chore: update go and alpine docker image version

feat: use sentry tags instead of context for better observability
feat: prevent call bursts on oidc provider refresh
2025-04-03 11:12:32 +02:00 · 2025-03-19 15:04:55 +01:00 · 2025-03-18 15:51:25 +01:00 · 2025-03-18 12:52:59 +01:00 · 2025-03-18 12:20:00 +01:00 · 2025-03-18 11:35:15 +01:00
40 changed files with 600 additions and 246 deletions
--- a/12
+++ b/12
@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.23 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.24.2 AS build

 RUN apt-get update \
    && apt-get install -y make
@ -33,7 +33,7 @@ RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bounc
    && yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml

-FROM reg.cadoles.com/proxy_cache/library/alpine:3.20 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.21 AS runtime

 RUN apk add --no-cache ca-certificates dumb-init

@ -41,10 +41,10 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"]

 RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer

-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
-COPY --from=BUILD /src/layers /usr/share/bouncer/layers
-COPY --from=BUILD /src/templates /usr/share/bouncer/templates
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
+COPY --from=build /src/layers /usr/share/bouncer/layers
+COPY --from=build /src/templates /usr/share/bouncer/templates
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml

 RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer

--- a/4
+++ b/4
@ -17,8 +17,8 @@ GOTEST_ARGS ?= -short
 OPENWRT_DEVICE ?= 192.168.1.1

 SIEGE_URLS_FILE ?= misc/siege/urls.txt
-SIEGE_CONCURRENCY ?= 50
-SIEGE_DURATION ?= 1M
+SIEGE_CONCURRENCY ?= 200
+SIEGE_DURATION ?= 5M

 data/bootstrap.d/dummy.yml:
 	mkdir -p data/bootstrap.d
--- a/doc/fr/references/layers/rewriter.md
+++ b/doc/fr/references/layers/rewriter.md
@ -60,7 +60,7 @@ Retourne `nil` si le cookie n'existe pas.
 }
 ```

-##### `set_cookie(ctx, cookie Cookie)`
+##### `add_cookie(ctx, cookie Cookie)`

 Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
 Voir la méthode `get_cookie()` pour voir les attributs potentiels.
--- a/internal/admin/server.go
+++ b/internal/admin/server.go
@ -2,6 +2,7 @@ package admin

 import (
 	"context"
+	"expvar"
 	"fmt"
 	"log"
 	"net"
@ -115,7 +116,9 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		router.Use(middleware.RealIP)
 	}

+	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
+	router.Use(middleware.Recoverer)

 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@ -176,6 +179,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				r.HandleFunc("/profile", pprof.Profile)
 				r.HandleFunc("/symbol", pprof.Symbol)
 				r.HandleFunc("/trace", pprof.Trace)
+				r.Handle("/vars", expvar.Handler())
 				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
 					name := chi.URLParam(r, "name")
 					pprof.Handler(name).ServeHTTP(w, r)
--- a/internal/cache/cache.go
+++ b/internal/cache/cache.go
@ -3,4 +3,5 @@ package cache
 type Cache[K comparable, V any] interface {
 	Get(key K) (V, bool)
 	Set(key K, value V)
+	Clear()
 }
--- a/internal/cache/memory/cache.go
+++ b/internal/cache/memory/cache.go
@ -25,6 +25,10 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.store.Store(key, value)
 }

+func (c *Cache[K, V]) Clear() {
+	c.store.Clear()
+}
+
 func NewCache[K comparable, V any]() *Cache[K, V] {
 	return &Cache[K, V]{
 		store: new(sync.Map),
--- a/internal/cache/ttl/cache.go
+++ b/internal/cache/ttl/cache.go
@ -28,6 +28,11 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.values.Set(key, value)
 }

+func (c *Cache[K, V]) Clear() {
+	c.timestamps.Clear()
+	c.values.Clear()
+}
+
 func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
 	return &Cache[K, V]{
 		values:     values,
--- a/internal/chi/log_formatter.go
+++ b/internal/chi/log_formatter.go
@ -2,7 +2,6 @@ package chi

 import (
 	"context"
-	"fmt"
 	"net/http"
 	"time"

@ -37,12 +36,19 @@ type LogEntry struct {

 // Panic implements middleware.LogEntry
 func (e *LogEntry) Panic(v interface{}, stack []byte) {
-	logger.Error(e.ctx, fmt.Sprintf("%s %s", e.method, e.path), logger.F("stack", string(stack)))
+	logger.Error(
+		e.ctx, "http panic",
+		logger.F("stack", string(stack)),
+		logger.F("host", e.host),
+		logger.F("method", e.method),
+		logger.F("path", e.path),
+	)
 }

 // Write implements middleware.LogEntry
 func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
-	logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
+	logger.Info(
+		e.ctx, "http request",
 		logger.F("host", e.host),
 		logger.F("status", status),
 		logger.F("bytes", bytes),
--- a/internal/command/server/admin/run.go
+++ b/internal/command/server/admin/run.go
@ -12,14 +12,8 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )

-const (
-	flagPrintDefaultToken = "print-default-token"
-)
-
 func RunCommand() *cli.Command {
-	flags := append(
-		common.Flags(),
-	)
+	flags := common.Flags()

 	return &cli.Command{
 		Name:  "run",
@ -34,6 +28,8 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))

+			logger.Debug(ctx.Context, "using config", logger.F("config", conf))
+
 			projectVersion := ctx.String("projectVersion")

 			if conf.Proxy.Sentry.DSN != "" {
--- a/internal/command/server/proxy/run.go
+++ b/internal/command/server/proxy/run.go
@ -29,6 +29,8 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))

+			logger.Debug(ctx.Context, "using config", logger.F("config", conf))
+
 			projectVersion := ctx.String("projectVersion")

 			if conf.Proxy.Sentry.DSN != "" {
@ -49,7 +51,7 @@ func RunCommand() *cli.Command {
 				proxy.WithServerConfig(conf.Proxy),
 				proxy.WithRedisConfig(conf.Redis),
 				proxy.WithDirectorLayers(layers...),
-				proxy.WithDirectorCacheTTL(time.Duration(conf.Proxy.Cache.TTL)),
+				proxy.WithDirectorCacheTTL(time.Duration(*conf.Proxy.Cache.TTL)),
 			)

 			addrs, srvErrs := srv.Start(ctx.Context)
--- a/internal/config/environment.go
+++ b/internal/config/environment.go
@ -19,7 +19,7 @@ func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
 		return errors.WithStack(err)
 	}

-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -38,7 +38,7 @@ func (ii *InterpolatedInt) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -62,7 +62,7 @@ func (ifl *InterpolatedFloat) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -86,7 +86,7 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -101,9 +101,10 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }

+var getEnv = os.Getenv
+
 type InterpolatedMap struct {
-	Data   map[string]any
-	getEnv func(string) string
+	Data map[string]any
 }

 func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
@ -113,10 +114,6 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}

-	if im.getEnv == nil {
-		im.getEnv = os.Getenv
-	}
-
 	interpolated, err := im.interpolateRecursive(data)
 	if err != nil {
 		return errors.WithStack(err)
@ -140,7 +137,7 @@ func (im InterpolatedMap) interpolateRecursive(data any) (any, error) {
 		}

 	case string:
-		value, err := envsubst.Eval(typ, im.getEnv)
+		value, err := envsubst.Eval(typ, getEnv)
 		if err != nil {
 			return nil, errors.WithStack(err)
 		}
@ -171,7 +168,7 @@ func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
 	}

 	for index, value := range data {
-		value, err := envsubst.EvalEnv(value)
+		value, err := envsubst.Eval(value, getEnv)
 		if err != nil {
 			return errors.WithStack(err)
 		}
@ -193,7 +190,7 @@ func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}

-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
--- a/internal/config/environment_test.go
+++ b/internal/config/environment_test.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"testing"
+	"time"

 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v3"
@ -65,7 +66,7 @@ func TestInterpolatedMap(t *testing.T) {
 			var interpolatedMap InterpolatedMap

 			if tc.Env != nil {
-				interpolatedMap.getEnv = func(key string) string {
+				getEnv = func(key string) string {
 					return tc.Env[key]
 				}
 			}
@ -80,3 +81,54 @@ func TestInterpolatedMap(t *testing.T) {
 		})
 	}
 }
+
+func TestInterpolatedDuration(t *testing.T) {
+	type testCase struct {
+		Path   string
+		Env    map[string]string
+		Assert func(t *testing.T, parsed *InterpolatedDuration)
+	}
+
+	testCases := []testCase{
+		{
+			Path: "testdata/environment/interpolated-duration.yml",
+			Env: map[string]string{
+				"MY_DURATION": "30s",
+			},
+			Assert: func(t *testing.T, parsed *InterpolatedDuration) {
+				if e, g := 30*time.Second, parsed; e != time.Duration(*g) {
+					t.Errorf("parsed: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			data, err := os.ReadFile(tc.Path)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Env != nil {
+				getEnv = func(key string) string {
+					return tc.Env[key]
+				}
+			}
+
+			config := struct {
+				Duration *InterpolatedDuration `yaml:"duration"`
+			}{
+				Duration: NewInterpolatedDuration(-1),
+			}
+
+			if err := yaml.Unmarshal(data, &config); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Assert != nil {
+				tc.Assert(t, config.Duration)
+			}
+		})
+	}
+}
--- a/internal/config/layers.go
+++ b/internal/config/layers.go
@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
+			},
+			Sessions: AuthnLayerSessionConfig{
+				TTL: NewInterpolatedDuration(time.Hour),
 			},
 		},
 	}
@ -31,13 +35,19 @@ type QueueLayerConfig struct {
 }

 type AuthnLayerConfig struct {
-	Debug       InterpolatedBool     `yaml:"debug"`
-	TemplateDir InterpolatedString   `yaml:"templateDir"`
-	OIDC        AuthnOIDCLayerConfig `yaml:"oidc"`
+	Debug       InterpolatedBool        `yaml:"debug"`
+	TemplateDir InterpolatedString      `yaml:"templateDir"`
+	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
+	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
+}
+
+type AuthnLayerSessionConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }

 type AuthnOIDCLayerConfig struct {
-	HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }

 type AuthnOIDCHTTPClientConfig struct {
--- a/internal/config/proxy_server.go
+++ b/internal/config/proxy_server.go
@ -113,12 +113,12 @@ func NewDefaultDialConfig() DialConfig {
 }

 type CacheConfig struct {
-	TTL InterpolatedDuration `yaml:"ttl"`
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }

 func NewDefaultCacheConfig() CacheConfig {
 	return CacheConfig{
-		TTL: *NewInterpolatedDuration(time.Second * 30),
+		TTL: NewInterpolatedDuration(time.Second * 30),
 	}
 }

--- a/internal/config/redis.go
+++ b/internal/config/redis.go
@ -9,25 +9,35 @@ const (
 )

 type RedisConfig struct {
-	Adresses       InterpolatedStringSlice `yaml:"addresses"`
-	Master         InterpolatedString      `yaml:"master"`
-	ReadTimeout    InterpolatedDuration    `yaml:"readTimeout"`
-	WriteTimeout   InterpolatedDuration    `yaml:"writeTimeout"`
-	DialTimeout    InterpolatedDuration    `yaml:"dialTimeout"`
-	LockMaxRetries InterpolatedInt         `yaml:"lockMaxRetries"`
-	MaxRetries     InterpolatedInt         `yaml:"maxRetries"`
-	PingInterval   InterpolatedDuration    `yaml:"pingInterval"`
+	Adresses              InterpolatedStringSlice `yaml:"addresses"`
+	Master                InterpolatedString      `yaml:"master"`
+	ReadTimeout           InterpolatedDuration    `yaml:"readTimeout"`
+	WriteTimeout          InterpolatedDuration    `yaml:"writeTimeout"`
+	DialTimeout           InterpolatedDuration    `yaml:"dialTimeout"`
+	LockMaxRetries        InterpolatedInt         `yaml:"lockMaxRetries"`
+	RouteByLatency        InterpolatedBool        `yaml:"routeByLatency"`
+	ContextTimeoutEnabled InterpolatedBool        `yaml:"contextTimeoutEnabled"`
+	MaxRetries            InterpolatedInt         `yaml:"maxRetries"`
+	PingInterval          InterpolatedDuration    `yaml:"pingInterval"`
+	PoolSize              InterpolatedInt         `yaml:"poolSize"`
+	PoolTimeout           InterpolatedDuration    `yaml:"poolTimeout"`
+	MinIdleConns          InterpolatedInt         `yaml:"minIdleConns"`
+	MaxIdleConns          InterpolatedInt         `yaml:"maxIdleConns"`
+	ConnMaxIdleTime       InterpolatedDuration    `yaml:"connMaxIdleTime"`
+	ConnMaxLifetime       InterpolatedDuration    `yaml:"connMaxLifeTime"`
 }

 func NewDefaultRedisConfig() RedisConfig {
 	return RedisConfig{
-		Adresses:       InterpolatedStringSlice{"localhost:6379"},
-		Master:         "",
-		ReadTimeout:    InterpolatedDuration(30 * time.Second),
-		WriteTimeout:   InterpolatedDuration(30 * time.Second),
-		DialTimeout:    InterpolatedDuration(30 * time.Second),
-		LockMaxRetries: 10,
-		MaxRetries:     3,
-		PingInterval:   InterpolatedDuration(30 * time.Second),
+		Adresses:              InterpolatedStringSlice{"localhost:6379"},
+		Master:                "",
+		ReadTimeout:           InterpolatedDuration(30 * time.Second),
+		WriteTimeout:          InterpolatedDuration(30 * time.Second),
+		DialTimeout:           InterpolatedDuration(30 * time.Second),
+		LockMaxRetries:        10,
+		MaxRetries:            3,
+		PingInterval:          InterpolatedDuration(30 * time.Second),
+		ContextTimeoutEnabled: true,
+		RouteByLatency:        true,
 	}
 }
--- a/internal/config/sentry.go
+++ b/internal/config/sentry.go
@ -28,11 +28,11 @@ func NewDefaultSentryConfig() SentryConfig {
 		Debug:              false,
 		FlushTimeout:       NewInterpolatedDuration(2 * time.Second),
 		AttachStacktrace:   true,
-		SampleRate:         0.2,
-		EnableTracing:      true,
-		TracesSampleRate:   0.2,
-		ProfilesSampleRate: 0.2,
-		IgnoreErrors:       []string{},
+		SampleRate:         1,
+		EnableTracing:      false,
+		TracesSampleRate:   0.1,
+		ProfilesSampleRate: 0.1,
+		IgnoreErrors:       []string{"context canceled", "net/http: abort"},
 		SendDefaultPII:     false,
 		ServerName:         "",
 		Environment:        "",
--- a/internal/config/testdata/environment/interpolated-duration.yml
+++ b/internal/config/testdata/environment/interpolated-duration.yml
@ -0,0 +1 @@
+duration: ${MY_DURATION}
--- a/internal/proxy/director/context.go
+++ b/internal/proxy/director/context.go
@ -6,6 +6,7 @@ import (
 	"net/url"

 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
@ -17,6 +18,7 @@ const (
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
 	contextKeyHandleError contextKey = "handleError"
+	contextKeySentryScope contextKey = "sentryScope"
 )

 var (
@ -82,3 +84,16 @@ func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, st

 	fn(w, r, status, err)
 }
+
+func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
+	return context.WithValue(ctx, contextKeySentryScope, scope)
+}
+
+func SentryScope(ctx context.Context) (*sentry.Scope, error) {
+	scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return scope, nil
+}
--- a/internal/proxy/director/director.go
+++ b/internal/proxy/director/director.go
@ -7,9 +7,9 @@ import (

 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
-	"forge.cadoles.com/cadoles/bouncer/internal/cache"
-	bouncersentry "forge.cadoles.com/cadoles/bouncer/internal/sentry"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"gitlab.com/wpetit/goweb/logger"
@ -20,16 +20,18 @@ type Director struct {
 	layerRepository store.LayerRepository
 	layerRegistry   *LayerRegistry

-	proxyCache cache.Cache[string, []*store.Proxy]
-	layerCache cache.Cache[string, []*store.Layer]
+	cachedProxies *syncx.CachedResource[string, []*store.Proxy]
+	cachedLayers  *syncx.CachedResource[string, []*store.Layer]

 	handleError HandleErrorFunc
 }

+const proxiesCacheKey = "proxies"
+
 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	ctx := r.Context()

-	proxies, err := d.getProxies(ctx)
+	proxies, _, err := d.cachedProxies.Get(ctx, proxiesCacheKey)
 	if err != nil {
 		return r, errors.WithStack(err)
 	}
@ -42,21 +44,11 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {

 	for _, p := range proxies {
 		for _, from := range p.From {
-			logger.Debug(
-				ctx, "matching request with proxy's from",
-				logger.F("from", from),
-			)
-
 			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}

-			logger.Debug(
-				ctx, "proxy's from matched",
-				logger.F("from", from),
-			)
-
-			ctx = logger.With(ctx,
+			proxyCtx := logger.With(ctx,
 				logger.F("proxy", p.Name),
 				logger.F("host", r.Host),
 				logger.F("remoteAddr", r.RemoteAddr),
@ -64,7 +56,7 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {

 			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)

-			proxyLayers, err := d.getLayers(ctx, p.Name)
+			proxyLayers, _, err := d.cachedLayers.Get(proxyCtx, string(p.Name))
 			if err != nil {
 				return r, errors.WithStack(err)
 			}
@ -84,8 +76,16 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			r.URL.Scheme = toURL.Scheme
 			r.URL.Path = toURL.JoinPath(r.URL.Path).Path

-			ctx = withLayers(ctx, layers)
-			r = r.WithContext(ctx)
+			proxyCtx = withLayers(proxyCtx, layers)
+			r = r.WithContext(proxyCtx)
+
+			if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
+				sentryScope.SetTags(map[string]string{
+					"bouncer.proxy.name":        string(p.Name),
+					"bouncer.proxy.target.url":  r.URL.String(),
+					"bouncer.proxy.target.host": r.URL.Host,
+				})
+			}

 			return r, nil
 		}
@ -97,13 +97,8 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	return r, nil
 }

-const proxiesCacheKey = "proxies"
-
-func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
-	proxies, exists := d.proxyCache.Get(proxiesCacheKey)
-	if exists {
-		return proxies, nil
-	}
+func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy, error) {
+	logger.Debug(ctx, "querying fresh proxies")

 	headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
 	if err != nil {
@ -112,7 +107,7 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {

 	sort.Sort(store.ByProxyWeight(headers))

-	proxies = make([]*store.Proxy, 0, len(headers))
+	proxies := make([]*store.Proxy, 0, len(headers))

 	for _, h := range headers {
 		if !h.Enabled {
@ -127,18 +122,13 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 		proxies = append(proxies, proxy)
 	}

-	d.proxyCache.Set(proxiesCacheKey, proxies)
-
 	return proxies, nil
 }

-func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]*store.Layer, error) {
-	cacheKey := "layers-" + string(proxyName)
+func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store.Layer, error) {
+	proxyName := store.ProxyName(rawProxyName)

-	layers, exists := d.layerCache.Get(cacheKey)
-	if exists {
-		return layers, nil
-	}
+	logger.Debug(ctx, "querying fresh layers")

 	headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
 	if err != nil {
@ -147,7 +137,7 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]

 	sort.Sort(store.ByLayerWeight(headers))

-	layers = make([]*store.Layer, 0, len(headers))
+	layers := make([]*store.Layer, 0, len(headers))

 	for _, h := range headers {
 		if !h.Enabled {
@ -162,8 +152,6 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 		layers = append(layers, layer)
 	}

-	d.layerCache.Set(cacheKey, layers)
-
 	return layers, nil
 }

@ -227,41 +215,43 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			ctx := withHandleError(r.Context(), d.handleError)
-			r = r.WithContext(ctx)
+			sentry.ConfigureScope(func(scope *sentry.Scope) {
+				ctx := withHandleError(r.Context(), d.handleError)
+				ctx = withSentryScope(ctx, scope)
+				r = r.WithContext(ctx)

-			r, err := d.rewriteRequest(r)
-			if err != nil {
-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
-				return
-			}
-
-			ctx = r.Context()
-
-			layers, err := ctxLayers(ctx)
-			if err != nil {
-				if errors.Is(err, errContextKeyNotFound) {
+				r, err := d.rewriteRequest(r)
+				if err != nil {
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
 					return
 				}

-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
-				return
-			}
+				ctx = r.Context()

-			httpMiddlewares := make([]proxy.Middleware, 0)
-			for _, layer := range layers {
-				middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
-				if !ok {
-					continue
+				layers, err := ctxLayers(ctx)
+				if err != nil {
+					if errors.Is(err, errContextKeyNotFound) {
+						return
+					}
+
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+					return
 				}

-				httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
-			}
+				httpMiddlewares := make([]proxy.Middleware, 0)
+				for _, layer := range layers {
+					middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if !ok {
+						continue
+					}

-			handler := createMiddlewareChain(next, httpMiddlewares)
-			handler = bouncersentry.SpanHandler(handler, "director.proxy")
+					httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				}

-			handler.ServeHTTP(w, r)
+				handler := createMiddlewareChain(next, httpMiddlewares)
+
+				handler.ServeHTTP(w, r)
+			})
 		}

 		return http.HandlerFunc(fn)
@ -273,12 +263,15 @@ func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepos

 	registry := NewLayerRegistry(opts.Layers...)

-	return &Director{
+	director := &Director{
 		proxyRepository: proxyRepository,
 		layerRepository: layerRepository,
 		layerRegistry:   registry,
-		proxyCache:      opts.ProxyCache,
-		layerCache:      opts.LayerCache,
 		handleError:     opts.HandleError,
 	}
+
+	director.cachedProxies = syncx.NewCachedResource(opts.ProxyCache, director.getProxies)
+	director.cachedLayers = syncx.NewCachedResource(opts.LayerCache, director.getLayers)
+
+	return director
 }
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -10,6 +10,9 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/Masterminds/sprig/v3"
 	"github.com/pkg/errors"
@ -21,6 +24,8 @@ type Layer struct {
 	auth      Authenticator
 	debug     bool

+	ruleEngineCache *util.RuleEngineCache[*Vars, *LayerOptions]
+
 	templateDir string
 }

@ -74,7 +79,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}

-			if err := l.applyRules(ctx, r, options, user); err != nil {
+			if err := l.applyRules(ctx, r, layer, options, user); err != nil {
 				if errors.Is(err, ErrForbidden) {
 					l.renderForbiddenPage(w, r, layer, options, user)
 					return
@ -189,6 +194,18 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
 	opts := NewOptions(funcs...)

 	return &Layer{
+		ruleEngineCache: util.NewInMemoryRuleEngineCache[*Vars, *LayerOptions](func(options *LayerOptions) (*rule.Engine[*Vars], error) {
+			engine, err := rule.NewEngine[*Vars](
+				rule.WithRules(options.Rules...),
+				rule.WithExpr(getAuthnAPI()...),
+				ruleHTTP.WithRequestFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
 		layerType:   layerType,
 		auth:        auth,
 		templateDir: opts.TemplateDir,
--- a/internal/proxy/director/layer/authn/layer_options.go
+++ b/internal/proxy/director/layer/authn/layer_options.go
@ -28,12 +28,13 @@ func DefaultLayerOptions() LayerOptions {
 	return LayerOptions{
 		MatchURLs: []string{"*"},
 		Rules: []string{
-			"del_headers('Remote-*')",
-			"set_header('Remote-User', user.subject)",
+			"del_headers(ctx, 'Remote-*')",
+			"set_header(ctx,'Remote-User', vars.user.subject)",
 			`map(
-				toPairs(user.attrs), {
+				toPairs(vars.user.attrs), {
 					let name = replace(lower(string(get(#, 0))), '_', '-');
 					set_header(
+						ctx,
 						'Remote-User-Attr-' + name, 
 						get(#, 1)
 					) 
--- a/internal/proxy/director/layer/authn/oidc/authenticator.go
+++ b/internal/proxy/director/layer/authn/oidc/authenticator.go
@ -13,9 +13,12 @@ import (
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 	"github.com/pkg/errors"
@ -24,9 +27,10 @@ import (
 )

 type Authenticator struct {
-	store             sessions.Store
-	httpTransport     *http.Transport
-	httpClientTimeout time.Duration
+	store              sessions.Store
+	httpTransport      *http.Transport
+	httpClientTimeout  time.Duration
+	cachedOIDCProvider *syncx.CachedResource[string, *oidc.Provider]
 }

 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -52,7 +56,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		return errors.WithStack(err)
 	}

-	client, err := a.getClient(options, loginCallbackURL.String())
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -158,7 +162,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		return nil, errors.WithStack(err)
 	}

-	client, err := a.getClient(options, loginCallbackURL.String())
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -360,9 +364,7 @@ func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName
 	return raw.String(), nil
 }

-func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) {
-	ctx := context.Background()
-
+func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, redirectURL string) (*Client, error) {
 	transport := a.httpTransport.Clone()

 	if options.OIDC.TLSInsecureSkipVerify {
@ -373,6 +375,10 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}

+	if options.OIDC.SkipIssuerVerification {
+		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
+	}
+
 	httpClient := &http.Client{
 		Timeout:   a.httpClientTimeout,
 		Transport: transport,
@ -384,9 +390,9 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
 	}

-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+	provider, _, err := a.cachedOIDCProvider.Get(ctx, options.OIDC.IssuerURL)
 	if err != nil {
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		return nil, errors.Wrap(err, "could not retrieve oidc provider")
 	}

 	client := NewClient(
@ -401,6 +407,17 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 	return client, nil
 }

+func (a *Authenticator) getOIDCProvider(ctx context.Context, issuerURL string) (*oidc.Provider, error) {
+	logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", issuerURL))
+
+	provider, err := oidc.NewProvider(ctx, issuerURL)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not create oidc provider")
+	}
+
+	return provider, nil
+}
+
 const defaultCookieNamePrefix = "_bouncer_authn_oidc"

 func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyName, layerName store.LayerName) string {
@ -411,6 +428,25 @@ func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyNa
 	return strings.ToLower(fmt.Sprintf("%s_%s_%s", defaultCookieNamePrefix, proxyName, layerName))
 }

+func NewAuthenticator(httpTransport *http.Transport, clientTimeout time.Duration, store sessions.Store, oidcProviderCacheTimeout time.Duration) *Authenticator {
+	authenticator := &Authenticator{
+		httpTransport:     httpTransport,
+		httpClientTimeout: clientTimeout,
+		store:             store,
+	}
+
+	authenticator.cachedOIDCProvider = syncx.NewCachedResource(
+		ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			oidcProviderCacheTimeout,
+		),
+		authenticator.getOIDCProvider,
+	)
+
+	return authenticator
+}
+
 var (
 	_ authn.PreAuthentication = &Authenticator{}
 	_ authn.Authenticator     = &Authenticator{}
--- a/internal/proxy/director/layer/authn/oidc/client.go
+++ b/internal/proxy/director/layer/authn/oidc/client.go
@ -48,7 +48,7 @@ func (c *Client) Provider() *oidc.Provider {
 func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sessions.Session, postLoginRedirectURL string) (*oidc.IDToken, error) {
 	idToken, err := c.getIDToken(r, sess)
 	if err != nil {
-		logger.Warn(r.Context(), "could not retrieve idtoken", logger.CapturedE(errors.WithStack(err)))
+		logger.Warn(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))

 		c.login(w, r, sess, postLoginRedirectURL)

@ -69,7 +69,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL

 	if err := sess.Save(r, w); err != nil {
-		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not save session"))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))

 		return
 	}
--- a/internal/proxy/director/layer/authn/oidc/layer.go
+++ b/internal/proxy/director/layer/authn/oidc/layer.go
@ -10,9 +10,11 @@ const LayerType store.LayerType = "authn-oidc"

 func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 	opts := NewOptions(funcs...)
-	return authn.NewLayer(LayerType, &Authenticator{
-		httpTransport:     opts.HTTPTransport,
-		httpClientTimeout: opts.HTTPClientTimeout,
-		store:             store,
-	}, opts.AuthnOptions...)
+	authenticator := NewAuthenticator(
+		opts.HTTPTransport,
+		opts.HTTPClientTimeout,
+		store,
+		opts.OIDCProviderCacheTimeout,
+	)
+	return authn.NewLayer(LayerType, authenticator, opts.AuthnOptions...)
 }
--- a/internal/proxy/director/layer/authn/oidc/options.go
+++ b/internal/proxy/director/layer/authn/oidc/options.go
@ -8,9 +8,10 @@ import (
 )

 type Options struct {
-	HTTPTransport     *http.Transport
-	HTTPClientTimeout time.Duration
-	AuthnOptions      []authn.OptionFunc
+	HTTPTransport            *http.Transport
+	HTTPClientTimeout        time.Duration
+	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
 }

 type OptionFunc func(opts *Options)
@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }

+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
-		HTTPTransport:     http.DefaultTransport.(*http.Transport),
-		HTTPClientTimeout: 30 * time.Second,
-		AuthnOptions:      make([]authn.OptionFunc, 0),
+		HTTPTransport:            http.DefaultTransport.(*http.Transport),
+		HTTPClientTimeout:        30 * time.Second,
+		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
 	}

 	for _, fn := range funcs {
--- a/internal/proxy/director/layer/authn/rules.go
+++ b/internal/proxy/director/layer/authn/rules.go
@ -4,8 +4,8 @@ import (
 	"context"
 	"net/http"

-	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
@ -14,17 +14,11 @@ type Vars struct {
 	User *User `expr:"user"`
 }

-func (l *Layer) applyRules(ctx context.Context, r *http.Request, options *LayerOptions, user *User) error {
-	rules := options.Rules
-	if len(rules) == 0 {
-		return nil
-	}
+func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.ruleEngineCache.Get(key)

-	engine, err := rule.NewEngine[*Vars](
-		rule.WithRules(options.Rules...),
-		rule.WithExpr(getAuthnAPI()...),
-		ruleHTTP.WithRequestFuncs(),
-	)
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
--- a/internal/proxy/director/layer/queue/queue.go
+++ b/internal/proxy/director/layer/queue/queue.go
@ -54,7 +54,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not parse layer options"))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}

@ -89,7 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not retrieve session rank"))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not update queue session rank"))
 				return
 			}

@ -142,7 +142,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam

 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not retrieve queue status"))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve queue status"))
 		return
 	}

@ -191,7 +191,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	var buf bytes.Buffer

 	if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
-		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not render queue page"))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render queue page"))
 		return
 	}

--- a/internal/proxy/director/layer/rewriter/layer.go
+++ b/internal/proxy/director/layer/rewriter/layer.go
@ -16,8 +16,8 @@ import (
 const LayerType store.LayerType = "rewriter"

 type Layer struct {
-	requestRuleEngine  *util.RevisionedRuleEngine[*RequestVars, *LayerOptions]
-	responseRuleEngine *util.RevisionedRuleEngine[*ResponseVars, *LayerOptions]
+	requestRuleEngineCache  *util.RuleEngineCache[*RequestVars, *LayerOptions]
+	responseRuleEngineCache *util.RuleEngineCache[*ResponseVars, *LayerOptions]
 }

 func (l *Layer) LayerType() store.LayerType {
@ -31,7 +31,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not parse layer options"))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}

@ -42,7 +42,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}

-			if err := l.applyRequestRules(ctx, r, layer.Revision, options); err != nil {
+			if err := l.applyRequestRules(ctx, r, layer, options); err != nil {
 				var redirect *errRedirect
 				if errors.As(err, &redirect) {
 					http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
@ -76,7 +76,7 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme

 		ctx := r.Request.Context()

-		if err := l.applyResponseRules(ctx, r, layer.Revision, options); err != nil {
+		if err := l.applyResponseRules(ctx, r, layer, options); err != nil {
 			return errors.WithStack(err)
 		}

@ -86,7 +86,7 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme

 func New(funcs ...OptionFunc) *Layer {
 	return &Layer{
-		requestRuleEngine: util.NewRevisionedRuleEngine(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+		requestRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
 			engine, err := rule.NewEngine[*RequestVars](
 				rule.WithRules(options.Rules.Request...),
 				ruleHTTP.WithRequestFuncs(),
@ -98,7 +98,7 @@ func New(funcs ...OptionFunc) *Layer {

 			return engine, nil
 		}),
-		responseRuleEngine: util.NewRevisionedRuleEngine(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+		responseRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
 			engine, err := rule.NewEngine[*ResponseVars](
 				rule.WithRules(options.Rules.Response...),
 				ruleHTTP.WithResponseFuncs(),
--- a/internal/proxy/director/layer/rewriter/rules.go
+++ b/internal/proxy/director/layer/rewriter/rules.go
@ -8,6 +8,7 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 )

@ -87,13 +88,13 @@ func fromRequest(r *http.Request) RequestVar {
 	}
 }

-func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRevision int, options *LayerOptions) error {
+func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions) error {
 	rules := options.Rules.Request
 	if len(rules) == 0 {
 		return nil
 	}

-	engine, err := l.getRequestRuleEngine(ctx, layerRevision, options)
+	engine, err := l.getRequestRuleEngine(ctx, layer, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -117,8 +118,11 @@ func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRev
 	return nil
 }

-func (l *Layer) getRequestRuleEngine(ctx context.Context, layerRevision int, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
-	engine, err := l.requestRuleEngine.Get(ctx, layerRevision, options)
+func (l *Layer) getRequestRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.requestRuleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -145,13 +149,13 @@ type ResponseVar struct {
 	Trailer          map[string][]string `expr:"trailer"`
 }

-func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerRevision int, options *LayerOptions) error {
+func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layer *store.Layer, options *LayerOptions) error {
 	rules := options.Rules.Response
 	if len(rules) == 0 {
 		return nil
 	}

-	engine, err := l.getResponseRuleEngine(ctx, layerRevision, options)
+	engine, err := l.getResponseRuleEngine(ctx, layer, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -187,8 +191,11 @@ func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerR
 	return nil
 }

-func (l *Layer) getResponseRuleEngine(ctx context.Context, layerRevision int, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
-	engine, err := l.responseRuleEngine.Get(ctx, layerRevision, options)
+func (l *Layer) getResponseRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.responseRuleEngineCache.Get(key)
+
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
--- a/internal/proxy/director/layer/util/rule_engine_cache.go
+++ b/internal/proxy/director/layer/util/rule_engine_cache.go
@ -0,0 +1,28 @@
+package util
+
+import (
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+)
+
+type RuleEngineCache[V any, O any] struct {
+	cache   cache.Cache[string, *RevisionedRuleEngine[V, O]]
+	factory RuleEngineFactoryFunc[V, O]
+}
+
+func (c *RuleEngineCache[V, O]) Get(key string) *RevisionedRuleEngine[V, O] {
+	revisionedRuleEngine, exists := c.cache.Get(key)
+	if !exists {
+		revisionedRuleEngine = NewRevisionedRuleEngine(c.factory)
+		c.cache.Set(key, revisionedRuleEngine)
+	}
+
+	return revisionedRuleEngine
+}
+
+func NewInMemoryRuleEngineCache[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RuleEngineCache[V, O] {
+	return &RuleEngineCache[V, O]{
+		factory: factory,
+		cache:   memory.NewCache[string, *RevisionedRuleEngine[V, O]](),
+	}
+}
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -3,6 +3,7 @@ package proxy
 import (
 	"bytes"
 	"context"
+	"expvar"
 	"fmt"
 	"html/template"
 	"io"
@ -12,8 +13,11 @@ import (
 	"net/http/httputil"
 	"net/http/pprof"
 	"net/url"
+	"os"
+	"os/signal"
 	"path/filepath"
 	"strconv"
+	"syscall"
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy"
@ -31,8 +35,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"gitlab.com/wpetit/goweb/logger"
-
-	bouncersentry "forge.cadoles.com/cadoles/bouncer/internal/sentry"
 )

 type Server struct {
@ -95,24 +97,15 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e

 	logger.Info(ctx, "http server listening")

+	layerCache, proxyCache, cancel := s.createDirectorCaches(ctx)
+	defer cancel()
+
 	director := director.New(
 		s.proxyRepository,
 		s.layerRepository,
 		director.WithLayers(s.directorLayers...),
-		director.WithLayerCache(
-			ttl.NewCache(
-				memory.NewCache[string, []*store.Layer](),
-				memory.NewCache[string, time.Time](),
-				s.directorCacheTTL,
-			),
-		),
-		director.WithProxyCache(
-			ttl.NewCache(
-				memory.NewCache[string, []*store.Proxy](),
-				memory.NewCache[string, time.Time](),
-				s.directorCacheTTL,
-			),
-		),
+		director.WithLayerCache(layerCache),
+		director.WithProxyCache(proxyCache),
 		director.WithHandleErrorFunc(s.handleError),
 	)

@ -120,7 +113,9 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		router.Use(middleware.RealIP)
 	}

+	router.Use(middleware.RequestID)
 	router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
+	router.Use(middleware.Recoverer)

 	if s.serverConfig.Sentry.DSN != "" {
 		logger.Info(ctx, "enabling sentry http middleware")
@ -171,6 +166,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				r.HandleFunc("/profile", pprof.Profile)
 				r.HandleFunc("/symbol", pprof.Symbol)
 				r.HandleFunc("/trace", pprof.Trace)
+				r.Handle("/vars", expvar.Handler())
 				r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
 					name := chi.URLParam(r, "name")
 					pprof.Handler(name).ServeHTTP(w, r)
@ -193,7 +189,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 			proxy.WithDefaultHandler(http.HandlerFunc(s.handleDefault)),
 		)

-		r.Handle("/*", bouncersentry.SpanHandler(handler, "http.proxy"))
+		r.Handle("/*", handler)
 	})

 	if err := http.Serve(listener, router); err != nil && !errors.Is(err, net.ErrClosed) {
@ -203,6 +199,44 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	logger.Info(ctx, "http server exiting")
 }

+func (s *Server) createDirectorCaches(ctx context.Context) (*ttl.Cache[string, []*store.Layer], *ttl.Cache[string, []*store.Proxy], func()) {
+	layerCache := ttl.NewCache(
+		memory.NewCache[string, []*store.Layer](),
+		memory.NewCache[string, time.Time](),
+		s.directorCacheTTL,
+	)
+
+	proxyCache := ttl.NewCache(
+		memory.NewCache[string, []*store.Proxy](),
+		memory.NewCache[string, time.Time](),
+		s.directorCacheTTL,
+	)
+
+	sig := make(chan os.Signal, 1)
+
+	signal.Notify(sig, syscall.SIGUSR2)
+
+	go func() {
+		for {
+			_, ok := <-sig
+			if !ok {
+				return
+			}
+
+			logger.Info(ctx, "received sigusr2 signal, clearing proxies and layers cache")
+
+			layerCache.Clear()
+			proxyCache.Clear()
+		}
+	}()
+
+	cancel := func() {
+		close(sig)
+	}
+
+	return layerCache, proxyCache, cancel
+}
+
 func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
 	reverseProxy := httputil.NewSingleHostReverseProxy(target)

@ -230,7 +264,10 @@ func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {

 func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
-	logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+
+	if !errors.Is(err, context.Canceled) {
+		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+	}

 	s.renderErrorPage(w, r, err, status, http.StatusText(status))
 }
--- a/internal/sentry/sentry.go
+++ b/internal/sentry/sentry.go
@ -1,37 +0,0 @@
-package sentry
-
-import (
-	"net/http"
-
-	"github.com/getsentry/sentry-go"
-)
-
-func SpanHandler(handler http.Handler, name string) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		ctx := r.Context()
-
-		hub := sentry.GetHubFromContext(ctx)
-		if hub == nil {
-			hub = sentry.CurrentHub().Clone()
-			ctx = sentry.SetHubOnContext(ctx, hub)
-		}
-
-		options := []sentry.SpanOption{
-			sentry.WithOpName(name),
-			sentry.ContinueFromRequest(r),
-			sentry.WithTransactionSource(sentry.SourceURL),
-		}
-
-		span := sentry.StartSpan(ctx,
-			name,
-			options...,
-		)
-		defer span.Finish()
-
-		r = r.WithContext(span.Context())
-
-		handler.ServeHTTP(w, r)
-	}
-
-	return http.HandlerFunc(fn)
-}
--- a/internal/session/options.go
+++ b/internal/session/options.go
@ -10,6 +10,7 @@ import (
 type Options struct {
 	Session   sessions.Options
 	KeyPrefix string
+	TTL       time.Duration
 }

 type OptionFunc func(opts *Options)
@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			SameSite: http.SameSiteDefaultMode,
 		},
 		KeyPrefix: "session:",
+		TTL:       time.Hour,
 	}

 	for _, fn := range funcs {
@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
 		opts.KeyPrefix = prefix
 	}
 }
+
+func WithTTL(ttl time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.TTL = ttl
+	}
+}
--- a/internal/session/store.go
+++ b/internal/session/store.go
@ -31,6 +31,7 @@ type Store struct {
 	keyPrefix  string
 	keyGen     KeyGenFunc
 	serializer SessionSerializer
+	ttl        time.Duration
 }

 type KeyGenFunc func() (string, error)
@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
 		keyPrefix:  opts.KeyPrefix,
 		keyGen:     generateRandomKey,
 		serializer: GobSerializer{},
+		ttl:        opts.TTL,
 	}

 	return rs
@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
 	if err != nil {
 		return session, nil
 	}
+
 	session.ID = c.Value

 	err = s.load(r.Context(), session)
 	if err == nil {
 		session.IsNew = false
 	} else if !errors.Is(err, ErrNotFound) {
-		return nil, errors.WithStack(err)
+		return session, errors.WithStack(err)
 	}

 	return session, nil
 }

 func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
-	if session.Options.MaxAge <= 0 {
+	if session.Options.MaxAge < 0 {
 		if err := s.delete(r.Context(), session); err != nil {
 			return errors.WithStack(err)
 		}
@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
 		return errors.WithStack(err)
 	}

-	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
+	ttl := time.Duration(session.Options.MaxAge) * time.Second
+	if s.ttl < ttl || ttl == 0 {
+		ttl = s.ttl
+	}
+
+	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
 		return errors.WithStack(err)
 	}

--- a/internal/setup/authn_oidc_layer.go
+++ b/internal/setup/authn_oidc_layer.go
@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
+		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }
--- a/internal/setup/redis.go
+++ b/internal/setup/redis.go
@ -38,9 +38,15 @@ func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
 		ReadTimeout:           time.Duration(conf.ReadTimeout),
 		WriteTimeout:          time.Duration(conf.WriteTimeout),
 		DialTimeout:           time.Duration(conf.DialTimeout),
-		RouteByLatency:        true,
-		ContextTimeoutEnabled: true,
+		RouteByLatency:        bool(conf.RouteByLatency),
+		ContextTimeoutEnabled: bool(conf.ContextTimeoutEnabled),
 		MaxRetries:            int(conf.MaxRetries),
+		PoolSize:              int(conf.PoolSize),
+		PoolTimeout:           time.Duration(conf.PoolTimeout),
+		MinIdleConns:          int(conf.MinIdleConns),
+		MaxIdleConns:          int(conf.MaxIdleConns),
+		ConnMaxIdleTime:       time.Duration(conf.ConnMaxIdleTime),
+		ConnMaxLifetime:       time.Duration(conf.ConnMaxLifetime),
 	})

 	go func() {
--- a/internal/syncx/cached_resource.go
+++ b/internal/syncx/cached_resource.go
@ -0,0 +1,63 @@
+package syncx
+
+import (
+	"context"
+	"sync"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"github.com/pkg/errors"
+)
+
+type RefreshFunc[K comparable, V any] func(ctx context.Context, key K) (V, error)
+
+type CachedResource[K comparable, V any] struct {
+	cache   cache.Cache[K, V]
+	lock    sync.RWMutex
+	refresh RefreshFunc[K, V]
+}
+
+func (r *CachedResource[K, V]) Clear() {
+	r.cache.Clear()
+}
+
+func (r *CachedResource[K, V]) Get(ctx context.Context, key K) (V, bool, error) {
+	value, exists := r.cache.Get(key)
+	if exists {
+		return value, false, nil
+	}
+
+	locked := r.lock.TryLock()
+	if !locked {
+		r.lock.RLock()
+
+		value, exists := r.cache.Get(key)
+		if exists {
+			r.lock.RUnlock()
+			return value, false, nil
+		}
+
+		r.lock.RUnlock()
+	}
+
+	if !locked {
+		r.lock.Lock()
+	}
+
+	defer r.lock.Unlock()
+
+	value, err := r.refresh(ctx, key)
+	if err != nil {
+		return *new(V), false, errors.WithStack(err)
+	}
+
+	r.cache.Set(key, value)
+
+	return value, true, nil
+}
+
+func NewCachedResource[K comparable, V any](cache cache.Cache[K, V], refresh RefreshFunc[K, V]) *CachedResource[K, V] {
+	return &CachedResource[K, V]{
+		cache:   cache,
+		refresh: refresh,
+	}
+}
--- a/internal/syncx/cached_resource_test.go
+++ b/internal/syncx/cached_resource_test.go
@ -0,0 +1,66 @@
+package syncx
+
+import (
+	"context"
+	"math"
+	"sync"
+	"testing"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
+	"github.com/pkg/errors"
+)
+
+func TestCachedResource(t *testing.T) {
+	refreshCalls := 0
+	cacheTTL := 1*time.Second + 500*time.Millisecond
+	duration := 2 * time.Second
+
+	expectedCalls := math.Ceil(float64(duration) / float64(cacheTTL))
+
+	resource := NewCachedResource(
+		ttl.NewCache(
+			memory.NewCache[string, string](),
+			memory.NewCache[string, time.Time](),
+			cacheTTL,
+		),
+		func(ctx context.Context, key string) (string, error) {
+			refreshCalls++
+			return "bar", nil
+		},
+	)
+
+	concurrents := 50
+	key := "foo"
+
+	var wg sync.WaitGroup
+
+	wg.Add(concurrents)
+
+	for i := range concurrents {
+		go func(i int) {
+			done := time.After(duration)
+
+			defer wg.Done()
+			for {
+				select {
+				case <-done:
+					return
+				default:
+					value, fresh, err := resource.Get(context.Background(), key)
+					if err != nil {
+						t.Errorf("%+v", errors.WithStack(err))
+					}
+					t.Logf("resource retrieved for goroutine #%d: (%s, %s, %v)", i, key, value, fresh)
+				}
+			}
+		}(i)
+	}
+
+	wg.Wait()
+
+	if e, g := int(expectedCalls), refreshCalls; e != g {
+		t.Errorf("refreshCalls: expected '%d', got '%d'", e, g)
+	}
+}
--- a/layers/authn/templates/error.gohtml
+++ b/layers/authn/templates/error.gohtml
@ -55,6 +55,8 @@
        border-radius: 5px;
        box-shadow: 2px 2px #cccccc1c;
        color: #810000 !important;
+        max-width: 80%;
+        overflow-x: hidden;
      }

      .title {
@ -81,7 +83,7 @@
      <div id="card">
        <h2 class="title">Une erreur est survenue !</h2>
        {{ if .Debug }}
-        <pre>{{ .Err }}</pre>
+        <pre style="overflow-x: auto">{{ .Err }}</pre>
        {{ end }}
        {{/* if a public base url is provided, show navigation link */}}
        {{ $oidc := ( index .Layer.Options "oidc" ) }}
--- a/misc/packaging/common/config.yml
+++ b/misc/packaging/common/config.yml
@ -131,6 +131,12 @@ proxy:
    # Les proxys/layers sont mis en cache local pour une durée de 30s
    # par défaut. Si les modifications sont rares, vous pouvez augmenter
    # cette valeur pour réduire la "pression" sur le serveur Redis.
+    # Il est possible de forcer la réinitialisation du cache en envoyant
+    # le signal SIGUSR2 au processus Bouncer.
+    #
+    # Exemple
+    #
+    # kill -s USR2 $(pgrep bouncer)
    ttl: 30s

  # Configuration du transport HTTP(S)
@ -218,6 +224,11 @@ layers:
  authn:
    # Répertoire contenant les templates
    templateDir: "/etc/bouncer/layers/authn/templates"
+    # Configuration des sessions
+    sessions:
+      # Temps de persistence sans actualisation des sessions dans le store
+      # (prévalent sur le MaxAge de la session)
+      ttl: "1h"

 # Configuration d'une série de proxy/layers
 # à créer par défaut par le serveur d'administration
Author	SHA1	Message	Date
William Petit	9d10a69b0d	chore: update go and alpine docker image version All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-04-03 11:12:32 +02:00
William Petit	8b6e75ae77	feat: use sentry tags instead of context for better observability All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-19 15:04:55 +01:00
William Petit	692523e54f	feat: prevent call bursts on oidc provider refresh All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 15:51:25 +01:00
William Petit	59ecfa7b4e	feat: prevent burst of proxy/layers update All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 12:52:59 +01:00
William Petit	cc5cdcea96	fix: cache ttl interpolation All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 12:20:00 +01:00
William Petit	1af7248a6f	feat: reset proxy cache with sigusr2 All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 11:35:15 +01:00
William Petit	8b132dddd4	feat: add proxy information in sentry context All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-17 12:07:30 +01:00
William Petit	6a4a144c97	feat: silence context expired errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details closes #49	2025-03-10 18:32:36 +01:00
wpetit	ac7b7e8189	Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48 ) from issue-47 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #48 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>	2025-03-07 13:42:39 +01:00
William Petit	2df74bad4f	feat: cache oidc.Provider to reduce pressure on OIDC identity provider (#47 ) All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2025-03-07 11:15:28 +01:00
wpetit	076a3d784e	Merge pull request 'Fix append error in admin/run.go' (#46 ) from fix-append into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #46	2025-03-07 10:21:27 +01:00
Matthieu Lamalle	826edef358	fix : suppression de append inutile, remonté par go vet All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-11-18 11:05:17 +01:00
William Petit	ce7415af20	fix: prevent nil pointer when err session retrieval fails All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details see https://sentry.in.nuonet.fr/share/issue/48b82c13ee3f4721bb6306b533799709/	2024-11-14 10:10:16 +01:00
William Petit	7cc9de180c	feat(authn): add configurable global ttl for session storage	2024-11-14 10:09:33 +01:00
William Petit	74c2a2c055	fix(authn): correctly handle session-limited cookies All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See CNOUS/mse#4347	2024-11-08 12:21:23 +01:00
William Petit	239d4573c3	feat(sentry): ignore 'net/http: abort' errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See: - https://sentry.in.nuonet.fr/share/issue/972e100ea22d44759c44b6cfad8be7b2/ - https://pkg.go.dev/net/http#:~:text=ErrAbortHandler%20is%20a%20sentinel%20panic%20value%20to%20abort%20a%20handler.%20While%20any%20panic%20from%20ServeHTTP%20aborts%20the%20response%20to%20the%20client%2C%20panicking%20with%20ErrAbortHandler%20also%20suppresses%20logging%20of%20a%20stack%20trace%20to%20the%20server%27s%20error%20log.	2024-11-08 11:19:38 +01:00
William Petit	cffe3eca1b	fix: prevent loss of information when returning errors Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details Linked to: - https://sentry.in.nuonet.fr/share/issue/5fa72de1b01b46bc81601958a2ff5fd2/ - https://sentry.in.nuonet.fr/share/issue/5a225f6400a647c0bbf1f7ea01566e63/	2024-11-08 11:13:39 +01:00
wpetit	a686c52aed	Merge pull request 'fix(rewriter): prevent mixing of cached rule engines (#44 )' (#45 ) from issue-44 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #45	2024-10-21 14:07:51 +02:00
William Petit	c0470ca623	feat: better display of large error messsages Some checks are pending Cadoles/bouncer/pipeline/head Build queued... Details Cadoles/bouncer/pipeline/pr-develop Build queued... Details	2024-10-21 13:49:32 +02:00
William Petit	c611705d45	fix(rewriter): prevent mixing of cached rule engines (#44 )	2024-10-21 13:48:59 +02:00
William Petit	16fa751dc7	doc: fix rewriter rule method name	2024-10-21 13:48:07 +02:00
William Petit	8983a44d9e	feat: do not capture warning errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-10-11 14:18:52 +02:00
William Petit	11375e546f	feat: allow more control on redis client configuration Some checks reported warnings Cadoles/bouncer/pipeline/head This commit was not built Details	2024-10-11 14:17:45 +02:00
William Petit	69501f6302	feat: log context cancelled error as warn instead of errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-10-02 12:13:50 +02:00
William Petit	382d17cc85	feat: do not use logger.Debug in critical path	2024-10-02 12:13:26 +02:00
William Petit	9bd1d0fbd7	feat: remove superfluous sentry span handlers	2024-10-02 12:12:51 +02:00
William Petit	ecacbb1cbd	feat: disable sentry tracing by default	2024-10-02 12:12:10 +02:00
William Petit	910f1f8ba2	feat: do not use fmt.Sprintf in http logger	2024-10-02 12:11:30 +02:00
William Petit	be59be1795	feat: add recoverer + request-id http middlewares	2024-10-02 12:10:38 +02:00
William Petit	4d6958e2f5	chore: increase default siege requests volume	2024-10-02 12:09:41 +02:00
William Petit	f3b553cb10	feat: expose expvars as profiling endpoint	2024-10-02 12:09:02 +02:00