Add basic authentication (#1683)

* Add basic authentication

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>

37 files changed, 5132 insertions, 52 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d78f005..6e8a795 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 * [CHANGE]
 * [FEATURE]
+* [FEATURE] Add basic authentication #1673
 * [ENHANCEMENT] Add model_name and stepping to node_cpu_info metric #1617
 * [ENHANCEMENT] Add metrics for IO errors and retires on Darwin. #1636
 * [BUGFIX] collector/systemd: use regexp to extract systemd version #1647
diff --git a/go.mod b/go.mod
index c84801a..de7db9d 100644
--- a/go.mod
+++ b/go.mod
@@ -23,6 +23,7 @@ require (
         github.com/soundcloud/go-runit v0.0.0-20150630195641-06ad41a06c4a
         go.uber.org/atomic v1.5.1 // indirect
         go.uber.org/multierr v1.4.0 // indirect
+        golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
         golang.org/x/lint v0.0.0-20200130185559-910be7a94367 // indirect
         golang.org/x/sys v0.0.0-20200217220822-9197077df867
         golang.org/x/tools v0.0.0-20200216192241-b320d3a0f5a2 // indirect
diff --git a/go.sum b/go.sum
index 1b43a8b..0d58055 100644
--- a/go.sum
+++ b/go.sum
@@ -208,6 +208,7 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223 h1:F9x/1yl3T2AeKLr2AMdilSD8+f9bvMnNN8VS5iDtovc=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
@@ -338,6 +339,7 @@ golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
diff --git a/https/README.md b/https/README.md
index e8e4504..70b321e 100644
--- a/https/README.md
+++ b/https/README.md
@@ -25,4 +25,27 @@ tls_config:
 
   # CA certificate for client certificate authentication to the server
   [ client_ca_file: <filename> ]
+
+# List of usernames and hashed passwords that have full access to the web
+# server via basic authentication. If empty, no basic authentication is
+# required. Passwords are hashed with bcrypt.
+basic_auth_users:
+  [ <username>: <password> ... ]
 ```
+
+## About bcrypt
+
+There are several tools out there to generate bcrypt passwords, e.g.
+[htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html):
+
+`htpasswd -nBC 10 "" | tr -d ':\n`
+
+That command will prompt you for a password and output the hashed password,
+which will look something like:
+`$2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG`
+
+The cost (10 in the example) influences the time it takes for computing the
+hash. A higher cost will en up slowing down the authentication process.
+Depending on the machine, a cost of 10 will take about ~70ms where a cost of
+18 can take up to a few seconds. That hash will be computed on every
+password-protected request.
diff --git a/https/testdata/tls_config_auth_user_list_invalid.bad.yml b/https/testdata/tls_config_auth_user_list_invalid.bad.yml
new file mode 100644
index 0000000..90c1d95
--- /dev/null
+++ b/https/testdata/tls_config_auth_user_list_invalid.bad.yml
@@ -0,0 +1,5 @@
+tls_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+basic_auth_users:
+  john: doe
diff --git a/https/testdata/tls_config_junk_key.yml b/https/testdata/tls_config_junk_key.yml
new file mode 100644
index 0000000..acb2cc3
--- /dev/null
+++ b/https/testdata/tls_config_junk_key.yml
@@ -0,0 +1,2 @@
+tls_config :
+  cert_filse: "testdata/server.crt"
diff --git a/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
index 2ed9195..1511b5a 100644
--- a/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
+++ b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
@@ -1,3 +1,4 @@
 tls_config :
   cert_file : ""
-  key_file : ""
\ No newline at end of file
+  key_file : ""
+  client_auth_type: "x"
diff --git a/https/testdata/tls_config_users.good.yml b/https/testdata/tls_config_users.good.yml
new file mode 100644
index 0000000..278177d
--- /dev/null
+++ b/https/testdata/tls_config_users.good.yml
@@ -0,0 +1,8 @@
+tls_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff --git a/https/testdata/tls_config_users_noTLS.good.yml b/https/testdata/tls_config_users_noTLS.good.yml
new file mode 100644
index 0000000..d3a7987
--- /dev/null
+++ b/https/testdata/tls_config_users_noTLS.good.yml
@@ -0,0 +1,5 @@
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff --git a/https/tls_config.go b/https/tls_config.go
index 4b29862..44e57e9 100644
--- a/https/tls_config.go
+++ b/https/tls_config.go
@@ -20,12 +20,20 @@ import (
         "io/ioutil"
         "net/http"
 
+        "github.com/go-kit/kit/log"
+        "github.com/go-kit/kit/log/level"
         "github.com/pkg/errors"
+        config_util "github.com/prometheus/common/config"
         "gopkg.in/yaml.v2"
 )
 
+var (
+        errNoTLSConfig = errors.New("TLS config is not present")
+)
+
 type Config struct {
-        TLSConfig TLSStruct `yaml:"tls_config"`
+        TLSConfig TLSStruct                     `yaml:"tls_config"`
+        Users     map[string]config_util.Secret `yaml:"basic_auth_users"`
 }
 
 type TLSStruct struct {
@@ -35,13 +43,18 @@ type TLSStruct struct {
         ClientCAs   string `yaml:"client_ca_file"`
 }
 
-func getTLSConfig(configPath string) (*tls.Config, error) {
+func getConfig(configPath string) (*Config, error) {
         content, err := ioutil.ReadFile(configPath)
         if err != nil {
                 return nil, err
         }
         c := &Config{}
-        err = yaml.Unmarshal(content, c)
+        err = yaml.UnmarshalStrict(content, c)
+        return c, err
+}
+
+func getTLSConfig(configPath string) (*tls.Config, error) {
+        c, err := getConfig(configPath)
         if err != nil {
                 return nil, err
         }
@@ -50,14 +63,18 @@ func getTLSConfig(configPath string) (*tls.Config, error) {
 
 // ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.
 func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
-        cfg := &tls.Config{
-                MinVersion: tls.VersionTLS12,
+        if c.TLSCertPath == "" && c.TLSKeyPath == "" && c.ClientAuth == "" && c.ClientCAs == "" {
+                return nil, errNoTLSConfig
         }
-        if len(c.TLSCertPath) == 0 {
-                return nil, errors.New("missing TLSCertPath")
+
+        if c.TLSCertPath == "" {
+                return nil, errors.New("missing cert_file")
         }
-        if len(c.TLSKeyPath) == 0 {
-                return nil, errors.New("missing TLSKeyPath")
+        if c.TLSKeyPath == "" {
+                return nil, errors.New("missing key_file")
+        }
+        cfg := &tls.Config{
+                MinVersion: tls.VersionTLS12,
         }
         loadCert := func() (*tls.Certificate, error) {
                 cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
@@ -74,7 +91,7 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
                 return loadCert()
         }
 
-        if len(c.ClientCAs) > 0 {
+        if c.ClientCAs != "" {
                 clientCAPool := x509.NewCertPool()
                 clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
                 if err != nil {
@@ -83,40 +100,67 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
                 clientCAPool.AppendCertsFromPEM(clientCAFile)
                 cfg.ClientCAs = clientCAPool
         }
-        if len(c.ClientAuth) > 0 {
-                switch s := (c.ClientAuth); s {
-                case "NoClientCert":
-                        cfg.ClientAuth = tls.NoClientCert
-                case "RequestClientCert":
-                        cfg.ClientAuth = tls.RequestClientCert
-                case "RequireClientCert":
-                        cfg.ClientAuth = tls.RequireAnyClientCert
-                case "VerifyClientCertIfGiven":
-                        cfg.ClientAuth = tls.VerifyClientCertIfGiven
-                case "RequireAndVerifyClientCert":
-                        cfg.ClientAuth = tls.RequireAndVerifyClientCert
-                case "":
-                        cfg.ClientAuth = tls.NoClientCert
-                default:
-                        return nil, errors.New("Invalid ClientAuth: " + s)
-                }
+
+        switch c.ClientAuth {
+        case "RequestClientCert":
+                cfg.ClientAuth = tls.RequestClientCert
+        case "RequireClientCert":
+                cfg.ClientAuth = tls.RequireAnyClientCert
+        case "VerifyClientCertIfGiven":
+                cfg.ClientAuth = tls.VerifyClientCertIfGiven
+        case "RequireAndVerifyClientCert":
+                cfg.ClientAuth = tls.RequireAndVerifyClientCert
+        case "", "NoClientCert":
+                cfg.ClientAuth = tls.NoClientCert
+        default:
+                return nil, errors.New("Invalid ClientAuth: " + c.ClientAuth)
         }
-        if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {
+
+        if c.ClientCAs != "" && cfg.ClientAuth == tls.NoClientCert {
                 return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
         }
+
         return cfg, nil
 }
 
 // Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
-func Listen(server *http.Server, tlsConfigPath string) error {
-        if (tlsConfigPath) == "" {
+func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
+        if tlsConfigPath == "" {
+                level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.")
                 return server.ListenAndServe()
         }
-        var err error
-        server.TLSConfig, err = getTLSConfig(tlsConfigPath)
-        if err != nil {
+
+        if err := validateUsers(tlsConfigPath); err != nil {
                 return err
         }
+
+        // Setup basic authentication.
+        var handler http.Handler = http.DefaultServeMux
+        if server.Handler != nil {
+                handler = server.Handler
+        }
+        server.Handler = &userAuthRoundtrip{
+                tlsConfigPath: tlsConfigPath,
+                logger:        logger,
+                handler:       handler,
+        }
+
+        config, err := getTLSConfig(tlsConfigPath)
+        switch err {
+        case nil:
+                // Valid TLS config.
+                level.Info(logger).Log("msg", "TLS is enabled and it cannot be disabled on the fly.")
+        case errNoTLSConfig:
+                // No TLS config, back to plain HTTP.
+                level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.")
+                return server.ListenAndServe()
+        default:
+                // Invalid TLS config.
+                return err
+        }
+
+        server.TLSConfig = config
+
         // Set the GetConfigForClient method of the HTTPS server so that the config
         // and certs are reloaded on new connections.
         server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
diff --git a/https/tls_config_test.go b/https/tls_config_test.go
index 4b1b4e0..07f412a 100644
--- a/https/tls_config_test.go
+++ b/https/tls_config_test.go
@@ -28,7 +28,8 @@ import (
 )
 
 var (
-        port = getPort()
+        port       = getPort()
+        testlogger = &testLogger{}
 
         ErrorMap = map[string]*regexp.Regexp{
                 "HTTP Response to HTTPS":       regexp.MustCompile(`server gave HTTP response to HTTPS client`),
@@ -38,12 +39,21 @@ var (
                 "Invalid ClientAuth":           regexp.MustCompile(`invalid ClientAuth`),
                 "TLS handshake":                regexp.MustCompile(`tls`),
                 "HTTP Request to HTTPS server": regexp.MustCompile(`HTTP`),
-                "Invalid CertPath":             regexp.MustCompile(`missing TLSCertPath`),
-                "Invalid KeyPath":              regexp.MustCompile(`missing TLSKeyPath`),
+                "Invalid CertPath":             regexp.MustCompile(`missing cert_file`),
+                "Invalid KeyPath":              regexp.MustCompile(`missing key_file`),
                 "ClientCA set without policy":  regexp.MustCompile(`Client CA's have been configured without a Client Auth Policy`),
+                "Bad password":                 regexp.MustCompile(`hashedSecret too short to be a bcrypted password`),
+                "Unauthorized":                 regexp.MustCompile(`Unauthorized`),
+                "Forbidden":                    regexp.MustCompile(`Forbidden`),
         }
 )
 
+type testLogger struct{}
+
+func (t *testLogger) Log(keyvals ...interface{}) error {
+        return nil
+}
+
 func getPort() string {
         listener, err := net.Listen("tcp", ":0")
         if err != nil {
@@ -61,6 +71,8 @@ type TestInputs struct {
         YAMLConfigPath string
         ExpectedError  *regexp.Regexp
         UseTLSClient   bool
+        Username       string
+        Password       string
 }
 
 func TestYAMLFiles(t *testing.T) {
@@ -73,7 +85,7 @@ func TestYAMLFiles(t *testing.T) {
                 {
                         Name:           `empty config yml`,
                         YAMLConfigPath: "testdata/tls_config_empty.yml",
-                        ExpectedError:  ErrorMap["Invalid CertPath"],
+                        ExpectedError:  nil,
                 },
                 {
                         Name:           `invalid config yml (invalid structure)`,
@@ -81,6 +93,11 @@ func TestYAMLFiles(t *testing.T) {
                         ExpectedError:  ErrorMap["YAML error"],
                 },
                 {
+                        Name:           `invalid config yml (invalid key)`,
+                        YAMLConfigPath: "testdata/tls_config_junk_key.yml",
+                        ExpectedError:  ErrorMap["YAML error"],
+                },
+                {
                         Name:           `invalid config yml (cert path empty)`,
                         YAMLConfigPath: "testdata/tls_config_noAuth_certPath_empty.bad.yml",
                         ExpectedError:  ErrorMap["Invalid CertPath"],
@@ -120,6 +137,11 @@ func TestYAMLFiles(t *testing.T) {
                         YAMLConfigPath: "testdata/tls_config_auth_clientCAs_invalid.bad.yml",
                         ExpectedError:  ErrorMap["No such file"],
                 },
+                {
+                        Name:           `invalid config yml (invalid user list)`,
+                        YAMLConfigPath: "testdata/tls_config_auth_user_list_invalid.bad.yml",
+                        ExpectedError:  ErrorMap["Bad password"],
+                },
         }
         for _, testInputs := range testTables {
                 t.Run(testInputs.Name, testInputs.Test)
@@ -189,7 +211,7 @@ func TestConfigReloading(t *testing.T) {
                                 recordConnectionError(errors.New("Panic starting server"))
                         }
                 }()
-                err := Listen(server, badYAMLPath)
+                err := Listen(server, badYAMLPath, testlogger)
                 recordConnectionError(err)
         }()
 
@@ -266,21 +288,28 @@ func (test *TestInputs) Test(t *testing.T) {
                                 recordConnectionError(errors.New("Panic starting server"))
                         }
                 }()
-                err := Listen(server, test.YAMLConfigPath)
+                err := Listen(server, test.YAMLConfigPath, testlogger)
                 recordConnectionError(err)
         }()
 
-        var ClientConnection func() (*http.Response, error)
-        if test.UseTLSClient {
-                ClientConnection = func() (*http.Response, error) {
-                        client := getTLSClient()
-                        return client.Get("https://localhost" + port)
+        ClientConnection := func() (*http.Response, error) {
+                var client *http.Client
+                var proto string
+                if test.UseTLSClient {
+                        client = getTLSClient()
+                        proto = "https"
+                } else {
+                        client = http.DefaultClient
+                        proto = "http"
                 }
-        } else {
-                ClientConnection = func() (*http.Response, error) {
-                        client := http.DefaultClient
-                        return client.Get("http://localhost" + port)
+                req, err := http.NewRequest("GET", proto+"://localhost"+port, nil)
+                if err != nil {
+                        t.Error(err)
                 }
+                if test.Username != "" {
+                        req.SetBasicAuth(test.Username, test.Password)
+                }
+                return client.Do(req)
         }
         go func() {
                 time.Sleep(250 * time.Millisecond)
@@ -360,3 +389,61 @@ func swapFileContents(file1, file2 string) error {
         }
         return nil
 }
+
+func TestUsers(t *testing.T) {
+        testTables := []*TestInputs{
+                {
+                        Name:           `without basic auth`,
+                        YAMLConfigPath: "testdata/tls_config_users_noTLS.good.yml",
+                        ExpectedError:  ErrorMap["Unauthorized"],
+                },
+                {
+                        Name:           `with correct basic auth`,
+                        YAMLConfigPath: "testdata/tls_config_users_noTLS.good.yml",
+                        Username:       "dave",
+                        Password:       "dave123",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `without basic auth and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        ExpectedError:  ErrorMap["Unauthorized"],
+                },
+                {
+                        Name:           `with correct basic auth and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "dave",
+                        Password:       "dave123",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `with another correct basic auth and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "carol",
+                        Password:       "carol123",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `with bad password and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "dave",
+                        Password:       "bad",
+                        ExpectedError:  ErrorMap["Forbidden"],
+                },
+                {
+                        Name:           `with bad username and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "nonexistent",
+                        Password:       "nonexistent",
+                        ExpectedError:  ErrorMap["Forbidden"],
+                },
+        }
+        for _, testInputs := range testTables {
+                t.Run(testInputs.Name, testInputs.Test)
+        }
+}
diff --git a/https/users.go b/https/users.go
new file mode 100644
index 0000000..170c87b
--- /dev/null
+++ b/https/users.go
@@ -0,0 +1,73 @@
+// Copyright 2020 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package https
+
+import (
+        "net/http"
+
+        "github.com/go-kit/kit/log"
+        "golang.org/x/crypto/bcrypt"
+)
+
+func validateUsers(configPath string) error {
+        c, err := getConfig(configPath)
+        if err != nil {
+                return err
+        }
+
+        for _, p := range c.Users {
+                _, err = bcrypt.Cost([]byte(p))
+                if err != nil {
+                        return err
+                }
+        }
+
+        return nil
+}
+
+type userAuthRoundtrip struct {
+        tlsConfigPath string
+        handler       http.Handler
+        logger        log.Logger
+}
+
+func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+        c, err := getConfig(u.tlsConfigPath)
+        if err != nil {
+                u.logger.Log("msg", "Unable to parse configuration", "err", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
+        }
+
+        if len(c.Users) == 0 {
+                u.handler.ServeHTTP(w, r)
+                return
+        }
+
+        user, pass, ok := r.BasicAuth()
+        if !ok {
+                w.Header().Set("WWW-Authenticate", "Basic")
+                http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+                return
+        }
+
+        if hashedPassword, ok := c.Users[user]; ok {
+                if err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)); err == nil {
+                        u.handler.ServeHTTP(w, r)
+                        return
+                }
+        }
+
+        http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+}
diff --git a/node_exporter.go b/node_exporter.go
index 800be92..d195372 100644
--- a/node_exporter.go
+++ b/node_exporter.go
@@ -15,13 +15,14 @@ package main
 
 import (
         "fmt"
-        "github.com/prometheus/common/promlog"
-        "github.com/prometheus/common/promlog/flag"
         "net/http"
         _ "net/http/pprof"
         "os"
         "sort"
 
+        "github.com/prometheus/common/promlog"
+        "github.com/prometheus/common/promlog/flag"
+
         "github.com/go-kit/kit/log"
         "github.com/go-kit/kit/log/level"
         "github.com/prometheus/client_golang/prometheus"
@@ -189,7 +190,7 @@ func main() {
 
         level.Info(logger).Log("msg", "Listening on", "address", *listenAddress)
         server := &http.Server{Addr: *listenAddress}
-        if err := https.Listen(server, *configFile); err != nil {
+        if err := https.Listen(server, *configFile, logger); err != nil {
                 level.Error(logger).Log("err", err)
                 os.Exit(1)
         }
diff --git a/vendor/github.com/mwitkow/go-conntrack/.gitignore b/vendor/github.com/mwitkow/go-conntrack/.gitignore
new file mode 100644
index 0000000..406e493
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/.gitignore
@@ -0,0 +1,163 @@
+# Created by .ignore support plugin (hsz.mobi)
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea
+.idea/workspace.xml
+.idea/tasks.xml
+.idea/dictionaries
+.idea/vcs.xml
+.idea/jsLibraryMappings.xml
+
+# Sensitive or high-churn files:
+.idea/dataSources.ids
+.idea/dataSources.xml
+.idea/dataSources.local.xml
+.idea/sqlDataSources.xml
+.idea/dynamic.xml
+.idea/uiDesigner.xml
+
+# Gradle:
+.idea/gradle.xml
+.idea/libraries
+
+# Mongo Explorer plugin:
+.idea/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+### Go template
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# IPython Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+.env
+
+# virtualenv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject
+
diff --git a/vendor/github.com/mwitkow/go-conntrack/.travis.yml b/vendor/github.com/mwitkow/go-conntrack/.travis.yml
new file mode 100644
index 0000000..db676f6
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/.travis.yml
@@ -0,0 +1,13 @@
+sudo: false
+language: go
+go:
+  - 1.7
+
+install:
+  - go get github.com/stretchr/testify
+  - go get github.com/prometheus/client_golang/prometheus
+  - go get golang.org/x/net/context
+  - go get golang.org/x/net/trace
+
+script:
+ - go test -v ./...
diff --git a/vendor/github.com/mwitkow/go-conntrack/LICENSE b/vendor/github.com/mwitkow/go-conntrack/LICENSE
new file mode 100644
index 0000000..8dada3e
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/mwitkow/go-conntrack/README.md b/vendor/github.com/mwitkow/go-conntrack/README.md
new file mode 100644
index 0000000..5ae7702
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/README.md
@@ -0,0 +1,88 @@
+# Go tracing and monitoring (Prometheus) for `net.Conn`
+
+[![Travis Build](https://travis-ci.org/mwitkow/go-conntrack.svg)](https://travis-ci.org/mwitkow/go-conntrack)
+[![Go Report Card](https://goreportcard.com/badge/github.com/mwitkow/go-conntrack)](http://goreportcard.com/report/mwitkow/go-conntrack)
+[![GoDoc](http://img.shields.io/badge/GoDoc-Reference-blue.svg)](https://godoc.org/github.com/mwitkow/go-conntrack)
+[![Apache 2.0 License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
+
+[Prometheus](https://prometheus.io/) monitoring and [`x/net/trace`](https://godoc.org/golang.org/x/net/trace#EventLog) tracing wrappers `net.Conn`, both inbound (`net.Listener`) and outbound (`net.Dialer`).
+
+## Why?
+
+Go standard library does a great job of doing "the right" things with your connections: `http.Transport` pools outbound ones, and `http.Server` sets good *Keep Alive* defaults.
+However, it is still easy to get it wrong, see the excellent [*The complete guide to Go net/http timeouts*](https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/). 
+
+That's why you should be able to monitor (using Prometheus) how many connections your Go frontend servers have inbound, and how big are the connection pools to your backends. You should also be able to inspect your connection without `ssh` and `netstat`.
+
+![Events page with connections](https://raw.githubusercontent.com/mwitkow/go-conntrack/images/events.png)
+
+## How to use?
+
+All of these examples can be found in [`example/server.go`](example/server.go):
+
+### Conntrack Dialer for HTTP DefaultClient
+ 
+Most often people use the default `http.DefaultClient` that uses `http.DefaultTransport`. The easiest way to make sure all your outbound connections monitored and trace is:
+
+```go
+http.DefaultTransport.(*http.Transport).DialContext = conntrack.NewDialContextFunc(
+    conntrack.DialWithTracing(),
+    conntrack.DialWithDialer(&net.Dialer{
+        Timeout:   30 * time.Second,
+        KeepAlive: 30 * time.Second,
+    }),
+)
+```
+
+#### Dialer Name
+
+Tracked outbound connections are organised by *dialer name* (with `default` being default). The *dialer name* is used for monitoring (`dialer_name` label) and tracing (`net.ClientConn.<dialer_name>` family). 
+
+You can pass `conntrack.WithDialerName()` to `NewDialContextFunc` to set the name for the dialer. Moreover, you can set the *dialer name* per invocation of the dialer, by passing it in the `Context`. For example using the [`ctxhttp`](https://godoc.org/golang.org/x/net/context/ctxhttp) lib:
+
+```go
+callCtx := conntrack.DialNameToContext(parentCtx, "google")
+ctxhttp.Get(callCtx, http.DefaultClient, "https://www.google.com")
+```
+
+### Conntrack Listener for HTTP Server
+
+Tracked inbound connections are organised by *listener name* (with `default` being default). The *listener name* is used for monitoring (`listener_name` label) and tracing (`net.ServerConn.<listener_name>` family). For example, a simple `http.Server` can be instrumented like this:
+
+```go
+listener, err := net.Listen("tcp", fmt.Sprintf(":%d", *port))
+listener = conntrack.NewListener(listener, 
+    conntrack.TrackWithName("http"), 
+    conntrack.TrackWithTracing(),
+    conntrack.TrackWithTcpKeepAlive(5 * time.Minutes))
+httpServer.Serve(listener) 
+```
+
+Note, the `TrackWithTcpKeepAlive`. The default `http.ListenAndServe` adds a tcp keep alive wrapper to inbound TCP connections. `conntrack.NewListener` allows you to do that without another layer of wrapping.
+
+#### TLS server example
+
+The standard lobrary `http.ListenAndServerTLS` does a lot to bootstrap TLS connections, including supporting HTTP2 negotiation. Unfortunately, that is hard to do if you want to provide your own `net.Listener`. That's why this repo comes with `connhelpers` package, which takes care of configuring `tls.Config` for that use case. Here's an example of use:
+
+```go
+listener, err := net.Listen("tcp", fmt.Sprintf(":%d", *port))
+listener = conntrack.NewListener(listener, 
+    conntrack.TrackWithName("https"), 
+    conntrack.TrackWithTracing(),
+    conntrack.TrackWithTcpKeepAlive(5 * time.Minutes))
+tlsConfig, err := connhelpers.TlsConfigForServerCerts(*tlsCertFilePath, *tlsKeyFilePath)
+tlsConfig, err = connhelpers.TlsConfigWithHttp2Enabled(tlsConfig)
+tlsListener := tls.NewListener(listener, tlsConfig)
+httpServer.Serve(listener) 
+```
+
+# Status
+
+This code is used by Improbable's HTTP frontending and proxying stack for debuging and monitoring of established user connections.
+
+Additional tooling will be added if needed, and contributions are welcome.
+
+#License
+
+`go-conntrack` is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+
diff --git a/vendor/github.com/mwitkow/go-conntrack/dialer_reporter.go b/vendor/github.com/mwitkow/go-conntrack/dialer_reporter.go
new file mode 100644
index 0000000..0e39886
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/dialer_reporter.go
@@ -0,0 +1,108 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package conntrack
+
+import (
+        "context"
+        "net"
+        "os"
+        "syscall"
+
+        prom "github.com/prometheus/client_golang/prometheus"
+)
+
+type failureReason string
+
+const (
+        failedResolution  = "resolution"
+        failedConnRefused = "refused"
+        failedTimeout     = "timeout"
+        failedUnknown     = "unknown"
+)
+
+var (
+        dialerAttemptedTotal = prom.NewCounterVec(
+                prom.CounterOpts{
+                        Namespace: "net",
+                        Subsystem: "conntrack",
+                        Name:      "dialer_conn_attempted_total",
+                        Help:      "Total number of connections attempted by the given dialer a given name.",
+                }, []string{"dialer_name"})
+
+        dialerConnEstablishedTotal = prom.NewCounterVec(
+                prom.CounterOpts{
+                        Namespace: "net",
+                        Subsystem: "conntrack",
+                        Name:      "dialer_conn_established_total",
+                        Help:      "Total number of connections successfully established by the given dialer a given name.",
+                }, []string{"dialer_name"})
+
+        dialerConnFailedTotal = prom.NewCounterVec(
+                prom.CounterOpts{
+                        Namespace: "net",
+                        Subsystem: "conntrack",
+                        Name:      "dialer_conn_failed_total",
+                        Help:      "Total number of connections failed to dial by the dialer a given name.",
+                }, []string{"dialer_name", "reason"})
+
+        dialerConnClosedTotal = prom.NewCounterVec(
+                prom.CounterOpts{
+                        Namespace: "net",
+                        Subsystem: "conntrack",
+                        Name:      "dialer_conn_closed_total",
+                        Help:      "Total number of connections closed which originated from the dialer of a given name.",
+                }, []string{"dialer_name"})
+)
+
+func init() {
+        prom.MustRegister(dialerAttemptedTotal)
+        prom.MustRegister(dialerConnEstablishedTotal)
+        prom.MustRegister(dialerConnFailedTotal)
+        prom.MustRegister(dialerConnClosedTotal)
+}
+
+// preRegisterDialerMetrics pre-populates Prometheus labels for the given dialer name, to avoid Prometheus missing labels issue.
+func PreRegisterDialerMetrics(dialerName string) {
+        dialerAttemptedTotal.WithLabelValues(dialerName)
+        dialerConnEstablishedTotal.WithLabelValues(dialerName)
+        for _, reason := range []failureReason{failedTimeout, failedResolution, failedConnRefused, failedUnknown} {
+                dialerConnFailedTotal.WithLabelValues(dialerName, string(reason))
+        }
+        dialerConnClosedTotal.WithLabelValues(dialerName)
+}
+
+func reportDialerConnAttempt(dialerName string) {
+        dialerAttemptedTotal.WithLabelValues(dialerName).Inc()
+}
+
+func reportDialerConnEstablished(dialerName string) {
+        dialerConnEstablishedTotal.WithLabelValues(dialerName).Inc()
+}
+
+func reportDialerConnClosed(dialerName string) {
+        dialerConnClosedTotal.WithLabelValues(dialerName).Inc()
+}
+
+func reportDialerConnFailed(dialerName string, err error) {
+        if netErr, ok := err.(*net.OpError); ok {
+                switch nestErr := netErr.Err.(type) {
+                case *net.DNSError:
+                        dialerConnFailedTotal.WithLabelValues(dialerName, string(failedResolution)).Inc()
+                        return
+                case *os.SyscallError:
+                        if nestErr.Err == syscall.ECONNREFUSED {
+                                dialerConnFailedTotal.WithLabelValues(dialerName, string(failedConnRefused)).Inc()
+                        }
+                        dialerConnFailedTotal.WithLabelValues(dialerName, string(failedUnknown)).Inc()
+                        return
+                }
+                if netErr.Timeout() {
+                        dialerConnFailedTotal.WithLabelValues(dialerName, string(failedTimeout)).Inc()
+                }
+        } else if err == context.Canceled || err == context.DeadlineExceeded {
+                dialerConnFailedTotal.WithLabelValues(dialerName, string(failedTimeout)).Inc()
+                return
+        }
+        dialerConnFailedTotal.WithLabelValues(dialerName, string(failedUnknown)).Inc()
+}
diff --git a/vendor/github.com/mwitkow/go-conntrack/dialer_wrapper.go b/vendor/github.com/mwitkow/go-conntrack/dialer_wrapper.go
new file mode 100644
index 0000000..cebaf96
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/dialer_wrapper.go
@@ -0,0 +1,166 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package conntrack
+
+import (
+        "context"
+        "fmt"
+        "net"
+        "sync"
+
+        "golang.org/x/net/trace"
+)
+
+var (
+        dialerNameKey = "conntrackDialerKey"
+)
+
+type dialerOpts struct {
+        name                  string
+        monitoring            bool
+        tracing               bool
+        parentDialContextFunc dialerContextFunc
+}
+
+type dialerOpt func(*dialerOpts)
+
+type dialerContextFunc func(context.Context, string, string) (net.Conn, error)
+
+// DialWithName sets the name of the dialer for tracking and monitoring.
+// This is the name for the dialer (default is `default`), but for `NewDialContextFunc` can be overwritten from the
+// Context using `DialNameToContext`.
+func DialWithName(name string) dialerOpt {
+        return func(opts *dialerOpts) {
+                opts.name = name
+        }
+}
+
+// DialWithoutMonitoring turns *off* Prometheus monitoring for this dialer.
+func DialWithoutMonitoring() dialerOpt {
+        return func(opts *dialerOpts) {
+                opts.monitoring = false
+        }
+}
+
+// DialWithTracing turns *on* the /debug/events tracing of the dial calls.
+func DialWithTracing() dialerOpt {
+        return func(opts *dialerOpts) {
+                opts.tracing = true
+        }
+}
+
+// DialWithDialer allows you to override the `net.Dialer` instance used to actually conduct the dials.
+func DialWithDialer(parentDialer *net.Dialer) dialerOpt {
+        return DialWithDialContextFunc(parentDialer.DialContext)
+}
+
+// DialWithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`.
+func DialWithDialContextFunc(parentDialerFunc dialerContextFunc) dialerOpt {
+        return func(opts *dialerOpts) {
+                opts.parentDialContextFunc = parentDialerFunc
+        }
+}
+
+// DialNameFromContext returns the name of the dialer from the context of the DialContext func, if any.
+func DialNameFromContext(ctx context.Context) string {
+        val, ok := ctx.Value(dialerNameKey).(string)
+        if !ok {
+                return ""
+        }
+        return val
+}
+
+// DialNameToContext returns a context that will contain a dialer name override.
+func DialNameToContext(ctx context.Context, dialerName string) context.Context {
+        return context.WithValue(ctx, dialerNameKey, dialerName)
+}
+
+// NewDialContextFunc returns a `DialContext` function that tracks outbound connections.
+// The signature is compatible with `http.Tranport.DialContext` and is meant to be used there.
+func NewDialContextFunc(optFuncs ...dialerOpt) func(context.Context, string, string) (net.Conn, error) {
+        opts := &dialerOpts{name: defaultName, monitoring: true, parentDialContextFunc: (&net.Dialer{}).DialContext}
+        for _, f := range optFuncs {
+                f(opts)
+        }
+        if opts.monitoring {
+                PreRegisterDialerMetrics(opts.name)
+        }
+        return func(ctx context.Context, network string, addr string) (net.Conn, error) {
+                name := opts.name
+                if ctxName := DialNameFromContext(ctx); ctxName != "" {
+                        name = ctxName
+                }
+                return dialClientConnTracker(ctx, network, addr, name, opts)
+        }
+}
+
+// NewDialFunc returns a `Dial` function that tracks outbound connections.
+// The signature is compatible with `http.Tranport.Dial` and is meant to be used there for Go < 1.7.
+func NewDialFunc(optFuncs ...dialerOpt) func(string, string) (net.Conn, error) {
+        dialContextFunc := NewDialContextFunc(optFuncs...)
+        return func(network string, addr string) (net.Conn, error) {
+                return dialContextFunc(context.TODO(), network, addr)
+        }
+}
+
+type clientConnTracker struct {
+        net.Conn
+        opts       *dialerOpts
+        dialerName string
+        event      trace.EventLog
+        mu         sync.Mutex
+}
+
+func dialClientConnTracker(ctx context.Context, network string, addr string, dialerName string, opts *dialerOpts) (net.Conn, error) {
+        var event trace.EventLog
+        if opts.tracing {
+                event = trace.NewEventLog(fmt.Sprintf("net.ClientConn.%s", dialerName), fmt.Sprintf("%v", addr))
+        }
+        if opts.monitoring {
+                reportDialerConnAttempt(dialerName)
+        }
+        conn, err := opts.parentDialContextFunc(ctx, network, addr)
+        if err != nil {
+                if event != nil {
+                        event.Errorf("failed dialing: %v", err)
+                        event.Finish()
+                }
+                if opts.monitoring {
+                        reportDialerConnFailed(dialerName, err)
+                }
+                return nil, err
+        }
+        if event != nil {
+                event.Printf("established: %s -> %s", conn.LocalAddr(), conn.RemoteAddr())
+        }
+        if opts.monitoring {
+                reportDialerConnEstablished(dialerName)
+        }
+        tracker := &clientConnTracker{
+                Conn:       conn,
+                opts:       opts,
+                dialerName: dialerName,
+                event:      event,
+        }
+        return tracker, nil
+}
+
+func (ct *clientConnTracker) Close() error {
+        err := ct.Conn.Close()
+        ct.mu.Lock()
+        if ct.event != nil {
+                if err != nil {
+                        ct.event.Errorf("failed closing: %v", err)
+                } else {
+                        ct.event.Printf("closing")
+                }
+                ct.event.Finish()
+                ct.event = nil
+        }
+        ct.mu.Unlock()
+        if ct.opts.monitoring {
+                reportDialerConnClosed(ct.dialerName)
+        }
+        return err
+}
diff --git a/vendor/github.com/mwitkow/go-conntrack/listener_reporter.go b/vendor/github.com/mwitkow/go-conntrack/listener_reporter.go
new file mode 100644
index 0000000..21a8f55
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/listener_reporter.go
@@ -0,0 +1,43 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package conntrack
+
+import prom "github.com/prometheus/client_golang/prometheus"
+
+var (
+        listenerAcceptedTotal = prom.NewCounterVec(
+                prom.CounterOpts{
+                        Namespace: "net",
+                        Subsystem: "conntrack",
+                        Name:      "listener_conn_accepted_total",
+                        Help:      "Total number of connections opened to the listener of a given name.",
+                }, []string{"listener_name"})
+
+        listenerClosedTotal = prom.NewCounterVec(
+                prom.CounterOpts{
+                        Namespace: "net",
+                        Subsystem: "conntrack",
+                        Name:      "listener_conn_closed_total",
+                        Help:      "Total number of connections closed that were made to the listener of a given name.",
+                }, []string{"listener_name"})
+)
+
+func init() {
+        prom.MustRegister(listenerAcceptedTotal)
+        prom.MustRegister(listenerClosedTotal)
+}
+
+// preRegisterListener pre-populates Prometheus labels for the given listener name, to avoid Prometheus missing labels issue.
+func preRegisterListenerMetrics(listenerName string) {
+        listenerAcceptedTotal.WithLabelValues(listenerName)
+        listenerClosedTotal.WithLabelValues(listenerName)
+}
+
+func reportListenerConnAccepted(listenerName string) {
+        listenerAcceptedTotal.WithLabelValues(listenerName).Inc()
+}
+
+func reportListenerConnClosed(listenerName string) {
+        listenerClosedTotal.WithLabelValues(listenerName).Inc()
+}
diff --git a/vendor/github.com/mwitkow/go-conntrack/listener_wrapper.go b/vendor/github.com/mwitkow/go-conntrack/listener_wrapper.go
new file mode 100644
index 0000000..6754c00
--- /dev/null
+++ b/vendor/github.com/mwitkow/go-conntrack/listener_wrapper.go
@@ -0,0 +1,137 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package conntrack
+
+import (
+        "fmt"
+        "net"
+
+        "sync"
+
+        "golang.org/x/net/trace"
+        "time"
+)
+
+const (
+        defaultName = "default"
+)
+
+type listenerOpts struct {
+        name         string
+        monitoring   bool
+        tracing      bool
+        tcpKeepAlive time.Duration
+}
+
+type listenerOpt func(*listenerOpts)
+
+// TrackWithName sets the name of the Listener for use in tracking and monitoring.
+func TrackWithName(name string) listenerOpt {
+        return func(opts *listenerOpts) {
+                opts.name = name
+        }
+}
+
+// TrackWithoutMonitoring turns *off* Prometheus monitoring for this listener.
+func TrackWithoutMonitoring() listenerOpt {
+        return func(opts *listenerOpts) {
+                opts.monitoring = false
+        }
+}
+
+// TrackWithTracing turns *on* the /debug/events tracing of the live listener connections.
+func TrackWithTracing() listenerOpt {
+        return func(opts *listenerOpts) {
+                opts.tracing = true
+        }
+}
+
+// TrackWithTcpKeepAlive makes sure that any `net.TCPConn` that get accepted have a keep-alive.
+// This is useful for HTTP servers in order for, for example laptops, to not use up resources on the
+// server while they don't utilise their connection.
+// A value of 0 disables it.
+func TrackWithTcpKeepAlive(keepalive time.Duration) listenerOpt {
+        return func(opts *listenerOpts) {
+                opts.tcpKeepAlive = keepalive
+        }
+}
+
+type connTrackListener struct {
+        net.Listener
+        opts *listenerOpts
+}
+
+// NewListener returns the given listener wrapped in connection tracking listener.
+func NewListener(inner net.Listener, optFuncs ...listenerOpt) net.Listener {
+        opts := &listenerOpts{
+                name:       defaultName,
+                monitoring: true,
+                tracing:    false,
+        }
+        for _, f := range optFuncs {
+                f(opts)
+        }
+        if opts.monitoring {
+                preRegisterListenerMetrics(opts.name)
+        }
+        return &connTrackListener{
+                Listener: inner,
+                opts:     opts,
+        }
+}
+
+func (ct *connTrackListener) Accept() (net.Conn, error) {
+        // TODO(mwitkow): Add monitoring of failed accept.
+        conn, err := ct.Listener.Accept()
+        if err != nil {
+                return nil, err
+        }
+        if tcpConn, ok := conn.(*net.TCPConn); ok && ct.opts.tcpKeepAlive > 0 {
+                tcpConn.SetKeepAlive(true)
+                tcpConn.SetKeepAlivePeriod(ct.opts.tcpKeepAlive)
+        }
+        return newServerConnTracker(conn, ct.opts), nil
+}
+
+type serverConnTracker struct {
+        net.Conn
+        opts  *listenerOpts
+        event trace.EventLog
+        mu    sync.Mutex
+}
+
+func newServerConnTracker(inner net.Conn, opts *listenerOpts) net.Conn {
+
+        tracker := &serverConnTracker{
+                Conn: inner,
+                opts: opts,
+        }
+        if opts.tracing {
+                tracker.event = trace.NewEventLog(fmt.Sprintf("net.ServerConn.%s", opts.name), fmt.Sprintf("%v", inner.RemoteAddr()))
+                tracker.event.Printf("accepted: %v -> %v", inner.RemoteAddr(), inner.LocalAddr())
+        }
+        if opts.monitoring {
+                reportListenerConnAccepted(opts.name)
+        }
+        return tracker
+}
+
+func (ct *serverConnTracker) Close() error {
+        err := ct.Conn.Close()
+        ct.mu.Lock()
+        if ct.event != nil {
+                if err != nil {
+                        ct.event.Errorf("failed closing: %v", err)
+                } else {
+                        ct.event.Printf("closing")
+                }
+                ct.event.Finish()
+                ct.event = nil
+        }
+        ct.mu.Unlock()
+        if ct.opts.monitoring {
+                reportListenerConnClosed(ct.opts.name)
+        }
+        return err
+}
diff --git a/vendor/github.com/prometheus/common/config/config.go b/vendor/github.com/prometheus/common/config/config.go
new file mode 100644
index 0000000..30719d8
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/config.go
@@ -0,0 +1,34 @@
+// Copyright 2016 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This package no longer handles safe yaml parsing. In order to
+// ensure correct yaml unmarshalling, use "yaml.UnmarshalStrict()".
+
+package config
+
+// Secret special type for storing secrets.
+type Secret string
+
+// MarshalYAML implements the yaml.Marshaler interface for Secrets.
+func (s Secret) MarshalYAML() (interface{}, error) {
+        if s != "" {
+                return "<secret>", nil
+        }
+        return nil, nil
+}
+
+//UnmarshalYAML implements the yaml.Unmarshaler interface for Secrets.
+func (s *Secret) UnmarshalYAML(unmarshal func(interface{}) error) error {
+        type plain Secret
+        return unmarshal((*plain)(s))
+}
diff --git a/vendor/github.com/prometheus/common/config/http_config.go b/vendor/github.com/prometheus/common/config/http_config.go
new file mode 100644
index 0000000..5c373d7
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/http_config.go
@@ -0,0 +1,472 @@
+// Copyright 2016 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build go1.8
+
+package config
+
+import (
+        "bytes"
+        "crypto/md5"
+        "crypto/tls"
+        "crypto/x509"
+        "fmt"
+        "io/ioutil"
+        "net/http"
+        "net/url"
+        "strings"
+        "sync"
+        "time"
+
+        "github.com/mwitkow/go-conntrack"
+        "gopkg.in/yaml.v2"
+)
+
+type closeIdler interface {
+        CloseIdleConnections()
+}
+
+// BasicAuth contains basic HTTP authentication credentials.
+type BasicAuth struct {
+        Username     string `yaml:"username"`
+        Password     Secret `yaml:"password,omitempty"`
+        PasswordFile string `yaml:"password_file,omitempty"`
+}
+
+// URL is a custom URL type that allows validation at configuration load time.
+type URL struct {
+        *url.URL
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
+func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error {
+        var s string
+        if err := unmarshal(&s); err != nil {
+                return err
+        }
+
+        urlp, err := url.Parse(s)
+        if err != nil {
+                return err
+        }
+        u.URL = urlp
+        return nil
+}
+
+// MarshalYAML implements the yaml.Marshaler interface for URLs.
+func (u URL) MarshalYAML() (interface{}, error) {
+        if u.URL != nil {
+                return u.String(), nil
+        }
+        return nil, nil
+}
+
+// HTTPClientConfig configures an HTTP client.
+type HTTPClientConfig struct {
+        // The HTTP basic authentication credentials for the targets.
+        BasicAuth *BasicAuth `yaml:"basic_auth,omitempty"`
+        // The bearer token for the targets.
+        BearerToken Secret `yaml:"bearer_token,omitempty"`
+        // The bearer token file for the targets.
+        BearerTokenFile string `yaml:"bearer_token_file,omitempty"`
+        // HTTP proxy server to use to connect to the targets.
+        ProxyURL URL `yaml:"proxy_url,omitempty"`
+        // TLSConfig to use to connect to the targets.
+        TLSConfig TLSConfig `yaml:"tls_config,omitempty"`
+}
+
+// Validate validates the HTTPClientConfig to check only one of BearerToken,
+// BasicAuth and BearerTokenFile is configured.
+func (c *HTTPClientConfig) Validate() error {
+        if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 {
+                return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured")
+        }
+        if c.BasicAuth != nil && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
+                return fmt.Errorf("at most one of basic_auth, bearer_token & bearer_token_file must be configured")
+        }
+        if c.BasicAuth != nil && (string(c.BasicAuth.Password) != "" && c.BasicAuth.PasswordFile != "") {
+                return fmt.Errorf("at most one of basic_auth password & password_file must be configured")
+        }
+        return nil
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface
+func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+        type plain HTTPClientConfig
+        if err := unmarshal((*plain)(c)); err != nil {
+                return err
+        }
+        return c.Validate()
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface.
+func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
+        type plain BasicAuth
+        return unmarshal((*plain)(a))
+}
+
+// NewClient returns a http.Client using the specified http.RoundTripper.
+func newClient(rt http.RoundTripper) *http.Client {
+        return &http.Client{Transport: rt}
+}
+
+// NewClientFromConfig returns a new HTTP client configured for the
+// given config.HTTPClientConfig. The name is used as go-conntrack metric label.
+func NewClientFromConfig(cfg HTTPClientConfig, name string, disableKeepAlives bool) (*http.Client, error) {
+        rt, err := NewRoundTripperFromConfig(cfg, name, disableKeepAlives)
+        if err != nil {
+                return nil, err
+        }
+        return newClient(rt), nil
+}
+
+// NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the
+// given config.HTTPClientConfig. The name is used as go-conntrack metric label.
+func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string, disableKeepAlives bool) (http.RoundTripper, error) {
+        newRT := func(tlsConfig *tls.Config) (http.RoundTripper, error) {
+                // The only timeout we care about is the configured scrape timeout.
+                // It is applied on request. So we leave out any timings here.
+                var rt http.RoundTripper = &http.Transport{
+                        Proxy:               http.ProxyURL(cfg.ProxyURL.URL),
+                        MaxIdleConns:        20000,
+                        MaxIdleConnsPerHost: 1000, // see https://github.com/golang/go/issues/13801
+                        DisableKeepAlives:   disableKeepAlives,
+                        TLSClientConfig:     tlsConfig,
+                        DisableCompression:  true,
+                        // 5 minutes is typically above the maximum sane scrape interval. So we can
+                        // use keepalive for all configurations.
+                        IdleConnTimeout:       5 * time.Minute,
+                        TLSHandshakeTimeout:   10 * time.Second,
+                        ExpectContinueTimeout: 1 * time.Second,
+                        DialContext: conntrack.NewDialContextFunc(
+                                conntrack.DialWithTracing(),
+                                conntrack.DialWithName(name),
+                        ),
+                }
+
+                // If a bearer token is provided, create a round tripper that will set the
+                // Authorization header correctly on each request.
+                if len(cfg.BearerToken) > 0 {
+                        rt = NewBearerAuthRoundTripper(cfg.BearerToken, rt)
+                } else if len(cfg.BearerTokenFile) > 0 {
+                        rt = NewBearerAuthFileRoundTripper(cfg.BearerTokenFile, rt)
+                }
+
+                if cfg.BasicAuth != nil {
+                        rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, cfg.BasicAuth.PasswordFile, rt)
+                }
+                // Return a new configured RoundTripper.
+                return rt, nil
+        }
+
+        tlsConfig, err := NewTLSConfig(&cfg.TLSConfig)
+        if err != nil {
+                return nil, err
+        }
+
+        if len(cfg.TLSConfig.CAFile) == 0 {
+                // No need for a RoundTripper that reloads the CA file automatically.
+                return newRT(tlsConfig)
+        }
+
+        return newTLSRoundTripper(tlsConfig, cfg.TLSConfig.CAFile, newRT)
+}
+
+type bearerAuthRoundTripper struct {
+        bearerToken Secret
+        rt          http.RoundTripper
+}
+
+// NewBearerAuthRoundTripper adds the provided bearer token to a request unless the authorization
+// header has already been set.
+func NewBearerAuthRoundTripper(token Secret, rt http.RoundTripper) http.RoundTripper {
+        return &bearerAuthRoundTripper{token, rt}
+}
+
+func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+        if len(req.Header.Get("Authorization")) == 0 {
+                req = cloneRequest(req)
+                req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", string(rt.bearerToken)))
+        }
+        return rt.rt.RoundTrip(req)
+}
+
+func (rt *bearerAuthRoundTripper) CloseIdleConnections() {
+        if ci, ok := rt.rt.(closeIdler); ok {
+                ci.CloseIdleConnections()
+        }
+}
+
+type bearerAuthFileRoundTripper struct {
+        bearerFile string
+        rt         http.RoundTripper
+}
+
+// NewBearerAuthFileRoundTripper adds the bearer token read from the provided file to a request unless
+// the authorization header has already been set. This file is read for every request.
+func NewBearerAuthFileRoundTripper(bearerFile string, rt http.RoundTripper) http.RoundTripper {
+        return &bearerAuthFileRoundTripper{bearerFile, rt}
+}
+
+func (rt *bearerAuthFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+        if len(req.Header.Get("Authorization")) == 0 {
+                b, err := ioutil.ReadFile(rt.bearerFile)
+                if err != nil {
+                        return nil, fmt.Errorf("unable to read bearer token file %s: %s", rt.bearerFile, err)
+                }
+                bearerToken := strings.TrimSpace(string(b))
+
+                req = cloneRequest(req)
+                req.Header.Set("Authorization", "Bearer "+bearerToken)
+        }
+
+        return rt.rt.RoundTrip(req)
+}
+
+func (rt *bearerAuthFileRoundTripper) CloseIdleConnections() {
+        if ci, ok := rt.rt.(closeIdler); ok {
+                ci.CloseIdleConnections()
+        }
+}
+
+type basicAuthRoundTripper struct {
+        username     string
+        password     Secret
+        passwordFile string
+        rt           http.RoundTripper
+}
+
+// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has
+// already been set.
+func NewBasicAuthRoundTripper(username string, password Secret, passwordFile string, rt http.RoundTripper) http.RoundTripper {
+        return &basicAuthRoundTripper{username, password, passwordFile, rt}
+}
+
+func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+        if len(req.Header.Get("Authorization")) != 0 {
+                return rt.rt.RoundTrip(req)
+        }
+        req = cloneRequest(req)
+        if rt.passwordFile != "" {
+                bs, err := ioutil.ReadFile(rt.passwordFile)
+                if err != nil {
+                        return nil, fmt.Errorf("unable to read basic auth password file %s: %s", rt.passwordFile, err)
+                }
+                req.SetBasicAuth(rt.username, strings.TrimSpace(string(bs)))
+        } else {
+                req.SetBasicAuth(rt.username, strings.TrimSpace(string(rt.password)))
+        }
+        return rt.rt.RoundTrip(req)
+}
+
+func (rt *basicAuthRoundTripper) CloseIdleConnections() {
+        if ci, ok := rt.rt.(closeIdler); ok {
+                ci.CloseIdleConnections()
+        }
+}
+
+// cloneRequest returns a clone of the provided *http.Request.
+// The clone is a shallow copy of the struct and its Header map.
+func cloneRequest(r *http.Request) *http.Request {
+        // Shallow copy of the struct.
+        r2 := new(http.Request)
+        *r2 = *r
+        // Deep copy of the Header.
+        r2.Header = make(http.Header)
+        for k, s := range r.Header {
+                r2.Header[k] = s
+        }
+        return r2
+}
+
+// NewTLSConfig creates a new tls.Config from the given TLSConfig.
+func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
+        tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
+
+        // If a CA cert is provided then let's read it in so we can validate the
+        // scrape target's certificate properly.
+        if len(cfg.CAFile) > 0 {
+                b, err := readCAFile(cfg.CAFile)
+                if err != nil {
+                        return nil, err
+                }
+                if !updateRootCA(tlsConfig, b) {
+                        return nil, fmt.Errorf("unable to use specified CA cert %s", cfg.CAFile)
+                }
+        }
+
+        if len(cfg.ServerName) > 0 {
+                tlsConfig.ServerName = cfg.ServerName
+        }
+        // If a client cert & key is provided then configure TLS config accordingly.
+        if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 {
+                return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile)
+        } else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 {
+                return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile)
+        } else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 {
+                // Verify that client cert and key are valid.
+                if _, err := cfg.getClientCertificate(nil); err != nil {
+                        return nil, err
+                }
+                tlsConfig.GetClientCertificate = cfg.getClientCertificate
+        }
+
+        return tlsConfig, nil
+}
+
+// TLSConfig configures the options for TLS connections.
+type TLSConfig struct {
+        // The CA cert to use for the targets.
+        CAFile string `yaml:"ca_file,omitempty"`
+        // The client cert file for the targets.
+        CertFile string `yaml:"cert_file,omitempty"`
+        // The client key file for the targets.
+        KeyFile string `yaml:"key_file,omitempty"`
+        // Used to verify the hostname for the targets.
+        ServerName string `yaml:"server_name,omitempty"`
+        // Disable target certificate validation.
+        InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface.
+func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+        type plain TLSConfig
+        return unmarshal((*plain)(c))
+}
+
+// getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate.
+func (c *TLSConfig) getClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+        cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
+        if err != nil {
+                return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err)
+        }
+        return &cert, nil
+}
+
+// readCAFile reads the CA cert file from disk.
+func readCAFile(f string) ([]byte, error) {
+        data, err := ioutil.ReadFile(f)
+        if err != nil {
+                return nil, fmt.Errorf("unable to load specified CA cert %s: %s", f, err)
+        }
+        return data, nil
+}
+
+// updateRootCA parses the given byte slice as a series of PEM encoded certificates and updates tls.Config.RootCAs.
+func updateRootCA(cfg *tls.Config, b []byte) bool {
+        caCertPool := x509.NewCertPool()
+        if !caCertPool.AppendCertsFromPEM(b) {
+                return false
+        }
+        cfg.RootCAs = caCertPool
+        return true
+}
+
+// tlsRoundTripper is a RoundTripper that updates automatically its TLS
+// configuration whenever the content of the CA file changes.
+type tlsRoundTripper struct {
+        caFile string
+        // newRT returns a new RoundTripper.
+        newRT func(*tls.Config) (http.RoundTripper, error)
+
+        mtx        sync.RWMutex
+        rt         http.RoundTripper
+        hashCAFile []byte
+        tlsConfig  *tls.Config
+}
+
+func newTLSRoundTripper(
+        cfg *tls.Config,
+        caFile string,
+        newRT func(*tls.Config) (http.RoundTripper, error),
+) (http.RoundTripper, error) {
+        t := &tlsRoundTripper{
+                caFile:    caFile,
+                newRT:     newRT,
+                tlsConfig: cfg,
+        }
+
+        rt, err := t.newRT(t.tlsConfig)
+        if err != nil {
+                return nil, err
+        }
+        t.rt = rt
+
+        _, t.hashCAFile, err = t.getCAWithHash()
+        if err != nil {
+                return nil, err
+        }
+
+        return t, nil
+}
+
+func (t *tlsRoundTripper) getCAWithHash() ([]byte, []byte, error) {
+        b, err := readCAFile(t.caFile)
+        if err != nil {
+                return nil, nil, err
+        }
+        h := md5.Sum(b)
+        return b, h[:], nil
+
+}
+
+// RoundTrip implements the http.RoundTrip interface.
+func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+        b, h, err := t.getCAWithHash()
+        if err != nil {
+                return nil, err
+        }
+
+        t.mtx.RLock()
+        equal := bytes.Equal(h[:], t.hashCAFile)
+        rt := t.rt
+        t.mtx.RUnlock()
+        if equal {
+                // The CA cert hasn't changed, use the existing RoundTripper.
+                return rt.RoundTrip(req)
+        }
+
+        // Create a new RoundTripper.
+        tlsConfig := t.tlsConfig.Clone()
+        if !updateRootCA(tlsConfig, b) {
+                return nil, fmt.Errorf("unable to use specified CA cert %s", t.caFile)
+        }
+        rt, err = t.newRT(tlsConfig)
+        if err != nil {
+                return nil, err
+        }
+        t.CloseIdleConnections()
+
+        t.mtx.Lock()
+        t.rt = rt
+        t.hashCAFile = h[:]
+        t.mtx.Unlock()
+
+        return rt.RoundTrip(req)
+}
+
+func (t *tlsRoundTripper) CloseIdleConnections() {
+        t.mtx.RLock()
+        defer t.mtx.RUnlock()
+        if ci, ok := t.rt.(closeIdler); ok {
+                ci.CloseIdleConnections()
+        }
+}
+
+func (c HTTPClientConfig) String() string {
+        b, err := yaml.Marshal(c)
+        if err != nil {
+                return fmt.Sprintf("<error creating http client config string: %s>", err)
+        }
+        return string(b)
+}
diff --git a/vendor/golang.org/x/crypto/AUTHORS b/vendor/golang.org/x/crypto/AUTHORS
new file mode 100644
index 0000000..2b00ddb
--- /dev/null
+++ b/vendor/golang.org/x/crypto/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at https://tip.golang.org/AUTHORS.
diff --git a/vendor/golang.org/x/crypto/CONTRIBUTORS b/vendor/golang.org/x/crypto/CONTRIBUTORS
new file mode 100644
index 0000000..1fbd3e9
--- /dev/null
+++ b/vendor/golang.org/x/crypto/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at https://tip.golang.org/CONTRIBUTORS.
diff --git a/vendor/golang.org/x/crypto/LICENSE b/vendor/golang.org/x/crypto/LICENSE
new file mode 100644
index 0000000..6a66aea
--- /dev/null
+++ b/vendor/golang.org/x/crypto/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/golang.org/x/crypto/PATENTS b/vendor/golang.org/x/crypto/PATENTS
new file mode 100644
index 0000000..7330990
--- /dev/null
+++ b/vendor/golang.org/x/crypto/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/vendor/golang.org/x/crypto/bcrypt/base64.go b/vendor/golang.org/x/crypto/bcrypt/base64.go
new file mode 100644
index 0000000..fc31160
--- /dev/null
+++ b/vendor/golang.org/x/crypto/bcrypt/base64.go
@@ -0,0 +1,35 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package bcrypt
+
+import "encoding/base64"
+
+const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+var bcEncoding = base64.NewEncoding(alphabet)
+
+func base64Encode(src []byte) []byte {
+        n := bcEncoding.EncodedLen(len(src))
+        dst := make([]byte, n)
+        bcEncoding.Encode(dst, src)
+        for dst[n-1] == '=' {
+                n--
+        }
+        return dst[:n]
+}
+
+func base64Decode(src []byte) ([]byte, error) {
+        numOfEquals := 4 - (len(src) % 4)
+        for i := 0; i < numOfEquals; i++ {
+                src = append(src, '=')
+        }
+
+        dst := make([]byte, bcEncoding.DecodedLen(len(src)))
+        n, err := bcEncoding.Decode(dst, src)
+        if err != nil {
+                return nil, err
+        }
+        return dst[:n], nil
+}
diff --git a/vendor/golang.org/x/crypto/bcrypt/bcrypt.go b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
new file mode 100644
index 0000000..aeb73f8
--- /dev/null
+++ b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
@@ -0,0 +1,295 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
+// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
+package bcrypt // import "golang.org/x/crypto/bcrypt"
+
+// The code is a port of Provos and Mazières's C implementation.
+import (
+        "crypto/rand"
+        "crypto/subtle"
+        "errors"
+        "fmt"
+        "io"
+        "strconv"
+
+        "golang.org/x/crypto/blowfish"
+)
+
+const (
+        MinCost     int = 4  // the minimum allowable cost as passed in to GenerateFromPassword
+        MaxCost     int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
+        DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
+)
+
+// The error returned from CompareHashAndPassword when a password and hash do
+// not match.
+var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
+
+// The error returned from CompareHashAndPassword when a hash is too short to
+// be a bcrypt hash.
+var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
+
+// The error returned from CompareHashAndPassword when a hash was created with
+// a bcrypt algorithm newer than this implementation.
+type HashVersionTooNewError byte
+
+func (hv HashVersionTooNewError) Error() string {
+        return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
+}
+
+// The error returned from CompareHashAndPassword when a hash starts with something other than '$'
+type InvalidHashPrefixError byte
+
+func (ih InvalidHashPrefixError) Error() string {
+        return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
+}
+
+type InvalidCostError int
+
+func (ic InvalidCostError) Error() string {
+        return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
+}
+
+const (
+        majorVersion       = '2'
+        minorVersion       = 'a'
+        maxSaltSize        = 16
+        maxCryptedHashSize = 23
+        encodedSaltSize    = 22
+        encodedHashSize    = 31
+        minHashSize        = 59
+)
+
+// magicCipherData is an IV for the 64 Blowfish encryption calls in
+// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
+var magicCipherData = []byte{
+        0x4f, 0x72, 0x70, 0x68,
+        0x65, 0x61, 0x6e, 0x42,
+        0x65, 0x68, 0x6f, 0x6c,
+        0x64, 0x65, 0x72, 0x53,
+        0x63, 0x72, 0x79, 0x44,
+        0x6f, 0x75, 0x62, 0x74,
+}
+
+type hashed struct {
+        hash  []byte
+        salt  []byte
+        cost  int // allowed range is MinCost to MaxCost
+        major byte
+        minor byte
+}
+
+// GenerateFromPassword returns the bcrypt hash of the password at the given
+// cost. If the cost given is less than MinCost, the cost will be set to
+// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
+// to compare the returned hashed password with its cleartext version.
+func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
+        p, err := newFromPassword(password, cost)
+        if err != nil {
+                return nil, err
+        }
+        return p.Hash(), nil
+}
+
+// CompareHashAndPassword compares a bcrypt hashed password with its possible
+// plaintext equivalent. Returns nil on success, or an error on failure.
+func CompareHashAndPassword(hashedPassword, password []byte) error {
+        p, err := newFromHash(hashedPassword)
+        if err != nil {
+                return err
+        }
+
+        otherHash, err := bcrypt(password, p.cost, p.salt)
+        if err != nil {
+                return err
+        }
+
+        otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
+        if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
+                return nil
+        }
+
+        return ErrMismatchedHashAndPassword
+}
+
+// Cost returns the hashing cost used to create the given hashed
+// password. When, in the future, the hashing cost of a password system needs
+// to be increased in order to adjust for greater computational power, this
+// function allows one to establish which passwords need to be updated.
+func Cost(hashedPassword []byte) (int, error) {
+        p, err := newFromHash(hashedPassword)
+        if err != nil {
+                return 0, err
+        }
+        return p.cost, nil
+}
+
+func newFromPassword(password []byte, cost int) (*hashed, error) {
+        if cost < MinCost {
+                cost = DefaultCost
+        }
+        p := new(hashed)
+        p.major = majorVersion
+        p.minor = minorVersion
+
+        err := checkCost(cost)
+        if err != nil {
+                return nil, err
+        }
+        p.cost = cost
+
+        unencodedSalt := make([]byte, maxSaltSize)
+        _, err = io.ReadFull(rand.Reader, unencodedSalt)
+        if err != nil {
+                return nil, err
+        }
+
+        p.salt = base64Encode(unencodedSalt)
+        hash, err := bcrypt(password, p.cost, p.salt)
+        if err != nil {
+                return nil, err
+        }
+        p.hash = hash
+        return p, err
+}
+
+func newFromHash(hashedSecret []byte) (*hashed, error) {
+        if len(hashedSecret) < minHashSize {
+                return nil, ErrHashTooShort
+        }
+        p := new(hashed)
+        n, err := p.decodeVersion(hashedSecret)
+        if err != nil {
+                return nil, err
+        }
+        hashedSecret = hashedSecret[n:]
+        n, err = p.decodeCost(hashedSecret)
+        if err != nil {
+                return nil, err
+        }
+        hashedSecret = hashedSecret[n:]
+
+        // The "+2" is here because we'll have to append at most 2 '=' to the salt
+        // when base64 decoding it in expensiveBlowfishSetup().
+        p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
+        copy(p.salt, hashedSecret[:encodedSaltSize])
+
+        hashedSecret = hashedSecret[encodedSaltSize:]
+        p.hash = make([]byte, len(hashedSecret))
+        copy(p.hash, hashedSecret)
+
+        return p, nil
+}
+
+func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
+        cipherData := make([]byte, len(magicCipherData))
+        copy(cipherData, magicCipherData)
+
+        c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
+        if err != nil {
+                return nil, err
+        }
+
+        for i := 0; i < 24; i += 8 {
+                for j := 0; j < 64; j++ {
+                        c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
+                }
+        }
+
+        // Bug compatibility with C bcrypt implementations. We only encode 23 of
+        // the 24 bytes encrypted.
+        hsh := base64Encode(cipherData[:maxCryptedHashSize])
+        return hsh, nil
+}
+
+func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
+        csalt, err := base64Decode(salt)
+        if err != nil {
+                return nil, err
+        }
+
+        // Bug compatibility with C bcrypt implementations. They use the trailing
+        // NULL in the key string during expansion.
+        // We copy the key to prevent changing the underlying array.
+        ckey := append(key[:len(key):len(key)], 0)
+
+        c, err := blowfish.NewSaltedCipher(ckey, csalt)
+        if err != nil {
+                return nil, err
+        }
+
+        var i, rounds uint64
+        rounds = 1 << cost
+        for i = 0; i < rounds; i++ {
+                blowfish.ExpandKey(ckey, c)
+                blowfish.ExpandKey(csalt, c)
+        }
+
+        return c, nil
+}
+
+func (p *hashed) Hash() []byte {
+        arr := make([]byte, 60)
+        arr[0] = '$'
+        arr[1] = p.major
+        n := 2
+        if p.minor != 0 {
+                arr[2] = p.minor
+                n = 3
+        }
+        arr[n] = '$'
+        n++
+        copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
+        n += 2
+        arr[n] = '$'
+        n++
+        copy(arr[n:], p.salt)
+        n += encodedSaltSize
+        copy(arr[n:], p.hash)
+        n += encodedHashSize
+        return arr[:n]
+}
+
+func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
+        if sbytes[0] != '$' {
+                return -1, InvalidHashPrefixError(sbytes[0])
+        }
+        if sbytes[1] > majorVersion {
+                return -1, HashVersionTooNewError(sbytes[1])
+        }
+        p.major = sbytes[1]
+        n := 3
+        if sbytes[2] != '$' {
+                p.minor = sbytes[2]
+                n++
+        }
+        return n, nil
+}
+
+// sbytes should begin where decodeVersion left off.
+func (p *hashed) decodeCost(sbytes []byte) (int, error) {
+        cost, err := strconv.Atoi(string(sbytes[0:2]))
+        if err != nil {
+                return -1, err
+        }
+        err = checkCost(cost)
+        if err != nil {
+                return -1, err
+        }
+        p.cost = cost
+        return 3, nil
+}
+
+func (p *hashed) String() string {
+        return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
+}
+
+func checkCost(cost int) error {
+        if cost < MinCost || cost > MaxCost {
+                return InvalidCostError(cost)
+        }
+        return nil
+}
diff --git a/vendor/golang.org/x/crypto/blowfish/block.go b/vendor/golang.org/x/crypto/blowfish/block.go
new file mode 100644
index 0000000..9d80f19
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/block.go
@@ -0,0 +1,159 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package blowfish
+
+// getNextWord returns the next big-endian uint32 value from the byte slice
+// at the given position in a circular manner, updating the position.
+func getNextWord(b []byte, pos *int) uint32 {
+        var w uint32
+        j := *pos
+        for i := 0; i < 4; i++ {
+                w = w<<8 | uint32(b[j])
+                j++
+                if j >= len(b) {
+                        j = 0
+                }
+        }
+        *pos = j
+        return w
+}
+
+// ExpandKey performs a key expansion on the given *Cipher. Specifically, it
+// performs the Blowfish algorithm's key schedule which sets up the *Cipher's
+// pi and substitution tables for calls to Encrypt. This is used, primarily,
+// by the bcrypt package to reuse the Blowfish key schedule during its
+// set up. It's unlikely that you need to use this directly.
+func ExpandKey(key []byte, c *Cipher) {
+        j := 0
+        for i := 0; i < 18; i++ {
+                // Using inlined getNextWord for performance.
+                var d uint32
+                for k := 0; k < 4; k++ {
+                        d = d<<8 | uint32(key[j])
+                        j++
+                        if j >= len(key) {
+                                j = 0
+                        }
+                }
+                c.p[i] ^= d
+        }
+
+        var l, r uint32
+        for i := 0; i < 18; i += 2 {
+                l, r = encryptBlock(l, r, c)
+                c.p[i], c.p[i+1] = l, r
+        }
+
+        for i := 0; i < 256; i += 2 {
+                l, r = encryptBlock(l, r, c)
+                c.s0[i], c.s0[i+1] = l, r
+        }
+        for i := 0; i < 256; i += 2 {
+                l, r = encryptBlock(l, r, c)
+                c.s1[i], c.s1[i+1] = l, r
+        }
+        for i := 0; i < 256; i += 2 {
+                l, r = encryptBlock(l, r, c)
+                c.s2[i], c.s2[i+1] = l, r
+        }
+        for i := 0; i < 256; i += 2 {
+                l, r = encryptBlock(l, r, c)
+                c.s3[i], c.s3[i+1] = l, r
+        }
+}
+
+// This is similar to ExpandKey, but folds the salt during the key
+// schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero
+// salt passed in, reusing ExpandKey turns out to be a place of inefficiency
+// and specializing it here is useful.
+func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) {
+        j := 0
+        for i := 0; i < 18; i++ {
+                c.p[i] ^= getNextWord(key, &j)
+        }
+
+        j = 0
+        var l, r uint32
+        for i := 0; i < 18; i += 2 {
+                l ^= getNextWord(salt, &j)
+                r ^= getNextWord(salt, &j)
+                l, r = encryptBlock(l, r, c)
+                c.p[i], c.p[i+1] = l, r
+        }
+
+        for i := 0; i < 256; i += 2 {
+                l ^= getNextWord(salt, &j)
+                r ^= getNextWord(salt, &j)
+                l, r = encryptBlock(l, r, c)
+                c.s0[i], c.s0[i+1] = l, r
+        }
+
+        for i := 0; i < 256; i += 2 {
+                l ^= getNextWord(salt, &j)
+                r ^= getNextWord(salt, &j)
+                l, r = encryptBlock(l, r, c)
+                c.s1[i], c.s1[i+1] = l, r
+        }
+
+        for i := 0; i < 256; i += 2 {
+                l ^= getNextWord(salt, &j)
+                r ^= getNextWord(salt, &j)
+                l, r = encryptBlock(l, r, c)
+                c.s2[i], c.s2[i+1] = l, r
+        }
+
+        for i := 0; i < 256; i += 2 {
+                l ^= getNextWord(salt, &j)
+                r ^= getNextWord(salt, &j)
+                l, r = encryptBlock(l, r, c)
+                c.s3[i], c.s3[i+1] = l, r
+        }
+}
+
+func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
+        xl, xr := l, r
+        xl ^= c.p[0]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16]
+        xr ^= c.p[17]
+        return xr, xl
+}
+
+func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
+        xl, xr := l, r
+        xl ^= c.p[17]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3]
+        xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2]
+        xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1]
+        xr ^= c.p[0]
+        return xr, xl
+}
diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go
new file mode 100644
index 0000000..213bf20
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/cipher.go
@@ -0,0 +1,99 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
+//
+// Blowfish is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
+package blowfish // import "golang.org/x/crypto/blowfish"
+
+// The code is a port of Bruce Schneier's C implementation.
+// See https://www.schneier.com/blowfish.html.
+
+import "strconv"
+
+// The Blowfish block size in bytes.
+const BlockSize = 8
+
+// A Cipher is an instance of Blowfish encryption using a particular key.
+type Cipher struct {
+        p              [18]uint32
+        s0, s1, s2, s3 [256]uint32
+}
+
+type KeySizeError int
+
+func (k KeySizeError) Error() string {
+        return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k))
+}
+
+// NewCipher creates and returns a Cipher.
+// The key argument should be the Blowfish key, from 1 to 56 bytes.
+func NewCipher(key []byte) (*Cipher, error) {
+        var result Cipher
+        if k := len(key); k < 1 || k > 56 {
+                return nil, KeySizeError(k)
+        }
+        initCipher(&result)
+        ExpandKey(key, &result)
+        return &result, nil
+}
+
+// NewSaltedCipher creates a returns a Cipher that folds a salt into its key
+// schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is
+// sufficient and desirable. For bcrypt compatibility, the key can be over 56
+// bytes.
+func NewSaltedCipher(key, salt []byte) (*Cipher, error) {
+        if len(salt) == 0 {
+                return NewCipher(key)
+        }
+        var result Cipher
+        if k := len(key); k < 1 {
+                return nil, KeySizeError(k)
+        }
+        initCipher(&result)
+        expandKeyWithSalt(key, salt, &result)
+        return &result, nil
+}
+
+// BlockSize returns the Blowfish block size, 8 bytes.
+// It is necessary to satisfy the Block interface in the
+// package "crypto/cipher".
+func (c *Cipher) BlockSize() int { return BlockSize }
+
+// Encrypt encrypts the 8-byte buffer src using the key k
+// and stores the result in dst.
+// Note that for amounts of data larger than a block,
+// it is not safe to just call Encrypt on successive blocks;
+// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
+func (c *Cipher) Encrypt(dst, src []byte) {
+        l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
+        r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
+        l, r = encryptBlock(l, r, c)
+        dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
+        dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
+}
+
+// Decrypt decrypts the 8-byte buffer src using the key k
+// and stores the result in dst.
+func (c *Cipher) Decrypt(dst, src []byte) {
+        l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
+        r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
+        l, r = decryptBlock(l, r, c)
+        dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
+        dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
+}
+
+func initCipher(c *Cipher) {
+        copy(c.p[0:], p[0:])
+        copy(c.s0[0:], s0[0:])
+        copy(c.s1[0:], s1[0:])
+        copy(c.s2[0:], s2[0:])
+        copy(c.s3[0:], s3[0:])
+}
diff --git a/vendor/golang.org/x/crypto/blowfish/const.go b/vendor/golang.org/x/crypto/blowfish/const.go
new file mode 100644
index 0000000..d040775
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/const.go
@@ -0,0 +1,199 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The startup permutation array and substitution boxes.
+// They are the hexadecimal digits of PI; see:
+// https://www.schneier.com/code/constants.txt.
+
+package blowfish
+
+var s0 = [256]uint32{
+        0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96,
+        0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
+        0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658,
+        0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
+        0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e,
+        0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
+        0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6,
+        0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
+        0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c,
+        0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
+        0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1,
+        0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
+        0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a,
+        0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
+        0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176,
+        0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
+        0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706,
+        0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
+        0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b,
+        0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
+        0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c,
+        0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
+        0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a,
+        0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
+        0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760,
+        0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
+        0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8,
+        0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
+        0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33,
+        0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
+        0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0,
+        0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
+        0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777,
+        0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
+        0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705,
+        0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
+        0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e,
+        0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
+        0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9,
+        0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
+        0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f,
+        0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
+        0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a,
+}
+
+var s1 = [256]uint32{
+        0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 0xad6ea6b0, 0x49a7df7d,
+        0x9cee60b8, 0x8fedb266, 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
+        0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 0x3f54989a, 0x5b429d65,
+        0x6b8fe4d6, 0x99f73fd6, 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
+        0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 0x09686b3f, 0x3ebaefc9,
+        0x3c971814, 0x6b6a70a1, 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
+        0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 0xb03ada37, 0xf0500c0d,
+        0xf01c1f04, 0x0200b3ff, 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
+        0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 0x3ae5e581, 0x37c2dadc,
+        0xc8b57634, 0x9af3dda7, 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
+        0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 0x4e548b38, 0x4f6db908,
+        0x6f420d03, 0xf60a04bf, 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
+        0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 0x5512721f, 0x2e6b7124,
+        0x501adde6, 0x9f84cd87, 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
+        0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 0xef1c1847, 0x3215d908,
+        0xdd433b37, 0x24c2ba16, 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
+        0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 0x043556f1, 0xd7a3c76b,
+        0x3c11183b, 0x5924a509, 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
+        0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 0x771fe71c, 0x4e3d06fa,
+        0x2965dcb9, 0x99e71d0f, 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
+        0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 0xf2f74ea7, 0x361d2b3d,
+        0x1939260f, 0x19c27960, 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
+        0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 0xc332ddef, 0xbe6c5aa5,
+        0x65582185, 0x68ab9802, 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
+        0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 0x13cca830, 0xeb61bd96,
+        0x0334fe1e, 0xaa0363cf, 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
+        0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 0x648b1eaf, 0x19bdf0ca,
+        0xa02369b9, 0x655abb50, 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
+        0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 0xf837889a, 0x97e32d77,
+        0x11ed935f, 0x16681281, 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
+        0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 0xcdb30aeb, 0x532e3054,
+        0x8fd948e4, 0x6dbc3128, 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
+        0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 0x45eee2b6, 0xa3aaabea,
+        0xdb6c4f15, 0xfacb4fd0, 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
+        0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 0xcf62a1f2, 0x5b8d2646,
+        0xfc8883a0, 0xc1c7b6a3, 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
+        0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 0x58428d2a, 0x0c55f5ea,
+        0x1dadf43e, 0x233f7061, 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
+        0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 0xa6078084, 0x19f8509e,
+        0xe8efd855, 0x61d99735, 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
+        0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 0xdb73dbd3, 0x105588cd,
+        0x675fda79, 0xe3674340, 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
+        0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7,
+}
+
+var s2 = [256]uint32{
+        0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 0x411520f7, 0x7602d4f7,
+        0xbcf46b2e, 0xd4a20068, 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
+        0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 0x4d95fc1d, 0x96b591af,
+        0x70f4ddd3, 0x66a02f45, 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
+        0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 0x28507825, 0x530429f4,
+        0x0a2c86da, 0xe9b66dfb, 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
+        0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 0xaace1e7c, 0xd3375fec,
+        0xce78a399, 0x406b2a42, 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
+        0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 0x3a6efa74, 0xdd5b4332,
+        0x6841e7f7, 0xca7820fb, 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
+        0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 0x55a867bc, 0xa1159a58,
+        0xcca92963, 0x99e1db33, 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
+        0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 0x95c11548, 0xe4c66d22,
+        0x48c1133f, 0xc70f86dc, 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
+        0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 0x257b7834, 0x602a9c60,
+        0xdff8e8a3, 0x1f636c1b, 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
+        0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, 0x85b2a20e, 0xe6ba0d99,
+        0xde720c8c, 0x2da2f728, 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
+        0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 0x0a476341, 0x992eff74,
+        0x3a6f6eab, 0xf4f8fd37, 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
+        0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 0xf1290dc7, 0xcc00ffa3,
+        0xb5390f92, 0x690fed0b, 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
+        0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 0x37392eb3, 0xcc115979,
+        0x8026e297, 0xf42e312d, 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
+        0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 0x1a6b1018, 0x11caedfa,
+        0x3d25bdd8, 0xe2e1c3c9, 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
+        0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 0x9dbc8057, 0xf0f7c086,
+        0x60787bf8, 0x6003604d, 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
+        0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 0x77a057be, 0xbde8ae24,
+        0x55464299, 0xbf582e61, 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
+        0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 0x7aeb2661, 0x8b1ddf84,
+        0x846a0e79, 0x915f95e2, 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
+        0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 0xb77f19b6, 0xe0a9dc09,
+        0x662d09a1, 0xc4324633, 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
+        0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 0xdcb7da83, 0x573906fe,
+        0xa1e2ce9b, 0x4fcd7f52, 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
+        0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 0xf0177a28, 0xc0f586e0,
+        0x006058aa, 0x30dc7d62, 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
+        0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 0x6f05e409, 0x4b7c0188,
+        0x39720a3d, 0x7c927c24, 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
+        0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 0x1e50ef5e, 0xb161e6f8,
+        0xa28514d9, 0x6c51133c, 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
+        0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0,
+}
+
+var s3 = [256]uint32{
+        0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, 0x5cb0679e, 0x4fa33742,
+        0xd3822740, 0x99bc9bbe, 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
+        0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 0x5748ab2f, 0xbc946e79,
+        0xc6a376d2, 0x6549c2c8, 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
+        0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 0xa1fad5f0, 0x6a2d519a,
+        0x63ef8ce2, 0x9a86ee22, 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
+        0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 0x2826a2f9, 0xa73a3ae1,
+        0x4ba99586, 0xef5562e9, 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
+        0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 0xe990fd5a, 0x9e34d797,
+        0x2cf0b7d9, 0x022b8b51, 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
+        0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 0xe029ac71, 0xe019a5e6,
+        0x47b0acfd, 0xed93fa9b, 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
+        0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 0x15056dd4, 0x88f46dba,
+        0x03a16125, 0x0564f0bd, 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
+        0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 0x7533d928, 0xb155fdf5,
+        0x03563482, 0x8aba3cbb, 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
+        0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 0xea7a90c2, 0xfb3e7bce,
+        0x5121ce64, 0x774fbe32, 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
+        0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 0xb39a460a, 0x6445c0dd,
+        0x586cdecf, 0x1c20c8ae, 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
+        0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 0x72eacea8, 0xfa6484bb,
+        0x8d6612ae, 0xbf3c6f47, 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
+        0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 0x4040cb08, 0x4eb4e2cc,
+        0x34d2466a, 0x0115af84, 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
+        0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 0x611560b1, 0xe7933fdc,
+        0xbb3a792b, 0x344525bd, 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
+        0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 0x1a908749, 0xd44fbd9a,
+        0xd0dadecb, 0xd50ada38, 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
+        0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 0xbf97222c, 0x15e6fc2a,
+        0x0f91fc71, 0x9b941525, 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
+        0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 0xe0ec6e0e, 0x1698db3b,
+        0x4c98a0be, 0x3278e964, 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
+        0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 0xdf359f8d, 0x9b992f2e,
+        0xe60b6f47, 0x0fe3f11d, 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
+        0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 0xf523f357, 0xa6327623,
+        0x93a83531, 0x56cccd02, 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
+        0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 0xe6c6c7bd, 0x327a140a,
+        0x45e1d006, 0xc3f27b9a, 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
+        0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 0x53113ec0, 0x1640e3d3,
+        0x38abbd60, 0x2547adf0, 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
+        0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 0x1948c25c, 0x02fb8a8c,
+        0x01c36ae4, 0xd6ebe1f9, 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
+        0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6,
+}
+
+var p = [18]uint32{
+        0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0,
+        0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
+        0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b,
+}
diff --git a/vendor/golang.org/x/net/internal/timeseries/timeseries.go b/vendor/golang.org/x/net/internal/timeseries/timeseries.go
new file mode 100644
index 0000000..dc5225b
--- /dev/null
+++ b/vendor/golang.org/x/net/internal/timeseries/timeseries.go
@@ -0,0 +1,525 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package timeseries implements a time series structure for stats collection.
+package timeseries // import "golang.org/x/net/internal/timeseries"
+
+import (
+        "fmt"
+        "log"
+        "time"
+)
+
+const (
+        timeSeriesNumBuckets       = 64
+        minuteHourSeriesNumBuckets = 60
+)
+
+var timeSeriesResolutions = []time.Duration{
+        1 * time.Second,
+        10 * time.Second,
+        1 * time.Minute,
+        10 * time.Minute,
+        1 * time.Hour,
+        6 * time.Hour,
+        24 * time.Hour,          // 1 day
+        7 * 24 * time.Hour,      // 1 week
+        4 * 7 * 24 * time.Hour,  // 4 weeks
+        16 * 7 * 24 * time.Hour, // 16 weeks
+}
+
+var minuteHourSeriesResolutions = []time.Duration{
+        1 * time.Second,
+        1 * time.Minute,
+}
+
+// An Observable is a kind of data that can be aggregated in a time series.
+type Observable interface {
+        Multiply(ratio float64)    // Multiplies the data in self by a given ratio
+        Add(other Observable)      // Adds the data from a different observation to self
+        Clear()                    // Clears the observation so it can be reused.
+        CopyFrom(other Observable) // Copies the contents of a given observation to self
+}
+
+// Float attaches the methods of Observable to a float64.
+type Float float64
+
+// NewFloat returns a Float.
+func NewFloat() Observable {
+        f := Float(0)
+        return &f
+}
+
+// String returns the float as a string.
+func (f *Float) String() string { return fmt.Sprintf("%g", f.Value()) }
+
+// Value returns the float's value.
+func (f *Float) Value() float64 { return float64(*f) }
+
+func (f *Float) Multiply(ratio float64) { *f *= Float(ratio) }
+
+func (f *Float) Add(other Observable) {
+        o := other.(*Float)
+        *f += *o
+}
+
+func (f *Float) Clear() { *f = 0 }
+
+func (f *Float) CopyFrom(other Observable) {
+        o := other.(*Float)
+        *f = *o
+}
+
+// A Clock tells the current time.
+type Clock interface {
+        Time() time.Time
+}
+
+type defaultClock int
+
+var defaultClockInstance defaultClock
+
+func (defaultClock) Time() time.Time { return time.Now() }
+
+// Information kept per level. Each level consists of a circular list of
+// observations. The start of the level may be derived from end and the
+// len(buckets) * sizeInMillis.
+type tsLevel struct {
+        oldest   int               // index to oldest bucketed Observable
+        newest   int               // index to newest bucketed Observable
+        end      time.Time         // end timestamp for this level
+        size     time.Duration     // duration of the bucketed Observable
+        buckets  []Observable      // collections of observations
+        provider func() Observable // used for creating new Observable
+}
+
+func (l *tsLevel) Clear() {
+        l.oldest = 0
+        l.newest = len(l.buckets) - 1
+        l.end = time.Time{}
+        for i := range l.buckets {
+                if l.buckets[i] != nil {
+                        l.buckets[i].Clear()
+                        l.buckets[i] = nil
+                }
+        }
+}
+
+func (l *tsLevel) InitLevel(size time.Duration, numBuckets int, f func() Observable) {
+        l.size = size
+        l.provider = f
+        l.buckets = make([]Observable, numBuckets)
+}
+
+// Keeps a sequence of levels. Each level is responsible for storing data at
+// a given resolution. For example, the first level stores data at a one
+// minute resolution while the second level stores data at a one hour
+// resolution.
+
+// Each level is represented by a sequence of buckets. Each bucket spans an
+// interval equal to the resolution of the level. New observations are added
+// to the last bucket.
+type timeSeries struct {
+        provider    func() Observable // make more Observable
+        numBuckets  int               // number of buckets in each level
+        levels      []*tsLevel        // levels of bucketed Observable
+        lastAdd     time.Time         // time of last Observable tracked
+        total       Observable        // convenient aggregation of all Observable
+        clock       Clock             // Clock for getting current time
+        pending     Observable        // observations not yet bucketed
+        pendingTime time.Time         // what time are we keeping in pending
+        dirty       bool              // if there are pending observations
+}
+
+// init initializes a level according to the supplied criteria.
+func (ts *timeSeries) init(resolutions []time.Duration, f func() Observable, numBuckets int, clock Clock) {
+        ts.provider = f
+        ts.numBuckets = numBuckets
+        ts.clock = clock
+        ts.levels = make([]*tsLevel, len(resolutions))
+
+        for i := range resolutions {
+                if i > 0 && resolutions[i-1] >= resolutions[i] {
+                        log.Print("timeseries: resolutions must be monotonically increasing")
+                        break
+                }
+                newLevel := new(tsLevel)
+                newLevel.InitLevel(resolutions[i], ts.numBuckets, ts.provider)
+                ts.levels[i] = newLevel
+        }
+
+        ts.Clear()
+}
+
+// Clear removes all observations from the time series.
+func (ts *timeSeries) Clear() {
+        ts.lastAdd = time.Time{}
+        ts.total = ts.resetObservation(ts.total)
+        ts.pending = ts.resetObservation(ts.pending)
+        ts.pendingTime = time.Time{}
+        ts.dirty = false
+
+        for i := range ts.levels {
+                ts.levels[i].Clear()
+        }
+}
+
+// Add records an observation at the current time.
+func (ts *timeSeries) Add(observation Observable) {
+        ts.AddWithTime(observation, ts.clock.Time())
+}
+
+// AddWithTime records an observation at the specified time.
+func (ts *timeSeries) AddWithTime(observation Observable, t time.Time) {
+
+        smallBucketDuration := ts.levels[0].size
+
+        if t.After(ts.lastAdd) {
+                ts.lastAdd = t
+        }
+
+        if t.After(ts.pendingTime) {
+                ts.advance(t)
+                ts.mergePendingUpdates()
+                ts.pendingTime = ts.levels[0].end
+                ts.pending.CopyFrom(observation)
+                ts.dirty = true
+        } else if t.After(ts.pendingTime.Add(-1 * smallBucketDuration)) {
+                // The observation is close enough to go into the pending bucket.
+                // This compensates for clock skewing and small scheduling delays
+                // by letting the update stay in the fast path.
+                ts.pending.Add(observation)
+                ts.dirty = true
+        } else {
+                ts.mergeValue(observation, t)
+        }
+}
+
+// mergeValue inserts the observation at the specified time in the past into all levels.
+func (ts *timeSeries) mergeValue(observation Observable, t time.Time) {
+        for _, level := range ts.levels {
+                index := (ts.numBuckets - 1) - int(level.end.Sub(t)/level.size)
+                if 0 <= index && index < ts.numBuckets {
+                        bucketNumber := (level.oldest + index) % ts.numBuckets
+                        if level.buckets[bucketNumber] == nil {
+                                level.buckets[bucketNumber] = level.provider()
+                        }
+                        level.buckets[bucketNumber].Add(observation)
+                }
+        }
+        ts.total.Add(observation)
+}
+
+// mergePendingUpdates applies the pending updates into all levels.
+func (ts *timeSeries) mergePendingUpdates() {
+        if ts.dirty {
+                ts.mergeValue(ts.pending, ts.pendingTime)
+                ts.pending = ts.resetObservation(ts.pending)
+                ts.dirty = false
+        }
+}
+
+// advance cycles the buckets at each level until the latest bucket in
+// each level can hold the time specified.
+func (ts *timeSeries) advance(t time.Time) {
+        if !t.After(ts.levels[0].end) {
+                return
+        }
+        for i := 0; i < len(ts.levels); i++ {
+                level := ts.levels[i]
+                if !level.end.Before(t) {
+                        break
+                }
+
+                // If the time is sufficiently far, just clear the level and advance
+                // directly.
+                if !t.Before(level.end.Add(level.size * time.Duration(ts.numBuckets))) {
+                        for _, b := range level.buckets {
+                                ts.resetObservation(b)
+                        }
+                        level.end = time.Unix(0, (t.UnixNano()/level.size.Nanoseconds())*level.size.Nanoseconds())
+                }
+
+                for t.After(level.end) {
+                        level.end = level.end.Add(level.size)
+                        level.newest = level.oldest
+                        level.oldest = (level.oldest + 1) % ts.numBuckets
+                        ts.resetObservation(level.buckets[level.newest])
+                }
+
+                t = level.end
+        }
+}
+
+// Latest returns the sum of the num latest buckets from the level.
+func (ts *timeSeries) Latest(level, num int) Observable {
+        now := ts.clock.Time()
+        if ts.levels[0].end.Before(now) {
+                ts.advance(now)
+        }
+
+        ts.mergePendingUpdates()
+
+        result := ts.provider()
+        l := ts.levels[level]
+        index := l.newest
+
+        for i := 0; i < num; i++ {
+                if l.buckets[index] != nil {
+                        result.Add(l.buckets[index])
+                }
+                if index == 0 {
+                        index = ts.numBuckets
+                }
+                index--
+        }
+
+        return result
+}
+
+// LatestBuckets returns a copy of the num latest buckets from level.
+func (ts *timeSeries) LatestBuckets(level, num int) []Observable {
+        if level < 0 || level > len(ts.levels) {
+                log.Print("timeseries: bad level argument: ", level)
+                return nil
+        }
+        if num < 0 || num >= ts.numBuckets {
+                log.Print("timeseries: bad num argument: ", num)
+                return nil
+        }
+
+        results := make([]Observable, num)
+        now := ts.clock.Time()
+        if ts.levels[0].end.Before(now) {
+                ts.advance(now)
+        }
+
+        ts.mergePendingUpdates()
+
+        l := ts.levels[level]
+        index := l.newest
+
+        for i := 0; i < num; i++ {
+                result := ts.provider()
+                results[i] = result
+                if l.buckets[index] != nil {
+                        result.CopyFrom(l.buckets[index])
+                }
+
+                if index == 0 {
+                        index = ts.numBuckets
+                }
+                index -= 1
+        }
+        return results
+}
+
+// ScaleBy updates observations by scaling by factor.
+func (ts *timeSeries) ScaleBy(factor float64) {
+        for _, l := range ts.levels {
+                for i := 0; i < ts.numBuckets; i++ {
+                        l.buckets[i].Multiply(factor)
+                }
+        }
+
+        ts.total.Multiply(factor)
+        ts.pending.Multiply(factor)
+}
+
+// Range returns the sum of observations added over the specified time range.
+// If start or finish times don't fall on bucket boundaries of the same
+// level, then return values are approximate answers.
+func (ts *timeSeries) Range(start, finish time.Time) Observable {
+        return ts.ComputeRange(start, finish, 1)[0]
+}
+
+// Recent returns the sum of observations from the last delta.
+func (ts *timeSeries) Recent(delta time.Duration) Observable {
+        now := ts.clock.Time()
+        return ts.Range(now.Add(-delta), now)
+}
+
+// Total returns the total of all observations.
+func (ts *timeSeries) Total() Observable {
+        ts.mergePendingUpdates()
+        return ts.total
+}
+
+// ComputeRange computes a specified number of values into a slice using
+// the observations recorded over the specified time period. The return
+// values are approximate if the start or finish times don't fall on the
+// bucket boundaries at the same level or if the number of buckets spanning
+// the range is not an integral multiple of num.
+func (ts *timeSeries) ComputeRange(start, finish time.Time, num int) []Observable {
+        if start.After(finish) {
+                log.Printf("timeseries: start > finish, %v>%v", start, finish)
+                return nil
+        }
+
+        if num < 0 {
+                log.Printf("timeseries: num < 0, %v", num)
+                return nil
+        }
+
+        results := make([]Observable, num)
+
+        for _, l := range ts.levels {
+                if !start.Before(l.end.Add(-l.size * time.Duration(ts.numBuckets))) {
+                        ts.extract(l, start, finish, num, results)
+                        return results
+                }
+        }
+
+        // Failed to find a level that covers the desired range. So just
+        // extract from the last level, even if it doesn't cover the entire
+        // desired range.
+        ts.extract(ts.levels[len(ts.levels)-1], start, finish, num, results)
+
+        return results
+}
+
+// RecentList returns the specified number of values in slice over the most
+// recent time period of the specified range.
+func (ts *timeSeries) RecentList(delta time.Duration, num int) []Observable {
+        if delta < 0 {
+                return nil
+        }
+        now := ts.clock.Time()
+        return ts.ComputeRange(now.Add(-delta), now, num)
+}
+
+// extract returns a slice of specified number of observations from a given
+// level over a given range.
+func (ts *timeSeries) extract(l *tsLevel, start, finish time.Time, num int, results []Observable) {
+        ts.mergePendingUpdates()
+
+        srcInterval := l.size
+        dstInterval := finish.Sub(start) / time.Duration(num)
+        dstStart := start
+        srcStart := l.end.Add(-srcInterval * time.Duration(ts.numBuckets))
+
+        srcIndex := 0
+
+        // Where should scanning start?
+        if dstStart.After(srcStart) {
+                advance := int(dstStart.Sub(srcStart) / srcInterval)
+                srcIndex += advance
+                srcStart = srcStart.Add(time.Duration(advance) * srcInterval)
+        }
+
+        // The i'th value is computed as show below.
+        // interval = (finish/start)/num
+        // i'th value = sum of observation in range
+        //   [ start + i       * interval,
+        //     start + (i + 1) * interval )
+        for i := 0; i < num; i++ {
+                results[i] = ts.resetObservation(results[i])
+                dstEnd := dstStart.Add(dstInterval)
+                for srcIndex < ts.numBuckets && srcStart.Before(dstEnd) {
+                        srcEnd := srcStart.Add(srcInterval)
+                        if srcEnd.After(ts.lastAdd) {
+                                srcEnd = ts.lastAdd
+                        }
+
+                        if !srcEnd.Before(dstStart) {
+                                srcValue := l.buckets[(srcIndex+l.oldest)%ts.numBuckets]
+                                if !srcStart.Before(dstStart) && !srcEnd.After(dstEnd) {
+                                        // dst completely contains src.
+                                        if srcValue != nil {
+                                                results[i].Add(srcValue)
+                                        }
+                                } else {
+                                        // dst partially overlaps src.
+                                        overlapStart := maxTime(srcStart, dstStart)
+                                        overlapEnd := minTime(srcEnd, dstEnd)
+                                        base := srcEnd.Sub(srcStart)
+                                        fraction := overlapEnd.Sub(overlapStart).Seconds() / base.Seconds()
+
+                                        used := ts.provider()
+                                        if srcValue != nil {
+                                                used.CopyFrom(srcValue)
+                                        }
+                                        used.Multiply(fraction)
+                                        results[i].Add(used)
+                                }
+
+                                if srcEnd.After(dstEnd) {
+                                        break
+                                }
+                        }
+                        srcIndex++
+                        srcStart = srcStart.Add(srcInterval)
+                }
+                dstStart = dstStart.Add(dstInterval)
+        }
+}
+
+// resetObservation clears the content so the struct may be reused.
+func (ts *timeSeries) resetObservation(observation Observable) Observable {
+        if observation == nil {
+                observation = ts.provider()
+        } else {
+                observation.Clear()
+        }
+        return observation
+}
+
+// TimeSeries tracks data at granularities from 1 second to 16 weeks.
+type TimeSeries struct {
+        timeSeries
+}
+
+// NewTimeSeries creates a new TimeSeries using the function provided for creating new Observable.
+func NewTimeSeries(f func() Observable) *TimeSeries {
+        return NewTimeSeriesWithClock(f, defaultClockInstance)
+}
+
+// NewTimeSeriesWithClock creates a new TimeSeries using the function provided for creating new Observable and the clock for
+// assigning timestamps.
+func NewTimeSeriesWithClock(f func() Observable, clock Clock) *TimeSeries {
+        ts := new(TimeSeries)
+        ts.timeSeries.init(timeSeriesResolutions, f, timeSeriesNumBuckets, clock)
+        return ts
+}
+
+// MinuteHourSeries tracks data at granularities of 1 minute and 1 hour.
+type MinuteHourSeries struct {
+        timeSeries
+}
+
+// NewMinuteHourSeries creates a new MinuteHourSeries using the function provided for creating new Observable.
+func NewMinuteHourSeries(f func() Observable) *MinuteHourSeries {
+        return NewMinuteHourSeriesWithClock(f, defaultClockInstance)
+}
+
+// NewMinuteHourSeriesWithClock creates a new MinuteHourSeries using the function provided for creating new Observable and the clock for
+// assigning timestamps.
+func NewMinuteHourSeriesWithClock(f func() Observable, clock Clock) *MinuteHourSeries {
+        ts := new(MinuteHourSeries)
+        ts.timeSeries.init(minuteHourSeriesResolutions, f,
+                minuteHourSeriesNumBuckets, clock)
+        return ts
+}
+
+func (ts *MinuteHourSeries) Minute() Observable {
+        return ts.timeSeries.Latest(0, 60)
+}
+
+func (ts *MinuteHourSeries) Hour() Observable {
+        return ts.timeSeries.Latest(1, 60)
+}
+
+func minTime(a, b time.Time) time.Time {
+        if a.Before(b) {
+                return a
+        }
+        return b
+}
+
+func maxTime(a, b time.Time) time.Time {
+        if a.After(b) {
+                return a
+        }
+        return b
+}
diff --git a/vendor/golang.org/x/net/trace/events.go b/vendor/golang.org/x/net/trace/events.go
new file mode 100644
index 0000000..c646a69
--- /dev/null
+++ b/vendor/golang.org/x/net/trace/events.go
@@ -0,0 +1,532 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package trace
+
+import (
+        "bytes"
+        "fmt"
+        "html/template"
+        "io"
+        "log"
+        "net/http"
+        "runtime"
+        "sort"
+        "strconv"
+        "strings"
+        "sync"
+        "sync/atomic"
+        "text/tabwriter"
+        "time"
+)
+
+const maxEventsPerLog = 100
+
+type bucket struct {
+        MaxErrAge time.Duration
+        String    string
+}
+
+var buckets = []bucket{
+        {0, "total"},
+        {10 * time.Second, "errs<10s"},
+        {1 * time.Minute, "errs<1m"},
+        {10 * time.Minute, "errs<10m"},
+        {1 * time.Hour, "errs<1h"},
+        {10 * time.Hour, "errs<10h"},
+        {24000 * time.Hour, "errors"},
+}
+
+// RenderEvents renders the HTML page typically served at /debug/events.
+// It does not do any auth checking. The request may be nil.
+//
+// Most users will use the Events handler.
+func RenderEvents(w http.ResponseWriter, req *http.Request, sensitive bool) {
+        now := time.Now()
+        data := &struct {
+                Families []string // family names
+                Buckets  []bucket
+                Counts   [][]int // eventLog count per family/bucket
+
+                // Set when a bucket has been selected.
+                Family    string
+                Bucket    int
+                EventLogs eventLogs
+                Expanded  bool
+        }{
+                Buckets: buckets,
+        }
+
+        data.Families = make([]string, 0, len(families))
+        famMu.RLock()
+        for name := range families {
+                data.Families = append(data.Families, name)
+        }
+        famMu.RUnlock()
+        sort.Strings(data.Families)
+
+        // Count the number of eventLogs in each family for each error age.
+        data.Counts = make([][]int, len(data.Families))
+        for i, name := range data.Families {
+                // TODO(sameer): move this loop under the family lock.
+                f := getEventFamily(name)
+                data.Counts[i] = make([]int, len(data.Buckets))
+                for j, b := range data.Buckets {
+                        data.Counts[i][j] = f.Count(now, b.MaxErrAge)
+                }
+        }
+
+        if req != nil {
+                var ok bool
+                data.Family, data.Bucket, ok = parseEventsArgs(req)
+                if !ok {
+                        // No-op
+                } else {
+                        data.EventLogs = getEventFamily(data.Family).Copy(now, buckets[data.Bucket].MaxErrAge)
+                }
+                if data.EventLogs != nil {
+                        defer data.EventLogs.Free()
+                        sort.Sort(data.EventLogs)
+                }
+                if exp, err := strconv.ParseBool(req.FormValue("exp")); err == nil {
+                        data.Expanded = exp
+                }
+        }
+
+        famMu.RLock()
+        defer famMu.RUnlock()
+        if err := eventsTmpl().Execute(w, data); err != nil {
+                log.Printf("net/trace: Failed executing template: %v", err)
+        }
+}
+
+func parseEventsArgs(req *http.Request) (fam string, b int, ok bool) {
+        fam, bStr := req.FormValue("fam"), req.FormValue("b")
+        if fam == "" || bStr == "" {
+                return "", 0, false
+        }
+        b, err := strconv.Atoi(bStr)
+        if err != nil || b < 0 || b >= len(buckets) {
+                return "", 0, false
+        }
+        return fam, b, true
+}
+
+// An EventLog provides a log of events associated with a specific object.
+type EventLog interface {
+        // Printf formats its arguments with fmt.Sprintf and adds the
+        // result to the event log.
+        Printf(format string, a ...interface{})
+
+        // Errorf is like Printf, but it marks this event as an error.
+        Errorf(format string, a ...interface{})
+
+        // Finish declares that this event log is complete.
+        // The event log should not be used after calling this method.
+        Finish()
+}
+
+// NewEventLog returns a new EventLog with the specified family name
+// and title.
+func NewEventLog(family, title string) EventLog {
+        el := newEventLog()
+        el.ref()
+        el.Family, el.Title = family, title
+        el.Start = time.Now()
+        el.events = make([]logEntry, 0, maxEventsPerLog)
+        el.stack = make([]uintptr, 32)
+        n := runtime.Callers(2, el.stack)
+        el.stack = el.stack[:n]
+
+        getEventFamily(family).add(el)
+        return el
+}
+
+func (el *eventLog) Finish() {
+        getEventFamily(el.Family).remove(el)
+        el.unref() // matches ref in New
+}
+
+var (
+        famMu    sync.RWMutex
+        families = make(map[string]*eventFamily) // family name => family
+)
+
+func getEventFamily(fam string) *eventFamily {
+        famMu.Lock()
+        defer famMu.Unlock()
+        f := families[fam]
+        if f == nil {
+                f = &eventFamily{}
+                families[fam] = f
+        }
+        return f
+}
+
+type eventFamily struct {
+        mu        sync.RWMutex
+        eventLogs eventLogs
+}
+
+func (f *eventFamily) add(el *eventLog) {
+        f.mu.Lock()
+        f.eventLogs = append(f.eventLogs, el)
+        f.mu.Unlock()
+}
+
+func (f *eventFamily) remove(el *eventLog) {
+        f.mu.Lock()
+        defer f.mu.Unlock()
+        for i, el0 := range f.eventLogs {
+                if el == el0 {
+                        copy(f.eventLogs[i:], f.eventLogs[i+1:])
+                        f.eventLogs = f.eventLogs[:len(f.eventLogs)-1]
+                        return
+                }
+        }
+}
+
+func (f *eventFamily) Count(now time.Time, maxErrAge time.Duration) (n int) {
+        f.mu.RLock()
+        defer f.mu.RUnlock()
+        for _, el := range f.eventLogs {
+                if el.hasRecentError(now, maxErrAge) {
+                        n++
+                }
+        }
+        return
+}
+
+func (f *eventFamily) Copy(now time.Time, maxErrAge time.Duration) (els eventLogs) {
+        f.mu.RLock()
+        defer f.mu.RUnlock()
+        els = make(eventLogs, 0, len(f.eventLogs))
+        for _, el := range f.eventLogs {
+                if el.hasRecentError(now, maxErrAge) {
+                        el.ref()
+                        els = append(els, el)
+                }
+        }
+        return
+}
+
+type eventLogs []*eventLog
+
+// Free calls unref on each element of the list.
+func (els eventLogs) Free() {
+        for _, el := range els {
+                el.unref()
+        }
+}
+
+// eventLogs may be sorted in reverse chronological order.
+func (els eventLogs) Len() int           { return len(els) }
+func (els eventLogs) Less(i, j int) bool { return els[i].Start.After(els[j].Start) }
+func (els eventLogs) Swap(i, j int)      { els[i], els[j] = els[j], els[i] }
+
+// A logEntry is a timestamped log entry in an event log.
+type logEntry struct {
+        When    time.Time
+        Elapsed time.Duration // since previous event in log
+        NewDay  bool          // whether this event is on a different day to the previous event
+        What    string
+        IsErr   bool
+}
+
+// WhenString returns a string representation of the elapsed time of the event.
+// It will include the date if midnight was crossed.
+func (e logEntry) WhenString() string {
+        if e.NewDay {
+                return e.When.Format("2006/01/02 15:04:05.000000")
+        }
+        return e.When.Format("15:04:05.000000")
+}
+
+// An eventLog represents an active event log.
+type eventLog struct {
+        // Family is the top-level grouping of event logs to which this belongs.
+        Family string
+
+        // Title is the title of this event log.
+        Title string
+
+        // Timing information.
+        Start time.Time
+
+        // Call stack where this event log was created.
+        stack []uintptr
+
+        // Append-only sequence of events.
+        //
+        // TODO(sameer): change this to a ring buffer to avoid the array copy
+        // when we hit maxEventsPerLog.
+        mu            sync.RWMutex
+        events        []logEntry
+        LastErrorTime time.Time
+        discarded     int
+
+        refs int32 // how many buckets this is in
+}
+
+func (el *eventLog) reset() {
+        // Clear all but the mutex. Mutexes may not be copied, even when unlocked.
+        el.Family = ""
+        el.Title = ""
+        el.Start = time.Time{}
+        el.stack = nil
+        el.events = nil
+        el.LastErrorTime = time.Time{}
+        el.discarded = 0
+        el.refs = 0
+}
+
+func (el *eventLog) hasRecentError(now time.Time, maxErrAge time.Duration) bool {
+        if maxErrAge == 0 {
+                return true
+        }
+        el.mu.RLock()
+        defer el.mu.RUnlock()
+        return now.Sub(el.LastErrorTime) < maxErrAge
+}
+
+// delta returns the elapsed time since the last event or the log start,
+// and whether it spans midnight.
+// L >= el.mu
+func (el *eventLog) delta(t time.Time) (time.Duration, bool) {
+        if len(el.events) == 0 {
+                return t.Sub(el.Start), false
+        }
+        prev := el.events[len(el.events)-1].When
+        return t.Sub(prev), prev.Day() != t.Day()
+
+}
+
+func (el *eventLog) Printf(format string, a ...interface{}) {
+        el.printf(false, format, a...)
+}
+
+func (el *eventLog) Errorf(format string, a ...interface{}) {
+        el.printf(true, format, a...)
+}
+
+func (el *eventLog) printf(isErr bool, format string, a ...interface{}) {
+        e := logEntry{When: time.Now(), IsErr: isErr, What: fmt.Sprintf(format, a...)}
+        el.mu.Lock()
+        e.Elapsed, e.NewDay = el.delta(e.When)
+        if len(el.events) < maxEventsPerLog {
+                el.events = append(el.events, e)
+        } else {
+                // Discard the oldest event.
+                if el.discarded == 0 {
+                        // el.discarded starts at two to count for the event it
+                        // is replacing, plus the next one that we are about to
+                        // drop.
+                        el.discarded = 2
+                } else {
+                        el.discarded++
+                }
+                // TODO(sameer): if this causes allocations on a critical path,
+                // change eventLog.What to be a fmt.Stringer, as in trace.go.
+                el.events[0].What = fmt.Sprintf("(%d events discarded)", el.discarded)
+                // The timestamp of the discarded meta-event should be
+                // the time of the last event it is representing.
+                el.events[0].When = el.events[1].When
+                copy(el.events[1:], el.events[2:])
+                el.events[maxEventsPerLog-1] = e
+        }
+        if e.IsErr {
+                el.LastErrorTime = e.When
+        }
+        el.mu.Unlock()
+}
+
+func (el *eventLog) ref() {
+        atomic.AddInt32(&el.refs, 1)
+}
+
+func (el *eventLog) unref() {
+        if atomic.AddInt32(&el.refs, -1) == 0 {
+                freeEventLog(el)
+        }
+}
+
+func (el *eventLog) When() string {
+        return el.Start.Format("2006/01/02 15:04:05.000000")
+}
+
+func (el *eventLog) ElapsedTime() string {
+        elapsed := time.Since(el.Start)
+        return fmt.Sprintf("%.6f", elapsed.Seconds())
+}
+
+func (el *eventLog) Stack() string {
+        buf := new(bytes.Buffer)
+        tw := tabwriter.NewWriter(buf, 1, 8, 1, '\t', 0)
+        printStackRecord(tw, el.stack)
+        tw.Flush()
+        return buf.String()
+}
+
+// printStackRecord prints the function + source line information
+// for a single stack trace.
+// Adapted from runtime/pprof/pprof.go.
+func printStackRecord(w io.Writer, stk []uintptr) {
+        for _, pc := range stk {
+                f := runtime.FuncForPC(pc)
+                if f == nil {
+                        continue
+                }
+                file, line := f.FileLine(pc)
+                name := f.Name()
+                // Hide runtime.goexit and any runtime functions at the beginning.
+                if strings.HasPrefix(name, "runtime.") {
+                        continue
+                }
+                fmt.Fprintf(w, "#   %s\t%s:%d\n", name, file, line)
+        }
+}
+
+func (el *eventLog) Events() []logEntry {
+        el.mu.RLock()
+        defer el.mu.RUnlock()
+        return el.events
+}
+
+// freeEventLogs is a freelist of *eventLog
+var freeEventLogs = make(chan *eventLog, 1000)
+
+// newEventLog returns a event log ready to use.
+func newEventLog() *eventLog {
+        select {
+        case el := <-freeEventLogs:
+                return el
+        default:
+                return new(eventLog)
+        }
+}
+
+// freeEventLog adds el to freeEventLogs if there's room.
+// This is non-blocking.
+func freeEventLog(el *eventLog) {
+        el.reset()
+        select {
+        case freeEventLogs <- el:
+        default:
+        }
+}
+
+var eventsTmplCache *template.Template
+var eventsTmplOnce sync.Once
+
+func eventsTmpl() *template.Template {
+        eventsTmplOnce.Do(func() {
+                eventsTmplCache = template.Must(template.New("events").Funcs(template.FuncMap{
+                        "elapsed":   elapsed,
+                        "trimSpace": strings.TrimSpace,
+                }).Parse(eventsHTML))
+        })
+        return eventsTmplCache
+}
+
+const eventsHTML = `
+<html>
+        <head>
+                <title>events</title>
+        </head>
+        <style type="text/css">
+                body {
+                        font-family: sans-serif;
+                }
+                table#req-status td.family {
+                        padding-right: 2em;
+                }
+                table#req-status td.active {
+                        padding-right: 1em;
+                }
+                table#req-status td.empty {
+                        color: #aaa;
+                }
+                table#reqs {
+                        margin-top: 1em;
+                }
+                table#reqs tr.first {
+                        {{if $.Expanded}}font-weight: bold;{{end}}
+                }
+                table#reqs td {
+                        font-family: monospace;
+                }
+                table#reqs td.when {
+                        text-align: right;
+                        white-space: nowrap;
+                }
+                table#reqs td.elapsed {
+                        padding: 0 0.5em;
+                        text-align: right;
+                        white-space: pre;
+                        width: 10em;
+                }
+                address {
+                        font-size: smaller;
+                        margin-top: 5em;
+                }
+        </style>
+        <body>
+
+<h1>/debug/events</h1>
+
+<table id="req-status">
+        {{range $i, $fam := .Families}}
+        <tr>
+                <td class="family">{{$fam}}</td>
+
+                {{range $j, $bucket := $.Buckets}}
+                {{$n := index $.Counts $i $j}}
+                <td class="{{if not $bucket.MaxErrAge}}active{{end}}{{if not $n}}empty{{end}}">
+                        {{if $n}}<a href="?fam={{$fam}}&b={{$j}}{{if $.Expanded}}&exp=1{{end}}">{{end}}
+                        [{{$n}} {{$bucket.String}}]
+                        {{if $n}}</a>{{end}}
+                </td>
+                {{end}}
+
+        </tr>{{end}}
+</table>
+
+{{if $.EventLogs}}
+<hr />
+<h3>Family: {{$.Family}}</h3>
+
+{{if $.Expanded}}<a href="?fam={{$.Family}}&b={{$.Bucket}}">{{end}}
+[Summary]{{if $.Expanded}}</a>{{end}}
+
+{{if not $.Expanded}}<a href="?fam={{$.Family}}&b={{$.Bucket}}&exp=1">{{end}}
+[Expanded]{{if not $.Expanded}}</a>{{end}}
+
+<table id="reqs">
+        <tr><th>When</th><th>Elapsed</th></tr>
+        {{range $el := $.EventLogs}}
+        <tr class="first">
+                <td class="when">{{$el.When}}</td>
+                <td class="elapsed">{{$el.ElapsedTime}}</td>
+                <td>{{$el.Title}}
+        </tr>
+        {{if $.Expanded}}
+        <tr>
+                <td class="when"></td>
+                <td class="elapsed"></td>
+                <td><pre>{{$el.Stack|trimSpace}}</pre></td>
+        </tr>
+        {{range $el.Events}}
+        <tr>
+                <td class="when">{{.WhenString}}</td>
+                <td class="elapsed">{{elapsed .Elapsed}}</td>
+                <td>.{{if .IsErr}}E{{else}}.{{end}}. {{.What}}</td>
+        </tr>
+        {{end}}
+        {{end}}
+        {{end}}
+</table>
+{{end}}
+        </body>
+</html>
+`
diff --git a/vendor/golang.org/x/net/trace/histogram.go b/vendor/golang.org/x/net/trace/histogram.go
new file mode 100644
index 0000000..9bf4286
--- /dev/null
+++ b/vendor/golang.org/x/net/trace/histogram.go
@@ -0,0 +1,365 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package trace
+
+// This file implements histogramming for RPC statistics collection.
+
+import (
+        "bytes"
+        "fmt"
+        "html/template"
+        "log"
+        "math"
+        "sync"
+
+        "golang.org/x/net/internal/timeseries"
+)
+
+const (
+        bucketCount = 38
+)
+
+// histogram keeps counts of values in buckets that are spaced
+// out in powers of 2: 0-1, 2-3, 4-7...
+// histogram implements timeseries.Observable
+type histogram struct {
+        sum          int64   // running total of measurements
+        sumOfSquares float64 // square of running total
+        buckets      []int64 // bucketed values for histogram
+        value        int     // holds a single value as an optimization
+        valueCount   int64   // number of values recorded for single value
+}
+
+// AddMeasurement records a value measurement observation to the histogram.
+func (h *histogram) addMeasurement(value int64) {
+        // TODO: assert invariant
+        h.sum += value
+        h.sumOfSquares += float64(value) * float64(value)
+
+        bucketIndex := getBucket(value)
+
+        if h.valueCount == 0 || (h.valueCount > 0 && h.value == bucketIndex) {
+                h.value = bucketIndex
+                h.valueCount++
+        } else {
+                h.allocateBuckets()
+                h.buckets[bucketIndex]++
+        }
+}
+
+func (h *histogram) allocateBuckets() {
+        if h.buckets == nil {
+                h.buckets = make([]int64, bucketCount)
+                h.buckets[h.value] = h.valueCount
+                h.value = 0
+                h.valueCount = -1
+        }
+}
+
+func log2(i int64) int {
+        n := 0
+        for ; i >= 0x100; i >>= 8 {
+                n += 8
+        }
+        for ; i > 0; i >>= 1 {
+                n += 1
+        }
+        return n
+}
+
+func getBucket(i int64) (index int) {
+        index = log2(i) - 1
+        if index < 0 {
+                index = 0
+        }
+        if index >= bucketCount {
+                index = bucketCount - 1
+        }
+        return
+}
+
+// Total returns the number of recorded observations.
+func (h *histogram) total() (total int64) {
+        if h.valueCount >= 0 {
+                total = h.valueCount
+        }
+        for _, val := range h.buckets {
+                total += int64(val)
+        }
+        return
+}
+
+// Average returns the average value of recorded observations.
+func (h *histogram) average() float64 {
+        t := h.total()
+        if t == 0 {
+                return 0
+        }
+        return float64(h.sum) / float64(t)
+}
+
+// Variance returns the variance of recorded observations.
+func (h *histogram) variance() float64 {
+        t := float64(h.total())
+        if t == 0 {
+                return 0
+        }
+        s := float64(h.sum) / t
+        return h.sumOfSquares/t - s*s
+}
+
+// StandardDeviation returns the standard deviation of recorded observations.
+func (h *histogram) standardDeviation() float64 {
+        return math.Sqrt(h.variance())
+}
+
+// PercentileBoundary estimates the value that the given fraction of recorded
+// observations are less than.
+func (h *histogram) percentileBoundary(percentile float64) int64 {
+        total := h.total()
+
+        // Corner cases (make sure result is strictly less than Total())
+        if total == 0 {
+                return 0
+        } else if total == 1 {
+                return int64(h.average())
+        }
+
+        percentOfTotal := round(float64(total) * percentile)
+        var runningTotal int64
+
+        for i := range h.buckets {
+                value := h.buckets[i]
+                runningTotal += value
+                if runningTotal == percentOfTotal {
+                        // We hit an exact bucket boundary. If the next bucket has data, it is a
+                        // good estimate of the value. If the bucket is empty, we interpolate the
+                        // midpoint between the next bucket's boundary and the next non-zero
+                        // bucket. If the remaining buckets are all empty, then we use the
+                        // boundary for the next bucket as the estimate.
+                        j := uint8(i + 1)
+                        min := bucketBoundary(j)
+                        if runningTotal < total {
+                                for h.buckets[j] == 0 {
+                                        j++
+                                }
+                        }
+                        max := bucketBoundary(j)
+                        return min + round(float64(max-min)/2)
+                } else if runningTotal > percentOfTotal {
+                        // The value is in this bucket. Interpolate the value.
+                        delta := runningTotal - percentOfTotal
+                        percentBucket := float64(value-delta) / float64(value)
+                        bucketMin := bucketBoundary(uint8(i))
+                        nextBucketMin := bucketBoundary(uint8(i + 1))
+                        bucketSize := nextBucketMin - bucketMin
+                        return bucketMin + round(percentBucket*float64(bucketSize))
+                }
+        }
+        return bucketBoundary(bucketCount - 1)
+}
+
+// Median returns the estimated median of the observed values.
+func (h *histogram) median() int64 {
+        return h.percentileBoundary(0.5)
+}
+
+// Add adds other to h.
+func (h *histogram) Add(other timeseries.Observable) {
+        o := other.(*histogram)
+        if o.valueCount == 0 {
+                // Other histogram is empty
+        } else if h.valueCount >= 0 && o.valueCount > 0 && h.value == o.value {
+                // Both have a single bucketed value, aggregate them
+                h.valueCount += o.valueCount
+        } else {
+                // Two different values necessitate buckets in this histogram
+                h.allocateBuckets()
+                if o.valueCount >= 0 {
+                        h.buckets[o.value] += o.valueCount
+                } else {
+                        for i := range h.buckets {
+                                h.buckets[i] += o.buckets[i]
+                        }
+                }
+        }
+        h.sumOfSquares += o.sumOfSquares
+        h.sum += o.sum
+}
+
+// Clear resets the histogram to an empty state, removing all observed values.
+func (h *histogram) Clear() {
+        h.buckets = nil
+        h.value = 0
+        h.valueCount = 0
+        h.sum = 0
+        h.sumOfSquares = 0
+}
+
+// CopyFrom copies from other, which must be a *histogram, into h.
+func (h *histogram) CopyFrom(other timeseries.Observable) {
+        o := other.(*histogram)
+        if o.valueCount == -1 {
+                h.allocateBuckets()
+                copy(h.buckets, o.buckets)
+        }
+        h.sum = o.sum
+        h.sumOfSquares = o.sumOfSquares
+        h.value = o.value
+        h.valueCount = o.valueCount
+}
+
+// Multiply scales the histogram by the specified ratio.
+func (h *histogram) Multiply(ratio float64) {
+        if h.valueCount == -1 {
+                for i := range h.buckets {
+                        h.buckets[i] = int64(float64(h.buckets[i]) * ratio)
+                }
+        } else {
+                h.valueCount = int64(float64(h.valueCount) * ratio)
+        }
+        h.sum = int64(float64(h.sum) * ratio)
+        h.sumOfSquares = h.sumOfSquares * ratio
+}
+
+// New creates a new histogram.
+func (h *histogram) New() timeseries.Observable {
+        r := new(histogram)
+        r.Clear()
+        return r
+}
+
+func (h *histogram) String() string {
+        return fmt.Sprintf("%d, %f, %d, %d, %v",
+                h.sum, h.sumOfSquares, h.value, h.valueCount, h.buckets)
+}
+
+// round returns the closest int64 to the argument
+func round(in float64) int64 {
+        return int64(math.Floor(in + 0.5))
+}
+
+// bucketBoundary returns the first value in the bucket.
+func bucketBoundary(bucket uint8) int64 {
+        if bucket == 0 {
+                return 0
+        }
+        return 1 << bucket
+}
+
+// bucketData holds data about a specific bucket for use in distTmpl.
+type bucketData struct {
+        Lower, Upper       int64
+        N                  int64
+        Pct, CumulativePct float64
+        GraphWidth         int
+}
+
+// data holds data about a Distribution for use in distTmpl.
+type data struct {
+        Buckets                 []*bucketData
+        Count, Median           int64
+        Mean, StandardDeviation float64
+}
+
+// maxHTMLBarWidth is the maximum width of the HTML bar for visualizing buckets.
+const maxHTMLBarWidth = 350.0
+
+// newData returns data representing h for use in distTmpl.
+func (h *histogram) newData() *data {
+        // Force the allocation of buckets to simplify the rendering implementation
+        h.allocateBuckets()
+        // We scale the bars on the right so that the largest bar is
+        // maxHTMLBarWidth pixels in width.
+        maxBucket := int64(0)
+        for _, n := range h.buckets {
+                if n > maxBucket {
+                        maxBucket = n
+                }
+        }
+        total := h.total()
+        barsizeMult := maxHTMLBarWidth / float64(maxBucket)
+        var pctMult float64
+        if total == 0 {
+                pctMult = 1.0
+        } else {
+                pctMult = 100.0 / float64(total)
+        }
+
+        buckets := make([]*bucketData, len(h.buckets))
+        runningTotal := int64(0)
+        for i, n := range h.buckets {
+                if n == 0 {
+                        continue
+                }
+                runningTotal += n
+                var upperBound int64
+                if i < bucketCount-1 {
+                        upperBound = bucketBoundary(uint8(i + 1))
+                } else {
+                        upperBound = math.MaxInt64
+                }
+                buckets[i] = &bucketData{
+                        Lower:         bucketBoundary(uint8(i)),
+                        Upper:         upperBound,
+                        N:             n,
+                        Pct:           float64(n) * pctMult,
+                        CumulativePct: float64(runningTotal) * pctMult,
+                        GraphWidth:    int(float64(n) * barsizeMult),
+                }
+        }
+        return &data{
+                Buckets:           buckets,
+                Count:             total,
+                Median:            h.median(),
+                Mean:              h.average(),
+                StandardDeviation: h.standardDeviation(),
+        }
+}
+
+func (h *histogram) html() template.HTML {
+        buf := new(bytes.Buffer)
+        if err := distTmpl().Execute(buf, h.newData()); err != nil {
+                buf.Reset()
+                log.Printf("net/trace: couldn't execute template: %v", err)
+        }
+        return template.HTML(buf.String())
+}
+
+var distTmplCache *template.Template
+var distTmplOnce sync.Once
+
+func distTmpl() *template.Template {
+        distTmplOnce.Do(func() {
+                // Input: data
+                distTmplCache = template.Must(template.New("distTmpl").Parse(`
+<table>
+<tr>
+    <td style="padding:0.25em">Count: {{.Count}}</td>
+    <td style="padding:0.25em">Mean: {{printf "%.0f" .Mean}}</td>
+    <td style="padding:0.25em">StdDev: {{printf "%.0f" .StandardDeviation}}</td>
+    <td style="padding:0.25em">Median: {{.Median}}</td>
+</tr>
+</table>
+<hr>
+<table>
+{{range $b := .Buckets}}
+{{if $b}}
+  <tr>
+    <td style="padding:0 0 0 0.25em">[</td>
+    <td style="text-align:right;padding:0 0.25em">{{.Lower}},</td>
+    <td style="text-align:right;padding:0 0.25em">{{.Upper}})</td>
+    <td style="text-align:right;padding:0 0.25em">{{.N}}</td>
+    <td style="text-align:right;padding:0 0.25em">{{printf "%#.3f" .Pct}}%</td>
+    <td style="text-align:right;padding:0 0.25em">{{printf "%#.3f" .CumulativePct}}%</td>
+    <td><div style="background-color: blue; height: 1em; width: {{.GraphWidth}};"></div></td>
+  </tr>
+{{end}}
+{{end}}
+</table>
+`))
+        })
+        return distTmplCache
+}
diff --git a/vendor/golang.org/x/net/trace/trace.go b/vendor/golang.org/x/net/trace/trace.go
new file mode 100644
index 0000000..3ebf6f2
--- /dev/null
+++ b/vendor/golang.org/x/net/trace/trace.go
@@ -0,0 +1,1130 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package trace implements tracing of requests and long-lived objects.
+It exports HTTP interfaces on /debug/requests and /debug/events.
+
+A trace.Trace provides tracing for short-lived objects, usually requests.
+A request handler might be implemented like this:
+
+        func fooHandler(w http.ResponseWriter, req *http.Request) {
+                tr := trace.New("mypkg.Foo", req.URL.Path)
+                defer tr.Finish()
+                ...
+                tr.LazyPrintf("some event %q happened", str)
+                ...
+                if err := somethingImportant(); err != nil {
+                        tr.LazyPrintf("somethingImportant failed: %v", err)
+                        tr.SetError()
+                }
+        }
+
+The /debug/requests HTTP endpoint organizes the traces by family,
+errors, and duration.  It also provides histogram of request duration
+for each family.
+
+A trace.EventLog provides tracing for long-lived objects, such as RPC
+connections.
+
+        // A Fetcher fetches URL paths for a single domain.
+        type Fetcher struct {
+                domain string
+                events trace.EventLog
+        }
+
+        func NewFetcher(domain string) *Fetcher {
+                return &Fetcher{
+                        domain,
+                        trace.NewEventLog("mypkg.Fetcher", domain),
+                }
+        }
+
+        func (f *Fetcher) Fetch(path string) (string, error) {
+                resp, err := http.Get("http://" + f.domain + "/" + path)
+                if err != nil {
+                        f.events.Errorf("Get(%q) = %v", path, err)
+                        return "", err
+                }
+                f.events.Printf("Get(%q) = %s", path, resp.Status)
+                ...
+        }
+
+        func (f *Fetcher) Close() error {
+                f.events.Finish()
+                return nil
+        }
+
+The /debug/events HTTP endpoint organizes the event logs by family and
+by time since the last error.  The expanded view displays recent log
+entries and the log's call stack.
+*/
+package trace // import "golang.org/x/net/trace"
+
+import (
+        "bytes"
+        "context"
+        "fmt"
+        "html/template"
+        "io"
+        "log"
+        "net"
+        "net/http"
+        "net/url"
+        "runtime"
+        "sort"
+        "strconv"
+        "sync"
+        "sync/atomic"
+        "time"
+
+        "golang.org/x/net/internal/timeseries"
+)
+
+// DebugUseAfterFinish controls whether to debug uses of Trace values after finishing.
+// FOR DEBUGGING ONLY. This will slow down the program.
+var DebugUseAfterFinish = false
+
+// HTTP ServeMux paths.
+const (
+        debugRequestsPath = "/debug/requests"
+        debugEventsPath   = "/debug/events"
+)
+
+// AuthRequest determines whether a specific request is permitted to load the
+// /debug/requests or /debug/events pages.
+//
+// It returns two bools; the first indicates whether the page may be viewed at all,
+// and the second indicates whether sensitive events will be shown.
+//
+// AuthRequest may be replaced by a program to customize its authorization requirements.
+//
+// The default AuthRequest function returns (true, true) if and only if the request
+// comes from localhost/127.0.0.1/[::1].
+var AuthRequest = func(req *http.Request) (any, sensitive bool) {
+        // RemoteAddr is commonly in the form "IP" or "IP:port".
+        // If it is in the form "IP:port", split off the port.
+        host, _, err := net.SplitHostPort(req.RemoteAddr)
+        if err != nil {
+                host = req.RemoteAddr
+        }
+        switch host {
+        case "localhost", "127.0.0.1", "::1":
+                return true, true
+        default:
+                return false, false
+        }
+}
+
+func init() {
+        _, pat := http.DefaultServeMux.Handler(&http.Request{URL: &url.URL{Path: debugRequestsPath}})
+        if pat == debugRequestsPath {
+                panic("/debug/requests is already registered. You may have two independent copies of " +
+                        "golang.org/x/net/trace in your binary, trying to maintain separate state. This may " +
+                        "involve a vendored copy of golang.org/x/net/trace.")
+        }
+
+        // TODO(jbd): Serve Traces from /debug/traces in the future?
+        // There is no requirement for a request to be present to have traces.
+        http.HandleFunc(debugRequestsPath, Traces)
+        http.HandleFunc(debugEventsPath, Events)
+}
+
+// NewContext returns a copy of the parent context
+// and associates it with a Trace.
+func NewContext(ctx context.Context, tr Trace) context.Context {
+        return context.WithValue(ctx, contextKey, tr)
+}
+
+// FromContext returns the Trace bound to the context, if any.
+func FromContext(ctx context.Context) (tr Trace, ok bool) {
+        tr, ok = ctx.Value(contextKey).(Trace)
+        return
+}
+
+// Traces responds with traces from the program.
+// The package initialization registers it in http.DefaultServeMux
+// at /debug/requests.
+//
+// It performs authorization by running AuthRequest.
+func Traces(w http.ResponseWriter, req *http.Request) {
+        any, sensitive := AuthRequest(req)
+        if !any {
+                http.Error(w, "not allowed", http.StatusUnauthorized)
+                return
+        }
+        w.Header().Set("Content-Type", "text/html; charset=utf-8")
+        Render(w, req, sensitive)
+}
+
+// Events responds with a page of events collected by EventLogs.
+// The package initialization registers it in http.DefaultServeMux
+// at /debug/events.
+//
+// It performs authorization by running AuthRequest.
+func Events(w http.ResponseWriter, req *http.Request) {
+        any, sensitive := AuthRequest(req)
+        if !any {
+                http.Error(w, "not allowed", http.StatusUnauthorized)
+                return
+        }
+        w.Header().Set("Content-Type", "text/html; charset=utf-8")
+        RenderEvents(w, req, sensitive)
+}
+
+// Render renders the HTML page typically served at /debug/requests.
+// It does not do any auth checking. The request may be nil.
+//
+// Most users will use the Traces handler.
+func Render(w io.Writer, req *http.Request, sensitive bool) {
+        data := &struct {
+                Families         []string
+                ActiveTraceCount map[string]int
+                CompletedTraces  map[string]*family
+
+                // Set when a bucket has been selected.
+                Traces        traceList
+                Family        string
+                Bucket        int
+                Expanded      bool
+                Traced        bool
+                Active        bool
+                ShowSensitive bool // whether to show sensitive events
+
+                Histogram       template.HTML
+                HistogramWindow string // e.g. "last minute", "last hour", "all time"
+
+                // If non-zero, the set of traces is a partial set,
+                // and this is the total number.
+                Total int
+        }{
+                CompletedTraces: completedTraces,
+        }
+
+        data.ShowSensitive = sensitive
+        if req != nil {
+                // Allow show_sensitive=0 to force hiding of sensitive data for testing.
+                // This only goes one way; you can't use show_sensitive=1 to see things.
+                if req.FormValue("show_sensitive") == "0" {
+                        data.ShowSensitive = false
+                }
+
+                if exp, err := strconv.ParseBool(req.FormValue("exp")); err == nil {
+                        data.Expanded = exp
+                }
+                if exp, err := strconv.ParseBool(req.FormValue("rtraced")); err == nil {
+                        data.Traced = exp
+                }
+        }
+
+        completedMu.RLock()
+        data.Families = make([]string, 0, len(completedTraces))
+        for fam := range completedTraces {
+                data.Families = append(data.Families, fam)
+        }
+        completedMu.RUnlock()
+        sort.Strings(data.Families)
+
+        // We are careful here to minimize the time spent locking activeMu,
+        // since that lock is required every time an RPC starts and finishes.
+        data.ActiveTraceCount = make(map[string]int, len(data.Families))
+        activeMu.RLock()
+        for fam, s := range activeTraces {
+                data.ActiveTraceCount[fam] = s.Len()
+        }
+        activeMu.RUnlock()
+
+        var ok bool
+        data.Family, data.Bucket, ok = parseArgs(req)
+        switch {
+        case !ok:
+                // No-op
+        case data.Bucket == -1:
+                data.Active = true
+                n := data.ActiveTraceCount[data.Family]
+                data.Traces = getActiveTraces(data.Family)
+                if len(data.Traces) < n {
+                        data.Total = n
+                }
+        case data.Bucket < bucketsPerFamily:
+                if b := lookupBucket(data.Family, data.Bucket); b != nil {
+                        data.Traces = b.Copy(data.Traced)
+                }
+        default:
+                if f := getFamily(data.Family, false); f != nil {
+                        var obs timeseries.Observable
+                        f.LatencyMu.RLock()
+                        switch o := data.Bucket - bucketsPerFamily; o {
+                        case 0:
+                                obs = f.Latency.Minute()
+                                data.HistogramWindow = "last minute"
+                        case 1:
+                                obs = f.Latency.Hour()
+                                data.HistogramWindow = "last hour"
+                        case 2:
+                                obs = f.Latency.Total()
+                                data.HistogramWindow = "all time"
+                        }
+                        f.LatencyMu.RUnlock()
+                        if obs != nil {
+                                data.Histogram = obs.(*histogram).html()
+                        }
+                }
+        }
+
+        if data.Traces != nil {
+                defer data.Traces.Free()
+                sort.Sort(data.Traces)
+        }
+
+        completedMu.RLock()
+        defer completedMu.RUnlock()
+        if err := pageTmpl().ExecuteTemplate(w, "Page", data); err != nil {
+                log.Printf("net/trace: Failed executing template: %v", err)
+        }
+}
+
+func parseArgs(req *http.Request) (fam string, b int, ok bool) {
+        if req == nil {
+                return "", 0, false
+        }
+        fam, bStr := req.FormValue("fam"), req.FormValue("b")
+        if fam == "" || bStr == "" {
+                return "", 0, false
+        }
+        b, err := strconv.Atoi(bStr)
+        if err != nil || b < -1 {
+                return "", 0, false
+        }
+
+        return fam, b, true
+}
+
+func lookupBucket(fam string, b int) *traceBucket {
+        f := getFamily(fam, false)
+        if f == nil || b < 0 || b >= len(f.Buckets) {
+                return nil
+        }
+        return f.Buckets[b]
+}
+
+type contextKeyT string
+
+var contextKey = contextKeyT("golang.org/x/net/trace.Trace")
+
+// Trace represents an active request.
+type Trace interface {
+        // LazyLog adds x to the event log. It will be evaluated each time the
+        // /debug/requests page is rendered. Any memory referenced by x will be
+        // pinned until the trace is finished and later discarded.
+        LazyLog(x fmt.Stringer, sensitive bool)
+
+        // LazyPrintf evaluates its arguments with fmt.Sprintf each time the
+        // /debug/requests page is rendered. Any memory referenced by a will be
+        // pinned until the trace is finished and later discarded.
+        LazyPrintf(format string, a ...interface{})
+
+        // SetError declares that this trace resulted in an error.
+        SetError()
+
+        // SetRecycler sets a recycler for the trace.
+        // f will be called for each event passed to LazyLog at a time when
+        // it is no longer required, whether while the trace is still active
+        // and the event is discarded, or when a completed trace is discarded.
+        SetRecycler(f func(interface{}))
+
+        // SetTraceInfo sets the trace info for the trace.
+        // This is currently unused.
+        SetTraceInfo(traceID, spanID uint64)
+
+        // SetMaxEvents sets the maximum number of events that will be stored
+        // in the trace. This has no effect if any events have already been
+        // added to the trace.
+        SetMaxEvents(m int)
+
+        // Finish declares that this trace is complete.
+        // The trace should not be used after calling this method.
+        Finish()
+}
+
+type lazySprintf struct {
+        format string
+        a      []interface{}
+}
+
+func (l *lazySprintf) String() string {
+        return fmt.Sprintf(l.format, l.a...)
+}
+
+// New returns a new Trace with the specified family and title.
+func New(family, title string) Trace {
+        tr := newTrace()
+        tr.ref()
+        tr.Family, tr.Title = family, title
+        tr.Start = time.Now()
+        tr.maxEvents = maxEventsPerTrace
+        tr.events = tr.eventsBuf[:0]
+
+        activeMu.RLock()
+        s := activeTraces[tr.Family]
+        activeMu.RUnlock()
+        if s == nil {
+                activeMu.Lock()
+                s = activeTraces[tr.Family] // check again
+                if s == nil {
+                        s = new(traceSet)
+                        activeTraces[tr.Family] = s
+                }
+                activeMu.Unlock()
+        }
+        s.Add(tr)
+
+        // Trigger allocation of the completed trace structure for this family.
+        // This will cause the family to be present in the request page during
+        // the first trace of this family. We don't care about the return value,
+        // nor is there any need for this to run inline, so we execute it in its
+        // own goroutine, but only if the family isn't allocated yet.
+        completedMu.RLock()
+        if _, ok := completedTraces[tr.Family]; !ok {
+                go allocFamily(tr.Family)
+        }
+        completedMu.RUnlock()
+
+        return tr
+}
+
+func (tr *trace) Finish() {
+        elapsed := time.Now().Sub(tr.Start)
+        tr.mu.Lock()
+        tr.Elapsed = elapsed
+        tr.mu.Unlock()
+
+        if DebugUseAfterFinish {
+                buf := make([]byte, 4<<10) // 4 KB should be enough
+                n := runtime.Stack(buf, false)
+                tr.finishStack = buf[:n]
+        }
+
+        activeMu.RLock()
+        m := activeTraces[tr.Family]
+        activeMu.RUnlock()
+        m.Remove(tr)
+
+        f := getFamily(tr.Family, true)
+        tr.mu.RLock() // protects tr fields in Cond.match calls
+        for _, b := range f.Buckets {
+                if b.Cond.match(tr) {
+                        b.Add(tr)
+                }
+        }
+        tr.mu.RUnlock()
+
+        // Add a sample of elapsed time as microseconds to the family's timeseries
+        h := new(histogram)
+        h.addMeasurement(elapsed.Nanoseconds() / 1e3)
+        f.LatencyMu.Lock()
+        f.Latency.Add(h)
+        f.LatencyMu.Unlock()
+
+        tr.unref() // matches ref in New
+}
+
+const (
+        bucketsPerFamily    = 9
+        tracesPerBucket     = 10
+        maxActiveTraces     = 20 // Maximum number of active traces to show.
+        maxEventsPerTrace   = 10
+        numHistogramBuckets = 38
+)
+
+var (
+        // The active traces.
+        activeMu     sync.RWMutex
+        activeTraces = make(map[string]*traceSet) // family -> traces
+
+        // Families of completed traces.
+        completedMu     sync.RWMutex
+        completedTraces = make(map[string]*family) // family -> traces
+)
+
+type traceSet struct {
+        mu sync.RWMutex
+        m  map[*trace]bool
+
+        // We could avoid the entire map scan in FirstN by having a slice of all the traces
+        // ordered by start time, and an index into that from the trace struct, with a periodic
+        // repack of the slice after enough traces finish; we could also use a skip list or similar.
+        // However, that would shift some of the expense from /debug/requests time to RPC time,
+        // which is probably the wrong trade-off.
+}
+
+func (ts *traceSet) Len() int {
+        ts.mu.RLock()
+        defer ts.mu.RUnlock()
+        return len(ts.m)
+}
+
+func (ts *traceSet) Add(tr *trace) {
+        ts.mu.Lock()
+        if ts.m == nil {
+                ts.m = make(map[*trace]bool)
+        }
+        ts.m[tr] = true
+        ts.mu.Unlock()
+}
+
+func (ts *traceSet) Remove(tr *trace) {
+        ts.mu.Lock()
+        delete(ts.m, tr)
+        ts.mu.Unlock()
+}
+
+// FirstN returns the first n traces ordered by time.
+func (ts *traceSet) FirstN(n int) traceList {
+        ts.mu.RLock()
+        defer ts.mu.RUnlock()
+
+        if n > len(ts.m) {
+                n = len(ts.m)
+        }
+        trl := make(traceList, 0, n)
+
+        // Fast path for when no selectivity is needed.
+        if n == len(ts.m) {
+                for tr := range ts.m {
+                        tr.ref()
+                        trl = append(trl, tr)
+                }
+                sort.Sort(trl)
+                return trl
+        }
+
+        // Pick the oldest n traces.
+        // This is inefficient. See the comment in the traceSet struct.
+        for tr := range ts.m {
+                // Put the first n traces into trl in the order they occur.
+                // When we have n, sort trl, and thereafter maintain its order.
+                if len(trl) < n {
+                        tr.ref()
+                        trl = append(trl, tr)
+                        if len(trl) == n {
+                                // This is guaranteed to happen exactly once during this loop.
+                                sort.Sort(trl)
+                        }
+                        continue
+                }
+                if tr.Start.After(trl[n-1].Start) {
+                        continue
+                }
+
+                // Find where to insert this one.
+                tr.ref()
+                i := sort.Search(n, func(i int) bool { return trl[i].Start.After(tr.Start) })
+                trl[n-1].unref()
+                copy(trl[i+1:], trl[i:])
+                trl[i] = tr
+        }
+
+        return trl
+}
+
+func getActiveTraces(fam string) traceList {
+        activeMu.RLock()
+        s := activeTraces[fam]
+        activeMu.RUnlock()
+        if s == nil {
+                return nil
+        }
+        return s.FirstN(maxActiveTraces)
+}
+
+func getFamily(fam string, allocNew bool) *family {
+        completedMu.RLock()
+        f := completedTraces[fam]
+        completedMu.RUnlock()
+        if f == nil && allocNew {
+                f = allocFamily(fam)
+        }
+        return f
+}
+
+func allocFamily(fam string) *family {
+        completedMu.Lock()
+        defer completedMu.Unlock()
+        f := completedTraces[fam]
+        if f == nil {
+                f = newFamily()
+                completedTraces[fam] = f
+        }
+        return f
+}
+
+// family represents a set of trace buckets and associated latency information.
+type family struct {
+        // traces may occur in multiple buckets.
+        Buckets [bucketsPerFamily]*traceBucket
+
+        // latency time series
+        LatencyMu sync.RWMutex
+        Latency   *timeseries.MinuteHourSeries
+}
+
+func newFamily() *family {
+        return &family{
+                Buckets: [bucketsPerFamily]*traceBucket{
+                        {Cond: minCond(0)},
+                        {Cond: minCond(50 * time.Millisecond)},
+                        {Cond: minCond(100 * time.Millisecond)},
+                        {Cond: minCond(200 * time.Millisecond)},
+                        {Cond: minCond(500 * time.Millisecond)},
+                        {Cond: minCond(1 * time.Second)},
+                        {Cond: minCond(10 * time.Second)},
+                        {Cond: minCond(100 * time.Second)},
+                        {Cond: errorCond{}},
+                },
+                Latency: timeseries.NewMinuteHourSeries(func() timeseries.Observable { return new(histogram) }),
+        }
+}
+
+// traceBucket represents a size-capped bucket of historic traces,
+// along with a condition for a trace to belong to the bucket.
+type traceBucket struct {
+        Cond cond
+
+        // Ring buffer implementation of a fixed-size FIFO queue.
+        mu     sync.RWMutex
+        buf    [tracesPerBucket]*trace
+        start  int // < tracesPerBucket
+        length int // <= tracesPerBucket
+}
+
+func (b *traceBucket) Add(tr *trace) {
+        b.mu.Lock()
+        defer b.mu.Unlock()
+
+        i := b.start + b.length
+        if i >= tracesPerBucket {
+                i -= tracesPerBucket
+        }
+        if b.length == tracesPerBucket {
+                // "Remove" an element from the bucket.
+                b.buf[i].unref()
+                b.start++
+                if b.start == tracesPerBucket {
+                        b.start = 0
+                }
+        }
+        b.buf[i] = tr
+        if b.length < tracesPerBucket {
+                b.length++
+        }
+        tr.ref()
+}
+
+// Copy returns a copy of the traces in the bucket.
+// If tracedOnly is true, only the traces with trace information will be returned.
+// The logs will be ref'd before returning; the caller should call
+// the Free method when it is done with them.
+// TODO(dsymonds): keep track of traced requests in separate buckets.
+func (b *traceBucket) Copy(tracedOnly bool) traceList {
+        b.mu.RLock()
+        defer b.mu.RUnlock()
+
+        trl := make(traceList, 0, b.length)
+        for i, x := 0, b.start; i < b.length; i++ {
+                tr := b.buf[x]
+                if !tracedOnly || tr.spanID != 0 {
+                        tr.ref()
+                        trl = append(trl, tr)
+                }
+                x++
+                if x == b.length {
+                        x = 0
+                }
+        }
+        return trl
+}
+
+func (b *traceBucket) Empty() bool {
+        b.mu.RLock()
+        defer b.mu.RUnlock()
+        return b.length == 0
+}
+
+// cond represents a condition on a trace.
+type cond interface {
+        match(t *trace) bool
+        String() string
+}
+
+type minCond time.Duration
+
+func (m minCond) match(t *trace) bool { return t.Elapsed >= time.Duration(m) }
+func (m minCond) String() string      { return fmt.Sprintf("≥%gs", time.Duration(m).Seconds()) }
+
+type errorCond struct{}
+
+func (e errorCond) match(t *trace) bool { return t.IsError }
+func (e errorCond) String() string      { return "errors" }
+
+type traceList []*trace
+
+// Free calls unref on each element of the list.
+func (trl traceList) Free() {
+        for _, t := range trl {
+                t.unref()
+        }
+}
+
+// traceList may be sorted in reverse chronological order.
+func (trl traceList) Len() int           { return len(trl) }
+func (trl traceList) Less(i, j int) bool { return trl[i].Start.After(trl[j].Start) }
+func (trl traceList) Swap(i, j int)      { trl[i], trl[j] = trl[j], trl[i] }
+
+// An event is a timestamped log entry in a trace.
+type event struct {
+        When       time.Time
+        Elapsed    time.Duration // since previous event in trace
+        NewDay     bool          // whether this event is on a different day to the previous event
+        Recyclable bool          // whether this event was passed via LazyLog
+        Sensitive  bool          // whether this event contains sensitive information
+        What       interface{}   // string or fmt.Stringer
+}
+
+// WhenString returns a string representation of the elapsed time of the event.
+// It will include the date if midnight was crossed.
+func (e event) WhenString() string {
+        if e.NewDay {
+                return e.When.Format("2006/01/02 15:04:05.000000")
+        }
+        return e.When.Format("15:04:05.000000")
+}
+
+// discarded represents a number of discarded events.
+// It is stored as *discarded to make it easier to update in-place.
+type discarded int
+
+func (d *discarded) String() string {
+        return fmt.Sprintf("(%d events discarded)", int(*d))
+}
+
+// trace represents an active or complete request,
+// either sent or received by this program.
+type trace struct {
+        // Family is the top-level grouping of traces to which this belongs.
+        Family string
+
+        // Title is the title of this trace.
+        Title string
+
+        // Start time of the this trace.
+        Start time.Time
+
+        mu        sync.RWMutex
+        events    []event // Append-only sequence of events (modulo discards).
+        maxEvents int
+        recycler  func(interface{})
+        IsError   bool          // Whether this trace resulted in an error.
+        Elapsed   time.Duration // Elapsed time for this trace, zero while active.
+        traceID   uint64        // Trace information if non-zero.
+        spanID    uint64
+
+        refs int32     // how many buckets this is in
+        disc discarded // scratch space to avoid allocation
+
+        finishStack []byte // where finish was called, if DebugUseAfterFinish is set
+
+        eventsBuf [4]event // preallocated buffer in case we only log a few events
+}
+
+func (tr *trace) reset() {
+        // Clear all but the mutex. Mutexes may not be copied, even when unlocked.
+        tr.Family = ""
+        tr.Title = ""
+        tr.Start = time.Time{}
+
+        tr.mu.Lock()
+        tr.Elapsed = 0
+        tr.traceID = 0
+        tr.spanID = 0
+        tr.IsError = false
+        tr.maxEvents = 0
+        tr.events = nil
+        tr.recycler = nil
+        tr.mu.Unlock()
+
+        tr.refs = 0
+        tr.disc = 0
+        tr.finishStack = nil
+        for i := range tr.eventsBuf {
+                tr.eventsBuf[i] = event{}
+        }
+}
+
+// delta returns the elapsed time since the last event or the trace start,
+// and whether it spans midnight.
+// L >= tr.mu
+func (tr *trace) delta(t time.Time) (time.Duration, bool) {
+        if len(tr.events) == 0 {
+                return t.Sub(tr.Start), false
+        }
+        prev := tr.events[len(tr.events)-1].When
+        return t.Sub(prev), prev.Day() != t.Day()
+}
+
+func (tr *trace) addEvent(x interface{}, recyclable, sensitive bool) {
+        if DebugUseAfterFinish && tr.finishStack != nil {
+                buf := make([]byte, 4<<10) // 4 KB should be enough
+                n := runtime.Stack(buf, false)
+                log.Printf("net/trace: trace used after finish:\nFinished at:\n%s\nUsed at:\n%s", tr.finishStack, buf[:n])
+        }
+
+        /*
+                NOTE TO DEBUGGERS
+
+                If you are here because your program panicked in this code,
+                it is almost definitely the fault of code using this package,
+                and very unlikely to be the fault of this code.
+
+                The most likely scenario is that some code elsewhere is using
+                a trace.Trace after its Finish method is called.
+                You can temporarily set the DebugUseAfterFinish var
+                to help discover where that is; do not leave that var set,
+                since it makes this package much less efficient.
+        */
+
+        e := event{When: time.Now(), What: x, Recyclable: recyclable, Sensitive: sensitive}
+        tr.mu.Lock()
+        e.Elapsed, e.NewDay = tr.delta(e.When)
+        if len(tr.events) < tr.maxEvents {
+                tr.events = append(tr.events, e)
+        } else {
+                // Discard the middle events.
+                di := int((tr.maxEvents - 1) / 2)
+                if d, ok := tr.events[di].What.(*discarded); ok {
+                        (*d)++
+                } else {
+                        // disc starts at two to count for the event it is replacing,
+                        // plus the next one that we are about to drop.
+                        tr.disc = 2
+                        if tr.recycler != nil && tr.events[di].Recyclable {
+                                go tr.recycler(tr.events[di].What)
+                        }
+                        tr.events[di].What = &tr.disc
+                }
+                // The timestamp of the discarded meta-event should be
+                // the time of the last event it is representing.
+                tr.events[di].When = tr.events[di+1].When
+
+                if tr.recycler != nil && tr.events[di+1].Recyclable {
+                        go tr.recycler(tr.events[di+1].What)
+                }
+                copy(tr.events[di+1:], tr.events[di+2:])
+                tr.events[tr.maxEvents-1] = e
+        }
+        tr.mu.Unlock()
+}
+
+func (tr *trace) LazyLog(x fmt.Stringer, sensitive bool) {
+        tr.addEvent(x, true, sensitive)
+}
+
+func (tr *trace) LazyPrintf(format string, a ...interface{}) {
+        tr.addEvent(&lazySprintf{format, a}, false, false)
+}
+
+func (tr *trace) SetError() {
+        tr.mu.Lock()
+        tr.IsError = true
+        tr.mu.Unlock()
+}
+
+func (tr *trace) SetRecycler(f func(interface{})) {
+        tr.mu.Lock()
+        tr.recycler = f
+        tr.mu.Unlock()
+}
+
+func (tr *trace) SetTraceInfo(traceID, spanID uint64) {
+        tr.mu.Lock()
+        tr.traceID, tr.spanID = traceID, spanID
+        tr.mu.Unlock()
+}
+
+func (tr *trace) SetMaxEvents(m int) {
+        tr.mu.Lock()
+        // Always keep at least three events: first, discarded count, last.
+        if len(tr.events) == 0 && m > 3 {
+                tr.maxEvents = m
+        }
+        tr.mu.Unlock()
+}
+
+func (tr *trace) ref() {
+        atomic.AddInt32(&tr.refs, 1)
+}
+
+func (tr *trace) unref() {
+        if atomic.AddInt32(&tr.refs, -1) == 0 {
+                tr.mu.RLock()
+                if tr.recycler != nil {
+                        // freeTrace clears tr, so we hold tr.recycler and tr.events here.
+                        go func(f func(interface{}), es []event) {
+                                for _, e := range es {
+                                        if e.Recyclable {
+                                                f(e.What)
+                                        }
+                                }
+                        }(tr.recycler, tr.events)
+                }
+                tr.mu.RUnlock()
+
+                freeTrace(tr)
+        }
+}
+
+func (tr *trace) When() string {
+        return tr.Start.Format("2006/01/02 15:04:05.000000")
+}
+
+func (tr *trace) ElapsedTime() string {
+        tr.mu.RLock()
+        t := tr.Elapsed
+        tr.mu.RUnlock()
+
+        if t == 0 {
+                // Active trace.
+                t = time.Since(tr.Start)
+        }
+        return fmt.Sprintf("%.6f", t.Seconds())
+}
+
+func (tr *trace) Events() []event {
+        tr.mu.RLock()
+        defer tr.mu.RUnlock()
+        return tr.events
+}
+
+var traceFreeList = make(chan *trace, 1000) // TODO(dsymonds): Use sync.Pool?
+
+// newTrace returns a trace ready to use.
+func newTrace() *trace {
+        select {
+        case tr := <-traceFreeList:
+                return tr
+        default:
+                return new(trace)
+        }
+}
+
+// freeTrace adds tr to traceFreeList if there's room.
+// This is non-blocking.
+func freeTrace(tr *trace) {
+        if DebugUseAfterFinish {
+                return // never reuse
+        }
+        tr.reset()
+        select {
+        case traceFreeList <- tr:
+        default:
+        }
+}
+
+func elapsed(d time.Duration) string {
+        b := []byte(fmt.Sprintf("%.6f", d.Seconds()))
+
+        // For subsecond durations, blank all zeros before decimal point,
+        // and all zeros between the decimal point and the first non-zero digit.
+        if d < time.Second {
+                dot := bytes.IndexByte(b, '.')
+                for i := 0; i < dot; i++ {
+                        b[i] = ' '
+                }
+                for i := dot + 1; i < len(b); i++ {
+                        if b[i] == '0' {
+                                b[i] = ' '
+                        } else {
+                                break
+                        }
+                }
+        }
+
+        return string(b)
+}
+
+var pageTmplCache *template.Template
+var pageTmplOnce sync.Once
+
+func pageTmpl() *template.Template {
+        pageTmplOnce.Do(func() {
+                pageTmplCache = template.Must(template.New("Page").Funcs(template.FuncMap{
+                        "elapsed": elapsed,
+                        "add":     func(a, b int) int { return a + b },
+                }).Parse(pageHTML))
+        })
+        return pageTmplCache
+}
+
+const pageHTML = `
+{{template "Prolog" .}}
+{{template "StatusTable" .}}
+{{template "Epilog" .}}
+
+{{define "Prolog"}}
+<html>
+        <head>
+        <title>/debug/requests</title>
+        <style type="text/css">
+                body {
+                        font-family: sans-serif;
+                }
+                table#tr-status td.family {
+                        padding-right: 2em;
+                }
+                table#tr-status td.active {
+                        padding-right: 1em;
+                }
+                table#tr-status td.latency-first {
+                        padding-left: 1em;
+                }
+                table#tr-status td.empty {
+                        color: #aaa;
+                }
+                table#reqs {
+                        margin-top: 1em;
+                }
+                table#reqs tr.first {
+                        {{if $.Expanded}}font-weight: bold;{{end}}
+                }
+                table#reqs td {
+                        font-family: monospace;
+                }
+                table#reqs td.when {
+                        text-align: right;
+                        white-space: nowrap;
+                }
+                table#reqs td.elapsed {
+                        padding: 0 0.5em;
+                        text-align: right;
+                        white-space: pre;
+                        width: 10em;
+                }
+                address {
+                        font-size: smaller;
+                        margin-top: 5em;
+                }
+        </style>
+        </head>
+        <body>
+
+<h1>/debug/requests</h1>
+{{end}} {{/* end of Prolog */}}
+
+{{define "StatusTable"}}
+<table id="tr-status">
+        {{range $fam := .Families}}
+        <tr>
+                <td class="family">{{$fam}}</td>
+
+                {{$n := index $.ActiveTraceCount $fam}}
+                <td class="active {{if not $n}}empty{{end}}">
+                        {{if $n}}<a href="?fam={{$fam}}&b=-1{{if $.Expanded}}&exp=1{{end}}">{{end}}
+                        [{{$n}} active]
+                        {{if $n}}</a>{{end}}
+                </td>
+
+                {{$f := index $.CompletedTraces $fam}}
+                {{range $i, $b := $f.Buckets}}
+                {{$empty := $b.Empty}}
+                <td {{if $empty}}class="empty"{{end}}>
+                {{if not $empty}}<a href="?fam={{$fam}}&b={{$i}}{{if $.Expanded}}&exp=1{{end}}">{{end}}
+                [{{.Cond}}]
+                {{if not $empty}}</a>{{end}}
+                </td>
+                {{end}}
+
+                {{$nb := len $f.Buckets}}
+                <td class="latency-first">
+                <a href="?fam={{$fam}}&b={{$nb}}">[minute]</a>
+                </td>
+                <td>
+                <a href="?fam={{$fam}}&b={{add $nb 1}}">[hour]</a>
+                </td>
+                <td>
+                <a href="?fam={{$fam}}&b={{add $nb 2}}">[total]</a>
+                </td>
+
+        </tr>
+        {{end}}
+</table>
+{{end}} {{/* end of StatusTable */}}
+
+{{define "Epilog"}}
+{{if $.Traces}}
+<hr />
+<h3>Family: {{$.Family}}</h3>
+
+{{if or $.Expanded $.Traced}}
+  <a href="?fam={{$.Family}}&b={{$.Bucket}}">[Normal/Summary]</a>
+{{else}}
+  [Normal/Summary]
+{{end}}
+
+{{if or (not $.Expanded) $.Traced}}
+  <a href="?fam={{$.Family}}&b={{$.Bucket}}&exp=1">[Normal/Expanded]</a>
+{{else}}
+  [Normal/Expanded]
+{{end}}
+
+{{if not $.Active}}
+        {{if or $.Expanded (not $.Traced)}}
+        <a href="?fam={{$.Family}}&b={{$.Bucket}}&rtraced=1">[Traced/Summary]</a>
+        {{else}}
+        [Traced/Summary]
+        {{end}}
+        {{if or (not $.Expanded) (not $.Traced)}}
+        <a href="?fam={{$.Family}}&b={{$.Bucket}}&exp=1&rtraced=1">[Traced/Expanded]</a>
+        {{else}}
+        [Traced/Expanded]
+        {{end}}
+{{end}}
+
+{{if $.Total}}
+<p><em>Showing <b>{{len $.Traces}}</b> of <b>{{$.Total}}</b> traces.</em></p>
+{{end}}
+
+<table id="reqs">
+        <caption>
+                {{if $.Active}}Active{{else}}Completed{{end}} Requests
+        </caption>
+        <tr><th>When</th><th>Elapsed&nbsp;(s)</th></tr>
+        {{range $tr := $.Traces}}
+        <tr class="first">
+                <td class="when">{{$tr.When}}</td>
+                <td class="elapsed">{{$tr.ElapsedTime}}</td>
+                <td>{{$tr.Title}}</td>
+                {{/* TODO: include traceID/spanID */}}
+        </tr>
+        {{if $.Expanded}}
+        {{range $tr.Events}}
+        <tr>
+                <td class="when">{{.WhenString}}</td>
+                <td class="elapsed">{{elapsed .Elapsed}}</td>
+                <td>{{if or $.ShowSensitive (not .Sensitive)}}... {{.What}}{{else}}<em>[redacted]</em>{{end}}</td>
+        </tr>
+        {{end}}
+        {{end}}
+        {{end}}
+</table>
+{{end}} {{/* if $.Traces */}}
+
+{{if $.Histogram}}
+<h4>Latency (&micro;s) of {{$.Family}} over {{$.HistogramWindow}}</h4>
+{{$.Histogram}}
+{{end}} {{/* if $.Histogram */}}
+
+        </body>
+</html>
+{{end}} {{/* end of Epilog */}}
+`
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 546605c..b510145 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -44,6 +44,8 @@ github.com/mdlayher/netlink/nlenc
 # github.com/mdlayher/wifi v0.0.0-20190303161829-b1436901ddee
 github.com/mdlayher/wifi
 github.com/mdlayher/wifi/internal/nl80211
+# github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223
+github.com/mwitkow/go-conntrack
 # github.com/pkg/errors v0.9.1
 github.com/pkg/errors
 # github.com/prometheus/client_golang v1.4.1
@@ -53,6 +55,7 @@ github.com/prometheus/client_golang/prometheus/promhttp
 # github.com/prometheus/client_model v0.2.0
 github.com/prometheus/client_model/go
 # github.com/prometheus/common v0.9.1
+github.com/prometheus/common/config
 github.com/prometheus/common/expfmt
 github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg
 github.com/prometheus/common/model
@@ -78,6 +81,9 @@ go.uber.org/atomic
 go.uber.org/multierr
 # go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee
 go.uber.org/tools/update-license
+# golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
+golang.org/x/crypto/bcrypt
+golang.org/x/crypto/blowfish
 # golang.org/x/lint v0.0.0-20200130185559-910be7a94367
 golang.org/x/lint
 golang.org/x/lint/golint
@@ -85,7 +91,9 @@ golang.org/x/lint/golint
 golang.org/x/net/bpf
 golang.org/x/net/internal/iana
 golang.org/x/net/internal/socket
+golang.org/x/net/internal/timeseries
 golang.org/x/net/ipv4
+golang.org/x/net/trace
 # golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
 golang.org/x/sync/errgroup
 # golang.org/x/sys v0.0.0-20200217220822-9197077df867