Merge branch 'main' into Xe/osiris

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

.devcontainer/devcontainer.json

@@ -21,7 +21,9 @@
         "golang.go",
         "unifiedjs.vscode-mdx",
         "a-h.templ",
-        "redhat.vscode-yaml"
+        "redhat.vscode-yaml",
+        "hashicorp.hcl",
+        "fredwangwang.vscode-hcl-format"
       ]
     }
   }

.dockerignore

@@ -0,0 +1,25 @@
+.env
+*.deb
+*.rpm
+
+# Additional package locks
+pnpm-lock.yaml
+yarn.lock
+
+# Go binaries and test artifacts
+main
+*.test
+
+node_modules
+
+# MacOS
+.DS_store
+
+# Intellij
+.idea
+
+# how does this get here
+doc/VERSION
+
+web/static/js/*
+!web/static/js/.gitignore

.github/workflows/docker-pr.yml

@@ -2,7 +2,7 @@ name: Docker image builds (pull requests)
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 env:
   DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@@ -11,7 +11,32 @@ permissions:
   contents: read
 
 jobs:
-  build:
+  buildx-bake:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build and push
+        id: build
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
+        with:
+          source: .
+          push: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          set: |
+            osiris.tags=ttl.sh/techaro/pr-${{ github.event.number }}/osiris:24h
+
+  containerbuild:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code

.github/workflows/docker.yml

@@ -17,7 +17,38 @@ permissions:
   pull-requests: write
 
 jobs:
-  build:
+  buildx-bake:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Log into registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        id: build
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
+        with:
+          source: .
+          push: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          set: ""
+
+  containerbuild:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code

.vscode/extensions.json

@@ -5,6 +5,8 @@
     "golang.go",
     "unifiedjs.vscode-mdx",
     "a-h.templ",
-    "redhat.vscode-yaml"
+    "redhat.vscode-yaml",
+    "hashicorp.hcl",
+    "fredwangwang.vscode-hcl-format"
   ]
 }

cmd/osiris/internal/config/bind.go

@@ -0,0 +1,39 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"net"
+)
+
+var (
+	ErrInvalidHostpost = errors.New("bind: invalid host:port")
+)
+
+type Bind struct {
+	HTTP    string `hcl:"http"`
+	HTTPS   string `hcl:"https"`
+	Metrics string `hcl:"metrics"`
+}
+
+func (b *Bind) Valid() error {
+	var errs []error
+
+	if _, _, err := net.SplitHostPort(b.HTTP); err != nil {
+		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidHostpost, b.HTTP, err))
+	}
+
+	if _, _, err := net.SplitHostPort(b.HTTPS); err != nil {
+		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidHostpost, b.HTTPS, err))
+	}
+
+	if _, _, err := net.SplitHostPort(b.Metrics); err != nil {
+		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidHostpost, b.Metrics, err))
+	}
+
+	if len(errs) != 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}

cmd/osiris/internal/config/bind_test.go

@@ -0,0 +1,55 @@
+package config
+
+import (
+	"errors"
+	"net"
+	"testing"
+)
+
+func TestBindValid(t *testing.T) {
+	for _, tt := range []struct {
+		name         string
+		precondition func(t *testing.T)
+		bind         Bind
+		err          error
+	}{
+		{
+			name:         "basic",
+			precondition: nil,
+			bind: Bind{
+				HTTP:    ":8081",
+				HTTPS:   ":8082",
+				Metrics: ":8083",
+			},
+			err: nil,
+		},
+		{
+			name: "invalid ports",
+			precondition: func(t *testing.T) {
+				ln, err := net.Listen("tcp", ":8081")
+				if err != nil {
+					t.Fatal(err)
+				}
+				t.Cleanup(func() { ln.Close() })
+			},
+			bind: Bind{
+				HTTP:    "",
+				HTTPS:   "",
+				Metrics: "",
+			},
+			err: ErrInvalidHostpost,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.precondition != nil {
+				tt.precondition(t)
+			}
+
+			if err := tt.bind.Valid(); !errors.Is(err, tt.err) {
+				t.Logf("want: %v", tt.err)
+				t.Logf("got:  %v", err)
+				t.Error("got wrong error from validation function")
+			}
+		})
+	}
+}

cmd/osiris/internal/config/config.go

@@ -0,0 +1,31 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+)
+
+type Toplevel struct {
+	Bind    Bind     `hcl:"bind,block"`
+	Domains []Domain `hcl:"domain,block"`
+}
+
+func (t *Toplevel) Valid() error {
+	var errs []error
+
+	if err := t.Bind.Valid(); err != nil {
+		errs = append(errs, fmt.Errorf("invalid bind block:\n%w", err))
+	}
+
+	for _, d := range t.Domains {
+		if err := d.Valid(); err != nil {
+			errs = append(errs, fmt.Errorf("when parsing domain %s: %w", d.Name, err))
+		}
+	}
+
+	if len(errs) != 0 {
+		return fmt.Errorf("invalid configuration file:\n%w", errors.Join(errs...))
+	}
+
+	return nil
+}

cmd/osiris/internal/config/domain.go

@@ -0,0 +1,66 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+
+	"golang.org/x/net/idna"
+)
+
+var (
+	ErrInvalidDomainName      = errors.New("domain: name is invalid")
+	ErrInvalidDomainTLSConfig = errors.New("domain: TLS config is invalid")
+	ErrInvalidURL             = errors.New("invalid URL")
+	ErrInvalidURLScheme       = errors.New("URL has invalid scheme")
+)
+
+type Domain struct {
+	Name               string `hcl:"name,label"`
+	TLS                TLS    `hcl:"tls,block"`
+	Target             string `hcl:"target"`
+	InsecureSkipVerify bool   `hcl:"insecure_skip_verify,optional"`
+	HealthTarget       string `hcl:"health_target"`
+}
+
+func (d Domain) Valid() error {
+	var errs []error
+
+	if _, err := idna.Lookup.ToASCII(d.Name); err != nil {
+		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidDomainName, d.Name, err))
+	}
+
+	if err := d.TLS.Valid(); err != nil {
+		errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidDomainTLSConfig, err))
+	}
+
+	if err := isURLValid(d.Target); err != nil {
+		errs = append(errs, fmt.Errorf("target has %w %q: %w", ErrInvalidURL, d.Target, err))
+	}
+
+	if err := isURLValid(d.HealthTarget); err != nil {
+		errs = append(errs, fmt.Errorf("health_target has %w %q: %w", ErrInvalidURL, d.HealthTarget, err))
+	}
+
+	if len(errs) != 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}
+
+func isURLValid(input string) error {
+	u, err := url.Parse(input)
+	if err != nil {
+		return err
+	}
+
+	switch u.Scheme {
+	case "http", "https", "h2c", "unix":
+		// do nothing
+	default:
+		return fmt.Errorf("%w %s has scheme %s (want http, https, h2c, unix)", ErrInvalidURLScheme, input, u.Scheme)
+	}
+
+	return nil
+}

cmd/osiris/internal/config/domain_test.go

@@ -0,0 +1,89 @@
+package config
+
+import (
+	"errors"
+	"testing"
+)
+
+func TestDomainValid(t *testing.T) {
+	for _, tt := range []struct {
+		name  string
+		input Domain
+		err   error
+	}{
+		{
+			name: "simple happy path",
+			input: Domain{
+				Name: "anubis.techaro.lol",
+				TLS: TLS{
+					Cert: "./testdata/tls/selfsigned.crt",
+					Key:  "./testdata/tls/selfsigned.key",
+				},
+				Target:       "http://localhost:3000",
+				HealthTarget: "http://localhost:9091/healthz",
+			},
+		},
+		{
+			name: "invalid domain name",
+			input: Domain{
+				Name: "\uFFFD.techaro.lol",
+				TLS: TLS{
+					Cert: "./testdata/tls/selfsigned.crt",
+					Key:  "./testdata/tls/selfsigned.key",
+				},
+				Target:       "http://localhost:3000",
+				HealthTarget: "http://localhost:9091/healthz",
+			},
+			err: ErrInvalidDomainName,
+		},
+		{
+			name: "invalid tls config",
+			input: Domain{
+				Name: "anubis.techaro.lol",
+				TLS: TLS{
+					Cert: "./testdata/tls/invalid.crt",
+					Key:  "./testdata/tls/invalid.key",
+				},
+				Target:       "http://localhost:3000",
+				HealthTarget: "http://localhost:9091/healthz",
+			},
+			err: ErrInvalidDomainTLSConfig,
+		},
+		{
+			name: "invalid URL",
+			input: Domain{
+				Name: "anubis.techaro.lol",
+				TLS: TLS{
+					Cert: "./testdata/tls/selfsigned.crt",
+					Key:  "./testdata/tls/selfsigned.key",
+				},
+				Target:       "file://[::1:3000",
+				HealthTarget: "file://[::1:9091/healthz",
+			},
+			err: ErrInvalidURL,
+		},
+		{
+			name: "wrong URL scheme",
+			input: Domain{
+				Name: "anubis.techaro.lol",
+				TLS: TLS{
+					Cert: "./testdata/tls/selfsigned.crt",
+					Key:  "./testdata/tls/selfsigned.key",
+				},
+				Target:       "file://localhost:3000",
+				HealthTarget: "file://localhost:9091/healthz",
+			},
+			err: ErrInvalidURLScheme,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
+				t.Logf("want: %v", tt.err)
+				t.Logf("got:  %v", err)
+				t.Error("got wrong error from validation function")
+			} else {
+				t.Log(err)
+			}
+		})
+	}
+}

cmd/osiris/internal/config/testdata/tls/invalid.crt

@@ -0,0 +1 @@
+aorsentaeiorsntoiearnstoieanrsoietnaioresntoeiar

cmd/osiris/internal/config/testdata/tls/invalid.key

@@ -0,0 +1 @@
+aorsentaeiorsntoiearnstoieanrsoietnaioresntoeiar

cmd/osiris/internal/config/testdata/tls/selfsigned.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnzCCAVGgAwIBAgIUAw8funCpiB3ZAAPoWdSCWnzbsFIwBQYDK2VwMEUxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjUwNzE4MTkwMjM1WhcNMjUwODE3MTkwMjM1
+WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
+SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAcXDHXV3vgpvjtTaz
+s0Oj/73rMr06bhyGGhleYS1MNoWjUzBRMB0GA1UdDgQWBBQwmfKPthucFHB6Wfgz
+2Nj5nkMQOjAfBgNVHSMEGDAWgBQwmfKPthucFHB6Wfgz2Nj5nkMQOjAPBgNVHRMB
+Af8EBTADAQH/MAUGAytlcANBALBYbULlGwB7Ro0UTgUoQDNxEvayn3qzVFHIt7lC
+/2/NzNBkk4yPT+a4mbRuydxLkv+JIvmQbarZxpksYnWlCAM=
+-----END CERTIFICATE-----

cmd/osiris/internal/config/testdata/tls/selfsigned.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIOHKoX22Mha6SnnpLm34fSSfTUDbRiDCi6N1nOgTOlds
+-----END PRIVATE KEY-----

cmd/osiris/internal/config/tls.go

@@ -0,0 +1,40 @@
+package config
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"os"
+)
+
+var (
+	ErrCantReadTLS       = errors.New("tls: can't read TLS")
+	ErrInvalidTLSKeypair = errors.New("tls: can't parse TLS keypair")
+)
+
+type TLS struct {
+	Cert string `hcl:"cert"`
+	Key  string `hcl:"key"`
+}
+
+func (t TLS) Valid() error {
+	var errs []error
+
+	if _, err := os.Stat(t.Cert); err != nil {
+		errs = append(errs, fmt.Errorf("%w certificate %s: %w", ErrCantReadTLS, t.Cert, err))
+	}
+
+	if _, err := os.Stat(t.Key); err != nil {
+		errs = append(errs, fmt.Errorf("%w key %s: %w", ErrCantReadTLS, t.Key, err))
+	}
+
+	if _, err := tls.LoadX509KeyPair(t.Cert, t.Key); err != nil {
+		errs = append(errs, fmt.Errorf("%w (%s, %s): %w", ErrInvalidTLSKeypair, t.Cert, t.Key, err))
+	}
+
+	if len(errs) != 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}

cmd/osiris/internal/config/tls_test.go

@@ -0,0 +1,48 @@
+package config
+
+import (
+	"errors"
+	"testing"
+)
+
+func TestTLSValid(t *testing.T) {
+	for _, tt := range []struct {
+		name  string
+		input TLS
+		err   error
+	}{
+		{
+			name: "simple selfsigned",
+			input: TLS{
+				Cert: "./testdata/tls/selfsigned.crt",
+				Key:  "./testdata/tls/selfsigned.key",
+			},
+		},
+		{
+			name: "files don't exist",
+			input: TLS{
+				Cert: "./testdata/tls/nonexistent.crt",
+				Key:  "./testdata/tls/nonexistent.key",
+			},
+			err: ErrCantReadTLS,
+		},
+		{
+			name: "invalid keypair",
+			input: TLS{
+				Cert: "./testdata/tls/invalid.crt",
+				Key:  "./testdata/tls/invalid.key",
+			},
+			err: ErrInvalidTLSKeypair,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
+				t.Logf("want: %v", tt.err)
+				t.Logf("got:  %v", err)
+				t.Error("got wrong error from validation function")
+			} else {
+				t.Log(err)
+			}
+		})
+	}
+}

cmd/osiris/internal/entrypoint/entrypoint.go

@@ -0,0 +1,85 @@
+package entrypoint
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net"
+
+	"github.com/TecharoHQ/anubis/cmd/osiris/internal/config"
+	"github.com/TecharoHQ/anubis/internal"
+	"github.com/hashicorp/hcl/v2/hclsimple"
+	"golang.org/x/sync/errgroup"
+	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
+)
+
+type Options struct {
+	ConfigFname string
+}
+
+func Main(ctx context.Context, opts Options) error {
+	internal.SetHealth("osiris", healthv1.HealthCheckResponse_NOT_SERVING)
+
+	var cfg config.Toplevel
+	if err := hclsimple.DecodeFile(opts.ConfigFname, nil, &cfg); err != nil {
+		return fmt.Errorf("can't read configuration file %s:\n\n%w", opts.ConfigFname, err)
+	}
+
+	if err := cfg.Valid(); err != nil {
+		return fmt.Errorf("configuration file %s is invalid:\n\n%w", opts.ConfigFname, err)
+	}
+
+	rtr, err := NewRouter(cfg)
+	if err != nil {
+		return err
+	}
+	rtr.opts = opts
+	go rtr.backgroundReloadConfig(ctx)
+
+	g, gCtx := errgroup.WithContext(ctx)
+
+	// HTTP
+	g.Go(func() error {
+		ln, err := net.Listen("tcp", cfg.Bind.HTTP)
+		if err != nil {
+			return fmt.Errorf("(HTTP) can't bind to tcp %s: %w", cfg.Bind.HTTP, err)
+		}
+		defer ln.Close()
+
+		go func(ctx context.Context) {
+			<-ctx.Done()
+			ln.Close()
+		}(ctx)
+
+		slog.Info("listening", "for", "http", "bind", cfg.Bind.HTTP)
+
+		return rtr.HandleHTTP(gCtx, ln)
+	})
+
+	// HTTPS
+	g.Go(func() error {
+		ln, err := net.Listen("tcp", cfg.Bind.HTTPS)
+		if err != nil {
+			return fmt.Errorf("(https) can't bind to tcp %s: %w", cfg.Bind.HTTPS, err)
+		}
+		defer ln.Close()
+
+		go func(ctx context.Context) {
+			<-ctx.Done()
+			ln.Close()
+		}(ctx)
+
+		slog.Info("listening", "for", "https", "bind", cfg.Bind.HTTPS)
+
+		return rtr.HandleHTTPS(gCtx, ln)
+	})
+
+	// Metrics
+	g.Go(func() error {
+		return rtr.ListenAndServeMetrics(gCtx, cfg.Bind.Metrics)
+	})
+
+	internal.SetHealth("osiris", healthv1.HealthCheckResponse_SERVING)
+
+	return g.Wait()
+}

cmd/osiris/internal/entrypoint/entrypoint_test.go

@@ -0,0 +1,93 @@
+package entrypoint
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+func TestMainGoodConfig(t *testing.T) {
+	files, err := os.ReadDir("./testdata/good")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, st := range files {
+		t.Run(st.Name(), func(t *testing.T) {
+			ctx, cancel := context.WithCancel(t.Context())
+			cfg := loadConfig(t, filepath.Join("testdata", "good", st.Name()))
+
+			go func(ctx context.Context) {
+				if err := Main(ctx, Options{
+					ConfigFname: filepath.Join("testdata", "good", st.Name()),
+				}); err != nil {
+					var netOpErr *net.OpError
+					switch {
+					case errors.Is(err, context.Canceled):
+						// Context was canceled, this is expected
+						return
+					case errors.As(err, &netOpErr):
+						// Network operation error occurred
+						t.Logf("Network operation error: %v", netOpErr)
+						return
+					case errors.Is(err, http.ErrServerClosed):
+						// Server was closed, this is expected
+						return
+					default:
+						// Other unexpected error
+						panic(err)
+					}
+				}
+			}(ctx)
+
+			wait := 5 * time.Millisecond
+
+			for i := range make([]struct{}, 10) {
+				if i != 0 {
+					time.Sleep(wait)
+					wait = wait * 2
+				}
+
+				t.Logf("try %d (wait=%s)", i+1, wait)
+
+				resp, err := http.Get("http://localhost" + cfg.Bind.Metrics + "/readyz")
+				if err != nil {
+					continue
+				}
+
+				if resp.StatusCode != http.StatusOK {
+					continue
+				}
+
+				cancel()
+				return
+			}
+
+			t.Fatal("router initialization did not work")
+		})
+	}
+}
+
+func TestMainBadConfig(t *testing.T) {
+	files, err := os.ReadDir("./testdata/bad")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, st := range files {
+		t.Run(st.Name(), func(t *testing.T) {
+			if err := Main(t.Context(), Options{
+				ConfigFname: filepath.Join("testdata", "bad", st.Name()),
+			}); err == nil {
+				t.Error("wanted an error but got none")
+			} else {
+				t.Log(err)
+			}
+		})
+	}
+}

cmd/osiris/internal/entrypoint/h2c.go

@@ -0,0 +1,35 @@
+package entrypoint
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+
+	"golang.org/x/net/http2"
+)
+
+func newH2CReverseProxy(target *url.URL) *httputil.ReverseProxy {
+	target.Scheme = "http"
+
+	director := func(req *http.Request) {
+		req.URL.Scheme = target.Scheme
+		req.URL.Host = target.Host
+		req.Host = target.Host
+	}
+
+	// Use h2c transport
+	transport := &http2.Transport{
+		AllowHTTP: true,
+		DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
+			// Just do plain TCP (h2c)
+			return net.Dial(network, addr)
+		},
+	}
+
+	return &httputil.ReverseProxy{
+		Director:  director,
+		Transport: transport,
+	}
+}

cmd/osiris/internal/entrypoint/h2c_test.go

@@ -0,0 +1,51 @@
+package entrypoint
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+)
+
+func newH2cServer(t *testing.T, h http.Handler) *httptest.Server {
+	t.Helper()
+
+	h2s := &http2.Server{}
+
+	srv := httptest.NewServer(h2c.NewHandler(h, h2s))
+	t.Cleanup(func() {
+		srv.Close()
+	})
+
+	return srv
+}
+
+func TestH2CReverseProxy(t *testing.T) {
+	h := &ackHandler{}
+
+	srv := newH2cServer(t, h)
+
+	u, err := url.Parse(srv.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rp := httptest.NewServer(newH2CReverseProxy(u))
+	defer rp.Close()
+
+	resp, err := rp.Client().Get(rp.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("wrong status code from reverse proxy: %d", resp.StatusCode)
+	}
+
+	if !h.ack {
+		t.Error("h2c handler was not executed")
+	}
+}

cmd/osiris/internal/entrypoint/metrics.go

@@ -0,0 +1,72 @@
+package entrypoint
+
+import (
+	"bytes"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"sort"
+
+	"github.com/TecharoHQ/anubis/internal"
+	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
+)
+
+func healthz(w http.ResponseWriter, r *http.Request) {
+	services, err := internal.HealthSrv.List(r.Context(), nil)
+	if err != nil {
+		slog.Error("can't get list of services", "err", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	var keys []string
+	for k := range services.Statuses {
+		if k == "" {
+			continue
+		}
+		keys = append(keys, k)
+	}
+
+	sort.Strings(keys)
+
+	var msg bytes.Buffer
+
+	var healthy bool = true
+
+	for _, k := range keys {
+		st := services.Statuses[k].GetStatus()
+		fmt.Fprintf(&msg, "%s: %s\n", k, st)
+		switch st {
+		case healthv1.HealthCheckResponse_SERVING:
+			// do nothing
+		default:
+			healthy = false
+		}
+	}
+
+	if !healthy {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+
+	w.Write(msg.Bytes())
+}
+
+func readyz(w http.ResponseWriter, r *http.Request) {
+	st, ok := internal.GetHealth("osiris")
+	if !ok {
+		slog.Error("health service osiris does not exist, file a bug")
+		http.Error(w, "health service osiris does not exist", http.StatusExpectationFailed)
+	}
+
+	switch st {
+	case healthv1.HealthCheckResponse_NOT_SERVING:
+		http.Error(w, "NOT OK", http.StatusInternalServerError)
+		return
+	case healthv1.HealthCheckResponse_SERVING:
+		fmt.Fprintln(w, "OK")
+		return
+	default:
+		http.Error(w, "UNKNOWN", http.StatusFailedDependency)
+		return
+	}
+}

cmd/osiris/internal/entrypoint/metrics_test.go

@@ -0,0 +1,66 @@
+package entrypoint
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/TecharoHQ/anubis/internal"
+	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
+)
+
+func TestHealthz(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(healthz))
+
+	internal.SetHealth("osiris", healthv1.HealthCheckResponse_NOT_SERVING)
+
+	resp, err := srv.Client().Get(srv.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		t.Errorf("wanted not ready but got %d", resp.StatusCode)
+	}
+
+	internal.SetHealth("osiris", healthv1.HealthCheckResponse_SERVING)
+
+	resp, err = srv.Client().Get(srv.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("wanted ready but got %d", resp.StatusCode)
+	}
+}
+
+func TestReadyz(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(readyz))
+
+	internal.SetHealth("osiris", healthv1.HealthCheckResponse_NOT_SERVING)
+
+	resp, err := srv.Client().Get(srv.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		t.Errorf("wanted not ready but got %d", resp.StatusCode)
+	}
+
+	internal.SetHealth("osiris", healthv1.HealthCheckResponse_SERVING)
+
+	resp, err = srv.Client().Get(srv.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("wanted ready but got %d", resp.StatusCode)
+	}
+}

cmd/osiris/internal/entrypoint/router.go

@@ -0,0 +1,320 @@
+package entrypoint
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/TecharoHQ/anubis/cmd/osiris/internal/config"
+	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/internal/fingerprint"
+	"github.com/felixge/httpsnoop"
+	"github.com/hashicorp/hcl/v2/hclsimple"
+	"github.com/lum8rjack/go-ja4h"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+var (
+	ErrTargetInvalid     = errors.New("[unexpected] target invalid")
+	ErrNoHandler         = errors.New("[unexpected] no handler for domain")
+	ErrInvalidTLSKeypair = errors.New("[unexpected] invalid TLS keypair")
+	ErrNoCert            = errors.New("this server does not have a certificate for that domain")
+
+	requestsPerDomain = promauto.NewGaugeVec(prometheus.GaugeOpts{
+		Namespace: "techaro",
+		Subsystem: "osiris",
+		Name:      "request_count",
+	}, []string{"domain", "method", "response_code"})
+
+	responseTime = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Namespace: "techaro",
+		Subsystem: "osiris",
+		Name:      "response_time",
+	}, []string{"domain"})
+
+	unresolvedRequests = promauto.NewGauge(prometheus.GaugeOpts{
+		Namespace: "techaro",
+		Subsystem: "osiris",
+		Name:      "unresolved_requests",
+	})
+)
+
+type Router struct {
+	lock     sync.RWMutex
+	routes   map[string]http.Handler
+	tlsCerts map[string]*tls.Certificate
+	opts     Options
+}
+
+func (rtr *Router) setConfig(c config.Toplevel) error {
+	var errs []error
+	newMap := map[string]http.Handler{}
+	newCerts := map[string]*tls.Certificate{}
+
+	for _, d := range c.Domains {
+		var domainErrs []error
+
+		u, err := url.Parse(d.Target)
+		if err != nil {
+			domainErrs = append(domainErrs, fmt.Errorf("%w %q: %v", ErrTargetInvalid, d.Target, err))
+		}
+
+		var h http.Handler
+
+		if u != nil {
+			switch u.Scheme {
+			case "http", "https":
+				rp := httputil.NewSingleHostReverseProxy(u)
+
+				if d.InsecureSkipVerify {
+					rp.Transport = &http.Transport{
+						TLSClientConfig: &tls.Config{
+							InsecureSkipVerify: true,
+						},
+					}
+				}
+
+				h = rp
+			case "h2c":
+				h = newH2CReverseProxy(u)
+			case "unix":
+				h = &httputil.ReverseProxy{
+					Director: func(r *http.Request) {
+						r.URL.Scheme = "http"
+						r.URL.Host = d.Name
+						r.Host = d.Name
+					},
+					Transport: &http.Transport{
+						DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
+							return net.Dial("unix", strings.TrimPrefix(d.Target, "unix://"))
+						},
+					},
+				}
+			}
+		}
+
+		if h == nil {
+			domainErrs = append(domainErrs, ErrNoHandler)
+		}
+
+		newMap[d.Name] = h
+
+		cert, err := tls.LoadX509KeyPair(d.TLS.Cert, d.TLS.Key)
+		if err != nil {
+			domainErrs = append(domainErrs, fmt.Errorf("%w: %w", ErrInvalidTLSKeypair, err))
+		}
+
+		newCerts[d.Name] = &cert
+
+		if len(domainErrs) != 0 {
+			errs = append(errs, fmt.Errorf("invalid domain %s: %w", d.Name, errors.Join(domainErrs...)))
+		}
+	}
+
+	if len(errs) != 0 {
+		return fmt.Errorf("can't compile config to routing map: %w", errors.Join(errs...))
+	}
+
+	rtr.lock.Lock()
+	rtr.routes = newMap
+	rtr.tlsCerts = newCerts
+	rtr.lock.Unlock()
+
+	return nil
+}
+
+func (rtr *Router) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	rtr.lock.RLock()
+	cert, ok := rtr.tlsCerts[hello.ServerName]
+	rtr.lock.RUnlock()
+
+	if !ok {
+		return nil, ErrNoCert
+	}
+
+	return cert, nil
+}
+
+func (rtr *Router) loadConfig() error {
+	slog.Info("reloading config", "fname", rtr.opts.ConfigFname)
+	var cfg config.Toplevel
+	if err := hclsimple.DecodeFile(rtr.opts.ConfigFname, nil, &cfg); err != nil {
+		return err
+	}
+
+	if err := cfg.Valid(); err != nil {
+		return err
+	}
+
+	if err := rtr.setConfig(cfg); err != nil {
+		return err
+	}
+
+	slog.Info("done!")
+
+	return nil
+}
+
+func (rtr *Router) backgroundReloadConfig(ctx context.Context) {
+	t := time.NewTicker(time.Hour)
+	defer t.Stop()
+	ch := make(chan os.Signal, 1)
+	signal.Notify(ch, syscall.SIGHUP)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-t.C:
+			if err := rtr.loadConfig(); err != nil {
+				slog.Error("can't reload config", "fname", rtr.opts.ConfigFname, "err", err)
+			}
+		case <-ch:
+			if err := rtr.loadConfig(); err != nil {
+				slog.Error("can't reload config", "fname", rtr.opts.ConfigFname, "err", err)
+			}
+		}
+	}
+}
+
+func NewRouter(c config.Toplevel) (*Router, error) {
+	result := &Router{
+		routes: map[string]http.Handler{},
+	}
+
+	if err := result.setConfig(c); err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func (rtr *Router) HandleHTTP(ctx context.Context, ln net.Listener) error {
+	srv := http.Server{
+		Handler:  rtr,
+		ErrorLog: internal.GetFilteredHTTPLogger(),
+	}
+
+	go func(ctx context.Context) {
+		<-ctx.Done()
+		srv.Close()
+	}(ctx)
+
+	return srv.Serve(ln)
+}
+
+func (rtr *Router) HandleHTTPS(ctx context.Context, ln net.Listener) error {
+	tc := &tls.Config{
+		GetCertificate: rtr.GetCertificate,
+	}
+
+	srv := &http.Server{
+		Handler:   rtr,
+		ErrorLog:  internal.GetFilteredHTTPLogger(),
+		TLSConfig: tc,
+	}
+
+	go func(ctx context.Context) {
+		<-ctx.Done()
+		srv.Close()
+	}(ctx)
+
+	fingerprint.ApplyTLSFingerprinter(srv)
+
+	return srv.ServeTLS(ln, "", "")
+}
+
+func (rtr *Router) ListenAndServeMetrics(ctx context.Context, addr string) error {
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return fmt.Errorf("(metrics) can't bind to tcp %s: %w", addr, err)
+	}
+	defer ln.Close()
+
+	go func(ctx context.Context) {
+		<-ctx.Done()
+		ln.Close()
+	}(ctx)
+
+	mux := http.NewServeMux()
+
+	mux.Handle("/metrics", promhttp.Handler())
+	mux.HandleFunc("/readyz", readyz)
+	mux.HandleFunc("/healthz", healthz)
+
+	slog.Info("listening", "for", "metrics", "bind", addr)
+
+	srv := http.Server{
+		Addr:     addr,
+		Handler:  mux,
+		ErrorLog: internal.GetFilteredHTTPLogger(),
+	}
+
+	go func(ctx context.Context) {
+		<-ctx.Done()
+		srv.Close()
+	}(ctx)
+
+	return srv.Serve(ln)
+}
+
+func (rtr *Router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	var host = r.Host
+
+	if strings.Contains(host, ":") {
+		host, _, _ = net.SplitHostPort(host)
+	}
+
+	var h http.Handler
+	var ok bool
+
+	ja4hFP := ja4h.JA4H(r)
+
+	slog.Info("got request", "method", r.Method, "host", host, "path", r.URL.Path)
+
+	rtr.lock.RLock()
+	h, ok = rtr.routes[host]
+	rtr.lock.RUnlock()
+
+	if !ok {
+		unresolvedRequests.Inc()
+		http.NotFound(w, r) // TODO(Xe): brand this
+		return
+	}
+
+	r.Header.Set("X-Http-Ja4h-Fingerprint", ja4hFP)
+
+	if fp := fingerprint.GetTLSFingerprint(r); fp != nil {
+		if ja3n := fp.JA3N(); ja3n != nil {
+			r.Header.Set("X-Tls-Ja3n-Fingerprint", ja3n.String())
+		}
+		if ja4 := fp.JA4(); ja4 != nil {
+			r.Header.Set("X-Tls-Ja4-Fingerprint", ja4.String())
+		}
+	}
+
+	if tcpFP := fingerprint.GetTCPFingerprint(r); tcpFP != nil {
+		r.Header.Set("X-Tcp-Ja4t-Fingerprint", tcpFP.String())
+	}
+
+	m := httpsnoop.CaptureMetrics(h, w, r)
+
+	requestsPerDomain.WithLabelValues(host, r.Method, fmt.Sprint(m.Code)).Inc()
+	responseTime.WithLabelValues(host).Observe(float64(m.Duration.Milliseconds()))
+
+	slog.Info("request completed", "host", host, "method", r.Method, "response_code", m.Code, "duration_ms", m.Duration.Milliseconds())
+}

cmd/osiris/internal/entrypoint/router_test.go

@@ -0,0 +1,319 @@
+package entrypoint
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/TecharoHQ/anubis/cmd/osiris/internal/config"
+	"github.com/hashicorp/hcl/v2/hclsimple"
+)
+
+func loadConfig(t *testing.T, fname string) config.Toplevel {
+	t.Helper()
+
+	var cfg config.Toplevel
+	if err := hclsimple.DecodeFile(fname, nil, &cfg); err != nil {
+		t.Fatalf("can't read configuration file %s: %v", fname, err)
+	}
+
+	if err := cfg.Valid(); err != nil {
+		t.Errorf("configuration file %s is invalid: %v", "./testdata/selfsigned.hcl", err)
+	}
+
+	return cfg
+}
+
+func newRouter(t *testing.T, cfg config.Toplevel) *Router {
+	t.Helper()
+
+	rtr, err := NewRouter(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return rtr
+}
+
+func TestNewRouter(t *testing.T) {
+	cfg := loadConfig(t, "./testdata/good/selfsigned.hcl")
+	rtr := newRouter(t, cfg)
+
+	srv := httptest.NewServer(rtr)
+	defer srv.Close()
+}
+
+func TestNewRouterFails(t *testing.T) {
+	cfg := loadConfig(t, "./testdata/good/selfsigned.hcl")
+
+	cfg.Domains = append(cfg.Domains, config.Domain{
+		Name: "test1.internal",
+		TLS: config.TLS{
+			Cert: "./testdata/tls/invalid.crt",
+			Key:  "./testdata/tls/invalid.key",
+		},
+		Target:       cfg.Domains[0].Target,
+		HealthTarget: cfg.Domains[0].HealthTarget,
+	})
+
+	rtr, err := NewRouter(cfg)
+	if err == nil {
+		t.Fatal("wanted an error but got none")
+	}
+
+	srv := httptest.NewServer(rtr)
+	defer srv.Close()
+}
+
+func TestRouterSetConfig(t *testing.T) {
+	for _, tt := range []struct {
+		name        string
+		configFname string
+		mutation    func(cfg config.Toplevel) config.Toplevel
+		err         error
+	}{
+		{
+			name:        "basic",
+			configFname: "./testdata/good/selfsigned.hcl",
+			mutation: func(cfg config.Toplevel) config.Toplevel {
+				return cfg
+			},
+		},
+		{
+			name:        "all schemes",
+			configFname: "./testdata/good/selfsigned.hcl",
+			mutation: func(cfg config.Toplevel) config.Toplevel {
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name:         "http.internal",
+					TLS:          cfg.Domains[0].TLS,
+					Target:       "http://[::1]:3000",
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name:         "https.internal",
+					TLS:          cfg.Domains[0].TLS,
+					Target:       "https://[::1]:3000",
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name:         "h2c.internal",
+					TLS:          cfg.Domains[0].TLS,
+					Target:       "h2c://[::1]:3000",
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name:         "unix.internal",
+					TLS:          cfg.Domains[0].TLS,
+					Target:       "unix://foo.sock",
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+
+				return cfg
+			},
+		},
+		{
+			name:        "invalid TLS",
+			configFname: "./testdata/good/selfsigned.hcl",
+			mutation: func(cfg config.Toplevel) config.Toplevel {
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name: "test1.internal",
+					TLS: config.TLS{
+						Cert: "./testdata/tls/invalid.crt",
+						Key:  "./testdata/tls/invalid.key",
+					},
+					Target:       cfg.Domains[0].Target,
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+
+				return cfg
+			},
+			err: ErrInvalidTLSKeypair,
+		},
+		{
+			name:        "target is not a valid URL",
+			configFname: "./testdata/good/selfsigned.hcl",
+			mutation: func(cfg config.Toplevel) config.Toplevel {
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name:         "test1.internal",
+					TLS:          cfg.Domains[0].TLS,
+					Target:       "http://[::1:443",
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+
+				return cfg
+			},
+			err: ErrTargetInvalid,
+		},
+		{
+			name:        "invalid target scheme",
+			configFname: "./testdata/good/selfsigned.hcl",
+			mutation: func(cfg config.Toplevel) config.Toplevel {
+				cfg.Domains = append(cfg.Domains, config.Domain{
+					Name:         "test1.internal",
+					TLS:          cfg.Domains[0].TLS,
+					Target:       "foo://",
+					HealthTarget: cfg.Domains[0].HealthTarget,
+				})
+
+				return cfg
+			},
+			err: ErrNoHandler,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := loadConfig(t, tt.configFname)
+			rtr := newRouter(t, cfg)
+
+			cfg = tt.mutation(cfg)
+
+			if err := rtr.setConfig(cfg); !errors.Is(err, tt.err) {
+				t.Logf("want: %v", tt.err)
+				t.Logf("got:  %v", err)
+				t.Error("got wrong error from rtr.setConfig function")
+			}
+		})
+	}
+}
+
+type ackHandler struct {
+	ack bool
+}
+
+func (ah *ackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ah.ack = true
+	fmt.Fprintln(w, "OK")
+}
+
+func (ah *ackHandler) Reset() {
+	ah.ack = false
+}
+
+func newUnixServer(t *testing.T, h http.Handler) string {
+	sockName := filepath.Join(t.TempDir(), "s")
+	ln, err := net.Listen("unix", sockName)
+	if err != nil {
+		t.Fatalf("can't listen on %s: %v", sockName, err)
+	}
+	t.Cleanup(func() {
+		ln.Close()
+		os.Remove(sockName)
+	})
+
+	go func(ctx context.Context) {
+		srv := &http.Server{
+			Handler: h,
+		}
+
+		go func() {
+			<-ctx.Done()
+			srv.Close()
+		}()
+
+		srv.Serve(ln)
+	}(t.Context())
+
+	return "unix://" + sockName
+}
+
+func TestRouterGetCertificate(t *testing.T) {
+	cfg := loadConfig(t, "./testdata/good/selfsigned.hcl")
+	rtr := newRouter(t, cfg)
+
+	for _, tt := range []struct {
+		domainName string
+		err        error
+	}{
+		{
+			domainName: "osiris.local.cetacean.club",
+		},
+		{
+			domainName: "whacky-fun.local",
+			err:        ErrNoCert,
+		},
+	} {
+		t.Run(tt.domainName, func(t *testing.T) {
+			if _, err := rtr.GetCertificate(&tls.ClientHelloInfo{ServerName: tt.domainName}); !errors.Is(err, tt.err) {
+				t.Logf("want: %v", tt.err)
+				t.Logf("got:  %v", err)
+				t.Error("got wrong error from rtr.GetCertificate")
+			}
+		})
+	}
+}
+
+func TestRouterServeAllProtocols(t *testing.T) {
+	cfg := loadConfig(t, "./testdata/good/all_protocols.hcl")
+
+	httpAckHandler := &ackHandler{}
+	httpsAckHandler := &ackHandler{}
+	h2cAckHandler := &ackHandler{}
+	unixAckHandler := &ackHandler{}
+
+	httpSrv := httptest.NewServer(httpAckHandler)
+	httpsSrv := httptest.NewTLSServer(httpsAckHandler)
+	h2cSrv := newH2cServer(t, h2cAckHandler)
+	unixPath := newUnixServer(t, unixAckHandler)
+
+	cfg.Domains[0].Target = httpSrv.URL
+	cfg.Domains[1].Target = httpsSrv.URL
+	cfg.Domains[2].Target = strings.ReplaceAll(h2cSrv.URL, "http:", "h2c:")
+	cfg.Domains[3].Target = unixPath
+
+	// enc := json.NewEncoder(os.Stderr)
+	// enc.SetIndent("", "  ")
+	// enc.Encode(cfg)
+
+	rtr := newRouter(t, cfg)
+
+	cli := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+
+	t.Run("plain http", func(t *testing.T) {
+		ln, err := net.Listen("tcp", ":0")
+		if err != nil {
+			t.Fatal(err)
+		}
+		t.Cleanup(func() {
+			ln.Close()
+		})
+
+		go rtr.HandleHTTP(t.Context(), ln)
+
+		serverURL := "http://" + ln.Addr().String()
+		t.Log(serverURL)
+
+		for _, d := range cfg.Domains {
+			t.Run(d.Name, func(t *testing.T) {
+				req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, serverURL, nil)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				req.Host = d.Name
+
+				resp, err := cli.Do(req)
+				if err != nil {
+					t.Fatal(err)
+				}
+				defer resp.Body.Close()
+
+				if resp.StatusCode != http.StatusOK {
+					t.Fatalf("wrong status code %d", resp.StatusCode)
+				}
+			})
+		}
+	})
+}

cmd/osiris/internal/entrypoint/testdata/bad/invalid.hcl

@@ -0,0 +1,15 @@
+bind {
+  http    = ":65530"
+  https   = ":65531"
+  metrics = ":65532"
+}
+
+domain "osiris.local.cetacean.club" {
+  tls {
+    cert = "./testdata/invalid.crt"
+    key  = "./testdata/invalid.key"
+  }
+
+  target        = "http://localhost:3000"
+  health_target = "http://localhost:9091/healthz"
+}

cmd/osiris/internal/entrypoint/testdata/good/all_protocols.hcl

@@ -0,0 +1,46 @@
+bind {
+  http    = ":65520"
+  https   = ":65521"
+  metrics = ":65522"
+}
+
+domain "http.internal" {
+  tls {
+    cert = "./testdata/selfsigned.crt"
+    key  = "./testdata/selfsigned.key"
+  }
+
+  target        = "http://localhost:65510" # XXX(Xe) this is overwritten
+  health_target = "http://localhost:9091/healthz"
+}
+
+domain "https.internal" {
+  tls {
+    cert = "./testdata/selfsigned.crt"
+    key  = "./testdata/selfsigned.key"
+  }
+
+  target               = "https://localhost:65511" # XXX(Xe) this is overwritten
+  insecure_skip_verify = true
+  health_target        = "http://localhost:9091/healthz"
+}
+
+domain "h2c.internal" {
+  tls {
+    cert = "./testdata/selfsigned.crt"
+    key  = "./testdata/selfsigned.key"
+  }
+
+  target        = "h2c://localhost:65511" # XXX(Xe) this is overwritten
+  health_target = "http://localhost:9091/healthz"
+}
+
+domain "unix.internal" {
+  tls {
+    cert = "./testdata/selfsigned.crt"
+    key  = "./testdata/selfsigned.key"
+  }
+
+  target        = "http://localhost:65511" # XXX(Xe) this is overwritten
+  health_target = "http://localhost:9091/healthz"
+}

cmd/osiris/internal/entrypoint/testdata/good/selfsigned.hcl

@@ -0,0 +1,15 @@
+bind {
+  http    = ":65530"
+  https   = ":65531"
+  metrics = ":65532"
+}
+
+domain "osiris.local.cetacean.club" {
+  tls {
+    cert = "./testdata/selfsigned.crt"
+    key  = "./testdata/selfsigned.key"
+  }
+
+  target        = "http://localhost:3000"
+  health_target = "http://localhost:9091/healthz"
+}

cmd/osiris/internal/entrypoint/testdata/selfsigned.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnzCCAVGgAwIBAgIUOLTjSYOjFk00IemtFTC4oEZs988wBQYDK2VwMEUxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjUwNzE4MjEyNDIzWhcNMjUwODE3MjEyNDIz
+WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
+SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAPHphABS15+4VV6R1
+vYzBQYIycQmOmlbA8QcfwzuB2VajUzBRMB0GA1UdDgQWBBT2s+MQ4AR6cbK4V0+d
+XZnok1orhDAfBgNVHSMEGDAWgBT2s+MQ4AR6cbK4V0+dXZnok1orhDAPBgNVHRMB
+Af8EBTADAQH/MAUGAytlcANBAOdoJbRMnHmkEETzVtXP+jkAI9yQNRXujnglApGP
+8I5pvIYVgYCgoQrnb4haVWFldHM1T9H698n19e/egfFb+w4=
+-----END CERTIFICATE-----

cmd/osiris/internal/entrypoint/testdata/selfsigned.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIBop42tiZ0yzhaKo9NAc0PlAyBsE8NAE0i9Z7s2lgZuR
+-----END PRIVATE KEY-----

cmd/osiris/main.go

@@ -0,0 +1,43 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/cmd/osiris/internal/entrypoint"
+	"github.com/TecharoHQ/anubis/internal"
+	"github.com/facebookgo/flagenv"
+)
+
+var (
+	configFname = flag.String("config", "./osiris.hcl", "Configuration file (HCL), see docs")
+	slogLevel   = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
+	versionFlag = flag.Bool("version", false, "if true, show version information then quit")
+)
+
+func main() {
+	flagenv.Parse()
+	flag.Parse()
+
+	if *versionFlag {
+		fmt.Println("Osiris", anubis.Version)
+		return
+	}
+
+	internal.InitSlog(*slogLevel)
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	if err := entrypoint.Main(ctx, entrypoint.Options{
+		ConfigFname: *configFname,
+	}); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+}

cmd/osiris/osiris.hcl

@@ -0,0 +1,15 @@
+bind {
+  http    = ":3004"
+  https   = ":3005"
+  metrics = ":9091"
+}
+
+domain "osiris.local.cetacean.club" {
+  tls {
+    cert = "./internal/config/testdata/tls/selfsigned.crt"
+    key  = "./internal/config/testdata/tls/selfsigned.key"
+  }
+
+  target        = "http://localhost:3000"
+  health_target = "http://localhost:9091/healthz"
+}

docker-bake.hcl

@@ -0,0 +1,32 @@
+variable "ALPINE_VERSION" { default = "3.22" }
+variable "GITHUB_SHA" { default = "devel" }
+variable "VERSION" { default = "devel-docker" }
+
+group "default" {
+  targets = [
+    "osiris",
+  ]
+}
+
+target "osiris" {
+  args = {
+    ALPINE_VERSION = "3.22"
+    VERSION        = "${VERSION}"
+  }
+  context    = "."
+  dockerfile = "./docker/osiris.Dockerfile"
+  platforms = [
+    "linux/amd64",
+    "linux/arm64",
+    "linux/arm/v7",
+    "linux/ppc64le",
+    "linux/riscv64",
+  ]
+  pull       = true
+  sbom       = true
+  provenance = true
+  tags = [
+    "ghcr.io/techarohq/anubis/osiris:${VERSION}",
+    "ghcr.io/techarohq/anubis/osiris:main"
+  ]
+}

docker/osiris.Dockerfile

@@ -0,0 +1,30 @@
+ARG ALPINE_VERSION=edge
+FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} AS build
+
+RUN apk -U add go nodejs git build-base git npm bash zstd brotli gzip
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/root/go go mod download
+
+COPY package.json package-lock.json ./
+RUN npm ci
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION=devel-docker
+
+COPY . .
+RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/root/go GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 GOARM=7 go build -gcflags "all=-N -l" -o /app/bin/osiris -ldflags "-s -w -extldflags -static -X github.com/TecharoHQ/anubis.Version=${VERSION}" ./cmd/osiris
+
+FROM alpine:${ALPINE_VERSION} AS run
+WORKDIR /app
+
+RUN apk -U add ca-certificates mailcap
+
+COPY --from=build /app/bin/osiris /app/bin/osiris
+
+CMD ["/app/bin/osiris"]
+
+LABEL org.opencontainers.image.source="https://github.com/TecharoHQ/anubis"

docs/docs/CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- This changes the project to: -->
 
 - Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
+
 - Fix hanging on service restart ([#853](https://github.com/TecharoHQ/anubis/issues/853))
 
 ### Added
@@ -24,23 +25,6 @@ Anubis now supports these new languages:
 
 Anubis now supports the [`missingHeader`](./admin/configuration/expressions.mdx#missingHeader) to assert the absence of headers in requests.
 
-### Fixes
-
-#### Fix event loop thrashing when solving a proof of work challenge
-
-Previously the "fast" proof of work solver had a fragment of JavaScript that attempted to only post an update about proof of work progress to the main browser window every 1024 iterations. This fragment of JavaScript was subtly incorrect in a way that passed review but actually made the workers send an update back to the main thread every iteration. This caused a pileup of unhandled async calls (similar to a socket accept() backlog pileup in Unix) that caused stack space exhaustion.
-
-This has been fixed in the following ways:
-
-1. The complicated boolean logic has been totally removed in favour of a worker-local iteration counter.
-2. The progress bar is updated by worker `0` instead of all workers.
-
-Hopefully this should limit the event loop thrashing and let ia32 browsers (as well as any environment with a smaller stack size than amd64 and aarch64 seem to have) function normally when processing Anubis proof of work challenges.
-
-#### Fix potential memory leak when discovering a solution
-
-In some cases, the parallel solution finder in Anubis could cause all of the worker promises to leak due to the fact the promises were being improperly terminated. This was fixed by having Anubis debounce worker termination instead of allowing it to potentially recurse infinitely.
-
 ## v1.21.0: Minfilia Warde
 
 > Please, be at ease. You are among friends here.

go.mod

@@ -4,12 +4,12 @@ go 1.24.2
 
 require (
 	github.com/TecharoHQ/thoth-proto v0.4.0
-	github.com/a-h/templ v0.3.906
+	github.com/a-h/templ v0.3.920
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
-	github.com/gaissmai/bart v0.20.5
-	github.com/golang-jwt/jwt/v5 v5.2.2
-	github.com/google/cel-go v0.25.0
+	github.com/gaissmai/bart v0.22.0
+	github.com/golang-jwt/jwt/v5 v5.2.3
+	github.com/google/cel-go v0.26.0
 	github.com/google/uuid v1.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2
@@ -21,20 +21,20 @@ require (
 	github.com/redis/go-redis/v9 v9.11.0
 	github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a
 	github.com/shirou/gopsutil/v4 v4.25.6
-	github.com/testcontainers/testcontainers-go v0.37.0
+	github.com/testcontainers/testcontainers-go v0.38.0
 	go.etcd.io/bbolt v1.4.2
 	golang.org/x/net v0.42.0
 	golang.org/x/text v0.27.0
 	google.golang.org/grpc v1.73.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apimachinery v0.33.2
+	k8s.io/apimachinery v0.33.3
 	sigs.k8s.io/yaml v1.5.0
 )
 
 require (
 	al.essio.dev/pkg/shellescape v1.6.0 // indirect
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 // indirect
-	cel.dev/expr v0.23.1 // indirect
+	cel.dev/expr v0.24.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -47,8 +47,10 @@ require (
 	github.com/Songmu/gitconfig v0.2.0 // indirect
 	github.com/TecharoHQ/yeet v0.6.0 // indirect
 	github.com/a-h/parse v0.0.0-20250122154542-74294addb73e // indirect
+	github.com/agext/levenshtein v1.2.1 // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/cavaliergopher/cpio v1.0.1 // indirect
@@ -56,6 +58,8 @@ require (
 	github.com/cli/browser v1.3.0 // indirect
 	github.com/cli/go-gh v0.1.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
@@ -66,7 +70,7 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.4 // indirect
-	github.com/docker/docker v28.0.1+incompatible // indirect
+	github.com/docker/docker v28.2.2+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dop251/goja v0.0.0-20250309171923-bcd7cc6bf64c // indirect
@@ -91,6 +95,7 @@ require (
 	github.com/goccy/go-yaml v1.12.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-github/v70 v70.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20230207041349-798e818bf904 // indirect
@@ -99,6 +104,7 @@ require (
 	github.com/goreleaser/fileglob v1.3.0 // indirect
 	github.com/goreleaser/nfpm/v2 v2.42.1 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
@@ -109,11 +115,13 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
@@ -147,6 +155,7 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zclconf/go-cty v1.16.3 // indirect
 	gitlab.com/digitalxero/go-conventional-commit v1.0.7 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect

go.sum

@@ -2,12 +2,12 @@ al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeX
 al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 h1:YhMSc48s25kr7kv31Z8vf7sPUIq5YJva9z1mn/hAt0M=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
-cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg=
-cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
+cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w=
 github.com/AlekSi/pointer v1.2.0/go.mod h1:gZGfd3dpW4vEc/UlyfKKi1roIqcCgwOIvb0tSNSBle0=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
@@ -40,14 +40,18 @@ github.com/TecharoHQ/yeet v0.6.0 h1:RCBAjr7wIlllsgy0tpvWpLX7jsZgu2tiuBY3RrprcR0=
 github.com/TecharoHQ/yeet v0.6.0/go.mod h1:bj2V4Fg8qKQXoiuPZa3HuawrE8g+LsOQv/9q2WyGSsA=
 github.com/a-h/parse v0.0.0-20250122154542-74294addb73e h1:HjVbSQHy+dnlS6C3XajZ69NYAb5jbGNfHanvm1+iYlo=
 github.com/a-h/parse v0.0.0-20250122154542-74294addb73e/go.mod h1:3mnrkvGpurZ4ZrTDbYU84xhwXW2TjTKShSwjRi2ihfQ=
-github.com/a-h/templ v0.3.906 h1:ZUThc8Q9n04UATaCwaG60pB1AqbulLmYEAMnWV63svg=
-github.com/a-h/templ v0.3.906/go.mod h1:FFAu4dI//ESmEN7PQkJ7E7QfnSEMdcnu7QrAY8Dn334=
+github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8=
+github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/a-h/templ v0.3.920 h1:IQjjTu4KGrYreHo/ewzSeS8uefecisPayIIc9VflLSE=
+github.com/a-h/templ v0.3.920/go.mod h1:FFAu4dI//ESmEN7PQkJ7E7QfnSEMdcnu7QrAY8Dn334=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
+github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
+github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -77,6 +81,10 @@ github.com/cli/safeexec v1.0.0/go.mod h1:Z/D4tTN8Vs5gXYHDCbaM1S/anmEDnJb1iW0+EJ5
 github.com/cli/shurcooL-graphql v0.0.1/go.mod h1:U7gCSuMZP/Qy7kbqkk5PrqXEeDgtfG5K+W+u8weorps=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
 github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -101,8 +109,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo=
 github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/docker/docker v28.0.1+incompatible h1:FCHjSRdXhNRFjlHMTv4jUNlIBbTeRjrWfeFuJp7jpo0=
-github.com/docker/docker v28.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw=
+github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -133,8 +141,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gaissmai/bart v0.20.5 h1:ehoWZWQ7j//qt0K0Zs4i9hpoPpbgqsMQiR8W2QPJh+c=
-github.com/gaissmai/bart v0.20.5/go.mod h1:cEed+ge8dalcbpi8wtS9x9m2hn/fNJH5suhdGQOHnYk=
+github.com/gaissmai/bart v0.22.0 h1:+yR2mCpZx8H8GlqA+Icqi7/Iwx2/OUbO4bVbsORK0ns=
+github.com/gaissmai/bart v0.22.0/go.mod h1:RpLtt3lWq1BoRz3AAyDAJ7jhLWBkYhVCfi+ximB2t68=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -175,14 +183,14 @@ github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM=
 github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
+github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
-github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI=
+github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
+github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
 github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -221,6 +229,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1ns
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
+github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
 github.com/henvic/httpretty v0.0.6/go.mod h1:X38wLjWXHkXT7r2+uK8LjCMne9rsuNaBLJ+5cU2/Pmo=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -274,16 +284,22 @@ github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa1
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
+github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
+github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
@@ -373,8 +389,8 @@ github.com/suzuki-shunsuke/pinact v1.6.0 h1:2QvSzREOquwLwKXhF9Hj0AInE/Rl63SZz9dK
 github.com/suzuki-shunsuke/pinact v1.6.0/go.mod h1:FDUMck0mmL0mcnNZ23Vjh/aOR5cIdZhF1IIpGksT4dQ=
 github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4 h1:YGHgrVjGTYHY98II6zijXUHP+OyvrzSCvd8m9iUcaK8=
 github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4/go.mod h1:sSi6xaUaHfaqu32ECLeyE7NTMv+ZM5dW0JikhllaalY=
-github.com/testcontainers/testcontainers-go v0.37.0 h1:L2Qc0vkTw2EHWQ08djon0D2uw7Z/PtHS/QzZZ5Ra/hg=
-github.com/testcontainers/testcontainers-go v0.37.0/go.mod h1:QPzbxZhQ6Bclip9igjLFj6z0hs01bU8lrl2dHQmgFGM=
+github.com/testcontainers/testcontainers-go v0.38.0 h1:d7uEapLcv2P8AvH8ahLqDMMxda2W9gQN1nRbHS28HBw=
+github.com/testcontainers/testcontainers-go v0.38.0/go.mod h1:C52c9MoHpWO+C4aqmgSU+hxlR5jlEayWtgYrb8Pzz1w=
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI=
 github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
@@ -395,6 +411,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=
+github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 gitlab.com/digitalxero/go-conventional-commit v1.0.7 h1:8/dO6WWG+98PMhlZowt/YjuiKhqhGlOCwlIV8SqqGh8=
 gitlab.com/digitalxero/go-conventional-commit v1.0.7/go.mod h1:05Xc2BFsSyC5tKhK0y+P3bs0AwUtNuTp+mTpbCU/DZ0=
 go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
@@ -549,12 +567,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
-k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
-k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
+k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 mvdan.cc/sh/v3 v3.11.0 h1:q5h+XMDRfUGUedCqFFsjoFjrhwf2Mvtt1rkMvVz0blw=
 mvdan.cc/sh/v3 v3.11.0/go.mod h1:LRM+1NjoYCzuq/WZ6y44x14YNAI0NK7FLPeQSaFagGg=
 pault.ag/go/debian v0.18.0 h1:nr0iiyOU5QlG1VPnhZLNhnCcHx58kukvBJp+dvaM6CQ=

internal/fingerprint/ja3n.go

@@ -0,0 +1,97 @@
+package fingerprint
+
+import (
+	"crypto/md5"
+	"crypto/tls"
+	"encoding/hex"
+	"slices"
+	"strconv"
+)
+
+// TLSFingerprintJA3N represents a JA3N fingerprint
+type TLSFingerprintJA3N [md5.Size]byte
+
+func (f TLSFingerprintJA3N) String() string {
+	return hex.EncodeToString(f[:])
+}
+
+func buildJA3N(hello *tls.ClientHelloInfo, sortExtensions bool) TLSFingerprintJA3N {
+	buf := make([]byte, 0, 256)
+
+	{
+		var sslVersion uint16
+		var hasGrease bool
+		for _, v := range hello.SupportedVersions {
+			if v&greaseMask != greaseValue {
+				if v > sslVersion {
+					sslVersion = v
+				}
+			} else {
+				hasGrease = true
+			}
+		}
+
+		// maximum TLS 1.2 as specified on JA3, as TLS 1.3 is put in SupportedVersions
+		if slices.Contains(hello.Extensions, extensionSupportedVersions) && hasGrease && sslVersion > tls.VersionTLS12 {
+			sslVersion = tls.VersionTLS12
+		}
+
+		buf = strconv.AppendUint(buf, uint64(sslVersion), 10)
+		buf = append(buf, ',')
+	}
+
+	n := 0
+	for _, cipher := range hello.CipherSuites {
+		//if !slices.Contains(greaseValues[:], cipher) {
+		if cipher&greaseMask != greaseValue {
+			buf = strconv.AppendUint(buf, uint64(cipher), 10)
+			buf = append(buf, '-')
+			n = 1
+		}
+	}
+
+	buf = buf[:len(buf)-n]
+	buf = append(buf, ',')
+	n = 0
+
+	extensions := hello.Extensions
+	if sortExtensions {
+		extensions = slices.Clone(extensions)
+		slices.Sort(extensions)
+	}
+
+	for _, extension := range extensions {
+		if extension&greaseMask != greaseValue {
+			buf = strconv.AppendUint(buf, uint64(extension), 10)
+			buf = append(buf, '-')
+			n = 1
+		}
+	}
+
+	buf = buf[:len(buf)-n]
+	buf = append(buf, ',')
+	n = 0
+
+	for _, curve := range hello.SupportedCurves {
+		if curve&greaseMask != greaseValue {
+			buf = strconv.AppendUint(buf, uint64(curve), 10)
+			buf = append(buf, '-')
+			n = 1
+		}
+	}
+
+	buf = buf[:len(buf)-n]
+	buf = append(buf, ',')
+	n = 0
+
+	for _, point := range hello.SupportedPoints {
+		buf = strconv.AppendUint(buf, uint64(point), 10)
+		buf = append(buf, '-')
+		n = 1
+	}
+
+	buf = buf[:len(buf)-n]
+
+	sum := md5.Sum(buf)
+	return TLSFingerprintJA3N(sum[:])
+}

internal/fingerprint/ja4.go

@@ -0,0 +1,176 @@
+package fingerprint
+
+import (
+	"crypto/sha256"
+	"crypto/tls"
+	"encoding/hex"
+	"fmt"
+	"slices"
+	"strconv"
+	"strings"
+)
+
+// TLSFingerprintJA4 represents a JA4 fingerprint
+type TLSFingerprintJA4 struct {
+	A [10]byte
+	B [6]byte
+	C [6]byte
+}
+
+func (f *TLSFingerprintJA4) String() string {
+	if f == nil {
+		return ""
+	}
+
+	return strings.Join([]string{
+		string(f.A[:]),
+		hex.EncodeToString(f.B[:]),
+		hex.EncodeToString(f.C[:]),
+	}, "_")
+}
+
+func buildJA4(hello *tls.ClientHelloInfo) (ja4 TLSFingerprintJA4) {
+	buf := make([]byte, 0, 36)
+
+	hasQuic := false
+
+	for _, ext := range hello.Extensions {
+		if ext == extensionQUICTransportParameters {
+			hasQuic = true
+		}
+	}
+
+	switch hasQuic {
+	case true:
+		buf = append(buf, 'q')
+	case false:
+		buf = append(buf, 't')
+	}
+
+	{
+		var sslVersion uint16
+		for _, v := range hello.SupportedVersions {
+			if v&greaseMask != greaseValue {
+				if v > sslVersion {
+					sslVersion = v
+				}
+			}
+		}
+
+		switch sslVersion {
+		case tls.VersionTLS10:
+			buf = append(buf, '1', '0')
+		case tls.VersionTLS11:
+			buf = append(buf, '1', '1')
+		case tls.VersionTLS12:
+			buf = append(buf, '1', '2')
+		case tls.VersionTLS13:
+			buf = append(buf, '1', '3')
+		default:
+			sslVersion -= 0x0201
+			buf = strconv.AppendUint(buf, uint64(sslVersion>>8), 10)
+			buf = strconv.AppendUint(buf, uint64(sslVersion&0xff), 10)
+		}
+
+	}
+
+	if slices.Contains(hello.Extensions, extensionServerName) && hello.ServerName != "" {
+		buf = append(buf, 'd')
+	} else {
+		buf = append(buf, 'i')
+	}
+
+	ciphers := make([]uint16, 0, len(hello.CipherSuites))
+	for _, cipher := range hello.CipherSuites {
+		if cipher&greaseMask != greaseValue {
+			ciphers = append(ciphers, cipher)
+		}
+	}
+
+	extensionCount := 0
+	extensions := make([]uint16, 0, len(hello.Extensions))
+	for _, extension := range hello.Extensions {
+		if extension&greaseMask != greaseValue {
+			extensionCount++
+			if extension != extensionALPN && extension != extensionServerName {
+				extensions = append(extensions, extension)
+			}
+		}
+	}
+
+	schemes := make([]tls.SignatureScheme, 0, len(hello.SignatureSchemes))
+
+	for _, scheme := range hello.SignatureSchemes {
+		if scheme&greaseMask != greaseValue {
+			schemes = append(schemes, scheme)
+		}
+	}
+
+	//TODO: maybe little endian
+	slices.Sort(ciphers)
+	slices.Sort(extensions)
+	//slices.Sort(schemes)
+
+	if len(ciphers) < 10 {
+		buf = append(buf, '0')
+		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
+	} else if len(ciphers) > 99 {
+		buf = append(buf, '9', '9')
+	} else {
+		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
+	}
+
+	if extensionCount < 10 {
+		buf = append(buf, '0')
+		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
+	} else if extensionCount > 99 {
+		buf = append(buf, '9', '9')
+	} else {
+		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
+	}
+
+	if len(hello.SupportedProtos) > 0 && len(hello.SupportedProtos[0]) > 1 {
+		buf = append(buf, hello.SupportedProtos[0][0], hello.SupportedProtos[0][len(hello.SupportedProtos[0])-1])
+	} else {
+		buf = append(buf, '0', '0')
+	}
+
+	copy(ja4.A[:], buf)
+
+	ja4.B = ja4SHA256(uint16SliceToHex(ciphers))
+
+	extBuf := uint16SliceToHex(extensions)
+
+	if len(schemes) > 0 {
+		extBuf = append(extBuf, '_')
+		extBuf = append(extBuf, uint16SliceToHex(schemes)...)
+	}
+
+	ja4.C = ja4SHA256(extBuf)
+
+	return ja4
+}
+
+func uint16SliceToHex[T ~uint16](in []T) (out []byte) {
+	if len(in) == 0 {
+		return out
+	}
+	out = slices.Grow(out, hex.EncodedLen(len(in)*2)+len(in))
+
+	for _, n := range in {
+		out = append(out, fmt.Sprintf("%04x", uint16(n))...)
+		out = append(out, ',')
+	}
+	out = out[:len(out)-1]
+
+	return out
+}
+
+func ja4SHA256(buf []byte) [6]byte {
+	if len(buf) == 0 {
+		return [6]byte{0, 0, 0, 0, 0, 0}
+	}
+	sum := sha256.Sum256(buf)
+
+	return [6]byte(sum[:6])
+}

internal/fingerprint/tcp.go

@@ -0,0 +1,46 @@
+package fingerprint
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+// JA4T represents a TCP fingerprint
+type JA4T struct {
+	Window      uint32
+	Options     []uint8
+	MSS         uint16
+	WindowScale uint8
+}
+
+func (j JA4T) String() string {
+	var sb strings.Builder
+
+	// Start with the window size
+	fmt.Fprintf(&sb, "%d", j.Window)
+
+	// Append each option
+	for i, opt := range j.Options {
+		if i == 0 {
+			fmt.Fprint(&sb, "_")
+		} else {
+			fmt.Fprint(&sb, "-")
+		}
+		fmt.Fprintf(&sb, "%d", opt)
+	}
+
+	// Append MSS and WindowScale
+	fmt.Fprintf(&sb, "_%d_%d", j.MSS, j.WindowScale)
+
+	return sb.String()
+}
+
+// GetTCPFingerprint extracts TCP fingerprint from HTTP request context
+func GetTCPFingerprint(r *http.Request) *JA4T {
+	ptr := r.Context().Value(tcpFingerprintKey{})
+	if fpPtr, ok := ptr.(*JA4T); ok && ptr != nil && fpPtr != nil {
+		return fpPtr
+	}
+	return nil
+}

internal/fingerprint/tcp_freebsd.go

@@ -0,0 +1,106 @@
+//go:build freebsd
+
+package fingerprint
+
+import (
+	"fmt"
+	"net"
+	"syscall"
+	"unsafe"
+)
+
+type tcpInfo struct {
+	State          uint8
+	Options        uint8
+	SndScale       uint8
+	RcvScale       uint8
+	__pad          [4]byte
+	Rto            uint32
+	Ato            uint32
+	SndMss         uint32
+	RcvMss         uint32
+	Unacked        uint32
+	Sacked         uint32
+	Lost           uint32
+	Retrans        uint32
+	Fackets        uint32
+	Last_data_sent uint32
+	Last_ack_sent  uint32
+	Last_data_recv uint32
+	Last_ack_recv  uint32
+	Pmtu           uint32
+	Rcv_ssthresh   uint32
+	RTT            uint32
+	RTTvar         uint32
+	Snd_ssthresh   uint32
+	Snd_cwnd       uint32
+	Advmss         uint32
+	Reordering     uint32
+	Rcv_rtt        uint32
+	Rcv_space      uint32
+	Total_retrans  uint32
+	Snd_wnd        uint32
+	// Truncated for brevity — add more fields if needed
+}
+
+// AssignTCPFingerprint extracts TCP fingerprint information from a connection
+func AssignTCPFingerprint(conn net.Conn) (*JA4T, error) {
+	tcpConn, ok := conn.(*net.TCPConn)
+	if !ok {
+		return nil, fmt.Errorf("not a TCPConn")
+	}
+
+	rawConn, err := tcpConn.SyscallConn()
+	if err != nil {
+		return nil, fmt.Errorf("SyscallConn failed: %w", err)
+	}
+
+	var info tcpInfo
+	var sysErr error
+
+	err = rawConn.Control(func(fd uintptr) {
+		size := uint32(unsafe.Sizeof(info))
+		_, _, errno := syscall.Syscall6(
+			syscall.SYS_GETSOCKOPT,
+			fd,
+			uintptr(syscall.IPPROTO_TCP),
+			uintptr(syscall.TCP_INFO),
+			uintptr(unsafe.Pointer(&info)),
+			uintptr(unsafe.Pointer(&size)),
+			0,
+		)
+		if errno != 0 {
+			sysErr = errno
+		}
+	})
+	if err != nil {
+		return nil, fmt.Errorf("SyscallConn.Control: %w", err)
+	}
+	if sysErr != nil {
+		return nil, fmt.Errorf("getsockopt TCP_INFO: %w", sysErr)
+	}
+
+	fp := &JA4T{
+		Window:      info.Snd_wnd,
+		MSS:         uint16(info.SndMss),
+		WindowScale: info.SndScale,
+	}
+
+	const (
+		TCPI_OPT_TIMESTAMPS = 1 << 0
+		TCPI_OPT_SACK       = 1 << 1
+		TCPI_OPT_WSCALE     = 1 << 2
+	)
+
+	if info.Options&TCPI_OPT_SACK != 0 {
+		fp.Options = append(fp.Options, 4, 1)
+	}
+	if info.Options&TCPI_OPT_TIMESTAMPS != 0 {
+		fp.Options = append(fp.Options, 8, 1)
+	}
+	if info.Options&TCPI_OPT_WSCALE != 0 {
+		fp.Options = append(fp.Options, 3)
+	}
+
+	return fp, nil
+}

internal/fingerprint/tcp_linux.go

@@ -0,0 +1,132 @@
+//go:build linux
+
+package fingerprint
+
+import (
+	"fmt"
+	"net"
+	"syscall"
+	"unsafe"
+)
+
+type tcpInfo struct {
+	State                     uint8
+	Ca_state                  uint8
+	Retransmits               uint8
+	Probes                    uint8
+	Backoff                   uint8
+	Options                   uint8
+	Wnd_scale                 uint8
+	Delivery_rate_app_limited uint8
+
+	Rto    uint32
+	Ato    uint32
+	SndMss uint32
+	RcvMss uint32
+
+	Unacked uint32
+	Sacked  uint32
+	Lost    uint32
+	Retrans uint32
+	Fackets uint32
+
+	Last_data_sent  uint32
+	Last_ack_sent   uint32
+	Last_data_recv  uint32
+	Last_ack_recv   uint32
+	PMTU            uint32
+	Rcv_ssthresh    uint32
+	RTT             uint32
+	RTTvar          uint32
+	Snd_ssthresh    uint32
+	Snd_cwnd        uint32
+	Advmss          uint32
+	Reordering      uint32
+	Rcv_rtt         uint32
+	Rcv_space       uint32
+	Total_retrans   uint32
+	Pacing_rate     uint64
+	Max_pacing_rate uint64
+	Bytes_acked     uint64
+	Bytes_received  uint64
+	Segs_out        uint32
+	Segs_in         uint32
+	Notsent_bytes   uint32
+	Min_rtt         uint32
+	Data_segs_in    uint32
+	Data_segs_out   uint32
+	Delivery_rate   uint64
+	Busy_time       uint64
+	Rwnd_limited    uint64
+	Sndbuf_limited  uint64
+	Delivered       uint32
+	Delivered_ce    uint32
+	Bytes_sent      uint64
+	Bytes_retrans   uint64
+	DSACK_dups      uint32
+	Reord_seen      uint32
+	Rcv_ooopack     uint32
+	Snd_wnd         uint32
+}
+
+// AssignTCPFingerprint extracts TCP fingerprint information from a connection
+func AssignTCPFingerprint(conn net.Conn) (*JA4T, error) {
+	tcpConn, ok := conn.(*net.TCPConn)
+	if !ok {
+		return nil, fmt.Errorf("not a TCPConn")
+	}
+
+	rawConn, err := tcpConn.SyscallConn()
+	if err != nil {
+		return nil, fmt.Errorf("SyscallConn failed: %w", err)
+	}
+
+	var info tcpInfo
+	var sysErr error
+
+	err = rawConn.Control(func(fd uintptr) {
+		size := uint32(unsafe.Sizeof(info))
+		_, _, errno := syscall.Syscall6(
+			syscall.SYS_GETSOCKOPT,
+			fd,
+			uintptr(syscall.IPPROTO_TCP),
+			uintptr(syscall.TCP_INFO),
+			uintptr(unsafe.Pointer(&info)),
+			uintptr(unsafe.Pointer(&size)),
+			0,
+		)
+		if errno != 0 {
+			sysErr = errno
+		}
+	})
+	if err != nil {
+		return nil, fmt.Errorf("SyscallConn.Control: %w", err)
+	}
+	if sysErr != nil {
+		return nil, fmt.Errorf("getsockopt TCP_INFO: %w", sysErr)
+	}
+
+	fp := &JA4T{
+		Window: info.Snd_wnd,
+		MSS:    uint16(info.SndMss),
+	}
+
+	const (
+		TCPI_OPT_TIMESTAMPS = 1 << 0
+		TCPI_OPT_SACK       = 1 << 1
+		TCPI_OPT_WSCALE     = 1 << 2
+	)
+
+	if info.Options&TCPI_OPT_SACK != 0 {
+		fp.Options = append(fp.Options, 4, 1)
+	}
+	if info.Options&TCPI_OPT_TIMESTAMPS != 0 {
+		fp.Options = append(fp.Options, 8, 1)
+	}
+	if info.Options&TCPI_OPT_WSCALE != 0 {
+		fp.Options = append(fp.Options, 3)
+		fp.WindowScale = info.Wnd_scale
+	}
+
+	return fp, nil
+}

internal/fingerprint/tcp_unsupported.go

@@ -0,0 +1,11 @@
+//go:build !linux && !freebsd
+
+package fingerprint
+
+import "net"
+
+// AssignTCPFingerprint is not supported on this platform
+func AssignTCPFingerprint(conn net.Conn) (*JA4T, error) {
+	// Not supported on macOS and other platforms
+	return &JA4T{}, nil
+}

internal/fingerprint/tls.go

@@ -0,0 +1,110 @@
+package fingerprint
+
+import (
+	"context"
+	"crypto/tls"
+	"log/slog"
+	"net"
+	"net/http"
+	"sync/atomic"
+)
+
+// ApplyTLSFingerprinter configures a TLS server to capture TLS fingerprints
+func ApplyTLSFingerprinter(server *http.Server) {
+	if server.TLSConfig == nil {
+		return
+	}
+	server.TLSConfig = server.TLSConfig.Clone()
+
+	getConfigForClient := server.TLSConfig.GetConfigForClient
+
+	if getConfigForClient == nil {
+		getConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
+			return nil, nil
+		}
+	}
+
+	server.TLSConfig.GetConfigForClient = func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
+		ja3n, ja4 := buildTLSFingerprint(clientHello)
+		ptr := clientHello.Context().Value(tlsFingerprintKey{})
+		if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
+			fpPtr.ja3n.Store(&ja3n)
+			fpPtr.ja4.Store(&ja4)
+		}
+		return getConfigForClient(clientHello)
+	}
+	server.ConnContext = func(ctx context.Context, c net.Conn) context.Context {
+		ctx = context.WithValue(ctx, tlsFingerprintKey{}, &TLSFingerprint{})
+
+		if tc, ok := c.(*tls.Conn); ok {
+			tcpFP, err := AssignTCPFingerprint(tc.NetConn())
+			if err == nil {
+				ctx = context.WithValue(ctx, tcpFingerprintKey{}, tcpFP)
+			} else {
+				slog.Debug("ja4t error", "err", err)
+			}
+		}
+
+		return ctx
+	}
+}
+
+type tcpFingerprintKey struct{}
+type tlsFingerprintKey struct{}
+
+// TLSFingerprint represents TLS fingerprint data
+type TLSFingerprint struct {
+	ja3n atomic.Pointer[TLSFingerprintJA3N]
+	ja4  atomic.Pointer[TLSFingerprintJA4]
+}
+
+// JA3N returns the JA3N fingerprint
+func (f *TLSFingerprint) JA3N() *TLSFingerprintJA3N {
+	return f.ja3n.Load()
+}
+
+// JA4 returns the JA4 fingerprint
+func (f *TLSFingerprint) JA4() *TLSFingerprintJA4 {
+	return f.ja4.Load()
+}
+
+const greaseMask = 0x0F0F
+const greaseValue = 0x0a0a
+
+// TLS extension numbers
+const (
+	extensionServerName              uint16 = 0
+	extensionStatusRequest           uint16 = 5
+	extensionSupportedCurves         uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7
+	extensionSupportedPoints         uint16 = 11
+	extensionSignatureAlgorithms     uint16 = 13
+	extensionALPN                    uint16 = 16
+	extensionSCT                     uint16 = 18
+	extensionExtendedMasterSecret    uint16 = 23
+	extensionSessionTicket           uint16 = 35
+	extensionPreSharedKey            uint16 = 41
+	extensionEarlyData               uint16 = 42
+	extensionSupportedVersions       uint16 = 43
+	extensionCookie                  uint16 = 44
+	extensionPSKModes                uint16 = 45
+	extensionCertificateAuthorities  uint16 = 47
+	extensionSignatureAlgorithmsCert uint16 = 50
+	extensionKeyShare                uint16 = 51
+	extensionQUICTransportParameters uint16 = 57
+	extensionRenegotiationInfo       uint16 = 0xff01
+	extensionECHOuterExtensions      uint16 = 0xfd00
+	extensionEncryptedClientHello    uint16 = 0xfe0d
+)
+
+func buildTLSFingerprint(hello *tls.ClientHelloInfo) (TLSFingerprintJA3N, TLSFingerprintJA4) {
+	return TLSFingerprintJA3N(buildJA3N(hello, true)), buildJA4(hello)
+}
+
+// GetTLSFingerprint extracts TLS fingerprint from HTTP request context
+func GetTLSFingerprint(r *http.Request) *TLSFingerprint {
+	ptr := r.Context().Value(tlsFingerprintKey{})
+	if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
+		return fpPtr
+	}
+	return nil
+}

lib/localization/locales/fil.json

@@ -45,7 +45,8 @@
   "celphase": "CELPHASE",
   "js_web_crypto_error": "Ang iyong browser ay walang gumaganang web.crypto element. Tinitingnan mo ba ito sa isang secure na konteksto?",
   "js_web_workers_error": "Hindi sinusuportahan ng iyong browser ang mga web worker (ginagamit ito ng Anubis upang maiwasan ang pag-freeze ng iyong browser). Mayroon ka bang naka-install na plugin tulad ng JShelter?",
-  "js_cookies_error": "Ang iyong browser ay hindi nag-iimbak ng cookies. Gumagamit ang Anubis ng cookies upang matukoy kung aling mga kliyente ang nakapasa sa mga hamon sa pamamagitan ng pag-iimbak ng isang nilagdaang token sa isang cookie. Mangyaring paganahin ang pag-iimbak ng cookies para sa domain na ito. Ang mga pangalan ng cookies na iniimbak ng Anubis ay maaaring mag-iba nang walang abiso. Ang mga pangalan at value ng cookie ay hindi bahagi ng pampublikong API.",
+  "js_cookies_error": "Your browser doesn't store cookies. Anubis uses cookies to determine which clients have passed challenges by storing a signed token in a cookie. Please enable storing cookies for this domain. The names of the cookies Anubis stores may vary w",
+  "js_cookies_error": "Ang iyong browser ay hindi nag-iimbak ng cookies. Gumagamit ang Anubis ng cookies upang matukoy kung aling mga kliyente ang nakapasa sa mga hamon sa pamamagitan ng pag-iimbak ng isang nilagdaang token sa isang cookie. Mangyaring paganahin ang pag-iimbak ng cookies para sa domain na ito. Ang mga pangalan ng cookies na Anubis store ay maaaring mag-iba nang walang abiso. Ang mga pangalan at value ng cookie ay hindi bahagi ng pampublikong API.",
   "js_context_not_secure": "Hindi secure ang iyong konteksto!",
   "js_context_not_secure_msg": "Subukang kumonekta sa pamamagitan ng HTTPS o sabihin sa admin na i-set up ang HTTPS. Para sa karagdagang impormasyon, tignan ang <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
   "js_calculating": "Kinakalkula...",

web/js/proof-of-work-slow.mjs

@@ -14,42 +14,32 @@ export default function process(
     );
 
     let worker = new Worker(webWorkerURL);
-    let settled = false;
-
-    const cleanup = () => {
-      if (settled) return;
-      settled = true;
+    const terminate = () => {
       worker.terminate();
       if (signal != null) {
-        signal.removeEventListener("abort", onAbort);
+        // clean up listener to avoid memory leak
+        signal.removeEventListener("abort", terminate);
+        if (signal.aborted) {
+          console.log("PoW aborted");
+          reject(false);
+        }
       }
-      URL.revokeObjectURL(webWorkerURL);
     };
-
-    const onAbort = () => {
-      console.log("PoW aborted");
-      cleanup();
-      reject(new DOMException("Aborted", "AbortError"));
-    };
-
     if (signal != null) {
-      if (signal.aborted) {
-        return onAbort();
-      }
-      signal.addEventListener("abort", onAbort, { once: true });
+      signal.addEventListener("abort", terminate, { once: true });
     }
 
     worker.onmessage = (event) => {
       if (typeof event.data === "number") {
         progressCallback?.(event.data);
       } else {
-        cleanup();
+        terminate();
         resolve(event.data);
       }
     };
 
     worker.onerror = (event) => {
-      cleanup();
+      terminate();
       reject(event);
     };
 
@@ -57,6 +47,8 @@ export default function process(
       data,
       difficulty,
     });
+
+    URL.revokeObjectURL(webWorkerURL);
   });
 }
 

web/js/proof-of-work.mjs

@@ -3,7 +3,7 @@ export default function process(
   difficulty = 5,
   signal = null,
   progressCallback = null,
-  threads = Math.max(navigator.hardwareConcurrency / 2, 1),
+  threads = navigator.hardwareConcurrency || 1,
 ) {
   console.debug("fast algo");
   return new Promise((resolve, reject) => {
@@ -12,31 +12,19 @@ export default function process(
     );
 
     const workers = [];
-    let settled = false;
-
-    const cleanup = () => {
-      if (settled) {
-        return;
-      }
-      settled = true;
+    const terminate = () => {
       workers.forEach((w) => w.terminate());
       if (signal != null) {
-        signal.removeEventListener("abort", onAbort);
+        // clean up listener to avoid memory leak
+        signal.removeEventListener("abort", terminate);
+        if (signal.aborted) {
+          console.log("PoW aborted");
+          reject(false);
+        }
       }
-      URL.revokeObjectURL(webWorkerURL);
     };
-
-    const onAbort = () => {
-      console.log("PoW aborted");
-      cleanup();
-      reject(new DOMException("Aborted", "AbortError"));
-    };
-
     if (signal != null) {
-      if (signal.aborted) {
-        return onAbort();
-      }
-      signal.addEventListener("abort", onAbort, { once: true });
+      signal.addEventListener("abort", terminate, { once: true });
     }
 
     for (let i = 0; i < threads; i++) {
@@ -46,13 +34,13 @@ export default function process(
         if (typeof event.data === "number") {
           progressCallback?.(event.data);
         } else {
-          cleanup();
+          terminate();
           resolve(event.data);
         }
       };
 
       worker.onerror = (event) => {
-        cleanup();
+        terminate();
         reject(event);
       };
 
@@ -65,6 +53,8 @@ export default function process(
 
       workers.push(worker);
     }
+
+    URL.revokeObjectURL(webWorkerURL);
   });
 }
 
@@ -89,7 +79,6 @@ function processTask() {
       let threads = event.data.threads;
 
       const threadId = nonce;
-      let localIterationCount = 0;
 
       while (true) {
         const currentHash = await sha256(data + nonce);
@@ -115,15 +104,21 @@ function processTask() {
           break;
         }
 
+        const oldNonce = nonce;
         nonce += threads;
 
-        // send a progress update every 1024 iterations so that the user can be informed of
-        // the state of the challenge.
-        if (threadId == 0 && localIterationCount === 1024) {
+        // send a progress update every 1024 iterations. since each thread checks
+        // separate values, one simple way to do this is by bit masking the
+        // nonce for multiples of 1024. unfortunately, if the number of threads
+        // is not prime, only some of the threads will be sending the status
+        // update and they will get behind the others. this is slightly more
+        // complicated but ensures an even distribution between threads.
+        if (
+          (nonce > oldNonce) | 1023 && // we've wrapped past 1024
+          (nonce >> 10) % threads === threadId // and it's our turn
+        ) {
           postMessage(nonce);
-          localIterationCount = 0;
         }
-        localIterationCount++;
       }
 
       postMessage({