Initialize Rust project with Cargo, dependencies, and module skeleton

Set up single-binary reverse-proxy project with all core dependencies
(axum, tokio, hyper, tower, rustls, tokio-rustls, rustls-acme, serde,
toml, arc-swap, tracing, tracing-subscriber, rustls-pemfile,
rustls-pki-types, clap, signal-hook, anyhow, thiserror) pinned to exact
versions. Create module skeleton (config, proxy, tls, rate_limit,
logging, admin, health, shutdown) matching architecture spec.

.gitignore

@@ -0,0 +1 @@
+/target

Cargo.toml

@@ -0,0 +1,29 @@
+[package]
+name = "reverse-proxy"
+version = "0.1.0"
+edition = "2021"
+license = "MIT OR Apache-2.0"
+
+[[bin]]
+name = "reverse-proxy"
+path = "src/main.rs"
+
+[dependencies]
+axum = "=0.8.9"
+tokio = { version = "=1.45.1", features = ["full"] }
+hyper = "=1.6.0"
+tower = "=0.5.2"
+rustls = { version = "=0.23.28", features = ["aws_lc_rs"] }
+tokio-rustls = "=0.26.2"
+rustls-acme = { version = "=0.12.1", features = ["aws-lc-rs"] }
+serde = { version = "=1.0.228", features = ["derive"] }
+toml = "=0.8.23"
+arc-swap = "=1.7.1"
+tracing = "=0.1.41"
+tracing-subscriber = "=0.3.19"
+rustls-pemfile = "=2.2.0"
+rustls-pki-types = "=1.12.0"
+clap = { version = "=4.6.1", features = ["derive"] }
+signal-hook = "=0.3.18"
+anyhow = "=1.0.102"
+thiserror = "=2.0.18"

src/admin/mod.rs

@@ -0,0 +1 @@
+pub mod socket;

src/admin/socket.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct AdminSocket;

src/config/dynamic_config.rs

@@ -0,0 +1,50 @@
+use serde::Deserialize;
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct DynamicConfig {
+    pub sites: Vec<SiteConfig>,
+    pub rate_limit: RateLimitConfig,
+    pub body: BodyConfig,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct SiteConfig {
+    pub host: String,
+    pub upstream: String,
+    #[serde(default = "default_upstream_scheme")]
+    pub upstream_scheme: String,
+    #[serde(default = "default_connect_timeout")]
+    pub upstream_connect_timeout_secs: u64,
+    #[serde(default = "default_request_timeout")]
+    pub upstream_request_timeout_secs: u64,
+}
+
+#[allow(dead_code)]
+fn default_upstream_scheme() -> String {
+    "http".to_string()
+}
+
+#[allow(dead_code)]
+fn default_connect_timeout() -> u64 {
+    5
+}
+
+#[allow(dead_code)]
+fn default_request_timeout() -> u64 {
+    60
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct RateLimitConfig {
+    pub requests_per_second: u32,
+    pub burst: u32,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct BodyConfig {
+    pub limit_bytes: u64,
+}

src/config/mod.rs

@@ -0,0 +1,3 @@
+pub mod dynamic_config;
+pub mod static_config;
+pub mod validation;

src/config/static_config.rs

@@ -0,0 +1,107 @@
+use serde::Deserialize;
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct StaticConfig {
+    pub listeners: Vec<ListenerConfig>,
+    #[serde(default)]
+    pub allow_wildcard_bind: bool,
+    #[serde(default = "default_health_check_port")]
+    pub health_check_port: u16,
+    #[serde(default = "default_admin_socket_path")]
+    pub admin_socket_path: String,
+    #[serde(default = "default_shutdown_timeout_secs")]
+    pub shutdown_timeout_secs: u64,
+    #[serde(default)]
+    pub logging: LoggingConfig,
+}
+
+#[allow(dead_code)]
+fn default_health_check_port() -> u16 {
+    9900
+}
+
+#[allow(dead_code)]
+fn default_admin_socket_path() -> String {
+    "/run/reverse-proxy/admin.sock".to_string()
+}
+
+#[allow(dead_code)]
+fn default_shutdown_timeout_secs() -> u64 {
+    30
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct ListenerConfig {
+    pub bind_addr: String,
+    #[serde(default = "default_http_port")]
+    pub http_port: u16,
+    #[serde(default = "default_https_port")]
+    pub https_port: u16,
+    pub tls: TlsConfig,
+    #[serde(default)]
+    pub sites: Vec<crate::config::dynamic_config::SiteConfig>,
+}
+
+#[allow(dead_code)]
+fn default_http_port() -> u16 {
+    80
+}
+
+#[allow(dead_code)]
+fn default_https_port() -> u16 {
+    443
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct TlsConfig {
+    pub mode: String,
+    #[serde(default)]
+    pub acme_domains: Vec<String>,
+    #[serde(default)]
+    pub acme_cache_dir: String,
+    #[serde(default = "default_acme_directory")]
+    pub acme_directory: String,
+    #[serde(default)]
+    pub cert_path: String,
+    #[serde(default)]
+    pub key_path: String,
+}
+
+#[allow(dead_code)]
+fn default_acme_directory() -> String {
+    "production".to_string()
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct LoggingConfig {
+    #[serde(default = "default_log_level")]
+    pub level: String,
+    #[serde(default = "default_log_format")]
+    pub format: String,
+    #[serde(default)]
+    pub log_file_path: Option<String>,
+}
+
+#[allow(dead_code)]
+fn default_log_level() -> String {
+    "info".to_string()
+}
+
+#[allow(dead_code)]
+fn default_log_format() -> String {
+    "text".to_string()
+}
+
+impl Default for LoggingConfig {
+    fn default() -> Self {
+        Self {
+            level: default_log_level(),
+            format: default_log_format(),
+            log_file_path: None,
+        }
+    }
+}

src/config/validation.rs

@@ -0,0 +1,12 @@
+use anyhow::Result;
+
+use super::dynamic_config::DynamicConfig;
+use super::static_config::StaticConfig;
+
+#[allow(dead_code)]
+pub fn validate_config(
+    _static_config: &StaticConfig,
+    _dynamic_config: &DynamicConfig,
+) -> Result<()> {
+    Ok(())
+}

src/health.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct HealthCheck;

src/logging/format.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct LogFormat;

src/logging/mod.rs

@@ -0,0 +1 @@
+pub mod format;

src/main.rs

@@ -0,0 +1,12 @@
+mod admin;
+mod config;
+mod health;
+mod logging;
+mod proxy;
+mod rate_limit;
+mod shutdown;
+mod tls;
+
+fn main() {
+    tracing::info!("reverse-proxy starting");
+}

src/proxy/error.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct ProxyError;

src/proxy/handler.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct ProxyHandler;

src/proxy/headers.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct ProxyHeaders;

src/proxy/mod.rs

@@ -0,0 +1,3 @@
+pub mod error;
+pub mod handler;
+pub mod headers;

src/rate_limit/bucket.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct TokenBucket;

src/rate_limit/mod.rs

@@ -0,0 +1 @@
+pub mod bucket;

src/shutdown.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct GracefulShutdown;

src/tls/acceptor.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct TlsAcceptor;

src/tls/mod.rs

@@ -0,0 +1,2 @@
+pub mod acceptor;
+pub mod redirect;

src/tls/redirect.rs

@@ -0,0 +1,2 @@
+#[allow(dead_code)]
+pub struct HttpsRedirect;