Commit Graph

55 Commits

Author SHA1 Message Date
yusing
b082d6dc77 fix(entrypoint): log global inbound mTLS errors instead of panicking
When resolveInboundMTLSProfileForRoute fails for the global profile, emit a
zerolog error and continue without applying that pool. Apply inbound mTLS from
the global profile only when err is nil and pool is non-nil.

Add yaml struct tags to InboundMTLSProfile alongside json for YAML config
loading.

Clarify no-op stub methods in inbound_mtls_validation_test with comments.
2026-04-13 17:15:19 +08:00
yusing
2a6ad90b72 fix(entrypoint): return nil map from compileInboundMTLSProfiles on error
compileInboundMTLSProfiles now returns a nil map when compilation fails,
instead of a partially populated map alongside the error. This avoids
callers accidentally using incomplete state when err != nil.

Add TestCompileInboundMTLSProfilesReturnsNilMapOnError for a mixed ok/bad
profile map. Reformat fakeHTTPRoute stub methods in the test file.
2026-04-13 16:46:34 +08:00
yusing
c7f9c2889b fix(entrypoint): reject missing inbound mTLS profile references
Add lookupInboundMTLSProfile so global and route-scoped refs must exist
in the loaded profile map. Propagate resolver errors through TLS
GetConfigForClient; in HTTP dispatch, return 421 only for SNI and
misdirected secure-route cases and log 500 for other resolution
failures.

Support adding routes with an existing listener for tests, reserve the
port via net.Listen without a race, and use t.Cleanup for server
teardown. Move relay_proxy_protocol_header documentation to per-route
TCP config in config.example.yml.
2026-04-13 15:15:09 +08:00
yusing
2a3823091d feat(entrypoint): add inbound mTLS profiles for HTTPS
Add root-level inbound_mtls_profiles combining optional system CAs with PEM
CA files, and entrypoint.inbound_mtls_profile to require client certificates
on every HTTPS connection. Route-level inbound_mtls_profile is allowed only
without a global profile; per-handshake TLS picks ClientCAs from SNI, and
requests fail with 421 when Host and SNI would select different mTLS routes.

Compile pools at init (SetInboundMTLSProfiles from state.initEntrypoint) and
reject unknown profile refs or mixed global-plus-route configuration.

Extend config.example.yml and package READMEs; add entrypoint and config
tests for TLS mutation, handshakes, and validation.
2026-04-13 15:14:57 +08:00
yusing
d5406fb039 doc(entrypoint): escape [] in mermaid 2026-02-28 18:16:03 +08:00
yusing
0f78158c64 refactor: fix lint errors; improve error handling 2026-02-22 16:04:25 +08:00
yusing
3a7d1f8b18 refactor: modernize code with go fix 2026-02-21 13:03:21 +08:00
yusing
20695c52e8 docs: unify header to import path for package docs 2026-02-18 03:25:32 +08:00
yusing
54ea4d8790 refactor(entrypoint): enhance Entrypoint interface with detailed comments 2026-02-15 20:08:10 +08:00
yusing
154149b06d refactor: minor styling fixes; deadcode cleanup and correct log level 2026-02-15 20:08:09 +08:00
yusing
fa9239f5eb refactor: update pool initialization to include pool key 2026-02-13 22:10:46 +08:00
yusing
1579f490c0 refactor: replace gperr with standard errors package and simplify string parsing
- Replace gperr.Error return types with standard error across test files
- Replace gperr.New with errors.New in validation and serialization tests
- Update API documentation in README files to use error instead of gperr.Error
- Simplify string parsing using strings.Cut in docker/label.go
- Update benchmarks to use NewTestEntrypoint and remove task package dependency
2026-02-10 16:59:19 +08:00
yusing
a0d0ad0958 fix(lint): improve styling and fix lint errors 2026-02-10 16:57:41 +08:00
Yuzerion
31b4fedf72 refactor(entrypoint): move route registry into entrypoint context (#200)
- Introduced `NewTestRoute` function to simplify route creation in benchmark tests.
- Replaced direct route validation and starting with error handling using `require.NoError`.
- Updated server retrieval to use `common.ProxyHTTPAddr` for consistency.
- Improved logging for HTTP route addition errors in `AddRoute` method.

* fix(tcp): wrap proxy proto listener before acl

* refactor(entrypoint): propagate errors from route registration and stream serving

* fix(docs): correct swagger and package README
2026-02-08 09:17:46 +08:00
yusing
0a2df3b9e3 refactor(entrypoint): rename shortLinkTree to shortLinkMatcher 2026-02-01 10:00:04 +08:00
yusing
92bf8b196f refactor(accesslog): restructure access logging; enhance console output format
Major refactoring of the access logging infrastructure to improve code organization and add proper console/stdout logging support.

- Renamed `Writer` interface to `File` and consolidated with `SupportRotate`
- Renamed `Log(req, res)` to `LogRequest(req, res)` for clarity
- Added new `ConsoleLogger` with zerolog console writer for formatted stdout output
- Moved type definitions to new `types.go` file
- Changed buffer handling from `[]byte` returns to `*bytes.Buffer` parameters
- Renamed internal files for clarity (`access_logger.go` → `file_access_logger.go`)
- Fixed fileserver access logging timing: moved logging after handler execution with defer
- Correct response handling in Fileserver
- Remove deprecated field `buffer_size`
- Simplify and remove unnecessary code

All callers have been updated to use the new APIs.
2026-01-19 15:00:37 +08:00
yusing
4275cdae38 docs: enhance package README documentation 2026-01-09 10:27:55 +08:00
yusing
e9d7edef12 docs: add per package README for implementation details (AI generated with human review) 2026-01-08 23:39:19 +08:00
yusing
0dfce823bf refactor(http): performance improvement
- Introduced a sync.Pool for ResponseRecorder to optimize memory usage.
- Updated ServeHTTP method to utilize the new GetResponseRecorder and PutResponseRecorder functions.
- Adjusted NewResponseRecorder to leverage the pooling mechanism.
2026-01-03 02:20:01 +08:00
yusing
590743f1ef feat(entrypoint): implement short link #177
- Added ShortLinkMatcher to handle short link routing.
- Integrated short link handling in Entrypoint.
- Introduced tests for short link matching and dispatching.
- Configured default domain suffix for subdomain aliases.
2026-01-02 15:42:15 +08:00
yusing
3dbbde164b fix(route): enhance host parsing with port suffix support
- Added logic to strip the trailing :port from the host when searching for routes.
- Updated findRouteByDomains function to ensure consistent host formatting.
- Added related tests
2025-12-30 22:46:38 +08:00
yusing
55a42b81de refactor(healthcheck): streamline health check configuration and defaults
- Moved health check constants from common package alongside type definition.
- Updated health check configuration to use struct directly instead of pointers.
- Introduced global default health check config
2025-12-04 15:19:10 +08:00
yusing
306cb7a20e fix(access_logger): fix stdout and path not working at the same time 2025-11-01 12:07:22 +08:00
yusing
290af4e311 perf(mem): replace Scheme and ExcludedReason string with uint8 type to reduce mem usage 2025-10-15 14:35:44 +08:00
yusing
dcc5ab8952 fix(entrypoint): 404 everything with match_domains 2025-10-13 06:45:29 +08:00
yusing
dc9ae32e8f feat(entrypoint): add not found rule to customize 404 behavior 2025-10-12 21:04:49 +08:00
yusing
c66de99fcb perf: further optimize http and body buffer handling 2025-10-12 20:57:51 +08:00
yusing
c3fa7c66a7 feat(entrypoint): added CatchAll and NotFound rules and handler 2025-10-09 01:03:16 +08:00
yusing
cab68807ee refactor(config): restructured with better concurrency and error handling, reduced cross referencing 2025-10-09 01:02:24 +08:00
yusing
6776f20332 refactor: move task, error and testing utils to separate repo; apply gofumpt 2025-09-27 13:41:50 +08:00
yusing
f9affba9fc refactor(modules): replace github.com/yusing/go-proxy with github.com/yusing/godoxy 2025-09-22 16:44:59 +08:00
yusing
f31b1b5ed3 refactor(misc): enhance performance on bytes pool, entrypoint, access log and route context handling
- Introduced benchmark tests for Entrypoint and ReverseProxy to evaluate performance.
- Updated Entrypoint's ServeHTTP method to improve route context management.
- Added new test file for entrypoint benchmarks and refined existing tests for route handling.
2025-09-14 00:03:27 +08:00
yusing
35a3e3fef6 refactor(api): restructured API for type safety, maintainability and docs generation
- These changes make the API incompatible with previous versions
- Added new types for error handling, success responses, and health checks.
- Updated health check logic to utilize the new types for better clarity and structure.
- Refactored existing handlers to improve response consistency and error handling.
- Updated Makefile to include a new target for generating API types from Swagger.
- Updated "new agent" API to respond with an encrypted cert pair
2025-08-16 13:04:05 +08:00
yusing
e906b358fa tweak(entrypoint): introducing ResponseRecorder specialized for access logger for better throughput 2025-06-15 17:42:38 +08:00
Yuzerion
4a8bd48ad5 fix: optimize memory usage, fix agent and code refactor (#118)
* refactor: simplify io code and make utils module independent

* fix(docker): agent and socket-proxy docker event flushing with modified reverse proxy handler

* refactor: remove unused code

* refactor: remove the use of logging module in most code

* refactor: streamline domain mismatch check in certState function

* tweak: use ecdsa p-256 for autocert

* fix(tests): update health check tests for invalid host and add case for port in host

* feat(acme): custom acme directory

* refactor: code refactor and improved context and error handling

* tweak: optimize memory usage under load

* fix(oidc): restore old user matching behavior

* docs: add ChatGPT assistant to README

---------

Co-authored-by: yusing <yusing@6uo.me>
2025-05-25 09:45:57 +08:00
yusing
71ca8c738e fix: middleware bypass 2025-05-11 06:33:22 +08:00
yusing
75ee0e63bd fix(middleware): fix route bypass matching
- replace upstream headers approach with context value
2025-05-08 17:49:36 +08:00
yusing
b427ff1f88 feat(acl): connection level ip/geo blocking
- fixed access log logic
- implement acl at connection level
- acl logging
- ip/cidr blocking
- geoblocking with MaxMind database
2025-04-25 10:47:52 +08:00
yusing
e513db62b0 refactor: move accesslog to logging/accesslog 2025-04-25 08:37:39 +08:00
yusing
31812430f1 merge: access log rotation and enhancements 2025-04-24 15:29:18 +08:00
yusing
663a107c06 merge: main branch 2025-04-24 15:02:31 +08:00
yusing
90f8e82f14 refactor: error http handling 2025-03-28 07:39:26 +08:00
Yuzerion
1a5f3735cf Feat/fileserver (#60)
* cleanup code for URL type

* fix makefile for trace mode

* refactor, merge Entry, RawEntry and Route into one.

* Implement fileserver.

* refactor: rename HTTPRoute to ReverseProxyRoute to avoid confusion

* refactor: move metrics logger to middleware package

- fix prometheus metrics for load balanced routes
  - route will now fail when health monitor fails to start

* fix extra output of ls-* commands by defer initializing stuff, speed up start time

* add test for path traversal attack, small fix on FileServer.Start method

* rename rule.on.bypass to pass

* refactor and fixed map-to-map deserialization

* updated route loading logic

* schemas: add "add_prefix" option to modify_request middleware

* updated route JSONMarshalling

---------

Co-authored-by: yusing <yusing@6uo.me>
2025-02-06 18:23:10 +08:00
yusing
dd0bbdc7b4 fix logs not printing correctly, removed unnecessary loggers 2025-01-20 17:42:54 +08:00
Yuzerion
fb0dc7dea0 Feat/OIDC middleware (#50)
* implement OIDC middleware

* auth code cleanup

* allow override allowed_user in middleware, fix typos

* fix tests and callbackURL

* update next release docs

* fix OIDC middleware not working with Authentik

* feat: add groups support for OIDC claims (#41)

Allow users to specify allowed groups in the env and use it to inspect the claims.

This performs a logical AND of users and groups (additive).

* merge feat/oidc-middleware (#49)

* api: enrich provider statistics

* fix: docker monitor now uses container status

* Feat/auto schemas (#48)

* use auto generated schemas

* go version bump and dependencies upgrade

* clarify some error messages

---------

Co-authored-by: yusing <yusing@6uo.me>

* cleanup some loadbalancer code

* api: cleanup websocket code

* api: add /v1/health/ws for health bubbles on dashboard

* feat: experimental memory logger and logs api for WebUI

---------

Co-authored-by: yusing <yusing@6uo.me>

---------

Co-authored-by: yusing <yusing@6uo.me>
Co-authored-by: Peter Olds <peter@olds.co>
2025-01-19 13:48:52 +08:00
yusing
b3c47e759f fix incorrect reload behaviors, further organize code 2025-01-09 04:26:00 +08:00
yusing
5fa0d47c0d more flexible domain matching 2025-01-01 17:05:43 +08:00
yusing
1ab34ed46f simplify task package implementation 2025-01-01 06:07:32 +08:00
yusing
e7be27413c small string split join optimization 2024-12-19 00:54:31 +08:00
yusing
00f60a6e78 feature: accesslogger 2024-12-18 03:09:46 +08:00