9096ec5873
Add attack surface review #006 — systematic enumeration of untrusted input entry points
2026-06-14 10:27:01 +00:00
0af1683c49
Add architectural recommendation to replace Unix socket with authenticated HTTP
2026-06-14 09:22:41 +00:00
38649e9485
Add security review #004 (post-fix) and #005 (admin socket)
2026-06-14 07:45:13 +00:00
6400c90cb3
Mark review/post-security-fix-review as completed — all 10 criteria PASS
2026-06-12 14:35:34 +00:00
75d9c263cb
Mark fix/upstream-host-validation as completed
2026-06-12 14:34:24 +00:00
ccb574c259
Merge remote-tracking branch 'origin/fix/fix/upstream-host-validation'
2026-06-12 14:33:56 +00:00
4ee9486561
feat(upstream-host-validation): validate host part of upstream address in config
...
Add host part validation to is_valid_upstream: IPv4/IPv6 addresses must parse
as valid IpAddr, bracket-enclosed hosts must parse as IPv6, DNS names must
pass is_valid_hostname. Previously, values like '!!!bad!!!:3000' would pass.
2026-06-12 14:33:48 +00:00
9730d155d2
Mark fix/token-bucket-field-visibility as completed
2026-06-12 14:33:01 +00:00
64a651242c
Merge remote-tracking branch 'origin/fix/fix/token-bucket-field-visibility'
2026-06-12 14:32:36 +00:00
cf3f00fc53
fix(token-bucket-field-visibility): make TokenBucket fields private except last_access
2026-06-12 14:32:29 +00:00
a8155d92f9
Mark fix/tls-mode-wildcard-mismatch as completed
2026-06-12 14:31:08 +00:00
717ee8e6cd
Merge remote-tracking branch 'origin/fix/fix/tls-mode-wildcard-mismatch'
2026-06-12 14:30:08 +00:00
dbedb8846c
Mark fix/rename-misleading-test as completed
2026-06-12 14:29:51 +00:00
f6e6e15ebf
feat(fix/tls-mode-wildcard-mismatch): remove unreachable TlsMode wildcard arm and add count mismatch check
...
Removed #[non_exhaustive] from TlsMode and the wildcard _ arm in the
match tls_mode block in main.rs. Since setup_tls already rejects unknown
modes with bail!, the wildcard was unreachable dead code. Removing it
ensures the compiler catches future TlsMode variant additions. Added
defense-in-depth count mismatch check after the acceptor loop to catch
any silent listener/acceptor mismatch from zip truncation.
2026-06-12 14:29:48 +00:00
d9b3a436f1
Merge remote-tracking branch 'origin/fix/fix/rename-misleading-test'
2026-06-12 14:28:41 +00:00
855c0f1d67
fix(rename-misleading-test): rename misleading test and use from_sites in dynamic config test
2026-06-12 14:28:19 +00:00
8ff8c71783
Mark fix/rate-limiter-connectinfo-tests as completed
2026-06-12 14:27:08 +00:00
c2201707bb
Merge remote-tracking branch 'origin/fix/fix/rate-limiter-connectinfo-tests'
2026-06-12 14:25:22 +00:00
603d722ad0
feat(rate-limiter): add ConnectInfo-based tests for rate limiter (ADR-025)
2026-06-12 14:24:17 +00:00
21186b8265
Mark fix/http-port-type-u16 and fix/log-root-cert-count as completed
2026-06-12 14:21:37 +00:00
1ae06b0478
Merge remote-tracking branch 'origin/fix/fix/log-root-cert-count'
2026-06-12 14:21:12 +00:00
8ac39d9cd8
feat(fix/log-root-cert-count): log system root certificate count at startup
2026-06-12 14:20:43 +00:00
d338dcab38
Merge remote-tracking branch 'origin/fix/fix/http-port-type-u16'
2026-06-12 14:20:37 +00:00
77117c29eb
feat(http-port-type): change http_port from u32 to u16 per spec (W12)
2026-06-12 14:20:15 +00:00
9a3b8831c7
Mark fix/json-format-without-logfile as completed
2026-06-12 14:19:49 +00:00
245d2a69ff
Merge remote-tracking branch 'origin/fix/fix/json-format-without-logfile'
2026-06-12 14:19:02 +00:00
01e3b1cd9a
Mark 6 fix tasks as completed (admin-socket-resource-limits, upstream-uri-error-handling, remove-dead-code-remnants, acme-contact-validation, admin-socket-reload-mutex-visibility, connector-timeout-ceiling)
2026-06-12 14:18:23 +00:00
5ea0bee73f
fix(logging): add .json() to stdout-only layer in init_json None branch
2026-06-12 14:18:17 +00:00
d224d7b409
Merge remote-tracking branch 'origin/fix/fix/connector-timeout-ceiling'
2026-06-12 14:16:47 +00:00
16ec84eea2
Merge remote-tracking branch 'origin/fix/fix/admin-socket-reload-mutex-visibility'
2026-06-12 14:15:13 +00:00
b0f83669c0
fix(proxy): raise connector timeout ceiling to 30s per ADR-026
2026-06-12 14:15:00 +00:00
eb46d9825a
Merge remote-tracking branch 'origin/fix/fix/acme-contact-validation'
2026-06-12 14:14:55 +00:00
075624368b
Merge remote-tracking branch 'origin/fix/fix/remove-dead-code-remnants'
2026-06-12 14:14:39 +00:00
80b90b5716
Merge remote-tracking branch 'origin/fix/fix/upstream-uri-error-handling'
2026-06-12 14:14:02 +00:00
636807d26e
Merge remote-tracking branch 'origin/fix/fix/admin-socket-resource-limits'
2026-06-12 14:13:27 +00:00
159eeda266
feat(admin): gate reload_mutex() with #[cfg(test)]
2026-06-12 14:11:40 +00:00
66cd116d54
feat(validation): tighten ACME contact validation to require non-empty email with @ sign
2026-06-12 14:10:28 +00:00
42b74f92af
Remove dead code remnants identified in security review #003
...
Remove unused log_rate_limit! and log_config_reload! macros,
format_event_fields() function, ProxyError::NotFound/BadRequest/
PayloadTooLarge/UpstreamTls variants, build_multi_domain_server_config(),
SniCertResolver struct, and dead test helper methods. Gate
AcmeTlsConfig::directory_url() and KvVisitor with #[cfg(test)].
2026-06-12 14:05:31 +00:00
e2440f2edb
fix: return 502 on upstream URI parse failure instead of dropping query string
...
Change build_upstream_uri to return Result<Uri, ()> so that URI parse
failures are properly handled instead of silently dropping the query
string and unwrapping a fallback. On parse failure, log a warning with
the malformed URI and return 502 Bad Gateway to the client.
2026-06-12 14:04:03 +00:00
4c6b55a780
Add read timeout and line length limit to admin socket (ADR-027)
2026-06-12 14:03:22 +00:00
db982e9c4d
Mark fix/inflight-counter-increment, fix/consolidate-config-types, fix/rate-limiter-ip-source as completed
2026-06-12 14:02:02 +00:00
e6d22bdcb8
Merge remote-tracking branch 'origin/fix/fix/rate-limiter-ip-source'
2026-06-12 14:01:16 +00:00
ad9b9b9b78
fix(rate_limit): use ConnectInfo as sole IP source, reject without it
...
The rate limiter previously extracted client IP from the X-Forwarded-For
header first, falling back to ConnectInfo. This allowed attackers to bypass
rate limits by sending spoofed X-Forwarded-For headers. Per ADR-025, the
rate limiter now uses ConnectInfo<SocketAddr> exclusively and rejects
requests with 429 when ConnectInfo is absent.
2026-06-12 14:00:31 +00:00
77ea1160de
Merge remote-tracking branch 'origin/fix/fix/consolidate-config-types'
2026-06-12 14:00:10 +00:00
1ba1d2a4de
Consolidate config types: remove RawConfig, use FullConfig in load_config
...
Delete the duplicate RawConfig struct and collect_sites helper from cli.rs.
Rewrite load_config to use FullConfig::parse + into_static_and_dynamic,
eliminating the redundant manual construction path.
2026-06-12 13:58:36 +00:00
05fea1a8e2
Fix InFlightCounter: increment in new(), use new() constructor, drain interval 100ms
2026-06-12 13:58:04 +00:00
54f1725173
Decompose security review #003 findings into 17 fix tasks and 1 review task
...
Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:
Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.
Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.
Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.
Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.
Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).
Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.
2026-06-12 13:42:37 +00:00
80d1fd0fb3
Update architecture docs to address security review #003 findings
...
Add three ADRs (025-027) and update five spec documents to close gaps
identified in the security and bug review:
- ADR-025: Rate limiter IP source must be ConnectInfo only (C1 fix)
- ADR-026: Connector timeout ceiling of 30s for per-site timeouts (C3 fix)
- ADR-027: Admin socket resource limits — 5s timeout, 4096 byte line limit (W4 fix)
Spec changes:
- proxy.md: add rate limiter IP source section, URI error handling
constraint, connector ceiling description, renumber sections
- operations.md: add ConnectInfo-only IP source, in-flight counter
architectural requirement (C2), JSON format guarantee (C4), admin
socket resource limits, 100ms drain polling interval
- config.md: fix http_port type u32→u16 (W12), tighten upstream host
validation (W1), tighten ACME contact validation (W2), add
X-Forwarded-Proto cross-reference, clarify alknet ADR-030 reference
- overview.md: fix ambiguous C1 reference, add ADR/OQ cross-references
- open-questions.md: update OQ-09 resolution, add OQ-13 (acme_contact
Vec) and OQ-14 (eviction configurability)
- README.md: add ADR-025/026/027 and OQ-13/14, update doc statuses to draft
Also fix reviewer findings: alknet ADR-030 scope clarification, RFC 2616
reference updated to RFC 7230.
2026-06-12 13:17:39 +00:00
4f537c80d2
Add security and bug review #003 (4 critical, 12 warnings, 10 suggestions)
2026-06-12 13:03:20 +00:00
c8ab794ef3
Add LICENSE, README, AGENTS.md, and deployment setup guide
...
Dual MIT/Apache-2.0 license, public-facing README with quick start
and config reference, step-by-step deploy/README.md for Docker and
systemd setups, and AGENTS.md for LLM-assisted development.
2026-06-12 11:42:08 +00:00
