feat(data): add Meta's web indexer used for AI purposes (#1573 )

This indexer is documented in https://developers.facebook.com/docs/sharing/webmasters/web-crawlers. I saw it parsing the entirety of my Forgejo instance, so I suggest to widely block it. Signed-off-by: Benjamin Bouvier <benjamin@bouvier.cc>
feat: move metrics server config to the policy file (#1572 )
2026-04-21 23:56:40 +00:00 · 2026-04-21 16:56:23 -04:00 · 2026-04-21 15:36:11 -04:00 · 2026-04-18 11:30:32 -04:00 · 2026-04-18 11:22:04 -04:00 · 2026-04-14 03:35:30 +00:00
131 changed files with 2216 additions and 832 deletions
@@ -1,12 +1,12 @@
 <!--
 delete me and describe your change here, give enough context for a maintainer to understand what and why
-See https://anubis.techaro.lol/docs/developer/code-quality for more information
+See https://github.com/TecharoHQ/anubis/blob/main/CONTRIBUTING.md for more information
 -->
 Checklist:
 - [ ] Added a description of the changes to the `[Unreleased]` section of docs/docs/CHANGELOG.md
- [ ] Added test cases to [the relevant parts of the codebase](https://anubis.techaro.lol/docs/developer/code-quality)
+- [ ] Added test cases to [the relevant parts of the codebase](https://github.com/TecharoHQ/anubis/blob/main/CONTRIBUTING.md)
 - [ ] Ran integration tests `npm run test:integration` (unsupported on Windows, please use WSL)
 - [ ] All of my commits have [verified signatures](https://anubis.techaro.lol/docs/developer/signed-commits)
@@ -24,3 +24,17 @@ iplist
 NArg
 blocklists
 rififi
 prolocation
 Prolocation
 Necron
 Stargate
 FFXIV
 uvensys
 de
 resourced
 envoyproxy
 unipromos
 Samsung
 wenet
 qwertiko
 setuplistener
@@ -7,6 +7,7 @@ Aibrew
 alibaba
 alrest
 amazonbot
 anexia
 anthro
 anubis
 anubistest
@@ -64,6 +65,7 @@ cidranger
 ckie
 CLAUDE
 cloudflare
 cloudsolutions
 Codespaces
 confd
 containerbuild
@@ -78,6 +80,7 @@ databento
 dayjob
 dco
 DDOS
 ddwrt
 Debian
 debrpm
 decaymap
@@ -100,6 +103,7 @@ duckduckbot
 eerror
 ellenjoe
 emacs
 embe
 enbyware
 etld
 everyones
@@ -117,6 +121,7 @@ FCr
 fcrdns
 fediverse
 ffprobe
 fhdr
 financials
 finfos
 Firecrawl
@@ -154,6 +159,7 @@ grw
 gzw
 Hashcash
 hashrate
 hdr
 headermap
 healthcheck
 healthz
@@ -163,6 +169,7 @@ Hetzner
 hmc
 homelab
 hostable
 HSTS
 htmlc
 htmx
 httpdebug
@@ -215,7 +222,6 @@ LLU
 loadbalancer
 lol
 lominsa
 maintainership
 malware
 mcr
 memes
@@ -324,11 +330,13 @@ Spambot
 spammer
 sparkline
 spyderbot
 srcip
 srv
 stackoverflow
 startprecmd
 stoppostcmd
 storetest
 strcmp
 subgrid
 subr
 subrequest
@@ -353,6 +361,7 @@ Timpibot
 TLog
 traefik
 trunc
 txn
 uberspace
 Unbreak
 unbreakdocker
@@ -22,12 +22,12 @@ jobs:
          sudo apt-get update
          sudo apt-get install -y build-essential
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "1.25.7"
      - name: install node deps
        run: |
@@ -26,18 +26,18 @@ jobs:
          sudo apt-get update
          sudo apt-get install -y build-essential
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ghcr.io/${{ github.repository }}
@@ -36,17 +36,17 @@ jobs:
        run: |
          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
      - name: Log into registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -54,7 +54,7 @@ jobs:
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.IMAGE }}
@@ -68,7 +68,7 @@ jobs:
          SLOG_LEVEL: debug
      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
@@ -22,10 +22,10 @@ jobs:
          persist-credentials: false
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Log into registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: techarohq
@@ -33,7 +33,7 @@ jobs:
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ghcr.io/techarohq/anubis/docs
          tags: |
@@ -42,7 +42,7 @@ jobs:
      - name: Build and push
        id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ./docs
          cache-to: type=gha
@@ -53,14 +53,14 @@ jobs:
          push: true
      - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@f6d776bd78f4523e36d6c74d34f9941c242b2213 # v1.35.0
+        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
          args: apply -k docs/manifest
      - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@f6d776bd78f4523e36d6c74d34f9941c242b2213 # v1.35.0
+        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
@@ -18,11 +18,11 @@ jobs:
          persist-credentials: false
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ghcr.io/techarohq/anubis/docs
          tags: |
@@ -31,7 +31,7 @@ jobs:
      - name: Build and push
        id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ./docs
          cache-to: type=gha
@@ -17,9 +17,9 @@ jobs:
        with:
          persist-credentials: false
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - name: Check go.mod and go.sum in main directory
        run: |
@@ -24,15 +24,15 @@ jobs:
          sudo apt-get update
          sudo apt-get install -y build-essential
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - name: Cache playwright binaries
-        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        id: playwright-cache
        with:
          path: |
@@ -55,10 +55,10 @@ jobs:
        run: npm run test
      - name: Lint with staticcheck
-        uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
+        uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1.4.1
        with:
          version: "latest"
      - name: Govulncheck
        run: |
-          go tool govulncheck ./...
+          go tool govulncheck ./... ||:
@@ -14,6 +14,6 @@ jobs:
    permissions:
      pull-requests: read
    steps:
-      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -25,12 +25,12 @@ jobs:
          sudo apt-get update
          sudo apt-get install -y build-essential
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - name: install node deps
        run: |
@@ -26,12 +26,12 @@ jobs:
          sudo apt-get update
          sudo apt-get install -y build-essential
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - name: install node deps
        run: |
@@ -41,7 +41,7 @@ jobs:
        run: |
          go tool yeet
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: packages
          path: var/*
@@ -34,12 +34,12 @@ jobs:
        with:
          persist-credentials: false
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.11.0"
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
@@ -57,7 +57,7 @@ jobs:
        run: echo "ARTIFACT_NAME=${{ matrix.test }}" | sed 's|/|-|g' >> $GITHUB_ENV
      - name: Upload artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        if: always()
        with:
          name: ${{ env.ARTIFACT_NAME }}
@@ -89,7 +89,7 @@ jobs:
    steps:
      - name: check-spelling
        id: spelling
-        uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
+        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # v0.0.26
        with:
          suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
          checkout: true
@@ -24,13 +24,13 @@ jobs:
          fetch-depth: 0
          persist-credentials: false
      - name: Log into registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build and push
        run: |
          cd ./test/ssh-ci
@@ -12,14 +12,15 @@ permissions:
 jobs:
  ssh:
    if: github.repository == 'TecharoHQ/anubis'
-    runs-on: alrest-techarohq
+    #runs-on: alrest-techarohq
    runs-on: ubuntu-latest
    strategy:
      matrix:
        host:
          - riscv64
          - ppc64le
-          - aarch64-4k
+          #- aarch64-4k
-          - aarch64-16k
+          #- aarch64-16k
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -29,15 +30,15 @@ jobs:
          persist-credentials: false
      - name: Install CI target SSH key
-        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
+        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
        with:
          key: ${{ secrets.CI_SSH_KEY }}
          name: id_rsa
          known_hosts: ${{ secrets.CI_SSH_KNOWN_HOSTS }}
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"
      - name: Run CI
        run: go run ./utils/cmd/backoff-retry bash test/ssh-ci/rigging.sh ${{ matrix.host }}
@@ -21,7 +21,7 @@ jobs:
          persist-credentials: false
      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
      - name: Run zizmor 🌈
        run: uvx zizmor --format sarif . > results.sarif
@@ -29,7 +29,7 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: results.sarif
          category: zizmor
@@ -24,7 +24,6 @@ build: assets
 lint: assets
 	$(GO) vet ./...
 	$(GO) tool staticcheck ./...
 	$(GO) tool govulncheck ./...
 prebaked-build:
 	$(GO) build -o ./var/anubis -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/anubis
@@ -26,9 +26,21 @@ Anubis is brought to you by sponsors and donors like:
 ### Gold Tier
 <a href="https://www.unipromos.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/unipromos.webp" alt="Unipromos" height="64" />
 </a>
 <a href="https://uvensys.de/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/uvensys.webp" alt="Uvensys" height="64">
 </a>
 <a href="https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/distrust-logo.webp" alt="Distrust" height="64">
 </a>
 <a href="https://about.gitea.com?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/gitea-logo.webp" alt="Gitea" height="64">
 </a>
 <a href="https://prolocation.net?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/prolocation-logo.svg" alt="Prolocation" height="64">
 </a>
 <a href="https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh">
  <img src="./docs/static/img/sponsors/terminal-trove.webp" alt="Terminal Trove" height="64">
 </a>
@@ -58,6 +70,18 @@ Anubis is brought to you by sponsors and donors like:
    height="64"
  />
 </a>
 <a href="https://www.anexia.com/">
  <img src="./docs/static/img/sponsors/anexia-cloudsolutions-logo.webp" alt="ANEXIA Cloud Solutions" height="64">
 </a>
 <a href="https://dd-wrt.com/">
  <img src="./docs/static/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64">
 </a>
 <a href="https://www.qwertiko.de?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/qwertiko-logo.webp" alt="Qwertiko" height="64">
 </a>
 <a href="https://wenet.pl/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="./docs/static/img/sponsors/wenet-logo.webp" alt="Wenet" height="64">
 </a>
 ## Overview
@@ -1 +1 @@
-1.24.0
+1.25.0
@@ -21,7 +21,6 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -32,12 +31,12 @@ import (
 	"github.com/TecharoHQ/anubis/internal"
 	libanubis "github.com/TecharoHQ/anubis/lib"
 	"github.com/TecharoHQ/anubis/lib/config"
 	"github.com/TecharoHQ/anubis/lib/metrics"
 	botPolicy "github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
 )
@@ -118,33 +117,6 @@ func doHealthCheck() error {
 	return nil
 }
 // parseBindNetFromAddr determine bind network and address based on the given network and address.
 func parseBindNetFromAddr(address string) (string, string) {
 	defaultScheme := "http://"
 	if !strings.Contains(address, "://") {
 		if strings.HasPrefix(address, ":") {
 			address = defaultScheme + "localhost" + address
 		} else {
 			address = defaultScheme + address
 		}
 	}
 	bindUri, err := url.Parse(address)
 	if err != nil {
 		log.Fatal(fmt.Errorf("failed to parse bind URL: %w", err))
 	}
 	switch bindUri.Scheme {
 	case "unix":
 		return "unix", bindUri.Path
 	case "tcp", "http", "https":
 		return "tcp", bindUri.Host
 	default:
 		log.Fatal(fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address))
 	}
 	return "", address
 }
 func parseSameSite(s string) http.SameSite {
 	switch strings.ToLower(s) {
 	case "none":
@@ -161,53 +133,6 @@ func parseSameSite(s string) http.SameSite {
 	return http.SameSiteDefaultMode
 }
 func setupListener(network string, address string) (net.Listener, string) {
 	formattedAddress := ""
 	if network == "" {
 		// keep compatibility
 		network, address = parseBindNetFromAddr(address)
 	}
 	switch network {
 	case "unix":
 		formattedAddress = "unix:" + address
 	case "tcp":
 		if strings.HasPrefix(address, ":") { // assume it's just a port e.g. :4259
 			formattedAddress = "http://localhost" + address
 		} else {
 			formattedAddress = "http://" + address
 		}
 	default:
 		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
 	}
 	listener, err := net.Listen(network, address)
 	if err != nil {
 		log.Fatal(fmt.Errorf("failed to bind to %s: %w", formattedAddress, err))
 	}
 	// additional permission handling for unix sockets
 	if network == "unix" {
 		mode, err := strconv.ParseUint(*socketMode, 8, 0)
 		if err != nil {
 			listener.Close()
 			log.Fatal(fmt.Errorf("could not parse socket mode %s: %w", *socketMode, err))
 		}
 		err = os.Chmod(address, os.FileMode(mode))
 		if err != nil {
 			err := listener.Close()
 			if err != nil {
 				log.Printf("failed to close listener: %v", err)
 			}
 			log.Fatal(fmt.Errorf("could not change socket mode: %w", err))
 		}
 	}
 	return listener, formattedAddress
 }
 func makeReverseProxy(target string, targetSNI string, targetHost string, insecureSkipVerify bool, targetDisableKeepAlive bool) (http.Handler, error) {
 	targetUri, err := url.Parse(target)
 	if err != nil {
@@ -303,11 +228,6 @@ func main() {
 	wg := new(sync.WaitGroup)
 	if *metricsBind != "" {
 		wg.Add(1)
 		go metricsServer(ctx, *lg.With("subsystem", "metrics"), wg.Done)
 	}
 	var rp http.Handler
 	// when using anubis via Systemd and environment variables, then it is not possible to set targe to an empty string but only to space
 	if strings.TrimSpace(*target) != "" {
@@ -347,6 +267,26 @@ func main() {
 	lg.Debug("swapped to new logger")
 	slog.SetDefault(lg)
 	if *metricsBind != "" || policy.Metrics != nil {
 		wg.Add(1)
 		ms := &metrics.Server{
 			Config: policy.Metrics,
 			Log:    lg,
 		}
 		if policy.Metrics == nil {
 			lg.Debug("migrating flags to metrics config", "bind", *metricsBind, "network", *metricsBindNetwork, "socket-mode", *socketMode)
 			ms.Config = &config.Metrics{
 				Bind:       *metricsBind,
 				Network:    *metricsBindNetwork,
 				SocketMode: *socketMode,
 			}
 		}
 		go ms.Run(ctx, wg.Done)
 	}
 	// Warn if persistent storage is used without a configured signing key
 	if policy.Store.IsPersistent() {
 		if *hs512Secret == "" && *ed25519PrivateKeyHex == "" && *ed25519PrivateKeyHexFile == "" {
@@ -418,8 +358,8 @@ func main() {
 	var redirectDomainsList []string
 	if *redirectDomains != "" {
-		domains := strings.Split(*redirectDomains, ",")
+		domains := strings.SplitSeq(*redirectDomains, ",")
-		for _, domain := range domains {
+		for domain := range domains {
 			_, err = url.Parse(domain)
 			if err != nil {
 				log.Fatalf("cannot parse redirect-domain %q: %s", domain, err.Error())
@@ -427,7 +367,7 @@ func main() {
 			redirectDomainsList = append(redirectDomainsList, strings.TrimSpace(domain))
 		}
 	} else {
-		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will only redirect to the same domain a request is coming from, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
+		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will redirect to any domain, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
 	}
 	anubis.CookieName = *cookiePrefix + "-auth"
@@ -483,7 +423,11 @@ func main() {
 	h = internal.JA4H(h)
 	srv := http.Server{Handler: h, ErrorLog: internal.GetFilteredHTTPLogger()}
-	listener, listenerUrl := setupListener(*bindNetwork, *bind)
+	listener, listenerUrl, err := internal.SetupListener(*bindNetwork, *bind, *socketMode)
 	if err != nil {
 		log.Fatalf("SetupListener(%q, %q, %q): %v", *bindNetwork, *bind, *socketMode, err)
 	}
 	lg.Info(
 		"listening",
 		"url", listenerUrl,
@@ -518,48 +462,6 @@ func main() {
 	wg.Wait()
 }
 func metricsServer(ctx context.Context, lg slog.Logger, done func()) {
 	defer done()
 	mux := http.NewServeMux()
 	mux.Handle("/metrics", promhttp.Handler())
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		st, ok := internal.GetHealth("anubis")
 		if !ok {
 			slog.Error("health service anubis does not exist, file a bug")
 		}
 		switch st {
 		case healthv1.HealthCheckResponse_NOT_SERVING:
 			http.Error(w, "NOT OK", http.StatusInternalServerError)
 			return
 		case healthv1.HealthCheckResponse_SERVING:
 			fmt.Fprintln(w, "OK")
 			return
 		default:
 			http.Error(w, "UNKNOWN", http.StatusFailedDependency)
 			return
 		}
 	})
 	srv := http.Server{Handler: mux, ErrorLog: internal.GetFilteredHTTPLogger()}
 	listener, metricsUrl := setupListener(*metricsBindNetwork, *metricsBind)
 	lg.Debug("listening for metrics", "url", metricsUrl)
 	go func() {
 		<-ctx.Done()
 		c, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		if err := srv.Shutdown(c); err != nil {
 			log.Printf("cannot shut down: %v", err)
 		}
 	}()
 	if err := srv.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
 		log.Fatal(err)
 	}
 }
 func extractEmbedFS(fsys embed.FS, root string, destDir string) error {
 	return fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"os"
 	"regexp"
 	"slices"
 	"strings"
 	"github.com/TecharoHQ/anubis/lib/config"
@@ -210,11 +211,8 @@ func parseRobotsTxt(input io.Reader) ([]RobotsRule, error) {
 	// Mark blacklisted user agents (those with "Disallow: /")
 	for i := range rules {
-		for _, disallow := range rules[i].Disallows {
+		if slices.Contains(rules[i].Disallows, "/") {
 			if disallow == "/" {
 			rules[i].IsBlacklist = true
 				break
 			}
 		}
 	}
@@ -158,8 +158,8 @@ func TestDataFileConversion(t *testing.T) {
 			}
 			if strings.ToLower(*outputFormat) == "yaml" {
-				var actualData []interface{}
+				var actualData []any
-				var expectedData []interface{}
+				var expectedData []any
 				err = yaml.Unmarshal(actualOutput, &actualData)
 				if err != nil {
@@ -178,8 +178,8 @@ func TestDataFileConversion(t *testing.T) {
 					t.Errorf("Output mismatch for %s\nExpected:\n%s\n\nActual:\n%s", tc.name, expectedStr, actualStr)
 				}
 			} else {
-				var actualData []interface{}
+				var actualData []any
-				var expectedData []interface{}
+				var expectedData []any
 				err = json.Unmarshal(actualOutput, &actualData)
 				if err != nil {
@@ -419,6 +419,6 @@ Disallow: /`
 // compareData performs a deep comparison of two data structures,
 // ignoring differences that are semantically equivalent in YAML/JSON
-func compareData(actual, expected interface{}) bool {
+func compareData(actual, expected any) bool {
 	return reflect.DeepEqual(actual, expected)
 }
@@ -166,6 +166,15 @@ status_codes:
  CHALLENGE: 200
  DENY: 200
 # # Configuration for the metrics server. See the docs for more information:
 # #
 # # https://anubis.techaro.lol/docs/admin/policies#metrics-server
 # #
 # # This is commented out by default so that command line flags take precedence.
 # metrics:
 #   bind: ":9090"
 #   network: "tcp"
 # Anubis can store temporary data in one of a few backends. See the storage
 # backends section of the docs for more information:
 #
@@ -8,4 +8,5 @@
 - import: (data)/crawlers/marginalia.yaml
 - import: (data)/crawlers/mojeekbot.yaml
 - import: (data)/crawlers/commoncrawl.yaml
 - import: (data)/crawlers/wikimedia-citoid.yaml
 - import: (data)/crawlers/yandexbot.yaml
@@ -4,5 +4,5 @@
 #  - Claude-SearchBot: No published IP allowlist
 - name: "ai-crawlers-search"
  user_agent_regex: >-
-    OAI-SearchBot|Claude-SearchBot|PerplexityBot
+    OAI-SearchBot|Claude-SearchBot|PerplexityBot|meta-webindexer
  action: DENY
@@ -0,0 +1,18 @@
 # Wikimedia Foundation citation services
 # https://www.mediawiki.org/wiki/Citoid
 - name: wikimedia-citoid
  user_agent_regex: "Citoid/WMF"
  action: ALLOW
  remote_addresses: [
    "208.80.152.0/22",
    "2620:0:860::/46",
  ]
 - name: wikimedia-zotero-translation-server
  user_agent_regex: "ZoteroTranslationServer/WMF"
  action: ALLOW
  remote_addresses: [
    "208.80.152.0/22",
    "2620:0:860::/46",
  ]
@@ -11,12 +11,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 <!-- This changes the project to: -->
 - Move metrics server configuration to [the policy file](./admin/policies.mdx#metrics-server).
 - Expose [pprof endpoints](https://pkg.go.dev/net/http/pprof) on the metrics listener to enable profiling Anubis in production.
 - fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
 - Instruct reverse proxies to not cache error pages.
 - Fixed mixed tab/space indentation in Caddy documentation code block
 - Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193))
 - Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
 - Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
 ## v1.25.0: Necron
 Hey all,
 I'm sure you've all been aware that things have been slowing down a little with Anubis development, and I want to apologize for that. A lot has been going on in my life lately (my blog will have a post out on Friday with more information), and as a result I haven't really had the energy to work on Anubis in publicly visible ways. There are things going on behind the scenes, but nothing is really shippable yet, sorry!
 I've also been feeling some burnout in the wake of perennial waves of anger directed towards me. I'm handling it, I'll be fine, I've just had a lot going on in my life and it's been rough.
 I've been missing the sense of wanderlust and discovery that comes with the artistic way I playfully develop software. I suspect that some of the stresses I've been through (setting up a complicated surgery in a country whose language you aren't fluent in is kind of an experience) have been sapping my energy. I'd gonna try to mess with things on my break, but realistically I'm probably just gonna be either watching Stargate SG-1 or doing unreasonable amounts of ocean fishing in Final Fantasy 14. Normally I'd love to keep the details about my medical state fairly private, but I'm more of a public figure now than I was this time last year so I don't really get the invisibility I'm used to for this.
 I've also had a fair amount of negativity directed at me for simply being much more visible than the anonymous threat actors running the scrapers that are ruining everything, which though understandable has not helped.
 Anyways, it all worked out and I'm about to be in the hospital for a week, so if things go really badly with this release please downgrade to the last version and/or upgrade to the main branch when the fix PR is inevitably merged. I hoped to have time to tame GPG and set up full release automation in the Anubis repo, but that didn't work out this time and that's okay.
 If I can challenge you all to do something, go out there and try to actually create something new somehow. Combine ideas you've never mixed before. Be creative, be human, make something purely for yourself to scratch an itch that you've always had yet never gotten around to actually mending.
 At the very least, try to be an example of how you want other people to act, even when you're in a situation where software written by someone else is configured to require a user agent to execute javascript to access a webpage.
 Be well,
 Xe
 PS: if you're well-versed in FFXIV lore, the release title should give you an idea of the kind of stuff I've been going through mentally.
 - Add iplist2rule tool that lets admins turn an IP address blocklist into an Anubis ruleset.
 - Add Polish locale ([#1292](https://github.com/TecharoHQ/anubis/pull/1309))
 - Fix honeypot and imprint links missing `BASE_PREFIX` when deployed behind a path prefix ([#1402](https://github.com/TecharoHQ/anubis/issues/1402))
 - Add ANEXIA Sponsor logo to docs ([#1409](https://github.com/TecharoHQ/anubis/pull/1409))
 - Improve idle performance in memory storage
-
+- Add HAProxy Configurations to Docs ([#1424](https://github.com/TecharoHQ/anubis/pull/1424))
 <!-- This changes the project to: -->
 ## v1.24.0: Y'shtola Rhul
@@ -0,0 +1,101 @@
 # HAProxy
 import CodeBlock from "@theme/CodeBlock";
 To use Anubis with HAProxy, you have two variants:
  - simple - stick Anubis between HAProxy and your application backend (simple)
    - perfect if you only have a single application in general
  - advanced - force Anubis challenge by default and route to the application backend by HAProxy if the challenge is correct
    - useful for complex setups
    - routing can be done in HAProxy
    - define ACLs in HAProxy for domains, paths etc which are required/excluded regarding Anubis
    - HAProxy 3.0 recommended
 ## Simple Variant
 ```mermaid
 ---
 title: HAProxy with simple config
 ---
 flowchart LR
    T(User Traffic)
    HAProxy(HAProxy Port 80/443)
    Anubis
    Application
    T --> HAProxy
    HAProxy --> Anubis
    Anubis --> |Happy Traffic| Application
 ```
 Your Anubis env file configuration may look like this:
 import simpleAnubis from "!!raw-loader!./haproxy/simple-config.env";
 <CodeBlock language="bash">{simpleAnubis}</CodeBlock>
 The important part is that `TARGET` points to your actual application and if Anubis and HAProxy are on the same machine, a UNIX socket can be used.
 Your frontend and backend configuration of HAProxy may look like the following:
 import simpleHAProxy from "!!raw-loader!./haproxy/simple-haproxy.cfg";
 <CodeBlock language="bash">{simpleHAProxy}</CodeBlock>
 This simply enables SSL offloading, sets some useful and required headers and routes to Anubis directly.
 ## Advanced Variant
 Due to the fact that HAProxy can decode JWT, we are able to verify the Anubis token directly in HAProxy and route the traffic to the specific backends ourselves.
 Mind that rule logic to allow Git HTTP and other legit bot traffic to bypass is delegated from Anubis to HAProxy then. If required, you should implement any whitelisting in HAProxy using `acl_anubis_ignore` yourself.
 In this example are three applications behind one HAProxy frontend. Only App1 and App2 are secured via Anubis; App3 is open for everyone. The path `/excluded/path` can also be accessed by anyone.
 ```mermaid
 ---
 title: HAProxy with advanced config
 ---
 flowchart LR
    T(User Traffic)
    HAProxy(HAProxy Port 80/443)
    B1(App1)
    B2(App2)
    B3(App3)
    Anubis
    T --> HAProxy
    HAProxy --> |Traffic for App1 and App2 without valid challenge| Anubis
    HAProxy --> |app1.example.com | B1
    HAProxy --> |app2.example.com| B2
    HAProxy --> |app3.example.com| B3
 ```
 :::note
 For an improved JWT decoding performance, it's recommended to use HAProxy version 3.0 or above.
 :::
 Your Anubis env file configuration may look like this:
 import advancedAnubis from "!!raw-loader!./haproxy/advanced-config.env";
 <CodeBlock language="bash">{advancedAnubis}</CodeBlock>
 It's important to use `HS512_SECRET` which HAProxy understands. Please replace `<SECRET-HERE>` with your own secret string (alphanumerical string with 128 characters recommended).
 You can set Anubis to force a challenge for every request using the following policy file:
 import advancedAnubisPolicy from "!!raw-loader!./haproxy/advanced-config-policy.yml";
 <CodeBlock language="yaml">{advancedAnubisPolicy}</CodeBlock>
 The HAProxy config file may look like this:
 import advancedHAProxy from "!!raw-loader!./haproxy/advanced-haproxy.cfg";
 <CodeBlock language="haproxy">{advancedHAProxy}</CodeBlock>
 Please replace `<SECRET-HERE>` with the same secret from the Anubis config.
@@ -0,0 +1,15 @@
 # /etc/anubis/challenge-any.yml
 bots:
  - name: any
    action: CHALLENGE
    user_agent_regex: .*
 status_codes:
  CHALLENGE: 403
  DENY: 403
 thresholds: []
 dnsbl: false
@@ -0,0 +1,11 @@
 # /etc/anubis/default.env
 BIND=/run/anubis/default.sock
 BIND_NETWORK=unix
 DIFFICULTY=4
 METRICS_BIND=:9090
 # target is irrelevant here, backend routing happens in HAProxy
 TARGET=http://0.0.0.0
 HS512_SECRET=<SECRET-HERE>
 COOKIE_DYNAMIC_DOMAIN=True
 POLICY_FNAME=/etc/anubis/challenge-any.yml
@@ -0,0 +1,59 @@
 # /etc/haproxy/haproxy.cfg
 frontend FE-multiple-applications
  mode http
  bind :80
  # ssl offloading on port 443 using a certificate from /etc/haproxy/ssl/ directory
  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 ssl-min-ver TLSv1.2 no-tls-tickets
  # set X-Real-IP header required for Anubis
  http-request set-header X-Real-IP "%[src]"
  # redirect HTTP to HTTPS
  http-request redirect scheme https code 301 unless { ssl_fc }
  # add HSTS header
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # only force Anubis challenge for app1 and app2
  acl acl_anubis_required hdr(host) -i "app1.example.com"
  acl acl_anubis_required hdr(host) -i "app2.example.com"
  # exclude Anubis for a specific path
  acl acl_anubis_ignore path /excluded/path
  # use Anubis if auth cookie not found
  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ req.cook(techaro.lol-anubis-auth) -m found }
  # get payload of the JWT such as algorithm, expire time, restrictions
  http-request set-var(txn.anubis_jwt_alg) req.cook(techaro.lol-anubis-auth),jwt_header_query('$.alg') if acl_anubis_required !acl_anubis_ignore
  http-request set-var(txn.anubis_jwt_exp) cook(techaro.lol-anubis-auth),jwt_payload_query('$.exp','int') if acl_anubis_required !acl_anubis_ignore
  http-request set-var(txn.anubis_jwt_res) cook(techaro.lol-anubis-auth),jwt_payload_query('$.restriction') if acl_anubis_required !acl_anubis_ignore
  http-request set-var(txn.srcip) req.fhdr(X-Real-IP) if acl_anubis_required !acl_anubis_ignore
  http-request set-var(txn.now) date() if acl_anubis_required !acl_anubis_ignore
  # use Anubis if JWT has wrong algorithm, is expired, restrictions don't match or isn't signed with the correct key
  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ var(txn.anubis_jwt_alg) -m str HS512 }
  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore { var(txn.anubis_jwt_exp),sub(txn.now) -m int lt 0 }
  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ var(txn.srcip),digest(sha256),hex,lower,strcmp(txn.anubis_jwt_res) eq 0 }
  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ cook(techaro.lol-anubis-auth),jwt_verify(txn.anubis_jwt_alg,"<SECRET-HERE>") -m int 1 }
  # custom routing in HAProxy
  use_backend BE-app1 if { hdr(host) -i "app1.example.com" }
  use_backend BE-app2 if { hdr(host) -i "app2.example.com" }
  use_backend BE-app3 if { hdr(host) -i "app3.example.com" }
 backend BE-app1
  mode http
  server app1-server 127.0.0.1:3000
 backend BE-app2
  mode http
  server app2-server 127.0.0.1:4000
 backend BE-app3
  mode http
  server app3-server 127.0.0.1:5000
 BE-anubis
  mode http
  server anubis /run/anubis/default.sock
@@ -0,0 +1,10 @@
 # /etc/anubis/default.env
 BIND=/run/anubis/default.sock
 BIND_NETWORK=unix
 SOCKET_MODE=0666
 DIFFICULTY=4
 METRICS_BIND=:9090
 COOKIE_DYNAMIC_DOMAIN=true
 # address and port of the actual application
 TARGET=http://localhost:3000
@@ -0,0 +1,22 @@
 # /etc/haproxy/haproxy.cfg
 frontend FE-application
  mode http
  bind :80
  # ssl offloading on port 443 using a certificate from /etc/haproxy/ssl/ directory
  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 ssl-min-ver TLSv1.2 no-tls-tickets
  # set X-Real-IP header required for Anubis
  http-request set-header X-Real-IP "%[src]"
  # redirect HTTP to HTTPS
  http-request redirect scheme https code 301 unless { ssl_fc }
  # add HSTS header
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # route to Anubis backend by default
  default_backend BE-anubis-application
 BE-anubis-application
  mode http
  server anubis /run/anubis/default.sock
@@ -130,3 +130,52 @@ Then point your Ingress to the Anubis port:
              # diff-add
              name: anubis
 ```
 ## Envoy Gateway
 If you are using envoy-gateway, the `X-Real-Ip` header is not set by default, but Anubis does require it. You can resolve this by adding the header, either on the specific `HTTPRoute` where Anubis is listening, or on the `ClientTrafficPolicy` to apply it to any number of Gateways:
 HTTPRoute:
 ```yaml
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: app-route
 spec:
  hostnames: ["app.domain.tld"]
  parentRefs:
    - name: envoy-external
      namespace: network
      sectionName: https
  rules:
    - backendRefs:
        - identifier: *app
          port: anubis
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Real-Ip
                value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
 ```
 Applying to any number of Gateways:
 ```yaml
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: ClientTrafficPolicy
 metadata:
  name: envoy
 spec:
  headers:
    earlyRequestHeaders:
      set:
        - name: X-Real-Ip
          value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
  clientIPDetection:
    xForwardedFor:
      trustedCIDRs:
        - 10.96.0.0/16 # Cluster pod CIDR
  targetSelectors: # These will apply to all Gateways
    - group: gateway.networking.k8s.io
      kind: Gateway
 ```
@@ -87,15 +87,15 @@ Anubis uses these environment variables for configuration:
 | `ED25519_PRIVATE_KEY_HEX_FILE` | unset                   | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. **Required when using persistent storage backends** (like bbolt) to ensure challenges survive service restarts. When running multiple instances on the same base domain, the key must be the same across all instances.                                                                                                                                                                                                       |
 | `ERROR_TITLE`                  | unset                   | <EO /> If set, override the translation stack to show a custom title for error pages such as "Something went wrong!". See [Customizing messages](./botstopper.mdx#customizing-messages) for more details.                                                                                                                                                                                                                                                                                                                                      |
 | `JWT_RESTRICTION_HEADER`       | `X-Real-IP`             | If set, the JWT is only valid if the current value of this header matches the value when the JWT was created. You can use it e.g. to restrict a JWT to the source IP of the user using `X-Real-IP`.                                                                                                                                                                                                                                                                                                                                            |
-| `METRICS_BIND`                 | `:9090`                 | The network address that Anubis serves Prometheus metrics on. See `BIND` for more information.                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| `METRICS_BIND`                 | `:9090`                 | The legacy configuration value for the network address that Anubis serves Prometheus metrics on. Please migrate this to [the policy file](./policies.mdx#metrics-server) as soon as possible.                                                                                                                                                                                                                                                                                                                                                  |
-| `METRICS_BIND_NETWORK`         | `tcp`                   | The address family that the Anubis metrics server listens on. See `BIND_NETWORK` for more information.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| `METRICS_BIND_NETWORK`         | `tcp`                   | The legacy configuration value for the address family that Anubis serves Prometheus metrics on. Please migrate this to [the policy file](./policies.mdx#metrics-server) as soon as possible.                                                                                                                                                                                                                                                                                                                                                   |
 | `OG_EXPIRY_TIME`               | `24h`                   | The expiration time for the Open Graph tag cache. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                                                        |
 | `OG_PASSTHROUGH`               | `false`                 | If set to `true`, Anubis will enable Open Graph tag passthrough. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                                         |
 | `OG_CACHE_CONSIDER_HOST`       | `false`                 | If set to `true`, Anubis will consider the host in the Open Graph tag cache key. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                         |
 | `OVERLAY_FOLDER`               | unset                   | <EO /> If set, treat the given path as an [overlay folder](./botstopper.mdx#custom-images-and-css), allowing you to customize CSS, fonts, images, and add other assets to BotStopper deployments.                                                                                                                                                                                                                                                                                                                                              |
 | `POLICY_FNAME`                 | unset                   | The file containing [bot policy configuration](./policies.mdx). See the bot policy documentation for more details. If unset, the default bot policy configuration is used.                                                                                                                                                                                                                                                                                                                                                                     |
 | `PUBLIC_URL`                   | unset                   | The externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for Traefik forwardAuth). Leave it unset when Anubis terminates traffic directly (sidecar/standalone deployments) or redirect building will fail with `redir=null`.                                                                                                                                                                                                                                                                         |
-| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains) for more details.                                                                                                                                                                                                                                                                                                                                                   |
+| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains.mdx) for more details.                                                                                                                                                                                                                                                                                                                                               |
 | `SERVE_ROBOTS_TXT`             | `false`                 | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file.                                                                                                                                                                                                                                                       |
 | `SLOG_LEVEL`                   | `INFO`                  | The log level for structured logging. Valid values are `DEBUG`, `INFO`, `WARN`, and `ERROR`. Set to `DEBUG` to see all requests, evaluations, and detailed diagnostic information.                                                                                                                                                                                                                                                                                                                                                             |
 | `SOCKET_MODE`                  | `0770`                  | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets.                                                                                                                                                                                                                                                                                                                                                                                                      |
@@ -203,6 +203,7 @@ To get Anubis filtering your traffic, you need to make sure it's added to your H
 - [Kubernetes](./environments/kubernetes.mdx)
 - [Nginx](./environments/nginx.mdx)
 - [Traefik](./environments/traefik.mdx)
 - [HAProxy](./environments/haproxy.mdx)
 :::note
@@ -143,3 +143,4 @@ For more details on particular reverse proxies, see here:
 - [Apache](./environments/apache.mdx)
 - [Nginx](./environments/nginx.mdx)
 - [HAProxy](./environments/haproxy.mdx)
@@ -117,6 +117,27 @@ remote_addresses:
  - 100.64.0.0/10
 ```
 ## Metrics server
 Anubis includes support for [Prometheus-style metrics](https://prometheus.io/docs/introduction/overview/), allowing systems administrators to monitor Anubis' performance and effectiveness. This is a separate HTTP server with metrics, health checking, and debug routes.
 Anubis' metrics server is configured with the `metrics` block in the configuration file:
 ```yaml
 metrics:
  bind: ":9090"
  network: "tcp"
 ```
 If you want to bind metrics to a Unix socket, make sure to set the network to `unix` and add a socket mode:
 ```yaml
 metrics:
  bind: "/tmp/anubis_metrics.sock"
  network: unix
  socketMode: "0700" # must be a string
 ```
 ## Imprint / Impressum support
 Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.
@@ -393,6 +414,32 @@ logging:
 When files are rotated out, the old files will be named after the rotation timestamp in [RFC 3339 format](https://www.rfc-editor.org/rfc/rfc3339).
 :::note
 If you are running Anubis in systemd via a native package, the default systemd unit settings are very restrictive and will forbid writing to folders in `/var/log`. In order to fix this, please make a [drop-in unit](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/) like the following:
 ```text
 # /etc/systemd/anubis@instance-name.service.d/50-var-log-readwrite.conf
 [Service]
 ReadWritePaths=/run /var/log/anubis
 ```
 Once you write this to the correct place, reload the systemd configuration:
 ```text
 sudo systemctl daemon-reload
 ```
 And then restart Anubis:
 ```text
 sudo systemctl restart anubis@instance-name
 ```
 You may be required to make drop-ins for each Anubis instance depending on the facts and circumstances of your deployment.
 :::
 ### `stdio` sink
 By default, Anubis logs everything to the standard error stream of its process. This requires no configuration:
@@ -1,31 +0,0 @@
 ---
 title: Code quality guidelines
 ---
 When submitting code to Anubis, please take the time to consider the fact that this project is security software. If things go bad, bots can pummel sites into oblivion. This is not ideal for uptime.
 As such, code reviews will be a bit more strict than you have seen in other projects. This is not people trying to be mean, this is a side effect of taking the problem seriously.
 When making code changes, try to do the following:
 - If you're submitting a bugfix, add a test case for it
 - If you're changing the JavaScript, make sure the integration tests pass (`npm run test:integration`)
 ## Commit messages
 Anubis follows the Go project's conventions for commit messages. In general, an ideal commit message should read like this:
 ```text
 path/to/folder: brief description of the change
 If the change is subtle, has implementation consequences, or is otherwise
 not entirely self-describing: take the time to spell out why. If things
 are very subtle, please also amend the documentation accordingly
 ```
 The subject of a commit message should be the second half of the sentence "This commit changes the Anubis project to:". Here's a few examples:
 - `disable DroneBL by default`
 - `port the challenge to WebAssembly`
 The extended commit message is also your place to give rationale for a new feature. When maintainers are reviewing your code, they will use this to figure out if the burden from feature maintainership is worth the merge.
@@ -35,9 +35,21 @@ Anubis is brought to you by sponsors and donors like:
 ### Gold Tier
 <a href="https://www.unipromos.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/unipromos.webp" alt="Uvensys" height="64" />
 </a>
 <a href="https://uvensys.de/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/uvensys.webp" alt="Uvensys" height="64" />
 </a>
 <a href="https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/distrust-logo.webp" alt="Distrust" height="64" />
 </a>
 <a href="https://about.gitea.com?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/gitea-logo.webp" alt="Gitea" height="64" />
 </a>
 <a href="https://prolocation.net?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/prolocation-logo.svg" alt="Prolocation" height="64" />
 </a>
 <a href="https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh">
  <img
    src="/img/sponsors/terminal-trove.webp"
@@ -75,6 +87,15 @@ Anubis is brought to you by sponsors and donors like:
    height="64"
  />
 </a>
 <a href="https://dd-wrt.com/">
  <img src="/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64" />
 </a>
 <a href="https://www.qwertiko.de?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/qwertiko-logo.webp" alt="Qwertiko" height="64" />
 </a>
 <a href="https://wenet.pl/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
  <img src="/img/sponsors/wenet-logo.webp" alt="Wenet" height="64" />
 </a>
 ## Overview
@@ -22,3 +22,24 @@ If you use a browser extension such as [JShelter](https://jshelter.org/), you wi
 ## Does Anubis mine Bitcoin?
 No. Anubis does not mine Bitcoin or any other cryptocurrency.
 ## I disabled Just-in-time compilation in my browser. Why is Anubis slow?
 Anubis proof-of-work checks run an open source JavaScript program in your browser. These checks do a lot of complicated math and aim to be done quickly, so the execution speed depends on [Just-in-time (JIT) compilation](https://en.wikipedia.org/wiki/Just-in-time_compilation). JIT compiles JavaScript from the Internet into native machine code at runtime. The code produced by the JIT engine is almost as good as if it was written in a native programming language and compiled for your computer in particular. Without JIT, all JavaScript programs on every website you visit run through a slow interpreter.
 This interpreter is much slower than native code because it has to translate each low level JavaScript operation into many dozens of calls to execute. This means that using the interpreter incurs a massive performance hit by its very nature; it takes longer to add numbers than if the CPU just added the numbers directly.
 Some users choose to disable JIT as a hardening measure against theoretical browser exploits. This is a reasonable choice if you face targeted attacks from well-resourced adversaries (such as nation-state actors), but it comes with real performance costs.
 If you've disabled JIT and find Anubis checks slow, re-enabling JIT is the fix. There is no way for Anubis to work around this on our end.
 ## What versions of browsers does Anubis support?
 Anubis is written mainly by a single person in a basement in Canada. As such it is impossible for Anubis to support every version of every browser on the planet. As such, here's a few rules of thumb for the browsers that Anubis focuses on supporting:
 - At least the two (2) most recent LTS releases of Firefox and Chrome.
 - At least the version of Chromium as used by the Samsung Browser on Android.
 - At least the last version of Chromium and Firefox that are known to run on Windows 7.
 - At least the version of Safari that runs on the second-to-oldest iPhone model currently on the market.
 We cannot give more cohesive version bounds than this. If you run into problems, please file an issue. Sometimes you may just need to upgrade hardware though.
@@ -38,10 +38,8 @@ This page contains a non-exhaustive list with all websites using Anubis.
 - https://squirreljme.cc/
 - https://superlove.sayitditto.net/
 - https://svnweb.freebsd.org/
 - https://trac.ffmpeg.org/
 - https://tumfatig.net/
 - https://wiki.archlinux.org/
 - https://wiki.dolphin-emu.org/
 - https://wiki.freepascal.org/
 - https://wiki.koha-community.org/
 - https://www.cfaarchive.org/
@@ -53,6 +51,11 @@ This page contains a non-exhaustive list with all websites using Anubis.
  - https://bbs.archlinux32.org/
  - https://bugs.archlinux32.org/
  </details>
 - <details>
  <summary>Dolphin Emulator</summary>
  - https://forums.dolphin-emu.org/
  - https://wiki.dolphin-emu.org/
  </details>
 - <details>
  <summary>Duke University</summary>
  - https://repository.duke.edu/
@@ -60,6 +63,11 @@ This page contains a non-exhaustive list with all websites using Anubis.
  - https://find.library.duke.edu/
  - https://nicholas.duke.edu/
  </details>
 - <details>
  <summary>FFmpeg</summary>
  - https://git.ffmpeg.org/
  - https://trac.ffmpeg.org/
  </details>
 - <details>
  <summary>Forschungszentrum Jülich</summary>
  - https://juser.fz-juelich.de/
@@ -112,11 +120,8 @@ This page contains a non-exhaustive list with all websites using Anubis.
  - https://git.kernel.org/
  - https://lore.kernel.org/
  </details>
 - <details>
  <summary>The United Nations</summary>
  - https://policytoolbox.iiep.unesco.org/
  </details>
 - <details>
  <summary>Valve Corporation</summary>
  - https://developer.valvesoftware.com/wiki/Main_Page
  - https://wiki.teamfortress.com/wiki/Main_Page
  </details>
@@ -0,0 +1,37 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Generator: Adobe Illustrator 15.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 width="250px" height="42px" viewBox="0 0.05 250 42" enable-background="new 0 0.05 250 42" xml:space="preserve">
 <g>
 	<rect y="0.15" fill="#FFFFFF" width="42" height="42"/>
 	<polygon fill="#FF0600" points="0,42.05 10.5,42.05 10.5,10.55 31.5,10.55 31.5,31.55 21,31.55 10.5,42.05 42,42.05 42,0.05 
 		0,0.05 	"/>
 	<path fill="#222222" d="M59.1,24.95h-2.2v9.6h-5.3V8.05h7.5c5.7,0,7.5,3.3,7.5,8.5C66.6,21.65,64.9,24.95,59.1,24.95z M59,12.75h-2
 		v7.4h2c2.2,0,2.3-2,2.3-3.7C61.3,14.85,61.2,12.75,59,12.75z"/>
 	<path fill="#222222" d="M80.1,34.55l-3.2-10.3h-1.8v10.3h-5.3V8.05h7.6c5.8,0,7.4,3,7.4,8.1c0,2.8-0.4,5.4-3,7l3.9,11.5h-5.6V34.55
 		z M77.3,12.75h-2.2v6.7h2.2c2,0,2.1-1.8,2.1-3.4C79.4,14.55,79.3,12.75,77.3,12.75z"/>
 	<path fill="#222222" d="M101.2,32.149c-1.2,1.5-2.9,2.7-5.8,2.7s-4.6-1.2-5.8-2.7c-1.9-2.3-2-5.8-2-10.899c0-5.1,0.1-8.6,2-10.9
 		c1.2-1.5,2.9-2.7,5.8-2.7s4.6,1.2,5.8,2.7c1.9,2.3,2,5.8,2,10.9C103.2,26.35,103.1,29.85,101.2,32.149z M97.2,13.55
 		c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.8,1c-0.6,1.2-0.7,4.5-0.7,7.7c0,3.2,0.1,6.5,0.7,7.8c0.3,0.6,0.8,1,1.8,1s1.5-0.4,1.8-1
 		c0.6-1.2,0.7-4.5,0.7-7.8C97.9,18.05,97.8,14.75,97.2,13.55z"/>
 	<path fill="#222222" d="M106.5,34.55V8.05h5.3v21.8h6.9v4.8h-12.2V34.55z"/>
 	<path fill="#222222" d="M133.7,32.149c-1.2,1.5-2.9,2.7-5.8,2.7c-2.9,0-4.601-1.2-5.8-2.7c-1.9-2.3-2-5.8-2-10.899
 		c0-5.1,0.1-8.6,2-10.9c1.2-1.5,2.9-2.7,5.8-2.7c2.899,0,4.6,1.2,5.8,2.7c1.899,2.3,2,5.8,2,10.9
 		C135.7,26.35,135.6,29.85,133.7,32.149z M129.7,13.55c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.801,1c-0.6,1.2-0.7,4.5-0.7,7.7
 		c0,3.2,0.1,6.5,0.7,7.8c0.301,0.6,0.801,1,1.801,1s1.5-0.4,1.8-1c0.6-1.2,0.7-4.5,0.7-7.8C130.4,18.05,130.3,14.75,129.7,13.55z"/>
 	<path fill="#222222" d="M151.3,32.95c-1.3,1.3-2.899,1.899-5.1,1.899c-2.9,0-4.601-1.2-5.8-2.7c-1.9-2.3-2-5.8-2-10.899
 		c0-5.1,0.1-8.6,2-10.9c1.199-1.5,2.899-2.7,5.8-2.7c2.2,0,3.8,0.6,5.1,1.9c1.4,1.3,2.3,3.4,2.4,5.9h-5.3c0-0.7-0.101-1.5-0.4-2
 		c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.8,1c-0.601,1.2-0.7,4.5-0.7,7.7c0,3.2,0.1,6.5,0.7,7.8c0.3,0.6,0.8,1,1.8,1s1.5-0.4,1.8-1
 		c0.3-0.601,0.4-1.301,0.4-2.101h5.3C153.6,29.55,152.7,31.649,151.3,32.95z"/>
 	<path fill="#222222" d="M167.8,34.55l-0.899-4.1H160.8l-0.899,4.1h-5.5l6.899-26.5h5.2l6.8,26.5H167.8z M163.9,15.85l-2,9.8h4.1
 		L163.9,15.85z"/>
 	<path fill="#222222" d="M182.2,12.75v21.8h-5.3v-21.8h-4.5v-4.7H186.6v4.8H182.2V12.75z"/>
 	<path fill="#222222" d="M189.5,34.55V8.05h5.3v26.5H189.5z"/>
 	<path fill="#222222" d="M211.7,32.149c-1.2,1.5-2.9,2.7-5.8,2.7c-2.9,0-4.601-1.2-5.801-2.7c-1.899-2.3-2-5.8-2-10.899
 		c0-5.1,0.101-8.6,2-10.9c1.2-1.5,2.9-2.7,5.801-2.7c2.899,0,4.6,1.2,5.8,2.7c1.899,2.3,2,5.8,2,10.9
 		C213.7,26.35,213.5,29.85,211.7,32.149z M207.6,13.55c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.8,1c-0.6,1.2-0.7,4.5-0.7,7.7
 		c0,3.2,0.101,6.5,0.7,7.8c0.3,0.6,0.8,1,1.8,1s1.5-0.4,1.8-1c0.601-1.2,0.7-4.5,0.7-7.8C208.3,18.05,208.3,14.75,207.6,13.55z"/>
 	<path fill="#222222" d="M227.9,34.55l-5.601-13v13H217V8.05h4.6l5.5,13v-13h5.301v26.5H227.9z"/>
 </g>
 </svg>
@@ -36,7 +36,7 @@ func Glob(pattern, subj string) bool {
 	end := len(parts) - 1
 	// Go over the leading parts and ensure they match.
-	for i := 0; i < end; i++ {
+	for i := range end {
 		idx := strings.Index(subj, parts[i])
 		switch i {
@@ -184,7 +184,7 @@ func TestHashCollisions(t *testing.T) {
 	for _, prefix := range prefixes {
 		for _, suffix := range suffixes {
 			for _, variation := range variations {
-				for i := 0; i < 100; i++ {
+				for i := range 100 {
 					input := fmt.Sprintf("%s%s%s-%d", prefix, suffix, variation, i)
 					hash := XXHash64sum(input)
 					if existing, exists := xxhashHashes[hash]; exists {
@@ -211,7 +211,7 @@ func TestHashCollisions(t *testing.T) {
 	seqCount := 0
 	for _, pattern := range patterns {
-		for i := 0; i < 10000; i++ {
+		for i := range 10000 {
 			input := fmt.Sprintf(pattern, i)
 			hash := XXHash64sum(input)
 			if existing, exists := xxhashHashes[hash]; exists {
@@ -120,7 +120,7 @@ func (i *Impl) makeAffirmations() []string {
 	count := rand.IntN(5) + 1
 	var result []string
-	for j := 0; j < count; j++ {
+	for range count {
 		result = append(result, i.affirmation.Spin())
 	}
@@ -131,7 +131,7 @@ func (i *Impl) makeSpins() []string {
 	count := rand.IntN(5) + 1
 	var result []string
-	for j := 0; j < count; j++ {
+	for range count {
 		result = append(result, i.body.Spin())
 	}
@@ -16,7 +16,7 @@ func (lo *ListOr[T]) UnmarshalJSON(data []byte) error {
 	// Check if first non-whitespace character is '['
 	firstChar := data[0]
-	for i := 0; i < len(data); i++ {
+	for i := range data {
 		if data[i] != ' ' && data[i] != '\t' && data[i] != '\n' && data[i] != '\r' {
 			firstChar = data[i]
 			break
@@ -95,7 +95,7 @@ func TestMemoryUsage(t *testing.T) {
 	// Run getTarget many times
 	u, _ := url.Parse("/path/to/resource?query=1&foo=bar&baz=qux")
-	for i := 0; i < 10000; i++ {
+	for range 10000 {
 		_ = cache.getTarget(u)
 	}
@@ -129,7 +129,7 @@ func TestMemoryUsage(t *testing.T) {
 	runtime.GC()
 	runtime.ReadMemStats(&m1)
-	for i := 0; i < 1000; i++ {
+	for range 1000 {
 		_ = cache.extractOGTags(doc)
 	}
@@ -3,6 +3,7 @@ package ogtags
 import (
 	"context"
 	"net/url"
 	"slices"
 	"strings"
 	"testing"
 	"unicode/utf8"
@@ -78,7 +79,7 @@ func FuzzGetTarget(f *testing.F) {
 		}
 		// Ensure no memory corruption by calling multiple times
-		for i := 0; i < 3; i++ {
+		for range 3 {
 			result2 := cache.getTarget(u)
 			if result != result2 {
 				t.Errorf("getTarget not deterministic: %q != %q", result, result2)
@@ -148,11 +149,8 @@ func FuzzExtractOGTags(f *testing.F) {
 				}
 			}
 			if !approved {
-				for _, tag := range cache.approvedTags {
+				if slices.Contains(cache.approvedTags, property) {
 					if property == tag {
 					approved = true
 						break
 					}
 				}
 			}
 			if !approved {
@@ -260,11 +258,8 @@ func FuzzExtractMetaTagInfo(f *testing.F) {
 				}
 			}
 			if !approved {
-				for _, tag := range cache.approvedTags {
+				if slices.Contains(cache.approvedTags, property) {
 					if property == tag {
 					approved = true
 						break
 					}
 				}
 			}
 			if !approved {
@@ -1,6 +1,7 @@
 package ogtags
 import (
 	"slices"
 	"strings"
 	"golang.org/x/net/html"
@@ -65,11 +66,9 @@ func (c *OGTagCache) extractMetaTagInfo(n *html.Node) (property, content string)
 	}
 	// Check exact matches
-	for _, tag := range c.approvedTags {
+	if slices.Contains(c.approvedTags, propertyKey) {
 		if propertyKey == tag {
 		return propertyKey, content
 	}
 	}
 	return "", content
 }
@@ -0,0 +1,92 @@
 package internal
 import (
 	"errors"
 	"fmt"
 	"net"
 	"net/url"
 	"os"
 	"strconv"
 	"strings"
 )
 // parseBindNetFromAddr determine bind network and address based on the given network and address.
 func parseBindNetFromAddr(address string) (string, string, error) {
 	defaultScheme := "http://"
 	if !strings.Contains(address, "://") {
 		if strings.HasPrefix(address, ":") {
 			address = defaultScheme + "localhost" + address
 		} else {
 			address = defaultScheme + address
 		}
 	}
 	bindUri, err := url.Parse(address)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to parse bind URL: %w", err)
 	}
 	switch bindUri.Scheme {
 	case "unix":
 		return "unix", bindUri.Path, nil
 	case "tcp", "http", "https":
 		return "tcp", bindUri.Host, nil
 	default:
 		return "", "", fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address)
 	}
 }
 // SetupListener sets up a network listener based on the input from configuration
 // envvars. It returns a network listener and the URL to that listener or an error.
 func SetupListener(network, address, socketMode string) (net.Listener, string, error) {
 	formattedAddress := ""
 	var err error
 	if network == "" {
 		// keep compatibility
 		network, address, err = parseBindNetFromAddr(address)
 	}
 	if err != nil {
 		return nil, "", fmt.Errorf("can't parse bind and network: %w", err)
 	}
 	switch network {
 	case "unix":
 		formattedAddress = "unix:" + address
 	case "tcp":
 		if strings.HasPrefix(address, ":") { // assume it's just a port e.g. :4259
 			formattedAddress = "http://localhost" + address
 		} else {
 			formattedAddress = "http://" + address
 		}
 	default:
 		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
 	}
 	ln, err := net.Listen(network, address)
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to bind to %s: %w", formattedAddress, err)
 	}
 	// additional permission handling for unix sockets
 	if network == "unix" {
 		mode, err := strconv.ParseUint(socketMode, 8, 0)
 		if err != nil {
 			ln.Close()
 			return nil, "", fmt.Errorf("could not parse socket mode %s: %w", socketMode, err)
 		}
 		err = os.Chmod(address, os.FileMode(mode))
 		if err != nil {
 			err := fmt.Errorf("could not change socket mode: %w", err)
 			clErr := ln.Close()
 			if clErr != nil {
 				return nil, "", errors.Join(err, clErr)
 			}
 			return nil, "", err
 		}
 	}
 	return ln, formattedAddress, nil
 }
@@ -0,0 +1,180 @@
 package internal
 import (
 	"io/fs"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"testing"
 )
 func TestParseBindNetFromAddr(t *testing.T) {
 	for _, tt := range []struct {
 		name    string
 		address string
 		wantErr bool
 		network string
 		bind    string
 	}{
 		{
 			name:    "simple tcp",
 			address: "localhost:9090",
 			wantErr: false,
 			network: "tcp",
 			bind:    "localhost:9090",
 		},
 		{
 			name:    "simple unix",
 			address: "unix:///tmp/foo.sock",
 			wantErr: false,
 			network: "unix",
 			bind:    "/tmp/foo.sock",
 		},
 		{
 			name:    "invalid network",
 			address: "foo:///tmp/bar.sock",
 			wantErr: true,
 		},
 		{
 			name:    "tcp uri",
 			address: "tcp://[::]:9090",
 			wantErr: false,
 			network: "tcp",
 			bind:    "[::]:9090",
 		},
 		{
 			name:    "http uri",
 			address: "http://[::]:9090",
 			wantErr: false,
 			network: "tcp",
 			bind:    "[::]:9090",
 		},
 		{
 			name:    "https uri",
 			address: "https://[::]:9090",
 			wantErr: false,
 			network: "tcp",
 			bind:    "[::]:9090",
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			network, bind, err := parseBindNetFromAddr(tt.address)
 			switch {
 			case tt.wantErr && err == nil:
 				t.Errorf("parseBindNetFromAddr(%q) should have errored but did not", tt.address)
 			case !tt.wantErr && err != nil:
 				t.Errorf("parseBindNetFromAddr(%q) threw an error: %v", tt.address, err)
 			}
 			if network != tt.network {
 				t.Errorf("parseBindNetFromAddr(%q) wanted network: %q, got: %q", tt.address, tt.network, network)
 			}
 			if bind != tt.bind {
 				t.Errorf("parseBindNetFromAddr(%q) wanted bind: %q, got: %q", tt.address, tt.bind, bind)
 			}
 		})
 	}
 }
 func TestSetupListener(t *testing.T) {
 	td := t.TempDir()
 	for _, tt := range []struct {
 		name                         string
 		network, address, socketMode string
 		wantErr                      bool
 		socketURLPrefix              string
 	}{
 		{
 			name:            "simple tcp",
 			network:         "",
 			address:         ":0",
 			wantErr:         false,
 			socketURLPrefix: "http://localhost:",
 		},
 		{
 			name:            "simple unix",
 			network:         "",
 			address:         "unix://" + filepath.Join(td, "a"),
 			socketMode:      "0770",
 			wantErr:         false,
 			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
 		},
 		{
 			name:            "tcp",
 			network:         "tcp",
 			address:         ":0",
 			wantErr:         false,
 			socketURLPrefix: "http://localhost:",
 		},
 		{
 			name:            "udp",
 			network:         "udp",
 			address:         ":0",
 			wantErr:         true,
 			socketURLPrefix: "http://localhost:",
 		},
 		{
 			name:            "unix socket",
 			network:         "unix",
 			socketMode:      "0770",
 			address:         filepath.Join(td, "a"),
 			wantErr:         false,
 			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
 		},
 		{
 			name:            "invalid socket mode",
 			network:         "unix",
 			socketMode:      "taco bell",
 			address:         filepath.Join(td, "a"),
 			wantErr:         true,
 			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
 		},
 		{
 			name:            "empty socket mode",
 			network:         "unix",
 			socketMode:      "",
 			address:         filepath.Join(td, "a"),
 			wantErr:         true,
 			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			ln, socketURL, err := SetupListener(tt.network, tt.address, tt.socketMode)
 			switch {
 			case tt.wantErr && err == nil:
 				t.Errorf("SetupListener(%q, %q, %q) should have errored but did not", tt.network, tt.address, tt.socketMode)
 			case !tt.wantErr && err != nil:
 				t.Fatalf("SetupListener(%q, %q, %q) threw an error: %v", tt.network, tt.address, tt.socketMode, err)
 			}
 			if ln != nil {
 				defer ln.Close()
 			}
 			if !tt.wantErr && !strings.HasPrefix(socketURL, tt.socketURLPrefix) {
 				t.Errorf("SetupListener(%q, %q, %q) should have returned a URL with prefix %q but got: %q", tt.network, tt.address, tt.socketMode, tt.socketURLPrefix, socketURL)
 			}
 			if tt.socketMode != "" {
 				mode, err := strconv.ParseUint(tt.socketMode, 8, 0)
 				if err != nil {
 					return
 				}
 				sockPath := strings.TrimPrefix(socketURL, "unix:")
 				st, err := os.Stat(sockPath)
 				if err != nil {
 					t.Fatalf("can't os.Stat(%q): %v", sockPath, err)
 				}
 				if st.Mode().Perm() != fs.FileMode(mode) {
 					t.Errorf("file mode of %q should be %s but is actually %s", sockPath, strconv.FormatUint(mode, 8), strconv.FormatUint(uint64(st.Mode()), 8))
 				}
 			}
 		})
 	}
 }
@@ -270,7 +270,7 @@ func TestPlaywrightBrowser(t *testing.T) {
 				var performedAction action
 				var err error
-				for i := 0; i < 5; i++ {
+				for i := range 5 {
 					performedAction, err = executeTestCase(t, tc, typ, anubisURL)
 					if performedAction == tc.action {
 						break
@@ -81,11 +81,11 @@ type Server struct {
 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
 	// return ED25519 key if HS512 is not set
 	if len(s.hs512Secret) == 0 {
-		return func(token *jwt.Token) (interface{}, error) {
+		return func(token *jwt.Token) (any, error) {
 			return s.ed25519Priv.Public().(ed25519.PublicKey), nil
 		}
 	} else {
-		return func(token *jwt.Token) (interface{}, error) {
+		return func(token *jwt.Token) (any, error) {
 			return s.hs512Secret, nil
 		}
 	}
@@ -106,6 +106,13 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 		//return nil, errors.New("[unexpected] this codepath should be impossible, asked to issue a challenge for a non-challenge rule")
 	}
 	if rule.Challenge == nil {
 		rule.Challenge = &config.ChallengeRules{
 			Difficulty: s.policy.DefaultDifficulty,
 			Algorithm:  config.DefaultAlgorithm,
 		}
 	}
 	id, err := uuid.NewV7()
 	if err != nil {
 		return nil, err
@@ -491,7 +498,11 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	chall, err := s.getChallenge(r)
 	if err != nil {
 		lg.Error("getChallenge failed", "err", err)
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
+		algorithm := "unknown"
 		if rule.Challenge != nil {
 			algorithm = rule.Challenge.Algorithm
 		}
 		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
 		return
 	}
@@ -638,8 +649,16 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 		}
 		if matches {
 			challRules := t.Challenge
 			if challRules == nil {
 				// Non-CHALLENGE thresholds (ALLOW/DENY) don't have challenge config.
 				// Use an empty struct so hydrateChallengeRule can fill from stored
 				// challenge data during validation, rather than baking in defaults
 				// that could mismatch the difficulty the client actually solved for.
 				challRules = &config.ChallengeRules{}
 			}
 			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
-				Challenge: t.Challenge,
+				Challenge: challRules,
 				Rules:     &checker.List{},
 			}, nil
 		}
@@ -38,8 +38,8 @@ func NewTLogWriter(t *testing.T) io.Writer {
 // Write splits input on newlines and logs each line separately.
 func (w *TLogWriter) Write(p []byte) (n int, err error) {
-	lines := strings.Split(string(p), "\n")
+	lines := strings.SplitSeq(string(p), "\n")
-	for _, line := range lines {
+	for line := range lines {
 		if line != "" {
 			w.t.Log(line)
 		}
@@ -10,6 +10,7 @@ var (
 	ErrFailed        = errors.New("challenge: user failed challenge")
 	ErrMissingField  = errors.New("challenge: missing field")
 	ErrInvalidFormat = errors.New("challenge: field has invalid format")
 	ErrInvalidInput  = errors.New("challenge: input is nil or missing required fields")
 )
 func NewError(verb, publicReason string, privateReason error) *Error {
@@ -1,6 +1,7 @@
 package challenge
 import (
 	"fmt"
 	"log/slog"
 	"net/http"
 	"sort"
@@ -50,12 +51,44 @@ type IssueInput struct {
 	Store     store.Interface
 }
 func (in *IssueInput) Valid() error {
 	if in == nil {
 		return fmt.Errorf("%w: IssueInput is nil", ErrInvalidInput)
 	}
 	if in.Rule == nil {
 		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
 	}
 	if in.Rule.Challenge == nil {
 		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
 	}
 	if in.Challenge == nil {
 		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
 	}
 	return nil
 }
 type ValidateInput struct {
 	Rule      *policy.Bot
 	Challenge *Challenge
 	Store     store.Interface
 }
 func (in *ValidateInput) Valid() error {
 	if in == nil {
 		return fmt.Errorf("%w: ValidateInput is nil", ErrInvalidInput)
 	}
 	if in.Rule == nil {
 		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
 	}
 	if in.Rule.Challenge == nil {
 		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
 	}
 	if in.Challenge == nil {
 		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
 	}
 	return nil
 }
 type Impl interface {
 	// Setup registers any additional routes with the Impl for assets or API routes.
 	Setup(mux *http.ServeMux)
@@ -24,6 +24,10 @@ type Impl struct{}
 func (i *Impl) Setup(mux *http.ServeMux) {}
 func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
 	if err := in.Valid(); err != nil {
 		return nil, err
 	}
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -49,6 +53,10 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }
 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
 	if err := in.Valid(); err != nil {
 		return challenge.NewError("validate", "invalid input", err)
 	}
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 800 * time.Millisecond)
 	if time.Now().Before(wantTime) {
@@ -39,6 +39,10 @@ type impl struct{}
 func (i *impl) Setup(mux *http.ServeMux) {}
 func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
 	if err := in.Valid(); err != nil {
 		return nil, err
 	}
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -57,6 +61,10 @@ func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }
 func (i *impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
 	if err := in.Valid(); err != nil {
 		return challenge.NewError("validate", "invalid input", err)
 	}
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 80 * time.Millisecond)
 	if time.Now().Before(wantTime) {
@@ -33,6 +33,10 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }
 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
 	if err := in.Valid(); err != nil {
 		return chall.NewError("validate", "invalid input", err)
 	}
 	rule := in.Rule
 	challenge := in.Challenge.RandomData
@@ -30,6 +30,62 @@ func mkRequest(t *testing.T, values map[string]string) *http.Request {
 	return req
 }
 // TestValidateNilRuleChallenge reproduces the panic from
 // https://github.com/TecharoHQ/anubis/issues/1463
 //
 // When a threshold rule matches during PassChallenge, check() can return
 // a policy.Bot with Challenge == nil. After hydrateChallengeRule fails to
 // run (or the error path hits before it), Validate dereferences
 // rule.Challenge.Difficulty and panics.
 func TestValidateNilRuleChallenge(t *testing.T) {
 	i := &Impl{Algorithm: "fast"}
 	lg := slog.With()
 	// This is the exact response for SHA256("hunter" + "0") with 0 leading zeros required.
 	const challengeStr = "hunter"
 	const response = "2652bdba8fb4d2ab39ef28d8534d7694c557a4ae146c1e9237bd8d950280500e"
 	req := mkRequest(t, map[string]string{
 		"nonce":       "0",
 		"elapsedTime": "69",
 		"response":    response,
 	})
 	for _, tc := range []struct {
 		name  string
 		input *challenge.ValidateInput
 	}{
 		{
 			name: "nil-rule-challenge",
 			input: &challenge.ValidateInput{
 				Rule:      &policy.Bot{},
 				Challenge: &challenge.Challenge{RandomData: challengeStr},
 			},
 		},
 		{
 			name: "nil-rule",
 			input: &challenge.ValidateInput{
 				Challenge: &challenge.Challenge{RandomData: challengeStr},
 			},
 		},
 		{
 			name:  "nil-challenge",
 			input: &challenge.ValidateInput{Rule: &policy.Bot{Challenge: &config.ChallengeRules{Algorithm: "fast"}}},
 		},
 		{
 			name:  "nil-input",
 			input: nil,
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			err := i.Validate(req, lg, tc.input)
 			if !errors.Is(err, challenge.ErrInvalidInput) {
 				t.Fatalf("expected ErrInvalidInput, got: %v", err)
 			}
 		})
 	}
 }
 func TestBasic(t *testing.T) {
 	i := &Impl{Algorithm: "fast"}
 	bot := &policy.Bot{
@@ -19,7 +19,7 @@ import (
 var (
 	ErrNoBotRulesDefined                 = errors.New("config: must define at least one (1) bot rule")
 	ErrBotMustHaveName                   = errors.New("config.Bot: must set name")
-	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex, headers_regex, or remote_addresses")
+	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set one of user_agent_regex, path_regex, headers_regex, remote_addresses, expression, or Thoth keyword")
 	ErrBotMustHaveUserAgentOrPathNotBoth = errors.New("config.Bot: must set either user_agent_regex, path_regex, and not both")
 	ErrUnknownAction                     = errors.New("config.Bot: unknown action")
 	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
@@ -228,8 +228,8 @@ type ImportStatement struct {
 }
 func (is *ImportStatement) open() (fs.File, error) {
-	if strings.HasPrefix(is.Import, "(data)/") {
+	if after, ok := strings.CutPrefix(is.Import, "(data)/"); ok {
-		fname := strings.TrimPrefix(is.Import, "(data)/")
+		fname := after
 		fin, err := data.BotPolicies.Open(fname)
 		return fin, err
 	}
@@ -325,7 +325,7 @@ func (sc StatusCodes) Valid() error {
 }
 type fileConfig struct {
-	OpenGraph   openGraphFileConfig `json:"openGraph,omitempty"`
+	OpenGraph   openGraphFileConfig `json:"openGraph"`
 	Impressum   *Impressum          `json:"impressum,omitempty"`
 	Store       *Store              `json:"store"`
 	Bots        []BotOrImport       `json:"bots"`
@@ -334,6 +334,7 @@ type fileConfig struct {
 	DNSBL       bool                `json:"dnsbl"`
 	DNSTTL      DnsTTL              `json:"dns_ttl"`
 	Logging     *Logging            `json:"logging"`
 	Metrics     *Metrics            `json:"metrics,omitempty"`
 }
 func (c *fileConfig) Valid() error {
@@ -375,6 +376,12 @@ func (c *fileConfig) Valid() error {
 		}
 	}
 	if c.Metrics != nil {
 		if err := c.Metrics.Valid(); err != nil {
 			errs = append(errs, err)
 		}
 	}
 	if len(errs) != 0 {
 		return fmt.Errorf("config is not valid:\n%w", errors.Join(errs...))
 	}
@@ -417,6 +424,7 @@ func Load(fin io.Reader, fname string) (*Config, error) {
 		StatusCodes: c.StatusCodes,
 		Store:       c.Store,
 		Logging:     c.Logging,
 		Metrics:     c.Metrics,
 	}
 	if c.OpenGraph.TimeToLive != "" {
@@ -508,6 +516,7 @@ type Config struct {
 	Logging     *Logging
 	DNSBL       bool
 	DNSTTL      DnsTTL
 	Metrics     *Metrics
 }
 func (c Config) Valid() error {
@@ -188,7 +188,6 @@ func TestBotValid(t *testing.T) {
 	}
 	for _, cs := range tests {
 		cs := cs
 		t.Run(cs.name, func(t *testing.T) {
 			err := cs.bot.Valid()
 			if err == nil && cs.err == nil {
@@ -216,7 +215,6 @@ func TestConfigValidKnownGood(t *testing.T) {
 	}
 	for _, st := range finfos {
 		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			fin, err := os.Open(filepath.Join("testdata", "good", st.Name()))
 			if err != nil {
@@ -303,7 +301,6 @@ func TestConfigValidBad(t *testing.T) {
 	}
 	for _, st := range finfos {
 		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			fin, err := os.Open(filepath.Join("testdata", "bad", st.Name()))
 			if err != nil {
@@ -0,0 +1,54 @@
 package config
 import (
 	"errors"
 	"fmt"
 	"strconv"
 )
 var (
 	ErrInvalidMetricsConfig     = errors.New("config: invalid metrics configuration")
 	ErrNoMetricsBind            = errors.New("config.Metrics: must define bind")
 	ErrNoMetricsNetwork         = errors.New("config.Metrics: must define network")
 	ErrNoMetricsSocketMode      = errors.New("config.Metrics: must define socket mode when using unix sockets")
 	ErrInvalidMetricsSocketMode = errors.New("config.Metrics: invalid unix socket mode")
 	ErrInvalidMetricsNetwork    = errors.New("config.Metrics: invalid metrics network")
 )
 type Metrics struct {
 	Bind       string `json:"bind" yaml:"bind"`
 	Network    string `json:"network" yaml:"network"`
 	SocketMode string `json:"socketMode" yaml:"socketMode"`
 }
 func (m *Metrics) Valid() error {
 	var errs []error
 	if m.Bind == "" {
 		errs = append(errs, ErrNoMetricsBind)
 	}
 	if m.Network == "" {
 		errs = append(errs, ErrNoMetricsNetwork)
 	}
 	switch m.Network {
 	case "tcp", "tcp4", "tcp6": // https://pkg.go.dev/net#Listen
 	case "unix":
 		if m.SocketMode == "" {
 			errs = append(errs, ErrNoMetricsSocketMode)
 		}
 		if _, err := strconv.ParseUint(m.SocketMode, 8, 0); err != nil {
 			errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidMetricsSocketMode, err))
 		}
 	default:
 		errs = append(errs, ErrInvalidMetricsNetwork)
 	}
 	if len(errs) != 0 {
 		return errors.Join(ErrInvalidMetricsConfig, errors.Join(errs...))
 	}
 	return nil
 }
@@ -0,0 +1,87 @@
 package config
 import (
 	"errors"
 	"testing"
 )
 func TestMetricsValid(t *testing.T) {
 	for _, tt := range []struct {
 		name  string
 		input *Metrics
 		err   error
 	}{
 		{
 			name: "basic TCP",
 			input: &Metrics{
 				Bind:    ":9090",
 				Network: "tcp",
 			},
 		},
 		{
 			name: "basic TCP4",
 			input: &Metrics{
 				Bind:    ":9090",
 				Network: "tcp4",
 			},
 		},
 		{
 			name: "basic TCP6",
 			input: &Metrics{
 				Bind:    ":9090",
 				Network: "tcp6",
 			},
 		},
 		{
 			name: "basic unix",
 			input: &Metrics{
 				Bind:       "/tmp/anubis-metrics.sock",
 				Network:    "unix",
 				SocketMode: "0770",
 			},
 		},
 		{
 			name:  "no bind",
 			input: &Metrics{},
 			err:   ErrNoMetricsBind,
 		},
 		{
 			name:  "no network",
 			input: &Metrics{},
 			err:   ErrNoMetricsNetwork,
 		},
 		{
 			name: "no unix socket mode",
 			input: &Metrics{
 				Bind:    "/tmp/anubis-metrics.sock",
 				Network: "unix",
 			},
 			err: ErrNoMetricsSocketMode,
 		},
 		{
 			name: "invalid unix socket mode",
 			input: &Metrics{
 				Bind:       "/tmp/anubis-metrics.sock",
 				Network:    "unix",
 				SocketMode: "taco bell",
 			},
 			err: ErrInvalidMetricsSocketMode,
 		},
 		{
 			name: "invalid network",
 			input: &Metrics{
 				Bind:    ":9090",
 				Network: "taco",
 			},
 			err: ErrInvalidMetricsNetwork,
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
 				t.Logf("wanted error: %v", tt.err)
 				t.Logf("got error:    %v", err)
 				t.Error("validation failed")
 			}
 		})
 	}
 }
@@ -0,0 +1,3 @@
 metrics:
  bind: ":9090"
  network: taco
@@ -5,5 +5,9 @@
      "remote_addresses": ["0.0.0.0/0", "::/0"],
      "action": "ALLOW"
    }
-  ]
+  ],
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -4,3 +4,7 @@ bots:
      - "0.0.0.0/0"
      - "::/0"
    action: ALLOW
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -8,5 +8,9 @@
      "action": "DENY"
    }
  ],
-  "dnsbl": false
+  "dnsbl": false,
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -3,3 +3,7 @@ bots:
    headers_regex:
      CF-Worker: .*
    action: DENY
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -4,3 +4,7 @@ bots:
    asns:
      match:
        - 13335 # Cloudflare
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -5,5 +5,9 @@
      "user_agent_regex": "Mozilla",
      "action": "CHALLENGE"
    }
-  ]
+  ],
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -2,3 +2,7 @@ bots:
  - name: generic-browser
    user_agent_regex: Mozilla
    action: CHALLENGE
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -6,3 +6,7 @@ bots:
  - name: "test"
    user_agent_regex: ".*"
    action: "DENY"
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -6,3 +6,7 @@ bots:
        - '"Accept" in headers'
        - headers["Accept"].contains("text/html")
        - randInt(1) == 0
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -6,5 +6,9 @@
      "action": "DENY"
    }
  ],
-  "dnsbl": false
+  "dnsbl": false,
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -2,3 +2,7 @@ bots:
  - name: everything
    user_agent_regex: .*
    action: DENY
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -4,3 +4,7 @@ bots:
    geoip:
      countries:
        - US
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -10,5 +10,9 @@
        ]
      }
    }
-  ]
+  ],
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -6,3 +6,7 @@ bots:
        - userAgent.startsWith("git/") || userAgent.contains("libgit")
        - >
          "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -3,5 +3,9 @@
    {
      "import": "./testdata/hack-test.json"
    }
-  ]
+  ],
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -1,2 +1,6 @@
 bots:
  - import: ./testdata/hack-test.yaml
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -3,5 +3,9 @@
    {
      "import": "(data)/common/keep-internet-working.yaml"
    }
-  ]
+  ],
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -1,2 +1,6 @@
 bots:
  - import: (data)/common/keep-internet-working.yaml
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -8,3 +8,7 @@ impressum:
  page:
    title: Test
    body: <p>This is a test</p>
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -13,3 +13,7 @@ logs:
    oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
    compress: true
    useLocalTime: false # timezone for rotated files is UTC
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -5,3 +5,7 @@ bots:
 logging:
  sink: "stdio"
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -6,3 +6,7 @@ bots:
      adjust: 5
 thresholds: []
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -75,5 +75,9 @@
      "user_agent_regex": "Mozilla",
      "action": "CHALLENGE"
    }
-  ]
+  ],
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
@@ -10,3 +10,7 @@ openGraph:
  default:
    "og:title": "Xe's magic land of fun"
    "og:description": "We're no strangers to love, you know the rules and so do I"
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -4,3 +4,7 @@ bots:
    user_agent_regex: Mozilla
    weight:
      adjust: 5
 metrics:
  bind: ":9090"
  network: "tcp"
@@ -9,5 +9,9 @@
  "status_codes": {
    "CHALLENGE": 200,
    "DENY": 200
  },
  "metrics": {
    "bind": ":9090",
    "network": "tcp"
  }
 }
--- a/Show More
+++ b/Show More