chore: update go and alpine docker image version

feat: use sentry tags instead of context for better observability
feat: prevent call bursts on oidc provider refresh
2025-04-03 11:12:32 +02:00 · 2025-03-19 15:04:55 +01:00 · 2025-03-18 15:51:25 +01:00 · 2025-03-18 12:52:59 +01:00 · 2025-03-18 12:20:00 +01:00 · 2025-03-18 11:35:15 +01:00
140 changed files with 6134 additions and 767 deletions
--- a/.env.dist
+++ b/.env.dist
@ -0,0 +1 @@
+GODEBUG="http1debug=2 http2debug=2"
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,5 @@
 /data
 /out
 .dockerconfigjson
+*.prof
+*.test
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -63,6 +63,9 @@ nfpms:
      - src: layers
        dst: /etc/bouncer/layers
        type: config
+      - src: templates
+        dst: /etc/bouncer/templates
+        type: config
      - dst: /etc/bouncer/bootstrap.d
        type: dir
        file_info:
--- a/21
+++ b/21
@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22.0 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.24.2 AS build

 RUN apt-get update \
    && apt-get install -y make
@ -22,15 +22,18 @@ RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser

 # Patch config
 RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
+&& yq -i '.proxy.templates.dir = "/usr/share/bouncer/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.authn.templateDir = "/usr/share/bouncer/layers/authn/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.redis.adresses = ["redis:6379"]' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.redis.writeTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.redis.readTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.redis.dialTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml
+    && yq -i '.redis.dialTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml

-FROM reg.cadoles.com/proxy_cache/library/alpine:3.19.1 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.21 AS runtime

 RUN apk add --no-cache ca-certificates dumb-init

@ -38,19 +41,23 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"]

 RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer

-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
-COPY --from=BUILD /src/layers /usr/share/bouncer/layers
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
+COPY --from=build /src/layers /usr/share/bouncer/layers
+COPY --from=build /src/templates /usr/share/bouncer/templates
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml

 RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer

 EXPOSE 8080
 EXPOSE 8081
+EXPOSE 8082

-RUN adduser -D -H bouncer
+RUN adduser -D -s /bin/sh bouncer

 ENV BOUNCER_CONFIG=/etc/bouncer/config.yml

 USER bouncer

+WORKDIR /home/bouncer
+
 CMD ["bouncer"]
--- a/661
+++ b/661
@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+                            Preamble
+
+The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+0. Definitions.
+
+"This License" refers to version 3 of the GNU Affero General Public License.
+
+"Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+1. Source Code.
+
+The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+The Corresponding Source for a work in source code form is that
+same work.
+
+2. Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+"Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+8. Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+13. Remote Network Interaction; Use with the GNU General Public License.
+
+Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.
--- a/18
+++ b/18
@ -17,7 +17,8 @@ GOTEST_ARGS ?= -short
 OPENWRT_DEVICE ?= 192.168.1.1

 SIEGE_URLS_FILE ?= misc/siege/urls.txt
-SIEGE_CONCURRENCY ?= 100
+SIEGE_CONCURRENCY ?= 200
+SIEGE_DURATION ?= 5M

 data/bootstrap.d/dummy.yml:
 	mkdir -p data/bootstrap.d
@ -59,7 +60,7 @@ deps: .env

 .PHONY: goreleaser
 goreleaser: deps
-	( set -o allexport && source .env && set +o allexport && VERSION=$(GORELEASER_VERSION) curl -sfL https://goreleaser.com/static/run | GORELEASER_CURRENT_TAG="$(FULL_VERSION)" bash /dev/stdin $(GORELEASER_ARGS) )
+	( set -o allexport && source .env && set +o allexport &&  curl -sfL https://goreleaser.com/static/run | VERSION=$(GORELEASER_VERSION) GORELEASER_CURRENT_TAG="$(FULL_VERSION)" bash /dev/stdin $(GORELEASER_ARGS) )

 .PHONY: start-release
 start-release:
@ -81,7 +82,7 @@ finish-release:
 	git push --tags

 docker-build:
-	docker build -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
+	docker build --pull -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
 	docker tag $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) $(DOCKER_IMAGE_NAME):latest

 docker-release:
@ -114,7 +115,7 @@ grafterm: tools/grafterm/bin/grafterm
 siege:
 	$(eval TMP := $(shell mktemp))
 	cat $(SIEGE_URLS_FILE) | envsubst > $(TMP)
-	siege -i -b -c $(SIEGE_CONCURRENCY) -f $(TMP)
+	siege -R ./misc/siege/siege.conf -i -b -c $(SIEGE_CONCURRENCY) -t $(SIEGE_DURATION) -f $(TMP)
 	rm -rf $(TMP)

 tools/gitea-release/bin/gitea-release.sh:
@ -130,6 +131,13 @@ tools/grafterm/bin/grafterm:
 	mkdir -p tools/grafterm/bin
 	GOBIN=$(PWD)/tools/grafterm/bin go install github.com/slok/grafterm/cmd/grafterm@v0.2.0

+bench:
+	go test -bench=. -run '^$$' -benchtime=10s ./internal/bench
+
+tools/benchstat/bin/benchstat:
+	mkdir -p tools/benchstat/bin
+	GOBIN=$(PWD)/tools/benchstat/bin go install golang.org/x/perf/cmd/benchstat@latest
+
 full-version:
 	@echo $(FULL_VERSION)

@ -143,7 +151,7 @@ run-redis:
 		-v $(PWD)/data/redis:/data \
 		-p 6379:6379 \
 		redis:alpine3.17 \
-		redis-server --save 60 1 --loglevel warning
+		redis-server --save 60 1 --loglevel debug

 redis-shell:
 	docker exec -it \
--- a/README.md
+++ b/README.md
@ -4,7 +4,16 @@

 # Bouncer

-Serveur mandataire inverse (_"reverse proxy"_) filtrant avec gestion de files d'attente dynamiques.
+Serveur mandataire inverse (_"reverse proxy"_) avec fonctionnalités avancées pilotable par API REST.
+
+## Fonctionnalités
+
+- Authentification unique basée sur entêtes HTTP ("Trusted headers SSO") avec:
+  - Fournisseur d'identité OpenID Connect ;
+  - Basic Auth ;
+  - Origine réseau ;
+- Gestion de files d'attente dynamiques pour maîtriser la charge sur les services protégés ;
+- Réécriture dynamique des attributs (notamment entêtes HTTP) des requêtes/réponses via un DSL.

 ## Documentation

@ -12,4 +21,4 @@ Serveur mandataire inverse (_"reverse proxy"_) filtrant avec gestion de files d'

 ## Licence

-AGPL-3.0
+AGPL-3.0
--- a/doc/README.md
+++ b/doc/README.md
@ -1,7 +1,8 @@
 # Documentation

- [(FR) - Premiers pas](./fr/getting-started.md)
 - [(FR) - Architecture générale](./fr/general-architecture.md)
+- [(FR) - Terminologie](./fr/terminology.md)
+- [(FR) - Premiers pas](./fr/getting-started.md)

 ## Exemples

@ -11,19 +12,22 @@

 - [(FR) - Layers](./fr/references/layers/README.md)
 - [(FR) - Métriques](./fr/references/metrics.md)
- [(FR) - Fichier de configuration](../misc/packaging/common/config.yml)
+- [(FR) - Configuration](./fr/references/configuration.md)
 - [(FR) - API d'administration](./fr/references/admin_api.md)

 ## Tutoriels

 ### Utilisation

+- [(FR) - Le cas du "virtual hosting"](./fr/tutorials/virtual-hosting.md)
 - [(FR) - Ajouter un layer de type "file d'attente"](./fr/tutorials/add-queue-layer.md)
 - [(FR) - Ajouter une authentification OpenID Connect](./fr/tutorials/add-oidc-authn-layer.md)
 - [(FR) - Amorçage d'un serveur Bouncer via la configuration](./fr/tutorials/bootstrapping.md)
 - [(FR) - Intégration avec Kubernetes](./fr/tutorials/kubernetes-integration.md)
+- [(FR) - Profilage](./fr/tutorials/profiling.md)

 ### Développement

 - [(FR) - Démarrer avec les sources](./fr/tutorials/getting-started-with-sources.md)
 - [(FR) - Créer son propre layer](./fr/tutorials/create-custom-layer.md)
+- [(FR) - Étudier les performances de Bouncer](./fr/tutorials/profiling.md)
--- a/doc/fr/general-architecture.md
+++ b/doc/fr/general-architecture.md
@ -2,31 +2,6 @@

 ## Modèles de déploiement

-### Déploiement mono-noeud
+### Mode mono-noeud

-![](../resources/deployment_fr.png)
-
-## Terminologie
-
-Voici une liste des termes utilisés dans le lexique Bouncer.
-
-### Proxy
-
-Un "proxy" est une entité logique définissant le relation suivante:
-
- Un ou plusieurs patrons de filtrage sous la forme d'un patron d'URL avec le caractère `*` comme caractère générique. Ceux ci identifient le ou les domaines/chemins associés à l'entité;
- Une URL cible qui servira de base pour la réécriture des requêtes.
-
-Un "proxy" peut avoir zéro ou plusieurs "layers" associés.
-
-Un "proxy" peut être activé ou désactivé.
-
-Un "proxy" a un poids qui définit son niveau de priorité dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
-
-### Layer
-
-Un "layer" (calque) est une entité logique définissant un traitement à appliquer aux requêtes et/ou aux réponses transitant par un proxy.
-
-Un "layer" peut être activé ou désactivé.
-
-Un "layer" a un poids qui définit son niveau de priorité dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+![](../resources/deployment_single_node_fr.png)
--- a/doc/fr/references/configuration.md
+++ b/doc/fr/references/configuration.md
@ -0,0 +1,34 @@
+# Configuration
+
+## Référence
+
+Vous trouverez ici un fichier de configuration de référence, complet et commenté:
+
+[`misc/packaging/common/config.yml`](../../../misc/packaging/common/config.yml)
+
+## Interpolation de variables
+
+Il est possible d'utiliser de l'interpolation de variables d'environnement dans le fichier de configuration via la syntaxe `${var}`.
+
+Les fonctions d'interpolation suivantes sont également disponibles:
+
+- `${var^}`
+- `${var^^}`
+- `${var,}`
+- `${var,,}`
+- `${var:position}`
+- `${var:position:length}`
+- `${var#substring}`
+- `${var##substring}`
+- `${var%substring}`
+- `${var%%substring}`
+- `${var/substring/replacement}`
+- `${var//substring/replacement}`
+- `${var/#substring/replacement}`
+- `${var/%substring/replacement}`
+- `${#var}`
+- `${var=default}`
+- `${var:=default}`
+- `${var:-default}`
+
+_Voir le package [`github.com/drone/envsubst`](https://pkg.go.dev/github.com/drone/envsubst) pour plus de détails._
--- a/doc/fr/references/layers/README.md
+++ b/doc/fr/references/layers/README.md
@ -4,3 +4,4 @@ Vous trouverez ci-dessous la liste des entités "Layer" activables sur vos entit

 - [Authn (`authn-*`)](./authn/README.md) - Authentification des accès (SSO)
 - [Queue](./queue.md) - File d'attente dynamique
+- [Rewriter](./rewriter.md) - Réécriture dynamiques des attributs des requêtes/réponses
--- a/doc/fr/references/layers/authn/README.md
+++ b/doc/fr/references/layers/authn/README.md
@ -27,8 +27,8 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
 Le comportement des règles par défaut est le suivant:

 1. L'ensemble des entêtes HTTP correspondant au patron `Remote-*` sont supprimés ;
-2. L'identifiant de l'utilisateur identifié (`user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
-3. L'ensemble des attributs de l'utilisateur identifié (`user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>` où `<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
+2. L'identifiant de l'utilisateur identifié (`vars.user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
+3. L'ensemble des attributs de l'utilisateur identifié (`vars.user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>` où `<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.

 ### Fonctions

@ -36,21 +36,33 @@ Le comportement des règles par défaut est le suivant:

 Interdire l'accès à l'utilisateur.

-#### `set_header(name string, value string)`
+##### `add_header(ctx, name string, value string)`

-Définir la valeur d'une entête HTTP via son nom `name` et sa valeur `value`.
+Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.

-#### `del_headers(pattern string)`
+##### `set_header(ctx, name string, value string)`
+
+Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
+
+##### `del_headers(ctx, pattern string)`

 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.

 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.

+##### `set_host(ctx, host string)`
+
+Modifier la valeur de l'entête `Host` de la requête.
+
+##### `set_url(ctx, url string)`
+
+Modifier l'URL du serveur cible.
+
 ### Environnement

 Les règles ont accès aux variables suivantes pendant leur exécution.

-#### `user`
+#### `vars.user`

 L'utilisateur identifié par le layer.

--- a/doc/fr/references/layers/authn/basic.md
+++ b/doc/fr/references/layers/authn/basic.md
@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https

 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).

-## Objet `user` et attributs
+## Objet `vars.user` et attributs

 L'objet `user` exposé au moteur de règles sera construit de la manière suivante:

- `user.subject` sera initialisé avec le nom d'utilisateur identifié ;
- `user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
+- `vars.user.subject` sera initialisé avec le nom d'utilisateur identifié ;
+- `vars.user.attrs` sera composé des attributs associés à l'utilisation (voir les options).

 ## Métriques

--- a/doc/fr/references/layers/authn/network.md
+++ b/doc/fr/references/layers/authn/network.md
@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https

 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).

-## Objet `user` et attributs
+## Objet `vars.user` et attributs

-L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
+L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:

- `user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
- `user.attrs` sera vide.
+- `vars.user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
+- `vars.user.attrs` sera vide.

 ## Métriques

--- a/doc/fr/references/layers/authn/oidc.md
+++ b/doc/fr/references/layers/authn/oidc.md
@ -16,18 +16,18 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https

 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).

-## Objet `user` et attributs
+## Objet `vars.user` et attributs

-L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
+L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:

- `user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
- `user.attrs` comportera les propriétés suivantes:
+- `vars.user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
+- `vars.user.attrs` comportera les propriétés suivantes:

-  - L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `user.attrs.claim_iss`) ;
-  - `user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
-  - `user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
-  - `user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
-  - `user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
+  - L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `vars.user.attrs.claim_iss`) ;
+  - `vars.user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
+  - `vars.user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
+  - `vars.user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
+  - `vars.user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.

    **Attention** Cette URL ne permet dans la plupart des cas que de supprimer la session côté Bouncer. La suppression de la session côté fournisseur d'identité est conditionné à la présence ou non de l'attribut [`end_session_endpoint`](https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata) dans les données du point d'entrée de découverte de service (`.wellknown/openid-configuration`).

--- a/doc/fr/references/layers/rewriter.md
+++ b/doc/fr/references/layers/rewriter.md
@ -0,0 +1,188 @@
+# Layer "Rewriter"
+
+## Description
+
+Ce layer permet de modifier dynamiquement certains attributs de requêtes/réponses transitant par le proxy.
+
+## Type
+
+`rewriter`
+
+## Schéma des options
+
+Les options disponibles pour le layer sont décrites via un [schéma JSON](https://json-schema.org/specification). Elles sont documentées dans le [schéma visible ici](../../../../internal/proxy/director/layer/rewriter/layer-options.json).
+
+## Moteur de règles
+
+Les options `rules.request` et `rules.response` permettent de définir des listes de règles utilisant un DSL modifiant de manière dynamique les attributs des requêtes/réponses transitant par le proxy.
+
+Les listes d'instructions sont exécutées séquentiellement.
+
+Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus des fonctionnalités natives du langage, Bouncer ajoute un certain nombre de fonctions spécifiques au contexte d'utilisation.
+
+### Fonctions
+
+#### Communes
+
+##### `add_header(ctx, name string, value string)`
+
+Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
+
+##### `set_header(ctx, name string, value string)`
+
+Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
+
+##### `del_headers(ctx, pattern string)`
+
+Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
+
+Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
+
+##### `get_cookie(ctx, name string) Cookie`
+
+Récupère un cookie depuis la requête/réponse (en fonction du contexte d'utilisation).
+Retourne `nil` si le cookie n'existe pas.
+
+**Cookie**
+
+```js
+// Plus d'informations sur https://pkg.go.dev/net/http#Cookie
+{
+  name: "string", // Nom du cookie
+  value: "string", // Valeur associée au cookie
+  path: "string", // Chemin associé au cookie (présent uniquement dans un contexte de réponse)
+  domain: "string", // Domaine associé au cookie (présent uniquement dans un contexte de réponse)
+  expires: "string", // Date d'expiration du cookie (présent uniquement dans un contexte de réponse)
+  max_age: "string", // Age maximum du cookie (présent uniquement dans un contexte de réponse)
+  secure: "boolean", // Le cookie doit-il être présent uniquement en HTTPS ? (présent uniquement dans un contexte de réponse)
+  http_only: "boolean", // Le cookie est il accessible en Javascript ? (présent uniquement dans un contexte de réponse)
+  same_site: "int" // Voir https://pkg.go.dev/net/http#SameSite (présent uniquement dans un contexte de réponse)
+}
+```
+
+##### `add_cookie(ctx, cookie Cookie)`
+
+Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
+Voir la méthode `get_cookie()` pour voir les attributs potentiels.
+
+#### Requête
+
+##### `set_host(ctx, host string)`
+
+Modifier la valeur de l'entête `Host` de la requête.
+
+##### `set_url(ctx, url string)`
+
+Modifier l'URL du serveur cible.
+
+##### `redirect(ctx, statusCode int, url string)`
+
+Interrompt la requête et retourne une redirection HTTP au client.
+
+Le code HTTP utilisé doit être supérieur ou égale à `300` et inférieur à `400` (non inclus).
+
+#### Réponse
+
+_Pas de fonctions spécifiques._
+
+### Environnement
+
+Les règles ont accès aux variables suivantes pendant leur exécution. **Ces données sont en lecture seule.**
+
+#### Requête
+
+##### `vars.original_url`
+
+L'URL originale, avant réécriture du `Host` par Bouncer.
+
+```js
+{
+    scheme: "string", // Schéma HTTP de l'URL
+    opaque: "string", // Données opaque de l'URL
+    user: { // Identifiants d'URL (Basic Auth)
+        username: "",
+        password: ""
+    },
+    host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
+    path: "string", // Chemin de l'URL (format assaini)
+    raw_path: "string", // Chemin de l'URL (format brut)
+    raw_query: "string", // Variables d'URL (format brut)
+    fragment : "string", // Fragment d'URL (format assaini)
+    raw_fragment : "string" // Fragment d'URL (format brut)
+}
+```
+
+##### `vars.request`
+
+La requête en cours de traitement.
+
+```js
+{
+    method: "string", // Méthode HTTP
+    host: "string", // Nom d'hôte (`Host`) associé à la requête
+    url: { // URL associée à la requête sous sa forme structurée
+        scheme: "string", // Schéma HTTP de l'URL
+        opaque: "string", // Données opaque de l'URL
+        user: { // Identifiants d'URL (Basic Auth)
+            username: "",
+            password: ""
+        },
+        host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
+        path: "string", // Chemin de l'URL (format assaini)
+        raw_path: "string", // Chemin de l'URL (format brut)
+        raw_query: "string", // Variables d'URL (format brut)
+        fragment : "string", // Fragment d'URL (format assaini)
+        raw_fragment : "string" // Fragment d'URL (format brut)
+    },
+    raw_url: "string", // URL associée à la requête (format assaini)
+    proto: "string", // Numéro de version du protocole utilisé
+    proto_major: "int", // Numéro de version majeure du protocole utilisé
+    proto_minor: "int",  // Numéro de version mineur du protocole utilisé
+    header: { // Table associative des entêtes HTTP associés à la requête
+        "string": ["string"]
+    },
+    content_length: "int", // Taille du corps de la requête
+    transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
+        "string": ["string"]
+    },
+    remote_addr: "string", // Adresse du client HTTP à l'origine de la requête
+    request_uri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
+}
+```
+
+#### Réponse
+
+##### `vars.response`
+
+La réponse en cours de traitement.
+
+```js
+{
+    status_code: "int", // Code de statut de la réponse
+    status: "string", // Message associé au code de statut
+    proto: "string", // Numéro de version du protocole utilisé
+    proto_major: "int", // Numéro de version majeure du protocole utilisé
+    proto_minor: "int",  // Numéro de version mineur du protocole utilisé
+    header: { // Table associative des entêtes HTTP associés à la requête
+        "string": ["string"]
+    },
+    content_length: "int", // Taille du corps de la réponse
+    transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
+        "string": ["string"]
+    },
+}
+```
+
+##### `vars.request`
+
+_Voir section précédente._
+
+##### `vars.original_url`
+
+_Voir section précédente._
+
+## Métriques
+
+_Pas de métriques spécifiques._
--- a/doc/fr/terminology.md
+++ b/doc/fr/terminology.md
@ -0,0 +1,29 @@
+# Terminologie
+
+Voici une liste des termes utilisés dans le lexique Bouncer.
+
+## Proxy
+
+Un proxy est une entité logique définie par les propriétés suivantes:
+
+- Il possède **un ou plusieurs filtres d'origine** sous la forme de motifs d'URL avec le caractère `*` comme joker. Ces filtres identifient le ou les URLs associées au proxy.
+- Il peut avoir **zéro ou une URL cible**, qui servira de base pour la réécriture des requêtes. Si l'URL est absente, on parle alors de "passthrough" (voir note).
+- Il peut avoir **zéro ou plusieurs "layers" associés**.
+- Il peut être **activé ou désactivé**.
+- Il a **un poids qui définit son niveau de priorité** dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+
+Pour résumer un proxy répond à la question "_Quelle URL orienter vers quel serveur cible ?_".
+
+> **Passthrough**
+>
+> Un proxy "passthrough" est un proxy n'ayant pas d'URL cible (champ vide). Dans ce cas si les motifs d'URLs correspondent à l'URL de la requête Bouncer appliquera les layers associés puis passera la main aux proxies suivants.
+
+## Layer
+
+Un layer est une entité logique définie par les propriétés suivantes:
+
+- Il a **un type auquel est associé un schéma d'options** permettant de configurer son comportement.
+- Il peut être **activé ou désactivé**.
+- Il a **un poids qui définit son niveau de priorité** dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+
+Pour résumer un layer répond à la question "_Quel traitement appliquer à la requête et/ou réponse ?_".
--- a/doc/fr/tutorials/add-oidc-authn-layer.md
+++ b/doc/fr/tutorials/add-oidc-authn-layer.md
@ -55,7 +55,7 @@ Par défaut ce serveur écoute sur le port 8082. Il est possible de modifier l'a
   bouncer admin proxy update --proxy-name my-proxy --proxy-enabled
   ```

-3. À ce stade, vous devriez pouvoir afficher la page du serveur `dummy` en ouvrant l'URL de votre instance Bouncer, par exemple `http://localhost:8080` si vous avez travaillez avec une instance Bouncer locale avec la configuration par défaut
+3. À ce stade, vous devriez pouvoir afficher la page du serveur `dummy` en ouvrant l'URL de votre instance Bouncer, par exemple `http://localhost:8080` si vous travaillez avec une instance Bouncer locale avec la configuration par défaut

 4. Créer un layer de type `authn-oidc` pour notre nouveau proxy

--- a/doc/fr/tutorials/create-custom-layer.md
+++ b/doc/fr/tutorials/create-custom-layer.md
@ -10,13 +10,13 @@ Avoir un environnement de développement local fonctionnel. Voir tutoriel ["Dém

 ### Préparer la structure de base du nouveau layer

-Une implémetation d'un layer se compose majoritairement de 3 éléments:
+Une implémentation d'un layer se compose majoritairement de 3 éléments:

 - Une structure qui implémente une ou plusieurs interfaces (`director.MiddlewareLayer`, `director.RequestTransformerLayer` et/ou `director.ResponseTransformerLayer`);
 - Un schéma au format [JSON Schema](http://json-schema.org/) qui permettra de valider les "options" de notre layer;
 - Un fichier d'amorçage qui permettra à Bouncer de référencer notre nouveau layer.

-1. Créer le répertoire du `package` Go qui contiendra le code de votre layer. Celui ci s'appelera `basicauth`:
+1. Créer le répertoire du `package` Go qui contiendra le code de votre layer. Celui ci s’appellera `basicauth`:

   ```
   mkdir -p internal/proxy/director/layer/basicauth
@ -133,26 +133,22 @@ Une implémetation d'un layer se compose majoritairement de 3 éléments:

 ## Tester l'intégration de notre nouveau layer

-À ce stade, notre nouveau layer est normalement référencé et donc "utilisable" dans Bouncer (si on omet le fait qu'il déclenchera une `panic()`).
+À ce stade, notre nouveau layer est normalement référencé et donc "utilisable" dans Bouncer (si on omet le fait qu'il déclenchera un `panic()`).

 1. Vérifier que notre layer est bien référencé en exécutant la commande:

   ```
-   ./bin/bouncer admin layer create --help
+   ./bin/bouncer admin definition layer query --with-type basicauth
   ```

   La sortie devrait ressembler à:

   ```
-   NAME:
-   bouncer admin layer create - Create layer
-
-   USAGE:
-   bouncer admin layer create [command options] [arguments...]
-
-   OPTIONS:
-   --layer-type LAYER_TYPE        Set LAYER_TYPE as layer's type (available: [basicauth queue])
-   [...]
+    +-----------+-----------------------------------+
+    | TYPE      | OPTIONS                           |
+    +-----------+-----------------------------------+
+    | basicauth | {"type":"object","properties":... |
+    +-----------+-----------------------------------+
   ```

   Comme vous devriez le voir nous pouvons désormais créer des layers de type `basicauth`.
--- a/doc/fr/tutorials/profiling.md
+++ b/doc/fr/tutorials/profiling.md
@ -0,0 +1,68 @@
+# Étudier les performances de Bouncer
+
+## In situ
+
+Il est possible d'activer via la configuration de Bouncer de endpoints capable de générer des fichiers de profil au format [`pprof`](https://github.com/google/pprof). Par défaut, le point d'entrée est `.bouncer/profiling` (l'activation et la personnalisation de ce point d'entrée sont modifiables via la [configuration](../../../misc/packaging/common/config.yml)).
+
+**Exemple:** Visualiser l'utilisation mémoire de Bouncer
+
+```bash
+go tool pprof -web http://<bouncer_proxy>/.bouncer/profiling/heap
+```
+
+L'ensemble des profils disponibles sont visibles à l'adresse `http://<bouncer_proxy>/.bouncer/profiling`.
+
+## En développement
+
+Le package `./internal` est dédié à l'étude des performances de Bouncer. Il contient une suite de benchmarks simulant de proxies avec différentes configurations de layers afin d'évaluer les points d'engorgement sur le traitement des requêtes.
+
+Voir le répertoire `./internal/bench/testdata/proxies` pour voir les différentes configurations de cas.
+
+### Lancer les benchmarks
+
+Le plus simple est d'utiliser la commande `make bench` qui exécutera séquentiellement tous les benchmarks. Il est également possible de lancer un benchmark spécifique via la commande suivante:
+
+```bash
+go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$'  ./internal/bench
+```
+
+Par exemple:
+
+```bash
+# Pour exécuter ./internal/bench/testdata/proxies/basic-auth.yml
+go test -bench='BenchmarkProxies/basic-auth' -run='^$'  ./internal/bench
+```
+
+### Visualiser les profils d'exécution
+
+Vous pouvez visualiser les profils d'exécution via la commande suivante:
+
+```shell
+go tool pprof -web path/to/file.prof
+```
+
+Par défaut l'exécution des benchmarks créera automatiquement des fichiers de profil dans le répertoire `./internal/bench/testdata/proxies`.
+
+Par exemple:
+
+```shell
+go tool pprof -web ./internal/bench/testdata/proxies/basic-auth.prof
+```
+
+### Comparer les évolutions
+
+```bash
+# Lancer un premier benchmark
+go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$'  ./internal/bench
+
+# Faire une sauvegarde du fichier de profil
+cp ./internal/bench/testdata/proxies/$BENCH_CASE.prof ./internal/bench/testdata/proxies/$BENCH_CASE-prev.prof
+
+# Faire des modifications sur les sources
+
+# Lancer un second benchmark
+go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$'  ./internal/bench
+
+# Visualiser la différence entre les deux profils
+go tool pprof -web -base=./internal/bench/testdata/proxies/$BENCH_CASE-prev.prof ./internal/bench/testdata/proxies/$BENCH_CASE.prof
+```
--- a/doc/fr/tutorials/virtual-hosting.md
+++ b/doc/fr/tutorials/virtual-hosting.md
@ -0,0 +1,129 @@
+# Le cas du "virtual hosting"
+
+De nombreux serveurs HTTP utilisent le mécanisme du ["virtual hosting"](https://en.wikipedia.org/wiki/Virtual_hosting) afin d'héberger plusieurs sites/applications différentes sur un même serveur, se basant alors sur l'entête HTTP `Host` pour effectuer le routage.
+
+## Exemple
+
+Pour exemple, avec le site [example.net](https://example.net) il est facile de tester ce type de comportement. Ainsi, en exécutant une requête HTTP avec `curl`:
+
+```shell
+curl -I https://example.net
+```
+
+On obtient le résultat suivant:
+
+```
+HTTP/2 200
+accept-ranges: bytes
+age: 568237
+cache-control: max-age=604800
+content-type: text/html; charset=UTF-8
+date: Thu, 27 Jun 2024 08:32:46 GMT
+etag: "3147526947"
+expires: Thu, 04 Jul 2024 08:32:46 GMT
+last-modified: Thu, 17 Oct 2019 07:18:26 GMT
+server: ECAcc (bsb/2789)
+x-cache: HIT
+content-length: 1256
+```
+
+Ce résultat indique que le serveur a correctement orienté notre requête (code HTTP `200`) et qu'il nous a renvoyé la réponse attendue.
+
+Si maintenant on modifie l'entête `Host` de notre requête pour la remplacer par une valeur arbitraire:
+
+```shell
+curl -I -H 'Host: localhost:8080' https://example.net
+```
+
+On obtient alors le résultat:
+
+```
+HTTP/2 404
+content-type: text/html
+date: Thu, 27 Jun 2024 08:38:04 GMT
+server: ECAcc (bsb/2789)
+content-length: 345
+```
+
+Le serveur nous répond avec un code HTTP `404`, indiquant qu'il n'a pas trouvé la page demandée.
+
+> **Note**
+> Le code HTTP retourné par le serveur peut varier en fonction des implémentations. Parfois la requête sera orientée vers la page par défaut, parfois vous recevrez un code d'erreur HTTP comme `404`, `421`, etc.
+
+## Avec Bouncer
+
+Ce mécanisme peut parfois poser problème avec Bouncer car par défaut celui ci n'effectue pas de réécriture de l'entête `Host`. Pour exemple:
+
+1.  Créez puis activez un nouveau proxy pointant vers https://example.net
+
+    ```shell
+    bouncer admin proxy create --proxy-name example --proxy-to https://example.net
+    bouncer admin proxy update --proxy-name example --proxy-enabled=true
+    ```
+
+2.  Avec `curl`, faites une requête sur votre nouveau proxy:
+
+    ```shell
+     curl -I http://localhost:8080
+    ```
+
+    La réponse devrait ressembler à:
+
+    ```
+    HTTP/1.1 404 Not Found
+    Content-Length: 345
+    Content-Type: text/html
+    Date: Thu, 27 Jun 2024 08:49:05 GMT
+    Server: ECAcc (bsb/2789)
+    ```
+
+    On retrouve bien notre code HTTP `404` tel que vu plus haut. En effet, vu que l'on accède au proxy Bouncer avec `http://localhost:8080` alors le serveur distant recevra l'entête `Host: localhost:8080`.
+
+### Comment corriger la situation ?
+
+Le layer [`rewriter`](../references/layers/rewriter.md) a été implémenté notamment pour répondre à ce type de cas. Voyons comment l'utiliser:
+
+1. Créez puis activez un nouveau layer pour votre proxy `example`:
+
+   ```bash
+    # Création du layer
+    bouncer admin layer create --proxy-name example --layer-name host-rewrite --layer-type rewriter
+
+    # Mise à jour et activation du layer
+    bouncer admin layer update \
+        --proxy-name example \
+        --layer-name host-rewrite \
+        --layer-options '{ "rules": { "request": ["set_host(\"example.net\")"] } }' \
+        --layer-enabled=true
+   ```
+
+   > **Les règles**
+   >
+   > Le layer `rewriter` permet la modification des requêtes/réponses via un moteur de règles.
+   >
+   > [Voir la page du layer pour plus d'informations](../references/layers/rewriter.md) sur la syntaxe ainsi que sur l'API à disposition des règles.
+
+2. Testez maintenant à nouveau un appel vers votre proxy:
+
+   ```shell
+    curl -I http://localhost:8080
+   ```
+
+   La réponse devrait ressembler à:
+
+   ```
+    HTTP/1.1 200 OK
+    Accept-Ranges: bytes
+    Age: 569980
+    Cache-Control: max-age=604800
+    Content-Length: 1256
+    Content-Type: text/html; charset=UTF-8
+    Date: Thu, 27 Jun 2024 09:01:49 GMT
+    Etag: "3147526947"
+    Expires: Thu, 04 Jul 2024 09:01:49 GMT
+    Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
+    Server: ECAcc (bsb/2789)
+    X-Cache: HIT
+   ```
+
+   Cette fois ci, le serveur distant a bien identifié la cible de notre requête.
--- a/doc/resources/deployment_single_node_fr.plantuml
+++ b/doc/resources/deployment_single_node_fr.plantuml
--- a/doc/resources/deployment_single_node_fr.png
+++ b/doc/resources/deployment_single_node_fr.png
--- a/go.mod
+++ b/go.mod
@ -1,11 +1,11 @@
 module forge.cadoles.com/cadoles/bouncer

-go 1.21
+go 1.23

-toolchain go1.22.0
+toolchain go1.23.0

 require (
-	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6
+	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/bsm/redislock v0.9.4
 	github.com/btcsuite/btcd/btcutil v1.1.3
@ -92,8 +92,9 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
@ -110,18 +111,18 @@ require (
 require (
 	cdr.dev/slog v1.6.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/go-chi/cors v1.2.1
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/uuid v1.3.0
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/httprc v1.0.5 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.19
+	github.com/lestrrat-go/jwx/v2 v2.1.0
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.0 // indirect
 	github.com/lithammer/shortuuid/v4 v4.0.0
@ -131,11 +132,11 @@ require (
 	github.com/urfave/cli/v2 v2.25.3
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20240226160244-6b2826c79f88
-	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/crypto v0.24.0
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1
--- a/go.sum
+++ b/go.sum
@ -8,8 +8,8 @@ cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5
 cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
 cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
 cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
-forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6 h1:FTk0ZoaV5N8Tkps5Da5RrDMZZXSHZIuD67Hy1Y4fsos=
-forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
+forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926 h1:gSTTuW2lqH66cGVrhplrVrqos62BY1/GxR3KYh2TElk=
+forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@ -83,8 +83,8 @@ github.com/dchest/uniuri v1.2.0 h1:koIcOUdrTIivZgSLhHQvKgqdWZq5d7KdMEWF1Ud6+5g=
 github.com/dchest/uniuri v1.2.0/go.mod h1:fSzm4SLHzNZvWLvWJew423PhAzkpNQYq+uNLq4kxhkY=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
@ -133,8 +133,8 @@ github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfC
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@ -208,12 +208,12 @@ github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N
 github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
-github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/OLUk=
+github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.0.19 h1:ekv1qEZE6BVct89QA+pRF6+4pCpfVrOnEJnTnT4RXoY=
-github.com/lestrrat-go/jwx/v2 v2.0.19/go.mod h1:l3im3coce1lL2cDeAjqmaR+Awx+X8Ih+2k8BuHNJ4CU=
+github.com/lestrrat-go/jwx/v2 v2.1.0 h1:0zs7Ya6+39qoit7gwAf+cYm1zzgS3fceIdo7RmQ5lkw=
+github.com/lestrrat-go/jwx/v2 v2.1.0/go.mod h1:Xpw9QIaUGiIUD1Wx0NcY1sIHwFf8lDuZn/cmxtXYRys=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
@ -339,8 +339,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@ -375,13 +375,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -395,8 +395,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -405,8 +405,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -433,13 +433,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -447,8 +447,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -457,8 +457,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/admin/authz.go
+++ b/internal/admin/authz.go
@ -70,7 +70,7 @@ func assertRequestUser(w http.ResponseWriter, r *http.Request) (auth.User, bool)
 	ctx := r.Context()
 	user, err := auth.CtxUser(ctx)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve user", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve user", logger.CapturedE(errors.WithStack(err)))

 		forbidden(w, r)

--- a/internal/admin/bootstrap.go
+++ b/internal/admin/bootstrap.go
@ -65,7 +65,7 @@ func (s *Server) bootstrapProxies(ctx context.Context) error {

 			for layerName, layerConfig := range proxyConfig.Layers {
 				layerType := store.LayerType(layerConfig.Type)
-				layerOptions := store.LayerOptions(layerConfig.Options)
+				layerOptions := store.LayerOptions(layerConfig.Options.Data)

 				if _, err := layerRepo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions); err != nil {
 					return errors.WithStack(err)
@ -109,7 +109,7 @@ func (s *Server) validateBootstrap(ctx context.Context) error {
 			}

 			rawOptions := func(opts config.InterpolatedMap) map[string]any {
-				return opts
+				return opts.Data
 			}(layerConf.Options)

 			if err := schema.Validate(ctx, layerOptionsSchema, rawOptions); err != nil {
--- a/internal/admin/error.go
+++ b/internal/admin/error.go
@ -6,7 +6,6 @@ import (
 	"net/http"

 	"forge.cadoles.com/cadoles/bouncer/internal/schema"
-	"github.com/getsentry/sentry-go"
 	"gitlab.com/wpetit/goweb/api"
 	"gitlab.com/wpetit/goweb/logger"
 )
@ -29,11 +28,8 @@ func invalidDataErrorResponse(w http.ResponseWriter, r *http.Request, err *schem
 	}{
 		Message: message,
 	})
-
-	return
 }

 func logAndCaptureError(ctx context.Context, message string, err error) {
-	sentry.CaptureException(err)
-	logger.Error(ctx, message, logger.E(err))
+	logger.Error(ctx, message, logger.CapturedE(err))
 }
--- a/internal/admin/init.go
+++ b/internal/admin/init.go
@ -27,7 +27,7 @@ func (s *Server) initRepositories(ctx context.Context) error {
 }

 func (s *Server) initRedisClient(ctx context.Context) error {
-	client := setup.NewRedisClient(ctx, s.redisConfig)
+	client := setup.NewSharedClient(s.redisConfig)

 	s.redisClient = client

--- a/internal/admin/proxy_route.go
+++ b/internal/admin/proxy_route.go
@ -121,7 +121,7 @@ func (s *Server) deleteProxy(w http.ResponseWriter, r *http.Request) {

 type CreateProxyRequest struct {
 	Name string   `json:"name" validate:"required"`
-	To   string   `json:"to" validate:"required"`
+	To   string   `json:"to"`
 	From []string `json:"from" validate:"required"`
 }

--- a/internal/admin/server.go
+++ b/internal/admin/server.go
@ -2,10 +2,12 @@ package admin

 import (
 	"context"
+	"expvar"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
+	"net/http/pprof"

 	"forge.cadoles.com/cadoles/bouncer/internal/auth"
 	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
@ -114,7 +116,9 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		router.Use(middleware.RealIP)
 	}

+	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
+	router.Use(middleware.Recoverer)

 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@ -155,6 +159,35 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		})
 	}

+	if s.serverConfig.Profiling.Enabled {
+		profiling := s.serverConfig.Profiling
+		logger.Info(ctx, "enabling profiling", logger.F("endpoint", profiling.Endpoint))
+
+		router.Group(func(r chi.Router) {
+			if profiling.BasicAuth != nil {
+				logger.Info(ctx, "enabling authentication on profiling endpoint")
+
+				r.Use(middleware.BasicAuth(
+					"profiling",
+					profiling.BasicAuth.CredentialsMap(),
+				))
+			}
+
+			r.Route(string(profiling.Endpoint), func(r chi.Router) {
+				r.HandleFunc("/", pprof.Index)
+				r.HandleFunc("/cmdline", pprof.Cmdline)
+				r.HandleFunc("/profile", pprof.Profile)
+				r.HandleFunc("/symbol", pprof.Symbol)
+				r.HandleFunc("/trace", pprof.Trace)
+				r.Handle("/vars", expvar.Handler())
+				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
+					name := chi.URLParam(r, "name")
+					pprof.Handler(name).ServeHTTP(w, r)
+				})
+			})
+		})
+	}
+
 	router.Route("/api/v1", func(r chi.Router) {
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -52,7 +52,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			for _, auth := range authenticators {
 				user, err = auth.Authenticate(ctx, r)
 				if err != nil {
-					logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
+					logger.Debug(ctx, "could not authenticate request", logger.CapturedE(errors.WithStack(err)))

 					continue
 				}
--- a/internal/bench/proxy_test.go
+++ b/internal/bench/proxy_test.go
@ -0,0 +1,318 @@
+package proxy_test
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime/pprof"
+	"strings"
+	"testing"
+	"time"
+
+	"forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
+	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
+	"gitlab.com/wpetit/goweb/logger"
+	"gopkg.in/yaml.v3"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/setup"
+)
+
+func BenchmarkProxies(b *testing.B) {
+	proxyFiles, err := filepath.Glob("testdata/proxies/*.yml")
+	if err != nil {
+		b.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	for _, f := range proxyFiles {
+		name := strings.TrimSuffix(filepath.Base(f), filepath.Ext(f))
+
+		b.Run(name, func(b *testing.B) {
+			heap, err := os.Create(filepath.Join("testdata", "proxies", name+"_heap.prof"))
+			if err != nil {
+				b.Fatalf("%+v", errors.Wrapf(err, "could not create heap profile"))
+			}
+
+			defer func() {
+				defer heap.Close()
+
+				if err := pprof.WriteHeapProfile(heap); err != nil {
+					b.Fatalf("%+v", errors.WithStack(err))
+				}
+			}()
+
+			conf, err := loadProxyBenchConfig(f)
+			if err != nil {
+				b.Fatalf("%+v", errors.Wrapf(err, "could notre load bench config"))
+			}
+
+			proxy, backend, err := createProxy(name, conf, b.Logf)
+			if err != nil {
+				b.Fatalf("%+v", errors.Wrapf(err, "could not create proxy"))
+			}
+
+			defer proxy.Close()
+
+			if backend != nil {
+				defer backend.Close()
+			}
+
+			client := proxy.Client()
+
+			proxyURL, err := url.Parse(proxy.URL)
+			if err != nil {
+				b.Fatalf("%+v", errors.Wrapf(err, "could not parse proxy url"))
+			}
+
+			if conf.Fetch.URL.Path != "" {
+				proxyURL.Path = conf.Fetch.URL.Path
+			}
+
+			if conf.Fetch.URL.RawQuery != "" {
+				proxyURL.RawQuery = conf.Fetch.URL.RawQuery
+			}
+
+			if conf.Fetch.URL.User.Username != "" || conf.Fetch.URL.User.Password != "" {
+				proxyURL.User = url.UserPassword(conf.Fetch.URL.User.Username, conf.Fetch.URL.User.Password)
+			}
+
+			rawProxyURL := proxyURL.String()
+
+			b.Logf("fetching url '%s'", rawProxyURL)
+
+			profile, err := os.Create(filepath.Join("testdata", "proxies", name+"_cpu.prof"))
+			if err != nil {
+				b.Fatalf("%+v", errors.Wrapf(err, "could not create cpu profile"))
+			}
+
+			defer profile.Close()
+
+			if err := pprof.StartCPUProfile(profile); err != nil {
+				b.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			defer pprof.StopCPUProfile()
+
+			b.ResetTimer()
+
+			for i := 0; i < b.N; i++ {
+				res, err := client.Get(rawProxyURL)
+				if err != nil {
+					b.Errorf("could not fetch proxy url: %+v", errors.WithStack(err))
+				}
+
+				body, err := io.ReadAll(res.Body)
+				if err != nil {
+					b.Errorf("could not read response body: %+v", errors.WithStack(err))
+				}
+
+				b.Logf("%s \n %v", res.Status, string(body))
+
+				if err := res.Body.Close(); err != nil {
+					b.Errorf("could not close response body: %+v", errors.WithStack(err))
+				}
+			}
+		})
+	}
+}
+
+type proxyBenchConfig struct {
+	Proxy config.BootstrapProxyConfig `yaml:"proxy"`
+	Fetch fetchBenchConfig            `yaml:"fetch"`
+}
+
+type fetchBenchConfig struct {
+	URL fetchURLBenchConfig `yaml:"url"`
+}
+
+type fetchURLBenchConfig struct {
+	Path     string                  `yaml:"path"`
+	RawQuery string                  `yaml:"rawQuery"`
+	User     fetchURLUserBenchConfig `yaml:"user"`
+}
+
+type fetchURLUserBenchConfig struct {
+	Username string `yaml:"username"`
+	Password string `yaml:"password"`
+}
+
+func loadProxyBenchConfig(filename string) (*proxyBenchConfig, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, errors.Wrapf(err, "could not read file '%s'", filename)
+	}
+
+	conf := proxyBenchConfig{}
+
+	if err := yaml.Unmarshal(data, &conf); err != nil {
+		return nil, errors.Wrapf(err, "could not unmarshal config")
+	}
+
+	return &conf, nil
+}
+
+func createProxy(name string, conf *proxyBenchConfig, logf func(format string, a ...any)) (*httptest.Server, *httptest.Server, error) {
+	redisEndpoint := os.Getenv("BOUNCER_BENCH_REDIS_ADDR")
+	if redisEndpoint == "" {
+		redisEndpoint = "127.0.0.1:6379"
+	}
+
+	client := redis.NewUniversalClient(&redis.UniversalOptions{
+		Addrs: []string{redisEndpoint},
+	})
+
+	proxyRepository := redisStore.NewProxyRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay)
+	layerRepository := redisStore.NewLayerRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay)
+
+	var backend *httptest.Server
+
+	if conf.Proxy.To == "" {
+		backend = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+			if _, err := w.Write([]byte("Hello, world.")); err != nil {
+				logf("[ERROR] %+v", errors.WithStack(err))
+			}
+		}))
+
+		if err := waitFor(backend.URL, 5*time.Second); err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
+
+		logf("started backend '%s'", backend.URL)
+	}
+
+	ctx := context.Background()
+
+	proxyName := store.ProxyName("bench-" + name)
+
+	proxies, err := proxyRepository.QueryProxy(ctx)
+	if err != nil {
+		return nil, nil, errors.WithStack(err)
+	}
+
+	// Cleanup existing proxies
+	for _, p := range proxies {
+		if err := proxyRepository.DeleteProxy(ctx, p.Name); err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
+	}
+
+	logf("creating proxy '%s'", proxyName)
+
+	to := string(conf.Proxy.To)
+	if to == "" {
+		to = backend.URL
+	}
+
+	if _, err := proxyRepository.CreateProxy(ctx, proxyName, to, conf.Proxy.From...); err != nil {
+		return nil, nil, errors.WithStack(err)
+	}
+
+	if _, err := proxyRepository.UpdateProxy(ctx, proxyName, store.WithProxyUpdateEnabled(true)); err != nil {
+		return nil, nil, errors.WithStack(err)
+	}
+
+	for layerName, layerConf := range conf.Proxy.Layers {
+		if err := layerRepository.DeleteLayer(ctx, proxyName, store.LayerName(layerName)); err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
+
+		_, err := layerRepository.CreateLayer(ctx, proxyName, store.LayerName(layerName), store.LayerType(layerConf.Type), layerConf.Options.Data)
+		if err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
+
+		_, err = layerRepository.UpdateLayer(ctx, proxyName, store.LayerName(layerName), store.WithLayerUpdateEnabled(bool(layerConf.Enabled)))
+		if err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
+
+	}
+
+	appConf := config.NewDefault()
+	appConf.Logger.Level = config.InterpolatedInt(logger.LevelError)
+	appConf.Layers.Authn.TemplateDir = "../../layers/authn/templates"
+	appConf.Layers.Queue.TemplateDir = "../../layers/queue/templates"
+
+	layers, err := setup.GetLayers(context.Background(), appConf)
+	if err != nil {
+		return nil, nil, errors.WithStack(err)
+	}
+
+	director := director.New(
+		proxyRepository, layerRepository,
+		director.WithLayerCache(
+			ttl.NewCache(
+				memory.NewCache[string, []*store.Layer](),
+				memory.NewCache[string, time.Time](),
+				30*time.Second,
+			),
+		),
+		director.WithProxyCache(
+			ttl.NewCache(
+				memory.NewCache[string, []*store.Proxy](),
+				memory.NewCache[string, time.Time](),
+				30*time.Second,
+			),
+		),
+		director.WithLayers(layers...),
+	)
+
+	directorMiddleware := director.Middleware()
+
+	handler := proxy.New(
+		proxy.WithRequestTransformers(
+			director.RequestTransformer(),
+		),
+		proxy.WithResponseTransformers(
+			director.ResponseTransformer(),
+		),
+		proxy.WithReverseProxyFactory(func(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
+			reverse := httputil.NewSingleHostReverseProxy(target)
+			reverse.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
+				logf("[ERROR] %s", errors.WithStack(err))
+			}
+			return reverse
+		}),
+	)
+
+	server := httptest.NewServer(directorMiddleware(handler))
+
+	return server, backend, nil
+}
+
+func waitFor(url string, ttl time.Duration) error {
+	var lastErr error
+	timeout := time.After(ttl)
+	for {
+		select {
+		case <-timeout:
+			if lastErr != nil {
+				return lastErr
+			}
+
+			return errors.New("wait timed out")
+		default:
+			res, err := http.Get(url)
+			if err != nil {
+				lastErr = errors.WithStack(err)
+				continue
+			}
+
+			if res.StatusCode >= 200 && res.StatusCode < 400 {
+				return nil
+			}
+		}
+	}
+}
--- a/internal/bench/testdata/proxies/basic-auth.yml
+++ b/internal/bench/testdata/proxies/basic-auth.yml
@ -0,0 +1,20 @@
+proxy:
+  from: ["*"]
+  to: ""
+  layers:
+    basic-auth:
+      type: authn-basic
+      enabled: true
+      options:
+        users:
+          - username: foo
+            passwordHash: "$2y$10$ShTc856wMB8PCxyr46qJRO8z06MpV4UejAVRDJ/bixhu0XTGn7Giy"
+            attributes:
+              email: foo@bar.com
+        rules:
+          - set_header(ctx, "Remote-User-Attr-Email", vars.user.attrs.email)
+fetch:
+  url:
+    user:
+      username: foo
+      password: bar
--- a/internal/bench/testdata/proxies/noop.yml
+++ b/internal/bench/testdata/proxies/noop.yml
@ -0,0 +1,3 @@
+proxy:
+  from: ["*"]
+  to: ""
--- a/internal/bench/testdata/proxies/queue.yml
+++ b/internal/bench/testdata/proxies/queue.yml
@ -0,0 +1,10 @@
+proxy:
+  from: ["*"]
+  to: ""
+  layers:
+    queue:
+      type: queue
+      enabled: true
+      options:
+        capacity: 100
+        keepAlive: 10s
--- a/internal/bench/testdata/proxies/rewriter.yml
+++ b/internal/bench/testdata/proxies/rewriter.yml
@ -0,0 +1,12 @@
+proxy:
+  from: ["*"]
+  to: ""
+  layers:
+    host-rewriter:
+      type: rewriter
+      enabled: true
+      options:
+        rules:
+          request:
+            - set_host(ctx, vars.request.url.host)
+            - set_header(ctx, "X-Proxied-With", "bouncer")
--- a/internal/cache/cache.go
+++ b/internal/cache/cache.go
@ -0,0 +1,7 @@
+package cache
+
+type Cache[K comparable, V any] interface {
+	Get(key K) (V, bool)
+	Set(key K, value V)
+	Clear()
+}
--- a/internal/cache/memory/cache.go
+++ b/internal/cache/memory/cache.go
@ -0,0 +1,38 @@
+package memory
+
+import (
+	"sync"
+
+	cache "forge.cadoles.com/cadoles/bouncer/internal/cache"
+)
+
+type Cache[K comparable, V any] struct {
+	store *sync.Map
+}
+
+// Get implements cache.Cache.
+func (c *Cache[K, V]) Get(key K) (V, bool) {
+	raw, exists := c.store.Load(key)
+	if !exists {
+		return *new(V), false
+	}
+
+	return raw.(V), exists
+}
+
+// Set implements cache.Cache.
+func (c *Cache[K, V]) Set(key K, value V) {
+	c.store.Store(key, value)
+}
+
+func (c *Cache[K, V]) Clear() {
+	c.store.Clear()
+}
+
+func NewCache[K comparable, V any]() *Cache[K, V] {
+	return &Cache[K, V]{
+		store: new(sync.Map),
+	}
+}
+
+var _ cache.Cache[string, bool] = &Cache[string, bool]{}
--- a/internal/cache/ttl/cache.go
+++ b/internal/cache/ttl/cache.go
@ -0,0 +1,44 @@
+package ttl
+
+import (
+	"time"
+
+	cache "forge.cadoles.com/cadoles/bouncer/internal/cache"
+)
+
+type Cache[K comparable, V any] struct {
+	timestamps cache.Cache[K, time.Time]
+	values     cache.Cache[K, V]
+	ttl        time.Duration
+}
+
+// Get implements cache.Cache.
+func (c *Cache[K, V]) Get(key K) (V, bool) {
+	timestamp, exists := c.timestamps.Get(key)
+	if !exists || timestamp.Add(c.ttl).Before(time.Now()) {
+		return *new(V), false
+	}
+
+	return c.values.Get(key)
+}
+
+// Set implements cache.Cache.
+func (c *Cache[K, V]) Set(key K, value V) {
+	c.timestamps.Set(key, time.Now())
+	c.values.Set(key, value)
+}
+
+func (c *Cache[K, V]) Clear() {
+	c.timestamps.Clear()
+	c.values.Clear()
+}
+
+func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
+	return &Cache[K, V]{
+		values:     values,
+		timestamps: timestamps,
+		ttl:        ttl,
+	}
+}
+
+var _ cache.Cache[string, bool] = &Cache[string, bool]{}
--- a/internal/cache/ttl/cache_test.go
+++ b/internal/cache/ttl/cache_test.go
@ -0,0 +1,39 @@
+package ttl
+
+import (
+	"testing"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+)
+
+func TestCache(t *testing.T) {
+	cache := NewCache(
+		memory.NewCache[string, int](),
+		memory.NewCache[string, time.Time](),
+		time.Second,
+	)
+
+	key := "foo"
+
+	if _, exists := cache.Get(key); exists {
+		t.Errorf("cache.Get(\"%s\"): should not exists", key)
+	}
+
+	cache.Set(key, 1)
+
+	value, exists := cache.Get(key)
+	if !exists {
+		t.Errorf("cache.Get(\"%s\"): should exists", key)
+	}
+
+	if e, g := 1, value; e != g {
+		t.Errorf("cache.Get(\"%s\"): expected '%v', got '%v'", key, e, g)
+	}
+
+	time.Sleep(time.Second)
+
+	if _, exists := cache.Get("foo"); exists {
+		t.Errorf("cache.Get(\"%s\"): should not exists", key)
+	}
+}
--- a/internal/chi/log_formatter.go
+++ b/internal/chi/log_formatter.go
@ -2,7 +2,6 @@ package chi

 import (
 	"context"
-	"fmt"
 	"net/http"
 	"time"

@ -37,12 +36,19 @@ type LogEntry struct {

 // Panic implements middleware.LogEntry
 func (e *LogEntry) Panic(v interface{}, stack []byte) {
-	logger.Error(e.ctx, fmt.Sprintf("%s %s", e.method, e.path), logger.F("stack", string(stack)))
+	logger.Error(
+		e.ctx, "http panic",
+		logger.F("stack", string(stack)),
+		logger.F("host", e.host),
+		logger.F("method", e.method),
+		logger.F("path", e.path),
+	)
 }

 // Write implements middleware.LogEntry
 func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
-	logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
+	logger.Info(
+		e.ctx, "http request",
 		logger.F("host", e.host),
 		logger.F("status", status),
 		logger.F("bytes", bytes),
--- a/internal/command/admin/layer/query.go
+++ b/internal/command/admin/layer/query.go
@ -2,6 +2,7 @@ package layer

 import (
 	"os"
+	"slices"

 	"forge.cadoles.com/cadoles/bouncer/internal/client"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/admin/apierr"
@ -52,14 +53,16 @@ func QueryCommand() *cli.Command {

 			client := client.New(baseFlags.ServerURL, client.WithToken(token))

-			proxies, err := client.QueryLayer(ctx.Context, proxyName, options...)
+			layers, err := client.QueryLayer(ctx.Context, proxyName, options...)
 			if err != nil {
 				return errors.WithStack(apierr.Wrap(err))
 			}

+			slices.SortFunc(layers, sortLayerssByWeight)
+
 			hints := layerHeaderHints(baseFlags.OutputMode)

-			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(proxies)...); err != nil {
+			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(layers)...); err != nil {
 				return errors.WithStack(err)
 			}

@ -67,3 +70,13 @@ func QueryCommand() *cli.Command {
 		},
 	}
 }
+
+func sortLayerssByWeight(a *store.LayerHeader, b *store.LayerHeader) int {
+	if a.Weight < b.Weight {
+		return 1
+	}
+	if a.Weight > b.Weight {
+		return -1
+	}
+	return 0
+}
--- a/internal/command/admin/layer/util.go
+++ b/internal/command/admin/layer/util.go
@ -13,6 +13,7 @@ func layerHeaderHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("Type", "Type"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
+			format.NewProp("Revision", "Revision"),
 		},
 	}
 }
@ -25,6 +26,7 @@ func layerHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("Type", "Type"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
+			format.NewProp("Revision", "Revision"),
 			format.NewProp("Options", "Options"),
 			format.NewProp("CreatedAt", "CreatedAt", table.WithCompactModeMaxColumnWidth(20)),
 			format.NewProp("UpdatedAt", "UpdatedAt", table.WithCompactModeMaxColumnWidth(20)),
--- a/internal/command/admin/proxy/create.go
+++ b/internal/command/admin/proxy/create.go
@ -19,7 +19,7 @@ func CreateCommand() *cli.Command {
 		Name:  "create",
 		Usage: "Create proxy",
 		Flags: proxyFlag.WithProxyFlags(
-			flag.ProxyTo(true),
+			flag.ProxyTo(),
 			flag.ProxyFrom(),
 		),
 		Action: func(ctx *cli.Context) error {
--- a/internal/command/admin/proxy/flag/flag.go
+++ b/internal/command/admin/proxy/flag/flag.go
@ -30,12 +30,11 @@ func ProxyName() cli.Flag {

 const KeyProxyTo = "proxy-to"

-func ProxyTo(required bool) cli.Flag {
+func ProxyTo() cli.Flag {
 	return &cli.StringFlag{
-		Name:     KeyProxyTo,
-		Usage:    "Set `PROXY_TO` as proxy's destination url",
-		Value:    "",
-		Required: required,
+		Name:  KeyProxyTo,
+		Usage: "Set `PROXY_TO` as proxy's destination url",
+		Value: "",
 	}
 }

--- a/internal/command/admin/proxy/query.go
+++ b/internal/command/admin/proxy/query.go
@ -2,6 +2,7 @@ package proxy

 import (
 	"os"
+	"slices"

 	"forge.cadoles.com/cadoles/bouncer/internal/client"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/admin/apierr"
@ -51,6 +52,8 @@ func QueryCommand() *cli.Command {
 				return errors.WithStack(apierr.Wrap(err))
 			}

+			slices.SortFunc(proxies, sortProxiesByWeight)
+
 			hints := proxyHeaderHints(baseFlags.OutputMode)

 			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(proxies)...); err != nil {
@ -61,3 +64,13 @@ func QueryCommand() *cli.Command {
 		},
 	}
 }
+
+func sortProxiesByWeight(a *store.ProxyHeader, b *store.ProxyHeader) int {
+	if a.Weight < b.Weight {
+		return 1
+	}
+	if a.Weight > b.Weight {
+		return -1
+	}
+	return 0
+}
--- a/internal/command/admin/proxy/update.go
+++ b/internal/command/admin/proxy/update.go
@ -19,7 +19,7 @@ func UpdateCommand() *cli.Command {
 		Name:  "update",
 		Usage: "Update proxy",
 		Flags: proxyFlag.WithProxyFlags(
-			flag.ProxyTo(false),
+			flag.ProxyTo(),
 			flag.ProxyFrom(),
 			flag.ProxyEnabled(),
 			flag.ProxyWeight(),
--- a/internal/command/admin/proxy/util.go
+++ b/internal/command/admin/proxy/util.go
@ -12,6 +12,7 @@ func proxyHeaderHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("Name", "Name"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
+			format.NewProp("Revision", "Revision"),
 		},
 	}
 }
@ -25,6 +26,7 @@ func proxyHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("To", "To"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
+			format.NewProp("Revision", "Revision"),
 			format.NewProp("CreatedAt", "CreatedAt", table.WithCompactModeMaxColumnWidth(20)),
 			format.NewProp("UpdatedAt", "UpdatedAt", table.WithCompactModeMaxColumnWidth(20)),
 		},
--- a/internal/command/server/admin/run.go
+++ b/internal/command/server/admin/run.go
@ -12,14 +12,8 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )

-const (
-	flagPrintDefaultToken = "print-default-token"
-)
-
 func RunCommand() *cli.Command {
-	flags := append(
-		common.Flags(),
-	)
+	flags := common.Flags()

 	return &cli.Command{
 		Name:  "run",
@ -34,13 +28,18 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))

-			projectVersion := ctx.String("projectVersion")
-			flushSentry, err := setup.SetupSentry(ctx.Context, conf.Admin.Sentry, projectVersion)
-			if err != nil {
-				return errors.Wrap(err, "could not initialize sentry client")
-			}
+			logger.Debug(ctx.Context, "using config", logger.F("config", conf))

-			defer flushSentry()
+			projectVersion := ctx.String("projectVersion")
+
+			if conf.Proxy.Sentry.DSN != "" {
+				flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
+				if err != nil {
+					return errors.Wrap(err, "could not initialize sentry client")
+				}
+
+				defer flushSentry()
+			}

 			integrations, err := setup.SetupIntegrations(ctx.Context, conf)
 			if err != nil {
--- a/internal/command/server/dummy/index.gohtml
+++ b/internal/command/server/dummy/index.gohtml
@ -4,14 +4,14 @@
    <h2>Incoming headers</h2>
    <table style="width: 100%">
      <thead>
-        <tr>
+        <tr style="text-align: left">
          <th>Key</th>
          <th>Value</th>
        </tr>
      </thead>
      <tbody>
        {{ range $key, $val := .Request.Header }}
-        <tr>
+        <tr style="text-align: left">
          <td>
            <b>{{ $key }}</b>
          </td>
@ -27,7 +27,7 @@
    <h2>Incoming cookies</h2>
    <table style="width: 100%">
      <thead>
-        <tr>
+        <tr style="text-align: left">
          <th>Name</th>
          <th>Domain</th>
          <th>Path</th>
@ -41,7 +41,7 @@
      </thead>
      <tbody>
        {{ range $cookie := .Request.Cookies }}
-        <tr>
+        <tr style="text-align: left">
          <td>
            <b>{{ $cookie.Name }}</b>
          </td>
--- a/internal/command/server/dummy/run.go
+++ b/internal/command/server/dummy/run.go
@ -53,7 +53,7 @@ func RunCommand() *cli.Command {
 				}

 				if err := tmpl.Execute(w, data); err != nil {
-					logger.Error(ctx.Context, "could not execute template", logger.E(errors.WithStack(err)))
+					logger.Error(ctx.Context, "could not execute template", logger.CapturedE(errors.WithStack(err)))
 				}
 			})

--- a/internal/command/server/proxy/run.go
+++ b/internal/command/server/proxy/run.go
@ -3,6 +3,7 @@ package proxy
 import (
 	"fmt"
 	"strings"
+	"time"

 	"forge.cadoles.com/cadoles/bouncer/internal/command/common"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy"
@ -28,13 +29,18 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))

-			projectVersion := ctx.String("projectVersion")
-			flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
-			if err != nil {
-				return errors.Wrap(err, "could not initialize sentry client")
-			}
+			logger.Debug(ctx.Context, "using config", logger.F("config", conf))

-			defer flushSentry()
+			projectVersion := ctx.String("projectVersion")
+
+			if conf.Proxy.Sentry.DSN != "" {
+				flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
+				if err != nil {
+					return errors.Wrap(err, "could not initialize sentry client")
+				}
+
+				defer flushSentry()
+			}

 			layers, err := setup.GetLayers(ctx.Context, conf)
 			if err != nil {
@ -45,6 +51,7 @@ func RunCommand() *cli.Command {
 				proxy.WithServerConfig(conf.Proxy),
 				proxy.WithRedisConfig(conf.Redis),
 				proxy.WithDirectorLayers(layers...),
+				proxy.WithDirectorCacheTTL(time.Duration(*conf.Proxy.Cache.TTL)),
 			)

 			addrs, srvErrs := srv.Start(ctx.Context)
--- a/internal/config/admin_server.go
+++ b/internal/config/admin_server.go
@ -1,20 +1,22 @@
 package config

 type AdminServerConfig struct {
-	HTTP    HTTPConfig    `yaml:"http"`
-	CORS    CORSConfig    `yaml:"cors"`
-	Auth    AuthConfig    `yaml:"auth"`
-	Metrics MetricsConfig `yaml:"metrics"`
-	Sentry  SentryConfig  `yaml:"sentry"`
+	HTTP      HTTPConfig      `yaml:"http"`
+	CORS      CORSConfig      `yaml:"cors"`
+	Auth      AuthConfig      `yaml:"auth"`
+	Metrics   MetricsConfig   `yaml:"metrics"`
+	Profiling ProfilingConfig `yaml:"profiling"`
+	Sentry    SentryConfig    `yaml:"sentry"`
 }

 func NewDefaultAdminServerConfig() AdminServerConfig {
 	return AdminServerConfig{
-		HTTP:    NewHTTPConfig("127.0.0.1", 8081),
-		CORS:    NewDefaultCORSConfig(),
-		Auth:    NewDefaultAuthConfig(),
-		Metrics: NewDefaultMetricsConfig(),
-		Sentry:  NewDefaultSentryConfig(),
+		HTTP:      NewHTTPConfig("127.0.0.1", 8081),
+		CORS:      NewDefaultCORSConfig(),
+		Auth:      NewDefaultAuthConfig(),
+		Metrics:   NewDefaultMetricsConfig(),
+		Sentry:    NewDefaultSentryConfig(),
+		Profiling: NewDefaultProfilingConfig(),
 	}
 }

--- a/internal/config/bootstrap.go
+++ b/internal/config/bootstrap.go
@ -80,24 +80,33 @@ func loadBootstrapDir(dir string) (map[store.ProxyName]BootstrapProxyConfig, err

 	proxies := make(map[store.ProxyName]BootstrapProxyConfig)
 	for _, f := range files {
-		data, err := os.ReadFile(f)
+		proxy, err := loadBootstrappedProxyConfig(f)
 		if err != nil {
-			return nil, errors.Wrapf(err, "could not read file '%s'", f)
-		}
-
-		proxy := BootstrapProxyConfig{}
-
-		if err := yaml.Unmarshal(data, &proxy); err != nil {
-			return nil, errors.Wrapf(err, "could not unmarshal proxy")
+			return nil, errors.Wrapf(err, "could not load proxy bootstrap file '%s'", f)
 		}

 		name := store.ProxyName(strings.TrimSuffix(filepath.Base(f), filepath.Ext(f)))
-		proxies[name] = proxy
+		proxies[name] = *proxy
 	}

 	return proxies, nil
 }

+func loadBootstrappedProxyConfig(filename string) (*BootstrapProxyConfig, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, errors.Wrapf(err, "could not read file '%s'", filename)
+	}
+
+	proxy := BootstrapProxyConfig{}
+
+	if err := yaml.Unmarshal(data, &proxy); err != nil {
+		return nil, errors.Wrapf(err, "could not unmarshal proxy")
+	}
+
+	return &proxy, nil
+}
+
 func overrideProxies(base map[store.ProxyName]BootstrapProxyConfig, proxies map[store.ProxyName]BootstrapProxyConfig) map[store.ProxyName]BootstrapProxyConfig {
 	for name, proxy := range proxies {
 		base[name] = proxy
--- a/internal/config/environment.go
+++ b/internal/config/environment.go
@ -2,7 +2,6 @@ package config

 import (
 	"os"
-	"regexp"
 	"strconv"
 	"time"

@ -11,9 +10,6 @@ import (
 	"gopkg.in/yaml.v3"
 )

-// var reVar = regexp.MustCompile(`^\${(\w+)}$`)
-var reVar = regexp.MustCompile(`\${(.*?)}`)
-
 type InterpolatedString string

 func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
@ -23,12 +19,13 @@ func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
 		return errors.WithStack(err)
 	}

-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
-		*is = InterpolatedString(os.Getenv(match[1]))
-	} else {
-		*is = InterpolatedString(str)
+	str, err := envsubst.Eval(str, getEnv)
+	if err != nil {
+		return errors.WithStack(err)
 	}

+	*is = InterpolatedString(str)
+
 	return nil
 }

@ -41,8 +38,9 @@ func (ii *InterpolatedInt) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
-		str = os.Getenv(match[1])
+	str, err := envsubst.Eval(str, getEnv)
+	if err != nil {
+		return errors.WithStack(err)
 	}

 	intVal, err := strconv.ParseInt(str, 10, 32)
@ -64,11 +62,12 @@ func (ifl *InterpolatedFloat) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
-		str = os.Getenv(match[1])
+	str, err := envsubst.Eval(str, getEnv)
+	if err != nil {
+		return errors.WithStack(err)
 	}

-	floatVal, err := strconv.ParseFloat(str, 10)
+	floatVal, err := strconv.ParseFloat(str, 32)
 	if err != nil {
 		return errors.Wrapf(err, "could not parse float '%v',  line '%d'", str, value.Line)
 	}
@ -87,8 +86,9 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
-		str = os.Getenv(match[1])
+	str, err := envsubst.Eval(str, getEnv)
+	if err != nil {
+		return errors.WithStack(err)
 	}

 	boolVal, err := strconv.ParseBool(str)
@ -101,53 +101,76 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }

-type InterpolatedMap map[string]interface{}
+var getEnv = os.Getenv
+
+type InterpolatedMap struct {
+	Data map[string]any
+}

 func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
-	var data map[string]interface{}
+	var data map[string]any

 	if err := value.Decode(&data); err != nil {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}

-	for key, value := range data {
-		strVal, ok := value.(string)
-		if !ok {
-			continue
-		}
-
-		if match := reVar.FindStringSubmatch(strVal); len(match) > 0 {
-			strVal = os.Getenv(match[1])
-		}
-
-		data[key] = strVal
+	interpolated, err := im.interpolateRecursive(data)
+	if err != nil {
+		return errors.WithStack(err)
 	}

-	*im = data
+	im.Data = interpolated.(map[string]any)

 	return nil
 }

+func (im InterpolatedMap) interpolateRecursive(data any) (any, error) {
+	switch typ := data.(type) {
+	case map[string]any:
+		for key, value := range typ {
+			value, err := im.interpolateRecursive(value)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			typ[key] = value
+		}
+
+	case string:
+		value, err := envsubst.Eval(typ, getEnv)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		data = value
+
+	case []any:
+		for idx := range typ {
+			value, err := im.interpolateRecursive(typ[idx])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			typ[idx] = value
+		}
+	}
+
+	return data, nil
+}
+
 type InterpolatedStringSlice []string

 func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
 	var data []string
-	var evErr error

 	if err := value.Decode(&data); err != nil {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}

 	for index, value := range data {
-		//match := reVar.FindStringSubmatch(value)
-		re := regexp.MustCompile(`\${(.*?)}`)
-
-		res := re.FindAllStringSubmatch(value, 10)
-		if len(res) > 0 {
-			value, evErr = envsubst.EvalEnv(value)
-			if evErr != nil {
-				return evErr
-			}
+		value, err := envsubst.Eval(value, getEnv)
+		if err != nil {
+			return errors.WithStack(err)
 		}

 		data[index] = value
@ -167,13 +190,19 @@ func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
-		str = os.Getenv(match[1])
+	str, err := envsubst.Eval(str, getEnv)
+	if err != nil {
+		return errors.WithStack(err)
 	}

 	duration, err := time.ParseDuration(str)
 	if err != nil {
-		return errors.Wrapf(err, "could not parse duration '%v',  line '%d'", str, value.Line)
+		nanoseconds, err := strconv.ParseInt(str, 10, 64)
+		if err != nil {
+			return errors.Wrapf(err, "could not parse duration '%v',  line '%d'", str, value.Line)
+		}
+
+		duration = time.Duration(nanoseconds)
 	}

 	*id = InterpolatedDuration(duration)
--- a/internal/config/environment_test.go
+++ b/internal/config/environment_test.go
@ -0,0 +1,134 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v3"
+)
+
+func TestInterpolatedMap(t *testing.T) {
+	type testCase struct {
+		Path   string
+		Env    map[string]string
+		Assert func(t *testing.T, parsed InterpolatedMap)
+	}
+
+	testCases := []testCase{
+		{
+			Path: "testdata/environment/interpolated-map-1.yml",
+			Env: map[string]string{
+				"TEST_PROP1":      "foo",
+				"TEST_SUB_PROP1":  "bar",
+				"TEST_SUB2_PROP1": "baz",
+			},
+			Assert: func(t *testing.T, parsed InterpolatedMap) {
+				if e, g := "foo", parsed.Data["prop1"]; e != g {
+					t.Errorf("parsed.Data[\"prop1\"]: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := "bar", parsed.Data["sub"].(map[string]any)["subProp1"]; e != g {
+					t.Errorf("parsed.Data[\"sub\"][\"subProp1\"]: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := "baz", parsed.Data["sub2"].(map[string]any)["sub2Prop1"].([]any)[0]; e != g {
+					t.Errorf("parsed.Data[\"sub2\"][\"sub2Prop1\"][0]: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := "test", parsed.Data["sub2"].(map[string]any)["sub2Prop1"].([]any)[1]; e != g {
+					t.Errorf("parsed.Data[\"sub2\"][\"sub2Prop1\"][1]: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+		{
+			Path: "testdata/environment/interpolated-map-2.yml",
+			Env: map[string]string{
+				"BAR": "bar",
+			},
+			Assert: func(t *testing.T, parsed InterpolatedMap) {
+				if e, g := "http://bar", parsed.Data["foo"]; e != g {
+					t.Errorf("parsed.Data[\"foo\"]: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			data, err := os.ReadFile(tc.Path)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			var interpolatedMap InterpolatedMap
+
+			if tc.Env != nil {
+				getEnv = func(key string) string {
+					return tc.Env[key]
+				}
+			}
+
+			if err := yaml.Unmarshal(data, &interpolatedMap); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Assert != nil {
+				tc.Assert(t, interpolatedMap)
+			}
+		})
+	}
+}
+
+func TestInterpolatedDuration(t *testing.T) {
+	type testCase struct {
+		Path   string
+		Env    map[string]string
+		Assert func(t *testing.T, parsed *InterpolatedDuration)
+	}
+
+	testCases := []testCase{
+		{
+			Path: "testdata/environment/interpolated-duration.yml",
+			Env: map[string]string{
+				"MY_DURATION": "30s",
+			},
+			Assert: func(t *testing.T, parsed *InterpolatedDuration) {
+				if e, g := 30*time.Second, parsed; e != time.Duration(*g) {
+					t.Errorf("parsed: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			data, err := os.ReadFile(tc.Path)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Env != nil {
+				getEnv = func(key string) string {
+					return tc.Env[key]
+				}
+			}
+
+			config := struct {
+				Duration *InterpolatedDuration `yaml:"duration"`
+			}{
+				Duration: NewInterpolatedDuration(-1),
+			}
+
+			if err := yaml.Unmarshal(data, &config); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Assert != nil {
+				tc.Assert(t, config.Duration)
+			}
+		})
+	}
+}
--- a/internal/config/layers.go
+++ b/internal/config/layers.go
@ -15,6 +15,16 @@ func NewDefaultLayersConfig() LayersConfig {
 		},
 		Authn: AuthnLayerConfig{
 			TemplateDir: "./layers/authn/templates",
+			OIDC: AuthnOIDCLayerConfig{
+				HTTPClient: AuthnOIDCHTTPClientConfig{
+					TransportConfig: NewDefaultTransportConfig(),
+					Timeout:         NewInterpolatedDuration(10 * time.Second),
+				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
+			},
+			Sessions: AuthnLayerSessionConfig{
+				TTL: NewInterpolatedDuration(time.Hour),
+			},
 		},
 	}
 }
@ -25,5 +35,22 @@ type QueueLayerConfig struct {
 }

 type AuthnLayerConfig struct {
-	TemplateDir InterpolatedString `yaml:"templateDir"`
+	Debug       InterpolatedBool        `yaml:"debug"`
+	TemplateDir InterpolatedString      `yaml:"templateDir"`
+	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
+	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
+}
+
+type AuthnLayerSessionConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
+}
+
+type AuthnOIDCLayerConfig struct {
+	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
+}
+
+type AuthnOIDCHTTPClientConfig struct {
+	TransportConfig
+	Timeout *InterpolatedDuration `yaml:"timeout"`
 }
--- a/internal/config/metrics.go
+++ b/internal/config/metrics.go
@ -17,9 +17,9 @@ func (c *BasicAuthConfig) CredentialsMap() map[string]string {
 		return map[string]string{}
 	}

-	credentials := make(map[string]string, len(*c.Credentials))
+	credentials := make(map[string]string, len(c.Credentials.Data))

-	for k, v := range *c.Credentials {
+	for k, v := range c.Credentials.Data {
 		credentials[k] = fmt.Sprintf("%v", v)
 	}

--- a/internal/config/profiling.go
+++ b/internal/config/profiling.go
@ -0,0 +1,15 @@
+package config
+
+type ProfilingConfig struct {
+	Enabled   InterpolatedBool   `yaml:"enabled"`
+	Endpoint  InterpolatedString `yaml:"endpoint"`
+	BasicAuth *BasicAuthConfig   `yaml:"basicAuth"`
+}
+
+func NewDefaultProfilingConfig() ProfilingConfig {
+	return ProfilingConfig{
+		Enabled:   true,
+		Endpoint:  "/.bouncer/profiling",
+		BasicAuth: nil,
+	}
+}
--- a/internal/config/proxy_server.go
+++ b/internal/config/proxy_server.go
@ -1,13 +1,35 @@
 package config

-import "time"
+import (
+	"crypto/tls"
+	"net/http"
+	"time"
+)

 type ProxyServerConfig struct {
-	HTTP      HTTPConfig      `yaml:"http"`
-	Metrics   MetricsConfig   `yaml:"metrics"`
-	Transport TransportConfig `yaml:"transport"`
-	Dial      DialConfig      `yaml:"dial"`
-	Sentry    SentryConfig    `yaml:"sentry"`
+	Debug     InterpolatedBool `yaml:"debug"`
+	HTTP      HTTPConfig       `yaml:"http"`
+	Metrics   MetricsConfig    `yaml:"metrics"`
+	Profiling ProfilingConfig  `yaml:"profiling"`
+	Transport TransportConfig  `yaml:"transport"`
+	Dial      DialConfig       `yaml:"dial"`
+	Sentry    SentryConfig     `yaml:"sentry"`
+	Cache     CacheConfig      `yaml:"cache"`
+	Templates TemplatesConfig  `yaml:"templates"`
+}
+
+func NewDefaultProxyServerConfig() ProxyServerConfig {
+	return ProxyServerConfig{
+		Debug:     false,
+		HTTP:      NewHTTPConfig("0.0.0.0", 8080),
+		Metrics:   NewDefaultMetricsConfig(),
+		Transport: NewDefaultTransportConfig(),
+		Dial:      NewDefaultDialConfig(),
+		Sentry:    NewDefaultSentryConfig(),
+		Cache:     NewDefaultCacheConfig(),
+		Templates: NewDefaultTemplatesConfig(),
+		Profiling: NewDefaultProfilingConfig(),
+	}
 }

 // See https://pkg.go.dev/net/http#Transport
@ -25,15 +47,51 @@ type TransportConfig struct {
 	WriteBufferSize        InterpolatedInt       `yaml:"writeBufferSize"`
 	ReadBufferSize         InterpolatedInt       `yaml:"readBufferSize"`
 	MaxResponseHeaderBytes InterpolatedInt       `yaml:"maxResponseHeaderBytes"`
+	InsecureSkipVerify     InterpolatedBool      `yaml:"insecureSkipVerify"`
 }

-func NewDefaultProxyServerConfig() ProxyServerConfig {
-	return ProxyServerConfig{
-		HTTP:      NewHTTPConfig("0.0.0.0", 8080),
-		Metrics:   NewDefaultMetricsConfig(),
-		Transport: NewDefaultTransportConfig(),
-		Dial:      NewDefaultDialConfig(),
-		Sentry:    NewDefaultSentryConfig(),
+func (c TransportConfig) AsTransport() *http.Transport {
+	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
+
+	httpTransport.Proxy = http.ProxyFromEnvironment
+	httpTransport.ForceAttemptHTTP2 = bool(c.ForceAttemptHTTP2)
+	httpTransport.MaxIdleConns = int(c.MaxIdleConns)
+	httpTransport.MaxIdleConnsPerHost = int(c.MaxIdleConnsPerHost)
+	httpTransport.MaxConnsPerHost = int(c.MaxConnsPerHost)
+	httpTransport.IdleConnTimeout = time.Duration(*c.IdleConnTimeout)
+	httpTransport.TLSHandshakeTimeout = time.Duration(*c.TLSHandshakeTimeout)
+	httpTransport.ExpectContinueTimeout = time.Duration(*c.ExpectContinueTimeout)
+	httpTransport.DisableKeepAlives = bool(c.DisableKeepAlives)
+	httpTransport.DisableCompression = bool(c.DisableCompression)
+	httpTransport.ResponseHeaderTimeout = time.Duration(*c.ResponseHeaderTimeout)
+	httpTransport.WriteBufferSize = int(c.WriteBufferSize)
+	httpTransport.ReadBufferSize = int(c.ReadBufferSize)
+	httpTransport.MaxResponseHeaderBytes = int64(c.MaxResponseHeaderBytes)
+
+	if httpTransport.TLSClientConfig == nil {
+		httpTransport.TLSClientConfig = &tls.Config{}
+	}
+	httpTransport.TLSClientConfig.InsecureSkipVerify = bool(c.InsecureSkipVerify)
+
+	return httpTransport
+}
+
+func NewDefaultTransportConfig() TransportConfig {
+	return TransportConfig{
+		ForceAttemptHTTP2:      true,
+		MaxIdleConns:           100,
+		MaxIdleConnsPerHost:    100,
+		MaxConnsPerHost:        100,
+		IdleConnTimeout:        NewInterpolatedDuration(90 * time.Second),
+		TLSHandshakeTimeout:    NewInterpolatedDuration(10 * time.Second),
+		ExpectContinueTimeout:  NewInterpolatedDuration(1 * time.Second),
+		ResponseHeaderTimeout:  NewInterpolatedDuration(10 * time.Second),
+		DisableCompression:     false,
+		DisableKeepAlives:      false,
+		ReadBufferSize:         4096,
+		WriteBufferSize:        4096,
+		MaxResponseHeaderBytes: 0,
+		InsecureSkipVerify:     false,
 	}
 }

@ -54,20 +112,22 @@ func NewDefaultDialConfig() DialConfig {
 	}
 }

-func NewDefaultTransportConfig() TransportConfig {
-	return TransportConfig{
-		ForceAttemptHTTP2:      true,
-		MaxIdleConns:           100,
-		MaxIdleConnsPerHost:    100,
-		MaxConnsPerHost:        100,
-		IdleConnTimeout:        NewInterpolatedDuration(90 * time.Second),
-		TLSHandshakeTimeout:    NewInterpolatedDuration(10 * time.Second),
-		ExpectContinueTimeout:  NewInterpolatedDuration(1 * time.Second),
-		ResponseHeaderTimeout:  NewInterpolatedDuration(10 * time.Second),
-		DisableCompression:     false,
-		DisableKeepAlives:      false,
-		ReadBufferSize:         4096,
-		WriteBufferSize:        4096,
-		MaxResponseHeaderBytes: 0,
+type CacheConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
+}
+
+func NewDefaultCacheConfig() CacheConfig {
+	return CacheConfig{
+		TTL: NewInterpolatedDuration(time.Second * 30),
+	}
+}
+
+type TemplatesConfig struct {
+	Dir InterpolatedString `yaml:"dir"`
+}
+
+func NewDefaultTemplatesConfig() TemplatesConfig {
+	return TemplatesConfig{
+		Dir: "./templates",
 	}
 }
--- a/internal/config/redis.go
+++ b/internal/config/redis.go
@ -9,21 +9,35 @@ const (
 )

 type RedisConfig struct {
-	Adresses       InterpolatedStringSlice `yaml:"addresses"`
-	Master         InterpolatedString      `yaml:"master"`
-	ReadTimeout    InterpolatedDuration    `yaml:"readTimeout"`
-	WriteTimeout   InterpolatedDuration    `yaml:"writeTimeout"`
-	DialTimeout    InterpolatedDuration    `yaml:"dialTimeout"`
-	LockMaxRetries InterpolatedInt         `yaml:"lockMaxRetries"`
+	Adresses              InterpolatedStringSlice `yaml:"addresses"`
+	Master                InterpolatedString      `yaml:"master"`
+	ReadTimeout           InterpolatedDuration    `yaml:"readTimeout"`
+	WriteTimeout          InterpolatedDuration    `yaml:"writeTimeout"`
+	DialTimeout           InterpolatedDuration    `yaml:"dialTimeout"`
+	LockMaxRetries        InterpolatedInt         `yaml:"lockMaxRetries"`
+	RouteByLatency        InterpolatedBool        `yaml:"routeByLatency"`
+	ContextTimeoutEnabled InterpolatedBool        `yaml:"contextTimeoutEnabled"`
+	MaxRetries            InterpolatedInt         `yaml:"maxRetries"`
+	PingInterval          InterpolatedDuration    `yaml:"pingInterval"`
+	PoolSize              InterpolatedInt         `yaml:"poolSize"`
+	PoolTimeout           InterpolatedDuration    `yaml:"poolTimeout"`
+	MinIdleConns          InterpolatedInt         `yaml:"minIdleConns"`
+	MaxIdleConns          InterpolatedInt         `yaml:"maxIdleConns"`
+	ConnMaxIdleTime       InterpolatedDuration    `yaml:"connMaxIdleTime"`
+	ConnMaxLifetime       InterpolatedDuration    `yaml:"connMaxLifeTime"`
 }

 func NewDefaultRedisConfig() RedisConfig {
 	return RedisConfig{
-		Adresses:       InterpolatedStringSlice{"localhost:6379"},
-		Master:         "",
-		ReadTimeout:    InterpolatedDuration(30 * time.Second),
-		WriteTimeout:   InterpolatedDuration(30 * time.Second),
-		DialTimeout:    InterpolatedDuration(30 * time.Second),
-		LockMaxRetries: 10,
+		Adresses:              InterpolatedStringSlice{"localhost:6379"},
+		Master:                "",
+		ReadTimeout:           InterpolatedDuration(30 * time.Second),
+		WriteTimeout:          InterpolatedDuration(30 * time.Second),
+		DialTimeout:           InterpolatedDuration(30 * time.Second),
+		LockMaxRetries:        10,
+		MaxRetries:            3,
+		PingInterval:          InterpolatedDuration(30 * time.Second),
+		ContextTimeoutEnabled: true,
+		RouteByLatency:        true,
 	}
 }
--- a/internal/config/sentry.go
+++ b/internal/config/sentry.go
@ -29,10 +29,10 @@ func NewDefaultSentryConfig() SentryConfig {
 		FlushTimeout:       NewInterpolatedDuration(2 * time.Second),
 		AttachStacktrace:   true,
 		SampleRate:         1,
-		EnableTracing:      true,
-		TracesSampleRate:   0.2,
-		ProfilesSampleRate: 1,
-		IgnoreErrors:       []string{},
+		EnableTracing:      false,
+		TracesSampleRate:   0.1,
+		ProfilesSampleRate: 0.1,
+		IgnoreErrors:       []string{"context canceled", "net/http: abort"},
 		SendDefaultPII:     false,
 		ServerName:         "",
 		Environment:        "",
--- a/internal/config/testdata/environment/interpolated-duration.yml
+++ b/internal/config/testdata/environment/interpolated-duration.yml
@ -0,0 +1 @@
+duration: ${MY_DURATION}
--- a/internal/config/testdata/environment/interpolated-map-1.yml
+++ b/internal/config/testdata/environment/interpolated-map-1.yml
@ -0,0 +1,6 @@
+prop1: "${TEST_PROP1}"
+prop2: 1
+sub:
+  subProp1: "${TEST_SUB_PROP1}"
+sub2:
+  sub2Prop1: ["${TEST_SUB2_PROP1}", "test"]
--- a/internal/config/testdata/environment/interpolated-map-2.yml
+++ b/internal/config/testdata/environment/interpolated-map-2.yml
@ -0,0 +1 @@
+foo: http://${BAR}
--- a/internal/lock/redis/locker.go
+++ b/internal/lock/redis/locker.go
@ -38,7 +38,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration

 		defer func() {
 			if err := lock.Release(ctx); err != nil {
-				logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not release lock", logger.CapturedE(errors.WithStack(err)))
 			}

 			logger.Debug(ctx, "lock released")
--- a/internal/lock/redis/retry.go
+++ b/internal/lock/redis/retry.go
@ -30,7 +30,7 @@ func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Con
 			return errors.Wrapf(err, "execution failed after %d attempts", attempts)
 		}

-		logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
+		logger.Error(ctx, "error while executing func, retrying with backoff", logger.CapturedE(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))

 		time.Sleep(backoffDelay)

--- a/internal/proxy/director/context.go
+++ b/internal/proxy/director/context.go
@ -2,10 +2,13 @@ package director

 import (
 	"context"
+	"net/http"
 	"net/url"

 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )

 type contextKey string
@ -14,6 +17,8 @@ const (
 	contextKeyProxy       contextKey = "proxy"
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
+	contextKeyHandleError contextKey = "handleError"
+	contextKeySentryScope contextKey = "sentryScope"
 )

 var (
@ -34,19 +39,6 @@ func OriginalURL(ctx context.Context) (*url.URL, error) {
 	return url, nil
 }

-func withProxy(ctx context.Context, proxy *store.Proxy) context.Context {
-	return context.WithValue(ctx, contextKeyProxy, proxy)
-}
-
-func ctxProxy(ctx context.Context) (*store.Proxy, error) {
-	proxy, err := ctxValue[*store.Proxy](ctx, contextKeyProxy)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
-	return proxy, nil
-}
-
 func withLayers(ctx context.Context, layers []*store.Layer) context.Context {
 	return context.WithValue(ctx, contextKeyLayers, layers)
 }
@ -73,3 +65,35 @@ func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {

 	return value, nil
 }
+
+type HandleErrorFunc func(w http.ResponseWriter, r *http.Request, status int, err error)
+
+func withHandleError(ctx context.Context, fn HandleErrorFunc) context.Context {
+	return context.WithValue(ctx, contextKeyHandleError, fn)
+}
+
+func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, status int, err error) {
+	err = errors.WithStack(err)
+
+	fn, ok := ctx.Value(contextKeyHandleError).(HandleErrorFunc)
+	if !ok {
+		logger.Error(ctx, err.Error(), logger.CapturedE(err))
+		http.Error(w, http.StatusText(status), status)
+		return
+	}
+
+	fn(w, r, status, err)
+}
+
+func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
+	return context.WithValue(ctx, contextKeySentryScope, scope)
+}
+
+func SentryScope(ctx context.Context) (*sentry.Scope, error) {
+	scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return scope, nil
+}
--- a/internal/proxy/director/director.go
+++ b/internal/proxy/director/director.go
@ -8,6 +8,8 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"gitlab.com/wpetit/goweb/logger"
@ -17,78 +19,87 @@ type Director struct {
 	proxyRepository store.ProxyRepository
 	layerRepository store.LayerRepository
 	layerRegistry   *LayerRegistry
+
+	cachedProxies *syncx.CachedResource[string, []*store.Proxy]
+	cachedLayers  *syncx.CachedResource[string, []*store.Layer]
+
+	handleError HandleErrorFunc
 }

+const proxiesCacheKey = "proxies"
+
 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	ctx := r.Context()

-	proxies, err := d.getProxies(ctx)
+	proxies, _, err := d.cachedProxies.Get(ctx, proxiesCacheKey)
 	if err != nil {
 		return r, errors.WithStack(err)
 	}

 	url := getRequestURL(r)
-
 	ctx = withOriginalURL(ctx, url)
 	ctx = logger.With(ctx, logger.F("url", url.String()))

-	var match *store.Proxy
+	layers := make([]*store.Layer, 0)

-MAIN:
 	for _, p := range proxies {
 		for _, from := range p.From {
-			logger.Debug(
-				ctx, "matching request with proxy's from",
-				logger.F("from", from),
-			)
 			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}

-			logger.Debug(
-				ctx, "proxy's from matched",
-				logger.F("from", from),
+			proxyCtx := logger.With(ctx,
+				logger.F("proxy", p.Name),
+				logger.F("host", r.Host),
+				logger.F("remoteAddr", r.RemoteAddr),
 			)

-			match = p
-			break MAIN
+			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
+
+			proxyLayers, _, err := d.cachedLayers.Get(proxyCtx, string(p.Name))
+			if err != nil {
+				return r, errors.WithStack(err)
+			}
+
+			layers = append(layers, proxyLayers...)
+
+			if p.To == "" {
+				continue
+			}
+
+			toURL, err := url.Parse(p.To)
+			if err != nil {
+				return r, errors.WithStack(err)
+			}
+
+			r.URL.Host = toURL.Host
+			r.URL.Scheme = toURL.Scheme
+			r.URL.Path = toURL.JoinPath(r.URL.Path).Path
+
+			proxyCtx = withLayers(proxyCtx, layers)
+			r = r.WithContext(proxyCtx)
+
+			if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
+				sentryScope.SetTags(map[string]string{
+					"bouncer.proxy.name":        string(p.Name),
+					"bouncer.proxy.target.url":  r.URL.String(),
+					"bouncer.proxy.target.host": r.URL.Host,
+				})
+			}
+
+			return r, nil
 		}
 	}

-	if match == nil {
-		return r, nil
-	}
-
-	toURL, err := url.Parse(match.To)
-	if err != nil {
-		return r, errors.WithStack(err)
-	}
-
-	r.URL.Host = toURL.Host
-	r.URL.Scheme = toURL.Scheme
-
-	ctx = logger.With(ctx,
-		logger.F("proxy", match.Name),
-		logger.F("host", r.Host),
-		logger.F("remoteAddr", r.RemoteAddr),
-	)
-
-	metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(match.Name)}).Add(1)
-
-	ctx = withProxy(ctx, match)
-
-	layers, err := d.getLayers(ctx, match.Name)
-	if err != nil {
-		return r, errors.WithStack(err)
-	}
-
 	ctx = withLayers(ctx, layers)
 	r = r.WithContext(ctx)

 	return r, nil
 }

-func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
+func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy, error) {
+	logger.Debug(ctx, "querying fresh proxies")
+
 	headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -114,7 +125,11 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 	return proxies, nil
 }

-func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]*store.Layer, error) {
+func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store.Layer, error) {
+	proxyName := store.ProxyName(rawProxyName)
+
+	logger.Debug(ctx, "querying fresh layers")
+
 	headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -143,13 +158,14 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 func (d *Director) RequestTransformer() proxy.RequestTransformer {
 	return func(r *http.Request) {
 		ctx := r.Context()
+
 		layers, err := ctxLayers(ctx)
 		if err != nil {
 			if errors.Is(err, errContextKeyNotFound) {
 				return
 			}

-			logger.Error(ctx, "could not retrieve layers from context", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not retrieve layers from context", logger.CapturedE(errors.WithStack(err)))

 			return
 		}
@ -199,49 +215,63 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			r, err := d.rewriteRequest(r)
-			if err != nil {
-				logger.Error(r.Context(), "could not rewrite request", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			sentry.ConfigureScope(func(scope *sentry.Scope) {
+				ctx := withHandleError(r.Context(), d.handleError)
+				ctx = withSentryScope(ctx, scope)
+				r = r.WithContext(ctx)

-				return
-			}
-
-			ctx := r.Context()
-
-			layers, err := ctxLayers(ctx)
-			if err != nil {
-				if errors.Is(err, errContextKeyNotFound) {
+				r, err := d.rewriteRequest(r)
+				if err != nil {
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
 					return
 				}

-				logger.Error(ctx, "could not retrieve proxy and layers from context", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				ctx = r.Context()

-				return
-			}
+				layers, err := ctxLayers(ctx)
+				if err != nil {
+					if errors.Is(err, errContextKeyNotFound) {
+						return
+					}

-			httpMiddlewares := make([]proxy.Middleware, 0)
-			for _, layer := range layers {
-				middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
-				if !ok {
-					continue
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+					return
 				}

-				httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
-			}
+				httpMiddlewares := make([]proxy.Middleware, 0)
+				for _, layer := range layers {
+					middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if !ok {
+						continue
+					}

-			handler := createMiddlewareChain(next, httpMiddlewares)
+					httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				}

-			handler.ServeHTTP(w, r)
+				handler := createMiddlewareChain(next, httpMiddlewares)
+
+				handler.ServeHTTP(w, r)
+			})
 		}

 		return http.HandlerFunc(fn)
 	}
 }

-func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepository, layers ...Layer) *Director {
-	registry := NewLayerRegistry(layers...)
+func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepository, funcs ...OptionFunc) *Director {
+	opts := NewOptions(funcs...)

-	return &Director{proxyRepository, layerRepository, registry}
+	registry := NewLayerRegistry(opts.Layers...)
+
+	director := &Director{
+		proxyRepository: proxyRepository,
+		layerRepository: layerRepository,
+		layerRegistry:   registry,
+		handleError:     opts.HandleError,
+	}
+
+	director.cachedProxies = syncx.NewCachedResource(opts.ProxyCache, director.getProxies)
+	director.cachedLayers = syncx.NewCachedResource(opts.LayerCache, director.getLayers)
+
+	return director
 }
--- a/internal/proxy/director/layer/authn/layer-options.json
+++ b/internal/proxy/director/layer/authn/layer-options.json
@ -43,5 +43,6 @@
                }
            }
        }
-    }
+    },
+    "additionalProperties": false
 }
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -1,13 +1,18 @@
 package authn

 import (
+	"bytes"
 	"html/template"
+	"io"
 	"net/http"
 	"path/filepath"

 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/Masterminds/sprig/v3"
 	"github.com/pkg/errors"
@ -17,6 +22,9 @@ import (
 type Layer struct {
 	layerType store.LayerType
 	auth      Authenticator
+	debug     bool
+
+	ruleEngineCache *util.RuleEngineCache[*Vars, *LayerOptions]

 	templateDir string
 }
@ -28,9 +36,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}

@ -40,8 +46,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 						return
 					}

-					logger.Error(ctx, "could not execute pre-auth hook", logger.E(errors.WithStack(err)))
-					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+					err = errors.WithStack(err)
+					logger.Error(ctx, "could not execute pre-auth hook", logger.CapturedE(err))
+					l.renderErrorPage(w, r, layer, options, err)

 					return
 				}
@ -65,20 +72,22 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					return
 				}

-				logger.Error(ctx, "could not authenticate user", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				err = errors.WithStack(err)
+				logger.Error(ctx, "could not authenticate user", logger.CapturedE(err))
+				l.renderErrorPage(w, r, layer, options, err)

 				return
 			}

-			if err := l.applyRules(r, options, user); err != nil {
+			if err := l.applyRules(ctx, r, layer, options, user); err != nil {
 				if errors.Is(err, ErrForbidden) {
 					l.renderForbiddenPage(w, r, layer, options, user)
 					return
 				}

-				logger.Error(ctx, "could not apply rules", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				err = errors.WithStack(err)
+				logger.Error(ctx, "could not apply rules", logger.CapturedE(err))
+				l.renderErrorPage(w, r, layer, options, err)

 				return
 			}
@ -94,8 +103,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 						return
 					}

-					logger.Error(ctx, "could not execute post-auth hook", logger.E(errors.WithStack(err)))
-					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+					err = errors.WithStack(err)
+					logger.Error(ctx, "could not execute post-auth hook", logger.CapturedE(err))
+					l.renderErrorPage(w, r, layer, options, err)

 					return
 				}
@ -108,12 +118,47 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 	}
 }

-func (l *Layer) renderForbiddenPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) {
-	w.WriteHeader(http.StatusForbidden)
-	l.renderPage(w, r, layer, "forbidden", options.Templates.Forbidden.Block, user)
+type baseTemplateData struct {
+	Layer   *store.Layer
+	Debug   bool
+	Request *http.Request
 }

-func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, page string, block string, user *User) {
+func (l *Layer) renderForbiddenPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) {
+	templateData := struct {
+		baseTemplateData
+		User *User
+	}{
+		baseTemplateData: baseTemplateData{
+			Layer:   layer,
+			Debug:   l.debug,
+			Request: r,
+		},
+		User: user,
+	}
+
+	w.WriteHeader(http.StatusForbidden)
+	l.renderPage(w, r, "forbidden", options.Templates.Forbidden.Block, templateData)
+}
+
+func (l *Layer) renderErrorPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, err error) {
+	templateData := struct {
+		baseTemplateData
+		Err error
+	}{
+		baseTemplateData: baseTemplateData{
+			Layer:   layer,
+			Debug:   l.debug,
+			Request: r,
+		},
+		Err: err,
+	}
+
+	w.WriteHeader(http.StatusInternalServerError)
+	l.renderPage(w, r, "error", options.Templates.Error.Block, templateData)
+}
+
+func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string, block string, templateData any) {
 	ctx := r.Context()

 	pattern := filepath.Join(l.templateDir, page+".gohtml")
@ -122,30 +167,22 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, layer *store.

 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not load authn templates"))
 		return
 	}

-	templateData := struct {
-		Layer *store.Layer
-		User  *User
-	}{
-		Layer: layer,
-		User:  user,
-	}
-
 	w.Header().Add("Cache-Control", "no-cache")

-	w.WriteHeader(http.StatusOK)
+	var buf bytes.Buffer

 	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
-		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render authn page"))
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write authn page", logger.CapturedE(errors.WithStack(err)))
+	}
 }

 // LayerType implements director.MiddlewareLayer
@ -157,9 +194,22 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
 	opts := NewOptions(funcs...)

 	return &Layer{
+		ruleEngineCache: util.NewInMemoryRuleEngineCache[*Vars, *LayerOptions](func(options *LayerOptions) (*rule.Engine[*Vars], error) {
+			engine, err := rule.NewEngine[*Vars](
+				rule.WithRules(options.Rules...),
+				rule.WithExpr(getAuthnAPI()...),
+				ruleHTTP.WithRequestFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
 		layerType:   layerType,
 		auth:        auth,
 		templateDir: opts.TemplateDir,
+		debug:       opts.Debug,
 	}
 }

--- a/internal/proxy/director/layer/authn/layer_options.go
+++ b/internal/proxy/director/layer/authn/layer_options.go
@ -17,6 +17,7 @@ type LayerOptions struct {

 type TemplatesOptions struct {
 	Forbidden TemplateOptions `mapstructure:"forbidden"`
+	Error     TemplateOptions `mapstructure:"error"`
 }

 type TemplateOptions struct {
@ -27,12 +28,13 @@ func DefaultLayerOptions() LayerOptions {
 	return LayerOptions{
 		MatchURLs: []string{"*"},
 		Rules: []string{
-			"del_headers('Remote-*')",
-			"set_header('Remote-User', user.subject)",
+			"del_headers(ctx, 'Remote-*')",
+			"set_header(ctx,'Remote-User', vars.user.subject)",
 			`map(
-				toPairs(user.attrs), {
+				toPairs(vars.user.attrs), {
 					let name = replace(lower(string(get(#, 0))), '_', '-');
 					set_header(
+						ctx,
 						'Remote-User-Attr-' + name, 
 						get(#, 1)
 					) 
@ -43,6 +45,9 @@ func DefaultLayerOptions() LayerOptions {
 			Forbidden: TemplateOptions{
 				Block: "default",
 			},
+			Error: TemplateOptions{
+				Block: "default",
+			},
 		},
 	}

--- a/internal/proxy/director/layer/authn/network/authenticator.go
+++ b/internal/proxy/director/layer/authn/network/authenticator.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/http"
+	"strings"

 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -49,9 +50,15 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 }

 func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) {
-	remoteHost, _, err := net.SplitHostPort(remoteHostPort)
-	if err != nil {
-		return false, errors.WithStack(err)
+	var remoteHost string
+	if strings.Contains(remoteHostPort, ":") {
+		var err error
+		remoteHost, _, err = net.SplitHostPort(remoteHostPort)
+		if err != nil {
+			return false, errors.WithStack(err)
+		}
+	} else {
+		remoteHost = remoteHostPort
 	}

 	remoteAddr := net.ParseIP(remoteHost)
--- a/internal/proxy/director/layer/authn/network/authenticator_test.go
+++ b/internal/proxy/director/layer/authn/network/authenticator_test.go
@ -0,0 +1,77 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/pkg/errors"
+)
+
+func TestMatchAuthorizedCIDRs(t *testing.T) {
+
+	type testCase struct {
+		RemoteHostPort  string
+		AuthorizedCIDRs []string
+		ExpectedResult  bool
+		ExpectedError   error
+	}
+
+	testCases := []testCase{
+		{
+			RemoteHostPort: "192.168.1.15",
+			AuthorizedCIDRs: []string{
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+			},
+			ExpectedResult: false,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.6/32",
+				"192.168.1.7/32",
+			},
+			ExpectedResult: false,
+		},
+	}
+
+	auth := Authenticator{}
+	ctx := context.Background()
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			result, err := auth.matchAnyAuthorizedCIDRs(ctx, tc.RemoteHostPort, tc.AuthorizedCIDRs)
+
+			if g, e := result, tc.ExpectedResult; e != g {
+				t.Errorf("result: expected '%v', got '%v'", e, g)
+			}
+
+			if e, g := tc.ExpectedError, err; !errors.Is(err, tc.ExpectedError) {
+				t.Errorf("err: expected '%v', got '%v'", e, g)
+			}
+		})
+	}
+}
--- a/internal/proxy/director/layer/authn/oidc/authenticator.go
+++ b/internal/proxy/director/layer/authn/oidc/authenticator.go
@ -1,14 +1,24 @@
 package oidc

 import (
+	"bytes"
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
+	"strings"
+	"text/template"
+	"time"

+	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 	"github.com/pkg/errors"
@ -17,7 +27,10 @@ import (
 )

 type Authenticator struct {
-	store sessions.Store
+	store              sessions.Store
+	httpTransport      *http.Transport
+	httpClientTimeout  time.Duration
+	cachedOIDCProvider *syncx.CachedResource[string, *oidc.Provider]
 }

 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -33,21 +46,35 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		return errors.WithStack(err)
 	}

-	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Name))
+	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
-		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve session", logger.CapturedE(errors.WithStack(err)))
 	}

-	redirectURL := a.getRedirectURL(layer.Proxy, layer.Name, originalURL, options)
-	logoutURL := a.getLogoutURL(layer.Proxy, layer.Name, originalURL, options)
-
-	client, err := a.getClient(options, redirectURL.String())
+	loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}

-	switch r.URL.Path {
-	case redirectURL.Path:
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	loginCallbackPathPattern, err := a.templatize(options.OIDC.MatchLoginCallbackPath, layer.Proxy, layer.Name)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	logoutPathPattern, err := a.templatize(options.OIDC.MatchLogoutPath, layer.Proxy, layer.Name)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	logger.Debug(ctx, "checking url", logger.F("loginCallbackPathPattern", loginCallbackPathPattern), logger.F("logoutPathPattern", logoutPathPattern))
+
+	switch {
+	case wildcard.Match(originalURL.Path, loginCallbackPathPattern):
 		if err := client.HandleCallback(w, r, sess); err != nil {
 			return errors.WithStack(err)
 		}
@ -57,10 +84,23 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 			metricLabelProxy: string(layer.Proxy),
 		}).Add(1)

-	case logoutURL.Path:
-		postLogoutRedirectURL := options.OIDC.PostLogoutRedirectURL
-		if options.OIDC.PostLogoutRedirectURL == "" {
-			postLogoutRedirectURL = originalURL.Scheme + "://" + originalURL.Host
+	case wildcard.Match(originalURL.Path, logoutPathPattern):
+		postLogoutRedirectURL := r.URL.Query().Get("redirect")
+
+		if postLogoutRedirectURL != "" {
+			isAuthorized := slices.Contains(options.OIDC.PostLogoutRedirectURLs, postLogoutRedirectURL)
+			if !isAuthorized {
+				director.HandleError(ctx, w, r, http.StatusBadRequest, errors.New("unauthorized post-logout redirect"))
+				return errors.WithStack(authn.ErrSkipRequest)
+			}
+		}
+
+		if postLogoutRedirectURL == "" {
+			if options.OIDC.PublicBaseURL != "" {
+				postLogoutRedirectURL = options.OIDC.PublicBaseURL
+			} else {
+				postLogoutRedirectURL = originalURL.Scheme + "://" + originalURL.Host
+			}
 		}

 		if err := client.HandleLogout(w, r, sess, postLogoutRedirectURL); err != nil {
@ -80,24 +120,19 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, layer *store.Layer) (*authn.User, error) {
 	ctx := r.Context()

-	originalURL, err := director.OriginalURL(ctx)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
 	options, err := fromStoreOptions(layer.Options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}

-	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Name))
+	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}

 	defer func() {
 		if err := sess.Save(r, w); err != nil {
-			logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
 		}
 	}()

@ -117,14 +152,27 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		sess.Options.SameSite = http.SameSiteDefaultMode
 	}

-	redirectURL := a.getRedirectURL(layer.Proxy, layer.Name, originalURL, options)
-
-	client, err := a.getClient(options, redirectURL.String())
+	originalURL, err := director.OriginalURL(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}

-	idToken, err := client.Authenticate(w, r, sess)
+	loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	postLoginRedirectURL, err := a.mergeURL(originalURL, originalURL.Path, options.OIDC.PublicBaseURL, true)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	idToken, err := client.Authenticate(w, r, sess, postLoginRedirectURL.String())
 	if err != nil {
 		if errors.Is(err, ErrLoginRequired) {
 			metricLoginRequestsTotal.With(prometheus.Labels{
@ -138,7 +186,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		return nil, errors.WithStack(err)
 	}

-	user, err := a.toUser(idToken, layer.Proxy, layer.Name, originalURL, options, sess)
+	user, err := a.toUser(originalURL, idToken, layer.Proxy, layer.Name, options, sess)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -196,7 +244,7 @@ func (c claims) AsAttrs() map[string]any {
 	return attrs
 }

-func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName, layerName store.LayerName, originalURL *url.URL, options *LayerOptions, sess *sessions.Session) (*authn.User, error) {
+func (a *Authenticator) toUser(originalURL *url.URL, idToken *oidc.IDToken, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions, sess *sessions.Session) (*authn.User, error) {
 	var claims claims

 	if err := idToken.Claims(&claims); err != nil {
@ -209,7 +257,11 @@ func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName,

 	attrs := claims.AsAttrs()

-	logoutURL := a.getLogoutURL(proxyName, layerName, originalURL, options)
+	logoutURL, err := a.getLogoutURL(originalURL, proxyName, layerName, options)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
 	attrs["logout_url"] = logoutURL.String()

 	if accessToken, exists := sess.Values[sessionKeyAccessToken]; exists && accessToken != nil {
@ -229,32 +281,118 @@ func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName,
 	return user, nil
 }

-func (a *Authenticator) getRedirectURL(proxyName store.ProxyName, layerName store.LayerName, u *url.URL, options *LayerOptions) *url.URL {
-	return &url.URL{
-		Scheme: u.Scheme,
-		Host:   u.Host,
-		Path:   fmt.Sprintf(options.OIDC.LoginCallbackPath, fmt.Sprintf("%s/%s", proxyName, layerName)),
+func (a *Authenticator) getLoginCallbackURL(originalURL *url.URL, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
+	path, err := a.templatize(options.OIDC.LoginCallbackPath, proxyName, layerName)
+	if err != nil {
+		return nil, errors.WithStack(err)
 	}
+
+	merged, err := a.mergeURL(originalURL, path, options.OIDC.PublicBaseURL, false)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return merged, nil
 }

-func (a *Authenticator) getLogoutURL(proxyName store.ProxyName, layerName store.LayerName, u *url.URL, options *LayerOptions) *url.URL {
-	return &url.URL{
-		Scheme: u.Scheme,
-		Host:   u.Host,
-		Path:   fmt.Sprintf(options.OIDC.LogoutPath, fmt.Sprintf("%s/%s", proxyName, layerName)),
+func (a *Authenticator) getLogoutURL(originalURL *url.URL, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
+	path, err := a.templatize(options.OIDC.LogoutPath, proxyName, layerName)
+	if err != nil {
+		return nil, errors.WithStack(err)
 	}
+
+	merged, err := a.mergeURL(originalURL, path, options.OIDC.PublicBaseURL, true)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return merged, nil
 }

-func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) {
-	ctx := context.Background()
+func (a *Authenticator) mergeURL(base *url.URL, path string, overlay string, withQuery bool) (*url.URL, error) {
+	merged := &url.URL{
+		Scheme: base.Scheme,
+		Host:   base.Host,
+		Path:   path,
+	}
+
+	if withQuery {
+		merged.RawQuery = base.RawQuery
+	}
+
+	if overlay != "" {
+		overlayURL, err := url.Parse(overlay)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		merged.Scheme = overlayURL.Scheme
+		merged.Host = overlayURL.Host
+		merged.Path = overlayURL.Path + strings.TrimPrefix(path, "/")
+
+		for key, values := range overlayURL.Query() {
+			query := merged.Query()
+			for _, v := range values {
+				query.Add(key, v)
+			}
+			merged.RawQuery = query.Encode()
+		}
+	}
+
+	return merged, nil
+}
+
+func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName, layerName store.LayerName) (string, error) {
+	tmpl, err := template.New("").Parse(rawTemplate)
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	var raw bytes.Buffer
+
+	err = tmpl.Execute(&raw, struct {
+		ProxyName store.ProxyName
+		LayerName store.LayerName
+	}{
+		ProxyName: proxyName,
+		LayerName: layerName,
+	})
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	return raw.String(), nil
+}
+
+func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, redirectURL string) (*Client, error) {
+	transport := a.httpTransport.Clone()
+
+	if options.OIDC.TLSInsecureSkipVerify {
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
+		}
+
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	}

 	if options.OIDC.SkipIssuerVerification {
 		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
 	}

-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+	httpClient := &http.Client{
+		Timeout:   a.httpClientTimeout,
+		Transport: transport,
+	}
+
+	ctx = oidc.ClientContext(ctx, httpClient)
+
+	if options.OIDC.SkipIssuerVerification {
+		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
+	}
+
+	provider, _, err := a.cachedOIDCProvider.Get(ctx, options.OIDC.IssuerURL)
 	if err != nil {
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		return nil, errors.Wrap(err, "could not retrieve oidc provider")
 	}

 	client := NewClient(
@ -263,13 +401,50 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		WithRedirectURL(redirectURL),
 		WithScopes(options.OIDC.Scopes...),
 		WithAuthParams(options.OIDC.AuthParams),
+		WithHTTPClient(httpClient),
 	)

 	return client, nil
 }

-func (a *Authenticator) getCookieName(cookieName string, layerName store.LayerName) string {
-	return fmt.Sprintf("%s_%s", cookieName, layerName)
+func (a *Authenticator) getOIDCProvider(ctx context.Context, issuerURL string) (*oidc.Provider, error) {
+	logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", issuerURL))
+
+	provider, err := oidc.NewProvider(ctx, issuerURL)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not create oidc provider")
+	}
+
+	return provider, nil
+}
+
+const defaultCookieNamePrefix = "_bouncer_authn_oidc"
+
+func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyName, layerName store.LayerName) string {
+	if cookieName != "" {
+		return cookieName
+	}
+
+	return strings.ToLower(fmt.Sprintf("%s_%s_%s", defaultCookieNamePrefix, proxyName, layerName))
+}
+
+func NewAuthenticator(httpTransport *http.Transport, clientTimeout time.Duration, store sessions.Store, oidcProviderCacheTimeout time.Duration) *Authenticator {
+	authenticator := &Authenticator{
+		httpTransport:     httpTransport,
+		httpClientTimeout: clientTimeout,
+		store:             store,
+	}
+
+	authenticator.cachedOIDCProvider = syncx.NewCachedResource(
+		ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			oidcProviderCacheTimeout,
+		),
+		authenticator.getOIDCProvider,
+	)
+
+	return authenticator
 }

 var (
--- a/internal/proxy/director/layer/authn/oidc/client.go
+++ b/internal/proxy/director/layer/authn/oidc/client.go
@ -30,6 +30,7 @@ var (
 )

 type Client struct {
+	httpClient *http.Client
 	oauth2     *oauth2.Config
 	provider   *oidc.Provider
 	verifier   *oidc.IDTokenVerifier
@ -44,12 +45,12 @@ func (c *Client) Provider() *oidc.Provider {
 	return c.provider
 }

-func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sessions.Session) (*oidc.IDToken, error) {
+func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sessions.Session, postLoginRedirectURL string) (*oidc.IDToken, error) {
 	idToken, err := c.getIDToken(r, sess)
 	if err != nil {
-		logger.Error(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))
+		logger.Warn(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))

-		c.login(w, r, sess)
+		c.login(w, r, sess, postLoginRedirectURL)

 		return nil, errors.WithStack(ErrLoginRequired)
 	}
@ -57,27 +58,18 @@ func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sess
 	return idToken, nil
 }

-func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Session) {
+func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Session, postLoginRedirectURL string) {
 	ctx := r.Context()

 	state := uniuri.New()
 	nonce := uniuri.New()

-	originalURL, err := director.OriginalURL(ctx)
-	if err != nil {
-		logger.Error(ctx, "could not retrieve original url", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
-		return
-	}
-
 	sess.Values[sessionKeyLoginState] = state
 	sess.Values[sessionKeyLoginNonce] = nonce
-	sess.Values[sessionKeyPostLoginRedirectURL] = originalURL.String()
+	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL

 	if err := sess.Save(r, w); err != nil {
-		logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))

 		return
 	}
@ -135,7 +127,7 @@ func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sess

 	rawIDToken, err := c.getRawIDToken(sess)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve raw id token", logger.CapturedE(errors.WithStack(err)))
 	}

 	sess.Values[sessionKeyIDToken] = nil
@ -210,6 +202,7 @@ func (c *Client) sessionEndURL(idTokenHint, state, postLogoutRedirectURL string)

 func (c *Client) validate(r *http.Request, sess *sessions.Session) (*oauth2.Token, *oidc.IDToken, string, error) {
 	ctx := r.Context()
+	ctx = oidc.ClientContext(ctx, c.httpClient)

 	rawStoredState := sess.Values[sessionKeyLoginState]
 	receivedState := r.URL.Query().Get("state")
@ -246,7 +239,7 @@ func (c *Client) validate(r *http.Request, sess *sessions.Session) (*oauth2.Toke
 func (c *Client) getRawIDToken(sess *sessions.Session) (string, error) {
 	rawIDToken, ok := sess.Values[sessionKeyIDToken].(string)
 	if !ok || rawIDToken == "" {
-		return "", errors.New("invalid id token")
+		return "", errors.New("id token not found")
 	}

 	return rawIDToken, nil
@ -287,5 +280,6 @@ func NewClient(funcs ...ClientOptionFunc) *Client {
 		provider:   opts.Provider,
 		verifier:   verifier,
 		authParams: opts.AuthParams,
+		httpClient: opts.HTTPClient,
 	}
 }
--- a/internal/proxy/director/layer/authn/oidc/client_options.go
+++ b/internal/proxy/director/layer/authn/oidc/client_options.go
@ -2,6 +2,7 @@ package oidc

 import (
 	"context"
+	"net/http"

 	"github.com/coreos/go-oidc/v3/oidc"
 )
@ -14,6 +15,7 @@ type ClientOptions struct {
 	Scopes          []string
 	AuthParams      map[string]string
 	SkipIssuerCheck bool
+	HTTPClient      *http.Client
 }

 type ClientOptionFunc func(*ClientOptions)
@ -63,9 +65,16 @@ func WithProvider(provider *oidc.Provider) ClientOptionFunc {
 	}
 }

+func WithHTTPClient(client *http.Client) ClientOptionFunc {
+	return func(opt *ClientOptions) {
+		opt.HTTPClient = client
+	}
+}
+
 func NewClientOptions(funcs ...ClientOptionFunc) *ClientOptions {
 	opt := &ClientOptions{
-		Scopes: []string{oidc.ScopeOpenID, "profile"},
+		Scopes:     []string{oidc.ScopeOpenID, "profile"},
+		HTTPClient: http.DefaultClient,
 	}

 	for _, f := range funcs {
--- a/internal/proxy/director/layer/authn/oidc/layer-options.json
+++ b/internal/proxy/director/layer/authn/oidc/layer-options.json
@ -17,9 +17,13 @@
                    "title": "URL de base du fournisseur OpenID Connect (racine du .well-known/openid-configuration)",
                    "type": "string"
                },
-                "postLogoutRedirectURL": {
-                    "title": "URL de redirection après déconnexion",
-                    "type": "string"
+                "postLogoutRedirectURLs": {
+                    "title": "URLs de redirection après déconnexion autorisées",
+                    "description": "La variable d'URL 'redirect=<url>' peut être utilisée pour spécifier une redirection après déconnexion.",
+                    "type": "array",
+                    "item": {
+                        "type": "string"
+                    }
                },
                "scopes": {
                    "title": "Scopes associés au client OpenID Connect",
@ -44,20 +48,43 @@
                },
                "loginCallbackPath": {
                    "title": "Chemin associé à l'URL de callback OpenID Connect",
-                    "default": "/.bouncer/authn/oidc/%s/callback",
-                    "description": "Le marqueur '%s' peut être utilisé pour injecter l'espace de nom '<proxy>/<layer>'.",
+                    "default": "/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback",
+                    "description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}'  peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.",
+                    "type": "string"
+                },
+                "matchLoginCallbackPath": {
+                    "title": "Patron de correspondance du chemin interne de callback OpenID Connect",
+                    "default": "*.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback",
+                    "description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}'  peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.",
                    "type": "string"
                },
                "logoutPath": {
                    "title": "Chemin associé à l'URL de déconnexion",
-                    "default": "/.bouncer/authn/oidc/%s/logout",
-                    "description": "Le marqueur '%s' peut être utilisé pour injecter l'espace de nom '<proxy>/<layer>'.",
+                    "default": "/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout",
+                    "description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}'  peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.",
+                    "type": "string"
+                },
+                "publicBaseURL": {
+                    "title": "URL publique de base associée au service distant",
+                    "default": "",
+                    "description": "Peut être utilisé par exemple si il y a discordance de nom d'hôte ou de chemin sur les URLs publiques/internes.",
+                    "type": "string"
+                },
+                "matchLogoutPath": {
+                    "title": "Patron de correspondance du chemin interne de déconnexion",
+                    "default": "*.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout",
+                    "description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}'  peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.",
                    "type": "string"
                },
                "skipIssuerVerification": {
                    "title": "Activer/désactiver la vérification de concordance de l'identifiant du fournisseur d'identité",
                    "default": false,
                    "type": "boolean"
+                },
+                "tlsInsecureSkipVerify": {
+                    "title": "Activer/désactiver la vérification du certificat TLS distant",
+                    "default": false,
+                    "type": "boolean"
                }
            },
            "additionalProperties": false,
--- a/internal/proxy/director/layer/authn/oidc/layer.go
+++ b/internal/proxy/director/layer/authn/oidc/layer.go
@ -8,6 +8,13 @@ import (

 const LayerType store.LayerType = "authn-oidc"

-func NewLayer(store sessions.Store) *authn.Layer {
-	return authn.NewLayer(LayerType, &Authenticator{store: store})
+func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
+	opts := NewOptions(funcs...)
+	authenticator := NewAuthenticator(
+		opts.HTTPTransport,
+		opts.HTTPClientTimeout,
+		store,
+		opts.OIDCProviderCacheTimeout,
+	)
+	return authn.NewLayer(LayerType, authenticator, opts.AuthnOptions...)
 }
--- a/internal/proxy/director/layer/authn/oidc/layer_options.go
+++ b/internal/proxy/director/layer/authn/oidc/layer_options.go
@ -8,8 +8,6 @@ import (
 	"github.com/pkg/errors"
 )

-const defaultCookieName = "_bouncer_authn_oidc"
-
 type LayerOptions struct {
 	authn.LayerOptions
 	OIDC   OIDCOptions   `mapstructure:"oidc"`
@ -19,11 +17,15 @@ type LayerOptions struct {
 type OIDCOptions struct {
 	ClientID               string            `mapstructure:"clientId"`
 	ClientSecret           string            `mapstructure:"clientSecret"`
+	PublicBaseURL          string            `mapstructure:"publicBaseURL"`
 	LoginCallbackPath      string            `mapstructure:"loginCallbackPath"`
+	MatchLoginCallbackPath string            `mapstructure:"matchLoginCallbackPath"`
 	LogoutPath             string            `mapstructure:"logoutPath"`
+	MatchLogoutPath        string            `mapstructure:"matchLogoutPath"`
 	IssuerURL              string            `mapstructure:"issuerURL"`
 	SkipIssuerVerification bool              `mapstructure:"skipIssuerVerification"`
-	PostLogoutRedirectURL  string            `mapstructure:"postLogoutRedirectURL"`
+	PostLogoutRedirectURLs []string          `mapstructure:"postLogoutRedirectURLs"`
+	TLSInsecureSkipVerify  bool              `mapstructure:"tlsInsecureSkipVerify"`
 	Scopes                 []string          `mapstructure:"scopes"`
 	AuthParams             map[string]string `mapstructure:"authParams"`
 }
@ -39,15 +41,21 @@ type CookieOptions struct {
 }

 func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
+	loginCallbackPath := ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
+	logoutPath := ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout"
+
 	layerOptions := LayerOptions{
 		LayerOptions: authn.DefaultLayerOptions(),
 		OIDC: OIDCOptions{
-			LoginCallbackPath: "/.bouncer/authn/oidc/%s/callback",
-			LogoutPath:        "/.bouncer/authn/oidc/%s/logout",
-			Scopes:            []string{"openid"},
+			PublicBaseURL:          "",
+			LoginCallbackPath:      loginCallbackPath,
+			MatchLoginCallbackPath: "*" + loginCallbackPath,
+			LogoutPath:             logoutPath,
+			MatchLogoutPath:        "*" + logoutPath,
+			Scopes:                 []string{"openid"},
 		},
 		Cookie: CookieOptions{
-			Name:     defaultCookieName,
+			Name:     "",
 			Path:     "/",
 			HTTPOnly: true,
 			MaxAge:   time.Hour,
--- a/internal/proxy/director/layer/authn/oidc/options.go
+++ b/internal/proxy/director/layer/authn/oidc/options.go
@ -0,0 +1,56 @@
+package oidc
+
+import (
+	"net/http"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
+)
+
+type Options struct {
+	HTTPTransport            *http.Transport
+	HTTPClientTimeout        time.Duration
+	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
+}
+
+type OptionFunc func(opts *Options)
+
+func WithHTTPTransport(transport *http.Transport) OptionFunc {
+	return func(opts *Options) {
+		opts.HTTPTransport = transport
+	}
+}
+
+func WithHTTPClientTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.HTTPClientTimeout = timeout
+	}
+}
+
+func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
+	return func(opts *Options) {
+		opts.AuthnOptions = funcs
+	}
+}
+
+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
+func NewOptions(funcs ...OptionFunc) *Options {
+	opts := &Options{
+		HTTPTransport:            http.DefaultTransport.(*http.Transport),
+		HTTPClientTimeout:        30 * time.Second,
+		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
+	}
+
+	for _, fn := range funcs {
+		fn(opts)
+	}
+
+	return opts
+}
--- a/internal/proxy/director/layer/authn/options.go
+++ b/internal/proxy/director/layer/authn/options.go
@ -2,6 +2,7 @@ package authn

 type Options struct {
 	TemplateDir string
+	Debug       bool
 }

 type OptionFunc func(*Options)
@ -9,6 +10,7 @@ type OptionFunc func(*Options)
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
 		TemplateDir: "./templates",
+		Debug:       false,
 	}

 	for _, fn := range funcs {
@ -23,3 +25,9 @@ func WithTemplateDir(templateDir string) OptionFunc {
 		o.TemplateDir = templateDir
 	}
 }
+
+func WithDebug(debug bool) OptionFunc {
+	return func(o *Options) {
+		o.Debug = debug
+	}
+}
--- a/internal/proxy/director/layer/authn/rules.go
+++ b/internal/proxy/director/layer/authn/rules.go
@ -1,110 +1,54 @@
 package authn

 import (
-	"fmt"
+	"context"
 	"net/http"
-	"strconv"
-	"strings"
-	"time"

-	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )

-func (l *Layer) getHeaderRuleOptions(r *http.Request) []expr.Option {
-	options := make([]expr.Option, 0)
-
-	setHeader := expr.Function(
-		"set_header",
-		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
-
-			var value string
-			switch v := rawValue.(type) {
-			case []string:
-				value = strings.Join(v, ",")
-			case time.Time:
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
-			case time.Duration:
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
-			default:
-				value = fmt.Sprintf("%v", rawValue)
-			}
-
-			r.Header.Set(name, value)
-
-			return true, nil
-		},
-		new(func(string, string) bool),
-	)
-
-	options = append(options, setHeader)
-
-	delHeaders := expr.Function(
-		"del_headers",
-		func(params ...any) (any, error) {
-			pattern := params[0].(string)
-			deleted := false
-
-			for key := range r.Header {
-				if !wildcard.Match(key, pattern) {
-					continue
-				}
-
-				r.Header.Del(key)
-				deleted = true
-			}
-
-			return deleted, nil
-		},
-		new(func(string) bool),
-	)
-
-	options = append(options, delHeaders)
-
-	return options
+type Vars struct {
+	User *User `expr:"user"`
 }

-func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) error {
-	rules := options.Rules
-	if len(rules) == 0 {
-		return nil
+func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.ruleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
+	if err != nil {
+		return errors.WithStack(err)
 	}

-	env := map[string]any{
-		"user": user,
+	vars := &Vars{
+		User: user,
 	}

-	rulesOptions := l.getHeaderRuleOptions(r)
+	ctx = ruleHTTP.WithRequest(ctx, r)

-	var ruleErr error
-	forbidden := expr.Function(
-		"forbidden",
-		func(params ...any) (any, error) {
-			ruleErr = errors.WithStack(ErrForbidden)
-			return true, nil
-		},
-		new(func() bool),
-	)
-
-	rulesOptions = append(rulesOptions, forbidden)
-
-	for i, r := range rules {
-		program, err := expr.Compile(r, rulesOptions...)
-		if err != nil {
-			return errors.Wrapf(err, "could not compile rule #%d", i)
-		}
-
-		if _, err := expr.Run(program, env); err != nil {
-			return errors.Wrapf(err, "could not execute rule #%d", i)
-		}
-
-		if ruleErr != nil {
-			return errors.WithStack(ruleErr)
-		}
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		return errors.WithStack(err)
 	}

 	return nil
 }
+
+func getAuthnAPI() []expr.Option {
+	options := make([]expr.Option, 0)
+
+	// forbidden() allows the layer to hijack the current request and return a 403 Forbidden HTTP status
+	forbidden := expr.Function(
+		"forbidden",
+		func(params ...any) (any, error) {
+			return true, errors.WithStack(ErrForbidden)
+		},
+		new(func() bool),
+	)
+
+	options = append(options, forbidden)
+
+	return options
+}
--- a/internal/proxy/director/layer/queue/adapter.go
+++ b/internal/proxy/director/layer/queue/adapter.go
@ -10,7 +10,10 @@ type Status struct {
 }

 type Adapter interface {
+	// Touch updates the session TTL and returns its current rank
 	Touch(ctx context.Context, queueName string, sessionId string) (int64, error)
+	// Status returns the queue current status
 	Status(ctx context.Context, queueName string) (*Status, error)
+	// Refresh forces a refresh of the queue, taking into account the given TTL for sessions
 	Refresh(ctx context.Context, queueName string, keepAlive time.Duration) error
 }
--- a/internal/proxy/director/layer/queue/queue.go
+++ b/internal/proxy/director/layer/queue/queue.go
@ -1,9 +1,11 @@
 package queue

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"html/template"
+	"io"
 	"math/rand"
 	"net/http"
 	"path/filepath"
@ -52,9 +54,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}

@ -65,13 +65,13 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}

-			defer q.updateMetrics(ctx, layer.Proxy, layer.Name, options)
+			defer q.updateMetrics(layer.Proxy, layer.Name, options)

 			cookieName := q.getCookieName(layer.Name)

 			cookie, err := r.Cookie(cookieName)
 			if err != nil && !errors.Is(err, http.ErrNoCookie) {
-				logger.Error(ctx, "could not retrieve cookie", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve cookie", logger.CapturedE(errors.WithStack(err)))
 			}

 			if cookie == nil {
@ -89,9 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				logger.Error(ctx, "could not retrieve session rank", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not update queue session rank"))
 				return
 			}

@ -126,7 +124,7 @@ func (q *Queue) updateSessionsMetric(ctx context.Context, proxyName store.ProxyN

 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))

 		return
 	}
@ -144,9 +142,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam

 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve queue status"))
 		return
 	}

@ -157,7 +153,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam

 		tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 		if err != nil {
-			logger.Error(ctx, "could not load queue templates", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not load queue templates", logger.CapturedE(errors.WithStack(err)))

 			return
 		}
@ -166,9 +162,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	})

 	if q.tmpl == nil {
-		logger.Error(ctx, "queue page templates not loaded", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("queue page templates not loaded"))
 		return
 	}

@ -194,12 +188,16 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	w.Header().Add("Retry-After", strconv.FormatInt(int64(refreshRate.Seconds()), 10))
 	w.WriteHeader(http.StatusServiceUnavailable)

-	if err := q.tmpl.ExecuteTemplate(w, "queue", templateData); err != nil {
-		logger.Error(ctx, "could not render queue page", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+	var buf bytes.Buffer

+	if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render queue page"))
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write queue page", logger.CapturedE(errors.WithStack(err)))
+	}
 }

 func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, keepAlive time.Duration) {
@ -211,13 +209,15 @@ func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, kee

 	if err := q.adapter.Refresh(ctx, string(layerName), keepAlive); err != nil {
 		logger.Error(ctx, "could not refresh queue",
-			logger.E(errors.WithStack(err)),
+			logger.CapturedE(errors.WithStack(err)),
 			logger.F("queue", layerName),
 		)
 	}
 }

-func (q *Queue) updateMetrics(ctx context.Context, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) {
+func (q *Queue) updateMetrics(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) {
+	ctx := context.Background()
+
 	// Update queue capacity metric
 	metricQueueCapacity.With(
 		prometheus.Labels{
--- a/internal/proxy/director/layer/rewriter/api.go
+++ b/internal/proxy/director/layer/rewriter/api.go
@ -0,0 +1,79 @@
+package rewriter
+
+import (
+	"context"
+	"fmt"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/expr-lang/expr"
+	"github.com/pkg/errors"
+)
+
+type errRedirect struct {
+	statusCode int
+	url        string
+}
+
+func (e *errRedirect) StatusCode() int {
+	return e.statusCode
+}
+
+func (e *errRedirect) URL() string {
+	return e.url
+}
+
+func (e *errRedirect) Error() string {
+	return fmt.Sprintf("redirect %d %s", e.statusCode, e.url)
+}
+
+func newErrRedirect(statusCode int, url string) *errRedirect {
+	return &errRedirect{
+		url:        url,
+		statusCode: statusCode,
+	}
+}
+
+var _ error = &errRedirect{}
+
+func redirectFunc() expr.Option {
+	return expr.Function(
+		"redirect",
+		func(params ...any) (any, error) {
+			_, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			statusCode, err := rule.Assert[int](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			if statusCode < 300 || statusCode >= 400 {
+				return nil, errors.Errorf("unexpected redirect status code '%d'", statusCode)
+			}
+
+			url, err := rule.Assert[string](params[2])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return nil, newErrRedirect(statusCode, url)
+		},
+		new(func(context.Context, int, string) bool),
+	)
+}
+
+func WithRewriterFuncs() rule.OptionFunc {
+	return func(opts *rule.Options) {
+		funcs := []expr.Option{
+			redirectFunc(),
+		}
+
+		if len(opts.Expr) == 0 {
+			opts.Expr = make([]expr.Option, 0)
+		}
+
+		opts.Expr = append(opts.Expr, funcs...)
+	}
+}
--- a/internal/proxy/director/layer/rewriter/layer-options.json
+++ b/internal/proxy/director/layer/rewriter/layer-options.json
@ -0,0 +1,38 @@
+{
+    "type": "object",
+    "properties": {
+        "rules": {
+            "title": "Règles appliquées aux requêtes/réponses transitant par le proxy",
+            "type": "object",
+            "properties": {
+                "request": {
+                    "title": "Règles appliquées aux requêtes transitant par le proxy",
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "response": {
+                    "title": "Règles appliquées aux réponses transitant par le proxy",
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                }
+            },
+            "additionalProperties": false
+        },
+        "matchURLs": {
+            "title": "Liste de filtrage des URLs sur lesquelles le layer est actif",
+            "description": "Par exemple, si vous souhaitez limiter votre layer à l'ensemble d'une section '`/blog`' d'un site, vous pouvez déclarer la valeur `['*/blog*']`. Les autres URLs du site ne seront pas affectées par ce layer.",
+            "default": [
+                "*"
+            ],
+            "type": "array",
+            "items": {
+                "type": "string"
+            }
+        }
+    },
+    "additionalProperties": false
+}
--- a/internal/proxy/director/layer/rewriter/layer.go
+++ b/internal/proxy/director/layer/rewriter/layer.go
@ -0,0 +1,118 @@
+package rewriter
+
+import (
+	"net/http"
+
+	proxy "forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+)
+
+const LayerType store.LayerType = "rewriter"
+
+type Layer struct {
+	requestRuleEngineCache  *util.RuleEngineCache[*RequestVars, *LayerOptions]
+	responseRuleEngineCache *util.RuleEngineCache[*ResponseVars, *LayerOptions]
+}
+
+func (l *Layer) LayerType() store.LayerType {
+	return LayerType
+}
+
+func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			options, err := fromStoreOptions(layer.Options)
+			if err != nil {
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
+				return
+			}
+
+			matches := wildcard.MatchAny(r.URL.String(), options.MatchURLs...)
+			if !matches {
+				next.ServeHTTP(w, r)
+
+				return
+			}
+
+			if err := l.applyRequestRules(ctx, r, layer, options); err != nil {
+				var redirect *errRedirect
+				if errors.As(err, &redirect) {
+					http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
+					return
+				}
+
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not apply request rules"))
+
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		}
+
+		return http.HandlerFunc(fn)
+	}
+}
+
+// ResponseTransformer implements director.ResponseTransformerLayer.
+func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransformer {
+	return func(r *http.Response) error {
+		options, err := fromStoreOptions(layer.Options)
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		matches := wildcard.MatchAny(r.Request.URL.String(), options.MatchURLs...)
+		if !matches {
+			return nil
+		}
+
+		ctx := r.Request.Context()
+
+		if err := l.applyResponseRules(ctx, r, layer, options); err != nil {
+			return errors.WithStack(err)
+		}
+
+		return nil
+	}
+}
+
+func New(funcs ...OptionFunc) *Layer {
+	return &Layer{
+		requestRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+			engine, err := rule.NewEngine[*RequestVars](
+				rule.WithRules(options.Rules.Request...),
+				ruleHTTP.WithRequestFuncs(),
+				WithRewriterFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
+		responseRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+			engine, err := rule.NewEngine[*ResponseVars](
+				rule.WithRules(options.Rules.Response...),
+				ruleHTTP.WithResponseFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
+	}
+}
+
+var (
+	_ director.MiddlewareLayer          = &Layer{}
+	_ director.ResponseTransformerLayer = &Layer{}
+)
--- a/internal/proxy/director/layer/rewriter/layer_options.go
+++ b/internal/proxy/director/layer/rewriter/layer_options.go
@ -0,0 +1,56 @@
+package rewriter
+
+import (
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+)
+
+type LayerOptions struct {
+	MatchURLs []string `mapstructure:"matchURLs"`
+	Rules     Rules    `mapstructure:"rules"`
+}
+
+type Rules struct {
+	Request  []string `mapstructure:"request"`
+	Response []string `mapstructure:"response"`
+}
+
+func DefaultLayerOptions() LayerOptions {
+	return LayerOptions{
+		MatchURLs: []string{"*"},
+		Rules: Rules{
+			Request:  []string{},
+			Response: []string{},
+		},
+	}
+
+}
+
+func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
+	layerOptions := DefaultLayerOptions()
+
+	if err := FromStoreOptions(storeOptions, &layerOptions); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return &layerOptions, nil
+}
+
+func FromStoreOptions(storeOptions store.LayerOptions, dest any) error {
+	config := mapstructure.DecoderConfig{
+		Result:     dest,
+		ZeroFields: true,
+	}
+
+	decoder, err := mapstructure.NewDecoder(&config)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if err := decoder.Decode(storeOptions); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
--- a/internal/proxy/director/layer/rewriter/options.go
+++ b/internal/proxy/director/layer/rewriter/options.go
@ -0,0 +1,16 @@
+package rewriter
+
+type Options struct {
+}
+
+type OptionFunc func(opts *Options)
+
+func NewOptions(funcs ...OptionFunc) *Options {
+	opts := &Options{}
+
+	for _, fn := range funcs {
+		fn(opts)
+	}
+
+	return opts
+}
--- a/internal/proxy/director/layer/rewriter/rules.go
+++ b/internal/proxy/director/layer/rewriter/rules.go
@ -0,0 +1,204 @@
+package rewriter
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+)
+
+type RequestVars struct {
+	Request     RequestVar `expr:"request"`
+	OriginalURL URLVar     `expr:"original_url"`
+}
+
+type URLVar struct {
+	Scheme      string  `expr:"scheme"`
+	Opaque      string  `expr:"opaque"`
+	User        UserVar `expr:"user"`
+	Host        string  `expr:"host"`
+	Path        string  `expr:"path"`
+	RawPath     string  `expr:"raw_path"`
+	RawQuery    string  `expr:"raw_query"`
+	Fragment    string  `expr:"fragment"`
+	RawFragment string  `expr:"raw_fragment"`
+}
+
+func fromURL(url *url.URL) URLVar {
+	return URLVar{
+		Scheme: url.Scheme,
+		Opaque: url.Opaque,
+		User: UserVar{
+			Username: url.User.Username(),
+			Password: func() string {
+				passwd, _ := url.User.Password()
+				return passwd
+			}(),
+		},
+		Host:        url.Host,
+		Path:        url.Path,
+		RawPath:     url.RawPath,
+		RawQuery:    url.RawQuery,
+		Fragment:    url.Fragment,
+		RawFragment: url.RawFragment,
+	}
+}
+
+type UserVar struct {
+	Username string `expr:"username"`
+	Password string `expr:"password"`
+}
+
+type RequestVar struct {
+	Method           string              `expr:"method"`
+	URL              URLVar              `expr:"url"`
+	RawURL           string              `expr:"raw_url"`
+	Proto            string              `expr:"proto"`
+	ProtoMajor       int                 `expr:"proto_major"`
+	ProtoMinor       int                 `expr:"proto_minor"`
+	Header           map[string][]string `expr:"header"`
+	ContentLength    int64               `expr:"content_length"`
+	TransferEncoding []string            `expr:"transfer_encoding"`
+	Host             string              `expr:"host"`
+	Trailer          map[string][]string `expr:"trailer"`
+	RemoteAddr       string              `expr:"remote_addr"`
+	RequestURI       string              `expr:"request_uri"`
+}
+
+func fromRequest(r *http.Request) RequestVar {
+	return RequestVar{
+		Method:           r.Method,
+		URL:              fromURL(r.URL),
+		RawURL:           r.URL.String(),
+		Proto:            r.Proto,
+		ProtoMajor:       r.ProtoMajor,
+		ProtoMinor:       r.ProtoMinor,
+		Header:           r.Header,
+		ContentLength:    r.ContentLength,
+		TransferEncoding: r.TransferEncoding,
+		Host:             r.Host,
+		Trailer:          r.Trailer,
+		RemoteAddr:       r.RemoteAddr,
+		RequestURI:       r.RequestURI,
+	}
+}
+
+func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions) error {
+	rules := options.Rules.Request
+	if len(rules) == 0 {
+		return nil
+	}
+
+	engine, err := l.getRequestRuleEngine(ctx, layer, options)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	originalURL, err := director.OriginalURL(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	vars := &RequestVars{
+		OriginalURL: fromURL(originalURL),
+		Request:     fromRequest(r),
+	}
+
+	ctx = ruleHTTP.WithRequest(ctx, r)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+func (l *Layer) getRequestRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.requestRuleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return engine, nil
+}
+
+type ResponseVars struct {
+	OriginalURL URLVar      `expr:"original_url"`
+	Request     RequestVar  `expr:"request"`
+	Response    ResponseVar `expr:"response"`
+}
+
+type ResponseVar struct {
+	Status           string              `expr:"status"`
+	StatusCode       int                 `expr:"status_code"`
+	Proto            string              `expr:"proto"`
+	ProtoMajor       int                 `expr:"proto_major"`
+	ProtoMinor       int                 `expr:"proto_minor"`
+	Header           map[string][]string `expr:"header"`
+	ContentLength    int64               `expr:"content_length"`
+	TransferEncoding []string            `expr:"transfer_encoding"`
+	Uncompressed     bool                `expr:"uncompressed"`
+	Trailer          map[string][]string `expr:"trailer"`
+}
+
+func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layer *store.Layer, options *LayerOptions) error {
+	rules := options.Rules.Response
+	if len(rules) == 0 {
+		return nil
+	}
+
+	engine, err := l.getResponseRuleEngine(ctx, layer, options)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	originalURL, err := director.OriginalURL(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	vars := &ResponseVars{
+		OriginalURL: fromURL(originalURL),
+		Request:     fromRequest(r.Request),
+		Response: ResponseVar{
+			Proto:            r.Proto,
+			ProtoMajor:       r.ProtoMajor,
+			ProtoMinor:       r.ProtoMinor,
+			Header:           r.Header,
+			ContentLength:    r.ContentLength,
+			TransferEncoding: r.TransferEncoding,
+			Trailer:          r.Trailer,
+			Status:           r.Status,
+			StatusCode:       r.StatusCode,
+		},
+	}
+
+	ctx = ruleHTTP.WithResponse(ctx, r)
+	ctx = ruleHTTP.WithRequest(ctx, r.Request)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+func (l *Layer) getResponseRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.responseRuleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return engine, nil
+}
--- a/internal/proxy/director/layer/rewriter/schema.go
+++ b/internal/proxy/director/layer/rewriter/schema.go
@ -0,0 +1,8 @@
+package rewriter
+
+import (
+	_ "embed"
+)
+
+//go:embed layer-options.json
+var RawLayerOptionsSchema []byte
--- a/internal/proxy/director/layer/util/revisioned_rule_engine.go
+++ b/internal/proxy/director/layer/util/revisioned_rule_engine.go
@ -0,0 +1,51 @@
+package util
+
+import (
+	"context"
+	"sync"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+type RuleEngineFactoryFunc[V any, O any] func(ops O) (*rule.Engine[V], error)
+
+type RevisionedRuleEngine[V any, O any] struct {
+	mutex    sync.RWMutex
+	revision int
+	engine   *rule.Engine[V]
+	factory  RuleEngineFactoryFunc[V, O]
+}
+
+func (e *RevisionedRuleEngine[V, O]) Get(ctx context.Context, revision int, opts O) (*rule.Engine[V], error) {
+	e.mutex.RLock()
+	if revision == e.revision {
+		logger.Debug(ctx, "using cached rule engine", logger.F("layerRevision", revision))
+
+		defer e.mutex.RUnlock()
+		return e.engine, nil
+	}
+	e.mutex.RUnlock()
+
+	e.mutex.Lock()
+	defer e.mutex.Unlock()
+
+	logger.Debug(ctx, "creating rule engine", logger.F("layerRevision", revision))
+
+	engine, err := e.factory(opts)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	e.engine = engine
+	e.revision = revision
+
+	return engine, nil
+}
+
+func NewRevisionedRuleEngine[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RevisionedRuleEngine[V, O] {
+	return &RevisionedRuleEngine[V, O]{
+		factory: factory,
+	}
+}
--- a/internal/proxy/director/layer/util/rule_engine_cache.go
+++ b/internal/proxy/director/layer/util/rule_engine_cache.go
@ -0,0 +1,28 @@
+package util
+
+import (
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+)
+
+type RuleEngineCache[V any, O any] struct {
+	cache   cache.Cache[string, *RevisionedRuleEngine[V, O]]
+	factory RuleEngineFactoryFunc[V, O]
+}
+
+func (c *RuleEngineCache[V, O]) Get(key string) *RevisionedRuleEngine[V, O] {
+	revisionedRuleEngine, exists := c.cache.Get(key)
+	if !exists {
+		revisionedRuleEngine = NewRevisionedRuleEngine(c.factory)
+		c.cache.Set(key, revisionedRuleEngine)
+	}
+
+	return revisionedRuleEngine
+}
+
+func NewInMemoryRuleEngineCache[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RuleEngineCache[V, O] {
+	return &RuleEngineCache[V, O]{
+		factory: factory,
+		cache:   memory.NewCache[string, *RevisionedRuleEngine[V, O]](),
+	}
+}
--- a/internal/proxy/director/options.go
+++ b/internal/proxy/director/options.go
@ -0,0 +1,71 @@
+package director
+
+import (
+	"net/http"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+type Options struct {
+	Layers      []Layer
+	ProxyCache  cache.Cache[string, []*store.Proxy]
+	LayerCache  cache.Cache[string, []*store.Layer]
+	HandleError HandleErrorFunc
+}
+
+type OptionFunc func(opts *Options)
+
+func NewOptions(funcs ...OptionFunc) *Options {
+	opts := &Options{
+		Layers: make([]Layer, 0),
+		ProxyCache: ttl.NewCache(
+			memory.NewCache[string, []*store.Proxy](),
+			memory.NewCache[string, time.Time](),
+			30*time.Second,
+		),
+		LayerCache: ttl.NewCache(
+			memory.NewCache[string, []*store.Layer](),
+			memory.NewCache[string, time.Time](),
+			30*time.Second,
+		),
+		HandleError: func(w http.ResponseWriter, r *http.Request, status int, err error) {
+			logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+			http.Error(w, http.StatusText(status), status)
+		},
+	}
+
+	for _, fn := range funcs {
+		fn(opts)
+	}
+
+	return opts
+}
+
+func WithLayers(layers ...Layer) OptionFunc {
+	return func(opts *Options) {
+		opts.Layers = layers
+	}
+}
+
+func WithProxyCache(cache cache.Cache[string, []*store.Proxy]) OptionFunc {
+	return func(opts *Options) {
+		opts.ProxyCache = cache
+	}
+}
+
+func WithLayerCache(cache cache.Cache[string, []*store.Layer]) OptionFunc {
+	return func(opts *Options) {
+		opts.LayerCache = cache
+	}
+}
+
+func WithHandleErrorFunc(fn HandleErrorFunc) OptionFunc {
+	return func(opts *Options) {
+		opts.HandleError = fn
+	}
+}
--- a/internal/proxy/init.go
+++ b/internal/proxy/init.go
@ -9,7 +9,7 @@ import (
 )

 func (s *Server) initRepositories(ctx context.Context) error {
-	client := setup.NewRedisClient(ctx, s.redisConfig)
+	client := setup.NewSharedClient(s.redisConfig)

 	if err := s.initProxyRepository(ctx, client); err != nil {
 		return errors.WithStack(err)
--- a/internal/proxy/option.go
+++ b/internal/proxy/option.go
@ -1,23 +1,27 @@
 package proxy

 import (
+	"time"
+
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 )

 type Option struct {
-	ServerConfig   config.ProxyServerConfig
-	RedisConfig    config.RedisConfig
-	DirectorLayers []director.Layer
+	ServerConfig     config.ProxyServerConfig
+	RedisConfig      config.RedisConfig
+	DirectorLayers   []director.Layer
+	DirectorCacheTTL time.Duration
 }

 type OptionFunc func(*Option)

 func defaultOption() *Option {
 	return &Option{
-		ServerConfig:   config.NewDefaultProxyServerConfig(),
-		RedisConfig:    config.NewDefaultRedisConfig(),
-		DirectorLayers: make([]director.Layer, 0),
+		ServerConfig:     config.NewDefaultProxyServerConfig(),
+		RedisConfig:      config.NewDefaultRedisConfig(),
+		DirectorLayers:   make([]director.Layer, 0),
+		DirectorCacheTTL: 30 * time.Second,
 	}
 }

@ -38,3 +42,9 @@ func WithDirectorLayers(layers ...director.Layer) OptionFunc {
 		opt.DirectorLayers = layers
 	}
 }
+
+func WithDirectorCacheTTL(ttl time.Duration) OptionFunc {
+	return func(opt *Option) {
+		opt.DirectorCacheTTL = ttl
+	}
+}
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -1,21 +1,34 @@
 package proxy

 import (
+	"bytes"
 	"context"
+	"expvar"
 	"fmt"
+	"html/template"
+	"io"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
+	"net/http/pprof"
 	"net/url"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strconv"
+	"syscall"
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	bouncerChi "forge.cadoles.com/cadoles/bouncer/internal/chi"
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
-	"github.com/getsentry/sentry-go"
+
+	"github.com/Masterminds/sprig/v3"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@ -25,11 +38,12 @@ import (
 )

 type Server struct {
-	serverConfig    config.ProxyServerConfig
-	redisConfig     config.RedisConfig
-	directorLayers  []director.Layer
-	proxyRepository store.ProxyRepository
-	layerRepository store.LayerRepository
+	serverConfig     config.ProxyServerConfig
+	redisConfig      config.RedisConfig
+	directorLayers   []director.Layer
+	directorCacheTTL time.Duration
+	proxyRepository  store.ProxyRepository
+	layerRepository  store.LayerRepository
 }

 func (s *Server) Start(ctx context.Context) (<-chan net.Addr, <-chan error) {
@ -83,17 +97,25 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e

 	logger.Info(ctx, "http server listening")

+	layerCache, proxyCache, cancel := s.createDirectorCaches(ctx)
+	defer cancel()
+
 	director := director.New(
 		s.proxyRepository,
 		s.layerRepository,
-		s.directorLayers...,
+		director.WithLayers(s.directorLayers...),
+		director.WithLayerCache(layerCache),
+		director.WithProxyCache(proxyCache),
+		director.WithHandleErrorFunc(s.handleError),
 	)

 	if s.serverConfig.HTTP.UseRealIP {
 		router.Use(middleware.RealIP)
 	}

+	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
+	router.Use(middleware.Recoverer)

 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@ -124,6 +146,35 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		})
 	}

+	if s.serverConfig.Profiling.Enabled {
+		profiling := s.serverConfig.Profiling
+		logger.Info(ctx, "enabling profiling", logger.F("endpoint", profiling.Endpoint))
+
+		router.Group(func(r chi.Router) {
+			if profiling.BasicAuth != nil {
+				logger.Info(ctx, "enabling authentication on profiling endpoint")
+
+				r.Use(middleware.BasicAuth(
+					"profiling",
+					profiling.BasicAuth.CredentialsMap(),
+				))
+			}
+
+			r.Route(string(profiling.Endpoint), func(r chi.Router) {
+				r.HandleFunc("/", pprof.Index)
+				r.HandleFunc("/cmdline", pprof.Cmdline)
+				r.HandleFunc("/profile", pprof.Profile)
+				r.HandleFunc("/symbol", pprof.Symbol)
+				r.HandleFunc("/trace", pprof.Trace)
+				r.Handle("/vars", expvar.Handler())
+				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
+					name := chi.URLParam(r, "name")
+					pprof.Handler(name).ServeHTTP(w, r)
+				})
+			})
+		})
+	}
+
 	router.Group(func(r chi.Router) {
 		r.Use(director.Middleware())

@ -135,6 +186,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				director.ResponseTransformer(),
 			),
 			proxy.WithReverseProxyFactory(s.createReverseProxy),
+			proxy.WithDefaultHandler(http.HandlerFunc(s.handleDefault)),
 		)

 		r.Handle("/*", handler)
@ -147,6 +199,44 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	logger.Info(ctx, "http server exiting")
 }

+func (s *Server) createDirectorCaches(ctx context.Context) (*ttl.Cache[string, []*store.Layer], *ttl.Cache[string, []*store.Proxy], func()) {
+	layerCache := ttl.NewCache(
+		memory.NewCache[string, []*store.Layer](),
+		memory.NewCache[string, time.Time](),
+		s.directorCacheTTL,
+	)
+
+	proxyCache := ttl.NewCache(
+		memory.NewCache[string, []*store.Proxy](),
+		memory.NewCache[string, time.Time](),
+		s.directorCacheTTL,
+	)
+
+	sig := make(chan os.Signal, 1)
+
+	signal.Notify(sig, syscall.SIGUSR2)
+
+	go func() {
+		for {
+			_, ok := <-sig
+			if !ok {
+				return
+			}
+
+			logger.Info(ctx, "received sigusr2 signal, clearing proxies and layers cache")
+
+			layerCache.Clear()
+			proxyCache.Clear()
+		}
+	}()
+
+	cancel := func() {
+		close(sig)
+	}
+
+	return layerCache, proxyCache, cancel
+}
+
 func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
 	reverseProxy := httputil.NewSingleHostReverseProxy(target)

@ -159,38 +249,93 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 		DualStack:     bool(dialConfig.DualStack),
 	}

-	transportConfig := s.serverConfig.Transport
+	httpTransport := s.serverConfig.Transport.AsTransport()
+	httpTransport.DialContext = dialer.DialContext

-	reverseProxy.Transport = &http.Transport{
-		Proxy:                  http.ProxyFromEnvironment,
-		DialContext:            dialer.DialContext,
-		ForceAttemptHTTP2:      bool(transportConfig.ForceAttemptHTTP2),
-		MaxIdleConns:           int(transportConfig.MaxIdleConns),
-		MaxIdleConnsPerHost:    int(transportConfig.MaxIdleConnsPerHost),
-		MaxConnsPerHost:        int(transportConfig.MaxConnsPerHost),
-		IdleConnTimeout:        time.Duration(*transportConfig.IdleConnTimeout),
-		TLSHandshakeTimeout:    time.Duration(*transportConfig.TLSHandshakeTimeout),
-		ExpectContinueTimeout:  time.Duration(*transportConfig.ExpectContinueTimeout),
-		DisableKeepAlives:      bool(transportConfig.DisableKeepAlives),
-		DisableCompression:     bool(transportConfig.DisableCompression),
-		ResponseHeaderTimeout:  time.Duration(*transportConfig.ResponseHeaderTimeout),
-		WriteBufferSize:        int(transportConfig.WriteBufferSize),
-		ReadBufferSize:         int(transportConfig.ReadBufferSize),
-		MaxResponseHeaderBytes: int64(transportConfig.MaxResponseHeaderBytes),
-	}
-
-	reverseProxy.ErrorHandler = s.errorHandler
+	reverseProxy.Transport = httpTransport
+	reverseProxy.ErrorHandler = s.handleProxyError

 	return reverseProxy
 }

-func (s *Server) errorHandler(w http.ResponseWriter, r *http.Request, err error) {
+func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
+	s.handleError(w, r, http.StatusBadGateway, errors.Errorf("no proxy target found"))
+}
+
+func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)

-	logger.Error(r.Context(), "proxy error", logger.E(err))
-	sentry.CaptureException(err)
+	if !errors.Is(err, context.Canceled) {
+		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+	}

-	http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+	s.renderErrorPage(w, r, err, status, http.StatusText(status))
+}
+
+func (s *Server) handleProxyError(w http.ResponseWriter, r *http.Request, err error) {
+	s.handleError(w, r, http.StatusBadGateway, err)
+}
+
+func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
+	templateData := struct {
+		StatusCode int
+		Status     string
+		Err        error
+		Debug      bool
+	}{
+		Debug:      bool(s.serverConfig.Debug),
+		StatusCode: statusCode,
+		Status:     status,
+		Err:        err,
+	}
+
+	w.WriteHeader(statusCode)
+	s.renderPage(w, r, "error", strconv.FormatInt(int64(statusCode), 10), templateData)
+}
+
+func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string, block string, templateData any) {
+	ctx := r.Context()
+
+	templatesConf := s.serverConfig.Templates
+
+	pattern := filepath.Join(string(templatesConf.Dir), page+".gohtml")
+
+	logger.Info(ctx, "loading proxy templates", logger.F("pattern", pattern))
+
+	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
+	if err != nil {
+		logger.Error(ctx, "could not load proxy templates", logger.CapturedE(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	w.Header().Add("Cache-Control", "no-cache")
+
+	blockTmpl := tmpl.Lookup(block)
+	if blockTmpl == nil {
+		blockTmpl = tmpl.Lookup("default")
+	}
+
+	if blockTmpl == nil {
+		logger.Error(ctx, "could not find template block nor default one", logger.F("block", block))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	var buf bytes.Buffer
+
+	if err := blockTmpl.Execute(&buf, templateData); err != nil {
+		logger.Error(ctx, "could not render proxy page", logger.CapturedE(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write page", logger.CapturedE(errors.WithStack(err)))
+	}
 }

 func NewServer(funcs ...OptionFunc) *Server {
@ -200,8 +345,9 @@ func NewServer(funcs ...OptionFunc) *Server {
 	}

 	return &Server{
-		serverConfig:   opt.ServerConfig,
-		redisConfig:    opt.RedisConfig,
-		directorLayers: opt.DirectorLayers,
+		serverConfig:     opt.ServerConfig,
+		redisConfig:      opt.RedisConfig,
+		directorLayers:   opt.DirectorLayers,
+		directorCacheTTL: opt.DirectorCacheTTL,
 	}
 }
--- a/internal/rule/engine.go
+++ b/internal/rule/engine.go
@ -0,0 +1,79 @@
+package rule
+
+import (
+	"context"
+
+	"github.com/expr-lang/expr"
+	"github.com/expr-lang/expr/vm"
+	"github.com/pkg/errors"
+)
+
+type Engine[V any] struct {
+	rules []*vm.Program
+}
+
+func (e *Engine[V]) Apply(ctx context.Context, vars V) ([]any, error) {
+	type Env[V any] struct {
+		Context context.Context `expr:"ctx"`
+		Vars    V               `expr:"vars"`
+	}
+
+	env := Env[V]{
+		Context: ctx,
+		Vars:    vars,
+	}
+
+	results := make([]any, 0, len(e.rules))
+	for i, r := range e.rules {
+		result, err := expr.Run(r, env)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not run rule #%d", i)
+		}
+
+		results = append(results, result)
+	}
+
+	return results, nil
+}
+
+func NewEngine[E any](funcs ...OptionFunc) (*Engine[E], error) {
+	opts := NewOptions(funcs...)
+
+	engine := &Engine[E]{
+		rules: make([]*vm.Program, 0, len(opts.Rules)),
+	}
+
+	for i, r := range opts.Rules {
+		program, err := expr.Compile(r, opts.Expr...)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not compile rule #%d", i)
+		}
+
+		engine.rules = append(engine.rules, program)
+	}
+
+	return engine, nil
+}
+
+func Context[T any](ctx context.Context, key any) (T, bool) {
+	raw := ctx.Value(key)
+	if raw == nil {
+		return *new(T), false
+	}
+
+	value, err := Assert[T](raw)
+	if err != nil {
+		return *new(T), false
+	}
+
+	return value, true
+}
+
+func Assert[T any](raw any) (T, error) {
+	value, ok := raw.(T)
+	if !ok {
+		return *new(T), errors.Errorf("unexpected value '%T'", value)
+	}
+
+	return value, nil
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
William Petit	9d10a69b0d	chore: update go and alpine docker image version All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-04-03 11:12:32 +02:00
William Petit	8b6e75ae77	feat: use sentry tags instead of context for better observability All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-19 15:04:55 +01:00
William Petit	692523e54f	feat: prevent call bursts on oidc provider refresh All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 15:51:25 +01:00
William Petit	59ecfa7b4e	feat: prevent burst of proxy/layers update All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 12:52:59 +01:00
William Petit	cc5cdcea96	fix: cache ttl interpolation All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 12:20:00 +01:00
William Petit	1af7248a6f	feat: reset proxy cache with sigusr2 All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 11:35:15 +01:00
William Petit	8b132dddd4	feat: add proxy information in sentry context All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-17 12:07:30 +01:00
William Petit	6a4a144c97	feat: silence context expired errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details closes #49	2025-03-10 18:32:36 +01:00
wpetit	ac7b7e8189	Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48 ) from issue-47 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #48 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>	2025-03-07 13:42:39 +01:00
William Petit	2df74bad4f	feat: cache oidc.Provider to reduce pressure on OIDC identity provider (#47 ) All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2025-03-07 11:15:28 +01:00
wpetit	076a3d784e	Merge pull request 'Fix append error in admin/run.go' (#46 ) from fix-append into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #46	2025-03-07 10:21:27 +01:00
Matthieu Lamalle	826edef358	fix : suppression de append inutile, remonté par go vet All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-11-18 11:05:17 +01:00
William Petit	ce7415af20	fix: prevent nil pointer when err session retrieval fails All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details see https://sentry.in.nuonet.fr/share/issue/48b82c13ee3f4721bb6306b533799709/	2024-11-14 10:10:16 +01:00
William Petit	7cc9de180c	feat(authn): add configurable global ttl for session storage	2024-11-14 10:09:33 +01:00
William Petit	74c2a2c055	fix(authn): correctly handle session-limited cookies All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See CNOUS/mse#4347	2024-11-08 12:21:23 +01:00
William Petit	239d4573c3	feat(sentry): ignore 'net/http: abort' errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See: - https://sentry.in.nuonet.fr/share/issue/972e100ea22d44759c44b6cfad8be7b2/ - https://pkg.go.dev/net/http#:~:text=ErrAbortHandler%20is%20a%20sentinel%20panic%20value%20to%20abort%20a%20handler.%20While%20any%20panic%20from%20ServeHTTP%20aborts%20the%20response%20to%20the%20client%2C%20panicking%20with%20ErrAbortHandler%20also%20suppresses%20logging%20of%20a%20stack%20trace%20to%20the%20server%27s%20error%20log.	2024-11-08 11:19:38 +01:00
William Petit	cffe3eca1b	fix: prevent loss of information when returning errors Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details Linked to: - https://sentry.in.nuonet.fr/share/issue/5fa72de1b01b46bc81601958a2ff5fd2/ - https://sentry.in.nuonet.fr/share/issue/5a225f6400a647c0bbf1f7ea01566e63/	2024-11-08 11:13:39 +01:00
wpetit	a686c52aed	Merge pull request 'fix(rewriter): prevent mixing of cached rule engines (#44 )' (#45 ) from issue-44 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #45	2024-10-21 14:07:51 +02:00
William Petit	c0470ca623	feat: better display of large error messsages Some checks are pending Cadoles/bouncer/pipeline/head Build queued... Details Cadoles/bouncer/pipeline/pr-develop Build queued... Details	2024-10-21 13:49:32 +02:00
William Petit	c611705d45	fix(rewriter): prevent mixing of cached rule engines (#44 )	2024-10-21 13:48:59 +02:00
William Petit	16fa751dc7	doc: fix rewriter rule method name	2024-10-21 13:48:07 +02:00
William Petit	8983a44d9e	feat: do not capture warning errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-10-11 14:18:52 +02:00
William Petit	11375e546f	feat: allow more control on redis client configuration Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details	2024-10-11 14:17:45 +02:00
William Petit	69501f6302	feat: log context cancelled error as warn instead of errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-10-02 12:13:50 +02:00
William Petit	382d17cc85	feat: do not use logger.Debug in critical path	2024-10-02 12:13:26 +02:00
William Petit	9bd1d0fbd7	feat: remove superfluous sentry span handlers	2024-10-02 12:12:51 +02:00
William Petit	ecacbb1cbd	feat: disable sentry tracing by default	2024-10-02 12:12:10 +02:00
William Petit	910f1f8ba2	feat: do not use fmt.Sprintf in http logger	2024-10-02 12:11:30 +02:00
William Petit	be59be1795	feat: add recoverer + request-id http middlewares	2024-10-02 12:10:38 +02:00
William Petit	4d6958e2f5	chore: increase default siege requests volume	2024-10-02 12:09:41 +02:00
William Petit	f3b553cb10	feat: expose expvars as profiling endpoint	2024-10-02 12:09:02 +02:00
wpetit	0ff9391a1b	Merge pull request 'feat: global error handler with template rendering' (#42 ) from error-handler into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #42	2024-09-27 15:03:05 +02:00
William Petit	d4c28b80d7	feat: global error handler with template rendering Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-27 15:02:49 +02:00
William Petit	590505e17a	feat: add sentry spans to evaluate proxy performances All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-27 10:46:18 +02:00
William Petit	867e7c549f	feat: capture logged errors and forward them to sentry when enabled All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-27 10:15:08 +02:00
William Petit	169578c25d	chore: fix log typo All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-26 15:48:22 +02:00
William Petit	b0a71fc599	feat: use go 1.23 for docker build All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-26 14:46:28 +02:00
wpetit	eea51c6030	Merge pull request 'feat(rewriter): add redirect(), get_cookie(), add_cookie() methods to rule engine (#36 )' (#41 ) from issue-36 into develop Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details Reviewed-on: #41	2024-09-25 15:53:00 +02:00
William Petit	04b41baea3	feat(rewriter): add redirect(), get_cookie(), add_cookie() methods to rule engine (#36 ) Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-25 15:52:49 +02:00
wpetit	cb9260ac2b	Merge pull request 'feat(authn) : add case to test multiples CIDR #34 ' (#35 ) from issue-4 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #35	2024-09-25 15:15:11 +02:00
Matthieu Lamalle	5eac425fda	feat(authn) : add case to test multiples CIDR Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-25 15:15:04 +02:00
wpetit	0b032fccc9	Merge pull request 'Moteur de règles V2' (#40 ) from rule-engine-2 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #40	2024-09-25 09:11:46 +02:00
William Petit	fea0610346	feat: reusable rule engine to prevent memory reallocation All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-09-24 18:45:34 +02:00
William Petit	f37425018b	feat: use shared redis client to maximize pooling usage (#39 ) All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-23 15:16:30 +02:00
William Petit	4801974ca3	fix(queue): prevent metrics update cancellation on aborted http requests (#39 ) All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-23 10:34:24 +02:00
William Petit	bf15732935	feat: disable sentry integration when no dsn is defined All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-23 10:13:04 +02:00
William Petit	8317ac5b9a	feat: add configurable profiling endpoints (#38 )	2024-09-23 10:12:42 +02:00
William Petit	f35384c0f3	feat: create profiling package + rewrite profiling tutorial Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details	2024-06-28 17:44:51 +02:00
William Petit	c73fe8cca5	feat(rewriter): pass structured url to ease request rewriting All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-28 10:46:38 +02:00
William Petit	3c1939f418	feat: add revision number to proxy and layers to identify changes All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 17:03:50 +02:00
William Petit	3565618335	doc: update link title Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details	2024-06-27 15:53:01 +02:00
William Petit	64ca8fe1e4	fix: wrong bit size	2024-06-27 15:27:14 +02:00
William Petit	d5669a4eb5	fix: multiple environment variables interpolation in configuration file All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 15:00:25 +02:00
William Petit	f3aa8b9be6	doc: add profiling tutorial link All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 14:13:08 +02:00
William Petit	2de5e285a3	doc: add virtual hosting example All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 11:12:58 +02:00
William Petit	87e1c65607	fix: security vulnerabilities All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details ref #31	2024-06-27 10:04:29 +02:00
William Petit	f092520ee4	chore: tidy deps All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 16:31:14 +02:00
wpetit	9084b6e05f	Merge pull request 'Implémentation des proxies "passthrough"' (#30 ) from passthrough-proxy into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #30	2024-06-26 16:23:28 +02:00
William Petit	5494abded4	feat: passthrough proxies Some checks are pending Cadoles/bouncer/pipeline/head Build started... Details Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-06-26 16:22:30 +02:00
William Petit	059af1b6ee	fix: add missing templates in docker image All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 15:00:23 +02:00
William Petit	532f30c155	chore: remove artefact Dockerfile Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details	2024-06-26 15:00:07 +02:00
William Petit	49f2ccbc7a	feat: templatized proxy error page All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 14:36:28 +02:00
William Petit	8a751afc97	chore: add http debug env in default environment file All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 13:53:52 +02:00
William Petit	4907c0b51f	feat: return status 502 on proxy error	2024-06-26 13:53:22 +02:00
William Petit	1881f27928	refactor: use new rule engine package Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details	2024-06-26 13:52:49 +02:00
wpetit	114608931b	Merge pull request 'Layer `rewriter`: réécriture dynamiques des attributs de requêtes/réponses' (#29 ) from rewriter-layer into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #29	2024-06-25 17:02:49 +02:00
William Petit	05b547da48	feat: rewriter layer All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-06-25 16:50:29 +02:00
William Petit	9d902a7494	doc: update create custom layer tutorial All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-25 11:32:54 +02:00
William Petit	ea68724635	fix: update dummy bootstrap example All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-25 11:25:34 +02:00
William Petit	1009eb19aa	feat: use destination path as prefix when rewritting url All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-24 17:18:31 +02:00
William Petit	19fda6aa64	feat(authn-oidc): allow overwriting of cookie name All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-05 16:13:45 +02:00
William Petit	65238f1ff3	feat(authn-oidc): include proxy in cookie name All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-05 16:00:23 +02:00
William Petit	d4da9cba8d	chore: fix goreleaser version All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-05 15:54:00 +02:00
William Petit	d5fed4c2ac	feat(authn): add templatized error page Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details ref CNOUS/mse#3907	2024-06-05 15:53:17 +02:00
William Petit	c7ac331b10	chore: add interface description Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details	2024-06-05 12:52:01 +02:00
William Petit	2952f68720	fix(config): handles raw nanoseconds durations All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-29 16:49:05 +02:00
William Petit	3e98901931	fix: update multi-nodes example (#25 ) All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-29 14:18:40 +02:00
wpetit	d667bb03f5	Merge pull request 'Mise en place de cache local au niveau du serveur pour améliorer les temps de traitement des requêtes' (#26 ) from benchmark into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #26	2024-05-28 16:52:34 +02:00
William Petit	3a9fde9bc9	feat: improve perf by caching proxy and layers locally Some checks are pending Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-05-28 16:45:15 +02:00
William Petit	42dab5797a	chore(doc): fix typo All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-28 11:16:15 +02:00
William Petit	132bf1e642	feat(authn-oidc): allow for dynamic post-logout redirection All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-24 17:01:06 +02:00
William Petit	26a9ad0e2e	feat(authn-oidc): match login callback/logout urls with query string by default All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-24 15:28:21 +02:00
William Petit	3e5dd446cb	feat(authn-oidc): use relative redirection to prevent internal/public host mixing	2024-05-24 15:27:43 +02:00
William Petit	d5c846a9ce	fix(docker): format default config durations All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-24 14:52:31 +02:00
William Petit	82c93d3f1e	feat(config): interpolate recursively in interpolated map All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-24 12:49:03 +02:00
William Petit	544326a4b7	feat(authn-oidc): use full urls for login callback/logout options	2024-05-23 17:41:36 +02:00
William Petit	499bb3696d	fix(authn-network): handles r.RemoteAddr without port Some checks are pending Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-authn-oidc-redirect-url Build started... Details	2024-05-22 15:24:40 +02:00
William Petit	572093536a	feat(authn): do not allow additional options All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-22 14:41:54 +02:00
William Petit	0d4319fcbb	chore: tidy deps All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-21 17:24:51 +02:00
William Petit	c4dcf57053	fix: add missing licence file All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-21 15:43:33 +02:00