itsi-scheduler 0.1.5 → 0.1.19

data/ext/itsi_server/src/server/{tls → binds/tls}/locked_dir_cache.rs

@@ -1,34 +1,68 @@
 use async_trait::async_trait;
-use fs2::FileExt; // for lock_exclusive, unlock
-use std::fs::OpenOptions;
+use fs2::FileExt;
+use parking_lot::Mutex;
+use std::fs::{self, OpenOptions};
 use std::io::Error as IoError;
 use std::path::{Path, PathBuf};
 use tokio_rustls_acme::caches::DirCache;
 use tokio_rustls_acme::{AccountCache, CertCache};
 
+use crate::env::ITSI_ACME_LOCK_FILE_NAME;
+
 /// A wrapper around DirCache that locks a file before writing cert/account data.
 pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
     inner: DirCache<P>,
     lock_path: PathBuf,
+    current_lock: Mutex<Option<std::fs::File>>,
 }
 
 impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
     pub fn new(dir: P) -> Self {
         let dir_path = dir.as_ref().to_path_buf();
-        let lock_path = dir_path.join(".acme.lock");
+        std::fs::create_dir_all(&dir_path).unwrap();
+        let lock_path = dir_path.join(&*ITSI_ACME_LOCK_FILE_NAME);
+        Self::touch_file(&lock_path).expect("Failed to create lock file");
+
         Self {
             inner: DirCache::new(dir),
             lock_path,
+            current_lock: Mutex::new(None),
+        }
+    }
+
+    fn touch_file(path: &PathBuf) -> std::io::Result<()> {
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent)?;
         }
+        fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(path)?;
+        Ok(())
     }
 
-    fn lock_exclusive(&self) -> Result<std::fs::File, IoError> {
+    fn lock_exclusive(&self) -> Result<(), IoError> {
+        if self.current_lock.lock().is_some() {
+            return Ok(());
+        }
+
+        if let Some(parent) = self.lock_path.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
         let lockfile = OpenOptions::new()
+            .create(true)
             .write(true)
             .truncate(true)
             .open(&self.lock_path)?;
         lockfile.lock_exclusive()?;
-        Ok(lockfile)
+        *self.current_lock.lock() = Some(lockfile);
+        Ok(())
+    }
+
+    fn unlock(&self) -> Result<(), IoError> {
+        self.current_lock.lock().take();
+        Ok(())
     }
 }
 
@@ -41,8 +75,14 @@ impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
         domains: &[String],
         directory_url: &str,
     ) -> Result<Option<Vec<u8>>, Self::EC> {
-        // Just delegate to the inner DirCache
-        self.inner.load_cert(domains, directory_url).await
+        self.lock_exclusive()?;
+        let result = self.inner.load_cert(domains, directory_url).await;
+
+        if let Ok(Some(_)) = result {
+            self.unlock()?;
+        }
+
+        result
     }
 
     async fn store_cert(
@@ -52,13 +92,14 @@ impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
         cert: &[u8],
     ) -> Result<(), Self::EC> {
         // Acquire the lock before storing
-        let lockfile = self.lock_exclusive()?;
+        self.lock_exclusive()?;
 
         // Perform the store operation
         let result = self.inner.store_cert(domains, directory_url, cert).await;
 
-        // Unlock and return
-        let _ = fs2::FileExt::unlock(&lockfile);
+        if let Ok(()) = result {
+            self.unlock()?;
+        }
         result
     }
 }
@@ -72,6 +113,7 @@ impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
         contact: &[String],
         directory_url: &str,
     ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.lock_exclusive()?;
         self.inner.load_account(contact, directory_url).await
     }
 
@@ -81,14 +123,10 @@ impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
         directory_url: &str,
         account: &[u8],
     ) -> Result<(), Self::EA> {
-        let lockfile = self.lock_exclusive()?;
+        self.lock_exclusive()?;
 
-        let result = self
-            .inner
+        self.inner
             .store_account(contact, directory_url, account)
-            .await;
-
-        let _ = fs2::FileExt::unlock(&lockfile);
-        result
+            .await
     }
 }

data/ext/itsi_server/src/server/{tls.rs → binds/tls.rs}

@@ -2,21 +2,30 @@ use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rcgen::{
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, SanType,
+};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
-    env, fs,
+    fs,
     io::{BufReader, Error},
     sync::Arc,
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
+
 mod locked_dir_cache;
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
 #[derive(Clone)]
 pub enum ItsiTlsAcceptor {
@@ -28,35 +37,72 @@ pub enum ItsiTlsAcceptor {
     ),
 }
 
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
 pub fn configure_tls(
     host: &str,
     query_params: &HashMap<String, String>,
 ) -> Result<ItsiTlsAcceptor> {
     let domains = query_params
         .get("domains")
-        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>())
+        .or_else(|| query_params.get("domain").map(|v| vec![v.to_string()]));
 
-    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+    if query_params.get("cert").is_some_and(|c| c == "acme") {
         if let Some(domains) = domains {
-            let directory_url = env::var("ACME_DIRECTORY_URL")
-                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
             info!(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
-            let acme_state = AcmeConfig::new(domains)
-                .contact(["mailto:wc@pico.net.nz"])
-                .cache(LockedDirCache::new("./rustls_acme_cache"))
-                .directory(directory_url)
-                .state();
-            let rustls_config = ServerConfig::builder()
+            let acme_contact_email = query_params
+                .get("acme_email")
+                .map(|s| s.to_string())
+                .or_else(|| (*ITSI_ACME_CONTACT_EMAIL).as_ref().ok().map(|s| s.to_string()))
+                .ok_or_else(|| itsi_error::ItsiError::ArgumentError(
+                    "acme_email query param or ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate let's encrypt certificates".to_string(),
+                ))?;
+
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", acme_contact_email)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
                 .with_no_client_auth()
                 .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
             let acceptor = acme_state.acceptor();
             return Ok(ItsiTlsAcceptor::Automatic(
                 acceptor,
@@ -73,7 +119,7 @@ pub fn configure_tls(
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        generate_ca_signed_cert(vec![host.to_owned()])?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
@@ -144,10 +190,19 @@ pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
 pub fn generate_ca_signed_cert(
     domains: Vec<String>,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
-    info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    info!(
+        domains = format!("{}", domains.join(", ")),
+        "Self signed cert",
+    );
+    info!(
+        "Add {} to your system's trusted cert store to resolve certificate errors.",
+        format!("{}/itsi_dev_ca.crt", ITSI_LOCAL_CA_DIR.to_str().unwrap())
+    );
+    info!("Dev CA path can be overridden by setting env var: `ITSI_LOCAL_CA_DIR`.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
-    let ca_cert = CertificateParams::from_ca_cert_pem(ITS_CA_CERT)
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
         .expect("Failed to parse embedded CA certificate")
         .self_signed(&ca_kp)
         .expect("Failed to self-sign embedded CA cert");
@@ -155,10 +210,6 @@ pub fn generate_ca_signed_cert(
     let ee_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
     let mut ee_params = CertificateParams::default();
 
-    info!(
-        "Generated certificate will be valid for domains {:?}",
-        domains
-    );
     use std::net::IpAddr;
 
     ee_params.subject_alt_names = domains
@@ -187,3 +238,33 @@ pub fn generate_ca_signed_cert(
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
+
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+        let mut params = CertificateParams::new(subject_alt_names)?;
+        let mut distinguished_name = DistinguishedName::new();
+        distinguished_name.push(DnType::CommonName, "Itsi Development CA");
+        params.distinguished_name = distinguished_name;
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        let key_pair = KeyPair::generate()?;
+        let cert = params.self_signed(&key_pair)?;
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/ext/itsi_server/src/server/byte_frame.rs

@@ -0,0 +1,32 @@
+use std::ops::Deref;
+
+use bytes::Bytes;
+
+#[derive(Debug)]
+pub enum ByteFrame {
+    Data(Bytes),
+    End(Bytes),
+    Empty,
+}
+
+impl Deref for ByteFrame {
+    type Target = Bytes;
+
+    fn deref(&self) -> &Self::Target {
+        match self {
+            ByteFrame::Data(data) => data,
+            ByteFrame::End(data) => data,
+            ByteFrame::Empty => unreachable!(),
+        }
+    }
+}
+
+impl From<ByteFrame> for Bytes {
+    fn from(frame: ByteFrame) -> Self {
+        match frame {
+            ByteFrame::Data(data) => data,
+            ByteFrame::End(data) => data,
+            ByteFrame::Empty => unreachable!(),
+        }
+    }
+}

data/ext/itsi_server/src/server/http_message_types.rs

@@ -0,0 +1,97 @@
+use std::convert::Infallible;
+
+use bytes::Bytes;
+use http::{Request, Response};
+use http_body_util::combinators::BoxBody;
+use hyper::body::Incoming;
+
+use super::size_limited_incoming::SizeLimitedIncoming;
+
+pub type HttpResponse = Response<BoxBody<Bytes, Infallible>>;
+pub type HttpRequest = Request<SizeLimitedIncoming<Incoming>>;
+
+pub trait ConversionExt {
+    fn limit(self) -> HttpRequest;
+}
+
+impl ConversionExt for Request<Incoming> {
+    fn limit(self) -> HttpRequest {
+        let (parts, body) = self.into_parts();
+        Request::from_parts(parts, SizeLimitedIncoming::new(body))
+    }
+}
+
+pub trait RequestExt {
+    fn content_type(&self) -> Option<&str>;
+    fn accept(&self) -> Option<&str>;
+    fn header(&self, header_name: &str) -> Option<&str>;
+    fn query_param(&self, query_name: &str) -> Option<&str>;
+}
+
+pub trait PathExt {
+    fn no_trailing_slash(&self) -> &str;
+}
+
+#[derive(Debug, Clone)]
+pub enum ResponseFormat {
+    JSON,
+    HTML,
+    TEXT,
+    UNKNOWN,
+}
+
+#[derive(Debug, Clone, Default)]
+pub struct SupportedEncodingSet {
+    pub zstd: bool,
+    pub br: bool,
+    pub deflate: bool,
+    pub gzip: bool,
+}
+
+impl From<Option<&str>> for ResponseFormat {
+    fn from(value: Option<&str>) -> Self {
+        match value {
+            Some("application/json") => ResponseFormat::JSON,
+            Some("text/html") => ResponseFormat::HTML,
+            Some("text/plain") => ResponseFormat::TEXT,
+            _ => ResponseFormat::UNKNOWN,
+        }
+    }
+}
+
+impl PathExt for str {
+    fn no_trailing_slash(&self) -> &str {
+        if self == "/" {
+            self
+        } else {
+            self.trim_end_matches("/")
+        }
+    }
+}
+
+impl RequestExt for HttpRequest {
+    fn content_type(&self) -> Option<&str> {
+        self.headers()
+            .get("content-type")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn accept(&self) -> Option<&str> {
+        self.headers()
+            .get("accept")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn header(&self, header_name: &str) -> Option<&str> {
+        self.headers()
+            .get(header_name)
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn query_param(&self, query_name: &str) -> Option<&str> {
+        self.uri()
+            .query()
+            .and_then(|query| query.split('&').find(|param| param.starts_with(query_name)))
+            .map(|param| param.split('=').nth(1).unwrap_or(""))
+    }
+}

data/ext/itsi_server/src/server/io_stream.rs

@@ -1,4 +1,3 @@
-use super::listener::SockAddr;
 use pin_project::pin_project;
 use tokio::net::{TcpStream, UnixStream};
 use tokio_rustls::server::TlsStream;
@@ -8,6 +7,8 @@ use std::pin::Pin;
 use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncWrite};
 
+use super::binds::listener::SockAddr;
+
 #[pin_project(project = IoStreamEnumProj)]
 pub enum IoStream {
     Tcp {

data/ext/itsi_server/src/server/lifecycle_event.rs

@@ -3,7 +3,10 @@ pub enum LifecycleEvent {
     Start,
     Shutdown,
     Restart,
+    Reload,
     IncreaseWorkers,
     DecreaseWorkers,
     ForceShutdown,
+    PrintInfo,
+    ChildTerminated,
 }

data/ext/itsi_server/src/server/middleware_stack/middleware.rs

@@ -0,0 +1,165 @@
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
+};
+
+use super::middlewares::*;
+
+use async_trait::async_trait;
+use either::Either;
+use magnus::error::Result;
+use std::cmp::Ordering;
+
+#[derive(Debug)]
+pub enum Middleware {
+    AllowList(AllowList),
+    AuthAPIKey(AuthAPIKey),
+    AuthBasic(AuthBasic),
+    AuthJwt(Box<AuthJwt>),
+    CacheControl(CacheControl),
+    Compression(Compression),
+    Cors(Box<Cors>),
+    DenyList(DenyList),
+    ETag(ETag),
+    IntrusionProtection(IntrusionProtection),
+    LogRequests(LogRequests),
+    MaxBody(MaxBody),
+    Proxy(Proxy),
+    RateLimit(RateLimit),
+    Redirect(Redirect),
+    RequestHeaders(RequestHeaders),
+    ResponseHeaders(ResponseHeaders),
+    RubyApp(RubyApp),
+    StaticAssets(StaticAssets),
+    StaticResponse(StaticResponse),
+}
+
+#[async_trait]
+impl MiddlewareLayer for Middleware {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        match self {
+            Middleware::DenyList(filter) => filter.initialize().await,
+            Middleware::AllowList(filter) => filter.initialize().await,
+            Middleware::AuthBasic(filter) => filter.initialize().await,
+            Middleware::AuthJwt(filter) => filter.initialize().await,
+            Middleware::AuthAPIKey(filter) => filter.initialize().await,
+            Middleware::IntrusionProtection(filter) => filter.initialize().await,
+            Middleware::MaxBody(filter) => filter.initialize().await,
+            Middleware::RateLimit(filter) => filter.initialize().await,
+            Middleware::RequestHeaders(filter) => filter.initialize().await,
+            Middleware::ResponseHeaders(filter) => filter.initialize().await,
+            Middleware::CacheControl(filter) => filter.initialize().await,
+            Middleware::Cors(filter) => filter.initialize().await,
+            Middleware::ETag(filter) => filter.initialize().await,
+            Middleware::StaticAssets(filter) => filter.initialize().await,
+            Middleware::StaticResponse(filter) => filter.initialize().await,
+            Middleware::Compression(filter) => filter.initialize().await,
+            Middleware::LogRequests(filter) => filter.initialize().await,
+            Middleware::Redirect(filter) => filter.initialize().await,
+            Middleware::Proxy(filter) => filter.initialize().await,
+            Middleware::RubyApp(filter) => filter.initialize().await,
+        }
+    }
+
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut HttpRequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        match self {
+            Middleware::DenyList(filter) => filter.before(req, context).await,
+            Middleware::AllowList(filter) => filter.before(req, context).await,
+            Middleware::AuthBasic(filter) => filter.before(req, context).await,
+            Middleware::AuthJwt(filter) => filter.before(req, context).await,
+            Middleware::AuthAPIKey(filter) => filter.before(req, context).await,
+            Middleware::IntrusionProtection(filter) => filter.before(req, context).await,
+            Middleware::MaxBody(filter) => filter.before(req, context).await,
+            Middleware::RequestHeaders(filter) => filter.before(req, context).await,
+            Middleware::ResponseHeaders(filter) => filter.before(req, context).await,
+            Middleware::RateLimit(filter) => filter.before(req, context).await,
+            Middleware::CacheControl(filter) => filter.before(req, context).await,
+            Middleware::Cors(filter) => filter.before(req, context).await,
+            Middleware::ETag(filter) => filter.before(req, context).await,
+            Middleware::StaticAssets(filter) => filter.before(req, context).await,
+            Middleware::StaticResponse(filter) => filter.before(req, context).await,
+            Middleware::Compression(filter) => filter.before(req, context).await,
+            Middleware::LogRequests(filter) => filter.before(req, context).await,
+            Middleware::Redirect(filter) => filter.before(req, context).await,
+            Middleware::Proxy(filter) => filter.before(req, context).await,
+            Middleware::RubyApp(filter) => filter.before(req, context).await,
+        }
+    }
+
+    async fn after(&self, res: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
+        match self {
+            Middleware::DenyList(filter) => filter.after(res, context).await,
+            Middleware::AllowList(filter) => filter.after(res, context).await,
+            Middleware::AuthBasic(filter) => filter.after(res, context).await,
+            Middleware::AuthJwt(filter) => filter.after(res, context).await,
+            Middleware::AuthAPIKey(filter) => filter.after(res, context).await,
+            Middleware::IntrusionProtection(filter) => filter.after(res, context).await,
+            Middleware::MaxBody(filter) => filter.after(res, context).await,
+            Middleware::RateLimit(filter) => filter.after(res, context).await,
+            Middleware::RequestHeaders(filter) => filter.after(res, context).await,
+            Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
+            Middleware::CacheControl(filter) => filter.after(res, context).await,
+            Middleware::Cors(filter) => filter.after(res, context).await,
+            Middleware::ETag(filter) => filter.after(res, context).await,
+            Middleware::StaticAssets(filter) => filter.after(res, context).await,
+            Middleware::StaticResponse(filter) => filter.after(res, context).await,
+            Middleware::Compression(filter) => filter.after(res, context).await,
+            Middleware::LogRequests(filter) => filter.after(res, context).await,
+            Middleware::Redirect(filter) => filter.after(res, context).await,
+            Middleware::Proxy(filter) => filter.after(res, context).await,
+            Middleware::RubyApp(filter) => filter.after(res, context).await,
+        }
+    }
+}
+
+impl Middleware {
+    fn variant_order(&self) -> usize {
+        match self {
+            Middleware::DenyList(_) => 0,
+            Middleware::AllowList(_) => 1,
+            Middleware::IntrusionProtection(_) => 2,
+            Middleware::Redirect(_) => 3,
+            Middleware::LogRequests(_) => 4,
+            Middleware::CacheControl(_) => 5,
+            Middleware::RequestHeaders(_) => 6,
+            Middleware::ResponseHeaders(_) => 7,
+            Middleware::MaxBody(_) => 8,
+            Middleware::AuthBasic(_) => 9,
+            Middleware::AuthJwt(_) => 10,
+            Middleware::AuthAPIKey(_) => 11,
+            Middleware::RateLimit(_) => 12,
+            Middleware::ETag(_) => 13,
+            Middleware::Compression(_) => 14,
+            Middleware::Proxy(_) => 15,
+            Middleware::Cors(_) => 16,
+            Middleware::StaticResponse(_) => 17,
+            Middleware::StaticAssets(_) => 18,
+            Middleware::RubyApp(_) => 19,
+        }
+    }
+}
+
+impl PartialEq for Middleware {
+    fn eq(&self, other: &Self) -> bool {
+        self.variant_order() == other.variant_order()
+    }
+}
+
+impl Eq for Middleware {}
+
+impl PartialOrd for Middleware {
+    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
+        Some(self.variant_order().cmp(&other.variant_order()))
+    }
+}
+
+impl Ord for Middleware {
+    fn cmp(&self, other: &Self) -> Ordering {
+        self.variant_order().cmp(&other.variant_order())
+    }
+}