chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>
doc(default-config): add vague references to metrics server
2026-05-08 16:12:52 +00:00 · 2026-04-21 15:30:49 -04:00 · 2026-04-21 15:28:55 -04:00 · 2026-04-21 15:25:19 -04:00 · 2026-04-21 15:16:21 -04:00 · 2026-04-21 15:07:08 -04:00
108 changed files with 1523 additions and 817 deletions
@@ -31,3 +31,10 @@ Stargate
 FFXIV
 uvensys
 de
+resourced
+envoyproxy
+unipromos
+Samsung
+wenet
+qwertiko
+setuplistener
@@ -80,6 +80,7 @@ databento
 dayjob
 dco
 DDOS
+ddwrt
 Debian
 debrpm
 decaymap
@@ -102,6 +103,7 @@ duckduckbot
 eerror
 ellenjoe
 emacs
+embe
 enbyware
 etld
 everyones
@@ -119,7 +121,6 @@ FCr
 fcrdns
 fediverse
 ffprobe
-FFXIV
 fhdr
 financials
 finfos
@@ -221,7 +222,6 @@ LLU
 loadbalancer
 lol
 lominsa
-maintainership
 malware
 mcr
 memes
@@ -239,7 +239,6 @@ mymaster
 mypass
 myuser
 nbf
-Necron
 nepeat
 netsurf
 nginx
@@ -334,7 +333,6 @@ spyderbot
 srcip
 srv
 stackoverflow
-Stargate
 startprecmd
 stoppostcmd
 storetest
@@ -25,7 +25,7 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "1.25.7"

@@ -29,7 +29,7 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

@@ -39,14 +39,14 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

      - name: Log into registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -25,7 +25,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log into registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: techarohq
@@ -53,14 +53,14 @@ jobs:
          push: true

      - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@5ada4e2c02eacc03978c2437e95c8b0f979a9619 # v1.35.2
+        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
          args: apply -k docs/manifest

      - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@5ada4e2c02eacc03978c2437e95c8b0f979a9619 # v1.35.2
+        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
@@ -17,7 +17,7 @@ jobs:
        with:
          persist-credentials: false

-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

@@ -27,12 +27,12 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

      - name: Cache playwright binaries
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        id: playwright-cache
        with:
          path: |
@@ -28,7 +28,7 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

@@ -29,7 +29,7 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

@@ -37,7 +37,7 @@ jobs:
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

@@ -89,7 +89,7 @@ jobs:
    steps:
      - name: check-spelling
        id: spelling
-        uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
+        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # v0.0.26
        with:
          suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
          checkout: true
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0
          persist-credentials: false
      - name: Log into registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -30,13 +30,13 @@ jobs:
          persist-credentials: false

      - name: Install CI target SSH key
-        uses: shimataro/ssh-key-action@6b84f2e793b32fa0b03a379cadadec75cc539391 # v2.8.0
+        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
        with:
          key: ${{ secrets.CI_SSH_KEY }}
          name: id_rsa
          known_hosts: ${{ secrets.CI_SSH_KNOWN_HOSTS }}

-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "stable"

@@ -21,7 +21,7 @@ jobs:
          persist-credentials: false

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0

      - name: Run zizmor 🌈
        run: uvx zizmor --format sarif . > results.sarif
@@ -29,7 +29,7 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: results.sarif
          category: zizmor
@@ -73,6 +73,15 @@ Anubis is brought to you by sponsors and donors like:
 <a href="https://www.anexia.com/">
  <img src="./docs/static/img/sponsors/anexia-cloudsolutions-logo.webp" alt="ANEXIA Cloud Solutions" height="64">
 </a>
+<a href="https://dd-wrt.com/">
+  <img src="./docs/static/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64">
+</a>
+<a href="https://www.qwertiko.de?utm_campaign=github&utm_medium=referral&utm_content=anubis">
+  <img src="./docs/static/img/sponsors/qwertiko-logo.webp" alt="Qwertiko" height="64">
+</a>
+<a href="https://wenet.pl/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
+  <img src="./docs/static/img/sponsors/wenet-logo.webp" alt="Wenet" height="64">
+</a>

 ## Overview

@@ -21,7 +21,6 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -32,12 +31,12 @@ import (
 	"github.com/TecharoHQ/anubis/internal"
 	libanubis "github.com/TecharoHQ/anubis/lib"
 	"github.com/TecharoHQ/anubis/lib/config"
+	"github.com/TecharoHQ/anubis/lib/metrics"
 	botPolicy "github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
-	"github.com/prometheus/client_golang/prometheus/promhttp"
 	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
 )

@@ -118,33 +117,6 @@ func doHealthCheck() error {
 	return nil
 }

-// parseBindNetFromAddr determine bind network and address based on the given network and address.
-func parseBindNetFromAddr(address string) (string, string) {
-	defaultScheme := "http://"
-	if !strings.Contains(address, "://") {
-		if strings.HasPrefix(address, ":") {
-			address = defaultScheme + "localhost" + address
-		} else {
-			address = defaultScheme + address
-		}
-	}
-
-	bindUri, err := url.Parse(address)
-	if err != nil {
-		log.Fatal(fmt.Errorf("failed to parse bind URL: %w", err))
-	}
-
-	switch bindUri.Scheme {
-	case "unix":
-		return "unix", bindUri.Path
-	case "tcp", "http", "https":
-		return "tcp", bindUri.Host
-	default:
-		log.Fatal(fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address))
-	}
-	return "", address
-}
-
 func parseSameSite(s string) http.SameSite {
 	switch strings.ToLower(s) {
 	case "none":
@@ -161,53 +133,6 @@ func parseSameSite(s string) http.SameSite {
 	return http.SameSiteDefaultMode
 }

-func setupListener(network string, address string) (net.Listener, string) {
-	formattedAddress := ""
-
-	if network == "" {
-		// keep compatibility
-		network, address = parseBindNetFromAddr(address)
-	}
-
-	switch network {
-	case "unix":
-		formattedAddress = "unix:" + address
-	case "tcp":
-		if strings.HasPrefix(address, ":") { // assume it's just a port e.g. :4259
-			formattedAddress = "http://localhost" + address
-		} else {
-			formattedAddress = "http://" + address
-		}
-	default:
-		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
-	}
-
-	listener, err := net.Listen(network, address)
-	if err != nil {
-		log.Fatal(fmt.Errorf("failed to bind to %s: %w", formattedAddress, err))
-	}
-
-	// additional permission handling for unix sockets
-	if network == "unix" {
-		mode, err := strconv.ParseUint(*socketMode, 8, 0)
-		if err != nil {
-			listener.Close()
-			log.Fatal(fmt.Errorf("could not parse socket mode %s: %w", *socketMode, err))
-		}
-
-		err = os.Chmod(address, os.FileMode(mode))
-		if err != nil {
-			err := listener.Close()
-			if err != nil {
-				log.Printf("failed to close listener: %v", err)
-			}
-			log.Fatal(fmt.Errorf("could not change socket mode: %w", err))
-		}
-	}
-
-	return listener, formattedAddress
-}
-
 func makeReverseProxy(target string, targetSNI string, targetHost string, insecureSkipVerify bool, targetDisableKeepAlive bool) (http.Handler, error) {
 	targetUri, err := url.Parse(target)
 	if err != nil {
@@ -303,11 +228,6 @@ func main() {

 	wg := new(sync.WaitGroup)

-	if *metricsBind != "" {
-		wg.Add(1)
-		go metricsServer(ctx, *lg.With("subsystem", "metrics"), wg.Done)
-	}
-
 	var rp http.Handler
 	// when using anubis via Systemd and environment variables, then it is not possible to set targe to an empty string but only to space
 	if strings.TrimSpace(*target) != "" {
@@ -347,6 +267,26 @@ func main() {
 	lg.Debug("swapped to new logger")
 	slog.SetDefault(lg)

+	if *metricsBind != "" || policy.Metrics != nil {
+		wg.Add(1)
+
+		ms := &metrics.Server{
+			Config: policy.Metrics,
+			Log:    lg,
+		}
+
+		if policy.Metrics == nil {
+			lg.Debug("migrating flags to metrics config", "bind", *metricsBind, "network", *metricsBindNetwork, "socket-mode", *socketMode)
+			ms.Config = &config.Metrics{
+				Bind:       *metricsBind,
+				Network:    *metricsBindNetwork,
+				SocketMode: *socketMode,
+			}
+		}
+
+		go ms.Run(ctx, wg.Done)
+	}
+
 	// Warn if persistent storage is used without a configured signing key
 	if policy.Store.IsPersistent() {
 		if *hs512Secret == "" && *ed25519PrivateKeyHex == "" && *ed25519PrivateKeyHexFile == "" {
@@ -427,7 +367,7 @@ func main() {
 			redirectDomainsList = append(redirectDomainsList, strings.TrimSpace(domain))
 		}
 	} else {
-		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will only redirect to the same domain a request is coming from, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
+		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will redirect to any domain, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
 	}

 	anubis.CookieName = *cookiePrefix + "-auth"
@@ -483,7 +423,11 @@ func main() {
 	h = internal.JA4H(h)

 	srv := http.Server{Handler: h, ErrorLog: internal.GetFilteredHTTPLogger()}
-	listener, listenerUrl := setupListener(*bindNetwork, *bind)
+	listener, listenerUrl, err := internal.SetupListener(*bindNetwork, *bind, *socketMode)
+	if err != nil {
+		log.Fatalf("SetupListener(%q, %q, %q): %v", *bindNetwork, *bind, *socketMode, err)
+	}
+
 	lg.Info(
 		"listening",
 		"url", listenerUrl,
@@ -518,48 +462,6 @@ func main() {
 	wg.Wait()
 }

-func metricsServer(ctx context.Context, lg slog.Logger, done func()) {
-	defer done()
-
-	mux := http.NewServeMux()
-	mux.Handle("/metrics", promhttp.Handler())
-	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
-		st, ok := internal.GetHealth("anubis")
-		if !ok {
-			slog.Error("health service anubis does not exist, file a bug")
-		}
-
-		switch st {
-		case healthv1.HealthCheckResponse_NOT_SERVING:
-			http.Error(w, "NOT OK", http.StatusInternalServerError)
-			return
-		case healthv1.HealthCheckResponse_SERVING:
-			fmt.Fprintln(w, "OK")
-			return
-		default:
-			http.Error(w, "UNKNOWN", http.StatusFailedDependency)
-			return
-		}
-	})
-
-	srv := http.Server{Handler: mux, ErrorLog: internal.GetFilteredHTTPLogger()}
-	listener, metricsUrl := setupListener(*metricsBindNetwork, *metricsBind)
-	lg.Debug("listening for metrics", "url", metricsUrl)
-
-	go func() {
-		<-ctx.Done()
-		c, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if err := srv.Shutdown(c); err != nil {
-			log.Printf("cannot shut down: %v", err)
-		}
-	}()
-
-	if err := srv.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
-		log.Fatal(err)
-	}
-}
-
 func extractEmbedFS(fsys embed.FS, root string, destDir string) error {
 	return fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -166,6 +166,15 @@ status_codes:
  CHALLENGE: 200
  DENY: 200

+# # Configuration for the metrics server. See the docs for more information:
+# #
+# # https://anubis.techaro.lol/docs/admin/policies#metrics-server
+# #
+# # This is commented out by default so that command line flags take precedence.
+# metrics:
+#   bind: ":9090"
+#   network: "tcp"
+
 # Anubis can store temporary data in one of a few backends. See the storage
 # backends section of the docs for more information:
 #
@@ -8,4 +8,5 @@
 - import: (data)/crawlers/marginalia.yaml
 - import: (data)/crawlers/mojeekbot.yaml
 - import: (data)/crawlers/commoncrawl.yaml
+- import: (data)/crawlers/wikimedia-citoid.yaml
 - import: (data)/crawlers/yandexbot.yaml
@@ -0,0 +1,18 @@
+# Wikimedia Foundation citation services
+# https://www.mediawiki.org/wiki/Citoid
+
+- name: wikimedia-citoid
+  user_agent_regex: "Citoid/WMF"
+  action: ALLOW
+  remote_addresses: [
+    "208.80.152.0/22",
+    "2620:0:860::/46",
+  ]
+
+- name: wikimedia-zotero-translation-server
+  user_agent_regex: "ZoteroTranslationServer/WMF"
+  action: ALLOW
+  remote_addresses: [
+    "208.80.152.0/22",
+    "2620:0:860::/46",
+  ]
@@ -11,12 +11,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+<!-- This changes the project to: -->
+
+- Move metrics server configuration to [the policy file](./admin/policies.mdx#metrics-server).
+- Expose [pprof endpoints](https://pkg.go.dev/net/http/pprof) on the metrics listener to enable profiling Anubis in production.
 - fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
 - Instruct reverse proxies to not cache error pages.
 - Fixed mixed tab/space indentation in Caddy documentation code block
- Rewrite main proof of work challenge to use Preact instead of Vanilla.js ([#1149](https://github.com/TecharoHQ/anubis/issues/1149))
-
-<!-- This changes the project to: -->
+- Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193))
+- Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
+- Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).

 ## v1.25.0: Necron

@@ -87,15 +87,15 @@ Anubis uses these environment variables for configuration:
 | `ED25519_PRIVATE_KEY_HEX_FILE` | unset                   | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. **Required when using persistent storage backends** (like bbolt) to ensure challenges survive service restarts. When running multiple instances on the same base domain, the key must be the same across all instances.                                                                                                                                                                                                       |
 | `ERROR_TITLE`                  | unset                   | <EO /> If set, override the translation stack to show a custom title for error pages such as "Something went wrong!". See [Customizing messages](./botstopper.mdx#customizing-messages) for more details.                                                                                                                                                                                                                                                                                                                                      |
 | `JWT_RESTRICTION_HEADER`       | `X-Real-IP`             | If set, the JWT is only valid if the current value of this header matches the value when the JWT was created. You can use it e.g. to restrict a JWT to the source IP of the user using `X-Real-IP`.                                                                                                                                                                                                                                                                                                                                            |
-| `METRICS_BIND`                 | `:9090`                 | The network address that Anubis serves Prometheus metrics on. See `BIND` for more information.                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| `METRICS_BIND_NETWORK`         | `tcp`                   | The address family that the Anubis metrics server listens on. See `BIND_NETWORK` for more information.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| `METRICS_BIND`                 | `:9090`                 | The legacy configuration value for the network address that Anubis serves Prometheus metrics on. Please migrate this to [the policy file](./policies.mdx#metrics-server) as soon as possible.                                                                                                                                                                                                                                                                                                                                                  |
+| `METRICS_BIND_NETWORK`         | `tcp`                   | The legacy configuration value for the address family that Anubis serves Prometheus metrics on. Please migrate this to [the policy file](./policies.mdx#metrics-server) as soon as possible.                                                                                                                                                                                                                                                                                                                                                   |
 | `OG_EXPIRY_TIME`               | `24h`                   | The expiration time for the Open Graph tag cache. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                                                        |
 | `OG_PASSTHROUGH`               | `false`                 | If set to `true`, Anubis will enable Open Graph tag passthrough. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                                         |
 | `OG_CACHE_CONSIDER_HOST`       | `false`                 | If set to `true`, Anubis will consider the host in the Open Graph tag cache key. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                         |
 | `OVERLAY_FOLDER`               | unset                   | <EO /> If set, treat the given path as an [overlay folder](./botstopper.mdx#custom-images-and-css), allowing you to customize CSS, fonts, images, and add other assets to BotStopper deployments.                                                                                                                                                                                                                                                                                                                                              |
 | `POLICY_FNAME`                 | unset                   | The file containing [bot policy configuration](./policies.mdx). See the bot policy documentation for more details. If unset, the default bot policy configuration is used.                                                                                                                                                                                                                                                                                                                                                                     |
 | `PUBLIC_URL`                   | unset                   | The externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for Traefik forwardAuth). Leave it unset when Anubis terminates traffic directly (sidecar/standalone deployments) or redirect building will fail with `redir=null`.                                                                                                                                                                                                                                                                         |
-| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains) for more details.                                                                                                                                                                                                                                                                                                                                                   |
+| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains.mdx) for more details.                                                                                                                                                                                                                                                                                                                                               |
 | `SERVE_ROBOTS_TXT`             | `false`                 | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file.                                                                                                                                                                                                                                                       |
 | `SLOG_LEVEL`                   | `INFO`                  | The log level for structured logging. Valid values are `DEBUG`, `INFO`, `WARN`, and `ERROR`. Set to `DEBUG` to see all requests, evaluations, and detailed diagnostic information.                                                                                                                                                                                                                                                                                                                                                             |
 | `SOCKET_MODE`                  | `0770`                  | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets.                                                                                                                                                                                                                                                                                                                                                                                                      |
@@ -117,6 +117,27 @@ remote_addresses:
  - 100.64.0.0/10
 ```

+## Metrics server
+
+Anubis includes support for [Prometheus-style metrics](https://prometheus.io/docs/introduction/overview/), allowing systems administrators to monitor Anubis' performance and effectiveness. This is a separate HTTP server with metrics, health checking, and debug routes.
+
+Anubis' metrics server is configured with the `metrics` block in the configuration file:
+
+```yaml
+metrics:
+  bind: ":9090"
+  network: "tcp"
+```
+
+If you want to bind metrics to a Unix socket, make sure to set the network to `unix` and add a socket mode:
+
+```yaml
+metrics:
+  bind: "/tmp/anubis_metrics.sock"
+  network: unix
+  socketMode: "0700" # must be a string
+```
+
 ## Imprint / Impressum support

 Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.
@@ -87,6 +87,15 @@ Anubis is brought to you by sponsors and donors like:
    height="64"
  />
 </a>
+<a href="https://dd-wrt.com/">
+  <img src="/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64" />
+</a>
+<a href="https://www.qwertiko.de?utm_campaign=github&utm_medium=referral&utm_content=anubis">
+  <img src="/img/sponsors/qwertiko-logo.webp" alt="Qwertiko" height="64" />
+</a>
+<a href="https://wenet.pl/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
+  <img src="/img/sponsors/wenet-logo.webp" alt="Wenet" height="64" />
+</a>

 ## Overview

@@ -22,3 +22,24 @@ If you use a browser extension such as [JShelter](https://jshelter.org/), you wi
 ## Does Anubis mine Bitcoin?

 No. Anubis does not mine Bitcoin or any other cryptocurrency.
+
+## I disabled Just-in-time compilation in my browser. Why is Anubis slow?
+
+Anubis proof-of-work checks run an open source JavaScript program in your browser. These checks do a lot of complicated math and aim to be done quickly, so the execution speed depends on [Just-in-time (JIT) compilation](https://en.wikipedia.org/wiki/Just-in-time_compilation). JIT compiles JavaScript from the Internet into native machine code at runtime. The code produced by the JIT engine is almost as good as if it was written in a native programming language and compiled for your computer in particular. Without JIT, all JavaScript programs on every website you visit run through a slow interpreter.
+
+This interpreter is much slower than native code because it has to translate each low level JavaScript operation into many dozens of calls to execute. This means that using the interpreter incurs a massive performance hit by its very nature; it takes longer to add numbers than if the CPU just added the numbers directly.
+
+Some users choose to disable JIT as a hardening measure against theoretical browser exploits. This is a reasonable choice if you face targeted attacks from well-resourced adversaries (such as nation-state actors), but it comes with real performance costs.
+
+If you've disabled JIT and find Anubis checks slow, re-enabling JIT is the fix. There is no way for Anubis to work around this on our end.
+
+## What versions of browsers does Anubis support?
+
+Anubis is written mainly by a single person in a basement in Canada. As such it is impossible for Anubis to support every version of every browser on the planet. As such, here's a few rules of thumb for the browsers that Anubis focuses on supporting:
+
+- At least the two (2) most recent LTS releases of Firefox and Chrome.
+- At least the version of Chromium as used by the Samsung Browser on Android.
+- At least the last version of Chromium and Firefox that are known to run on Windows 7.
+- At least the version of Safari that runs on the second-to-oldest iPhone model currently on the market.
+
+We cannot give more cohesive version bounds than this. If you run into problems, please file an issue. Sometimes you may just need to upgrade hardware though.
@@ -0,0 +1,92 @@
+package internal
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// parseBindNetFromAddr determine bind network and address based on the given network and address.
+func parseBindNetFromAddr(address string) (string, string, error) {
+	defaultScheme := "http://"
+	if !strings.Contains(address, "://") {
+		if strings.HasPrefix(address, ":") {
+			address = defaultScheme + "localhost" + address
+		} else {
+			address = defaultScheme + address
+		}
+	}
+
+	bindUri, err := url.Parse(address)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to parse bind URL: %w", err)
+	}
+
+	switch bindUri.Scheme {
+	case "unix":
+		return "unix", bindUri.Path, nil
+	case "tcp", "http", "https":
+		return "tcp", bindUri.Host, nil
+	default:
+		return "", "", fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address)
+	}
+}
+
+// SetupListener sets up a network listener based on the input from configuration
+// envvars. It returns a network listener and the URL to that listener or an error.
+func SetupListener(network, address, socketMode string) (net.Listener, string, error) {
+	formattedAddress := ""
+	var err error
+
+	if network == "" {
+		// keep compatibility
+		network, address, err = parseBindNetFromAddr(address)
+	}
+
+	if err != nil {
+		return nil, "", fmt.Errorf("can't parse bind and network: %w", err)
+	}
+
+	switch network {
+	case "unix":
+		formattedAddress = "unix:" + address
+	case "tcp":
+		if strings.HasPrefix(address, ":") { // assume it's just a port e.g. :4259
+			formattedAddress = "http://localhost" + address
+		} else {
+			formattedAddress = "http://" + address
+		}
+	default:
+		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
+	}
+
+	ln, err := net.Listen(network, address)
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to bind to %s: %w", formattedAddress, err)
+	}
+
+	// additional permission handling for unix sockets
+	if network == "unix" {
+		mode, err := strconv.ParseUint(socketMode, 8, 0)
+		if err != nil {
+			ln.Close()
+			return nil, "", fmt.Errorf("could not parse socket mode %s: %w", socketMode, err)
+		}
+
+		err = os.Chmod(address, os.FileMode(mode))
+		if err != nil {
+			err := fmt.Errorf("could not change socket mode: %w", err)
+			clErr := ln.Close()
+			if clErr != nil {
+				return nil, "", errors.Join(err, clErr)
+			}
+			return nil, "", err
+		}
+	}
+
+	return ln, formattedAddress, nil
+}
@@ -0,0 +1,180 @@
+package internal
+
+import (
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"testing"
+)
+
+func TestParseBindNetFromAddr(t *testing.T) {
+	for _, tt := range []struct {
+		name    string
+		address string
+		wantErr bool
+		network string
+		bind    string
+	}{
+		{
+			name:    "simple tcp",
+			address: "localhost:9090",
+			wantErr: false,
+			network: "tcp",
+			bind:    "localhost:9090",
+		},
+		{
+			name:    "simple unix",
+			address: "unix:///tmp/foo.sock",
+			wantErr: false,
+			network: "unix",
+			bind:    "/tmp/foo.sock",
+		},
+		{
+			name:    "invalid network",
+			address: "foo:///tmp/bar.sock",
+			wantErr: true,
+		},
+		{
+			name:    "tcp uri",
+			address: "tcp://[::]:9090",
+			wantErr: false,
+			network: "tcp",
+			bind:    "[::]:9090",
+		},
+		{
+			name:    "http uri",
+			address: "http://[::]:9090",
+			wantErr: false,
+			network: "tcp",
+			bind:    "[::]:9090",
+		},
+		{
+			name:    "https uri",
+			address: "https://[::]:9090",
+			wantErr: false,
+			network: "tcp",
+			bind:    "[::]:9090",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			network, bind, err := parseBindNetFromAddr(tt.address)
+
+			switch {
+			case tt.wantErr && err == nil:
+				t.Errorf("parseBindNetFromAddr(%q) should have errored but did not", tt.address)
+			case !tt.wantErr && err != nil:
+				t.Errorf("parseBindNetFromAddr(%q) threw an error: %v", tt.address, err)
+			}
+
+			if network != tt.network {
+				t.Errorf("parseBindNetFromAddr(%q) wanted network: %q, got: %q", tt.address, tt.network, network)
+			}
+
+			if bind != tt.bind {
+				t.Errorf("parseBindNetFromAddr(%q) wanted bind: %q, got: %q", tt.address, tt.bind, bind)
+			}
+		})
+	}
+}
+
+func TestSetupListener(t *testing.T) {
+	td := t.TempDir()
+
+	for _, tt := range []struct {
+		name                         string
+		network, address, socketMode string
+		wantErr                      bool
+		socketURLPrefix              string
+	}{
+		{
+			name:            "simple tcp",
+			network:         "",
+			address:         ":0",
+			wantErr:         false,
+			socketURLPrefix: "http://localhost:",
+		},
+		{
+			name:            "simple unix",
+			network:         "",
+			address:         "unix://" + filepath.Join(td, "a"),
+			socketMode:      "0770",
+			wantErr:         false,
+			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
+		},
+		{
+			name:            "tcp",
+			network:         "tcp",
+			address:         ":0",
+			wantErr:         false,
+			socketURLPrefix: "http://localhost:",
+		},
+		{
+			name:            "udp",
+			network:         "udp",
+			address:         ":0",
+			wantErr:         true,
+			socketURLPrefix: "http://localhost:",
+		},
+		{
+			name:            "unix socket",
+			network:         "unix",
+			socketMode:      "0770",
+			address:         filepath.Join(td, "a"),
+			wantErr:         false,
+			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
+		},
+		{
+			name:            "invalid socket mode",
+			network:         "unix",
+			socketMode:      "taco bell",
+			address:         filepath.Join(td, "a"),
+			wantErr:         true,
+			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
+		},
+		{
+			name:            "empty socket mode",
+			network:         "unix",
+			socketMode:      "",
+			address:         filepath.Join(td, "a"),
+			wantErr:         true,
+			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			ln, socketURL, err := SetupListener(tt.network, tt.address, tt.socketMode)
+			switch {
+			case tt.wantErr && err == nil:
+				t.Errorf("SetupListener(%q, %q, %q) should have errored but did not", tt.network, tt.address, tt.socketMode)
+			case !tt.wantErr && err != nil:
+				t.Fatalf("SetupListener(%q, %q, %q) threw an error: %v", tt.network, tt.address, tt.socketMode, err)
+			}
+
+			if ln != nil {
+				defer ln.Close()
+			}
+
+			if !tt.wantErr && !strings.HasPrefix(socketURL, tt.socketURLPrefix) {
+				t.Errorf("SetupListener(%q, %q, %q) should have returned a URL with prefix %q but got: %q", tt.network, tt.address, tt.socketMode, tt.socketURLPrefix, socketURL)
+			}
+
+			if tt.socketMode != "" {
+				mode, err := strconv.ParseUint(tt.socketMode, 8, 0)
+				if err != nil {
+					return
+				}
+
+				sockPath := strings.TrimPrefix(socketURL, "unix:")
+				st, err := os.Stat(sockPath)
+				if err != nil {
+					t.Fatalf("can't os.Stat(%q): %v", sockPath, err)
+				}
+
+				if st.Mode().Perm() != fs.FileMode(mode) {
+					t.Errorf("file mode of %q should be %s but is actually %s", sockPath, strconv.FormatUint(mode, 8), strconv.FormatUint(uint64(st.Mode()), 8))
+				}
+			}
+		})
+	}
+}
@@ -141,7 +141,7 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 		return nil, err
 	}

-	lg.Info("new challenge issued", "challenge", id.String(), "method", chall.Method)
+	lg.Info("new challenge issued", "challenge", id.String())

 	return &chall, err
 }
@@ -7,12 +7,13 @@ import (

 templ page(localizer *localization.SimpleLocalizer) {
 	<div class="centered-div">
-		<img style="display:none;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
-		<div id="app">
-			<img style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
-			<p id="status">{ localizer.T("loading") }</p>
-		</div>
+		<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+		<img style="display:none;" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
+		<p id="status">{ localizer.T("loading") }</p>
 		<script async type="module" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
+		<div id="progress" role="progressbar" aria-labelledby="status">
+			<div class="bar-inner"></div>
+		</div>
 		<details>
 			if anubis.UseSimplifiedExplanation {
 				<p>
@@ -34,27 +34,27 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			templ_7745c5c3_Var1 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 1, "<div class=\"centered-div\"><img style=\"display:none;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 1, "<div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var2 string
-		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 138}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 165}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 2, "\"><div id=\"app\"><img style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 2, "\"> <img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var3 string
-		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 12, Col: 155}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 11, Col: 174}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
 		if templ_7745c5c3_Err != nil {
@@ -67,26 +67,26 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 		var templ_7745c5c3_Var4 string
 		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("loading"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 42}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 12, Col: 41}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 4, "</p></div><script async type=\"module\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 4, "</p><script async type=\"module\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var5 string
 		templ_7745c5c3_Var5, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 15, Col: 136}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 136}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var5))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 5, "\"></script><details>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 5, "\"></script><div id=\"progress\" role=\"progressbar\" aria-labelledby=\"status\"><div class=\"bar-inner\"></div></div><details>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -98,7 +98,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var6 string
 			templ_7745c5c3_Var6, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("simplified_explanation"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 19, Col: 44}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 20, Col: 44}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var6))
 			if templ_7745c5c3_Err != nil {
@@ -116,7 +116,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var7 string
 			templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("ai_companies_explanation"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 23, Col: 46}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 24, Col: 46}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
 			if templ_7745c5c3_Err != nil {
@@ -129,7 +129,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var8 string
 			templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("anubis_compromise"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 26, Col: 39}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 27, Col: 39}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
 			if templ_7745c5c3_Err != nil {
@@ -142,7 +142,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var9 string
 			templ_7745c5c3_Var9, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("hack_purpose"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 29, Col: 34}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 30, Col: 34}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var9))
 			if templ_7745c5c3_Err != nil {
@@ -155,7 +155,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var10 string
 			templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("jshelter_note"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 32, Col: 35}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 33, Col: 35}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var10))
 			if templ_7745c5c3_Err != nil {
@@ -173,7 +173,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 		var templ_7745c5c3_Var11 string
 		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("javascript_required"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 38, Col: 40}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 39, Col: 40}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
 		if templ_7745c5c3_Err != nil {
@@ -19,7 +19,7 @@ import (
 var (
 	ErrNoBotRulesDefined                 = errors.New("config: must define at least one (1) bot rule")
 	ErrBotMustHaveName                   = errors.New("config.Bot: must set name")
-	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex, headers_regex, or remote_addresses")
+	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set one of user_agent_regex, path_regex, headers_regex, remote_addresses, expression, or Thoth keyword")
 	ErrBotMustHaveUserAgentOrPathNotBoth = errors.New("config.Bot: must set either user_agent_regex, path_regex, and not both")
 	ErrUnknownAction                     = errors.New("config.Bot: unknown action")
 	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
@@ -334,6 +334,7 @@ type fileConfig struct {
 	DNSBL       bool                `json:"dnsbl"`
 	DNSTTL      DnsTTL              `json:"dns_ttl"`
 	Logging     *Logging            `json:"logging"`
+	Metrics     *Metrics            `json:"metrics,omitempty"`
 }

 func (c *fileConfig) Valid() error {
@@ -375,6 +376,12 @@ func (c *fileConfig) Valid() error {
 		}
 	}

+	if c.Metrics != nil {
+		if err := c.Metrics.Valid(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	if len(errs) != 0 {
 		return fmt.Errorf("config is not valid:\n%w", errors.Join(errs...))
 	}
@@ -417,6 +424,7 @@ func Load(fin io.Reader, fname string) (*Config, error) {
 		StatusCodes: c.StatusCodes,
 		Store:       c.Store,
 		Logging:     c.Logging,
+		Metrics:     c.Metrics,
 	}

 	if c.OpenGraph.TimeToLive != "" {
@@ -508,6 +516,7 @@ type Config struct {
 	Logging     *Logging
 	DNSBL       bool
 	DNSTTL      DnsTTL
+	Metrics     *Metrics
 }

 func (c Config) Valid() error {
@@ -0,0 +1,54 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+)
+
+var (
+	ErrInvalidMetricsConfig     = errors.New("config: invalid metrics configuration")
+	ErrNoMetricsBind            = errors.New("config.Metrics: must define bind")
+	ErrNoMetricsNetwork         = errors.New("config.Metrics: must define network")
+	ErrNoMetricsSocketMode      = errors.New("config.Metrics: must define socket mode when using unix sockets")
+	ErrInvalidMetricsSocketMode = errors.New("config.Metrics: invalid unix socket mode")
+	ErrInvalidMetricsNetwork    = errors.New("config.Metrics: invalid metrics network")
+)
+
+type Metrics struct {
+	Bind       string `json:"bind" yaml:"bind"`
+	Network    string `json:"network" yaml:"network"`
+	SocketMode string `json:"socketMode" yaml:"socketMode"`
+}
+
+func (m *Metrics) Valid() error {
+	var errs []error
+
+	if m.Bind == "" {
+		errs = append(errs, ErrNoMetricsBind)
+	}
+
+	if m.Network == "" {
+		errs = append(errs, ErrNoMetricsNetwork)
+	}
+
+	switch m.Network {
+	case "tcp", "tcp4", "tcp6": // https://pkg.go.dev/net#Listen
+	case "unix":
+		if m.SocketMode == "" {
+			errs = append(errs, ErrNoMetricsSocketMode)
+		}
+
+		if _, err := strconv.ParseUint(m.SocketMode, 8, 0); err != nil {
+			errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidMetricsSocketMode, err))
+		}
+	default:
+		errs = append(errs, ErrInvalidMetricsNetwork)
+	}
+
+	if len(errs) != 0 {
+		return errors.Join(ErrInvalidMetricsConfig, errors.Join(errs...))
+	}
+
+	return nil
+}
@@ -0,0 +1,87 @@
+package config
+
+import (
+	"errors"
+	"testing"
+)
+
+func TestMetricsValid(t *testing.T) {
+	for _, tt := range []struct {
+		name  string
+		input *Metrics
+		err   error
+	}{
+		{
+			name: "basic TCP",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp",
+			},
+		},
+		{
+			name: "basic TCP4",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp4",
+			},
+		},
+		{
+			name: "basic TCP6",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp6",
+			},
+		},
+		{
+			name: "basic unix",
+			input: &Metrics{
+				Bind:       "/tmp/anubis-metrics.sock",
+				Network:    "unix",
+				SocketMode: "0770",
+			},
+		},
+		{
+			name:  "no bind",
+			input: &Metrics{},
+			err:   ErrNoMetricsBind,
+		},
+		{
+			name:  "no network",
+			input: &Metrics{},
+			err:   ErrNoMetricsNetwork,
+		},
+		{
+			name: "no unix socket mode",
+			input: &Metrics{
+				Bind:    "/tmp/anubis-metrics.sock",
+				Network: "unix",
+			},
+			err: ErrNoMetricsSocketMode,
+		},
+		{
+			name: "invalid unix socket mode",
+			input: &Metrics{
+				Bind:       "/tmp/anubis-metrics.sock",
+				Network:    "unix",
+				SocketMode: "taco bell",
+			},
+			err: ErrInvalidMetricsSocketMode,
+		},
+		{
+			name: "invalid network",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "taco",
+			},
+			err: ErrInvalidMetricsNetwork,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
+				t.Logf("wanted error: %v", tt.err)
+				t.Logf("got error:    %v", err)
+				t.Error("validation failed")
+			}
+		})
+	}
+}
@@ -0,0 +1,3 @@
+metrics:
+  bind: ":9090"
+  network: taco
@@ -5,5 +5,9 @@
      "remote_addresses": ["0.0.0.0/0", "::/0"],
      "action": "ALLOW"
    }
-  ]
+  ],
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -4,3 +4,7 @@ bots:
      - "0.0.0.0/0"
      - "::/0"
    action: ALLOW
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -8,5 +8,9 @@
      "action": "DENY"
    }
  ],
-  "dnsbl": false
+  "dnsbl": false,
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -3,3 +3,7 @@ bots:
    headers_regex:
      CF-Worker: .*
    action: DENY
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -4,3 +4,7 @@ bots:
    asns:
      match:
        - 13335 # Cloudflare
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -5,5 +5,9 @@
      "user_agent_regex": "Mozilla",
      "action": "CHALLENGE"
    }
-  ]
+  ],
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -2,3 +2,7 @@ bots:
  - name: generic-browser
    user_agent_regex: Mozilla
    action: CHALLENGE
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -6,3 +6,7 @@ bots:
  - name: "test"
    user_agent_regex: ".*"
    action: "DENY"
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -6,3 +6,7 @@ bots:
        - '"Accept" in headers'
        - headers["Accept"].contains("text/html")
        - randInt(1) == 0
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -6,5 +6,9 @@
      "action": "DENY"
    }
  ],
-  "dnsbl": false
+  "dnsbl": false,
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -2,3 +2,7 @@ bots:
  - name: everything
    user_agent_regex: .*
    action: DENY
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -4,3 +4,7 @@ bots:
    geoip:
      countries:
        - US
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -10,5 +10,9 @@
        ]
      }
    }
-  ]
+  ],
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -6,3 +6,7 @@ bots:
        - userAgent.startsWith("git/") || userAgent.contains("libgit")
        - >
          "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -3,5 +3,9 @@
    {
      "import": "./testdata/hack-test.json"
    }
-  ]
+  ],
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -1,2 +1,6 @@
 bots:
  - import: ./testdata/hack-test.yaml
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -3,5 +3,9 @@
    {
      "import": "(data)/common/keep-internet-working.yaml"
    }
-  ]
+  ],
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -1,2 +1,6 @@
 bots:
  - import: (data)/common/keep-internet-working.yaml
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -8,3 +8,7 @@ impressum:
  page:
    title: Test
    body: <p>This is a test</p>
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -13,3 +13,7 @@ logs:
    oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
    compress: true
    useLocalTime: false # timezone for rotated files is UTC
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -5,3 +5,7 @@ bots:

 logging:
  sink: "stdio"
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -6,3 +6,7 @@ bots:
      adjust: 5

 thresholds: []
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -75,5 +75,9 @@
      "user_agent_regex": "Mozilla",
      "action": "CHALLENGE"
    }
-  ]
+  ],
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
+  }
 }
@@ -10,3 +10,7 @@ openGraph:
  default:
    "og:title": "Xe's magic land of fun"
    "og:description": "We're no strangers to love, you know the rules and so do I"
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -4,3 +4,7 @@ bots:
    user_agent_regex: Mozilla
    weight:
      adjust: 5
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -9,5 +9,9 @@
  "status_codes": {
    "CHALLENGE": 200,
    "DENY": 200
+  },
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
  }
 }
@@ -6,3 +6,7 @@ bots:
 status_codes:
  CHALLENGE: 200
  DENY: 200
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -9,5 +9,9 @@
  "status_codes": {
    "CHALLENGE": 403,
    "DENY": 403
+  },
+  "metrics": {
+    "bind": ":9090",
+    "network": "tcp"
  }
 }
@@ -6,3 +6,7 @@ bots:
 status_codes:
  CHALLENGE: 403
  DENY: 403
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -33,3 +33,7 @@ thresholds:
    challenge:
      algorithm: fast
      difficulty: 4
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -2,3 +2,7 @@ bots:
  - name: weight
    action: WEIGH
    user_agent_regex: Mozilla
+
+metrics:
+  bind: ":9090"
+  network: "tcp"
@@ -0,0 +1,66 @@
+{
+  "loading": "Зареждане...",
+  "why_am_i_seeing": "Защо виждам това?",
+  "protected_by": "Защитено от",
+  "protected_from": "От",
+  "made_with": "Направено с ❤️ в 🇨🇦",
+  "mascot_design": "Дизайн на талисмана от",
+  "ai_companies_explanation": "Виждате това, защото администраторът на този уебсайт е kонфигурирал Anubis, за да защити сървъра от агресивното събиране на данни от компании, занимаващи се с изкуствен интелект. Това може и причинява прекъсвания на уебсайтовете, което прави техните ресурси недостъпни за всички.",
+  "anubis_compromise": "Anubis е компромис. Anubis използва схема за ддоказателство-за-работа по подобие на Hashcash, предложена схема за доказателство-за-работа за намаляване на спама в имейлите. Идеята е, че при индивидуални мащаби допълнителното натоварване е пренебрежимо, но при масов ниво на събиране на данни то се натрупва и прави събирането на данни много по-скъпо.",
+  "hack_purpose": "В крайна сметка, това е временно решение, за да се отдели повече време за идентифициране и разпознаване на безглави браузъри (например чрез това как те рендират шрифтовете), така че страницата за доказателство-за-работа да не се налага да се показва на потребители, които е по-вероятно да са легитимни.",
+  "simplified_explanation": "Това е мярка срещу ботове и злонамерени заявки, подобна на CAPTCHA. Вместо да трябва да правите нещо сами, браузърът ви получава задача за изчисление, която трябва да реши, за да се увери, че е валиден клиент. Тази концепция се нарича схема доказателство-за-работа. Задачата се изчислява за няколко секунди и ви се дава достъп до уебсайта. Благодаря ви за разбирането и търпението.",
+  "jshelter_note": "Моля, имайте предвид, че Anubis изисква използването на модерни функции на JavaScript, сред които и като JShelter ще деактивират. Моля, деактивирайте JShelter или други подобни добавки за този домейн.",
+  "version_info": "Този уебсайт използва версия на Anubis",
+  "try_again": "Опитайте отново",
+  "go_home": "Отидете на началната страница",
+  "contact_webmaster": "или ако смятате, че не трябва да бъдете блокирани, моля свържете се с уебмастъра на",
+  "connection_security": "Моля, изчакайте, докато се уверим в сигурността на връзката ви",
+  "javascript_required": "За съжаление, трябва да включите JavaScript, за да минете през това предизвикателство. Това е необходимо, защото компаниите за изкуствен интелект промениха социалния договор около начина на хостинг на уебсайтове. Решение без JavaScript е в процес на разработка.",
+  "benchmark_requires_js": "За да използвате инструмента за тестване, е необходимо да включите JavaScript.",
+  "difficulty": "Трудност:",
+  "algorithm": "Алгоритъм:",
+  "compare": "Сравни:",
+  "time": "Време",
+  "iters": "Итерации",
+  "time_a": "Време А",
+  "iters_a": "Итерации А",
+  "time_b": "Време Б",
+  "iters_b": "Итерации Б",
+  "static_check_endpoint": "Това е просто краен пункт за проверка, който да използва обратният ви прокси.",
+  "authorization_required": "Изисква се авторизация",
+  "cookies_disabled": "Браузърът ви е настроен да деактивира бисквитките. Anubis изисква бисквитки за законния интерес да се увери, че сте валиден клиент. Моля, включете бисквитките за този домейн",
+  "access_denied": "Достъпът е отказан: код на грешка",
+  "dronebl_entry": "DroneBL докладва запис",
+  "see_dronebl_lookup": "вижте",
+  "internal_server_error": "Вътрешна сървърна грешка: администраторът е грешно конфигурирал Anubis. Моля, свържете се с администратора и ги помолете да проверят логовете около",
+  "invalid_redirect": "Невалидно пренасочване",
+  "redirect_not_parseable": "URL адресът за пренасочване не може да бъде разпознат",
+  "redirect_domain_not_allowed": "Домейнът за пренасочване не е позволен",
+  "missing_required_forwarded_headers": "Липсват необходимите X-Forwarded-* заглавни части",
+  "failed_to_sign_jwt": "неуспешно подписване на JWT",
+  "invalid_invocation": "Невалидно извикване на MakeChallenge",
+  "client_error_browser": "Крешка в клиента: Моля, уверете се, че браузърът ви е актуализиран и опитайте отново по-късно.",
+  "oh_noes": "О, не!",
+  "benchmarking_anubis": "Тестване на Anubis!",
+  "you_are_not_a_bot": "Ти не си бот!",
+  "making_sure_not_bot": "Уверяваме се, че не си бот!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "Браузърът ви няма функциониращ web.crypto елемент. Гледате ли това през сигурен контекст?",
+  "js_web_workers_error": "Браузърът ви не поддържа уеб работници (Anubis използва това, за да избегне замръзване на браузъра ви). Имате ли инсталирана добавка като JShelter?",
+  "js_cookies_error": "Браузърът ви не съхранява бисквитки. Anubis използва бисквитки, за да определи които клиенти са преминали задачите, като съхранява подписан токен в бисквитка. Моля, включете съхраняването на бисквитки за този домейн. Имената на бисквитките, съхранени от Anubis, могат да се променят без предварително уведомление. Имената и стойностите на бисквитките не са част от публичния API.",
+  "js_context_not_secure": "Вашият контекст не е сигурен!",
+  "js_context_not_secure_msg": "Опитайте да се свържете чрез HTTPS или уведомете администратора да kонфигурира HTTPS. За повече информация вижте MDN.",
+  "js_calculating": "Изчисляване...",
+  "js_missing_feature": "Липсваща функция",
+  "js_challenge_error": "Грешка при задачата!",
+  "js_challenge_error_msg": "Неуспешно разрешаване на алгоритъма за проверка. Може би искате да презаредите страницата.",
+  "js_calculating_difficulty": "Изчисляване... Трудност:",
+  "js_speed": "Скорост:",
+  "js_verification_longer": "Проверката отнема повече време от очакваното. Моля, не презареждайте страницата.",
+  "js_success": "Успех!",
+  "js_done_took": "Готово! Отне",
+  "js_iterations": "итерации",
+  "js_finished_reading": "Приключих с четенето, продължете →",
+  "js_calculation_error": "Грешка при изчислението!",
+  "js_calculation_error_msg": "Неуспешно изчисление на задачата:"
+}
@@ -62,6 +62,5 @@
  "js_finished_reading": "Čtení dokončeno, pokračovat →",
  "js_calculation_error": "Chyba výpočtu!",
  "js_calculation_error_msg": "Nepodařilo se vypočítat výzvu:",
-  "missing_required_forwarded_headers": "Chybějící požadované hlavičky X-Forwarded-*",
-  "js_challenge_data_missing": "Data pro ověření chybí. Načtěte prosím stránku znovu."
+  "missing_required_forwarded_headers": "Chybějící požadované hlavičky X-Forwarded-*"
 }
@@ -1,38 +1,38 @@
 {
-  "loading": "Ladevorgang...",
+  "loading": "Wird geladen …",
  "why_am_i_seeing": "Warum sehe ich diese Seite?",
  "protected_by": "Geschützt durch",
  "protected_from": "Von",
  "made_with": "Mit ❤️ entwickelt in 🇨🇦",
-  "mascot_design": "Maskottchen erstellt von",
-  "ai_companies_explanation": "Diese Seite wird angezeigt, da der Betreiber der Website Anubis eingerichtet hat, um sie vor aggressiven Webcrawlern von KI-Unternehmen zu schützen. Diese können Ausfälle verursachen, wodurch die Website für niemanden erreichbar ist.",
-  "anubis_compromise": "Anubis stellt einen Kompromiss dar. Es verwendet eine Proof-of-Work-Methode nach dem Hashcash-Prinzip, das ursprünglich zur Bekämpfung von E-Mail-Spam entwickelt wurde. Die Idee dahinter: Für einen einzelnen Besucher ist die Verzögerung vernachlässigbar, aber massenhaftes Scraping wird dadurch aufwändig und teuer.",
-  "hack_purpose": "Letztendlich ist dies eine Übergangslösung, um mehr Zeit für Browser-Fingerprinting und die Identifizierung von Headless-Browsern (z. B. anhand ihrer Schriftwiedergabe) zu gewinnen. So muss die Proof-of-Work-Seite nicht Nutzern angezeigt werden, die sehr wahrscheinlich legitim sind.",
-  "simplified_explanation": "Dies ist eine Maßnahme gegen Bots und bösartige Anfragen, ähnlich einem CAPTCHA. Anstatt jedoch selbst arbeiten zu müssen, erhält dein Browser eine Rechenaufgabe, um sicherzustellen, dass es sich um einen gültigen Client handelt. Dieses Konzept nennt sich <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Die Aufgabe wird in wenigen Sekunden berechnet und du erhältst Zugriff auf die Website. Danke für deine Geduld.",
-  "jshelter_note": "Anubis benötigt moderne JavaScript-Features, die von Plugins wie JShelter deaktiviert werden. Bitte deaktiviere JShelter oder ähnliche Plugins für diese Domain.",
-  "version_info": "Diese Website läuft mit Anubis-Version",
+  "mascot_design": "Maskottchen entworfen von",
+  "ai_companies_explanation": "Diese Seite wird angezeigt, weil der Betreiber dieser Website Anubis eingerichtet hat, um den Server vor aggressivem Scraping durch KI-Unternehmen zu schützen. Dieses Scraping kann Ausfälle verursachen, wodurch die Website für niemanden erreichbar ist.",
+  "anubis_compromise": "Anubis ist ein Kompromiss. Es verwendet ein Proof-of-Work-Verfahren nach dem Vorbild von Hashcash, das ursprünglich zur Reduzierung von E-Mail-Spam entwickelt wurde. Die Idee dahinter ist, dass die zusätzliche Last für einzelne Nutzer vernachlässigbar ist, sich aber auf der Ebene von Massen-Scrapern summiert und das Scraping deutlich teurer macht.",
+  "hack_purpose": "Letztlich ist dies eine Übergangslösung, damit mehr Zeit in das Fingerprinting und die Erkennung von Headless-Browsern investiert werden kann (z. B. anhand ihrer Schriftart-Darstellung), sodass die Proof-of-Work-Seite Nutzern, die mit hoher Wahrscheinlichkeit legitim sind, nicht mehr angezeigt werden muss.",
+  "simplified_explanation": "Dies ist eine Schutzmaßnahme gegen Bots und schädliche Anfragen, ähnlich einem CAPTCHA. Anstatt selbst eine Aufgabe lösen zu müssen, bekommt dein Browser eine Rechenaufgabe, die er lösen muss, um sicherzustellen, dass es sich um einen gültigen Client handelt. Dieses Konzept nennt sich <a href=\"https://de.wikipedia.org/wiki/Proof_of_Work\">Proof of Work</a>. Die Aufgabe wird innerhalb weniger Sekunden berechnet und du erhältst Zugang zur Website. Danke für dein Verständnis und deine Geduld.",
+  "jshelter_note": "Anubis benötigt moderne JavaScript-Funktionen, die von Plugins wie JShelter deaktiviert werden. Bitte deaktiviere JShelter oder ähnliche Plugins für diese Domain.",
+  "version_info": "Diese Website nutzt Anubis Version",
  "try_again": "Erneut versuchen",
  "go_home": "Zur Startseite",
-  "contact_webmaster": "Falls du glaubst, dass es sich um einen Fehler handelt, kontaktiere bitte den Administrator unter",
-  "connection_security": "Bitte warte einen Moment, während wir die Sicherheit deiner Verbindung prüfen.",
-  "javascript_required": "Du musst JavaScript aktivieren, um diese Prüfung durchführen zu können. Dies ist notwendig, da KI-Unternehmen die bisherigen Regeln für das Hosting von Websites nicht mehr respektieren. Eine Lösung ohne JavaScript ist in Entwicklung.",
-  "benchmark_requires_js": "Für die Nutzung des Benchmark-Tools muss JavaScript aktiviert sein.",
+  "contact_webmaster": "oder kontaktiere den Webmaster unter, falls du glaubst, dass du nicht blockiert werden solltest:",
+  "connection_security": "Bitte warte einen Moment, während wir die Sicherheit deiner Verbindung überprüfen.",
+  "javascript_required": "Du musst JavaScript aktivieren, um diese Prüfung zu bestehen. Dies ist notwendig, da KI-Unternehmen den Gesellschaftsvertrag rund um Webhosting verändert haben. Eine Lösung ohne JavaScript ist in Arbeit.",
+  "benchmark_requires_js": "Für das Benchmark-Tool muss JavaScript aktiviert sein.",
  "difficulty": "Schwierigkeit:",
  "algorithm": "Algorithmus:",
-  "compare": "Vergleich:",
+  "compare": "Vergleichen:",
  "time": "Zeit",
  "iters": "Iterationen",
  "time_a": "Zeit A",
  "iters_a": "Iterationen A",
  "time_b": "Zeit B",
  "iters_b": "Iterationen B",
-  "static_check_endpoint": "Dies ist ein Endpunkt zur Prüfung durch einen Reverse-Proxy.",
+  "static_check_endpoint": "Dies ist nur ein Prüf-Endpunkt für deinen Reverse-Proxy.",
  "authorization_required": "Autorisierung erforderlich",
-  "cookies_disabled": "Cookies sind in deinem Browser deaktiviert. Anubis benötigt Cookies, um sicherzustellen, dass es sich um einen legitimen Zugriff handelt. Bitte aktiviere Cookies für diese Domain.",
-  "access_denied": "Zugriff verweigert – Fehlercode",
-  "dronebl_entry": "Eintrag in DroneBL",
+  "cookies_disabled": "Cookies sind in deinem Browser deaktiviert. Anubis benötigt Cookies im berechtigten Interesse, sicherzustellen, dass es sich um einen gültigen Client handelt. Bitte aktiviere Cookies für diese Domain.",
+  "access_denied": "Zugriff verweigert: Fehlercode",
+  "dronebl_entry": "DroneBL hat einen Eintrag gemeldet",
  "see_dronebl_lookup": "anzeigen",
-  "internal_server_error": "Interner Serverfehler: Der Administrator hat Anubis fehlerhaft konfiguriert. Bitte kontaktiere den Administrator und bitte ihn, die Logs zu prüfen.",
+  "internal_server_error": "Interner Serverfehler: Der Administrator hat Anubis fehlerhaft konfiguriert. Bitte kontaktiere den Administrator und bitte ihn, die Logs im Zeitraum um folgenden Zeitpunkt zu prüfen:",
  "invalid_redirect": "Ungültige Weiterleitung",
  "redirect_not_parseable": "Weiterleitungs-URL kann nicht verarbeitet werden",
  "redirect_domain_not_allowed": "Weiterleitungs-Domain nicht erlaubt",
@@ -41,27 +41,26 @@
  "invalid_invocation": "Ungültiger Aufruf von MakeChallenge",
  "client_error_browser": "Client-Fehler: Bitte stelle sicher, dass dein Browser aktuell ist, und versuche es später erneut.",
  "oh_noes": "Oh nein!",
-  "benchmarking_anubis": "Benchmark wird durchgeführt!",
+  "benchmarking_anubis": "Anubis-Benchmark wird durchgeführt!",
  "you_are_not_a_bot": "Du bist kein Bot!",
  "making_sure_not_bot": "Dein Browser wird geprüft!",
  "celphase": "CELPHASE",
-  "js_web_crypto_error": "Dein Browser verfügt nicht über ein funktionierendes web.crypto-Element. Wird eine sichere Verbindung verwendet?",
-  "js_web_workers_error": "Dein Browser unterstützt keine Web-Worker (Anubis verwendet diese, damit der Browser nicht einfriert). Ist ein Plugin wie JShelter installiert?",
-  "js_cookies_error": "Dein Browser speichert keine Cookies. Anubis verwendet Cookies, um nach bestandener Prüfung ein signiertes Token abzulegen. Bitte aktiviere Cookies für diese Domain. Die Cookie-Namen von Anubis können sich jederzeit ändern. Cookie-Namen und gespeicherte Werte sind nicht Teil der öffentlichen API.",
+  "js_web_crypto_error": "Dein Browser verfügt nicht über ein funktionierendes web.crypto-Element. Wird diese Seite in einem sicheren Kontext angezeigt?",
+  "js_web_workers_error": "Dein Browser unterstützt keine Web Workers (Anubis verwendet diese, damit dein Browser nicht einfriert). Hast du ein Plugin wie JShelter installiert?",
+  "js_cookies_error": "Dein Browser speichert keine Cookies. Anubis verwendet Cookies, um nach bestandener Prüfung ein signiertes Token abzulegen. Bitte aktiviere Cookies für diese Domain. Die Cookie-Namen von Anubis können sich jederzeit ohne Vorankündigung ändern. Cookie-Namen und -Werte sind nicht Teil der öffentlichen API.",
  "js_context_not_secure": "Diese Verbindung ist nicht sicher!",
-  "js_context_not_secure_msg": "Bitte versuche, dich über HTTPS zu verbinden, oder weise den Administrator darauf hin, HTTPS einzurichten. Mehr Informationen: <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
-  "js_calculating": "Berechnung läuft...",
+  "js_context_not_secure_msg": "Versuche, dich über HTTPS zu verbinden, oder informiere den Administrator, HTTPS einzurichten. Weitere Informationen unter <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_calculating": "Berechnung läuft …",
  "js_missing_feature": "Fehlendes Feature",
  "js_challenge_error": "Prüfung fehlgeschlagen!",
-  "js_challenge_error_msg": "Der Prüf-Algorithmus konnte nicht geladen werden. Bitte lade die Seite neu.",
-  "js_calculating_difficulty": "Berechnung läuft...<br/>Schwierigkeit:",
+  "js_challenge_error_msg": "Der Prüfalgorithmus konnte nicht aufgelöst werden. Bitte lade die Seite neu.",
+  "js_calculating_difficulty": "Berechnung läuft …<br/>Schwierigkeit:",
  "js_speed": "Geschwindigkeit:",
-  "js_verification_longer": "Die Prüfung dauert länger als erwartet. Bitte warte und lade die Seite nicht neu.",
-  "js_success": "Erfolgreich!",
+  "js_verification_longer": "Die Verifizierung dauert länger als erwartet. Bitte bleibe auf der Seite und lade sie nicht neu.",
+  "js_success": "Geschafft!",
  "js_done_took": "Fertig! Dauer:",
  "js_iterations": "Iterationen",
-  "js_finished_reading": "Fertig gelesen – weiter zur Seite →",
+  "js_finished_reading": "Fertig gelesen, weiter zur Seite →",
  "js_calculation_error": "Berechnungsfehler!",
-  "js_calculation_error_msg": "Fehler bei der Berechnung der Prüfung:",
-  "js_challenge_data_missing": "Die Prüfungsdaten fehlen. Bitte laden Sie die Seite neu."
+  "js_calculation_error_msg": "Fehler bei der Berechnung der Prüfung:"
 }
@@ -62,6 +62,5 @@
  "js_iterations": "iterations",
  "js_finished_reading": "I've finished reading, continue →",
  "js_calculation_error": "Calculation error!",
-  "js_calculation_error_msg": "Failed to calculate challenge:",
-  "js_challenge_data_missing": "Challenge data is missing. Please reload the page."
+  "js_calculation_error_msg": "Failed to calculate challenge:"
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "¡Error de cálculo!",
  "js_calculation_error_msg": "Falló al calcular el desafío:",
  "missing_required_forwarded_headers": "Faltan los encabezados X-Forwarded-* requeridos",
-  "simplified_explanation": "Esta es una medida contra bots y solicitudes maliciosas similar a un CAPTCHA. Sin embargo, en lugar de tener que hacer el trabajo usted mismo, a su navegador se le asigna una tarea de cálculo que debe resolver para garantizar que es un cliente válido. Este concepto se llama <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Prueba de trabajo</a>. La tarea se calcula en unos segundos y se le concede acceso al sitio web. Gracias por su comprensión y paciencia.",
-  "js_challenge_data_missing": "Faltan los datos del desafío. Por favor, recargue la página."
+  "simplified_explanation": "Esta es una medida contra bots y solicitudes maliciosas similar a un CAPTCHA. Sin embargo, en lugar de tener que hacer el trabajo usted mismo, a su navegador se le asigna una tarea de cálculo que debe resolver para garantizar que es un cliente válido. Este concepto se llama <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Prueba de trabajo</a>. La tarea se calcula en unos segundos y se le concede acceso al sitio web. Gracias por su comprensión y paciencia."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Arvutamise viga!",
  "js_calculation_error_msg": "Ei suutnud kontrolli arvutada:",
  "missing_required_forwarded_headers": "Puuduvad nõutud X-Forwarded-* päised",
-  "simplified_explanation": "See on meede robotite ja pahatahtlike päringute vastu, mis sarnaneb CAPTCHA-le. Kuid selle asemel, et peaksite ise tööd tegema, antakse teie brauserile arvutusülesanne, mille see peab lahendama, et tagada selle kehtivus kliendina. Seda kontseptsiooni nimetatakse <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Töötõendiks</a>. Ülesanne arvutatakse mõne sekundiga ja teile antakse juurdepääs veebisaidile. Täname teid mõistva suhtumise ja kannatlikkuse eest.",
-  "js_challenge_data_missing": "Kontrollülesande andmed puuduvad. Palun laadige leht uuesti."
+  "simplified_explanation": "See on meede robotite ja pahatahtlike päringute vastu, mis sarnaneb CAPTCHA-le. Kuid selle asemel, et peaksite ise tööd tegema, antakse teie brauserile arvutusülesanne, mille see peab lahendama, et tagada selle kehtivus kliendina. Seda kontseptsiooni nimetatakse <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Töötõendiks</a>. Ülesanne arvutatakse mõne sekundiga ja teile antakse juurdepääs veebisaidile. Täname teid mõistva suhtumise ja kannatlikkuse eest."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Laskentavirhe!",
  "js_calculation_error_msg": "Haasteen laskenta ei onnistunut:",
  "missing_required_forwarded_headers": "Puuttuvat vaaditut X-Forwarded-* otsikot",
-  "simplified_explanation": "Tämä on toimenpide botteja ja haitallisia pyyntöjä vastaan, joka on samanlainen kuin CAPTCHA. Sen sijaan, että joutuisit tekemään työtä itse, selaimesi saa laskentatehtävän, joka sen on ratkaistava varmistaakseen, että se on kelvollinen asiakas. Tätä käsitettä kutsutaan nimellä <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Työtodistus</a>. Tehtävä lasketaan muutamassa sekunnissa ja saat pääsyn verkkosivustolle. Kiitos ymmärryksestäsi ja kärsivällisyydestäsi.",
-  "js_challenge_data_missing": "Haastetiedot puuttuvat. Lataa sivu uudelleen."
+  "simplified_explanation": "Tämä on toimenpide botteja ja haitallisia pyyntöjä vastaan, joka on samanlainen kuin CAPTCHA. Sen sijaan, että joutuisit tekemään työtä itse, selaimesi saa laskentatehtävän, joka sen on ratkaistava varmistaakseen, että se on kelvollinen asiakas. Tätä käsitettä kutsutaan nimellä <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Työtodistus</a>. Tehtävä lasketaan muutamassa sekunnissa ja saat pääsyn verkkosivustolle. Kiitos ymmärryksestäsi ja kärsivällisyydestäsi."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Error sa pagkalkula!",
  "js_calculation_error_msg": "Nabigong ikalkula ang hamon:",
  "missing_required_forwarded_headers": "Nawawala ang kinakailangang X-Forwarded-* na mga header",
-  "simplified_explanation": "Ito ay isang panukala laban sa mga bot at malisyosong mga kahilingan na katulad ng isang CAPTCHA. Gayunpaman, sa halip na ikaw mismo ang gumawa ng trabaho, binibigyan ang iyong browser ng isang gawain sa pagkalkula na kailangan nitong lutasin upang matiyak na ito ay isang wastong kliyente. Ang konseptong ito ay tinatawag na <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Ang gawain ay kinakalkula sa loob ng ilang segundo at binibigyan ka ng access sa website. Salamat sa iyong pag-unawa at pasensya.",
-  "js_challenge_data_missing": "Nawawala ang data ng hamon. Mangyaring i-reload ang pahina."
+  "simplified_explanation": "Ito ay isang panukala laban sa mga bot at malisyosong mga kahilingan na katulad ng isang CAPTCHA. Gayunpaman, sa halip na ikaw mismo ang gumawa ng trabaho, binibigyan ang iyong browser ng isang gawain sa pagkalkula na kailangan nitong lutasin upang matiyak na ito ay isang wastong kliyente. Ang konseptong ito ay tinatawag na <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Ang gawain ay kinakalkula sa loob ng ilang segundo at binibigyan ka ng access sa website. Salamat sa iyong pag-unawa at pasensya."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Erreur de calcul !",
  "js_calculation_error_msg": "Échec du calcul du défi :",
  "missing_required_forwarded_headers": "En-têtes X-Forwarded-* manquants",
-  "simplified_explanation": "Ceci est une mesure contre les robots et les requêtes malveillantes, similaire à un CAPTCHA. Cependant, au lieu d'avoir à faire le travail vous-même, votre navigateur se voit confier une tâche de calcul qu'il doit résoudre pour confirmer qu'il est un client valide. Ce concept est nommé <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Preuve de travail</a>. La tâche s'effectue en quelques secondes, puis vous avez accès au site Web. Merci pour votre compréhension et votre patience.",
-  "js_challenge_data_missing": "Les données du défi sont manquantes. Veuillez recharger la page."
+  "simplified_explanation": "Ceci est une mesure contre les robots et les requêtes malveillantes, similaire à un CAPTCHA. Cependant, au lieu d'avoir à faire le travail vous-même, votre navigateur se voit confier une tâche de calcul qu'il doit résoudre pour confirmer qu'il est un client valide. Ce concept est nommé <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Preuve de travail</a>. La tâche s'effectue en quelques secondes, puis vous avez accès au site Web. Merci pour votre compréhension et votre patience."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Reiknivilla!",
  "js_calculation_error_msg": "Mistókst að reikna áskorun:",
  "missing_required_forwarded_headers": "Vantar nauðsynleg X-Forwarded-* hausar",
-  "simplified_explanation": "Þetta er ráðstöfun gegn vélmennum og illa meinandi beiðnum, sem virkar svipað og CAPTCHA-mennskupróf. Hins vegar; í stað þess að þurfa að vinna sjálfur, fær vafrinn þinn útreikningsverkefni sem hann þarf að leysa til að tryggja að hann sé gildur biðlari. Þetta hugtak er kallað <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Sönnun-á-vinnu</a>. Verkefnið er reiknað á nokkrum sekúndum og þú færð aðgang að vefsíðunni. Takk fyrir skilninginn og þolinmæðina.",
-  "js_challenge_data_missing": "Áskorunargögn vantar. Vinsamlegast endurhlaðið síðuna."
+  "simplified_explanation": "Þetta er ráðstöfun gegn vélmennum og illa meinandi beiðnum, sem virkar svipað og CAPTCHA-mennskupróf. Hins vegar; í stað þess að þurfa að vinna sjálfur, fær vafrinn þinn útreikningsverkefni sem hann þarf að leysa til að tryggja að hann sé gildur biðlari. Þetta hugtak er kallað <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Sönnun-á-vinnu</a>. Verkefnið er reiknað á nokkrum sekúndum og þú færð aðgang að vefsíðunni. Takk fyrir skilninginn og þolinmæðina."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Errore nel calcolo!",
  "js_calculation_error_msg": "Impossibile superare il test:",
  "missing_required_forwarded_headers": "Mancano gli header X-Forwarded-* richiesti",
-  "simplified_explanation": "Questa è una misura contro bot e richieste dannose simile a un CAPTCHA. Tuttavia, invece di dover lavorare tu stesso, al tuo browser viene assegnato un compito di calcolo che deve risolvere per garantire che sia un client valido. Questo concetto è chiamato <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Il compito viene calcolato in pochi secondi e ti viene concesso l'accesso al sito web. Grazie per la tua comprensione e pazienza.",
-  "js_challenge_data_missing": "I dati della sfida sono mancanti. Ricarica la pagina."
+  "simplified_explanation": "Questa è una misura contro bot e richieste dannose simile a un CAPTCHA. Tuttavia, invece di dover lavorare tu stesso, al tuo browser viene assegnato un compito di calcolo che deve risolvere per garantire che sia un client valido. Questo concetto è chiamato <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Il compito viene calcolato in pochi secondi e ti viene concesso l'accesso al sito web. Grazie per la tua comprensione e pazienza."
 }
@@ -9,7 +9,7 @@
  "anubis_compromise": "Anubisは妥協策です。AnubisはHashcashのようなProof-of-Work方式を採用しており、これは元々メールスパムを減らすために提案された仕組みです。個人レベルでは追加の負荷は無視できる程度ですが、大規模なスクレイピングでは負荷が積み重なり、スクレイピングのコストが大幅に増加します。",
  "hack_purpose": "最終的に、これはヘッドレスブラウザのフィンガープリントと識別に時間を費やすためのプレースホルダーソリューションです（例：フォントレンダリングの方法による）。これにより、正当なユーザーにはチャレンジのプルーフオブワークページを提示する必要がなくなります。",
  "jshelter_note": "Anubisは、JShelterのようなプラグインが無効化する最新のJavaScript機能を必要とします。このドメインではJShelterや同様のプラグインを無効にしてください。",
-  "version_info": "このウェブサイトはAnubisバージョンで動作しています",
+  "version_info": "このウェブサイトはAnubisで動作しています バージョン",
  "try_again": "再試行",
  "go_home": "ホームに戻る",
  "contact_webmaster": "もしブロックされるべきでないと思われる場合は、ウェブマスターにご連絡ください：",
@@ -62,6 +62,5 @@
  "js_calculation_error": "計算エラー！",
  "js_calculation_error_msg": "チャレンジの計算に失敗しました:",
  "missing_required_forwarded_headers": "必要な X-Forwarded-* ヘッダーがありません",
-  "simplified_explanation": "これは、CAPTCHAと同様の、ボットや悪意のあるリクエストに対する対策です。ただし、自分で作業する代わりに、ブラウザに計算タスクが与えられ、それを解決して有効なクライアントであることを確認する必要があります。この概念は<a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>と呼ばれます。タスクは数秒で計算され、ウェブサイトへのアクセスが許可されます。ご理解とご協力をお願いいたします。",
-  "js_challenge_data_missing": "チャレンジデータがありません。ページを再読み込みしてください。"
+  "simplified_explanation": "これは、CAPTCHAと同様の、ボットや悪意のあるリクエストに対する対策です。ただし、自分で作業する代わりに、ブラウザに計算タスクが与えられ、それを解決して有効なクライアントであることを確認する必要があります。この概念は<a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>と呼ばれます。タスクは数秒で計算され、ウェブサイトへのアクセスが許可されます。ご理解とご協力をお願いいたします。"
 }
@@ -36,7 +36,7 @@
  "invalid_redirect": "Netinkamas nukreipimas",
  "redirect_not_parseable": "Nukreipimo adreso nepavyko išanalizuoti",
  "redirect_domain_not_allowed": "Nukreipimo domenas neleistinas",
-  "missing_required_forwarded_headers": "Trūksta privalomų X-Forwarded-* antraščių",
+  "missing_required_forwarded_headers": "Trūksta būtinų „X-Forwarded-*“ antraščių",
  "failed_to_sign_jwt": "nepavyko pasirašyti JWT",
  "invalid_invocation": "Netinkamas kreipinys į „MakeChallenge“",
  "client_error_browser": "Problema klientinėje dalyje: įsitikinkite, jog jūsų naršyklė nepasenusi ir bandykite dar kartą.",
@@ -63,5 +63,5 @@
  "js_finished_reading": "Viską perskaičiau, tęskime →",
  "js_calculation_error": "Skaičiavimo klaida!",
  "js_calculation_error_msg": "Nepavyko įveikti iššūkio:",
-  "js_challenge_data_missing": "Trūksta iššūkio duomenų. Prašome perkrauti puslapį."
+  "missing_required_forwarded_headers": "Trūksta privalomų X-Forwarded-* antraščių"
 }
@@ -23,6 +23,7 @@
    "vi",
    "zh-CN",
    "zh-TW",
-    "sv"
+    "sv",
+    "bg"
  ]
-}
+}
@@ -62,6 +62,5 @@
  "js_calculation_error": "Beregningsfeil!",
  "js_calculation_error_msg": "Mislyktes i å beregne utfordring:",
  "missing_required_forwarded_headers": "Mangler nødvendige X-Forwarded-* header",
-  "simplified_explanation": "Dette er et tiltak mot roboter og ondsinnede forespørsler som ligner på en CAPTCHA. Men i stedet for å måtte gjøre arbeidet selv, får nettleseren din en beregningsoppgave som den må løse for å sikre at den er en gyldig klient. Dette konseptet kalles <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Oppgaven beregnes på noen få sekunder, og du får tilgang til nettstedet. Takk for din forståelse og tålmodighet.",
-  "js_challenge_data_missing": "Utfordringsdata mangler. Vennligst last inn siden på nytt."
+  "simplified_explanation": "Dette er et tiltak mot roboter og ondsinnede forespørsler som ligner på en CAPTCHA. Men i stedet for å måtte gjøre arbeidet selv, får nettleseren din en beregningsoppgave som den må løse for å sikre at den er en gyldig klient. Dette konseptet kalles <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Oppgaven beregnes på noen få sekunder, og du får tilgang til nettstedet. Takk for din forståelse og tålmodighet."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Rekenfout!",
  "js_calculation_error_msg": "Uitdaging niet berekend:",
  "missing_required_forwarded_headers": "Ontbrekende vereiste X-Forwarded-* headers",
-  "simplified_explanation": "Dit is een maatregel tegen bots en kwaadwillende verzoeken, vergelijkbaar met een CAPTCHA. In plaats van dat je zelf werk moet verrichten, krijgt je browser een rekentaak die moet worden opgelost om ervoor te zorgen dat het een geldige client is. Dit concept wordt <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a> genoemd. De taak wordt in een paar seconden berekend en u krijgt toegang tot de website. Bedankt voor je begrip en geduld.",
-  "js_challenge_data_missing": "Uitdagingsgegevens ontbreken. Herlaad de pagina."
+  "simplified_explanation": "Dit is een maatregel tegen bots en kwaadwillende verzoeken, vergelijkbaar met een CAPTCHA. In plaats van dat je zelf werk moet verrichten, krijgt je browser een rekentaak die moet worden opgelost om ervoor te zorgen dat het een geldige client is. Dit concept wordt <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a> genoemd. De taak wordt in een paar seconden berekend en u krijgt toegang tot de website. Bedankt voor je begrip en geduld."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Rekningsfeil!",
  "js_calculation_error_msg": "Mislukkast i å rekna utfordring:",
  "missing_required_forwarded_headers": "Vantande naudsynte «X-Forwarded-*»-overskrifter",
-  "simplified_explanation": "Dette er eit tiltak mot robotar og ondsinna førespurnader som liknar på ein CAPTCHA. Men i staden for å måtte gjera arbeidet sjølv, får netlesaren din ei utrekningsoppgåve som han må løysa for å stadfesta at han er ein gyldig klient. Dette konseptet vert kalla <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">arbeidsstadfesting</a>. Oppgåva vert rekna ut på nokre få sekund, og du får tilgang til nettstaden. Takk for forståinga di og tolmodet ditt.",
-  "js_challenge_data_missing": "Utfordringsdata manglar. Last inn sida på nytt."
+  "simplified_explanation": "Dette er eit tiltak mot robotar og ondsinna førespurnader som liknar på ein CAPTCHA. Men i staden for å måtte gjera arbeidet sjølv, får netlesaren din ei utrekningsoppgåve som han må løysa for å stadfesta at han er ein gyldig klient. Dette konseptet vert kalla <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">arbeidsstadfesting</a>. Oppgåva vert rekna ut på nokre få sekund, og du får tilgang til nettstaden. Takk for forståinga di og tolmodet ditt."
 }
@@ -62,6 +62,5 @@
  "js_iterations": "iteracji",
  "js_finished_reading": "Skończyłem czytać, kontynuuj →",
  "js_calculation_error": "Błąd obliczeń!",
-  "js_calculation_error_msg": "Nie udało się obliczyć zadania:",
-  "js_challenge_data_missing": "Brak danych wyzwania. Proszę odświeżyć stronę."
+  "js_calculation_error_msg": "Nie udało się obliczyć zadania:"
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Erro de cálculo!",
  "js_calculation_error_msg": "Falha ao calcular a validação:",
  "missing_required_forwarded_headers": "Faltam os cabeçalhos X-Forwarded-* obrigatórios",
-  "simplified_explanation": "Esta é uma medida contra bots e solicitações maliciosas, semelhante a um CAPTCHA. No entanto, em vez de você mesmo ter que fazer o trabalho, seu navegador recebe uma tarefa de cálculo que ele deve resolver para garantir que seja um cliente válido. Esse conceito é chamado de <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Prova de Trabalho</a>. A tarefa é calculada em poucos segundos e você tem acesso ao site. Obrigado pela sua compreensão e paciência.",
-  "js_challenge_data_missing": "Os dados do desafio estão ausentes. Por favor, recarregue a página."
+  "simplified_explanation": "Esta é uma medida contra bots e solicitações maliciosas, semelhante a um CAPTCHA. No entanto, em vez de você mesmo ter que fazer o trabalho, seu navegador recebe uma tarefa de cálculo que ele deve resolver para garantir que seja um cliente válido. Esse conceito é chamado de <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Prova de Trabalho</a>. A tarefa é calculada em poucos segundos e você tem acesso ao site. Obrigado pela sua compreensão e paciência."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Ошибка расчёта!",
  "js_calculation_error_msg": "Не удалось рассчитать задачу:",
  "missing_required_forwarded_headers": "Отсутствуют требуемые заголовки X-Forwarded-*",
-  "simplified_explanation": "Это мера против ботов и вредоносных запросов, аналогичная CAPTCHA. Однако вместо того, чтобы вам приходилось работать самостоятельно, вашему браузеру дается задача вычисления, которую он должен решить, чтобы убедиться, что он является действительным клиентом. Эта концепция называется <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Доказательство выполнения работы</a>. Задача рассчитывается за несколько секунд, и вам предоставляется доступ к веб-сайту. Спасибо за понимание и терпение.",
-  "js_challenge_data_missing": "Данные проверки отсутствуют. Пожалуйста, перезагрузите страницу."
+  "simplified_explanation": "Это мера против ботов и вредоносных запросов, аналогичная CAPTCHA. Однако вместо того, чтобы вам приходилось работать самостоятельно, вашему браузеру дается задача вычисления, которую он должен решить, чтобы убедиться, что он является действительным клиентом. Эта концепция называется <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Доказательство выполнения работы</a>. Задача рассчитывается за несколько секунд, и вам предоставляется доступ к веб-сайту. Спасибо за понимание и терпение."
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Beräkningsfel!",
  "js_calculation_error_msg": "Misslyckades att kalkylera utmaning:",
  "missing_required_forwarded_headers": "Saknar nödvändiga X-Forwarded-* headers",
-  "simplified_explanation": "Detta är en åtgärd mot botar och skadliga förfrågningar som liknar en CAPTCHA. Men i stället för att du själv måste göra jobbet får din webbläsare en beräkningsuppgift som den måste lösa för att säkerställa att den är en giltig klient. Detta koncept kallas <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Arbetsbevis</a>. Uppgiften beräknas på några sekunder och du beviljas tillgång till webbplatsen. Tack för din förståelse och ditt tålamod.",
-  "js_challenge_data_missing": "Utmaningsdata saknas. Vänligen ladda om sidan."
+  "simplified_explanation": "Detta är en åtgärd mot botar och skadliga förfrågningar som liknar en CAPTCHA. Men i stället för att du själv måste göra jobbet får din webbläsare en beräkningsuppgift som den måste lösa för att säkerställa att den är en giltig klient. Detta koncept kallas <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Arbetsbevis</a>. Uppgiften beräknas på några sekunder och du beviljas tillgång till webbplatsen. Tack för din förståelse och ditt tålamod."
 }
@@ -60,6 +60,5 @@
  "js_iterations": "รอบ",
  "js_finished_reading": "อ่านจบแล้ว ดำเนินการต่อ →",
  "js_calculation_error": "เกิดข้อผิดพลาดในการคำนวณ!",
-  "js_calculation_error_msg": "ไม่สามารถคำนวณการท้าทายได้:",
-  "js_challenge_data_missing": "ข้อมูลการท้าทายหายไป กรุณาโหลดหน้าใหม่"
+  "js_calculation_error_msg": "ไม่สามารถคำนวณการท้าทายได้:"
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "Hesaplama hatası!",
  "js_calculation_error_msg": "Zorluk hesaplaması başarısız oldu:",
  "missing_required_forwarded_headers": "Gerekli X-Forwarded-* başlıkları eksik",
-  "simplified_explanation": "Bu, botlara ve kötü niyetli isteklere karşı CAPTCHA'ya benzer bir önlemdir. Ancak, kendiniz çalışmak yerine, tarayıcınıza geçerli bir istemci olduğundan emin olmak için çözmesi gereken bir hesaplama görevi verilir. Bu kavrama <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">İş Kanıtı</a> denir. Görev birkaç saniye içinde hesaplanır ve web sitesine erişim hakkı kazanırsınız. Anlayışınız ve sabrınız için teşekkür ederiz.",
-  "js_challenge_data_missing": "Doğrulama verileri eksik. Lütfen sayfayı yeniden yükleyin."
+  "simplified_explanation": "Bu, botlara ve kötü niyetli isteklere karşı CAPTCHA'ya benzer bir önlemdir. Ancak, kendiniz çalışmak yerine, tarayıcınıza geçerli bir istemci olduğundan emin olmak için çözmesi gereken bir hesaplama görevi verilir. Bu kavrama <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">İş Kanıtı</a> denir. Görev birkaç saniye içinde hesaplanır ve web sitesine erişim hakkı kazanırsınız. Anlayışınız ve sabrınız için teşekkür ederiz."
 }
@@ -62,6 +62,5 @@
  "js_iterations": "ітерацій",
  "js_finished_reading": "Читання завершено, продовжити →",
  "js_calculation_error": "Помилка обчислення!",
-  "js_calculation_error_msg": "Не вдалося обчислити перевірку:",
-  "js_challenge_data_missing": "Дані перевірки відсутні. Будь ласка, перезавантажте сторінку."
+  "js_calculation_error_msg": "Не вдалося обчислити перевірку:"
 }
@@ -1,20 +1,20 @@
 {
-  "loading": "Đang nạp...",
-  "why_am_i_seeing": "Tại sao tôi đang thấy trang này?",
+  "loading": "Đang tải...",
+  "why_am_i_seeing": "Tại sao tôi thấy trang này?",
  "protected_by": "Bảo vệ bởi",
  "protected_from": "từ",
-  "made_with": "Tạo ra bằng ❤️ tại 🇨🇦",
-  "mascot_design": "Thiết kế mascot bởi",
-  "ai_companies_explanation": "Bạn đang thấy trang này do quản trị viên của trang web này đã thiết lập Anubis để bảo vệ máy chủ của họ khỏi quấy rầy từ những công ty AI hung hãn cóp nhặt nội dung khắp Internet. Điều này có thể và đã dẫn tới tình trạng gián đoạn hoạt động trên nhiều trang web, khiến tài nguyên tại đó nằm ngoài tầm với của mọi người.",
+  "made_with": "Lập trình bằng ❤️ ở 🇨🇦",
+  "mascot_design": "Mascot thiết kế bởi",
+  "ai_companies_explanation": "Bạn thấy trang này do quản trị viên của trang web này đã thiết lập Anubis để bảo vệ máy chủ của họ khỏi quấy rầy từ những công ty AI hung hãn cóp nhặt nội dung khắp Internet. Điều này dẫn tới tình trạng gián đoạn hoạt động trên nhiều trang web, khiến tài nguyên ở đó nằm ngoài tầm với của mọi người.",
  "anubis_compromise": "Anubis là giải pháp thỏa hiệp. Anubis sử dụng cơ chế Proof-of-Work dựa trên Hashcash, được thiết kế ban đầu để giảm bớt email spam. Ý tưởng đằng sau đó là với người dùng cá nhân phần nạp thêm sẽ không đáng kể, nhưng ở tầm mức quy mô lớn sẽ cộng dồn và dẫn tới chi phí tiêu hao hơn rất nhiều.",
-  "hack_purpose": "Chốt lại, đây cũng chỉ là giải pháp \"tạm ổn\" với mục đích thực sự là để giành thêm thời gian nhận diện và fingerprint những trình duyệt headless (VD: cách dựng font ra sao), sao cho hạn chế tối đa các yêu cầu tính toán trang thử thách Proof-of-Work tới nhóm người dùng có khả năng cao là con người hơn.",
+  "hack_purpose": "Chốt lại, đây cũng chỉ là giải pháp \"tạm ổn\" với mục đích thực sự là để giành thêm thời gian nhận diện và truy vết những trình duyệt headless (VD: cách dựng font ra sao), sao cho hạn chế tối đa các yêu cầu tính toán trang thử thách Proof-of-Work tới nhóm người dùng có khả năng cao là con người hơn.",
  "simplified_explanation": "Đây là một biện pháp chống lại bot và các yêu cầu độc hại tương tự như CAPTCHA. Tuy nhiên, thay vì bạn phải tự mình thực hiện, trình duyệt của bạn sẽ được giao một nhiệm vụ tính toán mà nó phải giải quyết để đảm bảo rằng nó là một máy khách hợp lệ. Khái niệm này được gọi là <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Bằng chứng Công việc</a>. Nhiệm vụ được tính toán trong vài giây và bạn được cấp quyền truy cập vào trang web. Cảm ơn sự thông cảm và kiên nhẫn của bạn.",
  "jshelter_note": "Vui lòng lưu ý Anubis cần sử dụng những tính năng JavaScript hiện đại mà một số phần mở rộng như JShelter sẽ tắt. Vui lòng vô hiệu hóa JShelter hoặc những phần mở rộng tương tự cho tên miền này.",
-  "version_info": "Trang web này đang chạy Anubis phiên bản",
+  "version_info": "Trang web này dùng Anubis bản",
  "try_again": "Thử lại",
  "go_home": "Về trang chủ",
  "contact_webmaster": "hoặc nếu bạn tin rằng mình không nên bị chặn, vui lòng liên hệ chủ trang web tại",
-  "connection_security": "Vui lòng chờ một chút trong khi chúng tôi kiểm tra an ninh kết nối của bạn.",
+  "connection_security": "Vui lòng chờ một chút trong lúc chúng tôi kiểm tra kết nối của bạn.",
  "javascript_required": "Rất tiếc, bạn phải bật JavaScript để vượt qua thử thách này. Điều này bắt buộc do những công ty AI đã thay đổi luật ngầm quanh việc hoạt động máy chủ web ra sao. Giải pháp không có JavaScript đang được phát triển.",
  "benchmark_requires_js": "Bắt buộc phải bật JavaScript để chạy công cụ benchmark.",
  "difficulty": "Độ khó:",
@@ -28,14 +28,14 @@
  "iters_b": "Lặp lại kiểu B",
  "static_check_endpoint": "Đây là điểm cuối cho reverse proxy của bạn sử dụng.",
  "authorization_required": "Bắt buộc xác thực",
-  "cookies_disabled": "Trình duyệt của bạn được thiết lập để vô hiệu hóa cookie. Anubis cần cookie cho mục đích chính đáng để kiểm tra chắc chắn bạn là người dùng hợp lệ. Vui lòng bật cookie cho tên miền này",
+  "cookies_disabled": "Trình duyệt của bạn đã vô hiệu hóa cookie. Anubis cần cookie cho mục đích chính đáng để kiểm tra chắc chắn bạn là người dùng hợp lệ. Vui lòng bật cookie cho tên miền này",
  "access_denied": "Truy cập bị từ chối: mã lỗi",
  "dronebl_entry": "DroneBL báo cáo truy cập",
  "see_dronebl_lookup": "xem",
-  "internal_server_error": "Lỗi máy chủ nội bộ: quản trị viên đã thiết lập sai Anubis. Vui lòng liên hệ quản trị viên và yêu cầu họ kiểm tra log",
+  "internal_server_error": "Lỗi nội bộ máy chủ: quản trị viên đã thiết lập sai Anubis. Vui lòng liên hệ quản trị viên và yêu cầu họ kiểm tra log",
  "invalid_redirect": "Điều hướng không hợp lệ",
-  "redirect_not_parseable": "Liên kết điều hướng không thể xử lý",
-  "redirect_domain_not_allowed": "Tên miền điều hướng không được phép",
+  "redirect_not_parseable": "Không thể xử lý liên kết điều hướng",
+  "redirect_domain_not_allowed": "Không được phép điều hướng tên miền",
  "missing_required_forwarded_headers": "Thiếu các tiêu đề X-Forwarded-* bắt buộc",
  "failed_to_sign_jwt": "không thể ký JWT",
  "invalid_invocation": "Gọi hàm MakeChallenge không hợp lệ",
@@ -43,7 +43,7 @@
  "oh_noes": "Ôi không!",
  "benchmarking_anubis": "Đang benchmark Anubis!",
  "you_are_not_a_bot": "Bạn không phải là bot!",
-  "making_sure_not_bot": "Đang kiểm tra bạn không phải là bot!",
+  "making_sure_not_bot": "Đảm bảo bạn không phải là bot!",
  "celphase": "CELPHASE",
  "js_web_crypto_error": "Trình duyệt của bạn không có web.crypto hoạt động. Liệu bạn có đang xem trang này với kết nối bảo mật không?",
  "js_web_workers_error": "Trình duyệt của bạn không hỗ trợ tính năng web worker (Anubis sử dụng để trình duyệt của bạn bị đơ). Bạn có cài đặt và sử dụng phần mở rộng như JShelter hay không?",
@@ -53,15 +53,14 @@
  "js_calculating": "Đang tính toán...",
  "js_missing_feature": "Thiếu tính năng",
  "js_challenge_error": "Lỗi thử thách!",
-  "js_challenge_error_msg": "Không thể xử lý thuật toán kiểm tra. Bạn nên nạp lại trang này.",
-  "js_calculating_difficulty": "Đang tính...<br/>Độ khó:",
+  "js_challenge_error_msg": "Không thể xử lý thuật toán kiểm tra. Bạn nên tải lại trang này.",
+  "js_calculating_difficulty": "Đang tính toán...<br/>Độ khó:",
  "js_speed": "Tốc độ:",
-  "js_verification_longer": "Quá trình kiểm tra đang kéo dài lâu hơn dự kiến. Vui lòng không nạp lại trang này.",
+  "js_verification_longer": "Quá trình kiểm tra hơi lâu hơn dự kiến. Vui lòng không tải lại trang này.",
  "js_success": "Thành công!",
-  "js_done_took": "Hoàn tất! Mất",
+  "js_done_took": "Xong rồi! Vào",
  "js_iterations": "lần lặp lại",
  "js_finished_reading": "Tôi đã đọc xong, tiếp tục →",
  "js_calculation_error": "Lỗi tính toán!",
-  "js_calculation_error_msg": "Không thể tính toán thử thách:",
-  "js_challenge_data_missing": "Thiếu dữ liệu thử thách. Vui lòng tải lại trang."
+  "js_calculation_error_msg": "Không thể tính toán thử thách:"
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "计算错误！",
  "js_calculation_error_msg": "计算挑战失败：",
  "missing_required_forwarded_headers": "缺少必要的 X-Forwarded-* 头",
-  "simplified_explanation": "这是一种类似于验证码的措施，用于防止机器人和恶意请求。但是，您无需自己动手，您的浏览器会收到一个计算任务，必须解决该任务以确保它是有效的客户端。这个概念称为<a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">工作量证明</a>。该任务在几秒钟内计算完毕，您将被授予访问网站的权限。感谢您的理解和耐心。",
-  "js_challenge_data_missing": "验证数据缺失。请重新加载页面。"
+  "simplified_explanation": "这是一种类似于验证码的措施，用于防止机器人和恶意请求。但是，您无需自己动手，您的浏览器会收到一个计算任务，必须解决该任务以确保它是有效的客户端。这个概念称为<a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">工作量证明</a>。该任务在几秒钟内计算完毕，您将被授予访问网站的权限。感谢您的理解和耐心。"
 }
@@ -62,6 +62,5 @@
  "js_calculation_error": "計算錯誤！",
  "js_calculation_error_msg": "計算挑戰失敗：",
  "missing_required_forwarded_headers": "缺少必要的 X-Forwarded-* 標頭",
-  "simplified_explanation": "這是一種類似於驗證碼的措施，用於防止機器人和惡意請求。但是，您無需自己動手，您的瀏覽器會收到一個計算任務，必須解決該任務以確保它是有效的客戶端。這個概念稱為<a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">工作量證明</a>。該任務在幾秒鐘內計算完畢，您將被授予訪問網站的權限。感謝您的理解和耐心。",
-  "js_challenge_data_missing": "驗證資料遺失。請重新載入頁面。"
+  "simplified_explanation": "這是一種類似於驗證碼的措施，用於防止機器人和惡意請求。但是，您無需自己動手，您的瀏覽器會收到一個計算任務，必須解決該任務以確保它是有效的客戶端。這個概念稱為<a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">工作量證明</a>。該任務在幾秒鐘內計算完畢，您將被授予訪問網站的權限。感謝您的理解和耐心。"
 }
@@ -14,7 +14,7 @@ func TestLocalizationService(t *testing.T) {
 	service := NewLocalizationService()

 	loadingStrMap := map[string]string{
-		"de":    "Ladevorgang...",
+		"de":    "Wird geladen …",
 		"en":    "Loading...",
 		"es":    "Cargando...",
 		"et":    "Laadin...",
@@ -30,10 +30,11 @@ func TestLocalizationService(t *testing.T) {
 		"tr":    "Yükleniyor...",
 		"ru":    "Загрузка...",
 		"uk":    "Завантаження...",
-		"vi":    "Đang nạp...",
+		"vi":    "Đang tải...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
 		"sv":    "Laddar...",
+		"bg":    "Зареждане...",
 	}

 	var keys []string
@@ -0,0 +1,81 @@
+package metrics
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"net/http/pprof"
+	"time"
+
+	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/lib/config"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
+)
+
+type Server struct {
+	Config *config.Metrics
+	Log    *slog.Logger
+}
+
+func (s *Server) Run(ctx context.Context, done func()) error {
+	defer done()
+	lg := s.Log.With("subsystem", "metrics")
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("GET /debug/pprof/", pprof.Index)
+	mux.HandleFunc("GET /debug/pprof/cmdline", pprof.Cmdline)
+	mux.HandleFunc("GET /debug/pprof/profile", pprof.Profile)
+	mux.HandleFunc("GET /debug/pprof/symbol", pprof.Symbol)
+	mux.HandleFunc("GET /debug/pprof/trace", pprof.Trace)
+	mux.Handle("/metrics", promhttp.Handler())
+	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
+		st, ok := internal.GetHealth("anubis")
+		if !ok {
+			slog.Error("health service anubis does not exist, file a bug")
+		}
+
+		switch st {
+		case healthv1.HealthCheckResponse_NOT_SERVING:
+			http.Error(w, "NOT OK", http.StatusInternalServerError)
+			return
+		case healthv1.HealthCheckResponse_SERVING:
+			fmt.Fprintln(w, "OK")
+			return
+		default:
+			http.Error(w, "UNKNOWN", http.StatusFailedDependency)
+			return
+		}
+	})
+
+	srv := http.Server{
+		Handler:  mux,
+		ErrorLog: internal.GetFilteredHTTPLogger(),
+	}
+
+	ln, metricsURL, err := internal.SetupListener(s.Config.Bind, s.Config.Network, s.Config.SocketMode)
+	if err != nil {
+		return fmt.Errorf("can't setup listener: %w", err)
+	}
+
+	defer ln.Close()
+
+	lg.Debug("listening for metrics", "url", metricsURL)
+
+	go func() {
+		<-ctx.Done()
+		c, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		if err := srv.Shutdown(c); err != nil {
+			lg.Error("can't shut down metrics server", "err", err)
+		}
+	}()
+
+	if err := srv.Serve(ln); !errors.Is(err, http.ErrServerClosed) {
+		return fmt.Errorf("can't serve metrics server: %w", err)
+	}
+
+	return nil
+}
@@ -0,0 +1,44 @@
+package policy
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/TecharoHQ/anubis/internal/dns"
+	"github.com/TecharoHQ/anubis/lib/config"
+	"github.com/TecharoHQ/anubis/lib/store/memory"
+)
+
+func newTestDNS(t *testing.T) *dns.Dns {
+	t.Helper()
+
+	ctx := t.Context()
+	memStore := memory.New(ctx)
+	cache := dns.NewDNSCache(300, 300, memStore)
+	return dns.New(ctx, cache)
+}
+
+func TestCELChecker_MapIterationWrappers(t *testing.T) {
+	cfg := &config.ExpressionOrList{
+		Expression: `headers.exists(k, k == "Accept") && query.exists(k, k == "format")`,
+	}
+
+	checker, err := NewCELChecker(cfg, newTestDNS(t))
+	if err != nil {
+		t.Fatalf("creating CEL checker failed: %v", err)
+	}
+
+	req, err := http.NewRequest(http.MethodGet, "https://example.com/?format=json", nil)
+	if err != nil {
+		t.Fatalf("making request failed: %v", err)
+	}
+	req.Header.Set("Accept", "application/json")
+
+	got, err := checker.Check(req)
+	if err != nil {
+		t.Fatalf("checking expression failed: %v", err)
+	}
+	if !got {
+		t.Fatal("expected expression to evaluate true")
+	}
+}
@@ -66,7 +66,9 @@ func (h HTTPHeaders) Get(key ref.Val) ref.Val {
 	return result
 }

-func (h HTTPHeaders) Iterator() traits.Iterator { panic("TODO(Xe): implement me") }
+func (h HTTPHeaders) Iterator() traits.Iterator {
+	return newMapIterator(h.Header)
+}

 func (h HTTPHeaders) IsZeroValue() bool {
 	return len(h.Header) == 0
@@ -0,0 +1,60 @@
+package expressions
+
+import (
+	"errors"
+	"maps"
+	"reflect"
+	"slices"
+
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/ref"
+	"github.com/google/cel-go/common/types/traits"
+)
+
+var ErrNotImplemented = errors.New("expressions: not implemented")
+
+type stringSliceIterator struct {
+	keys []string
+	idx  int
+}
+
+func (s *stringSliceIterator) Value() any {
+	return s
+}
+
+func (s *stringSliceIterator) ConvertToNative(typeDesc reflect.Type) (any, error) {
+	return nil, ErrNotImplemented
+}
+
+func (s *stringSliceIterator) ConvertToType(typeValue ref.Type) ref.Val {
+	return types.NewErr("can't convert from %q to %q", types.IteratorType, typeValue)
+}
+
+func (s *stringSliceIterator) Equal(other ref.Val) ref.Val {
+	return types.NewErr("can't compare %q to %q", types.IteratorType, other.Type())
+}
+
+func (s *stringSliceIterator) Type() ref.Type {
+	return types.IteratorType
+}
+
+func (s *stringSliceIterator) HasNext() ref.Val {
+	return types.Bool(s.idx < len(s.keys))
+}
+
+func (s *stringSliceIterator) Next() ref.Val {
+	if s.HasNext() != types.True {
+		return nil
+	}
+
+	val := s.keys[s.idx]
+	s.idx++
+	return types.String(val)
+}
+
+func newMapIterator(m map[string][]string) traits.Iterator {
+	return &stringSliceIterator{
+		keys: slices.Collect(maps.Keys(m)),
+		idx:  0,
+	}
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Xe Iaso	8b72ded756	chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:30:49 -04:00
Xe Iaso	439860443a	doc(default-config): add vague references to metrics server Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:28:55 -04:00
Xe Iaso	33bc4669cb	doc: add metrics server configuration docs Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:25:19 -04:00
Xe Iaso	fa5ceedf23	feat: move metrics server to a dedicated package Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:16:21 -04:00
Xe Iaso	49dcdbc49e	fix(config): add metrics socket mode Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:07:08 -04:00
Xe Iaso	578f248ce1	fix(main): use internal.SetupListener Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:00:16 -04:00
Xe Iaso	298fc0b847	feat(internal): move SetupListener from main Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 14:57:59 -04:00
Xe Iaso	8af9845117	feat(config): add metrics bind config to policy file with flag hack Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 14:05:05 -04:00
Xe Iaso	3a6e368179	Revert "ci(ssh): enable local machines again" This reverts commit `98afcf8c64`.	2026-04-18 11:30:32 -04:00
Xe Iaso	98afcf8c64	ci(ssh): enable local machines again Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-18 11:22:04 -04:00
dependabot[bot]	982394ca91	build(deps): bump the github-actions group across 1 directory with 7 updates (#1560 ) Co-authored-by: Jason Cameron <git@jasoncameron.dev>	2026-04-14 03:35:30 +00:00
dependabot[bot]	66b7b27aef	build(deps): bump the npm group across 1 directory with 5 updates (#1559 ) Co-authored-by: Jason Cameron <git@jasoncameron.dev>	2026-04-13 23:31:39 -04:00
Xe Iaso	cc07be8a9e	chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-10 21:40:03 -04:00
Xe Iaso	04f8b6b148	chore(sponsors): add qwertiko and wenet Closes: #1553 Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-10 21:36:40 -04:00
Xe Iaso	dbd64e0f4f	docs(faq): document minimum versions of browsers Anubis supports (#1540 ) * docs(faq): document minimum versions of browsers Anubis supports Closes: #1534 Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: update spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-03-24 15:59:12 +00:00
dependabot[bot]	3acf8ee387	build(deps): bump the npm group with 5 updates (#1531 ) Bumps the npm group with 5 updates: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [preact](https://github.com/preactjs/preact) \| `10.28.4` \| `10.29.0` \| \| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) \| `20.4.3` \| `20.5.0` \| \| [@commitlint/config-conventional](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/config-conventional) \| `20.4.3` \| `20.5.0` \| \| [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) \| `2.10.0` \| `2.10.8` \| \| [esbuild](https://github.com/evanw/esbuild) \| `0.27.3` \| `0.27.4` \| Updates `preact` from 10.28.4 to 10.29.0 - [Release notes](https://github.com/preactjs/preact/releases) - [Commits](https://github.com/preactjs/preact/compare/10.28.4...10.29.0) Updates `@commitlint/cli` from 20.4.3 to 20.5.0 - [Release notes](https://github.com/conventional-changelog/commitlint/releases) - [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md) - [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.0/@commitlint/cli) Updates `@commitlint/config-conventional` from 20.4.3 to 20.5.0 - [Release notes](https://github.com/conventional-changelog/commitlint/releases) - [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/config-conventional/CHANGELOG.md) - [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.0/@commitlint/config-conventional) Updates `baseline-browser-mapping` from 2.10.0 to 2.10.8 - [Release notes](https://github.com/web-platform-dx/baseline-browser-mapping/releases) - [Commits](https://github.com/web-platform-dx/baseline-browser-mapping/compare/v2.10.0...v2.10.8) Updates `esbuild` from 0.27.3 to 0.27.4 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](https://github.com/evanw/esbuild/compare/v0.27.3...v0.27.4) --- updated-dependencies: - dependency-name: preact dependency-version: 10.29.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@commitlint/cli" dependency-version: 20.5.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@commitlint/config-conventional" dependency-version: 20.5.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: baseline-browser-mapping dependency-version: 2.10.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: esbuild dependency-version: 0.27.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-24 15:54:04 +00:00
Xe Iaso	57260a562a	chore(sponsors): add embeDD GmbH (#1539 ) * chore(sponsors): add embeDD GmbH Closes: #1535 Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: update spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-03-24 15:51:32 +00:00
dependabot[bot]	e42a328843	build(deps): bump actions-hub/kubectl in the github-actions group (#1532 ) Bumps the github-actions group with 1 update: [actions-hub/kubectl](https://github.com/actions-hub/kubectl). Updates `actions-hub/kubectl` from 1.35.2 to 1.35.3 - [Release notes](https://github.com/actions-hub/kubectl/releases) - [Commits](https://github.com/actions-hub/kubectl/compare/5ada4e2c02eacc03978c2437e95c8b0f979a9619...934aaa4354bbbc3d2176ae8d7cae92d515032dff) --- updated-dependencies: - dependency-name: actions-hub/kubectl dependency-version: 1.35.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-23 15:33:43 +00:00
Michael	c4b26e5a75	l10n(de): revise and update German translations (#1457 ) * l10n(de): revise and update German translations Improve strings for clarity and naturalness, update Wikipedia link to German version. Signed-off-by: Michael <87752300+michi-onl@users.noreply.github.com> * test(localization): fix tests Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Michael <87752300+michi-onl@users.noreply.github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2026-03-21 20:02:49 +00:00
Duy	1342539a41	chore: update vi.json (#1459 ) * Update vi.json Signed-off-by: Duy <104808921+honhatduy@users.noreply.github.com> * test(localization): fix tests Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Duy <104808921+honhatduy@users.noreply.github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2026-03-21 20:01:21 +00:00
ramromcode	bd6f654e1f	feat(i18n): add Bulgarian language translation (#1394 ) * feat(localization): add bulgarian language translation * fix(locales/bg): make tests pass Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <xe.iaso@techaro.lol> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <xe.iaso@techaro.lol> Co-authored-by: Xe Iaso <me@xeiaso.net>	2026-03-21 19:56:27 +00:00
Xe Iaso	d2c3a326af	feat(anubis): enable pprof endpoints on the metrics server (#1530 ) Closes: #1366 Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-03-21 19:43:47 +00:00
dwhitemv25	c2ed62f51d	fix: Address issued raised in #1193 (#1519 ) * Resolve #1193 Address documentation and error message issues around REDIRECT_DOMAINS and required keywords in bot specifications. * Add CHANGELOG entry	2026-03-21 19:32:25 +00:00
Jason Cameron	11c4adc6b4	fix: add cel iterator (#1465 ) * fix: enable CEL iterators Signed-off-by: Jason Cameron <jason.cameron@stanwith.me> * test: add unit tests for CELChecker map iteration Signed-off-by: Jason Cameron <jason.cameron@stanwith.me> * fix: implement map iterators for HTTPHeaders and URLValues to resolve CEL internal errors Signed-off-by: Jason Cameron <jason.cameron@stanwith.me> * fix: replace checker.NewMapIterator with newMapIterator for HTTPHeaders and URLValues Signed-off-by: Jason Cameron <jason.cameron@stanwith.me> --------- Signed-off-by: Jason Cameron <jason.cameron@stanwith.me>	2026-03-21 19:30:05 +00:00
BALLOON \| FU-SEN	edbfd180b8	locales/ja: Change the position of the `バージョン` (version) (#1527 ) When displayed in Japanese, the `バージョン` (version) is in the middle, but the version number is at the end, so it is displayed strangely. Improve this. "version_info": ``` このウェブサイトはAnubisバージョンで動作しています ``` to ``` このウェブサイトはAnubisで動作していますバージョン ``` Signed-off-by: BALLOON \| FU-SEN <5434159+fu-sen@users.noreply.github.com>	2026-03-21 06:36:40 +00:00
Xe Iaso	efde4f0dc7	docs(faq): document that disabling JIT makes Anubis slow (#1526 ) * docs(faq): document that disabling JIT makes Anubis slow Closes: #1520 Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: fix spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>	2026-03-20 22:16:50 +00:00
Marielle Volz	24857f430f	feat(data): add Citoid to good bots list (#1524 ) * Add Wikimedia Foundation citoid services file Wikimedia Foundation runs a service called citoid which retrieves citation metadata from urls in order to create formatted citations. This file contains the ip ranges allocated to the WMF (https://wikitech.wikimedia.org/wiki/IP_and_AS_allocations) from which the services make requests, as well as regex for the User-Agents from both services used to generate citations (citoid, and Zotero's translation-server which citoid makes requests to as well in order to generate the metadata). Signed-off-by: Marielle Volz <marielle.volz@gmail.com> * Add Wikimedia Citoid crawler to allowed list Signed-off-by: Marielle Volz <marielle.volz@gmail.com> * chore: update spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Marielle Volz <marielle.volz@gmail.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2026-03-20 11:13:26 +00:00