Based on the first sentence of the description, I was expecting a proxy that added callback support to arbitrary APIs. I hit "<a href="https://my-templar-proxy/?real_url=$x&real_param_a=10&callback_url=$foo"" rel="nofollow">https://my-templar-proxy/?real_url=$x&real_param_a=10&callba...</a>, it hits the real API and waits for the response, then hits my callback with it.<p>I feel like that might be more useful than what appears to be just a special-purpose varnish/squid
This could be really useful for sending outbound webhooks, if it grew a couple of extra features:<p>1. "Fire and forget" ability. It would be great if I could send a request through Templar with an X-Templar-Fire-And-Forget: 1 HTTP header which means "deliver the request in your own time, but return a 200 OK to my client straight away so I don't have to wait for it.<p>2. It would be great if it could "validate" the URLs going through it somehow. When sending webhooks, it's important to be sure that they are going to the rest of the internet and not being used to probe internal IPs/hostnames of your own infrastructure. This is a bit of a fiddly problem, which is why it would be nice to have a proxy like Templar take it on. Take a look at the blocked_hosts section in <a href="http://search.cpan.org/~bradfitz/LWPx-ParanoidAgent-1.02/lib/LWPx/ParanoidAgent.pm" rel="nofollow">http://search.cpan.org/~bradfitz/LWPx-ParanoidAgent-1.02/lib...</a> for an example. I'm not sure how this would translate into X-Templar HTTP headers though.
The HTTPS implementation looks dangerous at first sight - it looks like an attacker could very easily just strip the X-Templar-Upgrade out from the request, and then end up with everything being un-encrypted - without the client throwing any warnings.<p>Could you possibly provide more details of how you avoid this?
Maybe I'm missing the point here, but I'm not entirely sure I see the point here.<p>What can Templar do for me that, say, nginx can't? All else equal, if nginx is already in my stack and Templar is not, why do I want to adopt Templar, or indeed even look twice at it?
Request collapsing looks like a nice feature .
Regarding HTTPS support, I am not really sure if I understood the details mentioned in the Docs properly .<p>Does Templar implement SSL Termination ?
The caching part looks really interesting -- have you considered adding support for more fine-grained caching control, such as respecting etags and last-modified times?<p>Thanks for sharing this!