wallarm · afr1ka · Apr 3, 2026 · Dec 7, 2025 · Apr 1, 2026 · Apr 2, 2026
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
@@ -51,7 +51,7 @@ jobs:
     needs:
       - draft-release
     env:
-      X_GO_DISTRIBUTION: "https://go.dev/dl/go1.24.11.linux-amd64.tar.gz"
+      X_GO_DISTRIBUTION: "https://go.dev/dl/go1.25.8.linux-amd64.tar.gz"
       APIFIREWALL_NAMESPACE: "github.com/wallarm/api-firewall"
     strategy:
       matrix:
@@ -162,7 +162,7 @@ jobs:
     needs:
       - draft-release
     env:
-      X_GO_VERSION: "1.24.11"
+      X_GO_VERSION: "1.25.8"
       APIFIREWALL_NAMESPACE: "github.com/wallarm/api-firewall"
     strategy:
       matrix:
@@ -181,7 +181,7 @@ jobs:
       -
         uses: addnab/docker-run-action@v3
         with:
-          image: golang:${{ env.X_GO_VERSION }}-alpine3.22
+          image: golang:${{ env.X_GO_VERSION }}-alpine3.23
           options: >
             --volume ${{ github.workspace }}:/build
             --workdir /build
@@ -272,19 +272,19 @@ jobs:
         include:
           - arch: armv6
             distro: bookworm
-            go_distribution: https://go.dev/dl/go1.24.11.linux-armv6l.tar.gz
+            go_distribution: https://go.dev/dl/go1.25.8.linux-armv6l.tar.gz
             artifact: armv6-libc
           - arch: aarch64
             distro: bookworm
-            go_distribution: https://go.dev/dl/go1.24.11.linux-arm64.tar.gz
+            go_distribution: https://go.dev/dl/go1.25.8.linux-arm64.tar.gz
             artifact: arm64-libc
           - arch: armv6
             distro: alpine_latest
-            go_distribution: https://go.dev/dl/go1.24.11.linux-armv6l.tar.gz
+            go_distribution: https://go.dev/dl/go1.25.8.linux-armv6l.tar.gz
             artifact: armv6-musl
           - arch: aarch64
             distro: alpine_latest
-            go_distribution: https://go.dev/dl/go1.24.11.linux-arm64.tar.gz
+            go_distribution: https://go.dev/dl/go1.25.8.linux-arm64.tar.gz
             artifact: arm64-musl
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -30,7 +30,7 @@ jobs:
           docker build -t wallarm/api-firewall:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           image-ref: 'wallarm/api-firewall:${{ github.sha }}'
           format: 'sarif'

diff --git a/.gitignore b/.gitignore
@@ -16,3 +16,7 @@ vendor/
 .DS_Store
 .idea/
 /dev/
+
+# Claude Code configuration
+CLAUDE.md
+.claude/
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine3.22 AS build
+FROM golang:1.25-alpine3.23 AS build
 
 ARG APIFIREWALL_NAMESPACE
 ARG APIFIREWALL_VERSION
@@ -24,7 +24,7 @@ RUN go mod download -x                    && \
 # Smoke test
 RUN ./api-firewall -v
 
-FROM alpine:3.22 AS composer
+FROM alpine:3.23 AS composer
 
 WORKDIR /output
 
@@ -34,7 +34,7 @@ COPY docker-entrypoint.sh ./usr/local/bin/docker-entrypoint.sh
 RUN chmod 755 ./usr/local/bin/*           && \
     chown root:root ./usr/local/bin/*
 
-FROM alpine:3.22
+FROM alpine:3.23
 
 RUN adduser -u 1000 -H -h /opt -D -s /bin/sh api-firewall
 

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-VERSION := 0.9.5
+VERSION := 0.9.6
 NAMESPACE := github.com/wallarm/api-firewall
 
 .DEFAULT_GOAL := build

diff --git a/cmd/api-firewall/internal/handlers/graphql/run.go b/cmd/api-firewall/internal/handlers/graphql/run.go
@@ -24,9 +24,8 @@ import (
 const (
 	logPrefix = "main"
 
-	initialPoolCapacity = 100
-	livenessEndpoint    = "/v1/liveness"
-	readinessEndpoint   = "/v1/readiness"
+	livenessEndpoint  = "/v1/liveness"
+	readinessEndpoint = "/v1/readiness"
 )
 
 func Run(logger zerolog.Logger) error {
@@ -113,28 +112,20 @@ func Run(logger zerolog.Logger) error {
 		}
 	}
 
-	initialCap := initialPoolCapacity
-
-	if cfg.Server.ClientPoolCapacity < initialPoolCapacity {
-		initialCap = 1
-	}
-
-	options := proxy.Options{
-		InitialPoolCapacity: initialCap,
-		ClientPoolCapacity:  cfg.Server.ClientPoolCapacity,
-		InsecureConnection:  cfg.Server.InsecureConnection,
-		RootCA:              cfg.Server.RootCA,
+	pool, err := proxy.NewPoolV2(host, &proxy.PoolV2Options{
 		MaxConnsPerHost:     cfg.Server.MaxConnsPerHost,
+		MaxIdleConnDuration: cfg.Server.MaxIdleConnDuration,
 		ReadTimeout:         cfg.Server.ReadTimeout,
 		WriteTimeout:        cfg.Server.WriteTimeout,
+		DialTimeout:         cfg.Server.DialTimeout,
 		ReadBufferSize:      cfg.Server.ReadBufferSize,
 		WriteBufferSize:     cfg.Server.WriteBufferSize,
 		MaxResponseBodySize: cfg.Server.MaxResponseBodySize,
-		DialTimeout:         cfg.Server.DialTimeout,
+		InsecureConnection:  cfg.Server.InsecureConnection,
+		RootCA:              cfg.Server.RootCA,
+		HealthCheckInterval: cfg.Server.HealthCheckInterval,
 		Logger:              logger,
-	}
-
-	pool, err := proxy.NewChanPool(host, &options)
+	})
 	if err != nil {
 		return errors.Wrap(err, "proxy pool init")
 	}

diff --git a/cmd/api-firewall/internal/handlers/proxy/run.go b/cmd/api-firewall/internal/handlers/proxy/run.go
@@ -1,9 +1,7 @@
 package proxy
 
 import (
-	"context"
 	"mime"
-	"net"
 	"net/url"
 	"os"
 	"os/signal"
@@ -29,9 +27,8 @@ import (
 )
 
 const (
-	initialPoolCapacity = 100
-	livenessEndpoint    = "/v1/liveness"
-	readinessEndpoint   = "/v1/readiness"
+	livenessEndpoint  = "/v1/liveness"
+	readinessEndpoint = "/v1/readiness"
 )
 
 func Run(logger zerolog.Logger) error {
@@ -145,63 +142,20 @@ func Run(logger zerolog.Logger) error {
 		}
 	}
 
-	initialCap := initialPoolCapacity
-
-	if cfg.Server.ClientPoolCapacity < initialPoolCapacity {
-		initialCap = 1
-	}
-
-	// default DNS resolver
-	resolver := &net.Resolver{
-		PreferGo:     true,
-		StrictErrors: false,
-	}
-
-	// configuration of the custom DNS server
-	if cfg.DNS.Nameserver.Host != "" {
-		var builder strings.Builder
-		builder.WriteString(cfg.DNS.Nameserver.Host)
-		builder.WriteString(":")
-		builder.WriteString(cfg.DNS.Nameserver.Port)
-
-		resolver.Dial = func(ctx context.Context, network, address string) (net.Conn, error) {
-			d := net.Dialer{
-				Timeout: cfg.DNS.LookupTimeout,
-			}
-			return d.DialContext(ctx, cfg.DNS.Nameserver.Proto, builder.String())
-		}
-	}
-
-	// init DNS resolver
-	dnsCacheOptions := proxy.DNSCacheOptions{
-		UseCache:      cfg.DNS.Cache,
-		Logger:        logger,
-		FetchTimeout:  cfg.DNS.FetchTimeout,
-		LookupTimeout: cfg.DNS.LookupTimeout,
-	}
-
-	dnsResolver, err := proxy.NewDNSResolver(resolver, &dnsCacheOptions)
-	if err != nil {
-		return errors.Wrap(err, "DNS cache resolver init")
-	}
-
-	options := proxy.Options{
-		InitialPoolCapacity: initialCap,
-		ClientPoolCapacity:  cfg.Server.ClientPoolCapacity,
-		InsecureConnection:  cfg.Server.InsecureConnection,
-		RootCA:              cfg.Server.RootCA,
+	pool, err := proxy.NewPoolV2(host, &proxy.PoolV2Options{
 		MaxConnsPerHost:     cfg.Server.MaxConnsPerHost,
+		MaxIdleConnDuration: cfg.Server.MaxIdleConnDuration,
 		ReadTimeout:         cfg.Server.ReadTimeout,
 		WriteTimeout:        cfg.Server.WriteTimeout,
+		DialTimeout:         cfg.Server.DialTimeout,
 		ReadBufferSize:      cfg.Server.ReadBufferSize,
 		WriteBufferSize:     cfg.Server.WriteBufferSize,
 		MaxResponseBodySize: cfg.Server.MaxResponseBodySize,
-		DialTimeout:         cfg.Server.DialTimeout,
-		DNSConfig:           cfg.DNS,
+		InsecureConnection:  cfg.Server.InsecureConnection,
+		RootCA:              cfg.Server.RootCA,
+		HealthCheckInterval: cfg.Server.HealthCheckInterval,
 		Logger:              logger,
-		DNSResolver:         dnsResolver,
-	}
-	pool, err := proxy.NewChanPool(host, &options)
+	})
 	if err != nil {
 		return errors.Wrap(err, "proxy pool init")
 	}

diff --git a/cmd/api-firewall/tests/main_graphql_bench_test.go b/cmd/api-firewall/tests/main_graphql_bench_test.go
@@ -3,7 +3,6 @@ package tests
 import (
 	"bytes"
 	"errors"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -126,38 +125,14 @@ func BenchmarkGraphQL(b *testing.B) {
 	}
 	host := serverURL.Host
 
-	initialCap := 100
-
-	// default DNS resolver
-	resolver := &net.Resolver{
-		PreferGo:     true,
-		StrictErrors: false,
-	}
-
-	// init DNS resolver
-	dnsCacheOptions := proxy.DNSCacheOptions{
-		UseCache:      false,
-		Logger:        logger,
-		LookupTimeout: 1000 * time.Millisecond,
-	}
-
-	dnsResolver, err := proxy.NewDNSResolver(resolver, &dnsCacheOptions)
-	if err != nil {
-		b.Fatal(err, "DNS cache resolver init")
-	}
-
-	options := proxy.Options{
-		InitialPoolCapacity: initialCap,
-		ClientPoolCapacity:  1000,
-		InsecureConnection:  true,
-		MaxConnsPerHost:     512,
-		ReadTimeout:         5 * time.Second,
-		WriteTimeout:        5 * time.Second,
-		DialTimeout:         5 * time.Second,
-		DNSResolver:         dnsResolver,
-		Logger:              logger,
-	}
-	pool, err := proxy.NewChanPool(host, &options)
+	pool, err := proxy.NewPoolV2(host, &proxy.PoolV2Options{
+		InsecureConnection: true,
+		MaxConnsPerHost:    512,
+		ReadTimeout:        5 * time.Second,
+		WriteTimeout:       5 * time.Second,
+		DialTimeout:        5 * time.Second,
+		Logger:             logger,
+	})
 	if err != nil {
 		b.Fatalf("proxy pool init: %v", err)
 	}