pixl-server-web 2.0.0 → 2.0.2

package/README.md

@@ -34,6 +34,9 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [http_enable_brotli](#http_enable_brotli)
 	* [http_brotli_opts](#http_brotli_opts)
 	* [http_default_acl](#http_default_acl)
+	* [http_blacklist](#http_blacklist)
+	* [http_rewrites](#http_rewrites)
+	* [http_redirects](#http_redirects)
 	* [http_log_requests](#http_log_requests)
 	* [http_log_request_details](#http_log_request_details)
 	* [http_log_body_max](#http_log_body_max)
@@ -55,6 +58,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [http_req_max_dump_dir](#http_req_max_dump_dir)
 	* [http_req_max_dump_debounce](#http_req_max_dump_debounce)
 	* [http_public_ip_offset](#http_public_ip_offset)
+	* [http_legacy_callback_support](#http_legacy_callback_support)
 	* [https](#https)
 	* [https_port](#https_port)
 	* [https_alt_ports](#https_alt_ports)
@@ -421,6 +425,124 @@ This allows you to configure the default [ACL](https://en.wikipedia.org/wiki/Acc
 
 See [Access Control Lists](#access-control-lists) below for more details.
 
+## http_blacklist
+
+The `http_blacklist` property allows you to specify a list of IPs or IP ranges which are blacklisted.  Meaning, all requests from these IPs are immediately rejected by the web server (see details below).  The format of the `http_blacklist` is the same as `http_default_acl` (see [Access Control Lists](#access-control-lists)).  It defaults to an empty list (i.e. disabled).
+
+To customize it, specify an array of [IPv4](https://en.wikipedia.org/wiki/IPv4) and/or [IPv6](https://en.wikipedia.org/wiki/IPv6) addresses, partials or [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).  Example:
+
+```json
+{
+	"http_blacklist": ["17.0.0.0/8", "12.0.0.0/8"]
+}
+```
+
+This example would reject all incoming IP addresses from Apple and AT&T (who own the `17.0.0.0/8` and `12.0.0.0/8` IPv4 blocks, respectively).
+
+When a new incoming connection is established, the socket IP is immediately checked against the blacklist, and if matched, the socket is "hard closed".  This is an early detection and rejection, before the HTTP request even comes in.  In this case a HTTP response isn't sent back (as the socket is simply slammed shut).  However, if you are using a load balancer or proxy, the user's true IP address might not be known until later on in the request cycle, once the HTTP headers are read in.  At that point all the user's IPs are checked against the blacklist again, and if any of them match, a `HTTP 403 Forbidden` response is sent back.
+
+## http_rewrites
+
+If you need to rewrite certain incoming URLs on-the-fly, you can define rules in the `http_rewrites` object.  The basic format is as follows: keys are regular expressions matched on incoming URI paths, and the values are the substitution strings to use as replacements.  Here is a simple example:
+
+```json
+{
+	"http_rewrites": {
+		"^/rewrite/me": "/target/path"
+	}
+}
+```
+
+This would match any incoming URI paths that start with `/rewrite/me` and replace that section of the path with `/target/path`.  So for example a full URI path of `/rewrite/me/please?foo=bar` would rewrite to `/target/path/please?foo=bar`.  Note that the suffix after the match was copied over, as well as the query string.  Rewriting happens very early in the request cycle before any other processing occurs, including URI filters, method handers and URI handlers, so they all see the final transformed URI, and not the original.
+
+Since URIs are matched using regular expressions, you can define capturing groups and refer to them in the target substitution string, using the standard `$1`, `$2`, `$3` syntax.  Example:
+
+```json
+{
+	"http_rewrites": {
+		"^/rewrite/me(.*)$": "/target/path?oldpath=$1"
+	}
+}
+```
+
+This example would grab everything after `/rewrite/me` and store it in a capture group, which is then expanded into the replacement string using the `$1` macro.
+
+For even more control over your rewrites, you can specify them using an advanced syntax.  Instead of the target path string, set the value to an object containing the following:
+
+| Property Name | Type | Description |
+|---------------|------|-------------|
+| `url` | String | The target URI replacement string. |
+| `headers` | Object | Optionally insert custom headers into the incoming request. |
+| `last` | Boolean | Set this to `true` to ensure no futher rewrites happen on the request. |
+
+Here is an example showing an advanced configuration:
+
+```json
+{
+	"http_rewrites": {
+		"^/rewrite/me": {
+			"url": "/target/path",
+			"headers": { "X-Rewritten": "Yes" },
+			"last": true
+		}
+	}
+}
+```
+
+A URI may be rewritten multiple times if it matches multiple rules, which are applied in the order which they appear in your configuration.  You can specify a `last` property to ensure that rule matching stops when the specified rule matches a request.
+
+You can use the `headers` property to insert custom HTTP headers into the request.  These will be accessible by downstream URI handlers, and they will also be logged if [http_log_requests](#http_log_requests) is enabled.
+
+## http_redirects
+
+If you need to redirect certain incoming requests to external URLs, you can define rules in the `http_redirects` object.  When matched, these will interrupt the current request and return a redirect response to the client.  The basic format is as follows: keys are regular expressions matched on incoming URI paths, and the values are the fully-qualified URLs to redirect to.  Here is a simple example:
+
+```json
+{
+	"http_redirects": {
+		"^/redirect/me": "https://disney.com/"
+	}
+}
+```
+
+This would match any incoming URI paths that start with `/redirect/me` and redirect the user to `https://disney.com/`.  Redirects are matched during the URI handling portion of the request cycle, so things like requests and URI filters have already been handled.  URI request handlers are not invoked if a redirect occurs.
+
+Since URIs are matched using regular expressions, you can define capturing groups and refer to them in the target redirect URL, using the standard `$1`, `$2`, `$3` syntax.  Example:
+
+```json
+{
+	"http_redirects": {
+		"^/github/(.*)$": "https://github.com/jhuckaby/$1"
+	}
+}
+```
+
+This example would grab everything after `/github/` and store it in a capture group, which is then expanded into the replacement string using the `$1` macro.  For example, `/github/pixl-server-web` would redirect to `https://github.com/jhuckaby/pixl-server-web`.
+
+For even more control over your redirects, you can specify them using an advanced syntax.  Instead of the target URL, set the value to an object containing the following:
+
+| Property Name | Type | Description |
+|---------------|------|-------------|
+| `url` | String | The fully qualified URL to redirect to. |
+| `headers` | Object | Optionally insert custom headers into the incoming request. |
+| `status` | String | The HTTP response code and status to use, default is `302 Found`. |
+
+Here is an example showing an advanced configuration:
+
+```json
+{
+	"http_redirects": {
+		"^/redirect/me": {
+			"url": "https://disney.com/",
+			"headers": { "X-Redirected": "Yes" },
+			"status": "301 Moved Permanently"
+		}
+	}
+}
+```
+
+You can use the `headers` property to insert custom HTTP headers into the redirect response.  Use the `status` to customize the HTTP response code and status (it defaults to `302 Found`).
+
 ## http_log_requests
 
 This boolean allows you to enable transaction logging in the web server.  It defaults to `false` (disabled).  See [Transaction Logging](#transaction-logging) below for details.
@@ -433,7 +555,7 @@ This boolean adds verbose detail in the transaction log.  It defaults to `false`
 
 ## http_log_body_max
 
-This property sets the maximum allowed request and response body length that can be logged, when [http_log_request_details](#http_log_request_details) is enabled.  If the request or response body length exceeds this amount, they will not be included in the transaction log.
+This property sets the maximum allowed request and response body length that can be logged, when [http_log_request_details](#http_log_request_details) is enabled.  It defaults to `32768` (32K).  If the request or response body length exceeds this amount, they will not be included in the transaction log.
 
 **Note:** This property only has effect if [http_log_request_details](#http_log_request_details) is enabled.
 
@@ -594,7 +716,7 @@ By setting `http_public_ip_offset` to an integer value, you can select *exactly*
 
 ## http_legacy_callback_support
 
-This adds support for legacy applications, which require JSONP callback-style API responses, as well as extremely old HTML-wrapped IFRAME API responses.  It defaults to disabled.  It is **highly recommended** that you *leave this dsiabled* for all modern applications, as it prevents a classic [XSS reflection attack](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) on your APIs:
+This adds support for legacy applications, which require JSONP callback-style API responses, as well as extremely old HTML-wrapped IFRAME API responses.  It defaults to disabled.  It is **highly recommended** that you *leave this disabled* for all modern applications, as it prevents a classic [XSS reflection attack](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) on your APIs:
 
 ```json
 {
@@ -812,7 +934,7 @@ server.WebServer.addURIHandler( '/my/custom/uri', 'Custom Name', function(args,
 } );
 ```
 
-Typically this is sent as pure JSON with the Content-Type `application/json`.  The raw HTTP response would look something like this:
+This is sent as pure JSON with the Content-Type `application/json`.  The raw HTTP response would look something like this:
 
 ```
 HTTP/1.1 200 OK
@@ -825,33 +947,6 @@ Server: Test 1.0
 {"Code":0,"Description":"Success","User":{"Name":"Joe","Email":"foo@bar.com"}}
 ```
 
-Now, depending on the request URL's query string, two variants of the JSON response are possible.  First, if there is a `callback` query parameter present, it will be prefixed onto the front of the JSON payload, which will be wrapped in parenthesis, and Content-Type will be switched to `text/javascript`.  This is an AJAX / JSONP style of response, and looks like this, assuming a request URL containing `?callback=myfunc`:
-
-```
-HTTP/1.1 200 OK
-Connection: keep-alive
-Content-Length: 88
-Content-Type: text/javascript
-Date: Sun, 05 Apr 2015 21:25:49 GMT
-Server: Test 1.0
-
-myfunc({"Code":0,"Description":"Success","User":{"Name":"Joe","Email":"foo@bar.com"}});
-```
-
-And finally, if the request URL's query string contains both a `callback`, and a `format` parameter set to `html`, the response will be actual HTML (Content-Type `text/html`) with a `<script>` tag embedded containing the JSON and callback wrapper.  This is useful for IFRAMEs which may need to talk to their parent window after a form submission.  Here is an example assuming a request URL containing `?callback=parent.myfunc&format=html`:
-
-```
-HTTP/1.1 200 OK
-Connection: keep-alive
-Content-Length: 151
-Content-Type: text/html
-Date: Sun, 05 Apr 2015 21:28:48 GMT
-Server: Test 1.0
-
-<html><head><script>parent.myfunc({"Code":0,"Description":"Success","User":{"Name":"Joe","Email":"foo@bar.com"}});
-</script></head><body>&nbsp;</body></html>
-```
-
 ### Non-Response
 
 The fourth and final type of response is a non-response, and this is achieved by passing `false` to the callback function.  This indicates to the web server that your code did *not* handle the request, and it should fall back to looking up a static file on disk.  Example:

package/lib/http.js

@@ -73,6 +73,13 @@ module.exports = class HTTP {
 				socket.destroy(); // hard close
 				return;
 			}
+			if (ip && self.aclBlacklist.checkAny(ip)) {
+				self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { ip: ip, port: port });
+				socket.end();
+				socket.unref();
+				socket.destroy(); // hard close
+				return;
+			}
 			
 			var id = self.getNextId('c');
 			self.conns[ id ] = socket;

package/lib/https.js

@@ -71,6 +71,13 @@ module.exports = class HTTP2 {
 				socket.destroy(); // hard close
 				return;
 			}
+			if (ip && self.aclBlacklist.checkAny(ip)) {
+				self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { ip: ip, port: port });
+				socket.end();
+				socket.unref();
+				socket.destroy(); // hard close
+				return;
+			}
 			
 			var id = self.getNextId('cs');
 			self.conns[ id ] = socket;

package/lib/request.js

@@ -53,6 +53,24 @@ module.exports = class Request {
 			return;
 		}
 		
+		// socket ip was already checked against blacklist at connection time,
+		// so here we only need to check the header IPs, if any
+		if ((ips.length > 1) && this.aclBlacklist.checkAny( ips.slice(0, -1) )) {
+			this.logError(403, "Forbidden: IP addresses blacklisted: " + ips.join(', '), {
+				id: args.id,
+				useragent: args.request.headers['user-agent'] || '',
+				referrer: args.request.headers['referer'] || '',
+				cookie: args.request.headers['cookie'] || '',
+				url: this.getSelfURL(args.request, args.request.url) || args.request.url
+			});
+			this.sendHTTPResponse( args, 
+				"403 Forbidden", 
+				{ 'Content-Type': "text/html" }, 
+				"403 Forbidden\n"
+			);
+			return;
+		}
+		
 		// allow special URIs to skip the line
 		if (this.queueSkipMatch && request.url.match(this.queueSkipMatch)) {
 			this.logDebug(8, "Bumping request to front of queue: " + request.url);
@@ -157,6 +175,21 @@ module.exports = class Request {
 		});
 		this.logDebug(9, "Incoming HTTP Headers:", request.headers);
 		
+		// url rewrites
+		for (var idx = 0, len = this.rewrites.length; idx < len; idx++) {
+			var rewrite = this.rewrites[idx];
+			if (request.url.match(rewrite.regexp)) {
+				request.url = request.url.replace(rewrite.regexp, rewrite.url);
+				this.logDebug(8, "URL rewritten to: " + request.url);
+				if (rewrite.headers) {
+					for (var key in rewrite.headers) {
+						request.headers[key] = rewrite.headers[key];
+					}
+				}
+				if (rewrite.last) idx = len;
+			}
+		}
+		
 		// detect front-end https
 		if (!request.headers.ssl && this.ssl_header_detect) {
 			for (var key in this.ssl_header_detect) {
@@ -409,6 +442,7 @@ module.exports = class Request {
 				// all filters complete
 				// if a filter handled the response, we're done
 				if (err === "ABORT") {
+					self.deleteUploadTempFiles(args);
 					if (args.callback) {
 						args.callback();
 						delete args.callback;
@@ -429,6 +463,24 @@ module.exports = class Request {
 		if (!this.config.get('http_full_uri_match')) uri = uri.replace(/\?.*$/, '');
 		var handler = null;
 		
+		// handle redirects first
+		for (var idx = 0, len = this.redirects.length; idx < len; idx++) {
+			var redirect = this.redirects[idx];
+			var matches = args.request.url.match(redirect.regexp);
+			if (matches) {
+				// redirect now
+				var headers = redirect.headers || {};
+				
+				// allow regexp-style placeholder substitution in target url
+				headers.Location = redirect.url.replace(/\$(\d+)/g, function(m_all, m_g1) { return matches[ parseInt(m_g1) ]; });
+				
+				this.logDebug(8, "Redirecting to URL: " + headers.Location);
+				this.sendHTTPResponse( args, redirect.status || "302 Found", headers, null );
+				this.deleteUploadTempFiles(args);
+				return;
+			} // matched
+		} // foreach redirect
+		
 		args.state = 'processing';
 		args.perf.begin('process');
 		

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pixl-server-web",
-	"version": "2.0.0",
+	"version": "2.0.2",
 	"description": "A web server component for the pixl-server framework.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/pixl-server-web",

package/test/test.js

@@ -13,6 +13,8 @@ var PixlServer = require('pixl-server');
 
 var PixlRequest = require('pixl-request');
 var request = new PixlRequest();
+request.setTimeout( 5 * 1000 ); // 5 seconds
+request.setIdleTimeout( 5 * 1000 ); // 5 seconds
 
 var http = require('http');
 var agent = new http.Agent({ keepAlive: true });
@@ -52,6 +54,20 @@ var server = new PixlServer({
 			"http_recent_requests": 10,
 			"http_max_connections": 10,
 			
+			"http_blacklist": ["5.6.7.0/24"],
+			
+			"http_rewrites": {
+				"^/rewrite(.*)$": "/json$1"
+			},
+			"http_redirects": {
+				"^/disney": "https://disney.com/",
+				"^/pixar(.*)$": {
+					"url": "https://pixar.com$1",
+					"headers": { "X-Animal": "Frog" },
+					"status": "301 Moved Permanently"
+				}
+			},
+			
 			"https": 1,
 			"https_port": 3021,
 			"https_alt_ports": [3121],
@@ -193,6 +209,100 @@ module.exports = {
 			);
 		},
 		
+		function testSimpleURLRewrite(test) {
+			// test simple rewrite
+			request.json( 'http://127.0.0.1:3020/rewrite', false,
+				{
+					headers: {
+						'X-Test': "Test"
+					}
+				},
+				function(err, resp, json, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( resp.headers['via'] == "WebServerTest 1.0", "Correct Via header: " + resp.headers['via'] );
+					test.ok( !!json, "Got JSON in response" );
+					test.ok( json.code == 0, "Correct code in JSON response: " + json.code );
+					test.ok( !!json.user, "Found user object in JSON response" );
+					test.ok( json.user.Name == "Joe", "Correct user name in JSON response: " + json.user.Name );
+					
+					// request headers will be echoed back
+					test.ok( !!json.headers, "Found headers echoed in JSON response" );
+					test.ok( json.headers['x-test'] == "Test", "Found Test header echoed in JSON response" );
+					
+					test.done();
+				} 
+			);
+		},
+		
+		function testAdvancedURLRewrite(test) {
+			// test advanced rewrite
+			request.json( 'http://127.0.0.1:3020/rewrite?foo=bar1234&baz=bop%20pog&animal=frog&animal=dog', false,
+				{
+					headers: {
+						'X-Test': "Test"
+					}
+				},
+				function(err, resp, json, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( resp.headers['via'] == "WebServerTest 1.0", "Correct Via header: " + resp.headers['via'] );
+					test.ok( !!json, "Got JSON in response" );
+					test.ok( json.code == 0, "Correct code in JSON response: " + json.code );
+					test.ok( !!json.user, "Found user object in JSON response" );
+					test.ok( json.user.Name == "Joe", "Correct user name in JSON response: " + json.user.Name );
+					
+					test.ok( !!json.query, "Found query object in JSON response" );
+					test.ok( json.query.foo == "bar1234", "Query contains correct foo key" );
+					test.ok( json.query.baz == "bop pog", "Query contains correct baz key (URL encoding)" );
+					
+					// dupes should become array by default
+					test.ok( typeof(json.query.animal) == 'object', "Query param animal is an object" );
+					test.ok( json.query.animal.length == 2, "Query param animal has length 2" );
+					test.ok( json.query.animal[0] === 'frog', "First animal is frog" );
+					test.ok( json.query.animal[1] === 'dog', "Second animal is dog" );
+					
+					// request headers will be echoed back
+					test.ok( !!json.headers, "Found headers echoed in JSON response" );
+					test.ok( json.headers['x-test'] == "Test", "Found Test header echoed in JSON response" );
+					
+					test.done();
+				} 
+			);
+		},
+		
+		function testSimpleURLRedirect(test) {
+			// simple 302
+			request.get( 'http://127.0.0.1:3020/disney',
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 302, "Got 302 response: " + resp.statusCode );
+					test.ok( !!resp.headers['location'], "Got Location header" );
+					test.ok( !!resp.headers['location'].match(/disney\.com/), "Correct Location header");
+					test.done();
+				} 
+			);
+		},
+		
+		function testAdvancedURLRedirect(test) {
+			// more complex redirect config (301, custom header)
+			request.get( 'http://127.0.0.1:3020/pixar/toads',
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 301, "Got 301 response: " + resp.statusCode );
+					test.ok( !!resp.headers['location'], "Got Location header" );
+					test.ok( !!resp.headers['location'].match(/pixar\.com\/toads/), "Correct Location header");
+					test.ok( !!resp.headers['x-animal'], "Got x-animal header" );
+					test.ok( !!resp.headers['x-animal'].match(/frog/i), "Correct x-animal header");
+					test.done();
+				} 
+			);
+		},
+		
 		function testHTTPAltPort(test) {
 			// test simple HTTP GET request to webserver backend, alternate port
 			request.json( 'http://127.0.0.1:3120/json', false,
@@ -1360,7 +1470,7 @@ module.exports = {
 		},
 		
 		// redirect
-		function testRedirect(test) {
+		function testRedirectHandler(test) {
 			request.get( 'http://127.0.0.1:3020/redirect',
 				function(err, resp, data, perf) {
 					test.ok( !err, "No error from PixlRequest: " + err );
@@ -1522,6 +1632,53 @@ module.exports = {
 			);
 		},
 		
+		// blacklist
+		function testBlacklistedIP(test) {
+			request.get( 'http://127.0.0.1:3020/json', 
+				{
+					headers: {
+						"X-Forwarded-For": "5.6.7.8" // blacklisted
+					}
+				},
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 403, "Got 403 response: " + resp.statusCode );
+					test.done();
+				} 
+			);
+		},
+		function testAnotherBlacklistedIP(test) {
+			request.get( 'http://127.0.0.1:3020/json', 
+				{
+					headers: {
+						"X-Forwarded-For": "1.2.3.4, 5.6.7.255, 2.3.4.5" // blacklisted
+					}
+				},
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 403, "Got 403 response: " + resp.statusCode );
+					test.done();
+				} 
+			);
+		},
+		function testAllowedIP(test) {
+			request.get( 'http://127.0.0.1:3020/json', 
+				{
+					headers: {
+						"X-Forwarded-For": "5.6.8.7" // just outside blacklisted range
+					}
+				},
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.done();
+				} 
+			);
+		},
+		
 		function testConditionalResponseHeaders(test) {
 			// test response headers per http code
 			var self = this;

package/web_server.js

@@ -46,6 +46,7 @@ module.exports = Class({
 		"http_compress_text": false,
 		"http_enable_brotli": false,
 		"http_default_acl": ['127.0.0.1', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '::1/128', 'fd00::/8', '169.254.0.0/16', 'fe80::/10'],
+		"http_blacklist": [],
 		"http_log_requests": false,
 		"http_log_request_details": false,
 		"http_log_body_max": 32768,
@@ -99,8 +100,49 @@ class WebServer extends Component {
 		this.uriFilters = [];
 		this.uriHandlers = [];
 		this.methodHandlers = [];
-		this.defaultACL = new ACL();
-		this.aclPrivateRanges = new ACL( this.config.get('http_private_ip_ranges') );
+		this.stats = { current: {}, last: {} };
+		this.recent = [];
+		
+		this.prepConfig();
+		this.config.on('reload', this.prepConfig.bind(this) );
+		
+		// setup queue to handle all requests
+		// if both max concurrent req AND max connections are not set, just use a very large number
+		this.queue = async.queue( this.parseHTTPRequest.bind(this), this.maxConcurrentReqs || 8192 );
+		
+		// listen for tick events to swap stat buffers
+		this.server.on( 'tick', this.tick.bind(this) );
+		
+		// start listeners
+		this.startAll(callback);
+	}
+	
+	prepConfig() {
+		// prep config at startup, and when config is hot reloaded
+		try { 
+			this.defaultACL = new ACL( this.config.get('http_default_acl') ); 
+		}
+		catch (err) {
+			this.logError('acl', "Failed to initialize default ACL: " + err);
+			this.defaultACL = new ACL();
+		}
+		
+		try {
+			this.aclBlacklist = new ACL( this.config.get('http_blacklist') );
+		}
+		catch (err) {
+			this.logError('acl', "Failed to initialize blacklist: " + err);
+			this.aclBlacklist = new ACL();
+		}
+		
+		try {
+			this.aclPrivateRanges = new ACL( this.config.get('http_private_ip_ranges') );
+		}
+		catch (err) {
+			this.logError('acl', "Failed to initialize private range ACL: " + err);
+			this.aclPrivateRanges = new ACL();
+		}
+		
 		this.regexTextContent = new RegExp( this.config.get('http_regex_text'), "i" );
 		this.regexJSONContent = new RegExp( this.config.get('http_regex_json'), "i" );
 		this.logRequests = this.config.get('http_log_requests');
@@ -111,8 +153,6 @@ class WebServer extends Component {
 		this.logPerfThreshold = this.config.get('http_perf_threshold_ms');
 		this.logPerfReport = this.config.get('http_perf_report');
 		this.keepRecentRequests = this.config.get('http_recent_requests');
-		this.stats = { current: {}, last: {} };
-		this.recent = [];
 		
 		// optionally compress text
 		this.compressText = this.config.get('http_compress_text') || this.config.get('http_gzip_text');
@@ -151,18 +191,15 @@ class WebServer extends Component {
 		
 		// optional max requests per KA connection
 		this.maxReqsPerConn = this.config.get('http_max_requests_per_connection');
-		
-		// setup queue to handle all requests
-		this.maxConcurrentReqs = this.config.get('http_max_concurrent_requests') || this.config.get('http_max_connections');
 		this.maxQueueLength = this.config.get('http_max_queue_length');
 		this.maxQueueActive = this.config.get('http_max_queue_active');
 		
+		// NOTE: changing maxConcurrentReqs at runtime has no effect
+		this.maxConcurrentReqs = this.config.get('http_max_concurrent_requests') || this.config.get('http_max_connections');
+		
 		this.queueSkipMatch = this.config.get('http_queue_skip_uri_match') ? 
 			new RegExp( this.config.get('http_queue_skip_uri_match') ) : false;
 		
-		// if both max concurrent req AND max connections are not set, just use a very large number
-		this.queue = async.queue( this.parseHTTPRequest.bind(this), this.maxConcurrentReqs || 8192 );
-		
 		// front-end https header detection
 		var ssl_headers = this.config.get('https_header_detect');
 		if (ssl_headers) {
@@ -171,20 +208,7 @@ class WebServer extends Component {
 				this.ssl_header_detect[ key.toLowerCase() ] = new RegExp( ssl_headers[key] );
 			}
 		}
-		
-		// initialize default ACL blocks
-		if (this.config.get('http_default_acl')) {
-			try {
-				this.config.get('http_default_acl').forEach( function(block) {
-					self.defaultACL.add( block );
-				} );
-			}
-			catch (err) {
-				var err_msg = "Failed to initialize ACL: " + err.message;
-				this.logError('acl', err_msg);
-				throw new Error(err_msg);
-			}
-		}
+		else delete this.ssl_header_detect;
 		
 		// initialize request max dump system, if enabled
 		this.reqMaxDumpEnabled = this.config.get('http_req_max_dump_enabled');
@@ -196,10 +220,29 @@ class WebServer extends Component {
 			fs.mkdirSync( this.reqMaxDumpDir, { mode: 0o777, recursive: true } );
 		}
 		
-		// listen for tick events to swap stat buffers
-		this.server.on( 'tick', this.tick.bind(this) );
+		// url rewrites
+		this.rewrites = [];
+		if (this.config.get('http_rewrites')) {
+			var rewrite_map = this.config.get('http_rewrites');
+			for (var key in rewrite_map) {
+				var rewrite = rewrite_map[key];
+				if (typeof(rewrite) == 'string') rewrite = { url: rewrite_map[key] };
+				rewrite.regexp = new RegExp(key);
+				this.rewrites.push(rewrite);
+			}
+		}
 		
-		this.startAll(callback);
+		// url redirects
+		this.redirects = [];
+		if (this.config.get('http_redirects')) {
+			var redir_map = this.config.get('http_redirects');
+			for (var key in redir_map) {
+				var redirect = redir_map[key];
+				if (typeof(redirect) == 'string') redirect = { url: redir_map[key] };
+				redirect.regexp = new RegExp(key);
+				this.redirects.push(redirect);
+			}
+		}
 	}
 	
 	startAll(callback) {