Removed Dockerfile, put content to README

fix: Fix global rate limit and 4xx limit fallback in upstream config log

.gitignore

@@ -7,6 +7,8 @@
 *.sh
 /docs/
 /docs
+etc/
+etc
 /target/
 *.iml
 .idea/

Cargo.lock

@@ -142,7 +142,6 @@ dependencies = [
  "jsonwebtoken",
  "log",
  "log4rs",
- "mimalloc",
  "moka",
  "notify",
  "pingora",
@@ -161,6 +160,8 @@ dependencies = [
  "serde_yml",
  "sha2 0.11.0",
  "subtle",
+ "tikv-jemalloc-ctl",
+ "tikv-jemallocator",
  "tokio",
  "tonic",
  "tower-http",
@@ -359,6 +360,15 @@ version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
 
+[[package]]
+name = "bit-vec"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b71798fca2c1fe1086445a7258a4bc81e6e49dcd24c8d0dd9a1e57395b603f51"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -1938,15 +1948,6 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
 
-[[package]]
-name = "libmimalloc-sys"
-version = "0.1.47"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d1eacfa31c33ec25e873c136ba5669f00f9866d0688bea7be4d3f7e43067df6"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "libyml"
 version = "0.0.5"
@@ -1995,9 +1996,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.29"
+version = "0.4.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+checksum = "616ec5685824bcc94416c6d4a7a446eea774a31efd7062c8480ba6fd06d7a6e5"
 dependencies = [
  "serde_core",
 ]
@@ -2073,15 +2074,6 @@ dependencies = [
  "autocfg",
 ]
 
-[[package]]
-name = "mimalloc"
-version = "0.1.50"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3627c4272df786b9260cabaa46aec1d59c93ede723d4c3ef646c503816b0640"
-dependencies = [
- "libmimalloc-sys",
-]
-
 [[package]]
 name = "mime"
 version = "0.3.17"
@@ -2494,6 +2486,12 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
 [[package]]
 name = "pem"
 version = "3.0.6"
@@ -3147,9 +3145,9 @@ checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
 
 [[package]]
 name = "rcgen"
-version = "0.14.7"
+version = "0.14.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e"
+checksum = "57f6d249aad744e274e682777a50283a225a32705394ee6d5fcc01efa25e4055"
 dependencies = [
  "aws-lc-rs",
  "pem",
@@ -3200,9 +3198,9 @@ checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
 
 [[package]]
 name = "reqwest"
-version = "0.13.3"
+version = "0.13.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62e0021ea2c22aed41653bc7e1419abb2c97e038ff2c33d0e1309e49a97deec0"
+checksum = "219c5811de6525e5416c7d5d53bb656d3afdbc6c5af816e0802bcfa42dbdc1c3"
 dependencies = [
  "base64",
  "bytes",
@@ -3550,9 +3548,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.149"
+version = "1.0.150"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+checksum = "e8014e44b4736ed0538adeecded0fce2a272f22dc9578a7eb6b2d9993c74cfb9"
 dependencies = [
  "itoa",
  "memchr",
@@ -3921,6 +3919,37 @@ dependencies = [
  "trackable",
 ]
 
+[[package]]
+name = "tikv-jemalloc-ctl"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a184c43b8ab2f41df2733b55556e3f5f632f4aeaa205b1bb018f574b7f5f142"
+dependencies = [
+ "libc",
+ "paste",
+ "tikv-jemalloc-sys",
+]
+
+[[package]]
+name = "tikv-jemalloc-sys"
+version = "0.7.1+5.3.1-0-g81034ce1f1373e37dc865038e1bc8eeecf559ce8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a2825c78386b4ae0314074867860ba9577875de945f05992c38815cbec327f0"
+dependencies = [
+ "cc",
+ "libc",
+]
+
+[[package]]
+name = "tikv-jemallocator"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "249f09e49ab1609436f34c776e84231bead18d6a955f119f939bdc1d847561bd"
+dependencies = [
+ "libc",
+ "tikv-jemalloc-sys",
+]
+
 [[package]]
 name = "time"
 version = "0.3.47"
@@ -4111,9 +4140,9 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.10"
+version = "0.6.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
+checksum = "4cfcf7e2740e6fc6d4d688b4ef00650406bb94adf4731e43c096c3a19fe40840"
 dependencies = [
  "bitflags 2.11.1",
  "bytes",
@@ -4891,10 +4920,11 @@ checksum = "fdd20c5420375476fbd4394763288da7eb0cc0b8c11deed431a91562af7335d3"
 
 [[package]]
 name = "yasna"
-version = "0.5.2"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+checksum = "b5f6765e852b9b4dc8e2a76843e4d64d1cea8e79bcde0b6901aea8e7c7f08282"
 dependencies = [
+ "bit-vec",
  "time",
 ]
 

Cargo.toml

@@ -20,11 +20,11 @@ pingora-proxy = "0.8.0"
 pingora-http = "0.8.0"
 pingora-limits = "0.8.0"
 async-trait = "0.1.89"
-log = "0.4.29"
+log = "0.4.30"
 futures = "0.3.32"
 notify = "9.0.0-rc.4"
 axum = { version = "0.8.9" }
-reqwest = { version = "0.13.3", features = ["json", "stream", "blocking"] }
+reqwest = { version = "0.13.4", features = ["json", "stream", "blocking"] }
 serde_yml = "0.0.12"
 rand = "0.10.1"
 base64 = "0.22.1"
@@ -34,17 +34,19 @@ sha2 = { version = "0.11.0-rc.5", default-features = false }
 base16ct = { version = "1.0.0", features = ["alloc"] }
 urlencoding = "2.1.3"
 arc-swap = "1.9.1"
-mimalloc = { version = "0.1.50", default-features = false }
 prometheus = "0.14.0"
 x509-parser = "0.18.1"
 rustls-pemfile = "2.2.0"
-tower-http = { version = "0.6.10", features = ["fs"] }
+tower-http = { version = "0.6.11", features = ["fs"] }
 privdrop = "0.5.6"
 ctrlc = "3.5.2"
-serde_json = "1.0.149"
+serde_json = "1.0.150"
 subtle = "2.6.1"
 moka = { version = "0.12.15", features = ["sync"] }
 ahash = "0.8.12"
 instant-acme = "0.8.5"
-rcgen = "0.14.7"
+rcgen = "0.14.8"
 log4rs = "1.4.0"
+#mimalloc = { version = "0.1.52", default-features = false }
+tikv-jemallocator = "0.7.0"
+tikv-jemalloc-ctl = { version = "0.7.0", features = ["stats"] }

README.md

@@ -110,11 +110,25 @@ For getting the best performance on newer hardware use `aralez-x86_64-*.gz`.
 **Via docker**
 
 ```shell
-docker run -d \
+docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 sadoyan/aralez
-  -v /local/path/to/config:/etc/aralez:ro \
+```
-  -p 80:80 \
+
-  -p 443:443 \
+**Dockerfile :**
-  sadoyan/aralez
+
+```dockerfile
+FROM debian:trixie-slim
+
+RUN apt-get update && apt-get install -y ca-certificates curl net-tools iputils-ping
+RUN apt-get clean && rm -rf /var/lib/apt/lists/*
+
+COPY aralez /usr/local/bin/aralez
+
+RUN chmod +x /usr/local/bin/aralez
+RUN mkdir -p /etc/aralez/certs/upstreams
+
+WORKDIR /etc/aralez
+
+ENTRYPOINT ["/usr/local/bin/aralez", "-c", "/etc/aralez/main.yaml"]
 ```
 
 ## Running the Proxy
@@ -125,7 +139,7 @@ docker run -d \
 
 ## Systemd integration
 
-Assuming Arales in installed in `/opt/aralez` folder
+Assuming Aralez in installed in `/opt/aralez` folder
 
 ```bash
 cat > /etc/systemd/system/aralez.service <<EOF
@@ -164,9 +178,10 @@ systemctl restart aralez.service.
 
 ```yaml
 provider: "file"
-sticky_sessions: false
+sticky_sessions: 8600
 to_https: false
-rate_limit: 10
+rate_limit: 20
+x4xx_limit: 20
 server_headers:
   - "X-Forwarded-Proto:https"
   - "X-Forwarded-Port:443"
@@ -177,7 +192,8 @@ client_headers:
 myhost.mydomain.com:
   paths:
     "/":
-      rate_limit: 20
+      rate_limit: 10
+      x4xx_limit: 10
       to_https: false
       server_headers:
         - "X-Something-Else:Foobar"
@@ -211,15 +227,20 @@ DEFAULT:
 
 **This means:**
 
-- Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
+- Sticky sessions are enabled globally. This setting applies to all upstreams. If enabled the value will be set for `Max-Age=` cookie.
 - HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
 - All upstreams will receive custom headers : `X-Forwarded-Proto:https` and `X-Forwarded-Port:443`
 - Additionally, myhost.mydomain.com with path `/` will receive custom headers : `X-Another-Header:Hohohohoho` and `X-Something-Else:Foobar`
-- Requests to each hosted domains will be limited to 10 requests per second per virtualhost.
+- Requests with response 4xx to each hosted domains will be limited to 20 requests per second per virtualhost.
+    - Requests limits are calculated per requester ip plus requested virtualhost.
+    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
+    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
+- Requests to each hosted domains will be limited to 20 requests per second per virtualhost.
     - Requests limits are calculated per requester ip plus requested virtualhost.
     - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
     - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to `myhost.mydomain.com/` will be limited to 20 requests per second.
+- Requests with 4xx responses to `myhost.mydomain.com/` will be limited to 10 requests per second.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
 - Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
 - `myhost.mydomain.com/foo` will require authentication with JWT token, signed by `266463d1-210a-4787-9a81-4aacb37a8723`.
@@ -231,10 +252,8 @@ DEFAULT:
 - Global headers (CORS for this case) will be injected to all upstreams.
 - Additional headers will be injected into the request for `myhost.mydomain.com`.
 - You can choose any path, deep nested paths are supported, the best match chosen.
-- All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
-    - Firs parameter specifies the mechanism of authorisation `jwt`
-    - Second is the secret key for validating `jwt` tokens
 - `DEFAULT` catch up everything else and proxy to `127.0.0.1:3000`
+    - This is a special upstream and in order to do the catch-up jub it must be **DEFAULT** all capitals
 
 ---
 

etc/main.yaml

@@ -1,7 +1,7 @@
 # Main configuration file, applied on startup
 threads: 12 # Number of daemon threads default setting
-runuser: aralez # Username for running aralez after dropping root privileges, requires program to start as root
+#runuser: pastor # Username for running aralez after dropping root privileges, requires program to start as root
-rungroup: aralez # Group for running aralez after dropping root privileges, requires program to start as root
+#rungroup: pastor # Group for running aralez after dropping root privileges, requires program to start as root
 daemon: false # Run in background
 upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
 pid_file: /tmp/aralez.pid # Path to PID file
@@ -11,12 +11,13 @@ config_api_enabled: true # Boolean to enable/disable remote config push capabili
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
-proxy_configs: /opt/aralez/etc # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
+proxy_configs: /opt/Rust/Projects/asyncweb/etc # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
-proxy_tls_grade: a+ # Grade of TLS suite for proxy (a+, a, b, c, unsafe), matching grades of Qualys SSL Labs
+proxy_tls_grade: high # Grade of TLS suite for proxy (high, medium, unsafe), matching grades of Qualys SSL Labs
-upstreams_conf: /opt/aralez/etc/upstreams.yaml # the location of upstreams file
+upstreams_conf: /opt/Rust/Projects/asyncweb/etc/upstreams.yaml # the location of upstreams file
-file_server_folder: /opt/storage # Optional, local folder to serve
+#file_server_folder: /opt/storage # Optional, local folder to serve
-file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
+#file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
 log_level: info # info, warn, error, debug, trace, off
+log_file: /tmp/aralez.log # Optional, the location of log file. If this entry does not exist logs will be emitted to stdout.
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
-master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
+#master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret

etc/upstreams.yaml

@@ -1,8 +1,9 @@
 # The file under watch and hot reload, changes are applied immediately, no need to restart or reload.
 provider: "file" # "file" "consul" "kubernetes"
-sticky_sessions: false
+sticky_sessions: 8600
 to_https: false
-rate_limit: 100
+rate_limit: 300
+x4xx_limit: 200
 server_headers:
   - "X-Forwarded-Proto:https"
   - "X-Forwarded-Port:443"
@@ -62,6 +63,7 @@ upstreams:
     paths:
       "/":
         rate_limit: 200
+        x4xx_limit: 100
         to_https: false
         client_headers:
           - "X-Proxy-From:Aralez"

src/main.rs

@@ -1,9 +1,12 @@
+use tikv_jemallocator::Jemalloc;
+
 mod tls;
 mod utils;
 mod web;
 
 #[global_allocator]
-static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
+static ALLOC: Jemalloc = Jemalloc;
+// static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
 // pub static A: CountingAllocator = CountingAllocator;
 
 fn main() {

src/utils/auth.rs

@@ -1,21 +1,17 @@
-use crate::utils::jwt::check_jwt;
+use crate::utils::jwt::{check_jwt, JWT_TOKEN};
-// use reqwest::Client;
+use crate::utils::structs::InnerAuth;
 use axum::http::StatusCode;
 use base64::engine::general_purpose::STANDARD;
 use base64::Engine;
-use pingora_proxy::Session;
-use std::collections::HashMap;
-use std::sync::{Arc, LazyLock};
-use subtle::ConstantTimeEq;
-use urlencoding::decode;
-
-// use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::http::RequestHeader;
-// --------------------------------- //
 use pingora_core::connectors::http::Connector;
 use pingora_core::upstreams::peer::HttpPeer;
 use pingora_http::ResponseHeader;
-// --------------------------------- //
+use pingora_proxy::Session;
+use std::collections::HashMap;
+use std::sync::LazyLock;
+use subtle::ConstantTimeEq;
+use urlencoding::decode;
 
 #[async_trait::async_trait]
 trait AuthValidator {
@@ -23,7 +19,7 @@ trait AuthValidator {
 }
 struct BasicAuth<'a>(&'a str);
 struct ApiKeyAuth<'a>(&'a str);
-struct JwtAuth<'a>(&'a str);
+struct JwtAuth();
 struct ForwardAuth<'a>(&'a str);
 
 pub static AUTH_CONNECTOR: LazyLock<Connector> = LazyLock::new(|| Connector::new(None));
@@ -180,17 +176,18 @@ impl AuthValidator for ApiKeyAuth<'_> {
 }
 
 #[async_trait::async_trait]
-impl AuthValidator for JwtAuth<'_> {
+impl AuthValidator for JwtAuth {
     async fn validate(&self, session: &mut Session) -> bool {
-        let jwtsecret = self.0;
+        if let Some(jwtsecret) = JWT_TOKEN.clone() {
             if let Some(tok) = get_query_param(session, "araleztoken") {
-            return check_jwt(tok.as_str(), jwtsecret);
+                return check_jwt(tok.as_str(), jwtsecret.as_ref());
             }
             if let Some(auth_header) = session.get_header("authorization") {
                 if let Ok(header_str) = auth_header.to_str() {
                     if let Some((scheme, token)) = header_str.split_once(' ') {
                         if scheme.eq_ignore_ascii_case("bearer") {
-                        return check_jwt(token, jwtsecret);
+                            return check_jwt(token, jwtsecret.as_ref());
+                        }
                     }
                 }
             }
@@ -199,14 +196,14 @@ impl AuthValidator for JwtAuth<'_> {
     }
 }
 
-pub async fn authenticate(auth_type: &Arc<str>, credentials: &Arc<str>, session: &mut Session) -> bool {
+pub async fn authenticate(auth: &InnerAuth, session: &mut Session) -> bool {
-    match &**auth_type {
+    match &*auth.auth_type {
-        "basic" => BasicAuth(credentials).validate(session).await,
+        "basic" => BasicAuth(&*auth.auth_cred).validate(session).await,
-        "apikey" => ApiKeyAuth(credentials).validate(session).await,
+        "apikey" => ApiKeyAuth(&*auth.auth_cred).validate(session).await,
-        "jwt" => JwtAuth(credentials).validate(session).await,
+        "jwt" => JwtAuth().validate(session).await,
-        "forward" => ForwardAuth(credentials).validate(session).await,
+        "forward" => ForwardAuth(&*auth.auth_cred).validate(session).await,
         _ => {
-            log::warn!("Unsupported authentication mechanism : {}", auth_type);
+            log::warn!("Unsupported authentication mechanism : {}", &*auth.auth_type);
             false
         }
     }

src/utils/discovery.rs

@@ -9,13 +9,10 @@ use std::sync::Arc;
 pub struct APIUpstreamProvider {
     pub config_api_enabled: bool,
     pub address: String,
-    pub masterkey: String,
+    pub masterkey: Option<String>,
     pub certs_dir: String,
     pub config_dir: String,
     pub upstreams_file: String,
-    // pub tls_address: Option<String>,
-    // pub tls_certificate: Option<String>,
-    // pub tls_key_file: Option<String>,
     pub file_server_address: Option<String>,
     pub file_server_folder: Option<String>,
     pub current_upstreams: Arc<UpstreamsDashMap>,

src/utils/healthcheck.rs

@@ -53,15 +53,14 @@ async fn build_upstreams(fullist: &UpstreamsDashMap, method: &str, client: &Clie
             let mut innervec = Vec::new();
 
             for upstream in path_entry.value().0.iter() {
-                let tls = detect_tls(upstream.address.as_ref(), &upstream.port, client).await;
+                let tls = if upstream.healthcheck.unwrap_or(true) {
-                let is_h2 = matches!(tls.1, Some(Version::HTTP_2));
+                    detect_tls(upstream.address.as_ref(), &upstream.port, client).await
-
-                let link = if tls.0 {
-                    format!("https://{}:{}{}", upstream.address, upstream.port, path)
                 } else {
-                    format!("http://{}:{}{}", upstream.address, upstream.port, path)
+                    (false, None)
                 };
 
+                let is_h2 = matches!(tls.1, Some(Version::HTTP_2));
+
                 let mut scheme = InnerMap {
                     address: upstream.address.clone(),
                     port: upstream.port,
@@ -69,12 +68,19 @@ async fn build_upstreams(fullist: &UpstreamsDashMap, method: &str, client: &Clie
                     is_http2: is_h2,
                     to_https: upstream.to_https,
                     rate_limit: upstream.rate_limit,
+                    x4xx_limit: upstream.x4xx_limit,
                     healthcheck: upstream.healthcheck,
                     redirect_to: upstream.redirect_to.clone(),
                     authorization: upstream.authorization.clone(),
                 };
 
                 if scheme.healthcheck.unwrap_or(true) {
+                    let link = if tls.0 {
+                        format!("https://{}:{}{}", upstream.address, upstream.port, path)
+                    } else {
+                        format!("http://{}:{}{}", upstream.address, upstream.port, path)
+                    };
+
                     let resp = http_request(&link, method, "", client).await;
                     if resp.0 {
                         if resp.1 {

src/utils/httpclient.rs

@@ -32,6 +32,7 @@ pub async fn for_consul(url: String, token: Option<String>, conf: &GlobalService
             is_http2: false,
             to_https: conf.to_https.unwrap_or(false),
             rate_limit: conf.rate_limit,
+            x4xx_limit: conf.x4xx_limit,
             redirect_to: None,
             healthcheck: None,
             authorization: None,
@@ -68,6 +69,7 @@ pub async fn for_kuber(url: &str, token: &str, conf: &GlobalServiceMapping) -> O
                             is_http2: false,
                             to_https: conf.to_https.unwrap_or(false),
                             rate_limit: conf.rate_limit,
+                            x4xx_limit: conf.x4xx_limit,
                             healthcheck: None,
                             redirect_to: None,
                             authorization: None,

src/utils/jwt.rs

@@ -4,8 +4,9 @@ use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use moka::sync::Cache;
 use moka::Expiry;
 use serde::{Deserialize, Serialize};
+use std::env;
 use std::hash::{Hash, Hasher};
-use std::sync::LazyLock;
+use std::sync::{Arc, LazyLock};
 use std::time::{Duration, Instant, SystemTime};
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -23,6 +24,11 @@ struct Expired {
 
 static JWT_VALIDATION: LazyLock<Validation> = LazyLock::new(|| Validation::new(Algorithm::HS256));
 
+pub static JWT_TOKEN: LazyLock<Option<Arc<str>>> = LazyLock::new(|| match env::var("JWT_KEY") {
+    Ok(key) if !key.is_empty() => Some(Arc::from(key.as_str())),
+    _ => None,
+});
+
 static JWT_CACHE: LazyLock<Cache<u64, u64>> = LazyLock::new(|| Cache::builder().max_capacity(100_000).expire_after(JwtExpiry).build());
 struct JwtExpiry;
 impl Expiry<u64, u64> for JwtExpiry {

src/utils/kuberconsul.rs

@@ -222,7 +222,7 @@ async fn clone_compare(upstreams: &UpstreamsDashMap, prev_upstreams: &UpstreamsD
         };
         clone_dashmap_into(upstreams, prev_upstreams);
         clone_dashmap_into(upstreams, &tosend.upstreams);
-        print_upstreams(&tosend.upstreams);
+        print_upstreams(&tosend.upstreams, &tosend.extraparams);
         return Some(tosend);
     };
     None

src/utils/metrics.rs

@@ -5,6 +5,7 @@ use prometheus::{register_histogram, register_int_counter, register_int_counter_
 use std::sync::Arc;
 use std::sync::LazyLock;
 use std::time::Duration;
+use tikv_jemalloc_ctl::{epoch, stats};
 
 pub struct MetricTypes {
     pub method: Method,
@@ -14,18 +15,28 @@ pub struct MetricTypes {
     pub version: Version,
 }
 
+pub static OPEN_FILES: LazyLock<IntGauge> = LazyLock::new(|| register_int_gauge!("aralez_open_files", "Number of open file descriptors").unwrap());
+pub static MEMORY_USAGE: LazyLock<IntGauge> = LazyLock::new(|| register_int_gauge!("aralez_memory_bytes", "Total memory allocated in bytes").unwrap());
 pub static ACTIVE_SESSIONS: LazyLock<IntGauge> = LazyLock::new(|| register_int_gauge!("aralez_active_sessions", "Current number of active sessions").unwrap());
-
 pub static REQUEST_COUNT: LazyLock<IntCounter> = LazyLock::new(|| register_int_counter!("aralez_requests_total", "Total number of requests handled by Aralez").unwrap());
 
 pub static RESPONSE_CODES: LazyLock<IntCounterVec> =
     LazyLock::new(|| register_int_counter_vec!("aralez_responses_total", "Responses grouped by status code", &["status"]).unwrap());
 
+// pub static RESPONSE_LATENCY: LazyLock<Histogram> = LazyLock::new(|| {
+//     register_histogram!(
+//         "aralez_response_latency_seconds",
+//         "Response latency in seconds",
+//         vec![0.01, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
+//     )
+//     .unwrap()
+// });
+
 pub static RESPONSE_LATENCY: LazyLock<Histogram> = LazyLock::new(|| {
     register_histogram!(
         "aralez_response_latency_seconds",
         "Response latency in seconds",
-        vec![0.01, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
+        vec![0.001, 0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0]
     )
     .unwrap()
 });
@@ -54,3 +65,12 @@ pub fn calc_metrics(metric_types: &MetricTypes) {
     REQUESTS_BY_UPSTREAM.with_label_values(&[metric_types.upstream.as_ref()]).inc();
     RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
 }
+
+pub fn get_memory_usage() -> usize {
+    epoch::mib().unwrap().advance().unwrap(); // refresh stats
+    stats::allocated::mib().unwrap().read().unwrap() // bytes allocated
+}
+
+pub fn get_open_files() -> usize {
+    std::fs::read_dir("/proc/self/fd").map(|dir| dir.count()).unwrap_or(0)
+}

src/utils/parceyaml.rs

@@ -11,18 +11,49 @@ use log4rs::{
     encode::pattern::PatternEncoder,
 };
 use std::collections::HashMap;
-use std::fs;
 use std::path::Path;
 use std::sync::atomic::AtomicUsize;
 use std::sync::{Arc, LazyLock};
+use std::{env, fs};
 
 pub static DOMAINS: LazyLock<DashMap<String, bool>> = LazyLock::new(DashMap::new);
 
 pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>, String) {
     let mut conf_files = Vec::new();
     let yaml_data = match kind {
-        "filepath" => match fs::read_to_string(d) {
+        "filepath" => {
-            Ok(data) => {
+            let mut data = String::new();
+            let mut last_error = None;
+            for _ in 0..5 {
+                match fs::read_to_string(d) {
+                    Ok(content) => {
+                        if !content.trim().is_empty() {
+                            data = content;
+                            break;
+                        }
+                    }
+                    Err(e) => {
+                        error!("Config read failed, retrying...");
+                        last_error = Some(e);
+                    }
+                }
+                tokio::time::sleep(std::time::Duration::from_millis(10)).await;
+            }
+            if data.is_empty() {
+                let err_msg = match last_error {
+                    Some(e) => {
+                        error!("Reading: {}: {:?}", d, e);
+                        e.to_string()
+                    }
+                    None => {
+                        error!("Reading: {}: File is empty after retries", d);
+                        "File is empty".to_string()
+                    }
+                };
+                warn!("Running with empty upstreams list, update it via API");
+                return (None, err_msg);
+            }
+
             let mut confdir = Path::new(d).parent().unwrap().to_path_buf();
             let mut autocfg = Path::new(d).parent().unwrap().to_path_buf();
 
@@ -66,12 +97,6 @@ pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>,
             info!("Reading upstreams from {}", d);
             data
         }
-            Err(e) => {
-                error!("Reading: {}: {:?}", d, e);
-                warn!("Running with empty upstreams list, update it via API");
-                return (None, e.to_string());
-            }
-        },
         "content" => {
             info!("Reading upstreams from API post body");
             d.to_string()
@@ -85,6 +110,7 @@ pub async fn load_configuration(d: &str, kind: &str) -> (Option<Configuration>,
     let mut parsed: Config = match serde_yml::from_str(&yaml_data) {
         Ok(cfg) => cfg,
         Err(e) => {
+            println!("================================================");
             error!("Failed to parse upstreams file: {}", e);
             return (None, e.to_string());
         }
@@ -136,6 +162,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
             }
         }
     }
+
     let global_headers: DashMap<Arc<str>, Vec<(String, Arc<str>)>> = DashMap::new();
     global_headers.insert(Arc::from("/"), ch);
     config.client_headers.insert(Arc::from("GLOBAL_CLIENT_HEADERS"), global_headers);
@@ -154,6 +181,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
     config.extraparams.to_https = parsed.to_https;
     config.extraparams.sticky_sessions = parsed.sticky_sessions;
     config.extraparams.rate_limit = parsed.rate_limit;
+    config.extraparams.x4xx_limit = parsed.x4xx_limit;
 
     if let Some(rate) = &parsed.rate_limit {
         info!("Applied Global Rate Limit : {} request per second", rate);
@@ -162,7 +190,7 @@ async fn populate_headers_and_auth(config: &mut Configuration, parsed: &Config)
     if let Some(pa) = &parsed.authorization {
         let y: InnerAuth = InnerAuth {
             auth_type: Arc::from(pa.auth_type.clone()),
-            auth_cred: Arc::from(pa.auth_cred.clone()),
+            auth_cred: Arc::from(pa.auth_cred.clone().unwrap_or_default()),
         };
         config.extraparams.authentication = Some(Arc::from(y));
     }
@@ -191,10 +219,11 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                     if let Some(pa) = &path_config.authorization {
                         let y: InnerAuth = InnerAuth {
                             auth_type: Arc::from(pa.auth_type.clone()),
-                            auth_cred: Arc::from(pa.auth_cred.clone()),
+                            auth_cred: Arc::from(pa.auth_cred.clone().unwrap_or_default()),
                         };
                         path_auth = Some(Arc::from(y));
                     }
+
                     let redirect_link = path_config.redirect_to.as_ref().map(|www| Arc::from(www.as_str()));
                     if let Some((ip, port_str)) = server.split_once(':') {
                         if let Ok(port) = port_str.parse::<u16>() {
@@ -205,6 +234,7 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                                 is_http2: false,
                                 to_https: path_config.to_https.unwrap_or(false),
                                 rate_limit: path_config.rate_limit,
+                                x4xx_limit: path_config.x4xx_limit,
                                 healthcheck: path_config.healthcheck,
                                 redirect_to: redirect_link,
                                 authorization: path_auth,
@@ -228,7 +258,7 @@ async fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
             clone_dashmap_into(&r, &config.upstreams);
         }
         info!("Upstream Config:");
-        print_upstreams(&config.upstreams);
+        print_upstreams(&config.upstreams, &config.extraparams);
     }
 }
 pub fn parce_main_config(path: &str) -> AppConfig {
@@ -236,6 +266,11 @@ pub fn parce_main_config(path: &str) -> AppConfig {
     let reply = DashMap::new();
     let cfg: HashMap<String, String> = serde_yml::from_str(&data).expect("Failed to parse main config file");
     let mut cfo: AppConfig = serde_yml::from_str(&data).expect("Failed to parse main config file");
+
+    if let Ok(jwt_key) = env::var("JWT_KEY") {
+        cfo.master_key = Some(jwt_key);
+    };
+
     log_builder(&cfo, &cfo.log_file);
     cfo.hc_method = cfo.hc_method.to_uppercase();
     for (k, v) in cfg {
@@ -287,27 +322,6 @@ fn parce_tls_grades(what: Option<String>) -> Option<String> {
     }
 }
 
-/*
-fn log_builder1(conf: &AppConfig) {
-    let log_level = conf.log_level.clone();
-    unsafe {
-        match log_level.as_str() {
-            "info" => env::set_var("RUST_LOG", "info"),
-            "error" => env::set_var("RUST_LOG", "error"),
-            "warn" => env::set_var("RUST_LOG", "warn"),
-            "debug" => env::set_var("RUST_LOG", "debug"),
-            "trace" => env::set_var("RUST_LOG", "trace"),
-            "off" => env::set_var("RUST_LOG", "off"),
-            _ => {
-                println!("Error reading log level, defaulting to: INFO");
-                env::set_var("RUST_LOG", "info")
-            }
-        }
-    }
-    env_logger::builder().init();
-}
-*/
-
 pub fn build_headers(path_config: &Option<Vec<String>>, _config: &Configuration, hl: &mut Vec<(String, Arc<str>)>) {
     if let Some(headers) = &path_config {
         for header in headers {
@@ -331,7 +345,8 @@ fn log_builder(conf: &AppConfig, location: &Option<String>) {
             LevelFilter::Info
         }
     };
-    let pattern = "{d(%Y-%m-%d %H:%M:%S)} {l} {t} - {m}{n}";
+    // let pattern = "{d(%Y-%m-%d %H:%M:%S)} {l} {t} - {m}{n}";
+    let pattern = "{d(%Y-%m-%d %H:%M:%S)} {l} {t} - {m}\n";
     if let Some(location) = location {
         let file = FileAppender::builder().encoder(Box::new(PatternEncoder::new(pattern))).build(location).unwrap();
         let config = Log4rsConfig::builder()

src/utils/structs.rs

@@ -14,9 +14,10 @@ pub type Headers = DashMap<Arc<str>, DashMap<Arc<str>, Vec<(String, Arc<str>)>>>
 #[derive(Clone, Debug, Default)]
 pub struct Extraparams {
     pub to_https: Option<bool>,
-    pub sticky_sessions: bool,
+    pub sticky_sessions: Option<u64>,
     pub authentication: Option<Arc<InnerAuth>>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
 }
 
 #[derive(Debug, Default, Clone, Serialize, Deserialize)]
@@ -25,8 +26,9 @@ pub struct GlobalServiceMapping {
     pub hostname: String,
     pub path: Option<String>,
     pub to_https: Option<bool>,
-    pub sticky_sessions: Option<bool>,
+    pub sticky_sessions: Option<u64>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub client_headers: Option<Vec<String>>,
     pub server_headers: Option<Vec<String>>,
 }
@@ -48,7 +50,7 @@ pub struct Consul {
 pub struct Config {
     pub provider: String,
     pub to_https: Option<bool>,
-    pub sticky_sessions: bool,
+    pub sticky_sessions: Option<u64>,
     #[serde(default)]
     pub upstreams: Option<HashMap<String, HostConfig>>,
     #[serde(default)]
@@ -65,28 +67,30 @@ pub struct Config {
     pub kubernetes: Option<Kubernetes>,
     #[serde(default)]
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
 }
 
 #[derive(Debug, Default, Serialize, Deserialize)]
 pub struct HostConfig {
     pub paths: HashMap<String, PathConfig>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
 }
 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct Auth {
     #[serde(rename = "type")]
     pub auth_type: String,
     #[serde(rename = "data")]
-    pub auth_cred: String,
+    pub auth_cred: Option<String>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]
 pub struct PathConfig {
     pub servers: Vec<String>,
     pub to_https: Option<bool>,
-    pub sticky_sessions: Option<bool>,
     pub client_headers: Option<Vec<String>>,
     pub server_headers: Option<Vec<String>>,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub healthcheck: Option<bool>,
     pub redirect_to: Option<String>,
     pub authorization: Option<Auth>,
@@ -108,7 +112,7 @@ pub struct AppConfig {
     pub hc_method: String,
     pub upstreams_conf: String,
     pub log_level: String,
-    pub master_key: String,
+    pub master_key: Option<String>,
     pub config_address: String,
     pub proxy_address_http: String,
     pub config_api_enabled: bool,
@@ -142,6 +146,7 @@ pub struct InnerMap {
     pub is_http2: bool,
     pub to_https: bool,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub healthcheck: Option<bool>,
     pub redirect_to: Option<Arc<str>>,
     pub authorization: Option<Arc<InnerAuth>>,
@@ -157,6 +162,7 @@ impl InnerMap {
             is_http2: Default::default(),
             to_https: Default::default(),
             rate_limit: Default::default(),
+            x4xx_limit: Default::default(),
             healthcheck: Default::default(),
             redirect_to: Default::default(),
             authorization: Default::default(),
@@ -172,6 +178,7 @@ pub struct InnerMapForJson {
     pub is_http2: bool,
     pub to_https: bool,
     pub rate_limit: Option<isize>,
+    pub x4xx_limit: Option<u32>,
     pub healthcheck: Option<bool>,
 }
 #[derive(Debug, Default, Serialize, Deserialize)]

src/utils/tools.rs

@@ -1,6 +1,6 @@
 use crate::tls::load;
 use crate::tls::load::CertificateConfig;
-use crate::utils::structs::{InnerMap, InnerMapForJson, UpstreamSnapshotForJson, UpstreamsDashMap, UpstreamsIdMap};
+use crate::utils::structs::{InnerMap, InnerMapForJson, Extraparams, UpstreamSnapshotForJson, UpstreamsDashMap, UpstreamsIdMap};
 use dashmap::DashMap;
 use log::{error, info};
 use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
@@ -20,7 +20,7 @@ use std::sync::Arc;
 use std::time::{Duration, Instant};
 use std::{fs, process, thread, time};
 
-pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
+pub fn print_upstreams(upstreams: &UpstreamsDashMap, extraparams: &Extraparams) {
     let mut out = String::new();
     for host_entry in upstreams.iter() {
         writeln!(out, "Hostname: {}", host_entry.key()).unwrap();
@@ -29,13 +29,14 @@ pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
             for f in path_entry.value().0.clone() {
                 writeln!(
                     out,
-                    "        IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}, Rate Limit: {}",
+                    "        IP: {}, Port: {}, SSL: {}, H2: {}, To HTTPS: {}, Rate Limit: {}, 4xx Limit: {}",
                     f.address,
                     f.port,
                     f.is_ssl,
                     f.is_http2,
                     f.to_https,
-                    f.rate_limit.unwrap_or(0)
+                    f.rate_limit.unwrap_or(extraparams.rate_limit.unwrap_or(0)),
+                    f.x4xx_limit.unwrap_or(extraparams.x4xx_limit.unwrap_or(0))
                 )
                 .unwrap();
             }
@@ -152,13 +153,14 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                 let mut id = String::new();
                 write!(
                     &mut id,
-                    "{}:{}:{}:{}:{}:{}:{}:{:?}",
+                    "{}:{}:{}:{}:{}:{}:{}:{}:{:?}",
                     outer_entry.key(),
                     x.address,
                     x.port,
                     x.is_http2,
                     x.to_https,
                     x.rate_limit.unwrap_or_default(),
+                    x.x4xx_limit.unwrap_or_default(),
                     x.healthcheck.unwrap_or_default(),
                     x.authorization
                 )
@@ -177,6 +179,7 @@ pub fn clone_idmap_into(original: &UpstreamsDashMap, cloned: &UpstreamsIdMap) {
                     is_http2: false,
                     to_https: false,
                     rate_limit: None,
+                    x4xx_limit: None,
                     healthcheck: None,
                     redirect_to: None,
                     authorization: None,
@@ -303,6 +306,7 @@ pub fn upstreams_to_json(upstreams: &UpstreamsDashMap) -> serde_json::Result<Str
                             is_http2: a.is_http2,
                             to_https: a.to_https,
                             rate_limit: a.rate_limit,
+                            x4xx_limit: a.x4xx_limit,
                             healthcheck: a.healthcheck,
                         })
                         .collect(),

src/web/bgservice.rs

@@ -99,6 +99,7 @@ impl BackgroundService for LB {
                         new.sticky_sessions = ss.extraparams.sticky_sessions;
                         new.authentication = ss.extraparams.authentication.clone();
                         new.rate_limit = ss.extraparams.rate_limit;
+                        new.x4xx_limit = ss.extraparams.x4xx_limit;
                         self.extraparams.store(Arc::new(new));
                         self.client_headers.clear();
                         self.server_headers.clear();

src/web/proxyhttp.rs

@@ -7,6 +7,7 @@ use async_trait::async_trait;
 use axum::body::Bytes;
 use dashmap::DashMap;
 use log::{debug, error, warn};
+use moka::sync::Cache;
 use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::prelude::*;
 use pingora::ErrorSource::Upstream;
@@ -17,6 +18,7 @@ use pingora_proxy::{ProxyHttp, Session};
 use sha2::{Digest, Sha256};
 use std::cell::RefCell;
 use std::fmt::Write;
+use std::net::IpAddr;
 use std::sync::{Arc, LazyLock};
 use std::time::Duration;
 use tokio::time::Instant;
@@ -24,6 +26,7 @@ use tokio::time::Instant;
 static REVERSE_STORE: LazyLock<DashMap<String, String>> = LazyLock::new(DashMap::new);
 thread_local! {static IP_BUFFER: RefCell<String> = RefCell::new(String::with_capacity(50));}
 pub static RATE_LIMITER: LazyLock<Rate> = LazyLock::new(|| Rate::new(Duration::from_secs(1)));
+pub static REQUESTS_4XX: LazyLock<Cache<IpAddr, u32>> = LazyLock::new(|| Cache::builder().time_to_live(Duration::from_secs(1)).build());
 pub static LOCALHOST: LazyLock<Arc<str>> = LazyLock::new(|| Arc::from("localhost"));
 
 #[derive(Clone)]
@@ -39,12 +42,12 @@ pub struct LB {
 
 pub struct Context {
     backend_id: Option<String>,
-    sticky_sessions: bool,
     start_time: Instant,
     hostname: Option<Arc<str>>,
     upstream_peer: Option<Arc<InnerMap>>,
     extraparams: arc_swap::Guard<Arc<Extraparams>>,
     client_headers: Option<Vec<(String, Arc<str>)>>,
+    x4xx_limit: Option<u32>,
 }
 
 #[async_trait]
@@ -53,12 +56,12 @@ impl ProxyHttp for LB {
     fn new_ctx(&self) -> Self::CTX {
         Context {
             backend_id: None,
-            sticky_sessions: false,
             start_time: Instant::now(),
             hostname: None,
             upstream_peer: None,
             extraparams: self.extraparams.load(),
             client_headers: None,
+            x4xx_limit: None,
         }
     }
     async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
@@ -66,7 +69,7 @@ impl ProxyHttp for LB {
         let hostname = return_header_host_from_upstream(session, &self.ump_upst);
         _ctx.hostname = hostname;
         let mut backend_id = None;
-        if _ctx.extraparams.sticky_sessions {
+        if let Some(_) = _ctx.extraparams.sticky_sessions {
             if let Some(cookies) = session.req_header().headers.get("cookie") {
                 if let Ok(cookie_str) = cookies.to_str() {
                     if let Some(pos) = cookie_str.find("backend_id=") {
@@ -85,13 +88,28 @@ impl ProxyHttp for LB {
                     None => return Ok(false),
                     Some(ref innermap) => {
                         if let Some(auth) = _ctx.extraparams.authentication.as_ref().or(innermap.authorization.as_ref()) {
-                            if !authenticate(&auth.auth_type, &auth.auth_cred, session).await {
+                            if !authenticate(&auth, session).await {
                                 let _ = session.respond_error(401).await;
                                 warn!("Forbidden: {:?}, {}", session.client_addr(), session.req_header().uri.path());
                                 return Ok(true);
                             }
                         }
-
+                        if let Some(rate) = innermap.x4xx_limit.or(_ctx.extraparams.x4xx_limit) {
+                            _ctx.x4xx_limit = innermap.x4xx_limit;
+                            let rate_key = session.client_addr().and_then(|addr| addr.as_inet()).map(|inet| inet.ip());
+                            if let Some(rk) = rate_key {
+                                let count = REQUESTS_4XX.get(&rk).unwrap_or(0);
+                                if count > rate {
+                                    let header = ResponseHeader::build(429, None)?;
+                                    session.set_keepalive(None);
+                                    session.write_response_header(Box::new(header), true).await?;
+                                    if let (Some(oi), Some(oa)) = (&_ctx.hostname, rate_key) {
+                                        warn!("Limit 4XX: {}-rps exceed on {} from {} path {}", rate, oi, oa, session.req_header().uri.path());
+                                    }
+                                    return Ok(true);
+                                }
+                            }
+                        }
                         if let Some(rate) = innermap.rate_limit.or(_ctx.extraparams.rate_limit) {
                             let rate_key = session.client_addr().and_then(|addr| addr.as_inet()).map(|inet| inet.ip());
                             let curr_window_requests = RATE_LIMITER.observe(&rate_key, 1);
@@ -99,7 +117,9 @@ impl ProxyHttp for LB {
                                 let header = ResponseHeader::build(429, None)?;
                                 session.set_keepalive(None);
                                 session.write_response_header(Box::new(header), true).await?;
-                                debug!("Rate limited: {:?}, {}", rate_key, rate);
+                                if let (Some(oi), Some(oa)) = (&_ctx.hostname, rate_key) {
+                                    warn!("Limit: {}-rps exceed on {} from {}", rate, oi, oa);
+                                }
                                 return Ok(true);
                             }
                         }
@@ -161,7 +181,7 @@ impl ProxyHttp for LB {
                         peer.options.verify_cert = false;
                         peer.options.verify_hostname = false;
                     }
-                    if ctx.extraparams.sticky_sessions {
+                    if let Some(_) = ctx.extraparams.sticky_sessions {
                         let mut s = String::with_capacity(64);
                         write!(
                             &mut s,
@@ -177,7 +197,6 @@ impl ProxyHttp for LB {
                         )
                         .unwrap_or(());
                         ctx.backend_id = Some(s);
-                        ctx.sticky_sessions = true;
                     }
                     Ok(peer)
                 }
@@ -210,11 +229,11 @@ impl ProxyHttp for LB {
     }
 
     async fn upstream_request_filter(&self, session: &mut Session, upstream_request: &mut RequestHeader, ctx: &mut Self::CTX) -> Result<()> {
-        if let Some(client_ip) = session.client_addr() {
+        if let Some(ip) = session.client_addr().and_then(|a| a.as_inet()).map(|i| i.ip()) {
             IP_BUFFER.with(|buffer| {
                 let mut buf = buffer.borrow_mut();
                 buf.clear();
-                write!(buf, "{}", client_ip).unwrap_or(());
+                write!(buf, "{}", ip).unwrap_or(());
                 upstream_request.append_header("X-Forwarded-For", buf.as_str()).unwrap_or(false);
             });
         }
@@ -237,7 +256,7 @@ impl ProxyHttp for LB {
         Ok(())
     }
     async fn response_filter(&self, _session: &mut Session, _upstream_response: &mut ResponseHeader, ctx: &mut Self::CTX) -> Result<()> {
-        if ctx.sticky_sessions {
+        if let Some(val) = ctx.extraparams.sticky_sessions {
             if let Some(bid) = &ctx.backend_id {
                 let tt = if let Some(existing) = REVERSE_STORE.get(bid) {
                     existing.value().clone()
@@ -255,7 +274,11 @@ impl ProxyHttp for LB {
                 let mut buf = String::with_capacity(80);
                 buf.push_str("backend_id=");
                 buf.push_str(&tt);
-                buf.push_str("; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax");
+                buf.push_str("; Path=/; Max-Age=");
+                buf.push_str(&val.to_string());
+                buf.push_str("; HttpOnly; SameSite=Lax");
+                // buf.push_str("; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax");
+                // println!("{}", buf);
                 let _ = _upstream_response.insert_header("set-cookie", buf.as_str());
             }
         }
@@ -280,6 +303,14 @@ impl ProxyHttp for LB {
         };
         calc_metrics(m);
         ACTIVE_SESSIONS.dec();
+        if let Some(_) = ctx.x4xx_limit.or(ctx.extraparams.x4xx_limit) {
+            if 400 <= response_code && response_code <= 499 {
+                if let Some(ip) = session.client_addr().and_then(|a| a.as_inet()).map(|i| i.ip()) {
+                    let current = REQUESTS_4XX.get(&ip).unwrap_or(0);
+                    REQUESTS_4XX.insert(ip, current + 1);
+                }
+            }
+        }
     }
 }
 

src/web/start.rs

@@ -33,9 +33,10 @@ pub fn run() {
 
     let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams {
         to_https: None,
-        sticky_sessions: false,
+        sticky_sessions: None,
         authentication: None,
         rate_limit: None,
+        x4xx_limit: None,
     }));
 
     let cfg = Arc::new(maincfg);

src/web/webserver.rs

@@ -1,14 +1,13 @@
-// use std::net::SocketAddr;
 use crate::tls::acme::order::CHALLENGES;
-// use axum_server::tls_openssl::OpenSSLConfig;
 use crate::tls::acme::{account, order};
 use crate::utils::discovery::APIUpstreamProvider;
 use crate::utils::jwt::Claims;
+use crate::utils::metrics::{get_memory_usage, get_open_files, MEMORY_USAGE, OPEN_FILES};
 use crate::utils::structs::{Config, Configuration, UpstreamsDashMap};
 use crate::utils::tools::{upstreams_liveness_json, upstreams_to_json};
 use axum::body::Body;
 use axum::extract::{Query, State};
-use axum::http::{header::HeaderMap, Response, StatusCode};
+use axum::http::{Response, StatusCode};
 use axum::response::IntoResponse;
 use axum::routing::{any, get, post};
 use axum::{Json, Router};
@@ -21,7 +20,6 @@ use serde::Serialize;
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
-use subtle::ConstantTimeEq;
 use tokio::net::TcpListener;
 use tower_http::services::ServeDir;
 
@@ -32,7 +30,7 @@ struct OutToken {
 
 #[derive(Clone)]
 struct AppState {
-    master_key: String,
+    master_key: Option<String>,
     cert_creds: String,
     certs_dir: String,
     upstreams_file: String,
@@ -57,11 +55,6 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
     };
     let app = Router::new()
         // .route("/{*wildcard}", get(senderror))
-        // .route("/{*wildcard}", post(senderror))
-        // .route("/{*wildcard}", put(senderror))
-        // .route("/{*wildcard}", head(senderror))
-        // .route("/{*wildcard}", delete(senderror))
-        // .nest_service("/static", static_files)
         .route("/jwt", post(jwt_gen))
         .route("/acme_create", any(acme_create))
         .route("/acme_order/{*domain}", any(acme_order))
@@ -70,19 +63,6 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
         .route("/metrics", get(metrics))
         .route("/status", get(status))
         .with_state(app_state);
-
-    // if let Some(value) = &config.tls_address {
-    //     let cf = OpenSSLConfig::from_pem_file(config.tls_certificate.clone().unwrap(), config.tls_key_file.clone().unwrap()).unwrap();
-    //     let addr: SocketAddr = value.parse().expect("Unable to parse socket address");
-    //     let tls_app = app.clone();
-    //     tokio::spawn(async move {
-    //         if let Err(e) = axum_server::bind_openssl(addr, cf).serve(tls_app.into_make_service()).await {
-    //             eprintln!("TLS server failed: {}", e);
-    //         }
-    //     });
-    //     info!("Starting the TLS API server on: {}", value);
-    // }
-
     if let (Some(address), Some(folder)) = (&config.file_server_address, &config.file_server_folder) {
         let static_files = ServeDir::new(folder);
         let static_serve: Router = Router::new().fallback_service(static_files);
@@ -95,13 +75,11 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
     axum::serve(listener, app).await.unwrap();
 }
 
-async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap, content: String) -> impl IntoResponse {
+async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
     if !st.config_api_enabled {
         return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Config API is disabled !\n")).unwrap();
     }
-    // if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
 
-    if key_authorization(&headers, &params, &st.master_key) {
     let strcontent = content.as_str();
     let parsed = serde_yml::from_str::<Config>(strcontent);
     match parsed {
@@ -111,17 +89,14 @@ async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, S
             } else {
                 drop(tokio::spawn(async move { apply_config(content.as_str(), st, false).await }));
             }
-                // apply_config(content.as_str(), st).await;
+            Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap()
-                return Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap();
         }
         Err(err) => {
             error!("Failed to parse upstreams file: {}", err);
-                return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap();
+            Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap()
         }
     }
 }
-    Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap()
-}
 
 async fn apply_config(content: &str, mut st: AppState, save: bool) {
     let sl = crate::utils::parceyaml::load_configuration(content, "content").await;
@@ -137,7 +112,8 @@ async fn apply_config(content: &str, mut st: AppState, save: bool) {
 }
 
 async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) -> (StatusCode, Json<OutToken>) {
-    if payload.master_key == state.master_key {
+    if let Some(master_key) = &state.master_key {
+        if &payload.master_key == master_key {
             let now = SystemTime::now() + Duration::from_secs(payload.exp * 60);
             let expire = now.duration_since(UNIX_EPOCH).unwrap_or_default().as_secs();
 
@@ -166,9 +142,19 @@ async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) ->
             warn!("Unauthorised JWT generate request: {:?}", tok);
             (StatusCode::FORBIDDEN, Json(tok))
         }
+    } else {
+        let tok = OutToken {
+            token: "ERROR Getting JWT_KEY environment variable".to_string(),
+        };
+        error!("ERROR Getting JWT_KEY environment variable");
+        (StatusCode::INTERNAL_SERVER_ERROR, Json(tok))
+    }
 }
 
 async fn metrics() -> impl IntoResponse {
+    MEMORY_USAGE.set(get_memory_usage() as i64);
+    OPEN_FILES.set(get_open_files() as i64);
+
     let metric_families = gather();
     let encoder = TextEncoder::new();
     let mut buffer = Vec::new();
@@ -221,11 +207,7 @@ async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String,
 }
 
 #[allow(clippy::needless_return)]
-async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap) -> impl IntoResponse {
+async fn acme_create(State(state): State<AppState>) -> impl IntoResponse {
-    if !key_authorization(&headers, &params, &state.master_key) {
-        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
-    }
-
     match account::load_or_create(state.cert_creds.as_str()).await {
         Ok(txt) => {
             return Response::builder()
@@ -243,16 +225,7 @@ async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap
     };
 }
 #[allow(clippy::needless_return)]
-async fn acme_order(
+async fn acme_order(State(state): State<AppState>, axum::extract::Path(domain): axum::extract::Path<String>) -> impl IntoResponse {
-    State(state): State<AppState>,
-    axum::extract::Path(domain): axum::extract::Path<String>,
-    Query(params): Query<HashMap<String, String>>,
-    headers: HeaderMap,
-) -> impl IntoResponse {
-    if !key_authorization(&headers, &params, &state.master_key) {
-        return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
-    }
-
     let domain_clean = domain.trim_matches('/');
     match order::order(domain_clean, state.cert_creds.as_str(), state.certs_dir).await {
         Ok(txt) => {
@@ -292,13 +265,4 @@ pub async fn http01_challenge(axum::extract::Path(token): axum::extract::Path<St
         .unwrap()
 }
 
-fn key_authorization(headers: &HeaderMap, params: &HashMap<String, String>, masterkey: &str) -> bool {
-    if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
-        if s.as_bytes().ct_eq(masterkey.as_bytes()).into() {
-            return true;
-        }
-    }
-    false
-}
-
 // -- ⚝ by Dave -- in NeoVim ⚝ --