implement mmdb file handling and worker

.github/workflows/install-test.yml

@@ -0,0 +1,58 @@
+name: Install test
+on: [push]
+jobs:
+  Build-install-ubuntu:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code, branch='${{ github.ref }}'
+        uses: actions/checkout@v4
+
+      - name: Building package
+        run: sudo ./builder.sh
+        working-directory: ./pkg/deb
+
+      - name: Installing package
+        run: sudo dpkg --install ./synapse*.deb
+        working-directory: ./pkg/deb
+
+      - name: Start Synapse service
+        run: sudo systemctl start synapse
+
+      - name: Check Synapse running
+        run: sudo systemctl status synapse
+
+      - name: Remove package installation
+        if: always()
+        run: sudo dpkg --purge synapse
+
+
+  # Build-install-centos:
+  #   runs-on:
+  #     group: centos7
+  #   env:
+  #     repodir: ${{ github.workspace }}/${{ github.run_id }}
+  #   steps:
+  #     - name: Check out repository code, branch='${{ github.ref }}'
+  #       run: git clone https://github.com/${{ github.repository }}.git -b ${{ github.ref_name }} $repodir
+
+  #     - name: Building package
+  #       run: sudo ./builder.sh
+  #       working-directory: ${{ github.run_id }}/pkg/rpm
+
+  #     - name: Installing package
+  #       run: sudo yum install -y ./synapse*.rpm
+  #       working-directory: ${{ github.run_id }}/pkg/rpm
+
+  #     - name: Start Synapse service
+  #       run: sudo systemctl start synapse
+
+  #     - name: Check Synapse running
+  #       run: sudo systemctl status synapse
+
+  #     - name: Remove package installation
+  #       if: always()
+  #       run: sudo yum remove -y synapse
+
+  #     - name: Remove repository
+  #       if: always()
+  #       run: sudo rm -rf $repodir

.github/workflows/release.yaml

@@ -214,8 +214,52 @@ jobs:
       with:
         name: synapse-${{ matrix.target }}
         path: synapse-*
+  package-build-amd64:
+    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: docker build -t synapse-builder:latest -f pkg/deb/docker/Dockerfile pkg/deb/docker/
+
+      - name: Package build
+        run: |
+          mkdir -p /tmp/${{ github.sha }}
+          docker run -v ${{ github.workspace }}:/tmp/repo -v /tmp/${{ github.sha }}:/tmp/output --rm synapse-builder:latest ${{ github.ref_name }}
+
+      - name: Archive output package
+        uses: actions/upload-artifact@v4
+        with:
+          name: synapse_${{ github.sha }}_amd64.deb
+          path: /tmp/${{ github.sha }}/synapse*.deb
+          retention-days: 5
+
+  package-build-arm64:
+    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: docker build -t synapse-builder:latest -f pkg/deb/docker/Dockerfile pkg/deb/docker/
+
+      - name: Package build
+        run: |
+          mkdir -p /tmp/${{ github.sha }}
+          docker run -v ${{ github.workspace }}:/tmp/repo -v /tmp/${{ github.sha }}:/tmp/output --rm synapse-builder:latest ${{ github.ref_name }}
+
+      - name: Archive output package
+        uses: actions/upload-artifact@v4
+        with:
+          name: synapse_${{ github.sha }}_arm64.deb
+          path: /tmp/${{ github.sha }}/synapse*.deb
+          retention-days: 5
+
   publish-artifacts:
-      needs: [ build-artifacts ]
+      needs: [ package-build-amd64, package-build-arm64 ]
       runs-on: ubuntu-latest
 
       steps:
@@ -224,6 +268,10 @@ jobs:
         with:
           pattern: synapse-*
 
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: synapse_*
       - name: ls
         shell: bash
         run: |

.gitignore

@@ -37,3 +37,11 @@ upstreams.yaml
 docker/volumes/
 certs
 .tmp
+!config/config.yaml
+!config/upstreams.yaml
+!config/upstreams_kubernetes.yaml
+!config/upstreams_consul.yaml
+*.deb
+*.rpm
+null
+*.log

Cargo.toml

@@ -98,6 +98,7 @@ ctrlc = "3.5.0"
 arc-swap = "1.7.1"
 prometheus = "0.14.0"
 once_cell = "1.21.3"
+maxminddb = "0.23"
 axum-server = { version = "0.7.3", features = ["tls-openssl"] }
 axum = { version = "0.8.7" }
 tower-http = { version = "0.6.8", features = ["fs"] }

config_example.yaml → config/config.yaml

@@ -85,6 +85,21 @@ arxignis:
   # Maximum size for request/response bodies in access logs (bytes) - Don't override in Basic plan that's the maximum allowed by the plan.
   max_body_size: 1048576
 
+  # Threat MMDB Configuration
+  # Base URL for Threat MMDB files (version.txt and MMDB files are at this base URL)
+  # Example: https://example.com/threat/ (will use https://example.com/threat/version.txt)
+  threat_mmdb_url: ""
+
+  # Local path to Threat MMDB file (optional, for pre-downloaded files)
+  threat_mmdb_path: null
+
+  # Threat MMDB refresh interval in seconds (default: 300 = 5 minutes)
+  threat_mmdb_refresh_secs: 300
+
+  # Custom headers to add to Threat MMDB download requests (optional)
+  # Example: {"Authorization": "Bearer token", "X-Custom-Header": "value"}
+  threat_mmdb_headers: null
+
   # Captcha Configuration
   captcha:
     # Captcha site key for security verification
@@ -105,6 +120,47 @@ arxignis:
     # Captcha validation cache TTL in seconds
     cache_ttl: 300
 
+# GeoIP MMDB Configuration
+geoip:
+  # Country database configuration
+  country:
+    # URL to download GeoIP Country MMDB file
+    url: ""
+    # Local path to GeoIP Country MMDB file (full path) or directory prefix
+    # Full path example: /var/cache/synapse/GeoLite2-Country.mmdb
+    # Directory prefix example: /var/cache/synapse (will use GeoLite2-Country.mmdb)
+    path: null
+    # Custom headers to add to download requests (optional)
+    # Example: {"Authorization": "Bearer token", "X-Custom-Header": "value"}
+    headers: null
+
+  # ASN database configuration
+  asn:
+    # URL to download GeoIP ASN MMDB file
+    url: ""
+    # Local path to GeoIP ASN MMDB file (full path) or directory prefix
+    # Full path example: /var/cache/synapse/GeoLite2-ASN.mmdb
+    # Directory prefix example: /var/cache/synapse (will use GeoLite2-ASN.mmdb)
+    path: null
+    # Custom headers to add to download requests (optional)
+    # Example: {"Authorization": "Bearer token", "X-Custom-Header": "value"}
+    headers: null
+
+  # City database configuration
+  city:
+    # URL to download GeoIP City MMDB file
+    url: ""
+    # Local path to GeoIP City MMDB file (full path) or directory prefix
+    # Full path example: /var/cache/synapse/GeoLite2-City.mmdb
+    # Directory prefix example: /var/cache/synapse (will use GeoLite2-City.mmdb)
+    path: null
+    # Custom headers to add to download requests (optional)
+    # Example: {"Authorization": "Bearer token", "X-Custom-Header": "value"}
+    headers: null
+
+  # GeoIP MMDB refresh interval in seconds (default: 28800 = 8 hours)
+  refresh_secs: 28800
+
 # Content Scanning
 content_scanning:
   # Enable or disable content scanning
@@ -210,7 +266,7 @@ pingora:
   proxy_address_tls: "0.0.0.0:443"
 
   # Mandatory if proxy_address_tls is set (cert files: {NAME}.crt, {NAME}.key)
-  proxy_certificates: "/root/synapse/certs"
+  proxy_certificates: "/etc/synapse/certs"
 
   # TLS suite grade (high, medium, unsafe)
   proxy_tls_grade: "medium"
@@ -220,7 +276,7 @@ pingora:
   default_certificate: "default"
 
   # Path to upstreams configuration file
-  upstreams_conf: "/root/synapse/upstreams.yaml"
+  upstreams_conf: "/etc/synapse/upstreams.yaml"
 
   # HTTP API address for remote config updates
   config_address: "0.0.0.0:3000"

config/upstreams.yaml

@@ -0,0 +1,49 @@
+provider: "file" # "file" "consul" "kubernetes"
+config:
+  https_proxy_enabled: false
+  sticky_sessions: false
+  global_rate_limit: 100
+  global_headers:
+    - "Access-Control-Allow-Origin:*"
+    - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
+    - "Access-Control-Max-Age:86400"
+    - "Strict-Transport-Security:max-age=31536000; includeSubDomains; preload"
+
+arxignis_paths:
+  "/cgi-bin/captcha/verify":
+    rate_limit: 200
+    https_proxy_enabled: false
+    ssl_enabled: false
+    servers:
+      - "127.0.0.1:3001"
+
+  "/.well-known/acme-challenge/*":
+    rate_limit: 200
+    https_proxy_enabled: false
+    ssl_enabled: false
+    servers:
+      - "127.0.0.1:9180"
+  "/health":
+    rate_limit: 100
+    https_proxy_enabled: false
+    ssl_enabled: false
+    disable_access_log: true  # Disable access logs for health checks to reduce noise
+    servers:
+      - "127.0.0.1:8000"
+
+upstreams:
+  example.com:
+    certificate: "example.com"
+    acme:
+      challenge_type: "dns-01"
+      email: "<EMAIL>"
+      wildcard: true
+    paths:
+      "/":
+        rate_limit: 200
+        force_https: true
+        ssl_enabled: true
+        headers:
+          - "Host: whoami.arxignis.com"
+        servers:
+          - "whoami.arxignis.com:443"