fix: potential crash when using apache_request_headers()

---------

Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>

.dockerignore

@@ -11,3 +11,4 @@
 !testdata/*.txt
 !build-static.sh
 !app.tar
+!app_checksum.txt

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -0,0 +1,78 @@
+---
+name: Bug Report
+description: File a bug report
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: |
+        Tell us what you do, what you get and what you expected.
+        Provide us with some step-by-step instructions to reproduce the issue.
+    validations:
+      required: true
+  - type: dropdown
+    id: build
+    attributes:
+      label: Build Type
+      description: What build of FrankenPHP do you use?
+      options:
+        - Docker (Debian Bookworm)
+        - Docker (Alpine)
+        - Official static build
+        - Standalone binary
+        - Custom (tell us more in the description)
+      default: 0
+    validations:
+      required: true
+  - type: dropdown
+    id: worker
+    attributes:
+      label: Worker Mode
+      description: Does the problem happen only when using the worker mode?
+      options:
+        - "Yes"
+        - "No"
+      default: 0
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      description: What operating system are you executing FrankenPHP with?
+      options:
+        - GNU/Linux
+        - macOS
+        - Other (tell us more in the description)
+      default: 0
+    validations:
+      required: true
+  - type: dropdown
+    id: arch
+    attributes:
+      label: CPU Architecture
+      description: What CPU architecture are you using?
+      options:
+        - x86_64
+        - Apple Silicon
+        - x86
+        - aarch64
+        - Other (tell us more in the description)
+      default: 0
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: |
+        Please copy and paste any relevant log output.
+        This will be automatically formatted into code,
+        so no need for backticks.
+      render: shell

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -0,0 +1,20 @@
+---
+name: Feature Request
+description: Suggest an idea for this project
+labels: [enhancement]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe you feature request
+      value: |
+        **Is your feature request related to a problem? Please describe.**
+        A clear and concise description of what the problem is.
+        Ex. I'm always frustrated when [...]
+
+        **Describe the solution you'd like**
+        A clear and concise description of what you want to happen.
+
+        **Describe alternatives you've considered**
+        A clear and concise description of any alternative solutions
+        or features you've considered.

.github/workflows/docker.yaml

@@ -17,6 +17,9 @@ on:
         type: string
   schedule:
     - cron:  '0 4 * * *'
+env:
+  IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
+  LATEST: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && '0' || '1' }}
 jobs:
   prepare:
     runs-on: ubuntu-latest
@@ -35,6 +38,8 @@ jobs:
       -
         name: Check PHP versions
         id: check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           PHP_82_LATEST=$(skopeo inspect docker://docker.io/library/php:8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
           PHP_83_LATEST=$(skopeo inspect docker://docker.io/library/php:8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
@@ -43,28 +48,28 @@ jobs:
             echo php82_version="${PHP_82_LATEST//./-}"
             echo php83_version="${PHP_83_LATEST//./-}"
           } >> "${GITHUB_OUTPUT}"
-          
+
           # Check if the Docker images must be rebuilt
           if [[ "${GITHUB_EVENT_NAME}" != "schedule"  ]]; then
               echo skip=false >> "${GITHUB_OUTPUT}"
               exit 0
           fi
-          
+
           FRANKENPHP_82_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:latest-php8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
           FRANKENPHP_83_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:latest-php8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          
+
           if [[ "${FRANKENPHP_82_LATEST}" == "${PHP_82_LATEST}" ]] && [[ "${FRANKENPHP_83_LATEST}" == "${PHP_83_LATEST}" ]]; then
               echo skip=true >> "${GITHUB_OUTPUT}"
               exit 0
           fi
-          
+
           {
             echo ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')"
             echo skip=false
           } >> "${GITHUB_OUTPUT}"
       -
         uses: actions/checkout@v4
-        if: ${{ !steps.check.outputs.skip }}
+        if: ${{ !fromJson(steps.check.outputs.skip) }}
         with:
           ref: ${{ steps.check.outputs.ref }}
       -
@@ -169,12 +174,10 @@ jobs:
         run: |
           mkdir -p /tmp/metadata/builder /tmp/metadata/runner
 
-          # shellcheck disable=SC2086
-          builderDigest=$(jq -r '."builder-${{ matrix.variant }}"."containerimage.digest"' <<< ${METADATA})
+          builderDigest=$(jq -r '."builder-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}")
           touch "/tmp/metadata/builder/${builderDigest#sha256:}"
 
-          # shellcheck disable=SC2086
-          runnerDigest=$(jq -r '."runner-${{ matrix.variant }}"."containerimage.digest"' <<< ${METADATA})
+          runnerDigest=$(jq -r '."runner-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}")
           touch "/tmp/metadata/runner/${runnerDigest#sha256:}"
         env:
           METADATA: ${{ steps.build.outputs.metadata }}
@@ -198,8 +201,7 @@ jobs:
           retention-days: 1
       -
         name: Run tests
-        if: '!matrix.qemu'
-        continue-on-error: ${{ fromJson(needs.prepare.outputs.push) }}
+        if: ${{ !matrix.qemu && !fromJson(needs.prepare.outputs.push) }}
         run: |
           docker run --platform=${{ matrix.platform }} --rm \
             "$(jq -r '."builder-${{ matrix.variant }}"."containerimage.config.digest"' <<< "${METADATA}")" \
@@ -229,7 +231,8 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
-          version: latest
+          # Temporary fix for https://github.com/docker/buildx/issues/2229
+          version: "https://github.com/jedevc/buildx.git#imagetools-resolver-copy-dupe"
       -
         name: Login to DockerHub
         uses: docker/login-action@v3
@@ -240,6 +243,7 @@ jobs:
         name: Create manifest list and push
         working-directory: /tmp/metadata
         run: |
+          set -x
           # shellcheck disable=SC2046,SC2086
           docker buildx imagetools create $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | map("-t " + .) | join(" ")' <<< ${METADATA}) \
             $(printf 'dunglas/frankenphp@sha256:%s ' *)

.github/workflows/static.yaml

@@ -16,22 +16,64 @@ on:
         required: false
         type: string
   schedule:
-    - cron:  '0 0 * * *'  
+    - cron:  '0 0 * * *'
+env:
+  IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}    
+  LATEST: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && '0' || '1' }}
 jobs:
   prepare:
     runs-on: ubuntu-latest
     outputs:
-      ref: ${{ steps.ref.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}
+      push: ${{ toJson((steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false) }}
+      platforms: ${{ steps.matrix.outputs.platforms }}
+      metadata: ${{ steps.matrix.outputs.metadata }}
+      ref: ${{ steps.check.outputs.ref }}
     steps:
       -
-        name: Get latest release
-        id: ref
+        name: Get version
+        id: check
         if: github.event_name == 'schedule'
-        run: echo ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')" >> "${GITHUB_OUTPUT}"
+        run: |
+          ref="${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}"
+          if [[ -z "${ref}" ]]; then
+            ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')"
+          fi
+
+          echo "ref=${ref}" >> "${GITHUB_OUTPUT}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.check.outputs.ref }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: latest
+      -
+        name: Create platforms matrix
+        id: matrix
+        run: |
+          METADATA="$(docker buildx bake --print static-builder | jq -c)"
+          {
+            echo metadata="${METADATA}"
+            echo platforms="$(jq -c 'first(.target[]) | .platforms' <<< "${METADATA}")"
+          } >> "${GITHUB_OUTPUT}"
+        env:
+          SHA: ${{ github.sha }}
+          VERSION: ${{ steps.check.outputs.ref || github.sha }}
   build-linux:
-    name: Build Linux x86_64 binary
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
+        include:
+          - race: ""
+            qemu: true
+          - platform: linux/amd64
+            qemu: false
+    name: Build ${{ matrix.platform }} static binary
     runs-on: ubuntu-latest
     needs: [ prepare ]
     steps:
@@ -39,55 +81,138 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ needs.prepare.outputs.ref }}
+      -
+        name: Set up QEMU
+        if: matrix.qemu
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ matrix.platform }}
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
+          platforms: ${{ matrix.platform }}
           version: latest
       -
         name: Login to DockerHub
-        if: needs.prepare.outputs.ref || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')
+        if: ${{ fromJson(needs.prepare.outputs.push) }}
         uses: docker/login-action@v3
         with:
-          username: ${{secrets.REGISTRY_USERNAME}}
-          password: ${{secrets.REGISTRY_PASSWORD}}    
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}    
       -
         name: Build
         id: build
         uses: docker/bake-action@v4
         with:
           pull: true
-          load: ${{ (!needs.prepare.outputs.ref && !startsWith(github.ref, 'refs/tags/') && (github.ref != 'refs/heads/main' || github.event_name == 'pull_request')) && true || false }}
-          push: ${{ (needs.prepare.outputs.ref || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false }}
+          load: ${{ !fromJson(needs.prepare.outputs.push) }}
           targets: static-builder
           set: |
-            *.cache-from=type=gha,scope=${{needs.prepare.outputs.ref || github.ref}}-static-builder
+            *.tags=
+            *.platform=${{ matrix.platform }}
+            *.cache-from=type=gha,scope=${{ needs.prepare.outputs.ref || github.ref }}-static-builder
             *.cache-from=type=gha,scope=refs/heads/main-static-builder
-            *.cache-to=type=gha,scope=${{needs.prepare.outputs.ref || github.ref}}-static-builder,ignore-error=true
+            *.cache-to=type=gha,scope=${{ needs.prepare.outputs.ref || github.ref }}-static-builder,ignore-error=true
+            ${{ fromJson(needs.prepare.outputs.push) && '*.output=type=image,name=dunglas/frankenphp,push-by-digest=true,name-canonical=true,push=true' || '' }}
         env:
-          SHA: ${{github.sha}}
+          SHA: ${{ github.sha }}
           VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref || github.sha}}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       -
-        name: Pull Docker image
-        if: needs.prepare.outputs.ref || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')
-        run: docker pull dunglas/frankenphp:static-builder
+        # Workaround for https://github.com/actions/runner/pull/2477#issuecomment-1501003600
+        name: Export metadata
+        if: fromJson(needs.prepare.outputs.push)
+        run: |
+          mkdir -p /tmp/metadata
+
+          # shellcheck disable=SC2086
+          digest=$(jq -r '."static-builder"."containerimage.digest"' <<< ${METADATA})
+          touch "/tmp/metadata/${digest#sha256:}"
+        env:
+          METADATA: ${{ steps.build.outputs.metadata }}
+      -
+        name: Upload metadata
+        if: fromJson(needs.prepare.outputs.push)
+        uses: actions/upload-artifact@v3
+        with:
+          name: metadata-static-builder
+          path: /tmp/metadata/*
+          if-no-files-found: error
+          retention-days: 1
       -
         name: Copy binary
-        run: docker cp "$(docker create --name static-builder dunglas/frankenphp:static-builder):/go/src/app/dist/frankenphp-linux-x86_64" frankenphp-linux-x86_64 ; docker rm static-builder
+        if: ${{ !fromJson(needs.prepare.outputs.push) }}
+        run: |
+          digest=$(jq -r '."static-builder"."containerimage.config.digest"' <<< "${METADATA}")
+          docker create --platform=${{ matrix.platform }} --name static-builder "${digest}"
+          docker cp "static-builder:/go/src/app/dist/${BINARY}" "${BINARY}"
+        env:
+          METADATA: ${{ steps.build.outputs.metadata }}
+          BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}
+      -
+        name: Upload artifact
+        if: ${{ !fromJson(needs.prepare.outputs.push) }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}
+          path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}
+  # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
+  push:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+      - build-linux
+    if: fromJson(needs.prepare.outputs.push)
+    #if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
+    steps:
+      -
+        name: Download metadata
+        uses: actions/download-artifact@v3
+        with:
+          name: metadata-static-builder
+          path: /tmp/metadata
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: latest
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      -
+        name: Create manifest list and push
+        working-directory: /tmp/metadata
+        run: |
+          # shellcheck disable=SC2046,SC2086
+          docker buildx imagetools create $(jq -cr '.target."static-builder".tags | map("-t " + .) | join(" ")' <<< "${METADATA}") \
+            $(printf 'dunglas/frankenphp@sha256:%s ' *)
+        env:
+          METADATA: ${{ needs.prepare.outputs.metadata }}
+      -
+        name: Inspect image
+        run: |
+          # shellcheck disable=SC2046,SC2086
+          docker buildx imagetools inspect "$(jq -cr '.target."static-builder".tags | first' <<< "${METADATA}")"
+        env:
+          METADATA: ${{ needs.prepare.outputs.metadata }}  
+      -
+        name: Copy binary
+        run: |
+          tag=$(jq -cr '.target."static-builder".tags | first' <<< "${METADATA}")
+          docker cp "$(docker create --platform=linux/amd64 --name static-builder "${tag}"):/go/src/app/dist/frankenphp-linux-x86_64" frankenphp-linux-x86_64 ; docker rm static-builder
+          docker cp "$(docker create --platform=linux/arm64 --name static-builder "${tag}"):/go/src/app/dist/frankenphp-linux-aarch64" frankenphp-linux-aarch64 ; docker rm static-builder
+        env:
+          METADATA: ${{ needs.prepare.outputs.metadata }}
       -
         name: Upload asset
         if: needs.prepare.outputs.ref || github.ref_type == 'tag'
-        run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" frankenphp-linux-x86_64 --repo dunglas/frankenphp --clobber
+        run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" frankenphp-linux-x86_64 frankenphp-linux-aarch64 --repo dunglas/frankenphp --clobber
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Upload artifact
-        if: github.ref_type == 'branch'
-        uses: actions/upload-artifact@v3
-        with:
-          name: frankenphp-linux-x86_64
-          path: frankenphp-linux-x86_64
   build-mac:
     name: Build macOS x86_64 binaries
     runs-on: macos-latest

.github/workflows/tests.yaml

@@ -14,6 +14,8 @@ jobs:
       fail-fast: false
       matrix:
         php-versions: ['8.2', '8.3']
+    env:
+      GOEXPERIMENT: cgocheck2
     steps:
       -
         uses: actions/checkout@v4
@@ -39,9 +41,7 @@ jobs:
           echo "CGO_CFLAGS=$(php-config --includes)" >> "$GITHUB_ENV"
       -
         name: Build
-        run: go build
-        env:
-          GOEXPERIMENT: cgocheck2
+        run: go build          
       -
         name: Build testcli binary
         working-directory: internal/testcli/

CONTRIBUTING.md

@@ -8,7 +8,7 @@ Build the dev Docker image:
 
 ```console
 docker build -t frankenphp-dev -f dev.Dockerfile .
-docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -p 8080:8080 -p 443:443 -v $PWD:/go/src/app -it frankenphp-dev
+docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -p 8080:8080 -p 443:443 -p 443:443/udp -v $PWD:/go/src/app -it frankenphp-dev
 ```
 
 The image contains the usual development tools (Go, GDB, Valgrind, Neovim...).  

Dockerfile

@@ -4,12 +4,12 @@ FROM php-base AS common
 WORKDIR /app
 
 RUN apt-get update && \
-    apt-get -y --no-install-recommends install \
-        mailcap \
-        libcap2-bin \
-    && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+	apt-get -y --no-install-recommends install \
+		mailcap \
+		libcap2-bin \
+	&& \
+	apt-get clean && \
+	rm -rf /var/lib/apt/lists/*
 
 RUN set -eux; \
 	mkdir -p \
@@ -54,18 +54,19 @@ ENV PATH /usr/local/go/bin:$PATH
 
 # This is required to link the FrankenPHP binary to the PHP binary
 RUN apt-get update && \
-    apt-get -y --no-install-recommends install \
-    libargon2-dev \
-    libcurl4-openssl-dev \
-    libonig-dev \
-    libreadline-dev \
-    libsodium-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    libxml2-dev \
-    zlib1g-dev \
-    && \
-    apt-get clean
+	apt-get -y --no-install-recommends install \
+	libargon2-dev \
+	libbrotli-dev \
+	libcurl4-openssl-dev \
+	libonig-dev \
+	libreadline-dev \
+	libsodium-dev \
+	libsqlite3-dev \
+	libssl-dev \
+	libxml2-dev \
+	zlib1g-dev \
+	&& \
+	apt-get clean
 
 WORKDIR /go/src/app
 
@@ -89,9 +90,9 @@ ENV CGO_LDFLAGS="-lssl -lcrypto -lreadline -largon2 -lcurl -lonig -lz $PHP_LDFLA
 
 WORKDIR /go/src/app/caddy/frankenphp
 RUN GOBIN=/usr/local/bin go install -ldflags "-w -s -X 'github.com/caddyserver/caddy/v2.CustomVersion=FrankenPHP $FRANKENPHP_VERSION PHP $PHP_VERSION Caddy'" && \
-    setcap cap_net_bind_service=+ep /usr/local/bin/frankenphp && \
-    cp Caddyfile /etc/caddy/Caddyfile && \
-    frankenphp version
+	setcap cap_net_bind_service=+ep /usr/local/bin/frankenphp && \
+	cp Caddyfile /etc/caddy/Caddyfile && \
+	frankenphp version
 
 WORKDIR /go/src/app
 

README.md

@@ -20,7 +20,7 @@ FrankenPHP can also be used as a standalone Go library to embed PHP in any app u
 
 ```console
 docker run -v $PWD:/app/public \
-    -p 80:80 -p 443:443 \
+    -p 80:80 -p 443:443 -p 443:443/udp \
     dunglas/frankenphp
 ```
 
@@ -28,7 +28,8 @@ Go to `https://localhost`, and enjoy!
 
 > [!TIP]
 >
-> Do not attempt to use `https://127.0.0.1`. Use `localhost` and accept the self-signed certificate. Caddy has an automatic TLS handling that auto-trusts some local-based hostnames like `localhost`, but it does not apply to IP addresses. More details [on Caddy's "automatic https" docs](https://caddyserver.com/docs/automatic-https#hostname-requirements).
+> Do not attempt to use `https://127.0.0.1`. Use `localhost` and accept the self-signed certificate.
+> Use the [`SERVER_NAME` environment variable](docs/config.md#environment-variables) to change the domain to use.
 
 ### Standalone Binary
 
@@ -54,6 +55,7 @@ You can also run command-line scripts with:
 * [Real-time](https://frankenphp.dev/docs/mercure/)
 * [Configuration](https://frankenphp.dev/docs/config/)
 * [Docker images](https://frankenphp.dev/docs/docker/)
+* [Deploy in production](docs/production.md)
 * [Create **standalone**, self-executable PHP apps](https://frankenphp.dev/docs/embed/)
 * [Create static binaries](https://frankenphp.dev/docs/static/)
 * [Compile from sources](https://frankenphp.dev/docs/compile/)

alpine.Dockerfile

@@ -53,6 +53,7 @@ ENV PATH /usr/local/go/bin:$PATH
 RUN apk add --no-cache --virtual .build-deps \
 	$PHPIZE_DEPS \
 	argon2-dev \
+	brotli-dev \
 	coreutils \
 	curl-dev \
 	gnu-libiconv-dev \

build-static.sh

@@ -22,7 +22,7 @@ if [ -z "${PHP_EXTENSIONS}" ]; then
     fi
 fi
 
-if [ -z "${PHP_EXTENSIONS_LIB}" ]; then
+if [ -z "${PHP_EXTENSION_LIBS}" ]; then
     export PHP_EXTENSION_LIBS="bzip2,freetype,libavif,libjpeg,liblz4,libwebp,libzip"
 fi
 
@@ -97,11 +97,12 @@ else
 
     ./bin/spc doctor
     ./bin/spc fetch --with-php="${PHP_VERSION}" --for-extensions="${PHP_EXTENSIONS}"
+    # the Brotli library must always be built as it is required by http://github.com/dunglas/caddy-cbrotli
     # shellcheck disable=SC2086
-    ./bin/spc build --enable-zts --build-embed ${extraOpts} "${PHP_EXTENSIONS}" --with-libs="${PHP_EXTENSION_LIBS}"
+    ./bin/spc build --enable-zts --build-embed ${extraOpts} "${PHP_EXTENSIONS}" --with-libs="brotli,${PHP_EXTENSION_LIBS}"
 fi
 
-CGO_CFLAGS="-DFRANKENPHP_VERSION=${FRANKENPHP_VERSION} $(./buildroot/bin/php-config --includes | sed s#-I/#-I"${PWD}"/buildroot/#g)"
+CGO_CFLAGS="-DFRANKENPHP_VERSION=${FRANKENPHP_VERSION} -I${PWD}/buildroot/include/ $(./buildroot/bin/php-config --includes | sed s#-I/#-I"${PWD}"/buildroot/#g)"
 if [ -n "${DEBUG_SYMBOLS}" ]; then
     CGO_CFLAGS="-g ${CGO_CFLAGS}"
 fi
@@ -111,7 +112,7 @@ if [ "${os}" = "mac" ]; then
     export CGO_LDFLAGS="-framework CoreFoundation -framework SystemConfiguration"
 fi
 
-CGO_LDFLAGS="${CGO_LDFLAGS} $(./buildroot/bin/php-config --ldflags) $(./buildroot/bin/php-config --libs)"
+CGO_LDFLAGS="${CGO_LDFLAGS} ${PWD}/buildroot/lib/libbrotlicommon.a ${PWD}/buildroot/lib/libbrotlienc.a ${PWD}/buildroot/lib/libbrotlidec.a $(./buildroot/bin/php-config --ldflags) $(./buildroot/bin/php-config --libs)"
 export CGO_LDFLAGS
 
 LIBPHP_VERSION="$(./buildroot/bin/php-config --version)"
@@ -122,6 +123,7 @@ cd ../..
 # Embed PHP app, if any
 if [ -n "${EMBED}" ] && [ -d "${EMBED}" ]; then
     tar -cf app.tar -C "${EMBED}" .
+    md5 -q app.tar > app_checksum.txt
 fi
 
 if [ "${os}" = "linux" ]; then
@@ -139,6 +141,7 @@ cd ../..
 
 if [ -d "${EMBED}" ]; then
     truncate -s 0 app.tar
+    truncate -s 0 app_checksum.txt
 fi
 
 "dist/${bin}" version

caddy/frankenphp/Caddyfile

@@ -16,20 +16,20 @@
 {$CADDY_EXTRA_CONFIG}
 
 {$SERVER_NAME:localhost} {
-	log {
-		# Redact the authorization query parameter that can be set by Mercure
-		format filter {
-			wrap console
-			fields {
-				uri query {
-					replace authorization REDACTED
-				}
-			}
-		}
-	}
+	#log {
+	#	# Redact the authorization query parameter that can be set by Mercure
+	#	format filter {
+	#		wrap console
+	#		fields {
+	#			uri query {
+	#				replace authorization REDACTED
+	#			}
+	#		}
+	#	}
+	#}
 
 	root * public/
-	encode zstd gzip
+	encode zstd br gzip
 
 	# Uncomment the following lines to enable Mercure and Vulcain modules
 	#mercure {

caddy/frankenphp/main.go

@@ -8,6 +8,7 @@ import (
 
 	// plug in Caddy modules here.
 	_ "github.com/caddyserver/caddy/v2/modules/standard"
+	_ "github.com/dunglas/caddy-cbrotli"
 	_ "github.com/dunglas/frankenphp/caddy"
 	_ "github.com/dunglas/mercure/caddy"
 	_ "github.com/dunglas/vulcain/caddy"

caddy/go.mod

@@ -9,14 +9,22 @@ retract v1.0.0-rc.1 // Human error
 require (
 	github.com/caddyserver/caddy/v2 v2.7.6
 	github.com/caddyserver/certmagic v0.20.0
-	github.com/dunglas/frankenphp v1.0.1
-	github.com/dunglas/mercure/caddy v0.15.7
+	github.com/dunglas/caddy-cbrotli v1.0.0
+	github.com/dunglas/frankenphp v1.0.3
+	github.com/dunglas/mercure/caddy v0.15.9
 	github.com/dunglas/vulcain/caddy v1.0.1
 	github.com/spf13/cobra v1.8.0
 	go.uber.org/automaxprocs v1.5.3
 	go.uber.org/zap v1.26.0
 )
 
+require (
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
+	github.com/micromdm/scep/v2 v2.1.0 // indirect
+	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+)
+
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
@@ -26,12 +34,11 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/MauriceGit/skiplist v0.0.0-20211105230623-77f5c8d3e145 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/RoaringBitmap/roaring v1.7.0 // indirect
+	github.com/RoaringBitmap/roaring v1.8.0 // indirect
 	github.com/alecthomas/chroma/v2 v2.12.0 // indirect
-	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bits-and-blooms/bitset v1.12.0 // indirect
+	github.com/bits-and-blooms/bitset v1.13.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -43,7 +50,7 @@ require (
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
 	github.com/dlclark/regexp2 v1.10.0 // indirect
 	github.com/dunglas/httpsfv v1.0.2 // indirect
-	github.com/dunglas/mercure v0.15.7 // indirect
+	github.com/dunglas/mercure v0.15.9 // indirect
 	github.com/dunglas/vulcain v1.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -65,12 +72,13 @@ require (
 	github.com/golang/glog v1.2.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/brotli/go/cbrotli v0.0.0-20240116120200-adbc354d23af // indirect
 	github.com/google/cel-go v0.15.1 // indirect
 	github.com/google/certificate-transparency-go v1.1.7 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
-	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
-	github.com/google/uuid v1.5.0 // indirect
+	github.com/google/pprof v0.0.0-20240125082051-42cd04596328 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
@@ -86,11 +94,11 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgproto3/v2 v2.3.2 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect
-	github.com/jackc/pgtype v1.14.0 // indirect
+	github.com/jackc/pgtype v1.14.1 // indirect
 	github.com/jackc/pgx/v4 v4.18.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevburnsjr/skipfilter v0.0.1 // indirect
-	github.com/klauspost/compress v1.17.4 // indirect
+	github.com/klauspost/compress v1.17.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -99,27 +107,25 @@ require (
 	github.com/mastercactapus/proxyprotocol v0.0.4 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mholt/acmez v1.2.0 // indirect
-	github.com/miekg/dns v1.1.57 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
+	github.com/onsi/ginkgo/v2 v2.15.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.17.0 // indirect
+	github.com/prometheus/client_golang v1.18.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/common v0.46.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/quic-go/quic-go v0.40.1 // indirect
+	github.com/quic-go/quic-go v0.41.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
@@ -127,13 +133,10 @@ require (
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/slackhq/nebula v1.8.1 // indirect
-	github.com/smallstep/certificates v0.25.2 // indirect
-	github.com/smallstep/go-attestation v0.4.4-0.20230627102604-cf579e53cbd2 // indirect
+	github.com/slackhq/nebula v1.8.2 // indirect
+	github.com/smallstep/certificates v0.25.0 // indirect
 	github.com/smallstep/nosql v0.6.0 // indirect
-	github.com/smallstep/pkcs7 v0.0.0-20231107075624-be1870d87d13 // indirect
-	github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d // indirect
-	github.com/smallstep/truststore v0.13.0 // indirect
+	github.com/smallstep/truststore v0.12.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
@@ -146,7 +149,7 @@ require (
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
-	github.com/unrolled/secure v1.13.0 // indirect
+	github.com/unrolled/secure v1.14.0 // indirect
 	github.com/urfave/cli v1.22.14 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
@@ -154,7 +157,7 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.etcd.io/bbolt v1.3.8 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
 	go.opentelemetry.io/contrib/propagators/autoprop v0.45.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.20.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.20.0 // indirect
@@ -168,23 +171,23 @@ require (
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.step.sm/cli-utils v0.8.0 // indirect
-	go.step.sm/crypto v0.38.0 // indirect
+	go.step.sm/crypto v0.36.0 // indirect
 	go.step.sm/linkedca v0.20.1 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/sync v0.5.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/term v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect
-	google.golang.org/grpc v1.60.1 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect
+	google.golang.org/grpc v1.61.0 // indirect
+	google.golang.org/protobuf v1.32.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect

caddy/go.sum

@@ -5,8 +5,8 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI=
 cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8=
-cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM=
-cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI=
+cloud.google.com/go/kms v1.15.2 h1:lh6qra6oC4AyWe5fUUUBe/S27k12OHAleOOOw6KakdE=
+cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M=
@@ -31,8 +31,8 @@ github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/RoaringBitmap/roaring v0.9.4/go.mod h1:icnadbWcNyfEHlYdr+tDlOTih1Bf/h+rzPpv4sbomAA=
-github.com/RoaringBitmap/roaring v1.7.0 h1:OZF303tJCER1Tj3x+aArx/S5X7hrT186ri6JjrGvG68=
-github.com/RoaringBitmap/roaring v1.7.0/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
+github.com/RoaringBitmap/roaring v1.8.0 h1:h3Tbzc/4K7sW3sRMlBdOIW77x9rikkqvOgU/j+ofkn0=
+github.com/RoaringBitmap/roaring v1.8.0/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
 github.com/alecthomas/assert/v2 v2.2.1 h1:XivOgYcduV98QCahG8T5XTezV5bylXe+lBxLG2K2ink=
 github.com/alecthomas/assert/v2 v2.2.1/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
@@ -46,13 +46,15 @@ github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/g
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b h1:uUXgbcPDK3KpW29o4iy7GtuappbWT0l5NaMo9H9pJDw=
 github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
-github.com/aws/aws-sdk-go v1.48.7 h1:gDcOhmkohlNk20j0uWpko5cLBbwSkB+xpkshQO45F7Y=
-github.com/aws/aws-sdk-go v1.48.7/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.46.4 h1:48tKgtm9VMPkb6y7HuYlsfhQmoIRAsTEXTsWLVlty4M=
+github.com/aws/aws-sdk-go v1.46.4/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
-github.com/bits-and-blooms/bitset v1.12.0 h1:U/q1fAF7xXRhFCrhROzIfffYnu+dlS38vCZtmFVPHmA=
 github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
+github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
 github.com/caddyserver/caddy/v2 v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
 github.com/caddyserver/caddy/v2 v2.7.6/go.mod h1:JCiwFMnRWjk8lOa7po0wM/75kwd38ccJPMSrXvQCMQ0=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
@@ -104,12 +106,14 @@ github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55k
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dlclark/regexp2 v1.10.0 h1:+/GIL799phkJqYW+3YbOd8LCcbHzT0Pbo8zl70MHsq0=
 github.com/dlclark/regexp2 v1.10.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dunglas/caddy-cbrotli v1.0.0 h1:+WNqXBkWyMcIpXB2rVZ3nwcElUbuAzf0kPxNXU4D+u0=
+github.com/dunglas/caddy-cbrotli v1.0.0/go.mod h1:KZsUu3fnQBgO0o3YDoQuO3Z61dFgUncr1F8rg8acwQw=
 github.com/dunglas/httpsfv v1.0.2 h1:iERDp/YAfnojSDJ7PW3dj1AReJz4MrwbECSSE59JWL0=
 github.com/dunglas/httpsfv v1.0.2/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
-github.com/dunglas/mercure v0.15.7 h1:YCfRV9/FfzWChaq+nP8MgzvOFWooh5sZpCYzf8L/vrM=
-github.com/dunglas/mercure v0.15.7/go.mod h1:XaoFWPL/mAnAMNcRjLnj8kPshX8DP/2Oe2P85JUzXXQ=
-github.com/dunglas/mercure/caddy v0.15.7 h1:cHq3WFtoeOK7bzG/qJ0ANVmAEQ7jD9pctQoKE9aNiBc=
-github.com/dunglas/mercure/caddy v0.15.7/go.mod h1:4ahOCL6akkdF5N9lv3TBvIQbQqW+iUSv/nYRio/d1G0=
+github.com/dunglas/mercure v0.15.9 h1:Jdbi4jwzfIkZCcDX54W5C21S4kQX2AszfcoOAnSLZPw=
+github.com/dunglas/mercure v0.15.9/go.mod h1:1CY1/D2sZ3RxLWCcAODowg/2yINbiG7IJf2fJCFDj3A=
+github.com/dunglas/mercure/caddy v0.15.9 h1:YqHNSZ6XKKQsK2jiMkttOIkaq80e0lC8rnOXaV/bhxQ=
+github.com/dunglas/mercure/caddy v0.15.9/go.mod h1:cM+991N0bpMw4R/79DM4dCEtbyyikHfZfwDOiCF/qx4=
 github.com/dunglas/vulcain v1.0.1 h1:S6bJYYwb8q7BlyQwYqHio0lyPYfBUvzY2dB3WlZXELU=
 github.com/dunglas/vulcain v1.0.1/go.mod h1:i209S5QmwiSpsxj/nqTsDAd7TP7OyG4MrsEX0jqAF1o=
 github.com/dunglas/vulcain/caddy v1.0.1 h1:wso79xuGcxgrxsCCYeGiurfNz/N20jI8JHjPWuu2BPU=
@@ -136,8 +140,8 @@ github.com/go-kit/kit v0.13.0/go.mod h1:phqEHMMUbyrCFCTgH48JueqrM3md2HcAZ8N3XE4F
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
 github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -174,6 +178,8 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/brotli/go/cbrotli v0.0.0-20240116120200-adbc354d23af h1:u7V797aWjlj0X9mAvcNXVNZujo6ACoSapaf/s7EIqo8=
+github.com/google/brotli/go/cbrotli v0.0.0-20240116120200-adbc354d23af/go.mod h1:nOPhAkwVliJdNTkj3gXpljmWhjc4wCaVqbMJcPKWP4s=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/cel-go v0.15.1 h1:iTgVZor2x9okXtmTrqO8cg4uvqIeaBcWhXtruaWFMYQ=
@@ -186,26 +192,29 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
-github.com/google/go-tpm-tools v0.4.2 h1:iyaCPKt2N5Rd0yz0G8ANa022SgCNZkMpp+db6QELtvI=
-github.com/google/go-tpm-tools v0.4.2/go.mod h1:fGUDZu4tw3V4hUVuFHmiYgRd0c58/IXivn9v3Ea/ck4=
+github.com/google/go-tpm-tools v0.4.1 h1:gYU6iwRo0tY3V6NDnS6m+XYog+b3g6YFhHQl3sYaUL4=
+github.com/google/go-tpm-tools v0.4.1/go.mod h1:w03m0jynhTo7puXTYoyfpNOMqyQ9SB7sixnKWsS/1L0=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
-github.com/google/pprof v0.0.0-20231212022811-ec68065c825e h1:bwOy7hAFd0C91URzMIEBfr6BAz29yk7Qj0cy6S7DJlU=
-github.com/google/pprof v0.0.0-20231212022811-ec68065c825e/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20240125082051-42cd04596328 h1:oI+lCI2DY1BsRrdzMJBhIMxBBdlZJl31YNQC11EiyvA=
+github.com/google/pprof v0.0.0-20240125082051-42cd04596328/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
-github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
+github.com/gorilla/context v0.0.0-20160226214623-1ea25387ff6f/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.4.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/groob/finalizer v0.0.0-20170707115354-4c2ed49aabda/go.mod h1:MyndkAZd5rUMdNogn35MWXBX1UiBigrU8eTj8DoAC2c=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 h1:6UKoz5ujsI55KNpsJH3UwCq3T8kKbZwNZBNPuTTje8U=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1/go.mod h1:YvJ2f6MplWDhfxiUC3KpyTy76kYUZA4W3pTv/wdKQ9Y=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
@@ -264,8 +273,9 @@ github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01C
 github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
 github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
 github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.14.0 h1:y+xUdabmyMkJLyApYuPj38mW+aAIqCe5uuBB51rH3Vw=
 github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
+github.com/jackc/pgtype v1.14.1 h1:LyDar7M2K0tShCWqzJ/ctzF1QC3Wzc9c8a6cHE0PFdc=
+github.com/jackc/pgtype v1.14.1/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
@@ -285,13 +295,14 @@ github.com/kevburnsjr/skipfilter v0.0.1 h1:EWl1lWUJfIehrKYIEkps0Cl67lCfS2pUM9iZF
 github.com/kevburnsjr/skipfilter v0.0.1/go.mod h1:jfaRyFOYVUtIa6IIC+0mB1qiZqhHw+DKvFowCBuijSk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
-github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
+github.com/klauspost/compress v1.17.5 h1:d4vBd+7CHydUqpFBgUEKkSdtSugf9YFmSkvUYPquI5E=
+github.com/klauspost/compress v1.17.5/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc=
 github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -328,14 +339,14 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
-github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/micromdm/scep/v2 v2.1.0 h1:2fS9Rla7qRR266hvUoEauBJ7J6FhgssEiq2OkSKXmaU=
+github.com/micromdm/scep/v2 v2.1.0/go.mod h1:BkF7TkPPhmgJAMtHfP+sFTKXmgzNJgLQlvvGoOExBcc=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -352,10 +363,10 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
 github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
-github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
-github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
-github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
-github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
+github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
+github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
+github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI=
 github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
@@ -363,6 +374,7 @@ github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
 github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
 github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -371,20 +383,18 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
+github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y=
+github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
-github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
-github.com/quic-go/quic-go v0.40.1 h1:X3AGzUNFs0jVuO3esAGnTfvdgvL4fq655WaOi1snv1Q=
-github.com/quic-go/quic-go v0.40.1/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c=
+github.com/quic-go/quic-go v0.41.0 h1:aD8MmHfgqTURWNJy48IYFg2OnxwHT3JL7ahGs73lb4k=
+github.com/quic-go/quic-go v0.41.0/go.mod h1:qCkNjqczPEvgsOnxZ0eCD14lv+B2LHlFAB++CNOh9hA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -414,23 +424,18 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/slackhq/nebula v1.8.1 h1:ZksG1misr1ongDnP8FUUIaalkCJyXD4jL93DCWyM4zE=
-github.com/slackhq/nebula v1.8.1/go.mod h1:KFJPfI2wzLBlnCmB5R5hzeDc9ltlzPROqPvpnC9KYCU=
+github.com/slackhq/nebula v1.8.2 h1:9lpJlivzjBPWxs9Y2tQqmJ1cP6hq+3kIodw021t3LrQ=
+github.com/slackhq/nebula v1.8.2/go.mod h1:SVVwnlGdmLg387U0XQMOSHRrD3VlJeXqd2/x/w/vxPs=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
-github.com/smallstep/certificates v0.25.2 h1:URA/KG11EyWn/UTPJdWxzCylKu8QniaTct7Aaj7PCBQ=
-github.com/smallstep/certificates v0.25.2/go.mod h1:LkOTGAZy+fYUGNwnoASAsH3BGvxi1W1Wu9nkQ+hXSUg=
-github.com/smallstep/go-attestation v0.4.4-0.20230627102604-cf579e53cbd2 h1:UIAS8DTWkeclraEGH2aiJPyNPu16VbT41w4JoBlyFfU=
-github.com/smallstep/go-attestation v0.4.4-0.20230627102604-cf579e53cbd2/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
+github.com/smallstep/certificates v0.25.0 h1:WWihtjQ7SprnRxDV44mBp8t5SMsNO5EWsQaEwy1rgFg=
+github.com/smallstep/certificates v0.25.0/go.mod h1:thJmekMKUplKYip+la99Lk4IwQej/oVH/zS9PVMagEE=
+github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 h1:kjYvkvS/Wdy0PVRDUAA0gGJIVSEZYhiAJtfwYgOYoGA=
+github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
 github.com/smallstep/nosql v0.6.0 h1:ur7ysI8s9st0cMXnTvB8tA3+x5Eifmkb6hl4uqNV5jc=
 github.com/smallstep/nosql v0.6.0/go.mod h1:jOXwLtockXORUPPZ2MCUcIkGR6w0cN1QGZniY9DITQA=
-github.com/smallstep/pkcs7 v0.0.0-20231024181729-3b98ecc1ca81/go.mod h1:SoUAr/4M46rZ3WaLstHxGhLEgoYIDRqxQEXLOmOEB0Y=
-github.com/smallstep/pkcs7 v0.0.0-20231107075624-be1870d87d13 h1:qRxEt9ESQhAg1kjmgJ8oyyzlc9zkAjOooe7bcKjKORQ=
-github.com/smallstep/pkcs7 v0.0.0-20231107075624-be1870d87d13/go.mod h1:SoUAr/4M46rZ3WaLstHxGhLEgoYIDRqxQEXLOmOEB0Y=
-github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d h1:06LUHn4Ia2X6syjIaCMNaXXDNdU+1N/oOHynJbWgpXw=
-github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d/go.mod h1:4d0ub42ut1mMtvGyMensjuHYEUpRrASvkzLEJvoRQcU=
-github.com/smallstep/truststore v0.13.0 h1:90if9htAOblavbMeWlqNLnO9bsjjgVv2hQeQJCi/py4=
-github.com/smallstep/truststore v0.13.0/go.mod h1:3tmMp2aLKZ/OA/jnFUB0cYPcho402UG2knuJoPh4j7A=
+github.com/smallstep/truststore v0.12.1 h1:guLUKkc1UlsXeS3t6BuVMa4leOOpdiv02PCRTiy1WdY=
+github.com/smallstep/truststore v0.12.1/go.mod h1:M4mebeNy28KusGX3lJxpLARIktLcyqBOrj3ZiZ46pqw=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -488,8 +493,8 @@ github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/ugorji/go/codec v1.2.7 h1:YPXUKf7fYbp/y8xloBqZOw2qaVggbfwMlI8WM3wZUJ0=
 github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY=
-github.com/unrolled/secure v1.13.0 h1:sdr3Phw2+f8Px8HE5sd1EHdj1aV3yUwed/uZXChLFsk=
-github.com/unrolled/secure v1.13.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
+github.com/unrolled/secure v1.14.0 h1:u9vJTU/pR4Bny0ntLUMxdfLtmIRGvQf2sEFuA0TG9AE=
+github.com/unrolled/secure v1.14.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -512,10 +517,13 @@ github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
 go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.mozilla.org/pkcs7 v0.0.0-20210730143726-725912489c62/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
 go.opentelemetry.io/contrib/propagators/autoprop v0.45.0 h1:FT/JCFzjzXgyp/aXkQeywnI/Tl8ZtKhvusVtZOokmFM=
 go.opentelemetry.io/contrib/propagators/autoprop v0.45.0/go.mod h1:L/2JIbqAmGzBvGJ3rXA+KXmWXUuUYUDZnhXeJttjJRg=
 go.opentelemetry.io/contrib/propagators/aws v1.20.0 h1:PByDRx6xPygwFP+L3FTlOifJoCB10T2LdRBZcDYMTJw=
@@ -542,8 +550,8 @@ go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lI
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.step.sm/cli-utils v0.8.0 h1:b/Tc1/m3YuQq+u3ghTFP7Dz5zUekZj6GUmd5pCvkEXQ=
 go.step.sm/cli-utils v0.8.0/go.mod h1:S77aISrC0pKuflqiDfxxJlUbiXcAanyJ4POOnzFSxD4=
-go.step.sm/crypto v0.38.0 h1:kRVtzOjplP5xDh9UlenXdDAtXWCfVL6GevZgpiom1Zg=
-go.step.sm/crypto v0.38.0/go.mod h1:0Cv9UB8sHqnsLO14FhboDE/OIN993c3G0ImOafTS2AI=
+go.step.sm/crypto v0.36.0 h1:njrVQqjWVyCzHxqQUDprR7HXypZX8IxtOqe4IIHSjgU=
+go.step.sm/crypto v0.36.0/go.mod h1:XMRbgkhoigPLaPMjZeY1VFIYXVw03Wul0+5lENF6l7c=
 go.step.sm/linkedca v0.20.1 h1:bHDn1+UG1NgRrERkWbbCiAIvv4lD5NOFaswPDTyO5vU=
 go.step.sm/linkedca v0.20.1/go.mod h1:Vaq4+Umtjh7DLFI1KuIxeo598vfBzgSYZUjgVJ7Syxw=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -580,16 +588,17 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 h1:+iq7lrkxmFNBM7xx+Rae2W6uyPfhPeDWD+n+JgppptE=
-golang.org/x/exp v0.0.0-20231219180239-dc181d75b848/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
+golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20170726083632-f5079bd7f6f7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -598,14 +607,15 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
-golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
-golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
+golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
+golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20170728174421-0f826bdd13b5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -630,15 +640,15 @@ golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -661,8 +671,8 @@ golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -673,18 +683,18 @@ google.golang.org/api v0.153.0 h1:N1AwGhielyKFaUqH07/ZSIQR3uNPcV7NVw0vj+j4iR4=
 google.golang.org/api v0.153.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 h1:1hfbdAfFbkmpg41000wDVqr7jUpK/Yo+LPnIxxGzmkg=
-google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3/go.mod h1:5RBcpGRxr25RbDzY5w+dmaqpSEvl8Gwl1x2CICf60ic=
-google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0 h1:s1w3X6gQxwrLEpxnLd/qXTVLgQE2yXwaOaoa6IlY/+o=
-google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0/go.mod h1:CAny0tYF+0/9rmDB9fahA9YLzX3+AEVl1qXbv5hhj6c=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 h1:/jFB8jK5R3Sq3i/lmeZO0cATSzFfZaJq1J2Euan3XKU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0/go.mod h1:FUoWkonphQm3RhTS+kOEhF8h0iDpm4tdXolVCeZ9KKA=
-google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU=
-google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
+google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac h1:ZL/Teoy/ZGnzyrqK/Optxxp2pmVh+fmJ97slxSRyzUg=
+google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:+Rvu7ElI+aLzyDQhpHMFMMltsD6m7nqpuWDd2CwJw3k=
+google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe h1:0poefMBYvYbs7g5UkjS6HcxBPaTRAmznle9jnxYoAI8=
+google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe h1:bQnxqljG/wqi4NTXu2+DJ3n7APcEA882QZ1JvhQAq9o=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s=
+google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0=
+google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
+google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

caddy/php-server.go

@@ -4,11 +4,14 @@ import (
 	"encoding/json"
 	"log"
 	"net/http"
+	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
 
+	mercureModule "github.com/dunglas/mercure/caddy"
+
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
@@ -26,7 +29,7 @@ import (
 func init() {
 	caddycmd.RegisterCommand(caddycmd.Command{
 		Name:  "php-server",
-		Usage: "[--domain <example.com>] [--root <path>] [--listen <addr>] [--worker /path/to/worker.php<,nb-workers>] [--access-log] [--debug] [--no-compress]",
+		Usage: "[--domain <example.com>] [--root <path>] [--listen <addr>] [--worker /path/to/worker.php<,nb-workers>] [--access-log] [--debug] [--no-compress] [--mercure]",
 		Short: "Spins up a production-ready PHP server",
 		Long: `
 A simple but production-ready PHP server. Useful for quick deployments,
@@ -47,7 +50,8 @@ For more advanced use cases, see https://github.com/dunglas/frankenphp/blob/main
 			cmd.Flags().StringArrayP("worker", "w", []string{}, "Worker script")
 			cmd.Flags().BoolP("access-log", "a", false, "Enable the access log")
 			cmd.Flags().BoolP("debug", "v", false, "Enable verbose debug logs")
-			cmd.Flags().BoolP("no-compress", "", false, "Disable Zstandard and Gzip compression")
+			cmd.Flags().BoolP("mercure", "m", false, "Enable the built-in Mercure.rocks hub")
+			cmd.Flags().BoolP("no-compress", "", false, "Disable Zstandard, Brotli and Gzip compression")
 			cmd.RunE = caddycmd.WrapCommandFuncForCobra(cmdPHPServer)
 		},
 	})
@@ -63,6 +67,7 @@ func cmdPHPServer(fs caddycmd.Flags) (int, error) {
 	accessLog := fs.Bool("access-log")
 	debug := fs.Bool("debug")
 	compress := !fs.Bool("no-compress")
+	mercure := fs.Bool("mercure")
 
 	workers, err := fs.GetStringArray("worker")
 	if err != nil {
@@ -88,6 +93,27 @@ func cmdPHPServer(fs caddycmd.Flags) (int, error) {
 	}
 
 	if frankenphp.EmbeddedAppPath != "" {
+		if _, err := os.Stat(filepath.Join(frankenphp.EmbeddedAppPath, "php.ini")); err == nil {
+			iniScanDir := os.Getenv("PHP_INI_SCAN_DIR")
+
+			if err := os.Setenv("PHP_INI_SCAN_DIR", iniScanDir+":"+frankenphp.EmbeddedAppPath); err != nil {
+				return caddy.ExitCodeFailedStartup, err
+			}
+		}
+
+		if _, err := os.Stat(filepath.Join(frankenphp.EmbeddedAppPath, "Caddyfile")); err == nil {
+			config, _, err := caddycmd.LoadConfig(filepath.Join(frankenphp.EmbeddedAppPath, "Caddyfile"), "")
+			if err != nil {
+				return caddy.ExitCodeFailedStartup, err
+			}
+
+			if err = caddy.Load(config, true); err != nil {
+				return caddy.ExitCodeFailedStartup, err
+			}
+
+			select {}
+		}
+
 		if root == "" {
 			root = filepath.Join(frankenphp.EmbeddedAppPath, defaultDocumentRoot)
 		} else if filepath.IsLocal(root) {
@@ -175,6 +201,11 @@ func cmdPHPServer(fs caddycmd.Flags) (int, error) {
 			return caddy.ExitCodeFailedStartup, err
 		}
 
+		br, err := caddy.GetModule("http.encoders.br")
+		if err != nil {
+			return caddy.ExitCodeFailedStartup, err
+		}
+
 		zstd, err := caddy.GetModule("http.encoders.zstd")
 		if err != nil {
 			return caddy.ExitCodeFailedStartup, err
@@ -185,15 +216,49 @@ func cmdPHPServer(fs caddycmd.Flags) (int, error) {
 			HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(encode.Encode{
 				EncodingsRaw: caddy.ModuleMap{
 					"zstd": caddyconfig.JSON(zstd.New(), nil),
+					"br":   caddyconfig.JSON(br.New(), nil),
 					"gzip": caddyconfig.JSON(gzip.New(), nil),
 				},
-				Prefer: []string{"zstd", "gzip"},
+				Prefer: []string{"zstd", "br", "gzip"},
 			}, "handler", "encode", nil)},
 		}
 
 		subroute.Routes = append(caddyhttp.RouteList{encodeRoute}, subroute.Routes...)
 	}
 
+	if mercure {
+		mercurePublisherJwtKey := os.Getenv("MERCURE_PUBLISHER_JWT_KEY")
+		if mercurePublisherJwtKey == "" {
+			panic(`The "MERCURE_PUBLISHER_JWT_KEY" environment variable must be set to use the Mercure.rocks hub`)
+		}
+
+		mercureSubscriberJwtKey := os.Getenv("MERCURE_SUBSCRIBER_JWT_KEY")
+		if mercureSubscriberJwtKey == "" {
+			panic(`The "MERCURE_SUBSCRIBER_JWT_KEY" environment variable must be set to use the Mercure.rocks hub`)
+		}
+
+		mercureRoute := caddyhttp.Route{
+			HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(
+				mercureModule.Mercure{
+					PublisherJWT: mercureModule.JWTConfig{
+						Alg: os.Getenv("MERCURE_PUBLISHER_JWT_ALG"),
+						Key: mercurePublisherJwtKey,
+					},
+					SubscriberJWT: mercureModule.JWTConfig{
+						Alg: os.Getenv("MERCURE_SUBSCRIBER_JWT_ALG"),
+						Key: mercureSubscriberJwtKey,
+					},
+				},
+				"handler",
+				"mercure",
+				nil,
+			),
+			},
+		}
+
+		subroute.Routes = append(caddyhttp.RouteList{mercureRoute}, subroute.Routes...)
+	}
+
 	route := caddyhttp.Route{
 		HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(subroute, "handler", "subroute", nil)},
 	}

dev-alpine.Dockerfile

@@ -3,57 +3,58 @@ FROM golang:1.21-alpine
 
 ENV CFLAGS="-ggdb3"
 ENV PHPIZE_DEPS \
-    autoconf \
-    dpkg-dev \
-    file \
-    g++ \
-    gcc \
-    libc-dev \
-    make \
-    pkgconfig \
-    re2c
+	autoconf \
+	dpkg-dev \
+	file \
+	g++ \
+	gcc \
+	libc-dev \
+	make \
+	pkgconfig \
+	re2c
 
 RUN apk add --no-cache \
-    $PHPIZE_DEPS \
-    argon2-dev \
-    curl-dev \
-    oniguruma-dev \
-    readline-dev \
-    libsodium-dev \
-    sqlite-dev \
-    openssl-dev \
-    libxml2-dev \
-    zlib-dev \
-    bison \
-    nss-tools \
-    # Dev tools \
-    git \
-    clang \
-    llvm \
-    gdb \
-    valgrind \
-    neovim \
-    zsh \
-    libtool && \
-    echo 'set auto-load safe-path /' > /root/.gdbinit
+	$PHPIZE_DEPS \
+	argon2-dev \
+	brotli-dev \
+	curl-dev \
+	oniguruma-dev \
+	readline-dev \
+	libsodium-dev \
+	sqlite-dev \
+	openssl-dev \
+	libxml2-dev \
+	zlib-dev \
+	bison \
+	nss-tools \
+	# Dev tools \
+	git \
+	clang \
+	llvm \
+	gdb \
+	valgrind \
+	neovim \
+	zsh \
+	libtool && \
+	echo 'set auto-load safe-path /' > /root/.gdbinit
 
 WORKDIR /usr/local/src/php
 RUN git clone --branch=PHP-8.3 https://github.com/php/php-src.git . && \
-    # --enable-embed is only necessary to generate libphp.so, we don't use this SAPI directly
-    ./buildconf --force && \
-    ./configure \
-        --enable-embed \
-        --enable-zts \
-        --disable-zend-signals \
-        --enable-zend-max-execution-timers \
-        --enable-debug && \
-    make -j"$(nproc)" && \
-    make install && \
-    ldconfig /etc/ld.so.conf.d && \
-    cp php.ini-development /usr/local/lib/php.ini && \
-    echo "zend_extension=opcache.so" >> /usr/local/lib/php.ini && \
-    echo "opcache.enable=1" >> /usr/local/lib/php.ini && \
-    php --version
+	# --enable-embed is only necessary to generate libphp.so, we don't use this SAPI directly
+	./buildconf --force && \
+	./configure \
+		--enable-embed \
+		--enable-zts \
+		--disable-zend-signals \
+		--enable-zend-max-execution-timers \
+		--enable-debug && \
+	make -j"$(nproc)" && \
+	make install && \
+	ldconfig /etc/ld.so.conf.d && \
+	cp php.ini-development /usr/local/lib/php.ini && \
+	echo "zend_extension=opcache.so" >> /usr/local/lib/php.ini && \
+	echo "opcache.enable=1" >> /usr/local/lib/php.ini && \
+	php --version
 
 WORKDIR /go/src/app
 COPY . .

dev.Dockerfile

@@ -3,62 +3,63 @@ FROM golang:1.21
 
 ENV CFLAGS="-ggdb3"
 ENV PHPIZE_DEPS \
-    autoconf \
-    dpkg-dev \
-    file \
-    g++ \
-    gcc \
-    libc-dev \
-    make \
-    pkg-config \
-    re2c
+	autoconf \
+	dpkg-dev \
+	file \
+	g++ \
+	gcc \
+	libc-dev \
+	make \
+	pkg-config \
+	re2c
 
 # hadolint ignore=DL3009
 RUN apt-get update && \
-    apt-get -y --no-install-recommends install \
-    $PHPIZE_DEPS \
-    libargon2-dev \
-    libcurl4-openssl-dev \
-    libonig-dev \
-    libreadline-dev \
-    libsodium-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    libxml2-dev \
-    zlib1g-dev \
-    bison \
-    libnss3-tools \
-    # Dev tools \
-    git \
-    clang \
-    llvm \
-    gdb \
-    valgrind \
-    neovim \
-    zsh \
-    libtool-bin && \
-    echo 'set auto-load safe-path /' > /root/.gdbinit && \
-    echo '* soft core unlimited' >> /etc/security/limits.conf \
-    && \
-    apt-get clean 
+	apt-get -y --no-install-recommends install \
+	$PHPIZE_DEPS \
+	libargon2-dev \
+	libbrotli-dev \
+	libcurl4-openssl-dev \
+	libonig-dev \
+	libreadline-dev \
+	libsodium-dev \
+	libsqlite3-dev \
+	libssl-dev \
+	libxml2-dev \
+	zlib1g-dev \
+	bison \
+	libnss3-tools \
+	# Dev tools \
+	git \
+	clang \
+	llvm \
+	gdb \
+	valgrind \
+	neovim \
+	zsh \
+	libtool-bin && \
+	echo 'set auto-load safe-path /' > /root/.gdbinit && \
+	echo '* soft core unlimited' >> /etc/security/limits.conf \
+	&& \
+	apt-get clean 
 
 WORKDIR /usr/local/src/php
 RUN git clone --branch=PHP-8.3 https://github.com/php/php-src.git . && \
-    # --enable-embed is only necessary to generate libphp.so, we don't use this SAPI directly
-    ./buildconf --force && \
-    ./configure \
-        --enable-embed \
-        --enable-zts \
-        --disable-zend-signals \
-        --enable-zend-max-execution-timers \
-        --enable-debug && \
-    make -j"$(nproc)" && \
-    make install && \
-    ldconfig && \
-    cp php.ini-development /usr/local/lib/php.ini && \
-    echo "zend_extension=opcache.so" >> /usr/local/lib/php.ini && \
-    echo "opcache.enable=1" >> /usr/local/lib/php.ini && \
-    php --version
+	# --enable-embed is only necessary to generate libphp.so, we don't use this SAPI directly
+	./buildconf --force && \
+	./configure \
+		--enable-embed \
+		--enable-zts \
+		--disable-zend-signals \
+		--enable-zend-max-execution-timers \
+		--enable-debug && \
+	make -j"$(nproc)" && \
+	make install && \
+	ldconfig && \
+	cp php.ini-development /usr/local/lib/php.ini && \
+	echo "zend_extension=opcache.so" >> /usr/local/lib/php.ini && \
+	echo "opcache.enable=1" >> /usr/local/lib/php.ini && \
+	php --version
 
 WORKDIR /go/src/app
 COPY . .

docker-bake.hcl

@@ -123,6 +123,10 @@ target "static-builder" {
     }
     dockerfile = "static-builder.Dockerfile"
     context = "./"
+    platforms = [
+        "linux/amd64",
+        "linux/arm64",
+    ]
     tags = distinct(flatten([
         LATEST ? "${IMAGE_NAME}:static-builder" : "",
         SHA == "" ? "" : "${IMAGE_NAME}:static-builder-sha-${substr(SHA, 0, 7)}",

docs/config.md

@@ -33,7 +33,7 @@ Minimal example:
 
 localhost {
 	# Enable compression (optional)
-	encode zstd gzip
+	encode zstd br gzip
 	# Execute PHP files in the current directory and serve assets
 	php_server
 }
@@ -90,7 +90,7 @@ other.example.com {
 ...
 ```
 
-Using the `php_server` directive is generaly what you need,
+Using the `php_server` directive is generally what you need,
 but if you need full control, you can use the lower level `php` directive:
 
 Using the `php_server` directive is equivalent to this configuration:
@@ -131,7 +131,7 @@ php_server [<matcher>] {
 
 The following environment variables can be used to inject Caddy directives in the `Caddyfile` without modifying it:
 
-* `SERVER_NAME` change the server name
+* `SERVER_NAME`: change [the addresses on which to listen](https://caddyserver.com/docs/caddyfile/concepts#addresses), the provided hostnames will also be used for the generated TLS certificate
 * `CADDY_GLOBAL_OPTIONS`: inject [global options](https://caddyserver.com/docs/caddyfile/options)
 * `FRANKENPHP_CONFIG`: inject config under the `frankenphp` directive
 
@@ -139,6 +139,12 @@ Unlike with FPM and CLI SAPIs, environment variables are **not** exposed by defa
 
 To propagate environment variables to `$_SERVER` and `$_ENV`, set the `php.ini` `variables_order` directive to `EGPCS`.
 
+## PHP config
+
+To load [additional PHP configuration files](https://www.php.net/manual/en/configuration.file.php#configuration.file.scan),
+the `PHP_INI_SCAN_DIR` environment variable can be used.
+When set, PHP will load all the file with the `.ini` extension present in the given directories.
+
 ## Enable the Debug Mode
 
 When using the Docker image, set the `CADDY_GLOBAL_OPTIONS` environment variable to `debug` to enable the debug mode:
@@ -146,6 +152,6 @@ When using the Docker image, set the `CADDY_GLOBAL_OPTIONS` environment variable
 ```console
 docker run -v $PWD:/app/public \
     -e CADDY_GLOBAL_OPTIONS=debug \
-    -p 80:80 -p 443:443 \
+    -p 80:80 -p 443:443 -p 443:443/udp \
     dunglas/frankenphp
 ```

docs/docker.md

@@ -29,13 +29,11 @@ FROM dunglas/frankenphp
 
 # add additional extensions here:
 RUN install-php-extensions \
-    pdo_mysql \
-    gd \
-    intl \
-    zip \
-    opcache
-
-# ...
+	pdo_mysql \
+	gd \
+	intl \
+	zip \
+	opcache
 ```
 
 ## How to Install More Caddy Modules
@@ -53,13 +51,13 @@ COPY --from=caddy:builder /usr/bin/xcaddy /usr/bin/xcaddy
 # CGO must be enabled to build FrankenPHP
 ENV CGO_ENABLED=1 XCADDY_SETCAP=1 XCADDY_GO_BUILD_FLAGS="-ldflags '-w -s'"
 RUN xcaddy build \
-    --output /usr/local/bin/frankenphp \
-    --with github.com/dunglas/frankenphp=./ \
-    --with github.com/dunglas/frankenphp/caddy=./caddy/ \
-    # Mercure and Vulcain are included in the official build, but feel free to remove them
-    --with github.com/dunglas/mercure/caddy \
-    --with github.com/dunglas/vulcain/caddy
-    # Add extra Caddy modules here
+	--output /usr/local/bin/frankenphp \
+	--with github.com/dunglas/frankenphp=./ \
+	--with github.com/dunglas/frankenphp/caddy=./caddy/ \
+	# Mercure and Vulcain are included in the official build, but feel free to remove them
+	--with github.com/dunglas/mercure/caddy \
+	--with github.com/dunglas/vulcain/caddy
+	# Add extra Caddy modules here
 
 FROM dunglas/frankenphp AS runner
 
@@ -92,9 +90,13 @@ ENV FRANKENPHP_CONFIG="worker ./public/index.php"
 To develop easily with FrankenPHP, mount the directory from your host containing the source code of the app as a volume in the Docker container:
 
 ```console
-docker run -v $PWD:/app/public -p 80:80 -p 443:443 my-php-app
+docker run -v $PWD:/app/public -p 80:80 -p 443:443 -p 443:443/udp --tty my-php-app
 ```
 
+> ![TIP]
+>
+> The `--tty` option allows to have nice human-readable logs instead of JSON logs.
+
 With Docker Compose:
 
 ```yaml
@@ -108,8 +110,9 @@ services:
     # uncomment the following line if you want to run this in a production environment
     # restart: always
     ports:
-      - 80:80
-      - 443:443
+      - "80:80" # HTTP
+      - "443:443" # HTTPS
+      - "443:443/udp" # HTTP/3
     volumes:
       - ./:/app/public
       - caddy_data:/data
@@ -122,3 +125,37 @@ volumes:
   caddy_data:
   caddy_config:
 ```
+
+## Running as a Non-Root User
+
+FrankenPHP can run as non root user in Docker.
+
+Here is a sample `Dockerfile` doing this:
+
+```dockerfile
+FROM dunglas/frankenphp
+
+ARG USER=www-data
+USER ${USER}
+
+RUN adduser -D ${USER} \
+	# Caddy requires an additional capability to bind to port 80 and 443
+	setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/frankenphp
+	# Caddy requires write access to /data/caddy and /config/caddy
+	RUN chown -R ${USER}:${USER} /data/caddy && chown -R ${USER}:${USER} /config/caddy
+```
+
+## Updates
+
+The Docker images are built:
+
+* when a new release is tagged
+* daily at 4am UTC, if new versions of the official PHP images are available
+
+## Development Versions
+
+Development versions are available in the [`dunglas/frankenphp-dev`](https://hub.docker.com/repository/docker/dunglas/frankenphp-dev) Docker repository.
+A new build is triggered every time a commit is pushed to the main branch of the GitHub repository.
+
+The `latest*` tags point to the head of the `main` branch.
+Tags of the form `sha-<git-commit-hash>` are also available.

docs/known-issues.md

@@ -40,4 +40,59 @@ The following extensions are known not to be compatible with FrankenPHP:
 
 ## get_browser
 
-The [get_browser](https://www.php.net/manual/en/function.get-browser.php) function seems to have a bad performance after a while. A workaround is to cache (e.g. with APCU) the results per User Agent, as they are static anyway.
+The [get_browser()](https://www.php.net/manual/en/function.get-browser.php) function seems to perform badly after a while. A workaround is to cache (e.g. with APCU) the results per User Agent, as they are static.
+
+## Standalone Binary and Alpine-based Docker Images
+
+The standalone binary and Alpine-based docker images (`dunglas/frankenphp:*-alpine`) use [musl libc](https://musl.libc.org/) instead of [glibc and friends](https://www.etalabs.net/compare_libcs.html), to keep a smaller binary size. This may lead to some compatibility issues. In particular, the glob flag `GLOB_BRACE` is [not available](https://www.php.net/manual/en/function.glob.php)
+
+## Using `https://127.0.0.1` with Docker
+
+By default, FrankenPHP generates a TLS certificate for `localhost`.
+It's the easiest and recommended option for local development.
+
+If you really want to use `127.0.0.1` as a host instead, it's possible to configure it to generate a certificate for it by setting the server name to `127.0.0.1`.
+
+Unfortunately, this is not enough when using Docker because of [its networking system](https://docs.docker.com/network/).
+You will get a TLS error similar to `curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error`.
+
+If you're using Linux, a solution is to use [the host networking driver](https://docs.docker.com/network/network-tutorial-host/):
+
+```console
+docker run \
+    -e SERVER_NAME="127.0.0.1" \
+    -v $PWD:/app/public \
+    --network host \
+    dunglas/frankenphp
+```
+
+The host networking driver isn't supported on Mac and Windows. On these platforms, you will have to guess the IP address of the container and include it in the server names.
+
+Run the `docker network inspect bridge` and look at the `Containers` key to identify the last currently assigned IP address under the `IPv4Address` key, and increment it by one. If no container is running, the first assigned IP address is usually `172.17.0.2`.
+
+Then, include this in the `SERVER_NAME` environment variable:
+
+```console
+docker run \
+    -e SERVER_NAME="127.0.0.1, 172.17.0.3" \
+    -v $PWD:/app/public \
+    -p 80:80 -p 443:443 -p 443:443/udp \
+    dunglas/frankenphp
+```
+
+> ![CAUTION]
+>
+> Be sure to replace `172.17.0.3` with the IP that will be assigned to your container.
+
+You should now be able to access `https://127.0.0.1` from the host machine.
+
+If that's not the case, start FrankenPHP in debug mode to try to figure out the problem:
+
+```console
+docker run \
+    -e CADDY_GLOBAL_OPTIONS="debug"
+    -e SERVER_NAME="127.0.0.1" \
+    -v $PWD:/app/public \
+    -p 80:80 -p 443:443 -p 443:443/udp \
+    dunglas/frankenphp
+```

docs/laravel.md

@@ -7,7 +7,7 @@ Serving a [Laravel](https://laravel.com) web application with FrankenPHP is as e
 Run this command from the main directory of your Laravel app:
 
 ```console
-docker run -p 443:443 -v $PWD:/app dunglas/frankenphp
+docker run -p 80:80 -p 443:443 -p 443:443/udp -v $PWD:/app dunglas/frankenphp
 ```
 
 And enjoy!
@@ -30,7 +30,7 @@ Alternatively, you can run your Laravel projects with FrankenPHP from your local
     	# Set the webroot to the public/ dir
     	root * public/
     	# Enable compression (optional)
-    	encode zstd gzip
+    	encode zstd br gzip
     	# Execute PHP files in the current directory and serve assets
     	php_server {
     		# Required for the public/storage/ dir
@@ -59,21 +59,20 @@ The Octane server can be started via the `octane:start` Artisan command.
 
 ```console
 php artisan octane:start
-
-//Additional Parameter
-{--server=frankenphp : The server that should be used to serve the application}
-{--host=127.0.0.1 : The IP address the server should bind to}
-{--port= : The port the server should be available on [default: "8000"]}
-{--workers=auto : The number of workers that should be available to handle requests}
-{--task-workers=auto : The number of task workers that should be available to handle tasks}
-{--max-requests=500 : The number of requests to process before reloading the server}
-{--caddyfile= : The path to the FrankenPHP Caddyfile file}
-{--https : Enable HTTPS, HTTP/2, and HTTP/3, and automatically generate and renew certificates}
-{--watch : Automatically reload the server when the application is modified}
-{--poll : Use file system polling while watching in order to watch files over a network}
-{--log-level= : Log messages at or above the specified log level}';
 ```
 
-## Docs
+The `octane:start` command can take the following options:
 
-* [Laravel Octane](https://laravel.com/docs/master/octane)
+* `--host`: The IP address the server should bind to (default: `127.0.0.1`)
+* `--port`: The port the server should be available on (default: `8000`)
+* `--admin-port`: The port the admin server should be available on (default: `2019`)
+* `--workers`: The number of workers that should be available to handle requests (default: `auto`)
+* `--max-requests`: The number of requests to process before reloading the server (default: `500`)
+* `--caddyfile`: The path to the FrankenPHP `Caddyfile` file
+* `--https`: Enable HTTPS, HTTP/2, and HTTP/3, and automatically generate and renew certificates
+* --http-redirect : Enable HTTP to HTTPS redirection (only enabled if --https is passed)
+* `--watch`: Automatically reload the server when the application is modified
+* `--poll`: Use file system polling while watching in order to watch files over a network
+* `--log-level`: Log messages at or above the specified log level
+
+Learn more about [Laravel Octane in its official documentation](https://laravel.com/docs/octane).

docs/production.md

@@ -0,0 +1,138 @@
+# Deploying in Production
+
+In this tutorial, we will learn how to deploy a PHP application on a single server using Docker Compose.
+
+If you're using Symfony, prefer reading the "[Deploy in production](https://github.com/dunglas/symfony-docker/blob/main/docs/production.md)" documentation entry of the Symfony Docker project (which uses FrankenPHP).
+
+If you're using API Platform (which also uses FrankenPHP), refer to [the deployment documentation of the framework](https://api-platform.com/docs/deployment/).
+
+## Preparing Your App
+
+First, create a `Dockerfile` in the root directory of your PHP project:
+
+```dockerfile
+FROM dunglas/frankenphp
+
+# Be sure to replace "your-domain-name.example.com" by your domain name
+ENV SERVER_NAME=your-domain-name.example.com
+# If you want to disable HTTPS, use this value instead:
+#ENV SERVER_NAME=:80
+
+# Enable PHP production settings
+RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+
+# Copy the PHP files of your project in the public directory
+COPY . /app/public
+# If you use Symfony or Laravel, you need to copy the whole project instead:
+#COPY . /app
+```
+
+Refer to "[Building Custom Docker Image](docker.md)" for more details and options,
+and to learn how to customize the configuration, install PHP extensions and Caddy modules.
+
+If your project uses Composer,
+be sure to include it in the Docker image and to install your depedencies.
+
+Then, add a `compose.yaml` file:
+
+```yaml
+services:
+  php:
+    image: dunglas/frankenphp
+    restart: always
+    ports:
+      - "80:80" # HTTP
+      - "443:443" # HTTPS
+      - "443:443/udp" # HTTP/3
+    volumes:
+      - caddy_data:/data
+      - caddy_config:/config
+
+# Volumes needed for Caddy certificates and configuration
+volumes:
+  caddy_data:
+  caddy_config:
+```
+
+> [!NOTE]  
+> The previous examples are intended for production usage.
+> In development, you may want to use a volume, a different PHP configuration and a different value for the `SERVER_NAME` environment variable.
+>
+> Take a look to the [Symfony Docker](https://github.com/dunglas/symfony-docker) project
+> (which uses FrankenPHP) for a more advanced example using multi-stage images,
+> Composer, extra PHP extensions, etc.
+
+Finally, if you use Git, commit these files and push.
+
+## Preparing a Server
+
+To deploy your application in production, you need a server.
+In this tutorial, we will use a virtual machine provided by DigitalOcean, but any Linux server can work.
+If you already have a Linux server with Docker installed, you can skip straight to [the next section](#configuring-a-domain-name).
+
+Otherwise, use [this affiliate link](https://m.do.co/c/5d8aabe3ab80) to get $200 of free credit, create an account, then click on "Create a Droplet".
+Then, click on the "Marketplace" tab under the "Choose an image" section and search for the app named "Docker".
+This will provision an Ubuntu server with the latest versions of Docker and Docker Compose already installed!
+
+For test purposes, the cheapest plans will be enough.
+For real production usage, you'll probably want to pick a plan in the "general purpose" section to fit your needs.
+
+![Deploying FrankenPHP on DigitalOcean with Docker](digitalocean-droplet.png)
+
+You can keep the defaults for other settings, or tweak them according to your needs.
+Don't forget to add your SSH key or create a password then press the "Finalize and create" button.
+
+Then, wait a few seconds while your Droplet is provisioning.
+When your Droplet is ready, use SSH to connect:
+
+```console
+ssh root@<droplet-ip>
+```
+
+## Configuring a Domain Name
+
+In most cases, you'll want to associate a domain name with your site.
+If you don't own a domain name yet, you'll have to buy one through a registrar.
+
+Then create a DNS record of type `A` for your domain name pointing to the IP address of your server:
+
+```dns
+your-domain-name.example.com.  IN  A     207.154.233.113
+```
+
+Example with the DigitalOcean Domains service ("Networking" > "Domains"):
+
+![Configuring DNS on DigitalOcean](digitalocean-dns.png)
+
+> [!NOTE]  
+> Let's Encrypt, the service used by default by FrankenPHP to automatically generate a TLS certificate doesn't support using bare IP addresses. Using a domain name is mandatory to use Let's Encrypt.
+
+## Deploying
+
+Copy your project on the server using `git clone`, `scp`, or any other tool that may fit your need.
+If you use GitHub, you may want to use [a deploy key](https://docs.github.com/en/free-pro-team@latest/developers/overview/managing-deploy-keys#deploy-keys).
+Deploy keys are also [supported by GitLab](https://docs.gitlab.com/ee/user/project/deploy_keys/).
+
+Example with Git:
+
+```console
+git clone git@github.com:<username>/<project-name>.git
+```
+
+Go into the directory containing your project (`<project-name>`), and start the app in production mode:
+
+```console
+docker compose up -d --wait
+```
+
+Your server is up and running, and a HTTPS certificate has been automatically generated for you.
+Go to `https://your-domain-name.example.com` and enjoy!
+
+> [!CAUTION]
+> Docker can have a cache layer, make sure you have the right build for each deployment or rebuild your project with --no-cache option to avoid cache issue.
+
+## Deploying on Multiple Nodes
+
+If you want to deploy your app on a cluster of machines, you can use [Docker Swarm](https://docs.docker.com/engine/swarm/stack-deploy/),
+which is compatible with the provided Compose files.
+To deploy on Kubernetes, take a look at [the Helm chart provided with API Platform](https://api-platform.com/docs/deployment/kubernetes/), which can be easily adapted for use with Symfony Docker.

docs/worker.md

@@ -11,9 +11,9 @@ Set the value of the `FRANKENPHP_CONFIG` environment variable to `worker /path/t
 
 ```console
 docker run \
-    -e APP_RUNTIME=Runtime\\FrankenPhpSymfony\\Runtime \
+    -e FRANKENPHP_CONFIG="worker /app/path/to/your/worker/script.php" \
     -v $PWD:/app \
-    -p 80:80 -p 443:443 \
+    -p 80:80 -p 443:443 -p 443:443/udp \
     dunglas/frankenphp
 ```
 
@@ -41,13 +41,13 @@ docker run \
     -e FRANKENPHP_CONFIG="worker ./public/index.php" \
     -e APP_RUNTIME=Runtime\\FrankenPhpSymfony\\Runtime \
     -v $PWD:/app \
-    -p 80:80 -p 443:443 \
+    -p 80:80 -p 443:443 -p 443:443/udp \
     dunglas/frankenphp
 ```
 
 ## Laravel Octane
 
-See [this Pull Request](https://github.com/laravel/octane/pull/764).
+See [the dedicated documentation](laravel.md#laravel-octane).
 
 ## Custom Apps
 
@@ -66,13 +66,13 @@ require __DIR__.'/vendor/autoload.php';
 $myApp = new \App\Kernel();
 $myApp->boot();
 
-$nbRequests = 0;
-do {
-    $handler = static function () use ($myApp) {
+// Handler outside the loop for better performance (doing less work)
+$handler = static function () use ($myApp) {
         // Called when a request is received,
         // superglobals, php://input and the like are reset
         echo $myApp->handle($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER);
-    };
+};
+for($nbRequests = 0, $running = true; isset($_SERVER['MAX_REQUESTS']) && ($nbRequests < ((int)$_SERVER['MAX_REQUESTS'])) && $running; ++$nbRequests) {
     $running = \frankenphp_handle_request($handler);
 
     // Do something after sending the HTTP response
@@ -80,8 +80,7 @@ do {
 
     // Call the garbage collector to reduce the chances of it being triggered in the middle of a page generation
     gc_collect_cycles();
-} while ($running && !(isset($_SERVER['MAX_REQUESTS']) && ++$nbRequests >= $_SERVER['MAX_REQUESTS']));
-
+}
 // Cleanup
 $myApp->shutdown();
 ```
@@ -92,7 +91,7 @@ Then, start your app and use the `FRANKENPHP_CONFIG` environment variable to con
 docker run \
     -e FRANKENPHP_CONFIG="worker ./public/index.php" \
     -v $PWD:/app \
-    -p 80:80 -p 443:443 \
+    -p 80:80 -p 443:443 -p 443:443/udp \
     dunglas/frankenphp
 ```
 
@@ -103,7 +102,7 @@ You can also configure the number of workers to start:
 docker run \
     -e FRANKENPHP_CONFIG="worker ./public/index.php 42" \
     -v $PWD:/app \
-    -p 80:80 -p 443:443 \
+    -p 80:80 -p 443:443 -p 443:443/udp \
     dunglas/frankenphp
 ```
 

embed.go

@@ -3,9 +3,7 @@ package frankenphp
 import (
 	"archive/tar"
 	"bytes"
-	"crypto/md5"
 	_ "embed"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -25,21 +23,22 @@ var EmbeddedAppPath string
 //go:embed app.tar
 var embeddedApp []byte
 
+//go:embed app_checksum.txt
+var embeddedAppChecksum []byte
+
 func init() {
 	if len(embeddedApp) == 0 {
 		// No embedded app
 		return
 	}
 
-	h := md5.Sum(embeddedApp)
-	appPath := filepath.Join(os.TempDir(), "frankenphp_"+hex.EncodeToString(h[:]))
+	appPath := filepath.Join(os.TempDir(), "frankenphp_"+strings.TrimSuffix(string(embeddedAppChecksum[:]), "\n"))
 
-	if err := os.RemoveAll(appPath); err != nil {
-		panic(err)
-	}
-	if err := untar(appPath); err != nil {
-		os.RemoveAll(appPath)
-		panic(err)
+	if _, err := os.Stat(appPath); os.IsNotExist(err) {
+		if err := untar(appPath); err != nil {
+			os.RemoveAll(appPath)
+			panic(err)
+		}
 	}
 
 	EmbeddedAppPath = appPath

frankenphp.c

@@ -242,6 +242,82 @@ PHP_FUNCTION(frankenphp_finish_request) { /* {{{ */
   RETURN_TRUE;
 } /* }}} */
 
+/* {{{ Fetch all HTTP request headers */
+PHP_FUNCTION(frankenphp_request_headers) {
+  if (zend_parse_parameters_none() == FAILURE) {
+    RETURN_THROWS();
+  }
+
+  frankenphp_server_context *ctx = SG(server_context);
+  struct go_apache_request_headers_return headers =
+      go_apache_request_headers(ctx->current_request);
+
+  array_init_size(return_value, headers.r1);
+
+  for (size_t i = 0; i < headers.r1; i++) {
+    go_string key = headers.r0[i * 2];
+    go_string val = headers.r0[i * 2 + 1];
+
+    add_assoc_stringl_ex(return_value, key.data, key.len, val.data, val.len);
+  }
+
+  free(headers.r0);
+  go_apache_request_cleanup(headers.r2);
+}
+/* }}} */
+
+// add_response_header and apache_response_headers are copied from
+// https://github.com/php/php-src/blob/master/sapi/cli/php_cli_server.c
+// Copyright (c) The PHP Group
+// Licensed under The PHP License
+// Original authors: Moriyoshi Koizumi <moriyoshi@php.net> and Xinchen Hui
+// <laruence@php.net>
+static void add_response_header(sapi_header_struct *h,
+                                zval *return_value) /* {{{ */
+{
+  if (h->header_len > 0) {
+    char *s;
+    size_t len = 0;
+    ALLOCA_FLAG(use_heap)
+
+    char *p = strchr(h->header, ':');
+    if (NULL != p) {
+      len = p - h->header;
+    }
+    if (len > 0) {
+      while (len != 0 &&
+             (h->header[len - 1] == ' ' || h->header[len - 1] == '\t')) {
+        len--;
+      }
+      if (len) {
+        s = do_alloca(len + 1, use_heap);
+        memcpy(s, h->header, len);
+        s[len] = 0;
+        do {
+          p++;
+        } while (*p == ' ' || *p == '\t');
+        add_assoc_stringl_ex(return_value, s, len, p,
+                             h->header_len - (p - h->header));
+        free_alloca(s, use_heap);
+      }
+    }
+  }
+}
+/* }}} */
+
+PHP_FUNCTION(frankenphp_response_headers) /* {{{ */
+{
+  if (zend_parse_parameters_none() == FAILURE) {
+    RETURN_THROWS();
+  }
+
+  array_init(return_value);
+  zend_llist_apply_with_argument(
+      &SG(sapi_headers).headers,
+      (llist_apply_with_arg_func_t)add_response_header, return_value);
+}
+/* }}} */
+
 PHP_FUNCTION(frankenphp_handle_request) {
   zend_fcall_info fci;
   zend_fcall_info_cache fcc;
@@ -594,8 +670,6 @@ void frankenphp_register_bulk_variables(char *known_variables[27],
     free(dynamic_variables[i]);
     free(dynamic_variables[i + 1]);
   }
-
-  free(dynamic_variables);
 }
 
 static void frankenphp_register_variables(zval *track_vars_array) {
@@ -763,8 +837,12 @@ static char *cli_script;
 static int cli_argc;
 static char **cli_argv;
 
-// Adapted from https://github.com/php/php-src/sapi/cli/php_cli.c (The PHP
-// Group, The PHP License)
+// CLI code is adapted from
+// https://github.com/php/php-src/blob/master/sapi/cli/php_cli.c Copyright (c)
+// The PHP Group Licensed under The PHP License Original uthors: Edin Kadribasic
+// <edink@php.net>, Marcus Boerger <helly@php.net> and Johannes Schlueter
+// <johannes@php.net> Parts based on CGI SAPI Module by Rasmus Lerdorf, Stig
+// Bakken and Zeev Suraski
 static void cli_register_file_handles(bool no_close) /* {{{ */
 {
   php_stream *s_in, *s_out, *s_err;

frankenphp.go

@@ -52,9 +52,11 @@ import (
 	//_ "github.com/ianlancetaylor/cgosymbolizer"
 )
 
-type key int
+type contextKeyStruct struct{}
+type handleKeyStruct struct{}
 
-var contextKey key
+var contextKey = contextKeyStruct{}
+var handleKey = handleKeyStruct{}
 
 var (
 	InvalidRequestError         = errors.New("not a FrankenPHP request")
@@ -191,7 +193,10 @@ func NewRequestWithContext(r *http.Request, opts ...RequestOption) (*http.Reques
 	// SCRIPT_FILENAME is the absolute path of SCRIPT_NAME
 	fc.scriptFilename = sanitizedPathJoin(fc.documentRoot, fc.scriptName)
 
-	return r.WithContext(context.WithValue(r.Context(), contextKey, fc)), nil
+	c := context.WithValue(r.Context(), contextKey, fc)
+	c = context.WithValue(c, handleKey, Handles())
+
+	return r.WithContext(c), nil
 }
 
 // FromContext extracts the FrankenPHPContext from a context.
@@ -402,9 +407,12 @@ func updateServerContext(request *http.Request, create bool, mrh C.uintptr_t) er
 
 	var rh cgo.Handle
 	if fc.responseWriter == nil {
-		mrh = C.uintptr_t(cgo.NewHandle(request))
+		h := cgo.NewHandle(request)
+		request.Context().Value(handleKey).(*handleList).AddHandle(h)
+		mrh = C.uintptr_t(h)
 	} else {
 		rh = cgo.NewHandle(request)
+		request.Context().Value(handleKey).(*handleList).AddHandle(rh)
 	}
 
 	ret := C.frankenphp_update_server_context(
@@ -444,11 +452,10 @@ func ServeHTTP(responseWriter http.ResponseWriter, request *http.Request) error
 
 	rc := requestChan
 	// Detect if a worker is available to handle this request
-	if nil == fc.responseWriter {
-		fc.env["FRANKENPHP_WORKER"] = "1"
-	} else if v, ok := workersRequestChans.Load(fc.scriptFilename); ok {
-		fc.env["FRANKENPHP_WORKER"] = "1"
-		rc = v.(chan *http.Request)
+	if nil != fc.responseWriter {
+		if v, ok := workersRequestChans.Load(fc.scriptFilename); ok {
+			rc = v.(chan *http.Request)
+		}
 	}
 
 	select {
@@ -467,7 +474,9 @@ func go_fetch_request() C.uintptr_t {
 		return 0
 
 	case r := <-requestChan:
-		return C.uintptr_t(cgo.NewHandle(r))
+		h := cgo.NewHandle(r)
+		r.Context().Value(handleKey).(*handleList).AddHandle(h)
+		return C.uintptr_t(h)
 	}
 }
 
@@ -477,17 +486,21 @@ func maybeCloseContext(fc *FrankenPHPContext) {
 	})
 }
 
+// go_execute_script Note: only called in cgi-mode
+//
 //export go_execute_script
 func go_execute_script(rh unsafe.Pointer) {
 	handle := cgo.Handle(rh)
-	defer handle.Delete()
 
 	request := handle.Value().(*http.Request)
 	fc, ok := FromContext(request.Context())
 	if !ok {
 		panic(InvalidRequestError)
 	}
-	defer maybeCloseContext(fc)
+	defer func() {
+		maybeCloseContext(fc)
+		request.Context().Value(handleKey).(*handleList).FreeAll()
+	}()
 
 	if err := updateServerContext(request, true, 0); err != nil {
 		panic(err)
@@ -532,8 +545,7 @@ func go_register_variables(rh C.uintptr_t, trackVarsArray *C.zval) {
 	fc := r.Context().Value(contextKey).(*FrankenPHPContext)
 
 	le := (len(fc.env) + len(r.Header)) * 2
-	dynamicVariablesArr := (**C.char)(C.malloc(C.size_t(le) * C.size_t(unsafe.Sizeof((*C.char)(nil)))))
-	dynamicVariables := unsafe.Slice(dynamicVariablesArr, le)
+	dynamicVariables := make([]*C.char, le)
 
 	var i int
 	// Add all HTTP headers to env variables
@@ -558,12 +570,55 @@ func go_register_variables(rh C.uintptr_t, trackVarsArray *C.zval) {
 		i++
 	}
 
+	var dynamicVariablesPtr **C.char = nil
+	if le > 0 {
+		dynamicVariablesPtr = &dynamicVariables[0]
+	}
+
 	knownVariables := computeKnownVariables(r)
-	C.frankenphp_register_bulk_variables(&knownVariables[0], dynamicVariablesArr, C.size_t(le), trackVarsArray)
+	C.frankenphp_register_bulk_variables(&knownVariables[0], dynamicVariablesPtr, C.size_t(le), trackVarsArray)
 
 	fc.env = nil
 }
 
+//export go_apache_request_headers
+func go_apache_request_headers(rh C.uintptr_t) (*C.go_string, C.size_t, C.uintptr_t) {
+	r := cgo.Handle(rh).Value().(*http.Request)
+
+	pinner := runtime.Pinner{}
+	pinnerHandle := C.uintptr_t(cgo.NewHandle(pinner))
+
+	rl := len(r.Header)
+	scs := unsafe.Sizeof(C.go_string{})
+
+	headers := (*C.go_string)(unsafe.Pointer(C.malloc(C.size_t(rl*2) * (C.size_t)(scs))))
+	header := headers
+	for field, val := range r.Header {
+		fd := unsafe.StringData(field)
+		pinner.Pin(fd)
+
+		*header = C.go_string{C.size_t(len(field)), (*C.char)(unsafe.Pointer(fd))}
+		header = (*C.go_string)(unsafe.Add(unsafe.Pointer(header), scs))
+
+		cv := strings.Join(val, ", ")
+		vd := unsafe.StringData(cv)
+		pinner.Pin(vd)
+
+		*header = C.go_string{C.size_t(len(cv)), (*C.char)(unsafe.Pointer(vd))}
+		header = (*C.go_string)(unsafe.Add(unsafe.Pointer(header), scs))
+	}
+
+	return headers, C.size_t(rl), pinnerHandle
+}
+
+//export go_apache_request_cleanup
+func go_apache_request_cleanup(rh C.uintptr_t) {
+	h := cgo.Handle(rh)
+	p := h.Value().(runtime.Pinner)
+	p.Unpin()
+	h.Delete()
+}
+
 func addHeader(fc *FrankenPHPContext, cString *C.char, length C.int) {
 	parts := strings.SplitN(C.GoStringN(cString, length), ": ", 2)
 	if len(parts) != 2 {
@@ -655,14 +710,13 @@ func go_read_cookies(rh C.uintptr_t) *C.char {
 	if len(cookies) == 0 {
 		return nil
 	}
-
-	cookieString := make([]string, len(cookies))
-	for _, cookie := range r.Cookies() {
-		cookieString = append(cookieString, cookie.String())
+	cookieStrings := make([]string, len(cookies))
+	for i, cookie := range cookies {
+		cookieStrings[i] = cookie.String()
 	}
 
 	// freed in frankenphp_request_shutdown()
-	return C.CString(strings.Join(cookieString, "; "))
+	return C.CString(strings.Join(cookieStrings, "; "))
 }
 
 //export go_log
@@ -698,12 +752,23 @@ func ExecuteScriptCLI(script string, args []string) int {
 	cScript := C.CString(script)
 	defer C.free(unsafe.Pointer(cScript))
 
+	argc, argv := convertArgs(args)
+	defer freeArgs(argv)
+
+	return int(C.frankenphp_execute_script_cli(cScript, argc, (**C.char)(unsafe.Pointer(&argv[0]))))
+}
+
+func convertArgs(args []string) (C.int, []*C.char) {
 	argc := C.int(len(args))
 	argv := make([]*C.char, argc)
 	for i, arg := range args {
 		argv[i] = C.CString(arg)
-		defer C.free(unsafe.Pointer(argv[i]))
 	}
-
-	return int(C.frankenphp_execute_script_cli(cScript, argc, (**C.char)(unsafe.Pointer(&argv[0]))))
+	return argc, argv
+}
+
+func freeArgs(argv []*C.char) {
+	for _, arg := range argv {
+		C.free(unsafe.Pointer(arg))
+	}
 }

frankenphp.h

@@ -11,6 +11,11 @@
 #define STRINGIFY(x) #x
 #define TOSTRING(x) STRINGIFY(x)
 
+typedef struct go_string {
+  size_t len;
+  const char *data;
+} go_string;
+
 typedef struct frankenphp_version {
   unsigned char major_version;
   unsigned char minor_version;

frankenphp.stub.php

@@ -12,3 +12,23 @@ function frankenphp_finish_request(): bool {}
  * @alias frankenphp_finish_request
  */
 function fastcgi_finish_request(): bool {}
+
+function frankenphp_request_headers(): array {}
+
+/**
+ * @alias frankenphp_request_headers
+ */
+function apache_request_headers(): array {}
+
+/**
+ * @alias frankenphp_response_headers
+*/
+function getallheaders(): array {}
+
+function frankenphp_response_headers(): array|bool {}
+
+/**
+ * @alias frankenphp_response_headers
+ */
+function apache_response_headers(): array|bool {}
+

frankenphp_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: de4dc4063fafd8c933e3068c8349889a7ece5f03 */
+ * Stub hash: 467f1406e17d3b8ca67bba5ea367194e60d8dd27 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_frankenphp_handle_request, 0, 1,
                                         _IS_BOOL, 0)
@@ -16,13 +16,42 @@ ZEND_END_ARG_INFO()
 
 #define arginfo_fastcgi_finish_request arginfo_frankenphp_finish_request
 
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_frankenphp_request_headers, 0,
+                                        0, IS_ARRAY, 0)
+ZEND_END_ARG_INFO()
+
+#define arginfo_apache_request_headers arginfo_frankenphp_request_headers
+
+#define arginfo_getallheaders arginfo_frankenphp_request_headers
+
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_frankenphp_response_headers, 0,
+                                        0, MAY_BE_ARRAY | MAY_BE_BOOL)
+ZEND_END_ARG_INFO()
+
+#define arginfo_apache_response_headers arginfo_frankenphp_response_headers
+
 ZEND_FUNCTION(frankenphp_handle_request);
 ZEND_FUNCTION(headers_send);
 ZEND_FUNCTION(frankenphp_finish_request);
+ZEND_FUNCTION(frankenphp_request_headers);
+ZEND_FUNCTION(frankenphp_response_headers);
 
 static const zend_function_entry ext_functions[] = {
     ZEND_FE(frankenphp_handle_request, arginfo_frankenphp_handle_request)
         ZEND_FE(headers_send, arginfo_headers_send) ZEND_FE(
             frankenphp_finish_request, arginfo_frankenphp_finish_request)
             ZEND_FALIAS(fastcgi_finish_request, frankenphp_finish_request,
-                        arginfo_fastcgi_finish_request) ZEND_FE_END};
+                        arginfo_fastcgi_finish_request)
+                ZEND_FE(frankenphp_request_headers,
+                        arginfo_frankenphp_request_headers)
+                    ZEND_FALIAS(apache_request_headers,
+                                frankenphp_request_headers,
+                                arginfo_apache_request_headers)
+                        ZEND_FALIAS(getallheaders, frankenphp_response_headers,
+                                    arginfo_getallheaders)
+                            ZEND_FE(frankenphp_response_headers,
+                                    arginfo_frankenphp_response_headers)
+                                ZEND_FALIAS(apache_response_headers,
+                                            frankenphp_response_headers,
+                                            arginfo_apache_response_headers)
+                                    ZEND_FE_END};

frankenphp_test.go

@@ -226,6 +226,27 @@ func testHeaders(t *testing.T, opts *testOptions) {
 	}, opts)
 }
 
+func TestResponseHeaders_module(t *testing.T) { testResponseHeaders(t, nil) }
+func TestResponseHeaders_worker(t *testing.T) {
+	testResponseHeaders(t, &testOptions{workerScript: "response-headers.php"})
+}
+func testResponseHeaders(t *testing.T, opts *testOptions) {
+	runTest(t, func(handler func(http.ResponseWriter, *http.Request), _ *httptest.Server, i int) {
+		req := httptest.NewRequest("GET", fmt.Sprintf("http://example.com/response-headers.php?i=%d", i), nil)
+		w := httptest.NewRecorder()
+		handler(w, req)
+
+		resp := w.Result()
+		body, _ := io.ReadAll(resp.Body)
+
+		assert.Contains(t, string(body), "'X-Powered-By' => 'PH")
+		assert.Contains(t, string(body), "'Foo' => 'bar',")
+		assert.Contains(t, string(body), "'Foo2' => 'bar2',")
+		assert.Contains(t, string(body), fmt.Sprintf("'I' => '%d',", i))
+		assert.NotContains(t, string(body), "Invalid")
+	}, opts)
+}
+
 func TestInput_module(t *testing.T) { testInput(t, nil) }
 func TestInput_worker(t *testing.T) { testInput(t, &testOptions{workerScript: "input.php"}) }
 func testInput(t *testing.T, opts *testOptions) {
@@ -553,6 +574,27 @@ func testFiberNoCgo(t *testing.T, opts *testOptions) {
 	}, opts)
 }
 
+func TestRequestHeaders_module(t *testing.T) { testRequestHeaders(t, &testOptions{}) }
+func TestRequestHeaders_worker(t *testing.T) {
+	testRequestHeaders(t, &testOptions{workerScript: "request-headers.php"})
+}
+func testRequestHeaders(t *testing.T, opts *testOptions) {
+	runTest(t, func(handler func(http.ResponseWriter, *http.Request), _ *httptest.Server, i int) {
+		req := httptest.NewRequest("GET", fmt.Sprintf("http://example.com/request-headers.php?i=%d", i), nil)
+		req.Header.Add(strings.Clone("Content-Type"), strings.Clone("text/plain"))
+		req.Header.Add(strings.Clone("Frankenphp-I"), strings.Clone(strconv.Itoa(i)))
+
+		w := httptest.NewRecorder()
+		handler(w, req)
+
+		resp := w.Result()
+		body, _ := io.ReadAll(resp.Body)
+
+		assert.Contains(t, string(body), "[Content-Type] => text/plain")
+		assert.Contains(t, string(body), fmt.Sprintf("[Frankenphp-I] => %d", i))
+	}, opts)
+}
+
 func TestExecuteScriptCLI(t *testing.T) {
 	if _, err := os.Stat("internal/testcli/testcli"); err != nil {
 		t.Skip("internal/testcli/testcli has not been compiled, run `cd internal/testcli/ && go build`")

smartpointer.go

@@ -0,0 +1,64 @@
+package frankenphp
+
+// #include <stdlib.h>
+import "C"
+import (
+	"runtime/cgo"
+	"unsafe"
+)
+
+/*
+FrankenPHP is fairly complex because it shuffles handles/requests/contexts
+between C and Go. This simplifies the lifecycle management of per-request
+structures by allowing us to hold references until the end of the request
+and ensure they are always cleaned up.
+*/
+
+// PointerList A list of pointers that can be freed at a later time
+type pointerList struct {
+	Pointers []unsafe.Pointer
+}
+
+// HandleList A list of pointers that can be freed at a later time
+type handleList struct {
+	Handles []cgo.Handle
+}
+
+// AddHandle Call when registering a handle for the very first time
+func (h *handleList) AddHandle(handle cgo.Handle) {
+	h.Handles = append(h.Handles, handle)
+}
+
+// AddPointer Call when creating a request-level C pointer for the very first time
+func (p *pointerList) AddPointer(ptr unsafe.Pointer) {
+	p.Pointers = append(p.Pointers, ptr)
+}
+
+// FreeAll frees all C pointers
+func (p *pointerList) FreeAll() {
+	for _, ptr := range p.Pointers {
+		C.free(ptr)
+	}
+	p.Pointers = nil // To avoid dangling pointers
+}
+
+// FreeAll frees all handles
+func (h *handleList) FreeAll() {
+	for _, p := range h.Handles {
+		p.Delete()
+	}
+}
+
+// Pointers Get a new list of pointers
+func Pointers() *pointerList {
+	return &pointerList{
+		Pointers: make([]unsafe.Pointer, 0),
+	}
+}
+
+// Handles Get a new list of handles
+func Handles() *handleList {
+	return &handleList{
+		Handles: make([]cgo.Handle, 0, 8),
+	}
+}

static-builder.Dockerfile

@@ -25,49 +25,49 @@ LABEL org.opencontainers.image.licenses=MIT
 LABEL org.opencontainers.image.vendor="Kévin Dunglas"
 
 RUN apk update; \
-    apk add --no-cache \
-        autoconf \
-        automake \
-        bash \
-        binutils \
-        bison \
-        build-base \
-        cmake \
-        curl \
-        file \
-        flex \
-        g++ \
-        gcc \
-        git \
-        jq \
-        libgcc \
-        libstdc++ \
-        libtool \
-        linux-headers \
-        m4 \
-        make \
-        pkgconfig \
-        wget \
-        xz ; \
-    apk add --no-cache \
-    	--repository=https://dl-cdn.alpinelinux.org/alpine/edge/main \
-    	--repository=https://dl-cdn.alpinelinux.org/alpine/edge/community \
-        php83 \
-        php83-common \
-        php83-ctype \
-        php83-curl \
-        php83-dom \
-        php83-mbstring \
-        php83-openssl \
-        php83-pcntl \
-        php83-phar \
-        php83-posix \
-        php83-session \
-        php83-sodium \
-        php83-tokenizer \
-        php83-xml \
-        php83-xmlwriter; \
-    ln -sf /usr/bin/php83 /usr/bin/php
+	apk add --no-cache \
+		autoconf \
+		automake \
+		bash \
+		binutils \
+		bison \
+		build-base \
+		cmake \
+		curl \
+		file \
+		flex \
+		g++ \
+		gcc \
+		git \
+		jq \
+		libgcc \
+		libstdc++ \
+		libtool \
+		linux-headers \
+		m4 \
+		make \
+		pkgconfig \
+		wget \
+		xz ; \
+	apk add --no-cache \
+		--repository=https://dl-cdn.alpinelinux.org/alpine/edge/main \
+		--repository=https://dl-cdn.alpinelinux.org/alpine/edge/community \
+		php83 \
+		php83-common \
+		php83-ctype \
+		php83-curl \
+		php83-dom \
+		php83-mbstring \
+		php83-openssl \
+		php83-pcntl \
+		php83-phar \
+		php83-posix \
+		php83-session \
+		php83-sodium \
+		php83-tokenizer \
+		php83-xml \
+		php83-xmlwriter; \
+	ln -sf /usr/bin/php83 /usr/bin/php
 
 # https://getcomposer.org/doc/03-cli.md#composer-allow-superuser
 ENV COMPOSER_ALLOW_SUPERUSER=1

testdata/Caddyfile

@@ -23,10 +23,11 @@ http:// {
 		}
 		rewrite @indexFiles {http.matchers.file.relative}
 
+		encode zstd br gzip
+
 		# FrankenPHP!
 		@phpFiles path *.php
 		php @phpFiles
-		encode zstd gzip
 		file_server
 
 		respond 404

testdata/benchmark.Caddyfile

@@ -6,7 +6,7 @@ http:// {
 	route {
 		root * .
 
-		encode zstd gzip
+		encode zstd br gzip
 		php_server
 	}
 }

testdata/request-headers.php

@@ -0,0 +1,7 @@
+<?php
+
+require_once __DIR__.'/_executor.php';
+
+return function() {
+    print_r(apache_request_headers());
+};

testdata/response-headers.php

@@ -0,0 +1,13 @@
+<?php
+
+require_once __DIR__.'/_executor.php';
+
+return function () {
+    header('Foo: bar');
+    header('Foo2: bar2');
+    header('Invalid');
+    header('I: ' . ($_GET['i'] ?? 'i not set'));
+    http_response_code(201);
+    
+    var_export(apache_response_headers());
+};

worker.go

@@ -49,6 +49,12 @@ func startWorkers(fileName string, nbWorkers int, env map[string]string) error {
 		errs []error
 	)
 
+	if env == nil {
+		env = make(map[string]string, 1)
+	}
+
+	env["FRANKENPHP_WORKER"] = "1"
+
 	l := getLogger()
 	for i := 0; i < nbWorkers; i++ {
 		go func() {
@@ -150,6 +156,7 @@ func go_frankenphp_worker_handle_request_start(mrh C.uintptr_t) C.uintptr_t {
 	}
 
 	fc.currentWorkerRequest = cgo.NewHandle(r)
+	r.Context().Value(handleKey).(*handleList).AddHandle(fc.currentWorkerRequest)
 
 	l.Debug("request handling started", zap.String("worker", fc.scriptFilename), zap.String("url", r.RequestURI))
 	if err := updateServerContext(r, false, mrh); err != nil {
@@ -169,8 +176,7 @@ func go_frankenphp_finish_request(mrh, rh C.uintptr_t, deleteHandle bool) {
 	fc := r.Context().Value(contextKey).(*FrankenPHPContext)
 
 	if deleteHandle {
-		rHandle.Delete()
-
+		r.Context().Value(handleKey).(*handleList).FreeAll()
 		cgo.Handle(mrh).Value().(*http.Request).Context().Value(contextKey).(*FrankenPHPContext).currentWorkerRequest = 0
 	}