README

Cargo.lock

@@ -110,6 +110,42 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "aralez"
+version = "0.9.1"
+dependencies = [
+ "arc-swap",
+ "async-trait",
+ "axum",
+ "axum-server",
+ "base16ct",
+ "base64",
+ "dashmap",
+ "env_logger",
+ "futures",
+ "jsonwebtoken",
+ "lazy_static",
+ "log",
+ "mimalloc",
+ "notify",
+ "openssl",
+ "pingora",
+ "pingora-core",
+ "pingora-http",
+ "pingora-proxy",
+ "prometheus 0.14.0",
+ "rand 0.9.1",
+ "reqwest",
+ "rustls-pemfile",
+ "serde",
+ "serde_yaml 0.9.34+deprecated",
+ "sha2",
+ "tokio",
+ "tonic",
+ "urlencoding",
+ "x509-parser",
+]
+
 [[package]]
 name = "arc-swap"
 version = "1.7.1"
@@ -122,6 +158,45 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 
+[[package]]
+name = "asn1-rs"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 2.0.12",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.100",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.100",
+]
+
 [[package]]
 name = "async-stream"
 version = "0.3.6"
@@ -232,6 +307,26 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "axum-server"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "495c05f60d6df0093e8fb6e74aa5846a0ad06abaf96d76166283720bf740f8ab"
+dependencies = [
+ "arc-swap",
+ "bytes",
+ "fs-err",
+ "http",
+ "http-body",
+ "hyper",
+ "hyper-util",
+ "openssl",
+ "pin-project-lite",
+ "tokio",
+ "tokio-openssl",
+ "tower-service",
+]
+
 [[package]]
 name = "backtrace"
 version = "0.3.74"
@@ -536,6 +631,26 @@ dependencies = [
  "parking_lot_core",
 ]
 
+[[package]]
+name = "data-encoding"
+version = "2.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476"
+
+[[package]]
+name = "der-parser"
+version = "10.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "deranged"
 version = "0.4.0"
@@ -707,6 +822,16 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "fs-err"
+version = "3.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88d7be93788013f265201256d58f04936a8079ad5dc898743aa20525f503b683"
+dependencies = [
+ "autocfg",
+ "tokio",
+]
+
 [[package]]
 name = "fsevent-sys"
 version = "4.1.0"
@@ -805,36 +930,6 @@ dependencies = [
  "slab",
 ]
 
-[[package]]
-name = "gazan"
-version = "0.1.0"
-dependencies = [
- "arc-swap",
- "async-trait",
- "axum",
- "base16ct",
- "base64",
- "dashmap",
- "env_logger",
- "futures",
- "jsonwebtoken",
- "log",
- "mimalloc",
- "notify",
- "pingora",
- "pingora-core",
- "pingora-http",
- "pingora-proxy",
- "rand 0.9.1",
- "reqwest",
- "serde",
- "serde_yaml 0.9.34+deprecated",
- "sha2",
- "tokio",
- "tonic",
- "urlencoding",
-]
-
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -1506,6 +1601,12 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
 [[package]]
 name = "miniz_oxide"
 version = "0.8.3"
@@ -1581,6 +1682,16 @@ dependencies = [
  "memoffset",
 ]
 
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
 [[package]]
 name = "notify"
 version = "8.0.0"
@@ -1649,6 +1760,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "oid-registry"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.20.2"
@@ -1874,7 +1994,7 @@ dependencies = [
  "pingora-pool",
  "pingora-runtime",
  "pingora-timeout",
- "prometheus",
+ "prometheus 0.13.4",
  "rand 0.8.5",
  "regex",
  "serde",
@@ -2121,10 +2241,25 @@ dependencies = [
  "lazy_static",
  "memchr",
  "parking_lot",
- "protobuf",
+ "protobuf 2.28.0",
  "thiserror 1.0.69",
 ]
 
+[[package]]
+name = "prometheus"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ca5326d8d0b950a9acd87e6a3f94745394f62e4dae1b1ee22b2bc0c394af43a"
+dependencies = [
+ "cfg-if",
+ "fnv",
+ "lazy_static",
+ "memchr",
+ "parking_lot",
+ "protobuf 3.7.2",
+ "thiserror 2.0.12",
+]
+
 [[package]]
 name = "prost"
 version = "0.13.5"
@@ -2140,6 +2275,26 @@ version = "2.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
 
+[[package]]
+name = "protobuf"
+version = "3.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d65a1d4ddae7d8b5de68153b48f6aa3bba8cb002b243dbdbc55a5afbc98f99f4"
+dependencies = [
+ "once_cell",
+ "protobuf-support",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "protobuf-support"
+version = "3.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e36c2f31e0a47f9280fb347ef5e461ffcd2c52dd520d8e216b52f93b0b0d7d6"
+dependencies = [
+ "thiserror 1.0.69",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.38"
@@ -2342,6 +2497,15 @@ version = "0.1.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
 
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
 [[package]]
 name = "rustix"
 version = "1.0.7"
@@ -2352,7 +2516,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2719,7 +2883,7 @@ dependencies = [
  "getrandom 0.3.1",
  "once_cell",
  "rustix",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3543,6 +3707,23 @@ version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
 
+[[package]]
+name = "x509-parser"
+version = "0.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4569f339c0c402346d4a75a9e39cf8dad310e287eef1ff56d4c68e5067f53460"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror 2.0.12",
+ "time",
+]
+
 [[package]]
 name = "yaml-rust"
 version = "0.4.5"

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
-name = "gazan"
+name = "aralez"
-version = "0.1.0"
+version = "0.9.1"
 edition = "2021"
 
 [profile.release]
@@ -25,6 +25,7 @@ log = "0.4.27"
 futures = "0.3.31"
 notify = "8.0.0"
 axum = { version = "0.8.4" }
+axum-server = { version = "0.7.2", features = ["tls-openssl"] }
 reqwest = { version = "0.12.15", features = ["json", "native-tls-alpn"] }
 #reqwest = { version = "0.12.15", features = ["json", "rustls-tls"] }
 #reqwest = { version = "0.12.15", default-features = false, features = ["rustls-tls", "json"] }
@@ -40,4 +41,11 @@ urlencoding = "2.1.3"
 arc-swap = "1.7.1"
 #rustls = { version = "0.23.27", features = ["ring"] }
 mimalloc = { version = "0.1.46", default-features = false }
+prometheus = "0.14.0"
+lazy_static = "1.5.0"
+openssl = "0.10.72"
+x509-parser = "0.17.0"
+rustls-pemfile = "2.2.0"
+
+#openssl = "0.10.72"
 

METRICS.md

@@ -0,0 +1,120 @@
+# 📈 Aralez Prometheus Metrics Reference
+
+This document outlines Prometheus metrics for the [Aralez](https://github.com/sadoyan/aralez) reverse proxy.
+These metrics can be used for monitoring, alerting and performance analysis.
+
+Exposed to `http://config_address/metrics`
+
+By default `http://127.0.0.1:3000/metrics`
+
+# 📊 Example Grafana dashboard during stress test :
+
+![Aralez](https://netangels.net/utils/dash.png)
+
+---
+
+## 🛠️ Prometheus Metrics
+
+### 1. `aralez_requests_total`
+
+- **Type**: `Counter`
+- **Purpose**: Total amount requests served by Aralez.
+
+**PromQL example:**
+
+```promql
+rate(aralez_requests_total[5m])
+```
+
+---
+
+### 2. `aralez_errors_total`
+
+- **Type**: `Counter`
+- **Purpose**: Count of requests that resulted in an error.
+
+**PromQL example:**
+
+```promql
+rate(aralez_errors_total[5m])
+```
+
+---
+
+### 3. `aralez_responses_total{status="200"}`
+
+- **Type**: `CounterVec`
+- **Purpose**: Count of responses by HTTP status code.
+
+**PromQL example:**
+
+```promql
+rate(aralez_responses_total{status=~"5.."}[5m]) > 0
+```
+
+> Useful for alerting on 5xx errors.
+
+---
+
+### 4. `aralez_response_latency_seconds`
+
+- **Type**: `Histogram`
+- **Purpose**: Tracks the latency of responses in seconds.
+
+**Example bucket output:**
+
+```prometheus
+aralez_response_latency_seconds_bucket{le="0.01"}  15
+aralez_response_latency_seconds_bucket{le="0.1"}   120
+aralez_response_latency_seconds_bucket{le="0.25"}  245
+aralez_response_latency_seconds_bucket{le="0.5"}   500
+...
+aralez_response_latency_seconds_count  1023
+aralez_response_latency_seconds_sum    42.6
+```
+
+| Metric                  | Meaning                                                       |
+|-------------------------|---------------------------------------------------------------|
+| `bucket{le="0.1"} 120`  | 120 requests were ≤ 100ms                                     |
+| `bucket{le="0.25"} 245` | 245 requests were ≤ 250ms                                     |
+| `count`                 | Total number of observations (i.e., total responses measured) |
+| `sum`                   | Total time of all responses, in seconds                       |
+
+### 🔍 How to interpret:
+
+- `le` means “less than or equal to”.
+- `count` is total amount of observations.
+- `sum` is the total time (in seconds) of all responses.
+
+**PromQL examples:**
+
+🔹 **95th percentile latency**
+
+```promql
+histogram_quantile(0.95, rate(aralez_response_latency_seconds_bucket[5m]))
+
+```
+
+🔹 **Average latency**
+
+```promql
+rate(aralez_response_latency_seconds_sum[5m]) / rate(aralez_response_latency_seconds_count[5m])
+```
+
+---
+
+## ✅ Notes
+
+- Metrics are registered after the first served request.
+
+---
+✅ Summary of key metrics
+
+| Metric Name                           | Type       | What it Tells You         |
+|---------------------------------------|------------|---------------------------|
+| `aralez_requests_total`                | Counter    | Total requests served     |
+| `aralez_errors_total`                  | Counter    | Number of failed requests |
+| `aralez_responses_total{status="200"}` | CounterVec | Response status breakdown |
+| `aralez_response_latency_seconds`      | Histogram  | How fast responses are    |
+
+📘 *Last updated: May 2025*

README.md

@@ -1,38 +1,42 @@
-![Gazan](https://netangels.net/utils/gazan-white.jpg)
+![Aralez](https://netangels.net/utils/aralez-white.jpg)
 
-# Gazan - The beast-mode reverse proxy.
+# Aralez (Արալեզ), Reverse proxy and service mesh built on top of Cloudflare's Pingora
 
-Gazan is a Reverse proxy, service mesh based on Cloudflare's Pingora
+**What Aralez means?**
+<ins>Aralez = Արալեզ. Named after the legendary Armenian guardian spirit, winged dog-like creature, that descend upon fallen heroes to lick their wounds and resurrect them.</ins>.
 
-**What Gazan means?**
+Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers world-class performance, security and scalability — right out of the box.
-<ins>Gazan = Գազան = beast / wild animal in Armenian / Often used as a synonym to something great.</ins>.
-
-Built on Rust, on top of **Cloudflare’s Pingora engine**, **Gazan** delivers world-class performance, security and scalability — right out of the box.
 
 ---
 
 ## 🔧 Key Features
 
-- **Dynamic Config Reloads** — Upstreams can be updated live via API, no restart required
+- **Dynamic Config Reloads** — Upstreams can be updated live via API, no restart required.
-- **TLS Termination** — Built-in OpenSSL support
+- **TLS Termination** — Built-in OpenSSL support.
-- **Upstreams TLS detection** — Gazan will automatically detect if upstreams uses secure connection
+- **Upstreams TLS detection** — Aralez will automatically detect if upstreams uses secure connection.
-- **Authentication** — Supports Basic Auth, API tokens, and JWT verification
+- **Authentication** — Supports Basic Auth, API tokens, and JWT verification.
+    - **Basic Auth**
+    - **API Key** via `x-api-key` header
+    - **JWT Auth**, with tokens issued by Aralez itself via `/jwt` API
+        - ⬇️ See below for examples and implementation details.
 - **Load Balancing Strategies**
     - Round-robin
     - Failover with health checks
     - Sticky sessions via cookies
-- **Unified Port** — Serve HTTP and WebSocket traffic over the same connection
+- **Unified Port** — Serve HTTP and WebSocket traffic over the same connection.
-- **Memory Safe** — Created purely on Rust
+- **Memory Safe** — Created purely on Rust.
-- **High Performance** — Built with [Pingora](https://github.com/cloudflare/pingora) and tokio for async I/O
+- **High Performance** — Built with [Pingora](https://github.com/cloudflare/pingora) and tokio for async I/O.
 
 ## 🌍 Highlights
 
-- ⚙️ **Upstream Providers:** Supports `file`-based static upstreams, dynamic service discovery via `Consul`.
+- ⚙️ **Upstream Providers:**
+    - `file` Upstreams are declared in config file.
+    - `consul` Upstreams are dynamically updated from Hashicorp Consul.
 - 🔁 **Hot Reloading:** Modify upstreams on the fly via `upstreams.yaml` — no restart needed.
 - 🔮 **Automatic WebSocket Support:** Zero config — connection upgrades are handled seamlessly.
-- 🔮 **Automatic GRPC Support:** Zero config, Requires `ssl` to proxy, gRPC is handled seamlessly.
+- 🔮 **Automatic GRPC Support:** Zero config, Requires `ssl` to proxy, gRPC handled seamlessly.
-- 🔮 **Upstreams Session Stickiness:** Enable/Disable Sticky sessions.
+- 🔮 **Upstreams Session Stickiness:** Enable/Disable Sticky sessions globally.
-- 🔐 **TLS Termination:** Fully supports TLS for incoming and upstream traffic.
+- 🔐 **TLS Termination:** Fully supports TLS for upstreams and downstreams.
 - 🛡️ **Built-in Authentication** Basic Auth, JWT, API key.
 - 🧠 **Header Injection:** Global and per-route header configuration.
 - 🧪 **Health Checks:** Pluggable health check methods for upstreams.
@@ -57,15 +61,28 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Gazan** delivers w
 
 ### 🔧 `main.yaml`
 
-- `proxy_address_http`: `0.0.0.0:6193` (HTTP listener)
+| Key                              | Example Value                        | Description                                                                                      |
-- `proxy_address_tls`: `0.0.0.0:6194` (TLS listener, optional)
+|----------------------------------|--------------------------------------|--------------------------------------------------------------------------------------------------|
-- `config_address`: `0.0.0.0:3000` (HTTP API for remote config push)
+| **threads**                      | 12                                   | Number of running daemon threads. Optional, defaults to 1                                        |
-- `upstreams_conf`: `etc/upstreams.yaml` (location of upstreams config)
+| **user**                         | aralez                               | Optional, Username for running aralez after dropping root privileges, requires to launch as root |
-- `log_level`: `info` (verbosity of logs)
+| **group**                        | aralez                               | Optional,Group for running aralez after dropping root privileges, requires to launch as root     |
-- `hc_method`: `HEAD`, `hc_interval`: `2s` (upstream health checks)
+| **daemon**                       | false                                | Run in background (boolean)                                                                      |
-- `user` Optional. Drop privileges to regular user. To bind to privileged ports. Requires to start as root.
+| **upstream_keepalive_pool_size** | 500                                  | Pool size for upstream keepalive connections                                                     |
-- `group` Optional. Drop privileges to regular group
+| **pid_file**                     | /tmp/aralez.pid                      | Path to PID file                                                                                 |
-- Other defaults: thread count, keep-alive pool size, etc.
+| **error_log**                    | /tmp/aralez_err.log                  | Path to error log file                                                                           |
+| **upgrade_sock**                 | /tmp/aralez.sock                     | Path to live upgrade socket file                                                                 |
+| **config_address**               | 0.0.0.0:3000                         | HTTP API address for pushing upstreams.yaml from remote location                                 |
+| **config_tls_address**           | 0.0.0.0:3001                         | HTTPS API address for pushing upstreams.yaml from remote location                                |
+| **config_tls_certificate**       | etc/server.crt                       | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional              |
+| **config_tls_key_file**          | etc/key.pem                          | Private Key file path. Mandatory if proxy_address_tls is set, else optional                      |
+| **proxy_address_http**           | 0.0.0.0:6193                         | Aralez HTTP bind address                                                                         |
+| **proxy_address_tls**            | 0.0.0.0:6194                         | Aralez HTTPS bind address (Optional)                                                             |
+| **proxy_certificates**           | etc/certs/                           | The directory containing certificate and key files. In a format {NAME}.crt, {NAME}.key.          |
+| **upstreams_conf**               | etc/upstreams.yaml                   | The location of upstreams file                                                                   |
+| **log_level**                    | info                                 | Log level , possible values : info, warn, error, debug, trace, off                               |
+| **hc_method**                    | HEAD                                 | Healthcheck method (HEAD, GET, POST are supported) UPPERCASE                                     |
+| **hc_interval**                  | 2                                    | Interval for health checks in seconds                                                            |
+| **master_key**                   | 5aeff7f9-7b94-447c-af60-e8c488544a3e | Master key for working with API server and JWT Secret generation                                 |
 
 ### 🌐 `upstreams.yaml`
 
@@ -81,40 +98,40 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Gazan** delivers w
 
 ## 🛠 Installation
 
-Download the prebuilt binary for your architecture from releases section of [GitHub](https://github.com/sadoyan/gazan/releases) repo
+Download the prebuilt binary for your architecture from releases section of [GitHub](https://github.com/sadoyan/aralez/releases) repo
-Make the binary executable `chmod 755 ./gazan-VERSION` and run.
+Make the binary executable `chmod 755 ./aralez-VERSION` and run.
 
 File names:
 
-| File Name                | Description                                                   |
+| File Name                 | Description                                                   |
-|--------------------------|---------------------------------------------------------------|
+|---------------------------|---------------------------------------------------------------|
-| `gazan-x86_64-musl.gz`   | Static Linux x86_64 binary, without any system dependency     |
+| `aralez-x86_64-musl.gz`   | Static Linux x86_64 binary, without any system dependency     |
-| `gazan-x86_64-glibc.gz`  | Dynamic Linux x86_64 binary, with minimal system dependencies |
+| `aralez-x86_64-glibc.gz`  | Dynamic Linux x86_64 binary, with minimal system dependencies |
-| `gazan-aarch64-musl.gz`  | Static Linux ARM64 binary, without any system dependency      |
+| `aralez-aarch64-musl.gz`  | Static Linux ARM64 binary, without any system dependency      |
-| `gazan-aarch64-glibc.gz` | Dynamic Linux ARM64 binary, with minimal system dependencies  |
+| `aralez-aarch64-glibc.gz` | Dynamic Linux ARM64 binary, with minimal system dependencies  |
 
 ## 🔌 Running the Proxy
 
 ```bash
-./gazan -c path/to/main.yaml
+./aralez -c path/to/main.yaml
 ```
 
 ## 🔌 Systemd integration
 
 ```bash
-cat > /etc/systemd/system/gazan.service <<EOF
+cat > /etc/systemd/system/aralez.service <<EOF
 [Service]
 Type=forking
-PIDFile=/run/gazan.pid
+PIDFile=/run/aralez.pid
-ExecStart=/bin/gazan -d -c /etc/gazan.conf
+ExecStart=/bin/aralez -d -c /etc/aralez.conf
 ExecReload=kill -QUIT $MAINPID
-ExecReload=/bin/gazan -u -d -c /etc/gazan.conf
+ExecReload=/bin/aralez -u -d -c /etc/aralez.conf
 EOF
 ```
 
 ```bash
-systemctl enable gazan.service.
+systemctl enable aralez.service.
-systemctl restart gazan.service.
+systemctl restart aralez.service.
 ```
 
 ## 💡 Example
@@ -124,7 +141,7 @@ A sample `upstreams.yaml` entry:
 ```yaml
 provider: "file"
 sticky_sessions: false
-to_ssl: false
+to_https: false
 headers:
   - "Access-Control-Allow-Origin:*"
   - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
@@ -156,7 +173,7 @@ myhost.mydomain.com:
 - Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
 - HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
-- Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Gazan.
+- Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
 - Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
 - SSL/TLS for upstreams is detected automatically, no need to set any config parameter.
     - Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS.
@@ -189,10 +206,11 @@ To enable TLS for A proxy server: Currently only OpenSSL is supported, working o
 
 ## 📡 Remote Config API
 
-You can push new `upstreams.yaml` over HTTP to `config_address` (`:3000` by default). Useful for CI/CD automation or remote config updates.
+Push new `upstreams.yaml` over HTTP to `config_address` (`:3000` by default). Useful for CI/CD automation or remote config updates.
+URL parameter. `key=MASTERKEY` is required. `MASTERKEY` is the value of `master_key` in the `main.yaml`
 
 ```bash
-curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf
+curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf?key=${MASTERKEY}
 ```
 
 ---
@@ -203,18 +221,18 @@ curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf
 - Only one method can be active at a time.
 - `basic` : Standard HTTP Basic Authentication requests.
 - `apikey` : Authentication via `x-api-key` header, which should match the value in config.
-- `jwt`: JWT authentication implemented via `gazantoken=` url parameter. `/some/url?gazantoken=TOKEN`
+- `jwt`: JWT authentication implemented via `araleztoken=` url parameter. `/some/url?araleztoken=TOKEN`
 - `jwt`: JWT authentication implemented via `Authorization: Bearer <token>` header.
-    - To obtain JWT token, you should send **generate** request to built in api server's `/jwt` endpoint.
+    - To obtain JWT a token, you should send **generate** request to built in api server's `/jwt` endpoint.
-    - `masterkey`: should match configured `masterkey` in `main.yaml` and `upstreams.yaml`.
+    - `master_key`: should match configured `masterkey` in `main.yaml` and `upstreams.yaml`.
     - `owner` : Just a placeholder, can be anything.
     - `valid` : Time in minutes during which the generated token will be valid.
 
-**Example JWT token generateion request**
+**Example JWT token generation request**
 
 ```bash
 PAYLOAD='{
-    "masterkey": "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774",
+    "master_key": "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774",
     "owner": "valod",
     "valid": 10
 }'
@@ -234,7 +252,7 @@ curl -H "Authorization: Bearer ${TOK}" -H 'Host: myip.mydomain.com' http://127.0
 With URL parameter (Very useful if you want to generate and share temporary links)
 
 ```bash
-curl -H 'Host: myip.mydomain.com' "http://127.0.0.1:6193/?gazantoken=${TOK}`"
+curl -H 'Host: myip.mydomain.com' "http://127.0.0.1:6193/?araleztoken=${TOK}`"
 ```
 
 **Example Request with API Key**
@@ -264,4 +282,164 @@ curl  -u username:password -H 'Host: myip.mydomain.com' http://127.0.0.1:6193/
 - Transparent, fully automatic WebSocket upgrade support.
 - Transparent, fully automatic gRPC proxy.
 - Sticky session support.
-- HTTP2 ready.
+- HTTP2 ready.
+
+📊 Why Choose Aralez? – Feature Comparison
+
+| Feature                    | **Aralez**                                                           | **Nginx**                | **HAProxy**             | **Traefik**     |
+|----------------------------|----------------------------------------------------------------------|--------------------------|-------------------------|-----------------|
+| **Hot Reload**             | ✅ Yes (live, API/file)                                               | ⚠️ Reloads config        | ⚠️ Reloads config       | ✅ Yes (dynamic) |
+| **JWT Auth**               | ✅ Built-in                                                           | ❌ External scripts       | ❌ External Lua or agent | ⚠️ With plugins |
+| **WebSocket Support**      | ✅ Automatic                                                          | ⚠️ Manual config         | ✅ Yes                   | ✅ Yes           |
+| **gRPC Support**           | ✅ Automatic (no config)                                              | ⚠️ Manual + HTTP/2 + TLS | ⚠️ Complex setup        | ✅ Native        |
+| **TLS Termination**        | ✅ Built-in (OpenSSL)                                                 | ✅ Yes                    | ✅ Yes                   | ✅ Yes           |
+| **TLS Upstream Detection** | ✅ Automatic                                                          | ❌                        | ❌                       | ❌               |
+| **HTTP/2 Support**         | ✅ Automatic                                                          | ⚠️ Requires extra config | ⚠️ Requires build flags | ✅ Native        |
+| **Sticky Sessions**        | ✅ Cookie-based                                                       | ⚠️ In plus version only  | ✅                       | ✅               |
+| **Prometheus Metrics**     | ✅ [Built in](https://github.com/sadoyan/aralez/blob/main/METRICS.md) | ⚠️ With Lua or exporter  | ⚠️ With external script | ✅ Native        |
+| **Built With**             | 🦀 Rust                                                              | C                        | C                       | Go              |
+
+## 💡 Simple benchmark by [Oha](https://github.com/hatoo/oha)
+
+⚠️ These benchmarks use :
+
+- 3 async Rust echo servers on a local network with 1Gbit as upstreams.
+- A dedicated server for running **Aralez**
+- A dedicated server for running **Oha**
+- The following upstreams configuration.
+- 9 test URLs from simple `/` to nested up to 7 subpaths.
+
+```yaml
+  myhost.mydomain.com:
+    paths:
+      "/":
+        to_https: false
+        headers:
+          - "X-Proxy-From:Aralez"
+        servers:
+          - "192.168.211.211:8000"
+          - "192.168.211.212:8000"
+          - "192.168.211.213:8000"
+      "/ping":
+        to_https: false
+        headers:
+          - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
+          - "X-Proxy-From:Aralez"
+        servers:
+          - "192.168.211.211:8000"
+          - "192.168.211.212:8000"
+```
+
+## 💡 Results reflect synthetic performance under optimal conditions.
+
+- CPU : Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz
+- 300 : simultaneous connections
+- Duration : 10 Minutes
+- Binary : aralez-x86_64-glibc
+
+```
+Summary:
+  Success rate:	100.00%
+  Total:	600.0027 secs
+  Slowest:	0.2138 secs
+  Fastest:	0.0002 secs
+  Average:	0.0023 secs
+  Requests/sec:	129777.3838
+
+  Total data:	0 B
+  Size/request:	0 B
+  Size/sec:	0 B
+
+Response time histogram:
+  0.000 [1]        |
+  0.022 [77668026] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
+  0.043 [190362]   |
+  0.064 [7908]     |
+  0.086 [319]      |
+  0.107 [4]        |
+  0.128 [0]        |
+  0.150 [0]        |
+  0.171 [0]        |
+  0.192 [0]        |
+  0.214 [4]        |
+
+Response time distribution:
+  10.00% in 0.0012 secs
+  25.00% in 0.0016 secs
+  50.00% in 0.0020 secs
+  75.00% in 0.0026 secs
+  90.00% in 0.0033 secs
+  95.00% in 0.0040 secs
+  99.00% in 0.0078 secs
+  99.90% in 0.0278 secs
+  99.99% in 0.0434 secs
+
+
+Details (average, fastest, slowest):
+  DNS+dialup:	0.0161 secs, 0.0002 secs, 0.0316 secs
+  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0000 secs
+
+Status code distribution:
+  [200] 77866624 responses
+
+Error distribution:
+  [158] aborted due to deadline
+```
+
+![Aralez](https://netangels.net/utils/glibc10.png)
+
+- CPU : Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz
+- 300 : simultaneous connections
+- Duration : 10 Minutes
+- Binary : aralez-x86_64-musl
+
+```
+Summary:
+  Success rate:	100.00%
+  Total:	600.0021 secs
+  Slowest:	0.2182 secs
+  Fastest:	0.0002 secs
+  Average:	0.0024 secs
+  Requests/sec:	123870.5820
+
+  Total data:	0 B
+  Size/request:	0 B
+  Size/sec:	0 B
+
+Response time histogram:
+  0.000 [1]        |
+  0.022 [74254679] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
+  0.044 [61400]    |
+  0.066 [5911]     |
+  0.087 [385]      |
+  0.109 [0]        |
+  0.131 [0]        |
+  0.153 [0]        |
+  0.175 [0]        |
+  0.196 [0]        |
+  0.218 [1]        |
+
+Response time distribution:
+  10.00% in 0.0012 secs
+  25.00% in 0.0016 secs
+  50.00% in 0.0021 secs
+  75.00% in 0.0028 secs
+  90.00% in 0.0037 secs
+  95.00% in 0.0045 secs
+  99.00% in 0.0077 secs
+  99.90% in 0.0214 secs
+  99.99% in 0.0424 secs
+
+
+Details (average, fastest, slowest):
+  DNS+dialup:	0.0066 secs, 0.0002 secs, 0.0210 secs
+  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0000 secs
+
+Status code distribution:
+  [200] 74322377 responses
+
+Error distribution:
+  [228] aborted due to deadline
+```
+
+![Aralez](https://netangels.net/utils/musl10.png)

etc/main.yaml

@@ -1,17 +1,19 @@
 # Main configuration file , applied on startup
 threads: 12 # Nubber of daemon threads default setting
-#user: pastor # Username for running gazan after dropping root privileges, requires program to start as root
+#user: pastor # Username for running aralez after dropping root privileges, requires program to start as root
-#group: pastor # Group for running gazan after dropping root privileges, requires program to start as root
+#group: pastor # Group for running aralez after dropping root privileges, requires program to start as root
 daemon: false # Run in background
 upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
-pid_file: /tmp/gazan.pid # Path to PID file
+pid_file: /tmp/aralez.pid # Path to PID file
-error_log: /tmp/gazan_err.log # Path to error log
+error_log: /tmp/aralez_err.log # Path to error log
-upgrade_sock: /tmp/gazan.sock # Path to socket file
+upgrade_sock: /tmp/aralez.sock # Path to socket file
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
+config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
+config_tls_certificate: etc/server.crt # Mandatory if config_tls_address is set
+config_tls_key_file: etc/key.pem # Mandatory if config_tls_address is set
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
-tls_certificate: etc/server.crt # Mandatory if proxy_address_tls is set
+proxy_certificates: etc/yoyo # Mandatory if proxy_address_tls set, should contain certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
-tls_key_file: etc/key.pem # Mandatory if proxy_address_tls is set
 upstreams_conf: etc/upstreams.yaml # the location of upstreams file
 log_level: info # info, warn, error, debug, trace, off
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE

etc/stresstest.yaml

@@ -11,7 +11,7 @@ upstreams:
       "/":
         ssl: false
         headers:
-          - "X-Proxy-From:Gazan"
+          - "X-Proxy-From:Aralez"
         servers:
           - "192.168.221.213:8000"
           - "192.168.221.214:8000"

etc/upstreams.yaml

@@ -10,9 +10,9 @@ headers:
 authorization:
   type: "jwt"
   creds: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
-#  name: "basic"
+#  type: "basic"
 #  creds: "user:Passw0rd"
-#  name: "apikey"
+#  type: "apikey"
 #  creds: "5ecbf799-1343-4e94-a9b5-e278af5cd313-56b45249-1839-4008-a450-a60dc76d2bae"
 consul: # If the provider is consul. Otherwise, ignored.
   servers:
@@ -57,4 +57,4 @@ upstreams:
           - "127.0.0.1:8000"
           - "127.0.0.2:8000"
           - "127.0.0.3:8000"
-          - "127.0.0.4:8000"
+          - "127.0.0.4:8000"

src/utils.rs

@@ -4,6 +4,8 @@ pub mod discovery;
 mod filewatch;
 pub mod healthcheck;
 pub mod jwt;
+pub mod metrics;
 pub mod parceyaml;
 pub mod structs;
+pub mod tls;
 pub mod tools;

src/utils/auth.rs

@@ -37,7 +37,7 @@ impl AuthValidator for ApiKeyAuth<'_> {
 impl AuthValidator for JwtAuth<'_> {
     fn validate(&self, session: &Session) -> bool {
         let jwtsecret = self.0;
-        if let Some(tok) = get_query_param(session, "gazantoken") {
+        if let Some(tok) = get_query_param(session, "araleztoken") {
             return check_jwt(tok.as_str(), jwtsecret);
         }
 

src/utils/discovery.rs

@@ -11,6 +11,9 @@ pub struct FromFileProvider {
 pub struct APIUpstreamProvider {
     pub address: String,
     pub masterkey: String,
+    pub tls_address: Option<String>,
+    pub tls_certificate: Option<String>,
+    pub tls_key_file: Option<String>,
 }
 
 pub struct ConsulProvider {
@@ -25,7 +28,7 @@ pub trait Discovery {
 #[async_trait]
 impl Discovery for APIUpstreamProvider {
     async fn start(&self, toreturn: Sender<Configuration>) {
-        webserver::run_server(self.address.clone(), self.masterkey.clone(), toreturn).await;
+        webserver::run_server(self, toreturn).await;
     }
 }
 

src/utils/healthcheck.rs

@@ -75,7 +75,7 @@ pub async fn hc2(upslist: Arc<UpstreamsDashMap>, fullist: Arc<UpstreamsDashMap>,
                 if first_run == 1 {
                     info!("Performing initial hatchecks and upstreams ssl detection");
                     clone_idmap_into(&totest, &idlist);
-                    info!("Gazan is up and ready to serve requests, the upstreams list is:");
+                    info!("Aralez is up and ready to serve requests, the upstreams list is:");
                     print_upstreams(&totest)
                 }
 

src/utils/metrics.rs

@@ -0,0 +1,87 @@
+use pingora_http::Version;
+use prometheus::{register_histogram, register_int_counter, register_int_counter_vec, Histogram, IntCounter, IntCounterVec};
+use std::time::Duration;
+
+pub struct MetricTypes {
+    pub method: String,
+    pub code: String,
+    pub latency: Duration,
+    pub version: Version,
+}
+lazy_static::lazy_static! {
+    pub static ref REQUEST_COUNT: IntCounter = register_int_counter!(
+        "aralez_requests_total",
+        "Total number of requests handled by Aralez"
+    ).unwrap();
+      pub static ref RESPONSE_CODES: IntCounterVec = register_int_counter_vec!(
+        "aralez_responses_total",
+        "Responses grouped by status code",
+        &["status"]
+    ).unwrap();
+    pub static ref REQUEST_LATENCY:  Histogram = register_histogram!(
+        "aralez_request_latency_seconds",
+        "Request latency in seconds",
+        vec![0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0]
+    ).unwrap();
+    pub static ref RESPONSE_LATENCY: Histogram = register_histogram!(
+        "aralez_response_latency_seconds",
+        "Response latency in seconds",
+        vec![0.01, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
+    ).unwrap();
+    pub static ref REQUESTS_BY_METHOD: IntCounterVec = register_int_counter_vec!(
+        "aralez_requests_by_method_total",
+        "Number of requests by HTTP method",
+        &["method"]
+    ).unwrap();
+    pub static ref REQUESTS_BY_VERSION: IntCounterVec = register_int_counter_vec!(
+        "aralez_requests_by_version_total",
+        "Number of requests by HTTP versions",
+        &["version"]
+    ).unwrap();
+    pub static ref ERROR_COUNT: IntCounter = register_int_counter!(
+        "aralez_errors_total",
+        "Total number of errors"
+    ).unwrap();
+}
+
+pub fn calc_metrics(metric_types: &MetricTypes) {
+    REQUEST_COUNT.inc();
+    let timer = REQUEST_LATENCY.start_timer();
+    timer.observe_duration();
+
+    let version_str = match &metric_types.version {
+        &Version::HTTP_11 => "HTTP/1.1",
+        &Version::HTTP_2 => "HTTP/2.0",
+        &Version::HTTP_3 => "HTTP/3.0",
+        &Version::HTTP_10 => "HTTP/1.0",
+        _ => "Unknown",
+    };
+    REQUESTS_BY_VERSION.with_label_values(&[&version_str]).inc();
+    RESPONSE_CODES.with_label_values(&[&metric_types.code.to_string()]).inc();
+    REQUESTS_BY_METHOD.with_label_values(&[&metric_types.method]).inc();
+    RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
+}
+/*
+pub fn calc_metrics(method: String, code: u16, latency: Duration) {
+    REQUEST_COUNT.inc();
+    let timer = REQUEST_LATENCY.start_timer();
+    timer.observe_duration();
+    RESPONSE_CODES.with_label_values(&[&code.to_string()]).inc();
+    REQUESTS_BY_METHOD.with_label_values(&[&method]).inc();
+    RESPONSE_LATENCY.observe(latency.as_secs_f64());
+}
+
+tokio::spawn(async move {
+    let mut interval = tokio::time::interval(std::time::Duration::from_secs(5));
+    loop {
+        interval.tick().await;
+
+        // read Pingora stats
+        let stats = pingora.get_stats();
+
+        // update Prometheus metrics accordingly
+        REQUEST_COUNT.set(stats.requests_total);
+        // ... etc
+    }
+});
+*/

src/utils/parceyaml.rs

@@ -14,7 +14,7 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
         typecfg: "".to_string(),
         extraparams: Extraparams {
             sticky_sessions: false,
-            to_ssl: None,
+            to_https: None,
             authentication: DashMap::new(),
         },
     };
@@ -57,7 +57,7 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
                 toreturn.headers.insert("GLOBAL_HEADERS".to_string(), global_headers);
 
                 toreturn.extraparams.sticky_sessions = parsed.sticky_sessions;
-                toreturn.extraparams.to_ssl = parsed.to_ssl;
+                toreturn.extraparams.to_https = parsed.to_https;
             }
             if let Some(auth) = &parsed.authorization {
                 let name = auth.get("type").unwrap().to_string();
@@ -150,5 +150,15 @@ pub fn parce_main_config(path: &str) -> AppConfig {
             }
         }
     };
+    // match cfo.config_tls_address.clone() {
+    //     Some(tls_cert) => {
+    //         if let Some((ip, port_str)) = tls_cert.split_once(':') {
+    //             if let Ok(port) = port_str.parse::<u16>() {
+    //                 cfo.local_tls_server = Option::from((ip.to_string(), port));
+    //             }
+    //         }
+    //     }
+    //     None => {}
+    // };
     cfo
 }

src/utils/structs.rs

@@ -17,7 +17,7 @@ pub struct ServiceMapping {
 #[derive(Clone, Debug)]
 pub struct Extraparams {
     pub sticky_sessions: bool,
-    pub to_ssl: Option<bool>,
+    pub to_https: Option<bool>,
     pub authentication: DashMap<String, Vec<String>>,
 }
 
@@ -31,7 +31,7 @@ pub struct Consul {
 pub struct Config {
     pub provider: String,
     pub sticky_sessions: bool,
-    pub to_ssl: Option<bool>,
+    pub to_https: Option<bool>,
     pub upstreams: Option<HashMap<String, HostConfig>>,
     pub globals: Option<HashMap<String, Vec<String>>>,
     pub headers: Option<Vec<String>>,
@@ -65,12 +65,16 @@ pub struct AppConfig {
     pub hc_method: String,
     pub upstreams_conf: String,
     pub log_level: String,
+    pub master_key: String,
     pub config_address: String,
     pub proxy_address_http: String,
-    pub master_key: String,
+    pub config_tls_address: Option<String>,
+    pub config_tls_certificate: Option<String>,
+    pub config_tls_key_file: Option<String>,
     pub proxy_address_tls: Option<String>,
     pub proxy_port_tls: Option<u16>,
-    pub tls_certificate: Option<String>,
+    // pub tls_certificate: Option<String>,
-    pub tls_key_file: Option<String>,
+    // pub tls_key_file: Option<String>,
     pub local_server: Option<(String, u16)>,
+    pub proxy_certificates: Option<String>,
 }

src/utils/tls.rs

@@ -0,0 +1,176 @@
+use openssl::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef};
+use rustls_pemfile::{read_one, Item};
+use serde::Deserialize;
+use std::collections::HashSet;
+use std::fs::File;
+use std::io::BufReader;
+use x509_parser::extensions::GeneralName;
+use x509_parser::nom::Err as NomErr;
+use x509_parser::prelude::*;
+
+#[derive(Clone, Deserialize, Debug)]
+pub struct CertificateConfig {
+    pub cert_path: String,
+    pub key_path: String,
+}
+
+#[derive(Debug)]
+struct CertificateInfo {
+    common_names: Vec<String>,
+    alt_names: Vec<String>,
+    ssl_context: SslContext,
+    #[allow(dead_code)]
+    cert_path: String, // Only used for logging
+    #[allow(dead_code)]
+    key_path: String, // Only used for logging
+}
+
+#[derive(Debug)]
+pub struct Certificates {
+    configs: Vec<CertificateInfo>,
+    pub default_cert_path: String,
+    pub default_key_path: String,
+}
+
+impl Certificates {
+    pub fn new(configs: &Vec<CertificateConfig>) -> Self {
+        let default_cert = configs.first().expect("atleast one TLS certificate required");
+        let mut cert_infos = Vec::new();
+        for config in configs {
+            cert_infos.push(
+                load_cert_info(&config.cert_path, &config.key_path)
+                    .unwrap_or_else(|| panic!("unable to load certificate info | public: {}, private: {}", &config.cert_path, &config.key_path)),
+            );
+        }
+        Self {
+            configs: cert_infos,
+            default_cert_path: default_cert.cert_path.clone(),
+            default_key_path: default_cert.key_path.clone(),
+        }
+    }
+
+    fn find_ssl_context(&self, server_name: &str) -> Option<&SslContext> {
+        for config in &self.configs {
+            // Exact name match
+            if config.common_names.contains(&server_name.to_string()) || config.alt_names.contains(&server_name.to_string()) {
+                return Some(&config.ssl_context);
+            }
+
+            // Wildcard match
+            for name in &config.common_names {
+                if name.starts_with("*.") && server_name.ends_with(&name[1..]) {
+                    return Some(&config.ssl_context);
+                }
+            }
+            for name in &config.alt_names {
+                if name.starts_with("*.") && server_name.ends_with(&name[1..]) {
+                    return Some(&config.ssl_context);
+                }
+            }
+        }
+        None
+    }
+
+    pub fn server_name_callback(&self, ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert) -> Result<(), SniError> {
+        let server_name = ssl_ref.servername(NameType::HOST_NAME);
+        log::debug!("TLS connect: server_name = {:?}, ssl_ref = {:?}, ssl_alert = {:?}", server_name, ssl_ref, ssl_alert);
+        if let Some(name) = server_name {
+            match self.find_ssl_context(name) {
+                Some(ctx) => {
+                    ssl_ref.set_ssl_context(ctx).map_err(|_| SniError::ALERT_FATAL)?;
+                }
+                None => {
+                    log::debug!("No matching server name found");
+                }
+            }
+        }
+        Ok(())
+    }
+}
+
+fn load_cert_info(cert_path: &str, key_path: &str) -> Option<CertificateInfo> {
+    let mut common_names = HashSet::new();
+    let mut alt_names = HashSet::new();
+
+    let file = File::open(cert_path);
+    match file {
+        Err(e) => {
+            log::error!("Failed to open certificate file: {:?}", e);
+            return None;
+        }
+        Ok(file) => {
+            let mut reader = BufReader::new(file);
+            match read_one(&mut reader) {
+                Err(e) => {
+                    log::error!("Failed to decode PEM from certificate file: {:?}", e);
+                    return None;
+                }
+                Ok(leaf) => match leaf {
+                    Some(Item::X509Certificate(cert)) => match X509Certificate::from_der(&cert) {
+                        Err(NomErr::Error(e)) | Err(NomErr::Failure(e)) => {
+                            log::error!("Failed to parse certificate: {:?}", e);
+                            return None;
+                        }
+                        Err(_) => {
+                            log::error!("Unknown error while parsing certificate");
+                            return None;
+                        }
+                        Ok((_, x509)) => {
+                            let subject = x509.subject();
+                            for attr in subject.iter_common_name() {
+                                if let Ok(cn) = attr.as_str() {
+                                    common_names.insert(cn.to_string());
+                                }
+                            }
+
+                            if let Ok(Some(san)) = x509.subject_alternative_name() {
+                                for name in san.value.general_names.iter() {
+                                    if let GeneralName::DNSName(dns) = name {
+                                        let dns_string = dns.to_string();
+                                        if !common_names.contains(&dns_string) {
+                                            alt_names.insert(dns_string);
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    _ => {
+                        log::error!("Failed to read certificate");
+                        return None;
+                    }
+                },
+            }
+        }
+    }
+
+    if let Ok(ssl_context) = create_ssl_context(cert_path, key_path) {
+        Some(CertificateInfo {
+            cert_path: cert_path.to_string(),
+            key_path: key_path.to_string(),
+            common_names: common_names.into_iter().collect(),
+            alt_names: alt_names.into_iter().collect(),
+            ssl_context,
+        })
+    } else {
+        log::error!("Failed to create SSL context from cert paths");
+        None
+    }
+}
+
+fn create_ssl_context(cert_path: &str, key_path: &str) -> Result<SslContext, Box<dyn std::error::Error>> {
+    let mut ctx = SslContext::builder(SslMethod::tls())?;
+
+    ctx.set_certificate_chain_file(cert_path)?;
+    ctx.set_private_key_file(key_path, SslFiletype::PEM)?;
+    ctx.set_alpn_select_callback(prefer_h2);
+    let built = ctx.build();
+    Ok(built)
+}
+
+pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], AlpnError> {
+    match select_next_proto("\x02h2\x08http/1.1".as_bytes(), alpn_in) {
+        Some(p) => Ok(p),
+        _ => Err(AlpnError::NOACK),
+    }
+}

src/utils/tools.rs

@@ -1,9 +1,11 @@
 use crate::utils::structs::{UpstreamsDashMap, UpstreamsIdMap};
+use crate::utils::tls;
 use dashmap::DashMap;
 use sha2::{Digest, Sha256};
 use std::any::type_name;
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet};
 use std::fmt::Write;
+use std::fs;
 use std::sync::atomic::AtomicUsize;
 
 #[allow(dead_code)]
@@ -146,3 +148,33 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
         }
     }
 }
+
+pub fn listdir(dir: String) -> Vec<tls::CertificateConfig> {
+    let mut f = HashMap::new();
+    let mut certificate_configs: Vec<tls::CertificateConfig> = vec![];
+    let paths = fs::read_dir(dir).unwrap();
+    for path in paths {
+        let path_str = path.unwrap().path().to_str().unwrap().to_owned();
+        if path_str.ends_with(".crt") {
+            let name = path_str.replace(".crt", "");
+            let mut inner = vec![];
+            let domain = name.split("/").collect::<Vec<&str>>();
+            inner.push(name.clone() + ".crt");
+            inner.push(name.clone() + ".key");
+            f.insert(domain[domain.len() - 1].to_owned(), inner);
+            let y = tls::CertificateConfig {
+                cert_path: name.clone() + ".crt",
+                key_path: name.clone() + ".key",
+            };
+            certificate_configs.push(y);
+        }
+    }
+    for (_, v) in f.iter() {
+        let y = tls::CertificateConfig {
+            cert_path: v[0].clone(),
+            key_path: v[1].clone(),
+        };
+        certificate_configs.push(y);
+    }
+    certificate_configs
+}

src/web/bgservice.rs

@@ -34,6 +34,9 @@ impl BackgroundService for LB {
         let api_load = APIUpstreamProvider {
             address: self.config.config_address.clone(),
             masterkey: self.config.master_key.clone(),
+            tls_address: self.config.config_tls_address.clone(),
+            tls_certificate: self.config.config_tls_certificate.clone(),
+            tls_key_file: self.config.config_tls_key_file.clone(),
         };
         let tx_api = tx.clone();
         let _ = tokio::spawn(async move { api_load.start(tx_api).await });
@@ -57,7 +60,7 @@ impl BackgroundService for LB {
                             let current = self.extraparams.load_full();
                             let mut new = (*current).clone();
                             new.sticky_sessions = ss.extraparams.sticky_sessions;
-                            new.to_ssl = ss.extraparams.to_ssl;
+                            new.to_https = ss.extraparams.to_https;
                             new.authentication = ss.extraparams.authentication.clone();
                             self.extraparams.store(Arc::new(new));
                             self.headers.clear();

src/web/proxyhttp.rs

@@ -1,15 +1,19 @@
 use crate::utils::auth::authenticate;
+use crate::utils::metrics::*;
 use crate::utils::structs::{AppConfig, Extraparams, Headers, UpstreamsDashMap, UpstreamsIdMap};
 use crate::web::gethosts::GetHost;
 use arc_swap::ArcSwap;
 use async_trait::async_trait;
+use axum::body::Bytes;
 use log::{debug, warn};
 use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::prelude::*;
+use pingora::ErrorSource::Upstream;
 use pingora_core::listeners::ALPN;
 use pingora_core::prelude::HttpPeer;
 use pingora_proxy::{ProxyHttp, Session};
 use std::sync::Arc;
+use tokio::time::Instant;
 
 pub struct LB {
     pub ump_upst: Arc<UpstreamsDashMap>,
@@ -24,6 +28,7 @@ pub struct Context {
     backend_id: String,
     to_https: bool,
     redirect_to: String,
+    start_time: Instant,
 }
 
 #[async_trait]
@@ -36,6 +41,7 @@ impl ProxyHttp for LB {
             backend_id: String::new(),
             to_https: false,
             redirect_to: String::new(),
+            start_time: Instant::now(),
         }
     }
     async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
@@ -51,7 +57,6 @@ impl ProxyHttp for LB {
     }
     async fn upstream_peer(&self, session: &mut Session, ctx: &mut Self::CTX) -> Result<Box<HttpPeer>> {
         let host_name = return_header_host(&session);
-
         match host_name {
             Some(hostname) => {
                 // session.req_header_mut().headers.insert("X-Host-Name", host.to_string().parse().unwrap());
@@ -86,13 +91,13 @@ impl ProxyHttp for LB {
                             peer.options.verify_hostname = false;
                         }
                         // println!("{}, {}, alpn {}, h2 {:?}, to_https {}", hostname, address.as_str(), peer.options.alpn, is_h2, _to_https);
-                        if self.extraparams.load().to_ssl.unwrap_or(false) || to_https {
+                        if self.extraparams.load().to_https.unwrap_or(false) || to_https {
                             if let Some(stream) = session.stream() {
                                 if stream.get_ssl().is_none() {
                                     if let Some(addr) = session.server_addr() {
                                         if let Some((host, _)) = addr.to_string().split_once(':') {
                                             let uri = session.req_header().uri.path_and_query().map_or("/", |pq| pq.as_str());
-                                            let port = self.config.proxy_port_tls.unwrap_or(443);
+                                            let port = self.config.proxy_port_tls.unwrap_or(403);
                                             ctx.to_https = true;
                                             ctx.redirect_to = format!("https://{}:{}{}", host, port, uri);
                                         }
@@ -105,14 +110,26 @@ impl ProxyHttp for LB {
                         Ok(peer)
                     }
                     None => {
-                        warn!("Upstream not found. Host: {:?}, Path: {}", hostname, session.req_header().uri);
+                        session.respond_error_with_body(502, Bytes::from("502 Bad Gateway\n")).await.expect("Failed to send error");
-                        Ok(return_no_host(&self.config.local_server))
+                        Err(Box::new(Error {
+                            etype: HTTPStatus(502),
+                            esource: Upstream,
+                            retry: RetryType::Decided(false),
+                            cause: None,
+                            context: Option::from(ImmutStr::Static("Upstream not found")),
+                        }))
                     }
                 }
             }
             None => {
-                warn!("Upstream not found. Host: {:?}, Path: {}", host_name, session.req_header().uri);
+                session.respond_error_with_body(502, Bytes::from("502 Bad Gateway\n")).await.expect("Failed to send error");
-                Ok(return_no_host(&self.config.local_server))
+                Err(Box::new(Error {
+                    etype: HTTPStatus(502),
+                    esource: Upstream,
+                    retry: RetryType::Decided(false),
+                    cause: None,
+                    context: None,
+                }))
             }
         }
     }
@@ -142,22 +159,15 @@ impl ProxyHttp for LB {
         if self.extraparams.load().sticky_sessions {
             let backend_id = ctx.backend_id.clone();
             if let Some(bid) = self.ump_byid.get(&backend_id) {
-                // let _ = _upstream_response.insert_header("set-cookie", format!("backend {}", bid.0));
                 let _ = _upstream_response.insert_header("set-cookie", format!("backend_id={}; Path=/; Max-Age=600; HttpOnly; SameSite=Lax", bid.0));
             }
         }
-
         if ctx.to_https {
-            // println!("{} => {}", ctx.to_https, ctx.redirect_to);
             let mut redirect_response = ResponseHeader::build(StatusCode::MOVED_PERMANENTLY, None)?;
             redirect_response.insert_header("Location", ctx.redirect_to.clone())?;
             redirect_response.insert_header("Content-Length", "0")?;
             session.write_response_header(Box::new(redirect_response), false).await?;
-            // return Ok(());
-            // let response = session.write_response_header(Box::new(redirect_response), false).await?;
-            // return Ok(response);
         }
-
         match return_header_host(&session) {
             Some(host) => {
                 let path = session.req_header().uri.path();
@@ -190,6 +200,13 @@ impl ProxyHttp for LB {
     async fn logging(&self, session: &mut Session, _e: Option<&pingora::Error>, ctx: &mut Self::CTX) {
         let response_code = session.response_written().map_or(0, |resp| resp.status.as_u16());
         debug!("{}, response code: {response_code}", self.request_summary(session, ctx));
+        let m = &MetricTypes {
+            method: session.req_header().method.to_string(),
+            code: session.response_written().map(|resp| resp.status.as_str().to_owned()).unwrap_or("0".to_string()),
+            latency: ctx.start_time.elapsed(),
+            version: session.req_header().version,
+        };
+        calc_metrics(m);
     }
 }
 
@@ -210,9 +227,9 @@ fn return_header_host(session: &Session) -> Option<&str> {
     }
 }
 
-fn return_no_host(inp: &Option<(String, u16)>) -> Box<HttpPeer> {
+// fn return_no_host(inp: &Option<(String, u16)>) -> Box<HttpPeer> {
-    match inp {
+//     match inp {
-        Some(t) => Box::new(HttpPeer::new(t, false, String::new())),
+//         Some(t) => Box::new(HttpPeer::new(t, false, String::new())),
-        None => Box::new(HttpPeer::new(("0.0.0.0", 0), false, String::new())),
+//         None => Box::new(HttpPeer::new(("0.0.0.0", 0), false, String::new())),
-    }
+//     }
-}
+// }

src/web/start.rs

@@ -1,11 +1,15 @@
+// use rustls::crypto::ring::default_provider;
 use crate::utils::structs::Extraparams;
+use crate::utils::tls;
+use crate::utils::tools::listdir;
 use crate::web::proxyhttp::LB;
 use arc_swap::ArcSwap;
 use dashmap::DashMap;
 use log::info;
+use openssl::ssl::{SslAlert, SslRef};
+use pingora_core::listeners::tls::TlsSettings;
 use pingora_core::prelude::{background_service, Opt};
 use pingora_core::server::Server;
-// use rustls::crypto::ring::default_provider;
 use std::env;
 use std::sync::Arc;
 
@@ -24,7 +28,7 @@ pub fn run() {
     let hh_config = Arc::new(DashMap::new());
     let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams {
         sticky_sessions: false,
-        to_ssl: None,
+        to_https: None,
         authentication: DashMap::new(),
     }));
 
@@ -77,13 +81,22 @@ pub fn run() {
     let bind_address_http = cfg.proxy_address_http.clone();
 
     let bind_address_tls = cfg.proxy_address_tls.clone();
+    // let foo = crate::utils::tls::build_ssl_context_builder();
     match bind_address_tls {
         Some(bind_address_tls) => {
             info!("Running TLS listener on :{}", bind_address_tls);
-            let cert_path = cfg.tls_certificate.clone().unwrap();
+            // let cert_path = cfg.tls_certificate.clone().unwrap();
-            let key_path = cfg.tls_key_file.clone().unwrap();
+            // let key_path = cfg.tls_key_file.clone().unwrap();
-            let mut tls_settings = pingora_core::listeners::tls::TlsSettings::intermediate(&cert_path, &key_path).unwrap();
+            // let mut tls_settings = tls::TlsSettings::intermediate(&cert_path, &key_path).unwrap();
+            // tls_settings.enable_h2();
+            // proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
+
+            let certificate_configs = listdir(cfg.proxy_certificates.clone().unwrap());
+            let certificates = tls::Certificates::new(&certificate_configs);
+            let mut tls_settings = TlsSettings::intermediate(&certificates.default_cert_path, &certificates.default_key_path).expect("unable to load or parse cert/key");
             tls_settings.enable_h2();
+            tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certificates.server_name_callback(ssl_ref, ssl_alert));
+            tls_settings.set_alpn_select_callback(tls::prefer_h2);
             proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
         }
         None => {}
@@ -92,8 +105,5 @@ pub fn run() {
     proxy.add_tcp(bind_address_http.as_str());
     server.add_service(proxy);
     server.add_service(bg_srvc);
-    // let mut prometheus_service_http = Service::prometheus_http_service();
-    // prometheus_service_http.add_tcp("0.0.0.0:1234");
-    // server.add_service(prometheus_service_http);
     server.run_forever();
 }

src/web/webserver.rs

@@ -1,21 +1,26 @@
+use crate::utils::discovery::APIUpstreamProvider;
 use crate::utils::structs::Configuration;
 use axum::body::Body;
-use axum::extract::State;
+use axum::extract::{Query, State};
 use axum::http::{Response, StatusCode};
 use axum::response::IntoResponse;
-use axum::routing::{delete, get, head, post, put};
+use axum::routing::{get, post};
 use axum::{Json, Router};
+use axum_server::tls_openssl::OpenSSLConfig;
 use futures::channel::mpsc::Sender;
 use futures::SinkExt;
 use jsonwebtoken::{encode, EncodingKey, Header};
 use log::{error, info, warn};
+use prometheus::{gather, Encoder, TextEncoder};
 use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::net::SocketAddr;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use tokio::net::TcpListener;
 
 #[derive(Deserialize)]
 struct InputKey {
-    masterkey: String,
+    master_key: String,
     owner: String,
     valid: u64,
 }
@@ -25,51 +30,66 @@ struct OutToken {
     token: String,
 }
 
-#[allow(unused_mut)]
+#[derive(Clone)]
-pub async fn run_server(bindaddress: String, masterkey: String, mut toreturn: Sender<Configuration>) {
+struct AppState {
-    let mut tr = toreturn.clone();
+    master_key: String,
-    let app = Router::new()
+    config_sender: Sender<Configuration>,
-        .route("/{*wildcard}", get(senderror))
+}
-        .route("/{*wildcard}", post(senderror))
-        .route("/{*wildcard}", put(senderror))
-        .route("/{*wildcard}", head(senderror))
-        .route("/{*wildcard}", delete(senderror))
-        .route("/jwt", post(jwt_gen))
-        .with_state(masterkey.clone())
-        .route(
-            "/conf",
-            post(|up: String| async move {
-                let serverlist = crate::utils::parceyaml::load_configuration(up.as_str(), "content");
 
-                match serverlist {
+#[allow(unused_mut)]
-                    Some(serverlist) => {
+pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Configuration>) {
-                        let _ = tr.send(serverlist).await.unwrap();
+    let app_state = AppState {
-                        Response::builder().status(StatusCode::CREATED).body(Body::from("Config, conf file, updated!\n")).unwrap()
+        master_key: config.masterkey.clone(),
-                    }
+        config_sender: to_return.clone(),
-                    None => Response::builder()
+    };
-                        .status(StatusCode::INTERNAL_SERVER_ERROR)
+    let app = Router::new()
-                        .body(Body::from("Failed to parce config file!\n"))
+        // .route("/{*wildcard}", get(senderror))
-                        .unwrap(),
+        // .route("/{*wildcard}", post(senderror))
-                }
+        // .route("/{*wildcard}", put(senderror))
-            })
+        // .route("/{*wildcard}", head(senderror))
-            .with_state("state"),
+        // .route("/{*wildcard}", delete(senderror))
-        );
+        .route("/jwt", post(jwt_gen))
-    let listener = TcpListener::bind(bindaddress.clone()).await.unwrap();
+        .route("/conf", post(conf))
-    info!("Starting the API server on: {}", bindaddress);
+        .route("/metrics", get(metrics))
+        .with_state(app_state);
+
+    if let Some(value) = &config.tls_address {
+        let cf = OpenSSLConfig::from_pem_file(config.tls_certificate.clone().unwrap(), config.tls_key_file.clone().unwrap()).unwrap();
+        let addr: SocketAddr = value.parse().expect("Unable to parse socket address");
+        let tls_app = app.clone();
+        tokio::spawn(async move {
+            if let Err(e) = axum_server::bind_openssl(addr, cf).serve(tls_app.into_make_service()).await {
+                eprintln!("TLS server failed: {}", e);
+            }
+        });
+        info!("Starting the TLS API server on: {}", value);
+    }
+
+    let listener = TcpListener::bind(config.address.clone()).await.unwrap();
+    info!("Starting the API server on: {}", config.address);
     axum::serve(listener, app).await.unwrap();
 }
 
-#[allow(dead_code)]
+async fn conf(State(mut st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
-async fn senderror() -> impl IntoResponse {
+    if let Some(s) = params.get("key") {
-    Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("No live upstream found!\n")).unwrap()
+        if s.to_owned() == st.master_key.to_owned() {
+            if let Some(serverlist) = crate::utils::parceyaml::load_configuration(content.as_str(), "content") {
+                st.config_sender.send(serverlist).await.unwrap();
+                return Response::builder().status(StatusCode::OK).body(Body::from("Config, conf file, updated !\n")).unwrap();
+            } else {
+                return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("Failed to parse config!\n")).unwrap();
+            };
+        }
+    }
+    Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap()
 }
 
-async fn jwt_gen(State(masterkey): State<String>, Json(payload): Json<InputKey>) -> (StatusCode, Json<OutToken>) {
+async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<InputKey>) -> (StatusCode, Json<OutToken>) {
-    if payload.masterkey == masterkey {
+    if payload.master_key == state.master_key {
         let now = SystemTime::now() + Duration::from_secs(payload.valid * 60);
         let a = now.duration_since(UNIX_EPOCH).unwrap().as_secs();
         let claim = crate::utils::jwt::Claims { user: payload.owner, exp: a };
-        match encode(&Header::default(), &claim, &EncodingKey::from_secret(payload.masterkey.as_ref())) {
+        match encode(&Header::default(), &claim, &EncodingKey::from_secret(payload.master_key.as_ref())) {
             Ok(t) => {
                 let tok = OutToken { token: t };
                 info!("Generating token: {:?}", tok);
@@ -89,3 +109,28 @@ async fn jwt_gen(State(masterkey): State<String>, Json(payload): Json<InputKey>)
         (StatusCode::FORBIDDEN, Json(tok))
     }
 }
+
+async fn metrics() -> impl IntoResponse {
+    let metric_families = gather();
+    let encoder = TextEncoder::new();
+
+    let mut buffer = Vec::new();
+    if let Err(e) = encoder.encode(&metric_families, &mut buffer) {
+        // encoding error fallback
+        return Response::builder()
+            .status(StatusCode::INTERNAL_SERVER_ERROR)
+            .body(Body::from(format!("Failed to encode metrics: {}", e)))
+            .unwrap();
+    }
+
+    Response::builder()
+        .status(StatusCode::OK)
+        .header("Content-Type", encoder.format_type())
+        .body(Body::from(buffer))
+        .unwrap()
+}
+
+// #[allow(dead_code)]
+// async fn senderror() -> impl IntoResponse {
+//     Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("No live upstream found!\n")).unwrap()
+// }