chore: update go and alpine docker image version

feat: use sentry tags instead of context for better observability
feat: prevent call bursts on oidc provider refresh
2025-04-03 11:12:32 +02:00 · 2025-03-19 15:04:55 +01:00 · 2025-03-18 15:51:25 +01:00 · 2025-03-18 12:52:59 +01:00 · 2025-03-18 12:20:00 +01:00 · 2025-03-18 11:35:15 +01:00
100 changed files with 3484 additions and 776 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,4 +10,4 @@
 /out
 .dockerconfigjson
 *.prof
-proxy.test
+*.test
--- a/12
+++ b/12
@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22.0 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.24.2 AS build
 RUN apt-get update \
    && apt-get install -y make
@ -33,7 +33,7 @@ RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bounc
    && yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml
-FROM reg.cadoles.com/proxy_cache/library/alpine:3.19.1 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.21 AS runtime
 RUN apk add --no-cache ca-certificates dumb-init
@ -41,10 +41,10 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
-COPY --from=BUILD /src/layers /usr/share/bouncer/layers
+COPY --from=build /src/layers /usr/share/bouncer/layers
-COPY --from=BUILD /src/templates /usr/share/bouncer/templates
+COPY --from=build /src/templates /usr/share/bouncer/templates
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
 RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
--- a/11
+++ b/11
@ -17,7 +17,8 @@ GOTEST_ARGS ?= -short
 OPENWRT_DEVICE ?= 192.168.1.1
 SIEGE_URLS_FILE ?= misc/siege/urls.txt
-SIEGE_CONCURRENCY ?= 100
+SIEGE_CONCURRENCY ?= 200
 SIEGE_DURATION ?= 5M
 data/bootstrap.d/dummy.yml:
 	mkdir -p data/bootstrap.d
@ -81,7 +82,7 @@ finish-release:
 	git push --tags
 docker-build:
-	docker build -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
+	docker build --pull -t $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) .
 	docker tag $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) $(DOCKER_IMAGE_NAME):latest
 docker-release:
@ -114,7 +115,7 @@ grafterm: tools/grafterm/bin/grafterm
 siege:
 	$(eval TMP := $(shell mktemp))
 	cat $(SIEGE_URLS_FILE) | envsubst > $(TMP)
-	siege -i -b -c $(SIEGE_CONCURRENCY) -f $(TMP)
+	siege -R ./misc/siege/siege.conf -i -b -c $(SIEGE_CONCURRENCY) -t $(SIEGE_DURATION) -f $(TMP)
 	rm -rf $(TMP)
 tools/gitea-release/bin/gitea-release.sh:
@ -131,7 +132,7 @@ tools/grafterm/bin/grafterm:
 	GOBIN=$(PWD)/tools/grafterm/bin go install github.com/slok/grafterm/cmd/grafterm@v0.2.0
 bench:
-	go test -bench=. -run '^$$' -count=10 ./...
+	go test -bench=. -run '^$$' -benchtime=10s ./internal/bench
 tools/benchstat/bin/benchstat:
 	mkdir -p tools/benchstat/bin
@ -150,7 +151,7 @@ run-redis:
 		-v $(PWD)/data/redis:/data \
 		-p 6379:6379 \
 		redis:alpine3.17 \
-		redis-server --save 60 1 --loglevel warning
+		redis-server --save 60 1 --loglevel debug
 redis-shell:
 	docker exec -it \
--- a/doc/README.md
+++ b/doc/README.md
@ -12,19 +12,22 @@
 - [(FR) - Layers](./fr/references/layers/README.md)
 - [(FR) - Métriques](./fr/references/metrics.md)
- [(FR) - Fichier de configuration](../misc/packaging/common/config.yml)
+- [(FR) - Configuration](./fr/references/configuration.md)
 - [(FR) - API d'administration](./fr/references/admin_api.md)
 ## Tutoriels
 ### Utilisation
 - [(FR) - Le cas du "virtual hosting"](./fr/tutorials/virtual-hosting.md)
 - [(FR) - Ajouter un layer de type "file d'attente"](./fr/tutorials/add-queue-layer.md)
 - [(FR) - Ajouter une authentification OpenID Connect](./fr/tutorials/add-oidc-authn-layer.md)
 - [(FR) - Amorçage d'un serveur Bouncer via la configuration](./fr/tutorials/bootstrapping.md)
 - [(FR) - Intégration avec Kubernetes](./fr/tutorials/kubernetes-integration.md)
 - [(FR) - Profilage](./fr/tutorials/profiling.md)
 ### Développement
 - [(FR) - Démarrer avec les sources](./fr/tutorials/getting-started-with-sources.md)
 - [(FR) - Créer son propre layer](./fr/tutorials/create-custom-layer.md)
 - [(FR) - Étudier les performances de Bouncer](./fr/tutorials/profiling.md)
--- a/doc/fr/references/configuration.md
+++ b/doc/fr/references/configuration.md
@ -0,0 +1,34 @@
 # Configuration
 ## Référence
 Vous trouverez ici un fichier de configuration de référence, complet et commenté:
 [`misc/packaging/common/config.yml`](../../../misc/packaging/common/config.yml)
 ## Interpolation de variables
 Il est possible d'utiliser de l'interpolation de variables d'environnement dans le fichier de configuration via la syntaxe `${var}`.
 Les fonctions d'interpolation suivantes sont également disponibles:
 - `${var^}`
 - `${var^^}`
 - `${var,}`
 - `${var,,}`
 - `${var:position}`
 - `${var:position:length}`
 - `${var#substring}`
 - `${var##substring}`
 - `${var%substring}`
 - `${var%%substring}`
 - `${var/substring/replacement}`
 - `${var//substring/replacement}`
 - `${var/#substring/replacement}`
 - `${var/%substring/replacement}`
 - `${#var}`
 - `${var=default}`
 - `${var:=default}`
 - `${var:-default}`
 _Voir le package [`github.com/drone/envsubst`](https://pkg.go.dev/github.com/drone/envsubst) pour plus de détails._
--- a/doc/fr/references/layers/authn/README.md
+++ b/doc/fr/references/layers/authn/README.md
@ -27,8 +27,8 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
 Le comportement des règles par défaut est le suivant:
 1. L'ensemble des entêtes HTTP correspondant au patron `Remote-*` sont supprimés ;
-2. L'identifiant de l'utilisateur identifié (`user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
+2. L'identifiant de l'utilisateur identifié (`vars.user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
-3. L'ensemble des attributs de l'utilisateur identifié (`user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>` où `<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
+3. L'ensemble des attributs de l'utilisateur identifié (`vars.user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>` où `<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
 ### Fonctions
@ -36,25 +36,25 @@ Le comportement des règles par défaut est le suivant:
 Interdire l'accès à l'utilisateur.
-##### `add_header(name string, value string)`
+##### `add_header(ctx, name string, value string)`
 Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
-##### `set_header(name string, value string)`
+##### `set_header(ctx, name string, value string)`
 Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
-##### `del_headers(pattern string)`
+##### `del_headers(ctx, pattern string)`
 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
-##### `set_host(host string)`
+##### `set_host(ctx, host string)`
 Modifier la valeur de l'entête `Host` de la requête.
-##### `set_url(url string)`
+##### `set_url(ctx, url string)`
 Modifier l'URL du serveur cible.
@ -62,7 +62,7 @@ Modifier l'URL du serveur cible.
 Les règles ont accès aux variables suivantes pendant leur exécution.
-#### `user`
+#### `vars.user`
 L'utilisateur identifié par le layer.
--- a/doc/fr/references/layers/authn/basic.md
+++ b/doc/fr/references/layers/authn/basic.md
@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
-## Objet `user` et attributs
+## Objet `vars.user` et attributs
 L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
- `user.subject` sera initialisé avec le nom d'utilisateur identifié ;
+- `vars.user.subject` sera initialisé avec le nom d'utilisateur identifié ;
- `user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
+- `vars.user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
 ## Métriques
--- a/doc/fr/references/layers/authn/network.md
+++ b/doc/fr/references/layers/authn/network.md
@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
-## Objet `user` et attributs
+## Objet `vars.user` et attributs
-L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
+L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:
- `user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
+- `vars.user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
- `user.attrs` sera vide.
+- `vars.user.attrs` sera vide.
 ## Métriques
--- a/doc/fr/references/layers/authn/oidc.md
+++ b/doc/fr/references/layers/authn/oidc.md
@ -16,18 +16,18 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
-## Objet `user` et attributs
+## Objet `vars.user` et attributs
-L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
+L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:
- `user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
+- `vars.user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
- `user.attrs` comportera les propriétés suivantes:
+- `vars.user.attrs` comportera les propriétés suivantes:
-  - L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `user.attrs.claim_iss`) ;
+  - L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `vars.user.attrs.claim_iss`) ;
-  - `user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
+  - `vars.user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
-  - `user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
+  - `vars.user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
-  - `user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
+  - `vars.user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
-  - `user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
+  - `vars.user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
    **Attention** Cette URL ne permet dans la plupart des cas que de supprimer la session côté Bouncer. La suppression de la session côté fournisseur d'identité est conditionné à la présence ou non de l'attribut [`end_session_endpoint`](https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata) dans les données du point d'entrée de découverte de service (`.wellknown/openid-configuration`).
--- a/doc/fr/references/layers/rewriter.md
+++ b/doc/fr/references/layers/rewriter.md
@ -24,30 +24,63 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
 #### Communes
-##### `add_header(name string, value string)`
+##### `add_header(ctx, name string, value string)`
 Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
-##### `set_header(name string, value string)`
+##### `set_header(ctx, name string, value string)`
 Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
-##### `del_headers(pattern string)`
+##### `del_headers(ctx, pattern string)`
 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
 ##### `get_cookie(ctx, name string) Cookie`
 Récupère un cookie depuis la requête/réponse (en fonction du contexte d'utilisation).
 Retourne `nil` si le cookie n'existe pas.
 **Cookie**
 ```js
 // Plus d'informations sur https://pkg.go.dev/net/http#Cookie
 {
  name: "string", // Nom du cookie
  value: "string", // Valeur associée au cookie
  path: "string", // Chemin associé au cookie (présent uniquement dans un contexte de réponse)
  domain: "string", // Domaine associé au cookie (présent uniquement dans un contexte de réponse)
  expires: "string", // Date d'expiration du cookie (présent uniquement dans un contexte de réponse)
  max_age: "string", // Age maximum du cookie (présent uniquement dans un contexte de réponse)
  secure: "boolean", // Le cookie doit-il être présent uniquement en HTTPS ? (présent uniquement dans un contexte de réponse)
  http_only: "boolean", // Le cookie est il accessible en Javascript ? (présent uniquement dans un contexte de réponse)
  same_site: "int" // Voir https://pkg.go.dev/net/http#SameSite (présent uniquement dans un contexte de réponse)
 }
 ```
 ##### `add_cookie(ctx, cookie Cookie)`
 Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
 Voir la méthode `get_cookie()` pour voir les attributs potentiels.
 #### Requête
-##### `set_host(host string)`
+##### `set_host(ctx, host string)`
 Modifier la valeur de l'entête `Host` de la requête.
-##### `set_url(url string)`
+##### `set_url(ctx, url string)`
 Modifier l'URL du serveur cible.
 ##### `redirect(ctx, statusCode int, url string)`
 Interrompt la requête et retourne une redirection HTTP au client.
 Le code HTTP utilisé doit être supérieur ou égale à `300` et inférieur à `400` (non inclus).
 #### Réponse
 _Pas de fonctions spécifiques._
@ -58,7 +91,28 @@ Les règles ont accès aux variables suivantes pendant leur exécution. **Ces do
 #### Requête
-##### `request`
+##### `vars.original_url`
 L'URL originale, avant réécriture du `Host` par Bouncer.
 ```js
 {
    scheme: "string", // Schéma HTTP de l'URL
    opaque: "string", // Données opaque de l'URL
    user: { // Identifiants d'URL (Basic Auth)
        username: "",
        password: ""
    },
    host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
    path: "string", // Chemin de l'URL (format assaini)
    raw_path: "string", // Chemin de l'URL (format brut)
    raw_query: "string", // Variables d'URL (format brut)
    fragment : "string", // Fragment d'URL (format assaini)
    raw_fragment : "string" // Fragment d'URL (format brut)
 }
 ```
 ##### `vars.request`
 La requête en cours de traitement.
@ -66,48 +120,66 @@ La requête en cours de traitement.
 {
    method: "string", // Méthode HTTP
    host: "string", // Nom d'hôte (`Host`) associé à la requête
-    url: "string", // URL associée à la requête
+    url: { // URL associée à la requête sous sa forme structurée
        scheme: "string", // Schéma HTTP de l'URL
        opaque: "string", // Données opaque de l'URL
        user: { // Identifiants d'URL (Basic Auth)
            username: "",
            password: ""
        },
        host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
        path: "string", // Chemin de l'URL (format assaini)
        raw_path: "string", // Chemin de l'URL (format brut)
        raw_query: "string", // Variables d'URL (format brut)
        fragment : "string", // Fragment d'URL (format assaini)
        raw_fragment : "string" // Fragment d'URL (format brut)
    },
    raw_url: "string", // URL associée à la requête (format assaini)
    proto: "string", // Numéro de version du protocole utilisé
-    protoMajor: "int", // Numéro de version majeure du protocole utilisé
+    proto_major: "int", // Numéro de version majeure du protocole utilisé
-    protoMinor: "int",  // Numéro de version mineur du protocole utilisé
+    proto_minor: "int",  // Numéro de version mineur du protocole utilisé
    header: { // Table associative des entêtes HTTP associés à la requête
        "string": ["string"]
    },
-    contentLength: "int", // Taille du corps de la requête
+    content_length: "int", // Taille du corps de la requête
-    transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
    trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
        "string": ["string"]
    },
-    remoteAddr: "string", // Adresse du client HTTP à l'origine de la requête
+    remote_addr: "string", // Adresse du client HTTP à l'origine de la requête
-    requestUri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
+    request_uri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
 }
 ```
 #### Réponse
-##### `response`
+##### `vars.response`
 La réponse en cours de traitement.
 ```js
 {
-    statusCode: "int", // Code de statut de la réponse
+    status_code: "int", // Code de statut de la réponse
    status: "string", // Message associé au code de statut
    proto: "string", // Numéro de version du protocole utilisé
-    protoMajor: "int", // Numéro de version majeure du protocole utilisé
+    proto_major: "int", // Numéro de version majeure du protocole utilisé
-    protoMinor: "int",  // Numéro de version mineur du protocole utilisé
+    proto_minor: "int",  // Numéro de version mineur du protocole utilisé
    header: { // Table associative des entêtes HTTP associés à la requête
        "string": ["string"]
    },
-    contentLength: "int", // Taille du corps de la réponse
+    content_length: "int", // Taille du corps de la réponse
-    transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
    trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
        "string": ["string"]
    },
 }
 ```
-##### `request`
+##### `vars.request`
 _Voir section précédente._
 ##### `vars.original_url`
 _Voir section précédente._
--- a/doc/fr/tutorials/profiling.md
+++ b/doc/fr/tutorials/profiling.md
@ -1,31 +1,68 @@
-# Analyser les performances de Bouncer
+# Étudier les performances de Bouncer
-1. Lancer un benchmark du proxy
+## In situ
-   ```shell
+Il est possible d'activer via la configuration de Bouncer de endpoints capable de générer des fichiers de profil au format [`pprof`](https://github.com/google/pprof). Par défaut, le point d'entrée est `.bouncer/profiling` (l'activation et la personnalisation de ce point d'entrée sont modifiables via la [configuration](../../../misc/packaging/common/config.yml)).
-   go test -bench=. -run '^$' -count=5 -cpuprofile bench_proxy.prof ./internal/proxy
+
 **Exemple:** Visualiser l'utilisation mémoire de Bouncer
 ```bash
 go tool pprof -web http://<bouncer_proxy>/.bouncer/profiling/heap
 ```
-2. Visualiser les temps d'exécution
+L'ensemble des profils disponibles sont visibles à l'adresse `http://<bouncer_proxy>/.bouncer/profiling`.
-   ```shell
+## En développement
-   go tool pprof -web bench_proxy.prof
+
 Le package `./internal` est dédié à l'étude des performances de Bouncer. Il contient une suite de benchmarks simulant de proxies avec différentes configurations de layers afin d'évaluer les points d'engorgement sur le traitement des requêtes.
 Voir le répertoire `./internal/bench/testdata/proxies` pour voir les différentes configurations de cas.
 ### Lancer les benchmarks
 Le plus simple est d'utiliser la commande `make bench` qui exécutera séquentiellement tous les benchmarks. Il est également possible de lancer un benchmark spécifique via la commande suivante:
 ```bash
 go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$'  ./internal/bench
 ```
-3. Comparer les performances d'une exécution à l'autre
+Par exemple:
 ```bash
 # Pour exécuter ./internal/bench/testdata/proxies/basic-auth.yml
 go test -bench='BenchmarkProxies/basic-auth' -run='^$'  ./internal/bench
 ```
 ### Visualiser les profils d'exécution
 Vous pouvez visualiser les profils d'exécution via la commande suivante:
 ```shell
 go tool pprof -web path/to/file.prof
 ```
 Par défaut l'exécution des benchmarks créera automatiquement des fichiers de profil dans le répertoire `./internal/bench/testdata/proxies`.
 Par exemple:
 ```shell
 go tool pprof -web ./internal/bench/testdata/proxies/basic-auth.prof
 ```
 ### Comparer les évolutions
 ```bash
 # Lancer un premier benchmark
-   go test -bench=. -run '^$' -count=10 ./internal/proxy > bench_before.txt
+go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$'  ./internal/bench
 # Faire une sauvegarde du fichier de profil
 cp ./internal/bench/testdata/proxies/$BENCH_CASE.prof ./internal/bench/testdata/proxies/$BENCH_CASE-prev.prof
 # Faire des modifications sur les sources
 # Lancer un second benchmark
-   go test -bench=. -run '^$' -count=10 ./internal/proxy > bench_after.txt
+go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$'  ./internal/bench
-   # Installer l'outil benchstat
+# Visualiser la différence entre les deux profils
-   make tools/benchstat/bin/benchstat
+go tool pprof -web -base=./internal/bench/testdata/proxies/$BENCH_CASE-prev.prof ./internal/bench/testdata/proxies/$BENCH_CASE.prof
   # Comparer les rapports
   tools/benchstat/bin/benchstat bench_before.txt bench_after.txt
 ```
--- a/doc/fr/tutorials/virtual-hosting.md
+++ b/doc/fr/tutorials/virtual-hosting.md
@ -0,0 +1,129 @@
 # Le cas du "virtual hosting"
 De nombreux serveurs HTTP utilisent le mécanisme du ["virtual hosting"](https://en.wikipedia.org/wiki/Virtual_hosting) afin d'héberger plusieurs sites/applications différentes sur un même serveur, se basant alors sur l'entête HTTP `Host` pour effectuer le routage.
 ## Exemple
 Pour exemple, avec le site [example.net](https://example.net) il est facile de tester ce type de comportement. Ainsi, en exécutant une requête HTTP avec `curl`:
 ```shell
 curl -I https://example.net
 ```
 On obtient le résultat suivant:
 ```
 HTTP/2 200
 accept-ranges: bytes
 age: 568237
 cache-control: max-age=604800
 content-type: text/html; charset=UTF-8
 date: Thu, 27 Jun 2024 08:32:46 GMT
 etag: "3147526947"
 expires: Thu, 04 Jul 2024 08:32:46 GMT
 last-modified: Thu, 17 Oct 2019 07:18:26 GMT
 server: ECAcc (bsb/2789)
 x-cache: HIT
 content-length: 1256
 ```
 Ce résultat indique que le serveur a correctement orienté notre requête (code HTTP `200`) et qu'il nous a renvoyé la réponse attendue.
 Si maintenant on modifie l'entête `Host` de notre requête pour la remplacer par une valeur arbitraire:
 ```shell
 curl -I -H 'Host: localhost:8080' https://example.net
 ```
 On obtient alors le résultat:
 ```
 HTTP/2 404
 content-type: text/html
 date: Thu, 27 Jun 2024 08:38:04 GMT
 server: ECAcc (bsb/2789)
 content-length: 345
 ```
 Le serveur nous répond avec un code HTTP `404`, indiquant qu'il n'a pas trouvé la page demandée.
 > **Note**
 > Le code HTTP retourné par le serveur peut varier en fonction des implémentations. Parfois la requête sera orientée vers la page par défaut, parfois vous recevrez un code d'erreur HTTP comme `404`, `421`, etc.
 ## Avec Bouncer
 Ce mécanisme peut parfois poser problème avec Bouncer car par défaut celui ci n'effectue pas de réécriture de l'entête `Host`. Pour exemple:
 1.  Créez puis activez un nouveau proxy pointant vers https://example.net
    ```shell
    bouncer admin proxy create --proxy-name example --proxy-to https://example.net
    bouncer admin proxy update --proxy-name example --proxy-enabled=true
    ```
 2.  Avec `curl`, faites une requête sur votre nouveau proxy:
    ```shell
     curl -I http://localhost:8080
    ```
    La réponse devrait ressembler à:
    ```
    HTTP/1.1 404 Not Found
    Content-Length: 345
    Content-Type: text/html
    Date: Thu, 27 Jun 2024 08:49:05 GMT
    Server: ECAcc (bsb/2789)
    ```
    On retrouve bien notre code HTTP `404` tel que vu plus haut. En effet, vu que l'on accède au proxy Bouncer avec `http://localhost:8080` alors le serveur distant recevra l'entête `Host: localhost:8080`.
 ### Comment corriger la situation ?
 Le layer [`rewriter`](../references/layers/rewriter.md) a été implémenté notamment pour répondre à ce type de cas. Voyons comment l'utiliser:
 1. Créez puis activez un nouveau layer pour votre proxy `example`:
   ```bash
    # Création du layer
    bouncer admin layer create --proxy-name example --layer-name host-rewrite --layer-type rewriter
    # Mise à jour et activation du layer
    bouncer admin layer update \
        --proxy-name example \
        --layer-name host-rewrite \
        --layer-options '{ "rules": { "request": ["set_host(\"example.net\")"] } }' \
        --layer-enabled=true
   ```
   > **Les règles**
   >
   > Le layer `rewriter` permet la modification des requêtes/réponses via un moteur de règles.
   >
   > [Voir la page du layer pour plus d'informations](../references/layers/rewriter.md) sur la syntaxe ainsi que sur l'API à disposition des règles.
 2. Testez maintenant à nouveau un appel vers votre proxy:
   ```shell
    curl -I http://localhost:8080
   ```
   La réponse devrait ressembler à:
   ```
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 569980
    Cache-Control: max-age=604800
    Content-Length: 1256
    Content-Type: text/html; charset=UTF-8
    Date: Thu, 27 Jun 2024 09:01:49 GMT
    Etag: "3147526947"
    Expires: Thu, 04 Jul 2024 09:01:49 GMT
    Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
    Server: ECAcc (bsb/2789)
    X-Cache: HIT
   ```
   Cette fois ci, le serveur distant a bien identifié la cible de notre requête.
--- a/go.mod
+++ b/go.mod
@ -1,8 +1,8 @@
 module forge.cadoles.com/cadoles/bouncer
-go 1.21
+go 1.23
-toolchain go1.22.0
+toolchain go1.23.0
 require (
 	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926
@ -92,9 +92,9 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
@ -111,18 +111,18 @@ require (
 require (
 	cdr.dev/slog v1.6.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/go-chi/cors v1.2.1
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/uuid v1.3.0
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/httprc v1.0.5 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.19
+	github.com/lestrrat-go/jwx/v2 v2.1.0
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.0 // indirect
 	github.com/lithammer/shortuuid/v4 v4.0.0
@ -132,11 +132,11 @@ require (
 	github.com/urfave/cli/v2 v2.25.3
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20240226160244-6b2826c79f88
-	golang.org/x/crypto v0.19.0
+	golang.org/x/crypto v0.24.0
-	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1
--- a/go.sum
+++ b/go.sum
@ -8,8 +8,6 @@ cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5
 cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
 cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
 cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
 forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6 h1:FTk0ZoaV5N8Tkps5Da5RrDMZZXSHZIuD67Hy1Y4fsos=
 forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
 forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926 h1:gSTTuW2lqH66cGVrhplrVrqos62BY1/GxR3KYh2TElk=
 forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926/go.mod h1:o8ZK5v/3J1dRmklFVn1l6WHAyQ3LgegyHjRIT8KLAFw=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
@ -85,8 +83,8 @@ github.com/dchest/uniuri v1.2.0 h1:koIcOUdrTIivZgSLhHQvKgqdWZq5d7KdMEWF1Ud6+5g=
 github.com/dchest/uniuri v1.2.0/go.mod h1:fSzm4SLHzNZvWLvWJew423PhAzkpNQYq+uNLq4kxhkY=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
@ -135,8 +133,8 @@ github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfC
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@ -210,12 +208,12 @@ github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N
 github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
+github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/OLUk=
-github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.0.19 h1:ekv1qEZE6BVct89QA+pRF6+4pCpfVrOnEJnTnT4RXoY=
+github.com/lestrrat-go/jwx/v2 v2.1.0 h1:0zs7Ya6+39qoit7gwAf+cYm1zzgS3fceIdo7RmQ5lkw=
-github.com/lestrrat-go/jwx/v2 v2.0.19/go.mod h1:l3im3coce1lL2cDeAjqmaR+Awx+X8Ih+2k8BuHNJ4CU=
+github.com/lestrrat-go/jwx/v2 v2.1.0/go.mod h1:Xpw9QIaUGiIUD1Wx0NcY1sIHwFf8lDuZn/cmxtXYRys=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
@ -341,8 +339,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@ -377,13 +375,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -397,8 +395,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -435,13 +433,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -449,8 +447,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -459,8 +457,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/admin/authz.go
+++ b/internal/admin/authz.go
@ -70,7 +70,7 @@ func assertRequestUser(w http.ResponseWriter, r *http.Request) (auth.User, bool)
 	ctx := r.Context()
 	user, err := auth.CtxUser(ctx)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve user", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve user", logger.CapturedE(errors.WithStack(err)))
 		forbidden(w, r)
--- a/internal/admin/error.go
+++ b/internal/admin/error.go
@ -6,7 +6,6 @@ import (
 	"net/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/schema"
 	"github.com/getsentry/sentry-go"
 	"gitlab.com/wpetit/goweb/api"
 	"gitlab.com/wpetit/goweb/logger"
 )
@ -29,11 +28,8 @@ func invalidDataErrorResponse(w http.ResponseWriter, r *http.Request, err *schem
 	}{
 		Message: message,
 	})
 	return
 }
 func logAndCaptureError(ctx context.Context, message string, err error) {
-	sentry.CaptureException(err)
+	logger.Error(ctx, message, logger.CapturedE(err))
 	logger.Error(ctx, message, logger.E(err))
 }
--- a/internal/admin/init.go
+++ b/internal/admin/init.go
@ -27,7 +27,7 @@ func (s *Server) initRepositories(ctx context.Context) error {
 }
 func (s *Server) initRedisClient(ctx context.Context) error {
-	client := setup.NewRedisClient(ctx, s.redisConfig)
+	client := setup.NewSharedClient(s.redisConfig)
 	s.redisClient = client
--- a/internal/admin/server.go
+++ b/internal/admin/server.go
@ -2,10 +2,12 @@ package admin
 import (
 	"context"
 	"expvar"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"net/http/pprof"
 	"forge.cadoles.com/cadoles/bouncer/internal/auth"
 	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
@ -114,7 +116,9 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		router.Use(middleware.RealIP)
 	}
 	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
 	router.Use(middleware.Recoverer)
 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@ -155,6 +159,35 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		})
 	}
 	if s.serverConfig.Profiling.Enabled {
 		profiling := s.serverConfig.Profiling
 		logger.Info(ctx, "enabling profiling", logger.F("endpoint", profiling.Endpoint))
 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
 				logger.Info(ctx, "enabling authentication on profiling endpoint")
 				r.Use(middleware.BasicAuth(
 					"profiling",
 					profiling.BasicAuth.CredentialsMap(),
 				))
 			}
 			r.Route(string(profiling.Endpoint), func(r chi.Router) {
 				r.HandleFunc("/", pprof.Index)
 				r.HandleFunc("/cmdline", pprof.Cmdline)
 				r.HandleFunc("/profile", pprof.Profile)
 				r.HandleFunc("/symbol", pprof.Symbol)
 				r.HandleFunc("/trace", pprof.Trace)
 				r.Handle("/vars", expvar.Handler())
 				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
 					name := chi.URLParam(r, "name")
 					pprof.Handler(name).ServeHTTP(w, r)
 				})
 			})
 		})
 	}
 	router.Route("/api/v1", func(r chi.Router) {
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -52,7 +52,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			for _, auth := range authenticators {
 				user, err = auth.Authenticate(ctx, r)
 				if err != nil {
-					logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
+					logger.Debug(ctx, "could not authenticate request", logger.CapturedE(errors.WithStack(err)))
 					continue
 				}
--- a/internal/bench/proxy_test.go
+++ b/internal/bench/proxy_test.go
@ -0,0 +1,318 @@
 package proxy_test
 import (
 	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"net/http/httputil"
 	"net/url"
 	"os"
 	"path/filepath"
 	"runtime/pprof"
 	"strings"
 	"testing"
 	"time"
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
 	"github.com/pkg/errors"
 	"github.com/redis/go-redis/v9"
 	"gitlab.com/wpetit/goweb/logger"
 	"gopkg.in/yaml.v3"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 )
 func BenchmarkProxies(b *testing.B) {
 	proxyFiles, err := filepath.Glob("testdata/proxies/*.yml")
 	if err != nil {
 		b.Fatalf("%+v", errors.WithStack(err))
 	}
 	for _, f := range proxyFiles {
 		name := strings.TrimSuffix(filepath.Base(f), filepath.Ext(f))
 		b.Run(name, func(b *testing.B) {
 			heap, err := os.Create(filepath.Join("testdata", "proxies", name+"_heap.prof"))
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could not create heap profile"))
 			}
 			defer func() {
 				defer heap.Close()
 				if err := pprof.WriteHeapProfile(heap); err != nil {
 					b.Fatalf("%+v", errors.WithStack(err))
 				}
 			}()
 			conf, err := loadProxyBenchConfig(f)
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could notre load bench config"))
 			}
 			proxy, backend, err := createProxy(name, conf, b.Logf)
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could not create proxy"))
 			}
 			defer proxy.Close()
 			if backend != nil {
 				defer backend.Close()
 			}
 			client := proxy.Client()
 			proxyURL, err := url.Parse(proxy.URL)
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could not parse proxy url"))
 			}
 			if conf.Fetch.URL.Path != "" {
 				proxyURL.Path = conf.Fetch.URL.Path
 			}
 			if conf.Fetch.URL.RawQuery != "" {
 				proxyURL.RawQuery = conf.Fetch.URL.RawQuery
 			}
 			if conf.Fetch.URL.User.Username != "" || conf.Fetch.URL.User.Password != "" {
 				proxyURL.User = url.UserPassword(conf.Fetch.URL.User.Username, conf.Fetch.URL.User.Password)
 			}
 			rawProxyURL := proxyURL.String()
 			b.Logf("fetching url '%s'", rawProxyURL)
 			profile, err := os.Create(filepath.Join("testdata", "proxies", name+"_cpu.prof"))
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could not create cpu profile"))
 			}
 			defer profile.Close()
 			if err := pprof.StartCPUProfile(profile); err != nil {
 				b.Fatalf("%+v", errors.WithStack(err))
 			}
 			defer pprof.StopCPUProfile()
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				res, err := client.Get(rawProxyURL)
 				if err != nil {
 					b.Errorf("could not fetch proxy url: %+v", errors.WithStack(err))
 				}
 				body, err := io.ReadAll(res.Body)
 				if err != nil {
 					b.Errorf("could not read response body: %+v", errors.WithStack(err))
 				}
 				b.Logf("%s \n %v", res.Status, string(body))
 				if err := res.Body.Close(); err != nil {
 					b.Errorf("could not close response body: %+v", errors.WithStack(err))
 				}
 			}
 		})
 	}
 }
 type proxyBenchConfig struct {
 	Proxy config.BootstrapProxyConfig `yaml:"proxy"`
 	Fetch fetchBenchConfig            `yaml:"fetch"`
 }
 type fetchBenchConfig struct {
 	URL fetchURLBenchConfig `yaml:"url"`
 }
 type fetchURLBenchConfig struct {
 	Path     string                  `yaml:"path"`
 	RawQuery string                  `yaml:"rawQuery"`
 	User     fetchURLUserBenchConfig `yaml:"user"`
 }
 type fetchURLUserBenchConfig struct {
 	Username string `yaml:"username"`
 	Password string `yaml:"password"`
 }
 func loadProxyBenchConfig(filename string) (*proxyBenchConfig, error) {
 	data, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errors.Wrapf(err, "could not read file '%s'", filename)
 	}
 	conf := proxyBenchConfig{}
 	if err := yaml.Unmarshal(data, &conf); err != nil {
 		return nil, errors.Wrapf(err, "could not unmarshal config")
 	}
 	return &conf, nil
 }
 func createProxy(name string, conf *proxyBenchConfig, logf func(format string, a ...any)) (*httptest.Server, *httptest.Server, error) {
 	redisEndpoint := os.Getenv("BOUNCER_BENCH_REDIS_ADDR")
 	if redisEndpoint == "" {
 		redisEndpoint = "127.0.0.1:6379"
 	}
 	client := redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs: []string{redisEndpoint},
 	})
 	proxyRepository := redisStore.NewProxyRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay)
 	layerRepository := redisStore.NewLayerRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay)
 	var backend *httptest.Server
 	if conf.Proxy.To == "" {
 		backend = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusOK)
 			if _, err := w.Write([]byte("Hello, world.")); err != nil {
 				logf("[ERROR] %+v", errors.WithStack(err))
 			}
 		}))
 		if err := waitFor(backend.URL, 5*time.Second); err != nil {
 			return nil, nil, errors.WithStack(err)
 		}
 		logf("started backend '%s'", backend.URL)
 	}
 	ctx := context.Background()
 	proxyName := store.ProxyName("bench-" + name)
 	proxies, err := proxyRepository.QueryProxy(ctx)
 	if err != nil {
 		return nil, nil, errors.WithStack(err)
 	}
 	// Cleanup existing proxies
 	for _, p := range proxies {
 		if err := proxyRepository.DeleteProxy(ctx, p.Name); err != nil {
 			return nil, nil, errors.WithStack(err)
 		}
 	}
 	logf("creating proxy '%s'", proxyName)
 	to := string(conf.Proxy.To)
 	if to == "" {
 		to = backend.URL
 	}
 	if _, err := proxyRepository.CreateProxy(ctx, proxyName, to, conf.Proxy.From...); err != nil {
 		return nil, nil, errors.WithStack(err)
 	}
 	if _, err := proxyRepository.UpdateProxy(ctx, proxyName, store.WithProxyUpdateEnabled(true)); err != nil {
 		return nil, nil, errors.WithStack(err)
 	}
 	for layerName, layerConf := range conf.Proxy.Layers {
 		if err := layerRepository.DeleteLayer(ctx, proxyName, store.LayerName(layerName)); err != nil {
 			return nil, nil, errors.WithStack(err)
 		}
 		_, err := layerRepository.CreateLayer(ctx, proxyName, store.LayerName(layerName), store.LayerType(layerConf.Type), layerConf.Options.Data)
 		if err != nil {
 			return nil, nil, errors.WithStack(err)
 		}
 		_, err = layerRepository.UpdateLayer(ctx, proxyName, store.LayerName(layerName), store.WithLayerUpdateEnabled(bool(layerConf.Enabled)))
 		if err != nil {
 			return nil, nil, errors.WithStack(err)
 		}
 	}
 	appConf := config.NewDefault()
 	appConf.Logger.Level = config.InterpolatedInt(logger.LevelError)
 	appConf.Layers.Authn.TemplateDir = "../../layers/authn/templates"
 	appConf.Layers.Queue.TemplateDir = "../../layers/queue/templates"
 	layers, err := setup.GetLayers(context.Background(), appConf)
 	if err != nil {
 		return nil, nil, errors.WithStack(err)
 	}
 	director := director.New(
 		proxyRepository, layerRepository,
 		director.WithLayerCache(
 			ttl.NewCache(
 				memory.NewCache[string, []*store.Layer](),
 				memory.NewCache[string, time.Time](),
 				30*time.Second,
 			),
 		),
 		director.WithProxyCache(
 			ttl.NewCache(
 				memory.NewCache[string, []*store.Proxy](),
 				memory.NewCache[string, time.Time](),
 				30*time.Second,
 			),
 		),
 		director.WithLayers(layers...),
 	)
 	directorMiddleware := director.Middleware()
 	handler := proxy.New(
 		proxy.WithRequestTransformers(
 			director.RequestTransformer(),
 		),
 		proxy.WithResponseTransformers(
 			director.ResponseTransformer(),
 		),
 		proxy.WithReverseProxyFactory(func(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
 			reverse := httputil.NewSingleHostReverseProxy(target)
 			reverse.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
 				logf("[ERROR] %s", errors.WithStack(err))
 			}
 			return reverse
 		}),
 	)
 	server := httptest.NewServer(directorMiddleware(handler))
 	return server, backend, nil
 }
 func waitFor(url string, ttl time.Duration) error {
 	var lastErr error
 	timeout := time.After(ttl)
 	for {
 		select {
 		case <-timeout:
 			if lastErr != nil {
 				return lastErr
 			}
 			return errors.New("wait timed out")
 		default:
 			res, err := http.Get(url)
 			if err != nil {
 				lastErr = errors.WithStack(err)
 				continue
 			}
 			if res.StatusCode >= 200 && res.StatusCode < 400 {
 				return nil
 			}
 		}
 	}
 }
--- a/internal/bench/testdata/proxies/basic-auth.yml
+++ b/internal/bench/testdata/proxies/basic-auth.yml
@ -0,0 +1,20 @@
 proxy:
  from: ["*"]
  to: ""
  layers:
    basic-auth:
      type: authn-basic
      enabled: true
      options:
        users:
          - username: foo
            passwordHash: "$2y$10$ShTc856wMB8PCxyr46qJRO8z06MpV4UejAVRDJ/bixhu0XTGn7Giy"
            attributes:
              email: foo@bar.com
        rules:
          - set_header(ctx, "Remote-User-Attr-Email", vars.user.attrs.email)
 fetch:
  url:
    user:
      username: foo
      password: bar
--- a/internal/bench/testdata/proxies/noop.yml
+++ b/internal/bench/testdata/proxies/noop.yml
@ -0,0 +1,3 @@
 proxy:
  from: ["*"]
  to: ""
--- a/internal/bench/testdata/proxies/queue.yml
+++ b/internal/bench/testdata/proxies/queue.yml
@ -0,0 +1,10 @@
 proxy:
  from: ["*"]
  to: ""
  layers:
    queue:
      type: queue
      enabled: true
      options:
        capacity: 100
        keepAlive: 10s
--- a/internal/bench/testdata/proxies/rewriter.yml
+++ b/internal/bench/testdata/proxies/rewriter.yml
@ -0,0 +1,12 @@
 proxy:
  from: ["*"]
  to: ""
  layers:
    host-rewriter:
      type: rewriter
      enabled: true
      options:
        rules:
          request:
            - set_host(ctx, vars.request.url.host)
            - set_header(ctx, "X-Proxied-With", "bouncer")
--- a/internal/cache/cache.go
+++ b/internal/cache/cache.go
@ -3,4 +3,5 @@ package cache
 type Cache[K comparable, V any] interface {
 	Get(key K) (V, bool)
 	Set(key K, value V)
 	Clear()
 }
--- a/internal/cache/memory/cache.go
+++ b/internal/cache/memory/cache.go
@ -25,6 +25,10 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.store.Store(key, value)
 }
 func (c *Cache[K, V]) Clear() {
 	c.store.Clear()
 }
 func NewCache[K comparable, V any]() *Cache[K, V] {
 	return &Cache[K, V]{
 		store: new(sync.Map),
--- a/internal/cache/ttl/cache.go
+++ b/internal/cache/ttl/cache.go
@ -28,6 +28,11 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.values.Set(key, value)
 }
 func (c *Cache[K, V]) Clear() {
 	c.timestamps.Clear()
 	c.values.Clear()
 }
 func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
 	return &Cache[K, V]{
 		values:     values,
--- a/internal/chi/log_formatter.go
+++ b/internal/chi/log_formatter.go
@ -2,7 +2,6 @@ package chi
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"time"
@ -37,12 +36,19 @@ type LogEntry struct {
 // Panic implements middleware.LogEntry
 func (e *LogEntry) Panic(v interface{}, stack []byte) {
-	logger.Error(e.ctx, fmt.Sprintf("%s %s", e.method, e.path), logger.F("stack", string(stack)))
+	logger.Error(
 		e.ctx, "http panic",
 		logger.F("stack", string(stack)),
 		logger.F("host", e.host),
 		logger.F("method", e.method),
 		logger.F("path", e.path),
 	)
 }
 // Write implements middleware.LogEntry
 func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
-	logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
+	logger.Info(
 		e.ctx, "http request",
 		logger.F("host", e.host),
 		logger.F("status", status),
 		logger.F("bytes", bytes),
--- a/internal/command/admin/layer/util.go
+++ b/internal/command/admin/layer/util.go
@ -13,6 +13,7 @@ func layerHeaderHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("Type", "Type"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
 			format.NewProp("Revision", "Revision"),
 		},
 	}
 }
@ -25,6 +26,7 @@ func layerHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("Type", "Type"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
 			format.NewProp("Revision", "Revision"),
 			format.NewProp("Options", "Options"),
 			format.NewProp("CreatedAt", "CreatedAt", table.WithCompactModeMaxColumnWidth(20)),
 			format.NewProp("UpdatedAt", "UpdatedAt", table.WithCompactModeMaxColumnWidth(20)),
--- a/internal/command/admin/proxy/util.go
+++ b/internal/command/admin/proxy/util.go
@ -12,6 +12,7 @@ func proxyHeaderHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("Name", "Name"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
 			format.NewProp("Revision", "Revision"),
 		},
 	}
 }
@ -25,6 +26,7 @@ func proxyHints(outputMode format.OutputMode) format.Hints {
 			format.NewProp("To", "To"),
 			format.NewProp("Enabled", "Enabled"),
 			format.NewProp("Weight", "Weight"),
 			format.NewProp("Revision", "Revision"),
 			format.NewProp("CreatedAt", "CreatedAt", table.WithCompactModeMaxColumnWidth(20)),
 			format.NewProp("UpdatedAt", "UpdatedAt", table.WithCompactModeMaxColumnWidth(20)),
 		},
--- a/internal/command/server/admin/run.go
+++ b/internal/command/server/admin/run.go
@ -12,14 +12,8 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )
 const (
 	flagPrintDefaultToken = "print-default-token"
 )
 func RunCommand() *cli.Command {
-	flags := append(
+	flags := common.Flags()
 		common.Flags(),
 	)
 	return &cli.Command{
 		Name:  "run",
@ -34,13 +28,18 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))
 			logger.Debug(ctx.Context, "using config", logger.F("config", conf))
 			projectVersion := ctx.String("projectVersion")
-			flushSentry, err := setup.SetupSentry(ctx.Context, conf.Admin.Sentry, projectVersion)
+
 			if conf.Proxy.Sentry.DSN != "" {
 				flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
 				if err != nil {
 					return errors.Wrap(err, "could not initialize sentry client")
 				}
 				defer flushSentry()
 			}
 			integrations, err := setup.SetupIntegrations(ctx.Context, conf)
 			if err != nil {
--- a/internal/command/server/dummy/index.gohtml
+++ b/internal/command/server/dummy/index.gohtml
@ -4,14 +4,14 @@
    <h2>Incoming headers</h2>
    <table style="width: 100%">
      <thead>
-        <tr>
+        <tr style="text-align: left">
          <th>Key</th>
          <th>Value</th>
        </tr>
      </thead>
      <tbody>
        {{ range $key, $val := .Request.Header }}
-        <tr>
+        <tr style="text-align: left">
          <td>
            <b>{{ $key }}</b>
          </td>
@ -27,7 +27,7 @@
    <h2>Incoming cookies</h2>
    <table style="width: 100%">
      <thead>
-        <tr>
+        <tr style="text-align: left">
          <th>Name</th>
          <th>Domain</th>
          <th>Path</th>
@ -41,7 +41,7 @@
      </thead>
      <tbody>
        {{ range $cookie := .Request.Cookies }}
-        <tr>
+        <tr style="text-align: left">
          <td>
            <b>{{ $cookie.Name }}</b>
          </td>
--- a/internal/command/server/dummy/run.go
+++ b/internal/command/server/dummy/run.go
@ -53,7 +53,7 @@ func RunCommand() *cli.Command {
 				}
 				if err := tmpl.Execute(w, data); err != nil {
-					logger.Error(ctx.Context, "could not execute template", logger.E(errors.WithStack(err)))
+					logger.Error(ctx.Context, "could not execute template", logger.CapturedE(errors.WithStack(err)))
 				}
 			})
--- a/internal/command/server/proxy/run.go
+++ b/internal/command/server/proxy/run.go
@ -29,13 +29,18 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))
 			logger.Debug(ctx.Context, "using config", logger.F("config", conf))
 			projectVersion := ctx.String("projectVersion")
 			if conf.Proxy.Sentry.DSN != "" {
 				flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
 				if err != nil {
 					return errors.Wrap(err, "could not initialize sentry client")
 				}
 				defer flushSentry()
 			}
 			layers, err := setup.GetLayers(ctx.Context, conf)
 			if err != nil {
@ -46,7 +51,7 @@ func RunCommand() *cli.Command {
 				proxy.WithServerConfig(conf.Proxy),
 				proxy.WithRedisConfig(conf.Redis),
 				proxy.WithDirectorLayers(layers...),
-				proxy.WithDirectorCacheTTL(time.Duration(conf.Proxy.Cache.TTL)),
+				proxy.WithDirectorCacheTTL(time.Duration(*conf.Proxy.Cache.TTL)),
 			)
 			addrs, srvErrs := srv.Start(ctx.Context)
--- a/internal/config/admin_server.go
+++ b/internal/config/admin_server.go
@ -5,6 +5,7 @@ type AdminServerConfig struct {
 	CORS      CORSConfig      `yaml:"cors"`
 	Auth      AuthConfig      `yaml:"auth"`
 	Metrics   MetricsConfig   `yaml:"metrics"`
 	Profiling ProfilingConfig `yaml:"profiling"`
 	Sentry    SentryConfig    `yaml:"sentry"`
 }
@ -15,6 +16,7 @@ func NewDefaultAdminServerConfig() AdminServerConfig {
 		Auth:      NewDefaultAuthConfig(),
 		Metrics:   NewDefaultMetricsConfig(),
 		Sentry:    NewDefaultSentryConfig(),
 		Profiling: NewDefaultProfilingConfig(),
 	}
 }
--- a/internal/config/bootstrap.go
+++ b/internal/config/bootstrap.go
@ -80,9 +80,22 @@ func loadBootstrapDir(dir string) (map[store.ProxyName]BootstrapProxyConfig, err
 	proxies := make(map[store.ProxyName]BootstrapProxyConfig)
 	for _, f := range files {
-		data, err := os.ReadFile(f)
+		proxy, err := loadBootstrappedProxyConfig(f)
 		if err != nil {
-			return nil, errors.Wrapf(err, "could not read file '%s'", f)
+			return nil, errors.Wrapf(err, "could not load proxy bootstrap file '%s'", f)
 		}
 		name := store.ProxyName(strings.TrimSuffix(filepath.Base(f), filepath.Ext(f)))
 		proxies[name] = *proxy
 	}
 	return proxies, nil
 }
 func loadBootstrappedProxyConfig(filename string) (*BootstrapProxyConfig, error) {
 	data, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errors.Wrapf(err, "could not read file '%s'", filename)
 	}
 	proxy := BootstrapProxyConfig{}
@ -91,11 +104,7 @@ func loadBootstrapDir(dir string) (map[store.ProxyName]BootstrapProxyConfig, err
 		return nil, errors.Wrapf(err, "could not unmarshal proxy")
 	}
-		name := store.ProxyName(strings.TrimSuffix(filepath.Base(f), filepath.Ext(f)))
+	return &proxy, nil
 		proxies[name] = proxy
 	}
 	return proxies, nil
 }
 func overrideProxies(base map[store.ProxyName]BootstrapProxyConfig, proxies map[store.ProxyName]BootstrapProxyConfig) map[store.ProxyName]BootstrapProxyConfig {
--- a/internal/config/environment.go
+++ b/internal/config/environment.go
@ -2,7 +2,6 @@ package config
 import (
 	"os"
 	"regexp"
 	"strconv"
 	"time"
@ -11,9 +10,6 @@ import (
 	"gopkg.in/yaml.v3"
 )
 // var reVar = regexp.MustCompile(`^\${(\w+)}$`)
 var reVar = regexp.MustCompile(`\${(.*?)}`)
 type InterpolatedString string
 func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
@ -23,12 +19,13 @@ func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
 		return errors.WithStack(err)
 	}
-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
+	str, err := envsubst.Eval(str, getEnv)
-		*is = InterpolatedString(os.Getenv(match[1]))
+	if err != nil {
-	} else {
+		return errors.WithStack(err)
 		*is = InterpolatedString(str)
 	}
 	*is = InterpolatedString(str)
 	return nil
 }
@ -41,8 +38,9 @@ func (ii *InterpolatedInt) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
+	str, err := envsubst.Eval(str, getEnv)
-		str = os.Getenv(match[1])
+	if err != nil {
 		return errors.WithStack(err)
 	}
 	intVal, err := strconv.ParseInt(str, 10, 32)
@ -64,11 +62,12 @@ func (ifl *InterpolatedFloat) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
+	str, err := envsubst.Eval(str, getEnv)
-		str = os.Getenv(match[1])
+	if err != nil {
 		return errors.WithStack(err)
 	}
-	floatVal, err := strconv.ParseFloat(str, 10)
+	floatVal, err := strconv.ParseFloat(str, 32)
 	if err != nil {
 		return errors.Wrapf(err, "could not parse float '%v',  line '%d'", str, value.Line)
 	}
@ -87,8 +86,9 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
+	str, err := envsubst.Eval(str, getEnv)
-		str = os.Getenv(match[1])
+	if err != nil {
 		return errors.WithStack(err)
 	}
 	boolVal, err := strconv.ParseBool(str)
@ -101,9 +101,10 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }
 var getEnv = os.Getenv
 type InterpolatedMap struct {
 	Data map[string]any
 	getEnv func(string) string
 }
 func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
@ -113,10 +114,6 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}
 	if im.getEnv == nil {
 		im.getEnv = os.Getenv
 	}
 	interpolated, err := im.interpolateRecursive(data)
 	if err != nil {
 		return errors.WithStack(err)
@ -127,7 +124,7 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }
-func (im *InterpolatedMap) interpolateRecursive(data any) (any, error) {
+func (im InterpolatedMap) interpolateRecursive(data any) (any, error) {
 	switch typ := data.(type) {
 	case map[string]any:
 		for key, value := range typ {
@ -140,7 +137,7 @@ func (im *InterpolatedMap) interpolateRecursive(data any) (any, error) {
 		}
 	case string:
-		value, err := envsubst.Eval(typ, im.getEnv)
+		value, err := envsubst.Eval(typ, getEnv)
 		if err != nil {
 			return nil, errors.WithStack(err)
 		}
@ -165,22 +162,15 @@ type InterpolatedStringSlice []string
 func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
 	var data []string
 	var evErr error
 	if err := value.Decode(&data); err != nil {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}
 	for index, value := range data {
-		//match := reVar.FindStringSubmatch(value)
+		value, err := envsubst.Eval(value, getEnv)
-		re := regexp.MustCompile(`\${(.*?)}`)
+		if err != nil {
-
+			return errors.WithStack(err)
 		res := re.FindAllStringSubmatch(value, 10)
 		if len(res) > 0 {
 			value, evErr = envsubst.EvalEnv(value)
 			if evErr != nil {
 				return evErr
 			}
 		}
 		data[index] = value
@ -200,8 +190,9 @@ func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
-	if match := reVar.FindStringSubmatch(str); len(match) > 0 {
+	str, err := envsubst.Eval(str, getEnv)
-		str = os.Getenv(match[1])
+	if err != nil {
 		return errors.WithStack(err)
 	}
 	duration, err := time.ParseDuration(str)
--- a/internal/config/environment_test.go
+++ b/internal/config/environment_test.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"testing"
 	"time"
 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v3"
@ -65,7 +66,7 @@ func TestInterpolatedMap(t *testing.T) {
 			var interpolatedMap InterpolatedMap
 			if tc.Env != nil {
-				interpolatedMap.getEnv = func(key string) string {
+				getEnv = func(key string) string {
 					return tc.Env[key]
 				}
 			}
@ -80,3 +81,54 @@ func TestInterpolatedMap(t *testing.T) {
 		})
 	}
 }
 func TestInterpolatedDuration(t *testing.T) {
 	type testCase struct {
 		Path   string
 		Env    map[string]string
 		Assert func(t *testing.T, parsed *InterpolatedDuration)
 	}
 	testCases := []testCase{
 		{
 			Path: "testdata/environment/interpolated-duration.yml",
 			Env: map[string]string{
 				"MY_DURATION": "30s",
 			},
 			Assert: func(t *testing.T, parsed *InterpolatedDuration) {
 				if e, g := 30*time.Second, parsed; e != time.Duration(*g) {
 					t.Errorf("parsed: expected '%v', got '%v'", e, g)
 				}
 			},
 		},
 	}
 	for idx, tc := range testCases {
 		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
 			data, err := os.ReadFile(tc.Path)
 			if err != nil {
 				t.Fatalf("%+v", errors.WithStack(err))
 			}
 			if tc.Env != nil {
 				getEnv = func(key string) string {
 					return tc.Env[key]
 				}
 			}
 			config := struct {
 				Duration *InterpolatedDuration `yaml:"duration"`
 			}{
 				Duration: NewInterpolatedDuration(-1),
 			}
 			if err := yaml.Unmarshal(data, &config); err != nil {
 				t.Fatalf("%+v", errors.WithStack(err))
 			}
 			if tc.Assert != nil {
 				tc.Assert(t, config.Duration)
 			}
 		})
 	}
 }
--- a/internal/config/layers.go
+++ b/internal/config/layers.go
@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
 				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
 			},
 			Sessions: AuthnLayerSessionConfig{
 				TTL: NewInterpolatedDuration(time.Hour),
 			},
 		},
 	}
@ -34,10 +38,16 @@ type AuthnLayerConfig struct {
 	Debug       InterpolatedBool        `yaml:"debug"`
 	TemplateDir InterpolatedString      `yaml:"templateDir"`
 	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
 	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
 }
 type AuthnLayerSessionConfig struct {
 	TTL *InterpolatedDuration `yaml:"ttl"`
 }
 type AuthnOIDCLayerConfig struct {
 	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
 	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }
 type AuthnOIDCHTTPClientConfig struct {
--- a/internal/config/profiling.go
+++ b/internal/config/profiling.go
@ -0,0 +1,15 @@
 package config
 type ProfilingConfig struct {
 	Enabled   InterpolatedBool   `yaml:"enabled"`
 	Endpoint  InterpolatedString `yaml:"endpoint"`
 	BasicAuth *BasicAuthConfig   `yaml:"basicAuth"`
 }
 func NewDefaultProfilingConfig() ProfilingConfig {
 	return ProfilingConfig{
 		Enabled:   true,
 		Endpoint:  "/.bouncer/profiling",
 		BasicAuth: nil,
 	}
 }
--- a/internal/config/proxy_server.go
+++ b/internal/config/proxy_server.go
@ -10,6 +10,7 @@ type ProxyServerConfig struct {
 	Debug     InterpolatedBool `yaml:"debug"`
 	HTTP      HTTPConfig       `yaml:"http"`
 	Metrics   MetricsConfig    `yaml:"metrics"`
 	Profiling ProfilingConfig  `yaml:"profiling"`
 	Transport TransportConfig  `yaml:"transport"`
 	Dial      DialConfig       `yaml:"dial"`
 	Sentry    SentryConfig     `yaml:"sentry"`
@ -27,6 +28,7 @@ func NewDefaultProxyServerConfig() ProxyServerConfig {
 		Sentry:    NewDefaultSentryConfig(),
 		Cache:     NewDefaultCacheConfig(),
 		Templates: NewDefaultTemplatesConfig(),
 		Profiling: NewDefaultProfilingConfig(),
 	}
 }
@ -111,12 +113,12 @@ func NewDefaultDialConfig() DialConfig {
 }
 type CacheConfig struct {
-	TTL InterpolatedDuration `yaml:"ttl"`
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }
 func NewDefaultCacheConfig() CacheConfig {
 	return CacheConfig{
-		TTL: *NewInterpolatedDuration(time.Second * 30),
+		TTL: NewInterpolatedDuration(time.Second * 30),
 	}
 }
--- a/internal/config/redis.go
+++ b/internal/config/redis.go
@ -15,6 +15,16 @@ type RedisConfig struct {
 	WriteTimeout          InterpolatedDuration    `yaml:"writeTimeout"`
 	DialTimeout           InterpolatedDuration    `yaml:"dialTimeout"`
 	LockMaxRetries        InterpolatedInt         `yaml:"lockMaxRetries"`
 	RouteByLatency        InterpolatedBool        `yaml:"routeByLatency"`
 	ContextTimeoutEnabled InterpolatedBool        `yaml:"contextTimeoutEnabled"`
 	MaxRetries            InterpolatedInt         `yaml:"maxRetries"`
 	PingInterval          InterpolatedDuration    `yaml:"pingInterval"`
 	PoolSize              InterpolatedInt         `yaml:"poolSize"`
 	PoolTimeout           InterpolatedDuration    `yaml:"poolTimeout"`
 	MinIdleConns          InterpolatedInt         `yaml:"minIdleConns"`
 	MaxIdleConns          InterpolatedInt         `yaml:"maxIdleConns"`
 	ConnMaxIdleTime       InterpolatedDuration    `yaml:"connMaxIdleTime"`
 	ConnMaxLifetime       InterpolatedDuration    `yaml:"connMaxLifeTime"`
 }
 func NewDefaultRedisConfig() RedisConfig {
@ -25,5 +35,9 @@ func NewDefaultRedisConfig() RedisConfig {
 		WriteTimeout:          InterpolatedDuration(30 * time.Second),
 		DialTimeout:           InterpolatedDuration(30 * time.Second),
 		LockMaxRetries:        10,
 		MaxRetries:            3,
 		PingInterval:          InterpolatedDuration(30 * time.Second),
 		ContextTimeoutEnabled: true,
 		RouteByLatency:        true,
 	}
 }
--- a/internal/config/sentry.go
+++ b/internal/config/sentry.go
@ -29,10 +29,10 @@ func NewDefaultSentryConfig() SentryConfig {
 		FlushTimeout:       NewInterpolatedDuration(2 * time.Second),
 		AttachStacktrace:   true,
 		SampleRate:         1,
-		EnableTracing:      true,
+		EnableTracing:      false,
-		TracesSampleRate:   0.2,
+		TracesSampleRate:   0.1,
-		ProfilesSampleRate: 1,
+		ProfilesSampleRate: 0.1,
-		IgnoreErrors:       []string{},
+		IgnoreErrors:       []string{"context canceled", "net/http: abort"},
 		SendDefaultPII:     false,
 		ServerName:         "",
 		Environment:        "",
--- a/internal/config/testdata/environment/interpolated-duration.yml
+++ b/internal/config/testdata/environment/interpolated-duration.yml
@ -0,0 +1 @@
 duration: ${MY_DURATION}
--- a/internal/lock/redis/locker.go
+++ b/internal/lock/redis/locker.go
@ -38,7 +38,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration
 		defer func() {
 			if err := lock.Release(ctx); err != nil {
-				logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not release lock", logger.CapturedE(errors.WithStack(err)))
 			}
 			logger.Debug(ctx, "lock released")
--- a/internal/lock/redis/retry.go
+++ b/internal/lock/redis/retry.go
@ -30,7 +30,7 @@ func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Con
 			return errors.Wrapf(err, "execution failed after %d attempts", attempts)
 		}
-		logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
+		logger.Error(ctx, "error while executing func, retrying with backoff", logger.CapturedE(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
 		time.Sleep(backoffDelay)
--- a/internal/proxy/director/context.go
+++ b/internal/proxy/director/context.go
@ -2,10 +2,13 @@ package director
 import (
 	"context"
 	"net/http"
 	"net/url"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
 type contextKey string
@ -14,6 +17,8 @@ const (
 	contextKeyProxy       contextKey = "proxy"
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
 	contextKeyHandleError contextKey = "handleError"
 	contextKeySentryScope contextKey = "sentryScope"
 )
 var (
@ -60,3 +65,35 @@ func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {
 	return value, nil
 }
 type HandleErrorFunc func(w http.ResponseWriter, r *http.Request, status int, err error)
 func withHandleError(ctx context.Context, fn HandleErrorFunc) context.Context {
 	return context.WithValue(ctx, contextKeyHandleError, fn)
 }
 func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
 	fn, ok := ctx.Value(contextKeyHandleError).(HandleErrorFunc)
 	if !ok {
 		logger.Error(ctx, err.Error(), logger.CapturedE(err))
 		http.Error(w, http.StatusText(status), status)
 		return
 	}
 	fn(w, r, status, err)
 }
 func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
 	return context.WithValue(ctx, contextKeySentryScope, scope)
 }
 func SentryScope(ctx context.Context) (*sentry.Scope, error) {
 	scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return scope, nil
 }
--- a/internal/proxy/director/director.go
+++ b/internal/proxy/director/director.go
@ -7,8 +7,9 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
 	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"gitlab.com/wpetit/goweb/logger"
@ -19,20 +20,23 @@ type Director struct {
 	layerRepository store.LayerRepository
 	layerRegistry   *LayerRegistry
-	proxyCache cache.Cache[string, []*store.Proxy]
+	cachedProxies *syncx.CachedResource[string, []*store.Proxy]
-	layerCache cache.Cache[string, []*store.Layer]
+	cachedLayers  *syncx.CachedResource[string, []*store.Layer]
 	handleError HandleErrorFunc
 }
 const proxiesCacheKey = "proxies"
 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	ctx := r.Context()
-	proxies, err := d.getProxies(ctx)
+	proxies, _, err := d.cachedProxies.Get(ctx, proxiesCacheKey)
 	if err != nil {
 		return r, errors.WithStack(err)
 	}
 	url := getRequestURL(r)
 	ctx = withOriginalURL(ctx, url)
 	ctx = logger.With(ctx, logger.F("url", url.String()))
@ -40,21 +44,11 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	for _, p := range proxies {
 		for _, from := range p.From {
 			logger.Debug(
 				ctx, "matching request with proxy's from",
 				logger.F("from", from),
 			)
 			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}
-			logger.Debug(
+			proxyCtx := logger.With(ctx,
 				ctx, "proxy's from matched",
 				logger.F("from", from),
 			)
 			ctx = logger.With(ctx,
 				logger.F("proxy", p.Name),
 				logger.F("host", r.Host),
 				logger.F("remoteAddr", r.RemoteAddr),
@ -62,7 +56,7 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
-			proxyLayers, err := d.getLayers(ctx, p.Name)
+			proxyLayers, _, err := d.cachedLayers.Get(proxyCtx, string(p.Name))
 			if err != nil {
 				return r, errors.WithStack(err)
 			}
@ -82,8 +76,16 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			r.URL.Scheme = toURL.Scheme
 			r.URL.Path = toURL.JoinPath(r.URL.Path).Path
-			ctx = withLayers(ctx, layers)
+			proxyCtx = withLayers(proxyCtx, layers)
-			r = r.WithContext(ctx)
+			r = r.WithContext(proxyCtx)
 			if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
 				sentryScope.SetTags(map[string]string{
 					"bouncer.proxy.name":        string(p.Name),
 					"bouncer.proxy.target.url":  r.URL.String(),
 					"bouncer.proxy.target.host": r.URL.Host,
 				})
 			}
 			return r, nil
 		}
@ -95,13 +97,8 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	return r, nil
 }
-const proxiesCacheKey = "proxies"
+func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy, error) {
-
+	logger.Debug(ctx, "querying fresh proxies")
 func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 	proxies, exists := d.proxyCache.Get(proxiesCacheKey)
 	if exists {
 		return proxies, nil
 	}
 	headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
 	if err != nil {
@ -110,7 +107,7 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 	sort.Sort(store.ByProxyWeight(headers))
-	proxies = make([]*store.Proxy, 0, len(headers))
+	proxies := make([]*store.Proxy, 0, len(headers))
 	for _, h := range headers {
 		if !h.Enabled {
@ -125,18 +122,13 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 		proxies = append(proxies, proxy)
 	}
 	d.proxyCache.Set(proxiesCacheKey, proxies)
 	return proxies, nil
 }
-func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]*store.Layer, error) {
+func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store.Layer, error) {
-	cacheKey := "layers-" + string(proxyName)
+	proxyName := store.ProxyName(rawProxyName)
-	layers, exists := d.layerCache.Get(cacheKey)
+	logger.Debug(ctx, "querying fresh layers")
 	if exists {
 		return layers, nil
 	}
 	headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
 	if err != nil {
@ -145,7 +137,7 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 	sort.Sort(store.ByLayerWeight(headers))
-	layers = make([]*store.Layer, 0, len(headers))
+	layers := make([]*store.Layer, 0, len(headers))
 	for _, h := range headers {
 		if !h.Enabled {
@ -160,21 +152,20 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 		layers = append(layers, layer)
 	}
 	d.layerCache.Set(cacheKey, layers)
 	return layers, nil
 }
 func (d *Director) RequestTransformer() proxy.RequestTransformer {
 	return func(r *http.Request) {
 		ctx := r.Context()
 		layers, err := ctxLayers(ctx)
 		if err != nil {
 			if errors.Is(err, errContextKeyNotFound) {
 				return
 			}
-			logger.Error(ctx, "could not retrieve layers from context", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not retrieve layers from context", logger.CapturedE(errors.WithStack(err)))
 			return
 		}
@ -224,15 +215,18 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
 			sentry.ConfigureScope(func(scope *sentry.Scope) {
 				ctx := withHandleError(r.Context(), d.handleError)
 				ctx = withSentryScope(ctx, scope)
 				r = r.WithContext(ctx)
 				r, err := d.rewriteRequest(r)
 				if err != nil {
-				logger.Error(r.Context(), "could not rewrite request", logger.E(errors.WithStack(err)))
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 					return
 				}
-			ctx := r.Context()
+				ctx = r.Context()
 				layers, err := ctxLayers(ctx)
 				if err != nil {
@ -240,9 +234,7 @@ func (d *Director) Middleware() proxy.Middleware {
 						return
 					}
-				logger.Error(ctx, "could not retrieve proxy and layers from context", logger.E(errors.WithStack(err)))
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 					return
 				}
@ -259,6 +251,7 @@ func (d *Director) Middleware() proxy.Middleware {
 				handler := createMiddlewareChain(next, httpMiddlewares)
 				handler.ServeHTTP(w, r)
 			})
 		}
 		return http.HandlerFunc(fn)
@ -270,11 +263,15 @@ func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepos
 	registry := NewLayerRegistry(opts.Layers...)
-	return &Director{
+	director := &Director{
 		proxyRepository: proxyRepository,
 		layerRepository: layerRepository,
 		layerRegistry:   registry,
-		proxyCache:      opts.ProxyCache,
+		handleError:     opts.HandleError,
 		layerCache:      opts.LayerCache,
 	}
 	director.cachedProxies = syncx.NewCachedResource(opts.ProxyCache, director.getProxies)
 	director.cachedLayers = syncx.NewCachedResource(opts.LayerCache, director.getLayers)
 	return director
 }
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -1,13 +1,18 @@
 package authn
 import (
 	"bytes"
 	"html/template"
 	"io"
 	"net/http"
 	"path/filepath"
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/Masterminds/sprig/v3"
 	"github.com/pkg/errors"
@ -19,6 +24,8 @@ type Layer struct {
 	auth      Authenticator
 	debug     bool
 	ruleEngineCache *util.RuleEngineCache[*Vars, *LayerOptions]
 	templateDir string
 }
@ -29,9 +36,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 				return
 			}
@ -42,7 +47,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}
 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute pre-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute pre-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)
 					return
@ -68,20 +73,20 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				}
 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not authenticate user", logger.E(err))
+				logger.Error(ctx, "could not authenticate user", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)
 				return
 			}
-			if err := l.applyRules(r, options, user); err != nil {
+			if err := l.applyRules(ctx, r, layer, options, user); err != nil {
 				if errors.Is(err, ErrForbidden) {
 					l.renderForbiddenPage(w, r, layer, options, user)
 					return
 				}
 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not apply rules", logger.E(err))
+				logger.Error(ctx, "could not apply rules", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)
 				return
@ -99,7 +104,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}
 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute post-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute post-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)
 					return
@ -162,20 +167,22 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string,
 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not load authn templates"))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
 	w.Header().Add("Cache-Control", "no-cache")
-	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
+	var buf bytes.Buffer
 		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
 		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render authn page"))
 		return
 	}
 	if _, err := io.Copy(w, &buf); err != nil {
 		logger.Error(ctx, "could not write authn page", logger.CapturedE(errors.WithStack(err)))
 	}
 }
 // LayerType implements director.MiddlewareLayer
@ -187,6 +194,18 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
 	opts := NewOptions(funcs...)
 	return &Layer{
 		ruleEngineCache: util.NewInMemoryRuleEngineCache[*Vars, *LayerOptions](func(options *LayerOptions) (*rule.Engine[*Vars], error) {
 			engine, err := rule.NewEngine[*Vars](
 				rule.WithRules(options.Rules...),
 				rule.WithExpr(getAuthnAPI()...),
 				ruleHTTP.WithRequestFuncs(),
 			)
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			return engine, nil
 		}),
 		layerType:   layerType,
 		auth:        auth,
 		templateDir: opts.TemplateDir,
--- a/internal/proxy/director/layer/authn/layer_options.go
+++ b/internal/proxy/director/layer/authn/layer_options.go
@ -28,12 +28,13 @@ func DefaultLayerOptions() LayerOptions {
 	return LayerOptions{
 		MatchURLs: []string{"*"},
 		Rules: []string{
-			"del_headers('Remote-*')",
+			"del_headers(ctx, 'Remote-*')",
-			"set_header('Remote-User', user.subject)",
+			"set_header(ctx,'Remote-User', vars.user.subject)",
 			`map(
-				toPairs(user.attrs), {
+				toPairs(vars.user.attrs), {
 					let name = replace(lower(string(get(#, 0))), '_', '-');
 					set_header(
 						ctx,
 						'Remote-User-Attr-' + name, 
 						get(#, 1)
 					) 
--- a/internal/proxy/director/layer/authn/network/authenticator_test.go
+++ b/internal/proxy/director/layer/authn/network/authenticator_test.go
@ -39,6 +39,23 @@ func TestMatchAuthorizedCIDRs(t *testing.T) {
 			},
 			ExpectedResult: false,
 		},
 		{
 			RemoteHostPort: "192.168.1.15:43349",
 			AuthorizedCIDRs: []string{
 				"192.168.1.5/32",
 				"192.168.1.0/24",
 			},
 			ExpectedResult: true,
 		},
 		{
 			RemoteHostPort: "192.168.1.15:43349",
 			AuthorizedCIDRs: []string{
 				"192.168.1.5/32",
 				"192.168.1.6/32",
 				"192.168.1.7/32",
 			},
 			ExpectedResult: false,
 		},
 	}
 	auth := Authenticator{}
--- a/internal/proxy/director/layer/authn/oidc/authenticator.go
+++ b/internal/proxy/director/layer/authn/oidc/authenticator.go
@ -13,9 +13,12 @@ import (
 	"time"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 	"github.com/pkg/errors"
@ -27,6 +30,7 @@ type Authenticator struct {
 	store              sessions.Store
 	httpTransport      *http.Transport
 	httpClientTimeout  time.Duration
 	cachedOIDCProvider *syncx.CachedResource[string, *oidc.Provider]
 }
 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -44,7 +48,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
-		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve session", logger.CapturedE(errors.WithStack(err)))
 	}
 	loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
@ -52,7 +56,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		return errors.WithStack(err)
 	}
-	client, err := a.getClient(options, loginCallbackURL.String())
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -86,7 +90,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		if postLogoutRedirectURL != "" {
 			isAuthorized := slices.Contains(options.OIDC.PostLogoutRedirectURLs, postLogoutRedirectURL)
 			if !isAuthorized {
-				http.Error(w, "unauthorized post-logout redirect", http.StatusBadRequest)
+				director.HandleError(ctx, w, r, http.StatusBadRequest, errors.New("unauthorized post-logout redirect"))
 				return errors.WithStack(authn.ErrSkipRequest)
 			}
 		}
@ -128,7 +132,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 	defer func() {
 		if err := sess.Save(r, w); err != nil {
-			logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
 		}
 	}()
@ -158,7 +162,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		return nil, errors.WithStack(err)
 	}
-	client, err := a.getClient(options, loginCallbackURL.String())
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -360,9 +364,7 @@ func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName
 	return raw.String(), nil
 }
-func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) {
+func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, redirectURL string) (*Client, error) {
 	ctx := context.Background()
 	transport := a.httpTransport.Clone()
 	if options.OIDC.TLSInsecureSkipVerify {
@ -373,6 +375,10 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
 	if options.OIDC.SkipIssuerVerification {
 		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
 	}
 	httpClient := &http.Client{
 		Timeout:   a.httpClientTimeout,
 		Transport: transport,
@ -384,9 +390,9 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
 	}
-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+	provider, _, err := a.cachedOIDCProvider.Get(ctx, options.OIDC.IssuerURL)
 	if err != nil {
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		return nil, errors.Wrap(err, "could not retrieve oidc provider")
 	}
 	client := NewClient(
@ -401,6 +407,17 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 	return client, nil
 }
 func (a *Authenticator) getOIDCProvider(ctx context.Context, issuerURL string) (*oidc.Provider, error) {
 	logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", issuerURL))
 	provider, err := oidc.NewProvider(ctx, issuerURL)
 	if err != nil {
 		return nil, errors.Wrap(err, "could not create oidc provider")
 	}
 	return provider, nil
 }
 const defaultCookieNamePrefix = "_bouncer_authn_oidc"
 func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyName, layerName store.LayerName) string {
@ -411,6 +428,25 @@ func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyNa
 	return strings.ToLower(fmt.Sprintf("%s_%s_%s", defaultCookieNamePrefix, proxyName, layerName))
 }
 func NewAuthenticator(httpTransport *http.Transport, clientTimeout time.Duration, store sessions.Store, oidcProviderCacheTimeout time.Duration) *Authenticator {
 	authenticator := &Authenticator{
 		httpTransport:     httpTransport,
 		httpClientTimeout: clientTimeout,
 		store:             store,
 	}
 	authenticator.cachedOIDCProvider = syncx.NewCachedResource(
 		ttl.NewCache(
 			memory.NewCache[string, *oidc.Provider](),
 			memory.NewCache[string, time.Time](),
 			oidcProviderCacheTimeout,
 		),
 		authenticator.getOIDCProvider,
 	)
 	return authenticator
 }
 var (
 	_ authn.PreAuthentication = &Authenticator{}
 	_ authn.Authenticator     = &Authenticator{}
--- a/internal/proxy/director/layer/authn/oidc/client.go
+++ b/internal/proxy/director/layer/authn/oidc/client.go
@ -6,6 +6,7 @@ import (
 	"net/url"
 	"strings"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/dchest/uniuri"
 	"github.com/gorilla/sessions"
@ -68,8 +69,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL
 	if err := sess.Save(r, w); err != nil {
-		logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
@ -127,7 +127,7 @@ func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sess
 	rawIDToken, err := c.getRawIDToken(sess)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve raw id token", logger.CapturedE(errors.WithStack(err)))
 	}
 	sess.Values[sessionKeyIDToken] = nil
--- a/internal/proxy/director/layer/authn/oidc/layer.go
+++ b/internal/proxy/director/layer/authn/oidc/layer.go
@ -10,9 +10,11 @@ const LayerType store.LayerType = "authn-oidc"
 func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 	opts := NewOptions(funcs...)
-	return authn.NewLayer(LayerType, &Authenticator{
+	authenticator := NewAuthenticator(
-		httpTransport:     opts.HTTPTransport,
+		opts.HTTPTransport,
-		httpClientTimeout: opts.HTTPClientTimeout,
+		opts.HTTPClientTimeout,
-		store:             store,
+		store,
-	}, opts.AuthnOptions...)
+		opts.OIDCProviderCacheTimeout,
 	)
 	return authn.NewLayer(LayerType, authenticator, opts.AuthnOptions...)
 }
--- a/internal/proxy/director/layer/authn/oidc/options.go
+++ b/internal/proxy/director/layer/authn/oidc/options.go
@ -11,6 +11,7 @@ type Options struct {
 	HTTPTransport            *http.Transport
 	HTTPClientTimeout        time.Duration
 	AuthnOptions             []authn.OptionFunc
 	OIDCProviderCacheTimeout time.Duration
 }
 type OptionFunc func(opts *Options)
@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }
 func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
 	return func(opts *Options) {
 		opts.OIDCProviderCacheTimeout = timeout
 	}
 }
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
 		HTTPTransport:            http.DefaultTransport.(*http.Transport),
 		HTTPClientTimeout:        30 * time.Second,
 		AuthnOptions:             make([]authn.OptionFunc, 0),
 		OIDCProviderCacheTimeout: time.Hour,
 	}
 	for _, fn := range funcs {
--- a/internal/proxy/director/layer/authn/rules.go
+++ b/internal/proxy/director/layer/authn/rules.go
@ -1,38 +1,35 @@
 package authn
 import (
 	"context"
 	"net/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
-type Env struct {
+type Vars struct {
 	User *User `expr:"user"`
 }
-func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) error {
+func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
-	rules := options.Rules
+	key := string(layer.Proxy) + "-" + string(layer.Name)
-	if len(rules) == 0 {
+	revisionedEngine := l.ruleEngineCache.Get(key)
 		return nil
 	}
-	engine, err := rule.NewEngine[*Env](
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 		rule.WithRules(options.Rules...),
 		rule.WithExpr(getAuthnAPI()...),
 		ruleHTTP.WithRequestFuncs(r),
 	)
 	if err != nil {
 		return errors.WithStack(err)
 	}
-	env := &Env{
+	vars := &Vars{
 		User: user,
 	}
-	if _, err := engine.Apply(env); err != nil {
+	ctx = ruleHTTP.WithRequest(ctx, r)
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		return errors.WithStack(err)
 	}
--- a/internal/proxy/director/layer/queue/queue.go
+++ b/internal/proxy/director/layer/queue/queue.go
@ -1,9 +1,11 @@
 package queue
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"html/template"
 	"io"
 	"math/rand"
 	"net/http"
 	"path/filepath"
@ -52,9 +54,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 				return
 			}
@ -65,13 +65,13 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}
-			defer q.updateMetrics(ctx, layer.Proxy, layer.Name, options)
+			defer q.updateMetrics(layer.Proxy, layer.Name, options)
 			cookieName := q.getCookieName(layer.Name)
 			cookie, err := r.Cookie(cookieName)
 			if err != nil && !errors.Is(err, http.ErrNoCookie) {
-				logger.Error(ctx, "could not retrieve cookie", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve cookie", logger.CapturedE(errors.WithStack(err)))
 			}
 			if cookie == nil {
@ -89,9 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				logger.Error(ctx, "could not retrieve session rank", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not update queue session rank"))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 				return
 			}
@ -126,7 +124,7 @@ func (q *Queue) updateSessionsMetric(ctx context.Context, proxyName store.ProxyN
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))
 		return
 	}
@ -144,9 +142,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve queue status"))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
@ -157,7 +153,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 		tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 		if err != nil {
-			logger.Error(ctx, "could not load queue templates", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not load queue templates", logger.CapturedE(errors.WithStack(err)))
 			return
 		}
@ -166,9 +162,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	})
 	if q.tmpl == nil {
-		logger.Error(ctx, "queue page templates not loaded", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("queue page templates not loaded"))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
@ -194,12 +188,16 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	w.Header().Add("Retry-After", strconv.FormatInt(int64(refreshRate.Seconds()), 10))
 	w.WriteHeader(http.StatusServiceUnavailable)
-	if err := q.tmpl.ExecuteTemplate(w, "queue", templateData); err != nil {
+	var buf bytes.Buffer
 		logger.Error(ctx, "could not render queue page", logger.E(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 	if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
 		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render queue page"))
 		return
 	}
 	if _, err := io.Copy(w, &buf); err != nil {
 		logger.Error(ctx, "could not write queue page", logger.CapturedE(errors.WithStack(err)))
 	}
 }
 func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, keepAlive time.Duration) {
@ -211,13 +209,15 @@ func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, kee
 	if err := q.adapter.Refresh(ctx, string(layerName), keepAlive); err != nil {
 		logger.Error(ctx, "could not refresh queue",
-			logger.E(errors.WithStack(err)),
+			logger.CapturedE(errors.WithStack(err)),
 			logger.F("queue", layerName),
 		)
 	}
 }
-func (q *Queue) updateMetrics(ctx context.Context, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) {
+func (q *Queue) updateMetrics(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) {
 	ctx := context.Background()
 	// Update queue capacity metric
 	metricQueueCapacity.With(
 		prometheus.Labels{
--- a/internal/proxy/director/layer/rewriter/api.go
+++ b/internal/proxy/director/layer/rewriter/api.go
@ -0,0 +1,79 @@
 package rewriter
 import (
 	"context"
 	"fmt"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
 type errRedirect struct {
 	statusCode int
 	url        string
 }
 func (e *errRedirect) StatusCode() int {
 	return e.statusCode
 }
 func (e *errRedirect) URL() string {
 	return e.url
 }
 func (e *errRedirect) Error() string {
 	return fmt.Sprintf("redirect %d %s", e.statusCode, e.url)
 }
 func newErrRedirect(statusCode int, url string) *errRedirect {
 	return &errRedirect{
 		url:        url,
 		statusCode: statusCode,
 	}
 }
 var _ error = &errRedirect{}
 func redirectFunc() expr.Option {
 	return expr.Function(
 		"redirect",
 		func(params ...any) (any, error) {
 			_, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			statusCode, err := rule.Assert[int](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			if statusCode < 300 || statusCode >= 400 {
 				return nil, errors.Errorf("unexpected redirect status code '%d'", statusCode)
 			}
 			url, err := rule.Assert[string](params[2])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			return nil, newErrRedirect(statusCode, url)
 		},
 		new(func(context.Context, int, string) bool),
 	)
 }
 func WithRewriterFuncs() rule.OptionFunc {
 	return func(opts *rule.Options) {
 		funcs := []expr.Option{
 			redirectFunc(),
 		}
 		if len(opts.Expr) == 0 {
 			opts.Expr = make([]expr.Option, 0)
 		}
 		opts.Expr = append(opts.Expr, funcs...)
 	}
 }
--- a/internal/proxy/director/layer/rewriter/layer.go
+++ b/internal/proxy/director/layer/rewriter/layer.go
@ -6,14 +6,19 @@ import (
 	proxy "forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
 const LayerType store.LayerType = "rewriter"
-type Layer struct{}
+type Layer struct {
 	requestRuleEngineCache  *util.RuleEngineCache[*RequestVars, *LayerOptions]
 	responseRuleEngineCache *util.RuleEngineCache[*ResponseVars, *LayerOptions]
 }
 func (l *Layer) LayerType() store.LayerType {
 	return LayerType
@ -26,9 +31,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 				return
 			}
@ -39,9 +42,14 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}
-			if err := l.applyRequestRules(r, options); err != nil {
+			if err := l.applyRequestRules(ctx, r, layer, options); err != nil {
-				logger.Error(ctx, "could not apply request rules", logger.E(errors.WithStack(err)))
+				var redirect *errRedirect
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				if errors.As(err, &redirect) {
 					http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
 					return
 				}
 				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not apply request rules"))
 				return
 			}
@ -66,7 +74,9 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
 			return nil
 		}
-		if err := l.applyResponseRules(r, options); err != nil {
+		ctx := r.Request.Context()
 		if err := l.applyResponseRules(ctx, r, layer, options); err != nil {
 			return errors.WithStack(err)
 		}
@ -74,8 +84,32 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
 	}
 }
-func New() *Layer {
+func New(funcs ...OptionFunc) *Layer {
-	return &Layer{}
+	return &Layer{
 		requestRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
 			engine, err := rule.NewEngine[*RequestVars](
 				rule.WithRules(options.Rules.Request...),
 				ruleHTTP.WithRequestFuncs(),
 				WithRewriterFuncs(),
 			)
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			return engine, nil
 		}),
 		responseRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
 			engine, err := rule.NewEngine[*ResponseVars](
 				rule.WithRules(options.Rules.Response...),
 				ruleHTTP.WithResponseFuncs(),
 			)
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			return engine, nil
 		}),
 	}
 }
 var (
--- a/internal/proxy/director/layer/rewriter/options.go
+++ b/internal/proxy/director/layer/rewriter/options.go
@ -0,0 +1,16 @@
 package rewriter
 type Options struct {
 }
 type OptionFunc func(opts *Options)
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{}
 	for _, fn := range funcs {
 		fn(opts)
 	}
 	return opts
 }
--- a/internal/proxy/director/layer/rewriter/rules.go
+++ b/internal/proxy/director/layer/rewriter/rules.go
@ -1,50 +1,80 @@
 package rewriter
 import (
 	"context"
 	"net/http"
 	"net/url"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 )
-type RequestEnv struct {
+type RequestVars struct {
-	Request RequestInfo `expr:"request"`
+	Request     RequestVar `expr:"request"`
 	OriginalURL URLVar     `expr:"original_url"`
 }
-type RequestInfo struct {
+type URLVar struct {
 	Scheme      string  `expr:"scheme"`
 	Opaque      string  `expr:"opaque"`
 	User        UserVar `expr:"user"`
 	Host        string  `expr:"host"`
 	Path        string  `expr:"path"`
 	RawPath     string  `expr:"raw_path"`
 	RawQuery    string  `expr:"raw_query"`
 	Fragment    string  `expr:"fragment"`
 	RawFragment string  `expr:"raw_fragment"`
 }
 func fromURL(url *url.URL) URLVar {
 	return URLVar{
 		Scheme: url.Scheme,
 		Opaque: url.Opaque,
 		User: UserVar{
 			Username: url.User.Username(),
 			Password: func() string {
 				passwd, _ := url.User.Password()
 				return passwd
 			}(),
 		},
 		Host:        url.Host,
 		Path:        url.Path,
 		RawPath:     url.RawPath,
 		RawQuery:    url.RawQuery,
 		Fragment:    url.Fragment,
 		RawFragment: url.RawFragment,
 	}
 }
 type UserVar struct {
 	Username string `expr:"username"`
 	Password string `expr:"password"`
 }
 type RequestVar struct {
 	Method           string              `expr:"method"`
-	URL              string              `expr:"url"`
+	URL              URLVar              `expr:"url"`
 	RawURL           string              `expr:"raw_url"`
 	Proto            string              `expr:"proto"`
-	ProtoMajor       int                 `expr:"protoMajor"`
+	ProtoMajor       int                 `expr:"proto_major"`
-	ProtoMinor       int                 `expr:"protoMinor"`
+	ProtoMinor       int                 `expr:"proto_minor"`
 	Header           map[string][]string `expr:"header"`
-	ContentLength    int64               `expr:"contentLength"`
+	ContentLength    int64               `expr:"content_length"`
-	TransferEncoding []string            `expr:"transferEncoding"`
+	TransferEncoding []string            `expr:"transfer_encoding"`
 	Host             string              `expr:"host"`
 	Trailer          map[string][]string `expr:"trailer"`
-	RemoteAddr       string              `expr:"remoteAddr"`
+	RemoteAddr       string              `expr:"remote_addr"`
-	RequestURI       string              `expr:"requestUri"`
+	RequestURI       string              `expr:"request_uri"`
 }
-func (l *Layer) applyRequestRules(r *http.Request, options *LayerOptions) error {
+func fromRequest(r *http.Request) RequestVar {
-	rules := options.Rules.Request
+	return RequestVar{
 	if len(rules) == 0 {
 		return nil
 	}
 	engine, err := rule.NewEngine[*RequestEnv](
 		ruleHTTP.WithRequestFuncs(r),
 		rule.WithRules(options.Rules.Request...),
 	)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 	env := &RequestEnv{
 		Request: RequestInfo{
 		Method:           r.Method,
-			URL:              r.URL.String(),
+		URL:              fromURL(r.URL),
 		RawURL:           r.URL.String(),
 		Proto:            r.Proto,
 		ProtoMajor:       r.ProtoMajor,
 		ProtoMinor:       r.ProtoMinor,
@ -55,64 +85,90 @@ func (l *Layer) applyRequestRules(r *http.Request, options *LayerOptions) error
 		Trailer:          r.Trailer,
 		RemoteAddr:       r.RemoteAddr,
 		RequestURI:       r.RequestURI,
-		},
+	}
 }
-	if _, err := engine.Apply(env); err != nil {
+func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions) error {
 		return errors.WithStack(err)
 	}
 	return nil
 }
 type ResponseEnv struct {
 	Request  RequestInfo  `expr:"request"`
 	Response ResponseInfo `expr:"response"`
 }
 type ResponseInfo struct {
 	Status           string              `expr:"status"`
 	StatusCode       int                 `expr:"statusCode"`
 	Proto            string              `expr:"proto"`
 	ProtoMajor       int                 `expr:"protoMajor"`
 	ProtoMinor       int                 `expr:"protoMinor"`
 	Header           map[string][]string `expr:"header"`
 	ContentLength    int64               `expr:"contentLength"`
 	TransferEncoding []string            `expr:"transferEncoding"`
 	Uncompressed     bool                `expr:"uncompressed"`
 	Trailer          map[string][]string `expr:"trailer"`
 }
 func (l *Layer) applyResponseRules(r *http.Response, options *LayerOptions) error {
 	rules := options.Rules.Request
 	if len(rules) == 0 {
 		return nil
 	}
-	engine, err := rule.NewEngine[*ResponseEnv](
+	engine, err := l.getRequestRuleEngine(ctx, layer, options)
 		rule.WithRules(options.Rules.Response...),
 		ruleHTTP.WithResponseFuncs(r),
 	)
 	if err != nil {
 		return errors.WithStack(err)
 	}
-	env := &ResponseEnv{
+	originalURL, err := director.OriginalURL(ctx)
-		Request: RequestInfo{
+	if err != nil {
-			Method:           r.Request.Method,
+		return errors.WithStack(err)
-			URL:              r.Request.URL.String(),
+	}
-			Proto:            r.Request.Proto,
+
-			ProtoMajor:       r.Request.ProtoMajor,
+	vars := &RequestVars{
-			ProtoMinor:       r.Request.ProtoMinor,
+		OriginalURL: fromURL(originalURL),
-			Header:           r.Request.Header,
+		Request:     fromRequest(r),
-			ContentLength:    r.Request.ContentLength,
+	}
-			TransferEncoding: r.Request.TransferEncoding,
+
-			Host:             r.Request.Host,
+	ctx = ruleHTTP.WithRequest(ctx, r)
-			Trailer:          r.Request.Trailer,
+
-			RemoteAddr:       r.Request.RemoteAddr,
+	if _, err := engine.Apply(ctx, vars); err != nil {
-			RequestURI:       r.Request.RequestURI,
+		return errors.WithStack(err)
-		},
+	}
-		Response: ResponseInfo{
+
 	return nil
 }
 func (l *Layer) getRequestRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
 	key := string(layer.Proxy) + "-" + string(layer.Name)
 	revisionedEngine := l.requestRuleEngineCache.Get(key)
 	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return engine, nil
 }
 type ResponseVars struct {
 	OriginalURL URLVar      `expr:"original_url"`
 	Request     RequestVar  `expr:"request"`
 	Response    ResponseVar `expr:"response"`
 }
 type ResponseVar struct {
 	Status           string              `expr:"status"`
 	StatusCode       int                 `expr:"status_code"`
 	Proto            string              `expr:"proto"`
 	ProtoMajor       int                 `expr:"proto_major"`
 	ProtoMinor       int                 `expr:"proto_minor"`
 	Header           map[string][]string `expr:"header"`
 	ContentLength    int64               `expr:"content_length"`
 	TransferEncoding []string            `expr:"transfer_encoding"`
 	Uncompressed     bool                `expr:"uncompressed"`
 	Trailer          map[string][]string `expr:"trailer"`
 }
 func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layer *store.Layer, options *LayerOptions) error {
 	rules := options.Rules.Response
 	if len(rules) == 0 {
 		return nil
 	}
 	engine, err := l.getResponseRuleEngine(ctx, layer, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 	originalURL, err := director.OriginalURL(ctx)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 	vars := &ResponseVars{
 		OriginalURL: fromURL(originalURL),
 		Request:     fromRequest(r.Request),
 		Response: ResponseVar{
 			Proto:            r.Proto,
 			ProtoMajor:       r.ProtoMajor,
 			ProtoMinor:       r.ProtoMinor,
@ -125,9 +181,24 @@ func (l *Layer) applyResponseRules(r *http.Response, options *LayerOptions) erro
 		},
 	}
-	if _, err := engine.Apply(env); err != nil {
+	ctx = ruleHTTP.WithResponse(ctx, r)
 	ctx = ruleHTTP.WithRequest(ctx, r.Request)
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		return errors.WithStack(err)
 	}
 	return nil
 }
 func (l *Layer) getResponseRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
 	key := string(layer.Proxy) + "-" + string(layer.Name)
 	revisionedEngine := l.responseRuleEngineCache.Get(key)
 	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return engine, nil
 }
--- a/internal/proxy/director/layer/util/revisioned_rule_engine.go
+++ b/internal/proxy/director/layer/util/revisioned_rule_engine.go
@ -0,0 +1,51 @@
 package util
 import (
 	"context"
 	"sync"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
 type RuleEngineFactoryFunc[V any, O any] func(ops O) (*rule.Engine[V], error)
 type RevisionedRuleEngine[V any, O any] struct {
 	mutex    sync.RWMutex
 	revision int
 	engine   *rule.Engine[V]
 	factory  RuleEngineFactoryFunc[V, O]
 }
 func (e *RevisionedRuleEngine[V, O]) Get(ctx context.Context, revision int, opts O) (*rule.Engine[V], error) {
 	e.mutex.RLock()
 	if revision == e.revision {
 		logger.Debug(ctx, "using cached rule engine", logger.F("layerRevision", revision))
 		defer e.mutex.RUnlock()
 		return e.engine, nil
 	}
 	e.mutex.RUnlock()
 	e.mutex.Lock()
 	defer e.mutex.Unlock()
 	logger.Debug(ctx, "creating rule engine", logger.F("layerRevision", revision))
 	engine, err := e.factory(opts)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 	e.engine = engine
 	e.revision = revision
 	return engine, nil
 }
 func NewRevisionedRuleEngine[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RevisionedRuleEngine[V, O] {
 	return &RevisionedRuleEngine[V, O]{
 		factory: factory,
 	}
 }
--- a/internal/proxy/director/layer/util/rule_engine_cache.go
+++ b/internal/proxy/director/layer/util/rule_engine_cache.go
@ -0,0 +1,28 @@
 package util
 import (
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 )
 type RuleEngineCache[V any, O any] struct {
 	cache   cache.Cache[string, *RevisionedRuleEngine[V, O]]
 	factory RuleEngineFactoryFunc[V, O]
 }
 func (c *RuleEngineCache[V, O]) Get(key string) *RevisionedRuleEngine[V, O] {
 	revisionedRuleEngine, exists := c.cache.Get(key)
 	if !exists {
 		revisionedRuleEngine = NewRevisionedRuleEngine(c.factory)
 		c.cache.Set(key, revisionedRuleEngine)
 	}
 	return revisionedRuleEngine
 }
 func NewInMemoryRuleEngineCache[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RuleEngineCache[V, O] {
 	return &RuleEngineCache[V, O]{
 		factory: factory,
 		cache:   memory.NewCache[string, *RevisionedRuleEngine[V, O]](),
 	}
 }
--- a/internal/proxy/director/options.go
+++ b/internal/proxy/director/options.go
@ -1,18 +1,21 @@
 package director
 import (
 	"net/http"
 	"time"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"gitlab.com/wpetit/goweb/logger"
 )
 type Options struct {
 	Layers      []Layer
 	ProxyCache  cache.Cache[string, []*store.Proxy]
 	LayerCache  cache.Cache[string, []*store.Layer]
 	HandleError HandleErrorFunc
 }
 type OptionFunc func(opts *Options)
@ -30,6 +33,10 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			memory.NewCache[string, time.Time](),
 			30*time.Second,
 		),
 		HandleError: func(w http.ResponseWriter, r *http.Request, status int, err error) {
 			logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
 			http.Error(w, http.StatusText(status), status)
 		},
 	}
 	for _, fn := range funcs {
@ -56,3 +63,9 @@ func WithLayerCache(cache cache.Cache[string, []*store.Layer]) OptionFunc {
 		opts.LayerCache = cache
 	}
 }
 func WithHandleErrorFunc(fn HandleErrorFunc) OptionFunc {
 	return func(opts *Options) {
 		opts.HandleError = fn
 	}
 }
--- a/internal/proxy/init.go
+++ b/internal/proxy/init.go
@ -9,7 +9,7 @@ import (
 )
 func (s *Server) initRepositories(ctx context.Context) error {
-	client := setup.NewRedisClient(ctx, s.redisConfig)
+	client := setup.NewSharedClient(s.redisConfig)
 	if err := s.initProxyRepository(ctx, client); err != nil {
 		return errors.WithStack(err)
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
@ -1,156 +0,0 @@
 package proxy_test
 import (
 	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"net/http/httputil"
 	"net/url"
 	"os"
 	"testing"
 	"time"
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
 	"github.com/pkg/errors"
 	"github.com/redis/go-redis/v9"
 )
 func BenchmarkProxy(b *testing.B) {
 	redisEndpoint := os.Getenv("BOUNCER_BENCH_REDIS_ADDR")
 	if redisEndpoint == "" {
 		redisEndpoint = "127.0.0.1:6379"
 	}
 	client := redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs: []string{redisEndpoint},
 	})
 	proxyRepository := redisStore.NewProxyRepository(client)
 	layerRepository := redisStore.NewLayerRepository(client)
 	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		if _, err := w.Write([]byte("Hello, world.")); err != nil {
 			b.Logf("[ERROR] %+v", errors.WithStack(err))
 		}
 	}))
 	defer backend.Close()
 	if err := waitFor(backend.URL, 5*time.Second); err != nil {
 		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
 	}
 	b.Logf("started backend '%s'", backend.URL)
 	ctx := context.Background()
 	proxyName := store.ProxyName(b.Name())
 	b.Logf("creating proxy '%s'", proxyName)
 	if err := proxyRepository.DeleteProxy(ctx, proxyName); err != nil {
 		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
 	}
 	if _, err := proxyRepository.CreateProxy(ctx, proxyName, backend.URL, "*"); err != nil {
 		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
 	}
 	if _, err := proxyRepository.UpdateProxy(ctx, proxyName, store.WithProxyUpdateEnabled(true)); err != nil {
 		b.Fatalf("[FATAL] %+v", errors.WithStack(err))
 	}
 	director := director.New(
 		proxyRepository, layerRepository,
 		director.WithLayerCache(
 			ttl.NewCache(
 				memory.NewCache[string, []*store.Layer](),
 				memory.NewCache[string, time.Time](),
 				30*time.Second,
 			),
 		),
 		director.WithProxyCache(
 			ttl.NewCache(
 				memory.NewCache[string, []*store.Proxy](),
 				memory.NewCache[string, time.Time](),
 				30*time.Second,
 			),
 		),
 	)
 	directorMiddleware := director.Middleware()
 	handler := proxy.New(
 		proxy.WithRequestTransformers(
 			director.RequestTransformer(),
 		),
 		proxy.WithResponseTransformers(
 			director.ResponseTransformer(),
 		),
 		proxy.WithReverseProxyFactory(func(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
 			reverse := httputil.NewSingleHostReverseProxy(target)
 			reverse.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
 				b.Logf("[ERROR] %s", errors.WithStack(err))
 			}
 			return reverse
 		}),
 	)
 	server := httptest.NewServer(directorMiddleware(handler))
 	defer server.Close()
 	b.Logf("started proxy '%s'", server.URL)
 	httpClient := server.Client()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		res, err := httpClient.Get(server.URL)
 		if err != nil {
 			b.Errorf("could not fetch server url: %+v", errors.WithStack(err))
 		}
 		body, err := io.ReadAll(res.Body)
 		if err != nil {
 			b.Errorf("could not read response body: %+v", errors.WithStack(err))
 		}
 		b.Logf("%s - %v", res.Status, string(body))
 		if err := res.Body.Close(); err != nil {
 			b.Errorf("could not close response body: %+v", errors.WithStack(err))
 		}
 	}
 }
 func waitFor(url string, ttl time.Duration) error {
 	var lastErr error
 	timeout := time.After(ttl)
 	for {
 		select {
 		case <-timeout:
 			if lastErr != nil {
 				return lastErr
 			}
 			return errors.New("wait timed out")
 		default:
 			res, err := http.Get(url)
 			if err != nil {
 				lastErr = errors.WithStack(err)
 				continue
 			}
 			if res.StatusCode >= 200 && res.StatusCode < 400 {
 				return nil
 			}
 		}
 	}
 }
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -1,16 +1,23 @@
 package proxy
 import (
 	"bytes"
 	"context"
 	"expvar"
 	"fmt"
 	"html/template"
 	"io"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/http/pprof"
 	"net/url"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strconv"
 	"syscall"
 	"time"
 	"forge.cadoles.com/Cadoles/go-proxy"
@ -22,7 +29,6 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/Masterminds/sprig/v3"
 	"github.com/getsentry/sentry-go"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@ -91,31 +97,25 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	logger.Info(ctx, "http server listening")
 	layerCache, proxyCache, cancel := s.createDirectorCaches(ctx)
 	defer cancel()
 	director := director.New(
 		s.proxyRepository,
 		s.layerRepository,
 		director.WithLayers(s.directorLayers...),
-		director.WithLayerCache(
+		director.WithLayerCache(layerCache),
-			ttl.NewCache(
+		director.WithProxyCache(proxyCache),
-				memory.NewCache[string, []*store.Layer](),
+		director.WithHandleErrorFunc(s.handleError),
 				memory.NewCache[string, time.Time](),
 				s.directorCacheTTL,
 			),
 		),
 		director.WithProxyCache(
 			ttl.NewCache(
 				memory.NewCache[string, []*store.Proxy](),
 				memory.NewCache[string, time.Time](),
 				s.directorCacheTTL,
 			),
 		),
 	)
 	if s.serverConfig.HTTP.UseRealIP {
 		router.Use(middleware.RealIP)
 	}
 	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
 	router.Use(middleware.Recoverer)
 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@ -146,6 +146,35 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		})
 	}
 	if s.serverConfig.Profiling.Enabled {
 		profiling := s.serverConfig.Profiling
 		logger.Info(ctx, "enabling profiling", logger.F("endpoint", profiling.Endpoint))
 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
 				logger.Info(ctx, "enabling authentication on profiling endpoint")
 				r.Use(middleware.BasicAuth(
 					"profiling",
 					profiling.BasicAuth.CredentialsMap(),
 				))
 			}
 			r.Route(string(profiling.Endpoint), func(r chi.Router) {
 				r.HandleFunc("/", pprof.Index)
 				r.HandleFunc("/cmdline", pprof.Cmdline)
 				r.HandleFunc("/profile", pprof.Profile)
 				r.HandleFunc("/symbol", pprof.Symbol)
 				r.HandleFunc("/trace", pprof.Trace)
 				r.Handle("/vars", expvar.Handler())
 				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
 					name := chi.URLParam(r, "name")
 					pprof.Handler(name).ServeHTTP(w, r)
 				})
 			})
 		})
 	}
 	router.Group(func(r chi.Router) {
 		r.Use(director.Middleware())
@ -170,6 +199,44 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	logger.Info(ctx, "http server exiting")
 }
 func (s *Server) createDirectorCaches(ctx context.Context) (*ttl.Cache[string, []*store.Layer], *ttl.Cache[string, []*store.Proxy], func()) {
 	layerCache := ttl.NewCache(
 		memory.NewCache[string, []*store.Layer](),
 		memory.NewCache[string, time.Time](),
 		s.directorCacheTTL,
 	)
 	proxyCache := ttl.NewCache(
 		memory.NewCache[string, []*store.Proxy](),
 		memory.NewCache[string, time.Time](),
 		s.directorCacheTTL,
 	)
 	sig := make(chan os.Signal, 1)
 	signal.Notify(sig, syscall.SIGUSR2)
 	go func() {
 		for {
 			_, ok := <-sig
 			if !ok {
 				return
 			}
 			logger.Info(ctx, "received sigusr2 signal, clearing proxies and layers cache")
 			layerCache.Clear()
 			proxyCache.Clear()
 		}
 	}()
 	cancel := func() {
 		close(sig)
 	}
 	return layerCache, proxyCache, cancel
 }
 func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
 	reverseProxy := httputil.NewSingleHostReverseProxy(target)
@ -186,27 +253,27 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 	httpTransport.DialContext = dialer.DialContext
 	reverseProxy.Transport = httpTransport
-	reverseProxy.ErrorHandler = s.handleError
+	reverseProxy.ErrorHandler = s.handleProxyError
 	return reverseProxy
 }
 func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
-	err := errors.Errorf("no proxy target found")
+	s.handleError(w, r, http.StatusBadGateway, errors.Errorf("no proxy target found"))
 	logger.Error(r.Context(), "proxy error", logger.E(err))
 	sentry.CaptureException(err)
 	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
 }
-func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
+func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
-	logger.Error(r.Context(), "proxy error", logger.E(err))
+	if !errors.Is(err, context.Canceled) {
-	sentry.CaptureException(err)
+		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
 	}
-	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+	s.renderErrorPage(w, r, err, status, http.StatusText(status))
 }
 func (s *Server) handleProxyError(w http.ResponseWriter, r *http.Request, err error) {
 	s.handleError(w, r, http.StatusBadGateway, err)
 }
 func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
@ -237,7 +304,7 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not load proxy templates", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
@ -257,12 +324,18 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 		return
 	}
-	if err := blockTmpl.Execute(w, templateData); err != nil {
+	var buf bytes.Buffer
-		logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
+
 	if err := blockTmpl.Execute(&buf, templateData); err != nil {
 		logger.Error(ctx, "could not render proxy page", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
 	if _, err := io.Copy(w, &buf); err != nil {
 		logger.Error(ctx, "could not write page", logger.CapturedE(errors.WithStack(err)))
 	}
 }
 func NewServer(funcs ...OptionFunc) *Server {
--- a/internal/rule/engine.go
+++ b/internal/rule/engine.go
@ -1,16 +1,28 @@
 package rule
 import (
 	"context"
 	"github.com/expr-lang/expr"
 	"github.com/expr-lang/expr/vm"
 	"github.com/pkg/errors"
 )
-type Engine[E any] struct {
+type Engine[V any] struct {
 	rules []*vm.Program
 }
-func (e *Engine[E]) Apply(env E) ([]any, error) {
+func (e *Engine[V]) Apply(ctx context.Context, vars V) ([]any, error) {
 	type Env[V any] struct {
 		Context context.Context `expr:"ctx"`
 		Vars    V               `expr:"vars"`
 	}
 	env := Env[V]{
 		Context: ctx,
 		Vars:    vars,
 	}
 	results := make([]any, 0, len(e.rules))
 	for i, r := range e.rules {
 		result, err := expr.Run(r, env)
@ -42,3 +54,26 @@ func NewEngine[E any](funcs ...OptionFunc) (*Engine[E], error) {
 	return engine, nil
 }
 func Context[T any](ctx context.Context, key any) (T, bool) {
 	raw := ctx.Value(key)
 	if raw == nil {
 		return *new(T), false
 	}
 	value, err := Assert[T](raw)
 	if err != nil {
 		return *new(T), false
 	}
 	return value, true
 }
 func Assert[T any](raw any) (T, error) {
 	value, ok := raw.(T)
 	if !ok {
 		return *new(T), errors.Errorf("unexpected value '%T'", value)
 	}
 	return value, nil
 }
--- a/internal/rule/http/context.go
+++ b/internal/rule/http/context.go
@ -0,0 +1,31 @@
 package http
 import (
 	"context"
 	"net/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 )
 type contextKey string
 const (
 	contextKeyRequest  contextKey = "request"
 	contextKeyResponse contextKey = "response"
 )
 func WithRequest(ctx context.Context, r *http.Request) context.Context {
 	return context.WithValue(ctx, contextKeyRequest, r)
 }
 func WithResponse(ctx context.Context, r *http.Response) context.Context {
 	return context.WithValue(ctx, contextKeyResponse, r)
 }
 func CtxRequest(ctx context.Context) (*http.Request, bool) {
 	return rule.Context[*http.Request](ctx, contextKeyRequest)
 }
 func CtxResponse(ctx context.Context) (*http.Response, bool) {
 	return rule.Context[*http.Response](ctx, contextKeyResponse)
 }
--- a/internal/rule/http/option.go
+++ b/internal/rule/http/option.go
@ -1,20 +1,20 @@
 package http
 import (
 	"net/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
 )
-func WithRequestFuncs(r *http.Request) rule.OptionFunc {
+func WithRequestFuncs() rule.OptionFunc {
 	return func(opts *rule.Options) {
 		funcs := []expr.Option{
-			setRequestURL(r),
+			setRequestURLFunc(),
-			setRequestHeaderFunc(r),
+			setRequestHeaderFunc(),
-			addRequestHeaderFunc(r),
+			addRequestHeaderFunc(),
-			delRequestHeadersFunc(r),
+			delRequestHeadersFunc(),
-			setRequestHostFunc(r),
+			setRequestHostFunc(),
 			getRequestCookieFunc(),
 			addRequestCookieFunc(),
 		}
 		if len(opts.Expr) == 0 {
@ -25,12 +25,14 @@ func WithRequestFuncs(r *http.Request) rule.OptionFunc {
 	}
 }
-func WithResponseFuncs(r *http.Response) rule.OptionFunc {
+func WithResponseFuncs() rule.OptionFunc {
 	return func(opts *rule.Options) {
 		funcs := []expr.Option{
-			setResponseHeaderFunc(r),
+			setResponseHeaderFunc(),
-			addResponseHeaderFunc(r),
+			addResponseHeaderFunc(),
-			delResponseHeadersFunc(r),
+			delResponseHeadersFunc(),
 			addResponseCookieFunc(),
 			getResponseCookieFunc(),
 		}
 		if len(opts.Expr) == 0 {
--- a/internal/rule/http/request.go
+++ b/internal/rule/http/request.go
@ -1,6 +1,7 @@
 package http
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"net/url"
@ -9,101 +10,147 @@ import (
 	"time"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
-func setRequestHostFunc(r *http.Request) expr.Option {
+func setRequestHostFunc() expr.Option {
 	return expr.Function(
 		"set_host",
 		func(params ...any) (any, error) {
-			host := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			host, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
 			r.Host = host
 			return true, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
-func setRequestURL(r *http.Request) expr.Option {
+func setRequestURLFunc() expr.Option {
 	return expr.Function(
 		"set_url",
 		func(params ...any) (any, error) {
-			rawURL := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			rawURL, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			url, err := url.Parse(rawURL)
 			if err != nil {
 				return false, errors.WithStack(err)
 			}
 			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
 			r.URL = url
 			return true, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
-func addRequestHeaderFunc(r *http.Request) expr.Option {
+func addRequestHeaderFunc() expr.Option {
 	return expr.Function(
 		"add_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
-			rawValue := params[1]
+			if err != nil {
 				return nil, errors.WithStack(err)
 			}
-			var value string
+			name, err := rule.Assert[string](params[1])
-			switch v := rawValue.(type) {
+			if err != nil {
-			case []string:
+				return nil, errors.WithStack(err)
-				value = strings.Join(v, ",")
+			}
-			case time.Time:
+
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
+			value := formatValue(params[2])
-			case time.Duration:
+
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
+			r, ok := CtxRequest(ctx)
-			default:
+			if !ok {
-				value = fmt.Sprintf("%v", rawValue)
+				return nil, errors.New("could not find http request in context")
 			}
 			r.Header.Add(name, value)
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
-func setRequestHeaderFunc(r *http.Request) expr.Option {
+func setRequestHeaderFunc() expr.Option {
 	return expr.Function(
 		"set_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
-			rawValue := params[1]
+			if err != nil {
 				return nil, errors.WithStack(err)
 			}
-			var value string
+			name, err := rule.Assert[string](params[1])
-			switch v := rawValue.(type) {
+			if err != nil {
-			case []string:
+				return nil, errors.WithStack(err)
-				value = strings.Join(v, ",")
+			}
-			case time.Time:
+
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
+			value := formatValue(params[2])
-			case time.Duration:
+
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
+			r, ok := CtxRequest(ctx)
-			default:
+			if !ok {
-				value = fmt.Sprintf("%v", rawValue)
+				return nil, errors.New("could not find http request in context")
 			}
 			r.Header.Set(name, value)
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
-func delRequestHeadersFunc(r *http.Request) expr.Option {
+func delRequestHeadersFunc() expr.Option {
 	return expr.Function(
 		"del_headers",
 		func(params ...any) (any, error) {
-			pattern := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			pattern, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
 			deleted := false
 			for key := range r.Header {
@ -117,6 +164,160 @@ func delRequestHeadersFunc(r *http.Request) expr.Option {
 			return deleted, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
 type CookieVar struct {
 	Name     string        `expr:"name"`
 	Value    string        `expr:"value"`
 	Path     string        `expr:"path"`
 	Domain   string        `expr:"domain"`
 	Expires  time.Time     `expr:"expires"`
 	MaxAge   int           `expr:"max_age"`
 	Secure   bool          `expr:"secure"`
 	HttpOnly bool          `expr:"http_only"`
 	SameSite http.SameSite `expr:"same_site"`
 }
 func getRequestCookieFunc() expr.Option {
 	return expr.Function(
 		"get_cookie",
 		func(params ...any) (any, error) {
 			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			name, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
 			cookie, err := r.Cookie(name)
 			if err != nil && !errors.Is(err, http.ErrNoCookie) {
 				return nil, errors.WithStack(err)
 			}
 			if cookie == nil {
 				return nil, nil
 			}
 			return CookieVar{
 				Name:     cookie.Name,
 				Value:    cookie.Value,
 				Path:     cookie.Path,
 				Domain:   cookie.Domain,
 				Expires:  cookie.Expires,
 				MaxAge:   cookie.MaxAge,
 				Secure:   cookie.Secure,
 				HttpOnly: cookie.HttpOnly,
 				SameSite: cookie.SameSite,
 			}, nil
 		},
 		new(func(context.Context, string) CookieVar),
 	)
 }
 func addRequestCookieFunc() expr.Option {
 	return expr.Function(
 		"add_cookie",
 		func(params ...any) (any, error) {
 			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			values, err := rule.Assert[map[string]any](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			cookie, err := cookieFrom(values)
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
 			r.AddCookie(cookie)
 			return true, nil
 		},
 		new(func(context.Context, map[string]any) bool),
 	)
 }
 func cookieFrom(values map[string]any) (*http.Cookie, error) {
 	cookie := &http.Cookie{}
 	if name, ok := values["name"].(string); ok {
 		cookie.Name = name
 	}
 	if value, ok := values["value"].(string); ok {
 		cookie.Value = value
 	}
 	if domain, ok := values["domain"].(string); ok {
 		cookie.Domain = domain
 	}
 	if path, ok := values["path"].(string); ok {
 		cookie.Path = path
 	}
 	if httpOnly, ok := values["http_only"].(bool); ok {
 		cookie.HttpOnly = httpOnly
 	}
 	if maxAge, ok := values["max_age"].(int); ok {
 		cookie.MaxAge = maxAge
 	}
 	if secure, ok := values["secure"].(bool); ok {
 		cookie.Secure = secure
 	}
 	if sameSite, ok := values["same_site"].(http.SameSite); ok {
 		cookie.SameSite = sameSite
 	} else if sameSite, ok := values["same_site"].(int); ok {
 		cookie.SameSite = http.SameSite(sameSite)
 	}
 	if expires, ok := values["expires"].(time.Time); ok {
 		cookie.Expires = expires
 	} else if rawExpires, ok := values["expires"].(string); ok {
 		expires, err := time.Parse(http.TimeFormat, rawExpires)
 		if err != nil {
 			return nil, errors.WithStack(err)
 		}
 		cookie.Expires = expires
 	}
 	return cookie, nil
 }
 func formatValue(v any) string {
 	var value string
 	switch v := v.(type) {
 	case []string:
 		value = strings.Join(v, ",")
 	case time.Time:
 		value = strconv.FormatInt(v.UTC().Unix(), 10)
 	case time.Duration:
 		value = strconv.FormatInt(int64(v.Seconds()), 10)
 	default:
 		value = fmt.Sprintf("%v", v)
 	}
 	return value
 }
--- a/internal/rule/http/request_test.go
+++ b/internal/rule/http/request_test.go
@ -0,0 +1,324 @@
 package http
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"testing"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/pkg/errors"
 )
 func TestSetRequestHost(t *testing.T) {
 	type Vars struct {
 		NewHost string `expr:"newHost"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(setRequestHostFunc()),
 		rule.WithRules(
 			"set_host(ctx, vars.newHost)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	ctx := context.Background()
 	ctx = WithRequest(ctx, req)
 	vars := Vars{
 		NewHost: "foobar",
 	}
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := vars.NewHost, req.Host; e != g {
 		t.Errorf("req.Host: expected '%v', got '%v'", e, g)
 	}
 }
 func TestSetRequestURL(t *testing.T) {
 	type Vars struct {
 		NewURL string `expr:"newURL"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(setRequestURLFunc()),
 		rule.WithRules(
 			"set_url(ctx, vars.newURL)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	ctx := context.Background()
 	ctx = WithRequest(ctx, req)
 	vars := Vars{
 		NewURL: "http://localhost",
 	}
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := vars.NewURL, req.URL.String(); e != g {
 		t.Errorf("req.URL.String(): expected '%v', got '%v'", e, g)
 	}
 }
 func TestAddRequestHeader(t *testing.T) {
 	type Vars struct {
 		NewHeaderKey   string `expr:"newHeaderKey"`
 		NewHeaderValue string `expr:"newHeaderValue"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(addRequestHeaderFunc()),
 		rule.WithRules(
 			"add_header(ctx, vars.newHeaderKey, vars.newHeaderValue)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	ctx := context.Background()
 	ctx = WithRequest(ctx, req)
 	vars := Vars{
 		NewHeaderKey:   "X-My-Header",
 		NewHeaderValue: "foobar",
 	}
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := vars.NewHeaderValue, req.Header.Get(vars.NewHeaderKey); e != g {
 		t.Errorf("req.Header.Get(vars.NewHeaderKey): expected '%v', got '%v'", e, g)
 	}
 }
 func TestSetRequestHeader(t *testing.T) {
 	type Vars struct {
 		HeaderKey   string `expr:"headerKey"`
 		HeaderValue string `expr:"headerValue"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(setRequestHeaderFunc()),
 		rule.WithRules(
 			"set_header(ctx, vars.headerKey, vars.headerValue)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	vars := Vars{
 		HeaderKey:   "X-My-Header",
 		HeaderValue: "foobar",
 	}
 	req.Header.Set(vars.HeaderKey, "test")
 	ctx := context.Background()
 	ctx = WithRequest(ctx, req)
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := vars.HeaderValue, req.Header.Get(vars.HeaderKey); e != g {
 		t.Errorf("req.Header.Get(vars.HeaderKey): expected '%v', got '%v'", e, g)
 	}
 }
 func TestDelRequestHeaders(t *testing.T) {
 	type Vars struct {
 		HeaderPattern string `expr:"headerPattern"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(delRequestHeadersFunc()),
 		rule.WithRules(
 			"del_headers(ctx, vars.headerPattern)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	vars := Vars{
 		HeaderPattern: "X-My-*",
 	}
 	req.Header.Set("X-My-Header", "test")
 	ctx := context.Background()
 	ctx = WithRequest(ctx, req)
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if val := req.Header.Get("X-My-Header"); val != "" {
 		t.Errorf("req.Header.Get(\"X-My-Header\") should be empty, got '%v'", val)
 	}
 }
 func TestAddRequestCookie(t *testing.T) {
 	type TestCase struct {
 		Cookie     map[string]any
 		Check      func(t *testing.T, tc TestCase, req *http.Request)
 		ShouldFail bool
 	}
 	testCases := []TestCase{
 		{
 			Cookie: map[string]any{
 				"name": "test",
 			},
 			Check: func(t *testing.T, tc TestCase, req *http.Request) {
 				cookie, err := req.Cookie(tc.Cookie["name"].(string))
 				if err != nil {
 					t.Errorf("%+v", errors.WithStack(err))
 					return
 				}
 				if e, g := tc.Cookie["name"], cookie.Name; e != g {
 					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
 				}
 			},
 		},
 		{
 			Cookie: map[string]any{
 				"name":  "foo",
 				"value": "test",
 			},
 			Check: func(t *testing.T, tc TestCase, req *http.Request) {
 				cookie, err := req.Cookie(tc.Cookie["name"].(string))
 				if err != nil {
 					t.Errorf("%+v", errors.WithStack(err))
 					return
 				}
 				if e, g := tc.Cookie["name"], cookie.Name; e != g {
 					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["value"], cookie.Value; e != g {
 					t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
 				}
 			},
 		},
 	}
 	for idx, tc := range testCases {
 		t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
 			type Vars struct {
 				NewCookie map[string]any `expr:"new_cookie"`
 			}
 			engine := createRuleEngine[Vars](t,
 				rule.WithExpr(addRequestCookieFunc()),
 				rule.WithRules(
 					`add_cookie(ctx, vars.new_cookie)`,
 				),
 			)
 			req, err := http.NewRequest("GET", "http://example.net", nil)
 			if err != nil {
 				t.Fatalf("%+v", errors.WithStack(err))
 			}
 			vars := Vars{
 				NewCookie: tc.Cookie,
 			}
 			ctx := context.Background()
 			ctx = WithRequest(ctx, req)
 			if _, err := engine.Apply(ctx, vars); err != nil {
 				t.Fatalf("%+v", errors.WithStack(err))
 			}
 			if tc.ShouldFail {
 				t.Error("engine.Apply() should have failed")
 			}
 			if tc.Check != nil {
 				tc.Check(t, tc, req)
 			}
 		})
 	}
 }
 func TestGetRequestCookie(t *testing.T) {
 	type Vars struct {
 		CookieName string `expr:"cookieName"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(getRequestCookieFunc()),
 		rule.WithRules(
 			"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	vars := Vars{
 		CookieName: "foo",
 	}
 	cookie := &http.Cookie{
 		Name:  vars.CookieName,
 		Value: "bar",
 	}
 	req.AddCookie(cookie)
 	ctx := context.Background()
 	ctx = WithRequest(ctx, req)
 	results, err := engine.Apply(ctx, vars)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := cookie.Value, results[0]; e != g {
 		t.Errorf("result[0]: expected '%v', got '%v'", e, g)
 	}
 }
 func createRuleEngine[V any](t *testing.T, funcs ...rule.OptionFunc) *rule.Engine[V] {
 	engine, err := rule.NewEngine[V](funcs...)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	return engine
 }
--- a/internal/rule/http/response.go
+++ b/internal/rule/http/response.go
@ -1,6 +1,7 @@
 package http
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"strconv"
@ -8,15 +9,26 @@ import (
 	"time"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
-func addResponseHeaderFunc(r *http.Response) expr.Option {
+func addResponseHeaderFunc() expr.Option {
 	return expr.Function(
 		"add_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
-			rawValue := params[1]
+			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			name, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			rawValue := params[2]
 			var value string
 			switch v := rawValue.(type) {
@ -30,20 +42,34 @@ func addResponseHeaderFunc(r *http.Response) expr.Option {
 				value = fmt.Sprintf("%v", rawValue)
 			}
 			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
 			r.Header.Add(name, value)
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
-func setResponseHeaderFunc(r *http.Response) expr.Option {
+func setResponseHeaderFunc() expr.Option {
 	return expr.Function(
 		"set_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
-			rawValue := params[1]
+			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			name, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			rawValue := params[2]
 			var value string
 			switch v := rawValue.(type) {
@ -57,19 +83,38 @@ func setResponseHeaderFunc(r *http.Response) expr.Option {
 				value = fmt.Sprintf("%v", rawValue)
 			}
 			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
 			r.Header.Set(name, value)
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
-func delResponseHeadersFunc(r *http.Response) expr.Option {
+func delResponseHeadersFunc() expr.Option {
 	return expr.Function(
 		"del_headers",
 		func(params ...any) (any, error) {
-			pattern := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			pattern, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
 			deleted := false
 			for key := range r.Header {
@ -83,6 +128,87 @@ func delResponseHeadersFunc(r *http.Response) expr.Option {
 			return deleted, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
 func addResponseCookieFunc() expr.Option {
 	return expr.Function(
 		"add_cookie",
 		func(params ...any) (any, error) {
 			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			values, err := rule.Assert[map[string]any](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			cookie, err := cookieFrom(values)
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
 			r.Header.Add("Set-Cookie", cookie.String())
 			return true, nil
 		},
 		new(func(context.Context, map[string]any) bool),
 	)
 }
 func getResponseCookieFunc() expr.Option {
 	return expr.Function(
 		"get_cookie",
 		func(params ...any) (any, error) {
 			ctx, err := rule.Assert[context.Context](params[0])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			name, err := rule.Assert[string](params[1])
 			if err != nil {
 				return nil, errors.WithStack(err)
 			}
 			res, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
 			var cookie *http.Cookie
 			for _, c := range res.Cookies() {
 				if c.Name != name {
 					continue
 				}
 				cookie = c
 				break
 			}
 			if cookie == nil {
 				return nil, nil
 			}
 			return CookieVar{
 				Name:     cookie.Name,
 				Value:    cookie.Value,
 				Path:     cookie.Path,
 				Domain:   cookie.Domain,
 				Expires:  cookie.Expires,
 				MaxAge:   cookie.MaxAge,
 				Secure:   cookie.Secure,
 				HttpOnly: cookie.HttpOnly,
 				SameSite: cookie.SameSite,
 			}, nil
 		},
 		new(func(context.Context, string) CookieVar),
 	)
 }
--- a/internal/rule/http/response_test.go
+++ b/internal/rule/http/response_test.go
@ -0,0 +1,317 @@
 package http
 import (
 	"context"
 	"fmt"
 	"io"
 	"net/http"
 	"testing"
 	"time"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/pkg/errors"
 )
 func TestAddResponseHeader(t *testing.T) {
 	type Vars struct {
 		NewHeaderKey   string `expr:"newHeaderKey"`
 		NewHeaderValue string `expr:"newHeaderValue"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(addResponseHeaderFunc()),
 		rule.WithRules(
 			"add_header(ctx, vars.newHeaderKey, vars.newHeaderValue)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	resp := createResponse(req, http.StatusOK, nil)
 	ctx := context.Background()
 	ctx = WithResponse(ctx, resp)
 	vars := Vars{
 		NewHeaderKey:   "X-My-Header",
 		NewHeaderValue: "foobar",
 	}
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := vars.NewHeaderValue, resp.Header.Get(vars.NewHeaderKey); e != g {
 		t.Errorf("resp.Header.Get(vars.NewHeaderKey): expected '%v', got '%v'", e, g)
 	}
 }
 func TestResponseSetHeader(t *testing.T) {
 	type Vars struct {
 		HeaderKey   string `expr:"headerKey"`
 		HeaderValue string `expr:"headerValue"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(setResponseHeaderFunc()),
 		rule.WithRules(
 			"set_header(ctx, vars.headerKey, vars.headerValue)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	resp := createResponse(req, http.StatusOK, nil)
 	vars := Vars{
 		HeaderKey:   "X-My-Header",
 		HeaderValue: "foobar",
 	}
 	resp.Header.Set(vars.HeaderKey, "test")
 	ctx := context.Background()
 	ctx = WithResponse(ctx, resp)
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := vars.HeaderValue, resp.Header.Get(vars.HeaderKey); e != g {
 		t.Errorf("resp.Header.Get(vars.HeaderKey): expected '%v', got '%v'", e, g)
 	}
 }
 func TestResponseDelHeaders(t *testing.T) {
 	type Vars struct {
 		HeaderPattern string `expr:"headerPattern"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(delResponseHeadersFunc()),
 		rule.WithRules(
 			"del_headers(ctx, vars.headerPattern)",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	resp := createResponse(req, http.StatusOK, nil)
 	vars := Vars{
 		HeaderPattern: "X-My-*",
 	}
 	resp.Header.Set("X-My-Header", "test")
 	ctx := context.Background()
 	ctx = WithResponse(ctx, resp)
 	if _, err := engine.Apply(ctx, vars); err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if val := resp.Header.Get("X-My-Header"); val != "" {
 		t.Errorf("resp.Header.Get(\"X-My-Header\") should be empty, got '%v'", val)
 	}
 }
 func TestAddResponseCookie(t *testing.T) {
 	type TestCase struct {
 		Cookie     map[string]any
 		Check      func(t *testing.T, tc TestCase, res *http.Response)
 		ShouldFail bool
 	}
 	testCases := []TestCase{
 		{
 			Cookie: map[string]any{
 				"name":      "foo",
 				"value":     "test",
 				"domain":    "example.net",
 				"path":      "/custom",
 				"same_site": http.SameSiteStrictMode,
 				"http_only": true,
 				"secure":    false,
 				"expires":   time.Now().UTC().Truncate(time.Second),
 			},
 			Check: func(t *testing.T, tc TestCase, res *http.Response) {
 				var cookie *http.Cookie
 				for _, c := range res.Cookies() {
 					if c.Name == tc.Cookie["name"] {
 						cookie = c
 						break
 					}
 				}
 				if cookie == nil {
 					t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
 					return
 				}
 				if e, g := tc.Cookie["name"], cookie.Name; e != g {
 					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["value"], cookie.Value; e != g {
 					t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["domain"], cookie.Domain; e != g {
 					t.Errorf("cookie.Domain: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["path"], cookie.Path; e != g {
 					t.Errorf("cookie.Path: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["secure"], cookie.Secure; e != g {
 					t.Errorf("cookie.Secure: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["http_only"], cookie.HttpOnly; e != g {
 					t.Errorf("cookie.HttpOnly: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["same_site"], cookie.SameSite; e != g {
 					t.Errorf("cookie.SameSite: expected '%v', got '%v'", e, g)
 				}
 				if e, g := tc.Cookie["expires"], cookie.Expires; e != g {
 					t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
 				}
 			},
 		},
 		{
 			Cookie: map[string]any{
 				"name":    "foo",
 				"expires": time.Now().UTC().Format(http.TimeFormat),
 			},
 			Check: func(t *testing.T, tc TestCase, res *http.Response) {
 				var cookie *http.Cookie
 				for _, c := range res.Cookies() {
 					if c.Name == tc.Cookie["name"] {
 						cookie = c
 						break
 					}
 				}
 				if cookie == nil {
 					t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
 					return
 				}
 				if e, g := tc.Cookie["expires"], cookie.Expires.Format(http.TimeFormat); e != g {
 					t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
 				}
 			},
 		},
 	}
 	for idx, tc := range testCases {
 		t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
 			type Vars struct {
 				NewCookie map[string]any `expr:"new_cookie"`
 			}
 			engine := createRuleEngine[Vars](t,
 				rule.WithExpr(addResponseCookieFunc()),
 				rule.WithRules(
 					`add_cookie(ctx, vars.new_cookie)`,
 				),
 			)
 			req, err := http.NewRequest("GET", "http://example.net", nil)
 			if err != nil {
 				t.Fatalf("%+v", errors.WithStack(err))
 			}
 			resp := createResponse(req, http.StatusOK, nil)
 			vars := Vars{
 				NewCookie: tc.Cookie,
 			}
 			ctx := context.Background()
 			ctx = WithRequest(ctx, req)
 			ctx = WithResponse(ctx, resp)
 			if _, err := engine.Apply(ctx, vars); err != nil {
 				t.Fatalf("%+v", errors.WithStack(err))
 			}
 			if tc.ShouldFail {
 				t.Error("engine.Apply() should have failed")
 			}
 			if tc.Check != nil {
 				tc.Check(t, tc, resp)
 			}
 		})
 	}
 }
 func TestGetResponseCookie(t *testing.T) {
 	type Vars struct {
 		CookieName string `expr:"cookieName"`
 	}
 	engine := createRuleEngine[Vars](t,
 		rule.WithExpr(getResponseCookieFunc()),
 		rule.WithRules(
 			"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
 		),
 	)
 	req, err := http.NewRequest("GET", "http://example.net", nil)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	resp := createResponse(req, http.StatusOK, nil)
 	vars := Vars{
 		CookieName: "foo",
 	}
 	cookie := &http.Cookie{
 		Name:  vars.CookieName,
 		Value: "bar",
 	}
 	resp.Header.Add("Set-Cookie", cookie.String())
 	ctx := context.Background()
 	ctx = WithResponse(ctx, resp)
 	results, err := engine.Apply(ctx, vars)
 	if err != nil {
 		t.Fatalf("%+v", errors.WithStack(err))
 	}
 	if e, g := cookie.Value, results[0]; e != g {
 		t.Errorf("result[0]: expected '%v', got '%v'", e, g)
 	}
 }
 func createResponse(req *http.Request, statusCode int, body io.Reader) *http.Response {
 	return &http.Response{
 		Status:        http.StatusText(statusCode),
 		StatusCode:    statusCode,
 		Proto:         "HTTP/1.1",
 		ProtoMajor:    1,
 		ProtoMinor:    1,
 		Body:          io.NopCloser(body),
 		ContentLength: -1,
 		Request:       req,
 		Header:        make(http.Header, 0),
 	}
 }
--- a/internal/session/options.go
+++ b/internal/session/options.go
@ -10,6 +10,7 @@ import (
 type Options struct {
 	Session   sessions.Options
 	KeyPrefix string
 	TTL       time.Duration
 }
 type OptionFunc func(opts *Options)
@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			SameSite: http.SameSiteDefaultMode,
 		},
 		KeyPrefix: "session:",
 		TTL:       time.Hour,
 	}
 	for _, fn := range funcs {
@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
 		opts.KeyPrefix = prefix
 	}
 }
 func WithTTL(ttl time.Duration) OptionFunc {
 	return func(opts *Options) {
 		opts.TTL = ttl
 	}
 }
--- a/internal/session/store.go
+++ b/internal/session/store.go
@ -31,6 +31,7 @@ type Store struct {
 	keyPrefix  string
 	keyGen     KeyGenFunc
 	serializer SessionSerializer
 	ttl        time.Duration
 }
 type KeyGenFunc func() (string, error)
@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
 		keyPrefix:  opts.KeyPrefix,
 		keyGen:     generateRandomKey,
 		serializer: GobSerializer{},
 		ttl:        opts.TTL,
 	}
 	return rs
@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
 	if err != nil {
 		return session, nil
 	}
 	session.ID = c.Value
 	err = s.load(r.Context(), session)
 	if err == nil {
 		session.IsNew = false
 	} else if !errors.Is(err, ErrNotFound) {
-		return nil, errors.WithStack(err)
+		return session, errors.WithStack(err)
 	}
 	return session, nil
 }
 func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
-	if session.Options.MaxAge <= 0 {
+	if session.Options.MaxAge < 0 {
 		if err := s.delete(r.Context(), session); err != nil {
 			return errors.WithStack(err)
 		}
@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
 		return errors.WithStack(err)
 	}
-	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
+	ttl := time.Duration(session.Options.MaxAge) * time.Second
 	if s.ttl < ttl || ttl == 0 {
 		ttl = s.ttl
 	}
 	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
 		return errors.WithStack(err)
 	}
--- a/internal/setup/authn_oidc_layer.go
+++ b/internal/setup/authn_oidc_layer.go
@ -23,7 +23,7 @@ func init() {
 }
 func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
-	rdb := newRedisClient(conf.Redis)
+	rdb := NewSharedClient(conf.Redis)
 	adapter := redis.NewStoreAdapter(rdb)
 	store := session.NewStore(adapter)
@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
 		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }
--- a/internal/setup/integrations.go
+++ b/internal/setup/integrations.go
@ -27,7 +27,7 @@ func SetupIntegrations(ctx context.Context, conf *config.Config) ([]integration.
 }
 func setupKubernetesIntegration(ctx context.Context, conf *config.Config) (*kubernetes.Integration, error) {
-	client := newRedisClient(conf.Redis)
+	client := NewSharedClient(conf.Redis)
 	locker := redis.NewLocker(client, 10)
 	integration := kubernetes.NewIntegration(
--- a/internal/setup/lock.go
+++ b/internal/setup/lock.go
@ -9,7 +9,7 @@ import (
 )
 func SetupLocker(ctx context.Context, conf *config.Config) (lock.Locker, error) {
-	client := newRedisClient(conf.Redis)
+	client := NewSharedClient(conf.Redis)
 	locker := redis.NewLocker(client, int(conf.Redis.LockMaxRetries))
 	return locker, nil
 }
--- a/internal/setup/proxy_repository.go
+++ b/internal/setup/proxy_repository.go
@ -3,23 +3,15 @@ package setup
 import (
 	"context"
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
 	"github.com/redis/go-redis/v9"
 )
 func NewRedisClient(ctx context.Context, conf config.RedisConfig) redis.UniversalClient {
 	return redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs:      conf.Adresses,
 		MasterName: string(conf.Master),
 	})
 }
 func NewProxyRepository(ctx context.Context, client redis.UniversalClient) (store.ProxyRepository, error) {
-	return redisStore.NewProxyRepository(client), nil
+	return redisStore.NewProxyRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay), nil
 }
 func NewLayerRepository(ctx context.Context, client redis.UniversalClient) (store.LayerRepository, error) {
-	return redisStore.NewLayerRepository(client), nil
+	return redisStore.NewLayerRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay), nil
 }
--- a/internal/setup/queue_layer.go
+++ b/internal/setup/queue_layer.go
@ -35,6 +35,6 @@ func setupQueueLayer(conf *config.Config) (director.Layer, error) {
 }
 func newQueueAdapter(redisConf config.RedisConfig) (queue.Adapter, error) {
-	rdb := newRedisClient(redisConf)
+	rdb := NewSharedClient(redisConf)
 	return queueRedis.NewAdapter(rdb, 2), nil
 }
--- a/internal/setup/redis.go
+++ b/internal/setup/redis.go
@ -1,20 +1,78 @@
 package setup
 import (
 	"context"
 	"strings"
 	"sync"
 	"time"
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"github.com/pkg/errors"
 	"github.com/redis/go-redis/v9"
 	"gitlab.com/wpetit/goweb/logger"
 )
 var clients sync.Map
 func NewSharedClient(conf config.RedisConfig) redis.UniversalClient {
 	key := strings.Join(conf.Adresses, "|") + "|" + string(conf.Master)
 	value, exists := clients.Load(key)
 	if exists {
 		if client, ok := (value).(redis.UniversalClient); ok {
 			return client
 		}
 	}
 	client := newRedisClient(conf)
 	clients.Store(key, client)
 	return client
 }
 func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
-	return redis.NewUniversalClient(&redis.UniversalOptions{
+	client := redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs:                 conf.Adresses,
 		MasterName:            string(conf.Master),
 		ReadTimeout:           time.Duration(conf.ReadTimeout),
 		WriteTimeout:          time.Duration(conf.WriteTimeout),
 		DialTimeout:           time.Duration(conf.DialTimeout),
-		RouteByLatency:        true,
+		RouteByLatency:        bool(conf.RouteByLatency),
-		ContextTimeoutEnabled: true,
+		ContextTimeoutEnabled: bool(conf.ContextTimeoutEnabled),
 		MaxRetries:            int(conf.MaxRetries),
 		PoolSize:              int(conf.PoolSize),
 		PoolTimeout:           time.Duration(conf.PoolTimeout),
 		MinIdleConns:          int(conf.MinIdleConns),
 		MaxIdleConns:          int(conf.MaxIdleConns),
 		ConnMaxIdleTime:       time.Duration(conf.ConnMaxIdleTime),
 		ConnMaxLifetime:       time.Duration(conf.ConnMaxLifetime),
 	})
 	go func() {
 		ctx := logger.With(context.Background(),
 			logger.F("adresses", conf.Adresses),
 			logger.F("master", conf.Master),
 		)
 		timer := time.NewTicker(time.Duration(conf.PingInterval))
 		defer timer.Stop()
 		connected := true
 		for range timer.C {
 			if _, err := client.Ping(ctx).Result(); err != nil {
 				logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
 				connected = false
 				continue
 			}
 			if !connected {
 				logger.Info(ctx, "redis reconnected")
 				connected = true
 			}
 		}
 	}()
 	return client
 }
--- a/internal/setup/sentry.go
+++ b/internal/setup/sentry.go
@ -34,6 +34,10 @@ func SetupSentry(ctx context.Context, conf config.SentryConfig, release string)
 		return nil, errors.WithStack(err)
 	}
 	logger.SetCaptureFunc(func(err error) {
 		sentry.CaptureException(err)
 	})
 	flush := func() {
 		sentry.Flush(time.Duration(*conf.FlushTimeout))
 	}
--- a/internal/store/layer.go
+++ b/internal/store/layer.go
@ -13,6 +13,7 @@ type (
 type LayerHeader struct {
 	Proxy    ProxyName `json:"proxy"`
 	Name     LayerName `json:"name"`
 	Revision int       `json:"revision"`
 	Type     LayerType `json:"type"`
 	Weight  int  `json:"weight"`
--- a/internal/store/proxy.go
+++ b/internal/store/proxy.go
@ -8,7 +8,7 @@ type ProxyName Name
 type ProxyHeader struct {
 	Name     ProxyName `json:"name"`
-
+	Revision int       `json:"revision"`
 	Weight   int       `json:"weight"`
 	Enabled  bool      `json:"enabled"`
 }
--- a/internal/store/redis/helper.go
+++ b/internal/store/redis/helper.go
@ -3,10 +3,18 @@ package redis
 import (
 	"context"
 	"encoding/json"
 	"math/rand"
 	"strings"
 	"time"
 	"github.com/pkg/errors"
 	"github.com/redis/go-redis/v9"
 	"gitlab.com/wpetit/goweb/logger"
 )
 var (
 	DefaultTxMaxAttempts = 20
 	DefaultTxBaseDelay   = 100 * time.Millisecond
 )
 type jsonWrapper[T any] struct {
@ -65,6 +73,35 @@ func key(parts ...string) string {
 	return strings.Join(parts, ":")
 }
 func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn func(ctx context.Context, tx *redis.Tx) error, maxAttempts int, baseDelay time.Duration) error {
 	var err error
 	delay := baseDelay
 	for attempt := 0; attempt < maxAttempts; attempt++ {
 		if err = WithTx(ctx, client, key, fn); err != nil {
 			err = errors.WithStack(err)
 			logger.Debug(ctx, "redis transaction failed", logger.CapturedE(err))
 			if errors.Is(err, redis.TxFailedErr) {
 				logger.Debug(ctx, "retrying redis transaction", logger.F("attempts", attempt), logger.F("delay", delay))
 				time.Sleep(delay)
 				delay = delay*2 + time.Duration(rand.Int63n(int64(baseDelay)))
 				continue
 			}
 			return errors.WithStack(err)
 		}
 		return nil
 	}
 	logger.Error(ctx, "redis error", logger.CapturedE(errors.WithStack(err)))
 	return errors.WithStack(redis.TxFailedErr)
 }
 func WithTx(ctx context.Context, client redis.UniversalClient, key string, fn func(ctx context.Context, tx *redis.Tx) error) error {
 	txf := func(tx *redis.Tx) error {
 		if err := fn(ctx, tx); err != nil {
--- a/internal/store/redis/layer_item.go
+++ b/internal/store/redis/layer_item.go
@ -10,6 +10,7 @@ import (
 type layerHeaderItem struct {
 	Proxy    string `redis:"proxy"`
 	Name     string `redis:"name"`
 	Revision int    `redis:"revision"`
 	Type     string `redis:"type"`
 	Weight  int  `redis:"weight"`
@ -20,6 +21,7 @@ func (i *layerHeaderItem) ToLayerHeader() (*store.LayerHeader, error) {
 	layerHeader := &store.LayerHeader{
 		Proxy:    store.ProxyName(i.Proxy),
 		Name:     store.LayerName(i.Name),
 		Revision: i.Revision,
 		Type:     store.LayerType(i.Type),
 		Weight:   i.Weight,
 		Enabled:  i.Enabled,
--- a/internal/store/redis/layer_repository.go
+++ b/internal/store/redis/layer_repository.go
@ -15,6 +15,8 @@ const (
 type LayerRepository struct {
 	client           redis.UniversalClient
 	txMaxAttempts    int
 	txRetryBaseDelay time.Duration
 }
 // CreateLayer implements store.LayerRepository
@ -28,12 +30,13 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
 			Name:     string(layerName),
 			Type:     string(layerType),
 			Weight:   0,
 			Revision: 0,
 			Enabled:  false,
 		},
 		CreatedAt: wrap(now),
 		UpdatedAt: wrap(now),
-		Options:   wrap(store.LayerOptions{}),
+		Options:   wrap(options),
 	}
 	txf := func(tx *redis.Tx) error {
@ -57,6 +60,11 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
 			return errors.WithStack(err)
 		}
 		layerItem, err = r.txGetLayerItem(ctx, tx, proxyName, layerName)
 		if err != nil {
 			return errors.WithStack(err)
 		}
 		return nil
 	}
@ -67,16 +75,16 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
 	return &store.Layer{
 		LayerHeader: store.LayerHeader{
-			Name:    layerName,
+			Name:    store.LayerName(layerItem.Name),
-			Proxy:   proxyName,
+			Proxy:   store.ProxyName(layerItem.Proxy),
-			Type:    layerType,
+			Type:    store.LayerType(layerItem.Type),
-			Weight:  0,
+			Weight:  layerItem.Weight,
-			Enabled: false,
+			Enabled: layerItem.Enabled,
 		},
-		CreatedAt: now,
+		CreatedAt: layerItem.CreatedAt.Value(),
-		UpdatedAt: now,
+		UpdatedAt: layerItem.UpdatedAt.Value(),
-		Options:   store.LayerOptions{},
+		Options:   layerItem.Options.Value(),
 	}, nil
 }
@ -96,7 +104,7 @@ func (r *LayerRepository) GetLayer(ctx context.Context, proxyName store.ProxyNam
 	key := layerKey(proxyName, layerName)
 	var layerItem *layerItem
-	err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
+	err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
 		pItem, err := r.txGetLayerItem(ctx, tx, proxyName, layerName)
 		if err != nil {
 			return errors.WithStack(err)
@ -105,7 +113,7 @@ func (r *LayerRepository) GetLayer(ctx context.Context, proxyName store.ProxyNam
 		layerItem = pItem
 		return nil
-	})
+	}, r.txMaxAttempts, r.txRetryBaseDelay)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -197,7 +205,7 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
 	key := layerKey(proxyName, layerName)
 	var layerItem layerItem
-	err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
+	err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
 		item, err := r.txGetLayerItem(ctx, tx, proxyName, layerName)
 		if err != nil {
 			return errors.WithStack(err)
@ -216,6 +224,7 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
 		}
 		item.UpdatedAt = wrap(time.Now().UTC())
 		item.Revision = item.Revision + 1
 		_, err = tx.TxPipelined(ctx, func(p redis.Pipeliner) error {
 			p.HMSet(ctx, key, item.layerHeaderItem)
@ -230,7 +239,7 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
 		layerItem = *item
 		return nil
-	})
+	}, r.txMaxAttempts, r.txRetryBaseDelay)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -243,9 +252,11 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
 	return layer, nil
 }
-func NewLayerRepository(client redis.UniversalClient) *LayerRepository {
+func NewLayerRepository(client redis.UniversalClient, txMaxAttempts int, txRetryBaseDelay time.Duration) *LayerRepository {
 	return &LayerRepository{
 		client:           client,
 		txMaxAttempts:    txMaxAttempts,
 		txRetryBaseDelay: txRetryBaseDelay,
 	}
 }
--- a/internal/store/redis/layer_repository_test.go
+++ b/internal/store/redis/layer_repository_test.go
@ -7,6 +7,6 @@ import (
 )
 func TestLayerRepository(t *testing.T) {
-	repository := NewLayerRepository(client)
+	repository := NewLayerRepository(client, DefaultTxMaxAttempts, DefaultTxBaseDelay)
 	testsuite.TestLayerRepository(t, repository)
 }
--- a/internal/store/redis/proxy_item.go
+++ b/internal/store/redis/proxy_item.go
@ -9,6 +9,7 @@ import (
 type proxyHeaderItem struct {
 	Name     string `redis:"name"`
 	Revision int    `redis:"revision"`
 	Weight  int  `redis:"weight"`
 	Enabled bool `redis:"enabled"`
@ -20,6 +21,7 @@ type proxyHeaderItem struct {
 func (i *proxyHeaderItem) ToProxyHeader() (*store.ProxyHeader, error) {
 	proxyHeader := &store.ProxyHeader{
 		Name:     store.ProxyName(i.Name),
 		Revision: i.Revision,
 		Weight:   i.Weight,
 		Enabled:  i.Enabled,
 	}
--- a/internal/store/redis/proxy_repository.go
+++ b/internal/store/redis/proxy_repository.go
@ -15,6 +15,8 @@ const (
 type ProxyRepository struct {
 	client           redis.UniversalClient
 	txMaxAttempts    int
 	txRetryBaseDelay time.Duration
 }
 // GetProxy implements store.ProxyRepository
@ -22,7 +24,7 @@ func (r *ProxyRepository) GetProxy(ctx context.Context, name store.ProxyName) (*
 	key := proxyKey(name)
 	var proxyItem *proxyItem
-	err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
+	err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
 		pItem, err := r.txGetProxyItem(ctx, tx, name)
 		if err != nil {
 			return errors.WithStack(err)
@ -31,7 +33,7 @@ func (r *ProxyRepository) GetProxy(ctx context.Context, name store.ProxyName) (*
 		proxyItem = pItem
 		return nil
-	})
+	}, r.txMaxAttempts, r.txRetryBaseDelay)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -89,6 +91,7 @@ func (r *ProxyRepository) CreateProxy(ctx context.Context, name store.ProxyName,
 				CreatedAt: wrap(now),
 				UpdatedAt: wrap(now),
 				Weight:    0,
 				Revision:  0,
 				Enabled:   false,
 			},
 			To:   to,
@ -191,7 +194,7 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
 	key := proxyKey(name)
 	var proxyItem proxyItem
-	err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
+	err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
 		item, err := r.txGetProxyItem(ctx, tx, name)
 		if err != nil {
 			return errors.WithStack(err)
@ -214,6 +217,7 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
 		}
 		item.UpdatedAt = wrap(time.Now().UTC())
 		item.Revision = item.Revision + 1
 		_, err = tx.TxPipelined(ctx, func(p redis.Pipeliner) error {
 			p.HMSet(ctx, key, item.proxyHeaderItem)
@ -228,7 +232,7 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
 		proxyItem = *item
 		return nil
-	})
+	}, r.txMaxAttempts, r.txRetryBaseDelay)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -241,9 +245,11 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
 	return proxy, nil
 }
-func NewProxyRepository(client redis.UniversalClient) *ProxyRepository {
+func NewProxyRepository(client redis.UniversalClient, txMaxAttempts int, txRetryBaseDelay time.Duration) *ProxyRepository {
 	return &ProxyRepository{
 		client:           client,
 		txMaxAttempts:    20,
 		txRetryBaseDelay: txRetryBaseDelay,
 	}
 }
--- a/internal/store/redis/proxy_repository_test.go
+++ b/internal/store/redis/proxy_repository_test.go
@ -7,6 +7,6 @@ import (
 )
 func TestProxyRepository(t *testing.T) {
-	repository := NewProxyRepository(client)
+	repository := NewProxyRepository(client, DefaultTxMaxAttempts, DefaultTxBaseDelay)
 	testsuite.TestProxyRepository(t, repository)
 }
--- a/internal/store/testsuite/layer_repository.go
+++ b/internal/store/testsuite/layer_repository.go
@ -3,6 +3,7 @@ package testsuite
 import (
 	"context"
 	"reflect"
 	"sync"
 	"testing"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -49,6 +50,10 @@ var layerRepositoryTestCases = []layerRepositoryTestCase{
 				return errors.Errorf("layer.UpdatedAt should not be zero value")
 			}
 			if layer.Revision != 0 {
 				return errors.Errorf("layer.Revision should be zero")
 			}
 			return nil
 		},
 	},
@ -230,6 +235,86 @@ var layerRepositoryTestCases = []layerRepositoryTestCase{
 				return errors.New("could not find created layer in query results")
 			}
 			return nil
 		},
 	},
 	{
 		Name: "Create then update layer",
 		Do: func(repo store.LayerRepository) error {
 			ctx := context.Background()
 			var layerName store.LayerName = "create_then_update_layer"
 			var proxyName store.ProxyName = store.ProxyName(string(layerName) + "_proxy")
 			var layerType store.LayerType = "dummy"
 			var layerOptions store.LayerOptions = store.LayerOptions{}
 			createdLayer, err := repo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions)
 			if err != nil {
 				return errors.WithStack(err)
 			}
 			if e, g := 0, createdLayer.Revision; e != g {
 				return errors.Errorf("createdLayer.Revision: expected '%v', got '%v'", e, g)
 			}
 			updatedLayer, err := repo.UpdateLayer(ctx, proxyName, layerName)
 			if err != nil {
 				return errors.Wrap(err, "err should be nil")
 			}
 			if e, g := 1, updatedLayer.Revision; e != g {
 				return errors.Errorf("updatedLayer.Revision: expected '%v', got '%v'", e, g)
 			}
 			return nil
 		},
 	},
 	{
 		Name: "Update layer concurrently",
 		Do: func(repo store.LayerRepository) error {
 			ctx := context.Background()
 			var layerName store.LayerName = "update_layer_concurrently"
 			var proxyName store.ProxyName = store.ProxyName(string(layerName) + "_proxy")
 			var layerType store.LayerType = "dummy"
 			var layerOptions store.LayerOptions = store.LayerOptions{}
 			createdLayer, err := repo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions)
 			if err != nil {
 				return errors.WithStack(err)
 			}
 			if createdLayer.Revision != 0 {
 				return errors.Errorf("createdLayer.Revision should be zero")
 			}
 			var wg sync.WaitGroup
 			total := 100
 			wg.Add(total)
 			for i := 0; i < total; i++ {
 				go func(i int) {
 					defer wg.Done()
 					if _, err := repo.UpdateLayer(ctx, createdLayer.Proxy, createdLayer.Name); err != nil {
 						panic(errors.Wrap(err, "err should be nil"))
 					}
 				}(i)
 			}
 			wg.Wait()
 			layer, err := repo.GetLayer(ctx, createdLayer.Proxy, createdLayer.Name)
 			if err != nil {
 				return errors.Wrap(err, "err should be nil")
 			}
 			if e, g := total, layer.Revision; e != g {
 				return errors.Errorf("layer.Revision: expected '%v', got '%v'", e, g)
 			}
 			return nil
 		},
 	},
--- a/internal/store/testsuite/proxy_repository.go
+++ b/internal/store/testsuite/proxy_repository.go
@ -3,6 +3,7 @@ package testsuite
 import (
 	"context"
 	"reflect"
 	"sync"
 	"testing"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -51,6 +52,10 @@ var proxyRepositoryTestCases = []proxyRepositoryTestCase{
 				return errors.Errorf("proxy.UpdatedAt should not be zero value")
 			}
 			if proxy.Revision != 0 {
 				return errors.Errorf("proxy.Revision should be zero")
 			}
 			return nil
 		},
 	},
@ -99,6 +104,10 @@ var proxyRepositoryTestCases = []proxyRepositoryTestCase{
 				return errors.Errorf("foundProxy.UpdatedAt: expected '%v', got '%v'", createdProxy.UpdatedAt, foundProxy.UpdatedAt)
 			}
 			if foundProxy.Revision != 0 {
 				return errors.Errorf("foundProxy.Revision should be zero")
 			}
 			return nil
 		},
 	},
@ -194,6 +203,84 @@ var proxyRepositoryTestCases = []proxyRepositoryTestCase{
 				return errors.Errorf("err: expected store.ErrAlreadyExists, got '%+v'", err)
 			}
 			return nil
 		},
 	},
 	{
 		Name: "Create then update proxy",
 		Do: func(repo store.ProxyRepository) error {
 			ctx := context.Background()
 			to := "http://example.com"
 			var name store.ProxyName = "create_then_update_proxy"
 			createdProxy, err := repo.CreateProxy(ctx, name, to, "127.0.0.1:*", "localhost:*")
 			if err != nil {
 				return errors.Wrap(err, "err should be nil")
 			}
 			if createdProxy.Revision != 0 {
 				return errors.Errorf("createdProxy.Revision should be zero")
 			}
 			updatedProxy, err := repo.UpdateProxy(ctx, name)
 			if err != nil {
 				return errors.Wrap(err, "err should be nil")
 			}
 			if e, g := 1, updatedProxy.Revision; e != g {
 				return errors.Errorf("updatedProxy.Revision: expected '%v', got '%v'", e, g)
 			}
 			return nil
 		},
 	},
 	{
 		Name: "Update proxy concurrently",
 		Do: func(repo store.ProxyRepository) error {
 			ctx := context.Background()
 			to := "http://example.com"
 			var name store.ProxyName = "update_proxy_concurrently"
 			createdProxy, err := repo.CreateProxy(ctx, name, to, "127.0.0.1:*", "localhost:*")
 			if err != nil {
 				return errors.Wrap(err, "err should be nil")
 			}
 			if createdProxy.Revision != 0 {
 				return errors.Errorf("createdProxy.Revision should be zero")
 			}
 			var wg sync.WaitGroup
 			total := 100
 			wg.Add(total)
 			for i := 0; i < total; i++ {
 				go func(i int) {
 					defer wg.Done()
 					if _, err := repo.UpdateProxy(ctx, name); err != nil {
 						panic(errors.Wrap(err, "err should be nil"))
 					}
 				}(i)
 			}
 			wg.Wait()
 			proxy, err := repo.GetProxy(ctx, name)
 			if err != nil {
 				return errors.Wrap(err, "err should be nil")
 			}
 			if e, g := total, proxy.Revision; e != g {
 				return errors.Errorf("proxy.Revision: expected '%v', got '%v'", e, g)
 			}
 			return nil
 		},
 	},
--- a/internal/syncx/cached_resource.go
+++ b/internal/syncx/cached_resource.go
@ -0,0 +1,63 @@
 package syncx
 import (
 	"context"
 	"sync"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"github.com/pkg/errors"
 )
 type RefreshFunc[K comparable, V any] func(ctx context.Context, key K) (V, error)
 type CachedResource[K comparable, V any] struct {
 	cache   cache.Cache[K, V]
 	lock    sync.RWMutex
 	refresh RefreshFunc[K, V]
 }
 func (r *CachedResource[K, V]) Clear() {
 	r.cache.Clear()
 }
 func (r *CachedResource[K, V]) Get(ctx context.Context, key K) (V, bool, error) {
 	value, exists := r.cache.Get(key)
 	if exists {
 		return value, false, nil
 	}
 	locked := r.lock.TryLock()
 	if !locked {
 		r.lock.RLock()
 		value, exists := r.cache.Get(key)
 		if exists {
 			r.lock.RUnlock()
 			return value, false, nil
 		}
 		r.lock.RUnlock()
 	}
 	if !locked {
 		r.lock.Lock()
 	}
 	defer r.lock.Unlock()
 	value, err := r.refresh(ctx, key)
 	if err != nil {
 		return *new(V), false, errors.WithStack(err)
 	}
 	r.cache.Set(key, value)
 	return value, true, nil
 }
 func NewCachedResource[K comparable, V any](cache cache.Cache[K, V], refresh RefreshFunc[K, V]) *CachedResource[K, V] {
 	return &CachedResource[K, V]{
 		cache:   cache,
 		refresh: refresh,
 	}
 }
--- a/internal/syncx/cached_resource_test.go
+++ b/internal/syncx/cached_resource_test.go
@ -0,0 +1,66 @@
 package syncx
 import (
 	"context"
 	"math"
 	"sync"
 	"testing"
 	"time"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"github.com/pkg/errors"
 )
 func TestCachedResource(t *testing.T) {
 	refreshCalls := 0
 	cacheTTL := 1*time.Second + 500*time.Millisecond
 	duration := 2 * time.Second
 	expectedCalls := math.Ceil(float64(duration) / float64(cacheTTL))
 	resource := NewCachedResource(
 		ttl.NewCache(
 			memory.NewCache[string, string](),
 			memory.NewCache[string, time.Time](),
 			cacheTTL,
 		),
 		func(ctx context.Context, key string) (string, error) {
 			refreshCalls++
 			return "bar", nil
 		},
 	)
 	concurrents := 50
 	key := "foo"
 	var wg sync.WaitGroup
 	wg.Add(concurrents)
 	for i := range concurrents {
 		go func(i int) {
 			done := time.After(duration)
 			defer wg.Done()
 			for {
 				select {
 				case <-done:
 					return
 				default:
 					value, fresh, err := resource.Get(context.Background(), key)
 					if err != nil {
 						t.Errorf("%+v", errors.WithStack(err))
 					}
 					t.Logf("resource retrieved for goroutine #%d: (%s, %s, %v)", i, key, value, fresh)
 				}
 			}
 		}(i)
 	}
 	wg.Wait()
 	if e, g := int(expectedCalls), refreshCalls; e != g {
 		t.Errorf("refreshCalls: expected '%d', got '%d'", e, g)
 	}
 }
--- a/layers/authn/templates/error.gohtml
+++ b/layers/authn/templates/error.gohtml
@ -55,6 +55,8 @@
        border-radius: 5px;
        box-shadow: 2px 2px #cccccc1c;
        color: #810000 !important;
        max-width: 80%;
        overflow-x: hidden;
      }
      .title {
@ -81,7 +83,7 @@
      <div id="card">
        <h2 class="title">Une erreur est survenue !</h2>
        {{ if .Debug }}
-        <pre>{{ .Err }}</pre>
+        <pre style="overflow-x: auto">{{ .Err }}</pre>
        {{ end }}
        {{/* if a public base url is provided, show navigation link */}}
        {{ $oidc := ( index .Layer.Options "oidc" ) }}
--- a/misc/packaging/common/config.yml
+++ b/misc/packaging/common/config.yml
@ -49,6 +49,19 @@ admin:
    # Mettre à null pour désactiver l'authentification
    basicAuth: null
  # Profiling
  profiling:
    # Activer ou désactiver les endpoints de profiling
    enabled: true
    # Route de publication des endpoints de profiling
    endpoint: /.bouncer/profiling
    # Authentification "basic auth" sur les endpoints
    # de profiling
    # Mettre à null pour désactiver l'authentification
    basicAuth:
      credentials:
        prof: iling
  # Configuration de l'intégration Sentry
  # Voir https://pkg.go.dev/github.com/getsentry/sentry-go?utm_source=godoc#ClientOptions
  sentry:
@ -59,7 +72,7 @@ admin:
    sampleRate: 1
    enableTracing: true
    tracesSampleRate: 0.2
-    profilesSampleRate: 1
+    profilesSampleRate: 0.2
    ignoreErrors: []
    sendDefaultPII: false
    serverName: ""
@ -99,12 +112,31 @@ proxy:
      credentials:
        prom: etheus
  # Profiling
  profiling:
    # Activer ou désactiver les endpoints de profiling
    enabled: true
    # Route de publication des endpoints de profiling
    endpoint: /.bouncer/profiling
    # Authentification "basic auth" sur les endpoints
    # de profiling
    # Mettre à null pour désactiver l'authentification
    basicAuth:
      credentials:
        prof: iling
  # Configuration de la mise en cache
  # locale des données proxy/layers
  cache:
    # Les proxys/layers sont mis en cache local pour une durée de 30s
    # par défaut. Si les modifications sont rares, vous pouvez augmenter
    # cette valeur pour réduire la "pression" sur le serveur Redis.
    # Il est possible de forcer la réinitialisation du cache en envoyant
    # le signal SIGUSR2 au processus Bouncer.
    #
    # Exemple
    #
    # kill -s USR2 $(pgrep bouncer)
    ttl: 30s
  # Configuration du transport HTTP(S)
@ -164,6 +196,8 @@ redis:
  writeTimeout: 30s
  readTimeout: 30s
  dialTimeout: 30s
  maxRetries: 3
  pingInterval: 30s
 # Configuration des logs
 logger:
@ -190,6 +224,11 @@ layers:
  authn:
    # Répertoire contenant les templates
    templateDir: "/etc/bouncer/layers/authn/templates"
    # Configuration des sessions
    sessions:
      # Temps de persistence sans actualisation des sessions dans le store
      # (prévalent sur le MaxAge de la session)
      ttl: "1h"
 # Configuration d'une série de proxy/layers
 # à créer par défaut par le serveur d'administration
--- a/misc/siege/siege.conf
+++ b/misc/siege/siege.conf
@ -0,0 +1,79 @@
 # Updated by Siege %_VERSION%, %_DATE%
 # Copyright 2000-2016 by %_AUTHOR%
 # 
 # Siege configuration file -- edit as necessary
 # For more information about configuring and running this program, 
 # visit: http://www.joedog.org/
 #
 #
 # Verbose mode: With this feature enabled, siege will print the
 # result of each transaction to stdout. (Enabled by default)
 #
 # ex: verbose = true|false
 #
 verbose = true
 #
 # Color mode: This option works in conjunction with verbose mode.
 # It tells siege whether or not it should display its output in
 # color-coded output. (Enabled by default)
 #
 # ex: color = on | off
 # 
 color = on
 # 
 # Cache revalidation. Siege supports cache revalidation for both ETag
 # and Last-modified headers. If a copy is still fresh, the server 
 # responds with 304. While this feature is required for HTTP/1.1, it 
 # may not be welcomed for load testing. We allow you to breach the 
 # protocol and turn off caching
 #
 # HTTP/1.1 200   0.00 secs:    2326 bytes ==> /apache_pb.gif
 # HTTP/1.1 304   0.00 secs:       0 bytes ==> /apache_pb.gif
 # HTTP/1.1 304   0.00 secs:       0 bytes ==> /apache_pb.gif
 #
 # Siege also supports Cache-control headers. Consider this server 
 # response: Cache-Control: max-age=3
 # That tells siege to cache the file for three seconds. While it
 # doesn't actually store the file, it will logically grab it from
 # its cache. In verbose output, it designates a cached resource 
 # with (c):
 #
 # HTTP/1.1 200     0.25 secs:     159 bytes ==> GET  /expires/
 # HTTP/1.1 200     1.48 secs:  498419 bytes ==> GET  /expires/Otter_in_Southwold.jpg
 # HTTP/1.1 200     0.24 secs:     159 bytes ==> GET  /expires/
 # HTTP/1.1 200(C)  0.00 secs:       0 bytes ==> GET  /expires/Otter_in_Southwold.jpg
 #
 # NOTE: with color enabled, cached URLs appear in green
 # 
 # ex: cache = true
 #
 cache = true
 #
 # Cookie support: by default siege accepts cookies. This directive is
 # available to disable that support. Set cookies to 'false' to refuse 
 # cookies. Set it to 'true' to accept them. The default value is true. 
 # If you want to maintain state with the server, then this MUST be set 
 # to true.
 #
 # ex: cookies = false
 #
 cookies = true 
 #
 # Failures: This is the number of total connection failures allowed 
 # before siege aborts. Connection failures (timeouts, socket failures,
 # etc.) are combined with 400 and 500 level errors in the final stats, 
 # but those errors do not count against the abort total.  If you set 
 # this total to 10, then siege will abort after ten socket timeouts, 
 # but it will NOT abort after ten 404s. This is designed to prevent a 
 # run-away mess on an unattended siege. 
 #
 # The default value is 1024
 #
 # ex: failures = 50
 #
 failures = -1 
--- a/templates/error.gohtml
+++ b/templates/error.gohtml
@ -76,14 +76,26 @@
        margin-top: 2em;
        text-align: right;
      }
      .stacktrace {
        max-height: 250px;
        overflow-y: auto;
        background-color: #dca0a0;
        padding: 0 10px;
        border-radius: 5px;
        margin-top: 10px;
      }
    </style>
  </head>
  <body>
    <div id="container">
      <div id="card">
-        <h2 class="title">{{ $title }}</h2>
+        <h2 class="title">⚠ {{ $title }}</h2>
        {{ if .Debug }}
-        <pre>{{ .Err }}</pre>
+        <h3>Stack Trace</h3>
        <div class="stacktrace">
          <pre>{{ printf "%+v" .Err }}</pre>
        </div>
        {{ end }}
        <p class="footer">
          Propulsé par
Author	SHA1	Message	Date
William Petit	9d10a69b0d	chore: update go and alpine docker image version All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-04-03 11:12:32 +02:00
William Petit	8b6e75ae77	feat: use sentry tags instead of context for better observability All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-19 15:04:55 +01:00
William Petit	692523e54f	feat: prevent call bursts on oidc provider refresh All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 15:51:25 +01:00
William Petit	59ecfa7b4e	feat: prevent burst of proxy/layers update All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 12:52:59 +01:00
William Petit	cc5cdcea96	fix: cache ttl interpolation All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 12:20:00 +01:00
William Petit	1af7248a6f	feat: reset proxy cache with sigusr2 All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 11:35:15 +01:00
William Petit	8b132dddd4	feat: add proxy information in sentry context All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-17 12:07:30 +01:00
William Petit	6a4a144c97	feat: silence context expired errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details closes #49	2025-03-10 18:32:36 +01:00
wpetit	ac7b7e8189	Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48 ) from issue-47 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #48 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>	2025-03-07 13:42:39 +01:00
William Petit	2df74bad4f	feat: cache oidc.Provider to reduce pressure on OIDC identity provider (#47 ) All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2025-03-07 11:15:28 +01:00
wpetit	076a3d784e	Merge pull request 'Fix append error in admin/run.go' (#46 ) from fix-append into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #46	2025-03-07 10:21:27 +01:00
Matthieu Lamalle	826edef358	fix : suppression de append inutile, remonté par go vet All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-11-18 11:05:17 +01:00
William Petit	ce7415af20	fix: prevent nil pointer when err session retrieval fails All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details see https://sentry.in.nuonet.fr/share/issue/48b82c13ee3f4721bb6306b533799709/	2024-11-14 10:10:16 +01:00
William Petit	7cc9de180c	feat(authn): add configurable global ttl for session storage	2024-11-14 10:09:33 +01:00
William Petit	74c2a2c055	fix(authn): correctly handle session-limited cookies All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See CNOUS/mse#4347	2024-11-08 12:21:23 +01:00
William Petit	239d4573c3	feat(sentry): ignore 'net/http: abort' errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See: - https://sentry.in.nuonet.fr/share/issue/972e100ea22d44759c44b6cfad8be7b2/ - https://pkg.go.dev/net/http#:~:text=ErrAbortHandler%20is%20a%20sentinel%20panic%20value%20to%20abort%20a%20handler.%20While%20any%20panic%20from%20ServeHTTP%20aborts%20the%20response%20to%20the%20client%2C%20panicking%20with%20ErrAbortHandler%20also%20suppresses%20logging%20of%20a%20stack%20trace%20to%20the%20server%27s%20error%20log.	2024-11-08 11:19:38 +01:00
William Petit	cffe3eca1b	fix: prevent loss of information when returning errors Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details Linked to: - https://sentry.in.nuonet.fr/share/issue/5fa72de1b01b46bc81601958a2ff5fd2/ - https://sentry.in.nuonet.fr/share/issue/5a225f6400a647c0bbf1f7ea01566e63/	2024-11-08 11:13:39 +01:00
wpetit	a686c52aed	Merge pull request 'fix(rewriter): prevent mixing of cached rule engines (#44 )' (#45 ) from issue-44 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #45	2024-10-21 14:07:51 +02:00
William Petit	c0470ca623	feat: better display of large error messsages Some checks are pending Cadoles/bouncer/pipeline/head Build queued... Details Cadoles/bouncer/pipeline/pr-develop Build queued... Details	2024-10-21 13:49:32 +02:00
William Petit	c611705d45	fix(rewriter): prevent mixing of cached rule engines (#44 )	2024-10-21 13:48:59 +02:00
William Petit	16fa751dc7	doc: fix rewriter rule method name	2024-10-21 13:48:07 +02:00
William Petit	8983a44d9e	feat: do not capture warning errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-10-11 14:18:52 +02:00
William Petit	11375e546f	feat: allow more control on redis client configuration Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details	2024-10-11 14:17:45 +02:00
William Petit	69501f6302	feat: log context cancelled error as warn instead of errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-10-02 12:13:50 +02:00
William Petit	382d17cc85	feat: do not use logger.Debug in critical path	2024-10-02 12:13:26 +02:00
William Petit	9bd1d0fbd7	feat: remove superfluous sentry span handlers	2024-10-02 12:12:51 +02:00
William Petit	ecacbb1cbd	feat: disable sentry tracing by default	2024-10-02 12:12:10 +02:00
William Petit	910f1f8ba2	feat: do not use fmt.Sprintf in http logger	2024-10-02 12:11:30 +02:00
William Petit	be59be1795	feat: add recoverer + request-id http middlewares	2024-10-02 12:10:38 +02:00
William Petit	4d6958e2f5	chore: increase default siege requests volume	2024-10-02 12:09:41 +02:00
William Petit	f3b553cb10	feat: expose expvars as profiling endpoint	2024-10-02 12:09:02 +02:00
wpetit	0ff9391a1b	Merge pull request 'feat: global error handler with template rendering' (#42 ) from error-handler into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #42	2024-09-27 15:03:05 +02:00
William Petit	d4c28b80d7	feat: global error handler with template rendering Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-27 15:02:49 +02:00
William Petit	590505e17a	feat: add sentry spans to evaluate proxy performances All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-27 10:46:18 +02:00
William Petit	867e7c549f	feat: capture logged errors and forward them to sentry when enabled All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-27 10:15:08 +02:00
William Petit	169578c25d	chore: fix log typo All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-26 15:48:22 +02:00
William Petit	b0a71fc599	feat: use go 1.23 for docker build All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-26 14:46:28 +02:00
wpetit	eea51c6030	Merge pull request 'feat(rewriter): add redirect(), get_cookie(), add_cookie() methods to rule engine (#36 )' (#41 ) from issue-36 into develop Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details Reviewed-on: #41	2024-09-25 15:53:00 +02:00
William Petit	04b41baea3	feat(rewriter): add redirect(), get_cookie(), add_cookie() methods to rule engine (#36 ) Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-25 15:52:49 +02:00
wpetit	cb9260ac2b	Merge pull request 'feat(authn) : add case to test multiples CIDR #34 ' (#35 ) from issue-4 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #35	2024-09-25 15:15:11 +02:00
Matthieu Lamalle	5eac425fda	feat(authn) : add case to test multiples CIDR Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-25 15:15:04 +02:00
wpetit	0b032fccc9	Merge pull request 'Moteur de règles V2' (#40 ) from rule-engine-2 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #40	2024-09-25 09:11:46 +02:00
William Petit	fea0610346	feat: reusable rule engine to prevent memory reallocation All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-09-24 18:45:34 +02:00
William Petit	f37425018b	feat: use shared redis client to maximize pooling usage (#39 ) All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-23 15:16:30 +02:00
William Petit	4801974ca3	fix(queue): prevent metrics update cancellation on aborted http requests (#39 ) All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-23 10:34:24 +02:00
William Petit	bf15732935	feat: disable sentry integration when no dsn is defined All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-23 10:13:04 +02:00
William Petit	8317ac5b9a	feat: add configurable profiling endpoints (#38 )	2024-09-23 10:12:42 +02:00
William Petit	f35384c0f3	feat: create profiling package + rewrite profiling tutorial Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details	2024-06-28 17:44:51 +02:00
William Petit	c73fe8cca5	feat(rewriter): pass structured url to ease request rewriting All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-28 10:46:38 +02:00
William Petit	3c1939f418	feat: add revision number to proxy and layers to identify changes All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 17:03:50 +02:00
William Petit	3565618335	doc: update link title Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details	2024-06-27 15:53:01 +02:00
William Petit	64ca8fe1e4	fix: wrong bit size	2024-06-27 15:27:14 +02:00
William Petit	d5669a4eb5	fix: multiple environment variables interpolation in configuration file All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 15:00:25 +02:00
William Petit	f3aa8b9be6	doc: add profiling tutorial link All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 14:13:08 +02:00
William Petit	2de5e285a3	doc: add virtual hosting example All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-27 11:12:58 +02:00
William Petit	87e1c65607	fix: security vulnerabilities All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details ref #31	2024-06-27 10:04:29 +02:00
William Petit	f092520ee4	chore: tidy deps All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 16:31:14 +02:00