Crate edgeguard 

EdgeGuard library surface.

The edgeguard binary (src/main.rs) is a thin CLI on top of this crate. Exposing the pipeline as a library lets integration tests drive the same build_state / build_router entry points the binary uses, so tests exercise the real request path rather than a reimplementation of it.

Re-exports

pub use crate::auth::hash_password;

Modules

acme

ACME (Let’s Encrypt) automatic certificates via the HTTP-01 challenge, using instant-acme for the protocol and rcgen for the CSR.

auth

Authentication gates: HTTP Basic, static API-key / bearer-token, and JWT (HS*/RS*/ES*/PS* with either a static key or a fetched, cached JWKS).

config

Configuration. Env-first so EdgeGuard drops into any PaaS that injects $PORT with zero edits; an optional TOML file layers richer policy on top.

generate

Static & edge host config generator (Phase 5 / v2.5).

limiter

Distributed (shared-store) rate limiting (Phase 4 / v2).

metrics

Prometheus metrics, hand-rolled.

proxy

Request path: header-size limit -> rate limit (per-IP / per-route) -> auth -> per-key rate limit -> method allowlist -> body-size limit -> WAF input inspection -> forward to upstream. Response path: header injection (incl. CSP / CSP-report-only) -> cookie hardening -> strip leaky headers.

reload

Config hot-reload.

supervisor

Co-process supervisor.

tls

TLS termination via rustls + tokio-rustls.

waf

WAF-lite: heuristic input inspection (Phase 4 / v2).

Functions

build_admin_router

The private/admin router (used in public/private split mode): the internal ops endpoints (health, readiness, metrics). It has no proxy fallback, so an unknown path returns 404 rather than being forwarded upstream. Shares the same AppState as the public router, so /__edgeguard/metrics reports the live proxy counters.

build_public_router

The public router (used in public/private split mode): the catch-all proxy plus the browser-facing CSP report sink. The ops endpoints (health/readiness/metrics) are not here — they live on the private build_admin_router listener, so they aren’t exposed publicly.

build_router

Build the combined axum Router: the internal /__edgeguard/* endpoints (health, readiness, Prometheus metrics, CSP report sink) plus the catch-all proxy handler, all on one listener. This is the default (single-port) topology; for the public/private split see build_public_router / build_admin_router. Body limits are enforced inside the proxy handler, so the default layer is disabled there; the CSP sink keeps a small explicit cap since it parses the body.

build_runtime

Build the hot-swappable Runtime from a fully-resolved Config: the rate limiters (global per-IP, per-route, per-key), the auth engine, and the parsed size/timeout limits. Errors if any size/rate/auth setting is invalid, so a bad config fails fast — at startup or on reload — rather than per-request. The HTTP client and metric registry live outside the runtime (in AppState) so a reload preserves the connection pool and counters.

build_state

Build the shared AppState: a fresh Runtime wrapped in an ArcSwap for hot-reload, the upstream HTTP client, and the metric registry.