src/config.rs

use anyhow::{Context, Result};
use serde::Deserialize;
use std::fs;

#[derive(Debug, Deserialize, Clone)]
pub struct SshConfig {
    /// Address to bind the SSH listener on, e.g. "0.0.0.0:22" or "[::]:22".
    pub listen: String,
    /// Upstream backend address, e.g. "gitea-ssh.devtools.svc.cluster.local:2222".
    pub backend: String,
}

#[derive(Debug, Deserialize, Clone)]
pub struct Config {
    pub listen: ListenConfig,
    pub tls: TlsFileConfig,
    pub telemetry: TelemetryConfig,
    pub routes: Vec<RouteConfig>,
    /// Optional SSH TCP passthrough (port 22 → Gitea SSH).
    pub ssh: Option<SshConfig>,
    /// Optional KNN-based DDoS detection.
    pub ddos: Option<DDoSConfig>,
    /// Optional per-identity rate limiting.
    pub rate_limit: Option<RateLimitConfig>,
    /// Optional per-request scanner detection.
    pub scanner: Option<ScannerConfig>,
}

#[derive(Debug, Deserialize, Clone)]
pub struct DDoSConfig {
    pub model_path: String,
    #[serde(default = "default_k")]
    pub k: usize,
    #[serde(default = "default_threshold")]
    pub threshold: f64,
    #[serde(default = "default_window_secs")]
    pub window_secs: u64,
    #[serde(default = "default_window_capacity")]
    pub window_capacity: usize,
    #[serde(default = "default_min_events")]
    pub min_events: usize,
    #[serde(default = "default_enabled")]
    pub enabled: bool,
}

#[derive(Debug, Deserialize, Clone)]
pub struct RateLimitConfig {
    #[serde(default = "default_rl_enabled")]
    pub enabled: bool,
    #[serde(default)]
    pub bypass_cidrs: Vec<String>,
    #[serde(default = "default_eviction_interval")]
    pub eviction_interval_secs: u64,
    #[serde(default = "default_stale_after")]
    pub stale_after_secs: u64,
    pub authenticated: BucketConfig,
    pub unauthenticated: BucketConfig,
}

#[derive(Debug, Deserialize, Clone)]
pub struct BucketConfig {
    pub burst: u32,
    pub rate: f64,
}

#[derive(Debug, Deserialize, Clone)]
pub struct ScannerConfig {
    pub model_path: String,
    #[serde(default = "default_scanner_threshold")]
    pub threshold: f64,
    #[serde(default = "default_scanner_enabled")]
    pub enabled: bool,
    /// How often (seconds) to check the model file for changes. 0 = no hot-reload.
    #[serde(default = "default_scanner_poll_interval")]
    pub poll_interval_secs: u64,
    /// Bot allowlist rules. Verified bots bypass the scanner model.
    #[serde(default)]
    pub allowlist: Vec<BotAllowlistRule>,
    /// TTL (seconds) for verified bot IP cache entries.
    #[serde(default = "default_bot_cache_ttl")]
    pub bot_cache_ttl_secs: u64,
}

#[derive(Debug, Deserialize, Clone)]
pub struct BotAllowlistRule {
    /// Case-insensitive UA prefix to match, e.g. "Googlebot".
    pub ua_prefix: String,
    /// Human-readable label for pipeline logs.
    pub reason: String,
    /// Reverse-DNS hostname suffixes for verification.
    /// e.g. ["googlebot.com", "google.com"]
    #[serde(default)]
    pub dns_suffixes: Vec<String>,
    /// CIDR ranges for instant IP verification.
    /// e.g. ["66.249.64.0/19"]
    #[serde(default)]
    pub cidrs: Vec<String>,
}

fn default_bot_cache_ttl() -> u64 { 86400 } // 24h

fn default_scanner_threshold() -> f64 { 0.5 }
fn default_scanner_enabled() -> bool { true }
fn default_scanner_poll_interval() -> u64 { 30 }

fn default_rl_enabled() -> bool { true }
fn default_eviction_interval() -> u64 { 300 }
fn default_stale_after() -> u64 { 600 }

fn default_k() -> usize { 5 }
fn default_threshold() -> f64 { 0.6 }
fn default_window_secs() -> u64 { 60 }
fn default_window_capacity() -> usize { 1000 }
fn default_min_events() -> usize { 10 }
fn default_enabled() -> bool { true }

#[derive(Debug, Deserialize, Clone)]
pub struct ListenConfig {
    /// HTTP listener address, e.g., "0.0.0.0:80" or "[::]:80".
    pub http: String,
    /// HTTPS listener address, e.g., "0.0.0.0:443" or "[::]:443".
    pub https: String,
}

#[derive(Debug, Deserialize, Clone)]
pub struct TlsFileConfig {
    pub cert_path: String,
    pub key_path: String,
}

#[derive(Debug, Deserialize, Clone)]
pub struct TelemetryConfig {
    pub otlp_endpoint: String,
}

/// A path-prefix sub-route within a virtual host.
/// Matched longest-prefix-first when multiple entries share a prefix.
#[derive(Debug, Deserialize, Clone)]
pub struct PathRoute {
    pub prefix: String,
    pub backend: String,
    /// Strip the matched prefix before forwarding to the backend.
    #[serde(default)]
    pub strip_prefix: bool,
    #[serde(default)]
    pub websocket: bool,
}

#[derive(Debug, Deserialize, Clone)]
pub struct RouteConfig {
    pub host_prefix: String,
    pub backend: String,
    #[serde(default)]
    pub websocket: bool,
    /// When true, plain-HTTP requests for this host are forwarded as-is rather
    /// than being redirected to HTTPS. Defaults to false (redirect enforced).
    #[serde(default)]
    pub disable_secure_redirection: bool,
    /// Optional path-based sub-routes (longest prefix wins).
    /// If the request path matches a sub-route, its backend is used instead.
    #[serde(default)]
    pub paths: Vec<PathRoute>,
}

impl Config {
    pub fn load(path: &str) -> Result<Self> {
        let raw = fs::read_to_string(path)
            .with_context(|| format!("reading config from {path}"))?;
        toml::from_str(&raw).with_context(|| "parsing config.toml")
    }
}
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`use anyhow::{Context, Result};`
			`use serde::Deserialize;`
			`use std::fs;`

feat(proxy): add SSH TCP passthrough and graceful HTTP-only startup Add optional [ssh] config block that proxies port 22 → Gitea SSH pod, running on a dedicated thread/runtime matching the cert-watcher pattern. Also start HTTP-only on first deploy when the TLS cert file doesn't exist yet — once ACME challenge completes and the cert watcher writes the file, a graceful upgrade adds the TLS listener without downtime. Fix ACME watcher to handle InitApply events (kube-runtime v3+) so Ingresses that existed before the proxy started are picked up correctly. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct SshConfig {`
feat: add native dual-stack IPv4/IPv6 support This commit implements comprehensive dual-stack support for the proxy, allowing it to listen on both IPv4 and IPv6 addresses simultaneously. Key changes: - Added new dual_stack.rs module with DualStackTcpListener implementation - Updated SSH module to use dual-stack listener - Updated configuration documentation to reflect IPv6 support - Added comprehensive tests for dual-stack functionality The implementation is inspired by tokio_dual_stack but implemented natively without external dependencies. It provides fair connection distribution between IPv4 and IPv6 clients while maintaining full backward compatibility with existing IPv4-only configurations. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`/// Address to bind the SSH listener on, e.g. "0.0.0.0:22" or "[::]:22".`
feat(proxy): add SSH TCP passthrough and graceful HTTP-only startup Add optional [ssh] config block that proxies port 22 → Gitea SSH pod, running on a dedicated thread/runtime matching the cert-watcher pattern. Also start HTTP-only on first deploy when the TLS cert file doesn't exist yet — once ACME challenge completes and the cert watcher writes the file, a graceful upgrade adds the TLS listener without downtime. Fix ACME watcher to handle InitApply events (kube-runtime v3+) so Ingresses that existed before the proxy started are picked up correctly. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`pub listen: String,`
			`/// Upstream backend address, e.g. "gitea-ssh.devtools.svc.cluster.local:2222".`
			`pub backend: String,`
			`}`

feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct Config {`
			`pub listen: ListenConfig,`
			`pub tls: TlsFileConfig,`
			`pub telemetry: TelemetryConfig,`
			`pub routes: Vec<RouteConfig>,`
feat(proxy): add SSH TCP passthrough and graceful HTTP-only startup Add optional [ssh] config block that proxies port 22 → Gitea SSH pod, running on a dedicated thread/runtime matching the cert-watcher pattern. Also start HTTP-only on first deploy when the TLS cert file doesn't exist yet — once ACME challenge completes and the cert watcher writes the file, a graceful upgrade adds the TLS listener without downtime. Fix ACME watcher to handle InitApply events (kube-runtime v3+) so Ingresses that existed before the proxy started are picked up correctly. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`/// Optional SSH TCP passthrough (port 22 → Gitea SSH).`
			`pub ssh: Option<SshConfig>,`
feat(proxy): integrate DDoS, scanner, and rate limiter into request pipeline Wire up all three detection layers in request_filter with pipeline logging at each stage for unfiltered training data. Add DDoS, scanner, and rate_limit config sections. Bot allowlist check before scanner model on the hot path. CLI subcommands for train/replay. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:20 +00:00			`/// Optional KNN-based DDoS detection.`
			`pub ddos: Option<DDoSConfig>,`
			`/// Optional per-identity rate limiting.`
			`pub rate_limit: Option<RateLimitConfig>,`
			`/// Optional per-request scanner detection.`
			`pub scanner: Option<ScannerConfig>,`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`}`

feat(proxy): integrate DDoS, scanner, and rate limiter into request pipeline Wire up all three detection layers in request_filter with pipeline logging at each stage for unfiltered training data. Add DDoS, scanner, and rate_limit config sections. Bot allowlist check before scanner model on the hot path. CLI subcommands for train/replay. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:20 +00:00			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct DDoSConfig {`
			`pub model_path: String,`
			`#[serde(default = "default_k")]`
			`pub k: usize,`
			`#[serde(default = "default_threshold")]`
			`pub threshold: f64,`
			`#[serde(default = "default_window_secs")]`
			`pub window_secs: u64,`
			`#[serde(default = "default_window_capacity")]`
			`pub window_capacity: usize,`
			`#[serde(default = "default_min_events")]`
			`pub min_events: usize,`
			`#[serde(default = "default_enabled")]`
			`pub enabled: bool,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct RateLimitConfig {`
			`#[serde(default = "default_rl_enabled")]`
			`pub enabled: bool,`
			`#[serde(default)]`
			`pub bypass_cidrs: Vec<String>,`
			`#[serde(default = "default_eviction_interval")]`
			`pub eviction_interval_secs: u64,`
			`#[serde(default = "default_stale_after")]`
			`pub stale_after_secs: u64,`
			`pub authenticated: BucketConfig,`
			`pub unauthenticated: BucketConfig,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct BucketConfig {`
			`pub burst: u32,`
			`pub rate: f64,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct ScannerConfig {`
			`pub model_path: String,`
			`#[serde(default = "default_scanner_threshold")]`
			`pub threshold: f64,`
			`#[serde(default = "default_scanner_enabled")]`
			`pub enabled: bool,`
			`/// How often (seconds) to check the model file for changes. 0 = no hot-reload.`
			`#[serde(default = "default_scanner_poll_interval")]`
			`pub poll_interval_secs: u64,`
			`/// Bot allowlist rules. Verified bots bypass the scanner model.`
			`#[serde(default)]`
			`pub allowlist: Vec<BotAllowlistRule>,`
			`/// TTL (seconds) for verified bot IP cache entries.`
			`#[serde(default = "default_bot_cache_ttl")]`
			`pub bot_cache_ttl_secs: u64,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct BotAllowlistRule {`
			`/// Case-insensitive UA prefix to match, e.g. "Googlebot".`
			`pub ua_prefix: String,`
			`/// Human-readable label for pipeline logs.`
			`pub reason: String,`
			`/// Reverse-DNS hostname suffixes for verification.`
			`/// e.g. ["googlebot.com", "google.com"]`
			`#[serde(default)]`
			`pub dns_suffixes: Vec<String>,`
			`/// CIDR ranges for instant IP verification.`
			`/// e.g. ["66.249.64.0/19"]`
			`#[serde(default)]`
			`pub cidrs: Vec<String>,`
			`}`

			`fn default_bot_cache_ttl() -> u64 { 86400 } // 24h`

			`fn default_scanner_threshold() -> f64 { 0.5 }`
			`fn default_scanner_enabled() -> bool { true }`
			`fn default_scanner_poll_interval() -> u64 { 30 }`

			`fn default_rl_enabled() -> bool { true }`
			`fn default_eviction_interval() -> u64 { 300 }`
			`fn default_stale_after() -> u64 { 600 }`

			`fn default_k() -> usize { 5 }`
			`fn default_threshold() -> f64 { 0.6 }`
			`fn default_window_secs() -> u64 { 60 }`
			`fn default_window_capacity() -> usize { 1000 }`
			`fn default_min_events() -> usize { 10 }`
			`fn default_enabled() -> bool { true }`

feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct ListenConfig {`
feat: add native dual-stack IPv4/IPv6 support This commit implements comprehensive dual-stack support for the proxy, allowing it to listen on both IPv4 and IPv6 addresses simultaneously. Key changes: - Added new dual_stack.rs module with DualStackTcpListener implementation - Updated SSH module to use dual-stack listener - Updated configuration documentation to reflect IPv6 support - Added comprehensive tests for dual-stack functionality The implementation is inspired by tokio_dual_stack but implemented natively without external dependencies. It provides fair connection distribution between IPv4 and IPv6 clients while maintaining full backward compatibility with existing IPv4-only configurations. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`/// HTTP listener address, e.g., "0.0.0.0:80" or "[::]:80".`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`pub http: String,`
feat: add native dual-stack IPv4/IPv6 support This commit implements comprehensive dual-stack support for the proxy, allowing it to listen on both IPv4 and IPv6 addresses simultaneously. Key changes: - Added new dual_stack.rs module with DualStackTcpListener implementation - Updated SSH module to use dual-stack listener - Updated configuration documentation to reflect IPv6 support - Added comprehensive tests for dual-stack functionality The implementation is inspired by tokio_dual_stack but implemented natively without external dependencies. It provides fair connection distribution between IPv4 and IPv6 clients while maintaining full backward compatibility with existing IPv4-only configurations. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`/// HTTPS listener address, e.g., "0.0.0.0:443" or "[::]:443".`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`pub https: String,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct TlsFileConfig {`
			`pub cert_path: String,`
			`pub key_path: String,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct TelemetryConfig {`
			`pub otlp_endpoint: String,`
			`}`

			`/// A path-prefix sub-route within a virtual host.`
			`/// Matched longest-prefix-first when multiple entries share a prefix.`
			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct PathRoute {`
			`pub prefix: String,`
			`pub backend: String,`
			`/// Strip the matched prefix before forwarding to the backend.`
			`#[serde(default)]`
			`pub strip_prefix: bool,`
			`#[serde(default)]`
			`pub websocket: bool,`
			`}`

			`#[derive(Debug, Deserialize, Clone)]`
			`pub struct RouteConfig {`
			`pub host_prefix: String,`
			`pub backend: String,`
			`#[serde(default)]`
			`pub websocket: bool,`
feat(proxy): add per-route disable_secure_redirection; preserve query string in redirect By default every plain-HTTP request is 301-redirected to HTTPS — no upstream is ever contacted, making it as close to an L4 redirect as HTTP allows. New RouteConfig field `disable_secure_redirection` (bool, default false): when set to true on a route, plain-HTTP requests for that host pass through to the backend unchanged instead of being redirected. Also fixes the redirect URL to include the original query string, which was previously dropped (e.g. ?next=/dashboard would be lost after redirect). Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`/// When true, plain-HTTP requests for this host are forwarded as-is rather`
			`/// than being redirected to HTTPS. Defaults to false (redirect enforced).`
			`#[serde(default)]`
			`pub disable_secure_redirection: bool,`
feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt> 2026-03-10 23:38:19 +00:00			`/// Optional path-based sub-routes (longest prefix wins).`
			`/// If the request path matches a sub-route, its backend is used instead.`
			`#[serde(default)]`
			`pub paths: Vec<PathRoute>,`
			`}`

			`impl Config {`
			`pub fn load(path: &str) -> Result<Self> {`
			`let raw = fs::read_to_string(path)`
			`.with_context(\|\| format!("reading config from {path}"))?;`
			`toml::from_str(&raw).with_context(\|\| "parsing config.toml")`
			`}`
			`}`