fix: security vulnerabilities

ref #31

Dockerfile

@@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22.0 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.22 AS BUILD
 
 RUN apt-get update \
     && apt-get install -y make
@@ -33,7 +33,7 @@ RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bounc
     && yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
     && yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml
 
-FROM reg.cadoles.com/proxy_cache/library/alpine:3.19.1 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.20 AS RUNTIME
 
 RUN apk add --no-cache ca-certificates dumb-init
 

Makefile

@@ -81,7 +81,7 @@ finish-release:
 	git push --tags
 
 docker-build:
-	docker build -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
+	docker build --pull -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
 	docker tag $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) $(DOCKER_IMAGE_NAME):latest
 
 docker-release:

README.md

@@ -4,7 +4,16 @@
 
 # Bouncer
 
-Serveur mandataire inverse (_"reverse proxy"_) filtrant avec gestion de files d'attente dynamiques.
+Serveur mandataire inverse (_"reverse proxy"_) avec fonctionnalités avancées pilotable par API REST.
+
+## Fonctionnalités
+
+- Authentification unique basée sur entêtes HTTP ("Trusted headers SSO") avec:
+  - Fournisseur d'identité OpenID Connect ;
+  - Basic Auth ;
+  - Origine réseau ;
+- Gestion de files d'attente dynamiques pour maîtriser la charge sur les services protégés ;
+- Réécriture dynamique des attributs (notamment entêtes HTTP) des requêtes/réponses via un DSL.
 
 ## Documentation
 
@@ -12,4 +21,4 @@ Serveur mandataire inverse (_"reverse proxy"_) filtrant avec gestion de files d'
 
 ## Licence
 
-AGPL-3.0
+AGPL-3.0

doc/README.md

@@ -1,7 +1,8 @@
 # Documentation
 
-- [(FR) - Premiers pas](./fr/getting-started.md)
 - [(FR) - Architecture générale](./fr/general-architecture.md)
+- [(FR) - Terminologie](./fr/terminology.md)
+- [(FR) - Premiers pas](./fr/getting-started.md)
 
 ## Exemples
 

doc/fr/general-architecture.md

@@ -2,31 +2,6 @@
 
 ## Modèles de déploiement
 
-### Déploiement mono-noeud
+### Mode mono-noeud
 
-![](../resources/deployment_fr.png)
-
-## Terminologie
-
-Voici une liste des termes utilisés dans le lexique Bouncer.
-
-### Proxy
-
-Un "proxy" est une entité logique définissant le relation suivante:
-
-- Un ou plusieurs patrons de filtrage sous la forme d'un patron d'URL avec le caractère `*` comme caractère générique. Ceux ci identifient le ou les domaines/chemins associés à l'entité;
-- Une URL cible qui servira de base pour la réécriture des requêtes.
-
-Un "proxy" peut avoir zéro ou plusieurs "layers" associés.
-
-Un "proxy" peut être activé ou désactivé.
-
-Un "proxy" a un poids qui définit son niveau de priorité dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
-
-### Layer
-
-Un "layer" (calque) est une entité logique définissant un traitement à appliquer aux requêtes et/ou aux réponses transitant par un proxy.
-
-Un "layer" peut être activé ou désactivé.
-
-Un "layer" a un poids qui définit son niveau de priorité dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+![](../resources/deployment_single_node_fr.png)

doc/fr/terminology.md

@@ -0,0 +1,29 @@
+# Terminologie
+
+Voici une liste des termes utilisés dans le lexique Bouncer.
+
+## Proxy
+
+Un proxy est une entité logique définie par les propriétés suivantes:
+
+- Il possède **un ou plusieurs filtres d'origine** sous la forme de motifs d'URL avec le caractère `*` comme joker. Ces filtres identifient le ou les URLs associées au proxy.
+- Il peut avoir **zéro ou une URL cible**, qui servira de base pour la réécriture des requêtes. Si l'URL est absente, on parle alors de "passthrough" (voir note).
+- Il peut avoir **zéro ou plusieurs "layers" associés**.
+- Il peut être **activé ou désactivé**.
+- Il a **un poids qui définit son niveau de priorité** dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+
+Pour résumer un proxy répond à la question "_Quelle URL orienter vers quel serveur cible ?_".
+
+> **Passthrough**
+>
+> Un proxy "passthrough" est un proxy n'ayant pas d'URL cible (champ vide). Dans ce cas si les motifs d'URLs correspondent à l'URL de la requête Bouncer appliquera les layers associés puis passera la main aux proxies suivants.
+
+## Layer
+
+Un layer est une entité logique définie par les propriétés suivantes:
+
+- Il a **un type auquel est associé un schéma d'options** permettant de configurer son comportement.
+- Il peut être **activé ou désactivé**.
+- Il a **un poids qui définit son niveau de priorité** dans la pile de traitement (plus son poids est élevé plus il est prioritaire).
+
+Pour résumer un layer répond à la question "_Quel traitement appliquer à la requête et/ou réponse ?_".

go.mod

@@ -1,11 +1,11 @@
 module forge.cadoles.com/cadoles/bouncer
 
-go 1.21
+go 1.22
 
 toolchain go1.22.0
 
 require (
-	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6
+	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/bsm/redislock v0.9.4
 	github.com/btcsuite/btcd/btcutil v1.1.3
@@ -92,9 +92,9 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
@@ -111,18 +111,18 @@ require (
 require (
 	cdr.dev/slog v1.6.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/go-chi/cors v1.2.1
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/uuid v1.3.0
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/httprc v1.0.5 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.19
+	github.com/lestrrat-go/jwx/v2 v2.1.0
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.0 // indirect
 	github.com/lithammer/shortuuid/v4 v4.0.0
@@ -132,11 +132,11 @@ require (
 	github.com/urfave/cli/v2 v2.25.3
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20240226160244-6b2826c79f88
-	golang.org/x/crypto v0.19.0
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/crypto v0.24.0
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -8,8 +8,8 @@ cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5
 cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
 cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
 cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
-forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6 h1:FTk0ZoaV5N8Tkps5Da5RrDMZZXSHZIuD67Hy1Y4fsos=
-forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
+forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926 h1:gSTTuW2lqH66cGVrhplrVrqos62BY1/GxR3KYh2TElk=
+forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -83,8 +83,8 @@ github.com/dchest/uniuri v1.2.0 h1:koIcOUdrTIivZgSLhHQvKgqdWZq5d7KdMEWF1Ud6+5g=
 github.com/dchest/uniuri v1.2.0/go.mod h1:fSzm4SLHzNZvWLvWJew423PhAzkpNQYq+uNLq4kxhkY=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
@@ -133,8 +133,8 @@ github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfC
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -208,12 +208,12 @@ github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N
 github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
-github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/OLUk=
+github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.0.19 h1:ekv1qEZE6BVct89QA+pRF6+4pCpfVrOnEJnTnT4RXoY=
-github.com/lestrrat-go/jwx/v2 v2.0.19/go.mod h1:l3im3coce1lL2cDeAjqmaR+Awx+X8Ih+2k8BuHNJ4CU=
+github.com/lestrrat-go/jwx/v2 v2.1.0 h1:0zs7Ya6+39qoit7gwAf+cYm1zzgS3fceIdo7RmQ5lkw=
+github.com/lestrrat-go/jwx/v2 v2.1.0/go.mod h1:Xpw9QIaUGiIUD1Wx0NcY1sIHwFf8lDuZn/cmxtXYRys=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
@@ -339,8 +339,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@@ -375,13 +375,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -395,8 +395,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -433,13 +433,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -447,8 +447,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -457,8 +457,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/admin/proxy_route.go

@@ -121,7 +121,7 @@ func (s *Server) deleteProxy(w http.ResponseWriter, r *http.Request) {
 
 type CreateProxyRequest struct {
 	Name string   `json:"name" validate:"required"`
-	To   string   `json:"to" validate:"required"`
+	To   string   `json:"to"`
 	From []string `json:"from" validate:"required"`
 }
 

internal/command/admin/layer/query.go

@@ -2,6 +2,7 @@ package layer
 
 import (
 	"os"
+	"slices"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/client"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/admin/apierr"
@@ -52,14 +53,16 @@ func QueryCommand() *cli.Command {
 
 			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
-			proxies, err := client.QueryLayer(ctx.Context, proxyName, options...)
+			layers, err := client.QueryLayer(ctx.Context, proxyName, options...)
 			if err != nil {
 				return errors.WithStack(apierr.Wrap(err))
 			}
 
+			slices.SortFunc(layers, sortLayerssByWeight)
+
 			hints := layerHeaderHints(baseFlags.OutputMode)
 
-			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(proxies)...); err != nil {
+			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(layers)...); err != nil {
 				return errors.WithStack(err)
 			}
 
@@ -67,3 +70,13 @@ func QueryCommand() *cli.Command {
 		},
 	}
 }
+
+func sortLayerssByWeight(a *store.LayerHeader, b *store.LayerHeader) int {
+	if a.Weight < b.Weight {
+		return 1
+	}
+	if a.Weight > b.Weight {
+		return -1
+	}
+	return 0
+}

internal/command/admin/proxy/create.go

@@ -19,7 +19,7 @@ func CreateCommand() *cli.Command {
 		Name:  "create",
 		Usage: "Create proxy",
 		Flags: proxyFlag.WithProxyFlags(
-			flag.ProxyTo(true),
+			flag.ProxyTo(),
 			flag.ProxyFrom(),
 		),
 		Action: func(ctx *cli.Context) error {

internal/command/admin/proxy/flag/flag.go

@@ -30,12 +30,11 @@ func ProxyName() cli.Flag {
 
 const KeyProxyTo = "proxy-to"
 
-func ProxyTo(required bool) cli.Flag {
+func ProxyTo() cli.Flag {
 	return &cli.StringFlag{
-		Name:     KeyProxyTo,
-		Usage:    "Set `PROXY_TO` as proxy's destination url",
-		Value:    "",
-		Required: required,
+		Name:  KeyProxyTo,
+		Usage: "Set `PROXY_TO` as proxy's destination url",
+		Value: "",
 	}
 }
 

internal/command/admin/proxy/query.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"os"
+	"slices"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/client"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/admin/apierr"
@@ -51,6 +52,8 @@ func QueryCommand() *cli.Command {
 				return errors.WithStack(apierr.Wrap(err))
 			}
 
+			slices.SortFunc(proxies, sortProxiesByWeight)
+
 			hints := proxyHeaderHints(baseFlags.OutputMode)
 
 			if err := format.Write(baseFlags.Format, os.Stdout, hints, clientFlag.AsAnySlice(proxies)...); err != nil {
@@ -61,3 +64,13 @@ func QueryCommand() *cli.Command {
 		},
 	}
 }
+
+func sortProxiesByWeight(a *store.ProxyHeader, b *store.ProxyHeader) int {
+	if a.Weight < b.Weight {
+		return 1
+	}
+	if a.Weight > b.Weight {
+		return -1
+	}
+	return 0
+}

internal/command/admin/proxy/update.go

@@ -19,7 +19,7 @@ func UpdateCommand() *cli.Command {
 		Name:  "update",
 		Usage: "Update proxy",
 		Flags: proxyFlag.WithProxyFlags(
-			flag.ProxyTo(false),
+			flag.ProxyTo(),
 			flag.ProxyFrom(),
 			flag.ProxyEnabled(),
 			flag.ProxyWeight(),

internal/proxy/director/context.go

@@ -34,19 +34,6 @@ func OriginalURL(ctx context.Context) (*url.URL, error) {
 	return url, nil
 }
 
-func withProxy(ctx context.Context, proxy *store.Proxy) context.Context {
-	return context.WithValue(ctx, contextKeyProxy, proxy)
-}
-
-func ctxProxy(ctx context.Context) (*store.Proxy, error) {
-	proxy, err := ctxValue[*store.Proxy](ctx, contextKeyProxy)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
-	return proxy, nil
-}
-
 func withLayers(ctx context.Context, layers []*store.Layer) context.Context {
 	return context.WithValue(ctx, contextKeyLayers, layers)
 }

internal/proxy/director/director.go

@@ -36,15 +36,15 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	ctx = withOriginalURL(ctx, url)
 	ctx = logger.With(ctx, logger.F("url", url.String()))
 
-	var match *store.Proxy
+	layers := make([]*store.Layer, 0)
 
-MAIN:
 	for _, p := range proxies {
 		for _, from := range p.From {
 			logger.Debug(
 				ctx, "matching request with proxy's from",
 				logger.F("from", from),
 			)
+
 			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}
@@ -54,44 +54,41 @@ MAIN:
 				logger.F("from", from),
 			)
 
-			match = p
-			break MAIN
+			ctx = logger.With(ctx,
+				logger.F("proxy", p.Name),
+				logger.F("host", r.Host),
+				logger.F("remoteAddr", r.RemoteAddr),
+			)
+
+			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
+
+			proxyLayers, err := d.getLayers(ctx, p.Name)
+			if err != nil {
+				return r, errors.WithStack(err)
+			}
+
+			layers = append(layers, proxyLayers...)
+
+			if p.To == "" {
+				continue
+			}
+
+			toURL, err := url.Parse(p.To)
+			if err != nil {
+				return r, errors.WithStack(err)
+			}
+
+			r.URL.Host = toURL.Host
+			r.URL.Scheme = toURL.Scheme
+			r.URL.Path = toURL.JoinPath(r.URL.Path).Path
+
+			ctx = withLayers(ctx, layers)
+			r = r.WithContext(ctx)
+
+			return r, nil
 		}
 	}
 
-	if match == nil {
-		return r, nil
-	}
-
-	toURL, err := url.Parse(match.To)
-	if err != nil {
-		return r, errors.WithStack(err)
-	}
-
-	r.URL.Host = toURL.Host
-	r.URL.Scheme = toURL.Scheme
-	r.URL.Path = toURL.JoinPath(r.URL.Path).Path
-
-	ctx = logger.With(ctx,
-		logger.F("proxy", match.Name),
-		logger.F("host", r.Host),
-		logger.F("remoteAddr", r.RemoteAddr),
-	)
-
-	logger.Debug(
-		ctx, "rewritten url",
-		logger.F("rewrittenURL", r.URL.String()),
-	)
-
-	metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(match.Name)}).Add(1)
-
-	ctx = withProxy(ctx, match)
-
-	layers, err := d.getLayers(ctx, match.Name)
-	if err != nil {
-		return r, errors.WithStack(err)
-	}
-
 	ctx = withLayers(ctx, layers)
 	r = r.WithContext(ctx)
 

internal/proxy/server.go

@@ -157,6 +157,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				director.ResponseTransformer(),
 			),
 			proxy.WithReverseProxyFactory(s.createReverseProxy),
+			proxy.WithDefaultHandler(http.HandlerFunc(s.handleDefault)),
 		)
 
 		r.Handle("/*", handler)
@@ -185,12 +186,21 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 	httpTransport.DialContext = dialer.DialContext
 
 	reverseProxy.Transport = httpTransport
-	reverseProxy.ErrorHandler = s.errorHandler
+	reverseProxy.ErrorHandler = s.handleError
 
 	return reverseProxy
 }
 
-func (s *Server) errorHandler(w http.ResponseWriter, r *http.Request, err error) {
+func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
+	err := errors.Errorf("no proxy target found")
+
+	logger.Error(r.Context(), "proxy error", logger.E(err))
+	sentry.CaptureException(err)
+
+	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+}
+
+func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
 	err = errors.WithStack(err)
 
 	logger.Error(r.Context(), "proxy error", logger.E(err))