warpdrive_proxy/config/

env.rs

//! Configuration management for WarpDrive
//!
//! This module provides environment-based configuration with sensible defaults,
//! type-safe parsing, and validation. It supports both prefixed (`WARPDRIVE_*`)
//! and unprefixed environment variables, with prefixed taking precedence.
//!
//! # Example
//!
//! ```no_run
//! use warpdrive::config::Config;
//!
//! let config = Config::from_env().expect("Failed to load configuration");
//! config.validate().expect("Invalid configuration");
//! ```

use std::env;
use std::path::PathBuf;
use std::time::Duration;

/// Size constants for byte-based configuration
pub const KB: usize = 1024;
pub const MB: usize = 1024 * KB;

/// Environment variable prefix for WarpDrive-specific variables
const ENV_PREFIX: &str = "WARPDRIVE_";

/// Default target host for upstream server
const DEFAULT_TARGET_HOST: &str = "127.0.0.1";

/// Default target port for upstream server
const DEFAULT_TARGET_PORT: u16 = 3000;

/// Default cache size (64MB)
const DEFAULT_CACHE_SIZE_BYTES: usize = 64 * MB;

/// Default maximum cache item size (1MB)
const DEFAULT_MAX_CACHE_ITEM_SIZE_BYTES: usize = MB;

/// Default ACME directory URL (Let's Encrypt production)
const DEFAULT_ACME_DIRECTORY_URL: &str = "https://acme-v02.api.letsencrypt.org/directory";

/// Default storage path for TLS certificates
const DEFAULT_STORAGE_PATH: &str = "./storage/warpdrive";

/// Default bad gateway page path
const DEFAULT_BAD_GATEWAY_PAGE: &str = "./public/502.html";

/// Default HTTP port (unprivileged - no root/setcap required)
const DEFAULT_HTTP_PORT: u16 = 8080;

/// Default HTTPS port (unprivileged - no root/setcap required)
const DEFAULT_HTTPS_PORT: u16 = 8443;

/// Default HTTP idle timeout (60 seconds)
const DEFAULT_HTTP_IDLE_TIMEOUT: Duration = Duration::from_secs(60);

/// Default HTTP read timeout (30 seconds)
const DEFAULT_HTTP_READ_TIMEOUT: Duration = Duration::from_secs(30);

/// Default HTTP write timeout (30 seconds)
const DEFAULT_HTTP_WRITE_TIMEOUT: Duration = Duration::from_secs(30);

/// Default log level
const DEFAULT_LOG_LEVEL: LogLevel = LogLevel::Info;

/// Default graceful shutdown timeout (30 seconds)
const DEFAULT_SHUTDOWN_TIMEOUT_SECS: u64 = 30;

/// Default upstream request timeout (30 seconds)
const DEFAULT_UPSTREAM_TIMEOUT: Duration = Duration::from_secs(30);

/// Default rate limit requests per second (100)
const DEFAULT_RATE_LIMIT_RPS: u32 = 100;

/// Default rate limit burst size (200)
const DEFAULT_RATE_LIMIT_BURST: u32 = 200;

/// Default circuit breaker failure threshold (5 failures)
const DEFAULT_CB_FAILURE_THRESHOLD: u32 = 5;

/// Default circuit breaker timeout (60 seconds)
const DEFAULT_CB_TIMEOUT_SECS: u64 = 60;

/// Default metrics port (9090)
const DEFAULT_METRICS_PORT: u16 = 9090;

/// Default static file paths
const DEFAULT_STATIC_PATHS: &[&str] = &["/assets", "/packs", "/images", "/favicon.ico"];

/// Default static inline file size limit (4MB)
pub const DEFAULT_STATIC_INLINE_SIZE_LIMIT: u64 = 4 * MB as u64;

/// Default static file root directory
const DEFAULT_STATIC_ROOT: &str = "./public";

/// Default Cache-Control header for static files (1 year immutable)
const DEFAULT_STATIC_CACHE_CONTROL: &str = "public, max-age=31536000, immutable";

/// Log level enumeration
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LogLevel {
    Error,
    Warn,
    Info,
    Debug,
}

impl LogLevel {
    /// Parse log level from string
    fn from_str(s: &str) -> Option<Self> {
        match s.to_lowercase().as_str() {
            "error" => Some(LogLevel::Error),
            "warn" => Some(LogLevel::Warn),
            "info" => Some(LogLevel::Info),
            "debug" => Some(LogLevel::Debug),
            _ => None,
        }
    }
}

/// WarpDrive configuration
///
/// This struct contains all configuration options for WarpDrive, including
/// proxy settings, caching, TLS/ACME, and PostgreSQL/Redis coordination features.
#[derive(Debug, Clone)]
pub struct Config {
    // Upstream configuration
    /// Hostname or IP of the upstream server to proxy to
    pub target_host: String,

    /// Port of the upstream server to proxy to
    pub target_port: u16,

    /// Command to spawn upstream process (for supervision)
    pub upstream_command: Option<String>,

    /// Arguments for upstream command
    pub upstream_args: Vec<String>,

    // Cache configuration
    /// Total cache size in bytes
    pub cache_size_bytes: usize,

    /// Maximum size for a single cached item in bytes
    pub max_cache_item_size_bytes: usize,

    /// Enable X-Sendfile header support
    pub x_sendfile_enabled: bool,

    /// Enable gzip compression
    pub gzip_compression_enabled: bool,

    /// Maximum request body size in bytes (0 = unlimited)
    pub max_request_body: usize,

    // TLS/ACME configuration
    /// List of domains for TLS certificates
    pub tls_domains: Vec<String>,

    /// Path to TLS certificate file (PEM format) - for self-signed or manual certs
    pub tls_cert_path: Option<String>,

    /// Path to TLS private key file (PEM format) - for self-signed or manual certs
    pub tls_key_path: Option<String>,

    /// ACME directory URL for certificate provisioning
    pub acme_directory_url: String,

    /// External Account Binding (EAB) key ID
    pub eab_kid: Option<String>,

    /// External Account Binding (EAB) HMAC key
    pub eab_hmac_key: Option<String>,

    /// Storage path for TLS certificates and state
    pub storage_path: String,

    /// Path to custom 502 Bad Gateway HTML page
    pub bad_gateway_page: String,

    // Server configuration
    /// HTTP listen port
    pub http_port: u16,

    /// HTTPS listen port
    pub https_port: u16,

    /// HTTP idle timeout
    pub http_idle_timeout: Duration,

    /// HTTP read timeout
    pub http_read_timeout: Duration,

    /// HTTP write timeout
    pub http_write_timeout: Duration,

    /// Enable HTTP/2 cleartext (h2c) support for AWS ALB and Cloud Run
    pub h2c_enabled: bool,

    // Headers and logging
    /// Forward X-Forwarded-* headers to upstream
    pub forward_headers: bool,

    /// Enable request logging
    pub log_requests: bool,

    /// Log level
    pub log_level: LogLevel,

    // Shutdown configuration
    /// Graceful shutdown timeout in seconds
    pub shutdown_timeout_secs: u64,

    // WarpDrive-specific: PostgreSQL coordination
    /// PostgreSQL connection URL for coordination
    pub database_url: Option<String>,

    /// PostgreSQL NOTIFY channel for cache invalidation
    pub pg_channel_cache_invalidation: String,

    /// PostgreSQL NOTIFY channel for configuration updates
    pub pg_channel_config_update: String,

    /// PostgreSQL NOTIFY channel for health checks
    pub pg_channel_health: String,

    // WarpDrive-specific: Redis
    /// Redis connection URL for distributed cache
    pub redis_url: Option<String>,

    // Multi-upstream routing
    /// TOML configuration for advanced routing (None = simple mode)
    pub toml_config: Option<crate::config::toml::TomlConfig>,

    // Phase 6: Performance & Resilience
    /// Enable rate limiting per IP
    pub rate_limit_enabled: bool,

    /// Maximum requests per second per IP
    pub rate_limit_requests_per_sec: u32,

    /// Rate limit burst size (tokens available immediately)
    pub rate_limit_burst_size: u32,

    /// Upstream request timeout
    pub upstream_timeout: Duration,

    /// Enable circuit breaker
    pub circuit_breaker_enabled: bool,

    /// Circuit breaker failure threshold (failures before opening)
    pub circuit_breaker_failure_threshold: u32,

    /// Circuit breaker timeout (seconds before trying half-open)
    pub circuit_breaker_timeout_secs: u64,

    /// Maximum concurrent requests (0 = unlimited)
    pub max_concurrent_requests: usize,

    // Phase 2: Observability
    /// Enable Prometheus metrics endpoint
    pub metrics_enabled: bool,

    /// Port for Prometheus metrics HTTP server
    pub metrics_port: u16,

    // Static file serving
    /// Enable static file serving
    pub static_enabled: bool,

    /// Root directory for static files
    pub static_root: PathBuf,

    /// URL paths that should be served as static files
    pub static_paths: Vec<String>,

    /// Cache-Control header for static files
    pub static_cache_control: String,

    /// Enable gzip compression for static files
    pub static_gzip_enabled: bool,

    /// Index files to serve for directory requests
    pub static_index_files: Vec<String>,

    /// If true, continue to backend if static file not found; if false, return 404
    pub static_fallthrough: bool,

    /// Maximum file size to keep in memory (larger files are streamed)
    pub static_inline_size_limit: u64,

    // Trusted IP ranges and client IP normalization
    /// Header name to extract real client IP from (e.g., "CF-Connecting-IP", "X-Real-IP")
    pub client_ip_header: Option<String>,

    /// Path to file containing trusted IP ranges (CIDR format, one per line)
    pub trusted_ranges_file: Option<PathBuf>,
}

impl Config {
    /// Create configuration from environment variables
    ///
    /// Loads configuration from environment variables, with support for both
    /// prefixed (`WARPDRIVE_*`) and unprefixed variables. Prefixed variables
    /// take precedence. Falls back to sensible defaults for all values.
    ///
    /// # Errors
    ///
    /// Returns an error if `.env` file exists but cannot be loaded.
    ///
    /// # Example
    ///
    /// ```no_run
    /// use warpdrive::config::Config;
    ///
    /// let config = Config::from_env().expect("Failed to load config");
    /// ```
    pub fn from_env() -> Result<Self, String> {
        // Load .env file if present (ignore if not found)
        let _ = dotenvy::dotenv();

        let config = Config {
            target_host: get_env_string("TARGET_HOST")
                .unwrap_or_else(|| DEFAULT_TARGET_HOST.to_string()),
            target_port: get_env_u16("TARGET_PORT", DEFAULT_TARGET_PORT),
            upstream_command: get_env_string("UPSTREAM_COMMAND"),
            upstream_args: get_env_strings("UPSTREAM_ARGS", vec![]),

            cache_size_bytes: get_env_usize("CACHE_SIZE", DEFAULT_CACHE_SIZE_BYTES),
            max_cache_item_size_bytes: get_env_usize(
                "MAX_CACHE_ITEM_SIZE",
                DEFAULT_MAX_CACHE_ITEM_SIZE_BYTES,
            ),
            x_sendfile_enabled: get_env_bool("X_SENDFILE_ENABLED", true),
            gzip_compression_enabled: get_env_bool("GZIP_COMPRESSION_ENABLED", true),
            max_request_body: get_env_usize("MAX_REQUEST_BODY", 0),

            tls_domains: get_env_strings("TLS_DOMAIN", vec![]),
            tls_cert_path: get_env_string("TLS_CERT_PATH"),
            tls_key_path: get_env_string("TLS_KEY_PATH"),
            acme_directory_url: get_env_string("ACME_DIRECTORY")
                .unwrap_or_else(|| DEFAULT_ACME_DIRECTORY_URL.to_string()),
            eab_kid: get_env_string("EAB_KID"),
            eab_hmac_key: get_env_string("EAB_HMAC_KEY"),
            storage_path: get_env_string("STORAGE_PATH")
                .unwrap_or_else(|| DEFAULT_STORAGE_PATH.to_string()),
            bad_gateway_page: get_env_string("BAD_GATEWAY_PAGE")
                .unwrap_or_else(|| DEFAULT_BAD_GATEWAY_PAGE.to_string()),

            http_port: get_env_u16("HTTP_PORT", DEFAULT_HTTP_PORT),
            https_port: get_env_u16("HTTPS_PORT", DEFAULT_HTTPS_PORT),
            http_idle_timeout: get_env_duration("HTTP_IDLE_TIMEOUT", DEFAULT_HTTP_IDLE_TIMEOUT),
            http_read_timeout: get_env_duration("HTTP_READ_TIMEOUT", DEFAULT_HTTP_READ_TIMEOUT),
            http_write_timeout: get_env_duration("HTTP_WRITE_TIMEOUT", DEFAULT_HTTP_WRITE_TIMEOUT),
            h2c_enabled: get_env_bool("H2C_ENABLED", false),

            forward_headers: get_env_bool("FORWARD_HEADERS", false), // Will be adjusted below
            log_requests: get_env_bool("LOG_REQUESTS", true),
            log_level: get_env_log_level("LOG_LEVEL", DEFAULT_LOG_LEVEL),

            shutdown_timeout_secs: get_env_u64(
                "SHUTDOWN_TIMEOUT_SECS",
                DEFAULT_SHUTDOWN_TIMEOUT_SECS,
            ),

            database_url: get_env_string("DATABASE_URL"),
            pg_channel_cache_invalidation: get_env_string("PG_CHANNEL_CACHE_INVALIDATION")
                .unwrap_or_else(|| "warpdrive:cache:invalidate".to_string()),
            pg_channel_config_update: get_env_string("PG_CHANNEL_CONFIG_UPDATE")
                .unwrap_or_else(|| "warpdrive:config:update".to_string()),
            pg_channel_health: get_env_string("PG_CHANNEL_HEALTH")
                .unwrap_or_else(|| "warpdrive:health".to_string()),

            redis_url: get_env_string("REDIS_URL"),

            // Load TOML config if WARPDRIVE_CONFIG env var is set
            toml_config: get_env_string("CONFIG")
                .map(|path| {
                    crate::config::toml::TomlConfig::from_file(&path)
                        .map_err(|e| format!("Failed to load TOML config from {}: {}", path, e))
                })
                .transpose()?,

            // Phase 6: Performance & Resilience
            rate_limit_enabled: get_env_bool("RATE_LIMIT_ENABLED", false),
            rate_limit_requests_per_sec: get_env_u32("RATE_LIMIT_RPS", DEFAULT_RATE_LIMIT_RPS),
            rate_limit_burst_size: get_env_u32("RATE_LIMIT_BURST", DEFAULT_RATE_LIMIT_BURST),
            upstream_timeout: get_env_duration("UPSTREAM_TIMEOUT", DEFAULT_UPSTREAM_TIMEOUT),
            circuit_breaker_enabled: get_env_bool("CIRCUIT_BREAKER_ENABLED", false),
            circuit_breaker_failure_threshold: get_env_u32(
                "CIRCUIT_BREAKER_FAILURE_THRESHOLD",
                DEFAULT_CB_FAILURE_THRESHOLD,
            ),
            circuit_breaker_timeout_secs: get_env_u64(
                "CIRCUIT_BREAKER_TIMEOUT_SECS",
                DEFAULT_CB_TIMEOUT_SECS,
            ),
            max_concurrent_requests: get_env_usize("MAX_CONCURRENT_REQUESTS", 0),

            // Phase 2: Observability
            metrics_enabled: get_env_bool("METRICS_ENABLED", false),
            metrics_port: get_env_u16("METRICS_PORT", DEFAULT_METRICS_PORT),

            // Static file serving
            static_enabled: get_env_bool("STATIC_ENABLED", true),
            static_root: PathBuf::from(
                get_env_string("STATIC_ROOT").unwrap_or_else(|| DEFAULT_STATIC_ROOT.to_string()),
            ),
            static_paths: get_env_strings(
                "STATIC_PATHS",
                DEFAULT_STATIC_PATHS.iter().map(|s| s.to_string()).collect(),
            ),
            static_cache_control: get_env_string("STATIC_CACHE_CONTROL")
                .unwrap_or_else(|| DEFAULT_STATIC_CACHE_CONTROL.to_string()),
            static_gzip_enabled: get_env_bool("STATIC_GZIP", true),
            static_index_files: get_env_strings(
                "STATIC_INDEX_FILES",
                vec!["index.html".to_string()],
            ),
            static_fallthrough: get_env_bool("STATIC_FALLTHROUGH", true),
            static_inline_size_limit: get_env_u64(
                "STATIC_INLINE_SIZE_LIMIT",
                DEFAULT_STATIC_INLINE_SIZE_LIMIT,
            ),

            // Trusted IP ranges
            client_ip_header: get_env_string("CLIENT_IP_HEADER"),
            trusted_ranges_file: get_env_string("TRUSTED_RANGES_FILE").map(PathBuf::from),
        };

        // Adjust forward_headers based on TLS configuration if not explicitly set
        let config = if find_env("FORWARD_HEADERS").is_none() {
            Config {
                forward_headers: !config.has_tls(),
                ..config
            }
        } else {
            config
        };

        Ok(config)
    }

    /// Check if TLS is enabled
    ///
    /// Returns `true` if either:
    /// - TLS certificate/key paths are provided (self-signed/manual), OR
    /// - At least one TLS domain is configured (ACME)
    pub fn has_tls(&self) -> bool {
        (self.tls_cert_path.is_some() && self.tls_key_path.is_some())
            || !self.tls_domains.is_empty()
    }

    /// Check if using manual TLS certificates (vs ACME)
    pub fn has_manual_tls(&self) -> bool {
        self.tls_cert_path.is_some() && self.tls_key_path.is_some()
    }

    /// Check if ACME certificate provisioning is needed
    ///
    /// Returns `true` if TLS domains are configured (without manual certs)
    pub fn has_acme_domains(&self) -> bool {
        !self.tls_domains.is_empty() && !self.has_manual_tls()
    }

    /// Validate configuration
    ///
    /// Performs validation checks on the configuration to ensure it's internally
    /// consistent and meets requirements.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - TLS domains are specified without required ACME configuration
    /// - TLS certificate path specified without key path (or vice versa)
    /// - Ports are invalid (0 or above 65535)
    /// - Cache sizes are invalid
    /// - Database/Redis URLs are malformed
    pub fn validate(&self) -> Result<(), String> {
        // Validate manual TLS configuration
        if self.tls_cert_path.is_some() != self.tls_key_path.is_some() {
            return Err(
                "Both TLS_CERT_PATH and TLS_KEY_PATH must be specified together".to_string(),
            );
        }

        // Validate ACME TLS configuration
        if !self.tls_domains.is_empty() && !self.has_manual_tls() {
            if self.acme_directory_url.is_empty() {
                return Err(
                    "ACME directory URL required when TLS domains are specified".to_string()
                );
            }

            // Validate URL format
            if !self.acme_directory_url.starts_with("http://")
                && !self.acme_directory_url.starts_with("https://")
            {
                return Err("ACME directory URL must be a valid HTTP(S) URL".to_string());
            }
        }

        // Validate ports
        if self.http_port == 0 {
            return Err("HTTP port cannot be 0".to_string());
        }
        if self.https_port == 0 {
            return Err("HTTPS port cannot be 0".to_string());
        }
        if self.target_port == 0 {
            return Err("Target port cannot be 0".to_string());
        }

        if self.target_host.trim().is_empty() {
            return Err("Target host cannot be empty".to_string());
        }

        // Validate cache configuration
        if self.max_cache_item_size_bytes > self.cache_size_bytes {
            return Err("Maximum cache item size cannot exceed total cache size".to_string());
        }

        // Validate database URL if present
        if let Some(ref db_url) = self.database_url {
            if !db_url.starts_with("postgres://") && !db_url.starts_with("postgresql://") {
                return Err("Database URL must be a valid PostgreSQL connection string".to_string());
            }
        }

        // Validate Redis URL if present
        if let Some(ref redis_url) = self.redis_url {
            if !redis_url.starts_with("redis://") && !redis_url.starts_with("rediss://") {
                return Err("Redis URL must be a valid Redis connection string".to_string());
            }
        }

        Ok(())
    }
}

impl Default for Config {
    fn default() -> Self {
        Config {
            target_host: DEFAULT_TARGET_HOST.to_string(),
            target_port: DEFAULT_TARGET_PORT,
            upstream_command: None,
            upstream_args: vec![],

            cache_size_bytes: DEFAULT_CACHE_SIZE_BYTES,
            max_cache_item_size_bytes: DEFAULT_MAX_CACHE_ITEM_SIZE_BYTES,
            x_sendfile_enabled: true,
            gzip_compression_enabled: true,
            max_request_body: 0,

            tls_domains: vec![],
            tls_cert_path: None,
            tls_key_path: None,
            acme_directory_url: DEFAULT_ACME_DIRECTORY_URL.to_string(),
            eab_kid: None,
            eab_hmac_key: None,
            storage_path: DEFAULT_STORAGE_PATH.to_string(),
            bad_gateway_page: DEFAULT_BAD_GATEWAY_PAGE.to_string(),

            http_port: DEFAULT_HTTP_PORT,
            https_port: DEFAULT_HTTPS_PORT,
            http_idle_timeout: DEFAULT_HTTP_IDLE_TIMEOUT,
            http_read_timeout: DEFAULT_HTTP_READ_TIMEOUT,
            http_write_timeout: DEFAULT_HTTP_WRITE_TIMEOUT,
            h2c_enabled: false,

            forward_headers: true,
            log_requests: true,
            log_level: DEFAULT_LOG_LEVEL,

            shutdown_timeout_secs: DEFAULT_SHUTDOWN_TIMEOUT_SECS,

            database_url: None,
            pg_channel_cache_invalidation: "warpdrive:cache:invalidate".to_string(),
            pg_channel_config_update: "warpdrive:config:update".to_string(),
            pg_channel_health: "warpdrive:health".to_string(),

            redis_url: None,

            toml_config: None,

            // Phase 6: Performance & Resilience
            rate_limit_enabled: false,
            rate_limit_requests_per_sec: DEFAULT_RATE_LIMIT_RPS,
            rate_limit_burst_size: DEFAULT_RATE_LIMIT_BURST,
            upstream_timeout: DEFAULT_UPSTREAM_TIMEOUT,
            circuit_breaker_enabled: false,
            circuit_breaker_failure_threshold: DEFAULT_CB_FAILURE_THRESHOLD,
            circuit_breaker_timeout_secs: DEFAULT_CB_TIMEOUT_SECS,
            max_concurrent_requests: 0,

            // Phase 2: Observability
            metrics_enabled: false,
            metrics_port: DEFAULT_METRICS_PORT,

            // Static file serving
            static_enabled: true,
            static_root: PathBuf::from(DEFAULT_STATIC_ROOT),
            static_paths: DEFAULT_STATIC_PATHS.iter().map(|s| s.to_string()).collect(),
            static_cache_control: DEFAULT_STATIC_CACHE_CONTROL.to_string(),
            static_gzip_enabled: true,
            static_index_files: vec!["index.html".to_string()],
            static_fallthrough: true,
            static_inline_size_limit: DEFAULT_STATIC_INLINE_SIZE_LIMIT,

            // Trusted IP ranges
            client_ip_header: None,
            trusted_ranges_file: None,
        }
    }
}

// Environment variable helper functions

/// Find environment variable with prefix support
///
/// Looks for prefixed variable first (`WARPDRIVE_*`), then unprefixed.
/// Returns the value if found.
fn find_env(key: &str) -> Option<String> {
    // Try prefixed first
    if let Ok(value) = env::var(format!("{}{}", ENV_PREFIX, key)) {
        return Some(value);
    }

    // Fall back to unprefixed
    env::var(key).ok()
}

/// Get string environment variable with optional default
fn get_env_string(key: &str) -> Option<String> {
    find_env(key)
}

/// Get comma-separated string list from environment variable
fn get_env_strings(key: &str, default: Vec<String>) -> Vec<String> {
    match find_env(key) {
        Some(value) => value
            .split(',')
            .map(|s| s.trim().to_string())
            .filter(|s| !s.is_empty())
            .collect(),
        None => default,
    }
}

/// Get unsigned 16-bit integer from environment variable
fn get_env_u16(key: &str, default: u16) -> u16 {
    find_env(key)
        .and_then(|v| v.parse().ok())
        .unwrap_or(default)
}

/// Get unsigned 32-bit integer from environment variable
fn get_env_u32(key: &str, default: u32) -> u32 {
    find_env(key)
        .and_then(|v| v.parse().ok())
        .unwrap_or(default)
}

/// Get usize from environment variable
fn get_env_usize(key: &str, default: usize) -> usize {
    find_env(key)
        .and_then(|v| v.parse().ok())
        .unwrap_or(default)
}

/// Get unsigned 64-bit integer from environment variable
fn get_env_u64(key: &str, default: u64) -> u64 {
    find_env(key)
        .and_then(|v| v.parse().ok())
        .unwrap_or(default)
}

/// Get boolean from environment variable
fn get_env_bool(key: &str, default: bool) -> bool {
    find_env(key)
        .and_then(|v| match v.to_lowercase().as_str() {
            "true" | "1" | "yes" | "on" => Some(true),
            "false" | "0" | "no" | "off" => Some(false),
            _ => None,
        })
        .unwrap_or(default)
}

/// Get duration from environment variable (specified in seconds)
fn get_env_duration(key: &str, default: Duration) -> Duration {
    find_env(key)
        .and_then(|v| v.parse::<u64>().ok())
        .map(Duration::from_secs)
        .unwrap_or(default)
}

/// Get log level from environment variable
fn get_env_log_level(key: &str, default: LogLevel) -> LogLevel {
    find_env(key)
        .and_then(|v| LogLevel::from_str(&v))
        .unwrap_or(default)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_default_config() {
        let config = Config::default();
        assert_eq!(config.target_port, 3000);
        assert_eq!(config.cache_size_bytes, 64 * MB);
        assert_eq!(config.max_cache_item_size_bytes, MB);
        assert!(config.x_sendfile_enabled);
        assert!(config.gzip_compression_enabled);
        assert_eq!(config.max_request_body, 0);
        assert!(config.tls_domains.is_empty());
        assert_eq!(config.http_port, 8080);
        assert_eq!(config.https_port, 8443);
        assert!(!config.h2c_enabled); // h2c disabled by default
        assert!(config.log_requests);
    }

    #[test]
    fn test_has_tls() {
        let mut config = Config::default();
        assert!(!config.has_tls());

        config.tls_domains = vec!["example.com".to_string()];
        assert!(config.has_tls());
    }

    #[test]
    fn test_validate_valid_config() {
        let config = Config::default();
        assert!(config.validate().is_ok());
    }

    #[test]
    fn test_validate_zero_ports() {
        let config = Config {
            http_port: 0,
            ..Default::default()
        };
        assert!(config.validate().is_err());
    }

    #[test]
    fn test_validate_cache_size() {
        let config = Config {
            max_cache_item_size_bytes: DEFAULT_CACHE_SIZE_BYTES + 1,
            ..Default::default()
        };
        assert!(config.validate().is_err());
    }

    #[test]
    fn test_validate_tls_without_acme() {
        let config = Config {
            tls_domains: vec!["example.com".to_string()],
            acme_directory_url: String::new(),
            ..Default::default()
        };
        assert!(config.validate().is_err());
    }

    #[test]
    fn test_validate_invalid_acme_url() {
        let config = Config {
            tls_domains: vec!["example.com".to_string()],
            acme_directory_url: "invalid-url".to_string(),
            ..Default::default()
        };
        assert!(config.validate().is_err());
    }

    #[test]
    fn test_validate_invalid_database_url() {
        let config = Config {
            database_url: Some("invalid-db-url".to_string()),
            ..Default::default()
        };
        assert!(config.validate().is_err());
    }

    #[test]
    fn test_validate_invalid_redis_url() {
        let config = Config {
            redis_url: Some("invalid-redis-url".to_string()),
            ..Default::default()
        };
        assert!(config.validate().is_err());
    }

    #[test]
    fn test_log_level_from_str() {
        assert_eq!(LogLevel::from_str("error"), Some(LogLevel::Error));
        assert_eq!(LogLevel::from_str("ERROR"), Some(LogLevel::Error));
        assert_eq!(LogLevel::from_str("warn"), Some(LogLevel::Warn));
        assert_eq!(LogLevel::from_str("info"), Some(LogLevel::Info));
        assert_eq!(LogLevel::from_str("debug"), Some(LogLevel::Debug));
        assert_eq!(LogLevel::from_str("invalid"), None);
    }
}