feat: silence context expired errors

closes #49

Dockerfile

@@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.23 AS BUILD
 
 RUN apt-get update \
     && apt-get install -y make

Makefile

@@ -17,8 +17,8 @@ GOTEST_ARGS ?= -short
 OPENWRT_DEVICE ?= 192.168.1.1
 
 SIEGE_URLS_FILE ?= misc/siege/urls.txt
-SIEGE_CONCURRENCY ?= 50
+SIEGE_CONCURRENCY ?= 200
-SIEGE_DURATION ?= 1M
+SIEGE_DURATION ?= 5M
 
 data/bootstrap.d/dummy.yml:
 	mkdir -p data/bootstrap.d

doc/fr/references/layers/rewriter.md

@@ -60,7 +60,7 @@ Retourne `nil` si le cookie n'existe pas.
 }
 ```
 
-##### `set_cookie(ctx, cookie Cookie)`
+##### `add_cookie(ctx, cookie Cookie)`
 
 Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
 Voir la méthode `get_cookie()` pour voir les attributs potentiels.

internal/admin/authz.go

@@ -70,7 +70,7 @@ func assertRequestUser(w http.ResponseWriter, r *http.Request) (auth.User, bool)
 	ctx := r.Context()
 	user, err := auth.CtxUser(ctx)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve user", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve user", logger.CapturedE(errors.WithStack(err)))
 
 		forbidden(w, r)
 

internal/admin/error.go

@@ -6,7 +6,6 @@ import (
 	"net/http"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/schema"
-	"github.com/getsentry/sentry-go"
 	"gitlab.com/wpetit/goweb/api"
 	"gitlab.com/wpetit/goweb/logger"
 )
@@ -29,11 +28,8 @@ func invalidDataErrorResponse(w http.ResponseWriter, r *http.Request, err *schem
 	}{
 		Message: message,
 	})
-
-	return
 }
 
 func logAndCaptureError(ctx context.Context, message string, err error) {
-	sentry.CaptureException(err)
+	logger.Error(ctx, message, logger.CapturedE(err))
-	logger.Error(ctx, message, logger.E(err))
 }

internal/admin/server.go

@@ -2,6 +2,7 @@ package admin
 
 import (
 	"context"
+	"expvar"
 	"fmt"
 	"log"
 	"net"
@@ -115,7 +116,9 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		router.Use(middleware.RealIP)
 	}
 
+	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
+	router.Use(middleware.Recoverer)
 
 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@@ -162,7 +165,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 
 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
-				logger.Info(ctx, "enabling authentication on metrics endpoint")
+				logger.Info(ctx, "enabling authentication on profiling endpoint")
 
 				r.Use(middleware.BasicAuth(
 					"profiling",
@@ -176,6 +179,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				r.HandleFunc("/profile", pprof.Profile)
 				r.HandleFunc("/symbol", pprof.Symbol)
 				r.HandleFunc("/trace", pprof.Trace)
+				r.Handle("/vars", expvar.Handler())
 				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
 					name := chi.URLParam(r, "name")
 					pprof.Handler(name).ServeHTTP(w, r)

internal/auth/middleware.go

@@ -52,7 +52,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			for _, auth := range authenticators {
 				user, err = auth.Authenticate(ctx, r)
 				if err != nil {
-					logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
+					logger.Debug(ctx, "could not authenticate request", logger.CapturedE(errors.WithStack(err)))
 
 					continue
 				}

internal/chi/log_formatter.go

@@ -2,7 +2,6 @@ package chi
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"time"
 
@@ -37,12 +36,19 @@ type LogEntry struct {
 
 // Panic implements middleware.LogEntry
 func (e *LogEntry) Panic(v interface{}, stack []byte) {
-	logger.Error(e.ctx, fmt.Sprintf("%s %s", e.method, e.path), logger.F("stack", string(stack)))
+	logger.Error(
+		e.ctx, "http panic",
+		logger.F("stack", string(stack)),
+		logger.F("host", e.host),
+		logger.F("method", e.method),
+		logger.F("path", e.path),
+	)
 }
 
 // Write implements middleware.LogEntry
 func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
-	logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
+	logger.Info(
+		e.ctx, "http request",
 		logger.F("host", e.host),
 		logger.F("status", status),
 		logger.F("bytes", bytes),

internal/command/server/admin/run.go

@@ -17,9 +17,7 @@ const (
 )
 
 func RunCommand() *cli.Command {
-	flags := append(
+	flags := common.Flags()
-		common.Flags(),
-	)
 
 	return &cli.Command{
 		Name:  "run",

internal/command/server/dummy/run.go

@@ -53,7 +53,7 @@ func RunCommand() *cli.Command {
 				}
 
 				if err := tmpl.Execute(w, data); err != nil {
-					logger.Error(ctx.Context, "could not execute template", logger.E(errors.WithStack(err)))
+					logger.Error(ctx.Context, "could not execute template", logger.CapturedE(errors.WithStack(err)))
 				}
 			})
 

internal/config/layers.go

@@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
+			},
+			Sessions: AuthnLayerSessionConfig{
+				TTL: NewInterpolatedDuration(time.Hour),
 			},
 		},
 	}
@@ -34,10 +38,16 @@ type AuthnLayerConfig struct {
 	Debug       InterpolatedBool        `yaml:"debug"`
 	TemplateDir InterpolatedString      `yaml:"templateDir"`
 	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
+	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
+}
+
+type AuthnLayerSessionConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }
 
 type AuthnOIDCLayerConfig struct {
 	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }
 
 type AuthnOIDCHTTPClientConfig struct {

internal/config/redis.go

@@ -15,8 +15,16 @@ type RedisConfig struct {
 	WriteTimeout          InterpolatedDuration    `yaml:"writeTimeout"`
 	DialTimeout           InterpolatedDuration    `yaml:"dialTimeout"`
 	LockMaxRetries        InterpolatedInt         `yaml:"lockMaxRetries"`
+	RouteByLatency        InterpolatedBool        `yaml:"routeByLatency"`
+	ContextTimeoutEnabled InterpolatedBool        `yaml:"contextTimeoutEnabled"`
 	MaxRetries            InterpolatedInt         `yaml:"maxRetries"`
 	PingInterval          InterpolatedDuration    `yaml:"pingInterval"`
+	PoolSize              InterpolatedInt         `yaml:"poolSize"`
+	PoolTimeout           InterpolatedDuration    `yaml:"poolTimeout"`
+	MinIdleConns          InterpolatedInt         `yaml:"minIdleConns"`
+	MaxIdleConns          InterpolatedInt         `yaml:"maxIdleConns"`
+	ConnMaxIdleTime       InterpolatedDuration    `yaml:"connMaxIdleTime"`
+	ConnMaxLifetime       InterpolatedDuration    `yaml:"connMaxLifeTime"`
 }
 
 func NewDefaultRedisConfig() RedisConfig {
@@ -29,5 +37,7 @@ func NewDefaultRedisConfig() RedisConfig {
 		LockMaxRetries:        10,
 		MaxRetries:            3,
 		PingInterval:          InterpolatedDuration(30 * time.Second),
+		ContextTimeoutEnabled: true,
+		RouteByLatency:        true,
 	}
 }

internal/config/sentry.go

@@ -28,11 +28,11 @@ func NewDefaultSentryConfig() SentryConfig {
 		Debug:              false,
 		FlushTimeout:       NewInterpolatedDuration(2 * time.Second),
 		AttachStacktrace:   true,
-		SampleRate:         0.2,
+		SampleRate:         1,
-		EnableTracing:      true,
+		EnableTracing:      false,
-		TracesSampleRate:   0.2,
+		TracesSampleRate:   0.1,
-		ProfilesSampleRate: 0.2,
+		ProfilesSampleRate: 0.1,
-		IgnoreErrors:       []string{},
+		IgnoreErrors:       []string{"context canceled", "net/http: abort"},
 		SendDefaultPII:     false,
 		ServerName:         "",
 		Environment:        "",

internal/lock/redis/locker.go

@@ -38,7 +38,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration
 
 		defer func() {
 			if err := lock.Release(ctx); err != nil {
-				logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not release lock", logger.CapturedE(errors.WithStack(err)))
 			}
 
 			logger.Debug(ctx, "lock released")

internal/lock/redis/retry.go

@@ -30,7 +30,7 @@ func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Con
 			return errors.Wrapf(err, "execution failed after %d attempts", attempts)
 		}
 
-		logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
+		logger.Error(ctx, "error while executing func, retrying with backoff", logger.CapturedE(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
 
 		time.Sleep(backoffDelay)
 

internal/proxy/director/context.go

@@ -2,10 +2,12 @@ package director
 
 import (
 	"context"
+	"net/http"
 	"net/url"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )
 
 type contextKey string
@@ -14,6 +16,7 @@ const (
 	contextKeyProxy       contextKey = "proxy"
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
+	contextKeyHandleError contextKey = "handleError"
 )
 
 var (
@@ -60,3 +63,22 @@ func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {
 
 	return value, nil
 }
+
+type HandleErrorFunc func(w http.ResponseWriter, r *http.Request, status int, err error)
+
+func withHandleError(ctx context.Context, fn HandleErrorFunc) context.Context {
+	return context.WithValue(ctx, contextKeyHandleError, fn)
+}
+
+func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, status int, err error) {
+	err = errors.WithStack(err)
+
+	fn, ok := ctx.Value(contextKeyHandleError).(HandleErrorFunc)
+	if !ok {
+		logger.Error(ctx, err.Error(), logger.CapturedE(err))
+		http.Error(w, http.StatusText(status), status)
+		return
+	}
+
+	fn(w, r, status, err)
+}

internal/proxy/director/director.go

@@ -21,6 +21,8 @@ type Director struct {
 
 	proxyCache cache.Cache[string, []*store.Proxy]
 	layerCache cache.Cache[string, []*store.Layer]
+
+	handleError HandleErrorFunc
 }
 
 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
@@ -32,7 +34,6 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	}
 
 	url := getRequestURL(r)
-
 	ctx = withOriginalURL(ctx, url)
 	ctx = logger.With(ctx, logger.F("url", url.String()))
 
@@ -40,21 +41,11 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 
 	for _, p := range proxies {
 		for _, from := range p.From {
-			logger.Debug(
-				ctx, "matching request with proxy's from",
-				logger.F("from", from),
-			)
-
 			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}
 
-			logger.Debug(
+			proxyCtx := logger.With(ctx,
-				ctx, "proxy's from matched",
-				logger.F("from", from),
-			)
-
-			ctx = logger.With(ctx,
 				logger.F("proxy", p.Name),
 				logger.F("host", r.Host),
 				logger.F("remoteAddr", r.RemoteAddr),
@@ -62,7 +53,7 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 
 			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
 
-			proxyLayers, err := d.getLayers(ctx, p.Name)
+			proxyLayers, err := d.getLayers(proxyCtx, p.Name)
 			if err != nil {
 				return r, errors.WithStack(err)
 			}
@@ -82,8 +73,8 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			r.URL.Scheme = toURL.Scheme
 			r.URL.Path = toURL.JoinPath(r.URL.Path).Path
 
-			ctx = withLayers(ctx, layers)
+			proxyCtx = withLayers(proxyCtx, layers)
-			r = r.WithContext(ctx)
+			r = r.WithContext(proxyCtx)
 
 			return r, nil
 		}
@@ -168,13 +159,14 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 func (d *Director) RequestTransformer() proxy.RequestTransformer {
 	return func(r *http.Request) {
 		ctx := r.Context()
+
 		layers, err := ctxLayers(ctx)
 		if err != nil {
 			if errors.Is(err, errContextKeyNotFound) {
 				return
 			}
 
-			logger.Error(ctx, "could not retrieve layers from context", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not retrieve layers from context", logger.CapturedE(errors.WithStack(err)))
 
 			return
 		}
@@ -224,15 +216,16 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := withHandleError(r.Context(), d.handleError)
+			r = r.WithContext(ctx)
+
 			r, err := d.rewriteRequest(r)
 			if err != nil {
-				logger.Error(r.Context(), "could not rewrite request", logger.E(errors.WithStack(err)))
+				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 				return
 			}
 
-			ctx := r.Context()
+			ctx = r.Context()
 
 			layers, err := ctxLayers(ctx)
 			if err != nil {
@@ -240,9 +233,7 @@ func (d *Director) Middleware() proxy.Middleware {
 					return
 				}
 
-				logger.Error(ctx, "could not retrieve proxy and layers from context", logger.E(errors.WithStack(err)))
+				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 				return
 			}
 
@@ -276,5 +267,6 @@ func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepos
 		layerRegistry:   registry,
 		proxyCache:      opts.ProxyCache,
 		layerCache:      opts.LayerCache,
+		handleError:     opts.HandleError,
 	}
 }

internal/proxy/director/layer/authn/layer.go

@@ -1,13 +1,18 @@
 package authn
 
 import (
+	"bytes"
 	"html/template"
+	"io"
 	"net/http"
 	"path/filepath"
 
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/Masterminds/sprig/v3"
 	"github.com/pkg/errors"
@@ -19,6 +24,8 @@ type Layer struct {
 	auth      Authenticator
 	debug     bool
 
+	ruleEngineCache *util.RuleEngineCache[*Vars, *LayerOptions]
+
 	templateDir string
 }
 
@@ -29,9 +36,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 				return
 			}
 
@@ -42,7 +47,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}
 
 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute pre-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute pre-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)
 
 					return
@@ -68,20 +73,20 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				}
 
 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not authenticate user", logger.E(err))
+				logger.Error(ctx, "could not authenticate user", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)
 
 				return
 			}
 
-			if err := l.applyRules(ctx, r, options, user); err != nil {
+			if err := l.applyRules(ctx, r, layer, options, user); err != nil {
 				if errors.Is(err, ErrForbidden) {
 					l.renderForbiddenPage(w, r, layer, options, user)
 					return
 				}
 
 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not apply rules", logger.E(err))
+				logger.Error(ctx, "could not apply rules", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)
 
 				return
@@ -99,7 +104,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}
 
 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute post-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute post-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)
 
 					return
@@ -162,20 +167,22 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string,
 
 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not load authn templates"))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 		return
 	}
 
 	w.Header().Add("Cache-Control", "no-cache")
 
-	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
+	var buf bytes.Buffer
-		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
+	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render authn page"))
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write authn page", logger.CapturedE(errors.WithStack(err)))
+	}
 }
 
 // LayerType implements director.MiddlewareLayer
@@ -187,6 +194,18 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
 	opts := NewOptions(funcs...)
 
 	return &Layer{
+		ruleEngineCache: util.NewInMemoryRuleEngineCache[*Vars, *LayerOptions](func(options *LayerOptions) (*rule.Engine[*Vars], error) {
+			engine, err := rule.NewEngine[*Vars](
+				rule.WithRules(options.Rules...),
+				rule.WithExpr(getAuthnAPI()...),
+				ruleHTTP.WithRequestFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
 		layerType:   layerType,
 		auth:        auth,
 		templateDir: opts.TemplateDir,

internal/proxy/director/layer/authn/layer_options.go

@@ -28,12 +28,13 @@ func DefaultLayerOptions() LayerOptions {
 	return LayerOptions{
 		MatchURLs: []string{"*"},
 		Rules: []string{
-			"del_headers('Remote-*')",
+			"del_headers(ctx, 'Remote-*')",
-			"set_header('Remote-User', user.subject)",
+			"set_header(ctx,'Remote-User', vars.user.subject)",
 			`map(
-				toPairs(user.attrs), {
+				toPairs(vars.user.attrs), {
 					let name = replace(lower(string(get(#, 0))), '_', '-');
 					set_header(
+						ctx,
 						'Remote-User-Attr-' + name, 
 						get(#, 1)
 					) 

internal/proxy/director/layer/authn/oidc/authenticator.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@@ -27,6 +28,7 @@ type Authenticator struct {
 	store             sessions.Store
 	httpTransport     *http.Transport
 	httpClientTimeout time.Duration
+	oidcProviderCache cache.Cache[string, *oidc.Provider]
 }
 
 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@@ -44,7 +46,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 
 	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
-		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve session", logger.CapturedE(errors.WithStack(err)))
 	}
 
 	loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
@@ -86,7 +88,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		if postLogoutRedirectURL != "" {
 			isAuthorized := slices.Contains(options.OIDC.PostLogoutRedirectURLs, postLogoutRedirectURL)
 			if !isAuthorized {
-				http.Error(w, "unauthorized post-logout redirect", http.StatusBadRequest)
+				director.HandleError(ctx, w, r, http.StatusBadRequest, errors.New("unauthorized post-logout redirect"))
 				return errors.WithStack(authn.ErrSkipRequest)
 			}
 		}
@@ -128,7 +130,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 
 	defer func() {
 		if err := sess.Save(r, w); err != nil {
-			logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
 		}
 	}()
 
@@ -378,17 +380,25 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		Transport: transport,
 	}
 
+	provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
+	if !exists {
+		var err error
 		ctx = oidc.ClientContext(ctx, httpClient)
 
 		if options.OIDC.SkipIssuerVerification {
 			ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
 		}
 
-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+		logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
+
+		provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
 		if err != nil {
 			return nil, errors.Wrap(err, "could not create oidc provider")
 		}
 
+		a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
+	}
+
 	client := NewClient(
 		WithCredentials(options.OIDC.ClientID, options.OIDC.ClientSecret),
 		WithProvider(provider),

internal/proxy/director/layer/authn/oidc/client.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 	"strings"
 
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/dchest/uniuri"
 	"github.com/gorilla/sessions"
@@ -68,8 +69,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL
 
 	if err := sess.Save(r, w); err != nil {
-		logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
 	}
@@ -127,7 +127,7 @@ func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sess
 
 	rawIDToken, err := c.getRawIDToken(sess)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve raw id token", logger.CapturedE(errors.WithStack(err)))
 	}
 
 	sess.Values[sessionKeyIDToken] = nil

internal/proxy/director/layer/authn/oidc/layer.go

@@ -1,8 +1,13 @@
 package oidc
 
 import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 )
 
@@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 		httpTransport:     opts.HTTPTransport,
 		httpClientTimeout: opts.HTTPClientTimeout,
 		store:             store,
+		oidcProviderCache: ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			opts.OIDCProviderCacheTimeout,
+		),
 	}, opts.AuthnOptions...)
 }

internal/proxy/director/layer/authn/oidc/options.go

@@ -11,6 +11,7 @@ type Options struct {
 	HTTPTransport            *http.Transport
 	HTTPClientTimeout        time.Duration
 	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }
 
+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
 		HTTPTransport:            http.DefaultTransport.(*http.Transport),
 		HTTPClientTimeout:        30 * time.Second,
 		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
 	}
 
 	for _, fn := range funcs {

internal/proxy/director/layer/authn/rules.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"net/http"
 
-	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
@@ -14,17 +14,11 @@ type Vars struct {
 	User *User `expr:"user"`
 }
 
-func (l *Layer) applyRules(ctx context.Context, r *http.Request, options *LayerOptions, user *User) error {
+func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
-	rules := options.Rules
+	key := string(layer.Proxy) + "-" + string(layer.Name)
-	if len(rules) == 0 {
+	revisionedEngine := l.ruleEngineCache.Get(key)
-		return nil
-	}
 
-	engine, err := rule.NewEngine[*Vars](
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
-		rule.WithRules(options.Rules...),
-		rule.WithExpr(getAuthnAPI()...),
-		ruleHTTP.WithRequestFuncs(),
-	)
 	if err != nil {
 		return errors.WithStack(err)
 	}

internal/proxy/director/layer/queue/queue.go

@@ -1,9 +1,11 @@
 package queue
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"html/template"
+	"io"
 	"math/rand"
 	"net/http"
 	"path/filepath"
@@ -52,9 +54,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 				return
 			}
 
@@ -71,7 +71,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			cookie, err := r.Cookie(cookieName)
 			if err != nil && !errors.Is(err, http.ErrNoCookie) {
-				logger.Error(ctx, "could not retrieve cookie", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve cookie", logger.CapturedE(errors.WithStack(err)))
 			}
 
 			if cookie == nil {
@@ -89,9 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				logger.Error(ctx, "could not retrieve session rank", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not update queue session rank"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 				return
 			}
 
@@ -126,7 +124,7 @@ func (q *Queue) updateSessionsMetric(ctx context.Context, proxyName store.ProxyN
 
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))
 
 		return
 	}
@@ -144,9 +142,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve queue status"))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 		return
 	}
 
@@ -157,7 +153,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 
 		tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 		if err != nil {
-			logger.Error(ctx, "could not load queue templates", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not load queue templates", logger.CapturedE(errors.WithStack(err)))
 
 			return
 		}
@@ -166,9 +162,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	})
 
 	if q.tmpl == nil {
-		logger.Error(ctx, "queue page templates not loaded", logger.E(errors.WithStack(err)))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("queue page templates not loaded"))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 		return
 	}
 
@@ -194,12 +188,16 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	w.Header().Add("Retry-After", strconv.FormatInt(int64(refreshRate.Seconds()), 10))
 	w.WriteHeader(http.StatusServiceUnavailable)
 
-	if err := q.tmpl.ExecuteTemplate(w, "queue", templateData); err != nil {
+	var buf bytes.Buffer
-		logger.Error(ctx, "could not render queue page", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
+	if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render queue page"))
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write queue page", logger.CapturedE(errors.WithStack(err)))
+	}
 }
 
 func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, keepAlive time.Duration) {
@@ -211,7 +209,7 @@ func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, kee
 
 	if err := q.adapter.Refresh(ctx, string(layerName), keepAlive); err != nil {
 		logger.Error(ctx, "could not refresh queue",
-			logger.E(errors.WithStack(err)),
+			logger.CapturedE(errors.WithStack(err)),
 			logger.F("queue", layerName),
 		)
 	}

internal/proxy/director/layer/rewriter/layer.go

@@ -11,14 +11,13 @@ import (
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
-	"gitlab.com/wpetit/goweb/logger"
 )
 
 const LayerType store.LayerType = "rewriter"
 
 type Layer struct {
-	requestRuleEngine  *util.RevisionedRuleEngine[*RequestVars, *LayerOptions]
+	requestRuleEngineCache  *util.RuleEngineCache[*RequestVars, *LayerOptions]
-	responseRuleEngine *util.RevisionedRuleEngine[*ResponseVars, *LayerOptions]
+	responseRuleEngineCache *util.RuleEngineCache[*ResponseVars, *LayerOptions]
 }
 
 func (l *Layer) LayerType() store.LayerType {
@@ -32,9 +31,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
 				return
 			}
 
@@ -45,15 +42,14 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}
 
-			if err := l.applyRequestRules(ctx, r, layer.Revision, options); err != nil {
+			if err := l.applyRequestRules(ctx, r, layer, options); err != nil {
 				var redirect *errRedirect
 				if errors.As(err, &redirect) {
 					http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
 					return
 				}
 
-				logger.Error(ctx, "could not apply request rules", logger.E(errors.WithStack(err)))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not apply request rules"))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 				return
 			}
@@ -80,7 +76,7 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
 
 		ctx := r.Request.Context()
 
-		if err := l.applyResponseRules(ctx, r, layer.Revision, options); err != nil {
+		if err := l.applyResponseRules(ctx, r, layer, options); err != nil {
 			return errors.WithStack(err)
 		}
 
@@ -90,7 +86,7 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
 
 func New(funcs ...OptionFunc) *Layer {
 	return &Layer{
-		requestRuleEngine: util.NewRevisionedRuleEngine(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+		requestRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
 			engine, err := rule.NewEngine[*RequestVars](
 				rule.WithRules(options.Rules.Request...),
 				ruleHTTP.WithRequestFuncs(),
@@ -102,7 +98,7 @@ func New(funcs ...OptionFunc) *Layer {
 
 			return engine, nil
 		}),
-		responseRuleEngine: util.NewRevisionedRuleEngine(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+		responseRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
 			engine, err := rule.NewEngine[*ResponseVars](
 				rule.WithRules(options.Rules.Response...),
 				ruleHTTP.WithResponseFuncs(),

internal/proxy/director/layer/rewriter/rules.go

@@ -8,6 +8,7 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 )
 
@@ -87,13 +88,13 @@ func fromRequest(r *http.Request) RequestVar {
 	}
 }
 
-func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRevision int, options *LayerOptions) error {
+func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions) error {
 	rules := options.Rules.Request
 	if len(rules) == 0 {
 		return nil
 	}
 
-	engine, err := l.getRequestRuleEngine(ctx, layerRevision, options)
+	engine, err := l.getRequestRuleEngine(ctx, layer, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -117,8 +118,11 @@ func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRev
 	return nil
 }
 
-func (l *Layer) getRequestRuleEngine(ctx context.Context, layerRevision int, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+func (l *Layer) getRequestRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
-	engine, err := l.requestRuleEngine.Get(ctx, layerRevision, options)
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.requestRuleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -145,13 +149,13 @@ type ResponseVar struct {
 	Trailer          map[string][]string `expr:"trailer"`
 }
 
-func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerRevision int, options *LayerOptions) error {
+func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layer *store.Layer, options *LayerOptions) error {
 	rules := options.Rules.Response
 	if len(rules) == 0 {
 		return nil
 	}
 
-	engine, err := l.getResponseRuleEngine(ctx, layerRevision, options)
+	engine, err := l.getResponseRuleEngine(ctx, layer, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -187,8 +191,11 @@ func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerR
 	return nil
 }
 
-func (l *Layer) getResponseRuleEngine(ctx context.Context, layerRevision int, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+func (l *Layer) getResponseRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
-	engine, err := l.responseRuleEngine.Get(ctx, layerRevision, options)
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.responseRuleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}

internal/proxy/director/layer/util/rule_engine_cache.go

@@ -0,0 +1,28 @@
+package util
+
+import (
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+)
+
+type RuleEngineCache[V any, O any] struct {
+	cache   cache.Cache[string, *RevisionedRuleEngine[V, O]]
+	factory RuleEngineFactoryFunc[V, O]
+}
+
+func (c *RuleEngineCache[V, O]) Get(key string) *RevisionedRuleEngine[V, O] {
+	revisionedRuleEngine, exists := c.cache.Get(key)
+	if !exists {
+		revisionedRuleEngine = NewRevisionedRuleEngine(c.factory)
+		c.cache.Set(key, revisionedRuleEngine)
+	}
+
+	return revisionedRuleEngine
+}
+
+func NewInMemoryRuleEngineCache[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RuleEngineCache[V, O] {
+	return &RuleEngineCache[V, O]{
+		factory: factory,
+		cache:   memory.NewCache[string, *RevisionedRuleEngine[V, O]](),
+	}
+}

internal/proxy/director/options.go

@@ -1,18 +1,21 @@
 package director
 
 import (
+	"net/http"
 	"time"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"gitlab.com/wpetit/goweb/logger"
 )
 
 type Options struct {
 	Layers      []Layer
 	ProxyCache  cache.Cache[string, []*store.Proxy]
 	LayerCache  cache.Cache[string, []*store.Layer]
+	HandleError HandleErrorFunc
 }
 
 type OptionFunc func(opts *Options)
@@ -30,6 +33,10 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			memory.NewCache[string, time.Time](),
 			30*time.Second,
 		),
+		HandleError: func(w http.ResponseWriter, r *http.Request, status int, err error) {
+			logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+			http.Error(w, http.StatusText(status), status)
+		},
 	}
 
 	for _, fn := range funcs {
@@ -56,3 +63,9 @@ func WithLayerCache(cache cache.Cache[string, []*store.Layer]) OptionFunc {
 		opts.LayerCache = cache
 	}
 }
+
+func WithHandleErrorFunc(fn HandleErrorFunc) OptionFunc {
+	return func(opts *Options) {
+		opts.HandleError = fn
+	}
+}

internal/proxy/server.go

@@ -1,9 +1,12 @@
 package proxy
 
 import (
+	"bytes"
 	"context"
+	"expvar"
 	"fmt"
 	"html/template"
+	"io"
 	"log"
 	"net"
 	"net/http"
@@ -23,7 +26,6 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 
 	"github.com/Masterminds/sprig/v3"
-	"github.com/getsentry/sentry-go"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@@ -110,13 +112,16 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				s.directorCacheTTL,
 			),
 		),
+		director.WithHandleErrorFunc(s.handleError),
 	)
 
 	if s.serverConfig.HTTP.UseRealIP {
 		router.Use(middleware.RealIP)
 	}
 
+	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
+	router.Use(middleware.Recoverer)
 
 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@@ -153,7 +158,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 
 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
-				logger.Info(ctx, "enabling authentication on metrics endpoint")
+				logger.Info(ctx, "enabling authentication on profiling endpoint")
 
 				r.Use(middleware.BasicAuth(
 					"profiling",
@@ -167,6 +172,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				r.HandleFunc("/profile", pprof.Profile)
 				r.HandleFunc("/symbol", pprof.Symbol)
 				r.HandleFunc("/trace", pprof.Trace)
+				r.Handle("/vars", expvar.Handler())
 				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
 					name := chi.URLParam(r, "name")
 					pprof.Handler(name).ServeHTTP(w, r)
@@ -215,27 +221,27 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 	httpTransport.DialContext = dialer.DialContext
 
 	reverseProxy.Transport = httpTransport
-	reverseProxy.ErrorHandler = s.handleError
+	reverseProxy.ErrorHandler = s.handleProxyError
 
 	return reverseProxy
 }
 
 func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
-	err := errors.Errorf("no proxy target found")
+	s.handleError(w, r, http.StatusBadGateway, errors.Errorf("no proxy target found"))
-
-	logger.Error(r.Context(), "proxy error", logger.E(err))
-	sentry.CaptureException(err)
-
-	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
 }
 
-func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
+func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
 
-	logger.Error(r.Context(), "proxy error", logger.E(err))
+	if !errors.Is(err, context.Canceled) {
-	sentry.CaptureException(err)
+		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+	}
 
-	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+	s.renderErrorPage(w, r, err, status, http.StatusText(status))
+}
+
+func (s *Server) handleProxyError(w http.ResponseWriter, r *http.Request, err error) {
+	s.handleError(w, r, http.StatusBadGateway, err)
 }
 
 func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
@@ -266,7 +272,7 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 
 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not load proxy templates", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
@@ -286,12 +292,18 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 		return
 	}
 
-	if err := blockTmpl.Execute(w, templateData); err != nil {
+	var buf bytes.Buffer
-		logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
+
+	if err := blockTmpl.Execute(&buf, templateData); err != nil {
+		logger.Error(ctx, "could not render proxy page", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write page", logger.CapturedE(errors.WithStack(err)))
+	}
 }
 
 func NewServer(funcs ...OptionFunc) *Server {

internal/session/options.go

@@ -10,6 +10,7 @@ import (
 type Options struct {
 	Session   sessions.Options
 	KeyPrefix string
+	TTL       time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			SameSite: http.SameSiteDefaultMode,
 		},
 		KeyPrefix: "session:",
+		TTL:       time.Hour,
 	}
 
 	for _, fn := range funcs {
@@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
 		opts.KeyPrefix = prefix
 	}
 }
+
+func WithTTL(ttl time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.TTL = ttl
+	}
+}

internal/session/store.go

@@ -31,6 +31,7 @@ type Store struct {
 	keyPrefix  string
 	keyGen     KeyGenFunc
 	serializer SessionSerializer
+	ttl        time.Duration
 }
 
 type KeyGenFunc func() (string, error)
@@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
 		keyPrefix:  opts.KeyPrefix,
 		keyGen:     generateRandomKey,
 		serializer: GobSerializer{},
+		ttl:        opts.TTL,
 	}
 
 	return rs
@@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
 	if err != nil {
 		return session, nil
 	}
+
 	session.ID = c.Value
 
 	err = s.load(r.Context(), session)
 	if err == nil {
 		session.IsNew = false
 	} else if !errors.Is(err, ErrNotFound) {
-		return nil, errors.WithStack(err)
+		return session, errors.WithStack(err)
 	}
 
 	return session, nil
 }
 
 func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
-	if session.Options.MaxAge <= 0 {
+	if session.Options.MaxAge < 0 {
 		if err := s.delete(r.Context(), session); err != nil {
 			return errors.WithStack(err)
 		}
@@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
 		return errors.WithStack(err)
 	}
 
-	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
+	ttl := time.Duration(session.Options.MaxAge) * time.Second
+	if s.ttl < ttl || ttl == 0 {
+		ttl = s.ttl
+	}
+
+	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
 		return errors.WithStack(err)
 	}
 

internal/setup/authn_oidc_layer.go

@@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
+		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }

internal/setup/redis.go

@@ -38,9 +38,15 @@ func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
 		ReadTimeout:           time.Duration(conf.ReadTimeout),
 		WriteTimeout:          time.Duration(conf.WriteTimeout),
 		DialTimeout:           time.Duration(conf.DialTimeout),
-		RouteByLatency:        true,
+		RouteByLatency:        bool(conf.RouteByLatency),
-		ContextTimeoutEnabled: true,
+		ContextTimeoutEnabled: bool(conf.ContextTimeoutEnabled),
 		MaxRetries:            int(conf.MaxRetries),
+		PoolSize:              int(conf.PoolSize),
+		PoolTimeout:           time.Duration(conf.PoolTimeout),
+		MinIdleConns:          int(conf.MinIdleConns),
+		MaxIdleConns:          int(conf.MaxIdleConns),
+		ConnMaxIdleTime:       time.Duration(conf.ConnMaxIdleTime),
+		ConnMaxLifetime:       time.Duration(conf.ConnMaxLifetime),
 	})
 
 	go func() {
@@ -56,7 +62,7 @@ func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
 
 		for range timer.C {
 			if _, err := client.Ping(ctx).Result(); err != nil {
-				logger.Error(ctx, "redis disconnected", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
 				connected = false
 				continue
 			}

internal/setup/sentry.go

@@ -34,6 +34,10 @@ func SetupSentry(ctx context.Context, conf config.SentryConfig, release string)
 		return nil, errors.WithStack(err)
 	}
 
+	logger.SetCaptureFunc(func(err error) {
+		sentry.CaptureException(err)
+	})
+
 	flush := func() {
 		sentry.Flush(time.Duration(*conf.FlushTimeout))
 	}

internal/store/redis/helper.go

@@ -81,7 +81,7 @@ func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn
 	for attempt := 0; attempt < maxAttempts; attempt++ {
 		if err = WithTx(ctx, client, key, fn); err != nil {
 			err = errors.WithStack(err)
-			logger.Debug(ctx, "redis transaction failed", logger.E(err))
+			logger.Debug(ctx, "redis transaction failed", logger.CapturedE(err))
 
 			if errors.Is(err, redis.TxFailedErr) {
 				logger.Debug(ctx, "retrying redis transaction", logger.F("attempts", attempt), logger.F("delay", delay))
@@ -97,7 +97,7 @@ func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn
 		return nil
 	}
 
-	logger.Error(ctx, "redis error", logger.E(errors.WithStack(err)))
+	logger.Error(ctx, "redis error", logger.CapturedE(errors.WithStack(err)))
 
 	return errors.WithStack(redis.TxFailedErr)
 }

layers/authn/templates/error.gohtml

@@ -55,6 +55,8 @@
         border-radius: 5px;
         box-shadow: 2px 2px #cccccc1c;
         color: #810000 !important;
+        max-width: 80%;
+        overflow-x: hidden;
       }
 
       .title {
@@ -81,7 +83,7 @@
       <div id="card">
         <h2 class="title">Une erreur est survenue !</h2>
         {{ if .Debug }}
-        <pre>{{ .Err }}</pre>
+        <pre style="overflow-x: auto">{{ .Err }}</pre>
         {{ end }}
         {{/* if a public base url is provided, show navigation link */}}
         {{ $oidc := ( index .Layer.Options "oidc" ) }}

misc/packaging/common/config.yml

@@ -218,6 +218,11 @@ layers:
   authn:
     # Répertoire contenant les templates
     templateDir: "/etc/bouncer/layers/authn/templates"
+    # Configuration des sessions
+    sessions:
+      # Temps de persistence sans actualisation des sessions dans le store
+      # (prévalent sur le MaxAge de la session)
+      ttl: "1h"
 
 # Configuration d'une série de proxy/layers
 # à créer par défaut par le serveur d'administration

templates/error.gohtml

@@ -76,14 +76,26 @@
         margin-top: 2em;
         text-align: right;
       }
+
+      .stacktrace {
+        max-height: 250px;
+        overflow-y: auto;
+        background-color: #dca0a0;
+        padding: 0 10px;
+        border-radius: 5px;
+        margin-top: 10px;
+      }
     </style>
   </head>
   <body>
     <div id="container">
       <div id="card">
-        <h2 class="title">{{ $title }}</h2>
+        <h2 class="title">⚠ {{ $title }}</h2>
         {{ if .Debug }}
-        <pre>{{ .Err }}</pre>
+        <h3>Stack Trace</h3>
+        <div class="stacktrace">
+          <pre>{{ printf "%+v" .Err }}</pre>
+        </div>
         {{ end }}
         <p class="footer">
           Propulsé par