doc: add virtual hosting example

fix: security vulnerabilities
ref #31
2024-06-27 11:12:58 +02:00 · 2024-06-27 10:04:29 +02:00 · 2024-06-26 16:31:14 +02:00 · 2024-06-26 16:23:28 +02:00 · 2024-06-26 16:22:30 +02:00 · 2024-06-26 15:00:23 +02:00
70 changed files with 2059 additions and 382 deletions
--- a/.env.dist
+++ b/.env.dist
@ -0,0 +1 @@
+GODEBUG="http1debug=2 http2debug=2"
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,5 @@
 /data
 /out
 .dockerconfigjson
+*.prof
+proxy.test
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -63,6 +63,9 @@ nfpms:
      - src: layers
        dst: /etc/bouncer/layers
        type: config
+      - src: templates
+        dst: /etc/bouncer/templates
+        type: config
      - dst: /etc/bouncer/bootstrap.d
        type: dir
        file_info:
--- a/10
+++ b/10
@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22.0 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.22 AS BUILD

 RUN apt-get update \
    && apt-get install -y make
@ -22,6 +22,7 @@ RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser

 # Patch config
 RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
+&& yq -i '.proxy.templates.dir = "/usr/share/bouncer/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.authn.templateDir = "/usr/share/bouncer/layers/authn/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
@ -32,7 +33,7 @@ RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bounc
    && yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml

-FROM reg.cadoles.com/proxy_cache/library/alpine:3.19.1 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.20 AS RUNTIME

 RUN apk add --no-cache ca-certificates dumb-init

@ -42,6 +43,7 @@ RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer

 COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
 COPY --from=BUILD /src/layers /usr/share/bouncer/layers
+COPY --from=BUILD /src/templates /usr/share/bouncer/templates
 COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml

 RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
@ -50,10 +52,12 @@ EXPOSE 8080
 EXPOSE 8081
 EXPOSE 8082

-RUN adduser -D -H bouncer
+RUN adduser -D -s /bin/sh bouncer

 ENV BOUNCER_CONFIG=/etc/bouncer/config.yml

 USER bouncer

+WORKDIR /home/bouncer
+
 CMD ["bouncer"]
--- a/11
+++ b/11
@ -59,7 +59,7 @@ deps: .env

 .PHONY: goreleaser
 goreleaser: deps
-	( set -o allexport && source .env && set +o allexport && VERSION=$(GORELEASER_VERSION) curl -sfL https://goreleaser.com/static/run | GORELEASER_CURRENT_TAG="$(FULL_VERSION)" bash /dev/stdin $(GORELEASER_ARGS) )
+	( set -o allexport && source .env && set +o allexport &&  curl -sfL https://goreleaser.com/static/run | VERSION=$(GORELEASER_VERSION) GORELEASER_CURRENT_TAG="$(FULL_VERSION)" bash /dev/stdin $(GORELEASER_ARGS) )

 .PHONY: start-release
 start-release:
@ -81,7 +81,7 @@ finish-release:
 	git push --tags

 docker-build:
-	docker build -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
+	docker build --pull -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
 	docker tag $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) $(DOCKER_IMAGE_NAME):latest

 docker-release:
@ -130,6 +130,13 @@ tools/grafterm/bin/grafterm:
 	mkdir -p tools/grafterm/bin
 	GOBIN=$(PWD)/tools/grafterm/bin go install github.com/slok/grafterm/cmd/grafterm@v0.2.0

+bench:
+	go test -bench=. -run '^$$' -count=10 ./...
+
+tools/benchstat/bin/benchstat:
+	mkdir -p tools/benchstat/bin
+	GOBIN=$(PWD)/tools/benchstat/bin go install golang.org/x/perf/cmd/benchstat@latest
+
 full-version:
 	@echo $(FULL_VERSION)

--- a/README.md
+++ b/README.md
@ -4,7 +4,16 @@

 # Bouncer

-Serveur mandataire inverse (_"reverse proxy"_) filtrant avec gestion de files d'attente dynamiques.
+Serveur mandataire inverse (_"reverse proxy"_) avec fonctionnalités avancées pilotable par API REST.
+
+## Fonctionnalités
+
+- Authentification unique basée sur entêtes HTTP ("Trusted headers SSO") avec:
+  - Fournisseur d'identité OpenID Connect ;
+  - Basic Auth ;
+  - Origine réseau ;
+- Gestion de files d'attente dynamiques pour maîtriser la charge sur les services protégés ;
+- Réécriture dynamique des attributs (notamment entêtes HTTP) des requêtes/réponses via un DSL.

 ## Documentation

@ -12,4 +21,4 @@ Serveur mandataire inverse (_"reverse proxy"_) filtrant avec gestion de files d'

 ## Licence

-AGPL-3.0
+AGPL-3.0
--- a/doc/README.md
+++ b/doc/README.md
@ -1,7 +1,8 @@
 # Documentation

- [(FR) - Premiers pas](./fr/getting-started.md)
 - [(FR) - Architecture générale](./fr/general-architecture.md)
+- [(FR) - Terminologie](./fr/terminology.md)
+- [(FR) - Premiers pas](./fr/getting-started.md)

 ## Exemples

@ -18,6 +19,7 @@

 ### Utilisation

+- [(FR) - Le cas du "virtual hosting"](./fr/tutorials/virtual-hosting.md)
 - [(FR) - Ajouter un layer de type "file d'attente"](./fr/tutorials/add-queue-layer.md)
 - [(FR) - Ajouter une authentification OpenID Connect](./fr/tutorials/add-oidc-authn-layer.md)
 - [(FR) - Amorçage d'un serveur Bouncer via la configuration](./fr/tutorials/bootstrapping.md)
--- a/doc/fr/general-architecture.md
+++ b/doc/fr/general-architecture.md
@ -2,31 +2,6 @@

 ## Modèles de déploiement

-### Déploiement mono-noeud
+### Mode mono-noeud

-![](../resources/deployment_fr.png)
-
-## Terminologie
-
-Voici une liste des termes utilisés dans le lexique Bouncer.
-
-### Proxy
-
-Un "proxy" est une entité logique définissant le relation suivante:
-
- Un ou plusieurs patrons de filtrage sous la forme d'un patron d'URL avec le caractère `*` comme caractère générique. Ceux ci identifient le ou les domaines/chemins associés à l'entité;
- Une URL cible qui servira de base pour la réécriture des requêtes.
-
-Un "proxy" peut avoir zéro ou plusieurs "layers" associés.
-
-Un "proxy" peut être activé ou désactivé.
-
-Un "proxy" a un poids qui définit son niveau de priorité dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
-
-### Layer
-
-Un "layer" (calque) est une entité logique définissant un traitement à appliquer aux requêtes et/ou aux réponses transitant par un proxy.
-
-Un "layer" peut être activé ou désactivé.
-
-Un "layer" a un poids qui définit son niveau de priorité dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+![](../resources/deployment_single_node_fr.png)
--- a/doc/fr/references/layers/README.md
+++ b/doc/fr/references/layers/README.md
@ -4,3 +4,4 @@ Vous trouverez ci-dessous la liste des entités "Layer" activables sur vos entit

 - [Authn (`authn-*`)](./authn/README.md) - Authentification des accès (SSO)
 - [Queue](./queue.md) - File d'attente dynamique
+- [Rewriter](./rewriter.md) - Réécriture dynamiques des attributs des requêtes/réponses
--- a/doc/fr/references/layers/authn/README.md
+++ b/doc/fr/references/layers/authn/README.md
@ -36,16 +36,28 @@ Le comportement des règles par défaut est le suivant:

 Interdire l'accès à l'utilisateur.

-#### `set_header(name string, value string)`
+##### `add_header(name string, value string)`

-Définir la valeur d'une entête HTTP via son nom `name` et sa valeur `value`.
+Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.

-#### `del_headers(pattern string)`
+##### `set_header(name string, value string)`
+
+Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
+
+##### `del_headers(pattern string)`

 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.

 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.

+##### `set_host(host string)`
+
+Modifier la valeur de l'entête `Host` de la requête.
+
+##### `set_url(url string)`
+
+Modifier l'URL du serveur cible.
+
 ### Environnement

 Les règles ont accès aux variables suivantes pendant leur exécution.
--- a/doc/fr/references/layers/rewriter.md
+++ b/doc/fr/references/layers/rewriter.md
@ -0,0 +1,116 @@
+# Layer "Rewriter"
+
+## Description
+
+Ce layer permet de modifier dynamiquement certains attributs de requêtes/réponses transitant par le proxy.
+
+## Type
+
+`rewriter`
+
+## Schéma des options
+
+Les options disponibles pour le layer sont décrites via un [schéma JSON](https://json-schema.org/specification). Elles sont documentées dans le [schéma visible ici](../../../../internal/proxy/director/layer/rewriter/layer-options.json).
+
+## Moteur de règles
+
+Les options `rules.request` et `rules.response` permettent de définir des listes de règles utilisant un DSL modifiant de manière dynamique les attributs des requêtes/réponses transitant par le proxy.
+
+Les listes d'instructions sont exécutées séquentiellement.
+
+Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus des fonctionnalités natives du langage, Bouncer ajoute un certain nombre de fonctions spécifiques au contexte d'utilisation.
+
+### Fonctions
+
+#### Communes
+
+##### `add_header(name string, value string)`
+
+Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
+
+##### `set_header(name string, value string)`
+
+Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
+
+##### `del_headers(pattern string)`
+
+Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
+
+Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
+
+#### Requête
+
+##### `set_host(host string)`
+
+Modifier la valeur de l'entête `Host` de la requête.
+
+##### `set_url(url string)`
+
+Modifier l'URL du serveur cible.
+
+#### Réponse
+
+_Pas de fonctions spécifiques._
+
+### Environnement
+
+Les règles ont accès aux variables suivantes pendant leur exécution. **Ces données sont en lecture seule.**
+
+#### Requête
+
+##### `request`
+
+La requête en cours de traitement.
+
+```js
+{
+    method: "string", // Méthode HTTP
+    host: "string", // Nom d'hôte (`Host`) associé à la requête
+    url: "string", // URL associée à la requête
+    proto: "string", // Numéro de version du protocole utilisé
+    protoMajor: "int", // Numéro de version majeure du protocole utilisé
+    protoMinor: "int",  // Numéro de version mineur du protocole utilisé
+    header: { // Table associative des entêtes HTTP associés à la requête
+        "string": ["string"]
+    },
+    contentLength: "int", // Taille du corps de la requête
+    transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
+        "string": ["string"]
+    },
+    remoteAddr: "string", // Adresse du client HTTP à l'origine de la requête
+    requestUri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
+}
+```
+
+#### Réponse
+
+##### `response`
+
+La réponse en cours de traitement.
+
+```js
+{
+    statusCode: "int", // Code de statut de la réponse
+    status: "string", // Message associé au code de statut
+    proto: "string", // Numéro de version du protocole utilisé
+    protoMajor: "int", // Numéro de version majeure du protocole utilisé
+    protoMinor: "int",  // Numéro de version mineur du protocole utilisé
+    header: { // Table associative des entêtes HTTP associés à la requête
+        "string": ["string"]
+    },
+    contentLength: "int", // Taille du corps de la réponse
+    transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
+        "string": ["string"]
+    },
+}
+```
+
+##### `request`
+
+_Voir section précédente._
+
+## Métriques
+
+_Pas de métriques spécifiques._
--- a/doc/fr/terminology.md
+++ b/doc/fr/terminology.md
@ -0,0 +1,29 @@
+# Terminologie
+
+Voici une liste des termes utilisés dans le lexique Bouncer.
+
+## Proxy
+
+Un proxy est une entité logique définie par les propriétés suivantes:
+
+- Il possède **un ou plusieurs filtres d'origine** sous la forme de motifs d'URL avec le caractère `*` comme joker. Ces filtres identifient le ou les URLs associées au proxy.
+- Il peut avoir **zéro ou une URL cible**, qui servira de base pour la réécriture des requêtes. Si l'URL est absente, on parle alors de "passthrough" (voir note).
+- Il peut avoir **zéro ou plusieurs "layers" associés**.
+- Il peut être **activé ou désactivé**.
+- Il a **un poids qui définit son niveau de priorité** dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+
+Pour résumer un proxy répond à la question "_Quelle URL orienter vers quel serveur cible ?_".
+
+> **Passthrough**
+>
+> Un proxy "passthrough" est un proxy n'ayant pas d'URL cible (champ vide). Dans ce cas si les motifs d'URLs correspondent à l'URL de la requête Bouncer appliquera les layers associés puis passera la main aux proxies suivants.
+
+## Layer
+
+Un layer est une entité logique définie par les propriétés suivantes:
+
+- Il a **un type auquel est associé un schéma d'options** permettant de configurer son comportement.
+- Il peut être **activé ou désactivé**.
+- Il a **un poids qui définit son niveau de priorité** dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+
+Pour résumer un layer répond à la question "_Quel traitement appliquer à la requête et/ou réponse ?_".
--- a/doc/fr/tutorials/add-oidc-authn-layer.md
+++ b/doc/fr/tutorials/add-oidc-authn-layer.md
@ -55,7 +55,7 @@ Par défaut ce serveur écoute sur le port 8082. Il est possible de modifier l'a
   bouncer admin proxy update --proxy-name my-proxy --proxy-enabled
   ```

-3. À ce stade, vous devriez pouvoir afficher la page du serveur `dummy` en ouvrant l'URL de votre instance Bouncer, par exemple `http://localhost:8080` si vous avez travaillez avec une instance Bouncer locale avec la configuration par défaut
+3. À ce stade, vous devriez pouvoir afficher la page du serveur `dummy` en ouvrant l'URL de votre instance Bouncer, par exemple `http://localhost:8080` si vous travaillez avec une instance Bouncer locale avec la configuration par défaut

 4. Créer un layer de type `authn-oidc` pour notre nouveau proxy

--- a/doc/fr/tutorials/create-custom-layer.md
+++ b/doc/fr/tutorials/create-custom-layer.md
@ -10,13 +10,13 @@ Avoir un environnement de développement local fonctionnel. Voir tutoriel ["Dém

 ### Préparer la structure de base du nouveau layer

-Une implémetation d'un layer se compose majoritairement de 3 éléments:
+Une implémentation d'un layer se compose majoritairement de 3 éléments:

 - Une structure qui implémente une ou plusieurs interfaces (`director.MiddlewareLayer`, `director.RequestTransformerLayer` et/ou `director.ResponseTransformerLayer`);
 - Un schéma au format [JSON Schema](http://json-schema.org/) qui permettra de valider les "options" de notre layer;
 - Un fichier d'amorçage qui permettra à Bouncer de référencer notre nouveau layer.

-1. Créer le répertoire du `package` Go qui contiendra le code de votre layer. Celui ci s'appelera `basicauth`:
+1. Créer le répertoire du `package` Go qui contiendra le code de votre layer. Celui ci s’appellera `basicauth`:

   ```
   mkdir -p internal/proxy/director/layer/basicauth
@ -133,26 +133,22 @@ Une implémetation d'un layer se compose majoritairement de 3 éléments:

 ## Tester l'intégration de notre nouveau layer

-À ce stade, notre nouveau layer est normalement référencé et donc "utilisable" dans Bouncer (si on omet le fait qu'il déclenchera une `panic()`).
+À ce stade, notre nouveau layer est normalement référencé et donc "utilisable" dans Bouncer (si on omet le fait qu'il déclenchera un `panic()`).

 1. Vérifier que notre layer est bien référencé en exécutant la commande:

   ```
-   ./bin/bouncer admin layer create --help
+   ./bin/bouncer admin definition layer query --with-type basicauth
   ```

   La sortie devrait ressembler à:

   ```
-   NAME:
-   bouncer admin layer create - Create layer
-
-   USAGE:
-   bouncer admin layer create [command options] [arguments...]
-
-   OPTIONS:
-   --layer-type LAYER_TYPE        Set LAYER_TYPE as layer's type (available: [basicauth queue])
-   [...]
+    +-----------+-----------------------------------+
+    | TYPE      | OPTIONS                           |
+    +-----------+-----------------------------------+
+    | basicauth | {"type":"object","properties":... |
+    +-----------+-----------------------------------+
   ```

   Comme vous devriez le voir nous pouvons désormais créer des layers de type `basicauth`.
--- a/doc/fr/tutorials/profiling.md
+++ b/doc/fr/tutorials/profiling.md
@ -0,0 +1,31 @@
+# Analyser les performances de Bouncer
+
+1. Lancer un benchmark du proxy
+
+   ```shell
+   go test -bench=. -run '^$' -count=5 -cpuprofile bench_proxy.prof ./internal/proxy
+   ```
+
+2. Visualiser les temps d'exécution
+
+   ```shell
+   go tool pprof -web bench_proxy.prof
+   ```
+
+3. Comparer les performances d'une exécution à l'autre
+
+   ```shell
+   # Lancer un premier benchmark
+   go test -bench=. -run '^$' -count=10 ./internal/proxy > bench_before.txt
+
+   # Faire des modifications sur les sources
+
+   # Lancer un second benchmark
+   go test -bench=. -run '^$' -count=10 ./internal/proxy > bench_after.txt
+
+   # Installer l'outil benchstat
+   make tools/benchstat/bin/benchstat
+
+   # Comparer les rapports
+   tools/benchstat/bin/benchstat bench_before.txt bench_after.txt
+   ```
--- a/doc/fr/tutorials/virtual-hosting.md
+++ b/doc/fr/tutorials/virtual-hosting.md
@ -0,0 +1,129 @@
+# Le cas du "virtual hosting"
+
+De nombreux serveurs HTTP utilisent le mécanisme du ["virtual hosting"](https://en.wikipedia.org/wiki/Virtual_hosting) afin d'héberger plusieurs sites/applications différentes sur un même serveur, se basant alors sur l'entête HTTP `Host` pour effectuer le routage.
+
+## Exemple
+
+Pour exemple, avec le site [example.net](https://example.net) il est facile de tester ce type de comportement. Ainsi, en exécutant une requête HTTP avec `curl`:
+
+```shell
+curl -I https://example.net
+```
+
+On obtient le résultat suivant:
+
+```
+HTTP/2 200
+accept-ranges: bytes
+age: 568237
+cache-control: max-age=604800
+content-type: text/html; charset=UTF-8
+date: Thu, 27 Jun 2024 08:32:46 GMT
+etag: "3147526947"
+expires: Thu, 04 Jul 2024 08:32:46 GMT
+last-modified: Thu, 17 Oct 2019 07:18:26 GMT
+server: ECAcc (bsb/2789)
+x-cache: HIT
+content-length: 1256
+```
+
+Ce résultat indique que le serveur a correctement orienté notre requête (code HTTP `200`) et qu'il nous a renvoyé la réponse attendue.
+
+Si maintenant on modifie l'entête `Host` de notre requête pour la remplacer par une valeur arbitraire:
+
+```shell
+curl -I -H 'Host: localhost:8080' https://example.net
+```
+
+On obtient alors le résultat:
+
+```
+HTTP/2 404
+content-type: text/html
+date: Thu, 27 Jun 2024 08:38:04 GMT
+server: ECAcc (bsb/2789)
+content-length: 345
+```
+
+Le serveur nous répond avec un code HTTP `404`, indiquant qu'il n'a pas trouvé la page demandée.
+
+> **Note**
+> Le code HTTP retourné par le serveur peut varier en fonction des implémentations. Parfois la requête sera orientée vers la page par défaut, parfois vous recevrez un code d'erreur HTTP comme `404`, `421`, etc.
+
+## Avec Bouncer
+
+Ce mécanisme peut parfois poser problème avec Bouncer car par défaut celui ci n'effectue pas de réécriture de l'entête `Host`. Pour exemple:
+
+1.  Créez puis activez un nouveau proxy pointant vers https://example.net
+
+    ```shell
+    bouncer admin proxy create --proxy-name example --proxy-to https://example.net
+    bouncer admin proxy update --proxy-name example --proxy-enabled=true
+    ```
+
+2.  Avec `curl`, faites une requête sur votre nouveau proxy:
+
+    ```shell
+     curl -I http://localhost:8080
+    ```
+
+    La réponse devrait ressembler à:
+
+    ```
+    HTTP/1.1 404 Not Found
+    Content-Length: 345
+    Content-Type: text/html
+    Date: Thu, 27 Jun 2024 08:49:05 GMT
+    Server: ECAcc (bsb/2789)
+    ```
+
+    On retrouve bien notre code HTTP `404` tel que vu plus haut. En effet, vu que l'on accède au proxy Bouncer avec `http://localhost:8080` alors le serveur distant recevra l'entête `Host: localhost:8080`.
+
+### Comment corriger la situation ?
+
+Le layer [`rewriter`](../references/layers/rewriter.md) a été implémenté notamment pour répondre à ce type de cas. Voyons comment l'utiliser:
+
+1. Créez puis activez un nouveau layer pour votre proxy `example`:
+
+   ```bash
+    # Création du layer
+    bouncer admin layer create --proxy-name example --layer-name host-rewrite --layer-type rewriter
+
+    # Mise à jour et activation du layer
+    bouncer admin layer update \
+        --proxy-name example \
+        --layer-name host-rewrite \
+        --layer-options '{ "rules": { "request": ["set_host(\"example.net\")"] } }' \
+        --layer-enabled=true
+   ```
+
+   > **Les règles**
+   >
+   > Le layer `rewriter` permet la modification des requêtes/réponses via un moteur de règles.
+   >
+   > [Voir la page du layer pour plus d'informations](../references/layers/rewriter.md) sur la syntaxe ainsi que sur l'API à disposition des règles.
+
+2. Testez maintenant à nouveau un appel vers votre proxy:
+
+   ```shell
+    curl -I http://localhost:8080
+   ```
+
+   La réponse devrait ressembler à:
+
+   ```
+    HTTP/1.1 200 OK
+    Accept-Ranges: bytes
+    Age: 569980
+    Cache-Control: max-age=604800
+    Content-Length: 1256
+    Content-Type: text/html; charset=UTF-8
+    Date: Thu, 27 Jun 2024 09:01:49 GMT
+    Etag: "3147526947"
+    Expires: Thu, 04 Jul 2024 09:01:49 GMT
+    Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
+    Server: ECAcc (bsb/2789)
+    X-Cache: HIT
+   ```
+
+   Cette fois ci, le serveur distant a bien identifié la cible de notre requête.
--- a/doc/resources/deployment_single_node_fr.plantuml
+++ b/doc/resources/deployment_single_node_fr.plantuml
--- a/doc/resources/deployment_single_node_fr.png
+++ b/doc/resources/deployment_single_node_fr.png
--- a/go.mod
+++ b/go.mod
@ -1,11 +1,11 @@
 module forge.cadoles.com/cadoles/bouncer

-go 1.21
+go 1.22

 toolchain go1.22.0

 require (
-	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6
+	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/bsm/redislock v0.9.4
 	github.com/btcsuite/btcd/btcutil v1.1.3
@ -92,8 +92,9 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
@ -110,18 +111,18 @@ require (
 require (
 	cdr.dev/slog v1.6.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/go-chi/cors v1.2.1
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/uuid v1.3.0
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/httprc v1.0.5 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.19
+	github.com/lestrrat-go/jwx/v2 v2.1.0
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.0 // indirect
 	github.com/lithammer/shortuuid/v4 v4.0.0
@ -131,11 +132,11 @@ require (
 	github.com/urfave/cli/v2 v2.25.3
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20240226160244-6b2826c79f88
-	golang.org/x/crypto v0.19.0
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/crypto v0.24.0
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1
--- a/go.sum
+++ b/go.sum
@ -8,8 +8,8 @@ cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5
 cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
 cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
 cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
-forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6 h1:FTk0ZoaV5N8Tkps5Da5RrDMZZXSHZIuD67Hy1Y4fsos=
-forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
+forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926 h1:gSTTuW2lqH66cGVrhplrVrqos62BY1/GxR3KYh2TElk=
+forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@ -83,8 +83,8 @@ github.com/dchest/uniuri v1.2.0 h1:koIcOUdrTIivZgSLhHQvKgqdWZq5d7KdMEWF1Ud6+5g=
 github.com/dchest/uniuri v1.2.0/go.mod h1:fSzm4SLHzNZvWLvWJew423PhAzkpNQYq+uNLq4kxhkY=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
@ -133,8 +133,8 @@ github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfC
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@ -208,12 +208,12 @@ github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N
 github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
-github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/OLUk=
+github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.0.19 h1:ekv1qEZE6BVct89QA+pRF6+4pCpfVrOnEJnTnT4RXoY=
-github.com/lestrrat-go/jwx/v2 v2.0.19/go.mod h1:l3im3coce1lL2cDeAjqmaR+Awx+X8Ih+2k8BuHNJ4CU=
+github.com/lestrrat-go/jwx/v2 v2.1.0 h1:0zs7Ya6+39qoit7gwAf+cYm1zzgS3fceIdo7RmQ5lkw=
+github.com/lestrrat-go/jwx/v2 v2.1.0/go.mod h1:Xpw9QIaUGiIUD1Wx0NcY1sIHwFf8lDuZn/cmxtXYRys=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
@ -339,8 +339,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@ -375,13 +375,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -395,8 +395,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -405,8 +405,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -433,13 +433,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -447,8 +447,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -457,8 +457,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/admin/proxy_route.go
+++ b/internal/admin/proxy_route.go
@ -121,7 +121,7 @@ func (s *Server) deleteProxy(w http.ResponseWriter, r *http.Request) {

 type CreateProxyRequest struct {
 	Name string   `json:"name" validate:"required"`
-	To   string   `json:"to" validate:"required"`
+	To   string   `json:"to"`
 	From []string `json:"from" validate:"required"`
 }

--- a/internal/cache/cache.go
+++ b/internal/cache/cache.go
@ -0,0 +1,6 @@
+package cache
+
+type Cache[K comparable, V any] interface {
+	Get(key K) (V, bool)
+	Set(key K, value V)
+}
--- a/internal/cache/memory/cache.go
+++ b/internal/cache/memory/cache.go
@ -0,0 +1,34 @@
+package memory
+
+import (
+	"sync"
+
+	cache "forge.cadoles.com/cadoles/bouncer/internal/cache"
+)
+
+type Cache[K comparable, V any] struct {
+	store *sync.Map
+}
+
+// Get implements cache.Cache.
+func (c *Cache[K, V]) Get(key K) (V, bool) {
+	raw, exists := c.store.Load(key)
+	if !exists {
+		return *new(V), false
+	}
+
+	return raw.(V), exists
+}
+
+// Set implements cache.Cache.
+func (c *Cache[K, V]) Set(key K, value V) {
+	c.store.Store(key, value)
+}
+
+func NewCache[K comparable, V any]() *Cache[K, V] {
+	return &Cache[K, V]{
+		store: new(sync.Map),
+	}
+}
+
+var _ cache.Cache[string, bool] = &Cache[string, bool]{}
--- a/internal/cache/ttl/cache.go
+++ b/internal/cache/ttl/cache.go
@ -0,0 +1,39 @@
+package ttl
+
+import (
+	"time"
+
+	cache "forge.cadoles.com/cadoles/bouncer/internal/cache"
+)
+
+type Cache[K comparable, V any] struct {
+	timestamps cache.Cache[K, time.Time]
+	values     cache.Cache[K, V]
+	ttl        time.Duration
+}
+
+// Get implements cache.Cache.
+func (c *Cache[K, V]) Get(key K) (V, bool) {
+	timestamp, exists := c.timestamps.Get(key)
+	if !exists || timestamp.Add(c.ttl).Before(time.Now()) {
+		return *new(V), false
+	}
+
+	return c.values.Get(key)
+}
+
+// Set implements cache.Cache.
+func (c *Cache[K, V]) Set(key K, value V) {
+	c.timestamps.Set(key, time.Now())
+	c.values.Set(key, value)
+}
+
+func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
+	return &Cache[K, V]{
+		values:     values,
+		timestamps: timestamps,
+		ttl:        ttl,
+	}
+}
+
+var _ cache.Cache[string, bool] = &Cache[string, bool]{}
--- a/internal/cache/ttl/cache_test.go
+++ b/internal/cache/ttl/cache_test.go
@ -0,0 +1,39 @@
+package ttl
+
+import (
+	"testing"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+)
+
+func TestCache(t *testing.T) {
+	cache := NewCache(
+		memory.NewCache[string, int](),
+		memory.NewCache[string, time.Time](),
+		time.Second,
+	)
+
+	key := "foo"
+
+	if _, exists := cache.Get(key); exists {
+		t.Errorf("cache.Get(\"%s\"): should not exists", key)
+	}
+
+	cache.Set(key, 1)
+
+	value, exists := cache.Get(key)
+	if !exists {
+		t.Errorf("cache.Get(\"%s\"): should exists", key)
+	}
+
+	if e, g := 1, value; e != g {
+		t.Errorf("cache.Get(\"%s\"): expected '%v', got '%v'", key, e, g)
+	}
+
+	time.Sleep(time.Second)
+
+	if _, exists := cache.Get("foo"); exists {
+		t.Errorf("cache.Get(\"%s\"): should not exists", key)
+	}
+}
--- a/internal/command/admin/layer/query.go
+++ b/internal/command/admin/layer/query.go
@ -2,6 +2,7 @@ package layer

 import (
 	"os"
+	"slices"

 	"forge.cadoles.com/cadoles/bouncer/internal/client"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/admin/apierr"
@ -52,14 +53,16 @@ func QueryCommand() *cli.Command {

 			client := client.New(baseFlags.ServerURL, client.WithToken(token))

-			proxies, err := client.QueryLayer(ctx.Context, proxyName, options...)
+			layers, err := client.QueryLayer(ctx.Context, proxyName, options...)
 			if err != nil {
 				return errors.WithStack(apierr.Wrap(err))
 			}

+			slices.SortFunc(layers, sortLayerssByWeight)
+
 			hints := layerHeaderHints(baseFlags.OutputMode)

-			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(proxies)...); err != nil {
+			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(layers)...); err != nil {
 				return errors.WithStack(err)
 			}

@ -67,3 +70,13 @@ func QueryCommand() *cli.Command {
 		},
 	}
 }
+
+func sortLayerssByWeight(a *store.LayerHeader, b *store.LayerHeader) int {
+	if a.Weight < b.Weight {
+		return 1
+	}
+	if a.Weight > b.Weight {
+		return -1
+	}
+	return 0
+}
--- a/internal/command/admin/proxy/create.go
+++ b/internal/command/admin/proxy/create.go
@ -19,7 +19,7 @@ func CreateCommand() *cli.Command {
 		Name:  "create",
 		Usage: "Create proxy",
 		Flags: proxyFlag.WithProxyFlags(
-			flag.ProxyTo(true),
+			flag.ProxyTo(),
 			flag.ProxyFrom(),
 		),
 		Action: func(ctx *cli.Context) error {
--- a/internal/command/admin/proxy/flag/flag.go
+++ b/internal/command/admin/proxy/flag/flag.go
@ -30,12 +30,11 @@ func ProxyName() cli.Flag {

 const KeyProxyTo = "proxy-to"

-func ProxyTo(required bool) cli.Flag {
+func ProxyTo() cli.Flag {
 	return &cli.StringFlag{
-		Name:     KeyProxyTo,
-		Usage:    "Set `PROXY_TO` as proxy's destination url",
-		Value:    "",
-		Required: required,
+		Name:  KeyProxyTo,
+		Usage: "Set `PROXY_TO` as proxy's destination url",
+		Value: "",
 	}
 }

--- a/internal/command/admin/proxy/query.go
+++ b/internal/command/admin/proxy/query.go
@ -2,6 +2,7 @@ package proxy

 import (
 	"os"
+	"slices"

 	"forge.cadoles.com/cadoles/bouncer/internal/client"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/admin/apierr"
@ -51,6 +52,8 @@ func QueryCommand() *cli.Command {
 				return errors.WithStack(apierr.Wrap(err))
 			}

+			slices.SortFunc(proxies, sortProxiesByWeight)
+
 			hints := proxyHeaderHints(baseFlags.OutputMode)

 			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(proxies)...); err != nil {
@ -61,3 +64,13 @@ func QueryCommand() *cli.Command {
 		},
 	}
 }
+
+func sortProxiesByWeight(a *store.ProxyHeader, b *store.ProxyHeader) int {
+	if a.Weight < b.Weight {
+		return 1
+	}
+	if a.Weight > b.Weight {
+		return -1
+	}
+	return 0
+}
--- a/internal/command/admin/proxy/update.go
+++ b/internal/command/admin/proxy/update.go
@ -19,7 +19,7 @@ func UpdateCommand() *cli.Command {
 		Name:  "update",
 		Usage: "Update proxy",
 		Flags: proxyFlag.WithProxyFlags(
-			flag.ProxyTo(false),
+			flag.ProxyTo(),
 			flag.ProxyFrom(),
 			flag.ProxyEnabled(),
 			flag.ProxyWeight(),
--- a/internal/command/server/proxy/run.go
+++ b/internal/command/server/proxy/run.go
@ -3,6 +3,7 @@ package proxy
 import (
 	"fmt"
 	"strings"
+	"time"

 	"forge.cadoles.com/cadoles/bouncer/internal/command/common"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy"
@ -45,6 +46,7 @@ func RunCommand() *cli.Command {
 				proxy.WithServerConfig(conf.Proxy),
 				proxy.WithRedisConfig(conf.Redis),
 				proxy.WithDirectorLayers(layers...),
+				proxy.WithDirectorCacheTTL(time.Duration(conf.Proxy.Cache.TTL)),
 			)

 			addrs, srvErrs := srv.Start(ctx.Context)
--- a/internal/config/environment.go
+++ b/internal/config/environment.go
@ -206,7 +206,12 @@ func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {

 	duration, err := time.ParseDuration(str)
 	if err != nil {
-		return errors.Wrapf(err, "could not parse duration '%v',  line '%d'", str, value.Line)
+		nanoseconds, err := strconv.ParseInt(str, 10, 64)
+		if err != nil {
+			return errors.Wrapf(err, "could not parse duration '%v',  line '%d'", str, value.Line)
+		}
+
+		duration = time.Duration(nanoseconds)
 	}

 	*id = InterpolatedDuration(duration)
--- a/internal/config/layers.go
+++ b/internal/config/layers.go
@ -31,6 +31,7 @@ type QueueLayerConfig struct {
 }

 type AuthnLayerConfig struct {
+	Debug       InterpolatedBool     `yaml:"debug"`
 	TemplateDir InterpolatedString   `yaml:"templateDir"`
 	OIDC        AuthnOIDCLayerConfig `yaml:"oidc"`
 }
--- a/internal/config/proxy_server.go
+++ b/internal/config/proxy_server.go
@ -7,11 +7,27 @@ import (
 )

 type ProxyServerConfig struct {
-	HTTP      HTTPConfig      `yaml:"http"`
-	Metrics   MetricsConfig   `yaml:"metrics"`
-	Transport TransportConfig `yaml:"transport"`
-	Dial      DialConfig      `yaml:"dial"`
-	Sentry    SentryConfig    `yaml:"sentry"`
+	Debug     InterpolatedBool `yaml:"debug"`
+	HTTP      HTTPConfig       `yaml:"http"`
+	Metrics   MetricsConfig    `yaml:"metrics"`
+	Transport TransportConfig  `yaml:"transport"`
+	Dial      DialConfig       `yaml:"dial"`
+	Sentry    SentryConfig     `yaml:"sentry"`
+	Cache     CacheConfig      `yaml:"cache"`
+	Templates TemplatesConfig  `yaml:"templates"`
+}
+
+func NewDefaultProxyServerConfig() ProxyServerConfig {
+	return ProxyServerConfig{
+		Debug:     false,
+		HTTP:      NewHTTPConfig("0.0.0.0", 8080),
+		Metrics:   NewDefaultMetricsConfig(),
+		Transport: NewDefaultTransportConfig(),
+		Dial:      NewDefaultDialConfig(),
+		Sentry:    NewDefaultSentryConfig(),
+		Cache:     NewDefaultCacheConfig(),
+		Templates: NewDefaultTemplatesConfig(),
+	}
 }

 // See https://pkg.go.dev/net/http#Transport
@ -58,13 +74,22 @@ func (c TransportConfig) AsTransport() *http.Transport {
 	return httpTransport
 }

-func NewDefaultProxyServerConfig() ProxyServerConfig {
-	return ProxyServerConfig{
-		HTTP:      NewHTTPConfig("0.0.0.0", 8080),
-		Metrics:   NewDefaultMetricsConfig(),
-		Transport: NewDefaultTransportConfig(),
-		Dial:      NewDefaultDialConfig(),
-		Sentry:    NewDefaultSentryConfig(),
+func NewDefaultTransportConfig() TransportConfig {
+	return TransportConfig{
+		ForceAttemptHTTP2:      true,
+		MaxIdleConns:           100,
+		MaxIdleConnsPerHost:    100,
+		MaxConnsPerHost:        100,
+		IdleConnTimeout:        NewInterpolatedDuration(90 * time.Second),
+		TLSHandshakeTimeout:    NewInterpolatedDuration(10 * time.Second),
+		ExpectContinueTimeout:  NewInterpolatedDuration(1 * time.Second),
+		ResponseHeaderTimeout:  NewInterpolatedDuration(10 * time.Second),
+		DisableCompression:     false,
+		DisableKeepAlives:      false,
+		ReadBufferSize:         4096,
+		WriteBufferSize:        4096,
+		MaxResponseHeaderBytes: 0,
+		InsecureSkipVerify:     false,
 	}
 }

@ -85,21 +110,22 @@ func NewDefaultDialConfig() DialConfig {
 	}
 }

-func NewDefaultTransportConfig() TransportConfig {
-	return TransportConfig{
-		ForceAttemptHTTP2:      true,
-		MaxIdleConns:           100,
-		MaxIdleConnsPerHost:    100,
-		MaxConnsPerHost:        100,
-		IdleConnTimeout:        NewInterpolatedDuration(90 * time.Second),
-		TLSHandshakeTimeout:    NewInterpolatedDuration(10 * time.Second),
-		ExpectContinueTimeout:  NewInterpolatedDuration(1 * time.Second),
-		ResponseHeaderTimeout:  NewInterpolatedDuration(10 * time.Second),
-		DisableCompression:     false,
-		DisableKeepAlives:      false,
-		ReadBufferSize:         4096,
-		WriteBufferSize:        4096,
-		MaxResponseHeaderBytes: 0,
-		InsecureSkipVerify:     false,
+type CacheConfig struct {
+	TTL InterpolatedDuration `yaml:"ttl"`
+}
+
+func NewDefaultCacheConfig() CacheConfig {
+	return CacheConfig{
+		TTL: *NewInterpolatedDuration(time.Second * 30),
+	}
+}
+
+type TemplatesConfig struct {
+	Dir InterpolatedString `yaml:"dir"`
+}
+
+func NewDefaultTemplatesConfig() TemplatesConfig {
+	return TemplatesConfig{
+		Dir: "./templates",
 	}
 }
--- a/internal/proxy/director/context.go
+++ b/internal/proxy/director/context.go
@ -34,19 +34,6 @@ func OriginalURL(ctx context.Context) (*url.URL, error) {
 	return url, nil
 }

-func withProxy(ctx context.Context, proxy *store.Proxy) context.Context {
-	return context.WithValue(ctx, contextKeyProxy, proxy)
-}
-
-func ctxProxy(ctx context.Context) (*store.Proxy, error) {
-	proxy, err := ctxValue[*store.Proxy](ctx, contextKeyProxy)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
-	return proxy, nil
-}
-
 func withLayers(ctx context.Context, layers []*store.Layer) context.Context {
 	return context.WithValue(ctx, contextKeyLayers, layers)
 }
--- a/internal/proxy/director/director.go
+++ b/internal/proxy/director/director.go
@ -7,6 +7,7 @@ import (

 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
@ -17,6 +18,9 @@ type Director struct {
 	proxyRepository store.ProxyRepository
 	layerRepository store.LayerRepository
 	layerRegistry   *LayerRegistry
+
+	proxyCache cache.Cache[string, []*store.Proxy]
+	layerCache cache.Cache[string, []*store.Layer]
 }

 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
@ -32,15 +36,15 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	ctx = withOriginalURL(ctx, url)
 	ctx = logger.With(ctx, logger.F("url", url.String()))

-	var match *store.Proxy
+	layers := make([]*store.Layer, 0)

-MAIN:
 	for _, p := range proxies {
 		for _, from := range p.From {
 			logger.Debug(
 				ctx, "matching request with proxy's from",
 				logger.F("from", from),
 			)
+
 			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}
@ -50,45 +54,55 @@ MAIN:
 				logger.F("from", from),
 			)

-			match = p
-			break MAIN
+			ctx = logger.With(ctx,
+				logger.F("proxy", p.Name),
+				logger.F("host", r.Host),
+				logger.F("remoteAddr", r.RemoteAddr),
+			)
+
+			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
+
+			proxyLayers, err := d.getLayers(ctx, p.Name)
+			if err != nil {
+				return r, errors.WithStack(err)
+			}
+
+			layers = append(layers, proxyLayers...)
+
+			if p.To == "" {
+				continue
+			}
+
+			toURL, err := url.Parse(p.To)
+			if err != nil {
+				return r, errors.WithStack(err)
+			}
+
+			r.URL.Host = toURL.Host
+			r.URL.Scheme = toURL.Scheme
+			r.URL.Path = toURL.JoinPath(r.URL.Path).Path
+
+			ctx = withLayers(ctx, layers)
+			r = r.WithContext(ctx)
+
+			return r, nil
 		}
 	}

-	if match == nil {
-		return r, nil
-	}
-
-	toURL, err := url.Parse(match.To)
-	if err != nil {
-		return r, errors.WithStack(err)
-	}
-
-	r.URL.Host = toURL.Host
-	r.URL.Scheme = toURL.Scheme
-
-	ctx = logger.With(ctx,
-		logger.F("proxy", match.Name),
-		logger.F("host", r.Host),
-		logger.F("remoteAddr", r.RemoteAddr),
-	)
-
-	metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(match.Name)}).Add(1)
-
-	ctx = withProxy(ctx, match)
-
-	layers, err := d.getLayers(ctx, match.Name)
-	if err != nil {
-		return r, errors.WithStack(err)
-	}
-
 	ctx = withLayers(ctx, layers)
 	r = r.WithContext(ctx)

 	return r, nil
 }

+const proxiesCacheKey = "proxies"
+
 func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
+	proxies, exists := d.proxyCache.Get(proxiesCacheKey)
+	if exists {
+		return proxies, nil
+	}
+
 	headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -96,7 +110,7 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {

 	sort.Sort(store.ByProxyWeight(headers))

-	proxies := make([]*store.Proxy, 0, len(headers))
+	proxies = make([]*store.Proxy, 0, len(headers))

 	for _, h := range headers {
 		if !h.Enabled {
@ -111,10 +125,19 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 		proxies = append(proxies, proxy)
 	}

+	d.proxyCache.Set(proxiesCacheKey, proxies)
+
 	return proxies, nil
 }

 func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]*store.Layer, error) {
+	cacheKey := "layers-" + string(proxyName)
+
+	layers, exists := d.layerCache.Get(cacheKey)
+	if exists {
+		return layers, nil
+	}
+
 	headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -122,7 +145,7 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]

 	sort.Sort(store.ByLayerWeight(headers))

-	layers := make([]*store.Layer, 0, len(headers))
+	layers = make([]*store.Layer, 0, len(headers))

 	for _, h := range headers {
 		if !h.Enabled {
@ -137,6 +160,8 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 		layers = append(layers, layer)
 	}

+	d.layerCache.Set(cacheKey, layers)
+
 	return layers, nil
 }

@ -240,8 +265,16 @@ func (d *Director) Middleware() proxy.Middleware {
 	}
 }

-func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepository, layers ...Layer) *Director {
-	registry := NewLayerRegistry(layers...)
+func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepository, funcs ...OptionFunc) *Director {
+	opts := NewOptions(funcs...)

-	return &Director{proxyRepository, layerRepository, registry}
+	registry := NewLayerRegistry(opts.Layers...)
+
+	return &Director{
+		proxyRepository: proxyRepository,
+		layerRepository: layerRepository,
+		layerRegistry:   registry,
+		proxyCache:      opts.ProxyCache,
+		layerCache:      opts.LayerCache,
+	}
 }
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -17,6 +17,7 @@ import (
 type Layer struct {
 	layerType store.LayerType
 	auth      Authenticator
+	debug     bool

 	templateDir string
 }
@ -40,8 +41,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 						return
 					}

-					logger.Error(ctx, "could not execute pre-auth hook", logger.E(errors.WithStack(err)))
-					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+					err = errors.WithStack(err)
+					logger.Error(ctx, "could not execute pre-auth hook", logger.E(err))
+					l.renderErrorPage(w, r, layer, options, err)

 					return
 				}
@ -65,8 +67,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					return
 				}

-				logger.Error(ctx, "could not authenticate user", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				err = errors.WithStack(err)
+				logger.Error(ctx, "could not authenticate user", logger.E(err))
+				l.renderErrorPage(w, r, layer, options, err)

 				return
 			}
@ -77,8 +80,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					return
 				}

-				logger.Error(ctx, "could not apply rules", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				err = errors.WithStack(err)
+				logger.Error(ctx, "could not apply rules", logger.E(err))
+				l.renderErrorPage(w, r, layer, options, err)

 				return
 			}
@ -94,8 +98,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 						return
 					}

-					logger.Error(ctx, "could not execute post-auth hook", logger.E(errors.WithStack(err)))
-					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+					err = errors.WithStack(err)
+					logger.Error(ctx, "could not execute post-auth hook", logger.E(err))
+					l.renderErrorPage(w, r, layer, options, err)

 					return
 				}
@ -108,12 +113,47 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 	}
 }

-func (l *Layer) renderForbiddenPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) {
-	w.WriteHeader(http.StatusForbidden)
-	l.renderPage(w, r, layer, "forbidden", options.Templates.Forbidden.Block, user)
+type baseTemplateData struct {
+	Layer   *store.Layer
+	Debug   bool
+	Request *http.Request
 }

-func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, page string, block string, user *User) {
+func (l *Layer) renderForbiddenPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) {
+	templateData := struct {
+		baseTemplateData
+		User *User
+	}{
+		baseTemplateData: baseTemplateData{
+			Layer:   layer,
+			Debug:   l.debug,
+			Request: r,
+		},
+		User: user,
+	}
+
+	w.WriteHeader(http.StatusForbidden)
+	l.renderPage(w, r, "forbidden", options.Templates.Forbidden.Block, templateData)
+}
+
+func (l *Layer) renderErrorPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, err error) {
+	templateData := struct {
+		baseTemplateData
+		Err error
+	}{
+		baseTemplateData: baseTemplateData{
+			Layer:   layer,
+			Debug:   l.debug,
+			Request: r,
+		},
+		Err: err,
+	}
+
+	w.WriteHeader(http.StatusInternalServerError)
+	l.renderPage(w, r, "error", options.Templates.Error.Block, templateData)
+}
+
+func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string, block string, templateData any) {
 	ctx := r.Context()

 	pattern := filepath.Join(l.templateDir, page+".gohtml")
@ -128,18 +168,8 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, layer *store.
 		return
 	}

-	templateData := struct {
-		Layer *store.Layer
-		User  *User
-	}{
-		Layer: layer,
-		User:  user,
-	}
-
 	w.Header().Add("Cache-Control", "no-cache")

-	w.WriteHeader(http.StatusOK)
-
 	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
 		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@ -160,6 +190,7 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
 		layerType:   layerType,
 		auth:        auth,
 		templateDir: opts.TemplateDir,
+		debug:       opts.Debug,
 	}
 }

--- a/internal/proxy/director/layer/authn/layer_options.go
+++ b/internal/proxy/director/layer/authn/layer_options.go
@ -17,6 +17,7 @@ type LayerOptions struct {

 type TemplatesOptions struct {
 	Forbidden TemplateOptions `mapstructure:"forbidden"`
+	Error     TemplateOptions `mapstructure:"error"`
 }

 type TemplateOptions struct {
@ -43,6 +44,9 @@ func DefaultLayerOptions() LayerOptions {
 			Forbidden: TemplateOptions{
 				Block: "default",
 			},
+			Error: TemplateOptions{
+				Block: "default",
+			},
 		},
 	}

--- a/internal/proxy/director/layer/authn/oidc/authenticator.go
+++ b/internal/proxy/director/layer/authn/oidc/authenticator.go
@ -42,7 +42,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		return errors.WithStack(err)
 	}

-	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Name))
+	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
 		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
 	}
@ -121,7 +121,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		return nil, errors.WithStack(err)
 	}

-	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Name))
+	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -401,8 +401,14 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 	return client, nil
 }

-func (a *Authenticator) getCookieName(cookieName string, layerName store.LayerName) string {
-	return fmt.Sprintf("%s_%s", cookieName, layerName)
+const defaultCookieNamePrefix = "_bouncer_authn_oidc"
+
+func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyName, layerName store.LayerName) string {
+	if cookieName != "" {
+		return cookieName
+	}
+
+	return strings.ToLower(fmt.Sprintf("%s_%s_%s", defaultCookieNamePrefix, proxyName, layerName))
 }

 var (
--- a/internal/proxy/director/layer/authn/oidc/layer.go
+++ b/internal/proxy/director/layer/authn/oidc/layer.go
@ -14,5 +14,5 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 		httpTransport:     opts.HTTPTransport,
 		httpClientTimeout: opts.HTTPClientTimeout,
 		store:             store,
-	})
+	}, opts.AuthnOptions...)
 }
--- a/internal/proxy/director/layer/authn/oidc/layer_options.go
+++ b/internal/proxy/director/layer/authn/oidc/layer_options.go
@ -8,8 +8,6 @@ import (
 	"github.com/pkg/errors"
 )

-const defaultCookieName = "_bouncer_authn_oidc"
-
 type LayerOptions struct {
 	authn.LayerOptions
 	OIDC   OIDCOptions   `mapstructure:"oidc"`
@ -57,7 +55,7 @@ func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
 			Scopes:                 []string{"openid"},
 		},
 		Cookie: CookieOptions{
-			Name:     defaultCookieName,
+			Name:     "",
 			Path:     "/",
 			HTTPOnly: true,
 			MaxAge:   time.Hour,
--- a/internal/proxy/director/layer/authn/oidc/options.go
+++ b/internal/proxy/director/layer/authn/oidc/options.go
@ -3,11 +3,14 @@ package oidc
 import (
 	"net/http"
 	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 )

 type Options struct {
 	HTTPTransport     *http.Transport
 	HTTPClientTimeout time.Duration
+	AuthnOptions      []authn.OptionFunc
 }

 type OptionFunc func(opts *Options)
@ -24,10 +27,17 @@ func WithHTTPClientTimeout(timeout time.Duration) OptionFunc {
 	}
 }

+func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
+	return func(opts *Options) {
+		opts.AuthnOptions = funcs
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
 		HTTPTransport:     http.DefaultTransport.(*http.Transport),
 		HTTPClientTimeout: 30 * time.Second,
+		AuthnOptions:      make([]authn.OptionFunc, 0),
 	}

 	for _, fn := range funcs {
--- a/internal/proxy/director/layer/authn/options.go
+++ b/internal/proxy/director/layer/authn/options.go
@ -2,6 +2,7 @@ package authn

 type Options struct {
 	TemplateDir string
+	Debug       bool
 }

 type OptionFunc func(*Options)
@ -9,6 +10,7 @@ type OptionFunc func(*Options)
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
 		TemplateDir: "./templates",
+		Debug:       false,
 	}

 	for _, fn := range funcs {
@ -23,3 +25,9 @@ func WithTemplateDir(templateDir string) OptionFunc {
 		o.TemplateDir = templateDir
 	}
 }
+
+func WithDebug(debug bool) OptionFunc {
+	return func(o *Options) {
+		o.Debug = debug
+	}
+}
--- a/internal/proxy/director/layer/authn/rules.go
+++ b/internal/proxy/director/layer/authn/rules.go
@ -1,70 +1,16 @@
 package authn

 import (
-	"fmt"
 	"net/http"
-	"strconv"
-	"strings"
-	"time"

-	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )

-func (l *Layer) getHeaderRuleOptions(r *http.Request) []expr.Option {
-	options := make([]expr.Option, 0)
-
-	setHeader := expr.Function(
-		"set_header",
-		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
-
-			var value string
-			switch v := rawValue.(type) {
-			case []string:
-				value = strings.Join(v, ",")
-			case time.Time:
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
-			case time.Duration:
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
-			default:
-				value = fmt.Sprintf("%v", rawValue)
-			}
-
-			r.Header.Set(name, value)
-
-			return true, nil
-		},
-		new(func(string, string) bool),
-	)
-
-	options = append(options, setHeader)
-
-	delHeaders := expr.Function(
-		"del_headers",
-		func(params ...any) (any, error) {
-			pattern := params[0].(string)
-			deleted := false
-
-			for key := range r.Header {
-				if !wildcard.Match(key, pattern) {
-					continue
-				}
-
-				r.Header.Del(key)
-				deleted = true
-			}
-
-			return deleted, nil
-		},
-		new(func(string) bool),
-	)
-
-	options = append(options, delHeaders)
-
-	return options
+type Env struct {
+	User *User `expr:"user"`
 }

 func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) error {
@ -73,38 +19,39 @@ func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) e
 		return nil
 	}

-	env := map[string]any{
-		"user": user,
+	engine, err := rule.NewEngine[*Env](
+		rule.WithRules(options.Rules...),
+		rule.WithExpr(getAuthnAPI()...),
+		ruleHTTP.WithRequestFuncs(r),
+	)
+	if err != nil {
+		return errors.WithStack(err)
 	}

-	rulesOptions := l.getHeaderRuleOptions(r)
+	env := &Env{
+		User: user,
+	}

-	var ruleErr error
-	forbidden := expr.Function(
-		"forbidden",
-		func(params ...any) (any, error) {
-			ruleErr = errors.WithStack(ErrForbidden)
-			return true, nil
-		},
-		new(func() bool),
-	)
-
-	rulesOptions = append(rulesOptions, forbidden)
-
-	for i, r := range rules {
-		program, err := expr.Compile(r, rulesOptions...)
-		if err != nil {
-			return errors.Wrapf(err, "could not compile rule #%d", i)
-		}
-
-		if _, err := expr.Run(program, env); err != nil {
-			return errors.Wrapf(err, "could not execute rule #%d", i)
-		}
-
-		if ruleErr != nil {
-			return errors.WithStack(ruleErr)
-		}
+	if _, err := engine.Apply(env); err != nil {
+		return errors.WithStack(err)
 	}

 	return nil
 }
+
+func getAuthnAPI() []expr.Option {
+	options := make([]expr.Option, 0)
+
+	// forbidden() allows the layer to hijack the current request and return a 403 Forbidden HTTP status
+	forbidden := expr.Function(
+		"forbidden",
+		func(params ...any) (any, error) {
+			return true, errors.WithStack(ErrForbidden)
+		},
+		new(func() bool),
+	)
+
+	options = append(options, forbidden)
+
+	return options
+}
--- a/internal/proxy/director/layer/queue/adapter.go
+++ b/internal/proxy/director/layer/queue/adapter.go
@ -10,7 +10,10 @@ type Status struct {
 }

 type Adapter interface {
+	// Touch updates the session TTL and returns its current rank
 	Touch(ctx context.Context, queueName string, sessionId string) (int64, error)
+	// Status returns the queue current status
 	Status(ctx context.Context, queueName string) (*Status, error)
+	// Refresh forces a refresh of the queue, taking into account the given TTL for sessions
 	Refresh(ctx context.Context, queueName string, keepAlive time.Duration) error
 }
--- a/internal/proxy/director/layer/rewriter/layer-options.json
+++ b/internal/proxy/director/layer/rewriter/layer-options.json
@ -0,0 +1,38 @@
+{
+    "type": "object",
+    "properties": {
+        "rules": {
+            "title": "Règles appliquées aux requêtes/réponses transitant par le proxy",
+            "type": "object",
+            "properties": {
+                "request": {
+                    "title": "Règles appliquées aux requêtes transitant par le proxy",
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "response": {
+                    "title": "Règles appliquées aux réponses transitant par le proxy",
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                }
+            },
+            "additionalProperties": false
+        },
+        "matchURLs": {
+            "title": "Liste de filtrage des URLs sur lesquelles le layer est actif",
+            "description": "Par exemple, si vous souhaitez limiter votre layer à l'ensemble d'une section '`/blog`' d'un site, vous pouvez déclarer la valeur `['*/blog*']`. Les autres URLs du site ne seront pas affectées par ce layer.",
+            "default": [
+                "*"
+            ],
+            "type": "array",
+            "items": {
+                "type": "string"
+            }
+        }
+    },
+    "additionalProperties": false
+}
--- a/internal/proxy/director/layer/rewriter/layer.go
+++ b/internal/proxy/director/layer/rewriter/layer.go
@ -0,0 +1,84 @@
+package rewriter
+
+import (
+	"net/http"
+
+	proxy "forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+const LayerType store.LayerType = "rewriter"
+
+type Layer struct{}
+
+func (l *Layer) LayerType() store.LayerType {
+	return LayerType
+}
+
+func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			options, err := fromStoreOptions(layer.Options)
+			if err != nil {
+				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+				return
+			}
+
+			matches := wildcard.MatchAny(r.URL.String(), options.MatchURLs...)
+			if !matches {
+				next.ServeHTTP(w, r)
+
+				return
+			}
+
+			if err := l.applyRequestRules(r, options); err != nil {
+				logger.Error(ctx, "could not apply request rules", logger.E(errors.WithStack(err)))
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		}
+
+		return http.HandlerFunc(fn)
+	}
+}
+
+// ResponseTransformer implements director.ResponseTransformerLayer.
+func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransformer {
+	return func(r *http.Response) error {
+		options, err := fromStoreOptions(layer.Options)
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		matches := wildcard.MatchAny(r.Request.URL.String(), options.MatchURLs...)
+		if !matches {
+			return nil
+		}
+
+		if err := l.applyResponseRules(r, options); err != nil {
+			return errors.WithStack(err)
+		}
+
+		return nil
+	}
+}
+
+func New() *Layer {
+	return &Layer{}
+}
+
+var (
+	_ director.MiddlewareLayer          = &Layer{}
+	_ director.ResponseTransformerLayer = &Layer{}
+)
--- a/internal/proxy/director/layer/rewriter/layer_options.go
+++ b/internal/proxy/director/layer/rewriter/layer_options.go
@ -0,0 +1,56 @@
+package rewriter
+
+import (
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+)
+
+type LayerOptions struct {
+	MatchURLs []string `mapstructure:"matchURLs"`
+	Rules     Rules    `mapstructure:"rules"`
+}
+
+type Rules struct {
+	Request  []string `mapstructure:"request"`
+	Response []string `mapstructure:"response"`
+}
+
+func DefaultLayerOptions() LayerOptions {
+	return LayerOptions{
+		MatchURLs: []string{"*"},
+		Rules: Rules{
+			Request:  []string{},
+			Response: []string{},
+		},
+	}
+
+}
+
+func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
+	layerOptions := DefaultLayerOptions()
+
+	if err := FromStoreOptions(storeOptions, &layerOptions); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return &layerOptions, nil
+}
+
+func FromStoreOptions(storeOptions store.LayerOptions, dest any) error {
+	config := mapstructure.DecoderConfig{
+		Result:     dest,
+		ZeroFields: true,
+	}
+
+	decoder, err := mapstructure.NewDecoder(&config)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if err := decoder.Decode(storeOptions); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
--- a/internal/proxy/director/layer/rewriter/rules.go
+++ b/internal/proxy/director/layer/rewriter/rules.go
@ -0,0 +1,133 @@
+package rewriter
+
+import (
+	"net/http"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"github.com/pkg/errors"
+)
+
+type RequestEnv struct {
+	Request RequestInfo `expr:"request"`
+}
+
+type RequestInfo struct {
+	Method           string              `expr:"method"`
+	URL              string              `expr:"url"`
+	Proto            string              `expr:"proto"`
+	ProtoMajor       int                 `expr:"protoMajor"`
+	ProtoMinor       int                 `expr:"protoMinor"`
+	Header           map[string][]string `expr:"header"`
+	ContentLength    int64               `expr:"contentLength"`
+	TransferEncoding []string            `expr:"transferEncoding"`
+	Host             string              `expr:"host"`
+	Trailer          map[string][]string `expr:"trailer"`
+	RemoteAddr       string              `expr:"remoteAddr"`
+	RequestURI       string              `expr:"requestUri"`
+}
+
+func (l *Layer) applyRequestRules(r *http.Request, options *LayerOptions) error {
+	rules := options.Rules.Request
+	if len(rules) == 0 {
+		return nil
+	}
+
+	engine, err := rule.NewEngine[*RequestEnv](
+		ruleHTTP.WithRequestFuncs(r),
+		rule.WithRules(options.Rules.Request...),
+	)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	env := &RequestEnv{
+		Request: RequestInfo{
+			Method:           r.Method,
+			URL:              r.URL.String(),
+			Proto:            r.Proto,
+			ProtoMajor:       r.ProtoMajor,
+			ProtoMinor:       r.ProtoMinor,
+			Header:           r.Header,
+			ContentLength:    r.ContentLength,
+			TransferEncoding: r.TransferEncoding,
+			Host:             r.Host,
+			Trailer:          r.Trailer,
+			RemoteAddr:       r.RemoteAddr,
+			RequestURI:       r.RequestURI,
+		},
+	}
+
+	if _, err := engine.Apply(env); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+type ResponseEnv struct {
+	Request  RequestInfo  `expr:"request"`
+	Response ResponseInfo `expr:"response"`
+}
+
+type ResponseInfo struct {
+	Status           string              `expr:"status"`
+	StatusCode       int                 `expr:"statusCode"`
+	Proto            string              `expr:"proto"`
+	ProtoMajor       int                 `expr:"protoMajor"`
+	ProtoMinor       int                 `expr:"protoMinor"`
+	Header           map[string][]string `expr:"header"`
+	ContentLength    int64               `expr:"contentLength"`
+	TransferEncoding []string            `expr:"transferEncoding"`
+	Uncompressed     bool                `expr:"uncompressed"`
+	Trailer          map[string][]string `expr:"trailer"`
+}
+
+func (l *Layer) applyResponseRules(r *http.Response, options *LayerOptions) error {
+	rules := options.Rules.Request
+	if len(rules) == 0 {
+		return nil
+	}
+
+	engine, err := rule.NewEngine[*ResponseEnv](
+		rule.WithRules(options.Rules.Response...),
+		ruleHTTP.WithResponseFuncs(r),
+	)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	env := &ResponseEnv{
+		Request: RequestInfo{
+			Method:           r.Request.Method,
+			URL:              r.Request.URL.String(),
+			Proto:            r.Request.Proto,
+			ProtoMajor:       r.Request.ProtoMajor,
+			ProtoMinor:       r.Request.ProtoMinor,
+			Header:           r.Request.Header,
+			ContentLength:    r.Request.ContentLength,
+			TransferEncoding: r.Request.TransferEncoding,
+			Host:             r.Request.Host,
+			Trailer:          r.Request.Trailer,
+			RemoteAddr:       r.Request.RemoteAddr,
+			RequestURI:       r.Request.RequestURI,
+		},
+		Response: ResponseInfo{
+			Proto:            r.Proto,
+			ProtoMajor:       r.ProtoMajor,
+			ProtoMinor:       r.ProtoMinor,
+			Header:           r.Header,
+			ContentLength:    r.ContentLength,
+			TransferEncoding: r.TransferEncoding,
+			Trailer:          r.Trailer,
+			Status:           r.Status,
+			StatusCode:       r.StatusCode,
+		},
+	}
+
+	if _, err := engine.Apply(env); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
--- a/internal/proxy/director/layer/rewriter/schema.go
+++ b/internal/proxy/director/layer/rewriter/schema.go
@ -0,0 +1,8 @@
+package rewriter
+
+import (
+	_ "embed"
+)
+
+//go:embed layer-options.json
+var RawLayerOptionsSchema []byte
--- a/internal/proxy/director/options.go
+++ b/internal/proxy/director/options.go
@ -0,0 +1,58 @@
+package director
+
+import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+)
+
+type Options struct {
+	Layers     []Layer
+	ProxyCache cache.Cache[string, []*store.Proxy]
+	LayerCache cache.Cache[string, []*store.Layer]
+}
+
+type OptionFunc func(opts *Options)
+
+func NewOptions(funcs ...OptionFunc) *Options {
+	opts := &Options{
+		Layers: make([]Layer, 0),
+		ProxyCache: ttl.NewCache(
+			memory.NewCache[string, []*store.Proxy](),
+			memory.NewCache[string, time.Time](),
+			30*time.Second,
+		),
+		LayerCache: ttl.NewCache(
+			memory.NewCache[string, []*store.Layer](),
+			memory.NewCache[string, time.Time](),
+			30*time.Second,
+		),
+	}
+
+	for _, fn := range funcs {
+		fn(opts)
+	}
+
+	return opts
+}
+
+func WithLayers(layers ...Layer) OptionFunc {
+	return func(opts *Options) {
+		opts.Layers = layers
+	}
+}
+
+func WithProxyCache(cache cache.Cache[string, []*store.Proxy]) OptionFunc {
+	return func(opts *Options) {
+		opts.ProxyCache = cache
+	}
+}
+
+func WithLayerCache(cache cache.Cache[string, []*store.Layer]) OptionFunc {
+	return func(opts *Options) {
+		opts.LayerCache = cache
+	}
+}
--- a/internal/proxy/option.go
+++ b/internal/proxy/option.go
@ -1,23 +1,27 @@
 package proxy

 import (
+	"time"
+
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 )

 type Option struct {
-	ServerConfig   config.ProxyServerConfig
-	RedisConfig    config.RedisConfig
-	DirectorLayers []director.Layer
+	ServerConfig     config.ProxyServerConfig
+	RedisConfig      config.RedisConfig
+	DirectorLayers   []director.Layer
+	DirectorCacheTTL time.Duration
 }

 type OptionFunc func(*Option)

 func defaultOption() *Option {
 	return &Option{
-		ServerConfig:   config.NewDefaultProxyServerConfig(),
-		RedisConfig:    config.NewDefaultRedisConfig(),
-		DirectorLayers: make([]director.Layer, 0),
+		ServerConfig:     config.NewDefaultProxyServerConfig(),
+		RedisConfig:      config.NewDefaultRedisConfig(),
+		DirectorLayers:   make([]director.Layer, 0),
+		DirectorCacheTTL: 30 * time.Second,
 	}
 }

@ -38,3 +42,9 @@ func WithDirectorLayers(layers ...director.Layer) OptionFunc {
 		opt.DirectorLayers = layers
 	}
 }
+
+func WithDirectorCacheTTL(ttl time.Duration) OptionFunc {
+	return func(opt *Option) {
+		opt.DirectorCacheTTL = ttl
+	}
+}
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
@ -0,0 +1,156 @@
+package proxy_test
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"testing"
+	"time"
+
+	"forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
+)
+
+func BenchmarkProxy(b *testing.B) {
+	redisEndpoint := os.Getenv("BOUNCER_BENCH_REDIS_ADDR")
+	if redisEndpoint == "" {
+		redisEndpoint = "127.0.0.1:6379"
+	}
+
+	client := redis.NewUniversalClient(&redis.UniversalOptions{
+		Addrs: []string{redisEndpoint},
+	})
+
+	proxyRepository := redisStore.NewProxyRepository(client)
+	layerRepository := redisStore.NewLayerRepository(client)
+
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		if _, err := w.Write([]byte("Hello, world.")); err != nil {
+			b.Logf("[ERROR] %+v", errors.WithStack(err))
+		}
+	}))
+	defer backend.Close()
+
+	if err := waitFor(backend.URL, 5*time.Second); err != nil {
+		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
+	}
+
+	b.Logf("started backend '%s'", backend.URL)
+
+	ctx := context.Background()
+
+	proxyName := store.ProxyName(b.Name())
+
+	b.Logf("creating proxy '%s'", proxyName)
+
+	if err := proxyRepository.DeleteProxy(ctx, proxyName); err != nil {
+		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
+	}
+
+	if _, err := proxyRepository.CreateProxy(ctx, proxyName, backend.URL, "*"); err != nil {
+		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
+	}
+
+	if _, err := proxyRepository.UpdateProxy(ctx, proxyName, store.WithProxyUpdateEnabled(true)); err != nil {
+		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
+	}
+
+	director := director.New(
+		proxyRepository, layerRepository,
+		director.WithLayerCache(
+			ttl.NewCache(
+				memory.NewCache[string, []*store.Layer](),
+				memory.NewCache[string, time.Time](),
+				30*time.Second,
+			),
+		),
+		director.WithProxyCache(
+			ttl.NewCache(
+				memory.NewCache[string, []*store.Proxy](),
+				memory.NewCache[string, time.Time](),
+				30*time.Second,
+			),
+		),
+	)
+
+	directorMiddleware := director.Middleware()
+
+	handler := proxy.New(
+		proxy.WithRequestTransformers(
+			director.RequestTransformer(),
+		),
+		proxy.WithResponseTransformers(
+			director.ResponseTransformer(),
+		),
+		proxy.WithReverseProxyFactory(func(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
+			reverse := httputil.NewSingleHostReverseProxy(target)
+			reverse.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
+				b.Logf("[ERROR] %s", errors.WithStack(err))
+			}
+			return reverse
+		}),
+	)
+
+	server := httptest.NewServer(directorMiddleware(handler))
+	defer server.Close()
+
+	b.Logf("started proxy '%s'", server.URL)
+
+	httpClient := server.Client()
+
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		res, err := httpClient.Get(server.URL)
+		if err != nil {
+			b.Errorf("could not fetch server url: %+v", errors.WithStack(err))
+		}
+
+		body, err := io.ReadAll(res.Body)
+		if err != nil {
+			b.Errorf("could not read response body: %+v", errors.WithStack(err))
+		}
+
+		b.Logf("%s - %v", res.Status, string(body))
+
+		if err := res.Body.Close(); err != nil {
+			b.Errorf("could not close response body: %+v", errors.WithStack(err))
+		}
+	}
+}
+
+func waitFor(url string, ttl time.Duration) error {
+	var lastErr error
+	timeout := time.After(ttl)
+	for {
+		select {
+		case <-timeout:
+			if lastErr != nil {
+				return lastErr
+			}
+
+			return errors.New("wait timed out")
+		default:
+			res, err := http.Get(url)
+			if err != nil {
+				lastErr = errors.WithStack(err)
+				continue
+			}
+
+			if res.StatusCode >= 200 && res.StatusCode < 400 {
+				return nil
+			}
+		}
+	}
+}
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -3,18 +3,25 @@ package proxy
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"path/filepath"
+	"strconv"
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	bouncerChi "forge.cadoles.com/cadoles/bouncer/internal/chi"
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+
+	"github.com/Masterminds/sprig/v3"
 	"github.com/getsentry/sentry-go"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
@ -25,11 +32,12 @@ import (
 )

 type Server struct {
-	serverConfig    config.ProxyServerConfig
-	redisConfig     config.RedisConfig
-	directorLayers  []director.Layer
-	proxyRepository store.ProxyRepository
-	layerRepository store.LayerRepository
+	serverConfig     config.ProxyServerConfig
+	redisConfig      config.RedisConfig
+	directorLayers   []director.Layer
+	directorCacheTTL time.Duration
+	proxyRepository  store.ProxyRepository
+	layerRepository  store.LayerRepository
 }

 func (s *Server) Start(ctx context.Context) (<-chan net.Addr, <-chan error) {
@ -86,7 +94,21 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	director := director.New(
 		s.proxyRepository,
 		s.layerRepository,
-		s.directorLayers...,
+		director.WithLayers(s.directorLayers...),
+		director.WithLayerCache(
+			ttl.NewCache(
+				memory.NewCache[string, []*store.Layer](),
+				memory.NewCache[string, time.Time](),
+				s.directorCacheTTL,
+			),
+		),
+		director.WithProxyCache(
+			ttl.NewCache(
+				memory.NewCache[string, []*store.Proxy](),
+				memory.NewCache[string, time.Time](),
+				s.directorCacheTTL,
+			),
+		),
 	)

 	if s.serverConfig.HTTP.UseRealIP {
@ -135,6 +157,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				director.ResponseTransformer(),
 			),
 			proxy.WithReverseProxyFactory(s.createReverseProxy),
+			proxy.WithDefaultHandler(http.HandlerFunc(s.handleDefault)),
 		)

 		r.Handle("/*", handler)
@ -163,18 +186,83 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 	httpTransport.DialContext = dialer.DialContext

 	reverseProxy.Transport = httpTransport
-	reverseProxy.ErrorHandler = s.errorHandler
+	reverseProxy.ErrorHandler = s.handleError

 	return reverseProxy
 }

-func (s *Server) errorHandler(w http.ResponseWriter, r *http.Request, err error) {
+func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
+	err := errors.Errorf("no proxy target found")
+
+	logger.Error(r.Context(), "proxy error", logger.E(err))
+	sentry.CaptureException(err)
+
+	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+}
+
+func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
 	err = errors.WithStack(err)

 	logger.Error(r.Context(), "proxy error", logger.E(err))
 	sentry.CaptureException(err)

-	http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+}
+
+func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
+	templateData := struct {
+		StatusCode int
+		Status     string
+		Err        error
+		Debug      bool
+	}{
+		Debug:      bool(s.serverConfig.Debug),
+		StatusCode: statusCode,
+		Status:     status,
+		Err:        err,
+	}
+
+	w.WriteHeader(statusCode)
+	s.renderPage(w, r, "error", strconv.FormatInt(int64(statusCode), 10), templateData)
+}
+
+func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string, block string, templateData any) {
+	ctx := r.Context()
+
+	templatesConf := s.serverConfig.Templates
+
+	pattern := filepath.Join(string(templatesConf.Dir), page+".gohtml")
+
+	logger.Info(ctx, "loading proxy templates", logger.F("pattern", pattern))
+
+	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
+	if err != nil {
+		logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	w.Header().Add("Cache-Control", "no-cache")
+
+	blockTmpl := tmpl.Lookup(block)
+	if blockTmpl == nil {
+		blockTmpl = tmpl.Lookup("default")
+	}
+
+	if blockTmpl == nil {
+		logger.Error(ctx, "could not find template block nor default one", logger.F("block", block))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	if err := blockTmpl.Execute(w, templateData); err != nil {
+		logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
 }

 func NewServer(funcs ...OptionFunc) *Server {
@ -184,8 +272,9 @@ func NewServer(funcs ...OptionFunc) *Server {
 	}

 	return &Server{
-		serverConfig:   opt.ServerConfig,
-		redisConfig:    opt.RedisConfig,
-		directorLayers: opt.DirectorLayers,
+		serverConfig:     opt.ServerConfig,
+		redisConfig:      opt.RedisConfig,
+		directorLayers:   opt.DirectorLayers,
+		directorCacheTTL: opt.DirectorCacheTTL,
 	}
 }
--- a/internal/rule/engine.go
+++ b/internal/rule/engine.go
@ -0,0 +1,44 @@
+package rule
+
+import (
+	"github.com/expr-lang/expr"
+	"github.com/expr-lang/expr/vm"
+	"github.com/pkg/errors"
+)
+
+type Engine[E any] struct {
+	rules []*vm.Program
+}
+
+func (e *Engine[E]) Apply(env E) ([]any, error) {
+	results := make([]any, 0, len(e.rules))
+	for i, r := range e.rules {
+		result, err := expr.Run(r, env)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not run rule #%d", i)
+		}
+
+		results = append(results, result)
+	}
+
+	return results, nil
+}
+
+func NewEngine[E any](funcs ...OptionFunc) (*Engine[E], error) {
+	opts := NewOptions(funcs...)
+
+	engine := &Engine[E]{
+		rules: make([]*vm.Program, 0, len(opts.Rules)),
+	}
+
+	for i, r := range opts.Rules {
+		program, err := expr.Compile(r, opts.Expr...)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not compile rule #%d", i)
+		}
+
+		engine.rules = append(engine.rules, program)
+	}
+
+	return engine, nil
+}
--- a/internal/rule/http/option.go
+++ b/internal/rule/http/option.go
@ -0,0 +1,42 @@
+package http
+
+import (
+	"net/http"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/expr-lang/expr"
+)
+
+func WithRequestFuncs(r *http.Request) rule.OptionFunc {
+	return func(opts *rule.Options) {
+		funcs := []expr.Option{
+			setRequestURL(r),
+			setRequestHeaderFunc(r),
+			addRequestHeaderFunc(r),
+			delRequestHeadersFunc(r),
+			setRequestHostFunc(r),
+		}
+
+		if len(opts.Expr) == 0 {
+			opts.Expr = make([]expr.Option, 0)
+		}
+
+		opts.Expr = append(opts.Expr, funcs...)
+	}
+}
+
+func WithResponseFuncs(r *http.Response) rule.OptionFunc {
+	return func(opts *rule.Options) {
+		funcs := []expr.Option{
+			setResponseHeaderFunc(r),
+			addResponseHeaderFunc(r),
+			delResponseHeadersFunc(r),
+		}
+
+		if len(opts.Expr) == 0 {
+			opts.Expr = make([]expr.Option, 0)
+		}
+
+		opts.Expr = append(opts.Expr, funcs...)
+	}
+}
--- a/internal/rule/http/request.go
+++ b/internal/rule/http/request.go
@ -0,0 +1,122 @@
+package http
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"github.com/expr-lang/expr"
+	"github.com/pkg/errors"
+)
+
+func setRequestHostFunc(r *http.Request) expr.Option {
+	return expr.Function(
+		"set_host",
+		func(params ...any) (any, error) {
+			host := params[0].(string)
+			r.Host = host
+
+			return true, nil
+		},
+		new(func(string) bool),
+	)
+}
+
+func setRequestURL(r *http.Request) expr.Option {
+	return expr.Function(
+		"set_url",
+		func(params ...any) (any, error) {
+			rawURL := params[0].(string)
+
+			url, err := url.Parse(rawURL)
+			if err != nil {
+				return false, errors.WithStack(err)
+			}
+
+			r.URL = url
+
+			return true, nil
+		},
+		new(func(string) bool),
+	)
+}
+
+func addRequestHeaderFunc(r *http.Request) expr.Option {
+	return expr.Function(
+		"add_header",
+		func(params ...any) (any, error) {
+			name := params[0].(string)
+			rawValue := params[1]
+
+			var value string
+			switch v := rawValue.(type) {
+			case []string:
+				value = strings.Join(v, ",")
+			case time.Time:
+				value = strconv.FormatInt(v.UTC().Unix(), 10)
+			case time.Duration:
+				value = strconv.FormatInt(int64(v.Seconds()), 10)
+			default:
+				value = fmt.Sprintf("%v", rawValue)
+			}
+
+			r.Header.Add(name, value)
+
+			return true, nil
+		},
+		new(func(string, string) bool),
+	)
+}
+
+func setRequestHeaderFunc(r *http.Request) expr.Option {
+	return expr.Function(
+		"set_header",
+		func(params ...any) (any, error) {
+			name := params[0].(string)
+			rawValue := params[1]
+
+			var value string
+			switch v := rawValue.(type) {
+			case []string:
+				value = strings.Join(v, ",")
+			case time.Time:
+				value = strconv.FormatInt(v.UTC().Unix(), 10)
+			case time.Duration:
+				value = strconv.FormatInt(int64(v.Seconds()), 10)
+			default:
+				value = fmt.Sprintf("%v", rawValue)
+			}
+
+			r.Header.Set(name, value)
+
+			return true, nil
+		},
+		new(func(string, string) bool),
+	)
+}
+
+func delRequestHeadersFunc(r *http.Request) expr.Option {
+	return expr.Function(
+		"del_headers",
+		func(params ...any) (any, error) {
+			pattern := params[0].(string)
+			deleted := false
+
+			for key := range r.Header {
+				if !wildcard.Match(key, pattern) {
+					continue
+				}
+
+				r.Header.Del(key)
+				deleted = true
+			}
+
+			return deleted, nil
+		},
+		new(func(string) bool),
+	)
+}
--- a/internal/rule/http/response.go
+++ b/internal/rule/http/response.go
@ -0,0 +1,88 @@
+package http
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"github.com/expr-lang/expr"
+)
+
+func addResponseHeaderFunc(r *http.Response) expr.Option {
+	return expr.Function(
+		"add_header",
+		func(params ...any) (any, error) {
+			name := params[0].(string)
+			rawValue := params[1]
+
+			var value string
+			switch v := rawValue.(type) {
+			case []string:
+				value = strings.Join(v, ",")
+			case time.Time:
+				value = strconv.FormatInt(v.UTC().Unix(), 10)
+			case time.Duration:
+				value = strconv.FormatInt(int64(v.Seconds()), 10)
+			default:
+				value = fmt.Sprintf("%v", rawValue)
+			}
+
+			r.Header.Add(name, value)
+
+			return true, nil
+		},
+		new(func(string, string) bool),
+	)
+}
+
+func setResponseHeaderFunc(r *http.Response) expr.Option {
+	return expr.Function(
+		"set_header",
+		func(params ...any) (any, error) {
+			name := params[0].(string)
+			rawValue := params[1]
+
+			var value string
+			switch v := rawValue.(type) {
+			case []string:
+				value = strings.Join(v, ",")
+			case time.Time:
+				value = strconv.FormatInt(v.UTC().Unix(), 10)
+			case time.Duration:
+				value = strconv.FormatInt(int64(v.Seconds()), 10)
+			default:
+				value = fmt.Sprintf("%v", rawValue)
+			}
+
+			r.Header.Set(name, value)
+
+			return true, nil
+		},
+		new(func(string, string) bool),
+	)
+}
+
+func delResponseHeadersFunc(r *http.Response) expr.Option {
+	return expr.Function(
+		"del_headers",
+		func(params ...any) (any, error) {
+			pattern := params[0].(string)
+			deleted := false
+
+			for key := range r.Header {
+				if !wildcard.Match(key, pattern) {
+					continue
+				}
+
+				r.Header.Del(key)
+				deleted = true
+			}
+
+			return deleted, nil
+		},
+		new(func(string) bool),
+	)
+}
--- a/internal/rule/options.go
+++ b/internal/rule/options.go
@ -0,0 +1,35 @@
+package rule
+
+import "github.com/expr-lang/expr"
+
+type Options struct {
+	Rules []string
+	Expr  []expr.Option
+}
+
+type OptionFunc func(opts *Options)
+
+func NewOptions(funcs ...OptionFunc) *Options {
+	opts := &Options{
+		Expr:  make([]expr.Option, 0),
+		Rules: make([]string, 0),
+	}
+
+	for _, fn := range funcs {
+		fn(opts)
+	}
+
+	return opts
+}
+
+func WithRules(rules ...string) OptionFunc {
+	return func(opts *Options) {
+		opts.Rules = rules
+	}
+}
+
+func WithExpr(options ...expr.Option) OptionFunc {
+	return func(opts *Options) {
+		opts.Expr = options
+	}
+}
--- a/internal/setup/authn_basic_layer.go
+++ b/internal/setup/authn_basic_layer.go
@ -21,6 +21,7 @@ func init() {
 func setupAuthnBasicLayer(conf *config.Config) (director.Layer, error) {
 	options := []authn.OptionFunc{
 		authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
+		authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 	}

 	return basic.NewLayer(options...), nil
--- a/internal/setup/authn_network_layer.go
+++ b/internal/setup/authn_network_layer.go
@ -21,6 +21,7 @@ func init() {
 func setupAuthnNetworkLayer(conf *config.Config) (director.Layer, error) {
 	options := []authn.OptionFunc{
 		authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
+		authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 	}

 	return network.NewLayer(options...), nil
--- a/internal/setup/authn_oidc_layer.go
+++ b/internal/setup/authn_oidc_layer.go
@ -33,5 +33,9 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 		store,
 		oidc.WithHTTPTransport(transport),
 		oidc.WithHTTPClientTimeout(time.Duration(*conf.Layers.Authn.OIDC.HTTPClient.Timeout)),
+		oidc.WithAuthnOptions(
+			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
+			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
+		),
 	), nil
 }
--- a/internal/setup/rewriter_layer.go
+++ b/internal/setup/rewriter_layer.go
@ -0,0 +1,15 @@
+package setup
+
+import (
+	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/rewriter"
+)
+
+func init() {
+	RegisterLayer(rewriter.LayerType, setupRewriterLayer, rewriter.RawLayerOptionsSchema)
+}
+
+func setupRewriterLayer(conf *config.Config) (director.Layer, error) {
+	return rewriter.New(), nil
+}
--- a/layers/authn/templates/error.gohtml
+++ b/layers/authn/templates/error.gohtml
@ -0,0 +1,104 @@
+{{ define "default" }}
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    <title>Erreur - {{ .Layer.Name }}</title>
+    <style>
+      html {
+        box-sizing: border-box;
+        font-size: 16px;
+      }
+
+      *,
+      *:before,
+      *:after {
+        box-sizing: inherit;
+      }
+
+      body,
+      h1,
+      h2,
+      h3,
+      h4,
+      h5,
+      h6,
+      p,
+      ol,
+      ul {
+        margin: 0;
+        padding: 0;
+        font-weight: normal;
+      }
+
+      html,
+      body {
+        width: 100%;
+        height: 100%;
+        font-family: Arial, Helvetica, sans-serif;
+        background-color: #ffe4e4;
+      }
+
+      #container {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100%;
+        flex-direction: column;
+      }
+
+      #card {
+        padding: 1.5em 1em;
+        border: 1px solid #d90202;
+        background-color: #feb0b0;
+        border-radius: 5px;
+        box-shadow: 2px 2px #cccccc1c;
+        color: #810000 !important;
+      }
+
+      .title {
+        margin-bottom: 1.2em;
+      }
+
+      p {
+        margin-bottom: 0.5em;
+      }
+
+      .footer {
+        font-size: 0.7em;
+        margin-top: 2em;
+        text-align: right;
+      }
+
+      .back-link {
+        text-align: center;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="container">
+      <div id="card">
+        <h2 class="title">Une erreur est survenue !</h2>
+        {{ if .Debug }}
+        <pre>{{ .Err }}</pre>
+        {{ end }}
+        {{/* if a public base url is provided, show navigation link */}}
+        {{ $oidc := ( index .Layer.Options "oidc" ) }}
+        {{ $publicBaseURL := ( index $oidc "publicBaseURL" ) }}
+        {{ if $publicBaseURL }}
+        <div class="back-link">
+          <a href="{{ $publicBaseURL }}" title="Retourner sur l'application"
+            >Retourner sur l'application</a
+          >
+        </div>
+        {{ end }}
+        <p class="footer">
+          Propulsé par
+          <a href="https://forge.cadoles.com/Cadoles/bouncer">Bouncer</a>.
+        </p>
+      </div>
+    </div>
+  </body>
+</html>
+{{ end }}
--- a/misc/bootstrap.d/dummy.yml
+++ b/misc/bootstrap.d/dummy.yml
@ -19,7 +19,8 @@ layers:
  #       clientId: my-client-id
  #       clientSecret: my-client-id
  #       issuerURL: https://forge.cadoles.com/
-  #       postLogoutRedirectURL: http://localhost:8080
+  #       postLogoutRedirectURLs:
+  #         - http://localhost:8080
  #       scopes: ["profile", "openid", "email"]
  #       authParams:
  #         acr_values: "eidas2"
--- a/misc/docker-compose/README.md
+++ b/misc/docker-compose/README.md
@ -13,25 +13,31 @@ Le répertoire [`misc/docker-compose`](./) contient un exemple de déploiement d

 ## Étapes

-1. Se positionner dans le répertoire puis lancer l'environnement avec la commande `docker-compose`:
+1. Se positionner dans le répertoire puis lancer l'environnement avec la commande `docker compose`:

-    ```bash
-    cd misc/docker-compose
-    docker-compose up
-    ```
+   ```bash
+   cd misc/docker-compose
+   docker compose up
+   ```

 2. Entrer dans le conteneur `bouncer-admin` puis créer un jeton d'accès:

-    ```bash
-    docker-compose exec bouncer-admin /bin/sh
-    bouncer auth create-token --role writer > .bouncer-token
-    ```
+   ```bash
+   docker compose exec bouncer-admin /bin/sh
+   bouncer auth create-token --role writer > .bouncer-token
+   ```

 3. Créer un proxy via le CLI:

-    ```bash
-    bouncer admin proxy create --proxy-name myproxy --proxy-to "https://www.cadoles.com/"
-    bouncer admin proxy update --proxy-name myproxy --proxy-enabled=true
-    ```
+   ```bash
+   bouncer admin proxy create --proxy-name myproxy --proxy-to "https://www.cadoles.com/"
+   bouncer admin proxy update --proxy-name myproxy --proxy-enabled=true
+   ```

-4. Via votre navigateur, accéder à l'URL http://127.0.0.1:8080. La page du site Cadoles devrait s'afficher. Dans le log de la commande `docker-compose up` vous devriez voir que les requêtes sont routées à tour de rôle sur les 3 instances de Bouncer en exécution.
+4. Via votre navigateur, accéder à l'URL http://127.0.0.1:8080. La page du site Cadoles devrait s'afficher. Dans le log de la commande `docker-compose up` vous devriez voir que les requêtes sont routées à tour de rôle sur les 3 instances de Bouncer en exécution.
+
+5. Stopper l'environnement:
+
+   ```
+   docker compose down -v
+   ```
--- a/misc/docker-compose/docker-compose.yml
+++ b/misc/docker-compose/docker-compose.yml
@ -1,4 +1,3 @@
-version: "2"
 services:
  haproxy:
    image: reg.cadoles.com/proxy_cache/library/haproxy:2.7-alpine
@ -31,7 +30,7 @@ services:

  bouncer-proxy-2: *bouncer-proxy
  bouncer-proxy-3: *bouncer-proxy
-      
+
  redis:
    image: reg.cadoles.com/proxy_cache/library/redis:7-alpine
    command: redis-server --save 60 1 --loglevel verbose
@ -39,4 +38,4 @@ services:
      - redis-data:/data

 volumes:
-  redis-data:
+  redis-data:
--- a/misc/images/bouncer/Dockerfile
+++ b/misc/images/bouncer/Dockerfile
@ -1,49 +0,0 @@
-FROM golang:1.20 AS BUILD
-
-RUN apt-get update \
-    && apt-get install -y make
-
-ARG YQ_VERSION=4.34.1
-
-RUN mkdir -p /usr/local/bin \
-    && wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 \
-    && chmod +x /usr/local/bin/yq
-
-COPY . /src
-
-WORKDIR /src
-
-RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser
-
-# Patch config
-RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.redis.adresses = ["redis:6379"]' /src/dist/bouncer_linux_amd64_v1/config.yml
-
-FROM alpine:3.18 AS RUNTIME
-
-ARG DUMB_INIT_VERSION=1.2.5
-
-RUN apk add --no-cache ca-certificates
-
-RUN mkdir -p /usr/local/bin \
-    && wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_x86_64 \
-    && chmod +x /usr/local/bin/dumb-init
-
-ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
-
-RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer
-
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
-COPY --from=BUILD /src/layers /usr/share/bouncer/layers
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
-
-RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
-
-EXPOSE 8080
-EXPOSE 8081
-
-ENV BOUNCER_CONFIG=/etc/bouncer/config.yml
-
-CMD ["bouncer"]
--- a/misc/packaging/common/config.yml
+++ b/misc/packaging/common/config.yml
@ -70,6 +70,12 @@ admin:

 # Configuration du service "proxy"
 proxy:
+  # Activer/désactiver le mode debug (affichage ou non des messages d'erreur)
+  debug: false
+  # Configuration des templates utilisés par le proxy
+  templates:
+    # Répertoire contenant les templates
+    dir: /etc/bouncer/templates
  http:
    # Hôte d'écoute du service,
    # 0.0.0.0 pour écouter sur toutes les interfaces
@ -93,6 +99,14 @@ proxy:
      credentials:
        prom: etheus

+  # Configuration de la mise en cache
+  # locale des données proxy/layers
+  cache:
+    # Les proxys/layers sont mis en cache local pour une durée de 30s
+    # par défaut. Si les modifications sont rares, vous pouvez augmenter
+    # cette valeur pour réduire la "pression" sur le serveur Redis.
+    ttl: 30s
+
  # Configuration du transport HTTP(S)
  # Voir https://pkg.go.dev/net/http#Transport
  transport:
--- a/templates/error.gohtml
+++ b/templates/error.gohtml
@ -0,0 +1,96 @@
+{{ define "default" }}
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    {{ $title := print .StatusCode " - " .Status }}
+    <title>{{ $title }}</title>
+    <style>
+      html {
+        box-sizing: border-box;
+        font-size: 16px;
+      }
+
+      *,
+      *:before,
+      *:after {
+        box-sizing: inherit;
+      }
+
+      body,
+      h1,
+      h2,
+      h3,
+      h4,
+      h5,
+      h6,
+      p,
+      ol,
+      ul {
+        margin: 0;
+        padding: 0;
+        font-weight: normal;
+      }
+
+      html,
+      body {
+        width: 100%;
+        height: 100%;
+        font-family: Arial, Helvetica, sans-serif;
+        background-color: #ffe4e4;
+      }
+
+      #container {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100%;
+        flex-direction: column;
+      }
+
+      #card {
+        padding: 1.5em 1em;
+        border: 1px solid #d90202;
+        background-color: #feb0b0;
+        border-radius: 5px;
+        box-shadow: 2px 2px #cccccc1c;
+        color: #810000 !important;
+      }
+
+      .title {
+        margin-bottom: 1.2em;
+      }
+
+      p {
+        margin-bottom: 0.5em;
+      }
+
+      code,
+      pre {
+        font-family: monospace;
+      }
+
+      .footer {
+        font-size: 0.7em;
+        margin-top: 2em;
+        text-align: right;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="container">
+      <div id="card">
+        <h2 class="title">{{ $title }}</h2>
+        {{ if .Debug }}
+        <pre>{{ .Err }}</pre>
+        {{ end }}
+        <p class="footer">
+          Propulsé par
+          <a href="https://forge.cadoles.com/Cadoles/bouncer">Bouncer</a>.
+        </p>
+      </div>
+    </div>
+  </body>
+</html>
+{{ end }}
Author	SHA1	Message	Date
William Petit	2de5e285a3	doc: add virtual hosting example All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 11:12:58 +02:00
William Petit	87e1c65607	fix: security vulnerabilities All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details ref #31	2024-06-27 10:04:29 +02:00
William Petit	f092520ee4	chore: tidy deps All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 16:31:14 +02:00
wpetit	9084b6e05f	Merge pull request 'Implémentation des proxies "passthrough"' (#30 ) from passthrough-proxy into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #30	2024-06-26 16:23:28 +02:00
William Petit	5494abded4	feat: passthrough proxies Some checks are pending Cadoles/bouncer/pipeline/head Build started... Details Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-06-26 16:22:30 +02:00
William Petit	059af1b6ee	fix: add missing templates in docker image All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 15:00:23 +02:00
William Petit	532f30c155	chore: remove artefact Dockerfile Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details	2024-06-26 15:00:07 +02:00
William Petit	49f2ccbc7a	feat: templatized proxy error page All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 14:36:28 +02:00
William Petit	8a751afc97	chore: add http debug env in default environment file All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 13:53:52 +02:00
William Petit	4907c0b51f	feat: return status 502 on proxy error	2024-06-26 13:53:22 +02:00
William Petit	1881f27928	refactor: use new rule engine package Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details	2024-06-26 13:52:49 +02:00
wpetit	114608931b	Merge pull request 'Layer `rewriter`: réécriture dynamiques des attributs de requêtes/réponses' (#29 ) from rewriter-layer into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #29	2024-06-25 17:02:49 +02:00
William Petit	05b547da48	feat: rewriter layer All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-06-25 16:50:29 +02:00
William Petit	9d902a7494	doc: update create custom layer tutorial All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-25 11:32:54 +02:00
William Petit	ea68724635	fix: update dummy bootstrap example All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-25 11:25:34 +02:00
William Petit	1009eb19aa	feat: use destination path as prefix when rewritting url All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-24 17:18:31 +02:00
William Petit	19fda6aa64	feat(authn-oidc): allow overwriting of cookie name All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-05 16:13:45 +02:00
William Petit	65238f1ff3	feat(authn-oidc): include proxy in cookie name All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-05 16:00:23 +02:00
William Petit	d4da9cba8d	chore: fix goreleaser version All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-05 15:54:00 +02:00
William Petit	d5fed4c2ac	feat(authn): add templatized error page Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details ref CNOUS/mse#3907	2024-06-05 15:53:17 +02:00
William Petit	c7ac331b10	chore: add interface description Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details	2024-06-05 12:52:01 +02:00
William Petit	2952f68720	fix(config): handles raw nanoseconds durations All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-29 16:49:05 +02:00
William Petit	3e98901931	fix: update multi-nodes example (#25 ) All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-29 14:18:40 +02:00
wpetit	d667bb03f5	Merge pull request 'Mise en place de cache local au niveau du serveur pour améliorer les temps de traitement des requêtes' (#26 ) from benchmark into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #26	2024-05-28 16:52:34 +02:00
William Petit	3a9fde9bc9	feat: improve perf by caching proxy and layers locally Some checks are pending Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-05-28 16:45:15 +02:00
William Petit	42dab5797a	chore(doc): fix typo All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-28 11:16:15 +02:00