Merge pull request #23 from sadoyan/dev

New features, 4xx counter
2026-05-30 03:44:06 +08:00 · 2026-05-22 16:57:07 +02:00 · 2026-05-22 16:56:33 +02:00 · 2026-05-22 16:52:27 +02:00 · 2026-05-22 16:47:40 +02:00 · 2026-05-21 18:34:46 +02:00
18 changed files with 498 additions and 283 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ crashlytics.properties
 crashlytics-build.properties
 /target
 /z_shpo
 Makefile
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -60,6 +60,15 @@ version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 [[package]]
 name = "android_system_properties"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
 dependencies = [
 "libc",
 ]
 [[package]]
 name = "anstream"
 version = "1.0.0"
@@ -128,11 +137,11 @@ dependencies = [
 "base64",
 "ctrlc",
 "dashmap",
 "env_logger",
 "futures",
 "instant-acme",
 "jsonwebtoken",
 "log",
 "log4rs",
 "mimalloc",
 "moka",
 "notify",
@@ -517,7 +526,9 @@ version = "0.4.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
 dependencies = [
 "iana-time-zone",
 "num-traits",
 "windows-link",
 ]
 [[package]]
@@ -895,6 +906,34 @@ dependencies = [
 "syn 2.0.117",
 ]
 [[package]]
 name = "derive_more"
 version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d751e9e49156b02b44f9c1815bcb94b984cdcc4396ecc32521c739452808b134"
 dependencies = [
 "derive_more-impl",
 ]
 [[package]]
 name = "derive_more-impl"
 version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb"
 dependencies = [
 "proc-macro2",
 "quote",
 "rustc_version",
 "syn 2.0.117",
 "unicode-xid",
 ]
 [[package]]
 name = "destructure_traitobject"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c877555693c14d2f84191cfd3ad8582790fc52b5e2274b40b59cf5f5cea25c7"
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -1020,29 +1059,6 @@ dependencies = [
 "cfg-if",
 ]
 [[package]]
 name = "env_filter"
 version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32e90c2accc4b07a8456ea0debdc2e7587bdd890680d71173a15d4ae604f6eef"
 dependencies = [
 "log",
 "regex",
 ]
 [[package]]
 name = "env_logger"
 version = "0.11.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0621c04f2196ac3f488dd583365b9c09be011a4ab8b9f37248ffcc8f6198b56a"
 dependencies = [
 "anstream",
 "anstyle",
 "env_filter",
 "jiff",
 "log",
 ]
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -1463,6 +1479,12 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 [[package]]
 name = "humantime"
 version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424"
 [[package]]
 name = "hybrid-array"
 version = "0.4.11"
@@ -1549,6 +1571,30 @@ dependencies = [
 "windows-registry",
 ]
 [[package]]
 name = "iana-time-zone"
 version = "0.1.65"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
 dependencies = [
 "android_system_properties",
 "core-foundation-sys",
 "iana-time-zone-haiku",
 "js-sys",
 "log",
 "wasm-bindgen",
 "windows-core",
 ]
 [[package]]
 name = "iana-time-zone-haiku"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
 dependencies = [
 "cc",
 ]
 [[package]]
 name = "icu_collections"
 version = "2.2.0"
@@ -1750,30 +1796,6 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 [[package]]
 name = "jiff"
 version = "0.2.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f00b5dbd620d61dfdcb6007c9c1f6054ebd75319f163d886a9055cec1155073d"
 dependencies = [
 "jiff-static",
 "log",
 "portable-atomic",
 "portable-atomic-util",
 "serde_core",
 ]
 [[package]]
 name = "jiff-static"
 version = "0.2.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e000de030ff8022ea1da3f466fbb0f3a809f5e51ed31f6dd931c35181ad8e6d7"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
 name = "jni"
 version = "0.22.4"
@@ -1976,6 +1998,44 @@ name = "log"
 version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 dependencies = [
 "serde_core",
 ]
 [[package]]
 name = "log-mdc"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a94d21414c1f4a51209ad204c1776a3d0765002c76c6abcb602a6f09f1e881c7"
 [[package]]
 name = "log4rs"
 version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3e947bb896e702c711fccc2bf02ab2abb6072910693818d1d6b07ee2b9dfd86c"
 dependencies = [
 "anyhow",
 "arc-swap",
 "chrono",
 "derive_more",
 "fnv",
 "humantime",
 "libc",
 "log",
 "log-mdc",
 "mock_instant",
 "parking_lot",
 "rand 0.9.4",
 "serde",
 "serde-value",
 "serde_json",
 "serde_yaml",
 "thiserror 2.0.18",
 "thread-id",
 "typemap-ors",
 "unicode-segmentation",
 "winapi",
 ]
 [[package]]
 name = "lru"
@@ -2066,6 +2126,12 @@ dependencies = [
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "mock_instant"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dce6dd36094cac388f119d2e9dc82dc730ef91c32a6222170d630e5414b956e6"
 [[package]]
 name = "moka"
 version = "0.12.15"
@@ -2372,6 +2438,15 @@ dependencies = [
 "vcpkg",
 ]
 [[package]]
 name = "ordered-float"
 version = "2.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
 dependencies = [
 "num-traits",
 ]
 [[package]]
 name = "p256"
 version = "0.13.2"
@@ -2777,15 +2852,6 @@ version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 [[package]]
 name = "portable-atomic-util"
 version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a106d1259c23fac8e543272398ae0e3c0b8d33c88ed73d0cc71b0f1d902618"
 dependencies = [
 "portable-atomic",
 ]
 [[package]]
 name = "potential_utf"
 version = "0.1.5"
@@ -3452,6 +3518,16 @@ dependencies = [
 "serde_derive",
 ]
 [[package]]
 name = "serde-value"
 version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
 dependencies = [
 "ordered-float",
 "serde",
 ]
 [[package]]
 name = "serde_core"
 version = "1.0.228"
@@ -3816,6 +3892,16 @@ dependencies = [
 "syn 2.0.117",
 ]
 [[package]]
 name = "thread-id"
 version = "5.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2010d27add3f3240c1fef7959f46c814487b216baee662af53be645ba7831c07"
 dependencies = [
 "libc",
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "thread_local"
 version = "1.1.9"
@@ -4119,6 +4205,15 @@ version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
 [[package]]
 name = "typemap-ors"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a68c24b707f02dd18f1e4ccceb9d49f2058c2fb86384ef9972592904d7a28867"
 dependencies = [
 "unsafe-any-ors",
 ]
 [[package]]
 name = "typenum"
 version = "1.20.0"
@@ -4137,12 +4232,27 @@ version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 [[package]]
 name = "unicode-segmentation"
 version = "1.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c"
 [[package]]
 name = "unicode-xid"
 version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
 [[package]]
 name = "unsafe-any-ors"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e0a303d30665362d9680d7d91d78b23f5f899504d4f08b3c4cf08d055d87c0ad"
 dependencies = [
 "destructure_traitobject",
 ]
 [[package]]
 name = "unsafe-libyaml"
 version = "0.2.11"
@@ -4388,6 +4498,22 @@ dependencies = [
 "rustls-pki-types",
 ]
 [[package]]
 name = "winapi"
 version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
 ]
 [[package]]
 name = "winapi-i686-pc-windows-gnu"
 version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 [[package]]
 name = "winapi-util"
 version = "0.1.11"
@@ -4397,6 +4523,47 @@ dependencies = [
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 [[package]]
 name = "windows-core"
 version = "0.62.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
 dependencies = [
 "windows-implement",
 "windows-interface",
 "windows-link",
 "windows-result",
 "windows-strings",
 ]
 [[package]]
 name = "windows-implement"
 version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
 name = "windows-interface"
 version = "0.59.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
 name = "windows-link"
 version = "0.2.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -20,7 +20,6 @@ pingora-proxy = "0.8.0"
 pingora-http = "0.8.0"
 pingora-limits = "0.8.0"
 async-trait = "0.1.89"
 env_logger = "0.11.10"
 log = "0.4.29"
 futures = "0.3.32"
 notify = "9.0.0-rc.4"
@@ -48,3 +47,4 @@ moka = { version = "0.12.15", features = ["sync"] }
 ahash = "0.8.12"
 instant-acme = "0.8.5"
 rcgen = "0.14.7"
 log4rs = "1.4.0"
--- a/13
+++ b/13
@@ -0,0 +1,13 @@
 FROM debian:trixie-slim
 RUN apt-get update && apt-get install -y ca-certificates curl net-tools iputils-ping
 RUN apt-get clean && rm -rf /var/lib/apt/lists/*
 COPY aralez /usr/local/bin/aralez
 RUN chmod +x /usr/local/bin/aralez
 RUN mkdir -p /etc/aralez/certs/upstreams
 WORKDIR /etc/aralez
 ENTRYPOINT ["/usr/local/bin/aralez", "-c", "/etc/aralez/main.yaml"]
--- a/23
+++ b/23
@@ -1,23 +0,0 @@
 update:
 	cargo update --verbose
 features:
 	cargo features
 checkup:
 	cargo clippy --workspace --all-targets --all-features -- -D warnings
 	cargo check --workspace --all-targets --all-features
 fix:
 	cargo fix
 fix-all:
 	cargo fix --all
 	cargo clippy --workspace --all-targets --all-features --fix
 test:
 	cargo test --workspace --all-targets --all-features
 .PHONY: update features checkup fix fix-all test
 # -- ⚝ by Dave -- in NeoVim ⚝ --
--- a/README.md
+++ b/README.md
@@ -22,8 +22,8 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 ## Key Features
 - **Dynamic Config Reloads** — Upstreams can be updated live via API, no restart required.
- **Yes loading of certificates** — Auto load certificates from a folder, without a restart.
+- **Autoload of certificates** — Automatically loads new/changed certificates from a folder, without a restart.
- **Let’s Encrypt Certificates** — Yes ordering and renewal of SSL/TLS certificates via the HTTP-01 challenge
+- **Let’s Encrypt Certificates** — Ordering and renewal of SSL/TLS certificates via the HTTP-01 challenge.
 - **Upstreams TLS detection** — Aralez will automatically detect if upstreams uses secure connection.
 - **Built in rate limiter** — Globar or route limit requests to upstreams.
 - **Authentication** — Supports Basic Auth, API tokens, and JWT verification.
@@ -37,8 +37,8 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
    - `file` Upstreams are declared in config file.
    - `consul` Upstreams are dynamically updated from Hashicorp Consul.
    - `kubernetes` Upstreams are dynamically updated from kubernetes api server.
- **Yes WebSocket Support:** WS connection upgrades are handled automatically.
+- **Auto WebSocket Support:** WS connection upgrades are handled automatically.
- **Yes gRPC Support:** gRPC detected and handled automatically.
+- **Auto gRPC Support:** gRPC detected and handled automatically.
 - **Header Injection:** Global and per-route server/client headers injection.
 - **Remote Config Push:** Lightweight HTTP API to update configs from CI/CD or other systems.
 - **Memory Safe** — 100% Rust.
@@ -51,7 +51,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 ### `main.yaml`
 | Key                              | Example Value            | Description                                                                                        |
-|----------------------------------|------------------------|----------------------------------------------------------------------------------------------------|
+|----------------------------------|--------------------------|----------------------------------------------------------------------------------------------------|
 | **threads**                      | 12                       | Number of running daemon threads. Optional, defaults to 1                                          |
 | **runuser**                      | aralez                   | Optional, Username for running aralez after dropping root privileges, requires to launch as root   |
 | **rungroup**                     | aralez                   | Optional,Group for running aralez after dropping root privileges, requires to launch as root       |
@@ -68,6 +68,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 | **proxy_configs**                | etc/                     | The top directory of config files                                                                  |
 | **upstreams_conf**               | etc/upstreams.yaml       | The location of upstreams file                                                                     |
 | **log_level**                    | info                     | Log level , possible values : info, warn, error, debug, trace, off                                 |
 | **log_file**                     | /full/path/to/aralez.log | Optional, the location of log file. If thi entry does not exist logs will be emitted to stdout.    |
 | **hc_method**                    | HEAD                     | Healthcheck method (HEAD, GET, POST are supported) UPPERCASE                                       |
 | **hc_interval**                  | 2                        | Interval for health checks in seconds                                                              |
 | **master_key**                   | Random long string       | Master key for working with API server and JWT Secret generation                                   |
@@ -109,11 +110,7 @@ For getting the best performance on newer hardware use `aralez-x86_64-*.gz`.
 **Via docker**
 ```shell
-docker run -d \
+docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 sadoyan/aralez
  -v /local/path/to/config:/etc/aralez:ro \
  -p 80:80 \
  -p 443:443 \
  sadoyan/aralez
 ```
 ## Running the Proxy
@@ -163,9 +160,10 @@ systemctl restart aralez.service.
 ```yaml
 provider: "file"
-sticky_sessions: false
+sticky_sessions: 8600
 to_https: false
-rate_limit: 10
+rate_limit: 20
 x4xx_limit: 20
 server_headers:
  - "X-Forwarded-Proto:https"
  - "X-Forwarded-Port:443"
@@ -176,7 +174,8 @@ client_headers:
 myhost.mydomain.com:
  paths:
    "/":
-      rate_limit: 20
+      rate_limit: 10
      x4xx_limit: 10
      to_https: false
      server_headers:
        - "X-Something-Else:Foobar"
@@ -210,15 +209,20 @@ DEFAULT:
 **This means:**
- Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
+- Sticky sessions are enabled globally. This setting applies to all upstreams. If enabled the value withh be set for `Max-Age=` cookie.
 - HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
 - All upstreams will receive custom headers : `X-Forwarded-Proto:https` and `X-Forwarded-Port:443`
 - Additionally, myhost.mydomain.com with path `/` will receive custom headers : `X-Another-Header:Hohohohoho` and `X-Something-Else:Foobar`
- Requests to each hosted domains will be limited to 10 requests per second per virtualhost.
+- Requests with response 4xx to each hosted domains will be limited to 20 requests per second per virtualhost.
    - Requests limits are calculated per requester ip plus requested virtualhost.
    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to each hosted domains will be limited to 20 requests per second per virtualhost.
    - Requests limits are calculated per requester ip plus requested virtualhost.
    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to `myhost.mydomain.com/` will be limited to 20 requests per second.
 - Requests with 4xx responses to `myhost.mydomain.com/` will be limited to 10 requests per second.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
 - Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
 - `myhost.mydomain.com/foo` will require authentication with JWT token, signed by `266463d1-210a-4787-9a81-4aacb37a8723`.
@@ -230,10 +234,8 @@ DEFAULT:
 - Global headers (CORS for this case) will be injected to all upstreams.
 - Additional headers will be injected into the request for `myhost.mydomain.com`.
 - You can choose any path, deep nested paths are supported, the best match chosen.
 - All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
    - Firs parameter specifies the mechanism of authorisation `jwt`
    - Second is the secret key for validating `jwt` tokens
 - `DEFAULT` catch up everything else and proxy to `127.0.0.1:3000`
    - This is a special upstream and in order to do the catch-up jub it must be **DEFAULT** all capitals
 ---
--- a/src/utils/auth.rs
+++ b/src/utils/auth.rs
@@ -1,21 +1,17 @@
-use crate::utils::jwt::check_jwt;
+use crate::utils::jwt::{check_jwt, JWT_TOKEN};
-// use reqwest::Client;
+use crate::utils::structs::InnerAuth;
 use axum::http::StatusCode;
 use base64::engine::general_purpose::STANDARD;
 use base64::Engine;
 use pingora_proxy::Session;
 use std::collections::HashMap;
 use std::sync::{Arc, LazyLock};
 use subtle::ConstantTimeEq;
 use urlencoding::decode;
 // use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::http::RequestHeader;
 // --------------------------------- //
 use pingora_core::connectors::http::Connector;
 use pingora_core::upstreams::peer::HttpPeer;
 use pingora_http::ResponseHeader;
-// --------------------------------- //
+use pingora_proxy::Session;
 use std::collections::HashMap;
 use std::sync::LazyLock;
 use subtle::ConstantTimeEq;
 use urlencoding::decode;
 #[async_trait::async_trait]
 trait AuthValidator {
@@ -23,7 +19,7 @@ trait AuthValidator {
 }
 struct BasicAuth<'a>(&'a str);
 struct ApiKeyAuth<'a>(&'a str);
-struct JwtAuth<'a>(&'a str);
+struct JwtAuth();
 struct ForwardAuth<'a>(&'a str);
 pub static AUTH_CONNECTOR: LazyLock<Connector> = LazyLock::new(|| Connector::new(None));
@@ -180,17 +176,18 @@ impl AuthValidator for ApiKeyAuth<'_> {
 }
 #[async_trait::async_trait]
-impl AuthValidator for JwtAuth<'_> {
+impl AuthValidator for JwtAuth {
    async fn validate(&self, session: &mut Session) -> bool {
-        let jwtsecret = self.0;
+        if let Some(jwtsecret) = JWT_TOKEN.clone() {
            if let Some(tok) = get_query_param(session, "araleztoken") {
-            return check_jwt(tok.as_str(), jwtsecret);
+                return check_jwt(tok.as_str(), jwtsecret.as_ref());
            }
            if let Some(auth_header) = session.get_header("authorization") {
                if let Ok(header_str) = auth_header.to_str() {
                    if let Some((scheme, token)) = header_str.split_once(' ') {
                        if scheme.eq_ignore_ascii_case("bearer") {
-                        return check_jwt(token, jwtsecret);
+                            return check_jwt(token, jwtsecret.as_ref());
                        }
                    }
                }
            }
@@ -199,14 +196,14 @@ impl AuthValidator for JwtAuth<'_> {
    }
 }
-pub async fn authenticate(auth_type: &Arc<str>, credentials: &Arc<str>, session: &mut Session) -> bool {
+pub async fn authenticate(auth: &InnerAuth, session: &mut Session) -> bool {
-    match &**auth_type {
+    match &*auth.auth_type {
-        "basic" => BasicAuth(credentials).validate(session).await,
+        "basic" => BasicAuth(&*auth.auth_cred).validate(session).await,
-        "apikey" => ApiKeyAuth(credentials).validate(session).await,
+        "apikey" => ApiKeyAuth(&*auth.auth_cred).validate(session).await,
-        "jwt" => JwtAuth(credentials).validate(session).await,
+        "jwt" => JwtAuth().validate(session).await,
-        "forward" => ForwardAuth(credentials).validate(session).await,
+        "forward" => ForwardAuth(&*auth.auth_cred).validate(session).await,
        _ => {
-            log::warn!("Unsupported authentication mechanism : {}", auth_type);
+            log::warn!("Unsupported authentication mechanism : {}", &*auth.auth_type);
            false
        }
    }
--- a/src/utils/discovery.rs
+++ b/src/utils/discovery.rs
@@ -9,13 +9,10 @@ use std::sync::Arc;
 pub struct APIUpstreamProvider {
    pub config_api_enabled: bool,
    pub address: String,
-    pub masterkey: String,
+    pub masterkey: Option<String>,
    pub certs_dir: String,
    pub config_dir: String,
    pub upstreams_file: String,
    // pub tls_address: Option<String>,
    // pub tls_certificate: Option<String>,
    // pub tls_key_file: Option<String>,
    pub file_server_address: Option<String>,
    pub file_server_folder: Option<String>,
    pub current_upstreams: Arc<UpstreamsDashMap>,
--- a/src/utils/healthcheck.rs
+++ b/src/utils/healthcheck.rs
@@ -69,6 +69,7 @@ async fn build_upstreams(fullist: &UpstreamsDashMap, method: &str, client: &Clie
                    is_http2: is_h2,
                    to_https: upstream.to_https,
                    rate_limit: upstream.rate_limit,
                    x4xx_limit: upstream.x4xx_limit,
                    healthcheck: upstream.healthcheck,
                    redirect_to: upstream.redirect_to.clone(),
                    authorization: upstream.authorization.clone(),
--- a/src/utils/httpclient.rs
+++ b/src/utils/httpclient.rs
@@ -32,6 +32,7 @@ pub async fn for_consul(url: String, token: Option<String>, conf: &GlobalService
            is_http2: false,
            to_https: conf.to_https.unwrap_or(false),
            rate_limit: conf.rate_limit,
            x4xx_limit: conf.x4xx_limit,
            redirect_to: None,
            healthcheck: None,
            authorization: None,
@@ -68,6 +69,7 @@ pub async fn for_kuber(url: &str, token: &str, conf: &GlobalServiceMapping) -> O
                            is_http2: false,
                            to_https: conf.to_https.unwrap_or(false),
                            rate_limit: conf.rate_limit,
                            x4xx_limit: conf.x4xx_limit,
                            healthcheck: None,
                            redirect_to: None,
                            authorization: None,
--- a/src/utils/jwt.rs
+++ b/src/utils/jwt.rs
@@ -4,8 +4,9 @@ use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use moka::sync::Cache;
 use moka::Expiry;
 use serde::{Deserialize, Serialize};
 use std::env;
 use std::hash::{Hash, Hasher};
-use std::sync::LazyLock;
+use std::sync::{Arc, LazyLock};
 use std::time::{Duration, Instant, SystemTime};
 #[derive(Debug, Serialize, Deserialize)]
@@ -23,6 +24,11 @@ struct Expired {
 static JWT_VALIDATION: LazyLock<Validation> = LazyLock::new(|| Validation::new(Algorithm::HS256));
 pub static JWT_TOKEN: LazyLock<Option<Arc<str>>> = LazyLock::new(|| match env::var("JWT_KEY") {
    Ok(key) if !key.is_empty() => Some(Arc::from(key.as_str())),
    _ => None,
 });
 static JWT_CACHE: LazyLock<Cache<u64, u64>> = LazyLock::new(|| Cache::builder().max_capacity(100_000).expire_after(JwtExpiry).build());
 struct JwtExpiry;
 impl Expiry<u64, u64> for JwtExpiry {
--- a/src/utils/parceyaml.rs
+++ b/src/utils/parceyaml.rs
@@ -3,7 +3,13 @@ use crate::utils::state::{is_first_run, mark_not_first_run};
 use crate::utils::structs::*;
 use crate::utils::tools::{clone_dashmap, clone_dashmap_into, print_upstreams};
 use dashmap::DashMap;
 use log::LevelFilter;
 use log::{error, info, warn};
 use log4rs::{
    append::{console::ConsoleAppender, file::FileAppender},
    config::{Appender, Config as Log4rsConfig, Root},
    encode::pattern::PatternEncoder,
 };
 use std::collections::HashMap;
 use std::path::Path;
 use std::sync::atomic::AtomicUsize;
@@ -79,6 +85,7 @@ pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>,
    let mut parsed: Config = match serde_yml::from_str(&yaml_data) {
        Ok(cfg) => cfg,
        Err(e) => {
            println!("================================================");
            error!("Failed to parse upstreams file: {}", e);
            return (None, e.to_string());
        }
@@ -130,6 +137,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
            }
        }
    }
    let global_headers: DashMap<Arc<str>, Vec<(String, Arc<str>)>> = DashMap::new();
    global_headers.insert(Arc::from("/"), ch);
    config.client_headers.insert(Arc::from("GLOBAL_CLIENT_HEADERS"), global_headers);
@@ -148,6 +156,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
    config.extraparams.to_https = parsed.to_https;
    config.extraparams.sticky_sessions = parsed.sticky_sessions;
    config.extraparams.rate_limit = parsed.rate_limit;
    config.extraparams.x4xx_limit = parsed.x4xx_limit;
    if let Some(rate) = &parsed.rate_limit {
        info!("Applied Global Rate Limit : {} request per second", rate);
@@ -156,7 +165,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
    if let Some(pa) = &parsed.authorization {
        let y: InnerAuth = InnerAuth {
            auth_type: Arc::from(pa.auth_type.clone()),
-            auth_cred: Arc::from(pa.auth_cred.clone()),
+            auth_cred: Arc::from(pa.auth_cred.clone().unwrap_or_default()),
        };
        config.extraparams.authentication = Some(Arc::from(y));
    }
@@ -185,10 +194,11 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                    if let Some(pa) = &path_config.authorization {
                        let y: InnerAuth = InnerAuth {
                            auth_type: Arc::from(pa.auth_type.clone()),
-                            auth_cred: Arc::from(pa.auth_cred.clone()),
+                            auth_cred: Arc::from(pa.auth_cred.clone().unwrap_or_default()),
                        };
                        path_auth = Some(Arc::from(y));
                    }
                    let redirect_link = path_config.redirect_to.as_ref().map(|www| Arc::from(www.as_str()));
                    if let Some((ip, port_str)) = server.split_once(':') {
                        if let Ok(port) = port_str.parse::<u16>() {
@@ -199,6 +209,7 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                                is_http2: false,
                                to_https: path_config.to_https.unwrap_or(false),
                                rate_limit: path_config.rate_limit,
                                x4xx_limit: path_config.x4xx_limit,
                                healthcheck: path_config.healthcheck,
                                redirect_to: redirect_link,
                                authorization: path_auth,
@@ -230,7 +241,12 @@ pub fn parce_main_config(path: &str) -> AppConfig {
    let reply = DashMap::new();
    let cfg: HashMap<String, String> = serde_yml::from_str(&data).expect("Failed to parse main config file");
    let mut cfo: AppConfig = serde_yml::from_str(&data).expect("Failed to parse main config file");
-    log_builder(&cfo);
+
    if let Ok(jwt_key) = env::var("JWT_KEY") {
        cfo.master_key = Some(jwt_key);
    };
    log_builder(&cfo, &cfo.log_file);
    cfo.hc_method = cfo.hc_method.to_uppercase();
    for (k, v) in cfg {
        reply.insert(k.to_string(), v.to_string());
@@ -240,14 +256,6 @@ pub fn parce_main_config(path: &str) -> AppConfig {
            cfo.local_server = Option::from((ip.to_string(), port));
        }
    }
    // if let Some(tlsport_cfg) = cfo.proxy_address_tls.clone() {
    //     if let Some((_, port_str)) = tlsport_cfg.split_once(':') {
    //         if let Ok(port) = port_str.parse::<u16>() {
    //             cfo.proxy_port_tls = Some(port);
    //         }
    //     }
    // };
    if let Some(tlsport_cfg) = cfo.proxy_address_tls.clone() {
        if let Some((_, port_str)) = tlsport_cfg.split_once(':') {
            cfo.proxy_port_tls = Some(port_str.to_string());
@@ -289,25 +297,6 @@ fn parce_tls_grades(what: Option<String>) -> Option<String> {
    }
 }
 fn log_builder(conf: &AppConfig) {
    let log_level = conf.log_level.clone();
    unsafe {
        match log_level.as_str() {
            "info" => env::set_var("RUST_LOG", "info"),
            "error" => env::set_var("RUST_LOG", "error"),
            "warn" => env::set_var("RUST_LOG", "warn"),
            "debug" => env::set_var("RUST_LOG", "debug"),
            "trace" => env::set_var("RUST_LOG", "trace"),
            "off" => env::set_var("RUST_LOG", "off"),
            _ => {
                println!("Error reading log level, defaulting to: INFO");
                env::set_var("RUST_LOG", "info")
            }
        }
    }
    env_logger::builder().init();
 }
 pub fn build_headers(path_config: &Option<Vec<String>>, _config: &Configuration, hl: &mut Vec<(String, Arc<str>)>) {
    if let Some(headers) = &path_config {
        for header in headers {
@@ -317,3 +306,34 @@ pub fn build_headers(path_config: &Option<Vec<String>>, _config: &Configuration,
        }
    }
 }
 fn log_builder(conf: &AppConfig, location: &Option<String>) {
    let log_level = match conf.log_level.as_str() {
        "info" => LevelFilter::Info,
        "error" => LevelFilter::Error,
        "warn" => LevelFilter::Warn,
        "debug" => LevelFilter::Debug,
        "trace" => LevelFilter::Trace,
        "off" => LevelFilter::Off,
        _ => {
            println!("Error reading log level, defaulting to: INFO");
            LevelFilter::Info
        }
    };
    let pattern = "{d(%Y-%m-%d %H:%M:%S)} {l} {t} - {m}{n}";
    if let Some(location) = location {
        let file = FileAppender::builder().encoder(Box::new(PatternEncoder::new(pattern))).build(location).unwrap();
        let config = Log4rsConfig::builder()
            .appender(Appender::builder().build("file", Box::new(file)))
            .build(Root::builder().appender("file").build(log_level))
            .unwrap();
        log4rs::init_config(config).unwrap();
    } else {
        let stdout = ConsoleAppender::builder().encoder(Box::new(PatternEncoder::new(pattern))).build();
        let config = Log4rsConfig::builder()
            .appender(Appender::builder().build("stdout", Box::new(stdout)))
            .build(Root::builder().appender("stdout").build(log_level))
            .unwrap();
        log4rs::init_config(config).unwrap();
    }
 }
--- a/src/utils/structs.rs
+++ b/src/utils/structs.rs
@@ -14,9 +14,10 @@ pub type Headers = DashMap<Arc<str>, DashMap<Arc<str>, Vec<(String, Arc<str>)>>>
 #[derive(Clone, Debug, Default)]
 pub struct Extraparams {
    pub to_https: Option<bool>,
-    pub sticky_sessions: bool,
+    pub sticky_sessions: Option<u64>,
    pub authentication: Option<Arc<InnerAuth>>,
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
 }
 #[derive(Debug, Default, Clone, Serialize, Deserialize)]
@@ -25,8 +26,9 @@ pub struct GlobalServiceMapping {
    pub hostname: String,
    pub path: Option<String>,
    pub to_https: Option<bool>,
-    pub sticky_sessions: Option<bool>,
+    pub sticky_sessions: Option<u64>,
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
    pub client_headers: Option<Vec<String>>,
    pub server_headers: Option<Vec<String>>,
 }
@@ -48,7 +50,7 @@ pub struct Consul {
 pub struct Config {
    pub provider: String,
    pub to_https: Option<bool>,
-    pub sticky_sessions: bool,
+    pub sticky_sessions: Option<u64>,
    #[serde(default)]
    pub upstreams: Option<HashMap<String, HostConfig>>,
    #[serde(default)]
@@ -65,28 +67,30 @@ pub struct Config {
    pub kubernetes: Option<Kubernetes>,
    #[serde(default)]
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]
 pub struct HostConfig {
    pub paths: HashMap<String, PathConfig>,
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
 }
 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct Auth {
    #[serde(rename = "type")]
    pub auth_type: String,
    #[serde(rename = "data")]
-    pub auth_cred: String,
+    pub auth_cred: Option<String>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]
 pub struct PathConfig {
    pub servers: Vec<String>,
    pub to_https: Option<bool>,
    pub sticky_sessions: Option<bool>,
    pub client_headers: Option<Vec<String>>,
    pub server_headers: Option<Vec<String>>,
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
    pub healthcheck: Option<bool>,
    pub redirect_to: Option<String>,
    pub authorization: Option<Auth>,
@@ -108,7 +112,7 @@ pub struct AppConfig {
    pub hc_method: String,
    pub upstreams_conf: String,
    pub log_level: String,
-    pub master_key: String,
+    pub master_key: Option<String>,
    pub config_address: String,
    pub proxy_address_http: String,
    pub config_api_enabled: bool,
@@ -125,6 +129,7 @@ pub struct AppConfig {
    pub file_server_folder: Option<String>,
    pub runuser: Option<String>,
    pub rungroup: Option<String>,
    pub log_file: Option<String>,
 }
 #[derive(Debug, Default, Clone, PartialEq, Eq, Hash)]
@@ -141,6 +146,7 @@ pub struct InnerMap {
    pub is_http2: bool,
    pub to_https: bool,
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
    pub healthcheck: Option<bool>,
    pub redirect_to: Option<Arc<str>>,
    pub authorization: Option<Arc<InnerAuth>>,
@@ -156,6 +162,7 @@ impl InnerMap {
            is_http2: Default::default(),
            to_https: Default::default(),
            rate_limit: Default::default(),
            x4xx_limit: Default::default(),
            healthcheck: Default::default(),
            redirect_to: Default::default(),
            authorization: Default::default(),
@@ -171,6 +178,7 @@ pub struct InnerMapForJson {
    pub is_http2: bool,
    pub to_https: bool,
    pub rate_limit: Option<isize>,
    pub x4xx_limit: Option<u32>,
    pub healthcheck: Option<bool>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]
--- a/src/utils/tools.rs
+++ b/src/utils/tools.rs
@@ -20,30 +20,30 @@ use std::sync::Arc;
 use std::time::{Duration, Instant};
 use std::{fs, process, thread, time};
 #[allow(dead_code)]
 pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
    let mut out = String::new();
    for host_entry in upstreams.iter() {
-        let hostname = host_entry.key();
+        writeln!(out, "Hostname: {}", host_entry.key()).unwrap();
        println!("Hostname: {}", hostname);
        for path_entry in host_entry.value().iter() {
-            let path = path_entry.key();
+            writeln!(out, "    Path: {}", path_entry.key()).unwrap();
            println!("    Path: {}", path);
            for f in path_entry.value().0.clone() {
-                println!(
+                writeln!(
-                    "        IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}, Rate Limit: {}",
+                    out,
                    "        IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}, Rate Limit: {}, 4xx Limit: {}",
                    f.address,
                    f.port,
                    f.is_ssl,
                    f.is_http2,
                    f.to_https,
-                    f.rate_limit.unwrap_or(0)
+                    f.rate_limit.unwrap_or(0),
-                );
+                    f.x4xx_limit.unwrap_or(0)
                )
                .unwrap();
            }
        }
    }
    info!("\n{}", out.trim_end());
 }
 #[allow(dead_code)]
 pub fn typeoff<T>(_: T) {
    let to = type_name::<T>();
@@ -153,13 +153,14 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                let mut id = String::new();
                write!(
                    &mut id,
-                    "{}:{}:{}:{}:{}:{}:{}:{:?}",
+                    "{}:{}:{}:{}:{}:{}:{}:{}:{:?}",
                    outer_entry.key(),
                    x.address,
                    x.port,
                    x.is_http2,
                    x.to_https,
                    x.rate_limit.unwrap_or_default(),
                    x.x4xx_limit.unwrap_or_default(),
                    x.healthcheck.unwrap_or_default(),
                    x.authorization
                )
@@ -178,13 +179,13 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                    is_http2: false,
                    to_https: false,
                    rate_limit: None,
                    x4xx_limit: None,
                    healthcheck: None,
                    redirect_to: None,
                    authorization: None,
                };
                cloned.insert(id, Arc::from(to_add));
                cloned.insert(hh, x.to_owned());
                // println!("CLONNED  :===========> {:?}", cloned);
            }
            new_inner_map.insert(path.clone(), new_vec);
        }
@@ -305,6 +306,7 @@ pub fn upstreams_to_json(upstreams: &UpstreamsDashMap) -> serde_json::Result<Str
                            is_http2: a.is_http2,
                            to_https: a.to_https,
                            rate_limit: a.rate_limit,
                            x4xx_limit: a.x4xx_limit,
                            healthcheck: a.healthcheck,
                        })
                        .collect(),
--- a/src/web/bgservice.rs
+++ b/src/web/bgservice.rs
@@ -99,6 +99,7 @@ impl BackgroundService for LB {
                        new.sticky_sessions = ss.extraparams.sticky_sessions;
                        new.authentication = ss.extraparams.authentication.clone();
                        new.rate_limit = ss.extraparams.rate_limit;
                        new.x4xx_limit = ss.extraparams.x4xx_limit;
                        self.extraparams.store(Arc::new(new));
                        self.client_headers.clear();
                        self.server_headers.clear();
--- a/src/web/proxyhttp.rs
+++ b/src/web/proxyhttp.rs
@@ -7,6 +7,7 @@ use async_trait::async_trait;
 use axum::body::Bytes;
 use dashmap::DashMap;
 use log::{debug, error, warn};
 use moka::sync::Cache;
 use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::prelude::*;
 use pingora::ErrorSource::Upstream;
@@ -17,6 +18,7 @@ use pingora_proxy::{ProxyHttp, Session};
 use sha2::{Digest, Sha256};
 use std::cell::RefCell;
 use std::fmt::Write;
 use std::net::IpAddr;
 use std::sync::{Arc, LazyLock};
 use std::time::Duration;
 use tokio::time::Instant;
@@ -24,6 +26,7 @@ use tokio::time::Instant;
 static REVERSE_STORE: LazyLock<DashMap<String, String>> = LazyLock::new(DashMap::new);
 thread_local! {static IP_BUFFER: RefCell<String> = RefCell::new(String::with_capacity(50));}
 pub static RATE_LIMITER: LazyLock<Rate> = LazyLock::new(|| Rate::new(Duration::from_secs(1)));
 pub static REQUESTS_4XX: LazyLock<Cache<IpAddr, u32>> = LazyLock::new(|| Cache::builder().time_to_live(Duration::from_secs(1)).build());
 pub static LOCALHOST: LazyLock<Arc<str>> = LazyLock::new(|| Arc::from("localhost"));
 #[derive(Clone)]
@@ -39,12 +42,12 @@ pub struct LB {
 pub struct Context {
    backend_id: Option<String>,
    sticky_sessions: bool,
    start_time: Instant,
    hostname: Option<Arc<str>>,
    upstream_peer: Option<Arc<InnerMap>>,
    extraparams: arc_swap::Guard<Arc<Extraparams>>,
    client_headers: Option<Vec<(String, Arc<str>)>>,
    x4xx_limit: Option<u32>,
 }
 #[async_trait]
@@ -53,12 +56,12 @@ impl ProxyHttp for LB {
    fn new_ctx(&self) -> Self::CTX {
        Context {
            backend_id: None,
            sticky_sessions: false,
            start_time: Instant::now(),
            hostname: None,
            upstream_peer: None,
            extraparams: self.extraparams.load(),
            client_headers: None,
            x4xx_limit: None,
        }
    }
    async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
@@ -66,7 +69,7 @@ impl ProxyHttp for LB {
        let hostname = return_header_host_from_upstream(session, &self.ump_upst);
        _ctx.hostname = hostname;
        let mut backend_id = None;
-        if _ctx.extraparams.sticky_sessions {
+        if let Some(_) = _ctx.extraparams.sticky_sessions {
            if let Some(cookies) = session.req_header().headers.get("cookie") {
                if let Ok(cookie_str) = cookies.to_str() {
                    if let Some(pos) = cookie_str.find("backend_id=") {
@@ -85,13 +88,28 @@ impl ProxyHttp for LB {
                    None => return Ok(false),
                    Some(ref innermap) => {
                        if let Some(auth) = _ctx.extraparams.authentication.as_ref().or(innermap.authorization.as_ref()) {
-                            if !authenticate(&auth.auth_type, &auth.auth_cred, session).await {
+                            if !authenticate(&auth, session).await {
                                let _ = session.respond_error(401).await;
                                warn!("Forbidden: {:?}, {}", session.client_addr(), session.req_header().uri.path());
                                return Ok(true);
                            }
                        }
-
+                        if let Some(rate) = innermap.x4xx_limit.or(_ctx.extraparams.x4xx_limit) {
                            _ctx.x4xx_limit = innermap.x4xx_limit;
                            let rate_key = session.client_addr().and_then(|addr| addr.as_inet()).map(|inet| inet.ip());
                            if let Some(rk) = rate_key {
                                let count = REQUESTS_4XX.get(&rk).unwrap_or(0);
                                if count > rate {
                                    let header = ResponseHeader::build(429, None)?;
                                    session.set_keepalive(None);
                                    session.write_response_header(Box::new(header), true).await?;
                                    if let (Some(oi), Some(oa)) = (&_ctx.hostname, rate_key) {
                                        warn!("Limit 4XX: {}-rps exceed on {} from {}", rate, oi, oa);
                                    }
                                    return Ok(true);
                                }
                            }
                        }
                        if let Some(rate) = innermap.rate_limit.or(_ctx.extraparams.rate_limit) {
                            let rate_key = session.client_addr().and_then(|addr| addr.as_inet()).map(|inet| inet.ip());
                            let curr_window_requests = RATE_LIMITER.observe(&rate_key, 1);
@@ -99,7 +117,9 @@ impl ProxyHttp for LB {
                                let header = ResponseHeader::build(429, None)?;
                                session.set_keepalive(None);
                                session.write_response_header(Box::new(header), true).await?;
-                                debug!("Rate limited: {:?}, {}", rate_key, rate);
+                                if let (Some(oi), Some(oa)) = (&_ctx.hostname, rate_key) {
                                    warn!("Limit: {}-rps exceed on {} from {}", rate, oi, oa);
                                }
                                return Ok(true);
                            }
                        }
@@ -161,7 +181,7 @@ impl ProxyHttp for LB {
                        peer.options.verify_cert = false;
                        peer.options.verify_hostname = false;
                    }
-                    if ctx.extraparams.sticky_sessions {
+                    if let Some(_) = ctx.extraparams.sticky_sessions {
                        let mut s = String::with_capacity(64);
                        write!(
                            &mut s,
@@ -177,7 +197,6 @@ impl ProxyHttp for LB {
                        )
                        .unwrap_or(());
                        ctx.backend_id = Some(s);
                        ctx.sticky_sessions = true;
                    }
                    Ok(peer)
                }
@@ -237,7 +256,7 @@ impl ProxyHttp for LB {
        Ok(())
    }
    async fn response_filter(&self, _session: &mut Session, _upstream_response: &mut ResponseHeader, ctx: &mut Self::CTX) -> Result<()> {
-        if ctx.sticky_sessions {
+        if let Some(val) = ctx.extraparams.sticky_sessions {
            if let Some(bid) = &ctx.backend_id {
                let tt = if let Some(existing) = REVERSE_STORE.get(bid) {
                    existing.value().clone()
@@ -255,7 +274,11 @@ impl ProxyHttp for LB {
                let mut buf = String::with_capacity(80);
                buf.push_str("backend_id=");
                buf.push_str(&tt);
-                buf.push_str("; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax");
+                buf.push_str("; Path=/; Max-Age=");
                buf.push_str(&val.to_string());
                buf.push_str("; HttpOnly; SameSite=Lax");
                // buf.push_str("; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax");
                // println!("{}", buf);
                let _ = _upstream_response.insert_header("set-cookie", buf.as_str());
            }
        }
@@ -280,6 +303,14 @@ impl ProxyHttp for LB {
        };
        calc_metrics(m);
        ACTIVE_SESSIONS.dec();
        if let Some(_) = ctx.x4xx_limit.or(ctx.extraparams.x4xx_limit) {
            if 400 <= response_code && response_code <= 499 {
                if let Some(ip) = session.client_addr().and_then(|a| a.as_inet()).map(|i| i.ip()) {
                    let current = REQUESTS_4XX.get(&ip).unwrap_or(0);
                    REQUESTS_4XX.insert(ip, current + 1);
                }
            }
        }
    }
 }
--- a/src/web/start.rs
+++ b/src/web/start.rs
@@ -33,9 +33,10 @@ pub fn run() {
    let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams {
        to_https: None,
-        sticky_sessions: false,
+        sticky_sessions: None,
        authentication: None,
        rate_limit: None,
        x4xx_limit: None,
    }));
    let cfg = Arc::new(maincfg);
--- a/src/web/webserver.rs
+++ b/src/web/webserver.rs
@@ -8,7 +8,7 @@ use crate::utils::structs::{Config, Configuration, UpstreamsDashMap};
 use crate::utils::tools::{upstreams_liveness_json, upstreams_to_json};
 use axum::body::Body;
 use axum::extract::{Query, State};
-use axum::http::{header::HeaderMap, Response, StatusCode};
+use axum::http::{Response, StatusCode};
 use axum::response::IntoResponse;
 use axum::routing::{any, get, post};
 use axum::{Json, Router};
@@ -21,7 +21,6 @@ use serde::Serialize;
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use subtle::ConstantTimeEq;
 use tokio::net::TcpListener;
 use tower_http::services::ServeDir;
@@ -32,7 +31,7 @@ struct OutToken {
 #[derive(Clone)]
 struct AppState {
-    master_key: String,
+    master_key: Option<String>,
    cert_creds: String,
    certs_dir: String,
    upstreams_file: String,
@@ -95,13 +94,11 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
    axum::serve(listener, app).await.unwrap();
 }
-async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap, content: String) -> impl IntoResponse {
+async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
    if !st.config_api_enabled {
        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Config API is disabled !\n")).unwrap();
    }
    // if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
    if key_authorization(&headers, &params, &st.master_key) {
    let strcontent = content.as_str();
    let parsed = serde_yml::from_str::<Config>(strcontent);
    match parsed {
@@ -111,17 +108,14 @@ async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, S
            } else {
                drop(tokio::spawn(async move { apply_config(content.as_str(), st, false).await }));
            }
-                // apply_config(content.as_str(), st).await;
+            Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap()
                return Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap();
        }
        Err(err) => {
            error!("Failed to parse upstreams file: {}", err);
-                return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap();
+            Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap()
        }
    }
 }
    Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap()
 }
 async fn apply_config(content: &str, mut st: AppState, save: bool) {
    let sl = crate::utils::parceyaml::load_configuration(content, "content").await;
@@ -137,7 +131,8 @@ async fn apply_config(content: &str, mut st: AppState, save: bool) {
 }
 async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) -> (StatusCode, Json<OutToken>) {
-    if payload.master_key == state.master_key {
+    if let Some(master_key) = &state.master_key {
        if &payload.master_key == master_key {
            let now = SystemTime::now() + Duration::from_secs(payload.exp * 60);
            let expire = now.duration_since(UNIX_EPOCH).unwrap_or_default().as_secs();
@@ -166,6 +161,13 @@ async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) ->
            warn!("Unauthorised JWT generate request: {:?}", tok);
            (StatusCode::FORBIDDEN, Json(tok))
        }
    } else {
        let tok = OutToken {
            token: "ERROR Getting JWT_KEY environment variable".to_string(),
        };
        error!("ERROR Getting JWT_KEY environment variable");
        (StatusCode::INTERNAL_SERVER_ERROR, Json(tok))
    }
 }
 async fn metrics() -> impl IntoResponse {
@@ -221,11 +223,7 @@ async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String,
 }
 #[allow(clippy::needless_return)]
-async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap) -> impl IntoResponse {
+async fn acme_create(State(state): State<AppState>) -> impl IntoResponse {
    if !key_authorization(&headers, &params, &state.master_key) {
        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
    }
    match account::load_or_create(state.cert_creds.as_str()).await {
        Ok(txt) => {
            return Response::builder()
@@ -243,16 +241,7 @@ async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap
    };
 }
 #[allow(clippy::needless_return)]
-async fn acme_order(
+async fn acme_order(State(state): State<AppState>, axum::extract::Path(domain): axum::extract::Path<String>) -> impl IntoResponse {
    State(state): State<AppState>,
    axum::extract::Path(domain): axum::extract::Path<String>,
    Query(params): Query<HashMap<String, String>>,
    headers: HeaderMap,
 ) -> impl IntoResponse {
    if !key_authorization(&headers, &params, &state.master_key) {
        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
    }
    let domain_clean = domain.trim_matches('/');
    match order::order(domain_clean, state.cert_creds.as_str(), state.certs_dir).await {
        Ok(txt) => {
@@ -292,13 +281,13 @@ pub async fn http01_challenge(axum::extract::Path(token): axum::extract::Path<St
        .unwrap()
 }
-fn key_authorization(headers: &HeaderMap, params: &HashMap<String, String>, masterkey: &str) -> bool {
+// fn key_authorization(headers: &HeaderMap, params: &HashMap<String, String>, masterkey: &str) -> bool {
-    if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
+//     if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
-        if s.as_bytes().ct_eq(masterkey.as_bytes()).into() {
+//         if s.as_bytes().ct_eq(masterkey.as_bytes()).into() {
-            return true;
+//             return true;
-        }
+//         }
-    }
+//     }
-    false
+//     false
-}
+// }
 // -- ⚝ by Dave -- in NeoVim ⚝ --
Author	SHA1	Message	Date
Ara Sadoyan	faf840d102	Merge pull request #23 from sadoyan/dev New features, 4xx counter	2026-05-22 16:57:07 +02:00
Ara Sadoyan	d74883e16e	New features, 4xx counter	2026-05-22 16:56:33 +02:00
Ara Sadoyan	d95bbfcd1a	Merge pull request #22 from sadoyan/dev - Changed sticky session value from bool to u32, corresponding to `Max-Age=` of cookie - Added counter and rate limiter for 4xx requests - Changed config for JWT authorization. The `data` property is removed.	2026-05-22 16:52:27 +02:00
Ara Sadoyan	d301f7225f	New features, 4xx counter	2026-05-22 16:47:40 +02:00
Ara Sadoyan	df02e523e4	cleanups	2026-05-21 18:34:46 +02:00
Ara Sadoyan	2f5def5c3c	Changed sticky session from bool to Option<u64>	2026-05-20 21:09:23 +02:00
Ara Sadoyan	1727a2b5e7	deleted some comments	2026-05-20 17:17:04 +02:00
Ara Sadoyan	4bbedee27b	JWT auth read and caches KEY from system env.	2026-05-19 15:26:05 +02:00
Ara Sadoyan	37ef118861	Dockerfile #21	2026-05-19 11:48:12 +02:00
Ara Sadoyan	00062b00da	Removed authentication from API server, JWT master key as environment variable	2026-05-18 20:38:30 +02:00
Ara Sadoyan	2ce290abcf	README update	2026-05-15 18:32:58 +02:00
Ara Sadoyan	2380f83d8e	Added log to file option.	2026-05-15 16:00:57 +02:00
Ara Sadoyan	3965a1de93	README typo	2026-05-14 10:54:27 +02:00
Ara Sadoyan	7bc8294c22	README typo	2026-05-14 10:53:42 +02:00