Configuration. Env-first so EdgeGuard drops into any PaaS that injects $PORT
with zero edits; an optional TOML file layers richer policy on top.
Structs
- `AcmeCfg`: Automatic certificate management (ACME / Let’s Encrypt) via the HTTP-01 challenge. The obtained certificate is written to `TlsCfg::cert_path`/`key_path` and served by the TLS listener; a background task renews it before expiry.
- `AuthCfg`
- `Config`
- `HeadersCfg`
- `JwtCfg`: JWT bearer-token verification. Either a symmetric `secret` (HS*) or an asymmetric key (RS*/ES*/PS*) supplied as a static `public_key_pem` or fetched from `jwks_url`.
- `PerKeyRateLimit`: Per-principal rate limit (keyed by API-key id / JWT subject).
- `RateLimitCfg`
- `RouteRateLimit`: A per-route rate-limit override (matched by path prefix).
- `ServerCfg`
- `TlsCfg`: TLS termination. When `enabled`, EdgeGuard serves HTTPS on the public port using a certificate either loaded from `cert_path`/`key_path` or obtained automatically via ACME. All-default fields (disabled, empty paths, default ACME) so `Default` is derivable.
- `ValidationCfg`
- `WafCfg`: WAF-lite input inspection (Phase 4 / v2). Screens a request for common attack signatures before it is forwarded, using built-in heuristic rulesets (SQLi/XSS/path-traversal) plus any operator-defined deny patterns. Disabled by default — these are heuristics, so the intended rollout is `report` (log + count matches without blocking) until the operator is confident, then `block` (return `403`). Compiled into a `crate::waf::WafEngine`.
- `WafRule`: A single operator-defined WAF deny pattern (a `[[waf.rules]]` entry).
Functions
- `parse_duration`: Parse a timeout like “30s”, “500ms”, “2m”, or a bare number of seconds (“45”). “0” yields a zero duration, which callers treat as “disabled”.
- `parse_rate`: Parse a rate like “60/min” into (count, period).
- `parse_size`: Parse a human size like “2MiB”, “512KB”, “1048576” into bytes.