fbi-proxy 1.14.0 → 1.16.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fbi-proxy",
-  "version": "1.14.0",
+  "version": "1.16.0",
   "description": "FBI-Proxy provides easy HTTPS access to your local services with intelligent domain routing",
   "keywords": [
     "development-tools",
@@ -39,6 +39,8 @@
     "format": "prettier --write .",
     "lint": "prettier --check .",
     "prepare": "husky",
+    "port-forward:install": "bun ts/install-port-forward.ts",
+    "port-forward:uninstall": "bun ts/install-port-forward.ts --uninstall",
     "start": "bun ts/cli.ts",
     "start:rs": "./target/release/fbi-proxy",
     "test": "vitest run",

package/rs/fbi-proxy.rs

@@ -1,4 +1,5 @@
 use clap::{Arg, Command};
+use fbi_proxy::metrics::Metrics;
 use fbi_proxy::routes::{self, CompiledRoute, RouteHit};
 use futures_util::{SinkExt, StreamExt};
 use http_body_util::{BodyExt, Full};
@@ -38,6 +39,7 @@ pub struct FBIProxy {
     /// atomically at runtime (hot reload from `--routes`). Reads use
     /// `.load()` and never block; writes are atomic Arc swaps.
     compiled_routes: Arc<ArcSwap<Vec<CompiledRoute>>>,
+    metrics: Arc<Metrics>,
 }
 
 /*
@@ -90,6 +92,7 @@ impl FBIProxy {
             number_regex: Regex::new(r"^\d+$").unwrap(),
             domain_filter,
             compiled_routes: Arc::new(ArcSwap::from_pointee(compiled_routes)),
+            metrics: Metrics::new(),
         }
     }
 
@@ -100,6 +103,12 @@ impl FBIProxy {
         Arc::clone(&self.compiled_routes)
     }
 
+    /// Return a handle to the live metrics counters so the metrics
+    /// admin endpoint can read them.
+    pub fn metrics_handle(&self) -> Arc<Metrics> {
+        Arc::clone(&self.metrics)
+    }
+
     fn landing_page_html() -> String {
         r#"<!DOCTYPE html>
 <html lang="en">
@@ -266,6 +275,8 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
                     host_header,
                     uri
                 );
+                self.metrics.host_rejected_total.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                self.metrics.record_status(502);
                 return Ok(Response::builder()
                     .status(StatusCode::BAD_GATEWAY)
                     .body(Full::new(Bytes::from("Bad Gateway: Host not allowed")).map_err(|e| match e {}).boxed())?);
@@ -275,6 +286,7 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
         // Serve landing page for root domain access
         if target_host == "@LANDING" {
             info!("GET {} => LANDING 200", host_header);
+            self.metrics.record_status(200);
             return Ok(Response::builder()
                 .status(StatusCode::OK)
                 .header("Content-Type", "text/html; charset=utf-8")
@@ -408,6 +420,7 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
 
         // Handle WebSocket upgrade requests
         if hyper_tungstenite::is_upgrade_request(&req) {
+            self.metrics.websocket_upgrades_total.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
             return self
                 .handle_websocket_upgrade(req, &target_host, &new_host)
                 .await;
@@ -457,6 +470,7 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
                     original_uri,
                     status.as_u16()
                 );
+                self.metrics.record_status(status.as_u16());
                 // Convert the response body back to BoxBody
                 let (parts, body) = response.into_parts();
                 let boxed_body = body.map_err(|e| e).boxed();
@@ -471,6 +485,8 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
                     original_uri,
                     e
                 );
+                self.metrics.upstream_connect_failures_total.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                self.metrics.record_status(502);
                 Ok(Response::builder()
                     .status(StatusCode::BAD_GATEWAY)
                     .header("Content-Type", "text/plain")
@@ -484,6 +500,8 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
                     target_host,
                     original_uri
                 );
+                self.metrics.upstream_timeouts_total.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                self.metrics.record_status(502);
                 Ok(Response::builder()
                     .status(StatusCode::BAD_GATEWAY)
                     .header("Content-Type", "text/plain")
@@ -631,6 +649,50 @@ fn load_routes(yaml_src: &str, source_label: &str) -> Vec<CompiledRoute> {
     }
 }
 
+/// Run a tiny HTTP server on 127.0.0.1:{port} that responds to
+/// `GET /metrics` with the current counters in Prometheus text format.
+/// All other paths return 404. The endpoint binds loopback-only so
+/// metrics aren't exposed via the user-facing proxy port.
+async fn serve_metrics(
+    metrics: Arc<Metrics>,
+    port: u16,
+) -> Result<(), BoxError> {
+    let addr: SocketAddr = format!("127.0.0.1:{}", port).parse()?;
+    let listener = TcpListener::bind(addr).await?;
+    info!("[metrics] listening on http://{}/metrics", addr);
+    println!("[metrics] listening on http://{}/metrics", addr);
+
+    loop {
+        let (stream, _) = listener.accept().await?;
+        let metrics = Arc::clone(&metrics);
+        let io = TokioIo::new(stream);
+        tokio::spawn(async move {
+            let service = service_fn(move |req: Request<Incoming>| {
+                let metrics = Arc::clone(&metrics);
+                async move {
+                    let resp = if req.uri().path() == "/metrics" {
+                        let body = metrics.render_prometheus();
+                        Response::builder()
+                            .status(StatusCode::OK)
+                            .header("Content-Type", "text/plain; version=0.0.4")
+                            .body(Full::new(Bytes::from(body)).map_err(|e| match e {}).boxed())
+                            .unwrap()
+                    } else {
+                        Response::builder()
+                            .status(StatusCode::NOT_FOUND)
+                            .body(Full::new(Bytes::from("not found")).map_err(|e| match e {}).boxed())
+                            .unwrap()
+                    };
+                    Ok::<_, Infallible>(resp)
+                }
+            });
+            if let Err(e) = http1::Builder::new().serve_connection(io, service).await {
+                error!("[metrics] connection error: {}", e);
+            }
+        });
+    }
+}
+
 /// Parse + compile a routes file without panicking. Returns Err with a
 /// human-readable message on any failure. Used by the hot-reload path
 /// where we want to log + keep current rules rather than crash.
@@ -721,12 +783,23 @@ fn spawn_routes_watcher(
     });
 }
 
+pub struct TlsOptions {
+    /// Apex domain used for SAN entries on the self-signed cert.
+    /// Empty string falls back to `localhost` + `127.0.0.1`.
+    pub domain: String,
+    /// Directory the generated cert+key are persisted to. The same
+    /// fingerprint is reused across boots so browsers can remember
+    /// "trust this exception" once.
+    pub cert_dir: std::path::PathBuf,
+}
+
 pub async fn start_proxy_server(
     host: Option<&str>,
     port: u16,
     domain_filter: Option<String>,
     compiled_routes: Vec<CompiledRoute>,
     watch_path: Option<String>,
+    tls: Option<TlsOptions>,
 ) -> Result<(), BoxError> {
     let host = host.unwrap_or("127.0.0.1");
     let addr: SocketAddr = format!("{}:{}", host, port).parse()?;
@@ -740,10 +813,64 @@ pub async fn start_proxy_server(
         spawn_routes_watcher(path, proxy.routes_handle());
     }
 
+    // Metrics: when FBI_PROXY_METRICS_PORT is set, expose a 127.0.0.1-bound
+    // Prometheus-text endpoint at /metrics on that port. Off by default —
+    // never exposed on the proxy's user-traffic port.
+    if let Ok(metrics_port_str) = std::env::var("FBI_PROXY_METRICS_PORT") {
+        if let Ok(metrics_port) = metrics_port_str.parse::<u16>() {
+            let metrics = proxy.metrics_handle();
+            tokio::spawn(async move {
+                if let Err(e) = serve_metrics(metrics, metrics_port).await {
+                    error!("[metrics] server exited: {}", e);
+                }
+            });
+        } else {
+            warn!(
+                "[metrics] FBI_PROXY_METRICS_PORT='{}' is not a valid port number; metrics disabled",
+                metrics_port_str
+            );
+        }
+    }
+
+    let acceptor = match &tls {
+        Some(opts) => {
+            let acc = fbi_proxy::tls::build_acceptor(&opts.domain, &opts.cert_dir)?;
+            // Auto-install the self-signed leaf as a system trust anchor when
+            // running with the privileges to do so. Idempotent — no-op if
+            // already trusted. If unprivileged (and untrusted), this errors and
+            // we surface a clear message rather than booting silently into
+            // "browser warnings forever" mode.
+            let cert_path = fbi_proxy::tls::cert_pem_path(&opts.domain, &opts.cert_dir);
+            match fbi_proxy::tls::install_to_system_trust(&cert_path) {
+                Ok(true) => println!(
+                    "TLS: cert installed to system trust store ({})",
+                    cert_path.display()
+                ),
+                Ok(false) => {}
+                Err(e) => {
+                    eprintln!(
+                        "[tls] could not auto-install cert to system trust: {e}\n      \
+                         start with sudo to install, or accept the browser warning."
+                    );
+                }
+            }
+            Some(acc)
+        }
+        None => None,
+    };
+
     let listener = TcpListener::bind(addr).await?;
 
-    info!("FBI Proxy server running on http://{}", addr);
-    println!("FBI Proxy listening on: http://{}", addr);
+    let scheme = if acceptor.is_some() { "https" } else { "http" };
+    info!("FBI Proxy server running on {}://{}", scheme, addr);
+    println!("FBI Proxy listening on: {}://{}", scheme, addr);
+    if let Some(opts) = &tls {
+        println!(
+            "TLS: self-signed cert at {}/{}.pem (browser warning expected — Phase 1)",
+            opts.cert_dir.display(),
+            if opts.domain.is_empty() { "localhost" } else { &opts.domain }
+        );
+    }
     if let Some(ref domain) = domain_filter {
         if !domain.is_empty() {
             println!("Domain filter: Only accepting requests for *.{}", domain);
@@ -775,20 +902,35 @@ pub async fn start_proxy_server(
 
     loop {
         let (stream, _) = listener.accept().await?;
-        let io = TokioIo::new(stream);
         let proxy = proxy.clone();
+        let acceptor = acceptor.clone();
 
         tokio::task::spawn(async move {
             let service = service_fn(move |req| handle_connection(req, proxy.clone()));
 
-            if let Err(err) = http1::Builder::new()
+            let mut builder = http1::Builder::new();
+            builder
                 .preserve_header_case(true)
-                .title_case_headers(true)
-                .serve_connection(io, service)
-                .with_upgrades()
-                .await
-            {
-                error!("Error serving connection: {:?}", err);
+                .title_case_headers(true);
+
+            match acceptor {
+                Some(a) => match a.accept(stream).await {
+                    Ok(tls_stream) => {
+                        let io = TokioIo::new(tls_stream);
+                        if let Err(err) = builder.serve_connection(io, service).with_upgrades().await {
+                            error!("Error serving TLS connection: {:?}", err);
+                        }
+                    }
+                    Err(err) => {
+                        error!("TLS handshake failed: {:?}", err);
+                    }
+                },
+                None => {
+                    let io = TokioIo::new(stream);
+                    if let Err(err) = builder.serve_connection(io, service).with_upgrades().await {
+                        error!("Error serving connection: {:?}", err);
+                    }
+                }
             }
         });
     }
@@ -875,16 +1017,47 @@ TRY RUN:
                 .env("FBI_PROXY_ROUTES")
                 .default_value("")
         )
+        .arg(
+            Arg::new("tls")
+                .long("tls")
+                .help("Terminate TLS using a self-signed cert (browser warning expected — Phase 1, no system trust install). Use --port 443 with sudo for the standard HTTPS port. (env: FBI_PROXY_TLS)")
+                .env("FBI_PROXY_TLS")
+                .num_args(0)
+                .action(clap::ArgAction::SetTrue)
+        )
+        .arg(
+            Arg::new("cert-dir")
+                .long("cert-dir")
+                .value_name("DIR")
+                .help("Directory for the self-signed cert+key (env: FBI_PROXY_CERT_DIR, default: ~/.config/fbi-proxy/certs)")
+                .env("FBI_PROXY_CERT_DIR")
+                .default_value("")
+        )
         .get_matches();
 
-    let port = matches
-        .get_one::<String>("port")
-        .unwrap()
-        .parse::<u16>()
-        .unwrap_or_else(|_| {
-            error!("Invalid port value, using default 2432");
-            2432
-        });
+    let tls_enabled = matches.get_flag("tls");
+
+    // Default port jumps to 443 when --tls is set unless the user explicitly
+    // overrode --port / FBI_PROXY_PORT. Binding :443 needs sudo on most
+    // systems; the helpful failure path is documented in the bind error.
+    let port_source = matches.value_source("port");
+    let port_explicit = matches!(
+        port_source,
+        Some(clap::parser::ValueSource::CommandLine)
+            | Some(clap::parser::ValueSource::EnvVariable)
+    );
+    let port = if tls_enabled && !port_explicit {
+        443
+    } else {
+        matches
+            .get_one::<String>("port")
+            .unwrap()
+            .parse::<u16>()
+            .unwrap_or_else(|_| {
+                error!("Invalid port value, using default 2432");
+                2432
+            })
+    };
 
     let host = matches.get_one::<String>("host").unwrap();
     let domain = matches.get_one::<String>("domain").unwrap();
@@ -915,11 +1088,26 @@ TRY RUN:
         )
     };
 
+    let cert_dir_raw = matches.get_one::<String>("cert-dir").unwrap();
+    let tls_opts = if tls_enabled {
+        let cert_dir = if cert_dir_raw.is_empty() {
+            fbi_proxy::tls::default_cert_dir()
+        } else {
+            std::path::PathBuf::from(cert_dir_raw)
+        };
+        Some(TlsOptions {
+            domain: domain.clone(),
+            cert_dir,
+        })
+    } else {
+        None
+    };
+
     let rt = tokio::runtime::Runtime::new().unwrap();
     rt.block_on(async {
         info!(
-            "Starting FBI-Proxy on {}:{} with domain filter: {:?}",
-            host, port, domain_filter
+            "Starting FBI-Proxy on {}:{} with domain filter: {:?}, tls: {}",
+            host, port, domain_filter, tls_enabled
         );
         if let Err(e) = start_proxy_server(
             Some(host),
@@ -927,6 +1115,7 @@ TRY RUN:
             domain_filter,
             compiled_routes,
             watch_path,
+            tls_opts,
         )
         .await
         {

package/rs/lib.rs

@@ -1,12 +1,8 @@
 //! Library entry point for `fbi-proxy`.
 //!
-//! This file exists primarily so that internal modules (like `routes`)
-//! can be unit-tested via `cargo test --lib` without coupling them to
-//! the binary's runtime concerns.
-//!
-//! The binary in `rs/fbi-proxy.rs` does not currently depend on this
-//! library — the routing engine is intentionally not wired into the
-//! live request path yet (see `docs/routing.md` for the migration
-//! plan).
+//! Exposes internal modules so they can be unit-tested via
+//! `cargo test --lib` and reused by the binary in `rs/fbi-proxy.rs`.
 
+pub mod metrics;
 pub mod routes;
+pub mod tls;

package/rs/metrics.rs

@@ -0,0 +1,111 @@
+//! Simple Prometheus-text metrics for fbi-proxy.
+//!
+//! Tiny counter set, no external prom_client dep — `fmt::Write` is
+//! enough. The counters are atomic so they can be incremented from any
+//! request task without locks; the renderer reads them with `Ordering::
+//! Relaxed` (monotonic counters, dirty reads are fine).
+
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::Arc;
+
+#[derive(Default)]
+pub struct Metrics {
+    pub requests_total: AtomicU64,
+    pub status_2xx_total: AtomicU64,
+    pub status_3xx_total: AtomicU64,
+    pub status_4xx_total: AtomicU64,
+    pub status_5xx_total: AtomicU64,
+    pub upstream_connect_failures_total: AtomicU64,
+    pub upstream_timeouts_total: AtomicU64,
+    pub websocket_upgrades_total: AtomicU64,
+    pub host_rejected_total: AtomicU64,
+}
+
+impl Metrics {
+    pub fn new() -> Arc<Self> {
+        Arc::new(Self::default())
+    }
+
+    pub fn record_status(&self, status: u16) {
+        self.requests_total.fetch_add(1, Ordering::Relaxed);
+        let bucket = match status {
+            200..=299 => &self.status_2xx_total,
+            300..=399 => &self.status_3xx_total,
+            400..=499 => &self.status_4xx_total,
+            500..=599 => &self.status_5xx_total,
+            _ => return, // other status codes (1xx, etc.) — ignore for now
+        };
+        bucket.fetch_add(1, Ordering::Relaxed);
+    }
+
+    pub fn render_prometheus(&self) -> String {
+        let mut out = String::with_capacity(1024);
+        emit_counter(&mut out, "fbi_proxy_requests_total",
+            "Total HTTP requests handled by fbi-proxy.",
+            self.requests_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_status_2xx_total",
+            "HTTP responses with status 2xx.",
+            self.status_2xx_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_status_3xx_total",
+            "HTTP responses with status 3xx.",
+            self.status_3xx_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_status_4xx_total",
+            "HTTP responses with status 4xx.",
+            self.status_4xx_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_status_5xx_total",
+            "HTTP responses with status 5xx.",
+            self.status_5xx_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_upstream_connect_failures_total",
+            "Failed TCP/TLS connects to upstream.",
+            self.upstream_connect_failures_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_upstream_timeouts_total",
+            "Upstream requests that exceeded the request timeout.",
+            self.upstream_timeouts_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_websocket_upgrades_total",
+            "WebSocket upgrade requests handled.",
+            self.websocket_upgrades_total.load(Ordering::Relaxed));
+        emit_counter(&mut out, "fbi_proxy_host_rejected_total",
+            "Requests rejected because the Host header didn't match the domain filter or any route.",
+            self.host_rejected_total.load(Ordering::Relaxed));
+        out
+    }
+}
+
+fn emit_counter(out: &mut String, name: &str, help: &str, value: u64) {
+    use std::fmt::Write;
+    let _ = writeln!(out, "# HELP {} {}", name, help);
+    let _ = writeln!(out, "# TYPE {} counter", name);
+    let _ = writeln!(out, "{} {}", name, value);
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn record_status_routes_to_correct_bucket() {
+        let m = Metrics::new();
+        m.record_status(200);
+        m.record_status(204);
+        m.record_status(302);
+        m.record_status(404);
+        m.record_status(502);
+        m.record_status(502);
+        assert_eq!(m.requests_total.load(Ordering::Relaxed), 6);
+        assert_eq!(m.status_2xx_total.load(Ordering::Relaxed), 2);
+        assert_eq!(m.status_3xx_total.load(Ordering::Relaxed), 1);
+        assert_eq!(m.status_4xx_total.load(Ordering::Relaxed), 1);
+        assert_eq!(m.status_5xx_total.load(Ordering::Relaxed), 2);
+    }
+
+    #[test]
+    fn render_includes_help_and_type_lines() {
+        let m = Metrics::new();
+        m.record_status(200);
+        let out = m.render_prometheus();
+        assert!(out.contains("# HELP fbi_proxy_requests_total"));
+        assert!(out.contains("# TYPE fbi_proxy_requests_total counter"));
+        assert!(out.contains("fbi_proxy_requests_total 1\n"));
+        assert!(out.contains("fbi_proxy_status_2xx_total 1\n"));
+    }
+}