From 28ea2c62de5fd7b9c8d4fcd03decfd0e0e1db09e Mon Sep 17 00:00:00 2001
From: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
Date: Tue, 7 Jan 2025 18:18:46 +0100
Subject: [PATCH] Refactor backend logic with an Origin struct

I feel like going it's nowhere...
Backend logic is messy and unclear, buffers are needlessly kept alive,
borrowing subsets of the HTTP session is harder and harder, reseting
default answers request is way too hard for what it's worth (it's
probably broken right now), gauges are desynched and we are cloning
again and again String ids...

Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
---
 command/assets/custom_200.html      |   1 -
 command/assets/custom_404.html      |   1 -
 command/assets/custom_503.html      |   1 -
 command/src/state.rs                |   1 +
 e2e/src/http_utils/mod.rs           |  15 +-
 e2e/src/tests/tests.rs              |  20 +-
 lib/src/http.rs                     |  25 +-
 lib/src/https.rs                    |  23 +-
 lib/src/lib.rs                      |   4 +-
 lib/src/protocol/kawa_h1/answers.rs |  83 +++--
 lib/src/protocol/kawa_h1/editor.rs  |   2 +
 lib/src/protocol/kawa_h1/mod.rs     | 544 +++++++++++++---------------
 lib/src/router/mod.rs               |   5 +-
 lib/src/tcp.rs                      |  12 +-
 14 files changed, 360 insertions(+), 377 deletions(-)

diff --git a/command/assets/custom_200.html b/command/assets/custom_200.html
index 73e5926d9..12f2ca492 100644
--- a/command/assets/custom_200.html
+++ b/command/assets/custom_200.html
@@ -1,5 +1,4 @@
 HTTP/1.1 200 OK
-%Content-Length: %CONTENT_LENGTH
 Sozu-Id: %REQUEST_ID
 
 <h1>%CLUSTER_ID Custom 200</h1>
diff --git a/command/assets/custom_404.html b/command/assets/custom_404.html
index 8302d4319..e331b285e 100644
--- a/command/assets/custom_404.html
+++ b/command/assets/custom_404.html
@@ -1,6 +1,5 @@
 HTTP/1.1 404 Not Found
 Cache-Control: no-cache
-Connection: close
 Sozu-Id: %REQUEST_ID
 
 <h1>My own 404 error page</h1>
diff --git a/command/assets/custom_503.html b/command/assets/custom_503.html
index ac12b8825..4484f8a4e 100644
--- a/command/assets/custom_503.html
+++ b/command/assets/custom_503.html
@@ -1,7 +1,6 @@
 HTTP/1.1 503 Service Unavailable
 Cache-Control: no-cache
 Connection: close
-%Content-Length: %CONTENT_LENGTH
 Sozu-Id: %REQUEST_ID
 
 <h1>MyCluster: 503 Service Unavailable</h1>
diff --git a/command/src/state.rs b/command/src/state.rs
index 9413fa203..0d6524b23 100644
--- a/command/src/state.rs
+++ b/command/src/state.rs
@@ -1724,6 +1724,7 @@ mod tests {
                 hostname: String::from("test.local"),
                 path: PathRule::prefix(String::from("/abc")),
                 address: SocketAddress::new_v4(0, 0, 0, 0, 8080),
+                required_auth: Some(false),
                 redirect: Some(RedirectPolicy::Forward.into()),
                 redirect_scheme: Some(RedirectScheme::UseSame.into()),
                 ..Default::default()
diff --git a/e2e/src/http_utils/mod.rs b/e2e/src/http_utils/mod.rs
index 9e6248df2..345ebc1a3 100644
--- a/e2e/src/http_utils/mod.rs
+++ b/e2e/src/http_utils/mod.rs
@@ -24,12 +24,17 @@ pub fn http_request<S1: Into<String>, S2: Into<String>, S3: Into<String>, S4: In
     )
 }
 
-pub fn immutable_answer(status: u16) -> String {
+pub fn immutable_answer(status: u16, content_length: bool) -> String {
+    let content_length = if content_length {
+        "\r\nContent-Length: 0"
+    } else {
+        ""
+    };
     match status {
-        400 => String::from("HTTP/1.1 400 Bad Request\r\nCache-Control: no-cache\r\nConnection: close\r\n\r\n"),
-        404 => String::from("HTTP/1.1 404 Not Found\r\nCache-Control: no-cache\r\nConnection: close\r\n\r\n"),
-        502 => String::from("HTTP/1.1 502 Bad Gateway\r\nCache-Control: no-cache\r\nConnection: close\r\n\r\n"),
-        503 => String::from("HTTP/1.1 503 Service Unavailable\r\nCache-Control: no-cache\r\nConnection: close\r\n\r\n"),
+        400 => format!("HTTP/1.1 400 Bad Request\r\nCache-Control: no-cache\r\nConnection: close{content_length}\r\n\r\n"),
+        404 => format!("HTTP/1.1 404 Not Found\r\nCache-Control: no-cache\r\nConnection: close{content_length}\r\n\r\n"),
+        502 => format!("HTTP/1.1 502 Bad Gateway\r\nCache-Control: no-cache\r\nConnection: close{content_length}\r\n\r\n"),
+        503 => format!("HTTP/1.1 503 Service Unavailable\r\nCache-Control: no-cache\r\nConnection: close{content_length}\r\n\r\n"),
         _ => unimplemented!()
     }
 }
diff --git a/e2e/src/tests/tests.rs b/e2e/src/tests/tests.rs
index 89727f53e..4fb54f908 100644
--- a/e2e/src/tests/tests.rs
+++ b/e2e/src/tests/tests.rs
@@ -645,10 +645,10 @@ fn try_http_behaviors() -> State {
         .to_http(None)
         .unwrap();
     http_config.answers = BTreeMap::from([
-        ("400".to_string(), immutable_answer(400)),
-        ("404".to_string(), immutable_answer(404)),
-        ("502".to_string(), immutable_answer(502)),
-        ("503".to_string(), immutable_answer(503)),
+        ("400".to_string(), immutable_answer(400, false)),
+        ("404".to_string(), immutable_answer(404, false)),
+        ("502".to_string(), immutable_answer(502, false)),
+        ("503".to_string(), immutable_answer(503, false)),
     ]);
 
     worker.send_proxy_request_type(RequestType::AddHttpListener(http_config));
@@ -671,7 +671,7 @@ fn try_http_behaviors() -> State {
 
     let response = client.receive();
     println!("response: {response:?}");
-    assert_eq!(response, Some(immutable_answer(404)));
+    assert_eq!(response, Some(immutable_answer(404, true)));
     assert_eq!(client.receive(), None);
 
     worker.send_proxy_request_type(RequestType::AddHttpFrontend(RequestHttpFrontend {
@@ -686,7 +686,7 @@ fn try_http_behaviors() -> State {
 
     let response = client.receive();
     println!("response: {response:?}");
-    assert_eq!(response, Some(immutable_answer(503)));
+    assert_eq!(response, Some(immutable_answer(503, true)));
     assert_eq!(client.receive(), None);
 
     let back_address = create_local_address();
@@ -706,7 +706,7 @@ fn try_http_behaviors() -> State {
 
     let response = client.receive();
     println!("response: {response:?}");
-    assert_eq!(response, Some(immutable_answer(400)));
+    assert_eq!(response, Some(immutable_answer(400, true)));
     assert_eq!(client.receive(), None);
 
     let mut backend = SyncBackend::new("backend", back_address, "TEST\r\n\r\n");
@@ -723,7 +723,7 @@ fn try_http_behaviors() -> State {
     let response = client.receive();
     println!("request: {request:?}");
     println!("response: {response:?}");
-    assert_eq!(response, Some(immutable_answer(502)));
+    assert_eq!(response, Some(immutable_answer(502, true)));
     assert_eq!(client.receive(), None);
 
     info!("expecting 200");
@@ -786,7 +786,7 @@ fn try_http_behaviors() -> State {
     let response = client.receive();
     println!("request: {request:?}");
     println!("response: {response:?}");
-    assert_eq!(response, Some(immutable_answer(503)));
+    assert_eq!(response, Some(immutable_answer(503, true)));
     assert_eq!(client.receive(), None);
 
     worker.send_proxy_request_type(RequestType::RemoveBackend(RemoveBackend {
@@ -984,7 +984,7 @@ fn try_https_redirect() -> State {
     client.connect();
     client.send();
     let answer = client.receive();
-    let expected_answer = format!("{answer_301_prefix}https://example.com/redirected?true\r\n\r\n");
+    let expected_answer = format!("{answer_301_prefix}https://example.com/redirected?true\r\nContent-Length: 0\r\n\r\n");
     assert_eq!(answer, Some(expected_answer));
 
     State::Success
diff --git a/lib/src/http.rs b/lib/src/http.rs
index a430c1f17..8c2b20c07 100644
--- a/lib/src/http.rs
+++ b/lib/src/http.rs
@@ -209,11 +209,14 @@ impl HttpSession {
         }
     }
 
-    fn upgrade_http(&mut self, http: Http<TcpStream, HttpListener>) -> Option<HttpStateMachine> {
+    fn upgrade_http(
+        &mut self,
+        mut http: Http<TcpStream, HttpListener>,
+    ) -> Option<HttpStateMachine> {
         debug!("http switching to ws");
-        let front_token = self.frontend_token;
-        let back_token = match http.backend_token {
-            Some(back_token) => back_token,
+        let frontend_token = self.frontend_token;
+        let origin = match http.origin.take() {
+            Some(origin) => origin,
             None => {
                 warn!(
                     "Could not upgrade http request on cluster '{:?}' ({:?}) using backend '{:?}' into websocket for request '{}'",
@@ -223,7 +226,7 @@ impl HttpSession {
             }
         };
 
-        let ws_context = http.websocket_context();
+        let websocket_context = http.websocket_context();
         let mut container_frontend_timeout = http.container_frontend_timeout;
         let mut container_backend_timeout = http.container_backend_timeout;
         container_frontend_timeout.reset();
@@ -237,25 +240,25 @@ impl HttpSession {
 
         let mut pipe = Pipe::new(
             backend_buffer,
-            http.context.backend_id,
-            http.backend_socket,
-            http.backend,
+            Some(origin.backend_id),
+            Some(origin.socket),
+            Some(origin.backend),
             Some(container_backend_timeout),
             Some(container_frontend_timeout),
             http.context.cluster_id,
             http.request_stream.storage.buffer,
-            front_token,
+            frontend_token,
             http.frontend_socket,
             self.listener.clone(),
             Protocol::HTTP,
             http.context.id,
             http.context.session_address,
-            ws_context,
+            websocket_context,
         );
 
         pipe.frontend_readiness.event = http.frontend_readiness.event;
         pipe.backend_readiness.event = http.backend_readiness.event;
-        pipe.set_back_token(back_token);
+        pipe.set_back_token(origin.token);
 
         gauge_add!("protocol.http", -1);
         gauge_add!("protocol.ws", 1);
diff --git a/lib/src/https.rs b/lib/src/https.rs
index abaf162c0..58e632ef3 100644
--- a/lib/src/https.rs
+++ b/lib/src/https.rs
@@ -329,11 +329,14 @@ impl HttpsSession {
         }
     }
 
-    fn upgrade_http(&self, http: Http<FrontRustls, HttpsListener>) -> Option<HttpsStateMachine> {
+    fn upgrade_http(
+        &self,
+        mut http: Http<FrontRustls, HttpsListener>,
+    ) -> Option<HttpsStateMachine> {
         debug!("https switching to wss");
         let front_token = self.frontend_token;
-        let back_token = match http.backend_token {
-            Some(back_token) => back_token,
+        let origin = match http.origin.take() {
+            Some(origin) => origin,
             None => {
                 warn!(
                     "Could not upgrade https request on cluster '{:?}' ({:?}) using backend '{:?}' into secure websocket for request '{}'",
@@ -343,7 +346,7 @@ impl HttpsSession {
             }
         };
 
-        let ws_context = http.websocket_context();
+        let websocket_context = http.websocket_context();
         let mut container_frontend_timeout = http.container_frontend_timeout;
         let mut container_backend_timeout = http.container_backend_timeout;
         container_frontend_timeout.reset();
@@ -357,9 +360,9 @@ impl HttpsSession {
 
         let mut pipe = Pipe::new(
             backend_buffer,
-            http.context.backend_id,
-            http.backend_socket,
-            http.backend,
+            Some(origin.backend_id),
+            Some(origin.socket),
+            Some(origin.backend),
             Some(container_backend_timeout),
             Some(container_frontend_timeout),
             http.context.cluster_id,
@@ -367,15 +370,15 @@ impl HttpsSession {
             front_token,
             http.frontend_socket,
             self.listener.clone(),
-            Protocol::HTTP,
+            Protocol::HTTPS,
             http.context.id,
             http.context.session_address,
-            ws_context,
+            websocket_context,
         );
 
         pipe.frontend_readiness.event = http.frontend_readiness.event;
         pipe.backend_readiness.event = http.backend_readiness.event;
-        pipe.set_back_token(back_token);
+        pipe.set_back_token(origin.token);
 
         gauge_add!("protocol.https", -1);
         gauge_add!("protocol.wss", 1);
diff --git a/lib/src/lib.rs b/lib/src/lib.rs
index 311e83f16..eb858aafe 100644
--- a/lib/src/lib.rs
+++ b/lib/src/lib.rs
@@ -953,7 +953,6 @@ pub struct SessionMetrics {
     pub service_start: Option<Instant>,
     pub wait_start: Instant,
 
-    pub backend_id: Option<String>,
     pub backend_start: Option<Instant>,
     pub backend_connected: Option<Instant>,
     pub backend_stop: Option<Instant>,
@@ -971,7 +970,6 @@ impl SessionMetrics {
             bout: 0,
             service_start: None,
             wait_start: Instant::now(),
-            backend_id: None,
             backend_start: None,
             backend_connected: None,
             backend_stop: None,
@@ -1072,7 +1070,7 @@ impl SessionMetrics {
         time!("request_time", request_time.as_millis());
         time!("service_time", service_time.as_millis());
 
-        if let Some(backend_id) = self.backend_id.as_ref() {
+        if let Some(backend_id) = context.backend_id {
             if let Some(backend_response_time) = self.backend_response_time() {
                 record_backend_metrics!(
                     context.cluster_id.as_str_or("-"),
diff --git a/lib/src/protocol/kawa_h1/answers.rs b/lib/src/protocol/kawa_h1/answers.rs
index 6a8ae2b76..a4b4651ad 100644
--- a/lib/src/protocol/kawa_h1/answers.rs
+++ b/lib/src/protocol/kawa_h1/answers.rs
@@ -1,7 +1,7 @@
 use crate::{protocol::http::DefaultAnswer, sozu_command::state::ClusterId};
 use kawa::{
-    h1::NoCallbacks, AsBuffer, Block, BodySize, Buffer, Chunk, Kawa, Kind, Pair, ParsingPhase,
-    ParsingPhaseMarker, StatusLine, Store,
+    h1::NoCallbacks, AsBuffer, Block, BodySize, Buffer, Chunk, Flags, Kawa, Kind, Pair,
+    ParsingPhase, ParsingPhaseMarker, StatusLine, Store,
 };
 use nom::AsBytes;
 use std::{
@@ -11,6 +11,8 @@ use std::{
     str::from_utf8_unchecked,
 };
 
+use super::parser::compare_no_case;
+
 #[derive(Clone)]
 pub struct SharedBuffer(Rc<[u8]>);
 
@@ -34,6 +36,8 @@ pub enum TemplateError {
     InvalidTemplate(ParsingPhase),
     #[error("unexpected status code: {0}")]
     InvalidStatusCode(u16),
+    #[error("unexpected size info: {0:?}")]
+    InvalidSizeInfo(BodySize),
     #[error("streaming is not supported in templates")]
     UnsupportedStreaming,
     #[error("template variable {0} is not allowed in headers")]
@@ -68,6 +72,7 @@ pub struct Replacement {
 // TODO: rename for clarity, for instance HttpAnswerTemplate
 pub struct Template {
     status: u16,
+    keep_alive: bool,
     kawa: DefaultAnswerStream,
     body_replacements: Vec<Replacement>,
     header_replacements: Vec<Replacement>,
@@ -126,6 +131,9 @@ impl Template {
         if !kawa.is_main_phase() {
             return Err(TemplateError::InvalidTemplate(kawa.parsing_phase));
         }
+        if kawa.body_size != BodySize::Empty {
+            return Err(TemplateError::InvalidSizeInfo(kawa.body_size));
+        }
         let status = if let StatusLine::Response { code, .. } = &kawa.detached.status_line {
             if let Some(expected_code) = status {
                 if expected_code != *code {
@@ -141,16 +149,35 @@ impl Template {
         let mut header_replacements = Vec::new();
         let mut body_replacements = Vec::new();
         let mut body_size = 0;
+        let mut keep_alive = true;
         let mut used_once = Vec::new();
         for mut block in kawa.blocks.into_iter() {
             match &mut block {
                 Block::ChunkHeader(_) => return Err(TemplateError::UnsupportedStreaming),
+                Block::Flags(Flags {
+                    end_header: true, ..
+                }) => {
+                    header_replacements.push(Replacement {
+                        block_index: blocks.len(),
+                        typ: ReplacementType::ContentLength,
+                    });
+                    blocks.push_back(Block::Header(Pair {
+                        key: Store::Static(b"Content-Length"),
+                        val: Store::Static(b"PLACEHOLDER"),
+                    }));
+                    blocks.push_back(block);
+                }
                 Block::StatusLine | Block::Cookies | Block::Flags(_) => {
                     blocks.push_back(block);
                 }
                 Block::Header(Pair { key, val }) => {
                     let val_data = val.data(buf);
                     let key_data = key.data(buf);
+                    if compare_no_case(key_data, b"connection")
+                        && compare_no_case(val_data, b"close")
+                    {
+                        keep_alive = false;
+                    }
                     if let Some(b'%') = val_data.first() {
                         for variable in &variables {
                             if &val_data[1..] == variable.name.as_bytes() {
@@ -168,11 +195,7 @@ impl Template {
                                         }
                                         used_once.push(var_index);
                                     }
-                                    ReplacementType::ContentLength => {
-                                        if let Some(b'%') = key_data.first() {
-                                            *key = Store::new_slice(buf, &key_data[1..]);
-                                        }
-                                    }
+                                    ReplacementType::ContentLength => {}
                                 }
                                 header_replacements.push(Replacement {
                                     block_index: blocks.len(),
@@ -240,6 +263,7 @@ impl Template {
         kawa.blocks = blocks;
         Ok(Self {
             status,
+            keep_alive,
             kawa,
             body_replacements,
             header_replacements,
@@ -306,7 +330,6 @@ pub struct HttpAnswers {
 }
 
 // const HEADERS: &str = "Connection: close\r
-// Content-Length: 0\r
 // Sozu-Id: %REQUEST_ID\r
 // \r";
 // const STYLE: &str = "<style>
@@ -324,7 +347,6 @@ fn fallback() -> String {
 HTTP/1.1 404 Not Found\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -350,7 +372,6 @@ fn default_301() -> String {
 HTTP/1.1 301 Moved Permanently\r
 Location: %REDIRECT_LOCATION\r
 Connection: close\r
-Content-Length: 0\r
 Sozu-Id: %REQUEST_ID\r
 \r\n",
     )
@@ -362,7 +383,6 @@ fn default_400() -> String {
 HTTP/1.1 400 Bad Request\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -411,7 +431,6 @@ fn default_401() -> String {
 HTTP/1.1 401 Unauthorized\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -433,8 +452,6 @@ fn default_404() -> String {
         "\
 HTTP/1.1 404 Not Found\r
 Cache-Control: no-cache\r
-Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -457,7 +474,6 @@ fn default_408() -> String {
 HTTP/1.1 408 Request Timeout\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -481,7 +497,6 @@ fn default_413() -> String {
 HTTP/1.1 413 Payload Too Large\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -505,7 +520,6 @@ fn default_502() -> String {
 HTTP/1.1 502 Bad Gateway\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -556,7 +570,6 @@ fn default_503() -> String {
 HTTP/1.1 503 Service Unavailable\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -582,7 +595,6 @@ fn default_504() -> String {
 HTTP/1.1 504 Gateway Timeout\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -608,7 +620,6 @@ fn default_507() -> String {
 HTTP/1.1 507 Insufficient Storage\r
 Cache-Control: no-cache\r
 Connection: close\r
-%Content-Length: %CONTENT_LENGTH\r
 Sozu-Id: %REQUEST_ID\r
 \r
 <html><head><meta charset='utf-8'><head><body>
@@ -645,13 +656,6 @@ fn phase_to_vec(phase: ParsingPhaseMarker) -> Vec<u8> {
 impl HttpAnswers {
     #[rustfmt::skip]
     pub fn template(name: &str, answer: &str) -> Result<Template, (String, TemplateError)> {
-        let length = TemplateVariable {
-            name: "CONTENT_LENGTH",
-            valid_in_body: false,
-            valid_in_header: true,
-            typ: ReplacementType::ContentLength,
-        };
-
         let route = TemplateVariable {
             name: "ROUTE",
             valid_in_body: true,
@@ -736,57 +740,57 @@ impl HttpAnswers {
             "301" => Template::new(
                 Some(301),
                 answer,
-                &[length, route, request_id, location]
+                &[route, request_id, location]
             ),
             "400" => Template::new(
                 Some(400),
                 answer,
-                &[length, route, request_id, message, phase, successfully_parsed, partially_parsed, invalid],
+                &[route, request_id, message, phase, successfully_parsed, partially_parsed, invalid],
             ),
             "401" => Template::new(
                 Some(401),
                 answer,
-                &[length, route, request_id]
+                &[route, request_id]
             ),
             "404" => Template::new(
                 Some(404),
                 answer,
-                &[length, route, request_id]
+                &[route, request_id]
             ),
             "408" => Template::new(
                 Some(408),
                 answer,
-                &[length, route, request_id, duration]
+                &[route, request_id, duration]
             ),
             "413" => Template::new(
                 Some(413),
                 answer,
-                &[length, route, request_id, capacity, message, phase],
+                &[route, request_id, capacity, message, phase],
             ),
             "502" => Template::new(
                 Some(502),
                 answer,
-                &[length, route, request_id, cluster_id, backend_id, message, phase, successfully_parsed, partially_parsed, invalid],
+                &[route, request_id, cluster_id, backend_id, message, phase, successfully_parsed, partially_parsed, invalid],
             ),
             "503" => Template::new(
                 Some(503),
                 answer,
-                &[length, route, request_id, cluster_id, backend_id, message],
+                &[route, request_id, cluster_id, backend_id, message],
             ),
             "504" => Template::new(
                 Some(504),
                 answer,
-                &[length, route, request_id, cluster_id, backend_id, duration],
+                &[route, request_id, cluster_id, backend_id, duration],
             ),
             "507" => Template::new(
                 Some(507),
                 answer,
-                &[length, route, request_id, cluster_id, backend_id, capacity, message, phase],
+                &[route, request_id, cluster_id, backend_id, capacity, message, phase],
             ),
             _ => Template::new(
                 None,
                 answer,
-                &[length, route, request_id, cluster_id, location, template_name]
+                &[route, request_id, cluster_id, location, template_name]
             )
         }
         .map_err(|e| (name.to_owned(), e))
@@ -852,7 +856,7 @@ impl HttpAnswers {
         cluster_id: Option<&str>,
         backend_id: Option<&str>,
         route: String,
-    ) -> (u16, DefaultAnswerStream) {
+    ) -> (u16, bool, DefaultAnswerStream) {
         let variables: Vec<Vec<u8>>;
         let mut variables_once: Vec<Vec<u8>>;
         let name = match answer {
@@ -987,6 +991,7 @@ impl HttpAnswers {
             .unwrap_or(&self.fallback);
         (
             template.status,
+            template.keep_alive,
             template.fill(&variables, &mut variables_once),
         )
     }
diff --git a/lib/src/protocol/kawa_h1/editor.rs b/lib/src/protocol/kawa_h1/editor.rs
index 7f6f6a2c1..4ab83418c 100644
--- a/lib/src/protocol/kawa_h1/editor.rs
+++ b/lib/src/protocol/kawa_h1/editor.rs
@@ -365,6 +365,8 @@ impl HttpContext {
         self.status = None;
         self.reason = None;
         self.user_agent = None;
+        self.cluster_id = None;
+        self.backend_id = None;
     }
 
     pub fn log_context(&self) -> LogContext {
diff --git a/lib/src/protocol/kawa_h1/mod.rs b/lib/src/protocol/kawa_h1/mod.rs
index efbd10b12..e43e9c802 100644
--- a/lib/src/protocol/kawa_h1/mod.rs
+++ b/lib/src/protocol/kawa_h1/mod.rs
@@ -6,6 +6,7 @@ pub mod parser;
 use std::{
     cell::RefCell,
     io::ErrorKind,
+    mem,
     net::{Shutdown, SocketAddr},
     rc::{Rc, Weak},
     str::from_utf8_unchecked,
@@ -40,10 +41,9 @@ use crate::{
     socket::{stats::socket_rtt, SocketHandler, SocketResult, TransportProtocol},
     sozu_command::{logging::LogContext, ready::Ready},
     timer::TimeoutContainer,
-    AcceptError, BackendConnectAction, BackendConnectionError, BackendConnectionStatus,
-    FrontendFromRequestError, L7ListenerHandler, L7Proxy, ListenerHandler, Protocol, ProxySession,
-    Readiness, RetrieveClusterError, SessionIsToBeClosed, SessionMetrics, SessionResult,
-    StateResult,
+    AcceptError, BackendConnectAction, BackendConnectionError, FrontendFromRequestError,
+    L7ListenerHandler, L7Proxy, ListenerHandler, Protocol, ProxySession, Readiness,
+    RetrieveClusterError, SessionIsToBeClosed, SessionMetrics, SessionResult, StateResult,
 };
 
 /// This macro is defined uniquely in this module to help the tracking of kawa h1
@@ -57,7 +57,7 @@ macro_rules! log_context {
             $self.context.session_address.map(|addr| addr.to_string()).unwrap_or_else(|| "<none>".to_string()),
             $self.frontend_token.0,
             $self.frontend_readiness,
-            $self.backend_token.map(|token| token.0.to_string()).unwrap_or_else(|| "<none>".to_string()),
+            $self.origin.as_ref().map(|origin| origin.token.0.to_string()).unwrap_or_else(|| "<none>".to_string()),
             $self.backend_readiness,
         )
     };
@@ -132,17 +132,35 @@ pub enum TimeoutStatus {
 pub enum ResponseStream {
     BackendAnswer(GenericHttpStream),
     DefaultAnswer(u16, DefaultAnswerStream),
+    DefaultAnswerKA(u16, DefaultAnswerStream, GenericHttpStream),
+    Swaping,
+}
+
+#[derive(Debug)]
+pub struct Origin {
+    pub cluster_id: String,
+    pub backend_id: String,
+    pub backend: Rc<RefCell<Backend>>,
+    pub token: Token,
+    connected: bool,
+    pub socket: TcpStream,
+}
+
+impl Origin {
+    fn is_connected_to(&self, cluster_id: &str) -> bool {
+        self.cluster_id == cluster_id && self.connected
+    }
 }
 
 /// Http will be contained in State which itself is contained by Session
 pub struct Http<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> {
     answers: Rc<RefCell<answers::HttpAnswers>>,
-    pub backend: Option<Rc<RefCell<Backend>>>,
-    backend_connection_status: BackendConnectionStatus,
-    pub backend_readiness: Readiness,
-    pub backend_socket: Option<TcpStream>,
+    /// The last origin server we tried to communicate with.
+    /// It may be connected or connecting. It may be the server serving the current response,
+    /// or a server kept alive while a default answer is sent. Its cluster_id might differ from context.cluster_id
+    pub origin: Option<Origin>,
     backend_stop: Option<Instant>,
-    pub backend_token: Option<Token>,
+    pub backend_readiness: Readiness,
     pub container_backend_timeout: TimeoutContainer,
     pub container_frontend_timeout: TimeoutContainer,
     configured_backend_timeout: Duration,
@@ -202,12 +220,9 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         };
         Ok(Http {
             answers,
-            backend_connection_status: BackendConnectionStatus::NotConnected,
-            backend_readiness: Readiness::new(),
-            backend_socket: None,
+            origin: None,
             backend_stop: None,
-            backend_token: None,
-            backend: None,
+            backend_readiness: Readiness::new(),
             configured_backend_timeout,
             configured_connect_timeout,
             configured_frontend_timeout,
@@ -272,9 +287,11 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         self.keepalive_count += 1;
         gauge_add!("http.active_requests", -1);
 
-        if let Some(backend) = &mut self.backend {
-            let mut backend = backend.borrow_mut();
-            backend.active_requests = backend.active_requests.saturating_sub(1);
+        if let Some(origin) = &self.origin {
+            if origin.connected {
+                let mut backend = origin.backend.borrow_mut();
+                backend.active_requests = backend.active_requests.saturating_sub(1);
+            }
         }
 
         // reset the front timeout and cancel the back timeout while we are
@@ -285,10 +302,6 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         self.frontend_readiness.interest = Ready::READABLE | Ready::HUP | Ready::ERROR;
         self.backend_readiness.interest = Ready::HUP | Ready::ERROR;
 
-        // We are resetting the offset of request and response stream buffers
-        // We do have to keep cursor position on the request, if there is data
-        // in the request stream to preserve http pipelining.
-
         // Print the left-over response buffer output to track in which case it
         // may happens
         let response_storage = &mut response_stream.storage;
@@ -304,6 +317,9 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             );
         }
 
+        // We are resetting the offset of request and response stream buffers
+        // We do have to keep cursor position on the request, if there is data
+        // in the request stream to preserve http pipelining.
         response_storage.clear();
         if !self.request_stream.storage.is_empty() {
             self.frontend_readiness.event.insert(Ready::READABLE);
@@ -324,7 +340,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
 
         let response_stream = match &mut self.response_stream {
             ResponseStream::BackendAnswer(response_stream) => response_stream,
-            ResponseStream::DefaultAnswer(..) => {
+            _ => {
                 error!(
                     "{} Sending default answer, should not read from frontend socket",
                     log_context!(self)
@@ -607,7 +623,8 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             log_context!(self)
         );
         let response_stream = match &mut self.response_stream {
-            ResponseStream::DefaultAnswer(_, response_stream) => response_stream,
+            ResponseStream::DefaultAnswer(_, response_stream)
+            | ResponseStream::DefaultAnswerKA(_, response_stream, _) => response_stream,
             _ => return StateResult::CloseSession,
         };
         let bufs = response_stream.as_io_slice();
@@ -622,11 +639,16 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         }
 
         if response_stream.is_completed() {
-            save_http_status_metric(self.context.status, self.context.log_context());
-            self.log_default_answer_success(metrics);
-            self.frontend_readiness.reset();
-            self.backend_readiness.reset();
-            return StateResult::CloseSession;
+            self.log_request_success(metrics);
+            return match mem::replace(&mut self.response_stream, ResponseStream::Swaping) {
+                ResponseStream::DefaultAnswerKA(_, _, kawa_back) => {
+                    self.response_stream = ResponseStream::BackendAnswer(kawa_back);
+                    metrics.reset();
+                    self.reset();
+                    return StateResult::Continue;
+                }
+                _ => StateResult::CloseSession,
+            };
         }
 
         if socket_state == SocketResult::Error {
@@ -653,10 +675,10 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             return SessionResult::Continue;
         }
 
-        let backend_socket = if let Some(backend_socket) = &mut self.backend_socket {
-            backend_socket
+        let backend_socket = if let Some(origin) = &mut self.origin {
+            &mut origin.socket
         } else {
-            self.log_request_error(metrics, "back socket not found, closing session");
+            self.log_request_error(metrics, "backend socket not found, closing session");
             return SessionResult::Close;
         };
 
@@ -738,8 +760,8 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             }
         };
 
-        let backend_socket = if let Some(backend_socket) = &mut self.backend_socket {
-            backend_socket
+        let backend_socket = if let Some(origin) = &mut self.origin {
+            &mut origin.socket
         } else {
             self.log_request_error(metrics, "back socket not found, closing session");
             return SessionResult::Close;
@@ -788,11 +810,12 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         // TODO: close delimited and backend_hup should be handled better
         match socket_state {
             SocketResult::Error => {
-                backend_socket.read_error();
+                // backend_socket.read_error();
+                incr!("tcp.read.error");
                 self.log_request_error(
                     metrics,
                     &format!(
-                        "back socket {socket_state:?}, closing session.  Readiness: {:?} -> {:?}, read {size} bytes",
+                        "back socket {socket_state:?}, closing session. Readiness: {:?} -> {:?}, read {size} bytes",
                         self.frontend_readiness,
                         self.backend_readiness,
                     ),
@@ -880,14 +903,9 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
     }
 
     pub fn get_backend_address(&self) -> Option<SocketAddr> {
-        self.backend
+        self.origin
             .as_ref()
-            .map(|backend| backend.borrow().address)
-            .or_else(|| {
-                self.backend_socket
-                    .as_ref()
-                    .and_then(|backend| backend.peer_addr().ok())
-            })
+            .map(|origin| origin.backend.borrow().address)
     }
 
     // The protocol name used in the access logs
@@ -942,7 +960,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             endpoint: self.log_endpoint(),
             tags,
             client_rtt: socket_rtt(self.front_socket()),
-            server_rtt: self.backend_socket.as_ref().and_then(socket_rtt),
+            server_rtt: self.origin.as_ref().and_then(|origin| socket_rtt(&origin.socket)),
             service_time: metrics.service_time(),
             response_time: metrics.backend_response_time(),
             request_time: metrics.request_time(),
@@ -957,9 +975,6 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         self.log_request(metrics, false, None);
     }
 
-    pub fn log_default_answer_success(&self, metrics: &SessionMetrics) {
-        self.log_request(metrics, false, None);
-    }
     pub fn log_request_error(&self, metrics: &mut SessionMetrics, message: &str) {
         incr!("http.errors");
         error!(
@@ -1021,10 +1036,10 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                 self.context.backend_id.as_deref()
             ),
         }
-        let (status, mut kawa) = self.answers.borrow().get(
+        let (status, keep_alive, mut kawa) = self.answers.borrow().get(
             answer,
             self.context.id.to_string(),
-            self.context.cluster_id.as_deref(), // TODO: this feels wrong
+            self.context.cluster_id.as_deref(),
             self.context.backend_id.as_deref(),
             self.get_route(),
         );
@@ -1037,23 +1052,31 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         kawa.prepare(&mut kawa::h1::BlockConverter);
         self.context.status = Some(status);
         self.context.reason = None;
-        self.context.keep_alive_frontend = false;
-        self.response_stream = ResponseStream::DefaultAnswer(status, kawa);
+        if keep_alive {
+            match mem::replace(&mut self.response_stream, ResponseStream::Swaping) {
+                ResponseStream::BackendAnswer(back_kawa) => {
+                    self.response_stream = ResponseStream::DefaultAnswerKA(status, kawa, back_kawa);
+                }
+                _ => unreachable!(),
+            }
+        } else {
+            self.response_stream = ResponseStream::DefaultAnswer(status, kawa);
+        }
         self.frontend_readiness.interest = Ready::WRITABLE | Ready::HUP | Ready::ERROR;
         self.backend_readiness.interest = Ready::HUP | Ready::ERROR;
     }
 
     pub fn test_backend_socket(&self) -> bool {
-        match self.backend_socket {
-            Some(ref s) => {
+        match &self.origin {
+            Some(origin) => {
                 let mut tmp = [0u8; 1];
-                let res = s.peek(&mut tmp[..]);
+                let res = origin.socket.peek(&mut tmp[..]);
 
                 match res {
                     // if the socket is half open, it will report 0 bytes read (EOF)
                     Ok(0) => false,
                     Ok(_) => true,
-                    Err(e) => matches!(e.kind(), std::io::ErrorKind::WouldBlock),
+                    Err(e) => matches!(e.kind(), ErrorKind::WouldBlock),
                 }
             }
             None => false,
@@ -1062,110 +1085,76 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
 
     pub fn is_valid_backend_socket(&self) -> bool {
         // if socket was last used in the last second, test it
-        match self.backend_stop.as_ref() {
+        match &self.backend_stop {
             Some(stop_instant) => {
-                let now = Instant::now();
-                let dur = now - *stop_instant;
-                if dur > Duration::from_secs(1) {
-                    return self.test_backend_socket();
-                }
+                stop_instant.elapsed() < Duration::from_secs(1) || self.test_backend_socket()
             }
-            None => return self.test_backend_socket(),
+            None => self.test_backend_socket(),
         }
-
-        true
-    }
-
-    pub fn set_backend_socket(&mut self, socket: TcpStream, backend: Option<Rc<RefCell<Backend>>>) {
-        self.backend_socket = Some(socket);
-        self.backend = backend;
     }
 
-    pub fn set_cluster_id(&mut self, cluster_id: String) {
-        self.context.cluster_id = Some(cluster_id);
-    }
-
-    pub fn set_backend_id(&mut self, backend_id: String) {
-        self.context.backend_id = Some(backend_id);
-    }
-
-    pub fn set_backend_token(&mut self, token: Token) {
-        self.backend_token = Some(token);
-    }
-
-    pub fn clear_backend_token(&mut self) {
-        self.backend_token = None;
-    }
-
-    pub fn set_backend_timeout(&mut self, dur: Duration) {
-        if let Some(token) = self.backend_token.as_ref() {
-            self.container_backend_timeout.set_duration(dur);
-            self.container_backend_timeout.set(*token);
-        }
+    pub fn set_backend_timeout(&mut self, token: Token, dur: Duration) {
+        self.container_backend_timeout.set_duration(dur);
+        self.container_backend_timeout.set(token);
     }
 
     pub fn front_socket(&self) -> &TcpStream {
         self.frontend_socket.socket_ref()
     }
 
-    /// WARNING: this function removes the backend entry in the session manager
-    /// IF the backend_token is set, so that entry can be reused for new backend.
-    /// I don't think this is a good idea, but it is a quick fix
-    fn close_backend(&mut self, proxy: Rc<RefCell<dyn L7Proxy>>, metrics: &mut SessionMetrics) {
+    fn close_backend(
+        &mut self,
+        proxy: Rc<RefCell<dyn L7Proxy>>,
+        reuse_entry: bool,
+    ) -> Option<Token> {
         self.container_backend_timeout.cancel();
-        debug!(
-            "{}\tPROXY [{}->{}] CLOSED BACKEND",
-            log_context!(self),
-            self.frontend_token.0,
-            self.backend_token
-                .map(|t| format!("{}", t.0))
-                .unwrap_or_else(|| "-".to_string())
-        );
 
         let proxy = proxy.borrow();
-        if let Some(socket) = &mut self.backend_socket.take() {
-            if let Err(e) = proxy.deregister_socket(socket) {
+        if let Some(mut origin) = self.origin.take() {
+            debug!(
+                "{}\tPROXY [{}->{}] CLOSE BACKEND {:?}",
+                log_context!(self),
+                self.frontend_token.0,
+                format!("{}", origin.token.0),
+                origin
+            );
+
+            if let Err(e) = proxy.deregister_socket(&mut origin.socket) {
                 error!(
                     "{} Error deregistering back socket({:?}): {:?}",
                     log_context!(self),
-                    socket,
+                    origin.socket,
                     e
                 );
             }
-            if let Err(e) = socket.shutdown(Shutdown::Both) {
+            if let Err(e) = origin.socket.shutdown(Shutdown::Both) {
                 if e.kind() != ErrorKind::NotConnected {
                     error!(
                         "{} Error shutting down back socket({:?}): {:?}",
                         log_context!(self),
-                        socket,
+                        origin.socket,
                         e
                     );
                 }
             }
-        }
-
-        if let Some(token) = self.backend_token.take() {
-            proxy.remove_session(token);
-
-            if self.backend_connection_status != BackendConnectionStatus::NotConnected {
-                self.backend_readiness.event = Ready::EMPTY;
-            }
-
-            if self.backend_connection_status == BackendConnectionStatus::Connected {
+            self.backend_readiness.event = Ready::EMPTY;
+            if origin.connected {
                 gauge_add!("backend.connections", -1);
                 gauge_add!(
                     "connections_per_backend",
                     -1,
-                    self.context.cluster_id.as_deref(),
-                    metrics.backend_id.as_deref()
+                    Some(&origin.cluster_id),
+                    Some(&origin.backend_id)
                 );
             }
+            origin.backend.borrow_mut().dec_connections();
 
-            self.set_backend_connected(BackendConnectionStatus::NotConnected, metrics);
-
-            if let Some(backend) = self.backend.take() {
-                backend.borrow_mut().dec_connections();
+            if !reuse_entry {
+                proxy.remove_session(origin.token);
             }
+            Some(origin.token)
+        } else {
+            None
         }
     }
 
@@ -1189,19 +1178,16 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         Ok(())
     }
 
-    fn check_backend_connection(&mut self, metrics: &mut SessionMetrics) -> bool {
+    fn check_backend_connection(&self, metrics: &mut SessionMetrics) -> bool {
         let is_valid_backend_socket = self.is_valid_backend_socket();
 
         if !is_valid_backend_socket {
             return false;
         }
 
-        //matched on keepalive
-        metrics.backend_id = self.backend.as_ref().map(|i| i.borrow().backend_id.clone());
-
         metrics.backend_start();
-        if let Some(b) = self.backend.as_mut() {
-            b.borrow_mut().active_requests += 1;
+        if let Some(origin) = &self.origin {
+            origin.backend.borrow_mut().active_requests += 1;
         }
         true
     }
@@ -1349,7 +1335,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                 // "attached" frontends
                 (Some(cluster_id), _, _, _) => {
                     proxy.borrow().clusters().get(cluster_id).map_or(
-                        (false, false, None), // cluster not found, consider unauthorized
+                        (true, false, None), // cluster not found, consider authorized?
                         |cluster| {
                             let authorized =
                                 match (required_auth, self.context.authentication_found) {
@@ -1411,8 +1397,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         cluster_id: &str,
         frontend_should_stick: bool,
         proxy: Rc<RefCell<dyn L7Proxy>>,
-        metrics: &mut SessionMetrics,
-    ) -> Result<TcpStream, BackendConnectionError> {
+    ) -> Result<(Rc<RefCell<Backend>>, TcpStream), BackendConnectionError> {
         let (backend, conn) = self
             .get_backend_for_sticky_session(
                 frontend_should_stick,
@@ -1442,12 +1427,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             );
         }
 
-        metrics.backend_id = Some(backend.borrow().backend_id.clone());
-        metrics.backend_start();
-        self.set_backend_id(backend.borrow().backend_id.clone());
-
-        self.backend = Some(backend);
-        Ok(conn)
+        Ok((backend, conn))
     }
 
     fn get_backend_for_sticky_session(
@@ -1477,56 +1457,41 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         proxy: Rc<RefCell<dyn L7Proxy>>,
         metrics: &mut SessionMetrics,
     ) -> Result<BackendConnectAction, BackendConnectionError> {
-        let old_cluster_id = self.context.cluster_id.clone();
-        let old_backend_token = self.backend_token;
-
         self.check_circuit_breaker()?;
 
-        // TODO: in case of default answer, should we ensure the backend is closed?
         let cluster_id = self
             .cluster_id_from_request(proxy.clone())
             .map_err(BackendConnectionError::RetrieveClusterError)?;
 
         trace!(
-            "{} Connect_to_backend: {:?} {:?} {:?}",
+            "{} {:?} Connect_to_backend: {:?}",
             log_context!(self),
-            self.context.cluster_id,
+            self.origin,
             cluster_id,
-            self.backend_connection_status
         );
+
+        // update response cluster producer
+        self.context.cluster_id = Some(cluster_id.clone());
+
         // check if we can reuse the backend connection
-        if (self.context.cluster_id.as_ref()) == Some(&cluster_id)
-            && self.backend_connection_status == BackendConnectionStatus::Connected
-        {
-            let has_backend = self
-                .backend
-                .as_ref()
-                .map(|backend| {
-                    let backend = backend.borrow();
-                    proxy
-                        .borrow()
-                        .backends()
-                        .borrow()
-                        .has_backend(&cluster_id, &backend)
-                })
-                .unwrap_or(false);
+        if let Some(origin) = &self.origin {
+            if origin.is_connected_to(&cluster_id) {
+                let has_backend = proxy
+                    .borrow()
+                    .backends()
+                    .borrow()
+                    .has_backend(&cluster_id, &origin.backend.borrow());
 
-            if has_backend && self.check_backend_connection(metrics) {
-                return Ok(BackendConnectAction::Reuse);
-            } else if self.backend_token.take().is_some() {
-                self.close_backend(proxy.clone(), metrics);
+                if has_backend && self.check_backend_connection(metrics) {
+                    // update response backend producer
+                    self.context.backend_id = Some(origin.backend.borrow().backend_id.clone());
+                    return Ok(BackendConnectAction::Reuse);
+                }
             }
         }
 
-        //replacing with a connection to another cluster
-        if old_cluster_id.is_some()
-            && old_cluster_id.as_ref() != Some(&cluster_id)
-            && self.backend_token.take().is_some()
-        {
-            self.close_backend(proxy.clone(), metrics);
-        }
-
-        self.context.cluster_id = Some(cluster_id.clone());
+        // close old backend (if it exists), replace with a connection to another cluster
+        let reusable_token = self.close_backend(proxy.clone(), true);
 
         let frontend_should_stick = proxy
             .borrow()
@@ -1535,8 +1500,9 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             .map(|cluster| cluster.sticky_session)
             .unwrap_or(false);
 
-        let mut socket =
-            self.backend_from_request(&cluster_id, frontend_should_stick, proxy.clone(), metrics)?;
+        let (backend, mut socket) =
+            self.backend_from_request(&cluster_id, frontend_should_stick, proxy.clone())?;
+        metrics.backend_start();
         if let Err(e) = socket.set_nodelay(true) {
             error!(
                 "{} Error setting nodelay on backend socket({:?}): {:?}",
@@ -1547,90 +1513,69 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
         }
 
         self.backend_readiness.interest = Ready::WRITABLE | Ready::HUP | Ready::ERROR;
-        self.backend_connection_status = BackendConnectionStatus::Connecting(Instant::now());
-
-        match old_backend_token {
-            Some(backend_token) => {
-                self.set_backend_token(backend_token);
-                if let Err(e) = proxy.borrow().register_socket(
-                    &mut socket,
-                    backend_token,
-                    Interest::READABLE | Interest::WRITABLE,
-                ) {
-                    error!(
-                        "{} Error registering back socket({:?}): {:?}",
-                        log_context!(self),
-                        socket,
-                        e
-                    );
-                }
+        let backend_id = backend.borrow().backend_id.clone();
+        // update response backend producer
+        self.context.backend_id = Some(backend_id.clone());
 
-                self.set_backend_socket(socket, self.backend.clone());
-                self.set_backend_timeout(self.configured_connect_timeout);
+        let (token, action) = if let Some(token) = reusable_token {
+            (token, BackendConnectAction::Replace)
+        } else {
+            (
+                proxy.borrow().add_session(session_rc),
+                BackendConnectAction::New,
+            )
+        };
 
-                Ok(BackendConnectAction::Replace)
-            }
-            None => {
-                let backend_token = proxy.borrow().add_session(session_rc);
-
-                if let Err(e) = proxy.borrow().register_socket(
-                    &mut socket,
-                    backend_token,
-                    Interest::READABLE | Interest::WRITABLE,
-                ) {
-                    error!(
-                        "{} Error registering back socket({:?}): {:?}",
-                        log_context!(self),
-                        socket,
-                        e
-                    );
-                }
+        if let Err(e) = proxy.borrow().register_socket(
+            &mut socket,
+            token,
+            Interest::READABLE | Interest::WRITABLE,
+        ) {
+            error!(
+                "{} Error registering backend socket({:?}): {:?}",
+                log_context!(self),
+                socket,
+                e
+            );
+        }
 
-                self.set_backend_socket(socket, self.backend.clone());
-                self.set_backend_token(backend_token);
-                self.set_backend_timeout(self.configured_connect_timeout);
+        self.origin = Some(Origin {
+            cluster_id,
+            backend_id,
+            backend,
+            token,
+            connected: false,
+            socket,
+        });
+        self.set_backend_timeout(token, self.configured_connect_timeout);
 
-                Ok(BackendConnectAction::New)
-            }
-        }
+        Ok(action)
     }
 
-    fn set_backend_connected(
-        &mut self,
-        connected: BackendConnectionStatus,
-        metrics: &mut SessionMetrics,
-    ) {
-        let last = self.backend_connection_status;
-        self.backend_connection_status = connected;
+    fn set_backend_connected(&mut self, metrics: &mut SessionMetrics) {
+        if let Some(Origin {
+            connected: connected @ false,
+            token,
+            backend,
+            backend_id,
+            cluster_id,
+            ..
+        }) = &mut self.origin
+        {
+            *connected = true;
 
-        if connected == BackendConnectionStatus::Connected {
             gauge_add!("backend.connections", 1);
             gauge_add!(
                 "connections_per_backend",
                 1,
-                self.context.cluster_id.as_deref(),
-                metrics.backend_id.as_deref()
+                Some(cluster_id),
+                Some(backend_id)
             );
 
-            // the back timeout was of connect_timeout duration before,
-            // now that we're connected, move to backend_timeout duration
-            self.set_backend_timeout(self.configured_backend_timeout);
-            // if we are not waiting for the backend response, its timeout is concelled
-            // it should be set when the request has been entirely transmitted
-            if !self.backend_readiness.interest.is_readable() {
-                self.container_backend_timeout.cancel();
-            }
-
-            if let Some(backend) = &self.backend {
+            {
                 let mut backend = backend.borrow_mut();
-
                 if backend.retry_policy.is_down() {
-                    incr!(
-                        "backend.up",
-                        self.context.cluster_id.as_deref(),
-                        metrics.backend_id.as_deref()
-                    );
-
+                    incr!("backend.up", Some(cluster_id), Some(backend_id));
                     info!(
                         "backend server {} at {} is up",
                         backend.backend_id, backend.address
@@ -1643,21 +1588,36 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                         cluster_id: None,
                     });
                 }
-
-                if let BackendConnectionStatus::Connecting(start) = last {
-                    backend.set_connection_time(Instant::now() - start);
+                if let Some(time) = metrics.backend_connection_time() {
+                    backend.set_connection_time(time);
                 }
-
                 //successful connection, reset failure counter
                 backend.failures = 0;
                 backend.active_requests += 1;
                 backend.retry_policy.succeed();
             }
+
+            // the back timeout was of connect_timeout duration before,
+            // now that we're connected, move to backend_timeout duration
+            let token = *token;
+            self.set_backend_timeout(token, self.configured_backend_timeout);
+            // if we are not waiting for the backend response, its timeout is concelled
+            // it should be set when the request has been entirely transmitted
+            if !self.backend_readiness.interest.is_readable() {
+                self.container_backend_timeout.cancel();
+            }
         }
     }
 
-    fn fail_backend_connection(&mut self, metrics: &SessionMetrics) {
-        if let Some(backend) = &self.backend {
+    fn fail_backend_connection(&mut self) {
+        if let Some(Origin {
+            connected: false,
+            backend,
+            backend_id,
+            cluster_id,
+            ..
+        }) = &self.origin
+        {
             let mut backend = backend.borrow_mut();
             backend.failures += 1;
 
@@ -1665,8 +1625,8 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             backend.retry_policy.fail();
             incr!(
                 "backend.connections.error",
-                self.context.cluster_id.as_deref(),
-                metrics.backend_id.as_deref()
+                Some(cluster_id),
+                Some(backend_id)
             );
 
             if !already_unavailable && backend.retry_policy.is_down() {
@@ -1677,11 +1637,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                     backend.address
                 );
 
-                incr!(
-                    "backend.down",
-                    self.context.cluster_id.as_deref(),
-                    metrics.backend_id.as_deref()
-                );
+                incr!("backend.down", Some(cluster_id), Some(backend_id));
 
                 push_event(Event {
                     kind: EventKind::BackendDown as i32,
@@ -1775,7 +1731,11 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
     ) -> SessionResult {
         let mut counter = 0;
 
-        if self.backend_connection_status.is_connecting()
+        if self
+            .origin
+            .as_ref()
+            .map(|origin| !origin.connected)
+            .unwrap_or(false)
             && !self.backend_readiness.event.is_empty()
         {
             if self.backend_readiness.event.is_hup() && !self.test_backend_socket() {
@@ -1787,13 +1747,10 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                 );
 
                 self.connection_attempts += 1;
-                self.fail_backend_connection(metrics);
-
-                self.backend_connection_status =
-                    BackendConnectionStatus::Connecting(Instant::now());
+                self.fail_backend_connection();
 
                 // trigger a backend reconnection
-                self.close_backend(proxy.clone(), metrics);
+                self.close_backend(proxy.clone(), false);
 
                 let connection_result =
                     self.connect_to_backend(session.clone(), proxy.clone(), metrics);
@@ -1811,7 +1768,7 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
             } else {
                 metrics.backend_connected();
                 self.connection_attempts = 0;
-                self.set_backend_connected(BackendConnectionStatus::Connected, metrics);
+                self.set_backend_connected(metrics);
                 // we might get an early response from the backend, so we want to look
                 // at readable events
                 self.backend_readiness.interest.insert(Ready::READABLE);
@@ -1910,7 +1867,9 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                     state_result
                 );
                 match state_result {
-                    StateResult::CloseBackend => self.close_backend(proxy.clone(), metrics),
+                    StateResult::CloseBackend => {
+                        self.close_backend(proxy.clone(), false);
+                    }
                     StateResult::CloseSession => return SessionResult::Close,
                     StateResult::Upgrade => return SessionResult::Upgrade,
                     StateResult::Continue => {}
@@ -1933,7 +1892,9 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> Http<Front, L
                 trace!("{} backend_hup: {:?}", log_context!(self), state_result);
                 match state_result {
                     StateResult::Continue => {}
-                    StateResult::CloseBackend => self.close_backend(proxy.clone(), metrics),
+                    StateResult::CloseBackend => {
+                        self.close_backend(proxy.clone(), false);
+                    }
                     StateResult::CloseSession => return SessionResult::Close,
                     StateResult::ConnectBackend | StateResult::Upgrade => unreachable!(),
                 }
@@ -2003,25 +1964,32 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> SessionState
     fn update_readiness(&mut self, token: Token, events: Ready) {
         if self.frontend_token == token {
             self.frontend_readiness.event |= events;
-        } else if self.backend_token == Some(token) {
+        } else if self
+            .origin
+            .as_ref()
+            .map(|origin| origin.token == token)
+            .unwrap_or(false)
+        {
             self.backend_readiness.event |= events;
         }
     }
 
-    fn close(&mut self, proxy: Rc<RefCell<dyn L7Proxy>>, metrics: &mut SessionMetrics) {
-        self.close_backend(proxy, metrics);
-        self.frontend_socket.socket_close();
-        let _ = self.frontend_socket.socket_write_vectored(&[]);
-
+    fn close(&mut self, proxy: Rc<RefCell<dyn L7Proxy>>, _metrics: &mut SessionMetrics) {
         //if the state was initial, the connection was already reset
         if !self.request_stream.is_initial() {
             gauge_add!("http.active_requests", -1);
 
-            if let Some(b) = self.backend.as_mut() {
-                let mut backend = b.borrow_mut();
-                backend.active_requests = backend.active_requests.saturating_sub(1);
+            if let Some(origin) = &self.origin {
+                if origin.connected {
+                    let mut backend = origin.backend.borrow_mut();
+                    backend.active_requests = backend.active_requests.saturating_sub(1);
+                }
             }
         }
+
+        self.close_backend(proxy, false);
+        self.frontend_socket.socket_close();
+        let _ = self.frontend_socket.socket_write_vectored(&[]);
     }
 
     fn timeout(&mut self, token: Token, metrics: &mut SessionMetrics) -> StateResult {
@@ -2053,7 +2021,12 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> SessionState
             };
         }
 
-        if self.backend_token == Some(token) {
+        if self
+            .origin
+            .as_ref()
+            .map(|origin| origin.token == token)
+            .unwrap_or(false)
+        {
             //info!("backend timeout triggered for token {:?}", token);
             self.container_backend_timeout.triggered();
             return match self.timeout_status() {
@@ -2094,21 +2067,18 @@ impl<Front: SocketHandler, L: ListenerHandler + L7ListenerHandler> SessionState
     }
 
     fn print_state(&self, context: &str) {
+        let kawa_back = match &self.response_stream {
+            ResponseStream::BackendAnswer(kawa) => format!("{:?}", kawa.parsing_phase),
+            ResponseStream::DefaultAnswer(status, ..)
+            | ResponseStream::DefaultAnswerKA(status, ..) => format!("DefaulAnswer({status})"),
+            ResponseStream::Swaping => unreachable!(),
+        };
         error!(
-            "\
-{} {} Session(Kawa)
-\tFrontend:
-\t\ttoken: {:?}\treadiness: {:?}\tstate: {:?}
-\tBackend:
-\t\ttoken: {:?}\treadiness: {:?}",
+            "{} {} kawa_front={:?}, kawa_back={}",
             log_context!(self),
             context,
-            self.frontend_token,
-            self.frontend_readiness,
             self.request_stream.parsing_phase,
-            self.backend_token,
-            self.backend_readiness,
-            // self.response_stream.parsing_phase
+            kawa_back
         );
     }
 
diff --git a/lib/src/router/mod.rs b/lib/src/router/mod.rs
index e4c752cde..e48f3d695 100644
--- a/lib/src/router/mod.rs
+++ b/lib/src/router/mod.rs
@@ -179,7 +179,6 @@ impl Router {
             front.rewrite_path.clone(),
             front.rewrite_port,
         )?;
-        println!("ROUTE:{route:#?}");
 
         let success = match front.position {
             RulePosition::Pre => self.add_pre_rule(&domain_rule, &path_rule, &method_rule, &route),
@@ -935,8 +934,8 @@ impl RouteResult {
                 _ => {}
             }
         }
-        println!("========HOST_CAPTURES: {captures_host:?}");
-        println!("========PATH_CAPTURES: {captures_path:?}");
+        // println!("========HOST_CAPTURES: {captures_host:?}");
+        // println!("========PATH_CAPTURES: {captures_path:?}");
         Self {
             cluster_id: cluster_id.clone(),
             required_auth: *required_auth,
diff --git a/lib/src/tcp.rs b/lib/src/tcp.rs
index ea6955e86..2a44341a3 100644
--- a/lib/src/tcp.rs
+++ b/lib/src/tcp.rs
@@ -495,7 +495,7 @@ impl TcpSession {
                 "connections_per_backend",
                 1,
                 self.cluster_id.as_deref(),
-                self.metrics.backend_id.as_deref()
+                self.backend_id.as_deref()
             );
 
             // the back timeout was of connect_timeout duration before,
@@ -515,7 +515,7 @@ impl TcpSession {
                     incr!(
                         "backend.up",
                         self.cluster_id.as_deref(),
-                        self.metrics.backend_id.as_deref()
+                        self.backend_id.as_deref()
                     );
                     info!(
                         "backend server {} at {} is up",
@@ -558,7 +558,7 @@ impl TcpSession {
             incr!(
                 "backend.connections.error",
                 self.cluster_id.as_deref(),
-                self.metrics.backend_id.as_deref()
+                self.backend_id.as_deref()
             );
             if !already_unavailable && backend.retry_policy.is_down() {
                 error!(
@@ -568,7 +568,7 @@ impl TcpSession {
                 incr!(
                     "backend.down",
                     self.cluster_id.as_deref(),
-                    self.metrics.backend_id.as_deref()
+                    self.backend_id.as_deref()
                 );
 
                 push_event(Event {
@@ -822,7 +822,7 @@ impl TcpSession {
                 "connections_per_backend",
                 -1,
                 self.cluster_id.as_deref(),
-                self.metrics.backend_id.as_deref()
+                self.backend_id.as_deref()
             );
         }
 
@@ -902,7 +902,7 @@ impl TcpSession {
         self.set_back_token(back_token);
         self.set_back_socket(stream);
 
-        self.metrics.backend_id = Some(backend.borrow().backend_id.clone());
+        // self.metrics.backend_id = Some(backend.borrow().backend_id.clone());
         self.metrics.backend_start();
         self.set_backend_id(backend.borrow().backend_id.clone());