//! Environment variable constants for WiseGate configuration.
//!
//! This module centralizes all environment variable names used by WiseGate,
//! making it easy to document and maintain configuration options.
//!
//! # Categories
//!
//! - **Proxy Security**: Control trusted proxy IPs and validation
//! - **Filtering**: Block IPs, HTTP methods, and URL patterns
//! - **Rate Limiting**: Configure request limits and cleanup
//! - **Authentication**: HTTP Basic Authentication credentials, realm, and bearer token
//! - **Proxy Behavior**: Timeouts, size limits, and connection limits
//!
//! # Example
//!
//! ```bash
//! export CC_REVERSE_PROXY_IPS="192.168.1.1,10.0.0.1"
//! export BLOCKED_IPS="malicious.ip.here"
//! export RATE_LIMIT_REQUESTS=100
//! ```
// ============================================================================
// Proxy Security Configuration
// ============================================================================
/// Comma-separated list of trusted proxy/load balancer IPs.
///
/// When set, enables strict mode with header validation.
/// Requests must come from these IPs to be accepted.
///
/// This constant holds the *name* of the environment variable
/// (`CC_REVERSE_PROXY_IPS`), not the IP list itself.
///
/// NOTE(review): behaviour when the variable is unset is not visible in this
/// module. Confirm how the client IP is derived in that case, since the
/// `BLOCKED_IPS` list and the per-IP rate limit both depend on it.
///
/// **Example**: `"192.168.1.1,10.0.0.1"`
pub const ALLOWED_PROXY_IPS: &str = "CC_REVERSE_PROXY_IPS";
/// Alternative environment variable name for trusted proxy IPs.
///
/// As the example shows, the value of this variable is itself the name of
/// another environment variable.
///
/// Must be one of the whitelisted names for security:
/// `TRUSTED_PROXY_IPS`, `REVERSE_PROXY_IPS`, `PROXY_ALLOWLIST`,
/// `ALLOWED_PROXY_IPS`, `PROXY_IPS`
///
/// `ALLOWED_PROXY_IPS` in that list is an environment variable name. It is
/// not the Rust constant `ALLOWED_PROXY_IPS` of this module, whose value is
/// `CC_REVERSE_PROXY_IPS`.
///
/// NOTE(review): the check against the list of permitted names is implemented
/// outside this module; keep that list and this comment in sync.
///
/// **Example**: `"TRUSTED_PROXY_IPS"`
pub const TRUSTED_PROXY_IPS_VAR: &str = "TRUSTED_PROXY_IPS_VAR";
// ============================================================================
// IP and Request Filtering
// ============================================================================
/// Comma-separated list of blocked client IP addresses.
///
/// Requests from these IPs will receive a 403 Forbidden response.
///
/// NOTE(review): the client IP that this list is compared against is
/// determined outside this module. If it is taken from a forwarding header,
/// the block is only as reliable as the trusted-proxy validation; confirm.
///
/// **Example**: `"192.168.1.100,10.0.0.50"`
pub const BLOCKED_IPS: &str = "BLOCKED_IPS";
/// Comma-separated list of blocked HTTP methods.
///
/// Requests using these methods will receive a 405 Method Not Allowed response.
///
/// NOTE(review): whether method names are compared case-insensitively is not
/// stated here; confirm, and write them in upper case as in the example.
///
/// **Example**: `"PUT,DELETE,PATCH"`
pub const BLOCKED_METHODS: &str = "BLOCKED_METHODS";
/// Comma-separated list of blocked URL patterns.
///
/// Requests with URLs containing these patterns will receive a 404 Not Found response.
/// Patterns are matched as substrings (case-insensitive).
///
/// Substring matching is a coarse filter: a short pattern such as `.php`
/// also rejects any legitimate URL that merely contains it. Treat this list
/// as noise reduction in front of the upstream, not as its access control.
///
/// NOTE(review): whether matching runs on the raw or the percent-decoded URL
/// is not visible in this module; confirm, since encoded variants of a
/// pattern would otherwise pass through.
///
/// **Example**: `".php,.yaml,/admin,wp-login"`
pub const BLOCKED_PATTERNS: &str = "BLOCKED_PATTERNS";
// ============================================================================
// Rate Limiting Configuration
// ============================================================================
/// Maximum requests allowed per IP within the time window.
///
/// The window length is set by `RATE_LIMIT_WINDOW_SECS`.
///
/// NOTE(review): how an unparsable or zero value is handled is not visible
/// in this module; confirm that it cannot silently disable the limit.
///
/// **Default**: `100`
///
/// **Example**: `"200"`
pub const RATE_LIMIT_REQUESTS: &str = "RATE_LIMIT_REQUESTS";
/// Duration of the rate limiting window in seconds.
///
/// **Default**: `60`
///
/// **Example**: `"120"`
pub const RATE_LIMIT_WINDOW_SECS: &str = "RATE_LIMIT_WINDOW_SECS";
/// Number of rate limit entries before triggering automatic cleanup.
///
/// Set to `0` to disable automatic cleanup.
///
/// NOTE(review): with cleanup disabled, the table of rate limit entries
/// presumably grows with every distinct client IP seen; confirm that some
/// other bound applies before using `0` on an Internet-facing deployment.
///
/// **Default**: `10000`
///
/// **Example**: `"50000"`
pub const RATE_LIMIT_CLEANUP_THRESHOLD: &str = "RATE_LIMIT_CLEANUP_THRESHOLD";
/// Minimum interval between cleanup operations in seconds.
///
/// **Default**: `60`
///
/// **Example**: `"300"`
pub const RATE_LIMIT_CLEANUP_INTERVAL_SECS: &str = "RATE_LIMIT_CLEANUP_INTERVAL_SECS";
// ============================================================================
// Authentication Configuration
// ============================================================================
/// HTTP Basic Authentication credentials.
///
/// Format: `"username:password"` or `"username:$2y$...hash..."`
/// Supports plain text, bcrypt, APR1 MD5, and SHA1 password formats.
///
/// Prefer the bcrypt form. A plain-text password is readable by anything
/// that can inspect the process environment or the deployment configuration,
/// and APR1 MD5 and SHA1 are legacy htpasswd schemes that are far cheaper to
/// guess offline than bcrypt.
///
/// **Example**: `"admin:secretpassword"` or `"admin:$2y$05$..."`
pub const CC_HTTP_BASIC_AUTH: &str = "CC_HTTP_BASIC_AUTH";
/// Additional HTTP Basic Authentication credentials (numbered).
///
/// This constant is the common prefix (`CC_HTTP_BASIC_AUTH_`); the number is
/// appended to it to form the variable name.
///
/// Use with suffix _1, _2, etc. for multiple users.
/// Variables are read sequentially until one is not found.
///
/// Because reading stops at the first missing number, a gap in the sequence
/// (for example `_1` and `_3` set, `_2` unset) leaves the later entries
/// unread. Keep the numbering contiguous.
///
/// **Example**: Set `CC_HTTP_BASIC_AUTH_1="user1:pass1"`, `CC_HTTP_BASIC_AUTH_2="user2:pass2"`
pub const CC_HTTP_BASIC_AUTH_N: &str = "CC_HTTP_BASIC_AUTH_";
/// Custom realm for HTTP Basic Authentication.
///
/// Displayed in the browser's authentication dialog.
///
/// **Default**: `"WiseGate"`
///
/// **Example**: `"My Protected Area"`
pub const CC_HTTP_BASIC_AUTH_REALM: &str = "CC_HTTP_BASIC_AUTH_REALM";
/// Bearer token for API authentication (RFC 6750).
///
/// When set, requests must include `Authorization: Bearer <token>` header.
/// If both Basic Auth and Bearer Token are configured, either method is accepted.
///
/// Since either method is accepted, the protection is as strong as the
/// weaker of the two secrets. Use a long, randomly generated token rather
/// than a memorable string like the one in the example.
///
/// NOTE(review): the token comparison is implemented outside this module;
/// confirm that it is constant-time.
///
/// **Example**: `"my-secret-api-key"`
pub const CC_BEARER_TOKEN: &str = "CC_BEARER_TOKEN";
// ============================================================================
// Proxy Behavior Configuration
// ============================================================================
/// Timeout for upstream requests in seconds.
///
/// **Default**: `30`
///
/// **Example**: `"60"`
pub const PROXY_TIMEOUT_SECS: &str = "PROXY_TIMEOUT_SECS";
/// Maximum request body size in megabytes.
///
/// Set to `0` for unlimited size.
///
/// With `0` there is no upper bound on what a single request can send, so
/// keep a finite limit on Internet-facing deployments, in line with the
/// advice given for `MAX_CONNECTIONS`.
///
/// **Default**: `100`
///
/// **Example**: `"50"`
pub const MAX_BODY_SIZE_MB: &str = "MAX_BODY_SIZE_MB";
/// Maximum number of concurrent connections.
///
/// Limits simultaneous connections to prevent resource exhaustion.
/// New connections are rejected when the limit is reached.
/// Set to `0` for unlimited connections (not recommended for production).
///
/// **Default**: `10000`
///
/// **Example**: `"5000"`
pub const MAX_CONNECTIONS: &str = "MAX_CONNECTIONS";
// ============================================================================
// Utility Functions
// ============================================================================
/// Returns a slice containing all environment variable names.
///
/// Useful for documentation, validation, and verbose logging.
///
/// # Example
///
/// ```
/// use wisegate::env_vars::all_env_vars;
///
/// for var_name in all_env_vars() {
/// println!("Supported: {}", var_name);
/// }
/// ```