docs: fix rfc references and fix misc issues (#4879)

api/openapi.yml

@@ -816,7 +816,7 @@ paths:
       summary: OAuth 2.0 Authorization Server Metadata
       description: >
         This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
-        perform discovery for an OAuth 2.0 Authorization Server. See https://www.rfc-editor.org/rfc/rfc8414.
+        perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
       responses:
         "200":
           description: OK
@@ -2822,8 +2822,8 @@ components:
           description: >
             JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
             UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
-            JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT:
+            JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
-            https://datatracker.ietf.org/doc/html/rfc7519
+            JWT: https://datatracker.ietf.org/doc/html/rfc7519
           type: array
           example: ["none", "RS256"]
           items:

config.template.yml

@@ -426,7 +426,7 @@ authentication_backend:
     ## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
     ## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
     ## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
-    ## follow https://www.ietf.org/rfc/rfc2307.txt.
+    ## follow https://datatracker.ietf.org/doc/html/rfc2307.
     # username_attribute: uid
 
     ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.

docs/content/en/configuration/first-factor/file.md

@@ -256,8 +256,8 @@ truncation that [Bcrypt] does. It is not supported by many other systems.*
 
 Controls the hashing cost when hashing passwords using [Bcrypt].
 
-[Argon2]: https://www.rfc-editor.org/rfc/rfc9106.html
+[Argon2]: https://datatracker.ietf.org/doc/html/rfc9106
 [Scrypt]: https://en.wikipedia.org/wiki/Scrypt
-[PBKDF2]: https://www.ietf.org/rfc/rfc2898.html
+[PBKDF2]: https://datatracker.ietf.org/doc/html/rfc2898
 [SHA2 Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt
 [Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt

docs/content/en/configuration/first-factor/ldap.md

@@ -316,4 +316,4 @@ for your users.
 
 [username attribute]: #usernameattribute
 [TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
-[RFC2307]: https://www.rfc-editor.org/rfc/rfc2307.html
+[RFC2307]: https://datatracker.ietf.org/doc/html/rfc2307

docs/content/en/configuration/identity-providers/open-id-connect.md

@@ -170,7 +170,7 @@ encoded PEM format used to sign/encrypt the [OpenID Connect 1.0] [JWT]'s. When c
 JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/introduction.md#discoverable-endpoints)
 as per [RFC7517].
 
-[RFC7517]: https://www.rfc-editor.org/rfc/rfc7517
+[RFC7517]: https://datatracker.ietf.org/doc/html/rfc7517
 [x5c]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
 [x5t]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.8
 
@@ -251,7 +251,7 @@ this value.
 
 {{< confkey type="string" default="public_clients_only" required="no" >}}
 
-[Proof Key for Code Exchange](https://www.rfc-editor.org/rfc/rfc7636.html) enforcement policy: if specified, must be
+[Proof Key for Code Exchange](https://datatracker.ietf.org/doc/html/rfc7636) enforcement policy: if specified, must be
 either `never`, `public_clients_only` or `always`.
 
 If set to `public_clients_only` (default), [PKCE] will be required for public clients using the
@@ -530,12 +530,12 @@ To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party
 
 [token lifespan]: https://docs.apigee.com/api-platform/antipatterns/oauth-long-expiration
 [OpenID Connect 1.0]: https://openid.net/connect/
-[JWT]: https://www.rfc-editor.org/rfc/rfc7519.html
+[JWT]: https://datatracker.ietf.org/doc/html/rfc7519
-[RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html
+[RFC6234]: https://datatracker.ietf.org/doc/html/rfc6234
-[RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html
+[RFC4648]: https://datatracker.ietf.org/doc/html/rfc4648
-[RFC7468]: https://www.rfc-editor.org/rfc/rfc7468.html
+[RFC7468]: https://datatracker.ietf.org/doc/html/rfc7468
 [RFC6749 Section 2.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
-[PKCE]: https://www.rfc-editor.org/rfc/rfc7636.html
+[PKCE]: https://datatracker.ietf.org/doc/html/rfc7636
 [Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
 [Subject Identifier Type]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
 [Pairwise Identifier Algorithm]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

docs/content/en/configuration/prologue/common.md

@@ -154,7 +154,7 @@ The value must be one or more certificates encoded in the DER base64 ([RFC4648])
 
 ### private_key
 
-{{< confkey type="string" required="yes" >}}
+{{< confkey type="string" required="no" >}}
 
 *__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__
 especially for containerized deployments.*
@@ -163,6 +163,8 @@ The private key to be used with the [certificate_chain](#certificatechain) for m
 
 The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format.
 
+[RFC4648]: https://datatracker.ietf.org/doc/html/rfc4648
+
 ## Server Buffers
 
 ### read

docs/content/en/configuration/second-factor/time-based-one-time-password.md

@@ -172,5 +172,5 @@ at least a minimal configuration that has the storage backend connection details
 See the [CLI Documentation](../../reference/cli/authelia/authelia_storage_user_totp_export.md) for methods to perform
 exports.
 
-[RFC4226]: https://www.rfc-editor.org/rfc/rfc4226.html
+[RFC4226]: https://datatracker.ietf.org/doc/html/rfc4226
-[RFC6238]: https://www.rfc-editor.org/rfc/rfc6238.html
+[RFC6238]: https://datatracker.ietf.org/doc/html/rfc6238

docs/content/en/configuration/security/access-control.md

@@ -588,7 +588,7 @@ The match type `Equals` matches if the value extracted from the pattern is equal
 match value is a list/slice).
 
 The regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names
-should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html)
+should not be compared in a case-sensitive way as per the [RFC4343](https://datatracker.ietf.org/doc/html/rfc4343)
 abstract and [RFC3986 Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2).
 
 We do not currently apply any other normalization to usernames or groups when matching these groups. As such it's
@@ -664,6 +664,6 @@ access_control:
       policy: bypass
 ```
 
-[RFC7231]: https://www.rfc-editor.org/rfc/rfc7231.html
+[RFC7231]: https://datatracker.ietf.org/doc/html/rfc7231
-[RFC5789]: https://www.rfc-editor.org/rfc/rfc5789.html
+[RFC5789]: https://datatracker.ietf.org/doc/html/rfc5789
-[RFC4918]: https://www.rfc-editor.org/rfc/rfc4918.html
+[RFC4918]: https://datatracker.ietf.org/doc/html/rfc4918

docs/content/en/integration/openid-connect/introduction.md

@@ -166,16 +166,16 @@ These endpoints implement OpenID Connect elements.
 [OpenID Connect 1.0]: https://openid.net/connect/
 
 [OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
-[OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html
+[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414
 
 [JSON Web Key Sets]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
 
 [Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
 [Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
 [UserInfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
-[Introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
+[Introspection]: https://datatracker.ietf.org/doc/html/rfc7662
-[Revocation]: https://www.rfc-editor.org/rfc/rfc7009.html
+[Revocation]: https://datatracker.ietf.org/doc/html/rfc7009
 
-[RFC8176]: https://www.rfc-editor.org/rfc/rfc8176.html
+[RFC8176]: https://datatracker.ietf.org/doc/html/rfc8176
-[RFC4122]: https://www.rfc-editor.org/rfc/rfc4122.html
+[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
 [Subject Identifier Types]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

docs/content/en/reference/guides/passwords.md

@@ -193,9 +193,9 @@ This table suggests the parameters for the [SHA2 Crypt] algorithm:
 | Standard CPU | sha512  |        50000        |    16     |
 | High End CPU | sha512  |       150000        |    16     |
 
-[Argon2]: https://www.rfc-editor.org/rfc/rfc9106.html
+[Argon2]: https://datatracker.ietf.org/doc/html/rfc9106
 [Scrypt]: https://en.wikipedia.org/wiki/Scrypt
-[PBKDF2]: https://www.ietf.org/rfc/rfc2898.html
+[PBKDF2]: https://datatracker.ietf.org/doc/html/rfc2898
 [SHA2 Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt
 [Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt
 [FIPS-140 compliance]: https://csrc.nist.gov/publications/detail/fips/140/2/final

docs/content/en/reference/guides/server-asset-overrides.md

@@ -46,7 +46,7 @@ utilize these overrides should either check for changes to the files in the
 
 The locales directory holds folders of internationalization locales. This directory can be utilized to override these
 locales. They are the names of locales that are returned by the `navigator.langauge` ECMAScript command. These are
-generally those in the [RFC5646 / BCP47 Format](https://www.rfc-editor.org/rfc/rfc5646.html) specifically the language
+generally those in the [RFC5646 / BCP47 Format](https://datatracker.ietf.org/doc/html/rfc5646) specifically the language
 codes from [Crowdin](https://support.crowdin.com/api/language-codes/).
 
 Each directory has JSON files which you can explore the format of in the

docs/content/en/roadmap/active/openid-connect.md

@@ -115,7 +115,7 @@ Feature List:
 
 {{< roadmap-status stage="in-progress" version="v4.38.0" >}}
 
-* [OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html)
+* [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)
 * Per-Client [Proof Key Code Exchange (PKCE)] Policy
 
 ### Beta 7
@@ -177,7 +177,7 @@ Should be implemented alongside [Dynamic Client Registration](#openid-connect-dy
 
 {{< roadmap-status stage="complete" version="v4.34.0" >}}
 
-See the [IETF Specification RFC8414](https://www.rfc-editor.org/rfc/rfc8414.html) for more information.
+See the [IETF Specification RFC8414](https://datatracker.ietf.org/doc/html/rfc8414) for more information.
 
 #### OpenID Connect Session Management
 
@@ -205,9 +205,9 @@ The `preferred_username` claim was missing and was fixed.
 
 [Cross Origin Resource Sharing]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
 
-[RFC8176]: https://www.rfc-editor.org/rfc/rfc8176.html
+[RFC8176]: https://datatracker.ietf.org/doc/html/rfc8176
-[RFC8693 Section 4.3]: https://www.rfc-editor.org/rfc/rfc8693.html/#section-4.3
+[RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3
-[RFC4122]: https://www.rfc-editor.org/rfc/rfc4122.html
+[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
 
 [OpenID Connect]: https://openid.net/connect/
 [OpenID Connect Front-Channel Logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
@@ -219,4 +219,4 @@ The `preferred_username` claim was missing and was fixed.
 [OpenID Connect Core (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
 [OpenID Connect Core (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
 [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
-[Proof Key Code Exchange (PKCE)]: https://www.rfc-editor.org/rfc/rfc7636.html
+[Proof Key Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636

internal/configuration/config.template.yml

@@ -426,7 +426,7 @@ authentication_backend:
     ## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
     ## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
     ## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
-    ## follow https://www.ietf.org/rfc/rfc2307.txt.
+    ## follow https://datatracker.ietf.org/doc/html/rfc2307.
     # username_attribute: uid
 
     ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.

internal/middlewares/cors.go

@@ -234,11 +234,11 @@ func (p *CORSPolicy) handleOPTIONS(ctx *fasthttp.RequestCtx) {
 
 	/* The OPTIONS method should not return a 204 as per the following specifications when read together:
 
-	RFC7231 (https://www.rfc-editor.org/rfc/rfc7231#section-4.3.7):
+	RFC7231 (https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7):
 		A server MUST generate a Content-Length field with a value of "0" if no payload body is to be sent in
 		the response.
 
-	RFC7230 (https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2):
+	RFC7230 (https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.2):
 		A server MUST NOT send a Content-Length header field in any response with a status code of 1xx (Informational)
 		or 204 (No Content).
 	*/

internal/mocks/random.go

@@ -121,33 +121,48 @@ func (mr *MockRandomMockRecorder) IntErr(arg0 interface{}) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntErr", reflect.TypeOf((*MockRandom)(nil).IntErr), arg0)
 }
 
-// Integer mocks base method.
+// Intn mocks base method.
-func (m *MockRandom) Integer(arg0 int) int {
+func (m *MockRandom) Intn(arg0 int) int {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Integer", arg0)
+	ret := m.ctrl.Call(m, "Intn", arg0)
 	ret0, _ := ret[0].(int)
 	return ret0
 }
 
-// Integer indicates an expected call of Integer.
+// Intn indicates an expected call of Intn.
-func (mr *MockRandomMockRecorder) Integer(arg0 interface{}) *gomock.Call {
+func (mr *MockRandomMockRecorder) Intn(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Integer", reflect.TypeOf((*MockRandom)(nil).Integer), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Intn", reflect.TypeOf((*MockRandom)(nil).Intn), arg0)
 }
 
-// IntegerErr mocks base method.
+// IntnErr mocks base method.
-func (m *MockRandom) IntegerErr(arg0 int) (int, error) {
+func (m *MockRandom) IntnErr(arg0 int) (int, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "IntegerErr", arg0)
+	ret := m.ctrl.Call(m, "IntnErr", arg0)
 	ret0, _ := ret[0].(int)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// IntegerErr indicates an expected call of IntegerErr.
+// IntnErr indicates an expected call of IntnErr.
-func (mr *MockRandomMockRecorder) IntegerErr(arg0 interface{}) *gomock.Call {
+func (mr *MockRandomMockRecorder) IntnErr(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntegerErr", reflect.TypeOf((*MockRandom)(nil).IntegerErr), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntnErr", reflect.TypeOf((*MockRandom)(nil).IntnErr), arg0)
+}
+
+// Prime mocks base method.
+func (m *MockRandom) Prime(arg0 int) (*big.Int, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Prime", arg0)
+	ret0, _ := ret[0].(*big.Int)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Prime indicates an expected call of Prime.
+func (mr *MockRandomMockRecorder) Prime(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Prime", reflect.TypeOf((*MockRandom)(nil).Prime), arg0)
 }
 
 // Read mocks base method.

internal/notification/smtp_notifier.go

@@ -163,8 +163,8 @@ func (n *SMTPNotifier) Send(ctx context.Context, recipient mail.Address, subject
 }
 
 func (n *SMTPNotifier) setMessageID(msg *gomail.Msg, domain string) {
-	rn := n.random.Integer(100000000)
+	rn := n.random.Intn(100000000)
-	rm := n.random.Integer(10000)
+	rm := n.random.Intn(10000)
 	rs := n.random.StringCustom(17, random.CharSetAlphaNumeric)
 	pid := os.Getpid() + rm
 

internal/oidc/store.go

@@ -180,7 +180,7 @@ func (s *Store) DeleteAccessTokenSession(ctx context.Context, signature string)
 	return s.revokeSessionBySignature(ctx, storage.OAuth2SessionTypeAccessToken, signature)
 }
 
-// RevokeAccessToken revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1
+// RevokeAccessToken revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
 // If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
 // This implements a portion of oauth2.TokenRevocationStorage.
 func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) (err error) {
@@ -205,7 +205,7 @@ func (s *Store) DeleteRefreshTokenSession(ctx context.Context, signature string)
 	return s.revokeSessionBySignature(ctx, storage.OAuth2SessionTypeRefreshToken, signature)
 }
 
-// RevokeRefreshToken revokes a refresh token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1
+// RevokeRefreshToken revokes a refresh token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
 // If the particular token is a refresh token and the authorization server supports the revocation of access tokens,
 // then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note).
 // This implements a portion of oauth2.TokenRevocationStorage.
@@ -213,7 +213,7 @@ func (s *Store) RevokeRefreshToken(ctx context.Context, requestID string) (err e
 	return s.provider.DeactivateOAuth2SessionByRequestID(ctx, storage.OAuth2SessionTypeRefreshToken, requestID)
 }
 
-// RevokeRefreshTokenMaybeGracePeriod revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1
+// RevokeRefreshTokenMaybeGracePeriod revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
 // If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
 // This implements a portion of oauth2.TokenRevocationStorage.
 func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) (err error) {

internal/random/const.go

@@ -25,7 +25,7 @@ const (
 	CharSetSymbolic = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
 
 	// CharSetSymbolicRFC3986Unreserved are RFC3986 unreserved symbol characters.
-	// See https://www.rfc-editor.org/rfc/rfc3986#section-2.3.
+	// See https://datatracker.ietf.org/doc/html/rfc3986#section-2.3.
 	CharSetSymbolicRFC3986Unreserved = "-._~"
 
 	// CharSetAlphaNumeric are literally just valid alphanumeric printable ASCII chars.
@@ -35,7 +35,7 @@ const (
 	CharSetASCII = CharSetAlphabetic + CharSetNumeric + CharSetSymbolic
 
 	// CharSetRFC3986Unreserved are RFC3986 unreserved characters.
-	// See https://www.rfc-editor.org/rfc/rfc3986#section-2.3.
+	// See https://datatracker.ietf.org/doc/html/rfc3986#section-2.3.
 	CharSetRFC3986Unreserved = CharSetAlphabetic + CharSetNumeric + CharSetSymbolicRFC3986Unreserved
 
 	// CharSetUnambiguousUpper  are a set of unambiguous uppercase characters.

internal/random/cryptographical.go

@@ -18,11 +18,7 @@ func (r *Cryptographical) Read(p []byte) (n int, err error) {
 // BytesErr returns random data as bytes with the standard random.DefaultN length and can contain any byte values
 // (including unreadable byte values). If an error is returned from the random read this function returns it.
 func (r *Cryptographical) BytesErr() (data []byte, err error) {
-	data = make([]byte, DefaultN)
+	return r.BytesCustomErr(0, nil)
-
-	_, err = rand.Read(data)
-
-	return data, err
 }
 
 // Bytes returns random data as bytes with the standard random.DefaultN length and can contain any byte values
@@ -49,9 +45,11 @@ func (r *Cryptographical) BytesCustomErr(n int, charset []byte) (data []byte, er
 
 	t := len(charset)
 
+	if t > 0 {
 		for i := 0; i < n; i++ {
 			data[i] = charset[data[i]%byte(t)]
 		}
+	}
 
 	return data, nil
 }
@@ -81,6 +79,36 @@ func (r *Cryptographical) StringCustom(n int, characters string) (data string) {
 	return string(r.BytesCustom(n, []byte(characters)))
 }
 
+// IntnErr returns a random int error combination with a maximum of n.
+func (r *Cryptographical) IntnErr(n int) (value int, err error) {
+	if n <= 0 {
+		return 0, fmt.Errorf("n must be more than 0")
+	}
+
+	max := big.NewInt(int64(n))
+
+	var result *big.Int
+
+	if result, err = r.IntErr(max); err != nil {
+		return 0, err
+	}
+
+	value = int(result.Int64())
+
+	if value < 0 {
+		return 0, fmt.Errorf("generated number is too big for int")
+	}
+
+	return value, nil
+}
+
+// Intn returns a random int with a maximum of n.
+func (r *Cryptographical) Intn(n int) (value int) {
+	value, _ = r.IntnErr(n)
+
+	return value
+}
+
 // IntErr returns a random *big.Int error combination with a maximum of max.
 func (r *Cryptographical) IntErr(max *big.Int) (value *big.Int, err error) {
 	if max == nil {
@@ -105,32 +133,8 @@ func (r *Cryptographical) Int(max *big.Int) (value *big.Int) {
 	return value
 }
 
-// IntegerErr returns a random int error combination with a maximum of n.
+// Prime returns a number of the given bit length that is prime with high probability. Prime will return error for any
-func (r *Cryptographical) IntegerErr(n int) (value int, err error) {
+// error returned by rand.Read or if bits < 2.
-	if n <= 0 {
+func (r *Cryptographical) Prime(bits int) (prime *big.Int, err error) {
-		return 0, fmt.Errorf("n must be more than 0")
+	return rand.Prime(rand.Reader, bits)
-	}
-
-	max := big.NewInt(int64(n))
-
-	var result *big.Int
-
-	if result, err = r.IntErr(max); err != nil {
-		return 0, err
-	}
-
-	value = int(result.Int64())
-
-	if value < 0 {
-		return 0, fmt.Errorf("generated number is too big for int")
-	}
-
-	return value, nil
-}
-
-// Integer returns a random int with a maximum of n.
-func (r *Cryptographical) Integer(n int) (value int) {
-	value, _ = r.IntegerErr(n)
-
-	return value
 }

internal/random/mathematical.go

@@ -1,26 +1,36 @@
 package random
 
 import (
+	crand "crypto/rand"
 	"fmt"
 	"math/big"
 	"math/rand"
+	"sync"
 	"time"
 )
 
 // NewMathematical runs rand.Seed with the current time and returns a random.Provider, specifically *random.Mathematical.
 func NewMathematical() *Mathematical {
-	rand.Seed(time.Now().UnixNano())
+	return &Mathematical{
-
+		rand: rand.New(rand.NewSource(time.Now().UnixNano())), //nolint:gosec
-	return &Mathematical{}
+		lock: &sync.Mutex{},
+	}
 }
 
 // Mathematical is the random.Provider which uses math/rand and is COMPLETELY UNSAFE FOR PRODUCTION IN MOST SITUATIONS.
 // Use random.Cryptographical instead.
-type Mathematical struct{}
+type Mathematical struct {
+	rand *rand.Rand
+	lock *sync.Mutex
+}
 
 // Read implements the io.Reader interface.
 func (r *Mathematical) Read(p []byte) (n int, err error) {
-	return rand.Read(p) //nolint:gosec
+	r.lock.Lock()
+
+	defer r.lock.Unlock()
+
+	return r.rand.Read(p)
 }
 
 // BytesErr returns random data as bytes with the standard random.DefaultN length and can contain any byte values
@@ -28,7 +38,7 @@ func (r *Mathematical) Read(p []byte) (n int, err error) {
 func (r *Mathematical) BytesErr() (data []byte, err error) {
 	data = make([]byte, DefaultN)
 
-	if _, err = rand.Read(data); err != nil { //nolint:gosec
+	if _, err = r.Read(data); err != nil {
 		return nil, err
 	}
 
@@ -53,7 +63,7 @@ func (r *Mathematical) BytesCustomErr(n int, charset []byte) (data []byte, err e
 
 	data = make([]byte, n)
 
-	if _, err = rand.Read(data); err != nil { //nolint:gosec
+	if _, err = r.Read(data); err != nil {
 		return nil, err
 	}
 
@@ -91,17 +101,18 @@ func (r *Mathematical) StringCustom(n int, characters string) (data string) {
 	return string(r.BytesCustom(n, []byte(characters)))
 }
 
-// IntErr returns a random *big.Int error combination with a maximum of max.
+// Intn returns a random int with a maximum of n.
-func (r *Mathematical) IntErr(max *big.Int) (value *big.Int, err error) {
+func (r *Mathematical) Intn(n int) int {
-	if max == nil {
+	r.lock.Lock()
-		return nil, fmt.Errorf("max is required")
+
+	defer r.lock.Unlock()
+
+	return r.rand.Intn(n)
 }
 
-	if max.Sign() <= 0 {
+// IntnErr returns a random int error combination with a maximum of n.
-		return nil, fmt.Errorf("max must be 1 or more")
+func (r *Mathematical) IntnErr(n int) (output int, err error) {
-	}
+	return r.Intn(n), nil
-
-	return big.NewInt(int64(rand.Intn(max.Sign()))), nil //nolint:gosec
 }
 
 // Int returns a random *big.Int with a maximum of max.
@@ -115,12 +126,25 @@ func (r *Mathematical) Int(max *big.Int) (value *big.Int) {
 	return value
 }
 
-// IntegerErr returns a random int error combination with a maximum of n.
+// IntErr returns a random *big.Int error combination with a maximum of max.
-func (r *Mathematical) IntegerErr(n int) (output int, err error) {
+func (r *Mathematical) IntErr(max *big.Int) (value *big.Int, err error) {
-	return r.Integer(n), nil
+	if max == nil {
+		return nil, fmt.Errorf("max is required")
 	}
 
-// Integer returns a random int with a maximum of n.
+	if max.Sign() <= 0 {
-func (r *Mathematical) Integer(n int) int {
+		return nil, fmt.Errorf("max must be 1 or more")
-	return rand.Intn(n) //nolint:gosec
+	}
+
+	r.lock.Lock()
+
+	defer r.lock.Unlock()
+
+	return big.NewInt(int64(r.Intn(max.Sign()))), nil
+}
+
+// Prime returns a number of the given bit length that is prime with high probability. Prime will return error for any
+// error returned by rand.Read or if bits < 2.
+func (r *Mathematical) Prime(bits int) (prime *big.Int, err error) {
+	return crand.Prime(r, bits)
 }

internal/random/provider.go

@@ -32,15 +32,19 @@ type Provider interface {
 	// StringCustom is an overload of GenerateCustom which takes a characters string and returns a string.
 	StringCustom(n int, characters string) (data string)
 
+	// Intn returns a random integer with a maximum of n.
+	Intn(n int) (value int)
+
+	// IntnErr returns a random int error combination with a maximum of n.
+	IntnErr(n int) (value int, err error)
+
 	// IntErr returns a random *big.Int error combination with a maximum of max.
 	IntErr(max *big.Int) (value *big.Int, err error)
 
 	// Int returns a random *big.Int with a maximum of max.
 	Int(max *big.Int) (value *big.Int)
 
-	// IntegerErr returns a random int error combination with a maximum of n.
+	// Prime returns a number of the given bit length that is prime with high probability. Prime will return error for any
-	IntegerErr(n int) (value int, err error)
+	// error returned by rand.Read or if bits < 2.
-
+	Prime(bits int) (prime *big.Int, err error)
-	// Integer returns a random integer with a maximum of n.
-	Integer(n int) (value int)
 }

internal/suites/example/compose/haproxy/http.lua

@@ -752,9 +752,9 @@ M.base64 = {}
 --- URL safe base64 encoder
 --
 -- Padding ('=') is omited, as permited per RFC
---   https://tools.ietf.org/html/rfc4648
+--   https://datatracker.ietf.org/doc/html/rfc4648
 -- in order to follow JSON Web Signature RFC
---   https://tools.ietf.org/html/rfc7515
+--   https://datatracker.ietf.org/doc/html/rfc7515
 --
 -- @param s String (can be binary data) to encode
 -- @param enc Function which implements base64 encoder (e.g. HAProxy base64 fetch)

internal/suites/example/compose/redis/templates/master.conf

@@ -1617,7 +1617,7 @@ notify-keyspace-events ""
 ############################### GOPHER SERVER #################################
 
 # Redis contains an implementation of the Gopher protocol, as specified in
-# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
+# the RFC 1436 (https://datatracker.ietf.org/doc/html/rfc1436).
 #
 # The Gopher protocol was very popular in the late '90s. It is an alternative
 # to the web, and the implementation both server and client side is so simple

internal/suites/example/compose/redis/templates/slave.conf

@@ -1617,7 +1617,7 @@ notify-keyspace-events ""
 ############################### GOPHER SERVER #################################
 
 # Redis contains an implementation of the Gopher protocol, as specified in
-# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
+# the RFC 1436 (https://datatracker.ietf.org/doc/html/rfc1436).
 #
 # The Gopher protocol was very popular in the late '90s. It is an alternative
 # to the web, and the implementation both server and client side is so simple