proxy

Author	SHA1	Message	Date
Sienna Meridian Satterwhite	76ad9e93e5	feat(static_files): add static file serving, SPA fallback, rewrites, body rewriting, and auth subrequests Add static file serving with try_files chain ($uri, $uri.html, $uri/index.html, fallback), regex-based URL rewrites compiled at startup, response body find/replace for text/html and JS content, auth subrequests with header capture for path routes, and custom response headers per route. Extends RouteConfig with static_root, fallback, rewrites, body_rewrites, and response_headers fields. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:20 +00:00
Sienna Meridian Satterwhite	0fd10110ff	feat(proxy): add request IDs, tracing spans, and observability hooks Generate UUID v4 request IDs per request, create manual tracing spans (Pingora types don't impl Debug), record Prometheus metrics for detection decisions and request totals, and forward X-Request-Id to both upstream requests and downstream responses. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:20 +00:00
Sienna Meridian Satterwhite	1ae185b5a5	feat(metrics): add Prometheus metrics and scrape endpoint Add a prometheus metrics module with counters for requests, DDoS/scanner/ rate-limit decisions, active connections gauge, and request duration histogram. Spawn a lightweight HTTP server on a configurable port (default 9090) serving /metrics and /health endpoints. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:20 +00:00
Sienna Meridian Satterwhite	867b6b2489	feat(proxy): integrate DDoS, scanner, and rate limiter into request pipeline Wire up all three detection layers in request_filter with pipeline logging at each stage for unfiltered training data. Add DDoS, scanner, and rate_limit config sections. Bot allowlist check before scanner model on the hot path. CLI subcommands for train/replay. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:20 +00:00
Sienna Meridian Satterwhite	e16299068f	feat: add native dual-stack IPv4/IPv6 support This commit implements comprehensive dual-stack support for the proxy, allowing it to listen on both IPv4 and IPv6 addresses simultaneously. Key changes: - Added new dual_stack.rs module with DualStackTcpListener implementation - Updated SSH module to use dual-stack listener - Updated configuration documentation to reflect IPv6 support - Added comprehensive tests for dual-stack functionality The implementation is inspired by tokio_dual_stack but implemented natively without external dependencies. It provides fair connection distribution between IPv4 and IPv6 clients while maintaining full backward compatibility with existing IPv4-only configurations. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:19 +00:00
Sienna Meridian Satterwhite	41cf6ccc49	fix(deps): upgrade pingora 0.7→0.8 and aws-lc-sys to patch CVEs - pingora* 0.7.0 → 0.8.0: fixes CVE-2026-2833 (HTTP request smuggling via premature connection closure, CRITICAL) - aws-lc-sys 0.37.1 → 0.38.0: fixes GHSA-65p9-r9h6-22vj (timing side-channel in AES-CCM tag verification, HIGH) Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:19 +00:00
Sienna Meridian Satterwhite	6ec0f78a5b	feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:19 +00:00

7 Commits