Module config

Configuration. Env-first so EdgeGuard drops into any PaaS that injects $PORT with zero edits; an optional TOML file layers richer policy on top.

Structs§

AccessCfg
IP allow/deny lists, matched against the resolved client IP (the same IP rate limiting keys on — so behind a trusted proxy, set server.trust_forwarded_for for this to see the real client). Both lists accept plain IPs (203.0.113.7, ::1) and CIDR ranges (10.0.0.0/8, 2001:db8::/32). deny wins over allow; a non-empty allow means “only these may connect”. Both empty (the default) = allow all. Compiled into a crate::access::AccessPolicy; an unparseable entry fails at startup/reload.
AcmeCfg
Automatic certificate management (ACME / Let’s Encrypt) via the HTTP-01 challenge. The obtained certificate is written to TlsCfg::cert_path/key_path and served by the TLS listener; a background task renews it before expiry.
AuthCfg
Config
ControlPlaneCfg
Managed-mode settings: when enabled, the edge pulls its policy from a remote control plane (and hot-reloads it), reports metric deltas, and forwards CSP reports. The policy the control plane pushes is the policy subset (auth/ratelimit/validation/headers/waf) — the edge keeps its own local server/tls. The edge token is a secret, so prefer EDGEGUARD_CP_EDGE_TOKEN.
CorsCfg
Cross-Origin Resource Sharing policy. A drop-in front door commonly sits in front of an app whose browser frontend is served from a different origin (a separate static host, a preview URL, localhost:5173 in dev); without CORS those fetch calls are blocked by the browser. When enabled, EdgeGuard answers preflight OPTIONS requests itself (before auth — preflights carry no credentials) and adds the matching Access-Control-* headers to actual responses. Off by default: opening cross-origin access is a deliberate choice. Compiled into a crate::cors::CorsPolicy.
HeadersCfg
JwtCfg
JWT bearer-token verification. Either a symmetric secret (HS*) or an asymmetric key (RS*/ES*/PS*) supplied as a static public_key_pem or fetched from jwks_url.
PerKeyRateLimit
Per-principal rate limit (keyed by API-key id / JWT subject).
RateLimitCfg
RouteRateLimit
A per-route rate-limit override (matched by path prefix).
ServerCfg
TlsCfg
TLS termination. When enabled, EdgeGuard serves HTTPS on the public port using a certificate either loaded from cert_path/key_path or obtained automatically via ACME. All-default fields (disabled, empty paths, default ACME) so Default is derivable.
UpstreamRoute
A per-path-prefix upstream override (a [[upstreams]] entry). Requests whose path starts with path are forwarded to target instead of the default server.upstream; the longest matching prefix wins. This is deliberately a static prefix map for the common “static frontend + /api backend” shape — not a gateway: no service discovery, load balancing, health-based routing, or request rewriting (the path is forwarded unchanged). For those, put EdgeGuard behind a real gateway/mesh.
ValidationCfg
WafCfg
WAF-lite input inspection (Phase 4 / v2). Screens a request for common attack signatures before it is forwarded, using built-in heuristic rulesets (SQLi/XSS/path-traversal) plus any operator-defined deny patterns. Disabled by default — these are heuristics, so the intended rollout is report (log + count matches without blocking) until the operator is confident, then block (return 403). Compiled into a crate::waf::WafEngine.
WafRule
A single operator-defined WAF deny pattern (a [[waf.rules]] entry).
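The allow/deny evaluation that AccessCfg describes (deny wins, a non-empty allow is an allowlist, both empty allows all, CIDR and plain-IP entries, unparseable entries rejected at compile time), written out as an added std-only example; it is not code from the EdgeGuard crate, and the `Cidr`/`AccessPolicy` names and the `compile`/`permits` signatures are assumptions.

```rust
use std::net::IpAddr;

/// One allow/deny entry: a plain IP (full-width prefix) or a CIDR range.
pub struct Cidr { net: IpAddr, prefix: u8 }

impl Cidr {
    /// Accepts "203.0.113.7", "::1", "10.0.0.0/8", "2001:db8::/32"; anything else is Err,
    /// so a bad entry fails when the policy is compiled (startup/reload), not on a live request.
    pub fn parse(entry: &str) -> Result<Cidr, String> {
        let (ip, prefix) = match entry.split_once('/') {
            Some((ip, p)) => (ip, Some(p)),
            None => (entry, None),
        };
        let net: IpAddr = ip.parse().map_err(|e| format!("{}: {}", entry, e))?;
        let width: u8 = if net.is_ipv4() { 32 } else { 128 };
        let prefix = match prefix {
            None => width,
            Some(p) => p.parse::<u8>().ok().filter(|p| *p <= width)
                .ok_or_else(|| format!("{}: invalid prefix length", entry))?,
        };
        Ok(Cidr { net, prefix })
    }

    /// Prefix match within one family; v4 and v6 never match each other (no v4-mapped folding here).
    pub fn contains(&self, ip: IpAddr) -> bool {
        match (self.net, ip) {
            (IpAddr::V4(n), IpAddr::V4(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(n) & mask) == (u32::from(a) & mask)
            }
            (IpAddr::V6(n), IpAddr::V6(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(n) & mask) == (u128::from(a) & mask)
            }
            _ => false,
        }
    }
}

fn parse_all(xs: &[&str]) -> Result<Vec<Cidr>, String> { xs.iter().map(|&e| Cidr::parse(e)).collect() }

/// Compiled policy. Deny wins; a non-empty allow is an allowlist; both empty = allow all.
pub struct AccessPolicy { allow: Vec<Cidr>, deny: Vec<Cidr> }

impl AccessPolicy {
    pub fn compile(allow: &[&str], deny: &[&str]) -> Result<AccessPolicy, String> {
        Ok(AccessPolicy { allow: parse_all(allow)?, deny: parse_all(deny)? })
    }
    /// `ip` is the resolved client IP (after trust_forwarded_for handling), never the raw socket peer.
    pub fn permits(&self, ip: IpAddr) -> bool {
        if self.deny.iter().any(|c| c.contains(ip)) { return false; }
        self.allow.is_empty() || self.allow.iter().any(|c| c.contains(ip))
    }
}
```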

Functions§

parse_duration
Parse a timeout like “30s”, “500ms”, “2m”, or a bare number of seconds (“45”). “0” yields a zero duration, which callers treat as “disabled”.
parse_rate
Parse a rate like “60/min” into (count, period).
parse_size
Parse a human size like “2MiB”, “512KB”, “1048576” into bytes.