMap::new();
            let mut hl = Vec::new();
-            if let Some(globals) = &parsed.globals {
+            if let Some(headers) = &parsed.headers {
-                for headers in globals.get("headers").iter().by_ref() {
+                for header in headers.iter() {
-                    for header in headers.iter() {
+                    if let Some((key, val)) = header.split_once(':') {
-                        if let Some((key, val)) = header.split_once(':') {
+                        hl.push((key.to_string(), val.to_string()));
                            hl.push((key.to_string(), val.to_string()));
                        }
                    }
                }
                global_headers.insert("/".to_string(), hl);
                toreturn.headers.insert("GLOBAL_HEADERS".to_string(), global_headers);
-                toreturn.extraparams.stickysessions = parsed.stickysessions;
+                toreturn.extraparams.sticky_sessions = parsed.sticky_sessions;
-                let cfg = DashMap::new();
+                toreturn.extraparams.to_https = parsed.to_https;
-                if let Some(k) = globals.get("authorization") {
+                toreturn.extraparams.rate_limit = parsed.rate_limit;
-                    cfg.insert("authorization".to_string(), k.to_owned());
+            }
-                    toreturn.extraparams.authentication = cfg;
+            if let Some(auth) = &parsed.authorization {
-                } else {
+                let name = auth.get("type").unwrap().to_string();
-                    toreturn.extraparams.authentication = DashMap::new();
+                let creds = auth.get("creds").unwrap().to_string();
-                }
+                let val: Vec<String> = vec![name, creds];
                toreturn.extraparams.authentication.insert("authorization".to_string(), val);
            } else {
                toreturn.extraparams.authentication = DashMap::new();
            }
            match parsed.provider.as_str() {
                "file" => {
@@ -86,8 +89,9 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
                                for server in path_config.servers {
                                    if let Some((ip, port_str)) = server.split_once(':') {
                                        if let Ok(port) = port_str.parse::<u16>() {
-                                            // server_list.push((ip.to_string(), port, path_config.ssl));
+                                            // let to_https = matches!(path_config.to_https, Some(true));
-                                            server_list.push((ip.to_string(), port, true, false));
+                                            let to_https = path_config.to_https.unwrap_or(false);
                                            server_list.push((ip.to_string(), port, true, false, to_https));
                                        }
                                    }
                                }
@@ -139,5 +143,12 @@ pub fn parce_main_config(path: &str) -> AppConfig {
            cfo.local_server = Option::from((ip.to_string(), port));
        }
    }
    if let Some(tlsport_cfg) = cfo.proxy_address_tls.clone() {
        if let Some((_, port_str)) = tlsport_cfg.split_once(':') {
            if let Ok(port) = port_str.parse::<u16>() {
                cfo.proxy_port_tls = Some(port);
            }
        }
    };
    cfo
 }
--- a/src/utils/structs.rs
+++ b/src/utils/structs.rs
@@ -3,8 +3,9 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::sync::atomic::AtomicUsize;
-pub type UpstreamsDashMap = DashMap<String, DashMap<String, (Vec<(String, u16, bool, bool)>, AtomicUsize)>>;
+pub type InnerMap = (String, u16, bool, bool, bool);
-pub type UpstreamsIdMap = DashMap<String, (String, u16, bool, bool)>;
+pub type UpstreamsDashMap = DashMap<String, DashMap<String, (Vec<InnerMap>, AtomicUsize)>>;
 pub type UpstreamsIdMap = DashMap<String, InnerMap>;
 pub type Headers = DashMap<String, DashMap<String, Vec<(String, String)>>>;
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -15,8 +16,10 @@ pub struct ServiceMapping {
 #[derive(Clone, Debug)]
 pub struct Extraparams {
-    pub stickysessions: bool,
+    pub sticky_sessions: bool,
    pub to_https: Option<bool>,
    pub authentication: DashMap<String, Vec<String>>,
    pub rate_limit: Option<isize>,
 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
@@ -28,21 +31,28 @@ pub struct Consul {
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Config {
    pub provider: String,
-    pub stickysessions: bool,
+    pub sticky_sessions: bool,
    pub to_https: Option<bool>,
    pub upstreams: Option<HashMap<String, HostConfig>>,
    pub globals: Option<HashMap<String, Vec<String>>>,
    pub headers: Option<Vec<String>>,
    pub authorization: Option<HashMap<String, String>>,
    pub consul: Option<Consul>,
    pub rate_limit: Option<isize>,
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct HostConfig {
    pub paths: HashMap<String, PathConfig>,
    pub rate_limit: Option<isize>,
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct PathConfig {
    pub servers: Vec<String>,
    pub to_https: Option<bool>,
    pub headers: Option<Vec<String>>,
    pub rate_limit: Option<isize>,
 }
 #[derive(Debug)]
 pub struct Configuration {
@@ -59,11 +69,17 @@ pub struct AppConfig {
    pub hc_method: String,
    pub upstreams_conf: String,
    pub log_level: String,
    pub master_key: String,
    pub config_address: String,
    pub proxy_address_http: String,
-    pub master_key: String,
+    pub config_api_enabled: bool,
    pub config_tls_address: Option<String>,
    pub config_tls_certificate: Option<String>,
    pub config_tls_key_file: Option<String>,
    pub proxy_address_tls: Option<String>,
-    pub tls_certificate: Option<String>,
+    pub proxy_port_tls: Option<u16>,
    pub tls_key_file: Option<String>,
    pub local_server: Option<(String, u16)>,
    pub proxy_certificates: Option<String>,
    pub file_server_address: Option<String>,
    pub file_server_folder: Option<String>,
 }
--- a/src/utils/tls.rs
+++ b/src/utils/tls.rs
@@ -0,0 +1,193 @@
 use dashmap::DashMap;
 use log::error;
 use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef};
 use rustls_pemfile::{read_one, Item};
 use serde::Deserialize;
 use std::collections::HashSet;
 use std::fs::File;
 use std::io::BufReader;
 // use tokio::time::Instant;
 use x509_parser::extensions::GeneralName;
 use x509_parser::nom::Err as NomErr;
 use x509_parser::prelude::*;
 #[derive(Clone, Deserialize, Debug)]
 pub struct CertificateConfig {
    pub cert_path: String,
    pub key_path: String,
 }
 #[derive(Debug)]
 struct CertificateInfo {
    common_names: Vec<String>,
    alt_names: Vec<String>,
    ssl_context: SslContext,
    #[allow(dead_code)]
    cert_path: String, // Only used for logging
    #[allow(dead_code)]
    key_path: String, // Only used for logging
 }
 #[derive(Debug)]
 pub struct Certificates {
    configs: Vec<CertificateInfo>,
    name_map: DashMap<String, SslContext>,
    pub default_cert_path: String,
    pub default_key_path: String,
 }
 impl Certificates {
    pub fn new(configs: &Vec<CertificateConfig>) -> Option<Self> {
        let default_cert = configs.first().expect("At least one TLS certificate required");
        let mut cert_infos = Vec::new();
        let name_map: DashMap<String, SslContext> = DashMap::new();
        for config in configs {
            let cert_info = load_cert_info(&config.cert_path, &config.key_path);
            match cert_info {
                Some(cert) => {
                    for name in &cert.common_names {
                        name_map.insert(name.clone(), cert.ssl_context.clone());
                    }
                    for name in &cert.alt_names {
                        name_map.insert(name.clone(), cert.ssl_context.clone());
                    }
                    cert_infos.push(cert)
                }
                None => {
                    error!("Unable to load certificate info | public: {}, private: {}", &config.cert_path, &config.key_path);
                    return None;
                }
            }
        }
        Some(Self {
            name_map: name_map,
            configs: cert_infos,
            default_cert_path: default_cert.cert_path.clone(),
            default_key_path: default_cert.key_path.clone(),
        })
    }
    fn find_ssl_context(&self, server_name: &str) -> Option<SslContext> {
        if let Some(ctx) = self.name_map.get(server_name) {
            return Some(ctx.clone());
        }
        for config in &self.configs {
            for name in &config.common_names {
                if name.starts_with("*.") && server_name.ends_with(&name[1..]) {
                    return Some(config.ssl_context.clone());
                }
            }
            for name in &config.alt_names {
                if name.starts_with("*.") && server_name.ends_with(&name[1..]) {
                    return Some(config.ssl_context.clone());
                }
            }
        }
        None
    }
    pub fn server_name_callback(&self, ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert) -> Result<(), SniError> {
        let server_name = ssl_ref.servername(NameType::HOST_NAME);
        log::debug!("TLS connect: server_name = {:?}, ssl_ref = {:?}, ssl_alert = {:?}", server_name, ssl_ref, ssl_alert);
        // let start_time = Instant::now();
        if let Some(name) = server_name {
            match self.find_ssl_context(name) {
                Some(ctx) => {
                    ssl_ref.set_ssl_context(&*ctx).map_err(|_| SniError::ALERT_FATAL)?;
                }
                None => {
                    log::debug!("No matching server name found");
                }
            }
        }
        // println!("Context  ==> {:?} <==", start_time.elapsed());
        Ok(())
    }
 }
 fn load_cert_info(cert_path: &str, key_path: &str) -> Option<CertificateInfo> {
    let mut common_names = HashSet::new();
    let mut alt_names = HashSet::new();
    let file = File::open(cert_path);
    match file {
        Err(e) => {
            log::error!("Failed to open certificate file: {:?}", e);
            return None;
        }
        Ok(file) => {
            let mut reader = BufReader::new(file);
            match read_one(&mut reader) {
                Err(e) => {
                    log::error!("Failed to decode PEM from certificate file: {:?}", e);
                    return None;
                }
                Ok(leaf) => match leaf {
                    Some(Item::X509Certificate(cert)) => match X509Certificate::from_der(&cert) {
                        Err(NomErr::Error(e)) | Err(NomErr::Failure(e)) => {
                            log::error!("Failed to parse certificate: {:?}", e);
                            return None;
                        }
                        Err(_) => {
                            log::error!("Unknown error while parsing certificate");
                            return None;
                        }
                        Ok((_, x509)) => {
                            let subject = x509.subject();
                            for attr in subject.iter_common_name() {
                                if let Ok(cn) = attr.as_str() {
                                    common_names.insert(cn.to_string());
                                }
                            }
                            if let Ok(Some(san)) = x509.subject_alternative_name() {
                                for name in san.value.general_names.iter() {
                                    if let GeneralName::DNSName(dns) = name {
                                        let dns_string = dns.to_string();
                                        if !common_names.contains(&dns_string) {
                                            alt_names.insert(dns_string);
                                        }
                                    }
                                }
                            }
                        }
                    },
                    _ => {
                        log::error!("Failed to read certificate");
                        return None;
                    }
                },
            }
        }
    }
    if let Ok(ssl_context) = create_ssl_context(cert_path, key_path) {
        Some(CertificateInfo {
            cert_path: cert_path.to_string(),
            key_path: key_path.to_string(),
            common_names: common_names.into_iter().collect(),
            alt_names: alt_names.into_iter().collect(),
            ssl_context,
        })
    } else {
        log::error!("Failed to create SSL context from cert paths");
        None
    }
 }
 fn create_ssl_context(cert_path: &str, key_path: &str) -> Result<SslContext, Box<dyn std::error::Error>> {
    let mut ctx = SslContext::builder(SslMethod::tls())?;
    ctx.set_certificate_chain_file(cert_path)?;
    ctx.set_private_key_file(key_path, SslFiletype::PEM)?;
    ctx.set_alpn_select_callback(prefer_h2);
    let built = ctx.build();
    Ok(built)
 }
 pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], AlpnError> {
    match select_next_proto("\x02h2\x08http/1.1".as_bytes(), alpn_in) {
        Some(p) => Ok(p),
        _ => Err(AlpnError::NOACK),
    }
 }
--- a/src/utils/tools.rs
+++ b/src/utils/tools.rs
@@ -1,10 +1,17 @@
 use crate::utils::structs::{UpstreamsDashMap, UpstreamsIdMap};
 use crate::utils::tls;
 use crate::utils::tls::CertificateConfig;
 use dashmap::DashMap;
 use log::{error, info};
 use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
 use sha2::{Digest, Sha256};
 use std::any::type_name;
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet};
 use std::fmt::Write;
 use std::fs;
 use std::sync::atomic::AtomicUsize;
 use std::sync::mpsc::{channel, Sender};
 use std::time::{Duration, Instant};
 #[allow(dead_code)]
 pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
@@ -16,8 +23,8 @@ pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
            let path = path_entry.key();
            println!(" Path: {}", path);
-            for (ip, port, ssl, vers) in path_entry.value().0.clone() {
+            for (ip, port, ssl, vers, to_https) in path_entry.value().0.clone() {
-                println!("    ===> IP: {}, Port: {}, SSL: {}, H2: {}", ip, port, ssl, vers);
+                println!("    ===> IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}", ip, port, ssl, vers, to_https);
            }
        }
    }
@@ -139,10 +146,67 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                let hash = hasher.finalize();
                let hex_hash = base16ct::lower::encode_string(&hash);
                let hh = hex_hash[0..50].to_string();
-                cloned.insert(id, (hh.clone(), 0000, false, false));
+                cloned.insert(id, (hh.clone(), 0000, false, false, false));
                cloned.insert(hh, x.to_owned());
            }
            new_inner_map.insert(path.clone(), new_vec);
        }
    }
 }
 pub fn listdir(dir: String) -> Vec<tls::CertificateConfig> {
    let mut f = HashMap::new();
    let mut certificate_configs: Vec<tls::CertificateConfig> = vec![];
    let paths = fs::read_dir(dir).unwrap();
    for path in paths {
        let path_str = path.unwrap().path().to_str().unwrap().to_owned();
        if path_str.ends_with(".crt") {
            let name = path_str.replace(".crt", "");
            let mut inner = vec![];
            let domain = name.split("/").collect::<Vec<&str>>();
            inner.push(name.clone() + ".crt");
            inner.push(name.clone() + ".key");
            f.insert(domain[domain.len() - 1].to_owned(), inner);
            let y = CertificateConfig {
                cert_path: name.clone() + ".crt",
                key_path: name.clone() + ".key",
            };
            certificate_configs.push(y);
        }
    }
    for (_, v) in f.iter() {
        let y = CertificateConfig {
            cert_path: v[0].clone(),
            key_path: v[1].clone(),
        };
        certificate_configs.push(y);
    }
    certificate_configs
 }
 pub fn watch_folder(path: String, sender: Sender<Vec<CertificateConfig>>) -> notify::Result<()> {
    let (tx, rx) = channel();
    let mut watcher = RecommendedWatcher::new(tx, Config::default())?;
    watcher.watch(path.as_ref(), RecursiveMode::Recursive)?;
    info!("Watching for certificates in : {}", path);
    let certificate_configs = listdir(path.clone());
    sender.send(certificate_configs)?;
    let mut start = Instant::now();
    loop {
        match rx.recv_timeout(Duration::from_secs(1)) {
            Ok(Ok(event)) => match &event.kind {
                EventKind::Modify(ModifyKind::Data(_)) | EventKind::Create(_) | EventKind::Remove(_) => {
                    if start.elapsed() > Duration::from_secs(1) {
                        start = Instant::now();
                        let certificate_configs = listdir(path.clone());
                        sender.send(certificate_configs)?;
                        info!("Certificate changed: {:?}, {:?}", event.kind, event.paths);
                    }
                }
                _ => {}
            },
            Ok(Err(e)) => error!("Watch error: {:?}", e),
            Err(_) => {}
        }
    }
 }
--- a/src/web/bgservice.rs
+++ b/src/web/bgservice.rs
@@ -30,10 +30,18 @@ impl BackgroundService for LB {
        let _ = tokio::spawn(async move { file_load.start(tx_file).await });
        let _ = tokio::spawn(async move { consul_load.start(tx_consul).await });
        // let _ = tokio::spawn(tls::watch_certs(self.config.proxy_certificates.clone().unwrap(), self.cert_tx.clone()));
        // let _ = tokio::spawn(tls::watch_certs(self.config.proxy_certificates.clone().unwrap(), self.cert_tx.clone())).await;
        let api_load = APIUpstreamProvider {
            address: self.config.config_address.clone(),
            masterkey: self.config.master_key.clone(),
            config_api_enabled: self.config.config_api_enabled.clone(),
            tls_address: self.config.config_tls_address.clone(),
            tls_certificate: self.config.config_tls_certificate.clone(),
            tls_key_file: self.config.config_tls_key_file.clone(),
            file_server_address: self.config.file_server_address.clone(),
            file_server_folder: self.config.file_server_folder.clone(),
        };
        let tx_api = tx.clone();
        let _ = tokio::spawn(async move { api_load.start(tx_api).await });
@@ -56,8 +64,10 @@ impl BackgroundService for LB {
                            clone_dashmap_into(&ss.upstreams, &self.ump_upst);
                            let current = self.extraparams.load_full();
                            let mut new = (*current).clone();
-                            new.stickysessions = ss.extraparams.stickysessions;
+                            new.sticky_sessions = ss.extraparams.sticky_sessions;
                            new.to_https = ss.extraparams.to_https;
                            new.authentication = ss.extraparams.authentication.clone();
                            new.rate_limit = ss.extraparams.rate_limit;
                            self.extraparams.store(Arc::new(new));
                            self.headers.clear();
@@ -79,8 +89,8 @@ impl BackgroundService for LB {
                                    }
                                }
                            }
-                            info!("Upstreams list is changed, updating to:");
+                            // info!("Upstreams list is changed, updating to:");
-                            print_upstreams(&self.ump_full);
+                            // print_upstreams(&self.ump_full);
                        }
                        None => {}
                    }
--- a/src/web/gethosts.rs
+++ b/src/web/gethosts.rs
@@ -1,15 +1,16 @@
 use crate::utils::structs::InnerMap;
 use crate::web::proxyhttp::LB;
 use async_trait::async_trait;
 use std::sync::atomic::Ordering;
 #[async_trait]
 pub trait GetHost {
-    fn get_host(&self, peer: &str, path: &str, backend_id: Option<&str>) -> Option<(String, u16, bool, bool)>;
+    fn get_host(&self, peer: &str, path: &str, backend_id: Option<&str>) -> Option<InnerMap>;
    fn get_header(&self, peer: &str, path: &str) -> Option<Vec<(String, String)>>;
 }
 #[async_trait]
 impl GetHost for LB {
-    fn get_host(&self, peer: &str, path: &str, backend_id: Option<&str>) -> Option<(String, u16, bool, bool)> {
+    fn get_host(&self, peer: &str, path: &str, backend_id: Option<&str>) -> Option<InnerMap> {
        if let Some(b) = backend_id {
            if let Some(bb) = self.ump_byid.get(b) {
                // println!("BIB :===> {:?}", Some(bb.value()));
@@ -19,7 +20,7 @@ impl GetHost for LB {
        let host_entry = self.ump_upst.get(peer)?;
        let mut current_path = path.to_string();
-        let mut best_match: Option<(String, u16, bool, bool)> = None;
+        let mut best_match: Option<InnerMap> = None;
        loop {
            if let Some(entry) = host_entry.get(&current_path) {
                let (servers, index) = entry.value();
--- a/src/web/proxyhttp.rs
+++ b/src/web/proxyhttp.rs
@@ -1,17 +1,24 @@
 use crate::utils::auth::authenticate;
 use crate::utils::metrics::*;
 use crate::utils::structs::{AppConfig, Extraparams, Headers, UpstreamsDashMap, UpstreamsIdMap};
 use crate::web::gethosts::GetHost;
 use arc_swap::ArcSwap;
 use async_trait::async_trait;
 use axum::body::Bytes;
 use log::{debug, warn};
-use pingora::http::RequestHeader;
+use once_cell::sync::Lazy;
 use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::prelude::*;
 use pingora::ErrorSource::Upstream;
 use pingora_core::listeners::ALPN;
 use pingora_core::prelude::HttpPeer;
-use pingora_http::ResponseHeader;
+use pingora_limits::rate::Rate;
 use pingora_proxy::{ProxyHttp, Session};
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::time::Instant;
 #[derive(Clone)]
 pub struct LB {
    pub ump_upst: Arc<UpstreamsDashMap>,
    pub ump_full: Arc<UpstreamsDashMap>,
@@ -23,15 +30,27 @@ pub struct LB {
 pub struct Context {
    backend_id: String,
    to_https: bool,
    redirect_to: String,
    start_time: Instant,
    hostname: Option<String>,
 }
 // Rate limiter
 static RATE_LIMITER: Lazy<Rate> = Lazy::new(|| Rate::new(Duration::from_secs(1)));
 // max request per second per client
 // static MAX_REQ_PER_SEC: isize = 1;
 #[async_trait]
 impl ProxyHttp for LB {
    // type CTX = ();
    // fn new_ctx(&self) -> Self::CTX {}
    type CTX = Context;
    fn new_ctx(&self) -> Self::CTX {
-        Context { backend_id: String::new() }
+        Context {
            backend_id: String::new(),
            to_https: false,
            redirect_to: String::new(),
            start_time: Instant::now(),
            hostname: None,
        }
    }
    async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
        if let Some(auth) = self.extraparams.load().authentication.get("authorization") {
@@ -42,21 +61,36 @@ impl ProxyHttp for LB {
                return Ok(true);
            }
        };
-        // if session.req_header().uri.path().starts_with("/denied") {
+
-        //     let _ = session.respond_error(403).await;
+        let hostname = return_header_host(&session);
-        //     warn!("Forbidden: {:?}, {}", session.client_addr(), session.req_header().uri.path().to_string());
+        _ctx.hostname = hostname.clone();
-        //     return Ok(true);
+        if let Some(rate) = self.extraparams.load().rate_limit {
-        // };
+            match hostname {
                None => return Ok(false),
                Some(host) => {
                    let curr_window_requests = RATE_LIMITER.observe(&host, 1);
                    if curr_window_requests > rate {
                        let mut header = ResponseHeader::build(429, None).unwrap();
                        header.insert_header("X-Rate-Limit-Limit", rate.to_string()).unwrap();
                        header.insert_header("X-Rate-Limit-Remaining", "0").unwrap();
                        header.insert_header("X-Rate-Limit-Reset", "1").unwrap();
                        session.set_keepalive(None);
                        session.write_response_header(Box::new(header), true).await?;
                        debug!("Rate limited: {:?}, {}", session.client_addr(), rate);
                        return Ok(true);
                    }
                }
            };
        }
        Ok(false)
    }
-    async fn upstream_peer(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<Box<HttpPeer>> {
+    async fn upstream_peer(&self, session: &mut Session, ctx: &mut Self::CTX) -> Result<Box<HttpPeer>> {
-        let host_name = return_header_host(&session);
+        // let host_name = return_header_host(&session);
-
+        match ctx.hostname.as_ref() {
        match host_name {
            Some(hostname) => {
                // session.req_header_mut().headers.insert("X-Host-Name", host.to_string().parse().unwrap());
                let mut backend_id = None;
-                if self.extraparams.load().stickysessions {
+
                if self.extraparams.load().sticky_sessions {
                    if let Some(cookies) = session.req_header().headers.get("cookie") {
                        if let Ok(cookie_str) = cookies.to_str() {
                            for cookie in cookie_str.split(';') {
@@ -73,43 +107,63 @@ impl ProxyHttp for LB {
                let ddr = self.get_host(hostname, hostname, backend_id);
                match ddr {
-                    Some((address, port, ssl, is_h2)) => {
+                    Some((address, port, ssl, is_h2, to_https)) => {
                        let mut peer = Box::new(HttpPeer::new((address.clone(), port.clone()), ssl, String::new()));
                        // if session.is_http2() {
                        if is_h2 {
                            peer.options.alpn = ALPN::H2;
                        }
                        if ssl {
-                            peer.sni = hostname.to_string();
+                            peer.sni = hostname.clone();
                            peer.options.verify_cert = false;
                            peer.options.verify_hostname = false;
                        }
-                        // info!(
+
-                        //     "upstream peer: hostname {}, address{}, alpn {}, h2 {:?}",
+                        if self.extraparams.load().to_https.unwrap_or(false) || to_https {
-                        //     hostname,
+                            if let Some(stream) = session.stream() {
-                        //     address.as_str(),
+                                if stream.get_ssl().is_none() {
-                        //     peer.options.alpn,
+                                    if let Some(addr) = session.server_addr() {
-                        //     is_h2
+                                        if let Some((host, _)) = addr.to_string().split_once(':') {
-                        // );
+                                            let uri = session.req_header().uri.path_and_query().map_or("/", |pq| pq.as_str());
-                        _ctx.backend_id = format!("{}:{}:{}", address.clone(), port.clone(), ssl);
+                                            let port = self.config.proxy_port_tls.unwrap_or(403);
                                            ctx.to_https = true;
                                            ctx.redirect_to = format!("https://{}:{}{}", host, port, uri);
                                        }
                                    }
                                }
                            }
                        }
                        ctx.backend_id = format!("{}:{}:{}", address.clone(), port.clone(), ssl);
                        Ok(peer)
                    }
                    None => {
-                        warn!("Upstream not found. Host: {:?}, Path: {}", hostname, session.req_header().uri);
+                        session.respond_error_with_body(502, Bytes::from("502 Bad Gateway\n")).await.expect("Failed to send error");
-                        Ok(return_no_host(&self.config.local_server))
+                        Err(Box::new(Error {
                            etype: HTTPStatus(502),
                            esource: Upstream,
                            retry: RetryType::Decided(false),
                            cause: None,
                            context: Option::from(ImmutStr::Static("Upstream not found")),
                        }))
                    }
                }
            }
            None => {
-                warn!("Upstream not found. Host: {:?}, Path: {}", host_name, session.req_header().uri);
+                session.respond_error_with_body(502, Bytes::from("502 Bad Gateway\n")).await.expect("Failed to send error");
-                Ok(return_no_host(&self.config.local_server))
+                Err(Box::new(Error {
                    etype: HTTPStatus(502),
                    esource: Upstream,
                    retry: RetryType::Decided(false),
                    cause: None,
                    context: None,
                }))
            }
        }
    }
-    async fn upstream_request_filter(&self, _session: &mut Session, _upstream_request: &mut RequestHeader, _ctx: &mut Self::CTX) -> Result<()> {
+    async fn upstream_request_filter(&self, session: &mut Session, _upstream_request: &mut RequestHeader, _ctx: &mut Self::CTX) -> Result<()> {
-        let clientip = _session.client_addr();
+        match session.client_addr() {
        match clientip {
            Some(ip) => {
                let inet = ip.as_inet();
                match inet {
@@ -128,20 +182,30 @@ impl ProxyHttp for LB {
        Ok(())
    }
-    async fn response_filter(&self, _session: &mut Session, _upstream_response: &mut ResponseHeader, _ctx: &mut Self::CTX) -> Result<()> {
+    // async fn request_body_filter(&self, _session: &mut Session, _body: &mut Option<Bytes>, _end_of_stream: bool, _ctx: &mut Self::CTX) -> Result<()>
    // where
    //     Self::CTX: Send + Sync,
    // {
    //     Ok(())
    // }
    async fn response_filter(&self, session: &mut Session, _upstream_response: &mut ResponseHeader, ctx: &mut Self::CTX) -> Result<()> {
        // _upstream_response.insert_header("X-Proxied-From", "Fooooooooooooooo").unwrap();
-        if self.extraparams.load().stickysessions {
+        if self.extraparams.load().sticky_sessions {
-            let backend_id = _ctx.backend_id.clone();
+            let backend_id = ctx.backend_id.clone();
            if let Some(bid) = self.ump_byid.get(&backend_id) {
                // let _ = _upstream_response.insert_header("set-cookie", format!("backend {}", bid.0));
                let _ = _upstream_response.insert_header("set-cookie", format!("backend_id={}; Path=/; Max-Age=600; HttpOnly; SameSite=Lax", bid.0));
            }
        }
-
+        if ctx.to_https {
-        let host_name = return_header_host(&_session);
+            let mut redirect_response = ResponseHeader::build(StatusCode::MOVED_PERMANENTLY, None)?;
-        match host_name {
+            redirect_response.insert_header("Location", ctx.redirect_to.clone())?;
            redirect_response.insert_header("Content-Length", "0")?;
            session.write_response_header(Box::new(redirect_response), false).await?;
        }
        // match return_header_host(&session) {
        match ctx.hostname.as_ref() {
            Some(host) => {
-                let path = _session.req_header().uri.path();
+                let path = session.req_header().uri.path();
                let host_header = host;
                let split_header = host_header.split_once(':');
                match split_header {
@@ -165,35 +229,36 @@ impl ProxyHttp for LB {
            }
            None => {}
        }
        session.set_keepalive(Some(300));
        Ok(())
    }
    async fn logging(&self, session: &mut Session, _e: Option<&pingora::Error>, ctx: &mut Self::CTX) {
        let response_code = session.response_written().map_or(0, |resp| resp.status.as_u16());
        debug!("{}, response code: {response_code}", self.request_summary(session, ctx));
        let m = &MetricTypes {
            method: session.req_header().method.to_string(),
            code: session.response_written().map(|resp| resp.status.as_str().to_owned()).unwrap_or("0".to_string()),
            latency: ctx.start_time.elapsed(),
            version: session.req_header().version,
        };
        calc_metrics(m);
    }
 }
-fn return_header_host(session: &Session) -> Option<&str> {
+fn return_header_host(session: &Session) -> Option<String> {
    if session.is_http2() {
        match session.req_header().uri.host() {
-            Some(host) => Option::from(host),
+            Some(host) => Option::from(host.to_string()),
            None => None,
        }
    } else {
        match session.req_header().headers.get("host") {
            Some(host) => {
                let header_host = host.to_str().unwrap().splitn(2, ':').collect::<Vec<&str>>();
-                Option::from(header_host[0])
+                Option::from(header_host[0].to_string())
            }
            None => None,
        }
    }
 }
 fn return_no_host(inp: &Option<(String, u16)>) -> Box<HttpPeer> {
    match inp {
        Some(t) => Box::new(HttpPeer::new(t, false, String::new())),
        None => Box::new(HttpPeer::new(("0.0.0.0", 0), false, String::new())),
    }
 }
--- a/src/web/start.rs
+++ b/src/web/start.rs
@@ -1,13 +1,19 @@
 // use rustls::crypto::ring::default_provider;
 use crate::utils::structs::Extraparams;
 use crate::utils::tls;
 use crate::utils::tls::CertificateConfig;
 use crate::utils::tools::*;
 use crate::web::proxyhttp::LB;
 use arc_swap::ArcSwap;
 use dashmap::DashMap;
 use log::info;
 use pingora::tls::ssl::{SslAlert, SslRef};
 use pingora_core::listeners::tls::TlsSettings;
 use pingora_core::prelude::{background_service, Opt};
 use pingora_core::server::Server;
-// use rustls::crypto::ring::default_provider;
+use std::sync::mpsc::{channel, Receiver, Sender};
 use std::env;
 use std::sync::Arc;
 use std::{env, thread};
 pub fn run() {
    // default_provider().install_default().expect("Failed to install rustls crypto provider");
@@ -22,32 +28,24 @@ pub fn run() {
    let ff_config = Arc::new(DashMap::new());
    let im_config = Arc::new(DashMap::new());
    let hh_config = Arc::new(DashMap::new());
    let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams {
-        stickysessions: false,
+        sticky_sessions: false,
        to_https: None,
        authentication: DashMap::new(),
        rate_limit: None,
    }));
    let cfg = Arc::new(maincfg);
    let lb = LB {
-        ump_upst: uf_config.clone(),
+        ump_upst: uf_config,
-        ump_full: ff_config.clone(),
+        ump_full: ff_config,
-        ump_byid: im_config.clone(),
+        ump_byid: im_config,
        config: cfg.clone(),
-        headers: hh_config.clone(),
+        headers: hh_config,
-        extraparams: ec_config.clone(),
+        extraparams: ec_config,
    };
    let bg = LB {
        ump_upst: uf_config.clone(),
        ump_full: ff_config.clone(),
        ump_byid: im_config.clone(),
        config: cfg.clone(),
        headers: hh_config.clone(),
        extraparams: ec_config.clone(),
    };
    // env_logger::Env::new();
    // env_logger::init();
    let log_level = cfg.log_level.clone();
    unsafe {
@@ -64,26 +62,49 @@ pub fn run() {
            }
        }
    }
-    env_logger::builder()
+    env_logger::builder().init();
        // .format_timestamp(None)
        // .format_module_path(false)
        // .format_source_path(false)
        // .format_target(false)
        .init();
-    let bg_srvc = background_service("bgsrvc", bg);
+    let bg_srvc = background_service("bgsrvc", lb.clone());
-    let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb);
+    let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
    let bind_address_http = cfg.proxy_address_http.clone();
    let bind_address_tls = cfg.proxy_address_tls.clone();
    match bind_address_tls {
        Some(bind_address_tls) => {
-            info!("Running TLS listener on :{}", bind_address_tls);
+            let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
-            let cert_path = cfg.tls_certificate.clone().unwrap();
+            let certs_path = cfg.proxy_certificates.clone().unwrap();
-            let key_path = cfg.tls_key_file.clone().unwrap();
+            thread::spawn(move || {
-            let mut tls_settings = pingora_core::listeners::tls::TlsSettings::intermediate(&cert_path, &key_path).unwrap();
+                watch_folder(certs_path, tx).unwrap();
-            tls_settings.enable_h2();
+            });
            let certificate_configs = rx.recv().unwrap();
            let first_set = tls::Certificates::new(&certificate_configs).unwrap_or_else(|| panic!("Unable to load initial certificate info"));
            let certificates = Arc::new(ArcSwap::from_pointee(first_set));
            let certs_for_callback = certificates.clone();
            let certs_for_watcher = certificates.clone();
            let new_certs = tls::Certificates::new(&certificate_configs);
            certs_for_watcher.store(Arc::new(new_certs.unwrap()));
            let mut tls_settings =
                TlsSettings::intermediate(&certs_for_callback.load().default_cert_path, &certs_for_callback.load().default_key_path).expect("unable to load or parse cert/key");
            tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certs_for_callback.load().server_name_callback(ssl_ref, ssl_alert));
            tls_settings.set_alpn_select_callback(tls::prefer_h2);
            proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
            let certs_for_watcher = certificates.clone();
            thread::spawn(move || {
                while let Ok(new_configs) = rx.recv() {
                    let new_certs = tls::Certificates::new(&new_configs);
                    match new_certs {
                        Some(new_certs) => {
                            certs_for_watcher.store(Arc::new(new_certs));
                            info!("Reload TLS certificates from {}", cfg.proxy_certificates.clone().unwrap())
                        }
                        None => {}
                    };
                }
            });
        }
        None => {}
    }
@@ -91,8 +112,5 @@ pub fn run() {
    proxy.add_tcp(bind_address_http.as_str());
    server.add_service(proxy);
    server.add_service(bg_srvc);
    // let mut prometheus_service_http = Service::prometheus_http_service();
    // prometheus_service_http.add_tcp("0.0.0.0:1234");
    // server.add_service(prometheus_service_http);
    server.run_forever();
 }
--- a/src/web/webserver.rs
+++ b/src/web/webserver.rs
@@ -1,21 +1,27 @@
 use crate::utils::discovery::APIUpstreamProvider;
 use crate::utils::structs::Configuration;
 use axum::body::Body;
-use axum::extract::State;
+use axum::extract::{Query, State};
 use axum::http::{Response, StatusCode};
 use axum::response::IntoResponse;
-use axum::routing::{delete, get, head, post, put};
+use axum::routing::{get, post};
 use axum::{Json, Router};
 use axum_server::tls_openssl::OpenSSLConfig;
 use futures::channel::mpsc::Sender;
 use futures::SinkExt;
 use jsonwebtoken::{encode, EncodingKey, Header};
 use log::{error, info, warn};
 use prometheus::{gather, Encoder, TextEncoder};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use tokio::net::TcpListener;
 use tower_http::services::ServeDir;
 #[derive(Deserialize)]
 struct InputKey {
-    masterkey: String,
+    master_key: String,
    owner: String,
    valid: u64,
 }
@@ -25,51 +31,84 @@ struct OutToken {
    token: String,
 }
-#[allow(unused_mut)]
+#[derive(Clone)]
-pub async fn run_server(bindaddress: String, masterkey: String, mut toreturn: Sender<Configuration>) {
+struct AppState {
-    let mut tr = toreturn.clone();
+    master_key: String,
-    let app = Router::new()
+    config_sender: Sender<Configuration>,
-        .route("/{*wildcard}", get(senderror))
+    config_api_enabled: bool,
-        .route("/{*wildcard}", post(senderror))
+}
        .route("/{*wildcard}", put(senderror))
        .route("/{*wildcard}", head(senderror))
        .route("/{*wildcard}", delete(senderror))
        .route("/jwt", post(jwt_gen))
        .with_state(masterkey.clone())
        .route(
            "/conf",
            post(|up: String| async move {
                let serverlist = crate::utils::parceyaml::load_configuration(up.as_str(), "content");
-                match serverlist {
+#[allow(unused_mut)]
-                    Some(serverlist) => {
+pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Configuration>) {
-                        let _ = tr.send(serverlist).await.unwrap();
+    let app_state = AppState {
-                        Response::builder().status(StatusCode::CREATED).body(Body::from("Config, conf file, updated!\n")).unwrap()
+        master_key: config.masterkey.clone(),
-                    }
+        config_sender: to_return.clone(),
-                    None => Response::builder()
+        config_api_enabled: config.config_api_enabled.clone(),
-                        .status(StatusCode::INTERNAL_SERVER_ERROR)
+    };
-                        .body(Body::from("Failed to parce config file!\n"))
+
-                        .unwrap(),
+    let app = Router::new()
-                }
+        // .route("/{*wildcard}", get(senderror))
-            })
+        // .route("/{*wildcard}", post(senderror))
-            .with_state("state"),
+        // .route("/{*wildcard}", put(senderror))
-        );
+        // .route("/{*wildcard}", head(senderror))
-    let listener = TcpListener::bind(bindaddress.clone()).await.unwrap();
+        // .route("/{*wildcard}", delete(senderror))
-    info!("Starting the API server on: {}", bindaddress);
+        // .nest_service("/static", static_files)
        .route("/jwt", post(jwt_gen))
        .route("/conf", post(conf))
        .route("/metrics", get(metrics))
        .with_state(app_state);
    if let Some(value) = &config.tls_address {
        let cf = OpenSSLConfig::from_pem_file(config.tls_certificate.clone().unwrap(), config.tls_key_file.clone().unwrap()).unwrap();
        let addr: SocketAddr = value.parse().expect("Unable to parse socket address");
        let tls_app = app.clone();
        tokio::spawn(async move {
            if let Err(e) = axum_server::bind_openssl(addr, cf).serve(tls_app.into_make_service()).await {
                eprintln!("TLS server failed: {}", e);
            }
        });
        info!("Starting the TLS API server on: {}", value);
    }
    if let (Some(address), Some(folder)) = (&config.file_server_address, &config.file_server_folder) {
        let static_files = ServeDir::new(folder);
        let static_serve: Router = Router::new().fallback_service(static_files);
        let static_listen = TcpListener::bind(address).await.unwrap();
        let _ = tokio::spawn(async move { axum::serve(static_listen, static_serve).await.unwrap() });
    }
    let listener = TcpListener::bind(config.address.clone()).await.unwrap();
    info!("Starting the API server on: {}", config.address);
    axum::serve(listener, app).await.unwrap();
 }
-#[allow(dead_code)]
+async fn conf(State(mut st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
-async fn senderror() -> impl IntoResponse {
+    if !st.config_api_enabled {
-    Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("No live upstream found!\n")).unwrap()
+        return Response::builder()
            .status(StatusCode::FORBIDDEN)
            .body(Body::from("Config remote API is disabled !\n"))
            .unwrap();
    }
    if let Some(s) = params.get("key") {
        if s.to_owned() == st.master_key {
            if let Some(serverlist) = crate::utils::parceyaml::load_configuration(content.as_str(), "content") {
                st.config_sender.send(serverlist).await.unwrap();
                return Response::builder().status(StatusCode::OK).body(Body::from("Config, conf file, updated !\n")).unwrap();
            } else {
                return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("Failed to parse config!\n")).unwrap();
            };
        }
    }
    Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap()
 }
-async fn jwt_gen(State(masterkey): State<String>, Json(payload): Json<InputKey>) -> (StatusCode, Json<OutToken>) {
+async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<InputKey>) -> (StatusCode, Json<OutToken>) {
-    if payload.masterkey == masterkey {
+    if payload.master_key == state.master_key {
        let now = SystemTime::now() + Duration::from_secs(payload.valid * 60);
        let a = now.duration_since(UNIX_EPOCH).unwrap().as_secs();
        let claim = crate::utils::jwt::Claims { user: payload.owner, exp: a };
-        match encode(&Header::default(), &claim, &EncodingKey::from_secret(payload.masterkey.as_ref())) {
+        match encode(&Header::default(), &claim, &EncodingKey::from_secret(payload.master_key.as_ref())) {
            Ok(t) => {
                let tok = OutToken { token: t };
                info!("Generating token: {:?}", tok);
@@ -89,3 +128,28 @@ async fn jwt_gen(State(masterkey): State<String>, Json(payload): Json<InputKey>)
        (StatusCode::FORBIDDEN, Json(tok))
    }
 }
 async fn metrics() -> impl IntoResponse {
    let metric_families = gather();
    let encoder = TextEncoder::new();
    let mut buffer = Vec::new();
    if let Err(e) = encoder.encode(&metric_families, &mut buffer) {
        // encoding error fallback
        return Response::builder()
            .status(StatusCode::INTERNAL_SERVER_ERROR)
            .body(Body::from(format!("Failed to encode metrics: {}", e)))
            .unwrap();
    }
    Response::builder()
        .status(StatusCode::OK)
        .header("Content-Type", encoder.format_type())
        .body(Body::from(buffer))
        .unwrap()
 }
 // #[allow(dead_code)]
 // async fn senderror() -> impl IntoResponse {
 //     Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("No live upstream found!\n")).unwrap()
 // }
Author	SHA1	Message	Date
Ara Sadoyan	21e1276ff5	Readme update	2025-07-09 15:22:38 +02:00
Ara Sadoyan	8463cdabbc	Added configurable rate limiter	2025-07-09 15:01:20 +02:00
Ara Sadoyan	d0e4b52ce6	Enable/Disable config API from config	2025-07-04 15:06:05 +02:00
Ara Sadoyan	b552d24497	README	2025-07-02 19:00:05 +02:00
Ara Sadoyan	2e33d692bb	Added optional minimal file server	2025-07-02 18:29:14 +02:00
Ara Sadoyan	e586967830	Code cleanup, nothing special	2025-06-30 18:24:25 +02:00
Ara Sadoyan	8d4e434d6a	Dynamic load of SSL certificates from disk.	2025-06-19 18:32:44 +02:00
Ara Sadoyan	60b7b3aa7a	README	2025-06-16 13:42:30 +02:00
Ara Sadoyan	569db8e18d	Project rename. Load multiple certificates from folder.	2025-06-16 13:32:05 +02:00
Ara Sadoyan	4126249bcd	Project rename. Load multiple certificates from folder.	2025-06-16 13:29:13 +02:00
Ara Sadoyan	0779f97277	README Update	2025-06-09 18:12:25 +02:00
Ara Sadoyan	b047331e6a	README Update	2025-06-09 18:11:44 +02:00
Ara Sadoyan	a341fa30db	Add TLS to API server	2025-06-09 18:06:16 +02:00
Ara Sadoyan	9d604d62e7	METRICS.md update	2025-06-07 15:51:23 +02:00
Ara Sadoyan	4a21700552	README update	2025-06-07 11:47:29 +02:00
Ara Sadoyan	f0157b6e8f	README update	2025-06-07 11:38:07 +02:00
Ara Sadoyan	1370396ae8	README update	2025-06-07 10:56:31 +02:00
Ara Sadoyan	64ef4e14af	README update	2025-06-07 10:11:39 +02:00
Ara Sadoyan	ffc2bab79f	API server changes, improvements	2025-06-06 19:30:51 +02:00
Ara Sadoyan	8e05794784	Metrics exporter for Prometheus	2025-05-28 21:24:22 +02:00
Ara Sadoyan	423c7afa90	Metrics exporter for Prometheus	2025-05-28 21:23:10 +02:00
Ara Sadoyan	78a084380a	Name and config changes	2025-05-28 14:54:01 +02:00
Ara Sadoyan	ada2032732	http to https redirect cleanup	2025-05-26 18:30:42 +02:00
Ara Sadoyan	a89592bd07	http to https redirect cleanup	2025-05-26 16:24:15 +02:00
Ara Sadoyan	2a93bc2cd6	http to https redirect cleanup	2025-05-26 12:42:01 +02:00
Ara Sadoyan	d38588a299	http to https redirect	2025-05-25 11:19:28 +02:00
Ara Sadoyan	3e93920a0d	Some type changes	2025-05-21 16:49:37 +02:00