Full-Stack Server Architecture
Request Flow
Client Request (TCP/TLS/QUIC)
│
├─ TLS Termination (bext-tls)
│ ├─ ACME auto-provisioned certs
│ ├─ SNI resolver (wildcard + exact match)
│ └─ OCSP stapled response
│
▼
┌────────────────────────────────────────────────────────────┐
│ MIDDLEWARE STACK │
│ (outer → inner, each wraps the next) │
│ │
│ 1. CORS ──────────── Origin validation, preflight │
│ 2. WAF ───────────── IP filter, geo, SQLi/XSS/shell, │
│ │ bot detection, DDoS guard │
│ 3. Rate Limiter ──── Per-IP token bucket (burst support, │
│ │ distributed via Redis) │
│ 4. Auth ──────────── JWT validation, API key check │
│ 5. User Middleware ── Custom user-defined middleware │
│ 6. Tenant Resolver ── Hostname → tenant_id mapping │
│ 7. Alt-Svc ───────── HTTP/3 advertisement header │
│ 8. Tracing Logger ── OpenTelemetry span injection │
│ 9. Request Logger ── Dev dashboard request capture │
└────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ ROUTE MATCHING │
│ │
│ /__bext/* → Internal endpoints │
│ │ /events SSE real-time stream (bext-realtime) │
│ │ /ws WebSocket hub │
│ │ /dashboard Production dashboard (HTML) │
│ │ /logs Real-time log streaming │
│ │ /cache/* Purge, inspect │
│ │ /waf/* WAF audit events │
│ │ /hub/* Hub stats, publish │
│ │ /island/* Server islands (deferred SSR) │
│ │ /turbo.js HTML-over-the-wire client │
│ │ /scheduler Task scheduler status │
│ │
│ /api/* → API endpoints │
│ │ /invalidate Cache invalidation (tag/path) │
│ │ /revalidate Proactive re-render │
│ │ /reload JSC pool hot-swap │
│ │ /build Build + reload │
│ │ /og OG image generation │
│ │ /image Image optimization │
│ │ /platform/* Deploy, rollback, promote, list │
│ │ /ssr-stream/* Streaming SSR │
│ │
│ /health → Health check (JSON) │
│ /metrics → Prometheus metrics │
│ │
│ Proxy routes (pattern-matched from config) │
│ │ → Upstream pool selection (round-robin/least-conn/ │
│ │ ip-hash/random) │
│ │ → Health-checked forwarding with retry + circuit break │
│ │
│ /* (catch-all) → SSR Handler │
└────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ SSR HANDLER │
│ │
│ 1. Route rules lookup (ISR/SSR/static/SWR per pattern) │
│ 2. ISR cache check (L1 in-memory → L2 Redis) │
│ ├─ HIT → serve cached (with ETag/304) │
│ ├─ STALE → serve stale + background revalidation │
│ └─ MISS → stampede guard → render │
│ 3. JSC render pool (managed workers with lifecycle) │
│ ├─ Component memoization cache │
│ ├─ Max requests/memory/uptime rotation │
│ └─ Crash recovery with exponential backoff │
│ 4. Compression (gzip/brotli/zstd, content-type aware) │
│ 5. Cache store (L1 + write-through L2) │
│ 6. Early Hints (103) sent before 200 on H2/H3 │
└────────────────────────────────────────────────────────────┘
│
▼
Response → Client
Crate Architecture
┌─────────────────────────────────────────────────────────────┐
│ bext-server (binary) │
│ CLI, HTTP server (actix-web), middleware, handlers, config │
│ Feature flags: plugins, redis, tls, waf, realtime, │
│ websocket-proxy, otel, geoip, h3-quic │
├─────────────┬──────────────┬───────────────┬────────────────┤
│ bext-tls │ bext-realtime│ bext-waf │ bext-core │
│ (optional) │ (optional) │ (optional) │ (required) │
│ │ │ │ │
│ ACME │ SSE hub │ IP filter │ Cache (ISR, │
│ Self-signed│ WS hub │ Geo-block │ tiered, vary,│
│ SNI │ Topic pub/ │ SQLi/XSS/ │ negative, │
│ OCSP │ sub │ shell/ │ stampede) │
│ Cert store │ Auth rules │ traversal │ Compress │
│ Renewal │ Redis relay │ Bot detect │ (gz/br/zstd) │
│ │ Replay │ DDoS guard │ Worker pool │
│ │ buffer │ Rate limit │ Route engine │
│ │ │ Audit log │ Observability │
│ │ │ │ Platform │
│ │ │ │ Runtime │
│ │ │ │ JSC SSR │
├─────────────┴──────────────┴───────────────┤ Scheduler │
│ bext-plugin-api (traits) │ Islands │
├────────────┬──────────────┬────────────────┤ Flow engine │
│ bext- │ bext- │ bext- │ SEO/OG │
│ plugin- │ plugin- │ plugin- │ Transforms │
│ wasm │ quickjs │ nsjail │ │
│ (wasmtime) │ (rquickjs) │ (process IPC) │ │
└────────────┴──────────────┴────────────────┴────────────────┘
Data Flow Diagram
┌──────────────┐
│ Client │
└──────┬───────┘
│ HTTPS (H1/H2/H3)
┌──────▼───────┐
│ TLS Layer │─── ACME cert auto-provisioning
│ (rustls) │─── SNI multi-domain
└──────┬───────┘
│
┌──────▼───────┐
│ WAF Engine │─── IP filter, geo-block
│ (bext-waf) │─── Rule inspection (SQLi/XSS)
└──────┬───────┘ Bot detection, DDoS guard
│
┌──────▼───────┐
│ Rate Limiter │─── Per-IP token bucket
│ │─── Redis distributed (optional)
└──────┬───────┘
│
┌────────────▼────────────┐
│ Route Matching │
└──┬───────┬──────────┬───┘
│ │ │
┌───────▼──┐ ┌──▼────┐ ┌──▼──────────┐
│ Static │ │ Proxy │ │ SSR Handler │
│ Files │ │ │ │ │
└──────────┘ │ ┌─────▼──────────┐ │
│ │ Upstream Pool │ │
│ │ (4 LB strats) │ │
│ │ Health checks │ │
│ │ Circuit break │ │
│ │ Retry │ │
│ └────────────────┘ │
└───────────────────┐ │
│ │
┌───────────────────▼───▼──┐
│ Cache Layer │
│ ┌─────────┐ ┌─────────┐ │
│ │ L1 ISR │→│ L2 Redis│ │
│ │(in-mem) │ │(optional)│ │
│ └────┬────┘ └─────────┘ │
│ │ MISS │
│ ┌────▼────────────────┐ │
│ │ Stampede Guard │ │
│ │ (coalescing lock) │ │
│ └────┬────────────────┘ │
└───────┼───────────────────┘
│
┌───────▼───────────────┐
│ JSC Render Pool │
│ (Managed Workers) │
│ ┌─────┬─────┬─────┐ │
│ │ W0 │ W1 │ W2 │ │
│ │ │ │ ... │ │
│ └─────┴─────┴─────┘ │
│ Lifecycle rotation │
│ Crash recovery │
│ Component memoization│
└───────┬───────────────┘
│
┌───────▼───────────────┐
│ Compression │
│ gzip │ brotli │ zstd│
│ Content-type aware │
│ Pre-compressed │
└───────┬───────────────┘
│
┌───────▼───────────────┐
│ Response │
│ + Early Hints (103) │
│ + Alt-Svc (H3) │
│ + Cache headers │
└───────────────────────┘
Real-Time Hub Architecture
SSE Clients ──────┐ ┌── Plugin publish
(EventSource) │ │ (bext_publish host fn)
▼ ▼
┌─────────────────────────┐
│ BextHub │
│ │
│ Topics (DashMap): │
│ ├─ system/deploy │◄── Deploy events
│ ├─ system/cache │◄── Cache invalidation
│ ├─ app/*/events │◄── Per-app events
│ ├─ user/{id} │◄── Per-user notifications
│ └─ custom/* │◄── App-defined topics
│ │
WS Clients ─┤ Replay buffer (100) │
(WebSocket) │ Auth rules per topic │
│ Dead channel cleanup │
└──────────┬──────────────┘
│
┌────▼────────────────┐
│ Redis Pub/Sub │
│ (cross-instance) │
│ │
│ Instance A ←──→ Instance B
└─────────────────────┘
Benchmarks
Compression Throughput (165KB HTML, 500 iterations):
zstd level 1 ████████████████████████████████████████ ~5,000 MB/s 89:1 ratio
gzip default ██████████ 1,038 MB/s 37:1 ratio
zstd level 3 ████████████████████████████ 2,865 MB/s 88:1 ratio
brotli q1 ████ 400 MB/s 73:1 ratio
brotli q4 ██ 258 MB/s 103:1 ratio
zstd level 9 █ 155 MB/s 89:1 ratio
WAF Inspection:
safe request ████████████████████████████████ ~5-7M req/s
SQLi match ████████████████████████████████████████ ~7M req/s
Cache Operations:
vary key gen ████████████████████████████ ~5M ops/s
param strip ██████████████████████████████████████ ~6M ops/s
encoding parse ██████████████████████████████████████ ~6M ops/s
stampede guard ████████████████████████████████████████████ ~9M ops/s
topic matching ████████████████████████████████████████████████████████ ~23M ops/s
IP CIDR filter ████████████████████████████████████████████████████████████████ ~48M ops/s
Module Status
| Module |
Crate |
Tests |
Pipeline Status |
Config |
Middleware |
| Auto-TLS |
bext-tls |
99 |
Wired (bind_rustls) |
TlsSection |
- |
| mTLS, on-demand TLS |
bext-tls |
(in TLS) |
Wired (in TLS builder) |
TlsSection |
- |
| HTTP/2 |
actix-web |
- |
Wired (native ALPN) |
Http2Config |
ALPN |
| HTTP/3 |
bext-server/h3 |
137 |
Wired (feature-gated h3-quic, quinn/h3, real UDP/QUIC) |
Http3Config |
Alt-Svc |
| Early Hints |
bext-server/protocol |
(in H3) |
Wired (discovery from HTML) |
EarlyHintsConfig |
- |
| Compression |
bext-core/compress |
67 |
Wired (in handler) |
CompressionMode |
compression.rs |
| Real-time |
bext-realtime |
159 |
Wired (SSE routes registered) |
RealtimeSection |
- |
| Worker lifecycle |
bext-core/worker |
91 |
Wired (config available) |
WorkerLifecycleSection |
- |
| Reverse proxy |
bext-server/proxy |
98 |
Built, not wired (pools exist, no routes dispatch) |
upstreams |
- |
| gRPC proxy |
bext-server/proxy |
(in proxy) |
Built, not wired (detection exists, not called) |
- |
- |
| Config hot reload |
bext-server |
- |
Built, not wired (watcher + endpoint exist, not spawned) |
- |
- |
| Middleware groups |
bext-server/config |
- |
Parsed, not applied (config parsed, not used at runtime) |
middleware_groups |
- |
| WAF |
bext-waf |
214 |
Wired (middleware in stack) |
WafSection |
waf.rs |
| Caching |
bext-core/cache |
157 |
Wired (ISR/tiered/vary/negative all used) |
CacheSection |
- |
| Observability |
bext-core/observability |
111 |
Wired (/metrics returns real data) |
- |
request_log.rs |
| Dashboard |
bext-server |
(in obs) |
Wired (/__bext/dashboard returns HTML) |
- |
- |
| OpenTelemetry |
bext-server |
- |
Wired (when otel feature enabled) |
telemetry |
- |
| Prometheus |
bext-core/observability |
(in obs) |
Wired (/metrics endpoint) |
- |
- |
| Zero-config |
bext-server/auto_config |
120 |
Wired (resolution pipeline) |
Auto-detected |
- |