// Copyright 2026 Cloudflare, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! # Pingora
//!
//! Pingora is a collection of service frameworks and network libraries battle-tested by the Internet.
//! It is for building robust, scalable and secure network infrastructure and services at Internet scale.
//!
//! # Features
//! - HTTP/1.x and HTTP/2
//! - Modern TLS with OpenSSL or BoringSSL (FIPS compatible)
//! - Zero downtime upgrade
//!
//! # Usage
//! This crate provides low-level service and protocol implementations and abstractions.
//!
//! To build a (reverse) proxy, see the [`pingora-proxy`](https://docs.rs/pingora-proxy) crate.
//!
//! # Optional features
//!
//! ## TLS backends (mutually exclusive)
//! - `openssl`: Use OpenSSL as the TLS library (default if no TLS feature is specified)
//! - `boringssl`: Use BoringSSL as the TLS library (FIPS compatible)
//! - `rustls`: Use Rustls as the TLS library
//!
//! ## Additional features
//! - `connection_filter`: Enable early TCP connection filtering before TLS handshake.
//!   This allows implementing custom logic to accept/reject connections based on peer address
//!   with zero overhead when disabled.
//! - `sentry`: Enable Sentry error reporting integration
//! - `patched_http1`: Enable patched HTTP/1 parser
//!
//! # Connection Filtering
//!
//! With the `connection_filter` feature enabled, you can implement early connection filtering
//! at the TCP level, before any TLS handshake or HTTP processing occurs. This is useful for:
//! - IP-based access control
//! - Rate limiting at the connection level
//! - Geographic restrictions
//! - DDoS mitigation
//!
//! ## Example
//!
//! ```rust,ignore
//! # #[cfg(feature = "connection_filter")]
//! # {
//! use async_trait::async_trait;
//! use pingora_core::listeners::ConnectionFilter;
//! use std::net::SocketAddr;
//! use std::sync::Arc;
//!
//! #[derive(Debug)]
//! struct MyFilter;
//!
//! #[async_trait]
//! impl ConnectionFilter for MyFilter {
//!     async fn should_accept(&self, addr: &SocketAddr) -> bool {
//!         // Custom logic to filter connections
//!         !is_blocked_ip(addr.ip())
//!     }
//! }
//!
//! // Apply the filter to a service
//! let mut service = my_service();
//! service.set_connection_filter(Arc::new(MyFilter));
//! # }
//! ```
//!
//! When the `connection_filter` feature is disabled, the filter API remains available
//! but becomes a no-op, ensuring zero overhead for users who don't need this functionality.
// This enables the feature that labels modules that are only available with
// certain pingora features
pub use ;
// If both openssl and boringssl are enabled, prefer boringssl.
// This is to make sure that boringssl can override the default openssl feature
// when this crate is used indirectly by other crates.
pub use pingora_boringssl as tls;
pub use pingora_openssl as tls;
pub use pingora_rustls as tls;
pub use pingora_s2n as tls;
pub use noop_tls as tls;
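
// Added example, not part of the pingora source: a std-only sketch of the accept/reject
// decision that the `should_accept` hook in the Connection Filtering docs above could delegate to.
// `Cidr`, `canonical` and this two-argument `should_accept` are hypothetical names, and the
// addresses are constructed samples from the documentation ranges.

```rust
use std::net::{IpAddr, SocketAddr};

/// A blocked network in CIDR form (helper type for this example, not a pingora type).
pub struct Cidr { net: IpAddr, prefix: u8 }

impl Cidr {
    /// Parse "addr/len"; rejects a missing or out-of-range prefix length.
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip, len) = s.split_once('/')?;
        let net: IpAddr = ip.parse().ok()?;
        let prefix: u8 = len.parse().ok()?;
        let max = if net.is_ipv4() { 32 } else { 128 };
        (prefix <= max).then_some(Cidr { net, prefix })
    }
    pub fn contains(&self, ip: IpAddr) -> bool {
        // A /0 mask is special-cased because shifting by the full width overflows.
        match (self.net, ip) {
            (IpAddr::V4(n), IpAddr::V4(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                u32::from(n) & mask == u32::from(a) & mask
            }
            (IpAddr::V6(n), IpAddr::V6(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                u128::from(n) & mask == u128::from(a) & mask
            }
            _ => false, // address families differ
        }
    }
}

/// Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4 so IPv4 rules also apply on a dual-stack listener.
pub fn canonical(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or(ip, IpAddr::V4),
        v4 => v4,
    }
}

/// The decision a `ConnectionFilter::should_accept` implementation would return for `addr`.
pub fn should_accept(blocklist: &[Cidr], addr: &SocketAddr) -> bool {
    let ip = canonical(addr.ip());
    !blocklist.iter().any(|net| net.contains(ip))
}

fn main() {
    let blocklist = [Cidr::parse("203.0.113.0/24").unwrap()]; // constructed sample
    let peer: SocketAddr = "[::ffff:203.0.113.7]:443".parse().unwrap();
    println!("accept {peer}: {}", should_accept(&blocklist, &peer));
}
```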