#3793: Solving the Bulk Redirect Problem for System Migrations

What tools exist for managing bulk redirect mappings when QR codes are already stuck on physical assets?

Episode Details
Episode ID: MWP-3972
Duration: 20:33
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: deepseek-v4-pro

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

System migrations are hard enough when everything is digital. But when physical assets already carry QR codes and barcodes pointing to old URL patterns, the redirect problem becomes an operational necessity. You can't relabel hundreds of assets, and you can't push an update to a code etched onto a steel rack.

The redirect problem splits into three layers. The simplest is pattern-matching — if old URLs transform deterministically into new ones, a regex engine in HAProxy, Nginx, or Apache can handle it. But once you pass a couple hundred rules, the config becomes a maintenance nightmare nobody wants to touch.

The second layer requires a lookup table. When SKUs don't encode the new IDs, every barcode scan adds a database hit to the redirect. The third layer is intelligent mapping — deriving the new URL from the old system's last stable record and what the new system knows about the asset. That's no longer a redirect rule; it's a resolution service.

For teams managing bulk redirects long-term, the recommended pattern is separating the execution layer from the management layer. Traefik with dynamic configuration backends like Redis lets you build a simple internal admin panel that writes rules without touching the edge proxy config directly. For programmable routing, Pomerium and Kong offer gateway-level approaches where redirect logic can query databases or call APIs at the edge. The key insight: once you need dynamic resolution, you're writing code somewhere — the question is whether that code lives in your application, a middleware service, or inside your gateway as a plugin.
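The first two layers and a pre-cutover verification sweep, as an added sketch that is not code from the episode or from any tool it names. The hostnames, path shapes, location-code format and new IDs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: hosts, path shapes and IDs are assumptions for illustration.
ALLOWED_DEST_HOSTS = {"assets.example"}

# Layer 1: deterministic pattern rules (old path regex -> destination template).
PATTERN_RULES = [
    (re.compile(r"/item/LOC-(?P<aisle>\d{2})-(?P<bin>\d{3})"),
     "https://assets.example/locations/{aisle}/{bin}"),
]

# Layer 2: lookup table captured once at migration time (old ID -> new ID).
ID_MAP = {"14427": "NEW-ID-0001", "14428": "NEW-ID-0002"}
ASSET_PATH = re.compile(r"/item/(?P<old_id>\d{1,10})")


def resolve(old_url):
    """Return (status, location) for a scanned old URL; location is None on a miss."""
    path = urlsplit(old_url).path
    # fullmatch keeps trailing junk or newlines from slipping past the pattern.
    for rx, template in PATTERN_RULES:
        m = rx.fullmatch(path)
        if m:
            return 301, template.format(**m.groupdict())
    m = ASSET_PATH.fullmatch(path)
    if m:
        new_id = ID_MAP.get(m.group("old_id"))
        if new_id is not None:
            return 301, f"https://assets.example/products/{new_id}"
    # Unknown identifiers fail closed: never echo request input into a Location.
    return 404, None


def sweep(old_urls):
    """Pre-cutover check over the exported list of printed URLs.

    Returns every URL that would not redirect, or that would redirect to a
    host outside the allowlist (for example after a mistyped rule was saved
    through the management layer).
    """
    failures = []
    for url in old_urls:
        status, location = resolve(url)
        if status != 301 or urlsplit(location).hostname not in ALLOWED_DEST_HOSTS:
            failures.append(url)
    return failures


if __name__ == "__main__":
    printed = [
        "https://inventory.example/item/14427",
        "https://inventory.example/item/LOC-07-112",
        "https://inventory.example/item/99999",  # constructed: label with no mapping
    ]
    for u in printed:
        print(u, "->", resolve(u))
    print("unresolved:", sweep(printed))
```

Running `sweep` over the full export before go-live gives the list of labels that would 404 at the scanner.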


Corn
Daniel sent us this one — he's dealing with the unglamorous plumbing of system migrations. Specifically, the redirect problem. You've got an old inventory system, QR codes and barcodes already in the wild and stuck on physical boxes, and you're moving to a new system that generates completely different URL patterns. Nobody wants to relabel hundreds of assets. The question boils down to: what tools exist for managing bulk redirect mappings, potentially with some intelligence behind them, in a way that doesn't involve cramming a thousand regex rules into a single HAProxy config file and hoping for the best. He wants standalone, self-hostable options that can do this at scale — both for public-facing sites and internal tools.
Herman
A migration where the physical world has already been stamped with the old identifiers. That's the part that makes this genuinely interesting — you can't push an update to a QR code etched onto a steel rack in a warehouse.
Corn
The code is code.
Herman
So now your redirect layer isn't just web hygiene for SEO — it's keeping the business operational. Someone scans a barcode, the request hits the old URL pattern, and if it 404s, you've got a forklift driver standing there with no idea where this pallet goes.
Corn
Forklift driver experiencing existential dread in aisle seven.
Herman
The thing about this space is — everyone sort of reinvents the same wheel badly. I've seen five or six different approaches in the wild. Let me start with the landscape, because the problem Daniel's describing actually splits into layers.
Corn
Of course there are layers.
Herman
The simplest layer is the pattern-matching layer. You've got a known transformation — say, old URLs look like inventory.com forward-slash item forward-slash SKU, and new ones look like assets.com forward-slash products forward-slash UUID. If there's a deterministic mapping embedded in that SKU, you just need a regex engine that can handle volume and report what it's doing. HAProxy can do this. Nginx can do this. Apache's mod_rewrite can do this. But the moment you leave a couple hundred rules, the config becomes its own maintenance nightmare. People start being afraid to touch it.
Corn
File that nobody wants to edit becomes the cornerstone of your business continuity plan. That's a solid foundation.
Herman
Then you hit the second layer — which is where the mapping isn't purely algorithmic. The SKU doesn't encode the new ID. You need a lookup table. Old asset 14427 became new asset A93F dash B2 dash and so on. That thing has to live somewhere and be fast, because you're adding a database hit to every redirect.
Corn
Every barcode scan in the warehouse suddenly involves a round-trip to whatever you've built. Latency is the least popular forklift passenger.
Herman
Then there's the third layer, which is the one Daniel flagged as "intelligent mapping." Where you don't have a complete map, but you can derive it. The old system's last stable record — maybe from an API snapshot taken right before cutover — lets you query "what was asset 14427's current location and type?" and construct the new URL from what the new system knows about that thing. That's not a redirect rule anymore. That's a resolution service.
Corn
We've gone from a text file full of regex to a runtime system that has to talk to multiple APIs. You're building middleware and calling it redirects.
Herman
And the question is: what tools actually exist for this that aren't just rolling your own Express server or FastAPI app and hoping your successor understands what you did?
Corn
Which they won't.
Herman
They won't. So let me walk through the options that are purpose-built for this, because there's a spectrum I don't think most people have mapped.
Corn
Go on then, cartographer.
Herman
On the simple end, there's a tool called Redirection. It's not self-hosted — it's a SaaS — but its architecture is instructive. It deploys a tiny agent — they call it a connect — that sits on your infrastructure and processes redirects locally, with the management interface in the cloud. The important design insight is: the config lives in a place optimized for management, and the execution lives on your metal. If you wanted to self-host that pattern, you'd replicate the split.
Corn
What's the self-hosted equivalent of that split?
Herman
The closest thing is something like Traefik with its dynamic configuration backends. Traefik can read redirect rules from Redis, from etcd, from a file, from Consul — and it updates them live without restarts. So your "management interface" could be a simple internal tool that writes rules into Redis, and Traefik picks them up within seconds. The nice property there is that nobody touches the edge proxy config directly. You build a little internal admin panel — or even just a shared spreadsheet that a cron job reads and transforms.
Corn
Dashboard with a form, somebody types in the old pattern and the new pattern, hits save, and the thing propagates without touching Nginx.
Herman
And that's the pattern I'd recommend for teams that are going to be managing bulk redirects for a long time and want something maintainable. The proxy itself is the execution layer. The config store is whatever fits your team's workflow. Redis plus a minimal CRUD interface is maybe two hundred lines of code.
Corn
Two hundred lines is less scary than a fifteen-hundred-line HAProxy config that's been gathering dust for three years and nobody knows if rule 462 is still needed.
Herman
That's not a theoretical problem. I've seen migration projects where the redirect file outlasted the new system it was supposed to support, because nobody was sure what would break if they deleted it.
Corn
The architecture equivalent of a wire hanging out of the wall in a rental apartment. You don't touch it, you just… live around it.
Herman
That's the pattern-match layer solved in a maintainable way. But it gets more interesting when we need the lookup-table approach. Old ID to new ID, potentially millions of rows. You can't put that in application memory easily, and you definitely don't want it in a flat text file.
Corn
I can picture the grep command that someone would try.
Herman
There's a tool specifically built for this case called Pomerium. It's an identity-aware proxy — its primary use case is authentication — but I'm bringing it up because its redirect engine can do programmable logic in a way that HAProxy and Nginx really can't out of the box. You can write policy in Rego, which is Open Policy Agent's language, and say "take this request, extract the asset ID from the path, call an internal API, and redirect based on the response." It's not a redirect management platform per se — it's the nearest thing to programmable redirect routing that isn't completely custom.
Corn
Pomerium becomes the intercept layer, but the actual mapping logic still lives in an API you'd have to build.
Herman
The API that does the ID resolution is where the real complexity lives. The smart mapping Daniel described — where the new asset URL is constructed by connecting the old system's stable record to what the new system knows. That's fundamentally a data problem, not a redirect problem. No redirect tool will solve that for you.
Corn
Which is worth calling out, because the fantasy is that you buy the redirect platform, and it does the thinking for you. But the thinking is: this SKU was a widget of type "pneumatic valve" in category four, and your new system just shows "PNV dash 0094 dash whatever." Someone has to teach the machine that those are the same thing.
Herman
Or you do it at migration time. Run a reconciliation pass. Export from the old system. Import into the new one. Capture the mapping of old ID to new ID. That mapping is your lookup table. Then the redirect layer just dereferences it.
Corn
Which brings us to the actual platform question. Are there self-hostable tools that treat this as a first-class problem? Not proxies with config backends, but something where the interface says "here are your redirect maps, here are your rules, this is your dashboard"?
Herman
There are a few. Some disappointing, some surprisingly good. The most obvious name is a product called Redirect Manager — it was an open-source Node.js project from a company called Aspire Internet Design. Fairly basic: a web UI for managing Apache or Nginx redirects, writes out flat config files. The limitation is exactly what you'd expect — it's generating static config and you restart the proxy. It doesn't do dynamic lookup tables. It doesn't do intelligent mapping. If you needed to manage five hundred clean regex rules for a straightforward pattern migration, it would be fine. Beyond that, it's not the tool.
Corn
CRUD interface for mod_rewrite. Useful, not ambitious.
Herman
There's a more sophisticated option from a company called Saasler — and despite the name, they make an on-premise redirect manager targeted at comparing two URL lists and building a rule engine on top. I haven't seen a lot of community adoption there, but the architecture is closer to what we're talking about: import old sitemap, import new sitemap, generate mapping, serve redirects. The question is always going to be whether you trust it enough to put it in the critical path of your inventory scanning.
Corn
Trust is earned by seeing it survive a Tuesday, not the demo.
Herman
That's the core tension of the whole market. People who need this badly tend to be at an unpleasant inflection point: a migration is happening, a deadline exists, and the redirect problem surfaces about two weeks before go-live when someone finally says "hey, what happens with all the printed labels?"
Corn
Nobody thinks about the labels until the labels are already stuck to things.
Herman
Then you're in emergency mode. The thing you reach for is the thing that's going to solve it fastest, not the thing that's going to solve it best for the next five years. So you wind up with a bash script half-written during the migration weekend.
Corn
Then a podcast episode three years later asking if there's a better way.
Herman
There is a category I want to mention that gets closer to the ideal: API gateway platforms with declarative routing. The one that comes closest to what Daniel's describing — a standalone tool that can intercept requests and redirect them appropriately with some smarts — is Kong. Kong has a plugin called Request Transformer and another called Serverless Functions. Combined with Kong's declarative config — which you can push via their admin API or store in Git and sync with decK — you get a system where redirect rules are version-controlled, deployment is scripted, and the lookup-table problem can be offloaded to a serverless function that queries a database.
Corn
All self-hostable?
Herman
All self-hostable. Kong Gateway runs on your own infrastructure, and the community edition is fairly capable. The Serverless Functions plugin lets you embed Lua — and eventually JavaScript — directly in the request pipeline. So your "is this an asset redirect?" function check — if it's a URL pattern you know about, extract the ID parameter, query Redis or Postgres for the new ID, and construct the redirect URL on the fly. The whole thing happens at the gateway layer with no backend app involved.
Corn
Lua in a gateway plugin. So we went from "too many regex rules" to "now I have microservices in my proxy."
Herman
Look, nobody's claiming this is tidy. But it's the consequence of requiring something more than static pattern matching. As soon as you need dynamic resolution, you've got a database, and as soon as you've got a database, you're writing some kind of code. The question is whether that code lives in your application, in a middleware service you build, or inside your gateway as a plugin. All three are valid. The gateway approach has the advantage that redirects happen at the edge, there's no unnecessary proxying to an application, and if the gateway goes into a degraded state, redirect-to-stale-default is often possible.
Corn
Degradation behavior matters here because of the physical-world dependency. If the mapping database goes down, does the warehouse stop working?
Herman
This is the argument for doing the resolution once, at migration time, baking the mapping into something static that can be served from the gateway, and then updating it on a schedule if needed. You're not querying the old inventory system on every request — that system might be decommissioned. You prep the map, you serve the map, and a decision gets made once for latency and reliability reasons.
Corn
Precompute your way to predictability is basically the entirety of good infrastructure design in five words. But let me push back: if the SKU-to-new-ID mapping could be tens of thousands of rows, and you treat it as fully precomputed, doesn't that just shove the problem to "how do I store and query a static key-value store inside my proxy?"
Herman
You'd use Redis with persistence, or even a compiled DBM file — there's a technique using Nginx's ngx_http_memcached_module where you literally store the KV pairs in Memcached and Nginx fetches them directly in the redirect path. Extremely fast, extremely simple.
Corn
Memcached as a redirect destination resolution store.
Herman
I did not say it was pretty. But it was used in production by companies handling millions of redirects a day, back when e-commerce migrations were a regular fire drill.
Corn
It's industrial. I respect industrial.
Herman
Here's another angle that I think actually gets closest to the prompt's ask. For the case of URL mappings derived from QR codes or barcodes — where you have very specific, structured old URLs that haven't changed — one emerging pattern is something I'd call the edge redirect service. A standalone HTTP service whose only job is to redirect. It sits on your internal network; inventory scanners hit this service instead of trying the old URLs directly. It looks up the identifier and returns a 301 or 302 to the new location.
Corn
Ah — so it's almost — it's not trying to rewrite routes, it's built as its own thing. It's basically a phone book for barcodes.
Herman
A phone book that redirects to the correct place. And the project that does exactly this — completely open source, self-hosted — is called Shlink. It was originally designed as a self-hosted URL shortener. But its architecture is: you create a short code, you point it at a destination, and requests to the short code get redirected according to rules you specify. The short code side doesn't matter that much — you could easily adapt it for your migration use case. Your "short codes" are the old asset IDs. The destination is the new URL.
Corn
Running your own bit.ly for inventory migration.
Herman
Which, by the way, might quietly be the most useful feature in a migration redirect project. Suddenly you have data on which redirects are being hit, which barcode patterns are still actually in use versus dead stock. It tells you the phased rollout and where you can eventually clean things up.
Corn
Not just a redirect service but a reconnaissance tool for the physical backlog.
Herman
Yes, and I'd call that out as a key benefit people skip over. Watching the redirect hit rates over time tells you which aisles are stale inventory that nobody's touched in six months.
Corn
Companies spending tens of thousands of dollars on inventory audits, and you're getting directional data for free out of the redirect logs.
Herman
Another approach happens up front rather than at the prox — write a layer in front of the outgoing requests that tests, before you swap from the live system, which routes will resolve positively after changeover, generates caching accordingly. I'd file all of these under "don't reuse existing integration tests for routing correctness — only for business-layer logic." I get uncomfortable.
Herman
I'd push the concern: of and pre-vouched.
Corn
Your answer is partial pre-generation and verification sweeps rather than shift-left blind.
Herman
Build one service, build it right, don't spam errors at your distribution centre.
Corn
Which curves back to the starting question in an unlikely return path to where cURL enters the picture — its ability to report on response code chains during migrations tests different config mappings numerically — might as well provide some information as a waystation — plug cURL into a CI pipeline with a known URL list -- if your router config can be tested by cURL, potentially avoid scanner-level meltdown.
Herman
Nginx's map directive evaluates in O-one — literal hash lookup executed in C layer with microsecond overhead. Test base: someone compiled mapping hashes consisting of asset IDs over using nginx -c stub — minimal risk no cross-coupling. Possible gap between simple expansions and update workflows really turn upon...
Corn
Rule version ninety-four needs high availability and nobody even checks which back-end compiled Tuesday or Sunday as far as you recall while holding forklift printout A-four-seven.
Herman
They would — internally — pre-distribute as a plus. But I'd widen to something else that points at the meta-layer which monitors from scan time to config-version reality beyond legacy existence mapping source. Outside specialised APM planes almost nobody stores mapping update digests — strictly being basic curl equivalency for checks + time between origin ID population plus PR merge and resulting from stale check. L seven impact alone: unpredictable.
Corn
Didn't account any further and you'd still be recertifying every crate and cabinet logged metal somewhere external stuck to legs in small print out back.
Herman
Might leverage CRON plus summary style update print from the edge-gateway stash check.
Corn
Much rather anything happen now. On that clock this: somehow the industrial tools had this in 1983 and the startup ERP-wrangling generation missed the fork module.
Herman
Entire big blue and several consultant-hours knowledge let it trade off from real shrink.
Corn
I only flag it because some decade or less. Next chapter already pressing that DB off the.

[And now: Hilbert's daily fun fact.]

Hilbert: On the Yamal Peninsula, practitioners of the circle-style kabaddi sub-variant historically entered a meditative "closed-eye defense," where one would defend by sense-of-hearing alone while teammates shouted minimal-vowel codes. Anthropologists have documented it as one of the very few competitive sports to functionally swap the roles of defender seeking stillness while raiding attacks blind. No team last found — speculatively linked to failing result on a mist-count near Nadym.

Herman
Thank you, Hilbert.
Corn
Yes, thank you, I'm not going to think about that at all. This has been My Weird Prompts — thank you for hanging out through the barcode dystopia and the DNS subtleties upstair corner.

Herman Cue sponsor mentions (notetobottomreading, nothing re self-promo mention Daniel, play but out) Find current ongoing materials at myweirdprompts kratchen closeout share music:

"This has real offline": Corn continues regular.
Corn
Search My Weird Prompts at the Podcast-index spot or visit the website that...

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.