RubyGems - itsi - Versions diffs - 0.1.19 → 0.2.2 - Mend

itsi 0.1.19 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (645) hide show

data/crates/itsi_server/src/server/binds/tls.rs CHANGED Viewed

@@ -1,9 +1,12 @@
 use base64::{engine::general_purpose, Engine as _};
+use itsi_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
+use rcgen::ExtendedKeyUsagePurpose;
 use rcgen::{
-    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, SanType,
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, KeyUsagePurpose,
+    SanType,
 };
 use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer},
@@ -18,7 +21,6 @@ use std::{
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
-use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
 use crate::env::{
     ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
@@ -228,13 +230,14 @@ pub fn generate_ca_signed_cert(
         .push(DnType::CommonName, domains[0].clone());
     ee_params.use_authority_key_identifier_extension = true;
+    ee_params.extended_key_usages = vec![ExtendedKeyUsagePurpose::ServerAuth];
     let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ca_kp).unwrap();
     let ee_cert_der = ee_cert.der().to_vec();
     let ee_cert = CertificateDer::from(ee_cert_der);
-    let ca_cert = CertificateDer::from(ca_cert.der().to_vec());
     Ok((
-        vec![ee_cert, ca_cert],
+        vec![ee_cert],
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
@@ -253,12 +256,17 @@ fn get_or_create_local_dev_ca() -> Result<(String, String)> {
         Ok((key_pem, cert_pem))
     } else {
-        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+        let subject_alt_names = vec!["ca.itsi.fyi".to_string(), "localhost".to_string()];
         let mut params = CertificateParams::new(subject_alt_names)?;
         let mut distinguished_name = DistinguishedName::new();
-        distinguished_name.push(DnType::CommonName, "Itsi Development CA");
+        distinguished_name.push(DnType::CommonName, "ca.itsi.fyi");
         params.distinguished_name = distinguished_name;
         params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        params.key_usages = vec![
+            KeyUsagePurpose::KeyCertSign,
+            KeyUsagePurpose::CrlSign,
+            KeyUsagePurpose::DigitalSignature, // useful for OCSP/CRL signing
+        ];
         let key_pair = KeyPair::generate()?;
         let cert = params.self_signed(&key_pair)?;

data/crates/itsi_server/src/server/middleware_stack/middleware.rs CHANGED Viewed

@@ -8,30 +8,31 @@ use super::middlewares::*;
 use async_trait::async_trait;
 use either::Either;
 use magnus::error::Result;
-use std::cmp::Ordering;
+use std::{cmp::Ordering, sync::Arc};
-#[derive(Debug)]
+#[derive(Debug, Clone)]
 pub enum Middleware {
-    AllowList(AllowList),
-    AuthAPIKey(AuthAPIKey),
-    AuthBasic(AuthBasic),
-    AuthJwt(Box<AuthJwt>),
-    CacheControl(CacheControl),
-    Compression(Compression),
-    Cors(Box<Cors>),
-    DenyList(DenyList),
-    ETag(ETag),
-    IntrusionProtection(IntrusionProtection),
-    LogRequests(LogRequests),
-    MaxBody(MaxBody),
-    Proxy(Proxy),
-    RateLimit(RateLimit),
-    Redirect(Redirect),
-    RequestHeaders(RequestHeaders),
-    ResponseHeaders(ResponseHeaders),
-    RubyApp(RubyApp),
-    StaticAssets(StaticAssets),
-    StaticResponse(StaticResponse),
+    AllowList(Arc<AllowList>),
+    AuthAPIKey(Arc<AuthAPIKey>),
+    AuthBasic(Arc<AuthBasic>),
+    AuthJwt(Arc<AuthJwt>),
+    CacheControl(Arc<CacheControl>),
+    Compression(Arc<Compression>),
+    Cors(Arc<Cors>),
+    Csp(Arc<Csp>),
+    DenyList(Arc<DenyList>),
+    ETag(Arc<ETag>),
+    IntrusionProtection(Arc<IntrusionProtection>),
+    LogRequests(Arc<LogRequests>),
+    MaxBody(Arc<MaxBody>),
+    Proxy(Arc<Proxy>),
+    RateLimit(Arc<RateLimit>),
+    Redirect(Arc<Redirect>),
+    RequestHeaders(Arc<RequestHeaders>),
+    ResponseHeaders(Arc<ResponseHeaders>),
+    RubyApp(Arc<RubyApp>),
+    StaticAssets(Arc<StaticAssets>),
+    StaticResponse(Arc<StaticResponse>),
 }
 #[async_trait]
@@ -51,6 +52,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::ResponseHeaders(filter) => filter.initialize().await,
             Middleware::CacheControl(filter) => filter.initialize().await,
             Middleware::Cors(filter) => filter.initialize().await,
+            Middleware::Csp(filter) => filter.initialize().await,
             Middleware::ETag(filter) => filter.initialize().await,
             Middleware::StaticAssets(filter) => filter.initialize().await,
             Middleware::StaticResponse(filter) => filter.initialize().await,
@@ -80,6 +82,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::RateLimit(filter) => filter.before(req, context).await,
             Middleware::CacheControl(filter) => filter.before(req, context).await,
             Middleware::Cors(filter) => filter.before(req, context).await,
+            Middleware::Csp(filter) => filter.before(req, context).await,
             Middleware::ETag(filter) => filter.before(req, context).await,
             Middleware::StaticAssets(filter) => filter.before(req, context).await,
             Middleware::StaticResponse(filter) => filter.before(req, context).await,
@@ -104,6 +107,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::RequestHeaders(filter) => filter.after(res, context).await,
             Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
             Middleware::CacheControl(filter) => filter.after(res, context).await,
+            Middleware::Csp(filter) => filter.after(res, context).await,
             Middleware::Cors(filter) => filter.after(res, context).await,
             Middleware::ETag(filter) => filter.after(res, context).await,
             Middleware::StaticAssets(filter) => filter.after(res, context).await,
@@ -134,12 +138,13 @@ impl Middleware {
             Middleware::AuthAPIKey(_) => 11,
             Middleware::RateLimit(_) => 12,
             Middleware::ETag(_) => 13,
-            Middleware::Compression(_) => 14,
-            Middleware::Proxy(_) => 15,
-            Middleware::Cors(_) => 16,
-            Middleware::StaticResponse(_) => 17,
-            Middleware::StaticAssets(_) => 18,
-            Middleware::RubyApp(_) => 19,
+            Middleware::Csp(_) => 14,
+            Middleware::Compression(_) => 15,
+            Middleware::Proxy(_) => 16,
+            Middleware::Cors(_) => 17,
+            Middleware::StaticResponse(_) => 18,
+            Middleware::StaticAssets(_) => 19,
+            Middleware::RubyApp(_) => 20,
         }
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/allow_list.rs CHANGED Viewed

@@ -1,23 +1,23 @@
+use super::{token_source::TokenSource, ErrorResponse, FromValue, MiddlewareLayer};
 use crate::{
     server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
     services::itsi_http_service::HttpRequestContext,
 };
-use super::{ErrorResponse, FromValue, MiddlewareLayer};
 use async_trait::async_trait;
 use either::Either;
 use itsi_error::ItsiError;
 use magnus::error::Result;
 use regex::RegexSet;
 use serde::Deserialize;
-use std::sync::OnceLock;
+use std::{collections::HashMap, sync::OnceLock};
+use tracing::debug;
 #[derive(Debug, Clone, Deserialize)]
 pub struct AllowList {
     #[serde(skip_deserializing)]
     pub allowed_ips: OnceLock<RegexSet>,
     pub allowed_patterns: Vec<String>,
+    pub trusted_proxies: HashMap<String, TokenSource>,
     #[serde(default = "forbidden_error_response")]
     pub error_response: ErrorResponse,
 }
@@ -42,7 +42,14 @@ impl MiddlewareLayer for AllowList {
         context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         if let Some(allowed_ips) = self.allowed_ips.get() {
-            if !allowed_ips.is_match(&context.addr) {
+            let addr = if self.trusted_proxies.contains_key(&context.addr) {
+                let source = self.trusted_proxies.get(&context.addr).unwrap();
+                source.extract_token(&req).unwrap_or(&context.addr)
+            } else {
+                &context.addr
+            };
+            if !allowed_ips.is_match(addr) {
+                debug!(target: "middleware::allow_list", "IP address {} is not allowed", addr);
                 return Ok(Either::Right(
                     self.error_response
                         .to_http_response(req.accept().into())

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_api_key.rs CHANGED Viewed

@@ -11,6 +11,7 @@ use async_trait::async_trait;
 use either::Either;
 use magnus::error::Result;
 use serde::Deserialize;
+use tracing::debug;
 type PasswordHash = String;
@@ -51,6 +52,8 @@ impl MiddlewareLayer for AuthAPIKey {
             }
             TokenSource::Query(query_name) => req.query_param(query_name),
         } {
+            debug!(target: "middleware::auth_api_key", "API Key Retrieved. Anonymous {}", self.key_id_source.is_none());
             if let Some(key_id) = self.key_id_source.as_ref() {
                 let key_id = match &key_id {
                     TokenSource::Header { name, prefix } => {
@@ -66,17 +69,21 @@ impl MiddlewareLayer for AuthAPIKey {
                     }
                     TokenSource::Query(query_name) => req.query_param(query_name),
                 };
+                debug!(target: "middleware::auth_api_key", "Key ID Retrieved");
                 if let Some(hash) = key_id.and_then(|kid| self.valid_keys.get(kid)) {
+                    debug!(target: "middleware::auth_api_key", "Key for ID found");
                     if password_hasher::verify_password_hash(submitted_key, hash).is_ok_and(|v| v) {
                         return Ok(Either::Left(req));
                     }
                 }
-            } else if self.valid_keys.iter().any(|(_key_id, key)| {
+            } else if self.valid_keys.values().any(|key| {
                 password_hasher::verify_password_hash(submitted_key, key).is_ok_and(|v| v)
             }) {
                 return Ok(Either::Left(req));
             }
         }
+        debug!(target: "middleware::auth_api_key", "Failed to authenticate API key");
         Ok(Either::Right(
             self.error_response
                 .to_http_response(req.accept().into())

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_basic.rs CHANGED Viewed

@@ -8,6 +8,7 @@ use magnus::error::Result;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::str;
+use tracing::debug;
 use crate::{
     server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
@@ -48,6 +49,7 @@ impl MiddlewareLayer for AuthBasic {
         let auth_header = req.header("Authorization");
         if !auth_header.is_some_and(|header| header.starts_with("Basic ")) {
+            debug!(target: "middleware::auth_basic", "Basic auth failed. Authorization Header doesn't start with 'Basic '");
             return Ok(Either::Right(self.basic_auth_failed_response()));
         }
@@ -57,6 +59,7 @@ impl MiddlewareLayer for AuthBasic {
         let decoded = match general_purpose::STANDARD.decode(encoded_credentials) {
             Ok(bytes) => bytes,
             Err(_) => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Decoding failed");
                 return Ok(Either::Right(self.basic_auth_failed_response()));
             }
         };
@@ -64,6 +67,7 @@ impl MiddlewareLayer for AuthBasic {
         let decoded_str = match str::from_utf8(&decoded) {
             Ok(s) => s,
             Err(_) => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Decoding failed");
                 return Ok(Either::Right(self.basic_auth_failed_response()));
             }
         };
@@ -71,6 +75,7 @@ impl MiddlewareLayer for AuthBasic {
         let mut parts = decoded_str.splitn(2, ':');
         let username = parts.next().unwrap_or("");
         let password = parts.next().unwrap_or("");
         match self.credential_pairs.get(username) {
             Some(expected_password_hash) => {
                 match verify_password_hash(password, expected_password_hash) {
@@ -78,7 +83,10 @@ impl MiddlewareLayer for AuthBasic {
                     _ => Ok(Either::Right(self.basic_auth_failed_response())),
                 }
             }
-            None => Ok(Either::Right(self.basic_auth_failed_response())),
+            None => {
+                debug!(target: "middleware::auth_basic", "Basic auth failed. Username {} not found", username);
+                Ok(Either::Right(self.basic_auth_failed_response()))
+            }
         }
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_jwt.rs CHANGED Viewed

@@ -18,7 +18,7 @@ use std::{
     collections::{HashMap, HashSet},
     sync::OnceLock,
 };
-use tracing::error;
+use tracing::debug;
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthJwt {
@@ -32,6 +32,10 @@ pub struct AuthJwt {
     pub audiences: Option<HashSet<String>>,
     pub subjects: Option<HashSet<String>>,
     pub issuers: Option<HashSet<String>>,
+    #[serde(skip_deserializing)]
+    pub audience_vec: OnceLock<Option<Vec<String>>>,
+    #[serde(skip_deserializing)]
+    pub issuer_vec: OnceLock<Option<Vec<String>>>,
     pub leeway: Option<u64>,
     #[serde(default = "unauthorized_error_response")]
     pub error_response: ErrorResponse,
@@ -91,7 +95,7 @@ impl JwtAlgorithm {
     /// Given a base64-encoded key string, decode and construct a jsonwebtoken::DecodingKey.
     pub fn key_from(&self, base64: &str) -> itsi_error::Result<DecodingKey> {
         match self {
-            // For HMAC algorithms, use the secret directly.
+            // For HMAC algorithms, expect a base64 encoded secret.
             JwtAlgorithm::Hs256 | JwtAlgorithm::Hs384 | JwtAlgorithm::Hs512 => {
                 Ok(DecodingKey::from_secret(
                     &general_purpose::STANDARD
@@ -118,15 +122,16 @@ impl JwtAlgorithm {
 #[derive(Debug, Deserialize)]
 #[serde(untagged)]
+#[allow(dead_code)]
 enum Audience {
     Single(String),
     Multiple(Vec<String>),
 }
 #[derive(Debug, Deserialize)]
+#[allow(dead_code)]
 struct Claims {
     // Here we assume the token includes an expiration.
-    #[allow(dead_code)]
     exp: usize,
     // The audience claim may be a single string or an array.
     aud: Option<Audience>,
@@ -137,6 +142,11 @@ struct Claims {
 #[async_trait]
 impl MiddlewareLayer for AuthJwt {
     async fn initialize(&self) -> Result<()> {
+        debug!(
+            target: "middleware::auth_jwt",
+            "Instantiating auth_jwt with {} verifiers", self.verifiers.len()
+        );
         let keys: HashMap<JwtAlgorithm, Vec<DecodingKey>> = self
             .verifiers
             .iter()
@@ -145,24 +155,54 @@ impl MiddlewareLayer for AuthJwt {
                 let keys: itsi_error::Result<Vec<DecodingKey>> = key_strings
                     .iter()
                     .map(|key_string| algorithm.key_from(key_string))
+                    .inspect(|key_result| {
+                        if key_result.is_err() {
+                            debug!(
+                                target: "middleware::auth_jwt",
+                                "Failed to load key for algorithm {:?}", algorithm
+                            )
+                        } else {
+                            debug!(
+                                target: "middleware::auth_jwt",
+                                "Loaded key for algorithm {:?}", algorithm
+                            )
+                        }
+                    })
                     .collect();
                 keys.map(|keys| (algo, keys))
             })
             .collect::<itsi_error::Result<HashMap<JwtAlgorithm, Vec<DecodingKey>>>>()?;
         self.keys
             .set(keys)
             .map_err(|_| ItsiError::new("Failed to set keys"))?;
+        if let Some(audiences) = self.audiences.as_ref() {
+            self.audience_vec
+                .set(Some(audiences.iter().cloned().collect::<Vec<_>>()))
+                .ok();
+        }
+        if let Some(issuers) = self.issuers.as_ref() {
+            self.issuer_vec
+                .set(Some(issuers.iter().cloned().collect::<Vec<_>>()))
+                .ok();
+        }
         Ok(())
     }
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut HttpRequestContext,
+        _: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         // Retrieve the JWT token from either a header or a query parameter.
         let token_str = match &self.token_source {
             TokenSource::Header { name, prefix } => {
+                debug!(
+                    target: "middleware::auth_jwt",
+                    "Extracting JWT from header: {}, prefix: {:?}",
+                    name, prefix
+                );
                 if let Some(header) = req.header(name) {
                     if let Some(prefix) = prefix {
                         Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
@@ -173,10 +213,21 @@ impl MiddlewareLayer for AuthJwt {
                     None
                 }
             }
-            TokenSource::Query(query_name) => req.query_param(query_name),
+            TokenSource::Query(query_name) => {
+                debug!(
+                  target: "middleware::auth_jwt",
+                    "Extracting JWT from query parameter: {}",
+                    query_name
+                );
+                req.query_param(query_name)
+            }
         };
         if token_str.is_none() {
+            debug!(
+              target: "middleware::auth_jwt",
+                "No JWT found in headers or query parameters"
+            );
             return Ok(Either::Right(
                 self.error_response
                     .to_http_response(req.accept().into())
@@ -184,10 +235,24 @@ impl MiddlewareLayer for AuthJwt {
             ));
         }
         let token_str = token_str.unwrap();
-        let header =
-            decode_header(token_str).map_err(|_| ItsiError::new("Invalid token header"))?;
+        let header = match decode_header(token_str) {
+            Ok(header) => header,
+            Err(_) => {
+                debug!(target: "middleware::auth_jwt", "JWT decoding failed");
+                return Ok(Either::Right(
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
+                ));
+            }
+        };
         let alg: JwtAlgorithm = header.alg.into();
+        debug!(
+          target: "middleware::auth_jwt",
+            "Matched algorithm {:?}", alg
+        );
         if !self.verifiers.contains_key(&alg) {
             return Ok(Either::Right(
                 self.error_response
@@ -216,15 +281,32 @@ impl MiddlewareLayer for AuthJwt {
             validation.leeway = leeway;
         }
+        if let Some(Some(auds)) = &self.audience_vec.get() {
+            validation.set_audience(auds);
+            validation.required_spec_claims.insert("aud".to_owned());
+        } else {
+            validation.validate_aud = false;
+        }
+        if let Some(Some(issuers)) = &self.issuer_vec.get() {
+            validation.set_issuer(issuers);
+            validation.required_spec_claims.insert("iss".to_owned());
+        }
+        if self.subjects.is_some() {
+            validation.required_spec_claims.insert("sub".to_owned());
+        }
         let token_data: Option<TokenData<Claims>> =
             keys.iter()
                 .find_map(|key| match decode::<Claims>(token_str, key, &validation) {
                     Ok(data) => Some(data),
                     Err(e) => {
-                        error!("Token validation failed: {:?}", e);
+                        debug!("Token validation failed: {:?}", e);
                         None
                     }
                 });
         let token_data = if let Some(data) = token_data {
             data
         } else {
@@ -237,38 +319,14 @@ impl MiddlewareLayer for AuthJwt {
         let claims = token_data.claims;
-        if let Some(expected_audiences) = &self.audiences {
-            if let Some(aud) = &claims.aud {
-                let token_auds: HashSet<String> = match aud {
-                    Audience::Single(s) => [s.clone()].into_iter().collect(),
-                    Audience::Multiple(v) => v.iter().cloned().collect(),
-                };
-                if expected_audiences.is_disjoint(&token_auds) {
-                    return Ok(Either::Right(
-                        self.error_response
-                            .to_http_response(req.accept().into())
-                            .await,
-                    ));
-                }
-            }
-        }
         if let Some(expected_subjects) = &self.subjects {
             if let Some(sub) = &claims.sub {
                 if !expected_subjects.contains(sub) {
-                    return Ok(Either::Right(
-                        self.error_response
-                            .to_http_response(req.accept().into())
-                            .await,
-                    ));
-                }
-            }
-        }
-        // Verify expected issuer.
-        if let Some(expected_issuers) = &self.issuers {
-            if let Some(iss) = &claims.iss {
-                if !expected_issuers.contains(iss) {
+                    debug!(
+                        target: "middleware::auth_jwt",
+                        "SUB check failed, token_sub: {:?}, expected_subjects: {:?}",
+                        sub, expected_subjects
+                    );
                     return Ok(Either::Right(
                         self.error_response
                             .to_http_response(req.accept().into())

data/crates/itsi_server/src/server/middleware_stack/middlewares/cache_control.rs CHANGED Viewed

@@ -8,8 +8,9 @@ use http::{HeaderName, HeaderValue};
 use magnus::error::Result;
 use serde::Deserialize;
 use std::{collections::HashMap, sync::OnceLock};
+use tracing::debug;
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Deserialize)]
 pub struct CacheControl {
     #[serde(default)]
     pub max_age: Option<u64>,
@@ -87,6 +88,7 @@ impl MiddlewareLayer for CacheControl {
         // Set the Cache-Control header if we have directives
         if !directives.is_empty() {
             let cache_control_value = directives.join(", ");
+            debug!(target: "middleware::cache_control", "Built cache-control directive {}", cache_control_value);
             self.cache_control_str.set(cache_control_value).unwrap();
         }
@@ -97,20 +99,27 @@ impl MiddlewareLayer for CacheControl {
         // Skip for statuses where caching doesn't make sense
         let status = resp.status().as_u16();
         if matches!(status, 401 | 403 | 500..=599) {
+            debug!(target: "middleware::cache_control", "Skipping cache-control for status {}", status);
             return resp;
         }
         // Set the Cache-Control header if we have directives
         if let Some(cache_control_value) = self.cache_control_str.get() {
             if let Ok(value) = HeaderValue::from_str(cache_control_value) {
+                debug!(target: "middleware::cache_control", "Setting cache-control header to {}", cache_control_value);
                 resp.headers_mut().insert("Cache-Control", value);
+            } else {
+                debug!(target: "middleware::cache_control", "Failed to parse cache-control value {}", cache_control_value);
             }
+        } else {
+            debug!(target: "middleware::cache_control", "No cache-control value provided");
         }
         // Set Expires header based on max-age if present
         if let Some(max_age) = self.max_age {
             // Set the Expires header based on max-age
             // Use a helper to format the HTTP date correctly
+            debug!(target: "middleware::cache_control", "Setting expires header to {}", max_age);
             let expires = chrono::Utc::now() + chrono::Duration::seconds(max_age as i64);
             let expires_str = expires.format("%a, %d %b %Y %H:%M:%S GMT").to_string();
             if let Ok(value) = HeaderValue::from_str(&expires_str) {
@@ -118,7 +127,6 @@ impl MiddlewareLayer for CacheControl {
             }
         }
-        // Set Vary header
         if !self.vary.is_empty() {
             let vary_value = self.vary.join(", ");
             if let Ok(value) = HeaderValue::from_str(&vary_value) {
@@ -130,6 +138,7 @@ impl MiddlewareLayer for CacheControl {
         for (name, value) in &self.additional_headers {
             if let Ok(header_value) = HeaderValue::from_str(value) {
                 if let Ok(header_name) = name.parse::<HeaderName>() {
+                    debug!(target: "middleware::cache_control", "Setting custom header {} to {:?}", header_name, header_value);
                     resp.headers_mut().insert(header_name, header_value);
                 }
             }