Removed Dockerfile, put content to README

fix: Fix global rate limit and 4xx limit fallback in upstream config log

.gitignore

@@ -7,6 +7,8 @@
 *.sh
 /docs/
 /docs
+etc/
+etc
 /target/
 *.iml
 .idea/
@@ -21,3 +23,4 @@ crashlytics.properties
 crashlytics-build.properties
 /target
 /z_shpo
+Makefile

Cargo.toml

@@ -11,7 +11,7 @@ panic = "abort"
 strip = true
 
 [dependencies]
-tokio = { version = "1.52.1", features = ["full"] }
+tokio = { version = "1.52.3", features = ["full"] }
 pingora = { version = "0.8.0", features = ["lb", "openssl"] } # openssl, rustls, boringssl
 serde = { version = "1.0.228", features = ["derive"] }
 dashmap = "7.0.0-rc2"
@@ -20,31 +20,33 @@ pingora-proxy = "0.8.0"
 pingora-http = "0.8.0"
 pingora-limits = "0.8.0"
 async-trait = "0.1.89"
-env_logger = "0.11.10"
+log = "0.4.30"
-log = "0.4.29"
 futures = "0.3.32"
-notify = "9.0.0-rc.3"
+notify = "9.0.0-rc.4"
 axum = { version = "0.8.9" }
-reqwest = { version = "0.13.2", features = ["json", "stream", "blocking"] }
+reqwest = { version = "0.13.4", features = ["json", "stream", "blocking"] }
 serde_yml = "0.0.12"
 rand = "0.10.1"
 base64 = "0.22.1"
-jsonwebtoken = { version = "10.3.0", default-features = false, features = ["use_pem", "rust_crypto"] }
+jsonwebtoken = { version = "10.4.0", default-features = false, features = ["use_pem", "rust_crypto"] }
-tonic = "0.14.5"
+tonic = "0.14.6"
 sha2 = { version = "0.11.0-rc.5", default-features = false }
 base16ct = { version = "1.0.0", features = ["alloc"] }
 urlencoding = "2.1.3"
 arc-swap = "1.9.1"
-mimalloc = { version = "0.1.50", default-features = false }
 prometheus = "0.14.0"
 x509-parser = "0.18.1"
 rustls-pemfile = "2.2.0"
-tower-http = { version = "0.6.8", features = ["fs"] }
+tower-http = { version = "0.6.11", features = ["fs"] }
 privdrop = "0.5.6"
 ctrlc = "3.5.2"
-serde_json = "1.0.149"
+serde_json = "1.0.150"
 subtle = "2.6.1"
-moka = { version = "0.12.1", features = ["sync"] }
+moka = { version = "0.12.15", features = ["sync"] }
 ahash = "0.8.12"
 instant-acme = "0.8.5"
-rcgen = "0.14.7"
+rcgen = "0.14.8"
+log4rs = "1.4.0"
+#mimalloc = { version = "0.1.52", default-features = false }
+tikv-jemallocator = "0.7.0"
+tikv-jemalloc-ctl = { version = "0.7.0", features = ["stats"] }

README.md

@@ -2,7 +2,7 @@
 
 ---
 
-# Aralez (Արալեզ),
+# Aralez (Արալեզ)
 
 ### **Reverse proxy built on top of Cloudflare's Pingora**
 
@@ -19,65 +19,39 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 
 ---
 
-## 🔧 Key Features
+## Key Features
 
 - **Dynamic Config Reloads** — Upstreams can be updated live via API, no restart required.
-- **TLS Termination** — Built-in OpenSSL support.
+- **Autoload of certificates** — Automatically loads new/changed certificates from a folder, without a restart.
-    - **Automatic loading of certificates** — Automatically reads and loads certificates from a folder, without a restart.
+- **Let’s Encrypt Certificates** — Ordering and renewal of SSL/TLS certificates via the HTTP-01 challenge.
 - **Upstreams TLS detection** — Aralez will automatically detect if upstreams uses secure connection.
-- **Built in rate limiter** — Limit requests to server, by setting up upper limit for requests per seconds, per virtualhost.
+- **Built in rate limiter** — Globar or route limit requests to upstreams.
-    - **Global rate limiter** — Set rate limit for all virtualhosts.
-    - **Per path rate limiter** — Set rate limit for specific paths. Path limits will override global limits.
 - **Authentication** — Supports Basic Auth, API tokens, and JWT verification.
     - **Basic Auth**
     - **API Key** via `x-api-key` header
     - **JWT Auth**, with tokens issued by Aralez itself via `/jwt` API
-        - ⬇️ See below for examples and implementation details.
+    - **Forward Auth**, Sends requests to an authentication server.
-- **Load Balancing Strategies**
+- **Load Balancing** Round-robin, health checks, optional sticky sessions.
-    - Round-robin
-    - Failover with health checks
-    - Sticky sessions via cookies
-- **Unified Port** — Serve HTTP and WebSocket traffic over the same connection.
 - **Built in file server** — Build in minimalistic file server for serving static files, should be added as upstreams for public access.
-- **Memory Safe** — Created purely on Rust.
+- **Upstream Providers:**
-- **High Performance** — Built with [Pingora](https://github.com/cloudflare/pingora) and tokio for async I/O.
-
-## 🌍 Highlights
-
-- ⚙️ **Upstream Providers:**
     - `file` Upstreams are declared in config file.
     - `consul` Upstreams are dynamically updated from Hashicorp Consul.
-- 🔁 **Hot Reloading:** Modify upstreams on the fly via `upstreams.yaml` — no restart needed.
+    - `kubernetes` Upstreams are dynamically updated from kubernetes api server.
-- 🔮 **Automatic WebSocket Support:** Zero config — connection upgrades are handled seamlessly.
+- **Auto WebSocket Support:** WS connection upgrades are handled automatically.
-- 🔮 **Automatic GRPC Support:** Zero config, Requires `ssl` to proxy, gRPC handled seamlessly.
+- **Auto gRPC Support:** gRPC detected and handled automatically.
-- 🔮 **Upstreams Session Stickiness:** Enable/Disable Sticky sessions globally.
+- **Header Injection:** Global and per-route server/client headers injection.
-- 🔐 **TLS Termination:** Fully supports TLS for upstreams and downstreams.
+- **Remote Config Push:** Lightweight HTTP API to update configs from CI/CD or other systems.
-- 🛡️ **Built-in Authentication** Basic Auth, JWT, API key.
+- **Memory Safe** — 100% Rust.
-- 🧠 **Header Injection:** Global and per-route header configuration.
+- **High Performance** — Built with [Pingora](https://github.com/cloudflare/pingora) and tokio for async I/O.
-- 🧪 **Health Checks:** Pluggable health check methods for upstreams.
-- 🛰️ **Remote Config Push:** Lightweight HTTP API to update configs from CI/CD or other systems.
 
 ---
 
-## 📁 File Structure
+## Configuration Overview
 
-```
+### `main.yaml`
-.
-├── main.yaml           # Main configuration loaded at startup
-├── upstreams.yaml      # Watched config with upstream mappings
-├── etc/
-│   ├── server.crt      # TLS certificate (required if using TLS)
-│   └── key.pem         # TLS private key
-```
-
----
-
-## 🛠 Configuration Overview
-
-### 🔧 `main.yaml`
 
 | Key                              | Example Value            | Description                                                                                        |
-|----------------------------------|--------------------------------------|----------------------------------------------------------------------------------------------------|
+|----------------------------------|--------------------------|----------------------------------------------------------------------------------------------------|
 | **threads**                      | 12                       | Number of running daemon threads. Optional, defaults to 1                                          |
 | **runuser**                      | aralez                   | Optional, Username for running aralez after dropping root privileges, requires to launch as root   |
 | **rungroup**                     | aralez                   | Optional,Group for running aralez after dropping root privileges, requires to launch as root       |
@@ -87,35 +61,24 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 | **error_log**                    | /tmp/aralez_err.log      | Path to error log file                                                                             |
 | **upgrade_sock**                 | /tmp/aralez.sock         | Path to live upgrade socket file                                                                   |
 | **config_address**               | 0.0.0.0:3000             | HTTP API address for pushing upstreams.yaml from remote location                                   |
-| **config_tls_address**           | 0.0.0.0:3001                         | HTTPS API address for pushing upstreams.yaml from remote location                                  |
-| **config_tls_certificate**       | etc/server.crt                       | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional                |
 | **proxy_tls_grade**              | (high, medium, unsafe)   | Grade of TLS ciphers, for easy configuration. High matches Qualys SSL Labs A+ (defaults to medium) |
 | **config_tls_key_file**          | etc/key.pem              | Private Key file path. Mandatory if proxy_address_tls is set, else optional                        |
 | **proxy_address_http**           | 0.0.0.0:6193             | Aralez HTTP bind address                                                                           |
 | **proxy_address_tls**            | 0.0.0.0:6194             | Aralez HTTPS bind address (Optional)                                                               |
-| **proxy_certificates**           | etc/certs/                           | The directory containing certificate and key files. In a format {NAME}.crt, {NAME}.key.            |
+| **proxy_configs**                | etc/                     | The top directory of config files                                                                  |
 | **upstreams_conf**               | etc/upstreams.yaml       | The location of upstreams file                                                                     |
 | **log_level**                    | info                     | Log level , possible values : info, warn, error, debug, trace, off                                 |
+| **log_file**                     | /full/path/to/aralez.log | Optional, the location of log file. If thi entry does not exist logs will be emitted to stdout.    |
 | **hc_method**                    | HEAD                     | Healthcheck method (HEAD, GET, POST are supported) UPPERCASE                                       |
 | **hc_interval**                  | 2                        | Interval for health checks in seconds                                                              |
-| **master_key**                   | 5aeff7f9-7b94-447c-af60-e8c488544a3e | Master key for working with API server and JWT Secret generation                                   |
+| **master_key**                   | Random long string       | Master key for working with API server and JWT Secret generation                                   |
 | **file_server_folder**           | /some/local/folder       | Optional, local folder to serve                                                                    |
 | **file_server_address**          | 127.0.0.1:3002           | Optional, Local address for file server. Can set as upstream for public access                     |
 | **config_api_enabled**           | true                     | Boolean to enable/disable remote config push capability                                            |
 
-### 🌐 `upstreams.yaml`
-
-- `provider`: `file` or `consul`
-- File-based upstreams define:
-    - Hostnames and routing paths
-    - Backend servers (load-balanced)
-    - Optional request headers, specific to this upstream
-- Global headers (e.g., CORS) apply to all proxied responses
-- Optional authentication (Basic, API Key, JWT)
-
 ---
 
-## 🛠 Installation
+## Installation
 
 Download the prebuilt binary for your architecture from releases section of [GitHub](https://github.com/sadoyan/aralez/releases) repo
 Make the binary executable `chmod 755 ./aralez-VERSION` and run.
@@ -123,76 +86,102 @@ Make the binary executable `chmod 755 ./aralez-VERSION` and run.
 File names:
 
 | File Name                       | Description                                                                |
-|---------------------------------|--------------------------------------------------------------------------|
+|---------------------------------|----------------------------------------------------------------------------|
 | `aralez-x86_64-musl.gz`         | Static Linux x86_64 binary, without any system dependency                  |
 | `aralez-x86_64-glibc.gz`        | Dynamic Linux x86_64 binary, with minimal system dependencies              |
 | `aralez-x86_64-compat-musl.gz`  | Static Linux x86_64 binary, compatible with old pre Haswell CPUs           |
 | `aralez-x86_64-compat-glibc.gz` | Dynamic Linux x86_64 binary, compatible with old pre Haswell CPUs          |
 | `aralez-aarch64-musl.gz`        | Static Linux ARM64 binary, without any system dependency                   |
 | `aralez-aarch64-glibc.gz`       | Dynamic Linux ARM64 binary, with minimal system dependencies               |
-| `sadoyan/aralez`                | Docker image on Debian 13 slim (https://hub.docker.com/r/sadoyan/aralez) |
+| `sadoyan/aralez`                | Docker image on Debian 13 slim (<https://hub.docker.com/r/sadoyan/aralez>) |
+
+## About binaries
+
+**glibc** builds are in general faster, but have few, basic, Glibc dependencies:
+
+**musl** builds are 100% portable, static compiled binaries and have zero system dependencies.
+In general musl builds have a little less performance.
+
+The most intensive tests shows 107k-110k requests per second on **Glibc** binaries against 97k-100k **Musl** ones.
+
+For running **Aralez** on very old hardware, CPUs prior Haswell, (launched before 2013) use `aralez-x86_64-compat-*.gz`
+For getting the best performance on newer hardware use `aralez-x86_64-*.gz`.
 
 **Via docker**
 
 ```shell
-docker run -d \
+docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 sadoyan/aralez
-  -v /local/path/to/config:/etc/aralez:ro \
-  -p 80:80 \
-  -p 443:443 \
-  sadoyan/aralez
 ```
 
-## 💡 Note
+**Dockerfile :**
 
-In general **glibc** builds are working faster, but have few, basic, system dependencies for example :
+```dockerfile
+FROM debian:trixie-slim
 
-```
+RUN apt-get update && apt-get install -y ca-certificates curl net-tools iputils-ping
-	linux-vdso.so.1 (0x00007ffeea33b000)
+RUN apt-get clean && rm -rf /var/lib/apt/lists/*
-	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f09e7377000)
+
-	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f09e6320000)
+COPY aralez /usr/local/bin/aralez
-	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f09e613f000)
+
-	/lib64/ld-linux-x86-64.so.2 (0x00007f09e73b1000)
+RUN chmod +x /usr/local/bin/aralez
+RUN mkdir -p /etc/aralez/certs/upstreams
+
+WORKDIR /etc/aralez
+
+ENTRYPOINT ["/usr/local/bin/aralez", "-c", "/etc/aralez/main.yaml"]
 ```
 
-These are common to any Linux systems, so the binary should work on almost any Linux system.
+## Running the Proxy
-
-**musl** builds are 100% portable, static compiled binaries and have zero system depencecies.
-In general musl builds have a little less performance.
-The most intensive tests shows 107k-110k requests per second on **Glibc** binaries against 97k-100k **Musl** ones.
-
-## 🔌 Running the Proxy
 
 ```bash
 ./aralez -c path/to/main.yaml
 ```
 
-## 🔌 Systemd integration
+## Systemd integration
+
+Assuming Aralez in installed in `/opt/aralez` folder
 
 ```bash
 cat > /etc/systemd/system/aralez.service <<EOF
+[Unit]
+Description=meilisearch
+Documentation=https://github.com/sadoyan/aralez
+Wants=network-online.target
+After=network-online.target
+
 [Service]
-Type=forking
+WorkingDirectory = /opt/aralez/
-PIDFile=/run/aralez.pid
+ExecReload=/bin/kill -HUP 
-ExecStart=/bin/aralez -d -c /etc/aralez.conf
+ExecStart=/opt/aralez/aralez -c /opt/aralez/proxyconfigs/main.yaml
-ExecReload=kill -QUIT $MAINPID
+KillMode=process
-ExecReload=/bin/aralez -u -d -c /etc/aralez.conf
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target
 EOF
 ```
 
 ```bash
+systemctl daemon-reload
 systemctl enable aralez.service.
 systemctl restart aralez.service.
 ```
 
-## 💡 Example
+## Example upstreams config
-
-A sample `upstreams.yaml` entry:
 
 ```yaml
 provider: "file"
-sticky_sessions: false
+sticky_sessions: 8600
 to_https: false
-rate_limit: 10
+rate_limit: 20
+x4xx_limit: 20
 server_headers:
   - "X-Forwarded-Proto:https"
   - "X-Forwarded-Port:443"
@@ -200,13 +189,11 @@ client_headers:
   - "Access-Control-Allow-Origin:*"
   - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
   - "Access-Control-Max-Age:86400"
-authorization:
-  type: "jwt"
-  creds: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
 myhost.mydomain.com:
   paths:
     "/":
-      rate_limit: 20
+      rate_limit: 10
+      x4xx_limit: 10
       to_https: false
       server_headers:
         - "X-Something-Else:Foobar"
@@ -219,6 +206,9 @@ myhost.mydomain.com:
         - "127.0.0.2:8000"
     "/foo":
       to_https: true
+      authorization:
+        type: "jwt"
+        data: "266463d1-210a-4787-9a81-4aacb37a8723"
       client_headers:
         - "X-Another-Header:Hohohohoho"
       servers:
@@ -228,21 +218,32 @@ myhost.mydomain.com:
       healthcheck: false
       servers:
         - "127.0.0.1:8001"
+DEFAULT:
+  paths:
+    "/":
+      servers:
+        - "127.0.0.1:3000"
 ```
 
 **This means:**
 
-- Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
+- Sticky sessions are enabled globally. This setting applies to all upstreams. If enabled the value will be set for `Max-Age=` cookie.
 - HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
 - All upstreams will receive custom headers : `X-Forwarded-Proto:https` and `X-Forwarded-Port:443`
 - Additionally, myhost.mydomain.com with path `/` will receive custom headers : `X-Another-Header:Hohohohoho` and `X-Something-Else:Foobar`
-- Requests to each hosted domains will be limited to 10 requests per second per virtualhost.
+- Requests with response 4xx to each hosted domains will be limited to 20 requests per second per virtualhost.
+    - Requests limits are calculated per requester ip plus requested virtualhost.
+    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
+    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
+- Requests to each hosted domains will be limited to 20 requests per second per virtualhost.
     - Requests limits are calculated per requester ip plus requested virtualhost.
     - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
     - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to `myhost.mydomain.com/` will be limited to 20 requests per second.
+- Requests with 4xx responses to `myhost.mydomain.com/` will be limited to 10 requests per second.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
 - Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
+- `myhost.mydomain.com/foo` will require authentication with JWT token, signed by `266463d1-210a-4787-9a81-4aacb37a8723`.
 - Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
 - Requests to `myhost.mydomain.com/.well-known/acme-challenge` will be proxied to `127.0.0.1:8001`, but healthcheks are disabled.
 - SSL/TLS for upstreams is detected automatically, no need to set any config parameter.
@@ -251,30 +252,31 @@ myhost.mydomain.com:
 - Global headers (CORS for this case) will be injected to all upstreams.
 - Additional headers will be injected into the request for `myhost.mydomain.com`.
 - You can choose any path, deep nested paths are supported, the best match chosen.
-- All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
+- `DEFAULT` catch up everything else and proxy to `127.0.0.1:3000`
-    - Firs parameter specifies the mechanism of authorisation `jwt`
+    - This is a special upstream and in order to do the catch-up jub it must be **DEFAULT** all capitals
-    - Second is the secret key for validating `jwt` tokens
 
 ---
 
-## 🔄 Hot Reload
+## Hot Reload
 
-- Changes to `upstreams.yaml` are applied immediately.
+- Changes to `upstreams.yaml` are applied immediately on save without restart .
-- No need to restart the proxy — just save the file.
+- If `consul` or `kubernetes` provider is chosen, upstreams will be periodically update from API.
-- If `consul` provider is chosen, upstreams will be periodically update from Consul's API.
 
 ---
 
-## 🔐 TLS Support
+## TLS Support
 
-To enable TLS for A proxy server: Currently only OpenSSL is supported, working on Boringssl and Rustls
+To enable TLS for the proxy server.
 
-1. Set `proxy_address_tls` in `main.yaml`
+- Set `proxy_address_tls` in `main.yaml`
-2. Provide `tls_certificate` and `tls_key_file`
+- Provide at least on  `tls_certificate/tls_key_file` pair.
+    - First pair is required to create the TLS listener.
+    - This pair can be anything, even self-signed with dummy domain.
+    - After getting normal certificate it can be deleted
 
 ---
 
-## 📡 Remote Config API
+## Remote Config API
 
 Push new `upstreams.yaml` over HTTP to `config_address` (`:3000` by default). Useful for CI/CD automation or remote config updates.
 URL parameter. `key=MASTERKEY` is required. `MASTERKEY` is the value of `master_key` in the `main.yaml`
@@ -285,7 +287,7 @@ curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf?key=${MASTERK
 
 ---
 
-## 🔐 Authentication (Optional)
+## Authentication (Optional)
 
 - Adds authentication to all requests.
 - Only one method can be active at a time.
@@ -339,13 +341,13 @@ curl  -u username:password -H 'Host: myip.mydomain.com' http://127.0.0.1:6193/
 
 ```
 
-## 📃 License
+## License
 
 [Apache License Version 2.0](https://www.apache.org/licenses/LICENSE-2.0)
 
 ---
 
-## 🧠 Notes
+## Notes
 
 - Uses Pingora under the hood for efficiency and flexibility.
 - Designed for edge proxying, internal routing, or hybrid cloud scenarios.
@@ -354,37 +356,42 @@ curl  -u username:password -H 'Host: myip.mydomain.com' http://127.0.0.1:6193/
 - Sticky session support.
 - HTTP2 ready.
 
-### 🧩 Summary Table: Feature Comparison
+### Summary Table: Feature Comparison
 
 | Feature / Proxy    | **Aralez** |  **Nginx**  | **HAProxy** | **Traefik** | **Caddy**  | **Envoy** |
-|----------------------------------|:-----------------:|:---------------------------:|:-----------------:|:--------------------------------:|:---------------:|:---------------:|
+|--------------------|:----------:|:-----------:|:-----------:|:-----------:|:----------:|:---------:|
-| **Hot Reload (Zero Downtime)**   |  ✅ **Automatic**  | ⚙️ Manual (graceful reload) |     ⚙️ Manual     |           ✅ Automatic            |   ✅ Automatic   |   ✅ Automatic   |
+| **Reload**         |   ✅ Hot    |  ⚙️ Manual  |  ⚙️ Manual  |    ✅ Hot    |   ✅ Hot    |   ✅ Hot   |
-| **Auto Cert Reload (from disk)** |  ✅ **Automatic**  |            ❌ No             |       ❌ No        | ✅ Automatic (Let's Encrypt only) |   ✅ Automatic   |    ⚙️ Manual    |
+| **Cert load**      |   ✅ Hot    |  ❌ Reload   |  ❌ Reload   |    ✅ Yes    |   ✅ Yes    |  ⚙️ No ?  |
-| **Auth: Basic / API Key / JWT**  |  ✅ **Built-in**   |        ⚙️ Basic only        |   ⚙️ Basic only   |          ✅ Config-based          | ✅ Config-based  | ✅ Config-based  |
+| **Authentication** |   ✅ Yes    | ⚙️ Limited  | ⚙️ Limited  |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **TLS / HTTP2 Termination**      |  ✅ **Automatic**  |      ⚙️ Manual config       | ⚙️ Manual config  |           ✅ Automatic            |   ✅ Automatic   |   ✅ Automatic   |
+| **HTTP2**          |   ✅ Yes    |  ⚙️ Manual  |  ⚙️ Manual  |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **Built-in A+ TLS Grades**       |  ✅ **Automatic**  |      ⚙️ Manual tuning       |     ⚙️ Manual     |            ⚙️ Manual             |   ✅ Automatic   |    ⚙️ Manual    |
+| **TLS Grades**     |   ✅ Yes    |  ⚙️ Manual  |  ⚙️ Manual  |  ⚙️ Manual  |   ✅ Yes    | ⚙️ Manual |
-| **gRPC Proxy**                   | ✅ **Zero-Config** |       ⚙️ Manual setup       |     ⚙️ Manual     |         ⚙️ Needs config          | ⚙️ Needs config | ⚙️ Needs config |
+| **gRPC**           |   ✅ Auto   |  ⚙️ Manual  |  ⚙️ Manual  |  ⚙️ Manual  | ⚙️ Manual  | ⚙️ Manual |
-| **SSL Proxy**                    | ✅ **Zero-Config** |          ⚙️ Manual          |     ⚙️ Manual     |           ✅ Automatic            |   ✅ Automatic   |   ✅ Automatic   |
+| **SSL Proxy**      |   ✅ Auto   |  ⚙️ Manual  |  ⚙️ Manual  |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **HTTP/2 Proxy**                 | ✅ **Zero-Config** |      ⚙️ Manual enable       | ⚙️ Manual enable  |           ✅ Automatic            |   ✅ Automatic   |   ✅ Automatic   |
+| **HTTP/2**         |   ✅ Auto   |  ⚙️ Manual  |  ⚙️ Manual  |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **WebSocket Proxy**              | ✅ **Zero-Config** |      ⚙️ Manual upgrade      | ⚙️ Manual upgrade |           ✅ Automatic            |   ✅ Automatic   |   ✅ Automatic   |
+| **WebSocket**      |   ✅ Auto   |  ⚙️ Manual  |  ⚙️ Manual  |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **Sticky Sessions**              |  ✅ **Built-in**   |       ⚙️ Config-based       |  ⚙️ Config-based  |           ✅ Automatic            |   ⚙️ Limited    | ✅ Config-based  |
+| **Sticky Session** |   ✅ Yes    |    ❌ No     |   ⚙️ Yes    |    ✅ Yes    | ⚙️ Limited | ✅ Manual  |
-| **Prometheus Metrics**           |  ✅ **Built-in**   |    ⚙️ External exporter     |    ✅ Built-in     |            ✅ Built-in            |   ✅ Built-in    |   ✅ Built-in    |
+| **Prometheus**     |   ✅ Yes    | ⚙️ External |    ✅ Yes    |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **Consul Integration**           |     ✅ **Yes**     |            ❌ No             |  ⚙️ Via DNS only  |              ✅ Yes               |      ❌ No       |      ✅ Yes      |
+| **Consul**         |   ✅ Yes    |    ❌ No     |  ⚙️DNS API  |    ✅ Yes    |    ❌ No    |   ✅ Yes   |
-| **Kubernetes Integration**       |     ✅ **Yes**     |   ⚙️ Needs ingress setup    |    ⚙️ External    |              ✅ Yes               |   ⚙️ Limited    |      ✅ Yes      |
+| **Kubernetes**     |   ✅ Yes    | ⚙️ Ingress  | ⚙️ External |    ✅ Yes    | ⚙️ Limited |   ✅ Yes   |
-| **Request Limiter**              |     ✅ **Yes**     |       ✅ Config-based        |  ✅ Config-based   |          ✅ Config-based          | ✅ Config-based  | ✅ Config-based  |
+| **Limiter**        |   ✅ Yes    |    ✅ Yes    |    ✅ Yes    |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **Serve Static Files**           |     ✅ **Yes**     |            ✅ Yes            |     ⚙️ Basic      |           ✅ Automatic            |   ✅ Automatic   |      ❌ No       |
+| **Static Files**   |   ✅ Yes    |    ✅ Yes    |  ⚙️ Lua ?   |    ✅ Yes    |   ✅ Yes    |   ❌ No    |
-| **Upstream Health Checks**       |  ✅ **Automatic**  |      ⚙️ Manual config       | ⚙️ Manual config  |           ✅ Automatic            |   ✅ Automatic   |   ✅ Automatic   |
+| **Health Checks**  |   ✅ Yes    |  ⚙️ Manual  |  ⚙️ Manual  |    ✅ Yes    |   ✅ Yes    |   ✅ Yes   |
-| **Built With**                   |    🦀 **Rust**    |              C              |         C         |                Go                |       Go        |       C++       |
+| **Built With**     |    Rust    |      C      |      C      |     Go      |     Go     |    C++    |
 
 ---
 
-✅ **Automatic / Zero-Config** – Works immediately, no setup required  
+✅ **Auto** – Automatically detected and loaded  
-⚙️ **Manual / Config-based** – Requires explicit configuration or modules  
+✅ **Hot** – Works immediately, no reload/restart is required  
+✅ **Yes** – Works immediately, no setup required  
+⚙️ **Manual** – Requires explicit configuration or modules  
+⚙️ **Reload** – Reload or restart is required  
+⚙️ **Limited** – Support is limited to certain features  
+⚙️ **External** – Requires an external module  
 ❌ **No** – Not supported
 
-## 💡 Simple benchmark by [Oha](https://github.com/hatoo/oha)
+## Simple benchmark by [Oha](https://github.com/hatoo/oha)
 
-⚠️ These benchmarks use :
+**These benchmarks use :**
 
 - 3 async Rust echo servers on a local network with 1Gbit as upstreams.
 - A dedicated server for running **Aralez**
@@ -413,7 +420,7 @@ curl  -u username:password -H 'Host: myip.mydomain.com' http://127.0.0.1:6193/
           - "192.168.211.212:8000"
 ```
 
-## 💡 Results reflect synthetic performance under optimal conditions.
+## Results reflect synthetic performance under optimal conditions.
 
 - CPU : Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz
 - 300 : simultaneous connections
@@ -527,7 +534,7 @@ Error distribution:
 
 ![Aralez](https://netangels.net/utils/musl10.png)
 
-## 🚀 Aralez, Nginx, Traefik performance benchmark
+## Aralez, Nginx, Traefik performance benchmark
 
 This benchmark is done on 4 servers. With CPU Intel(R) Xeon(R) E-2174G CPU @ 3.80GHz, 64 GB RAM.
 
@@ -543,3 +550,9 @@ The results show requests per second performed by Load balancer. You can see 3 b
 2. Requests to via http2 to SSL endpoint.
 3. Mixed workload with plain http1.1 and htt2 SSL.
 
+## Links
+
+- [**Documentation**](https://aralez.rs) : The manual you should read
+- [**Downloads**](https://github.com/sadoyan/aralez/releases) : Binary downloads
+- [**Issues**](https://github.com/sadoyan/aralez/issues) : Issues and requests 
+

etc/main.yaml

@@ -1,7 +1,7 @@
 # Main configuration file, applied on startup
 threads: 12 # Number of daemon threads default setting
-runuser: aralez # Username for running aralez after dropping root privileges, requires program to start as root
+#runuser: pastor # Username for running aralez after dropping root privileges, requires program to start as root
-rungroup: aralez # Group for running aralez after dropping root privileges, requires program to start as root
+#rungroup: pastor # Group for running aralez after dropping root privileges, requires program to start as root
 daemon: false # Run in background
 upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
 pid_file: /tmp/aralez.pid # Path to PID file
@@ -11,12 +11,13 @@ config_api_enabled: true # Boolean to enable/disable remote config push capabili
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
-proxy_configs: /opt/aralez/etc # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
+proxy_configs: /opt/Rust/Projects/asyncweb/etc # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
-proxy_tls_grade: a+ # Grade of TLS suite for proxy (a+, a, b, c, unsafe), matching grades of Qualys SSL Labs
+proxy_tls_grade: high # Grade of TLS suite for proxy (high, medium, unsafe), matching grades of Qualys SSL Labs
-upstreams_conf: /opt/aralez/etc/upstreams.yaml # the location of upstreams file
+upstreams_conf: /opt/Rust/Projects/asyncweb/etc/upstreams.yaml # the location of upstreams file
-file_server_folder: /opt/storage # Optional, local folder to serve
+#file_server_folder: /opt/storage # Optional, local folder to serve
-file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
+#file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
 log_level: info # info, warn, error, debug, trace, off
+log_file: /tmp/aralez.log # Optional, the location of log file. If this entry does not exist logs will be emitted to stdout.
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
-master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
+#master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret

etc/upstreams.yaml

@@ -1,8 +1,9 @@
 # The file under watch and hot reload, changes are applied immediately, no need to restart or reload.
 provider: "file" # "file" "consul" "kubernetes"
-sticky_sessions: false
+sticky_sessions: 8600
 to_https: false
-rate_limit: 100
+rate_limit: 300
+x4xx_limit: 200
 server_headers:
   - "X-Forwarded-Proto:https"
   - "X-Forwarded-Port:443"
@@ -62,6 +63,7 @@ upstreams:
     paths:
       "/":
         rate_limit: 200
+        x4xx_limit: 100
         to_https: false
         client_headers:
           - "X-Proxy-From:Aralez"

src/main.rs

@@ -1,9 +1,12 @@
+use tikv_jemallocator::Jemalloc;
+
 mod tls;
 mod utils;
 mod web;
 
 #[global_allocator]
-static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
+static ALLOC: Jemalloc = Jemalloc;
+// static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
 // pub static A: CountingAllocator = CountingAllocator;
 
 fn main() {

src/tls/acme/order.rs

@@ -25,7 +25,7 @@ pub async fn order(domain: &str, credsfile: &str, certs_dir: String) -> Result<S
     let crt = certs_dir.clone() + "/" + domain + ".crt";
     let key = certs_dir.clone() + "/" + domain + ".key";
 
-    if let None = DOMAINS.get(domain) {
+    if DOMAINS.get(domain).is_none() {
         DOMAINS.insert(domain.to_string(), true);
         let mut newlist: Vec<String> = Vec::new();
         for item in DOMAINS.iter() {
@@ -40,15 +40,12 @@ pub async fn order(domain: &str, credsfile: &str, certs_dir: String) -> Result<S
         }
     }
 
-    let _ = match cert_expiry(crt.as_str()) {
+    if let Ok(expiry) = cert_expiry(crt.as_str()) {
-        Ok(expiry) => {
         let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH)?.as_secs();
         if expiry > now + 30 * 24 * 3600 {
             // println!("Fresh certificate exists. Not renewing !");
             return Ok("Fresh certificate exists. Not renewing ! \n".to_string());
         }
-        }
-        Err(_) => {}
     };
 
     let account = get_account(credsfile).await?;
@@ -73,7 +70,7 @@ pub async fn order(domain: &str, credsfile: &str, certs_dir: String) -> Result<S
     let private_key = KeyPair::generate()?;
     let signing_request = params.serialize_request(&private_key)?;
     let csr_der = signing_request.der();
-    order.finalize_csr(&csr_der).await?;
+    order.finalize_csr(csr_der).await?;
 
     // poll for certificate
     let cert_chain_pem = order.poll_certificate(&RetryPolicy::default()).await?;

src/tls/grades.rs

@@ -16,17 +16,17 @@ const CIPHERS: CipherSuite = CipherSuite {
 
 #[derive(Debug)]
 pub enum TlsGrade {
-    HIGH,
+    High,
-    MEDIUM,
+    Medium,
-    LEGACY,
+    Legacy,
 }
 
 impl TlsGrade {
     pub fn from_str(s: &str) -> Option<Self> {
         match s.to_ascii_lowercase().as_str() {
-            "high" => Some(TlsGrade::HIGH),
+            "high" => Some(TlsGrade::High),
-            "medium" => Some(TlsGrade::MEDIUM),
+            "medium" => Some(TlsGrade::Medium),
-            "unsafe" => Some(TlsGrade::LEGACY),
+            "unsafe" => Some(TlsGrade::Legacy),
             _ => None,
         }
     }
@@ -41,22 +41,22 @@ pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], A
 pub fn set_tsl_grade(tls_settings: &mut TlsSettings, grade: &str) {
     let config_grade = TlsGrade::from_str(grade);
     match config_grade {
-        Some(TlsGrade::HIGH) => {
+        Some(TlsGrade::High) => {
             let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1_2));
             // let _ = tls_settings.set_max_proto_version(Some(SslVersion::TLS1_3));
             let _ = tls_settings.set_cipher_list(CIPHERS.high);
             // let _ = tls_settings.set_ciphersuites(CIPHERS.high);
             let _ = tls_settings.set_cipher_list(CIPHERS.high);
-            info!("TLS grade: {:?}, => HIGH", tls_settings.options());
+            info!("TLS grade: {:?}, => High", tls_settings.options());
         }
-        Some(TlsGrade::MEDIUM) => {
+        Some(TlsGrade::Medium) => {
             let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
             let _ = tls_settings.set_cipher_list(CIPHERS.medium);
             // let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
             let _ = tls_settings.set_cipher_list(CIPHERS.medium);
-            info!("TLS grade: {:?}, => MEDIUM", tls_settings.options());
+            info!("TLS grade: {:?}, => Medium", tls_settings.options());
         }
-        Some(TlsGrade::LEGACY) => {
+        Some(TlsGrade::Legacy) => {
             let _ = tls_settings.set_min_proto_version(Some(SslVersion::SSL3));
             let _ = tls_settings.set_cipher_list(CIPHERS.legacy);
             // let _ = tls_settings.set_ciphersuites(CIPHERS.legacy);
@@ -64,12 +64,12 @@ pub fn set_tsl_grade(tls_settings: &mut TlsSettings, grade: &str) {
             warn!("TLS grade: {:?}, => UNSAFE", tls_settings.options());
         }
         None => {
-            // Defaults to MEDIUM
+            // Defaults to Medium
             let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
             let _ = tls_settings.set_cipher_list(CIPHERS.medium);
             // let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
             let _ = tls_settings.set_cipher_list(CIPHERS.medium);
-            warn!("TLS grade is not detected defaulting top MEDIUM");
+            warn!("TLS grade is not detected defaulting top Medium");
         }
     }
 }

src/tls/load.rs

@@ -60,7 +60,7 @@ impl Certificates {
             }
         }
         Some(Self {
-            name_map: name_map,
+            name_map,
             configs: cert_infos,
             default_cert_path: default_cert.cert_path.clone(),
             default_key_path: default_cert.key_path.clone(),
@@ -93,7 +93,7 @@ impl Certificates {
         if let Some(name) = server_name {
             match self.find_ssl_context(name) {
                 Some(ctx) => {
-                    ssl_ref.set_ssl_context(&*ctx).map_err(|_| SniError::ALERT_FATAL)?;
+                    ssl_ref.set_ssl_context(&ctx).map_err(|_| SniError::ALERT_FATAL)?;
                 }
                 None => {
                     log::debug!("No matching server name found");

src/utils/auth.rs

@@ -1,21 +1,17 @@
-use crate::utils::jwt::check_jwt;
+use crate::utils::jwt::{check_jwt, JWT_TOKEN};
-// use reqwest::Client;
+use crate::utils::structs::InnerAuth;
 use axum::http::StatusCode;
 use base64::engine::general_purpose::STANDARD;
 use base64::Engine;
-use pingora_proxy::Session;
-use std::collections::HashMap;
-use std::sync::{Arc, LazyLock};
-use subtle::ConstantTimeEq;
-use urlencoding::decode;
-
-// use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::http::RequestHeader;
-// --------------------------------- //
 use pingora_core::connectors::http::Connector;
 use pingora_core::upstreams::peer::HttpPeer;
 use pingora_http::ResponseHeader;
-// --------------------------------- //
+use pingora_proxy::Session;
+use std::collections::HashMap;
+use std::sync::LazyLock;
+use subtle::ConstantTimeEq;
+use urlencoding::decode;
 
 #[async_trait::async_trait]
 trait AuthValidator {
@@ -23,7 +19,7 @@ trait AuthValidator {
 }
 struct BasicAuth<'a>(&'a str);
 struct ApiKeyAuth<'a>(&'a str);
-struct JwtAuth<'a>(&'a str);
+struct JwtAuth();
 struct ForwardAuth<'a>(&'a str);
 
 pub static AUTH_CONNECTOR: LazyLock<Connector> = LazyLock::new(|| Connector::new(None));
@@ -153,9 +149,9 @@ impl AuthValidator for ForwardAuth<'_> {
 impl AuthValidator for BasicAuth<'_> {
     async fn validate(&self, session: &mut Session) -> bool {
         if let Some(header) = session.get_header("authorization") {
-            if let Some(h) = header.to_str().ok() {
+            if let Ok(h) = header.to_str() {
                 if let Some((_, val)) = h.split_once(' ') {
-                    if let Some(decoded) = STANDARD.decode(val).ok() {
+                    if let Ok(decoded) = STANDARD.decode(val) {
                         if decoded.as_slice().ct_eq(self.0.as_bytes()).into() {
                             return true;
                         }
@@ -171,7 +167,7 @@ impl AuthValidator for BasicAuth<'_> {
 impl AuthValidator for ApiKeyAuth<'_> {
     async fn validate(&self, session: &mut Session) -> bool {
         if let Some(header) = session.get_header("x-api-key") {
-            if let Some(h) = header.to_str().ok() {
+            if let Ok(h) = header.to_str() {
                 return h.as_bytes().ct_eq(self.0.as_bytes()).into();
             }
         }
@@ -180,17 +176,18 @@ impl AuthValidator for ApiKeyAuth<'_> {
 }
 
 #[async_trait::async_trait]
-impl AuthValidator for JwtAuth<'_> {
+impl AuthValidator for JwtAuth {
     async fn validate(&self, session: &mut Session) -> bool {
-        let jwtsecret = self.0;
+        if let Some(jwtsecret) = JWT_TOKEN.clone() {
             if let Some(tok) = get_query_param(session, "araleztoken") {
-            return check_jwt(tok.as_str(), jwtsecret);
+                return check_jwt(tok.as_str(), jwtsecret.as_ref());
             }
             if let Some(auth_header) = session.get_header("authorization") {
                 if let Ok(header_str) = auth_header.to_str() {
                     if let Some((scheme, token)) = header_str.split_once(' ') {
                         if scheme.eq_ignore_ascii_case("bearer") {
-                        return check_jwt(token, jwtsecret);
+                            return check_jwt(token, jwtsecret.as_ref());
+                        }
                     }
                 }
             }
@@ -199,14 +196,14 @@ impl AuthValidator for JwtAuth<'_> {
     }
 }
 
-pub async fn authenticate(auth_type: &Arc<str>, credentials: &Arc<str>, session: &mut Session) -> bool {
+pub async fn authenticate(auth: &InnerAuth, session: &mut Session) -> bool {
-    match &**auth_type {
+    match &*auth.auth_type {
-        "basic" => BasicAuth(credentials).validate(session).await,
+        "basic" => BasicAuth(&*auth.auth_cred).validate(session).await,
-        "apikey" => ApiKeyAuth(credentials).validate(session).await,
+        "apikey" => ApiKeyAuth(&*auth.auth_cred).validate(session).await,
-        "jwt" => JwtAuth(credentials).validate(session).await,
+        "jwt" => JwtAuth().validate(session).await,
-        "forward" => ForwardAuth(credentials).validate(session).await,
+        "forward" => ForwardAuth(&*auth.auth_cred).validate(session).await,
         _ => {
-            log::warn!("Unsupported authentication mechanism : {}", auth_type);
+            log::warn!("Unsupported authentication mechanism : {}", &*auth.auth_type);
             false
         }
     }
@@ -227,6 +224,7 @@ pub fn get_query_param(session: &mut Session, key: &str) -> Option<String> {
     params.get(key).and_then(|v| decode(v).ok()).map(|s| s.to_string())
 }
 
+#[allow(clippy::needless_return)]
 fn split_host_port(addr: &str, tls: bool) -> Option<(&str, u16, bool, &str)> {
     match addr.split_once(':') {
         Some((h, p)) => match p.parse::<u16>() {

src/utils/discovery.rs

@@ -9,12 +9,10 @@ use std::sync::Arc;
 pub struct APIUpstreamProvider {
     pub config_api_enabled: bool,
     pub address: String,
-    pub masterkey: String,
+    pub masterkey: Option<String>,
     pub certs_dir: String,
     pub config_dir: String,
-    // pub tls_address: Option<String>,
+    pub upstreams_file: String,
-    // pub tls_certificate: Option<String>,
-    // pub tls_key_file: Option<String>,
     pub file_server_address: Option<String>,
     pub file_server_folder: Option<String>,
     pub current_upstreams: Arc<UpstreamsDashMap>,

src/utils/filewatch.rs

@@ -37,18 +37,13 @@ pub async fn start(fp: String, mut toreturn: Sender<Configuration>) {
         match event {
             Ok(e) => match e.kind {
                 EventKind::Modify(ModifyKind::Data(_)) | EventKind::Create(..) | EventKind::Remove(..) => {
-                    if e.paths[0].to_str().unwrap().ends_with("yaml") {
+                    if e.paths[0].to_str().unwrap().ends_with("yaml") && start.elapsed() > Duration::from_secs(2) {
-                        if start.elapsed() > Duration::from_secs(2) {
                         start = Instant::now();
                         // info!("Config File changed :=> {:?}", e);
                         let snd = load_configuration(file_path, "filepath").await.0;
-                            match snd {
+                        if let Some(snd) = snd {
-                                Some(snd) => {
                             toreturn.send(snd).await.unwrap();
                         }
-                                None => {}
-                            }
-                        }
                     }
                 }
                 _ => (),

src/utils/healthcheck.rs

@@ -52,16 +52,15 @@ async fn build_upstreams(fullist: &UpstreamsDashMap, method: &str, client: &Clie
             let path = path_entry.key();
             let mut innervec = Vec::new();
 
-            for (_, upstream) in path_entry.value().0.iter().enumerate() {
+            for upstream in path_entry.value().0.iter() {
-                let tls = detect_tls(&upstream.address.to_string(), &upstream.port, &client).await;
+                let tls = if upstream.healthcheck.unwrap_or(true) {
-                let is_h2 = matches!(tls.1, Some(Version::HTTP_2));
+                    detect_tls(upstream.address.as_ref(), &upstream.port, client).await
-
-                let link = if tls.0 {
-                    format!("https://{}:{}{}", upstream.address, upstream.port, path)
                 } else {
-                    format!("http://{}:{}{}", upstream.address, upstream.port, path)
+                    (false, None)
                 };
 
+                let is_h2 = matches!(tls.1, Some(Version::HTTP_2));
+
                 let mut scheme = InnerMap {
                     address: upstream.address.clone(),
                     port: upstream.port,
@@ -69,13 +68,20 @@ async fn build_upstreams(fullist: &UpstreamsDashMap, method: &str, client: &Clie
                     is_http2: is_h2,
                     to_https: upstream.to_https,
                     rate_limit: upstream.rate_limit,
+                    x4xx_limit: upstream.x4xx_limit,
                     healthcheck: upstream.healthcheck,
                     redirect_to: upstream.redirect_to.clone(),
                     authorization: upstream.authorization.clone(),
                 };
 
                 if scheme.healthcheck.unwrap_or(true) {
-                    let resp = http_request(&link, method, "", &client).await;
+                    let link = if tls.0 {
+                        format!("https://{}:{}{}", upstream.address, upstream.port, path)
+                    } else {
+                        format!("http://{}:{}{}", upstream.address, upstream.port, path)
+                    };
+
+                    let resp = http_request(&link, method, "", client).await;
                     if resp.0 {
                         if resp.1 {
                             scheme.is_http2 = is_h2; // could be adjusted further
@@ -109,12 +115,12 @@ async fn http_request(url: &str, method: &str, payload: &str, client: &Client) -
         }
     }
 
-    match send_request(&client, method, url, payload).await {
+    match send_request(client, method, url, payload).await {
         Some(response) => {
             let status = response.status().as_u16();
             ((99..499).contains(&status), false)
         }
-        None => (ping_grpc(&url).await, true),
+        None => (ping_grpc(url).await, true),
     }
 }
 
@@ -128,13 +134,9 @@ pub async fn ping_grpc(addr: &str) -> bool {
 
 async fn detect_tls(ip: &str, port: &u16, client: &Client) -> (bool, Option<Version>) {
     let https_url = format!("https://{}:{}", ip, port);
-    match client.get(&https_url).send().await {
+    if let Ok(response) = client.get(&https_url).send().await {
-        Ok(response) => {
-            // println!("{} => {:?} (HTTPS)", https_url, response.version());
         return (true, Some(response.version()));
     }
-        _ => {}
-    }
     let http_url = format!("http://{}:{}", ip, port);
     match client.get(&http_url).send().await {
         Ok(response) => {

src/utils/httpclient.rs

@@ -23,11 +23,8 @@ pub async fn for_consul(url: String, token: Option<String>, conf: &GlobalService
     let upstreams: DashMap<Arc<str>, (Vec<Arc<InnerMap>>, AtomicUsize)> = DashMap::new();
     let endpoints: Vec<ConsulService> = resp.json().await.ok()?;
     for subsets in endpoints {
-        // let addr = subsets.tagged_addresses.get("lan_ipv4").unwrap().address.clone();
-        // let prt = subsets.tagged_addresses.get("lan_ipv4").unwrap().port.clone();
         let addr = subsets.tagged_addresses.get("lan_ipv4").unwrap().address.clone();
-        let prt = subsets.tagged_addresses.get("lan_ipv4").unwrap().port.clone();
+        let prt = subsets.tagged_addresses.get("lan_ipv4").unwrap().port;
-        // let redirect_link = conf.redirect_to.as_ref().map(|www| Arc::from(www.as_str()));
         let to_add = Arc::from(InnerMap {
             address: Arc::from(&*addr),
             port: prt,
@@ -35,13 +32,14 @@ pub async fn for_consul(url: String, token: Option<String>, conf: &GlobalService
             is_http2: false,
             to_https: conf.to_https.unwrap_or(false),
             rate_limit: conf.rate_limit,
+            x4xx_limit: conf.x4xx_limit,
             redirect_to: None,
             healthcheck: None,
             authorization: None,
         });
         inner_vec.push(to_add);
     }
-    match_path(&conf, &upstreams, inner_vec.clone());
+    match_path(conf, &upstreams, inner_vec);
     Some(upstreams)
 }
 
@@ -66,11 +64,12 @@ pub async fn for_kuber(url: &str, token: &str, conf: &GlobalServiceMapping) -> O
                         // let redirect_link = conf.redirect_to.as_ref().map(|www| Arc::from(www.as_str()));
                         let to_add = Arc::from(InnerMap {
                             address: Arc::from(addr.ip.clone()),
-                            port: port.port.clone(),
+                            port: port.port,
                             is_ssl: false,
                             is_http2: false,
                             to_https: conf.to_https.unwrap_or(false),
                             rate_limit: conf.rate_limit,
+                            x4xx_limit: conf.x4xx_limit,
                             healthcheck: None,
                             redirect_to: None,
                             authorization: None,
@@ -78,7 +77,7 @@ pub async fn for_kuber(url: &str, token: &str, conf: &GlobalServiceMapping) -> O
                         inner_vec.push(to_add);
                     }
                 }
-                match_path(&conf, &upstreams, inner_vec.clone());
+                match_path(conf, &upstreams, inner_vec.clone());
             }
         }
     }

src/utils/jwt.rs

@@ -4,8 +4,9 @@ use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use moka::sync::Cache;
 use moka::Expiry;
 use serde::{Deserialize, Serialize};
+use std::env;
 use std::hash::{Hash, Hasher};
-use std::sync::LazyLock;
+use std::sync::{Arc, LazyLock};
 use std::time::{Duration, Instant, SystemTime};
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -23,6 +24,11 @@ struct Expired {
 
 static JWT_VALIDATION: LazyLock<Validation> = LazyLock::new(|| Validation::new(Algorithm::HS256));
 
+pub static JWT_TOKEN: LazyLock<Option<Arc<str>>> = LazyLock::new(|| match env::var("JWT_KEY") {
+    Ok(key) if !key.is_empty() => Some(Arc::from(key.as_str())),
+    _ => None,
+});
+
 static JWT_CACHE: LazyLock<Cache<u64, u64>> = LazyLock::new(|| Cache::builder().max_capacity(100_000).expire_after(JwtExpiry).build());
 struct JwtExpiry;
 impl Expiry<u64, u64> for JwtExpiry {

src/utils/kuberconsul.rs

@@ -52,12 +52,13 @@ pub struct ConsulTaggedAddress {
     #[serde(rename = "Port")]
     pub port: u16,
 }
+#[allow(clippy::type_complexity)]
 pub fn list_to_upstreams(lt: Option<DashMap<Arc<str>, (Vec<Arc<InnerMap>>, AtomicUsize)>>, upstreams: &UpstreamsDashMap, i: &GlobalServiceMapping) {
     if let Some(list) = lt {
         match upstreams.get(&*i.hostname.clone()) {
             Some(upstr) => {
                 for (k, v) in list {
-                    upstr.value().insert(Arc::from(k.to_owned()), v);
+                    upstr.value().insert(k.to_owned(), v);
                 }
             }
             None => {
@@ -134,7 +135,7 @@ impl ServiceDiscovery for KubernetesDiscovery {
                             }
                             let url = format!("https://{}/api/v1/namespaces/{}/endpoints/{}", server, namespace, service.hostname);
                             // let url = format!("https://{}/api/v1/namespaces/{}/endpoints?labelSelector=app", server, namespace);
-                            let list = httpclient::for_kuber(&*url, &*token, &service).await;
+                            let list = httpclient::for_kuber(&url, &token, &service).await;
                             // println!("{:?}", list);
                             list_to_upstreams(list, &upstreams, &service);
                         }
@@ -209,7 +210,7 @@ impl ServiceDiscovery for ConsulDiscovery {
     }
 }
 async fn clone_compare(upstreams: &UpstreamsDashMap, prev_upstreams: &UpstreamsDashMap, config: &Arc<Configuration>) -> Option<Configuration> {
-    if !compare_dashmaps(&upstreams, &prev_upstreams) {
+    if !compare_dashmaps(upstreams, prev_upstreams) {
         let tosend: Configuration = Configuration {
             upstreams: Default::default(),
             client_headers: config.client_headers.clone(),
@@ -219,9 +220,9 @@ async fn clone_compare(upstreams: &UpstreamsDashMap, prev_upstreams: &UpstreamsD
             typecfg: config.typecfg.clone(),
             extraparams: config.extraparams.clone(),
         };
-        clone_dashmap_into(&upstreams, &prev_upstreams);
+        clone_dashmap_into(upstreams, prev_upstreams);
-        clone_dashmap_into(&upstreams, &tosend.upstreams);
+        clone_dashmap_into(upstreams, &tosend.upstreams);
-        print_upstreams(&tosend.upstreams);
+        print_upstreams(&tosend.upstreams, &tosend.extraparams);
         return Some(tosend);
     };
     None

src/utils/metrics.rs

@@ -1,9 +1,11 @@
 use pingora_http::Method;
 use pingora_http::StatusCode;
 use pingora_http::Version;
-use prometheus::{register_histogram, register_int_counter, register_int_counter_vec, Histogram, IntCounter, IntCounterVec};
+use prometheus::{register_histogram, register_int_counter, register_int_counter_vec, register_int_gauge, Histogram, IntCounter, IntCounterVec, IntGauge};
 use std::sync::Arc;
+use std::sync::LazyLock;
 use std::time::Duration;
+use tikv_jemalloc_ctl::{epoch, stats};
 
 pub struct MetricTypes {
     pub method: Method,
@@ -13,27 +15,28 @@ pub struct MetricTypes {
     pub version: Version,
 }
 
-use std::sync::LazyLock;
+pub static OPEN_FILES: LazyLock<IntGauge> = LazyLock::new(|| register_int_gauge!("aralez_open_files", "Number of open file descriptors").unwrap());
-
+pub static MEMORY_USAGE: LazyLock<IntGauge> = LazyLock::new(|| register_int_gauge!("aralez_memory_bytes", "Total memory allocated in bytes").unwrap());
+pub static ACTIVE_SESSIONS: LazyLock<IntGauge> = LazyLock::new(|| register_int_gauge!("aralez_active_sessions", "Current number of active sessions").unwrap());
 pub static REQUEST_COUNT: LazyLock<IntCounter> = LazyLock::new(|| register_int_counter!("aralez_requests_total", "Total number of requests handled by Aralez").unwrap());
 
 pub static RESPONSE_CODES: LazyLock<IntCounterVec> =
     LazyLock::new(|| register_int_counter_vec!("aralez_responses_total", "Responses grouped by status code", &["status"]).unwrap());
 
-pub static REQUEST_LATENCY: LazyLock<Histogram> = LazyLock::new(|| {
+// pub static RESPONSE_LATENCY: LazyLock<Histogram> = LazyLock::new(|| {
-    register_histogram!(
+//     register_histogram!(
-        "aralez_request_latency_seconds",
+//         "aralez_response_latency_seconds",
-        "Request latency in seconds",
+//         "Response latency in seconds",
-        vec![0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0]
+//         vec![0.01, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
-    )
+//     )
-    .unwrap()
+//     .unwrap()
-});
+// });
 
 pub static RESPONSE_LATENCY: LazyLock<Histogram> = LazyLock::new(|| {
     register_histogram!(
         "aralez_response_latency_seconds",
         "Response latency in seconds",
-        vec![0.01, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
+        vec![0.001, 0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
     )
     .unwrap()
 });
@@ -49,19 +52,25 @@ pub static REQUESTS_BY_VERSION: LazyLock<IntCounterVec> =
 
 pub fn calc_metrics(metric_types: &MetricTypes) {
     REQUEST_COUNT.inc();
-    let timer = REQUEST_LATENCY.start_timer();
+    let version_str = match metric_types.version {
-    timer.observe_duration();
+        Version::HTTP_11 => "HTTP/1.1",
-
+        Version::HTTP_2 => "HTTP/2.0",
-    let version_str = match &metric_types.version {
+        Version::HTTP_3 => "HTTP/3.0",
-        &Version::HTTP_11 => "HTTP/1.1",
+        Version::HTTP_10 => "HTTP/1.0",
-        &Version::HTTP_2 => "HTTP/2.0",
-        &Version::HTTP_3 => "HTTP/3.0",
-        &Version::HTTP_10 => "HTTP/1.0",
         _ => "Unknown",
     };
-    REQUESTS_BY_VERSION.with_label_values(&[&version_str]).inc();
+    REQUESTS_BY_VERSION.with_label_values(&[version_str]).inc();
     RESPONSE_CODES.with_label_values(&[metric_types.code.unwrap_or(StatusCode::GONE).as_str()]).inc();
-    REQUESTS_BY_METHOD.with_label_values(&[&metric_types.method]).inc();
+    REQUESTS_BY_METHOD.with_label_values(&[metric_types.method.as_str()]).inc();
     REQUESTS_BY_UPSTREAM.with_label_values(&[metric_types.upstream.as_ref()]).inc();
     RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
 }
+
+pub fn get_memory_usage() -> usize {
+    epoch::mib().unwrap().advance().unwrap(); // refresh stats
+    stats::allocated::mib().unwrap().read().unwrap() // bytes allocated
+}
+
+pub fn get_open_files() -> usize {
+    std::fs::read_dir("/proc/self/fd").map(|dir| dir.count()).unwrap_or(0)
+}

src/utils/parceyaml.rs

@@ -3,25 +3,62 @@ use crate::utils::state::{is_first_run, mark_not_first_run};
 use crate::utils::structs::*;
 use crate::utils::tools::{clone_dashmap, clone_dashmap_into, print_upstreams};
 use dashmap::DashMap;
+use log::LevelFilter;
 use log::{error, info, warn};
+use log4rs::{
+    append::{console::ConsoleAppender, file::FileAppender},
+    config::{Appender, Config as Log4rsConfig, Root},
+    encode::pattern::PatternEncoder,
+};
 use std::collections::HashMap;
 use std::path::Path;
 use std::sync::atomic::AtomicUsize;
 use std::sync::{Arc, LazyLock};
 use std::{env, fs};
 
-pub static DOMAINS: LazyLock<DashMap<String, bool>> = LazyLock::new(|| DashMap::new());
+pub static DOMAINS: LazyLock<DashMap<String, bool>> = LazyLock::new(DashMap::new);
 
 pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>, String) {
     let mut conf_files = Vec::new();
     let yaml_data = match kind {
-        "filepath" => match fs::read_to_string(d) {
+        "filepath" => {
-            Ok(data) => {
+            let mut data = String::new();
+            let mut last_error = None;
+            for _ in 0..5 {
+                match fs::read_to_string(d) {
+                    Ok(content) => {
+                        if !content.trim().is_empty() {
+                            data = content;
+                            break;
+                        }
+                    }
+                    Err(e) => {
+                        error!("Config read failed, retrying...");
+                        last_error = Some(e);
+                    }
+                }
+                tokio::time::sleep(std::time::Duration::from_millis(10)).await;
+            }
+            if data.is_empty() {
+                let err_msg = match last_error {
+                    Some(e) => {
+                        error!("Reading: {}: {:?}", d, e);
+                        e.to_string()
+                    }
+                    None => {
+                        error!("Reading: {}: File is empty after retries", d);
+                        "File is empty".to_string()
+                    }
+                };
+                warn!("Running with empty upstreams list, update it via API");
+                return (None, err_msg);
+            }
+
             let mut confdir = Path::new(d).parent().unwrap().to_path_buf();
             let mut autocfg = Path::new(d).parent().unwrap().to_path_buf();
 
             autocfg.push("autoconfigs");
-                if !fs::metadata(autocfg.clone()).is_ok() {
+            if fs::metadata(autocfg.clone()).is_err() {
                 fs::create_dir_all(autocfg.clone()).ok();
             }
             autocfg.push("domains.json");
@@ -60,12 +97,6 @@ pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>,
             info!("Reading upstreams from {}", d);
             data
         }
-            Err(e) => {
-                error!("Reading: {}: {:?}", d, e);
-                warn!("Running with empty upstreams list, update it via API");
-                return (None, e.to_string());
-            }
-        },
         "content" => {
             info!("Reading upstreams from API post body");
             d.to_string()
@@ -79,6 +110,7 @@ pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>,
     let mut parsed: Config = match serde_yml::from_str(&yaml_data) {
         Ok(cfg) => cfg,
         Err(e) => {
+            println!("================================================");
             error!("Failed to parse upstreams file: {}", e);
             return (None, e.to_string());
         }
@@ -130,6 +162,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
             }
         }
     }
+
     let global_headers: DashMap<Arc<str>, Vec<(String, Arc<str>)>> = DashMap::new();
     global_headers.insert(Arc::from("/"), ch);
     config.client_headers.insert(Arc::from("GLOBAL_CLIENT_HEADERS"), global_headers);
@@ -148,6 +181,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
     config.extraparams.to_https = parsed.to_https;
     config.extraparams.sticky_sessions = parsed.sticky_sessions;
     config.extraparams.rate_limit = parsed.rate_limit;
+    config.extraparams.x4xx_limit = parsed.x4xx_limit;
 
     if let Some(rate) = &parsed.rate_limit {
         info!("Applied Global Rate Limit : {} request per second", rate);
@@ -156,7 +190,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
     if let Some(pa) = &parsed.authorization {
         let y: InnerAuth = InnerAuth {
             auth_type: Arc::from(pa.auth_type.clone()),
-            auth_cred: Arc::from(pa.auth_cred.clone()),
+            auth_cred: Arc::from(pa.auth_cred.clone().unwrap_or_default()),
         };
         config.extraparams.authentication = Some(Arc::from(y));
     }
@@ -185,10 +219,11 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                     if let Some(pa) = &path_config.authorization {
                         let y: InnerAuth = InnerAuth {
                             auth_type: Arc::from(pa.auth_type.clone()),
-                            auth_cred: Arc::from(pa.auth_cred.clone()),
+                            auth_cred: Arc::from(pa.auth_cred.clone().unwrap_or_default()),
                         };
                         path_auth = Some(Arc::from(y));
                     }
+
                     let redirect_link = path_config.redirect_to.as_ref().map(|www| Arc::from(www.as_str()));
                     if let Some((ip, port_str)) = server.split_once(':') {
                         if let Ok(port) = port_str.parse::<u16>() {
@@ -199,6 +234,7 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                                 is_http2: false,
                                 to_https: path_config.to_https.unwrap_or(false),
                                 rate_limit: path_config.rate_limit,
+                                x4xx_limit: path_config.x4xx_limit,
                                 healthcheck: path_config.healthcheck,
                                 redirect_to: redirect_link,
                                 authorization: path_auth,
@@ -222,15 +258,20 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
             clone_dashmap_into(&r, &config.upstreams);
         }
         info!("Upstream Config:");
-        print_upstreams(&config.upstreams);
+        print_upstreams(&config.upstreams, &config.extraparams);
     }
 }
 pub fn parce_main_config(path: &str) -> AppConfig {
     let data = fs::read_to_string(path).unwrap();
     let reply = DashMap::new();
-    let cfg: HashMap<String, String> = serde_yml::from_str(&*data).expect("Failed to parse main config file");
+    let cfg: HashMap<String, String> = serde_yml::from_str(&data).expect("Failed to parse main config file");
-    let mut cfo: AppConfig = serde_yml::from_str(&*data).expect("Failed to parse main config file");
+    let mut cfo: AppConfig = serde_yml::from_str(&data).expect("Failed to parse main config file");
-    log_builder(&cfo);
+
+    if let Ok(jwt_key) = env::var("JWT_KEY") {
+        cfo.master_key = Some(jwt_key);
+    };
+
+    log_builder(&cfo, &cfo.log_file);
     cfo.hc_method = cfo.hc_method.to_uppercase();
     for (k, v) in cfg {
         reply.insert(k.to_string(), v.to_string());
@@ -240,14 +281,6 @@ pub fn parce_main_config(path: &str) -> AppConfig {
             cfo.local_server = Option::from((ip.to_string(), port));
         }
     }
-    // if let Some(tlsport_cfg) = cfo.proxy_address_tls.clone() {
-    //     if let Some((_, port_str)) = tlsport_cfg.split_once(':') {
-    //         if let Ok(port) = port_str.parse::<u16>() {
-    //             cfo.proxy_port_tls = Some(port);
-    //         }
-    //     }
-    // };
-
     if let Some(tlsport_cfg) = cfo.proxy_address_tls.clone() {
         if let Some((_, port_str)) = tlsport_cfg.split_once(':') {
             cfo.proxy_port_tls = Some(port_str.to_string());
@@ -289,25 +322,6 @@ fn parce_tls_grades(what: Option<String>) -> Option<String> {
     }
 }
 
-fn log_builder(conf: &AppConfig) {
-    let log_level = conf.log_level.clone();
-    unsafe {
-        match log_level.as_str() {
-            "info" => env::set_var("RUST_LOG", "info"),
-            "error" => env::set_var("RUST_LOG", "error"),
-            "warn" => env::set_var("RUST_LOG", "warn"),
-            "debug" => env::set_var("RUST_LOG", "debug"),
-            "trace" => env::set_var("RUST_LOG", "trace"),
-            "off" => env::set_var("RUST_LOG", "off"),
-            _ => {
-                println!("Error reading log level, defaulting to: INFO");
-                env::set_var("RUST_LOG", "info")
-            }
-        }
-    }
-    env_logger::builder().init();
-}
-
 pub fn build_headers(path_config: &Option<Vec<String>>, _config: &Configuration, hl: &mut Vec<(String, Arc<str>)>) {
     if let Some(headers) = &path_config {
         for header in headers {
@@ -317,3 +331,35 @@ pub fn build_headers(path_config: &Option<Vec<String>>, _config: &Configuration,
         }
     }
 }
+
+fn log_builder(conf: &AppConfig, location: &Option<String>) {
+    let log_level = match conf.log_level.as_str() {
+        "info" => LevelFilter::Info,
+        "error" => LevelFilter::Error,
+        "warn" => LevelFilter::Warn,
+        "debug" => LevelFilter::Debug,
+        "trace" => LevelFilter::Trace,
+        "off" => LevelFilter::Off,
+        _ => {
+            println!("Error reading log level, defaulting to: INFO");
+            LevelFilter::Info
+        }
+    };
+    // let pattern = "{d(%Y-%m-%d %H:%M:%S)} {l} {t} - {m}{n}";
+    let pattern = "{d(%Y-%m-%d %H:%M:%S)} {l} {t} - {m}\n";
+    if let Some(location) = location {
+        let file = FileAppender::builder().encoder(Box::new(PatternEncoder::new(pattern))).build(location).unwrap();
+        let config = Log4rsConfig::builder()
+            .appender(Appender::builder().build("file", Box::new(file)))
+            .build(Root::builder().appender("file").build(log_level))
+            .unwrap();
+        log4rs::init_config(config).unwrap();
+    } else {
+        let stdout = ConsoleAppender::builder().encoder(Box::new(PatternEncoder::new(pattern))).build();
+        let config = Log4rsConfig::builder()
+            .appender(Appender::builder().build("stdout", Box::new(stdout)))
+            .build(Root::builder().appender("stdout").build(log_level))
+            .unwrap();
+        log4rs::init_config(config).unwrap();
+    }
+}

src/utils/structs.rs

@@ -14,9 +14,10 @@ pub type Headers = DashMap<Arc<str>, DashMap<Arc<str>, Vec<(String, Arc<str>)>>>
 #[derive(Clone, Debug, Default)]
 pub struct Extraparams {
     pub to_https: Option<bool>,
-    pub sticky_sessions: bool,
+    pub sticky_sessions: Option<u64>,
     pub authentication: Option<Arc<InnerAuth>>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
 }
 
 #[derive(Debug, Default, Clone, Serialize, Deserialize)]
@@ -25,8 +26,9 @@ pub struct GlobalServiceMapping {
     pub hostname: String,
     pub path: Option<String>,
     pub to_https: Option<bool>,
-    pub sticky_sessions: Option<bool>,
+    pub sticky_sessions: Option<u64>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub client_headers: Option<Vec<String>>,
     pub server_headers: Option<Vec<String>>,
 }
@@ -48,7 +50,7 @@ pub struct Consul {
 pub struct Config {
     pub provider: String,
     pub to_https: Option<bool>,
-    pub sticky_sessions: bool,
+    pub sticky_sessions: Option<u64>,
     #[serde(default)]
     pub upstreams: Option<HashMap<String, HostConfig>>,
     #[serde(default)]
@@ -65,28 +67,30 @@ pub struct Config {
     pub kubernetes: Option<Kubernetes>,
     #[serde(default)]
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
 }
 
 #[derive(Debug, Default, Serialize, Deserialize)]
 pub struct HostConfig {
     pub paths: HashMap<String, PathConfig>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
 }
 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct Auth {
     #[serde(rename = "type")]
     pub auth_type: String,
     #[serde(rename = "data")]
-    pub auth_cred: String,
+    pub auth_cred: Option<String>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]
 pub struct PathConfig {
     pub servers: Vec<String>,
     pub to_https: Option<bool>,
-    pub sticky_sessions: Option<bool>,
     pub client_headers: Option<Vec<String>>,
     pub server_headers: Option<Vec<String>>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub healthcheck: Option<bool>,
     pub redirect_to: Option<String>,
     pub authorization: Option<Auth>,
@@ -108,7 +112,7 @@ pub struct AppConfig {
     pub hc_method: String,
     pub upstreams_conf: String,
     pub log_level: String,
-    pub master_key: String,
+    pub master_key: Option<String>,
     pub config_address: String,
     pub proxy_address_http: String,
     pub config_api_enabled: bool,
@@ -125,15 +129,16 @@ pub struct AppConfig {
     pub file_server_folder: Option<String>,
     pub runuser: Option<String>,
     pub rungroup: Option<String>,
+    pub log_file: Option<String>,
 }
 
-#[derive(Debug, Default, Clone, PartialEq, Eq)]
+#[derive(Debug, Default, Clone, PartialEq, Eq, Hash)]
 pub struct InnerAuth {
     pub auth_type: Arc<str>,
     pub auth_cred: Arc<str>,
 }
 
-#[derive(Debug, Clone, PartialEq, Eq)]
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub struct InnerMap {
     pub address: Arc<str>,
     pub port: u16,
@@ -141,6 +146,7 @@ pub struct InnerMap {
     pub is_http2: bool,
     pub to_https: bool,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub healthcheck: Option<bool>,
     pub redirect_to: Option<Arc<str>>,
     pub authorization: Option<Arc<InnerAuth>>,
@@ -156,6 +162,7 @@ impl InnerMap {
             is_http2: Default::default(),
             to_https: Default::default(),
             rate_limit: Default::default(),
+            x4xx_limit: Default::default(),
             healthcheck: Default::default(),
             redirect_to: Default::default(),
             authorization: Default::default(),
@@ -171,6 +178,7 @@ pub struct InnerMapForJson {
     pub is_http2: bool,
     pub to_https: bool,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub healthcheck: Option<bool>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]

src/utils/tools.rs

@@ -1,6 +1,6 @@
 use crate::tls::load;
 use crate::tls::load::CertificateConfig;
-use crate::utils::structs::{InnerMap, InnerMapForJson, UpstreamSnapshotForJson, UpstreamsDashMap, UpstreamsIdMap};
+use crate::utils::structs::{InnerMap, InnerMapForJson, Extraparams, UpstreamSnapshotForJson, UpstreamsDashMap, UpstreamsIdMap};
 use dashmap::DashMap;
 use log::{error, info};
 use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
@@ -20,30 +20,30 @@ use std::sync::Arc;
 use std::time::{Duration, Instant};
 use std::{fs, process, thread, time};
 
-#[allow(dead_code)]
+pub fn print_upstreams(upstreams: &UpstreamsDashMap, extraparams: &Extraparams) {
-pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
+    let mut out = String::new();
     for host_entry in upstreams.iter() {
-        let hostname = host_entry.key();
+        writeln!(out, "Hostname: {}", host_entry.key()).unwrap();
-        println!("Hostname: {}", hostname);
-
         for path_entry in host_entry.value().iter() {
-            let path = path_entry.key();
+            writeln!(out, "    Path: {}", path_entry.key()).unwrap();
-            println!("    Path: {}", path);
             for f in path_entry.value().0.clone() {
-                println!(
+                writeln!(
-                    "        IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}, Rate Limit: {}",
+                    out,
+                    "        IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}, Rate Limit: {}, 4xx Limit: {}",
                     f.address,
                     f.port,
                     f.is_ssl,
                     f.is_http2,
                     f.to_https,
-                    f.rate_limit.unwrap_or(0)
+                    f.rate_limit.unwrap_or(extraparams.rate_limit.unwrap_or(0)),
-                );
+                    f.x4xx_limit.unwrap_or(extraparams.x4xx_limit.unwrap_or(0))
+                )
+                .unwrap();
             }
         }
     }
+    info!("\n{}", out.trim_end());
 }
-
 #[allow(dead_code)]
 pub fn typeoff<T>(_: T) {
     let to = type_name::<T>();
@@ -101,47 +101,32 @@ pub fn clone_dashmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsDashMap
 }
 
 pub fn compare_dashmaps(map1: &UpstreamsDashMap, map2: &UpstreamsDashMap) -> bool {
-    let keys1: HashSet<_> = map1.iter().map(|entry| entry.key().clone()).collect();
+    if map1.len() != map2.len() {
-    let keys2: HashSet<_> = map2.iter().map(|entry| entry.key().clone()).collect();
-    if keys1 != keys2 {
         return false;
     }
     for entry1 in map1.iter() {
-        let hostname = entry1.key();
+        let Some(inner_map2) = map2.get(entry1.key()) else {
-        let inner_map1 = entry1.value();
-        let Some(inner_map2) = map2.get(hostname) else {
             return false;
         };
-        let inner_keys1: HashSet<_> = inner_map1.iter().map(|e| e.key().clone()).collect();
+        let inner_map1 = entry1.value();
-        let inner_keys2: HashSet<_> = inner_map2.iter().map(|e| e.key().clone()).collect();
+        if inner_map1.len() != inner_map2.len() {
-        if inner_keys1 != inner_keys2 {
             return false;
         }
         for path_entry in inner_map1.iter() {
-            let path = path_entry.key();
+            let Some(entry2) = inner_map2.get(path_entry.key()) else {
-            let (vec1, _counter1) = path_entry.value();
+                return false;
-            let Some(entry2) = inner_map2.get(path) else {
-                return false; // Path exists in map1 but not in map2
             };
-            let (vec2, _counter2) = entry2.value();
+            let (vec1, _) = path_entry.value();
-
+            let (vec2, _) = entry2.value();
             if vec1.len() != vec2.len() {
                 return false;
             }
-            for item in vec1.iter() {
+            let set1: HashSet<_> = vec1.iter().collect();
-                let count1 = vec1.iter().filter(|&x| x == item).count();
+            let set2: HashSet<_> = vec2.iter().collect();
-                let count2 = vec2.iter().filter(|&x| x == item).count();
+            if set1 != set2 {
-                if count1 != count2 {
                 return false;
             }
         }
-
-            // let set1: HashSet<_> = vec1.iter().collect();
-            // let set2: HashSet<_> = vec2.iter().collect();
-            // if set1 != set2 {
-            //     return false;
-            // }
-        }
     }
     true
 }
@@ -150,7 +135,7 @@ pub fn merge_headers(target: &DashMap<Arc<str>, Vec<(String, Arc<str>)>>, source
     for entry in source.iter() {
         let global_key = entry.key().clone();
         let global_values = entry.value().clone();
-        let mut target_entry = target.entry(global_key).or_insert_with(Vec::new);
+        let mut target_entry = target.entry(global_key).or_default();
         target_entry.extend(global_values);
     }
 }
@@ -168,13 +153,14 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                 let mut id = String::new();
                 write!(
                     &mut id,
-                    "{}:{}:{}:{}:{}:{}:{}:{:?}",
+                    "{}:{}:{}:{}:{}:{}:{}:{}:{:?}",
                     outer_entry.key(),
                     x.address,
                     x.port,
                     x.is_http2,
                     x.to_https,
                     x.rate_limit.unwrap_or_default(),
+                    x.x4xx_limit.unwrap_or_default(),
                     x.healthcheck.unwrap_or_default(),
                     x.authorization
                 )
@@ -193,13 +179,13 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                     is_http2: false,
                     to_https: false,
                     rate_limit: None,
+                    x4xx_limit: None,
                     healthcheck: None,
                     redirect_to: None,
                     authorization: None,
                 };
                 cloned.insert(id, Arc::from(to_add));
-                cloned.insert(hh, Arc::from(x.to_owned()));
+                cloned.insert(hh, x.to_owned());
-                // println!("CLONNED  :===========> {:?}", cloned);
             }
             new_inner_map.insert(path.clone(), new_vec);
         }
@@ -268,14 +254,14 @@ pub fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Optio
     thread::sleep(time::Duration::from_millis(10));
     loop {
         thread::sleep(time::Duration::from_millis(10));
-        if port_is_available(http_addr.clone()) {
+        if TcpListener::bind(&http_addr).is_err() {
             break;
         }
     }
     if let Some(tls_addr) = tls_addr {
         loop {
             thread::sleep(time::Duration::from_millis(10));
-            if port_is_available(tls_addr.clone()) {
+            if TcpListener::bind(&tls_addr).is_err() {
                 break;
             }
         }
@@ -287,25 +273,15 @@ pub fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Optio
     }
 }
 
-fn port_is_available(addr: String) -> bool {
-    match TcpListener::bind(addr) {
-        Ok(_) => false,
-        Err(_) => true,
-    }
-}
-
 pub fn check_priv(addr: &str) {
     let port = SocketAddr::from_str(addr).map(|sa| sa.port()).unwrap();
-    match port < 1024 {
+    if port < 1024 {
-        true => {
         let meta = std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap();
         if meta != 0 {
             error!("Running on privileged port requires to start as ROOT");
             process::exit(1)
         }
     }
-        false => {}
-    }
 }
 
 #[allow(dead_code)]
@@ -330,6 +306,7 @@ pub fn upstreams_to_json(upstreams: &UpstreamsDashMap) -> serde_json::Result<Str
                             is_http2: a.is_http2,
                             to_https: a.to_https,
                             rate_limit: a.rate_limit,
+                            x4xx_limit: a.x4xx_limit,
                             healthcheck: a.healthcheck,
                         })
                         .collect(),
@@ -397,7 +374,7 @@ pub fn prepend(prefix: &str, val: &Option<Arc<str>>, uri: &str, port: &str) -> O
         let mut buf = String::with_capacity(32);
         buf.push_str(prefix);
         buf.push_str(s);
-        buf.push_str(":");
+        buf.push(':');
         buf.push_str(port);
         buf.push_str(uri);
         buf

src/web/bgservice.rs

@@ -32,19 +32,20 @@ impl BackgroundService for LB {
                 let file_load = FromFileProvider {
                     path: self.config.upstreams_conf.clone(),
                 };
-                let _ = tokio::spawn(async move { file_load.start(tx).await });
+                // let _ = tokio::spawn(async move { file_load.start(tx).await });
+                drop(tokio::spawn(async move { file_load.start(tx).await }));
             }
             "kubernetes" => {
                 info!("Running Kubernetes discovery, requested type is: {}", config.typecfg);
                 let cf = Arc::from(config);
                 let kuber_load = KubernetesProvider { config: cf.clone() };
-                let _ = tokio::spawn(async move { kuber_load.start(tx).await });
+                drop(tokio::spawn(async move { kuber_load.start(tx).await }));
             }
             "consul" => {
                 info!("Running Consul discovery, requested type is: {}", config.typecfg);
                 let cf = Arc::from(config);
                 let consul_load = ConsulProvider { config: cf.clone() };
-                let _ = tokio::spawn(async move { consul_load.start(tx).await });
+                drop(tokio::spawn(async move { consul_load.start(tx).await }));
             }
             _ => {
                 error!("Unknown discovery type: {}", config.typecfg);
@@ -57,7 +58,8 @@ impl BackgroundService for LB {
         let api_load = APIUpstreamProvider {
             address: self.config.config_address.clone(),
             masterkey: self.config.master_key.clone(),
-            config_api_enabled: self.config.config_api_enabled.clone(),
+            config_api_enabled: self.config.config_api_enabled,
+            upstreams_file: self.config.upstreams_conf.clone(),
             // certs_dir: self.config.proxy_certificates.clone().unwrap_or_else(|| "/tmp".to_string()),
             config_dir: confdir.clone(),
             certs_dir: certdir.clone(),
@@ -71,14 +73,16 @@ impl BackgroundService for LB {
         };
         // let crtdir = api_load.certs_dir.clone();
         // let tx_api = tx.clone();
-        let _ = tokio::spawn(async move { api_load.start(tx_api).await });
+        drop(tokio::spawn(async move { api_load.start(tx_api).await }));
 
         let uu = self.ump_upst.clone();
         let ff = self.ump_full.clone();
         let im = self.ump_byid.clone();
         let (hc_method, hc_interval) = (self.config.hc_method.clone(), self.config.hc_interval);
-        let _ = tokio::spawn(async move { healthcheck::hc2(uu, ff, im, (&*hc_method.to_string(), hc_interval.to_string().parse().unwrap())).await });
+        drop(tokio::spawn(async move {
-        let _ = tokio::spawn(async move { refresh_order(certdir, confdir).await });
+            healthcheck::hc2(uu, ff, im, (&*hc_method.to_string(), hc_interval.to_string().parse().unwrap())).await
+        }));
+        drop(tokio::spawn(async move { refresh_order(certdir, confdir).await }));
 
         loop {
             tokio::select! {
@@ -86,8 +90,7 @@ impl BackgroundService for LB {
                     break;
                 }
                 val = rx.next() => {
-                    match val {
+                    if let Some(ss) = val {
-                        Some(ss) => {
                         clone_dashmap_into(&ss.upstreams, &self.ump_full);
                         clone_dashmap_into(&ss.upstreams, &self.ump_upst);
                         let current = self.extraparams.load_full();
@@ -96,10 +99,10 @@ impl BackgroundService for LB {
                         new.sticky_sessions = ss.extraparams.sticky_sessions;
                         new.authentication = ss.extraparams.authentication.clone();
                         new.rate_limit = ss.extraparams.rate_limit;
+                        new.x4xx_limit = ss.extraparams.x4xx_limit;
                         self.extraparams.store(Arc::new(new));
                         self.client_headers.clear();
                         self.server_headers.clear();
-
                         for entry in ss.upstreams.iter() {
                             let global_key = entry.key().clone();
                             let client_global_values = DashMap::new();
@@ -111,7 +114,6 @@ impl BackgroundService for LB {
                             server_target_entry.extend(server_global_values);
                             self.server_headers.insert(server_target_entry.key().to_owned(), server_target_entry.value().to_owned());
                         }
-
                         for path in ss.client_headers.iter() {
                             let path_key = path.key().clone();
                             let path_headers = path.value().clone();
@@ -122,7 +124,6 @@ impl BackgroundService for LB {
                                 }
                             }
                         }
-
                         for path in ss.server_headers.iter() {
                             let path_key = path.key().clone();
                             let path_headers = path.value().clone();
@@ -133,10 +134,6 @@ impl BackgroundService for LB {
                                 }
                             }
                         }
-                            // info!("Upstreams list is changed, updating to:");
-                            // print_upstreams(&self.ump_full);
-                        }
-                        None => {}
                     }
                 }
             }

src/web/gethosts.rs

@@ -19,9 +19,6 @@ pub trait GetHost {
 }
 #[async_trait]
 impl GetHost for LB {
-    // fn get_upstreams(&self) -> Arc<UpstreamsDashMap> {
-    //     self.ump_full.clone()
-    // }
     fn get_host(&self, peer: &str, path: &str, backend_id: Option<&str>) -> Option<Arc<InnerMap>> {
         if let Some(b) = backend_id {
             if let Some(bb) = self.ump_byid.get(b) {

src/web/proxyhttp.rs

@@ -7,27 +7,27 @@ use async_trait::async_trait;
 use axum::body::Bytes;
 use dashmap::DashMap;
 use log::{debug, error, warn};
+use moka::sync::Cache;
 use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::prelude::*;
 use pingora::ErrorSource::Upstream;
 use pingora_core::listeners::ALPN;
 use pingora_core::prelude::HttpPeer;
-// use pingora_core::protocols::TcpKeepalive;
 use pingora_limits::rate::Rate;
 use pingora_proxy::{ProxyHttp, Session};
-// use prometheus::{register_int_counter, IntCounter};
 use sha2::{Digest, Sha256};
 use std::cell::RefCell;
 use std::fmt::Write;
+use std::net::IpAddr;
 use std::sync::{Arc, LazyLock};
 use std::time::Duration;
 use tokio::time::Instant;
 
-// static RATE_LIMITER: Lazy<Rate> = Lazy::new(|| Rate::new(Duration::from_secs(1)));
+static REVERSE_STORE: LazyLock<DashMap<String, String>> = LazyLock::new(DashMap::new);
-// static REVERSE_STORE: Lazy<DashMap<String, String>> = Lazy::new(|| DashMap::new());
-static REVERSE_STORE: LazyLock<DashMap<String, String>> = LazyLock::new(|| DashMap::new());
 thread_local! {static IP_BUFFER: RefCell<String> = RefCell::new(String::with_capacity(50));}
 pub static RATE_LIMITER: LazyLock<Rate> = LazyLock::new(|| Rate::new(Duration::from_secs(1)));
+pub static REQUESTS_4XX: LazyLock<Cache<IpAddr, u32>> = LazyLock::new(|| Cache::builder().time_to_live(Duration::from_secs(1)).build());
+pub static LOCALHOST: LazyLock<Arc<str>> = LazyLock::new(|| Arc::from("localhost"));
 
 #[derive(Clone)]
 pub struct LB {
@@ -42,13 +42,12 @@ pub struct LB {
 
 pub struct Context {
     backend_id: Option<String>,
-    sticky_sessions: bool,
-    // redirect_to: Option<String>,
     start_time: Instant,
     hostname: Option<Arc<str>>,
     upstream_peer: Option<Arc<InnerMap>>,
     extraparams: arc_swap::Guard<Arc<Extraparams>>,
     client_headers: Option<Vec<(String, Arc<str>)>>,
+    x4xx_limit: Option<u32>,
 }
 
 #[async_trait]
@@ -57,20 +56,20 @@ impl ProxyHttp for LB {
     fn new_ctx(&self) -> Self::CTX {
         Context {
             backend_id: None,
-            sticky_sessions: false,
-            // redirect_to: None,
             start_time: Instant::now(),
             hostname: None,
             upstream_peer: None,
             extraparams: self.extraparams.load(),
             client_headers: None,
+            x4xx_limit: None,
         }
     }
     async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
+        ACTIVE_SESSIONS.inc();
         let hostname = return_header_host_from_upstream(session, &self.ump_upst);
         _ctx.hostname = hostname;
         let mut backend_id = None;
-        if _ctx.extraparams.sticky_sessions {
+        if let Some(_) = _ctx.extraparams.sticky_sessions {
             if let Some(cookies) = session.req_header().headers.get("cookie") {
                 if let Ok(cookie_str) = cookies.to_str() {
                     if let Some(pos) = cookie_str.find("backend_id=") {
@@ -89,13 +88,28 @@ impl ProxyHttp for LB {
                     None => return Ok(false),
                     Some(ref innermap) => {
                         if let Some(auth) = _ctx.extraparams.authentication.as_ref().or(innermap.authorization.as_ref()) {
-                            if !authenticate(&auth.auth_type, &auth.auth_cred, session).await {
+                            if !authenticate(&auth, session).await {
                                 let _ = session.respond_error(401).await;
                                 warn!("Forbidden: {:?}, {}", session.client_addr(), session.req_header().uri.path());
                                 return Ok(true);
                             }
                         }
-
+                        if let Some(rate) = innermap.x4xx_limit.or(_ctx.extraparams.x4xx_limit) {
+                            _ctx.x4xx_limit = innermap.x4xx_limit;
+                            let rate_key = session.client_addr().and_then(|addr| addr.as_inet()).map(|inet| inet.ip());
+                            if let Some(rk) = rate_key {
+                                let count = REQUESTS_4XX.get(&rk).unwrap_or(0);
+                                if count > rate {
+                                    let header = ResponseHeader::build(429, None)?;
+                                    session.set_keepalive(None);
+                                    session.write_response_header(Box::new(header), true).await?;
+                                    if let (Some(oi), Some(oa)) = (&_ctx.hostname, rate_key) {
+                                        warn!("Limit 4XX: {}-rps exceed on {} from {} path {}", rate, oi, oa, session.req_header().uri.path());
+                                    }
+                                    return Ok(true);
+                                }
+                            }
+                        }
                         if let Some(rate) = innermap.rate_limit.or(_ctx.extraparams.rate_limit) {
                             let rate_key = session.client_addr().and_then(|addr| addr.as_inet()).map(|inet| inet.ip());
                             let curr_window_requests = RATE_LIMITER.observe(&rate_key, 1);
@@ -103,7 +117,9 @@ impl ProxyHttp for LB {
                                 let header = ResponseHeader::build(429, None)?;
                                 session.set_keepalive(None);
                                 session.write_response_header(Box::new(header), true).await?;
-                                debug!("Rate limited: {:?}, {}", rate_key, rate);
+                                if let (Some(oi), Some(oa)) = (&_ctx.hostname, rate_key) {
+                                    warn!("Limit: {}-rps exceed on {} from {}", rate, oi, oa);
+                                }
                                 return Ok(true);
                             }
                         }
@@ -132,8 +148,8 @@ impl ProxyHttp for LB {
                                         s.push_str("https://");
                                         s.push_str(host);
                                         if port != "443" {
-                                            s.push_str(":");
+                                            s.push(':');
-                                            s.push_str(&port);
+                                            s.push_str(port);
                                         }
                                         s.push_str(uri);
                                         let mut resp = ResponseHeader::build(StatusCode::MOVED_PERMANENTLY, None)?;
@@ -165,22 +181,7 @@ impl ProxyHttp for LB {
                         peer.options.verify_cert = false;
                         peer.options.verify_hostname = false;
                     }
-                    /*
+                    if let Some(_) = ctx.extraparams.sticky_sessions {
-                    Experimental optionsv
-                    The following TCP optimizations were tested but caused performance degrade under heavy load:
-                    peer.options.tcp_keepalive = Some(TcpKeepalive {
-                        idle: Duration::from_secs(60),
-                        interval: Duration::from_secs(10),
-                        count: 5,
-                        user_timeout: Duration::from_secs(30),
-                    });
-
-                    peer.options.idle_timeout = Some(Duration::from_secs(300));
-                    peer.options.tcp_recv_buf = Some(128 * 1024);
-                    End of experimental options
-                    */
-
-                    if ctx.extraparams.sticky_sessions {
                         let mut s = String::with_capacity(64);
                         write!(
                             &mut s,
@@ -196,7 +197,6 @@ impl ProxyHttp for LB {
                         )
                         .unwrap_or(());
                         ctx.backend_id = Some(s);
-                        ctx.sticky_sessions = true;
                     }
                     Ok(peer)
                 }
@@ -229,15 +229,11 @@ impl ProxyHttp for LB {
     }
 
     async fn upstream_request_filter(&self, session: &mut Session, upstream_request: &mut RequestHeader, ctx: &mut Self::CTX) -> Result<()> {
-        // if let Some(hostname) = ctx.hostname.as_deref() {
+        if let Some(ip) = session.client_addr().and_then(|a| a.as_inet()).map(|i| i.ip()) {
-        //     upstream_request.insert_header("Host", hostname)?;
-        // }
-
-        if let Some(client_ip) = session.client_addr() {
             IP_BUFFER.with(|buffer| {
                 let mut buf = buffer.borrow_mut();
                 buf.clear();
-                write!(buf, "{}", client_ip).unwrap_or(());
+                write!(buf, "{}", ip).unwrap_or(());
                 upstream_request.append_header("X-Forwarded-For", buf.as_str()).unwrap_or(false);
             });
         }
@@ -260,7 +256,7 @@ impl ProxyHttp for LB {
         Ok(())
     }
     async fn response_filter(&self, _session: &mut Session, _upstream_response: &mut ResponseHeader, ctx: &mut Self::CTX) -> Result<()> {
-        if ctx.sticky_sessions {
+        if let Some(val) = ctx.extraparams.sticky_sessions {
             if let Some(bid) = &ctx.backend_id {
                 let tt = if let Some(existing) = REVERSE_STORE.get(bid) {
                     existing.value().clone()
@@ -278,7 +274,11 @@ impl ProxyHttp for LB {
                 let mut buf = String::with_capacity(80);
                 buf.push_str("backend_id=");
                 buf.push_str(&tt);
-                buf.push_str("; Path=/; Max-Age=600; HttpOnly; SameSite=Lax");
+                buf.push_str("; Path=/; Max-Age=");
+                buf.push_str(&val.to_string());
+                buf.push_str("; HttpOnly; SameSite=Lax");
+                // buf.push_str("; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax");
+                // println!("{}", buf);
                 let _ = _upstream_response.insert_header("set-cookie", buf.as_str());
             }
         }
@@ -288,9 +288,6 @@ impl ProxyHttp for LB {
                 _upstream_response.append_header(k.clone(), v.as_ref())?;
             }
         }
-
-        // session.set_keepalive(Some(300));
-        // println!("session.get_keepalive: {:?}", session.get_keepalive());
         Ok(())
     }
 
@@ -302,10 +299,18 @@ impl ProxyHttp for LB {
             code: session.response_written().map(|resp| resp.status),
             latency: ctx.start_time.elapsed(),
             version: session.req_header().version,
-            // upstream: ctx.hostname.clone().unwrap_or(Arc::from("localhost")),
+            upstream: ctx.hostname.take().unwrap_or_else(|| LOCALHOST.clone()),
-            upstream: ctx.hostname.take().unwrap_or_else(|| Arc::from("localhost")),
         };
         calc_metrics(m);
+        ACTIVE_SESSIONS.dec();
+        if let Some(_) = ctx.x4xx_limit.or(ctx.extraparams.x4xx_limit) {
+            if 400 <= response_code && response_code <= 499 {
+                if let Some(ip) = session.client_addr().and_then(|a| a.as_inet()).map(|i| i.ip()) {
+                    let current = REQUESTS_4XX.get(&ip).unwrap_or(0);
+                    REQUESTS_4XX.insert(ip, current + 1);
+                }
+            }
+        }
     }
 }
 
@@ -316,5 +321,6 @@ fn return_header_host_from_upstream(session: &Session, ump_upst: &UpstreamsDashM
         let h = session.req_header().headers.get("host")?.to_str().ok()?;
         h.split_once(':').map_or(h, |(host, _)| host)
     };
-    ump_upst.get(host_str).map(|entry| entry.key().clone())
+
+    ump_upst.get(host_str).or_else(|| ump_upst.get("DEFAULT")).map(|entry| entry.key().clone())
 }

src/web/start.rs

@@ -15,10 +15,10 @@ use pingora_core::prelude::{background_service, Opt};
 use pingora_core::server::Server;
 use std::sync::mpsc::{channel, Receiver, Sender};
 use std::sync::Arc;
-use std::thread;
+use std::{fs, thread};
 pub fn run() {
     // default_provider().install_default().expect("Failed to install rustls crypto provider");
-    let parameters = Some(Opt::parse_args()).unwrap();
+    let parameters = Opt::parse_args();
     let file = parameters.conf.clone().unwrap();
     let maincfg = crate::utils::parceyaml::parce_main_config(file.as_str());
 
@@ -33,9 +33,10 @@ pub fn run() {
 
     let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams {
         to_https: None,
-        sticky_sessions: false,
+        sticky_sessions: None,
         authentication: None,
         rate_limit: None,
+        x4xx_limit: None,
     }));
 
     let cfg = Arc::new(maincfg);
@@ -60,12 +61,14 @@ pub fn run() {
 
     check_priv(bind_address_http.as_str());
 
-    match bind_address_tls {
+    if let Some(bind_address_tls) = bind_address_tls {
-        Some(bind_address_tls) => {
         check_priv(bind_address_tls.as_str());
         let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
-            // let certs_path = cfg.proxy_certificates.clone().unwrap();
         let certs_path = cfg.proxy_configs.clone().unwrap() + "/certificates";
+
+        if fs::metadata(certs_path.clone()).is_err() {
+            fs::create_dir_all(certs_path.clone()).unwrap();
+        }
         thread::spawn(move || {
             watch_folder(certs_path, tx).unwrap();
         });
@@ -91,17 +94,12 @@ pub fn run() {
         thread::spawn(move || {
             while let Ok(new_configs) = rx.recv() {
                 let new_certs = load::Certificates::new(&new_configs, grade.as_str());
-                    match new_certs {
+                if let Some(new_certs) = new_certs {
-                        Some(new_certs) => {
                     certs_for_watcher.store(Arc::new(new_certs));
-                        }
-                        None => {}
                 };
             }
         });
     }
-        None => {}
-    }
     info!("Running HTTP listener on :{}", bind_address_http.as_str());
     proxy.add_tcp(bind_address_http.as_str());
     server.add_service(proxy);

src/web/webserver.rs

@@ -1,27 +1,25 @@
-// use std::net::SocketAddr;
 use crate::tls::acme::order::CHALLENGES;
-// use axum_server::tls_openssl::OpenSSLConfig;
 use crate::tls::acme::{account, order};
 use crate::utils::discovery::APIUpstreamProvider;
 use crate::utils::jwt::Claims;
+use crate::utils::metrics::{get_memory_usage, get_open_files, MEMORY_USAGE, OPEN_FILES};
 use crate::utils::structs::{Config, Configuration, UpstreamsDashMap};
 use crate::utils::tools::{upstreams_liveness_json, upstreams_to_json};
 use axum::body::Body;
 use axum::extract::{Query, State};
-use axum::http::{header::HeaderMap, Response, StatusCode};
+use axum::http::{Response, StatusCode};
 use axum::response::IntoResponse;
 use axum::routing::{any, get, post};
 use axum::{Json, Router};
 use futures::channel::mpsc::Sender;
 use futures::SinkExt;
 use jsonwebtoken::{encode, EncodingKey, Header};
-use log::{error, info, warn};
+use log::{debug, error, info, warn};
 use prometheus::{gather, Encoder, TextEncoder};
 use serde::Serialize;
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
-use subtle::ConstantTimeEq;
 use tokio::net::TcpListener;
 use tower_http::services::ServeDir;
 
@@ -32,9 +30,10 @@ struct OutToken {
 
 #[derive(Clone)]
 struct AppState {
-    master_key: String,
+    master_key: Option<String>,
     cert_creds: String,
     certs_dir: String,
+    upstreams_file: String,
     config_sender: Sender<Configuration>,
     config_api_enabled: bool,
     current_upstreams: Arc<UpstreamsDashMap>,
@@ -48,18 +47,14 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
         master_key: config.masterkey.clone(),
         cert_creds: credsfile,
         certs_dir: config.certs_dir.clone(),
+        upstreams_file: config.upstreams_file.clone(),
         config_sender: to_return.clone(),
-        config_api_enabled: config.config_api_enabled.clone(),
+        config_api_enabled: config.config_api_enabled,
         current_upstreams: upstreams_curr,
         full_upstreams: upstreams_full,
     };
     let app = Router::new()
         // .route("/{*wildcard}", get(senderror))
-        // .route("/{*wildcard}", post(senderror))
-        // .route("/{*wildcard}", put(senderror))
-        // .route("/{*wildcard}", head(senderror))
-        // .route("/{*wildcard}", delete(senderror))
-        // .nest_service("/static", static_files)
         .route("/jwt", post(jwt_gen))
         .route("/acme_create", any(acme_create))
         .route("/acme_order/{*domain}", any(acme_order))
@@ -68,24 +63,11 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
         .route("/metrics", get(metrics))
         .route("/status", get(status))
         .with_state(app_state);
-
-    // if let Some(value) = &config.tls_address {
-    //     let cf = OpenSSLConfig::from_pem_file(config.tls_certificate.clone().unwrap(), config.tls_key_file.clone().unwrap()).unwrap();
-    //     let addr: SocketAddr = value.parse().expect("Unable to parse socket address");
-    //     let tls_app = app.clone();
-    //     tokio::spawn(async move {
-    //         if let Err(e) = axum_server::bind_openssl(addr, cf).serve(tls_app.into_make_service()).await {
-    //             eprintln!("TLS server failed: {}", e);
-    //         }
-    //     });
-    //     info!("Starting the TLS API server on: {}", value);
-    // }
-
     if let (Some(address), Some(folder)) = (&config.file_server_address, &config.file_server_folder) {
         let static_files = ServeDir::new(folder);
         let static_serve: Router = Router::new().fallback_service(static_files);
         let static_listen = TcpListener::bind(address).await.unwrap();
-        let _ = tokio::spawn(async move { axum::serve(static_listen, static_serve).await.unwrap() });
+        drop(tokio::spawn(async move { axum::serve(static_listen, static_serve).await.unwrap() }));
     }
 
     let listener = TcpListener::bind(config.address.clone()).await.unwrap();
@@ -93,37 +75,45 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
     axum::serve(listener, app).await.unwrap();
 }
 
-async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap, content: String) -> impl IntoResponse {
+async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
     if !st.config_api_enabled {
         return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Config API is disabled !\n")).unwrap();
     }
-    // if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
+
-    if key_authorization(&headers, &params, &st.master_key) {
     let strcontent = content.as_str();
     let parsed = serde_yml::from_str::<Config>(strcontent);
     match parsed {
         Ok(_) => {
-                let _ = tokio::spawn(async move { apply_config(content.as_str(), st).await });
+            if let Some(_) = params.get("save") {
-                return Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap();
+                drop(tokio::spawn(async move { apply_config(content.as_str(), st, true).await }));
+            } else {
+                drop(tokio::spawn(async move { apply_config(content.as_str(), st, false).await }));
+            }
+            Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap()
         }
         Err(err) => {
             error!("Failed to parse upstreams file: {}", err);
-                return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap();
+            Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap()
         }
     }
-    }
-    Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap()
 }
 
-async fn apply_config(content: &str, mut st: AppState) {
+async fn apply_config(content: &str, mut st: AppState, save: bool) {
     let sl = crate::utils::parceyaml::load_configuration(content, "content").await;
     if let Some(serverlist) = sl.0 {
+        if save {
+            info!("Saving new upstreams to: {}", st.upstreams_file);
+            if let Err(err) = std::fs::write(&st.upstreams_file, content) {
+                error!("Error saving to: {} : {}", st.upstreams_file, err);
+            }
+        }
         let _ = st.config_sender.send(serverlist).await;
     }
 }
 
 async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) -> (StatusCode, Json<OutToken>) {
-    if payload.master_key == state.master_key {
+    if let Some(master_key) = &state.master_key {
+        if &payload.master_key == master_key {
             let now = SystemTime::now() + Duration::from_secs(payload.exp * 60);
             let expire = now.duration_since(UNIX_EPOCH).unwrap_or_default().as_secs();
 
@@ -136,7 +126,7 @@ async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) ->
             match encode(&Header::default(), &claim, &EncodingKey::from_secret(payload.master_key.as_ref())) {
                 Ok(t) => {
                     let tok = OutToken { token: t };
-                info!("Generating token: {:?}", tok.token);
+                    debug!("Generating token: {:?}", tok.token);
                     (StatusCode::CREATED, Json(tok))
                 }
                 Err(e) => {
@@ -152,9 +142,19 @@ async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) ->
             warn!("Unauthorised JWT generate request: {:?}", tok);
             (StatusCode::FORBIDDEN, Json(tok))
         }
+    } else {
+        let tok = OutToken {
+            token: "ERROR Getting JWT_KEY environment variable".to_string(),
+        };
+        error!("ERROR Getting JWT_KEY environment variable");
+        (StatusCode::INTERNAL_SERVER_ERROR, Json(tok))
+    }
 }
 
 async fn metrics() -> impl IntoResponse {
+    MEMORY_USAGE.set(get_memory_usage() as i64);
+    OPEN_FILES.set(get_open_files() as i64);
+
     let metric_families = gather();
     let encoder = TextEncoder::new();
     let mut buffer = Vec::new();
@@ -172,8 +172,9 @@ async fn metrics() -> impl IntoResponse {
         .unwrap()
 }
 
+#[allow(clippy::needless_return)]
 async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>) -> impl IntoResponse {
-    if let Some(_) = params.get("live") {
+    if params.contains_key("live") {
         let r = upstreams_liveness_json(&st.full_upstreams, &st.current_upstreams);
         return Response::builder()
             .status(StatusCode::OK)
@@ -181,7 +182,7 @@ async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String,
             .body(Body::from(format!("{}", r)))
             .unwrap();
     }
-    if let Some(_) = params.get("all") {
+    if params.contains_key("all") {
         let resp = upstreams_to_json(&st.current_upstreams);
         match resp {
             Ok(j) => {
@@ -201,16 +202,13 @@ async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String,
     }
     Response::builder()
         .status(StatusCode::INTERNAL_SERVER_ERROR)
-        .body(Body::from(format!("{}", "Parameter mismatch")))
+        .body(Body::from("Parameter mismatch"))
         .unwrap()
 }
 
-async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap) -> impl IntoResponse {
+#[allow(clippy::needless_return)]
-    if !key_authorization(&headers, &params, &state.master_key) {
+async fn acme_create(State(state): State<AppState>) -> impl IntoResponse {
-        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
+    match account::load_or_create(state.cert_creds.as_str()).await {
-    }
-
-    let _ = match account::load_or_create(state.cert_creds.as_str()).await {
         Ok(txt) => {
             return Response::builder()
                 .status(StatusCode::OK)
@@ -226,18 +224,10 @@ async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap
         }
     };
 }
-async fn acme_order(
+#[allow(clippy::needless_return)]
-    State(state): State<AppState>,
+async fn acme_order(State(state): State<AppState>, axum::extract::Path(domain): axum::extract::Path<String>) -> impl IntoResponse {
-    axum::extract::Path(domain): axum::extract::Path<String>,
-    Query(params): Query<HashMap<String, String>>,
-    headers: HeaderMap,
-) -> impl IntoResponse {
-    if !key_authorization(&headers, &params, &state.master_key) {
-        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
-    }
-
     let domain_clean = domain.trim_matches('/');
-    let _ = match order::order(domain_clean, state.cert_creds.as_str(), state.certs_dir).await {
+    match order::order(domain_clean, state.cert_creds.as_str(), state.certs_dir).await {
         Ok(txt) => {
             return Response::builder()
                 .status(StatusCode::OK)
@@ -275,11 +265,4 @@ pub async fn http01_challenge(axum::extract::Path(token): axum::extract::Path<St
         .unwrap()
 }
 
-fn key_authorization(headers: &HeaderMap, params: &HashMap<String, String>, masterkey: &str) -> bool {
+// -- ⚝ by Dave -- in NeoVim ⚝ --
-    if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
-        if s.as_bytes().ct_eq(masterkey.as_bytes()).into() {
-            return true;
-        }
-    }
-    false
-}