feat: capture logged errors and forward them to sentry when enabled

Reviewed-on: #41

Dockerfile

@@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.23 AS BUILD
 
 RUN apt-get update \
     && apt-get install -y make

Makefile

@@ -132,7 +132,7 @@ tools/grafterm/bin/grafterm:
 	GOBIN=$(PWD)/tools/grafterm/bin go install github.com/slok/grafterm/cmd/grafterm@v0.2.0
 
 bench:
-	go test -bench=. -run '^$$' ./internal/bench
+	go test -bench=. -run '^$$' -benchtime=10s ./internal/bench
 
 tools/benchstat/bin/benchstat:
 	mkdir -p tools/benchstat/bin

doc/fr/references/layers/authn/README.md

@@ -27,8 +27,8 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
 Le comportement des règles par défaut est le suivant:
 
 1. L'ensemble des entêtes HTTP correspondant au patron `Remote-*` sont supprimés ;
-2. L'identifiant de l'utilisateur identifié (`user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
-3. L'ensemble des attributs de l'utilisateur identifié (`user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>` où `<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
+2. L'identifiant de l'utilisateur identifié (`vars.user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
+3. L'ensemble des attributs de l'utilisateur identifié (`vars.user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>` où `<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
 
 ### Fonctions
 
@@ -36,25 +36,25 @@ Le comportement des règles par défaut est le suivant:
 
 Interdire l'accès à l'utilisateur.
 
-##### `add_header(name string, value string)`
+##### `add_header(ctx, name string, value string)`
 
 Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
 
-##### `set_header(name string, value string)`
+##### `set_header(ctx, name string, value string)`
 
 Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
 
-##### `del_headers(pattern string)`
+##### `del_headers(ctx, pattern string)`
 
 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
 
 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
 
-##### `set_host(host string)`
+##### `set_host(ctx, host string)`
 
 Modifier la valeur de l'entête `Host` de la requête.
 
-##### `set_url(url string)`
+##### `set_url(ctx, url string)`
 
 Modifier l'URL du serveur cible.
 
@@ -62,7 +62,7 @@ Modifier l'URL du serveur cible.
 
 Les règles ont accès aux variables suivantes pendant leur exécution.
 
-#### `user`
+#### `vars.user`
 
 L'utilisateur identifié par le layer.
 

doc/fr/references/layers/authn/basic.md

@@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
 
 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
 
-## Objet `user` et attributs
+## Objet `vars.user` et attributs
 
 L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
 
-- `user.subject` sera initialisé avec le nom d'utilisateur identifié ;
-- `user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
+- `vars.user.subject` sera initialisé avec le nom d'utilisateur identifié ;
+- `vars.user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
 
 ## Métriques
 

doc/fr/references/layers/authn/network.md

@@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
 
 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
 
-## Objet `user` et attributs
+## Objet `vars.user` et attributs
 
-L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
+L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:
 
-- `user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
-- `user.attrs` sera vide.
+- `vars.user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
+- `vars.user.attrs` sera vide.
 
 ## Métriques
 

doc/fr/references/layers/authn/oidc.md

@@ -16,18 +16,18 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
 
 En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
 
-## Objet `user` et attributs
+## Objet `vars.user` et attributs
 
-L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
+L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:
 
-- `user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
-- `user.attrs` comportera les propriétés suivantes:
+- `vars.user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
+- `vars.user.attrs` comportera les propriétés suivantes:
 
-  - L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `user.attrs.claim_iss`) ;
-  - `user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
-  - `user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
-  - `user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
-  - `user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
+  - L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `vars.user.attrs.claim_iss`) ;
+  - `vars.user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
+  - `vars.user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
+  - `vars.user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
+  - `vars.user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
 
     **Attention** Cette URL ne permet dans la plupart des cas que de supprimer la session côté Bouncer. La suppression de la session côté fournisseur d'identité est conditionné à la présence ou non de l'attribut [`end_session_endpoint`](https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata) dans les données du point d'entrée de découverte de service (`.wellknown/openid-configuration`).
 

doc/fr/references/layers/rewriter.md

@@ -24,30 +24,63 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
 
 #### Communes
 
-##### `add_header(name string, value string)`
+##### `add_header(ctx, name string, value string)`
 
 Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
 
-##### `set_header(name string, value string)`
+##### `set_header(ctx, name string, value string)`
 
 Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
 
-##### `del_headers(pattern string)`
+##### `del_headers(ctx, pattern string)`
 
 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
 
 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
 
+##### `get_cookie(ctx, name string) Cookie`
+
+Récupère un cookie depuis la requête/réponse (en fonction du contexte d'utilisation).
+Retourne `nil` si le cookie n'existe pas.
+
+**Cookie**
+
+```js
+// Plus d'informations sur https://pkg.go.dev/net/http#Cookie
+{
+  name: "string", // Nom du cookie
+  value: "string", // Valeur associée au cookie
+  path: "string", // Chemin associé au cookie (présent uniquement dans un contexte de réponse)
+  domain: "string", // Domaine associé au cookie (présent uniquement dans un contexte de réponse)
+  expires: "string", // Date d'expiration du cookie (présent uniquement dans un contexte de réponse)
+  max_age: "string", // Age maximum du cookie (présent uniquement dans un contexte de réponse)
+  secure: "boolean", // Le cookie doit-il être présent uniquement en HTTPS ? (présent uniquement dans un contexte de réponse)
+  http_only: "boolean", // Le cookie est il accessible en Javascript ? (présent uniquement dans un contexte de réponse)
+  same_site: "int" // Voir https://pkg.go.dev/net/http#SameSite (présent uniquement dans un contexte de réponse)
+}
+```
+
+##### `set_cookie(ctx, cookie Cookie)`
+
+Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
+Voir la méthode `get_cookie()` pour voir les attributs potentiels.
+
 #### Requête
 
-##### `set_host(host string)`
+##### `set_host(ctx, host string)`
 
 Modifier la valeur de l'entête `Host` de la requête.
 
-##### `set_url(url string)`
+##### `set_url(ctx, url string)`
 
 Modifier l'URL du serveur cible.
 
+##### `redirect(ctx, statusCode int, url string)`
+
+Interrompt la requête et retourne une redirection HTTP au client.
+
+Le code HTTP utilisé doit être supérieur ou égale à `300` et inférieur à `400` (non inclus).
+
 #### Réponse
 
 _Pas de fonctions spécifiques._
@@ -58,7 +91,28 @@ Les règles ont accès aux variables suivantes pendant leur exécution. **Ces do
 
 #### Requête
 
-##### `request`
+##### `vars.original_url`
+
+L'URL originale, avant réécriture du `Host` par Bouncer.
+
+```js
+{
+    scheme: "string", // Schéma HTTP de l'URL
+    opaque: "string", // Données opaque de l'URL
+    user: { // Identifiants d'URL (Basic Auth)
+        username: "",
+        password: ""
+    },
+    host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
+    path: "string", // Chemin de l'URL (format assaini)
+    raw_path: "string", // Chemin de l'URL (format brut)
+    raw_query: "string", // Variables d'URL (format brut)
+    fragment : "string", // Fragment d'URL (format assaini)
+    raw_fragment : "string" // Fragment d'URL (format brut)
+}
+```
+
+##### `vars.request`
 
 La requête en cours de traitement.
 
@@ -67,61 +121,65 @@ La requête en cours de traitement.
     method: "string", // Méthode HTTP
     host: "string", // Nom d'hôte (`Host`) associé à la requête
     url: { // URL associée à la requête sous sa forme structurée
-        "scheme": "string", // Schéma HTTP de l'URL
-        "opaque": "string", // Données opaque de l'URL
-        "user": { // Identifiants d'URL (Basic Auth)
-            "username": "",
-            "password": ""
+        scheme: "string", // Schéma HTTP de l'URL
+        opaque: "string", // Données opaque de l'URL
+        user: { // Identifiants d'URL (Basic Auth)
+            username: "",
+            password: ""
         },
-        "host": "string", // Nom d'hôte (<domaine>:<port>) de l'URL
-        "path": "string", // Chemin de l'URL (format assaini)
-        "rawPath": "string", // Chemin de l'URL (format brut)
-        "rawQuery": "string", // Variables d'URL (format brut)
-        "fragment" : "string", // Fragment d'URL (format assaini)
-        "rawFragment" : "string" // Fragment d'URL (format brut)
+        host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
+        path: "string", // Chemin de l'URL (format assaini)
+        raw_path: "string", // Chemin de l'URL (format brut)
+        raw_query: "string", // Variables d'URL (format brut)
+        fragment : "string", // Fragment d'URL (format assaini)
+        raw_fragment : "string" // Fragment d'URL (format brut)
     },
-    rawUrl: "string", // URL associée à la requête (format assaini)
+    raw_url: "string", // URL associée à la requête (format assaini)
     proto: "string", // Numéro de version du protocole utilisé
-    protoMajor: "int", // Numéro de version majeure du protocole utilisé
-    protoMinor: "int",  // Numéro de version mineur du protocole utilisé
+    proto_major: "int", // Numéro de version majeure du protocole utilisé
+    proto_minor: "int",  // Numéro de version mineur du protocole utilisé
     header: { // Table associative des entêtes HTTP associés à la requête
         "string": ["string"]
     },
-    contentLength: "int", // Taille du corps de la requête
-    transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    content_length: "int", // Taille du corps de la requête
+    transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
     trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
         "string": ["string"]
     },
-    remoteAddr: "string", // Adresse du client HTTP à l'origine de la requête
-    requestUri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
+    remote_addr: "string", // Adresse du client HTTP à l'origine de la requête
+    request_uri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
 }
 ```
 
 #### Réponse
 
-##### `response`
+##### `vars.response`
 
 La réponse en cours de traitement.
 
 ```js
 {
-    statusCode: "int", // Code de statut de la réponse
+    status_code: "int", // Code de statut de la réponse
     status: "string", // Message associé au code de statut
     proto: "string", // Numéro de version du protocole utilisé
-    protoMajor: "int", // Numéro de version majeure du protocole utilisé
-    protoMinor: "int",  // Numéro de version mineur du protocole utilisé
+    proto_major: "int", // Numéro de version majeure du protocole utilisé
+    proto_minor: "int",  // Numéro de version mineur du protocole utilisé
     header: { // Table associative des entêtes HTTP associés à la requête
         "string": ["string"]
     },
-    contentLength: "int", // Taille du corps de la réponse
-    transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
+    content_length: "int", // Taille du corps de la réponse
+    transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
     trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
         "string": ["string"]
     },
 }
 ```
 
-##### `request`
+##### `vars.request`
+
+_Voir section précédente._
+
+##### `vars.original_url`
 
 _Voir section précédente._
 

go.mod

@@ -1,8 +1,8 @@
 module forge.cadoles.com/cadoles/bouncer
 
-go 1.22
+go 1.23
 
-toolchain go1.22.0
+toolchain go1.23.0
 
 require (
 	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926

internal/admin/authz.go

@@ -70,7 +70,7 @@ func assertRequestUser(w http.ResponseWriter, r *http.Request) (auth.User, bool)
 	ctx := r.Context()
 	user, err := auth.CtxUser(ctx)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve user", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve user", logger.CapturedE(errors.WithStack(err)))
 
 		forbidden(w, r)
 

internal/admin/error.go

@@ -35,5 +35,5 @@ func invalidDataErrorResponse(w http.ResponseWriter, r *http.Request, err *schem
 
 func logAndCaptureError(ctx context.Context, message string, err error) {
 	sentry.CaptureException(err)
-	logger.Error(ctx, message, logger.E(err))
+	logger.Error(ctx, message, logger.CapturedE(err))
 }

internal/admin/server.go

@@ -162,7 +162,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 
 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
-				logger.Info(ctx, "enabling authentication on metrics endpoint")
+				logger.Info(ctx, "enabling authentication on profiling endpoint")
 
 				r.Use(middleware.BasicAuth(
 					"profiling",

internal/auth/middleware.go

@@ -52,7 +52,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			for _, auth := range authenticators {
 				user, err = auth.Authenticate(ctx, r)
 				if err != nil {
-					logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
+					logger.Debug(ctx, "could not authenticate request", logger.CapturedE(errors.WithStack(err)))
 
 					continue
 				}

internal/bench/proxy_test.go

@@ -3,7 +3,6 @@ package proxy_test
 import (
 	"context"
 	"io"
-	"log"
 	"net/http"
 	"net/http/httptest"
 	"net/http/httputil"
@@ -24,6 +23,7 @@ import (
 	redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
 	"github.com/pkg/errors"
 	"github.com/redis/go-redis/v9"
+	"gitlab.com/wpetit/goweb/logger"
 	"gopkg.in/yaml.v3"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
@@ -39,6 +39,19 @@ func BenchmarkProxies(b *testing.B) {
 		name := strings.TrimSuffix(filepath.Base(f), filepath.Ext(f))
 
 		b.Run(name, func(b *testing.B) {
+			heap, err := os.Create(filepath.Join("testdata", "proxies", name+"_heap.prof"))
+			if err != nil {
+				b.Fatalf("%+v", errors.Wrapf(err, "could not create heap profile"))
+			}
+
+			defer func() {
+				defer heap.Close()
+
+				if err := pprof.WriteHeapProfile(heap); err != nil {
+					b.Fatalf("%+v", errors.WithStack(err))
+				}
+			}()
+
 			conf, err := loadProxyBenchConfig(f)
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could notre load bench config"))
@@ -78,7 +91,7 @@ func BenchmarkProxies(b *testing.B) {
 
 			b.Logf("fetching url '%s'", rawProxyURL)
 
-			profile, err := os.Create(filepath.Join("testdata", "proxies", name+".prof"))
+			profile, err := os.Create(filepath.Join("testdata", "proxies", name+"_cpu.prof"))
 			if err != nil {
 				b.Fatalf("%+v", errors.Wrapf(err, "could not create cpu profile"))
 			}
@@ -86,7 +99,7 @@ func BenchmarkProxies(b *testing.B) {
 			defer profile.Close()
 
 			if err := pprof.StartCPUProfile(profile); err != nil {
-				log.Fatal(err)
+				b.Fatalf("%+v", errors.WithStack(err))
 			}
 
 			defer pprof.StopCPUProfile()
@@ -227,7 +240,12 @@ func createProxy(name string, conf *proxyBenchConfig, logf func(format string, a
 
 	}
 
-	layers, err := setup.GetLayers(context.Background(), config.NewDefault())
+	appConf := config.NewDefault()
+	appConf.Logger.Level = config.InterpolatedInt(logger.LevelError)
+	appConf.Layers.Authn.TemplateDir = "../../layers/authn/templates"
+	appConf.Layers.Queue.TemplateDir = "../../layers/queue/templates"
+
+	layers, err := setup.GetLayers(context.Background(), appConf)
 	if err != nil {
 		return nil, nil, errors.WithStack(err)
 	}

internal/bench/testdata/proxies/basic-auth.yml

@@ -12,7 +12,7 @@ proxy:
             attributes:
               email: foo@bar.com
         rules:
-          - set_header("Remote-User-Attr-Email", user.attrs.email)
+          - set_header(ctx, "Remote-User-Attr-Email", vars.user.attrs.email)
 fetch:
   url:
     user:

internal/bench/testdata/proxies/queue.yml

@@ -0,0 +1,10 @@
+proxy:
+  from: ["*"]
+  to: ""
+  layers:
+    queue:
+      type: queue
+      enabled: true
+      options:
+        capacity: 100
+        keepAlive: 10s

internal/bench/testdata/proxies/rewriter.yml

@@ -8,5 +8,5 @@ proxy:
       options:
         rules:
           request:
-            - set_host(request.url.host)
-            - set_header("X-Proxied-With", "bouncer")
+            - set_host(ctx, vars.request.url.host)
+            - set_header(ctx, "X-Proxied-With", "bouncer")

internal/command/server/dummy/index.gohtml

@@ -4,14 +4,14 @@
     <h2>Incoming headers</h2>
     <table style="width: 100%">
       <thead>
-        <tr>
+        <tr style="text-align: left">
           <th>Key</th>
           <th>Value</th>
         </tr>
       </thead>
       <tbody>
         {{ range $key, $val := .Request.Header }}
-        <tr>
+        <tr style="text-align: left">
           <td>
             <b>{{ $key }}</b>
           </td>
@@ -27,7 +27,7 @@
     <h2>Incoming cookies</h2>
     <table style="width: 100%">
       <thead>
-        <tr>
+        <tr style="text-align: left">
           <th>Name</th>
           <th>Domain</th>
           <th>Path</th>
@@ -41,7 +41,7 @@
       </thead>
       <tbody>
         {{ range $cookie := .Request.Cookies }}
-        <tr>
+        <tr style="text-align: left">
           <td>
             <b>{{ $cookie.Name }}</b>
           </td>

internal/command/server/dummy/run.go

@@ -53,7 +53,7 @@ func RunCommand() *cli.Command {
 				}
 
 				if err := tmpl.Execute(w, data); err != nil {
-					logger.Error(ctx.Context, "could not execute template", logger.E(errors.WithStack(err)))
+					logger.Error(ctx.Context, "could not execute template", logger.CapturedE(errors.WithStack(err)))
 				}
 			})
 

internal/lock/redis/locker.go

@@ -38,7 +38,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration
 
 		defer func() {
 			if err := lock.Release(ctx); err != nil {
-				logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not release lock", logger.CapturedE(errors.WithStack(err)))
 			}
 
 			logger.Debug(ctx, "lock released")

internal/lock/redis/retry.go

@@ -30,7 +30,7 @@ func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Con
 			return errors.Wrapf(err, "execution failed after %d attempts", attempts)
 		}
 
-		logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
+		logger.Error(ctx, "error while executing func, retrying with backoff", logger.CapturedE(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
 
 		time.Sleep(backoffDelay)
 

internal/proxy/director/director.go

@@ -174,7 +174,7 @@ func (d *Director) RequestTransformer() proxy.RequestTransformer {
 				return
 			}
 
-			logger.Error(ctx, "could not retrieve layers from context", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not retrieve layers from context", logger.CapturedE(errors.WithStack(err)))
 
 			return
 		}
@@ -226,7 +226,7 @@ func (d *Director) Middleware() proxy.Middleware {
 		fn := func(w http.ResponseWriter, r *http.Request) {
 			r, err := d.rewriteRequest(r)
 			if err != nil {
-				logger.Error(r.Context(), "could not rewrite request", logger.E(errors.WithStack(err)))
+				logger.Error(r.Context(), "could not rewrite request", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
@@ -240,7 +240,7 @@ func (d *Director) Middleware() proxy.Middleware {
 					return
 				}
 
-				logger.Error(ctx, "could not retrieve proxy and layers from context", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve proxy and layers from context", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return

internal/proxy/director/layer/authn/layer.go

@@ -29,7 +29,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not parse layer options", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
@@ -42,7 +42,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}
 
 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute pre-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute pre-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)
 
 					return
@@ -68,20 +68,20 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				}
 
 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not authenticate user", logger.E(err))
+				logger.Error(ctx, "could not authenticate user", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)
 
 				return
 			}
 
-			if err := l.applyRules(r, options, user); err != nil {
+			if err := l.applyRules(ctx, r, options, user); err != nil {
 				if errors.Is(err, ErrForbidden) {
 					l.renderForbiddenPage(w, r, layer, options, user)
 					return
 				}
 
 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not apply rules", logger.E(err))
+				logger.Error(ctx, "could not apply rules", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)
 
 				return
@@ -99,7 +99,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}
 
 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute post-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute post-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)
 
 					return
@@ -162,7 +162,7 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string,
 
 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not load authn templates", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -171,7 +171,7 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string,
 	w.Header().Add("Cache-Control", "no-cache")
 
 	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
-		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not render authn page", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return

internal/proxy/director/layer/authn/network/authenticator_test.go

@@ -39,6 +39,23 @@ func TestMatchAuthorizedCIDRs(t *testing.T) {
 			},
 			ExpectedResult: false,
 		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.6/32",
+				"192.168.1.7/32",
+			},
+			ExpectedResult: false,
+		},
 	}
 
 	auth := Authenticator{}

internal/proxy/director/layer/authn/oidc/authenticator.go

@@ -44,7 +44,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 
 	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
-		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve session", logger.CapturedE(errors.WithStack(err)))
 	}
 
 	loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
@@ -128,7 +128,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 
 	defer func() {
 		if err := sess.Save(r, w); err != nil {
-			logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
 		}
 	}()
 

internal/proxy/director/layer/authn/oidc/client.go

@@ -47,7 +47,7 @@ func (c *Client) Provider() *oidc.Provider {
 func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sessions.Session, postLoginRedirectURL string) (*oidc.IDToken, error) {
 	idToken, err := c.getIDToken(r, sess)
 	if err != nil {
-		logger.Warn(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))
+		logger.Warn(r.Context(), "could not retrieve idtoken", logger.CapturedE(errors.WithStack(err)))
 
 		c.login(w, r, sess, postLoginRedirectURL)
 
@@ -68,7 +68,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL
 
 	if err := sess.Save(r, w); err != nil {
-		logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -127,7 +127,7 @@ func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sess
 
 	rawIDToken, err := c.getRawIDToken(sess)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve raw id token", logger.CapturedE(errors.WithStack(err)))
 	}
 
 	sess.Values[sessionKeyIDToken] = nil

internal/proxy/director/layer/authn/rules.go

@@ -1,6 +1,7 @@
 package authn
 
 import (
+	"context"
 	"net/http"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
@@ -9,30 +10,32 @@ import (
 	"github.com/pkg/errors"
 )
 
-type Env struct {
+type Vars struct {
 	User *User `expr:"user"`
 }
 
-func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) error {
+func (l *Layer) applyRules(ctx context.Context, r *http.Request, options *LayerOptions, user *User) error {
 	rules := options.Rules
 	if len(rules) == 0 {
 		return nil
 	}
 
-	engine, err := rule.NewEngine[*Env](
+	engine, err := rule.NewEngine[*Vars](
 		rule.WithRules(options.Rules...),
 		rule.WithExpr(getAuthnAPI()...),
-		ruleHTTP.WithRequestFuncs(r),
+		ruleHTTP.WithRequestFuncs(),
 	)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 
-	env := &Env{
+	vars := &Vars{
 		User: user,
 	}
 
-	if _, err := engine.Apply(env); err != nil {
+	ctx = ruleHTTP.WithRequest(ctx, r)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
 		return errors.WithStack(err)
 	}
 

internal/proxy/director/layer/queue/queue.go

@@ -52,7 +52,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not parse layer options", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
@@ -71,7 +71,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			cookie, err := r.Cookie(cookieName)
 			if err != nil && !errors.Is(err, http.ErrNoCookie) {
-				logger.Error(ctx, "could not retrieve cookie", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve cookie", logger.CapturedE(errors.WithStack(err)))
 			}
 
 			if cookie == nil {
@@ -89,7 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				logger.Error(ctx, "could not retrieve session rank", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve session rank", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
@@ -126,7 +126,7 @@ func (q *Queue) updateSessionsMetric(ctx context.Context, proxyName store.ProxyN
 
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))
 
 		return
 	}
@@ -144,7 +144,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -157,7 +157,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 
 		tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 		if err != nil {
-			logger.Error(ctx, "could not load queue templates", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not load queue templates", logger.CapturedE(errors.WithStack(err)))
 
 			return
 		}
@@ -166,7 +166,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	})
 
 	if q.tmpl == nil {
-		logger.Error(ctx, "queue page templates not loaded", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "queue page templates not loaded", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -195,7 +195,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	w.WriteHeader(http.StatusServiceUnavailable)
 
 	if err := q.tmpl.ExecuteTemplate(w, "queue", templateData); err != nil {
-		logger.Error(ctx, "could not render queue page", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not render queue page", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -211,7 +211,7 @@ func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, kee
 
 	if err := q.adapter.Refresh(ctx, string(layerName), keepAlive); err != nil {
 		logger.Error(ctx, "could not refresh queue",
-			logger.E(errors.WithStack(err)),
+			logger.CapturedE(errors.WithStack(err)),
 			logger.F("queue", layerName),
 		)
 	}

internal/proxy/director/layer/rewriter/api.go

@@ -0,0 +1,79 @@
+package rewriter
+
+import (
+	"context"
+	"fmt"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/expr-lang/expr"
+	"github.com/pkg/errors"
+)
+
+type errRedirect struct {
+	statusCode int
+	url        string
+}
+
+func (e *errRedirect) StatusCode() int {
+	return e.statusCode
+}
+
+func (e *errRedirect) URL() string {
+	return e.url
+}
+
+func (e *errRedirect) Error() string {
+	return fmt.Sprintf("redirect %d %s", e.statusCode, e.url)
+}
+
+func newErrRedirect(statusCode int, url string) *errRedirect {
+	return &errRedirect{
+		url:        url,
+		statusCode: statusCode,
+	}
+}
+
+var _ error = &errRedirect{}
+
+func redirectFunc() expr.Option {
+	return expr.Function(
+		"redirect",
+		func(params ...any) (any, error) {
+			_, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			statusCode, err := rule.Assert[int](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			if statusCode < 300 || statusCode >= 400 {
+				return nil, errors.Errorf("unexpected redirect status code '%d'", statusCode)
+			}
+
+			url, err := rule.Assert[string](params[2])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return nil, newErrRedirect(statusCode, url)
+		},
+		new(func(context.Context, int, string) bool),
+	)
+}
+
+func WithRewriterFuncs() rule.OptionFunc {
+	return func(opts *rule.Options) {
+		funcs := []expr.Option{
+			redirectFunc(),
+		}
+
+		if len(opts.Expr) == 0 {
+			opts.Expr = make([]expr.Option, 0)
+		}
+
+		opts.Expr = append(opts.Expr, funcs...)
+	}
+}

internal/proxy/director/layer/rewriter/layer.go

@@ -6,6 +6,9 @@ import (
 	proxy "forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
@@ -13,7 +16,10 @@ import (
 
 const LayerType store.LayerType = "rewriter"
 
-type Layer struct{}
+type Layer struct {
+	requestRuleEngine  *util.RevisionedRuleEngine[*RequestVars, *LayerOptions]
+	responseRuleEngine *util.RevisionedRuleEngine[*ResponseVars, *LayerOptions]
+}
 
 func (l *Layer) LayerType() store.LayerType {
 	return LayerType
@@ -26,7 +32,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not parse layer options", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
@@ -39,8 +45,14 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}
 
-			if err := l.applyRequestRules(r, options); err != nil {
-				logger.Error(ctx, "could not apply request rules", logger.E(errors.WithStack(err)))
+			if err := l.applyRequestRules(ctx, r, layer.Revision, options); err != nil {
+				var redirect *errRedirect
+				if errors.As(err, &redirect) {
+					http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
+					return
+				}
+
+				logger.Error(ctx, "could not apply request rules", logger.CapturedE(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
@@ -66,7 +78,9 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
 			return nil
 		}
 
-		if err := l.applyResponseRules(r, options); err != nil {
+		ctx := r.Request.Context()
+
+		if err := l.applyResponseRules(ctx, r, layer.Revision, options); err != nil {
 			return errors.WithStack(err)
 		}
 
@@ -75,7 +89,31 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
 }
 
 func New(funcs ...OptionFunc) *Layer {
-	return &Layer{}
+	return &Layer{
+		requestRuleEngine: util.NewRevisionedRuleEngine(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+			engine, err := rule.NewEngine[*RequestVars](
+				rule.WithRules(options.Rules.Request...),
+				ruleHTTP.WithRequestFuncs(),
+				WithRewriterFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
+		responseRuleEngine: util.NewRevisionedRuleEngine(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+			engine, err := rule.NewEngine[*ResponseVars](
+				rule.WithRules(options.Rules.Response...),
+				ruleHTTP.WithResponseFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
+	}
 }
 
 var (

internal/proxy/director/layer/rewriter/rules.go

@@ -1,81 +1,78 @@
 package rewriter
 
 import (
+	"context"
 	"net/http"
+	"net/url"
 
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"github.com/pkg/errors"
 )
 
-type RequestEnv struct {
-	Request RequestInfo `expr:"request"`
+type RequestVars struct {
+	Request     RequestVar `expr:"request"`
+	OriginalURL URLVar     `expr:"original_url"`
 }
 
-type URLEnv struct {
+type URLVar struct {
 	Scheme      string  `expr:"scheme"`
 	Opaque      string  `expr:"opaque"`
-	User        UserInfoEnv `expr:"user"`
+	User        UserVar `expr:"user"`
 	Host        string  `expr:"host"`
 	Path        string  `expr:"path"`
-	RawPath     string      `expr:"rawPath"`
-	RawQuery    string      `expr:"rawQuery"`
+	RawPath     string  `expr:"raw_path"`
+	RawQuery    string  `expr:"raw_query"`
 	Fragment    string  `expr:"fragment"`
-	RawFragment string      `expr:"rawFragment"`
+	RawFragment string  `expr:"raw_fragment"`
 }
 
-type UserInfoEnv struct {
+func fromURL(url *url.URL) URLVar {
+	return URLVar{
+		Scheme: url.Scheme,
+		Opaque: url.Opaque,
+		User: UserVar{
+			Username: url.User.Username(),
+			Password: func() string {
+				passwd, _ := url.User.Password()
+				return passwd
+			}(),
+		},
+		Host:        url.Host,
+		Path:        url.Path,
+		RawPath:     url.RawPath,
+		RawQuery:    url.RawQuery,
+		Fragment:    url.Fragment,
+		RawFragment: url.RawFragment,
+	}
+}
+
+type UserVar struct {
 	Username string `expr:"username"`
 	Password string `expr:"password"`
 }
 
-type RequestInfo struct {
+type RequestVar struct {
 	Method           string              `expr:"method"`
-	URL              URLEnv              `expr:"url"`
-	RawURL           string              `expr:"rawUrl"`
+	URL              URLVar              `expr:"url"`
+	RawURL           string              `expr:"raw_url"`
 	Proto            string              `expr:"proto"`
-	ProtoMajor       int                 `expr:"protoMajor"`
-	ProtoMinor       int                 `expr:"protoMinor"`
+	ProtoMajor       int                 `expr:"proto_major"`
+	ProtoMinor       int                 `expr:"proto_minor"`
 	Header           map[string][]string `expr:"header"`
-	ContentLength    int64               `expr:"contentLength"`
-	TransferEncoding []string            `expr:"transferEncoding"`
+	ContentLength    int64               `expr:"content_length"`
+	TransferEncoding []string            `expr:"transfer_encoding"`
 	Host             string              `expr:"host"`
 	Trailer          map[string][]string `expr:"trailer"`
-	RemoteAddr       string              `expr:"remoteAddr"`
-	RequestURI       string              `expr:"requestUri"`
+	RemoteAddr       string              `expr:"remote_addr"`
+	RequestURI       string              `expr:"request_uri"`
 }
 
-func (l *Layer) applyRequestRules(r *http.Request, options *LayerOptions) error {
-	rules := options.Rules.Request
-	if len(rules) == 0 {
-		return nil
-	}
-
-	engine, err := l.getRequestRuleEngine(r, options)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	env := &RequestEnv{
-		Request: RequestInfo{
+func fromRequest(r *http.Request) RequestVar {
+	return RequestVar{
 		Method:           r.Method,
-			URL: URLEnv{
-				Scheme: r.URL.Scheme,
-				Opaque: r.URL.Opaque,
-				User: UserInfoEnv{
-					Username: r.URL.User.Username(),
-					Password: func() string {
-						passwd, _ := r.URL.User.Password()
-						return passwd
-					}(),
-				},
-				Host:        r.URL.Host,
-				Path:        r.URL.Path,
-				RawPath:     r.URL.RawPath,
-				RawQuery:    r.URL.RawQuery,
-				Fragment:    r.URL.Fragment,
-				RawFragment: r.URL.RawFragment,
-			},
+		URL:              fromURL(r.URL),
 		RawURL:           r.URL.String(),
 		Proto:            r.Proto,
 		ProtoMajor:       r.ProtoMajor,
@@ -87,21 +84,41 @@ func (l *Layer) applyRequestRules(r *http.Request, options *LayerOptions) error
 		Trailer:          r.Trailer,
 		RemoteAddr:       r.RemoteAddr,
 		RequestURI:       r.RequestURI,
-		},
+	}
 }
 
-	if _, err := engine.Apply(env); err != nil {
+func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRevision int, options *LayerOptions) error {
+	rules := options.Rules.Request
+	if len(rules) == 0 {
+		return nil
+	}
+
+	engine, err := l.getRequestRuleEngine(ctx, layerRevision, options)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	originalURL, err := director.OriginalURL(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	vars := &RequestVars{
+		OriginalURL: fromURL(originalURL),
+		Request:     fromRequest(r),
+	}
+
+	ctx = ruleHTTP.WithRequest(ctx, r)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
 		return errors.WithStack(err)
 	}
 
 	return nil
 }
 
-func (l *Layer) getRequestRuleEngine(r *http.Request, options *LayerOptions) (*rule.Engine[*RequestEnv], error) {
-	engine, err := rule.NewEngine[*RequestEnv](
-		rule.WithRules(options.Rules.Request...),
-		ruleHTTP.WithRequestFuncs(r),
-	)
+func (l *Layer) getRequestRuleEngine(ctx context.Context, layerRevision int, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+	engine, err := l.requestRuleEngine.Get(ctx, layerRevision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -109,68 +126,45 @@ func (l *Layer) getRequestRuleEngine(r *http.Request, options *LayerOptions) (*r
 	return engine, nil
 }
 
-type ResponseEnv struct {
-	Request  RequestInfo  `expr:"request"`
-	Response ResponseInfo `expr:"response"`
+type ResponseVars struct {
+	OriginalURL URLVar      `expr:"original_url"`
+	Request     RequestVar  `expr:"request"`
+	Response    ResponseVar `expr:"response"`
 }
 
-type ResponseInfo struct {
+type ResponseVar struct {
 	Status           string              `expr:"status"`
-	StatusCode       int                 `expr:"statusCode"`
+	StatusCode       int                 `expr:"status_code"`
 	Proto            string              `expr:"proto"`
-	ProtoMajor       int                 `expr:"protoMajor"`
-	ProtoMinor       int                 `expr:"protoMinor"`
+	ProtoMajor       int                 `expr:"proto_major"`
+	ProtoMinor       int                 `expr:"proto_minor"`
 	Header           map[string][]string `expr:"header"`
-	ContentLength    int64               `expr:"contentLength"`
-	TransferEncoding []string            `expr:"transferEncoding"`
+	ContentLength    int64               `expr:"content_length"`
+	TransferEncoding []string            `expr:"transfer_encoding"`
 	Uncompressed     bool                `expr:"uncompressed"`
 	Trailer          map[string][]string `expr:"trailer"`
 }
 
-func (l *Layer) applyResponseRules(r *http.Response, options *LayerOptions) error {
+func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerRevision int, options *LayerOptions) error {
 	rules := options.Rules.Response
 	if len(rules) == 0 {
 		return nil
 	}
 
-	engine, err := l.getResponseRuleEngine(r, options)
+	engine, err := l.getResponseRuleEngine(ctx, layerRevision, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 
-	env := &ResponseEnv{
-		Request: RequestInfo{
-			Method: r.Request.Method,
-			URL: URLEnv{
-				Scheme: r.Request.URL.Scheme,
-				Opaque: r.Request.URL.Opaque,
-				User: UserInfoEnv{
-					Username: r.Request.URL.User.Username(),
-					Password: func() string {
-						passwd, _ := r.Request.URL.User.Password()
-						return passwd
-					}(),
-				},
-				Host:        r.Request.URL.Host,
-				Path:        r.Request.URL.Path,
-				RawPath:     r.Request.URL.RawPath,
-				RawQuery:    r.Request.URL.RawQuery,
-				Fragment:    r.Request.URL.Fragment,
-				RawFragment: r.Request.URL.RawFragment,
-			},
-			RawURL:           r.Request.URL.String(),
-			Proto:            r.Request.Proto,
-			ProtoMajor:       r.Request.ProtoMajor,
-			ProtoMinor:       r.Request.ProtoMinor,
-			Header:           r.Request.Header,
-			ContentLength:    r.Request.ContentLength,
-			TransferEncoding: r.Request.TransferEncoding,
-			Host:             r.Request.Host,
-			Trailer:          r.Request.Trailer,
-			RemoteAddr:       r.Request.RemoteAddr,
-			RequestURI:       r.Request.RequestURI,
-		},
-		Response: ResponseInfo{
+	originalURL, err := director.OriginalURL(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	vars := &ResponseVars{
+		OriginalURL: fromURL(originalURL),
+		Request:     fromRequest(r.Request),
+		Response: ResponseVar{
 			Proto:            r.Proto,
 			ProtoMajor:       r.ProtoMajor,
 			ProtoMinor:       r.ProtoMinor,
@@ -183,18 +177,18 @@ func (l *Layer) applyResponseRules(r *http.Response, options *LayerOptions) erro
 		},
 	}
 
-	if _, err := engine.Apply(env); err != nil {
+	ctx = ruleHTTP.WithResponse(ctx, r)
+	ctx = ruleHTTP.WithRequest(ctx, r.Request)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
 		return errors.WithStack(err)
 	}
 
 	return nil
 }
 
-func (l *Layer) getResponseRuleEngine(r *http.Response, options *LayerOptions) (*rule.Engine[*ResponseEnv], error) {
-	engine, err := rule.NewEngine[*ResponseEnv](
-		rule.WithRules(options.Rules.Response...),
-		ruleHTTP.WithResponseFuncs(r),
-	)
+func (l *Layer) getResponseRuleEngine(ctx context.Context, layerRevision int, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+	engine, err := l.responseRuleEngine.Get(ctx, layerRevision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}

internal/proxy/director/layer/util/revisioned_rule_engine.go

@@ -0,0 +1,51 @@
+package util
+
+import (
+	"context"
+	"sync"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+type RuleEngineFactoryFunc[V any, O any] func(ops O) (*rule.Engine[V], error)
+
+type RevisionedRuleEngine[V any, O any] struct {
+	mutex    sync.RWMutex
+	revision int
+	engine   *rule.Engine[V]
+	factory  RuleEngineFactoryFunc[V, O]
+}
+
+func (e *RevisionedRuleEngine[V, O]) Get(ctx context.Context, revision int, opts O) (*rule.Engine[V], error) {
+	e.mutex.RLock()
+	if revision == e.revision {
+		logger.Debug(ctx, "using cached rule engine", logger.F("layerRevision", revision))
+
+		defer e.mutex.RUnlock()
+		return e.engine, nil
+	}
+	e.mutex.RUnlock()
+
+	e.mutex.Lock()
+	defer e.mutex.Unlock()
+
+	logger.Debug(ctx, "creating rule engine", logger.F("layerRevision", revision))
+
+	engine, err := e.factory(opts)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	e.engine = engine
+	e.revision = revision
+
+	return engine, nil
+}
+
+func NewRevisionedRuleEngine[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RevisionedRuleEngine[V, O] {
+	return &RevisionedRuleEngine[V, O]{
+		factory: factory,
+	}
+}

internal/proxy/server.go

@@ -153,7 +153,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 
 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
-				logger.Info(ctx, "enabling authentication on metrics endpoint")
+				logger.Info(ctx, "enabling authentication on profiling endpoint")
 
 				r.Use(middleware.BasicAuth(
 					"profiling",
@@ -223,7 +223,7 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
 	err := errors.Errorf("no proxy target found")
 
-	logger.Error(r.Context(), "proxy error", logger.E(err))
+	logger.Error(r.Context(), "proxy error", logger.CapturedE(err))
 	sentry.CaptureException(err)
 
 	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
@@ -232,7 +232,7 @@ func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
 	err = errors.WithStack(err)
 
-	logger.Error(r.Context(), "proxy error", logger.E(err))
+	logger.Error(r.Context(), "proxy error", logger.CapturedE(err))
 	sentry.CaptureException(err)
 
 	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
@@ -266,7 +266,7 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 
 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not load proxy templates", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -287,7 +287,7 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 	}
 
 	if err := blockTmpl.Execute(w, templateData); err != nil {
-		logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not render proxy page", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return

internal/rule/engine.go

@@ -1,16 +1,28 @@
 package rule
 
 import (
+	"context"
+
 	"github.com/expr-lang/expr"
 	"github.com/expr-lang/expr/vm"
 	"github.com/pkg/errors"
 )
 
-type Engine[E any] struct {
+type Engine[V any] struct {
 	rules []*vm.Program
 }
 
-func (e *Engine[E]) Apply(env E) ([]any, error) {
+func (e *Engine[V]) Apply(ctx context.Context, vars V) ([]any, error) {
+	type Env[V any] struct {
+		Context context.Context `expr:"ctx"`
+		Vars    V               `expr:"vars"`
+	}
+
+	env := Env[V]{
+		Context: ctx,
+		Vars:    vars,
+	}
+
 	results := make([]any, 0, len(e.rules))
 	for i, r := range e.rules {
 		result, err := expr.Run(r, env)
@@ -42,3 +54,26 @@ func NewEngine[E any](funcs ...OptionFunc) (*Engine[E], error) {
 
 	return engine, nil
 }
+
+func Context[T any](ctx context.Context, key any) (T, bool) {
+	raw := ctx.Value(key)
+	if raw == nil {
+		return *new(T), false
+	}
+
+	value, err := Assert[T](raw)
+	if err != nil {
+		return *new(T), false
+	}
+
+	return value, true
+}
+
+func Assert[T any](raw any) (T, error) {
+	value, ok := raw.(T)
+	if !ok {
+		return *new(T), errors.Errorf("unexpected value '%T'", value)
+	}
+
+	return value, nil
+}

internal/rule/http/context.go

@@ -0,0 +1,31 @@
+package http
+
+import (
+	"context"
+	"net/http"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+)
+
+type contextKey string
+
+const (
+	contextKeyRequest  contextKey = "request"
+	contextKeyResponse contextKey = "response"
+)
+
+func WithRequest(ctx context.Context, r *http.Request) context.Context {
+	return context.WithValue(ctx, contextKeyRequest, r)
+}
+
+func WithResponse(ctx context.Context, r *http.Response) context.Context {
+	return context.WithValue(ctx, contextKeyResponse, r)
+}
+
+func CtxRequest(ctx context.Context) (*http.Request, bool) {
+	return rule.Context[*http.Request](ctx, contextKeyRequest)
+}
+
+func CtxResponse(ctx context.Context) (*http.Response, bool) {
+	return rule.Context[*http.Response](ctx, contextKeyResponse)
+}

internal/rule/http/option.go

@@ -1,20 +1,20 @@
 package http
 
 import (
-	"net/http"
-
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
 )
 
-func WithRequestFuncs(r *http.Request) rule.OptionFunc {
+func WithRequestFuncs() rule.OptionFunc {
 	return func(opts *rule.Options) {
 		funcs := []expr.Option{
-			setRequestURL(r),
-			setRequestHeaderFunc(r),
-			addRequestHeaderFunc(r),
-			delRequestHeadersFunc(r),
-			setRequestHostFunc(r),
+			setRequestURLFunc(),
+			setRequestHeaderFunc(),
+			addRequestHeaderFunc(),
+			delRequestHeadersFunc(),
+			setRequestHostFunc(),
+			getRequestCookieFunc(),
+			addRequestCookieFunc(),
 		}
 
 		if len(opts.Expr) == 0 {
@@ -25,12 +25,14 @@ func WithRequestFuncs(r *http.Request) rule.OptionFunc {
 	}
 }
 
-func WithResponseFuncs(r *http.Response) rule.OptionFunc {
+func WithResponseFuncs() rule.OptionFunc {
 	return func(opts *rule.Options) {
 		funcs := []expr.Option{
-			setResponseHeaderFunc(r),
-			addResponseHeaderFunc(r),
-			delResponseHeadersFunc(r),
+			setResponseHeaderFunc(),
+			addResponseHeaderFunc(),
+			delResponseHeadersFunc(),
+			addResponseCookieFunc(),
+			getResponseCookieFunc(),
 		}
 
 		if len(opts.Expr) == 0 {

internal/rule/http/request.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -9,101 +10,147 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
 
-func setRequestHostFunc(r *http.Request) expr.Option {
+func setRequestHostFunc() expr.Option {
 	return expr.Function(
 		"set_host",
 		func(params ...any) (any, error) {
-			host := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			host, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
 			r.Host = host
 
 			return true, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
 
-func setRequestURL(r *http.Request) expr.Option {
+func setRequestURLFunc() expr.Option {
 	return expr.Function(
 		"set_url",
 		func(params ...any) (any, error) {
-			rawURL := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			rawURL, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
 
 			url, err := url.Parse(rawURL)
 			if err != nil {
 				return false, errors.WithStack(err)
 			}
 
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
 			r.URL = url
 
 			return true, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
 
-func addRequestHeaderFunc(r *http.Request) expr.Option {
+func addRequestHeaderFunc() expr.Option {
 	return expr.Function(
 		"add_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
 
-			var value string
-			switch v := rawValue.(type) {
-			case []string:
-				value = strings.Join(v, ",")
-			case time.Time:
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
-			case time.Duration:
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
-			default:
-				value = fmt.Sprintf("%v", rawValue)
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			value := formatValue(params[2])
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
 			}
 
 			r.Header.Add(name, value)
 
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
 
-func setRequestHeaderFunc(r *http.Request) expr.Option {
+func setRequestHeaderFunc() expr.Option {
 	return expr.Function(
 		"set_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
 
-			var value string
-			switch v := rawValue.(type) {
-			case []string:
-				value = strings.Join(v, ",")
-			case time.Time:
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
-			case time.Duration:
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
-			default:
-				value = fmt.Sprintf("%v", rawValue)
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			value := formatValue(params[2])
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
 			}
 
 			r.Header.Set(name, value)
 
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
 
-func delRequestHeadersFunc(r *http.Request) expr.Option {
+func delRequestHeadersFunc() expr.Option {
 	return expr.Function(
 		"del_headers",
 		func(params ...any) (any, error) {
-			pattern := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			pattern, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
 			deleted := false
 
 			for key := range r.Header {
@@ -117,6 +164,160 @@ func delRequestHeadersFunc(r *http.Request) expr.Option {
 
 			return deleted, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
 	)
 }
+
+type CookieVar struct {
+	Name     string        `expr:"name"`
+	Value    string        `expr:"value"`
+	Path     string        `expr:"path"`
+	Domain   string        `expr:"domain"`
+	Expires  time.Time     `expr:"expires"`
+	MaxAge   int           `expr:"max_age"`
+	Secure   bool          `expr:"secure"`
+	HttpOnly bool          `expr:"http_only"`
+	SameSite http.SameSite `expr:"same_site"`
+}
+
+func getRequestCookieFunc() expr.Option {
+	return expr.Function(
+		"get_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
+			cookie, err := r.Cookie(name)
+			if err != nil && !errors.Is(err, http.ErrNoCookie) {
+				return nil, errors.WithStack(err)
+			}
+
+			if cookie == nil {
+				return nil, nil
+			}
+
+			return CookieVar{
+				Name:     cookie.Name,
+				Value:    cookie.Value,
+				Path:     cookie.Path,
+				Domain:   cookie.Domain,
+				Expires:  cookie.Expires,
+				MaxAge:   cookie.MaxAge,
+				Secure:   cookie.Secure,
+				HttpOnly: cookie.HttpOnly,
+				SameSite: cookie.SameSite,
+			}, nil
+		},
+		new(func(context.Context, string) CookieVar),
+	)
+}
+
+func addRequestCookieFunc() expr.Option {
+	return expr.Function(
+		"add_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			values, err := rule.Assert[map[string]any](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			cookie, err := cookieFrom(values)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
+			r.AddCookie(cookie)
+
+			return true, nil
+		},
+		new(func(context.Context, map[string]any) bool),
+	)
+}
+
+func cookieFrom(values map[string]any) (*http.Cookie, error) {
+	cookie := &http.Cookie{}
+
+	if name, ok := values["name"].(string); ok {
+		cookie.Name = name
+	}
+
+	if value, ok := values["value"].(string); ok {
+		cookie.Value = value
+	}
+
+	if domain, ok := values["domain"].(string); ok {
+		cookie.Domain = domain
+	}
+
+	if path, ok := values["path"].(string); ok {
+		cookie.Path = path
+	}
+
+	if httpOnly, ok := values["http_only"].(bool); ok {
+		cookie.HttpOnly = httpOnly
+	}
+
+	if maxAge, ok := values["max_age"].(int); ok {
+		cookie.MaxAge = maxAge
+	}
+
+	if secure, ok := values["secure"].(bool); ok {
+		cookie.Secure = secure
+	}
+
+	if sameSite, ok := values["same_site"].(http.SameSite); ok {
+		cookie.SameSite = sameSite
+	} else if sameSite, ok := values["same_site"].(int); ok {
+		cookie.SameSite = http.SameSite(sameSite)
+	}
+
+	if expires, ok := values["expires"].(time.Time); ok {
+		cookie.Expires = expires
+	} else if rawExpires, ok := values["expires"].(string); ok {
+		expires, err := time.Parse(http.TimeFormat, rawExpires)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		cookie.Expires = expires
+	}
+
+	return cookie, nil
+}
+
+func formatValue(v any) string {
+	var value string
+	switch v := v.(type) {
+	case []string:
+		value = strings.Join(v, ",")
+	case time.Time:
+		value = strconv.FormatInt(v.UTC().Unix(), 10)
+	case time.Duration:
+		value = strconv.FormatInt(int64(v.Seconds()), 10)
+	default:
+		value = fmt.Sprintf("%v", v)
+	}
+	return value
+}

internal/rule/http/request_test.go

@@ -0,0 +1,324 @@
+package http
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/pkg/errors"
+)
+
+func TestSetRequestHost(t *testing.T) {
+	type Vars struct {
+		NewHost string `expr:"newHost"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(setRequestHostFunc()),
+		rule.WithRules(
+			"set_host(ctx, vars.newHost)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	ctx := context.Background()
+
+	ctx = WithRequest(ctx, req)
+
+	vars := Vars{
+		NewHost: "foobar",
+	}
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := vars.NewHost, req.Host; e != g {
+		t.Errorf("req.Host: expected '%v', got '%v'", e, g)
+	}
+}
+
+func TestSetRequestURL(t *testing.T) {
+	type Vars struct {
+		NewURL string `expr:"newURL"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(setRequestURLFunc()),
+		rule.WithRules(
+			"set_url(ctx, vars.newURL)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	ctx := context.Background()
+
+	ctx = WithRequest(ctx, req)
+
+	vars := Vars{
+		NewURL: "http://localhost",
+	}
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := vars.NewURL, req.URL.String(); e != g {
+		t.Errorf("req.URL.String(): expected '%v', got '%v'", e, g)
+	}
+}
+
+func TestAddRequestHeader(t *testing.T) {
+	type Vars struct {
+		NewHeaderKey   string `expr:"newHeaderKey"`
+		NewHeaderValue string `expr:"newHeaderValue"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(addRequestHeaderFunc()),
+		rule.WithRules(
+			"add_header(ctx, vars.newHeaderKey, vars.newHeaderValue)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	ctx := context.Background()
+
+	ctx = WithRequest(ctx, req)
+
+	vars := Vars{
+		NewHeaderKey:   "X-My-Header",
+		NewHeaderValue: "foobar",
+	}
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := vars.NewHeaderValue, req.Header.Get(vars.NewHeaderKey); e != g {
+		t.Errorf("req.Header.Get(vars.NewHeaderKey): expected '%v', got '%v'", e, g)
+	}
+}
+
+func TestSetRequestHeader(t *testing.T) {
+	type Vars struct {
+		HeaderKey   string `expr:"headerKey"`
+		HeaderValue string `expr:"headerValue"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(setRequestHeaderFunc()),
+		rule.WithRules(
+			"set_header(ctx, vars.headerKey, vars.headerValue)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	vars := Vars{
+		HeaderKey:   "X-My-Header",
+		HeaderValue: "foobar",
+	}
+
+	req.Header.Set(vars.HeaderKey, "test")
+
+	ctx := context.Background()
+	ctx = WithRequest(ctx, req)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := vars.HeaderValue, req.Header.Get(vars.HeaderKey); e != g {
+		t.Errorf("req.Header.Get(vars.HeaderKey): expected '%v', got '%v'", e, g)
+	}
+}
+
+func TestDelRequestHeaders(t *testing.T) {
+	type Vars struct {
+		HeaderPattern string `expr:"headerPattern"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(delRequestHeadersFunc()),
+		rule.WithRules(
+			"del_headers(ctx, vars.headerPattern)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	vars := Vars{
+		HeaderPattern: "X-My-*",
+	}
+
+	req.Header.Set("X-My-Header", "test")
+
+	ctx := context.Background()
+	ctx = WithRequest(ctx, req)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if val := req.Header.Get("X-My-Header"); val != "" {
+		t.Errorf("req.Header.Get(\"X-My-Header\") should be empty, got '%v'", val)
+	}
+}
+
+func TestAddRequestCookie(t *testing.T) {
+	type TestCase struct {
+		Cookie     map[string]any
+		Check      func(t *testing.T, tc TestCase, req *http.Request)
+		ShouldFail bool
+	}
+
+	testCases := []TestCase{
+		{
+			Cookie: map[string]any{
+				"name": "test",
+			},
+			Check: func(t *testing.T, tc TestCase, req *http.Request) {
+				cookie, err := req.Cookie(tc.Cookie["name"].(string))
+				if err != nil {
+					t.Errorf("%+v", errors.WithStack(err))
+					return
+				}
+
+				if e, g := tc.Cookie["name"], cookie.Name; e != g {
+					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+		{
+			Cookie: map[string]any{
+				"name":  "foo",
+				"value": "test",
+			},
+			Check: func(t *testing.T, tc TestCase, req *http.Request) {
+				cookie, err := req.Cookie(tc.Cookie["name"].(string))
+				if err != nil {
+					t.Errorf("%+v", errors.WithStack(err))
+					return
+				}
+
+				if e, g := tc.Cookie["name"], cookie.Name; e != g {
+					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["value"], cookie.Value; e != g {
+					t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
+			type Vars struct {
+				NewCookie map[string]any `expr:"new_cookie"`
+			}
+
+			engine := createRuleEngine[Vars](t,
+				rule.WithExpr(addRequestCookieFunc()),
+				rule.WithRules(
+					`add_cookie(ctx, vars.new_cookie)`,
+				),
+			)
+
+			req, err := http.NewRequest("GET", "http://example.net", nil)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			vars := Vars{
+				NewCookie: tc.Cookie,
+			}
+
+			ctx := context.Background()
+			ctx = WithRequest(ctx, req)
+
+			if _, err := engine.Apply(ctx, vars); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.ShouldFail {
+				t.Error("engine.Apply() should have failed")
+			}
+
+			if tc.Check != nil {
+				tc.Check(t, tc, req)
+			}
+		})
+	}
+}
+
+func TestGetRequestCookie(t *testing.T) {
+	type Vars struct {
+		CookieName string `expr:"cookieName"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(getRequestCookieFunc()),
+		rule.WithRules(
+			"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	vars := Vars{
+		CookieName: "foo",
+	}
+
+	cookie := &http.Cookie{
+		Name:  vars.CookieName,
+		Value: "bar",
+	}
+
+	req.AddCookie(cookie)
+
+	ctx := context.Background()
+	ctx = WithRequest(ctx, req)
+
+	results, err := engine.Apply(ctx, vars)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := cookie.Value, results[0]; e != g {
+		t.Errorf("result[0]: expected '%v', got '%v'", e, g)
+	}
+}
+
+func createRuleEngine[V any](t *testing.T, funcs ...rule.OptionFunc) *rule.Engine[V] {
+	engine, err := rule.NewEngine[V](funcs...)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	return engine
+}

internal/rule/http/response.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -8,15 +9,26 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/expr-lang/expr"
+	"github.com/pkg/errors"
 )
 
-func addResponseHeaderFunc(r *http.Response) expr.Option {
+func addResponseHeaderFunc() expr.Option {
 	return expr.Function(
 		"add_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			rawValue := params[2]
 
 			var value string
 			switch v := rawValue.(type) {
@@ -30,20 +42,34 @@ func addResponseHeaderFunc(r *http.Response) expr.Option {
 				value = fmt.Sprintf("%v", rawValue)
 			}
 
+			r, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http response in context")
+			}
+
 			r.Header.Add(name, value)
 
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
 
-func setResponseHeaderFunc(r *http.Response) expr.Option {
+func setResponseHeaderFunc() expr.Option {
 	return expr.Function(
 		"set_header",
 		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			rawValue := params[2]
 
 			var value string
 			switch v := rawValue.(type) {
@@ -57,19 +83,38 @@ func setResponseHeaderFunc(r *http.Response) expr.Option {
 				value = fmt.Sprintf("%v", rawValue)
 			}
 
+			r, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http response in context")
+			}
+
 			r.Header.Set(name, value)
 
 			return true, nil
 		},
-		new(func(string, string) bool),
+		new(func(context.Context, string, string) bool),
 	)
 }
 
-func delResponseHeadersFunc(r *http.Response) expr.Option {
+func delResponseHeadersFunc() expr.Option {
 	return expr.Function(
 		"del_headers",
 		func(params ...any) (any, error) {
-			pattern := params[0].(string)
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			pattern, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http response in context")
+			}
+
 			deleted := false
 
 			for key := range r.Header {
@@ -83,6 +128,87 @@ func delResponseHeadersFunc(r *http.Response) expr.Option {
 
 			return deleted, nil
 		},
-		new(func(string) bool),
+		new(func(context.Context, string) bool),
+	)
+}
+
+func addResponseCookieFunc() expr.Option {
+	return expr.Function(
+		"add_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			values, err := rule.Assert[map[string]any](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			cookie, err := cookieFrom(values)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
+			r.Header.Add("Set-Cookie", cookie.String())
+
+			return true, nil
+		},
+		new(func(context.Context, map[string]any) bool),
+	)
+}
+
+func getResponseCookieFunc() expr.Option {
+	return expr.Function(
+		"get_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			res, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http response in context")
+			}
+
+			var cookie *http.Cookie
+			for _, c := range res.Cookies() {
+				if c.Name != name {
+					continue
+				}
+
+				cookie = c
+				break
+			}
+
+			if cookie == nil {
+				return nil, nil
+			}
+
+			return CookieVar{
+				Name:     cookie.Name,
+				Value:    cookie.Value,
+				Path:     cookie.Path,
+				Domain:   cookie.Domain,
+				Expires:  cookie.Expires,
+				MaxAge:   cookie.MaxAge,
+				Secure:   cookie.Secure,
+				HttpOnly: cookie.HttpOnly,
+				SameSite: cookie.SameSite,
+			}, nil
+		},
+		new(func(context.Context, string) CookieVar),
 	)
 }

internal/rule/http/response_test.go

@@ -0,0 +1,317 @@
+package http
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/pkg/errors"
+)
+
+func TestAddResponseHeader(t *testing.T) {
+	type Vars struct {
+		NewHeaderKey   string `expr:"newHeaderKey"`
+		NewHeaderValue string `expr:"newHeaderValue"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(addResponseHeaderFunc()),
+		rule.WithRules(
+			"add_header(ctx, vars.newHeaderKey, vars.newHeaderValue)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	resp := createResponse(req, http.StatusOK, nil)
+
+	ctx := context.Background()
+
+	ctx = WithResponse(ctx, resp)
+
+	vars := Vars{
+		NewHeaderKey:   "X-My-Header",
+		NewHeaderValue: "foobar",
+	}
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := vars.NewHeaderValue, resp.Header.Get(vars.NewHeaderKey); e != g {
+		t.Errorf("resp.Header.Get(vars.NewHeaderKey): expected '%v', got '%v'", e, g)
+	}
+}
+
+func TestResponseSetHeader(t *testing.T) {
+	type Vars struct {
+		HeaderKey   string `expr:"headerKey"`
+		HeaderValue string `expr:"headerValue"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(setResponseHeaderFunc()),
+		rule.WithRules(
+			"set_header(ctx, vars.headerKey, vars.headerValue)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	resp := createResponse(req, http.StatusOK, nil)
+
+	vars := Vars{
+		HeaderKey:   "X-My-Header",
+		HeaderValue: "foobar",
+	}
+
+	resp.Header.Set(vars.HeaderKey, "test")
+
+	ctx := context.Background()
+	ctx = WithResponse(ctx, resp)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := vars.HeaderValue, resp.Header.Get(vars.HeaderKey); e != g {
+		t.Errorf("resp.Header.Get(vars.HeaderKey): expected '%v', got '%v'", e, g)
+	}
+}
+
+func TestResponseDelHeaders(t *testing.T) {
+	type Vars struct {
+		HeaderPattern string `expr:"headerPattern"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(delResponseHeadersFunc()),
+		rule.WithRules(
+			"del_headers(ctx, vars.headerPattern)",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	resp := createResponse(req, http.StatusOK, nil)
+
+	vars := Vars{
+		HeaderPattern: "X-My-*",
+	}
+
+	resp.Header.Set("X-My-Header", "test")
+
+	ctx := context.Background()
+	ctx = WithResponse(ctx, resp)
+
+	if _, err := engine.Apply(ctx, vars); err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if val := resp.Header.Get("X-My-Header"); val != "" {
+		t.Errorf("resp.Header.Get(\"X-My-Header\") should be empty, got '%v'", val)
+	}
+}
+
+func TestAddResponseCookie(t *testing.T) {
+	type TestCase struct {
+		Cookie     map[string]any
+		Check      func(t *testing.T, tc TestCase, res *http.Response)
+		ShouldFail bool
+	}
+
+	testCases := []TestCase{
+		{
+			Cookie: map[string]any{
+				"name":      "foo",
+				"value":     "test",
+				"domain":    "example.net",
+				"path":      "/custom",
+				"same_site": http.SameSiteStrictMode,
+				"http_only": true,
+				"secure":    false,
+				"expires":   time.Now().UTC().Truncate(time.Second),
+			},
+			Check: func(t *testing.T, tc TestCase, res *http.Response) {
+				var cookie *http.Cookie
+				for _, c := range res.Cookies() {
+					if c.Name == tc.Cookie["name"] {
+						cookie = c
+						break
+					}
+				}
+				if cookie == nil {
+					t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
+					return
+				}
+
+				if e, g := tc.Cookie["name"], cookie.Name; e != g {
+					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["value"], cookie.Value; e != g {
+					t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["domain"], cookie.Domain; e != g {
+					t.Errorf("cookie.Domain: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["path"], cookie.Path; e != g {
+					t.Errorf("cookie.Path: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["secure"], cookie.Secure; e != g {
+					t.Errorf("cookie.Secure: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["http_only"], cookie.HttpOnly; e != g {
+					t.Errorf("cookie.HttpOnly: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["same_site"], cookie.SameSite; e != g {
+					t.Errorf("cookie.SameSite: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["expires"], cookie.Expires; e != g {
+					t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+		{
+			Cookie: map[string]any{
+				"name":    "foo",
+				"expires": time.Now().UTC().Format(http.TimeFormat),
+			},
+			Check: func(t *testing.T, tc TestCase, res *http.Response) {
+				var cookie *http.Cookie
+				for _, c := range res.Cookies() {
+					if c.Name == tc.Cookie["name"] {
+						cookie = c
+						break
+					}
+				}
+				if cookie == nil {
+					t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
+					return
+				}
+
+				if e, g := tc.Cookie["expires"], cookie.Expires.Format(http.TimeFormat); e != g {
+					t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
+			type Vars struct {
+				NewCookie map[string]any `expr:"new_cookie"`
+			}
+
+			engine := createRuleEngine[Vars](t,
+				rule.WithExpr(addResponseCookieFunc()),
+				rule.WithRules(
+					`add_cookie(ctx, vars.new_cookie)`,
+				),
+			)
+
+			req, err := http.NewRequest("GET", "http://example.net", nil)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			resp := createResponse(req, http.StatusOK, nil)
+
+			vars := Vars{
+				NewCookie: tc.Cookie,
+			}
+
+			ctx := context.Background()
+			ctx = WithRequest(ctx, req)
+			ctx = WithResponse(ctx, resp)
+
+			if _, err := engine.Apply(ctx, vars); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.ShouldFail {
+				t.Error("engine.Apply() should have failed")
+			}
+
+			if tc.Check != nil {
+				tc.Check(t, tc, resp)
+			}
+		})
+	}
+}
+
+func TestGetResponseCookie(t *testing.T) {
+	type Vars struct {
+		CookieName string `expr:"cookieName"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(getResponseCookieFunc()),
+		rule.WithRules(
+			"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	resp := createResponse(req, http.StatusOK, nil)
+
+	vars := Vars{
+		CookieName: "foo",
+	}
+
+	cookie := &http.Cookie{
+		Name:  vars.CookieName,
+		Value: "bar",
+	}
+
+	resp.Header.Add("Set-Cookie", cookie.String())
+
+	ctx := context.Background()
+	ctx = WithResponse(ctx, resp)
+
+	results, err := engine.Apply(ctx, vars)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := cookie.Value, results[0]; e != g {
+		t.Errorf("result[0]: expected '%v', got '%v'", e, g)
+	}
+}
+
+func createResponse(req *http.Request, statusCode int, body io.Reader) *http.Response {
+	return &http.Response{
+		Status:        http.StatusText(statusCode),
+		StatusCode:    statusCode,
+		Proto:         "HTTP/1.1",
+		ProtoMajor:    1,
+		ProtoMinor:    1,
+		Body:          io.NopCloser(body),
+		ContentLength: -1,
+		Request:       req,
+		Header:        make(http.Header, 0),
+	}
+}

internal/setup/redis.go

@@ -56,7 +56,7 @@ func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
 
 		for range timer.C {
 			if _, err := client.Ping(ctx).Result(); err != nil {
-				logger.Error(ctx, "redis disconnected", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
 				connected = false
 				continue
 			}

internal/setup/sentry.go

@@ -34,6 +34,10 @@ func SetupSentry(ctx context.Context, conf config.SentryConfig, release string)
 		return nil, errors.WithStack(err)
 	}
 
+	logger.SetCaptureFunc(func(err error) {
+		sentry.CaptureException(err)
+	})
+
 	flush := func() {
 		sentry.Flush(time.Duration(*conf.FlushTimeout))
 	}

internal/store/redis/helper.go

@@ -81,7 +81,7 @@ func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn
 	for attempt := 0; attempt < maxAttempts; attempt++ {
 		if err = WithTx(ctx, client, key, fn); err != nil {
 			err = errors.WithStack(err)
-			logger.Debug(ctx, "redis transaction failed", logger.E(err))
+			logger.Debug(ctx, "redis transaction failed", logger.CapturedE(err))
 
 			if errors.Is(err, redis.TxFailedErr) {
 				logger.Debug(ctx, "retrying redis transaction", logger.F("attempts", attempt), logger.F("delay", delay))
@@ -97,7 +97,7 @@ func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn
 		return nil
 	}
 
-	logger.Error(ctx, "redis error", logger.E(errors.WithStack(err)))
+	logger.Error(ctx, "redis error", logger.CapturedE(errors.WithStack(err)))
 
 	return errors.WithStack(redis.TxFailedErr)
 }