[#224 ] Refactor logger tag configuration

Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>
[#191 ] Update integration tests
2025-04-01 11:43:51 +03:00 · 2025-03-25 06:27:56 +00:00 · 2025-03-25 06:27:56 +00:00 · 2025-03-20 18:40:28 +03:00 · 2025-03-20 13:49:55 +00:00 · 2025-03-10 18:12:36 +03:00
74 changed files with 5498 additions and 2333 deletions
--- a/.forgejo/ISSUE_TEMPLATE/bug_report.md
+++ b/.forgejo/ISSUE_TEMPLATE/bug_report.md
--- a/.forgejo/ISSUE_TEMPLATE/config.yml
+++ b/.forgejo/ISSUE_TEMPLATE/config.yml
--- a/.forgejo/ISSUE_TEMPLATE/feature_request.md
+++ b/.forgejo/ISSUE_TEMPLATE/feature_request.md
--- a/.forgejo/logo.svg
+++ b/.forgejo/logo.svg
--- a/.forgejo/workflows/builds.yml
+++ b/.forgejo/workflows/builds.yml
@ -1,4 +1,8 @@
-on: [pull_request]
+on:
  pull_request:
  push:
    branches:
      - master
 jobs:
  builds:
--- a/.forgejo/workflows/oci-image.yml
+++ b/.forgejo/workflows/oci-image.yml
@ -0,0 +1,27 @@
 on:
  pull_request:
  push:
  workflow_dispatch:
 jobs:
  image:
    name: OCI image
    runs-on: docker
    container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
    steps:
      - name: Clone git repo
        uses: actions/checkout@v3
      - name: Build OCI image
        run: make image
      - name: Push image to OCI registry
        run: |
          echo "$REGISTRY_PASSWORD" \
            | docker login --username truecloudlab --password-stdin git.frostfs.info
          make image-push
        if: >-
          startsWith(github.ref, 'refs/tags/v') &&
          (github.event_name == 'workflow_dispatch' || github.event_name == 'push')
        env:
          REGISTRY_PASSWORD: ${{secrets.FORGEJO_OCI_REGISTRY_PUSH_TOKEN}}
--- a/.forgejo/workflows/tests.yml
+++ b/.forgejo/workflows/tests.yml
@ -1,4 +1,8 @@
-on: [pull_request]
+on:
  pull_request:
  push:
    branches:
      - master
 jobs:
  lint:
@ -39,3 +43,19 @@ jobs:
      - name: Run tests
        run: make test
  integration:
    name: Integration tests
    runs-on: oci-runner
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.23'
      - name: Run integration tests
        run: |-
          podman-service.sh
          make integration-test
--- a/.forgejo/workflows/vulncheck.yml
+++ b/.forgejo/workflows/vulncheck.yml
@ -1,4 +1,8 @@
-on: [pull_request]
+on:
  pull_request:
  push:
    branches:
      - master
 jobs:
  vulncheck:
@ -13,6 +17,7 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: '1.22'
          check-latest: true
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1 +0,0 @@
 *       @alexvanin @dkirillov
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,11 +5,83 @@ This document outlines major changes between releases.
 ## [Unreleased]
 ### Added
- Support percent-encoding for GET queries (#134)
+- Add handling quota limit reached error (#187)
- Add `trace_id` to logs (#148)
+- Add slash clipping for FileName attribute (#174)
 - Add new format of tag names config
 ## [0.32.3] - 2025-02-05
 ### Added
 - Add slash clipping for FileName attribute (#174)
 ## [0.32.2] - 2025-02-03
 ### Fixed
 - Possible memory leak in gRPC client (#202)
 ## [0.32.1] - 2025-01-27
 ### Fixed
 - SIGHUP panic (#198)
 ## [0.32.0] - Khumbu - 2024-12-20
 ### Fixed
 - Getting S3 object with FrostFS Object ID-like key (#166)
 - Ignore delete marked objects in versioned bucket in index page (#181)
 ### Added
 - Metric of dropped logs by log sampler (#150)
 - Fallback FileName attribute search during FilePath attribute search (#174)
 ### Changed
- Update go version to 1.22 (#132)
+- Updated tree service pool without api-go dependency (#178)
 ## [0.31.0] - Rongbuk - 2024-11-20
 ### Fixed
 - Docker warnings during image build (#126)
 - `trace_id` parameter in logs (#148)
 - SIGHUP support for `tracing.enabled` config parameter (#157)
 ### Added
 - Vulnerability report document (#123) 
 - Root CA configuration for tracing (#139)
 - Log sampling policy configuration (#147)
 - Index page support for buckets and containers (#137, #151)
 - CORS support (#158)
 - Source IP binding configuration for FrostFS requests (#160)
 - Tracing attributes (#164)
 ### Changed
 - Updated Go version to 1.22 (#132)
 ### Removed
 - Duplicated NNS Resolver code (#129)
 ## [0.30.3] - 2024-10-18
 ### Fixed
 - Get response on S3 multipart object (#142)
 ### Added
 - Support percent-encoding for GET queries (#134)
 ### Changed
 - Split `FrostFS` interface into separate read methods (#127)
 ## [0.30.2] - 2024-09-03
 ### Added
 - Fuzzing tests (#135)
 ## [0.30.1] - 2024-08-20
 ### Fixed
 - Error counting in pool component before connection switch (#131)
 ### Added
 - Log of endpoint address during tree pool errors (#131)
 ## [0.30.0] - Kangshung - 2024-07-22
@ -127,4 +199,12 @@ To see CHANGELOG for older versions, refer to https://github.com/nspcc-dev/neofs
 [0.28.1]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.28.0...v0.28.1
 [0.29.0]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.28.1...v0.29.0
 [0.30.0]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.29.0...v0.30.0
-[Unreleased]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.30.0...master
+[0.30.1]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.30.0...v0.30.1
 [0.30.2]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.30.1...v0.30.2
 [0.30.3]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.30.2...v0.30.3
 [0.31.0]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.30.3...v0.31.0
 [0.32.0]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.31.0...v0.32.0
 [0.32.1]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.32.0...v0.32.1
 [0.32.2]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.32.1...v0.32.2
 [0.32.3]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.32.2...v0.32.3
 [Unreleased]: https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/compare/v0.32.3...master
--- a/3
+++ b/3
@ -0,0 +1,3 @@
 .*          @TrueCloudLab/storage-services-developers @TrueCloudLab/storage-services-committers
 .forgejo/.* @potyarkin
 Makefile    @potyarkin
--- a/2
+++ b/2
@ -7,7 +7,7 @@ LINT_VERSION ?= 1.60.3
 TRUECLOUDLAB_LINT_VERSION ?= 0.0.6
 BUILD ?= $(shell date -u --iso=seconds)
-HUB_IMAGE ?= truecloudlab/frostfs-http-gw
+HUB_IMAGE ?= git.frostfs.info/truecloudlab/frostfs-http-gw
 HUB_TAG ?= "$(shell echo ${VERSION} | sed 's/^v//')"
 METRICS_DUMP_OUT ?= ./metrics-dump.json
--- a/README.md
+++ b/README.md
@ -1,5 +1,5 @@
 <p align="center">
-<img src="./.github/logo.svg" width="500px" alt="FrostFS logo">
+<img src="./.forgejo/logo.svg" width="500px" alt="FrostFS logo">
 </p>
 <p align="center">
  <a href="https://frostfs.info">FrostFS</a> is a decentralized distributed object storage integrated with the <a href="https://neo.org">NEO Blockchain</a>.
@ -38,7 +38,7 @@ version      Show current version
 ```
 Or you can also use a [Docker
-image](https://hub.docker.com/r/truecloudlab/frostfs-http-gw) provided for the released
+image](https://git.frostfs.info/TrueCloudLab/-/packages/container/frostfs-http-gw) provided for the released
 (and occasionally unreleased) versions of the gateway (`:latest` points to the
 latest stable release).
@ -217,41 +217,8 @@ Also, in case of downloading, you need to have a file inside a container.
 ### NNS
 In all download/upload routes you can use container name instead of its id (`$CID`).
 Read more about it in [docs/nns.md](./docs/nns.md).
 Steps to start using name resolving:
 1. Enable NNS resolving in config (`rpc_endpoint` must be a valid neo rpc node, see [configs](./config) for other examples):
 ```yaml
 rpc_endpoint: http://morph-chain.frostfs.devenv:30333
 resolve_order:
  - nns
 ```
 2. Make sure your container is registered in NNS contract. If you use [frostfs-dev-env](https://git.frostfs.info/TrueCloudLab/frostfs-dev-env)
 you can check if your container (e.g. with `container-name` name) is registered in NNS:
 ```shell
 $ curl -s --data '{"id":1,"jsonrpc":"2.0","method":"getcontractstate","params":[1]}' \
    http://morph-chain.frostfs.devenv:30333 | jq -r '.result.hash'
 0x8e6c3cd4b976b28e84a3788f6ea9e2676c15d667
 $ docker exec -it morph_chain neo-go \
    contract testinvokefunction \
    -r http://morph-chain.frostfs.devenv:30333 0x8e6c3cd4b976b28e84a3788f6ea9e2676c15d667 \
    resolve string:container-name.container int:16 \
    | jq -r '.stack[0].value | if type=="array" then .[0].value else . end' \
    | base64 -d && echo
 7f3vvkw4iTiS5ZZbu5BQXEmJtETWbi3uUjLNaSs29xrL
 ```
 3. Use container name instead of its `$CID`. For example:
 ```shell
 $ curl http://localhost:8082/get_by_attribute/container-name/FileName/object-name
 ```
 #### Create a container
@ -462,109 +429,7 @@ object ID, like this:
 #### Authentication
-You can always upload files to public containers (open for anyone to put
+Read more about request authentication in [docs/authentication.md](./docs/authemtnication.md)
 objects into), but for restricted containers you need to explicitly allow PUT
 operations for a request signed with your HTTP Gateway keys.
 If you don't want to manage gateway's secret keys and adjust policies when
 gateway configuration changes (new gate, key rotation, etc) or you plan to use
 public services, there is an option to let your application backend (or you) to
 issue Bearer Tokens and pass them from the client via gate down to FrostFS level
 to grant access.
 FrostFS Bearer Token basically is a container owner-signed policy (refer to FrostFS
 documentation for more details). There are two options to pass them to gateway:
 * "Authorization" header with "Bearer" type and base64-encoded token in
   credentials field
 * "Bearer" cookie with base64-encoded token contents
 For example, you have a mobile application frontend with a backend part storing
 data in FrostFS. When a user authorizes in the mobile app, the backend issues a FrostFS
 Bearer token and provides it to the frontend. Then, the mobile app may generate
 some data and upload it via any available FrostFS HTTP Gateway by adding
 the corresponding header to the upload request. Accessing policy protected data
 works the same way.
 ##### Example
 In order to generate a bearer token, you need to have wallet (which will be used to sign the token)
 1. Suppose you have a container with private policy for wallet key
 ```
 $ frostfs-cli container create -r <endpoint> --wallet <wallet> -policy <policy> --basic-acl 0 --await
 CID: 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z
 $ frostfs-cli ape-manager add -r <endpoint> --wallet <wallet> \
  --target-type container --target-name 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z \
  --rule "allow Object.* RequestCondition:"\$Actor:publicKey"=03b09baabff3f6107c7e9acb8721a6fc5618d45b50247a314d82e548702cce8cd5 *" \
  --chain-id <chainID>
 ```
 2. Form a Bearer token (10000 is lifetime expiration in epoch) to impersonate
   HTTP Gateway request as wallet signed request and save it to **bearer.json**:
 ```
 {
    "body": {
        "allowImpersonate": true,
        "lifetime": {
            "exp": "10000",
            "nbf": "0",
            "iat": "0"
        }
    },
    "signature": null
 }
 ```
 3. Sign it with the wallet:
 ```
 $ frostfs-cli util sign bearer-token --from bearer.json --to signed.json -w <wallet>
 ```
 4. Encode to base64 to use in header:
 ```
 $ base64 -w 0 signed.json
 # output: Ck4KKgoECAIQBhIiCiCZGdlbN7DPGPMg9rsWqV+p2XdMzUqknRiexewSFp8kmBIbChk17MUri6OJ0X5ftsHzy7NERDNFB4C92PcaGgMIkE4SZgohAxpsb7vfAso1F0X6hrm6WpRS14WsT3/Ct1SMoqRsT89KEkEEGxKi8GjKSf52YqhppgaOTQHbUsL3jn7SHLqS3ndAQ7NtAATnmRHleZw2V2xRRSRBQdjDC05KK83LhdSax72Fsw==
 ```
 After that, the Bearer token can be used:
 ```
 $ curl -F 'file=@cat.jpeg;filename=cat.jpeg' -H "Authorization: Bearer Ck4KKgoECAIQBhIiCiCZGdlbN7DPGPMg9rsWqV+p2XdMzUqknRiexewSFp8kmBIbChk17MUri6OJ0X5ftsHzy7NERDNFB4C92PcaGgMIkE4SZgohAxpsb7vfAso1F0X6hrm6WpRS14WsT3/Ct1SMoqRsT89KEkEEGxKi8GjKSf52YqhppgaOTQHbUsL3jn7SHLqS3ndAQ7NtAATnmRHleZw2V2xRRSRBQdjDC05KK83LhdSax72Fsw==" \
  http://localhost:8082/upload/BJeErH9MWmf52VsR1mLWKkgF3pRm3FkubYxM7TZkBP4K
 # output:
 # {
 #	"object_id": "DhfES9nVrFksxGDD2jQLunGADfrXExxNwqXbDafyBn9X",
 #	"container_id": "BJeErH9MWmf52VsR1mLWKkgF3pRm3FkubYxM7TZkBP4K"
 # }
 ```
 ##### Note: Bearer Token owner
 You can specify exact key who can use Bearer Token (gateway wallet address).
 To do this, encode wallet address in base64 format
 ```
 $ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64
 # output: NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg==
 ```
 Then specify this value in Bearer Token Json
 ```
 {
    "body": {
        "ownerID": {
            "value": "NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg=="
        },
        ...
 ```
 ##### Note: Policy override
 Instead of impersonation, you can define the set of policies that will be applied
 to the request sender. This allows to restrict access to specific operation and
 specific objects without giving full impersonation control to the token user.
 ### Metrics and Pprof
--- a/2
+++ b/2
@ -1 +1 @@
-v0.30.0
+v0.32.3
--- a/cmd/http-gw/app.go
+++ b/cmd/http-gw/app.go
--- a/cmd/http-gw/integration_test.go
+++ b/cmd/http-gw/integration_test.go
@ -14,27 +14,29 @@ import (
 	"net/http"
 	"os"
 	"sort"
 	"strings"
 	"testing"
 	"time"
-	containerv2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
+	containerv2 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	docker "github.com/docker/docker/api/types/container"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
 	"go.uber.org/zap/zapcore"
 )
 type putResponse struct {
@ -43,18 +45,20 @@ type putResponse struct {
 }
 const (
-	testContainerName = "friendly"
+	testContainerName     = "friendly"
-	testListenAddress = "localhost:8082"
+	testListenAddress     = "localhost:8082"
-	testHost          = "http://" + testListenAddress
+	testHost              = "http://" + testListenAddress
 	testCORSContainerName = "cors"
 )
 func TestIntegration(t *testing.T) {
 	rootCtx := context.Background()
-	aioImage := "truecloudlab/frostfs-aio:"
+	aioImage := "git.frostfs.info/truecloudlab/frostfs-aio:"
 	versions := []string{
 		"1.2.7",
 		"1.3.0",
 		"1.5.0",
 		"1.6.5",
 	}
 	key, err := keys.NewPrivateKeyFromHex("1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb")
 	require.NoError(t, err)
@ -71,21 +75,33 @@ func TestIntegration(t *testing.T) {
 		ctx, cancel2 := context.WithCancel(rootCtx)
 		aioContainer := createDockerContainer(ctx, t, aioImage+version)
-		server, cancel := runServer(file.Name())
+		if strings.HasPrefix(version, "1.6") {
 			registerUser(t, ctx, aioContainer, file.Name())
 		}
 		// Creating CORS container
 		clientPool := getPool(ctx, t, key)
-		CID, err := createContainer(ctx, t, clientPool, ownerID, version)
+		_, err = createContainer(ctx, t, clientPool, ownerID, testCORSContainerName)
 		require.NoError(t, err, version)
-		token := makeBearerToken(t, key, ownerID, version)
+		// See the logs from the command execution.
 		server, cancel := runServer(file.Name())
 		CID, err := createContainer(ctx, t, clientPool, ownerID, testContainerName)
 		require.NoError(t, err, version)
-		t.Run("simple put "+version, func(t *testing.T) { simplePut(ctx, t, clientPool, CID, version) })
+		jsonToken, binaryToken := makeBearerTokens(t, key, ownerID, version)
-		t.Run("put with bearer token in header"+version, func(t *testing.T) { putWithBearerTokenInHeader(ctx, t, clientPool, CID, token) })
+
-		t.Run("put with bearer token in cookie"+version, func(t *testing.T) { putWithBearerTokenInCookie(ctx, t, clientPool, CID, token) })
+		t.Run("simple put "+version, func(t *testing.T) { simplePut(ctx, t, clientPool, CID) })
 		t.Run("put with json bearer token in header"+version, func(t *testing.T) { putWithBearerTokenInHeader(ctx, t, clientPool, CID, jsonToken) })
 		t.Run("put with json bearer token in cookie"+version, func(t *testing.T) { putWithBearerTokenInCookie(ctx, t, clientPool, CID, jsonToken) })
 		t.Run("put with binary bearer token in header"+version, func(t *testing.T) { putWithBearerTokenInHeader(ctx, t, clientPool, CID, binaryToken) })
 		t.Run("put with binary bearer token in cookie"+version, func(t *testing.T) { putWithBearerTokenInCookie(ctx, t, clientPool, CID, binaryToken) })
 		t.Run("put with duplicate keys "+version, func(t *testing.T) { putWithDuplicateKeys(t, CID) })
-		t.Run("simple get "+version, func(t *testing.T) { simpleGet(ctx, t, clientPool, ownerID, CID, version) })
+		t.Run("simple get "+version, func(t *testing.T) { simpleGet(ctx, t, clientPool, ownerID, CID) })
-		t.Run("get by attribute "+version, func(t *testing.T) { getByAttr(ctx, t, clientPool, ownerID, CID, version) })
+		t.Run("get by attribute "+version, func(t *testing.T) { getByAttr(ctx, t, clientPool, ownerID, CID) })
-		t.Run("get zip "+version, func(t *testing.T) { getZip(ctx, t, clientPool, ownerID, CID, version) })
+		t.Run("get zip "+version, func(t *testing.T) { getZip(ctx, t, clientPool, ownerID, CID) })
-		t.Run("test namespaces "+version, func(t *testing.T) { checkNamespaces(ctx, t, clientPool, ownerID, CID, version) })
+		t.Run("test namespaces "+version, func(t *testing.T) { checkNamespaces(ctx, t, clientPool, ownerID, CID) })
 		t.Run("test status codes "+version, func(t *testing.T) { checkStatusCodes(ctx, t, clientPool, ownerID, version) })
 		cancel()
 		server.Wait()
@ -99,17 +115,18 @@ func runServer(pathToWallet string) (App, context.CancelFunc) {
 	cancelCtx, cancel := context.WithCancel(context.Background())
 	v := getDefaultConfig()
-	v.Set(cfgWalletPath, pathToWallet)
+	v.config().Set(cfgWalletPath, pathToWallet)
-	v.Set(cfgWalletPassphrase, "")
+	v.config().Set(cfgWalletPassphrase, "")
-	l, lvl := newStdoutLogger(zapcore.DebugLevel)
+	v.config().Set(cfgContainersCORS, testCORSContainerName+"."+containerv2.SysAttributeZoneDefault)
-	application := newApp(cancelCtx, WithConfig(v), WithLogger(l, lvl))
+
 	application := newApp(cancelCtx, v)
 	go application.Serve()
 	return application, cancel
 }
-func simplePut(ctx context.Context, t *testing.T, p *pool.Pool, CID cid.ID, version string) {
+func simplePut(ctx context.Context, t *testing.T, p *pool.Pool, CID cid.ID) {
 	url := testHost + "/upload/" + CID.String()
 	makePutRequestAndCheck(ctx, t, p, CID, url)
@ -253,11 +270,11 @@ func putWithDuplicateKeys(t *testing.T, CID cid.ID) {
 	body, err := io.ReadAll(resp.Body)
 	require.NoError(t, err)
-	require.Equal(t, "key duplication error: "+attr+"\n", string(body))
+	require.Contains(t, string(body), "key duplication error: "+attr+"\n")
 	require.Equal(t, http.StatusBadRequest, resp.StatusCode)
 }
-func simpleGet(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID, version string) {
+func simpleGet(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID) {
 	content := "content of file"
 	attributes := map[string]string{
 		"some-attr": "some-get-value",
@ -304,7 +321,7 @@ func checkGetByAttrResponse(t *testing.T, resp *http.Response, content string, a
 	}
 }
-func getByAttr(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID, version string) {
+func getByAttr(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID) {
 	keyAttr, valAttr := "some-attr", "some-get-by-attr-value"
 	content := "content of file"
 	attributes := map[string]string{keyAttr: valAttr}
@ -326,7 +343,7 @@ func getByAttr(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID
 	checkGetByAttrResponse(t, resp, content, expectedAttr)
 }
-func getZip(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID, version string) {
+func getZip(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID) {
 	names := []string{"zipfolder/dir/name1.txt", "zipfolder/name2.txt"}
 	contents := []string{"content of file1", "content of file2"}
 	attributes1 := map[string]string{object.AttributeFilePath: names[0]}
@ -391,7 +408,7 @@ func checkZip(t *testing.T, data []byte, length int64, names, contents []string)
 	}
 }
-func checkNamespaces(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID, version string) {
+func checkNamespaces(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, CID cid.ID) {
 	content := "content of file"
 	attributes := map[string]string{
 		"some-attr": "some-get-value",
@ -422,16 +439,91 @@ func checkNamespaces(ctx context.Context, t *testing.T, clientPool *pool.Pool, o
 	resp, err = http.DefaultClient.Do(req)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusNotFound, resp.StatusCode)
 }
 func checkStatusCodes(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, version string) {
 	cli := http.Client{Timeout: 30 * time.Second}
 	t.Run("container not found by name", func(t *testing.T) {
 		resp, err := cli.Get(testHost + "/get/unknown/object")
 		require.NoError(t, err)
 		require.Equal(t, http.StatusNotFound, resp.StatusCode)
 		requireBodyContains(t, resp, "container not found")
 	})
 	t.Run("container not found by cid", func(t *testing.T) {
 		cnrIDTest := cidtest.ID()
 		resp, err := cli.Get(testHost + "/get/" + cnrIDTest.EncodeToString() + "/object")
 		require.NoError(t, err)
 		requireBodyContains(t, resp, "container not found")
 		require.Equal(t, http.StatusNotFound, resp.StatusCode)
 	})
 	t.Run("object not found in storage", func(t *testing.T) {
 		resp, err := cli.Get(testHost + "/get_by_attribute/" + testContainerName + "/FilePath/object2")
 		require.NoError(t, err)
 		requireBodyContains(t, resp, "object not found")
 		require.Equal(t, http.StatusNotFound, resp.StatusCode)
 	})
 	t.Run("access denied", func(t *testing.T) {
 		basicACL := acl.Private
 		var recs []*eacl.Record
 		if version == "1.2.7" {
 			basicACL = acl.PublicRWExtended
 			rec := eacl.NewRecord()
 			rec.SetAction(eacl.ActionDeny)
 			rec.SetOperation(eacl.OperationGet)
 			recs = append(recs, rec)
 		}
 		cnrID, err := createContainerBase(ctx, t, clientPool, ownerID, basicACL, "")
 		require.NoError(t, err)
 		key, err := keys.NewPrivateKey()
 		require.NoError(t, err)
 		jsonToken, _ := makeBearerTokens(t, key, ownerID, version, recs...)
 		t.Run("get", func(t *testing.T) {
 			request, err := http.NewRequest(http.MethodGet, testHost+"/get/"+cnrID.EncodeToString()+"/object", nil)
 			require.NoError(t, err)
 			request.Header.Set("Authorization", "Bearer "+jsonToken)
 			resp, err := cli.Do(request)
 			require.NoError(t, err)
 			requireBodyContains(t, resp, "access denied")
 			require.Equal(t, http.StatusForbidden, resp.StatusCode)
 		})
 		t.Run("upload", func(t *testing.T) {
 			request, _, _ := makePutRequest(t, testHost+"/upload/"+cnrID.EncodeToString())
 			request.Header.Set("Authorization", "Bearer "+jsonToken)
 			resp, err := cli.Do(request)
 			require.NoError(t, err)
 			requireBodyContains(t, resp, "access denied")
 			require.Equal(t, http.StatusForbidden, resp.StatusCode)
 		})
 	})
 }
 func requireBodyContains(t *testing.T, resp *http.Response, msg string) {
 	data, err := io.ReadAll(resp.Body)
 	require.NoError(t, err)
 	defer resp.Body.Close()
 	require.Contains(t, strings.ToLower(string(data)), strings.ToLower(msg))
 }
 func createDockerContainer(ctx context.Context, t *testing.T, image string) testcontainers.Container {
 	req := testcontainers.ContainerRequest{
-		Image:       image,
+		Image:      image,
-		WaitingFor:  wait.NewLogStrategy("aio container started").WithStartupTimeout(30 * time.Second),
+		WaitingFor: wait.NewLogStrategy("aio container started").WithStartupTimeout(2 * time.Minute),
-		Name:        "aio",
+		Name:       "aio",
-		Hostname:    "aio",
+		Hostname:   "aio",
-		NetworkMode: "host",
+		HostConfigModifier: func(hc *docker.HostConfig) {
 			hc.NetworkMode = "host"
 		},
 	}
 	aioC, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
 		ContainerRequest: req,
@ -442,14 +534,14 @@ func createDockerContainer(ctx context.Context, t *testing.T, image string) test
 	return aioC
 }
-func getDefaultConfig() *viper.Viper {
+func getDefaultConfig() *appCfg {
 	v := settings()
-	v.SetDefault(cfgPeers+".0.address", "localhost:8080")
+	v.config().SetDefault(cfgPeers+".0.address", "localhost:8080")
-	v.SetDefault(cfgPeers+".0.weight", 1)
+	v.config().SetDefault(cfgPeers+".0.weight", 1)
-	v.SetDefault(cfgPeers+".0.priority", 1)
+	v.config().SetDefault(cfgPeers+".0.priority", 1)
-	v.SetDefault(cfgRPCEndpoint, "http://localhost:30333")
+	v.config().SetDefault(cfgRPCEndpoint, "http://localhost:30333")
-	v.SetDefault("server.0.address", testListenAddress)
+	v.config().SetDefault("server.0.address", testListenAddress)
 	return v
 }
@ -468,7 +560,11 @@ func getPool(ctx context.Context, t *testing.T, key *keys.PrivateKey) *pool.Pool
 	return clientPool
 }
-func createContainer(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, version string) (cid.ID, error) {
+func createContainer(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, name string) (cid.ID, error) {
 	return createContainerBase(ctx, t, clientPool, ownerID, acl.PublicRWExtended, name)
 }
 func createContainerBase(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID user.ID, basicACL acl.Basic, name string) (cid.ID, error) {
 	var policy netmap.PlacementPolicy
 	err := policy.DecodeString("REP 1")
 	require.NoError(t, err)
@ -476,24 +572,28 @@ func createContainer(ctx context.Context, t *testing.T, clientPool *pool.Pool, o
 	var cnr container.Container
 	cnr.Init()
 	cnr.SetPlacementPolicy(policy)
-	cnr.SetBasicACL(acl.PublicRWExtended)
+	cnr.SetBasicACL(basicACL)
 	cnr.SetOwner(ownerID)
 	container.SetCreationTime(&cnr, time.Now())
-	var domain container.Domain
+	if name != "" {
-	domain.SetName(testContainerName)
+		var domain container.Domain
 		domain.SetName(name)
-	cnr.SetAttribute(containerv2.SysAttributeName, domain.Name())
+		cnr.SetAttribute(containerv2.SysAttributeName, domain.Name())
-	cnr.SetAttribute(containerv2.SysAttributeZone, domain.Zone())
+		cnr.SetAttribute(containerv2.SysAttributeZone, domain.Zone())
 	}
-	var waitPrm pool.WaitParams
+	prm := pool.PrmContainerPut{
-	waitPrm.SetTimeout(15 * time.Second)
+		ClientParams: client.PrmContainerPut{
-	waitPrm.SetPollInterval(3 * time.Second)
+			Container: &cnr,
-
+		},
-	var prm pool.PrmContainerPut
+		WaitParams: &pool.WaitParams{
-	prm.SetContainer(cnr)
+			Timeout:      15 * time.Second,
-	prm.SetWaitParams(waitPrm)
+			PollInterval: 3 * time.Second,
 		},
 	}
 	CID, err := clientPool.PutContainer(ctx, prm)
 	if err != nil {
@ -525,16 +625,33 @@ func putObject(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID
 	id, err := clientPool.PutObject(ctx, prm)
 	require.NoError(t, err)
-	return id
+	return id.ObjectID
 }
-func makeBearerToken(t *testing.T, key *keys.PrivateKey, ownerID user.ID, version string) string {
+func registerUser(t *testing.T, ctx context.Context, aioContainer testcontainers.Container, pathToWallet string) {
 	err := aioContainer.CopyFileToContainer(ctx, pathToWallet, "/usr/wallet.json", 644)
 	require.NoError(t, err)
 	_, _, err = aioContainer.Exec(ctx, []string{
 		"/usr/bin/frostfs-s3-authmate", "register-user",
 		"--wallet", "/usr/wallet.json",
 		"--rpc-endpoint", "http://localhost:30333",
 		"--contract-wallet", "/config/s3-gw-wallet.json"})
 	require.NoError(t, err)
 }
 func makeBearerTokens(t *testing.T, key *keys.PrivateKey, ownerID user.ID, version string, records ...*eacl.Record) (jsonTokenBase64, binaryTokenBase64 string) {
 	tkn := new(bearer.Token)
 	tkn.ForUser(ownerID)
 	tkn.SetExp(10000)
 	if version == "1.2.7" {
-		tkn.SetEACLTable(*eacl.NewTable())
+		table := eacl.NewTable()
 		for i := range records {
 			table.AddRecord(records[i])
 		}
 		tkn.SetEACLTable(*table)
 	} else {
 		tkn.SetImpersonate(true)
 	}
@ -542,10 +659,16 @@ func makeBearerToken(t *testing.T, key *keys.PrivateKey, ownerID user.ID, versio
 	err := tkn.Sign(key.PrivateKey)
 	require.NoError(t, err)
-	t64 := base64.StdEncoding.EncodeToString(tkn.Marshal())
+	jsonToken, err := tkn.MarshalJSON()
-	require.NotEmpty(t, t64)
+	require.NoError(t, err)
-	return t64
+	jsonTokenBase64 = base64.StdEncoding.EncodeToString(jsonToken)
 	binaryTokenBase64 = base64.StdEncoding.EncodeToString(tkn.Marshal())
 	require.NotEmpty(t, jsonTokenBase64)
 	require.NotEmpty(t, binaryTokenBase64)
 	return
 }
 func makeTempWallet(t *testing.T, key *keys.PrivateKey, path string) {
--- a/cmd/http-gw/logger.go
+++ b/cmd/http-gw/logger.go
@ -0,0 +1,177 @@
 package main
 import (
 	"fmt"
 	"os"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/zapjournald"
 	"github.com/spf13/viper"
 	"github.com/ssgreg/journald"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )
 func getLogLevel(v *viper.Viper) (zapcore.Level, error) {
 	var lvl zapcore.Level
 	lvlStr := v.GetString(cfgLoggerLevel)
 	err := lvl.UnmarshalText([]byte(lvlStr))
 	if err != nil {
 		return lvl, fmt.Errorf("incorrect logger level configuration %s (%v), "+
 			"value should be one of %v", lvlStr, err, [...]zapcore.Level{
 			zapcore.DebugLevel,
 			zapcore.InfoLevel,
 			zapcore.WarnLevel,
 			zapcore.ErrorLevel,
 			zapcore.DPanicLevel,
 			zapcore.PanicLevel,
 			zapcore.FatalLevel,
 		})
 	}
 	return lvl, nil
 }
 var _ zapcore.Core = (*zapCoreTagFilterWrapper)(nil)
 type zapCoreTagFilterWrapper struct {
 	core     zapcore.Core
 	settings TagFilterSettings
 	extra    []zap.Field
 }
 type TagFilterSettings interface {
 	LevelEnabled(tag string, tgtLevel zapcore.Level) bool
 	DefaultEnabled(lvl zapcore.Level) bool
 }
 func (c *zapCoreTagFilterWrapper) Enabled(level zapcore.Level) bool {
 	return c.core.Enabled(level)
 }
 func (c *zapCoreTagFilterWrapper) With(fields []zapcore.Field) zapcore.Core {
 	return &zapCoreTagFilterWrapper{
 		core:     c.core.With(fields),
 		settings: c.settings,
 		extra:    append(c.extra, fields...),
 	}
 }
 func (c *zapCoreTagFilterWrapper) Check(entry zapcore.Entry, checked *zapcore.CheckedEntry) *zapcore.CheckedEntry {
 	if c.core.Enabled(entry.Level) {
 		return checked.AddCore(entry, c)
 	}
 	return checked
 }
 func (c *zapCoreTagFilterWrapper) Write(entry zapcore.Entry, fields []zapcore.Field) error {
 	if c.shouldSkip(entry, fields, c.extra) {
 		return nil
 	}
 	return c.core.Write(entry, fields)
 }
 func (c *zapCoreTagFilterWrapper) shouldSkip(entry zapcore.Entry, fields []zap.Field, extra []zap.Field) bool {
 	for _, field := range fields {
 		if field.Key == logs.TagFieldName && field.Type == zapcore.StringType {
 			return !c.settings.LevelEnabled(field.String, entry.Level)
 		}
 	}
 	for _, field := range extra {
 		if field.Key == logs.TagFieldName && field.Type == zapcore.StringType {
 			return !c.settings.LevelEnabled(field.String, entry.Level)
 		}
 	}
 	return !c.settings.DefaultEnabled(entry.Level)
 }
 func (c *zapCoreTagFilterWrapper) Sync() error {
 	return c.core.Sync()
 }
 func applyZapCoreMiddlewares(core zapcore.Core, v *viper.Viper, loggerSettings LoggerAppSettings, tagSetting TagFilterSettings) zapcore.Core {
 	core = &zapCoreTagFilterWrapper{
 		core:     core,
 		settings: tagSetting,
 	}
 	if v.GetBool(cfgLoggerSamplingEnabled) {
 		core = zapcore.NewSamplerWithOptions(core,
 			v.GetDuration(cfgLoggerSamplingInterval),
 			v.GetInt(cfgLoggerSamplingInitial),
 			v.GetInt(cfgLoggerSamplingThereafter),
 			zapcore.SamplerHook(func(_ zapcore.Entry, dec zapcore.SamplingDecision) {
 				if dec&zapcore.LogDropped > 0 {
 					loggerSettings.DroppedLogsInc()
 				}
 			}))
 	}
 	return core
 }
 func newLogEncoder() zapcore.Encoder {
 	c := zap.NewProductionEncoderConfig()
 	c.EncodeTime = zapcore.ISO8601TimeEncoder
 	return zapcore.NewConsoleEncoder(c)
 }
 // newStdoutLogger constructs a zap.Logger instance for current application.
 // Panics on failure.
 //
 // Logger is built from zap's production logging configuration with:
 //   - parameterized level (debug by default)
 //   - console encoding
 //   - ISO8601 time encoding
 //
 // Logger records a stack trace for all messages at or above fatal level.
 //
 // See also zapcore.Level, zap.NewProductionConfig, zap.AddStacktrace.
 func newStdoutLogger(v *viper.Viper, lvl zap.AtomicLevel, loggerSettings LoggerAppSettings, tagSetting TagFilterSettings) *Logger {
 	stdout := zapcore.AddSync(os.Stderr)
 	consoleOutCore := zapcore.NewCore(newLogEncoder(), stdout, lvl)
 	consoleOutCore = applyZapCoreMiddlewares(consoleOutCore, v, loggerSettings, tagSetting)
 	return &Logger{
 		logger: zap.New(consoleOutCore, zap.AddStacktrace(zap.NewAtomicLevelAt(zap.FatalLevel))),
 		lvl:    lvl,
 	}
 }
 func newJournaldLogger(v *viper.Viper, lvl zap.AtomicLevel, loggerSettings LoggerAppSettings, tagSetting TagFilterSettings) *Logger {
 	encoder := zapjournald.NewPartialEncoder(newLogEncoder(), zapjournald.SyslogFields)
 	core := zapjournald.NewCore(lvl, encoder, &journald.Journal{}, zapjournald.SyslogFields)
 	coreWithContext := core.With([]zapcore.Field{
 		zapjournald.SyslogFacility(zapjournald.LogDaemon),
 		zapjournald.SyslogIdentifier(),
 		zapjournald.SyslogPid(),
 	})
 	coreWithContext = applyZapCoreMiddlewares(coreWithContext, v, loggerSettings, tagSetting)
 	return &Logger{
 		logger: zap.New(coreWithContext, zap.AddStacktrace(zap.NewAtomicLevelAt(zap.FatalLevel))),
 		lvl:    lvl,
 	}
 }
 type LoggerAppSettings interface {
 	DroppedLogsInc()
 }
 func pickLogger(v *viper.Viper, lvl zap.AtomicLevel, loggerSettings LoggerAppSettings, tagSettings TagFilterSettings) *Logger {
 	dest := v.GetString(cfgLoggerDestination)
 	switch dest {
 	case destinationStdout:
 		return newStdoutLogger(v, lvl, loggerSettings, tagSettings)
 	case destinationJournald:
 		return newJournaldLogger(v, lvl, loggerSettings, tagSettings)
 	default:
 		panic(fmt.Sprintf("wrong destination for logger: %s", dest))
 	}
 }
--- a/cmd/http-gw/main.go
+++ b/cmd/http-gw/main.go
@ -8,10 +8,9 @@ import (
 func main() {
 	globalContext, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	v := settings()
+	cfg := settings()
 	logger, atomicLevel := pickLogger(v)
-	application := newApp(globalContext, WithLogger(logger, atomicLevel), WithConfig(v))
+	application := newApp(globalContext, cfg)
 	go application.Serve()
 	application.Wait()
 }
--- a/cmd/http-gw/server.go
+++ b/cmd/http-gw/server.go
@ -74,7 +74,6 @@ func newServer(ctx context.Context, serverInfo ServerInfo) (*server, error) {
 		ln = tls.NewListener(ln, &tls.Config{
 			GetCertificate: tlsProvider.GetCertificate,
 			NextProtos:     []string{"h2"}, // required to enable HTTP/2 requests in `http.Serve`
 		})
 	}
--- a/cmd/http-gw/server_test.go
+++ b/cmd/http-gw/server_test.go
@ -18,7 +18,7 @@ import (
 	"time"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/net/http2"
+	"github.com/valyala/fasthttp"
 )
 const (
@ -26,14 +26,10 @@ const (
 	expHeaderValue = "Bar"
 )
-func TestHTTP2TLS(t *testing.T) {
+func TestHTTP_TLS(t *testing.T) {
 	ctx := context.Background()
 	certPath, keyPath := prepareTestCerts(t)
 	srv := &http.Server{
 		Handler: http.HandlerFunc(testHandler),
 	}
 	tlsListener, err := newServer(ctx, ServerInfo{
 		Address: ":0",
 		TLS: ServerTLSInfo{
@ -47,37 +43,34 @@ func TestHTTP2TLS(t *testing.T) {
 	addr := fmt.Sprintf("https://localhost:%d", port)
 	go func() {
-		_ = srv.Serve(tlsListener.Listener())
+		_ = fasthttp.Serve(tlsListener.Listener(), testHandler)
 	}()
 	// Server is running, now send HTTP/2 request
 	tlsClientConfig := &tls.Config{
 		InsecureSkipVerify: true,
 	}
-	cliHTTP1 := http.Client{Transport: &http.Transport{TLSClientConfig: tlsClientConfig}}
+	cliHTTP := http.Client{Transport: &http.Transport{}}
-	cliHTTP2 := http.Client{Transport: &http2.Transport{TLSClientConfig: tlsClientConfig}}
+	cliHTTPS := http.Client{Transport: &http.Transport{TLSClientConfig: tlsClientConfig}}
 	req, err := http.NewRequest("GET", addr, nil)
 	require.NoError(t, err)
 	req.Header[expHeaderKey] = []string{expHeaderValue}
-	resp, err := cliHTTP1.Do(req)
+	resp, err := cliHTTPS.Do(req)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, resp.StatusCode)
-	resp, err = cliHTTP2.Do(req)
+	_, err = cliHTTP.Do(req)
-	require.NoError(t, err)
+	require.ErrorContains(t, err, "failed to verify certificate")
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 }
-func testHandler(resp http.ResponseWriter, req *http.Request) {
+func testHandler(ctx *fasthttp.RequestCtx) {
-	hdr, ok := req.Header[expHeaderKey]
+	hdr := ctx.Request.Header.Peek(expHeaderKey)
-	if !ok || len(hdr) != 1 || hdr[0] != expHeaderValue {
+	if len(hdr) == 0 || string(hdr) != expHeaderValue {
-		resp.WriteHeader(http.StatusBadRequest)
+		ctx.Response.SetStatusCode(http.StatusBadRequest)
 	} else {
-		resp.WriteHeader(http.StatusOK)
+		ctx.Response.SetStatusCode(http.StatusOK)
 	}
 }
--- a/cmd/http-gw/settings.go
+++ b/cmd/http-gw/settings.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/hex"
 	"fmt"
 	"io"
 	"math"
 	"os"
 	"path"
@ -11,19 +12,21 @@ import (
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/cache"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	internalnet "git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/net"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/service/frostfs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/resolver"
 	grpctracing "git.frostfs.info/TrueCloudLab/frostfs-observability/tracing/grpc"
 	qostagging "git.frostfs.info/TrueCloudLab/frostfs-qos/tagging"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool"
 	treepool "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool/tree"
 	"git.frostfs.info/TrueCloudLab/zapjournald"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 	"github.com/ssgreg/journald"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@ -55,6 +58,10 @@ const (
 	defaultReconnectInterval = time.Minute
 	defaultCORSMaxAge = 600 // seconds
 	defaultMultinetFallbackDelay = 300 * time.Millisecond
 	cfgServer      = "server"
 	cfgTLSEnabled  = "tls.enabled"
 	cfgTLSCertFile = "tls.cert_file"
@ -65,6 +72,8 @@ const (
 	cfgIndexPageEnabled      = "index_page.enabled"
 	cfgIndexPageTemplatePath = "index_page.template_path"
 	cfgWorkerPoolSize = "worker_pool_size"
 	// Web.
 	cfgWebReadBufferSize     = "web.read_buffer_size"
 	cfgWebWriteBufferSize    = "web.write_buffer_size"
@ -80,10 +89,11 @@ const (
 	cfgPprofAddress      = "pprof.address"
 	// Tracing ...
-	cfgTracingEnabled   = "tracing.enabled"
+	cfgTracingEnabled    = "tracing.enabled"
-	cfgTracingExporter  = "tracing.exporter"
+	cfgTracingExporter   = "tracing.exporter"
-	cfgTracingEndpoint  = "tracing.endpoint"
+	cfgTracingEndpoint   = "tracing.endpoint"
-	cfgTracingTrustedCa = "tracing.trusted_ca"
+	cfgTracingTrustedCa  = "tracing.trusted_ca"
 	cfgTracingAttributes = "tracing.attributes"
 	// Pool config.
 	cfgConTimeout         = "connect_timeout"
@ -101,6 +111,11 @@ const (
 	cfgLoggerSamplingThereafter = "logger.sampling.thereafter"
 	cfgLoggerSamplingInterval   = "logger.sampling.interval"
 	cfgLoggerTags           = "logger.tags"
 	cfgLoggerTagsPrefixTmpl = cfgLoggerTags + ".%d."
 	cfgLoggerTagsNameTmpl   = cfgLoggerTagsPrefixTmpl + "names"
 	cfgLoggerTagsLevelTmpl  = cfgLoggerTagsPrefixTmpl + "level"
 	// Wallet.
 	cfgWalletPassphrase = "wallet.passphrase"
 	cfgWalletPath       = "wallet.path"
@ -119,8 +134,13 @@ const (
 	cfgResolveOrder = "resolve_order"
 	// Zip compression.
 	//
 	// Deprecated: Use cfgArchiveCompression instead.
 	cfgZipCompression = "zip.compression"
 	// Archive compression.
 	cfgArchiveCompression = "archive.compression"
 	// Runtime.
 	cfgSoftMemoryLimit = "runtime.soft_memory_limit"
@ -135,11 +155,37 @@ const (
 	// Caching.
 	cfgBucketsCacheLifetime = "cache.buckets.lifetime"
 	cfgBucketsCacheSize     = "cache.buckets.size"
 	cfgNetmapCacheLifetime  = "cache.netmap.lifetime"
 	cfgCORSCacheLifetime    = "cache.cors.lifetime"
 	cfgCORSCacheSize        = "cache.cors.size"
 	// Bucket resolving options.
 	cfgResolveNamespaceHeader   = "resolve_bucket.namespace_header"
 	cfgResolveDefaultNamespaces = "resolve_bucket.default_namespaces"
 	// CORS.
 	cfgCORS                 = "cors"
 	cfgCORSAllowOrigin      = cfgCORS + ".allow_origin"
 	cfgCORSAllowMethods     = cfgCORS + ".allow_methods"
 	cfgCORSAllowHeaders     = cfgCORS + ".allow_headers"
 	cfgCORSExposeHeaders    = cfgCORS + ".expose_headers"
 	cfgCORSAllowCredentials = cfgCORS + ".allow_credentials"
 	cfgCORSMaxAge           = cfgCORS + ".max_age"
 	// Multinet.
 	cfgMultinetEnabled       = "multinet.enabled"
 	cfgMultinetBalancer      = "multinet.balancer"
 	cfgMultinetRestrict      = "multinet.restrict"
 	cfgMultinetFallbackDelay = "multinet.fallback_delay"
 	cfgMultinetSubnets       = "multinet.subnets"
 	// Feature.
 	cfgFeaturesEnableFilepathFallback = "features.enable_filepath_fallback"
 	cfgFeaturesTreePoolNetmapSupport  = "features.tree_pool_netmap_support"
 	// Containers.
 	cfgContainersCORS = "containers.cors"
 	// Command line args.
 	cmdHelp          = "help"
 	cmdVersion       = "version"
@ -158,14 +204,79 @@ var ignore = map[string]struct{}{
 	cmdVersion: {},
 }
-func settings() *viper.Viper {
+var defaultTags = []string{logs.TagApp, logs.TagDatapath, logs.TagExternalStorage, logs.TagExternalStorageTree}
 type Logger struct {
 	logger *zap.Logger
 	lvl    zap.AtomicLevel
 }
 type appCfg struct {
 	flags *pflag.FlagSet
 	mu       sync.RWMutex
 	settings *viper.Viper
 }
 func (a *appCfg) reload() error {
 	old := a.config()
 	v, err := newViper(a.flags)
 	if err != nil {
 		return err
 	}
 	if old.IsSet(cmdConfig) {
 		v.Set(cmdConfig, old.Get(cmdConfig))
 	}
 	if old.IsSet(cmdConfigDir) {
 		v.Set(cmdConfigDir, old.Get(cmdConfigDir))
 	}
 	if err = readInConfig(v); err != nil {
 		return err
 	}
 	a.setConfig(v)
 	return nil
 }
 func (a *appCfg) config() *viper.Viper {
 	a.mu.RLock()
 	defer a.mu.RUnlock()
 	return a.settings
 }
 func (a *appCfg) setConfig(v *viper.Viper) {
 	a.mu.Lock()
 	a.settings = v
 	a.mu.Unlock()
 }
 func newViper(flags *pflag.FlagSet) (*viper.Viper, error) {
 	v := viper.New()
 	v.AutomaticEnv()
 	v.SetEnvPrefix(Prefix)
 	v.AllowEmptyEnv(true)
 	v.SetConfigType("yaml")
 	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 	if err := bindFlags(v, flags); err != nil {
 		return nil, err
 	}
 	setDefaults(v, flags)
 	if v.IsSet(cfgServer+".0."+cfgTLSKeyFile) && v.IsSet(cfgServer+".0."+cfgTLSCertFile) {
 		v.Set(cfgServer+".0."+cfgTLSEnabled, true)
 	}
 	return v, nil
 }
 func settings() *appCfg {
 	// flags setup:
 	flags := pflag.NewFlagSet("commandline", pflag.ExitOnError)
 	flags.SetOutput(os.Stdout)
@ -189,91 +300,17 @@ func settings() *viper.Viper {
 	flags.String(cmdListenAddress, "0.0.0.0:8080", "addresses to listen")
 	flags.String(cfgTLSCertFile, "", "TLS certificate path")
 	flags.String(cfgTLSKeyFile, "", "TLS key path")
-	peers := flags.StringArrayP(cfgPeers, "p", nil, "FrostFS nodes")
+	flags.StringArrayP(cfgPeers, "p", nil, "FrostFS nodes")
-	resolveMethods := flags.StringSlice(cfgResolveOrder, []string{resolver.NNSResolver, resolver.DNSResolver}, "set container name resolve order")
+	flags.StringSlice(cfgResolveOrder, []string{resolver.NNSResolver, resolver.DNSResolver}, "set container name resolve order")
 	// set defaults:
 	// logger:
 	v.SetDefault(cfgLoggerLevel, "debug")
 	v.SetDefault(cfgLoggerDestination, "stdout")
 	v.SetDefault(cfgLoggerSamplingEnabled, false)
 	v.SetDefault(cfgLoggerSamplingThereafter, 100)
 	v.SetDefault(cfgLoggerSamplingInitial, 100)
 	v.SetDefault(cfgLoggerSamplingInterval, defaultLoggerSamplerInterval)
 	// pool:
 	v.SetDefault(cfgPoolErrorThreshold, defaultPoolErrorThreshold)
 	v.SetDefault(cfgIndexPageEnabled, false)
 	v.SetDefault(cfgIndexPageTemplatePath, "")
 	// frostfs:
 	v.SetDefault(cfgBufferMaxSizeForPut, defaultBufferMaxSizeForPut)
 	// web-server:
 	v.SetDefault(cfgWebReadBufferSize, 4096)
 	v.SetDefault(cfgWebWriteBufferSize, 4096)
 	v.SetDefault(cfgWebReadTimeout, time.Minute*10)
 	v.SetDefault(cfgWebWriteTimeout, time.Minute*5)
 	v.SetDefault(cfgWebStreamRequestBody, true)
 	v.SetDefault(cfgWebMaxRequestBodySize, fasthttp.DefaultMaxRequestBodySize)
 	// upload header
 	v.SetDefault(cfgUploaderHeaderEnableDefaultTimestamp, false)
 	// zip:
 	v.SetDefault(cfgZipCompression, false)
 	// metrics
 	v.SetDefault(cfgPprofAddress, "localhost:8083")
 	v.SetDefault(cfgPrometheusAddress, "localhost:8084")
 	// resolve bucket
 	v.SetDefault(cfgResolveNamespaceHeader, defaultNamespaceHeader)
 	v.SetDefault(cfgResolveDefaultNamespaces, []string{"", "root"})
 	// Binding flags
 	if err := v.BindPFlag(cfgPprofEnabled, flags.Lookup(cmdPprof)); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlag(cfgPrometheusEnabled, flags.Lookup(cmdMetrics)); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlag(cfgWalletPath, flags.Lookup(cmdWallet)); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlag(cfgWalletAddress, flags.Lookup(cmdAddress)); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlags(flags); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlag(cfgServer+".0.address", flags.Lookup(cmdListenAddress)); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlag(cfgServer+".0."+cfgTLSKeyFile, flags.Lookup(cfgTLSKeyFile)); err != nil {
 		panic(err)
 	}
 	if err := v.BindPFlag(cfgServer+".0."+cfgTLSCertFile, flags.Lookup(cfgTLSCertFile)); err != nil {
 		panic(err)
 	}
 	if err := flags.Parse(os.Args); err != nil {
 		panic(err)
 	}
-	if v.IsSet(cfgServer+".0."+cfgTLSKeyFile) && v.IsSet(cfgServer+".0."+cfgTLSCertFile) {
+	v, err := newViper(flags)
-		v.Set(cfgServer+".0."+cfgTLSEnabled, true)
+	if err != nil {
-	}
+		panic(fmt.Errorf("bind flags: %w", err))
 	if resolveMethods != nil {
 		v.SetDefault(cfgResolveOrder, *resolveMethods)
 	}
 	switch {
@ -318,15 +355,97 @@ func settings() *viper.Viper {
 		panic(err)
 	}
-	if peers != nil && len(*peers) > 0 {
+	return &appCfg{
-		for i := range *peers {
+		flags:    flags,
-			v.SetDefault(cfgPeers+"."+strconv.Itoa(i)+".address", (*peers)[i])
+		settings: v,
 	}
 }
 func setDefaults(v *viper.Viper, flags *pflag.FlagSet) {
 	// set defaults:
 	// logger:
 	v.SetDefault(cfgLoggerLevel, "debug")
 	v.SetDefault(cfgLoggerDestination, "stdout")
 	v.SetDefault(cfgLoggerSamplingEnabled, false)
 	v.SetDefault(cfgLoggerSamplingThereafter, 100)
 	v.SetDefault(cfgLoggerSamplingInitial, 100)
 	v.SetDefault(cfgLoggerSamplingInterval, defaultLoggerSamplerInterval)
 	// pool:
 	v.SetDefault(cfgPoolErrorThreshold, defaultPoolErrorThreshold)
 	// frostfs:
 	v.SetDefault(cfgBufferMaxSizeForPut, defaultBufferMaxSizeForPut)
 	// web-server:
 	v.SetDefault(cfgWebReadBufferSize, 4096)
 	v.SetDefault(cfgWebWriteBufferSize, 4096)
 	v.SetDefault(cfgWebReadTimeout, time.Minute*10)
 	v.SetDefault(cfgWebWriteTimeout, time.Minute*5)
 	v.SetDefault(cfgWebStreamRequestBody, true)
 	v.SetDefault(cfgWebMaxRequestBodySize, fasthttp.DefaultMaxRequestBodySize)
 	v.SetDefault(cfgWorkerPoolSize, 1000)
 	// upload header
 	v.SetDefault(cfgUploaderHeaderEnableDefaultTimestamp, false)
 	// metrics
 	v.SetDefault(cfgPprofAddress, "localhost:8083")
 	v.SetDefault(cfgPrometheusAddress, "localhost:8084")
 	// resolve bucket
 	v.SetDefault(cfgResolveNamespaceHeader, defaultNamespaceHeader)
 	v.SetDefault(cfgResolveDefaultNamespaces, []string{"", "root"})
 	// multinet
 	v.SetDefault(cfgMultinetFallbackDelay, defaultMultinetFallbackDelay)
 	if resolveMethods, err := flags.GetStringSlice(cfgResolveOrder); err == nil {
 		v.SetDefault(cfgResolveOrder, resolveMethods)
 	}
 	if peers, err := flags.GetStringArray(cfgPeers); err == nil {
 		for i := range peers {
 			v.SetDefault(cfgPeers+"."+strconv.Itoa(i)+".address", peers[i])
 			v.SetDefault(cfgPeers+"."+strconv.Itoa(i)+".weight", 1)
 			v.SetDefault(cfgPeers+"."+strconv.Itoa(i)+".priority", 1)
 		}
 	}
 }
-	return v
+func bindFlags(v *viper.Viper, flags *pflag.FlagSet) error {
 	// Binding flags
 	if err := v.BindPFlag(cfgPprofEnabled, flags.Lookup(cmdPprof)); err != nil {
 		return err
 	}
 	if err := v.BindPFlag(cfgPrometheusEnabled, flags.Lookup(cmdMetrics)); err != nil {
 		return err
 	}
 	if err := v.BindPFlag(cfgWalletPath, flags.Lookup(cmdWallet)); err != nil {
 		return err
 	}
 	if err := v.BindPFlag(cfgWalletAddress, flags.Lookup(cmdAddress)); err != nil {
 		return err
 	}
 	if err := v.BindPFlags(flags); err != nil {
 		return err
 	}
 	if err := v.BindPFlag(cfgServer+".0.address", flags.Lookup(cmdListenAddress)); err != nil {
 		return err
 	}
 	if err := v.BindPFlag(cfgServer+".0."+cfgTLSKeyFile, flags.Lookup(cfgTLSKeyFile)); err != nil {
 		return err
 	}
 	if err := v.BindPFlag(cfgServer+".0."+cfgTLSCertFile, flags.Lookup(cfgTLSCertFile)); err != nil {
 		return err
 	}
 	return nil
 }
 func readInConfig(v *viper.Viper) error {
@ -393,107 +512,38 @@ func mergeConfig(v *viper.Viper, fileName string) error {
 	return v.MergeConfig(cfgFile)
 }
-func pickLogger(v *viper.Viper) (*zap.Logger, zap.AtomicLevel) {
+func fetchLogTagsConfig(v *viper.Viper, defaultLvl zapcore.Level) (map[string]zapcore.Level, error) {
-	lvl, err := getLogLevel(v)
+	res := make(map[string]zapcore.Level)
-	if err != nil {
+
-		panic(err)
+	for i := 0; ; i++ {
 		tagNames := v.GetString(fmt.Sprintf(cfgLoggerTagsNameTmpl, i))
 		if tagNames == "" {
 			break
 		}
 		lvl := defaultLvl
 		level := v.GetString(fmt.Sprintf(cfgLoggerTagsLevelTmpl, i))
 		if level != "" {
 			if err := lvl.Set(level); err != nil {
 				return nil, fmt.Errorf("failed to parse log tags config, unknown level: '%s'", level)
 			}
 		}
 		for _, tagName := range strings.Split(tagNames, ",") {
 			tagName = strings.TrimSpace(tagName)
 			if len(tagName) != 0 {
 				res[tagName] = lvl
 			}
 		}
 	}
-	dest := v.GetString(cfgLoggerDestination)
+	if len(res) == 0 && !v.IsSet(cfgLoggerTags) {
-
+		for _, tag := range defaultTags {
-	switch dest {
+			res[tag] = defaultLvl
-	case destinationStdout:
+		}
 		return newStdoutLogger(v, lvl)
 	case destinationJournald:
 		return newJournaldLogger(v, lvl)
 	default:
 		panic(fmt.Sprintf("wrong destination for logger: %s", dest))
 	}
 }
 // newStdoutLogger constructs a zap.Logger instance for current application.
 // Panics on failure.
 //
 // Logger is built from zap's production logging configuration with:
 //   - parameterized level (debug by default)
 //   - console encoding
 //   - ISO8601 time encoding
 //
 // Logger records a stack trace for all messages at or above fatal level.
 //
 // See also zapcore.Level, zap.NewProductionConfig, zap.AddStacktrace.
 func newStdoutLogger(v *viper.Viper, lvl zapcore.Level) (*zap.Logger, zap.AtomicLevel) {
 	stdout := zapcore.AddSync(os.Stderr)
 	level := zap.NewAtomicLevelAt(lvl)
 	consoleOutCore := zapcore.NewCore(newLogEncoder(), stdout, level)
 	consoleOutCore = samplingEnabling(v, consoleOutCore)
 	l := zap.New(consoleOutCore, zap.AddStacktrace(zap.NewAtomicLevelAt(zap.FatalLevel)))
 	return l, level
 }
 func newJournaldLogger(v *viper.Viper, lvl zapcore.Level) (*zap.Logger, zap.AtomicLevel) {
 	level := zap.NewAtomicLevelAt(lvl)
 	encoder := zapjournald.NewPartialEncoder(newLogEncoder(), zapjournald.SyslogFields)
 	core := zapjournald.NewCore(level, encoder, &journald.Journal{}, zapjournald.SyslogFields)
 	coreWithContext := core.With([]zapcore.Field{
 		zapjournald.SyslogFacility(zapjournald.LogDaemon),
 		zapjournald.SyslogIdentifier(),
 		zapjournald.SyslogPid(),
 	})
 	coreWithContext = samplingEnabling(v, coreWithContext)
 	l := zap.New(coreWithContext, zap.AddStacktrace(zap.NewAtomicLevelAt(zap.FatalLevel)))
 	return l, level
 }
 func newLogEncoder() zapcore.Encoder {
 	c := zap.NewProductionEncoderConfig()
 	c.EncodeTime = zapcore.ISO8601TimeEncoder
 	return zapcore.NewConsoleEncoder(c)
 }
 func samplingEnabling(v *viper.Viper, core zapcore.Core) zapcore.Core {
 	// Zap samples by logging the first cgfLoggerSamplingInitial entries with a given level
 	// and message within the specified time interval.
 	// In the above config, only the first cgfLoggerSamplingInitial log entries with the same level and message
 	// are recorded in cfgLoggerSamplingInterval interval. Every other log entry will be dropped within the interval since
 	// cfgLoggerSamplingThereafter is specified here.
 	if v.GetBool(cfgLoggerSamplingEnabled) {
 		core = zapcore.NewSamplerWithOptions(
 			core,
 			v.GetDuration(cfgLoggerSamplingInterval),
 			v.GetInt(cfgLoggerSamplingInitial),
 			v.GetInt(cfgLoggerSamplingThereafter),
 		)
 	}
-	return core
+	return res, nil
 }
 func getLogLevel(v *viper.Viper) (zapcore.Level, error) {
 	var lvl zapcore.Level
 	lvlStr := v.GetString(cfgLoggerLevel)
 	err := lvl.UnmarshalText([]byte(lvlStr))
 	if err != nil {
 		return lvl, fmt.Errorf("incorrect logger level configuration %s (%v), "+
 			"value should be one of %v", lvlStr, err, [...]zapcore.Level{
 			zapcore.DebugLevel,
 			zapcore.InfoLevel,
 			zapcore.WarnLevel,
 			zapcore.ErrorLevel,
 			zapcore.DPanicLevel,
 			zapcore.PanicLevel,
 			zapcore.FatalLevel,
 		})
 	}
 	return lvl, nil
 }
 func fetchReconnectInterval(cfg *viper.Viper) time.Duration {
@ -505,6 +555,45 @@ func fetchReconnectInterval(cfg *viper.Viper) time.Duration {
 	return reconnect
 }
 func fetchIndexPageTemplate(v *viper.Viper, l *zap.Logger) (string, bool) {
 	if !v.GetBool(cfgIndexPageEnabled) {
 		return "", false
 	}
 	reader, err := os.Open(v.GetString(cfgIndexPageTemplatePath))
 	if err != nil {
 		l.Warn(logs.FailedToReadIndexPageTemplate, zap.Error(err), logs.TagField(logs.TagApp))
 		return "", true
 	}
 	tmpl, err := io.ReadAll(reader)
 	if err != nil {
 		l.Warn(logs.FailedToReadIndexPageTemplate, zap.Error(err), logs.TagField(logs.TagApp))
 		return "", true
 	}
 	l.Info(logs.SetCustomIndexPageTemplate, logs.TagField(logs.TagApp))
 	return string(tmpl), true
 }
 func fetchDefaultNamespaces(v *viper.Viper) []string {
 	namespaces := v.GetStringSlice(cfgResolveDefaultNamespaces)
 	for i := range namespaces { // to be set namespaces in env variable as `HTTP_GW_RESOLVE_BUCKET_DEFAULT_NAMESPACES="" "root"`
 		namespaces[i] = strings.Trim(namespaces[i], "\"")
 	}
 	return namespaces
 }
 func fetchCORSMaxAge(v *viper.Viper) int {
 	maxAge := v.GetInt(cfgCORSMaxAge)
 	if maxAge <= 0 {
 		maxAge = defaultCORSMaxAge
 	}
 	return maxAge
 }
 func fetchServers(v *viper.Viper, log *zap.Logger) []ServerInfo {
 	var servers []ServerInfo
 	seen := make(map[string]struct{})
@ -523,7 +612,7 @@ func fetchServers(v *viper.Viper, log *zap.Logger) []ServerInfo {
 		}
 		if _, ok := seen[serverInfo.Address]; ok {
-			log.Warn(logs.WarnDuplicateAddress, zap.String("address", serverInfo.Address))
+			log.Warn(logs.WarnDuplicateAddress, zap.String("address", serverInfo.Address), logs.TagField(logs.TagApp))
 			continue
 		}
 		seen[serverInfo.Address] = struct{}{}
@ -533,10 +622,10 @@ func fetchServers(v *viper.Viper, log *zap.Logger) []ServerInfo {
 	return servers
 }
-func getPools(ctx context.Context, logger *zap.Logger, cfg *viper.Viper) (*pool.Pool, *treepool.Pool, *keys.PrivateKey) {
+func (a *app) initPools(ctx context.Context) {
-	key, err := getFrostFSKey(cfg, logger)
+	key, err := getFrostFSKey(a.config(), a.log)
 	if err != nil {
-		logger.Fatal(logs.CouldNotLoadFrostFSPrivateKey, zap.Error(err))
+		a.log.Fatal(logs.CouldNotLoadFrostFSPrivateKey, zap.Error(err), logs.TagField(logs.TagApp))
 	}
 	var prm pool.InitParameters
@ -544,82 +633,86 @@ func getPools(ctx context.Context, logger *zap.Logger, cfg *viper.Viper) (*pool.
 	prm.SetKey(&key.PrivateKey)
 	prmTree.SetKey(key)
-	logger.Info(logs.UsingCredentials, zap.String("FrostFS", hex.EncodeToString(key.PublicKey().Bytes())))
+	a.log.Info(logs.UsingCredentials, zap.String("FrostFS", hex.EncodeToString(key.PublicKey().Bytes())),
 		logs.TagField(logs.TagApp))
-	for _, peer := range fetchPeers(logger, cfg) {
+	for _, peer := range fetchPeers(a.log, a.config()) {
 		prm.AddNode(peer)
 		prmTree.AddNode(peer)
 	}
-	connTimeout := cfg.GetDuration(cfgConTimeout)
+	connTimeout := a.config().GetDuration(cfgConTimeout)
 	if connTimeout <= 0 {
 		connTimeout = defaultConnectTimeout
 	}
 	prm.SetNodeDialTimeout(connTimeout)
 	prmTree.SetNodeDialTimeout(connTimeout)
-	streamTimeout := cfg.GetDuration(cfgStreamTimeout)
+	streamTimeout := a.config().GetDuration(cfgStreamTimeout)
 	if streamTimeout <= 0 {
 		streamTimeout = defaultStreamTimeout
 	}
 	prm.SetNodeStreamTimeout(streamTimeout)
 	prmTree.SetNodeStreamTimeout(streamTimeout)
-	healthCheckTimeout := cfg.GetDuration(cfgReqTimeout)
+	healthCheckTimeout := a.config().GetDuration(cfgReqTimeout)
 	if healthCheckTimeout <= 0 {
 		healthCheckTimeout = defaultRequestTimeout
 	}
 	prm.SetHealthcheckTimeout(healthCheckTimeout)
 	prmTree.SetHealthcheckTimeout(healthCheckTimeout)
-	rebalanceInterval := cfg.GetDuration(cfgRebalance)
+	rebalanceInterval := a.config().GetDuration(cfgRebalance)
 	if rebalanceInterval <= 0 {
 		rebalanceInterval = defaultRebalanceTimer
 	}
 	prm.SetClientRebalanceInterval(rebalanceInterval)
 	prmTree.SetClientRebalanceInterval(rebalanceInterval)
-	errorThreshold := cfg.GetUint32(cfgPoolErrorThreshold)
+	errorThreshold := a.config().GetUint32(cfgPoolErrorThreshold)
 	if errorThreshold <= 0 {
 		errorThreshold = defaultPoolErrorThreshold
 	}
 	prm.SetErrorThreshold(errorThreshold)
-	prm.SetLogger(logger)
+	prm.SetLogger(a.log.With(logs.TagField(logs.TagDatapath)))
-	prmTree.SetLogger(logger)
+	prmTree.SetLogger(a.log.With(logs.TagField(logs.TagDatapath)))
-	prmTree.SetMaxRequestAttempts(cfg.GetInt(cfgTreePoolMaxAttempts))
+	prmTree.SetMaxRequestAttempts(a.config().GetInt(cfgTreePoolMaxAttempts))
-	var apiGRPCDialOpts []grpc.DialOption
+	interceptors := []grpc.DialOption{
-	var treeGRPCDialOpts []grpc.DialOption
+		grpc.WithUnaryInterceptor(grpctracing.NewUnaryClientInteceptor()),
-	if cfg.GetBool(cfgTracingEnabled) {
+		grpc.WithStreamInterceptor(grpctracing.NewStreamClientInterceptor()),
-		interceptors := []grpc.DialOption{
+		grpc.WithContextDialer(a.settings.dialerSource.GrpcContextDialer()),
-			grpc.WithUnaryInterceptor(grpctracing.NewUnaryClientInteceptor()),
+		grpc.WithChainUnaryInterceptor(qostagging.NewUnaryClientInteceptor()),
-			grpc.WithStreamInterceptor(grpctracing.NewStreamClientInterceptor()),
+		grpc.WithChainStreamInterceptor(qostagging.NewStreamClientInterceptor()),
 		}
 		treeGRPCDialOpts = append(treeGRPCDialOpts, interceptors...)
 		apiGRPCDialOpts = append(apiGRPCDialOpts, interceptors...)
 	}
-	prm.SetGRPCDialOptions(apiGRPCDialOpts...)
+	prm.SetGRPCDialOptions(interceptors...)
-	prmTree.SetGRPCDialOptions(treeGRPCDialOpts...)
+	prmTree.SetGRPCDialOptions(interceptors...)
 	p, err := pool.NewPool(prm)
 	if err != nil {
-		logger.Fatal(logs.FailedToCreateConnectionPool, zap.Error(err))
+		a.log.Fatal(logs.FailedToCreateConnectionPool, zap.Error(err), logs.TagField(logs.TagApp))
 	}
 	if err = p.Dial(ctx); err != nil {
-		logger.Fatal(logs.FailedToDialConnectionPool, zap.Error(err))
+		a.log.Fatal(logs.FailedToDialConnectionPool, zap.Error(err), logs.TagField(logs.TagApp))
 	}
 	if a.config().GetBool(cfgFeaturesTreePoolNetmapSupport) {
 		prmTree.SetNetMapInfoSource(frostfs.NewSource(frostfs.NewFrostFS(p), cache.NewNetmapCache(getNetmapCacheOptions(a.config(), a.log)), a.bucketCache, a.log))
 	}
 	treePool, err := treepool.NewPool(prmTree)
 	if err != nil {
-		logger.Fatal(logs.FailedToCreateTreePool, zap.Error(err))
+		a.log.Fatal(logs.FailedToCreateTreePool, zap.Error(err), logs.TagField(logs.TagApp))
 	}
 	if err = treePool.Dial(ctx); err != nil {
-		logger.Fatal(logs.FailedToDialTreePool, zap.Error(err))
+		a.log.Fatal(logs.FailedToDialTreePool, zap.Error(err), logs.TagField(logs.TagApp))
 	}
-	return p, treePool, key
+	a.pool = p
 	a.treePool = treePool
 	a.key = key
 }
 func fetchPeers(l *zap.Logger, v *viper.Viper) []pool.NodeParam {
@ -645,7 +738,8 @@ func fetchPeers(l *zap.Logger, v *viper.Viper) []pool.NodeParam {
 		l.Info(logs.AddedStoragePeer,
 			zap.Int("priority", priority),
 			zap.String("address", address),
-			zap.Float64("weight", weight))
+			zap.Float64("weight", weight),
 			logs.TagField(logs.TagApp))
 	}
 	return nodes
@ -660,7 +754,7 @@ func fetchSoftMemoryLimit(cfg *viper.Viper) int64 {
 	return int64(softMemoryLimit)
 }
-func getCacheOptions(v *viper.Viper, l *zap.Logger) *cache.Config {
+func getBucketCacheOptions(v *viper.Viper, l *zap.Logger) *cache.Config {
 	cacheCfg := cache.DefaultBucketConfig(l)
 	cacheCfg.Lifetime = fetchCacheLifetime(v, l, cfgBucketsCacheLifetime, cacheCfg.Lifetime)
@ -669,6 +763,23 @@ func getCacheOptions(v *viper.Viper, l *zap.Logger) *cache.Config {
 	return cacheCfg
 }
 func getNetmapCacheOptions(v *viper.Viper, l *zap.Logger) *cache.NetmapCacheConfig {
 	cacheCfg := cache.DefaultNetmapConfig(l)
 	cacheCfg.Lifetime = fetchCacheLifetime(v, l, cfgNetmapCacheLifetime, cacheCfg.Lifetime)
 	return cacheCfg
 }
 func getCORSCacheOptions(v *viper.Viper, l *zap.Logger) *cache.Config {
 	cacheCfg := cache.DefaultCORSConfig(l)
 	cacheCfg.Lifetime = fetchCacheLifetime(v, l, cfgCORSCacheLifetime, cacheCfg.Lifetime)
 	cacheCfg.Size = fetchCacheSize(v, l, cfgCORSCacheSize, cacheCfg.Size)
 	return cacheCfg
 }
 func fetchCacheLifetime(v *viper.Viper, l *zap.Logger, cfgEntry string, defaultValue time.Duration) time.Duration {
 	if v.IsSet(cfgEntry) {
 		lifetime := v.GetDuration(cfgEntry)
@ -676,7 +787,8 @@ func fetchCacheLifetime(v *viper.Viper, l *zap.Logger, cfgEntry string, defaultV
 			l.Error(logs.InvalidLifetimeUsingDefaultValue,
 				zap.String("parameter", cfgEntry),
 				zap.Duration("value in config", lifetime),
-				zap.Duration("default", defaultValue))
+				zap.Duration("default", defaultValue),
 				logs.TagField(logs.TagApp))
 		} else {
 			return lifetime
 		}
@ -692,7 +804,8 @@ func fetchCacheSize(v *viper.Viper, l *zap.Logger, cfgEntry string, defaultValue
 			l.Error(logs.InvalidCacheSizeUsingDefaultValue,
 				zap.String("parameter", cfgEntry),
 				zap.Int("value in config", size),
-				zap.Int("default", defaultValue))
+				zap.Int("default", defaultValue),
 				logs.TagField(logs.TagApp))
 		} else {
 			return size
 		}
@ -700,3 +813,80 @@ func fetchCacheSize(v *viper.Viper, l *zap.Logger, cfgEntry string, defaultValue
 	return defaultValue
 }
 func getDialerSource(logger *zap.Logger, cfg *viper.Viper) *internalnet.DialerSource {
 	source, err := internalnet.NewDialerSource(fetchMultinetConfig(cfg, logger))
 	if err != nil {
 		logger.Fatal(logs.FailedToLoadMultinetConfig, zap.Error(err), logs.TagField(logs.TagApp))
 	}
 	return source
 }
 func fetchMultinetConfig(v *viper.Viper, l *zap.Logger) (cfg internalnet.Config) {
 	cfg.Enabled = v.GetBool(cfgMultinetEnabled)
 	cfg.Balancer = v.GetString(cfgMultinetBalancer)
 	cfg.Restrict = v.GetBool(cfgMultinetRestrict)
 	cfg.FallbackDelay = v.GetDuration(cfgMultinetFallbackDelay)
 	cfg.Subnets = make([]internalnet.Subnet, 0, 5)
 	cfg.EventHandler = internalnet.NewLogEventHandler(l)
 	for i := 0; ; i++ {
 		key := cfgMultinetSubnets + "." + strconv.Itoa(i) + "."
 		subnet := internalnet.Subnet{}
 		subnet.Prefix = v.GetString(key + "mask")
 		if subnet.Prefix == "" {
 			break
 		}
 		subnet.SourceIPs = v.GetStringSlice(key + "source_ips")
 		cfg.Subnets = append(cfg.Subnets, subnet)
 	}
 	return
 }
 func fetchTracingAttributes(v *viper.Viper) (map[string]string, error) {
 	attributes := make(map[string]string)
 	for i := 0; ; i++ {
 		key := cfgTracingAttributes + "." + strconv.Itoa(i) + "."
 		attrKey := v.GetString(key + "key")
 		attrValue := v.GetString(key + "value")
 		if attrKey == "" {
 			break
 		}
 		if _, ok := attributes[attrKey]; ok {
 			return nil, fmt.Errorf("tracing attribute key %s defined more than once", attrKey)
 		}
 		if attrValue == "" {
 			return nil, fmt.Errorf("empty tracing attribute value for key %s", attrKey)
 		}
 		attributes[attrKey] = attrValue
 	}
 	return attributes, nil
 }
 func fetchArchiveCompression(v *viper.Viper) bool {
 	if v.IsSet(cfgZipCompression) {
 		return v.GetBool(cfgZipCompression)
 	}
 	return v.GetBool(cfgArchiveCompression)
 }
 func fetchCORSConfig(v *viper.Viper) *data.CORSRule {
 	if !v.IsSet(cfgCORS) {
 		return nil
 	}
 	return &data.CORSRule{
 		AllowedOrigins:     []string{v.GetString(cfgCORSAllowOrigin)},
 		AllowedMethods:     v.GetStringSlice(cfgCORSAllowMethods),
 		AllowedHeaders:     v.GetStringSlice(cfgCORSAllowHeaders),
 		ExposeHeaders:      v.GetStringSlice(cfgCORSExposeHeaders),
 		AllowedCredentials: v.GetBool(cfgCORSAllowCredentials),
 		MaxAgeSeconds:      fetchCORSMaxAge(v),
 	}
 }
--- a/cmd/http-gw/settings_test.go
+++ b/cmd/http-gw/settings_test.go
@ -0,0 +1,60 @@
 package main
 import (
 	"os"
 	"testing"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/resolver"
 	"github.com/stretchr/testify/require"
 )
 func TestConfigReload(t *testing.T) {
 	f, err := os.CreateTemp("", "conf")
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, os.Remove(f.Name()))
 	}()
 	confData := `
 pprof:
  enabled: true
 resolve_bucket:
  default_namespaces: [""]
 resolve_order:
  - nns
 `
 	_, err = f.WriteString(confData)
 	require.NoError(t, err)
 	require.NoError(t, f.Close())
 	cfg := settings()
 	require.NoError(t, cfg.flags.Parse([]string{"--config", f.Name(), "--connect_timeout", "15s"}))
 	require.NoError(t, cfg.reload())
 	require.True(t, cfg.config().GetBool(cfgPprofEnabled))
 	require.Equal(t, []string{""}, cfg.config().GetStringSlice(cfgResolveDefaultNamespaces))
 	require.Equal(t, []string{resolver.NNSResolver}, cfg.config().GetStringSlice(cfgResolveOrder))
 	require.Equal(t, 15*time.Second, cfg.config().GetDuration(cfgConTimeout))
 	require.NoError(t, os.Truncate(f.Name(), 0))
 	require.NoError(t, cfg.reload())
 	require.False(t, cfg.config().GetBool(cfgPprofEnabled))
 	require.Equal(t, []string{"", "root"}, cfg.config().GetStringSlice(cfgResolveDefaultNamespaces))
 	require.Equal(t, []string{resolver.NNSResolver, resolver.DNSResolver}, cfg.config().GetStringSlice(cfgResolveOrder))
 	require.Equal(t, 15*time.Second, cfg.config().GetDuration(cfgConTimeout))
 }
 func TestSetTLSEnabled(t *testing.T) {
 	cfg := settings()
 	require.NoError(t, cfg.flags.Parse([]string{"--" + cfgTLSCertFile, "tls.crt", "--" + cfgTLSKeyFile, "tls.key"}))
 	require.NoError(t, cfg.reload())
 	require.True(t, cfg.config().GetBool(cfgServer+".0."+cfgTLSEnabled))
 }
--- a/config/config.env
+++ b/config/config.env
@ -20,6 +20,9 @@ HTTP_GW_LOGGER_SAMPLING_ENABLED=false
 HTTP_GW_LOGGER_SAMPLING_INITIAL=100
 HTTP_GW_LOGGER_SAMPLING_THEREAFTER=100
 HTTP_GW_LOGGER_SAMPLING_INTERVAL=1s
 HTTP_GW_LOGGER_TAGS_0_NAMES=app,datapath
 HTTP_GW_LOGGER_TAGS_0_LEVEL=level
 HTTP_GW_LOGGER_TAGS_1_NAME=external_storage_tree
 HTTP_GW_SERVER_0_ADDRESS=0.0.0.0:443
 HTTP_GW_SERVER_0_TLS_ENABLED=false
@ -97,13 +100,21 @@ HTTP_GW_REBALANCE_TIMER=30s
 # The number of errors on connection after which node is considered as unhealthy
 HTTP_GW_POOL_ERROR_THRESHOLD=100
-# Enable zip compression to download files by common prefix.
+# Enable archive compression to download files by common prefix.
 # DEPRECATED: Use HTTP_GW_ARCHIVE_COMPRESSION instead.
 HTTP_GW_ZIP_COMPRESSION=false
 # Enable archive compression to download files by common prefix.
 HTTP_GW_ARCHIVE_COMPRESSION=false
 HTTP_GW_TRACING_ENABLED=true
 HTTP_GW_TRACING_ENDPOINT="localhost:4317"
 HTTP_GW_TRACING_EXPORTER="otlp_grpc"
 HTTP_GW_TRACING_TRUSTED_CA=""
 HTTP_GW_TRACING_ATTRIBUTES_0_KEY=key0
 HTTP_GW_TRACING_ATTRIBUTES_0_VALUE=value
 HTTP_GW_TRACING_ATTRIBUTES_1_KEY=key1
 HTTP_GW_TRACING_ATTRIBUTES_1_VALUE=value
 HTTP_GW_RUNTIME_SOFT_MEMORY_LIMIT=1073741824
@ -117,6 +128,11 @@ HTTP_GW_FROSTFS_BUFFER_MAX_SIZE_FOR_PUT=1048576
 # Cache which contains mapping of bucket name to bucket info
 HTTP_GW_CACHE_BUCKETS_LIFETIME=1m
 HTTP_GW_CACHE_BUCKETS_SIZE=1000
 # Cache which stores netmap
 HTTP_GW_CACHE_NETMAP_LIFETIME=1m
 # Cache which stores container CORS configurations
 HTTP_GW_CACHE_CORS_LIFETIME=5m
 HTTP_GW_CACHE_CORS_SIZE=1000
 # Header to determine zone to resolve bucket name
 HTTP_GW_RESOLVE_BUCKET_NAMESPACE_HEADER=X-Frostfs-Namespace
@ -126,3 +142,40 @@ HTTP_GW_RESOLVE_BUCKET_DEFAULT_NAMESPACES="" "root"
 # Max attempt to make successful tree request.
 # default value is 0 that means the number of attempts equals to number of nodes in pool.
 HTTP_GW_FROSTFS_TREE_POOL_MAX_ATTEMPTS=0
 HTTP_GW_CORS_ALLOW_ORIGIN="*"
 HTTP_GW_CORS_ALLOW_METHODS="GET" "POST"
 HTTP_GW_CORS_ALLOW_HEADERS="*"
 HTTP_GW_CORS_EXPOSE_HEADERS="*"
 HTTP_GW_CORS_ALLOW_CREDENTIALS=false
 HTTP_GW_CORS_MAX_AGE=600
 # Multinet properties
 # Enable multinet support
 HTTP_GW_MULTINET_ENABLED=false
 # Strategy to pick source IP address
 HTTP_GW_MULTINET_BALANCER=roundrobin
 # Restrict requests with unknown destination subnet
 HTTP_GW_MULTINET_RESTRICT=false
 # Delay between ipv6 to ipv4 fallback switch
 HTTP_GW_MULTINET_FALLBACK_DELAY=300ms
 # List of subnets and IP addresses to use as source for those subnets
 HTTP_GW_MULTINET_SUBNETS_1_MASK=1.2.3.4/24
 HTTP_GW_MULTINET_SUBNETS_1_SOURCE_IPS=1.2.3.4 1.2.3.5
 # Number of workers in handler's worker pool
 HTTP_GW_WORKER_POOL_SIZE=1000
 # Index page
 # Enable index page support
 HTTP_GW_INDEX_PAGE_ENABLED=false
 # Index page template path
 HTTP_GW_INDEX_PAGE_TEMPLATE_PATH=internal/handler/templates/index.gotmpl
 # Enable using fallback path to search for a object by attribute
 HTTP_GW_FEATURES_ENABLE_FILEPATH_FALLBACK=false
 # Enable using new version of tree pool, which uses netmap to select nodes, for requests to tree service
 HTTP_GW_FEATURES_TREE_POOL_NETMAP_SUPPORT=true
 # Containers properties
 HTTP_GW_CONTAINERS_CORS=AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj
--- a/config/config.yaml
+++ b/config/config.yaml
@ -9,11 +9,17 @@ pprof:
 prometheus:
  enabled: false # Enable metrics.
  address: localhost:8084
 tracing:
  enabled: true
  exporter: "otlp_grpc"
  endpoint: "localhost:4317"
  trusted_ca: ""
  attributes:
    - key: key0
      value: value
    - key: key1
      value: value
 logger:
  level: debug # Log level.
@ -23,6 +29,9 @@ logger:
    initial: 100
    thereafter: 100
    interval: 1s
  tags:
    - names: app,datapath
      level: debug
 server:
  - address: 0.0.0.0:8080
@ -107,13 +116,22 @@ request_timeout: 5s # Timeout to check node health during rebalance.
 rebalance_timer: 30s # Interval to check nodes health.
 pool_error_threshold: 100 # The number of errors on connection after which node is considered as unhealthy.
-# Enable index page to see objects list for specified container and prefix
+# Number of workers in handler's worker pool
 worker_pool_size: 1000
 # Enables index page to see objects list for specified container and prefix
 index_page:
  enabled: false
  template_path: internal/handler/templates/index.gotmpl
 # Deprecated: Use archive.compression instead
 zip:
-  compression: false # Enable zip compression to download files by common prefix.
+  # Enables zip compression to download files by common prefix.
  compression: false
 archive:
  # Enables archive compression to download files by common prefix.
  compression: false
 runtime:
  soft_memory_limit: 1gb
@ -134,7 +152,48 @@ cache:
  buckets:
    lifetime: 1m
    size: 1000
  # Cache which stores netmap
  netmap:
    lifetime: 1m
  # Cache which stores container CORS configurations
  cors:
    lifetime: 5m
    size: 1000
 resolve_bucket:
  namespace_header: X-Frostfs-Namespace
  default_namespaces: [ "", "root" ]
 cors:
  allow_origin: ""
  allow_methods: []
  allow_headers: []
  expose_headers: []
  allow_credentials: false
  max_age: 600
 # Multinet properties
 multinet:
  # Enable multinet support
  enabled: false
  # Strategy to pick source IP address
  balancer: roundrobin
  # Restrict requests with unknown destination subnet
  restrict: false
  # Delay between ipv6 to ipv4 fallback switch
  fallback_delay: 300ms
  # List of subnets and IP addresses to use as source for those subnets
  subnets:
    - mask: 1.2.3.4/24
      source_ips:
        - 1.2.3.4
        - 1.2.3.5
 features:
  # Enable using fallback path to search for a object by attribute
  enable_filepath_fallback: false
  # Enable using new version of tree pool, which uses netmap to select nodes, for requests to tree service
  tree_pool_netmap_support: true
 containers:
  cors: AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj
--- a/docs/api.md
+++ b/docs/api.md
@ -1,14 +1,14 @@
 # HTTP Gateway Specification
-| Route                                           | Description                                  |
+| Route                                           | Description                                      |
-|-------------------------------------------------|----------------------------------------------|
+|-------------------------------------------------|--------------------------------------------------|
-| `/upload/{cid}`                                 | [Put object](#put-object)                    |
+| `/upload/{cid}`                                 | [Put object](#put-object)                        |
-| `/get/{cid}/{oid}`                              | [Get object](#get-object)                    |
+| `/get/{cid}/{oid}`                              | [Get object](#get-object)                        |
-| `/get_by_attribute/{cid}/{attr_key}/{attr_val}` | [Search object](#search-object)              |
+| `/get_by_attribute/{cid}/{attr_key}/{attr_val}` | [Search object](#search-object)                  |
-| `/zip/{cid}/{prefix}`                           | [Download objects in archive](#download-zip) |
+| `/zip/{cid}/{prefix}`, `/tar/{cid}/{prefix}`    | [Download objects in archive](#download-archive) |
 **Note:** `cid` parameter can be base58 encoded container ID or container name
-(the name must be registered in NNS, see appropriate section in [README](../README.md#nns)).
+(the name must be registered in NNS, see appropriate section in [nns.md](./nns.md)).
 Route parameters can be:
@ -18,7 +18,7 @@ Route parameters can be:
 ### Bearer token
-All routes can accept [bearer token](../README.md#authentication) from:
+All routes can accept [bearer token](./authentication.md) from:
 * `Authorization` header with `Bearer` type and base64-encoded token in
  credentials field
@ -56,12 +56,14 @@ Upload file as object with attributes to FrostFS.
 ###### Headers
-| Header                 | Description                                                                                                                                        |
+| Header                 | Description                                                                                                                                                                                                                                                                                                                 |
-|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
+|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Common headers         | See [bearer token](#bearer-token).                                                                                                                 |
+| Common headers         | See [bearer token](#bearer-token).                                                                                                                                                                                                                                                                                          |
-| `X-Attribute-System-*` | Used to set system FrostFS object attributes <br/> (e.g. use "X-Attribute-System-Expiration-Epoch" to set `__SYSTEM__EXPIRATION_EPOCH` attribute). |
+| `X-Attribute-System-*` | Used to set system FrostFS object attributes <br/> (e.g. use "X-Attribute-System-Expiration-Epoch" to set `__SYSTEM__EXPIRATION_EPOCH` attribute).                                                                                                                                                                          |
-| `X-Attribute-*`        | Used to set regular object attributes <br/> (e.g. use "X-Attribute-My-Tag" to set `My-Tag` attribute).                                             |
+| `X-Attribute-*`        | Used to set regular object attributes <br/> (e.g. use "X-Attribute-My-Tag" to set `My-Tag` attribute).                                                                                                                                                                                                                      |
-| `Date`                 | This header is used to calculate the right `__SYSTEM__EXPIRATION` attribute for object. If the header is missing, the current server time is used. |
+| `X-Explode-Archive`    | If set, gate tries to read files from uploading `tar` archive and creates an object for each file in it. Uploading `tar` could be compressed via Gzip by setting a `Content-Encoding` header. Sets a `FilePath` attribute as a relative path from archive root and a `FileName` as the last path element of the `FilePath`. |
 | `Content-Encoding`     | If set and value is `gzip`, gate will handle uploading file as a `Gzip` compressed `tar` file.                                                                                                                                                                                                                              |
 | `Date`                 | This header is used to calculate the right `__SYSTEM__EXPIRATION` attribute for object. If the header is missing, the current server time is used.                                                                                                                                                                          |
 There are some reserved headers type of `X-Attribute-FROSTFS-*` (headers are arranged in descending order of priority):
@ -92,6 +94,8 @@ The `filename` field from the multipart form will be set as `FileName` attribute
 |--------|----------------------------------------------|
 | 200    | Object created successfully.                 |
 | 400    | Some error occurred during object uploading. |
 | 403    | Access denied.                               |
 | 409    | Can not upload object due to quota reached.  |
 ## Get object
@ -139,6 +143,7 @@ Get an object (payload and attributes) by an address.
 |--------|------------------------------------------------|
 | 200    | Object got successfully.                       |
 | 400    | Some error occurred during object downloading. |
 | 403    | Access denied.                                 |
 | 404    | Container or object not found.                 |
 ###### Body
@ -181,6 +186,7 @@ Get an object attributes by an address.
 |--------|---------------------------------------------------|
 | 200    | Object head successfully.                         |
 | 400    | Some error occurred during object HEAD operation. |
 | 403    | Access denied.                                    |
 | 404    | Container or object not found.                    |
 ## Search object
@ -231,6 +237,7 @@ If more than one object is found, an arbitrary one will be returned.
 |--------|------------------------------------------------|
 | 200    | Object got successfully.                       |
 | 400    | Some error occurred during object downloading. |
 | 403    | Access denied.                                 |
 | 404    | Container or object not found.                 |
 #### HEAD
@ -267,11 +274,12 @@ If more than one object is found, an arbitrary one will be used to get attribute
 |--------|---------------------------------------|
 | 200    | Object head successfully.             |
 | 400    | Some error occurred during operation. |
 | 403    | Access denied.                        |
 | 404    | Container or object not found.        |
-## Download zip
+## Download archive
-Route: `/zip/{cid}/{prefix}`
+Route: `/zip/{cid}/{prefix}`, `/tar/{cid}/{prefix}`
 | Route parameter | Type      | Description                                             |
 |-----------------|-----------|---------------------------------------------------------|
@ -282,12 +290,13 @@ Route: `/zip/{cid}/{prefix}`
 #### GET
-Find objects by prefix for `FilePath` attributes. Return found objects in zip archive.
+Find objects by prefix for `FilePath` attributes. Return found objects in zip or tar archive.
 Name of files in archive sets to `FilePath` attribute of objects.
 Time of files sets to time when object has started downloading.
-You can download all files in container that have `FilePath` attribute by `/zip/{cid}/` route.
+You can download all files in container that have `FilePath` attribute by `/zip/{cid}/` or
 `/tar/{cid}/` route.
-Archive can be compressed (see http-gw [configuration](gate-configuration.md#zip-section)).
+Archive can be compressed (see http-gw [configuration](gate-configuration.md#archive-section)).
 ##### Request
@ -301,16 +310,16 @@ Archive can be compressed (see http-gw [configuration](gate-configuration.md#zip
 ###### Headers
-| Header                | Description                                                                                                       |
+| Header                | Description                                                                                 |
-|-----------------------|-------------------------------------------------------------------------------------------------------------------|
+|-----------------------|---------------------------------------------------------------------------------------------|
-| `Content-Disposition` | Indicate how to browsers should treat file (`attachment`). Set `filename` as `archive.zip`.                       |
+| `Content-Disposition` | Indicate how to browsers should treat file (`attachment`). Set `filename` as `archive.zip`. |
-| `Content-Type`        | Indicate content type of object. Set to `application/zip`                                                         |
+| `Content-Type`        | Indicate content type of object. Set to `application/zip`                                   |
 ###### Status codes
-| Status | Description                                         |
+| Status | Description                                    |
-|--------|-----------------------------------------------------|
+|--------|------------------------------------------------|
-| 200    | Object got successfully.                            |
+| 200    | Object got successfully.                       |
-| 400    | Some error occurred during object downloading.      |
+| 400    | Some error occurred during object downloading. |
-| 404    | Container or objects not found.                     |
+| 403    | Access denied.                                 |
-| 500    | Some inner error (e.g. error on streaming objects). |
+| 404    | Container or objects not found.                |
--- a/docs/authentication.md
+++ b/docs/authentication.md
@ -0,0 +1,108 @@
 # Request authentication
 HTTP Gateway does not authorize requests. Gateway converts HTTP request to a 
 FrostFS request and signs it with its own private key. 
 You can always upload files to public containers (open for anyone to put
 objects into), but for restricted containers you need to explicitly allow PUT
 operations for a request signed with your HTTP Gateway keys.
 If you don't want to manage gateway's secret keys and adjust policies when
 gateway configuration changes (new gate, key rotation, etc) or you plan to use
 public services, there is an option to let your application backend (or you) to
 issue Bearer Tokens and pass them from the client via gate down to FrostFS level
 to grant access.
 FrostFS Bearer Token basically is a container owner-signed policy (refer to FrostFS
 documentation for more details). There are two options to pass them to gateway:
 * "Authorization" header with "Bearer" type and base64-encoded token in
  credentials field
 * "Bearer" cookie with base64-encoded token contents
 For example, you have a mobile application frontend with a backend part storing
 data in FrostFS. When a user authorizes in the mobile app, the backend issues a FrostFS
 Bearer token and provides it to the frontend. Then, the mobile app may generate
 some data and upload it via any available FrostFS HTTP Gateway by adding
 the corresponding header to the upload request. Accessing policy protected data
 works the same way.
 ##### Example
 In order to generate a bearer token, you need to have wallet (which will be used to sign the token)
 1. Suppose you have a container with private policy for wallet key
 ```
 $ frostfs-cli container create -r <endpoint> --wallet <wallet> -policy <policy> --basic-acl 0 --await
 CID: 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z
 $ frostfs-cli ape-manager add -r <endpoint> --wallet <wallet> \
  --target-type container --target-name 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z \
  --rule "allow Object.* RequestCondition:"\$Actor:publicKey"=03b09baabff3f6107c7e9acb8721a6fc5618d45b50247a314d82e548702cce8cd5 *" \
  --chain-id <chainID>
 ```
 2. Form a Bearer token (10000 is lifetime expiration in epoch) to impersonate
   HTTP Gateway request as wallet signed request and save it to **bearer.json**:
 ```
 {
    "body": {
        "allowImpersonate": true,
        "lifetime": {
            "exp": "10000",
            "nbf": "0",
            "iat": "0"
        }
    },
    "signature": null
 }
 ```
 3. Sign it with the wallet:
 ```
 $ frostfs-cli util sign bearer-token --from bearer.json --to signed.json -w <wallet>
 ```
 4. Encode to base64 to use in header:
 ```
 $ base64 -w 0 signed.json
 # output: Ck4KKgoECAIQBhIiCiCZGdlbN7DPGPMg9rsWqV+p2XdMzUqknRiexewSFp8kmBIbChk17MUri6OJ0X5ftsHzy7NERDNFB4C92PcaGgMIkE4SZgohAxpsb7vfAso1F0X6hrm6WpRS14WsT3/Ct1SMoqRsT89KEkEEGxKi8GjKSf52YqhppgaOTQHbUsL3jn7SHLqS3ndAQ7NtAATnmRHleZw2V2xRRSRBQdjDC05KK83LhdSax72Fsw==
 ```
 After that, the Bearer token can be used:
 ```
 $ curl -F 'file=@cat.jpeg;filename=cat.jpeg' -H "Authorization: Bearer Ck4KKgoECAIQBhIiCiCZGdlbN7DPGPMg9rsWqV+p2XdMzUqknRiexewSFp8kmBIbChk17MUri6OJ0X5ftsHzy7NERDNFB4C92PcaGgMIkE4SZgohAxpsb7vfAso1F0X6hrm6WpRS14WsT3/Ct1SMoqRsT89KEkEEGxKi8GjKSf52YqhppgaOTQHbUsL3jn7SHLqS3ndAQ7NtAATnmRHleZw2V2xRRSRBQdjDC05KK83LhdSax72Fsw==" \
  http://localhost:8082/upload/BJeErH9MWmf52VsR1mLWKkgF3pRm3FkubYxM7TZkBP4K
 # output:
 # {
 #	"object_id": "DhfES9nVrFksxGDD2jQLunGADfrXExxNwqXbDafyBn9X",
 #	"container_id": "BJeErH9MWmf52VsR1mLWKkgF3pRm3FkubYxM7TZkBP4K"
 # }
 ```
 ##### Note: Bearer Token owner
 You can specify exact key who can use Bearer Token (gateway wallet address).
 To do this, encode wallet address in base64 format
 ```
 $ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64
 # output: NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg==
 ```
 Then specify this value in Bearer Token Json
 ```
 {
    "body": {
        "ownerID": {
            "value": "NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg=="
        },
        ...
 ```
 ##### Note: Policy override
 Instead of impersonation, you can define the set of policies that will be applied
 to the request sender. This allows to restrict access to specific operation and
 specific objects without giving full impersonation control to the token user.
--- a/docs/gate-configuration.md
+++ b/docs/gate-configuration.md
@ -58,7 +58,9 @@ $ cat http.log
 | `cache`          | [Cache configuration](#cache-section)                          |
 | `resolve_bucket` | [Bucket name resolving configuration](#resolve_bucket-section) |
 | `index_page`     | [Index page configuration](#index_page-section)                |
-
+| `multinet`       | [Multinet configuration](#multinet-section)                    |
 | `features`       | [Features configuration](#features-section)                    |
 | `containers`     | [Containers configuration](#containers-section)                |
 # General section
@ -74,18 +76,21 @@ request_timeout: 5s
 rebalance_timer: 30s
 pool_error_threshold: 100
 reconnect_interval: 1m
 worker_pool_size: 1000
 ```
-| Parameter              | Type       | SIGHUP reload | Default value | Description                                                                                     |
+| Parameter              | Type       | SIGHUP reload | Default value | Description                                                                        |
-|------------------------|------------|---------------|---------------|-------------------------------------------------------------------------------------------------|
+|------------------------|------------|---------------|---------------|------------------------------------------------------------------------------------|
-| `rpc_endpoint`         | `string`   | yes           |               | The address of the RPC host to which the gateway connects to resolve bucket names.              |
+| `rpc_endpoint`         | `string`   | yes           |               | The address of the RPC host to which the gateway connects to resolve bucket names. |
-| `resolve_order`        | `[]string` | yes           | `[nns, dns]`  | Order of bucket name resolvers to use.                                                          |
+| `resolve_order`        | `[]string` | yes           | `[nns, dns]`  | Order of bucket name resolvers to use.                                             |
-| `connect_timeout`      | `duration` |               | `10s`         | Timeout to connect to a node.                                                                   |
+| `connect_timeout`      | `duration` |               | `10s`         | Timeout to connect to a node.                                                      |
-| `stream_timeout`       | `duration` |               | `10s`         | Timeout for individual operations in streaming RPC.                                             |
+| `stream_timeout`       | `duration` |               | `10s`         | Timeout for individual operations in streaming RPC.                                |
-| `request_timeout`      | `duration` |               | `15s`         | Timeout to check node health during rebalance.                                                  |
+| `request_timeout`      | `duration` |               | `15s`         | Timeout to check node health during rebalance.                                     |
-| `rebalance_timer`      | `duration` |               | `60s`         | Interval to check node health.                                                                  |
+| `rebalance_timer`      | `duration` |               | `60s`         | Interval to check node health.                                                     |
-| `pool_error_threshold` | `uint32`   |               | `100`         | The number of errors on connection after which node is considered as unhealthy.                 |
+| `pool_error_threshold` | `uint32`   |               | `100`         | The number of errors on connection after which node is considered as unhealthy.    |
-| `reconnect_interval`   | `duration` | no            | `1m`          | Listeners reconnection interval.                                                                |
+| `reconnect_interval`   | `duration` | no            | `1m`          | Listeners reconnection interval.                                                   |
 | `worker_pool_size`     | `int`      | no            | `1000`        | Maximum worker count in handler's worker pool.                                     |
 # `wallet` section
@ -170,6 +175,10 @@ logger:
    initial: 100
    thereafter: 100
    interval: 1s
  tags:
    - names: "app,datapath"
      level: info        
    - names: "external_storage_tree"
 ```
 | Parameter             | Type       | SIGHUP reload | Default value | Description                                                                                        |
@ -180,6 +189,30 @@ logger:
 | `sampling.initial`    | `int`      | no            | '100'         | Sampling count of first log entries.                                                               |
 | `sampling.thereafter` | `int`      | no            | '100'         | Sampling count of entries after an `interval`.                                                     |
 | `sampling.interval`   | `duration` | no            | '1s'          | Sampling interval of messaging similar entries.                                                    |
 | `sampling.tags`       | `[]Tag`    | yes           |               | Tagged log entries that should be additionally logged (available tags see in the next section).    |
 ## Tags
 There are additional log entries that can hurt performance and can be additionally logged by using `logger.tags`
 parameter. Available tags:
 ```yaml
 tags:
  - names: "app,datapath"
    level: info
 ```
 | Parameter | Type       | SIGHUP reload | Default value             | Description                                                                                           |
 |-----------|------------|---------------|---------------------------|-------------------------------------------------------------------------------------------------------|
 | `names`   | `[]string` | yes           |                           | Tag names separated by `,`.  Possible values see below in `Tag values` section.                       |
 | `level`   | `string`   | yes           | Value from `logger.level` | Logging level for specific tag. Possible values: `debug`, `info`, `warn`, `dpanic`, `panic`, `fatal`. |
 ### Tag values
 * `app` - common application logs (enabled by default).
 * `datapath` - main logic of application (enabled by default).
 * `external_storage` - external interaction with storage node (enabled by default).
 * `external_storage_tree` - external interaction with tree service in storage node (enabled by default).
 # `web` section
@ -214,9 +247,10 @@ upload_header:
 |-------------------------|--------|---------------|---------------|-------------------------------------------------------------|
 | `use_default_timestamp` | `bool` | yes           | `false`       | Create timestamp for object if it isn't provided by header. |
 # `zip` section
 > **_DEPRECATED:_**  Use archive section instead
 ```yaml
 zip:
  compression: false
@ -226,6 +260,17 @@ zip:
 |---------------|--------|---------------|---------------|--------------------------------------------------------------|
 | `compression` | `bool` | yes           | `false`       | Enable zip compression when download files by common prefix. |
 # `archive` section
 ```yaml
 archive:
  compression: false
 ```
 | Parameter     | Type   | SIGHUP reload | Default value | Description                                                      |
 |---------------|--------|---------------|---------------|------------------------------------------------------------------|
 | `compression` | `bool` | yes           | `false`       | Enable archive compression when download files by common prefix. |
 # `pprof` section
@ -267,14 +312,36 @@ tracing:
  exporter: "otlp_grpc"
  endpoint: "localhost:4317"
  trusted_ca: "/etc/ssl/telemetry-trusted-ca.pem"
  attributes:
    - key: key0
      value: value
    - key: key1
      value: value
 ```
-| Parameter    | Type     | SIGHUP reload | Default value | Description                                                                                                                     |
+| Parameter    | Type                                   | SIGHUP reload | Default value | Description                                                                                                                     |
-|--------------|----------|---------------|---------------|---------------------------------------------------------------------------------------------------------------------------------|
+| ------------ | -------------------------------------- | ------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------- |
-| `enabled`    | `bool`   | no            | `false`       | Flag to enable the tracing.                                                                                                     |
+| `enabled`    | `bool`                                 | yes           | `false`       | Flag to enable the tracing.                                                                                                     |
-| `exporter`   | `string` | yes           |               | Trace collector type (`stdout` or `otlp_grpc` are supported).                                                                   |
+| `exporter`   | `string`                               | yes           |               | Trace collector type (`stdout` or `otlp_grpc` are supported).                                                                   |
-| `endpoint`   | `string` | yes           |               | Address of collector endpoint for OTLP exporters.                                                                               |
+| `endpoint`   | `string`                               | yes           |               | Address of collector endpoint for OTLP exporters.                                                                               |
-| `trusted_ca` | `string` | yes           |               | Path to certificate of a certification authority in pem format, that issued the TLS certificate of the telemetry remote server. |
+| `trusted_ca` | `string`                               | yes           |               | Path to certificate of a certification authority in pem format, that issued the TLS certificate of the telemetry remote server. |
 | `attributes` | [[]Attributes](#attributes-subsection) | yes           |               | An array of configurable attributes in key-value format.                                                                        |
 #### `attributes` subsection
 ```yaml
  attributes:
    - key: key0
      value: value
    - key: key1
      value: value
 ```
 | Parameter             | Type     | SIGHUP reload | Default value | Description                                              |
 |-----------------------|----------|---------------|---------------|----------------------------------------------------------|
 | `key`                 | `string` | yes           |               | Attribute key.                                           |
 | `value`               | `string` | yes           |               | Attribute value.                                         |
 # `runtime` section
 Contains runtime parameters.
@ -313,12 +380,18 @@ cache:
  buckets:
    lifetime: 1m
    size: 1000
-
+  netmap:
    lifetime: 1m
  cors:
    lifetime: 5m
    size: 1000
 ```
-| Parameter       | Type                              | Default value                     | Description                                                                            |
+| Parameter | Type                              | Default value                   | Description                                                               |
-|-----------------|-----------------------------------|-----------------------------------|----------------------------------------------------------------------------------------|
+|-----------|-----------------------------------|---------------------------------|---------------------------------------------------------------------------|
-| `buckets`       | [Cache config](#cache-subsection) | `lifetime: 60s`<br>`size: 1000`   | Cache which contains mapping of bucket name to bucket info.                            |
+| `buckets` | [Cache config](#cache-subsection) | `lifetime: 60s`<br>`size: 1000` | Cache which contains mapping of bucket name to bucket info.               |
 | `netmap`  | [Cache config](#cache-subsection) | `lifetime: 1m`                  | Cache which stores netmap. `netmap.size` isn't applicable for this cache. |
 | `cors`    | [Cache config](#cache-subsection) | `lifetime: 5m`<br>`size: 1000`  | Cache which stores container CORS configurations.                         |
 #### `cache` subsection
@ -351,7 +424,12 @@ resolve_bucket:
 # `index_page` section
-Parameters for index HTML-page output with S3-bucket or S3-subdir content for `Get object` request
+Parameters for index HTML-page output. Activates if `GetObject` request returns `not found`. Two
 index page modes available:
 * `s3` mode uses tree service for listing objects,
 * `native` sends requests to nodes via native protocol.
  If request pass S3-bucket name instead of CID, `s3` mode will be used, otherwise `native`.
 ```yaml
 index_page:
@ -363,3 +441,94 @@ index_page:
 |-----------------|----------|---------------|---------------|---------------------------------------------------------------------------------|
 | `enabled`       | `bool`   | yes           | `false`       | Flag to enable index_page return if no object with specified S3-name was found. |
 | `template_path` | `string` | yes           | `""`          | Path to .gotmpl file with html template for index_page.                         |
 # `cors` section
 Parameters for CORS (used in OPTIONS requests and responses in all handlers).
 If values are not set, settings from CORS container will be used.
 ```yaml
 cors:
  allow_origin: "*"
  allow_methods: ["GET", "HEAD"]
  allow_headers: ["Authorization"]
  expose_headers: ["*"]
  allow_credentials: false
  max_age: 600
 ```
 | Parameter           | Type       | SIGHUP reload | Default value | Description                                            |
 |---------------------|------------|---------------|---------------|--------------------------------------------------------|
 | `allow_origin`      | `string`   | yes           |               | Values for `Access-Control-Allow-Origin` headers.      |
 | `allow_methods`     | `[]string` | yes           |               | Values for `Access-Control-Allow-Methods` headers.     |
 | `allow_headers`     | `[]string` | yes           |               | Values for `Access-Control-Allow-Headers` headers.     |
 | `expose_headers`    | `[]string` | yes           |               | Values for `Access-Control-Expose-Headers` headers.    |
 | `allow_credentials` | `bool`     | yes           | `false`       | Values for `Access-Control-Allow-Credentials` headers. |
 | `max_age`           | `int`      | yes           | `600`         | Values for `Access-Control-Max-Age ` headers.          |
 # `multinet` section
 Configuration of multinet support.
 ```yaml
 multinet:
   enabled: false
   balancer: roundrobin
   restrict: false
   fallback_delay: 300ms
   subnets:
      - mask: 1.2.3.4/24
        source_ips:
           - 1.2.3.4
           - 1.2.3.5
 ```
 | Parameter        | Type                           | SIGHUP reload | Default value | Description                                                                                |
 |------------------|--------------------------------|---------------|---------------|--------------------------------------------------------------------------------------------|
 | `enabled`        | `bool`                         | yes           | `false`       | Enables multinet setting to manage source ip of outcoming requests.                        |
 | `balancer`       | `string`                       | yes           | `""`          | Strategy to pick source IP. By default picks first address. Supports `roundrobin` setting. |
 | `restrict`       | `bool`                         | yes           | `false`       | Restricts requests to an undefined subnets.                                                |
 | `fallback_delay` | `duration`                     | yes           | `300ms`       | Delay between IPv6 and IPv4 fallback stack switch.                                         |
 | `subnets`        | [[]Subnet](#subnet-subsection) | yes           |               | Set of subnets to apply multinet dial settings.                                            |
 #### `subnet` subsection
 ```yaml
 - mask: 1.2.3.4/24
  source_ips:
    - 1.2.3.4
    - 1.2.3.5
 ```
 | Parameter    | Type       | SIGHUP reload | Default value | Description                                                          |
 |--------------|------------|---------------|---------------|----------------------------------------------------------------------|
 | `mask`       | `string`   | yes           |               | Destination subnet.                                                  |
 | `source_ips` | `[]string` | yes           |               | Array of source IP addresses to use when dialing destination subnet. |
 # `features` section
 Contains parameters for enabling features.
 ```yaml
 features:
  enable_filepath_fallback: true
  tree_pool_netmap_support: true
 ```
 | Parameter                           | Type   | SIGHUP reload | Default value | Description                                                                                                                                                                                                                                                                              |
 |-------------------------------------|--------|---------------|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `features.enable_filepath_fallback` | `bool` | yes           | `false`       | Enable using fallback path to search for a object by attribute. If the value of the `FilePath` attribute in the request contains no `/` symbols or single leading `/` symbol and the object was not found, then an attempt is made to search for the object by the attribute `FileName`. |
 | `features.tree_pool_netmap_support` | `bool` | no            | `false`       | Enable using new version of tree pool, which uses netmap to select nodes, for requests to tree service.                                                                                                                                                                                  |
 # `containers` section
 Section for well-known containers to store data and settings.
 ```yaml
 containers:
  cors: AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj
 ```
 | Parameter   | Type     | SIGHUP reload | Default value | Description                             |
 |-------------|----------|---------------|---------------|-----------------------------------------|
 | `cors`      | `string` | no            |               | Container name for CORS configurations. |
--- a/docs/nns.md
+++ b/docs/nns.md
@ -0,0 +1,36 @@
 # Nicename Resolving with NNS
 Steps to start using name resolving:
 1. Enable NNS resolving in config (`rpc_endpoint` must be a valid neo rpc node, see [configs](./config) for other examples):
 ```yaml
 rpc_endpoint: http://morph-chain.frostfs.devenv:30333
 resolve_order:
  - nns
 ```
 2. Make sure your container is registered in NNS contract. If you use [frostfs-dev-env](https://git.frostfs.info/TrueCloudLab/frostfs-dev-env)
   you can check if your container (e.g. with `container-name` name) is registered in NNS:
 ```shell
 $ curl -s --data '{"id":1,"jsonrpc":"2.0","method":"getcontractstate","params":[1]}' \
    http://morph-chain.frostfs.devenv:30333 | jq -r '.result.hash'
 0x8e6c3cd4b976b28e84a3788f6ea9e2676c15d667
 $ docker exec -it morph_chain neo-go \
    contract testinvokefunction \
    -r http://morph-chain.frostfs.devenv:30333 0x8e6c3cd4b976b28e84a3788f6ea9e2676c15d667 \
    resolve string:container-name.container int:16 \
    | jq -r '.stack[0].value | if type=="array" then .[0].value else . end' \
    | base64 -d && echo
 7f3vvkw4iTiS5ZZbu5BQXEmJtETWbi3uUjLNaSs29xrL
 ```
 3. Use container name instead of its `$CID`. For example:
 ```shell
 $ curl http://localhost:8082/get_by_attribute/container-name/FileName/object-name
 ```
--- a/go.mod
+++ b/go.mod
@ -3,116 +3,137 @@ module git.frostfs.info/TrueCloudLab/frostfs-http-gw
 go 1.22
 require (
-	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240916093537-13fa0da3741e
+	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241125133852-37bd75821121
-	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20240909114314-666d326cc573
+	git.frostfs.info/TrueCloudLab/frostfs-qos v0.0.0-20250128150313-cfbca7fa1dfe
-	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240918095938-e580ee991d98
+	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250317082814-87bb55f992dc
 	git.frostfs.info/TrueCloudLab/multinet v0.0.0-20241015075604-6cb0d80e0972
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
 	github.com/bluele/gcache v0.0.2
-	github.com/docker/go-units v0.4.0
+	github.com/docker/docker v27.1.1+incompatible
 	github.com/docker/go-units v0.5.0
 	github.com/fasthttp/router v1.4.1
 	github.com/nspcc-dev/neo-go v0.106.2
 	github.com/panjf2000/ants/v2 v2.5.0
 	github.com/prometheus/client_golang v1.19.0
 	github.com/prometheus/client_model v0.5.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.15.0
 	github.com/ssgreg/journald v1.0.0
 	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go v0.13.0
+	github.com/testcontainers/testcontainers-go v0.35.0
 	github.com/trailofbits/go-fuzz-utils v0.0.0-20230413173806-58c38daa3cb4
 	github.com/valyala/fasthttp v1.34.0
-	go.opentelemetry.io/otel v1.28.0
+	go.opentelemetry.io/otel v1.31.0
-	go.opentelemetry.io/otel/trace v1.28.0
+	go.opentelemetry.io/otel/trace v1.31.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
-	golang.org/x/net v0.26.0
+	golang.org/x/sys v0.28.0
-	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc v1.69.2
 )
 require (
 	dario.cat/mergo v1.0.0 // indirect
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240621131249-49e5270f673e // indirect
 	git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 // indirect
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1 // indirect
 	git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 // indirect
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.9.2 // indirect
 	github.com/VictoriaMetrics/easyproto v0.1.4 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
-	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/containerd/cgroups v1.0.3 // indirect
+	github.com/containerd/containerd v1.7.18 // indirect
-	github.com/containerd/containerd v1.6.2 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v20.10.14+incompatible // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
+	github.com/ipfs/go-cid v0.0.7 // indirect
-	github.com/klauspost/compress v1.16.4 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/sys/mount v0.3.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/mountinfo v0.6.1 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.2.0 // indirect
 	github.com/multiformats/go-multiaddr v0.14.0 // indirect
 	github.com/multiformats/go-multibase v0.2.0 // indirect
 	github.com/multiformats/go-multihash v0.2.3 // indirect
 	github.com/multiformats/go-varint v0.0.7 // indirect
 	github.com/nspcc-dev/go-ordered-json v0.0.0-20240301084351-0246b013f8b2 // indirect
 	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20240521091047-78685785716d // indirect
 	github.com/nspcc-dev/rfc6979 v0.2.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opencontainers/runc v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/shirou/gopsutil/v3 v3.23.12 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/afero v1.9.3 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/twmb/murmur3 v1.1.8 // indirect
-	github.com/urfave/cli v1.22.5 // indirect
+	github.com/urfave/cli v1.22.12 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	go.etcd.io/bbolt v1.3.9 // indirect
-	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.28.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.31.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.31.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/cache/buckets.go
+++ b/internal/cache/buckets.go
@ -6,14 +6,16 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/bluele/gcache"
 	"go.uber.org/zap"
 )
 // BucketCache contains cache with objects and the lifetime of cache entries.
 type BucketCache struct {
-	cache  gcache.Cache
+	cache    gcache.Cache
-	logger *zap.Logger
+	cidCache gcache.Cache
 	logger   *zap.Logger
 }
 // Config stores expiration params for cache.
@ -40,14 +42,45 @@ func DefaultBucketConfig(logger *zap.Logger) *Config {
 }
 // NewBucketCache creates an object of BucketCache.
-func NewBucketCache(config *Config) *BucketCache {
+func NewBucketCache(config *Config, cidCache bool) *BucketCache {
-	gc := gcache.New(config.Size).LRU().Expiration(config.Lifetime).Build()
+	cache := &BucketCache{
-	return &BucketCache{cache: gc, logger: config.Logger}
+		cache:  gcache.New(config.Size).LRU().Expiration(config.Lifetime).Build(),
 		logger: config.Logger,
 	}
 	if cidCache {
 		cache.cidCache = gcache.New(config.Size).LRU().Expiration(config.Lifetime).Build()
 	}
 	return cache
 }
 // Get returns a cached object.
 func (o *BucketCache) Get(ns, bktName string) *data.BucketInfo {
-	entry, err := o.cache.Get(formKey(ns, bktName))
+	return o.get(formKey(ns, bktName))
 }
 func (o *BucketCache) GetByCID(cnrID cid.ID) *data.BucketInfo {
 	if o.cidCache == nil {
 		return nil
 	}
 	entry, err := o.cidCache.Get(cnrID)
 	if err != nil {
 		return nil
 	}
 	key, ok := entry.(string)
 	if !ok {
 		o.logger.Warn(logs.InvalidCacheEntryType, zap.String("actual", fmt.Sprintf("%T", entry)),
 			zap.String("expected", fmt.Sprintf("%T", key)), logs.TagField(logs.TagDatapath))
 		return nil
 	}
 	return o.get(key)
 }
 func (o *BucketCache) get(key string) *data.BucketInfo {
 	entry, err := o.cache.Get(key)
 	if err != nil {
 		return nil
 	}
@ -55,7 +88,7 @@ func (o *BucketCache) Get(ns, bktName string) *data.BucketInfo {
 	result, ok := entry.(*data.BucketInfo)
 	if !ok {
 		o.logger.Warn(logs.InvalidCacheEntryType, zap.String("actual", fmt.Sprintf("%T", entry)),
-			zap.String("expected", fmt.Sprintf("%T", result)))
+			zap.String("expected", fmt.Sprintf("%T", result)), logs.TagField(logs.TagDatapath))
 		return nil
 	}
@ -64,6 +97,12 @@ func (o *BucketCache) Get(ns, bktName string) *data.BucketInfo {
 // Put puts an object to cache.
 func (o *BucketCache) Put(bkt *data.BucketInfo) error {
 	if o.cidCache != nil {
 		if err := o.cidCache.Set(bkt.CID, formKey(bkt.Zone, bkt.Name)); err != nil {
 			return err
 		}
 	}
 	return o.cache.Set(formKey(bkt.Zone, bkt.Name), bkt)
 }
--- a/internal/cache/cors.go
+++ b/internal/cache/cors.go
@ -0,0 +1,62 @@
 package cache
 import (
 	"fmt"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/bluele/gcache"
 	"go.uber.org/zap"
 )
 // CORSCache contains cache with CORS objects.
 type CORSCache struct {
 	cache  gcache.Cache
 	logger *zap.Logger
 }
 const (
 	// DefaultCORSCacheSize is a default maximum number of entries in cache.
 	DefaultCORSCacheSize = 1e3
 	// DefaultCORSCacheLifetime is a default lifetime of entries in cache.
 	DefaultCORSCacheLifetime = 5 * time.Minute
 )
 // DefaultCORSConfig returns new default cache expiration values.
 func DefaultCORSConfig(logger *zap.Logger) *Config {
 	return &Config{
 		Size:     DefaultCORSCacheSize,
 		Lifetime: DefaultCORSCacheLifetime,
 		Logger:   logger,
 	}
 }
 // NewCORSCache creates an object of CORSCache.
 func NewCORSCache(config *Config) *CORSCache {
 	gc := gcache.New(config.Size).LRU().Expiration(config.Lifetime).Build()
 	return &CORSCache{cache: gc, logger: config.Logger}
 }
 // Get returns a cached object.
 func (o *CORSCache) Get(cnrID cid.ID) *data.CORSConfiguration {
 	entry, err := o.cache.Get(cnrID)
 	if err != nil {
 		return nil
 	}
 	result, ok := entry.(*data.CORSConfiguration)
 	if !ok {
 		o.logger.Warn(logs.InvalidCacheEntryType, zap.String("actual", fmt.Sprintf("%T", entry)),
 			zap.String("expected", fmt.Sprintf("%T", result)), logs.TagField(logs.TagDatapath))
 		return nil
 	}
 	return result
 }
 // Put puts an object to cache.
 func (o *CORSCache) Put(cnrID cid.ID, cors *data.CORSConfiguration) error {
 	return o.cache.Set(cnrID, cors)
 }
--- a/internal/cache/netmap.go
+++ b/internal/cache/netmap.go
@ -0,0 +1,65 @@
 package cache
 import (
 	"fmt"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"github.com/bluele/gcache"
 	"go.uber.org/zap"
 )
 type (
 	// NetmapCache provides cache for netmap.
 	NetmapCache struct {
 		cache  gcache.Cache
 		logger *zap.Logger
 	}
 	// NetmapCacheConfig stores expiration params for cache.
 	NetmapCacheConfig struct {
 		Lifetime time.Duration
 		Logger   *zap.Logger
 	}
 )
 const (
 	DefaultNetmapCacheLifetime = time.Minute
 	netmapCacheSize            = 1
 	netmapKey                  = "netmap"
 )
 // DefaultNetmapConfig returns new default cache expiration values.
 func DefaultNetmapConfig(logger *zap.Logger) *NetmapCacheConfig {
 	return &NetmapCacheConfig{
 		Lifetime: DefaultNetmapCacheLifetime,
 		Logger:   logger,
 	}
 }
 // NewNetmapCache creates an object of NetmapCache.
 func NewNetmapCache(config *NetmapCacheConfig) *NetmapCache {
 	gc := gcache.New(netmapCacheSize).LRU().Expiration(config.Lifetime).Build()
 	return &NetmapCache{cache: gc, logger: config.Logger}
 }
 func (c *NetmapCache) Get() *netmap.NetMap {
 	entry, err := c.cache.Get(netmapKey)
 	if err != nil {
 		return nil
 	}
 	result, ok := entry.(netmap.NetMap)
 	if !ok {
 		c.logger.Warn(logs.InvalidCacheEntryType, zap.String("actual", fmt.Sprintf("%T", entry)),
 			zap.String("expected", fmt.Sprintf("%T", result)), logs.TagField(logs.TagDatapath))
 		return nil
 	}
 	return &result
 }
 func (c *NetmapCache) Put(nm netmap.NetMap) error {
 	return c.cache.Set(netmapKey, nm)
 }
--- a/internal/data/cors.go
+++ b/internal/data/cors.go
@ -0,0 +1,18 @@
 package data
 type (
 	// CORSConfiguration stores CORS configuration of a request.
 	CORSConfiguration struct {
 		CORSRules []CORSRule `xml:"CORSRule" json:"CORSRules"`
 	}
 	// CORSRule stores rules for CORS configuration.
 	CORSRule struct {
 		AllowedHeaders     []string `xml:"AllowedHeader" json:"AllowedHeaders"`
 		AllowedMethods     []string `xml:"AllowedMethod" json:"AllowedMethods"`
 		AllowedOrigins     []string `xml:"AllowedOrigin" json:"AllowedOrigins"`
 		ExposeHeaders      []string `xml:"ExposeHeader" json:"ExposeHeaders"`
 		MaxAgeSeconds      int      `xml:"MaxAgeSeconds,omitempty" json:"MaxAgeSeconds,omitempty"`
 		AllowedCredentials bool     `xml:"AllowedCredentials,omitempty" json:"AllowedCredentials,omitempty"`
 	}
 )
--- a/internal/data/bucket.go
+++ b/internal/data/bucket.go
@ -2,6 +2,7 @@ package data
 import (
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 )
 type BucketInfo struct {
@ -9,4 +10,5 @@ type BucketInfo struct {
 	Zone                    string // container zone from system attribute
 	CID                     cid.ID
 	HomomorphicHashDisabled bool
 	PlacementPolicy         netmap.PlacementPolicy
 }
--- a/internal/data/tree.go
+++ b/internal/data/tree.go
@ -1,4 +1,4 @@
-package api
+package data
 import (
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
@ -7,12 +7,21 @@ import (
 // NodeVersion represent node from tree service.
 type NodeVersion struct {
 	BaseNodeVersion
 	DeleteMarker bool
 	IsPrefixNode bool
 }
 // BaseNodeVersion is minimal node info from tree service.
 // Basically used for "system" object.
 type BaseNodeVersion struct {
-	OID oid.ID
+	ID             uint64
 	OID            oid.ID
 	IsDeleteMarker bool
 }
 type NodeInfo struct {
 	Meta []NodeMeta
 }
 type NodeMeta interface {
 	GetKey() string
 	GetValue() []byte
 }
--- a/internal/handler/browse.go
+++ b/internal/handler/browse.go
@ -1,43 +1,102 @@
 package handler
 import (
 	"context"
 	"html/template"
 	"net/url"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/docker/go-units"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 )
 const (
-	dateFormat   = "02-01-2006 15:04"
+	dateFormat       = "02-01-2006 15:04"
-	attrOID      = "OID"
+	attrOID          = "OID"
-	attrCreated  = "Created"
+	attrCreated      = "Created"
-	attrFileName = "FileName"
+	attrFileName     = "FileName"
-	attrSize     = "Size"
+	attrFilePath     = "FilePath"
 	attrSize         = "Size"
 	attrDeleteMarker = "IsDeleteMarker"
 )
 type (
 	BrowsePageData struct {
-		BucketName,
+		HasErrors bool
-		Prefix string
+		Container string
-		Objects []ResponseObject
+		Prefix    string
 		Protocol  string
 		Objects   []ResponseObject
 	}
 	ResponseObject struct {
-		OID      string
+		OID            string
-		Created  string
+		Created        string
-		FileName string
+		FileName       string
-		Size     string
+		FilePath       string
-		IsDir    bool
+		Size           string
 		IsDir          bool
 		GetURL         string
 		IsDeleteMarker bool
 	}
 )
 func newListObjectsResponseS3(attrs map[string]string) ResponseObject {
 	return ResponseObject{
 		Created:        formatTimestamp(attrs[attrCreated]),
 		OID:            attrs[attrOID],
 		FileName:       attrs[attrFileName],
 		Size:           attrs[attrSize],
 		IsDir:          attrs[attrOID] == "",
 		IsDeleteMarker: attrs[attrDeleteMarker] == "true",
 	}
 }
 func newListObjectsResponseNative(attrs map[string]string) ResponseObject {
 	filename := lastPathElement(attrs[object.AttributeFilePath])
 	if filename == "" {
 		filename = attrs[attrFileName]
 	}
 	return ResponseObject{
 		OID:      attrs[attrOID],
 		Created:  formatTimestamp(attrs[object.AttributeTimestamp] + "000"),
 		FileName: filename,
 		FilePath: attrs[object.AttributeFilePath],
 		Size:     attrs[attrSize],
 		IsDir:    false,
 	}
 }
 func getNextDir(filepath, prefix string) string {
 	restPath := strings.Replace(filepath, prefix, "", 1)
 	index := strings.Index(restPath, "/")
 	if index == -1 {
 		return ""
 	}
 	return restPath[:index]
 }
 func lastPathElement(path string) string {
 	if path == "" {
 		return path
 	}
 	index := strings.LastIndex(path, "/")
 	if index == len(path)-1 {
 		index = strings.LastIndex(path[:index], "/")
 	}
 	return path[index+1:]
 }
 func parseTimestamp(tstamp string) (time.Time, error) {
 	millis, err := strconv.ParseInt(tstamp, 10, 64)
 	if err != nil {
@ -47,16 +106,6 @@ func parseTimestamp(tstamp string) (time.Time, error) {
 	return time.UnixMilli(millis), nil
 }
 func NewResponseObject(nodes map[string]string) ResponseObject {
 	return ResponseObject{
 		OID:      nodes[attrOID],
 		Created:  nodes[attrCreated],
 		FileName: nodes[attrFileName],
 		Size:     nodes[attrSize],
 		IsDir:    nodes[attrOID] == "",
 	}
 }
 func formatTimestamp(strdate string) string {
 	date, err := parseTimestamp(strdate)
 	if err != nil || date.IsZero() {
@ -94,12 +143,9 @@ func trimPrefix(encPrefix string) string {
 	return prefix[:slashIndex]
 }
-func urlencode(prefix, filename string) string {
+func urlencode(path string) string {
 	var res strings.Builder
-	path := filename
+
 	if prefix != "" {
 		path = strings.Join([]string{prefix, filename}, "/")
 	}
 	prefixParts := strings.Split(path, "/")
 	for _, prefixPart := range prefixParts {
 		prefixPart = "/" + url.PathEscape(prefixPart)
@ -112,48 +158,223 @@ func urlencode(prefix, filename string) string {
 	return res.String()
 }
-func (h *Handler) browseObjects(c *fasthttp.RequestCtx, bucketInfo *data.BucketInfo, prefix string) {
+type GetObjectsResponse struct {
-	ctx := utils.GetContextFromRequest(c)
+	objects   []ResponseObject
-	reqLog := utils.GetReqLogOrDefault(ctx, h.log)
+	hasErrors bool
-	log := reqLog.With(zap.String("bucket", bucketInfo.Name))
+}
-	nodes, err := h.listObjects(ctx, bucketInfo, prefix)
+func (h *Handler) getDirObjectsS3(ctx context.Context, bucketInfo *data.BucketInfo, prefix string) (*GetObjectsResponse, error) {
 	nodes, _, err := h.tree.GetSubTreeByPrefix(ctx, bucketInfo, prefix, true)
 	if err != nil {
-		logAndSendBucketError(c, log, err)
+		return nil, err
 	}
 	result := &GetObjectsResponse{
 		objects: make([]ResponseObject, 0, len(nodes)),
 	}
 	for _, node := range nodes {
 		meta := node.Meta
 		if meta == nil {
 			continue
 		}
 		var attrs = make(map[string]string, len(meta))
 		for _, m := range meta {
 			attrs[m.GetKey()] = string(m.GetValue())
 		}
 		obj := newListObjectsResponseS3(attrs)
 		if obj.IsDeleteMarker {
 			continue
 		}
 		obj.FilePath = prefix + obj.FileName
 		obj.GetURL = "/get/" + bucketInfo.Name + urlencode(obj.FilePath)
 		result.objects = append(result.objects, obj)
 	}
 	return result, nil
 }
 func (h *Handler) getDirObjectsNative(ctx context.Context, bucketInfo *data.BucketInfo, prefix string) (*GetObjectsResponse, error) {
 	var basePath string
 	if ind := strings.LastIndex(prefix, "/"); ind != -1 {
 		basePath = prefix[:ind+1]
 	}
 	filters := object.NewSearchFilters()
 	filters.AddRootFilter()
 	if prefix != "" {
 		filters.AddFilter(object.AttributeFilePath, prefix, object.MatchCommonPrefix)
 	}
 	prm := PrmObjectSearch{
 		PrmAuth: PrmAuth{
 			BearerToken: bearerToken(ctx),
 		},
 		Container: bucketInfo.CID,
 		Filters:   filters,
 	}
 	objectIDs, err := h.frostfs.SearchObjects(ctx, prm)
 	if err != nil {
 		return nil, err
 	}
 	defer objectIDs.Close()
 	resp, err := h.headDirObjects(ctx, bucketInfo.CID, objectIDs, basePath)
 	if err != nil {
 		return nil, err
 	}
 	log := h.reqLogger(ctx)
 	dirs := make(map[string]struct{})
 	result := &GetObjectsResponse{
 		objects: make([]ResponseObject, 0, 100),
 	}
 	for objExt := range resp {
 		if objExt.Error != nil {
 			log.Error(logs.FailedToHeadObject, zap.Error(objExt.Error), logs.TagField(logs.TagExternalStorage))
 			result.hasErrors = true
 			continue
 		}
 		if objExt.Object.IsDir {
 			if _, ok := dirs[objExt.Object.FileName]; ok {
 				continue
 			}
 			objExt.Object.GetURL = "/get/" + bucketInfo.CID.EncodeToString() + urlencode(objExt.Object.FilePath)
 			dirs[objExt.Object.FileName] = struct{}{}
 		} else {
 			objExt.Object.GetURL = "/get/" + bucketInfo.CID.EncodeToString() + "/" + objExt.Object.OID
 		}
 		result.objects = append(result.objects, objExt.Object)
 	}
 	return result, nil
 }
 type ResponseObjectExtended struct {
 	Object ResponseObject
 	Error  error
 }
 func (h *Handler) headDirObjects(ctx context.Context, cnrID cid.ID, objectIDs ResObjectSearch, basePath string) (<-chan ResponseObjectExtended, error) {
 	res := make(chan ResponseObjectExtended)
 	go func() {
 		defer close(res)
 		log := h.reqLogger(ctx).With(
 			zap.String("cid", cnrID.EncodeToString()),
 			zap.String("path", basePath),
 		)
 		var wg sync.WaitGroup
 		err := objectIDs.Iterate(func(id oid.ID) bool {
 			wg.Add(1)
 			err := h.workerPool.Submit(func() {
 				defer wg.Done()
 				var obj ResponseObjectExtended
 				obj.Object, obj.Error = h.headDirObject(ctx, cnrID, id, basePath)
 				res <- obj
 			})
 			if err != nil {
 				wg.Done()
 				log.Warn(logs.FailedToSubmitTaskToPool, zap.Error(err), logs.TagField(logs.TagDatapath))
 			}
 			select {
 			case <-ctx.Done():
 				return true
 			default:
 				return false
 			}
 		})
 		if err != nil {
 			log.Error(logs.FailedToIterateOverResponse, zap.Error(err), logs.TagField(logs.TagDatapath))
 		}
 		wg.Wait()
 	}()
 	return res, nil
 }
 func (h *Handler) headDirObject(ctx context.Context, cnrID cid.ID, objID oid.ID, basePath string) (ResponseObject, error) {
 	addr := newAddress(cnrID, objID)
 	obj, err := h.frostfs.HeadObject(ctx, PrmObjectHead{
 		PrmAuth: PrmAuth{BearerToken: bearerToken(ctx)},
 		Address: addr,
 	})
 	if err != nil {
 		return ResponseObject{}, err
 	}
 	attrs := loadAttributes(obj.Attributes())
 	attrs[attrOID] = objID.EncodeToString()
 	if multipartSize, ok := attrs[attributeMultipartObjectSize]; ok {
 		attrs[attrSize] = multipartSize
 	} else {
 		attrs[attrSize] = strconv.FormatUint(obj.PayloadSize(), 10)
 	}
 	dirname := getNextDir(attrs[object.AttributeFilePath], basePath)
 	if dirname == "" {
 		return newListObjectsResponseNative(attrs), nil
 	}
 	return ResponseObject{
 		FileName: dirname,
 		FilePath: basePath + dirname,
 		IsDir:    true,
 	}, nil
 }
 type browseParams struct {
 	bucketInfo  *data.BucketInfo
 	prefix      string
 	isNative    bool
 	listObjects func(ctx context.Context, bucketName *data.BucketInfo, prefix string) (*GetObjectsResponse, error)
 }
 func (h *Handler) browseObjects(ctx context.Context, req *fasthttp.RequestCtx, p browseParams) {
 	const S3Protocol = "s3"
 	const FrostfsProtocol = "frostfs"
 	ctx = utils.SetReqLog(ctx, h.reqLogger(ctx).With(
 		zap.String("bucket", p.bucketInfo.Name),
 		zap.String("container", p.bucketInfo.CID.EncodeToString()),
 		zap.String("prefix", p.prefix),
 	))
 	resp, err := p.listObjects(ctx, p.bucketInfo, p.prefix)
 	if err != nil {
 		h.logAndSendError(ctx, req, logs.FailedToListObjects, err)
 		return
 	}
-	respObjects := make([]ResponseObject, len(nodes))
+	objects := resp.objects
-
+	sort.Slice(objects, func(i, j int) bool {
-	for i, node := range nodes {
+		if objects[i].IsDir == objects[j].IsDir {
-		respObjects[i] = NewResponseObject(node)
+			return objects[i].FileName < objects[j].FileName
 	}
 	sort.Slice(respObjects, func(i, j int) bool {
 		if respObjects[i].IsDir == respObjects[j].IsDir {
 			return respObjects[i].FileName < respObjects[j].FileName
 		}
-		return respObjects[i].IsDir
+		return objects[i].IsDir
 	})
 	indexTemplate := h.config.IndexPageTemplate()
 	tmpl, err := template.New("index").Funcs(template.FuncMap{
-		"formatTimestamp": formatTimestamp,
+		"formatSize": formatSize,
-		"formatSize":      formatSize,
+		"trimPrefix": trimPrefix,
-		"trimPrefix":      trimPrefix,
+		"urlencode":  urlencode,
-		"urlencode":       urlencode,
+		"parentDir":  parentDir,
-		"parentDir":       parentDir,
+	}).Parse(h.config.IndexPageTemplate())
 	}).Parse(indexTemplate)
 	if err != nil {
-		logAndSendBucketError(c, log, err)
+		h.logAndSendError(ctx, req, logs.FailedToParseTemplate, err)
 		return
 	}
-	if err = tmpl.Execute(c, &BrowsePageData{
+	bucketName := p.bucketInfo.Name
-		BucketName: bucketInfo.Name,
+	protocol := S3Protocol
-		Prefix:     prefix,
+	if p.isNative {
-		Objects:    respObjects,
+		bucketName = p.bucketInfo.CID.EncodeToString()
 		protocol = FrostfsProtocol
 	}
 	if err = tmpl.Execute(req, &BrowsePageData{
 		Container: bucketName,
 		Prefix:    p.prefix,
 		Objects:   objects,
 		Protocol:  protocol,
 		HasErrors: resp.hasErrors,
 	}); err != nil {
-		logAndSendBucketError(c, log, err)
+		h.logAndSendError(ctx, req, logs.FailedToExecuteTemplate, err)
 		return
 	}
 }
--- a/internal/handler/cors.go
+++ b/internal/handler/cors.go
@ -0,0 +1,342 @@
 package handler
 import (
 	"context"
 	"encoding/xml"
 	"errors"
 	"fmt"
 	"sort"
 	"strconv"
 	"strings"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	qostagging "git.frostfs.info/TrueCloudLab/frostfs-qos/tagging"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 )
 const (
 	internalIOTag        = "internal"
 	corsFilePathTemplate = "/%s.cors"
 	wildcard             = "*"
 )
 var errNoCORS = errors.New("no CORS objects found")
 func (h *Handler) Preflight(req *fasthttp.RequestCtx) {
 	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.Preflight")
 	defer span.End()
 	ctx = qostagging.ContextWithIOTag(ctx, internalIOTag)
 	cidParam, _ := req.UserValue("cid").(string)
 	reqLog := h.reqLogger(ctx)
 	log := reqLog.With(zap.String("cid", cidParam))
 	origin := req.Request.Header.Peek(fasthttp.HeaderOrigin)
 	if len(origin) == 0 {
 		log.Error(logs.EmptyOriginRequestHeader, logs.TagField(logs.TagDatapath))
 		ResponseError(req, "Origin request header needed", fasthttp.StatusBadRequest)
 		return
 	}
 	method := req.Request.Header.Peek(fasthttp.HeaderAccessControlRequestMethod)
 	if len(method) == 0 {
 		log.Error(logs.EmptyAccessControlRequestMethodHeader, logs.TagField(logs.TagDatapath))
 		ResponseError(req, "Access-Control-Request-Method request header needed", fasthttp.StatusBadRequest)
 		return
 	}
 	corsRule := h.config.CORS()
 	if corsRule != nil {
 		setCORSHeadersFromRule(req, corsRule)
 		return
 	}
 	corsConfig, err := h.getCORSConfig(ctx, log, cidParam)
 	if err != nil {
 		log.Error(logs.CouldNotGetCORSConfiguration, zap.Error(err), logs.TagField(logs.TagDatapath))
 		status := fasthttp.StatusInternalServerError
 		if errors.Is(err, errNoCORS) {
 			status = fasthttp.StatusNotFound
 		}
 		ResponseError(req, "could not get CORS configuration: "+err.Error(), status)
 		return
 	}
 	var headers []string
 	requestHeaders := req.Request.Header.Peek(fasthttp.HeaderAccessControlRequestHeaders)
 	if len(requestHeaders) > 0 {
 		headers = strings.Split(string(requestHeaders), ", ")
 	}
 	for _, rule := range corsConfig.CORSRules {
 		for _, o := range rule.AllowedOrigins {
 			if o == string(origin) || o == wildcard {
 				for _, m := range rule.AllowedMethods {
 					if m == string(method) {
 						if !checkSubslice(rule.AllowedHeaders, headers) {
 							continue
 						}
 						req.Response.Header.Set(fasthttp.HeaderAccessControlAllowOrigin, string(origin))
 						req.Response.Header.Set(fasthttp.HeaderAccessControlAllowMethods, strings.Join(rule.AllowedMethods, ", "))
 						if headers != nil {
 							req.Response.Header.Set(fasthttp.HeaderAccessControlAllowHeaders, string(requestHeaders))
 						}
 						if rule.ExposeHeaders != nil {
 							req.Response.Header.Set(fasthttp.HeaderAccessControlExposeHeaders, strings.Join(rule.ExposeHeaders, ", "))
 						}
 						if rule.MaxAgeSeconds > 0 || rule.MaxAgeSeconds == -1 {
 							req.Response.Header.Set(fasthttp.HeaderAccessControlMaxAge, strconv.Itoa(rule.MaxAgeSeconds))
 						}
 						if o != wildcard {
 							req.Response.Header.Set(fasthttp.HeaderAccessControlAllowCredentials, "true")
 						}
 						return
 					}
 				}
 			}
 		}
 	}
 	log.Error(logs.CORSRuleWasNotMatched, logs.TagField(logs.TagDatapath))
 	ResponseError(req, "Forbidden", fasthttp.StatusForbidden)
 }
 func (h *Handler) SetCORSHeaders(req *fasthttp.RequestCtx) {
 	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.SetCORSHeaders")
 	defer span.End()
 	origin := req.Request.Header.Peek(fasthttp.HeaderOrigin)
 	if len(origin) == 0 {
 		return
 	}
 	ctx = qostagging.ContextWithIOTag(ctx, internalIOTag)
 	cidParam, _ := req.UserValue("cid").(string)
 	reqLog := h.reqLogger(ctx)
 	log := reqLog.With(zap.String("cid", cidParam))
 	corsRule := h.config.CORS()
 	if corsRule != nil {
 		setCORSHeadersFromRule(req, corsRule)
 		return
 	}
 	corsConfig, err := h.getCORSConfig(ctx, log, cidParam)
 	if err != nil {
 		log.Error(logs.CouldNotGetCORSConfiguration, zap.Error(err), logs.TagField(logs.TagDatapath))
 		return
 	}
 	var withCredentials bool
 	if tkn, err := tokens.LoadBearerToken(ctx); err == nil && tkn != nil {
 		withCredentials = true
 	}
 	for _, rule := range corsConfig.CORSRules {
 		for _, o := range rule.AllowedOrigins {
 			if o == string(origin) {
 				for _, m := range rule.AllowedMethods {
 					if m == string(req.Method()) {
 						req.Response.Header.Set(fasthttp.HeaderAccessControlAllowOrigin, string(origin))
 						req.Response.Header.Set(fasthttp.HeaderAccessControlAllowMethods, strings.Join(rule.AllowedMethods, ", "))
 						req.Response.Header.Set(fasthttp.HeaderAccessControlAllowCredentials, "true")
 						req.Response.Header.Set(fasthttp.HeaderVary, fasthttp.HeaderOrigin)
 						return
 					}
 				}
 			}
 			if o == wildcard {
 				for _, m := range rule.AllowedMethods {
 					if m == string(req.Method()) {
 						if withCredentials {
 							req.Response.Header.Set(fasthttp.HeaderAccessControlAllowOrigin, string(origin))
 							req.Response.Header.Set(fasthttp.HeaderAccessControlAllowCredentials, "true")
 							req.Response.Header.Set(fasthttp.HeaderVary, fasthttp.HeaderOrigin)
 						} else {
 							req.Response.Header.Set(fasthttp.HeaderAccessControlAllowOrigin, o)
 						}
 						req.Response.Header.Set(fasthttp.HeaderAccessControlAllowMethods, strings.Join(rule.AllowedMethods, ", "))
 						return
 					}
 				}
 			}
 		}
 	}
 }
 func (h *Handler) getCORSConfig(ctx context.Context, log *zap.Logger, cidStr string) (*data.CORSConfiguration, error) {
 	cnrID, err := h.resolveContainer(ctx, cidStr)
 	if err != nil {
 		return nil, fmt.Errorf("resolve container '%s': %w", cidStr, err)
 	}
 	if cors := h.corsCache.Get(*cnrID); cors != nil {
 		return cors, nil
 	}
 	objID, err := h.getLastCORSObject(ctx, *cnrID)
 	if err != nil {
 		return nil, fmt.Errorf("get last cors object: %w", err)
 	}
 	var addr oid.Address
 	addr.SetContainer(h.corsCnrID)
 	addr.SetObject(objID)
 	corsObj, err := h.frostfs.GetObject(ctx, PrmObjectGet{
 		PrmAuth: PrmAuth{
 			BearerToken: bearerToken(ctx),
 		},
 		Address: addr,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("get cors object '%s': %w", addr.EncodeToString(), err)
 	}
 	corsConfig := &data.CORSConfiguration{}
 	if err = xml.NewDecoder(corsObj.Payload).Decode(corsConfig); err != nil {
 		return nil, fmt.Errorf("decode cors object: %w", err)
 	}
 	if err = h.corsCache.Put(*cnrID, corsConfig); err != nil {
 		log.Warn(logs.CouldntCacheCors, zap.Error(err), logs.TagField(logs.TagDatapath))
 	}
 	return corsConfig, nil
 }
 func (h *Handler) getLastCORSObject(ctx context.Context, cnrID cid.ID) (oid.ID, error) {
 	filters := object.NewSearchFilters()
 	filters.AddRootFilter()
 	filters.AddFilter(object.AttributeFilePath, fmt.Sprintf(corsFilePathTemplate, cnrID), object.MatchStringEqual)
 	prmAuth := PrmAuth{
 		BearerToken: bearerToken(ctx),
 	}
 	res, err := h.frostfs.SearchObjects(ctx, PrmObjectSearch{
 		PrmAuth:   prmAuth,
 		Container: h.corsCnrID,
 		Filters:   filters,
 	})
 	if err != nil {
 		return oid.ID{}, fmt.Errorf("search cors versions: %w", err)
 	}
 	defer res.Close()
 	var (
 		addr    oid.Address
 		obj     *object.Object
 		headErr error
 		objs    = make([]*object.Object, 0)
 	)
 	addr.SetContainer(h.corsCnrID)
 	err = res.Iterate(func(id oid.ID) bool {
 		addr.SetObject(id)
 		obj, headErr = h.frostfs.HeadObject(ctx, PrmObjectHead{
 			PrmAuth: prmAuth,
 			Address: addr,
 		})
 		if headErr != nil {
 			headErr = fmt.Errorf("head cors object '%s': %w", addr.EncodeToString(), headErr)
 			return true
 		}
 		objs = append(objs, obj)
 		return false
 	})
 	if err != nil {
 		return oid.ID{}, fmt.Errorf("iterate cors objects: %w", err)
 	}
 	if headErr != nil {
 		return oid.ID{}, headErr
 	}
 	if len(objs) == 0 {
 		return oid.ID{}, errNoCORS
 	}
 	sort.Slice(objs, func(i, j int) bool {
 		versionID1, _ := objs[i].ID()
 		versionID2, _ := objs[j].ID()
 		timestamp1 := utils.GetAttributeValue(objs[i].Attributes(), object.AttributeTimestamp)
 		timestamp2 := utils.GetAttributeValue(objs[j].Attributes(), object.AttributeTimestamp)
 		if objs[i].CreationEpoch() != objs[j].CreationEpoch() {
 			return objs[i].CreationEpoch() < objs[j].CreationEpoch()
 		}
 		if len(timestamp1) > 0 && len(timestamp2) > 0 && timestamp1 != timestamp2 {
 			unixTime1, err := strconv.ParseInt(timestamp1, 10, 64)
 			if err != nil {
 				return versionID1.EncodeToString() < versionID2.EncodeToString()
 			}
 			unixTime2, err := strconv.ParseInt(timestamp2, 10, 64)
 			if err != nil {
 				return versionID1.EncodeToString() < versionID2.EncodeToString()
 			}
 			return unixTime1 < unixTime2
 		}
 		return versionID1.EncodeToString() < versionID2.EncodeToString()
 	})
 	objID, _ := objs[len(objs)-1].ID()
 	return objID, nil
 }
 func setCORSHeadersFromRule(c *fasthttp.RequestCtx, cors *data.CORSRule) {
 	c.Response.Header.Set(fasthttp.HeaderAccessControlMaxAge, strconv.Itoa(cors.MaxAgeSeconds))
 	if len(cors.AllowedOrigins) != 0 {
 		c.Response.Header.Set(fasthttp.HeaderAccessControlAllowOrigin, cors.AllowedOrigins[0])
 	}
 	if len(cors.AllowedMethods) != 0 {
 		c.Response.Header.Set(fasthttp.HeaderAccessControlAllowMethods, strings.Join(cors.AllowedMethods, ", "))
 	}
 	if len(cors.AllowedHeaders) != 0 {
 		c.Response.Header.Set(fasthttp.HeaderAccessControlAllowHeaders, strings.Join(cors.AllowedHeaders, ", "))
 	}
 	if len(cors.ExposeHeaders) != 0 {
 		c.Response.Header.Set(fasthttp.HeaderAccessControlExposeHeaders, strings.Join(cors.ExposeHeaders, ", "))
 	}
 	if cors.AllowedCredentials {
 		c.Response.Header.Set(fasthttp.HeaderAccessControlAllowCredentials, "true")
 	}
 }
 func checkSubslice(slice []string, subSlice []string) bool {
 	if sliceContains(slice, wildcard) {
 		return true
 	}
 	if len(subSlice) > len(slice) {
 		return false
 	}
 	for _, r := range subSlice {
 		if !sliceContains(slice, r) {
 			return false
 		}
 	}
 	return true
 }
 func sliceContains(slice []string, str string) bool {
 	for _, s := range slice {
 		if s == str {
 			return true
 		}
 	}
 	return false
 }
--- a/internal/handler/cors_test.go
+++ b/internal/handler/cors_test.go
@ -0,0 +1,440 @@
 package handler
 import (
 	"encoding/base64"
 	"encoding/xml"
 	"fmt"
 	"testing"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 	"github.com/stretchr/testify/require"
 	"github.com/valyala/fasthttp"
 )
 func TestPreflight(t *testing.T) {
 	hc := prepareHandlerContext(t)
 	bktName := "bucket-preflight"
 	cnrID, cnr, err := hc.prepareContainer(bktName, acl.Private)
 	require.NoError(t, err)
 	hc.frostfs.SetContainer(cnrID, cnr)
 	var epoch uint64
 	t.Run("CORS object", func(t *testing.T) {
 		for _, tc := range []struct {
 			name            string
 			corsConfig      *data.CORSConfiguration
 			requestHeaders  map[string]string
 			expectedHeaders map[string]string
 			status          int
 		}{
 			{
 				name: "no CORS configuration",
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "",
 					fasthttp.HeaderAccessControlAllowMethods:     "",
 					fasthttp.HeaderAccessControlAllowHeaders:     "",
 					fasthttp.HeaderAccessControlExposeHeaders:    "",
 					fasthttp.HeaderAccessControlMaxAge:           "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin:                     "http://example.com",
 					fasthttp.HeaderAccessControlRequestMethod: "HEAD",
 				},
 				status: fasthttp.StatusNotFound,
 			},
 			{
 				name: "specific allowed origin",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"http://example.com"},
 							AllowedMethods: []string{"GET", "HEAD"},
 							AllowedHeaders: []string{"Content-Type"},
 							ExposeHeaders:  []string{"x-amz-*", "X-Amz-*"},
 							MaxAgeSeconds:  900,
 						},
 					},
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin:                      "http://example.com",
 					fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
 					fasthttp.HeaderAccessControlRequestHeaders: "Content-Type",
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "http://example.com",
 					fasthttp.HeaderAccessControlAllowMethods:     "GET, HEAD",
 					fasthttp.HeaderAccessControlAllowHeaders:     "Content-Type",
 					fasthttp.HeaderAccessControlExposeHeaders:    "x-amz-*, X-Amz-*",
 					fasthttp.HeaderAccessControlMaxAge:           "900",
 					fasthttp.HeaderAccessControlAllowCredentials: "true",
 				},
 				status: fasthttp.StatusOK,
 			},
 			{
 				name: "wildcard allowed origin",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"*"},
 							AllowedMethods: []string{"GET", "HEAD"},
 							AllowedHeaders: []string{"Content-Type"},
 							ExposeHeaders:  []string{"x-amz-*", "X-Amz-*"},
 							MaxAgeSeconds:  900,
 						},
 					},
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin:                     "http://example.com",
 					fasthttp.HeaderAccessControlRequestMethod: "HEAD",
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "http://example.com",
 					fasthttp.HeaderAccessControlAllowMethods:     "GET, HEAD",
 					fasthttp.HeaderAccessControlAllowHeaders:     "",
 					fasthttp.HeaderAccessControlExposeHeaders:    "x-amz-*, X-Amz-*",
 					fasthttp.HeaderAccessControlMaxAge:           "900",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 				status: fasthttp.StatusOK,
 			},
 			{
 				name: "not allowed header",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"*"},
 							AllowedMethods: []string{"GET", "HEAD"},
 							AllowedHeaders: []string{"Content-Type"},
 						},
 					},
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin:                      "http://example.com",
 					fasthttp.HeaderAccessControlRequestMethod:  "GET",
 					fasthttp.HeaderAccessControlRequestHeaders: "Authorization",
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "",
 					fasthttp.HeaderAccessControlAllowMethods:     "",
 					fasthttp.HeaderAccessControlAllowHeaders:     "",
 					fasthttp.HeaderAccessControlExposeHeaders:    "",
 					fasthttp.HeaderAccessControlMaxAge:           "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 				status: fasthttp.StatusForbidden,
 			},
 			{
 				name: "empty Origin header",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"*"},
 							AllowedMethods: []string{"GET", "HEAD"},
 						},
 					},
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "",
 					fasthttp.HeaderAccessControlAllowMethods:     "",
 					fasthttp.HeaderAccessControlAllowHeaders:     "",
 					fasthttp.HeaderAccessControlExposeHeaders:    "",
 					fasthttp.HeaderAccessControlMaxAge:           "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 				status: fasthttp.StatusBadRequest,
 			},
 			{
 				name: "empty Access-Control-Request-Method header",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"*"},
 							AllowedMethods: []string{"GET", "HEAD"},
 						},
 					},
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin: "http://example.com",
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "",
 					fasthttp.HeaderAccessControlAllowMethods:     "",
 					fasthttp.HeaderAccessControlAllowHeaders:     "",
 					fasthttp.HeaderAccessControlExposeHeaders:    "",
 					fasthttp.HeaderAccessControlMaxAge:           "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 				status: fasthttp.StatusBadRequest,
 			},
 		} {
 			t.Run(tc.name, func(t *testing.T) {
 				if tc.corsConfig != nil {
 					epoch++
 					setCORSObject(t, hc, cnrID, tc.corsConfig, epoch)
 				}
 				r := prepareCORSRequest(t, bktName, tc.requestHeaders)
 				hc.Handler().Preflight(r)
 				require.Equal(t, tc.status, r.Response.StatusCode())
 				for k, v := range tc.expectedHeaders {
 					require.Equal(t, v, string(r.Response.Header.Peek(k)))
 				}
 			})
 		}
 	})
 	t.Run("CORS config", func(t *testing.T) {
 		hc.cfg.cors = &data.CORSRule{
 			AllowedOrigins:     []string{"*"},
 			AllowedMethods:     []string{"GET", "HEAD"},
 			AllowedHeaders:     []string{"Content-Type", "Content-Encoding"},
 			ExposeHeaders:      []string{"x-amz-*", "X-Amz-*"},
 			MaxAgeSeconds:      900,
 			AllowedCredentials: true,
 		}
 		r := prepareCORSRequest(t, bktName, map[string]string{
 			fasthttp.HeaderOrigin:                     "http://example.com",
 			fasthttp.HeaderAccessControlRequestMethod: "GET",
 		})
 		hc.Handler().Preflight(r)
 		require.Equal(t, fasthttp.StatusOK, r.Response.StatusCode())
 		require.Equal(t, "900", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlMaxAge)))
 		require.Equal(t, "*", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowOrigin)))
 		require.Equal(t, "GET, HEAD", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowMethods)))
 		require.Equal(t, "Content-Type, Content-Encoding", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowHeaders)))
 		require.Equal(t, "x-amz-*, X-Amz-*", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlExposeHeaders)))
 		require.Equal(t, "true", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowCredentials)))
 	})
 }
 func TestSetCORSHeaders(t *testing.T) {
 	hc := prepareHandlerContext(t)
 	bktName := "bucket-set-cors-headers"
 	cnrID, cnr, err := hc.prepareContainer(bktName, acl.Private)
 	require.NoError(t, err)
 	hc.frostfs.SetContainer(cnrID, cnr)
 	var epoch uint64
 	t.Run("CORS object", func(t *testing.T) {
 		for _, tc := range []struct {
 			name            string
 			corsConfig      *data.CORSConfiguration
 			requestHeaders  map[string]string
 			expectedHeaders map[string]string
 		}{
 			{
 				name: "empty Origin header",
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "",
 					fasthttp.HeaderAccessControlAllowMethods:     "",
 					fasthttp.HeaderVary:                          "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 			},
 			{
 				name: "no CORS configuration",
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "",
 					fasthttp.HeaderAccessControlAllowMethods:     "",
 					fasthttp.HeaderVary:                          "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin: "http://example.com",
 				},
 			},
 			{
 				name: "specific allowed origin",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"http://example.com"},
 							AllowedMethods: []string{"GET", "HEAD"},
 						},
 					},
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin: "http://example.com",
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "http://example.com",
 					fasthttp.HeaderAccessControlAllowMethods:     "GET, HEAD",
 					fasthttp.HeaderVary:                          fasthttp.HeaderOrigin,
 					fasthttp.HeaderAccessControlAllowCredentials: "true",
 				},
 			},
 			{
 				name: "wildcard allowed origin, with credentials",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"*"},
 							AllowedMethods: []string{"GET", "HEAD"},
 						},
 					},
 				},
 				requestHeaders: func() map[string]string {
 					tkn := new(bearer.Token)
 					err = tkn.Sign(hc.key.PrivateKey)
 					require.NoError(t, err)
 					t64 := base64.StdEncoding.EncodeToString(tkn.Marshal())
 					require.NotEmpty(t, t64)
 					return map[string]string{
 						fasthttp.HeaderOrigin:        "http://example.com",
 						fasthttp.HeaderAuthorization: "Bearer " + t64,
 					}
 				}(),
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "http://example.com",
 					fasthttp.HeaderAccessControlAllowMethods:     "GET, HEAD",
 					fasthttp.HeaderVary:                          fasthttp.HeaderOrigin,
 					fasthttp.HeaderAccessControlAllowCredentials: "true",
 				},
 			},
 			{
 				name: "wildcard allowed origin, without credentials",
 				corsConfig: &data.CORSConfiguration{
 					CORSRules: []data.CORSRule{
 						{
 							AllowedOrigins: []string{"*"},
 							AllowedMethods: []string{"GET", "HEAD"},
 						},
 					},
 				},
 				requestHeaders: map[string]string{
 					fasthttp.HeaderOrigin: "http://example.com",
 				},
 				expectedHeaders: map[string]string{
 					fasthttp.HeaderAccessControlAllowOrigin:      "*",
 					fasthttp.HeaderAccessControlAllowMethods:     "GET, HEAD",
 					fasthttp.HeaderVary:                          "",
 					fasthttp.HeaderAccessControlAllowCredentials: "",
 				},
 			},
 		} {
 			t.Run(tc.name, func(t *testing.T) {
 				epoch++
 				setCORSObject(t, hc, cnrID, tc.corsConfig, epoch)
 				r := prepareCORSRequest(t, bktName, tc.requestHeaders)
 				hc.Handler().SetCORSHeaders(r)
 				require.Equal(t, fasthttp.StatusOK, r.Response.StatusCode())
 				for k, v := range tc.expectedHeaders {
 					require.Equal(t, v, string(r.Response.Header.Peek(k)))
 				}
 			})
 		}
 	})
 	t.Run("CORS config", func(t *testing.T) {
 		hc.cfg.cors = &data.CORSRule{
 			AllowedOrigins:     []string{"*"},
 			AllowedMethods:     []string{"GET", "HEAD"},
 			AllowedHeaders:     []string{"Content-Type", "Content-Encoding"},
 			ExposeHeaders:      []string{"x-amz-*", "X-Amz-*"},
 			MaxAgeSeconds:      900,
 			AllowedCredentials: true,
 		}
 		r := prepareCORSRequest(t, bktName, map[string]string{fasthttp.HeaderOrigin: "http://example.com"})
 		hc.Handler().SetCORSHeaders(r)
 		require.Equal(t, "900", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlMaxAge)))
 		require.Equal(t, "*", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowOrigin)))
 		require.Equal(t, "GET, HEAD", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowMethods)))
 		require.Equal(t, "Content-Type, Content-Encoding", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowHeaders)))
 		require.Equal(t, "x-amz-*, X-Amz-*", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlExposeHeaders)))
 		require.Equal(t, "true", string(r.Response.Header.Peek(fasthttp.HeaderAccessControlAllowCredentials)))
 	})
 }
 func TestCheckSubslice(t *testing.T) {
 	for _, tc := range []struct {
 		name     string
 		allowed  []string
 		actual   []string
 		expected bool
 	}{
 		{
 			name:     "empty allowed slice",
 			allowed:  []string{},
 			actual:   []string{"str1", "str2", "str3"},
 			expected: false,
 		},
 		{
 			name:     "empty actual slice",
 			allowed:  []string{"str1", "str2", "str3"},
 			actual:   []string{},
 			expected: true,
 		},
 		{
 			name:     "allowed wildcard",
 			allowed:  []string{"str", "*"},
 			actual:   []string{"str1", "str2", "str3"},
 			expected: true,
 		},
 		{
 			name:     "similar allowed and actual",
 			allowed:  []string{"str1", "str2", "str3"},
 			actual:   []string{"str1", "str2", "str3"},
 			expected: true,
 		},
 		{
 			name:     "allowed actual",
 			allowed:  []string{"str", "str1", "str2", "str4"},
 			actual:   []string{"str1", "str2"},
 			expected: true,
 		},
 		{
 			name:     "not allowed actual",
 			allowed:  []string{"str", "str1", "str2", "str4"},
 			actual:   []string{"str1", "str5"},
 			expected: false,
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			require.Equal(t, tc.expected, checkSubslice(tc.allowed, tc.actual))
 		})
 	}
 }
 func setCORSObject(t *testing.T, hc *handlerContext, cnrID cid.ID, corsConfig *data.CORSConfiguration, epoch uint64) {
 	payload, err := xml.Marshal(corsConfig)
 	require.NoError(t, err)
 	a := object.NewAttribute()
 	a.SetKey(object.AttributeFilePath)
 	a.SetValue(fmt.Sprintf(corsFilePathTemplate, cnrID))
 	objID := oidtest.ID()
 	obj := object.New()
 	obj.SetAttributes(*a)
 	obj.SetOwnerID(hc.owner)
 	obj.SetPayload(payload)
 	obj.SetPayloadSize(uint64(len(payload)))
 	obj.SetContainerID(hc.corsCnr)
 	obj.SetID(objID)
 	obj.SetCreationEpoch(epoch)
 	var addr oid.Address
 	addr.SetObject(objID)
 	addr.SetContainer(hc.corsCnr)
 	hc.frostfs.SetObject(addr, obj)
 }
--- a/internal/handler/download.go
+++ b/internal/handler/download.go
@ -1,19 +1,22 @@
 package handler
 import (
 	"archive/tar"
 	"archive/zip"
 	"bufio"
 	"compress/gzip"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/response"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
@ -22,30 +25,54 @@ import (
 )
 // DownloadByAddressOrBucketName handles download requests using simple cid/oid or bucketname/key format.
-func (h *Handler) DownloadByAddressOrBucketName(c *fasthttp.RequestCtx) {
+func (h *Handler) DownloadByAddressOrBucketName(req *fasthttp.RequestCtx) {
-	test, _ := c.UserValue("oid").(string)
+	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.DownloadByAddressOrBucketName")
-	var id oid.ID
+	defer span.End()
-	err := id.DecodeString(test)
+
 	cidParam := req.UserValue("cid").(string)
 	oidParam := req.UserValue("oid").(string)
 	downloadParam := req.QueryArgs().GetBool("download")
 	ctx = utils.SetReqLog(ctx, h.reqLogger(ctx).With(
 		zap.String("cid", cidParam),
 		zap.String("oid", oidParam),
 	))
 	bktInfo, err := h.getBucketInfo(ctx, cidParam)
 	if err != nil {
-		h.byObjectName(c, h.receiveFile)
+		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
 		return
 	}
 	checkS3Err := h.tree.CheckSettingsNodeExists(ctx, bktInfo)
 	if checkS3Err != nil && !errors.Is(checkS3Err, layer.ErrNodeNotFound) {
 		h.logAndSendError(ctx, req, logs.FailedToCheckIfSettingsNodeExist, checkS3Err)
 		return
 	}
 	var objID oid.ID
 	if checkS3Err == nil && shouldDownload(oidParam, downloadParam) {
 		h.byS3Path(ctx, req, bktInfo.CID, oidParam, h.receiveFile)
 	} else if err = objID.DecodeString(oidParam); err == nil {
 		h.byNativeAddress(ctx, req, bktInfo.CID, objID, h.receiveFile)
 	} else {
-		h.byAddress(c, h.receiveFile)
+		h.browseIndex(ctx, req, cidParam, oidParam, checkS3Err != nil)
 	}
 }
-func (h *Handler) newRequest(ctx *fasthttp.RequestCtx, log *zap.Logger) *request {
+func shouldDownload(oidParam string, downloadParam bool) bool {
-	return &request{
+	return !isDir(oidParam) || downloadParam
 		RequestCtx: ctx,
 		log:        log,
 	}
 }
 // DownloadByAttribute handles attribute-based download requests.
-func (h *Handler) DownloadByAttribute(c *fasthttp.RequestCtx) {
+func (h *Handler) DownloadByAttribute(req *fasthttp.RequestCtx) {
-	h.byAttribute(c, h.receiveFile)
+	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.DownloadByAttribute")
 	defer span.End()
 	h.byAttribute(ctx, req, h.receiveFile)
 }
-func (h *Handler) search(ctx context.Context, cnrID *cid.ID, key, val string, op object.SearchMatchType) (ResObjectSearch, error) {
+func (h *Handler) search(ctx context.Context, cnrID cid.ID, key, val string, op object.SearchMatchType) (ResObjectSearch, error) {
 	filters := object.NewSearchFilters()
 	filters.AddRootFilter()
 	filters.AddFilter(key, val, op)
@ -54,20 +81,73 @@ func (h *Handler) search(ctx context.Context, cnrID *cid.ID, key, val string, op
 		PrmAuth: PrmAuth{
 			BearerToken: bearerToken(ctx),
 		},
-		Container: *cnrID,
+		Container: cnrID,
 		Filters:   filters,
 	}
 	return h.frostfs.SearchObjects(ctx, prm)
 }
-func (h *Handler) addObjectToZip(zw *zip.Writer, obj *object.Object) (io.Writer, error) {
+// DownloadZip handles zip by prefix requests.
 func (h *Handler) DownloadZip(req *fasthttp.RequestCtx) {
 	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.DownloadZip")
 	defer span.End()
 	scid, _ := req.UserValue("cid").(string)
 	prefix, _ := req.UserValue("prefix").(string)
 	ctx = utils.SetReqLog(ctx, h.reqLogger(ctx).With(zap.String("cid", scid), zap.String("prefix", prefix)))
 	bktInfo, err := h.getBucketInfo(ctx, scid)
 	if err != nil {
 		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
 		return
 	}
 	resSearch, err := h.searchObjectsByPrefix(ctx, bktInfo.CID, prefix)
 	if err != nil {
 		return
 	}
 	req.Response.Header.Set(fasthttp.HeaderContentType, "application/zip")
 	req.Response.Header.Set(fasthttp.HeaderContentDisposition, "attachment; filename=\"archive.zip\"")
 	req.SetBodyStreamWriter(h.getZipResponseWriter(ctx, resSearch, bktInfo))
 }
 func (h *Handler) getZipResponseWriter(ctx context.Context, resSearch ResObjectSearch, bktInfo *data.BucketInfo) func(w *bufio.Writer) {
 	return func(w *bufio.Writer) {
 		defer resSearch.Close()
 		buf := make([]byte, 3<<20)
 		zipWriter := zip.NewWriter(w)
 		var objectsWritten int
 		errIter := resSearch.Iterate(h.putObjectToArchive(ctx, bktInfo.CID, buf,
 			func(obj *object.Object) (io.Writer, error) {
 				objectsWritten++
 				return h.createZipFile(zipWriter, obj)
 			}),
 		)
 		if errIter != nil {
 			h.reqLogger(ctx).Error(logs.IteratingOverSelectedObjectsFailed, zap.Error(errIter), logs.TagField(logs.TagDatapath))
 			return
 		} else if objectsWritten == 0 {
 			h.reqLogger(ctx).Warn(logs.ObjectsNotFound, logs.TagField(logs.TagDatapath))
 		}
 		if err := zipWriter.Close(); err != nil {
 			h.reqLogger(ctx).Error(logs.CloseZipWriter, zap.Error(err), logs.TagField(logs.TagDatapath))
 		}
 	}
 }
 func (h *Handler) createZipFile(zw *zip.Writer, obj *object.Object) (io.Writer, error) {
 	method := zip.Store
-	if h.config.ZipCompression() {
+	if h.config.ArchiveCompression() {
 		method = zip.Deflate
 	}
-	filePath := getZipFilePath(obj)
+	filePath := getFilePath(obj)
 	if len(filePath) == 0 || filePath[len(filePath)-1] == '/' {
 		return nil, fmt.Errorf("invalid filepath '%s'", filePath)
 	}
@ -79,99 +159,134 @@ func (h *Handler) addObjectToZip(zw *zip.Writer, obj *object.Object) (io.Writer,
 	})
 }
-// DownloadZipped handles zip by prefix requests.
+// DownloadTar forms tar.gz from objects by prefix.
-func (h *Handler) DownloadZipped(c *fasthttp.RequestCtx) {
+func (h *Handler) DownloadTar(req *fasthttp.RequestCtx) {
-	scid, _ := c.UserValue("cid").(string)
+	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.DownloadTar")
-	prefix, _ := c.UserValue("prefix").(string)
+	defer span.End()
-	ctx := utils.GetContextFromRequest(c)
+	scid, _ := req.UserValue("cid").(string)
-	log := utils.GetReqLogOrDefault(ctx, h.log)
+	prefix, _ := req.UserValue("prefix").(string)
-	prefix, err := url.QueryUnescape(prefix)
+	ctx = utils.SetReqLog(ctx, h.reqLogger(ctx).With(zap.String("cid", scid), zap.String("prefix", prefix)))
 	bktInfo, err := h.getBucketInfo(ctx, scid)
 	if err != nil {
-		log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("prefix", prefix), zap.Error(err))
+		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
 		response.Error(c, "could not unescape prefix: "+err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
-	log = log.With(zap.String("cid", scid), zap.String("prefix", prefix))
+	resSearch, err := h.searchObjectsByPrefix(ctx, bktInfo.CID, prefix)
 	bktInfo, err := h.getBucketInfo(ctx, scid, log)
 	if err != nil {
 		logAndSendBucketError(c, log, err)
 		return
 	}
-	resSearch, err := h.search(ctx, &bktInfo.CID, object.AttributeFilePath, prefix, object.MatchCommonPrefix)
+	req.Response.Header.Set(fasthttp.HeaderContentType, "application/gzip")
-	if err != nil {
+	req.Response.Header.Set(fasthttp.HeaderContentDisposition, "attachment; filename=\"archive.tar.gz\"")
 		log.Error(logs.CouldNotSearchForObjects, zap.Error(err))
 		response.Error(c, "could not search for objects: "+err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
-	c.Response.Header.Set(fasthttp.HeaderContentType, "application/zip")
+	req.SetBodyStreamWriter(h.getTarResponseWriter(ctx, resSearch, bktInfo))
-	c.Response.Header.Set(fasthttp.HeaderContentDisposition, "attachment; filename=\"archive.zip\"")
+}
 	c.Response.SetStatusCode(http.StatusOK)
-	c.SetBodyStreamWriter(func(w *bufio.Writer) {
+func (h *Handler) getTarResponseWriter(ctx context.Context, resSearch ResObjectSearch, bktInfo *data.BucketInfo) func(w *bufio.Writer) {
 	return func(w *bufio.Writer) {
 		defer resSearch.Close()
-		zipWriter := zip.NewWriter(w)
+		compressionLevel := gzip.NoCompression
 		if h.config.ArchiveCompression() {
 			compressionLevel = gzip.DefaultCompression
 		}
-		var bufZip []byte
+		// ignore error because it's not nil only if compressionLevel argument is invalid
-		var addr oid.Address
+		gzipWriter, _ := gzip.NewWriterLevel(w, compressionLevel)
 		tarWriter := tar.NewWriter(gzipWriter)
-		empty := true
+		defer func() {
-		called := false
+			if err := tarWriter.Close(); err != nil {
-		btoken := bearerToken(ctx)
+				h.reqLogger(ctx).Error(logs.CloseTarWriter, zap.Error(err), logs.TagField(logs.TagDatapath))
 		addr.SetContainer(bktInfo.CID)
 		errIter := resSearch.Iterate(func(id oid.ID) bool {
 			called = true
 			if empty {
 				bufZip = make([]byte, 3<<20) // the same as for upload
 			}
-			empty = false
+			if err := gzipWriter.Close(); err != nil {
-
+				h.reqLogger(ctx).Error(logs.CloseGzipWriter, zap.Error(err), logs.TagField(logs.TagDatapath))
 			addr.SetObject(id)
 			if err = h.zipObject(ctx, zipWriter, addr, btoken, bufZip); err != nil {
 				log.Error(logs.FailedToAddObjectToArchive, zap.String("oid", id.EncodeToString()), zap.Error(err))
 			}
 		}()
-			return false
+		var objectsWritten int
-		})
+		buf := make([]byte, 3<<20) // the same as for upload
 		errIter := resSearch.Iterate(h.putObjectToArchive(ctx, bktInfo.CID, buf,
 			func(obj *object.Object) (io.Writer, error) {
 				objectsWritten++
 				return h.createTarFile(tarWriter, obj)
 			}),
 		)
 		if errIter != nil {
-			log.Error(logs.IteratingOverSelectedObjectsFailed, zap.Error(errIter))
+			h.reqLogger(ctx).Error(logs.IteratingOverSelectedObjectsFailed, zap.Error(errIter), logs.TagField(logs.TagDatapath))
-		} else if !called {
+		} else if objectsWritten == 0 {
-			log.Error(logs.ObjectsNotFound)
+			h.reqLogger(ctx).Warn(logs.ObjectsNotFound, logs.TagField(logs.TagDatapath))
 		}
 	}
 }
-		if err = zipWriter.Close(); err != nil {
+func (h *Handler) createTarFile(tw *tar.Writer, obj *object.Object) (io.Writer, error) {
-			log.Error(logs.CloseZipWriter, zap.Error(err))
+	filePath := getFilePath(obj)
-		}
+	if len(filePath) == 0 || filePath[len(filePath)-1] == '/' {
 		return nil, fmt.Errorf("invalid filepath '%s'", filePath)
 	}
 	return tw, tw.WriteHeader(&tar.Header{
 		Name: filePath,
 		Mode: 0655,
 		Size: int64(obj.PayloadSize()),
 	})
 }
-func (h *Handler) zipObject(ctx context.Context, zipWriter *zip.Writer, addr oid.Address, btoken *bearer.Token, bufZip []byte) error {
+func (h *Handler) putObjectToArchive(ctx context.Context, cnrID cid.ID, buf []byte, createArchiveHeader func(obj *object.Object) (io.Writer, error)) func(id oid.ID) bool {
-	prm := PrmObjectGet{
+	return func(id oid.ID) bool {
-		PrmAuth: PrmAuth{
+		logger := h.reqLogger(ctx).With(zap.String("oid", id.EncodeToString()))
 			BearerToken: btoken,
 		},
 		Address: addr,
 	}
-	resGet, err := h.frostfs.GetObject(ctx, prm)
+		prm := PrmObjectGet{
 			PrmAuth: PrmAuth{
 				BearerToken: bearerToken(ctx),
 			},
 			Address: newAddress(cnrID, id),
 		}
 		resGet, err := h.frostfs.GetObject(ctx, prm)
 		if err != nil {
 			logger.Error(logs.FailedToGetObject, zap.Error(err), logs.TagField(logs.TagExternalStorage))
 			return false
 		}
 		fileWriter, err := createArchiveHeader(&resGet.Header)
 		if err != nil {
 			logger.Error(logs.FailedToAddObjectToArchive, zap.Error(err), logs.TagField(logs.TagDatapath))
 			return false
 		}
 		if err = writeToArchive(resGet, fileWriter, buf); err != nil {
 			logger.Error(logs.FailedToAddObjectToArchive, zap.Error(err), logs.TagField(logs.TagDatapath))
 			return false
 		}
 		return false
 	}
 }
 func (h *Handler) searchObjectsByPrefix(ctx context.Context, cnrID cid.ID, prefix string) (ResObjectSearch, error) {
 	prefix, err := url.QueryUnescape(prefix)
 	if err != nil {
-		return fmt.Errorf("get FrostFS object: %v", err)
+		return nil, fmt.Errorf("unescape prefix: %w", err)
 	}
-	objWriter, err := h.addObjectToZip(zipWriter, &resGet.Header)
+	resSearch, err := h.search(ctx, cnrID, object.AttributeFilePath, prefix, object.MatchCommonPrefix)
 	if err != nil {
-		return fmt.Errorf("zip create header: %v", err)
+		return nil, fmt.Errorf("search objects by prefix: %w", err)
 	}
-	if _, err = io.CopyBuffer(objWriter, resGet.Payload, bufZip); err != nil {
+	return resSearch, nil
 }
 func writeToArchive(resGet *Object, objWriter io.Writer, buf []byte) error {
 	var err error
 	if _, err = io.CopyBuffer(objWriter, resGet.Payload, buf); err != nil {
 		return fmt.Errorf("copy object payload to zip file: %v", err)
 	}
@ -179,14 +294,10 @@ func (h *Handler) zipObject(ctx context.Context, zipWriter *zip.Writer, addr oid
 		return fmt.Errorf("object body close error: %w", err)
 	}
 	if err = zipWriter.Flush(); err != nil {
 		return fmt.Errorf("flush zip writer: %v", err)
 	}
 	return nil
 }
-func getZipFilePath(obj *object.Object) string {
+func getFilePath(obj *object.Object) string {
 	for _, attr := range obj.Attributes() {
 		if attr.Key() == object.AttributeFilePath {
 			return attr.Value()
--- a/internal/handler/filter.go
+++ b/internal/handler/filter.go
@ -50,7 +50,8 @@ func filterHeaders(l *zap.Logger, header *fasthttp.RequestHeader) (map[string]st
 		l.Debug(logs.AddAttributeToResultObject,
 			zap.String("key", k),
-			zap.String("val", v))
+			zap.String("val", v),
 			logs.TagField(logs.TagDatapath))
 	})
 	return result, err
--- a/internal/handler/frostfs_mock.go
+++ b/internal/handler/frostfs_mock.go
@ -52,6 +52,10 @@ func (t *TestFrostFS) SetContainer(cnrID cid.ID, cnr *container.Container) {
 	t.containers[cnrID.EncodeToString()] = cnr
 }
 func (t *TestFrostFS) SetObject(addr oid.Address, obj *object.Object) {
 	t.objects[addr.EncodeToString()] = obj
 }
 // AllowUserOperation grants access to object operations.
 // Empty userID and objID means any user and object respectively.
 func (t *TestFrostFS) AllowUserOperation(cnrID cid.ID, userID user.ID, op acl.Op, objID oid.ID) {
--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
@ -11,29 +11,32 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/cache"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/response"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tree"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/panjf2000/ants/v2"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 )
 type Config interface {
 	DefaultTimestamp() bool
-	ZipCompression() bool
+	ArchiveCompression() bool
 	ClientCut() bool
 	IndexPageEnabled() bool
 	IndexPageTemplate() string
 	BufferMaxSizeForPut() uint64
 	NamespaceHeader() string
 	EnableFilepathFallback() bool
 	FormContainerZone(string) string
 	CORS() *data.CORSRule
 }
 // PrmContainer groups parameters of FrostFS.Container operation.
@ -138,6 +141,12 @@ var (
 	ErrAccessDenied = errors.New("access denied")
 	// ErrGatewayTimeout is returned from FrostFS in case of timeout, deadline exceeded etc.
 	ErrGatewayTimeout = errors.New("gateway timeout")
 	// ErrQuotaLimitReached is returned from FrostFS in case of quota exceeded.
 	ErrQuotaLimitReached = errors.New("quota limit reached")
 	// ErrContainerNotFound is returned from FrostFS in case of container was not found.
 	ErrContainerNotFound = errors.New("container not found")
 	// ErrObjectNotFound is returned from FrostFS in case of object was not found.
 	ErrObjectNotFound = errors.New("object not found")
 )
 // FrostFS represents virtual connection to FrostFS network.
@ -154,7 +163,7 @@ type FrostFS interface {
 }
 type ContainerResolver interface {
-	Resolve(ctx context.Context, name string) (*cid.ID, error)
+	Resolve(ctx context.Context, zone, name string) (*cid.ID, error)
 }
 type Handler struct {
@ -163,19 +172,24 @@ type Handler struct {
 	ownerID           *user.ID
 	config            Config
 	containerResolver ContainerResolver
-	tree              *tree.Tree
+	tree              layer.TreeService
 	cache             *cache.BucketCache
 	workerPool        *ants.Pool
 	corsCnrID         cid.ID
 	corsCache         *cache.CORSCache
 }
 type AppParams struct {
-	Logger   *zap.Logger
+	Logger    *zap.Logger
-	FrostFS  FrostFS
+	FrostFS   FrostFS
-	Owner    *user.ID
+	Owner     *user.ID
-	Resolver ContainerResolver
+	Resolver  ContainerResolver
-	Cache    *cache.BucketCache
+	Cache     *cache.BucketCache
 	CORSCnrID cid.ID
 	CORSCache *cache.CORSCache
 }
-func New(params *AppParams, config Config, tree *tree.Tree) *Handler {
+func New(params *AppParams, config Config, tree layer.TreeService, workerPool *ants.Pool) *Handler {
 	return &Handler{
 		log:               params.Logger,
 		frostfs:           params.FrostFS,
@ -184,149 +198,149 @@ func New(params *AppParams, config Config, tree *tree.Tree) *Handler {
 		containerResolver: params.Resolver,
 		tree:              tree,
 		cache:             params.Cache,
 		workerPool:        workerPool,
 		corsCnrID:         params.CORSCnrID,
 		corsCache:         params.CORSCache,
 	}
 }
-// byAddress is a wrapper for function (e.g. request.headObject, request.receiveFile) that
+// byNativeAddress is a wrapper for function (e.g. request.headObject, request.receiveFile) that
 // prepares request and object address to it.
-func (h *Handler) byAddress(c *fasthttp.RequestCtx, f func(context.Context, request, oid.Address)) {
+func (h *Handler) byNativeAddress(ctx context.Context, req *fasthttp.RequestCtx, cnrID cid.ID, objID oid.ID, handler func(context.Context, *fasthttp.RequestCtx, oid.Address)) {
-	idCnr, _ := c.UserValue("cid").(string)
+	ctx, span := tracing.StartSpanFromContext(ctx, "handler.byNativeAddress")
-	idObj, _ := c.UserValue("oid").(string)
+	defer span.End()
-	ctx := utils.GetContextFromRequest(c)
+	addr := newAddress(cnrID, objID)
-	reqLog := utils.GetReqLogOrDefault(ctx, h.log)
+	handler(ctx, req, addr)
 	log := reqLog.With(zap.String("cid", idCnr), zap.String("oid", idObj))
 	bktInfo, err := h.getBucketInfo(ctx, idCnr, log)
 	if err != nil {
 		logAndSendBucketError(c, log, err)
 		return
 	}
 	objID := new(oid.ID)
 	if err = objID.DecodeString(idObj); err != nil {
 		log.Error(logs.WrongObjectID, zap.Error(err))
 		response.Error(c, "wrong object id", fasthttp.StatusBadRequest)
 		return
 	}
 	addr := newAddress(bktInfo.CID, *objID)
 	f(ctx, *h.newRequest(c, log), addr)
 }
-// byObjectName is a wrapper for function (e.g. request.headObject, request.receiveFile) that
+// byS3Path is a wrapper for function (e.g. request.headObject, request.receiveFile) that
-// prepares request and object address to it.
+// resolves object address from S3-like path <bucket name>/<object key>.
-func (h *Handler) byObjectName(c *fasthttp.RequestCtx, f func(context.Context, request, oid.Address)) {
+func (h *Handler) byS3Path(ctx context.Context, req *fasthttp.RequestCtx, cnrID cid.ID, path string, handler func(context.Context, *fasthttp.RequestCtx, oid.Address)) {
-	bucketname := c.UserValue("cid").(string)
+	ctx, span := tracing.StartSpanFromContext(ctx, "handler.byS3Path")
-	key := c.UserValue("oid").(string)
+	defer span.End()
 	download := c.QueryArgs().GetBool("download")
-	ctx := utils.GetContextFromRequest(c)
+	foundOID, err := h.tree.GetLatestVersion(ctx, &cnrID, path)
 	reqLog := utils.GetReqLogOrDefault(ctx, h.log)
 	log := reqLog.With(zap.String("bucketname", bucketname), zap.String("key", key))
 	unescapedKey, err := url.QueryUnescape(key)
 	if err != nil {
-		logAndSendBucketError(c, log, err)
+		h.logAndSendError(ctx, req, logs.FailedToGetLatestVersionOfObject, err, zap.String("path", path))
 		return
 	}
 	if foundOID.IsDeleteMarker {
 		h.logAndSendError(ctx, req, logs.ObjectWasDeleted, ErrObjectNotFound)
 		return
 	}
-	bktInfo, err := h.getBucketInfo(ctx, bucketname, log)
+	addr := newAddress(cnrID, foundOID.OID)
-	if err != nil {
+	handler(ctx, req, addr)
 		logAndSendBucketError(c, log, err)
 		return
 	}
 	foundOid, err := h.tree.GetLatestVersion(ctx, &bktInfo.CID, unescapedKey)
 	if h.config.IndexPageEnabled() && !download && string(c.Method()) != fasthttp.MethodHead {
 		if isDir(unescapedKey) || isContainerRoot(unescapedKey) {
 			if code := checkErrorType(err); code == fasthttp.StatusNotFound || code == fasthttp.StatusOK {
 				c.SetStatusCode(code)
 				h.browseObjects(c, bktInfo, unescapedKey)
 				return
 			}
 		}
 	}
 	if err != nil {
 		if errors.Is(err, tree.ErrNodeAccessDenied) {
 			response.Error(c, "Access Denied", fasthttp.StatusForbidden)
 		} else {
 			response.Error(c, "object wasn't found", fasthttp.StatusNotFound)
 			log.Error(logs.GetLatestObjectVersion, zap.Error(err))
 		}
 		return
 	}
 	if foundOid.DeleteMarker {
 		log.Error(logs.ObjectWasDeleted)
 		response.Error(c, "object deleted", fasthttp.StatusNotFound)
 		return
 	}
 	addr := newAddress(bktInfo.CID, foundOid.OID)
 	f(ctx, *h.newRequest(c, log), addr)
 }
-// byAttribute is a wrapper similar to byAddress.
+// byAttribute is a wrapper similar to byNativeAddress.
-func (h *Handler) byAttribute(c *fasthttp.RequestCtx, f func(context.Context, request, oid.Address)) {
+func (h *Handler) byAttribute(ctx context.Context, req *fasthttp.RequestCtx, handler func(context.Context, *fasthttp.RequestCtx, oid.Address)) {
-	scid, _ := c.UserValue("cid").(string)
+	cidParam, _ := req.UserValue("cid").(string)
-	key, _ := c.UserValue("attr_key").(string)
+	key, _ := req.UserValue("attr_key").(string)
-	val, _ := c.UserValue("attr_val").(string)
+	val, _ := req.UserValue("attr_val").(string)
 	ctx := utils.GetContextFromRequest(c)
 	log := utils.GetReqLogOrDefault(ctx, h.log)
 	key, err := url.QueryUnescape(key)
 	if err != nil {
-		log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("attr_key", key), zap.Error(err))
+		h.logAndSendError(ctx, req, logs.FailedToUnescapeQuery, err, zap.String("cid", cidParam), zap.String("attr_key", key))
 		response.Error(c, "could not unescape attr_key: "+err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
 	val, err = url.QueryUnescape(val)
 	if err != nil {
-		log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("attr_val", val), zap.Error(err))
+		h.logAndSendError(ctx, req, logs.FailedToUnescapeQuery, err, zap.String("cid", cidParam), zap.String("attr_val", key))
 		response.Error(c, "could not unescape attr_val: "+err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
-	log = log.With(zap.String("cid", scid), zap.String("attr_key", key), zap.String("attr_val", val))
+	val = prepareAtribute(key, val)
-	bktInfo, err := h.getBucketInfo(ctx, scid, log)
+	ctx = utils.SetReqLog(ctx, h.reqLogger(ctx).With(zap.String("cid", cidParam),
 		zap.String("attr_key", key), zap.String("attr_val", val)))
 	bktInfo, err := h.getBucketInfo(ctx, cidParam)
 	if err != nil {
-		logAndSendBucketError(c, log, err)
+		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
 		return
 	}
-	res, err := h.search(ctx, &bktInfo.CID, key, val, object.MatchStringEqual)
+	objID, err := h.findObjectByAttribute(ctx, bktInfo.CID, key, val)
 	if err != nil {
-		log.Error(logs.CouldNotSearchForObjects, zap.Error(err))
+		if errors.Is(err, io.EOF) {
-		response.Error(c, "could not search for objects: "+err.Error(), fasthttp.StatusBadRequest)
+			err = fmt.Errorf("%w: %s", ErrObjectNotFound, err.Error())
 		}
 		h.logAndSendError(ctx, req, logs.FailedToFindObjectByAttribute, err)
 		return
 	}
 	var addr oid.Address
 	addr.SetContainer(bktInfo.CID)
 	addr.SetObject(objID)
 	handler(ctx, req, addr)
 }
 func (h *Handler) findObjectByAttribute(ctx context.Context, cnrID cid.ID, attrKey, attrVal string) (oid.ID, error) {
 	res, err := h.search(ctx, cnrID, attrKey, attrVal, object.MatchStringEqual)
 	if err != nil {
 		return oid.ID{}, fmt.Errorf("search objects: %w", err)
 	}
 	defer res.Close()
 	buf := make([]oid.ID, 1)
 	n, err := res.Read(buf)
 	if n == 0 {
-		if errors.Is(err, io.EOF) {
+		switch {
-			log.Error(logs.ObjectNotFound, zap.Error(err))
+		case errors.Is(err, io.EOF) && h.needSearchByFileName(attrKey, attrVal):
-			response.Error(c, "object not found", fasthttp.StatusNotFound)
+			h.reqLogger(ctx).Debug(logs.ObjectNotFoundByFilePathTrySearchByFileName, logs.TagField(logs.TagExternalStorage))
-			return
+			attrVal = prepareAtribute(attrFileName, attrVal)
 			return h.findObjectByAttribute(ctx, cnrID, attrFileName, attrVal)
 		case errors.Is(err, io.EOF):
 			h.reqLogger(ctx).Error(logs.ObjectNotFound, zap.Error(err), logs.TagField(logs.TagExternalStorage))
 			return oid.ID{}, fmt.Errorf("object not found: %w", err)
 		default:
 			h.reqLogger(ctx).Error(logs.ReadObjectListFailed, zap.Error(err), logs.TagField(logs.TagExternalStorage))
 			return oid.ID{}, fmt.Errorf("read object list failed: %w", err)
 		}
 		log.Error(logs.ReadObjectListFailed, zap.Error(err))
 		response.Error(c, "read object list failed: "+err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
-	var addrObj oid.Address
+	return buf[0], nil
-	addrObj.SetContainer(bktInfo.CID)
+}
 	addrObj.SetObject(buf[0])
-	f(ctx, *h.newRequest(c, log), addrObj)
+func (h *Handler) needSearchByFileName(key, val string) bool {
 	if key != attrFilePath || !h.config.EnableFilepathFallback() {
 		return false
 	}
 	return strings.HasPrefix(val, "/") && strings.Count(val, "/") == 1 || !strings.Contains(val, "/")
 }
 func prepareAtribute(attrKey, attrVal string) string {
 	if attrKey == attrFileName {
 		return prepareFileName(attrVal)
 	}
 	if attrKey == attrFilePath {
 		return prepareFilePath(attrVal)
 	}
 	return attrVal
 }
 func prepareFileName(fileName string) string {
 	if strings.HasPrefix(fileName, "/") {
 		return fileName[1:]
 	}
 	return fileName
 }
 func prepareFilePath(filePath string) string {
 	if !strings.HasPrefix(filePath, "/") {
 		return "/" + filePath
 	}
 	return filePath
 }
 // resolveContainer decode container id, if it's not a valid container id
@ -335,15 +349,22 @@ func (h *Handler) resolveContainer(ctx context.Context, containerID string) (*ci
 	cnrID := new(cid.ID)
 	err := cnrID.DecodeString(containerID)
 	if err != nil {
-		cnrID, err = h.containerResolver.Resolve(ctx, containerID)
+		var namespace string
 		namespace, err = middleware.GetNamespace(ctx)
 		if err != nil {
 			return nil, err
 		}
 		zone := h.config.FormContainerZone(namespace)
 		cnrID, err = h.containerResolver.Resolve(ctx, zone, containerID)
 		if err != nil && strings.Contains(err.Error(), "not found") {
-			err = fmt.Errorf("%w: %s", new(apistatus.ContainerNotFound), err.Error())
+			err = fmt.Errorf("%w: %s", ErrContainerNotFound, err.Error())
 		}
 	}
 	return cnrID, err
 }
-func (h *Handler) getBucketInfo(ctx context.Context, containerName string, log *zap.Logger) (*data.BucketInfo, error) {
+func (h *Handler) getBucketInfo(ctx context.Context, containerName string) (*data.BucketInfo, error) {
 	ns, err := middleware.GetNamespace(ctx)
 	if err != nil {
 		return nil, err
@ -355,19 +376,20 @@ func (h *Handler) getBucketInfo(ctx context.Context, containerName string, log *
 	cnrID, err := h.resolveContainer(ctx, containerName)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("resolve container: %w", err)
 	}
 	bktInfo, err := h.readContainer(ctx, *cnrID)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("read container: %w", err)
 	}
 	if err = h.cache.Put(bktInfo); err != nil {
-		log.Warn(logs.CouldntPutBucketIntoCache,
+		h.reqLogger(ctx).Warn(logs.CouldntPutBucketIntoCache,
 			zap.String("bucket name", bktInfo.Name),
 			zap.Stringer("bucket cid", bktInfo.CID),
-			zap.Error(err))
+			zap.Error(err),
 			logs.TagField(logs.TagDatapath))
 	}
 	return bktInfo, nil
@ -391,28 +413,42 @@ func (h *Handler) readContainer(ctx context.Context, cnrID cid.ID) (*data.Bucket
 	}
 	bktInfo.HomomorphicHashDisabled = container.IsHomomorphicHashingDisabled(*res)
 	bktInfo.PlacementPolicy = res.PlacementPolicy()
 	return bktInfo, err
 }
-func (h *Handler) listObjects(ctx context.Context, bucketInfo *data.BucketInfo, prefix string) ([]map[string]string, error) {
+func (h *Handler) browseIndex(ctx context.Context, req *fasthttp.RequestCtx, cidParam, oidParam string, isNativeList bool) {
-	nodes, _, err := h.tree.GetSubTreeByPrefix(ctx, bucketInfo, prefix, true)
+	ctx, span := tracing.StartSpanFromContext(ctx, "handler.browseIndex")
 	defer span.End()
 	if !h.config.IndexPageEnabled() {
 		req.SetStatusCode(fasthttp.StatusNotFound)
 		return
 	}
 	unescapedKey, err := url.QueryUnescape(oidParam)
 	if err != nil {
-		return nil, err
+		h.logAndSendError(ctx, req, logs.FailedToUnescapeOIDParam, err)
 		return
 	}
-	var objects = make([]map[string]string, 0, len(nodes))
+	bktInfo, err := h.getBucketInfo(ctx, cidParam)
-	for _, node := range nodes {
+	if err != nil {
-		meta := node.GetMeta()
+		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
-		if meta == nil {
+		return
 			continue
 		}
 		var obj = make(map[string]string, len(meta))
 		for _, m := range meta {
 			obj[m.GetKey()] = string(m.GetValue())
 		}
 		objects = append(objects, obj)
 	}
-	return objects, nil
+	listFunc := h.getDirObjectsS3
 	if isNativeList {
 		// tree probe failed, trying to use native
 		listFunc = h.getDirObjectsNative
 	}
 	h.browseObjects(ctx, req, browseParams{
 		bucketInfo:  bktInfo,
 		prefix:      unescapedKey,
 		listObjects: listFunc,
 		isNative:    isNativeList,
 	})
 }
--- a/internal/handler/handler_fuzz_test.go
+++ b/internal/handler/handler_fuzz_test.go
@ -21,6 +21,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	go_fuzz_utils "github.com/trailofbits/go-fuzz-utils"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 )
 const (
@ -125,7 +126,7 @@ func maybeFillRandom(tp *go_fuzz_utils.TypeProvider, initValue string) (string,
 }
 func upload(tp *go_fuzz_utils.TypeProvider) (context.Context, *handlerContext, cid.ID, *fasthttp.RequestCtx, string, string, string, error) {
-	hc, err := prepareHandlerContext()
+	hc, err := prepareHandlerContextBase(zap.NewExample())
 	if err != nil {
 		return nil, nil, cid.ID{}, nil, "", "", "", err
 	}
@ -517,7 +518,7 @@ func DoFuzzDownloadZipped(input []byte) int {
 	r.SetUserValue("cid", cid)
 	r.SetUserValue("prefix", prefix)
-	hc.Handler().DownloadZipped(r)
+	hc.Handler().DownloadZip(r)
 	return fuzzSuccessExitCode
 }
--- a/internal/handler/handler_test.go
+++ b/internal/handler/handler_test.go
@ -14,9 +14,11 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/cache"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/resolver"
-	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tree"
+	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	v2container "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
@ -26,30 +28,49 @@ import (
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/panjf2000/ants/v2"
 	"github.com/stretchr/testify/require"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zaptest"
 )
-type treeClientMock struct {
+type treeServiceMock struct {
 	system map[string]map[string]*data.BaseNodeVersion
 }
-func (t *treeClientMock) GetNodes(context.Context, *tree.GetNodesParams) ([]tree.NodeResponse, error) {
+func newTreeService() *treeServiceMock {
-	return nil, nil
+	return &treeServiceMock{
 		system: make(map[string]map[string]*data.BaseNodeVersion),
 	}
 }
-func (t *treeClientMock) GetSubTree(context.Context, *data.BucketInfo, string, []uint64, uint32, bool) ([]tree.NodeResponse, error) {
+func (t *treeServiceMock) CheckSettingsNodeExists(context.Context, *data.BucketInfo) error {
 	_, ok := t.system["bucket-settings"]
 	if !ok {
 		return layer.ErrNodeNotFound
 	}
 	return nil
 }
 func (t *treeServiceMock) GetSubTreeByPrefix(context.Context, *data.BucketInfo, string, bool) ([]data.NodeInfo, string, error) {
 	return nil, "", nil
 }
 func (t *treeServiceMock) GetLatestVersion(context.Context, *cid.ID, string) (*data.NodeVersion, error) {
 	return nil, nil
 }
 type configMock struct {
 	additionalSearch bool
 	cors             *data.CORSRule
 }
 func (c *configMock) DefaultTimestamp() bool {
 	return false
 }
-func (c *configMock) ZipCompression() bool {
+func (c *configMock) ArchiveCompression() bool {
 	return false
 }
@ -57,10 +78,11 @@ func (c *configMock) IndexPageEnabled() bool {
 	return false
 }
-func (c *configMock) IndexPageTemplatePath() string {
+func (c *configMock) IndexPageTemplate() string {
 	return ""
 }
-func (c *configMock) IndexPageTemplate() string {
+
 func (c *configMock) IndexPageNativeTemplate() string {
 	return ""
 }
@ -76,13 +98,26 @@ func (c *configMock) NamespaceHeader() string {
 	return ""
 }
 func (c *configMock) EnableFilepathFallback() bool {
 	return c.additionalSearch
 }
 func (c *configMock) FormContainerZone(string) string {
 	return v2container.SysAttributeZoneDefault
 }
 func (c *configMock) CORS() *data.CORSRule {
 	return c.cors
 }
 type handlerContext struct {
-	key   *keys.PrivateKey
+	key     *keys.PrivateKey
-	owner user.ID
+	owner   user.ID
 	corsCnr cid.ID
 	h       *Handler
 	frostfs *TestFrostFS
-	tree    *treeClientMock
+	tree    *treeServiceMock
 	cfg     *configMock
 }
@ -90,12 +125,13 @@ func (hc *handlerContext) Handler() *Handler {
 	return hc.h
 }
-func prepareHandlerContext() (*handlerContext, error) {
+func prepareHandlerContext(t *testing.T) *handlerContext {
-	logger, err := zap.NewDevelopment()
+	hc, err := prepareHandlerContextBase(zaptest.NewLogger(t))
-	if err != nil {
+	require.NoError(t, err)
-		return nil, err
+	return hc
-	}
+}
 func prepareHandlerContextBase(logger *zap.Logger) (*handlerContext, error) {
 	key, err := keys.NewPrivateKey()
 	if err != nil {
 		return nil, err
@ -107,10 +143,12 @@ func prepareHandlerContext() (*handlerContext, error) {
 	testFrostFS := NewTestFrostFS(key)
 	testResolver := &resolver.Resolver{Name: "test_resolver"}
-	testResolver.SetResolveFunc(func(_ context.Context, name string) (*cid.ID, error) {
+	testResolver.SetResolveFunc(func(_ context.Context, _, name string) (*cid.ID, error) {
 		return testFrostFS.ContainerID(name)
 	})
 	cnrID := createCORSContainer(owner, testFrostFS)
 	params := &AppParams{
 		Logger:   logger,
 		FrostFS:  testFrostFS,
@ -120,17 +158,28 @@ func prepareHandlerContext() (*handlerContext, error) {
 			Size:     1,
 			Lifetime: 1,
 			Logger:   logger,
 		}, false),
 		CORSCnrID: cnrID,
 		CORSCache: cache.NewCORSCache(&cache.Config{
 			Size:     1,
 			Lifetime: 1,
 			Logger:   logger,
 		}),
 	}
-	treeMock := &treeClientMock{}
+	treeMock := newTreeService()
 	cfgMock := &configMock{}
-	handler := New(params, cfgMock, tree.NewTree(treeMock))
+	workerPool, err := ants.NewPool(1)
 	if err != nil {
 		return nil, err
 	}
 	handler := New(params, cfgMock, treeMock, workerPool)
 	return &handlerContext{
 		key:     key,
 		owner:   owner,
 		corsCnr: cnrID,
 		h:       handler,
 		frostfs: testFrostFS,
 		tree:    treeMock,
@ -138,6 +187,20 @@ func prepareHandlerContext() (*handlerContext, error) {
 	}, nil
 }
 func createCORSContainer(owner user.ID, frostfs *TestFrostFS) cid.ID {
 	var cnr container.Container
 	cnr.Init()
 	cnr.SetOwner(owner)
 	cnrID := cidtest.ID()
 	frostfs.SetContainer(cnrID, &cnr)
 	frostfs.AllowUserOperation(cnrID, owner, acl.OpObjectSearch, oid.ID{})
 	frostfs.AllowUserOperation(cnrID, owner, acl.OpObjectHead, oid.ID{})
 	frostfs.AllowUserOperation(cnrID, owner, acl.OpObjectGet, oid.ID{})
 	return cnrID
 }
 func (hc *handlerContext) prepareContainer(name string, basicACL acl.Basic) (cid.ID, *container.Container, error) {
 	var pp netmap.PlacementPolicy
 	err := pp.DecodeString("REP 1")
@ -170,8 +233,7 @@ func (hc *handlerContext) prepareContainer(name string, basicACL acl.Basic) (cid
 }
 func TestBasic(t *testing.T) {
-	hc, err := prepareHandlerContext()
+	hc := prepareHandlerContext(t)
 	require.NoError(t, err)
 	bktName := "bucket"
 	cnrID, cnr, err := hc.prepareContainer(bktName, acl.PublicRWExtended)
@ -193,10 +255,10 @@ func TestBasic(t *testing.T) {
 	require.NoError(t, err)
 	obj := hc.frostfs.objects[putRes.ContainerID+"/"+putRes.ObjectID]
-	attr := object.NewAttribute()
+	fileName := prepareObjectAttributes(object.AttributeFileName, objFileName)
-	attr.SetKey(object.AttributeFilePath)
+	filePath := prepareObjectAttributes(object.AttributeFilePath, objFilePath)
-	attr.SetValue(objFileName)
+	obj.SetAttributes(append(obj.Attributes(), fileName)...)
-	obj.SetAttributes(append(obj.Attributes(), *attr)...)
+	obj.SetAttributes(append(obj.Attributes(), filePath)...)
 	t.Run("get", func(t *testing.T) {
 		r = prepareGetRequest(ctx, cnrID.EncodeToString(), putRes.ObjectID)
@ -215,6 +277,14 @@ func TestBasic(t *testing.T) {
 		r = prepareGetByAttributeRequest(ctx, bktName, keyAttr, valAttr)
 		hc.Handler().DownloadByAttribute(r)
 		require.Equal(t, content, string(r.Response.Body()))
 		r = prepareGetByAttributeRequest(ctx, bktName, attrFileName, objFilePath)
 		hc.Handler().DownloadByAttribute(r)
 		require.Equal(t, content, string(r.Response.Body()))
 		r = prepareGetByAttributeRequest(ctx, bktName, attrFilePath, objFileName)
 		hc.Handler().DownloadByAttribute(r)
 		require.Equal(t, content, string(r.Response.Body()))
 	})
 	t.Run("head by attribute", func(t *testing.T) {
@ -222,17 +292,27 @@ func TestBasic(t *testing.T) {
 		hc.Handler().HeadByAttribute(r)
 		require.Equal(t, putRes.ObjectID, string(r.Response.Header.Peek(hdrObjectID)))
 		require.Equal(t, putRes.ContainerID, string(r.Response.Header.Peek(hdrContainerID)))
 		r = prepareGetByAttributeRequest(ctx, bktName, attrFileName, objFilePath)
 		hc.Handler().HeadByAttribute(r)
 		require.Equal(t, putRes.ObjectID, string(r.Response.Header.Peek(hdrObjectID)))
 		require.Equal(t, putRes.ContainerID, string(r.Response.Header.Peek(hdrContainerID)))
 		r = prepareGetByAttributeRequest(ctx, bktName, attrFilePath, objFileName)
 		hc.Handler().HeadByAttribute(r)
 		require.Equal(t, putRes.ObjectID, string(r.Response.Header.Peek(hdrObjectID)))
 		require.Equal(t, putRes.ContainerID, string(r.Response.Header.Peek(hdrContainerID)))
 	})
 	t.Run("zip", func(t *testing.T) {
 		r = prepareGetZipped(ctx, bktName, "")
-		hc.Handler().DownloadZipped(r)
+		hc.Handler().DownloadZip(r)
 		readerAt := bytes.NewReader(r.Response.Body())
 		zipReader, err := zip.NewReader(readerAt, int64(len(r.Response.Body())))
 		require.NoError(t, err)
 		require.Len(t, zipReader.File, 1)
-		require.Equal(t, objFileName, zipReader.File[0].Name)
+		require.Equal(t, objFilePath, zipReader.File[0].Name)
 		f, err := zipReader.File[0].Open()
 		require.NoError(t, err)
 		defer func() {
@ -245,6 +325,187 @@ func TestBasic(t *testing.T) {
 	})
 }
 func TestFindObjectByAttribute(t *testing.T) {
 	hc := prepareHandlerContext(t)
 	hc.cfg.additionalSearch = true
 	bktName := "bucket"
 	cnrID, cnr, err := hc.prepareContainer(bktName, acl.PublicRWExtended)
 	require.NoError(t, err)
 	hc.frostfs.SetContainer(cnrID, cnr)
 	ctx := context.Background()
 	ctx = middleware.SetNamespace(ctx, "")
 	content := "hello"
 	r, err := prepareUploadRequest(ctx, cnrID.EncodeToString(), content)
 	require.NoError(t, err)
 	hc.Handler().Upload(r)
 	require.Equal(t, r.Response.StatusCode(), http.StatusOK)
 	var putRes putResponse
 	err = json.Unmarshal(r.Response.Body(), &putRes)
 	require.NoError(t, err)
 	testAttrVal1 := "/folder/cat.jpg"
 	testAttrVal2 := "cat.jpg"
 	testAttrVal3 := "test-attr-val3"
 	for _, tc := range []struct {
 		name             string
 		firstAttr        object.Attribute
 		secondAttr       object.Attribute
 		reqAttrKey       string
 		reqAttrValue     string
 		err              string
 		additionalSearch bool
 	}{
 		{
 			name:             "success search by FileName",
 			firstAttr:        prepareObjectAttributes(attrFilePath, testAttrVal1),
 			secondAttr:       prepareObjectAttributes(attrFileName, testAttrVal2),
 			reqAttrKey:       attrFileName,
 			reqAttrValue:     testAttrVal2,
 			additionalSearch: false,
 		},
 		{
 			name:             "failed search by FileName",
 			firstAttr:        prepareObjectAttributes(attrFilePath, testAttrVal1),
 			secondAttr:       prepareObjectAttributes(attrFileName, testAttrVal2),
 			reqAttrKey:       attrFileName,
 			reqAttrValue:     testAttrVal3,
 			err:              "not found",
 			additionalSearch: false,
 		},
 		{
 			name:             "success search by FilePath (with additional search)",
 			firstAttr:        prepareObjectAttributes(attrFilePath, testAttrVal1),
 			secondAttr:       prepareObjectAttributes(attrFileName, testAttrVal2),
 			reqAttrKey:       attrFilePath,
 			reqAttrValue:     testAttrVal2,
 			additionalSearch: true,
 		},
 		{
 			name:             "failed by FilePath (with additional search)",
 			firstAttr:        prepareObjectAttributes(attrFilePath, testAttrVal1),
 			secondAttr:       prepareObjectAttributes(attrFileName, testAttrVal2),
 			reqAttrKey:       attrFilePath,
 			reqAttrValue:     testAttrVal3,
 			err:              "not found",
 			additionalSearch: true,
 		},
 		{
 			name:             "success search by FilePath with leading slash (with additional search)",
 			firstAttr:        prepareObjectAttributes(attrFilePath, testAttrVal1),
 			secondAttr:       prepareObjectAttributes(attrFileName, testAttrVal2),
 			reqAttrKey:       attrFilePath,
 			reqAttrValue:     "/cat.jpg",
 			additionalSearch: true,
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			obj := hc.frostfs.objects[putRes.ContainerID+"/"+putRes.ObjectID]
 			obj.SetAttributes(tc.firstAttr, tc.secondAttr)
 			hc.cfg.additionalSearch = tc.additionalSearch
 			objID, err := hc.Handler().findObjectByAttribute(ctx, cnrID, tc.reqAttrKey, tc.reqAttrValue)
 			if tc.err != "" {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), tc.err)
 				return
 			}
 			require.NoError(t, err)
 			require.Equal(t, putRes.ObjectID, objID.EncodeToString())
 		})
 	}
 }
 func TestNeedSearchByFileName(t *testing.T) {
 	hc := prepareHandlerContext(t)
 	for _, tc := range []struct {
 		name             string
 		attrKey          string
 		attrVal          string
 		additionalSearch bool
 		expected         bool
 	}{
 		{
 			name:             "need search - not contains slash",
 			attrKey:          attrFilePath,
 			attrVal:          "cat.png",
 			additionalSearch: true,
 			expected:         true,
 		},
 		{
 			name:             "need search - single lead slash",
 			attrKey:          attrFilePath,
 			attrVal:          "/cat.png",
 			additionalSearch: true,
 			expected:         true,
 		},
 		{
 			name:             "don't need search - single slash but not lead",
 			attrKey:          attrFilePath,
 			attrVal:          "cats/cat.png",
 			additionalSearch: true,
 			expected:         false,
 		},
 		{
 			name:             "don't need search - more one slash",
 			attrKey:          attrFilePath,
 			attrVal:          "/cats/cat.png",
 			additionalSearch: true,
 			expected:         false,
 		},
 		{
 			name:             "don't need search - incorrect attribute key",
 			attrKey:          attrFileName,
 			attrVal:          "cat.png",
 			additionalSearch: true,
 			expected:         false,
 		},
 		{
 			name:             "don't need search - additional search disabled",
 			attrKey:          attrFilePath,
 			attrVal:          "cat.png",
 			additionalSearch: false,
 			expected:         false,
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			hc.cfg.additionalSearch = tc.additionalSearch
 			res := hc.h.needSearchByFileName(tc.attrKey, tc.attrVal)
 			require.Equal(t, tc.expected, res)
 		})
 	}
 }
 func TestPrepareFileName(t *testing.T) {
 	fileName := "/cat.jpg"
 	expected := "cat.jpg"
 	actual := prepareFileName(fileName)
 	require.Equal(t, expected, actual)
 	fileName = "cat.jpg"
 	actual = prepareFileName(fileName)
 	require.Equal(t, expected, actual)
 }
 func TestPrepareFilePath(t *testing.T) {
 	filePath := "cat.jpg"
 	expected := "/cat.jpg"
 	actual := prepareFilePath(filePath)
 	require.Equal(t, expected, actual)
 	filePath = "/cat.jpg"
 	actual = prepareFilePath(filePath)
 	require.Equal(t, expected, actual)
 }
 func prepareUploadRequest(ctx context.Context, bucket, content string) (*fasthttp.RequestCtx, error) {
 	r := new(fasthttp.RequestCtx)
 	utils.SetContextToRequest(ctx, r)
@ -260,6 +521,25 @@ func prepareGetRequest(ctx context.Context, bucket, objID string) *fasthttp.Requ
 	return r
 }
 func prepareCORSRequest(t *testing.T, bucket string, headers map[string]string) *fasthttp.RequestCtx {
 	ctx := context.Background()
 	ctx = middleware.SetNamespace(ctx, "")
 	r := new(fasthttp.RequestCtx)
 	r.SetUserValue("cid", bucket)
 	for k, v := range headers {
 		r.Request.Header.Set(k, v)
 	}
 	ctx, err := tokens.StoreBearerTokenAppCtx(ctx, r)
 	require.NoError(t, err)
 	utils.SetContextToRequest(ctx, r)
 	return r
 }
 func prepareGetByAttributeRequest(ctx context.Context, bucket, attrKey, attrVal string) *fasthttp.RequestCtx {
 	r := new(fasthttp.RequestCtx)
 	utils.SetContextToRequest(ctx, r)
@ -277,10 +557,18 @@ func prepareGetZipped(ctx context.Context, bucket, prefix string) *fasthttp.Requ
 	return r
 }
 func prepareObjectAttributes(attrKey, attrValue string) object.Attribute {
 	attr := object.NewAttribute()
 	attr.SetKey(attrKey)
 	attr.SetValue(attrValue)
 	return *attr
 }
 const (
 	keyAttr     = "User-Attribute"
 	valAttr     = "user value"
 	objFileName = "newFile.txt"
 	objFilePath = "/newFile.txt"
 )
 func fillMultipartBody(r *fasthttp.RequestCtx, content string) error {
--- a/internal/handler/head.go
+++ b/internal/handler/head.go
@ -2,13 +2,16 @@ package handler
 import (
 	"context"
 	"errors"
 	"io"
 	"net/http"
 	"strconv"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/valyala/fasthttp"
@ -24,7 +27,7 @@ const (
 	hdrContainerID = "X-Container-Id"
 )
-func (h *Handler) headObject(ctx context.Context, req request, objectAddress oid.Address) {
+func (h *Handler) headObject(ctx context.Context, req *fasthttp.RequestCtx, objectAddress oid.Address) {
 	var start = time.Now()
 	btoken := bearerToken(ctx)
@ -38,12 +41,16 @@ func (h *Handler) headObject(ctx context.Context, req request, objectAddress oid
 	obj, err := h.frostfs.HeadObject(ctx, prm)
 	if err != nil {
-		req.handleFrostFSErr(err, start)
+		h.logAndSendError(ctx, req, logs.FailedToHeadObject, err, zap.Stringer("elapsed", time.Since(start)))
 		return
 	}
 	req.Response.Header.Set(fasthttp.HeaderContentLength, strconv.FormatUint(obj.PayloadSize(), 10))
-	var contentType string
+	var (
 		contentType string
 		filename    string
 		filepath    string
 	)
 	for _, attr := range obj.Attributes() {
 		key := attr.Key()
 		val := attr.Value()
@ -58,17 +65,25 @@ func (h *Handler) headObject(ctx context.Context, req request, objectAddress oid
 		case object.AttributeTimestamp:
 			value, err := strconv.ParseInt(val, 10, 64)
 			if err != nil {
-				req.log.Info(logs.CouldntParseCreationDate,
+				h.reqLogger(ctx).Info(logs.CouldntParseCreationDate,
 					zap.String("key", key),
 					zap.String("val", val),
-					zap.Error(err))
+					zap.Error(err),
 					logs.TagField(logs.TagDatapath))
 				continue
 			}
 			req.Response.Header.Set(fasthttp.HeaderLastModified, time.Unix(value, 0).UTC().Format(http.TimeFormat))
 		case object.AttributeContentType:
 			contentType = val
 		case object.AttributeFilePath:
 			filepath = val
 		case object.AttributeFileName:
 			filename = val
 		}
 	}
 	if filename == "" {
 		filename = filepath
 	}
 	idsToResponse(&req.Response, obj)
@ -83,9 +98,9 @@ func (h *Handler) headObject(ctx context.Context, req request, objectAddress oid
 			}
 			return h.frostfs.RangeObject(ctx, prmRange)
-		})
+		}, filename)
 		if err != nil && err != io.EOF {
-			req.handleFrostFSErr(err, start)
+			h.logAndSendError(ctx, req, logs.FailedToDetectContentTypeFromPayload, err, zap.Stringer("elapsed", time.Since(start)))
 			return
 		}
 	}
@ -101,19 +116,44 @@ func idsToResponse(resp *fasthttp.Response, obj *object.Object) {
 }
 // HeadByAddressOrBucketName handles head requests using simple cid/oid or bucketname/key format.
-func (h *Handler) HeadByAddressOrBucketName(c *fasthttp.RequestCtx) {
+func (h *Handler) HeadByAddressOrBucketName(req *fasthttp.RequestCtx) {
-	test, _ := c.UserValue("oid").(string)
+	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.HeadByAddressOrBucketName")
-	var id oid.ID
+	defer span.End()
-	err := id.DecodeString(test)
+	cidParam, _ := req.UserValue("cid").(string)
 	oidParam, _ := req.UserValue("oid").(string)
 	ctx = utils.SetReqLog(ctx, h.reqLogger(ctx).With(
 		zap.String("cid", cidParam),
 		zap.String("oid", oidParam),
 	))
 	bktInfo, err := h.getBucketInfo(ctx, cidParam)
 	if err != nil {
-		h.byObjectName(c, h.headObject)
+		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
 		return
 	}
 	checkS3Err := h.tree.CheckSettingsNodeExists(ctx, bktInfo)
 	if checkS3Err != nil && !errors.Is(checkS3Err, layer.ErrNodeNotFound) {
 		h.logAndSendError(ctx, req, logs.FailedToCheckIfSettingsNodeExist, checkS3Err)
 		return
 	}
 	var objID oid.ID
 	if checkS3Err == nil {
 		h.byS3Path(ctx, req, bktInfo.CID, oidParam, h.headObject)
 	} else if err = objID.DecodeString(oidParam); err == nil {
 		h.byNativeAddress(ctx, req, bktInfo.CID, objID, h.headObject)
 	} else {
-		h.byAddress(c, h.headObject)
+		h.logAndSendError(ctx, req, logs.InvalidOIDParam, err)
 	}
 }
 // HeadByAttribute handles attribute-based head requests.
-func (h *Handler) HeadByAttribute(c *fasthttp.RequestCtx) {
+func (h *Handler) HeadByAttribute(req *fasthttp.RequestCtx) {
-	h.byAttribute(c, h.headObject)
+	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.HeadByAttribute")
 	defer span.End()
 	h.byAttribute(ctx, req, h.headObject)
 }
--- a/internal/handler/multipart.go
+++ b/internal/handler/multipart.go
@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"errors"
 	"io"
 	"strconv"
@ -33,7 +34,7 @@ func fetchMultipartFile(l *zap.Logger, r io.Reader, boundary string) (MultipartF
 		name := part.FormName()
 		if name == "" {
-			l.Debug(logs.IgnorePartEmptyFormName)
+			l.Debug(logs.IgnorePartEmptyFormName, logs.TagField(logs.TagDatapath))
 			continue
 		}
@ -41,8 +42,10 @@ func fetchMultipartFile(l *zap.Logger, r io.Reader, boundary string) (MultipartF
 		// ignore multipart/form-data values
 		if filename == "" {
-			l.Debug(logs.IgnorePartEmptyFilename, zap.String("form", name))
+			l.Debug(logs.IgnorePartEmptyFilename, zap.String("form", name), logs.TagField(logs.TagDatapath))
-
+			if err = part.Close(); err != nil {
 				l.Warn(logs.FailedToCloseReader, zap.Error(err), logs.TagField(logs.TagDatapath))
 			}
 			continue
 		}
@ -51,7 +54,7 @@ func fetchMultipartFile(l *zap.Logger, r io.Reader, boundary string) (MultipartF
 }
 // getPayload returns initial payload if object is not multipart else composes new reader with parts data.
-func (h *Handler) getPayload(p getMultiobjectBodyParams) (io.ReadCloser, uint64, error) {
+func (h *Handler) getPayload(ctx context.Context, p getMultiobjectBodyParams) (io.ReadCloser, uint64, error) {
 	cid, ok := p.obj.Header.ContainerID()
 	if !ok {
 		return nil, 0, errors.New("no container id set")
@ -64,7 +67,6 @@ func (h *Handler) getPayload(p getMultiobjectBodyParams) (io.ReadCloser, uint64,
 	if err != nil {
 		return nil, 0, err
 	}
 	ctx := p.req.RequestCtx
 	params := PrmInitMultiObjectReader{
 		Addr:   newAddress(cid, oid),
 		Bearer: bearerToken(ctx),
--- a/internal/handler/multipart_test.go
+++ b/internal/handler/multipart_test.go
@ -60,12 +60,7 @@ func BenchmarkAll(b *testing.B) {
 func defaultMultipart(filename string) error {
 	r, bound := multipartFile(filename)
-	logger, err := zap.NewProduction()
+	file, err := fetchMultipartFileDefault(zap.NewNop(), r, bound)
 	if err != nil {
 		return err
 	}
 	file, err := fetchMultipartFileDefault(logger, r, bound)
 	if err != nil {
 		return err
 	}
@ -87,12 +82,7 @@ func TestName(t *testing.T) {
 func customMultipart(filename string) error {
 	r, bound := multipartFile(filename)
-	logger, err := zap.NewProduction()
+	file, err := fetchMultipartFile(zap.NewNop(), r, bound)
 	if err != nil {
 		return err
 	}
 	file, err := fetchMultipartFile(logger, r, bound)
 	if err != nil {
 		return err
 	}
@ -112,7 +102,7 @@ func fetchMultipartFileDefault(l *zap.Logger, r io.Reader, boundary string) (Mul
 		name := part.FormName()
 		if name == "" {
-			l.Debug(logs.IgnorePartEmptyFormName)
+			l.Debug(logs.IgnorePartEmptyFormName, logs.TagField(logs.TagDatapath))
 			continue
 		}
@ -120,8 +110,7 @@ func fetchMultipartFileDefault(l *zap.Logger, r io.Reader, boundary string) (Mul
 		// ignore multipart/form-data values
 		if filename == "" {
-			l.Debug(logs.IgnorePartEmptyFilename, zap.String("form", name))
+			l.Debug(logs.IgnorePartEmptyFilename, zap.String("form", name), logs.TagField(logs.TagDatapath))
 			continue
 		}
--- a/internal/handler/reader.go
+++ b/internal/handler/reader.go
@ -4,13 +4,14 @@ import (
 	"bytes"
 	"context"
 	"io"
 	"mime"
 	"net/http"
 	"path"
 	"strconv"
 	"strings"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/response"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
@ -25,7 +26,7 @@ type readCloser struct {
 // initializes io.Reader with the limited size and detects Content-Type from it.
 // Returns r's error directly. Also returns the processed data.
-func readContentType(maxSize uint64, rInit func(uint64) (io.Reader, error)) (string, []byte, error) {
+func readContentType(maxSize uint64, rInit func(uint64) (io.Reader, error), filename string) (string, []byte, error) {
 	if maxSize > sizeToDetectType {
 		maxSize = sizeToDetectType
 	}
@ -44,16 +45,28 @@ func readContentType(maxSize uint64, rInit func(uint64) (io.Reader, error)) (str
 	buf = buf[:n]
-	return http.DetectContentType(buf), buf, err // to not lose io.EOF
+	contentType := http.DetectContentType(buf)
 	// Since the detector detects the "text/plain" content type for various types of text files,
 	// including CSS, JavaScript, and CSV files,
 	// we'll determine the final content type based on the file's extension.
 	if strings.HasPrefix(contentType, "text/plain") {
 		ext := path.Ext(filename)
 		// If the file doesn't have a file extension, we'll keep the content type as is.
 		if len(ext) > 0 {
 			contentType = mime.TypeByExtension(ext)
 		}
 	}
 	return contentType, buf, err // to not lose io.EOF
 }
 type getMultiobjectBodyParams struct {
 	obj     *Object
 	req     request
 	strSize string
 }
-func (h *Handler) receiveFile(ctx context.Context, req request, objAddress oid.Address) {
+func (h *Handler) receiveFile(ctx context.Context, req *fasthttp.RequestCtx, objAddress oid.Address) {
 	var (
 		shouldDownload = req.QueryArgs().GetBool("download")
 		start          = time.Now()
@ -71,12 +84,12 @@ func (h *Handler) receiveFile(ctx context.Context, req request, objAddress oid.A
 	rObj, err := h.frostfs.GetObject(ctx, prm)
 	if err != nil {
-		req.handleFrostFSErr(err, start)
+		h.logAndSendError(ctx, req, logs.FailedToGetObject, err, zap.Stringer("elapsed", time.Since(start)))
 		return
 	}
 	// we can't close reader in this function, so how to do it?
-	req.setIDs(rObj.Header)
+	setIDs(req, rObj.Header)
 	payload := rObj.Payload
 	payloadSize := rObj.Header.PayloadSize()
 	for _, attr := range rObj.Header.Attributes() {
@ -93,23 +106,23 @@ func (h *Handler) receiveFile(ctx context.Context, req request, objAddress oid.A
 		case object.AttributeFileName:
 			filename = val
 		case object.AttributeTimestamp:
-			if err = req.setTimestamp(val); err != nil {
+			if err = setTimestamp(req, val); err != nil {
-				req.log.Error(logs.CouldntParseCreationDate,
+				h.reqLogger(ctx).Error(logs.CouldntParseCreationDate,
 					zap.String("val", val),
-					zap.Error(err))
+					zap.Error(err),
 					logs.TagField(logs.TagDatapath))
 			}
 		case object.AttributeContentType:
 			contentType = val
 		case object.AttributeFilePath:
 			filepath = val
 		case attributeMultipartObjectSize:
-			payload, payloadSize, err = h.getPayload(getMultiobjectBodyParams{
+			payload, payloadSize, err = h.getPayload(ctx, getMultiobjectBodyParams{
 				obj:     rObj,
 				req:     req,
 				strSize: val,
 			})
 			if err != nil {
-				req.handleFrostFSErr(err, start)
+				h.logAndSendError(ctx, req, logs.FailedToGetObjectPayload, err, zap.Stringer("elapsed", time.Since(start)))
 				return
 			}
 		}
@ -118,7 +131,7 @@ func (h *Handler) receiveFile(ctx context.Context, req request, objAddress oid.A
 		filename = filepath
 	}
-	req.setDisposition(shouldDownload, filename)
+	setDisposition(req, shouldDownload, filename)
 	req.Response.Header.Set(fasthttp.HeaderContentLength, strconv.FormatUint(payloadSize, 10))
@ -128,10 +141,9 @@ func (h *Handler) receiveFile(ctx context.Context, req request, objAddress oid.A
 		contentType, payloadHead, err = readContentType(payloadSize, func(uint64) (io.Reader, error) {
 			return payload, nil
-		})
+		}, filename)
 		if err != nil && err != io.EOF {
-			req.log.Error(logs.CouldNotDetectContentTypeFromPayload, zap.Error(err))
+			h.logAndSendError(ctx, req, logs.FailedToDetectContentTypeFromPayload, err, zap.Stringer("elapsed", time.Since(start)))
 			response.Error(req.RequestCtx, "could not detect Content-Type from payload: "+err.Error(), fasthttp.StatusBadRequest)
 			return
 		}
@ -150,7 +162,7 @@ func (h *Handler) receiveFile(ctx context.Context, req request, objAddress oid.A
 	req.Response.SetBodyStream(payload, int(payloadSize))
 }
-func (r *request) setIDs(obj object.Object) {
+func setIDs(r *fasthttp.RequestCtx, obj object.Object) {
 	objID, _ := obj.ID()
 	cnrID, _ := obj.ContainerID()
 	r.Response.Header.Set(hdrObjectID, objID.String())
@ -158,7 +170,7 @@ func (r *request) setIDs(obj object.Object) {
 	r.Response.Header.Set(hdrContainerID, cnrID.String())
 }
-func (r *request) setDisposition(shouldDownload bool, filename string) {
+func setDisposition(r *fasthttp.RequestCtx, shouldDownload bool, filename string) {
 	const (
 		inlineDisposition     = "inline"
 		attachmentDisposition = "attachment"
@ -172,7 +184,7 @@ func (r *request) setDisposition(shouldDownload bool, filename string) {
 	r.Response.Header.Set(fasthttp.HeaderContentDisposition, dis+"; filename="+path.Base(filename))
 }
-func (r *request) setTimestamp(timestamp string) error {
+func setTimestamp(r *fasthttp.RequestCtx, timestamp string) error {
 	value, err := strconv.ParseInt(timestamp, 10, 64)
 	if err != nil {
 		return err
--- a/internal/handler/reader_test.go
+++ b/internal/handler/reader_test.go
@ -10,39 +10,80 @@ import (
 	"github.com/stretchr/testify/require"
 )
 const (
 	txtContentType        = "text/plain; charset=utf-8"
 	cssContentType        = "text/css; charset=utf-8"
 	htmlContentType       = "text/html; charset=utf-8"
 	javascriptContentType = "text/javascript; charset=utf-8"
 	htmlBody = "<!DOCTYPE html><html ><head><meta charset=\"utf-8\"><title>Test Html</title>"
 )
 func TestDetector(t *testing.T) {
 	txtContentType := "text/plain; charset=utf-8"
 	sb := strings.Builder{}
 	for i := 0; i < 10; i++ {
 		sb.WriteString("Some txt content. Content-Type must be detected properly by detector.")
 	}
 	for _, tc := range []struct {
-		Name        string
+		Name                string
-		ContentType string
+		ExpectedContentType string
-		Expected    string
+		Content             string
 		FileName            string
 	}{
 		{
-			Name:        "less than 512b",
+			Name:                "less than 512b",
-			ContentType: txtContentType,
+			ExpectedContentType: txtContentType,
-			Expected:    sb.String()[:256],
+			Content:             sb.String()[:256],
 			FileName:            "test.txt",
 		},
 		{
-			Name:        "more than 512b",
+			Name:                "more than 512b",
-			ContentType: txtContentType,
+			ExpectedContentType: txtContentType,
-			Expected:    sb.String(),
+			Content:             sb.String(),
 			FileName:            "test.txt",
 		},
 		{
 			Name:                "css content type",
 			ExpectedContentType: cssContentType,
 			Content:             sb.String(),
 			FileName:            "test.css",
 		},
 		{
 			Name:                "javascript content type",
 			ExpectedContentType: javascriptContentType,
 			Content:             sb.String(),
 			FileName:            "test.js",
 		},
 		{
 			Name:                "html content type by file content",
 			ExpectedContentType: htmlContentType,
 			Content:             htmlBody,
 			FileName:            "test.detect-by-content",
 		},
 		{
 			Name:                "html content type by file extension",
 			ExpectedContentType: htmlContentType,
 			Content:             sb.String(),
 			FileName:            "test.html",
 		},
 		{
 			Name:                "empty file extension",
 			ExpectedContentType: txtContentType,
 			Content:             sb.String(),
 			FileName:            "test",
 		},
 	} {
 		t.Run(tc.Name, func(t *testing.T) {
-			contentType, data, err := readContentType(uint64(len(tc.Expected)),
+			contentType, data, err := readContentType(uint64(len(tc.Content)),
 				func(uint64) (io.Reader, error) {
-					return strings.NewReader(tc.Expected), nil
+					return strings.NewReader(tc.Content), nil
-				},
+				}, tc.FileName,
 			)
 			require.NoError(t, err)
-			require.Equal(t, tc.ContentType, contentType)
+			require.Equal(t, tc.ExpectedContentType, contentType)
-			require.True(t, strings.HasPrefix(tc.Expected, string(data)))
+			require.True(t, strings.HasPrefix(tc.Content, string(data)))
 		})
 	}
 }
--- a/internal/handler/upload.go
+++ b/internal/handler/upload.go
@ -1,17 +1,23 @@
 package handler
 import (
 	"archive/tar"
 	"bytes"
 	"compress/gzip"
 	"context"
 	"encoding/json"
 	"errors"
 	"io"
 	"net/http"
 	"path/filepath"
 	"strconv"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/response"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
@ -20,8 +26,9 @@ import (
 )
 const (
-	jsonHeader   = "application/json; charset=UTF-8"
+	jsonHeader           = "application/json; charset=UTF-8"
-	drainBufSize = 4096
+	drainBufSize         = 4096
 	explodeArchiveHeader = "X-Explode-Archive"
 )
 type putResponse struct {
@ -43,97 +50,94 @@ func (pr *putResponse) encode(w io.Writer) error {
 }
 // Upload handles multipart upload request.
-func (h *Handler) Upload(c *fasthttp.RequestCtx) {
+func (h *Handler) Upload(req *fasthttp.RequestCtx) {
-	var (
+	ctx, span := tracing.StartSpanFromContext(utils.GetContextFromRequest(req), "handler.Upload")
-		file  MultipartFile
+	defer span.End()
 		idObj oid.ID
 		addr  oid.Address
 	)
-	scid, _ := c.UserValue("cid").(string)
+	var file MultipartFile
-	bodyStream := c.RequestBodyStream()
+
 	scid, _ := req.UserValue("cid").(string)
 	bodyStream := req.RequestBodyStream()
 	drainBuf := make([]byte, drainBufSize)
-	ctx := utils.GetContextFromRequest(c)
+	log := h.reqLogger(ctx)
-	reqLog := utils.GetReqLogOrDefault(ctx, h.log)
+	ctx = utils.SetReqLog(ctx, log.With(zap.String("cid", scid)))
 	log := reqLog.With(zap.String("cid", scid))
-	bktInfo, err := h.getBucketInfo(ctx, scid, log)
+	bktInfo, err := h.getBucketInfo(ctx, scid)
 	if err != nil {
-		logAndSendBucketError(c, log, err)
+		h.logAndSendError(ctx, req, logs.FailedToGetBucketInfo, err)
 		return
 	}
-	defer func() {
+	boundary := string(req.Request.Header.MultipartFormBoundary())
 		// If the temporary reader can be closed - let's close it.
 		if file == nil {
 			return
 		}
 		err := file.Close()
 		log.Debug(
 			logs.CloseTemporaryMultipartFormFile,
 			zap.Stringer("address", addr),
 			zap.String("filename", file.FileName()),
 			zap.Error(err),
 		)
 	}()
 	boundary := string(c.Request.Header.MultipartFormBoundary())
 	if file, err = fetchMultipartFile(log, bodyStream, boundary); err != nil {
-		log.Error(logs.CouldNotReceiveMultipartForm, zap.Error(err))
+		h.logAndSendError(ctx, req, logs.CouldNotReceiveMultipartForm, err)
 		response.Error(c, "could not receive multipart/form: "+err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
-	filtered, err := filterHeaders(log, &c.Request.Header)
+	filtered, err := filterHeaders(log, &req.Request.Header)
 	if err != nil {
-		log.Error(logs.CouldNotProcessHeaders, zap.Error(err))
+		h.logAndSendError(ctx, req, logs.FailedToFilterHeaders, err)
 		response.Error(c, err.Error(), fasthttp.StatusBadRequest)
 		return
 	}
-	now := time.Now()
+	if req.Request.Header.Peek(explodeArchiveHeader) != nil {
-	if rawHeader := c.Request.Header.Peek(fasthttp.HeaderDate); rawHeader != nil {
+		h.explodeArchive(ctx, req, bktInfo, file, filtered)
-		if parsed, err := time.Parse(http.TimeFormat, string(rawHeader)); err != nil {
+	} else {
-			log.Warn(logs.CouldNotParseClientTime, zap.String("Date header", string(rawHeader)), zap.Error(err))
+		h.uploadSingleObject(ctx, req, bktInfo, file, filtered)
-		} else {
+	}
-			now = parsed
+
 	// Multipart is multipart and thus can contain more than one part which
 	// we ignore at the moment. Also, when dealing with chunked encoding
 	// the last zero-length chunk might be left unread (because multipart
 	// reader only cares about its boundary and doesn't look further) and
 	// it will be (erroneously) interpreted as the start of the next
 	// pipelined header. Thus, we need to drain the body buffer.
 	for {
 		_, err = bodyStream.Read(drainBuf)
 		if err == io.EOF || errors.Is(err, io.ErrUnexpectedEOF) {
 			break
 		}
 	}
 }
-	if err = utils.PrepareExpirationHeader(c, h.frostfs, filtered, now); err != nil {
+func (h *Handler) uploadSingleObject(ctx context.Context, req *fasthttp.RequestCtx, bkt *data.BucketInfo, file MultipartFile, filtered map[string]string) {
-		log.Error(logs.CouldNotPrepareExpirationHeader, zap.Error(err))
+	ctx, span := tracing.StartSpanFromContext(ctx, "handler.uploadSingleObject")
-		response.Error(c, "could not prepare expiration header: "+err.Error(), fasthttp.StatusBadRequest)
+	defer span.End()
 	setIfNotExist(filtered, object.AttributeFileName, file.FileName())
 	attributes, err := h.extractAttributes(ctx, req, filtered)
 	if err != nil {
 		h.logAndSendError(ctx, req, logs.FailedToGetAttributes, err)
 		return
 	}
-	attributes := make([]object.Attribute, 0, len(filtered))
+	idObj, err := h.uploadObject(ctx, bkt, attributes, file)
-	// prepares attributes from filtered headers
+	if err != nil {
-	for key, val := range filtered {
+		h.logAndSendError(ctx, req, logs.FailedToUploadObject, err)
-		attribute := object.NewAttribute()
+		return
 		attribute.SetKey(key)
 		attribute.SetValue(val)
 		attributes = append(attributes, *attribute)
 	}
 	// sets FileName attribute if it wasn't set from header
 	if _, ok := filtered[object.AttributeFileName]; !ok {
 		filename := object.NewAttribute()
 		filename.SetKey(object.AttributeFileName)
 		filename.SetValue(file.FileName())
 		attributes = append(attributes, *filename)
 	}
 	// sets Timestamp attribute if it wasn't set from header and enabled by settings
 	if _, ok := filtered[object.AttributeTimestamp]; !ok && h.config.DefaultTimestamp() {
 		timestamp := object.NewAttribute()
 		timestamp.SetKey(object.AttributeTimestamp)
 		timestamp.SetValue(strconv.FormatInt(time.Now().Unix(), 10))
 		attributes = append(attributes, *timestamp)
 	}
 	h.reqLogger(ctx).Debug(logs.ObjectUploaded,
 		zap.String("oid", idObj.EncodeToString()),
 		zap.String("FileName", file.FileName()),
 		logs.TagField(logs.TagExternalStorage),
 	)
 	addr := newAddress(bkt.CID, idObj)
 	req.Response.Header.SetContentType(jsonHeader)
 	// Try to return the response, otherwise, if something went wrong, throw an error.
 	if err = newPutResponse(addr).encode(req); err != nil {
 		h.logAndSendError(ctx, req, logs.CouldNotEncodeResponse, err)
 		return
 	}
 }
 func (h *Handler) uploadObject(ctx context.Context, bkt *data.BucketInfo, attrs []object.Attribute, file io.Reader) (oid.ID, error) {
 	obj := object.New()
-	obj.SetContainerID(bktInfo.CID)
+	obj.SetContainerID(bkt.CID)
 	obj.SetOwnerID(*h.ownerID)
-	obj.SetAttributes(attributes...)
+	obj.SetAttributes(attrs...)
 	prm := PrmObjectCreate{
 		PrmAuth: PrmAuth{
@ -142,48 +146,120 @@ func (h *Handler) Upload(c *fasthttp.RequestCtx) {
 		Object:                 obj,
 		Payload:                file,
 		ClientCut:              h.config.ClientCut(),
-		WithoutHomomorphicHash: bktInfo.HomomorphicHashDisabled,
+		WithoutHomomorphicHash: bkt.HomomorphicHashDisabled,
 		BufferMaxSize:          h.config.BufferMaxSizeForPut(),
 	}
-	if idObj, err = h.frostfs.CreateObject(ctx, prm); err != nil {
+	idObj, err := h.frostfs.CreateObject(ctx, prm)
-		h.handlePutFrostFSErr(c, err, log)
+	if err != nil {
-		return
+		return oid.ID{}, err
 	}
-	addr.SetObject(idObj)
+	return idObj, nil
 	addr.SetContainer(bktInfo.CID)
 	// Try to return the response, otherwise, if something went wrong, throw an error.
 	if err = newPutResponse(addr).encode(c); err != nil {
 		log.Error(logs.CouldNotEncodeResponse, zap.Error(err))
 		response.Error(c, "could not encode response", fasthttp.StatusBadRequest)
 		return
 	}
 	// Multipart is multipart and thus can contain more than one part which
 	// we ignore at the moment. Also, when dealing with chunked encoding
 	// the last zero-length chunk might be left unread (because multipart
 	// reader only cares about its boundary and doesn't look further) and
 	// it will be (erroneously) interpreted as the start of the next
 	// pipelined header. Thus we need to drain the body buffer.
 	for {
 		_, err = bodyStream.Read(drainBuf)
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
 			break
 		}
 	}
 	// Report status code and content type.
 	c.Response.SetStatusCode(fasthttp.StatusOK)
 	c.Response.Header.SetContentType(jsonHeader)
 }
-func (h *Handler) handlePutFrostFSErr(r *fasthttp.RequestCtx, err error, log *zap.Logger) {
+func (h *Handler) extractAttributes(ctx context.Context, req *fasthttp.RequestCtx, filtered map[string]string) ([]object.Attribute, error) {
-	statusCode, msg, additionalFields := response.FormErrorResponse("could not store file in frostfs", err)
+	now := time.Now()
-	logFields := append([]zap.Field{zap.Error(err)}, additionalFields...)
+	if rawHeader := req.Request.Header.Peek(fasthttp.HeaderDate); rawHeader != nil {
 		if parsed, err := time.Parse(http.TimeFormat, string(rawHeader)); err != nil {
 			h.reqLogger(ctx).Warn(logs.CouldNotParseClientTime, zap.String("Date header", string(rawHeader)), zap.Error(err),
 				logs.TagField(logs.TagDatapath))
 		} else {
 			now = parsed
 		}
 	}
 	if err := utils.PrepareExpirationHeader(ctx, h.frostfs, filtered, now); err != nil {
 		h.reqLogger(ctx).Error(logs.CouldNotPrepareExpirationHeader, zap.Error(err), logs.TagField(logs.TagDatapath))
 		return nil, err
 	}
 	attributes := make([]object.Attribute, 0, len(filtered))
 	// prepares attributes from filtered headers
 	for key, val := range filtered {
 		attribute := newAttribute(key, val)
 		attributes = append(attributes, attribute)
 	}
 	// sets Timestamp attribute if it wasn't set from header and enabled by settings
 	if _, ok := filtered[object.AttributeTimestamp]; !ok && h.config.DefaultTimestamp() {
 		timestamp := newAttribute(object.AttributeTimestamp, strconv.FormatInt(time.Now().Unix(), 10))
 		attributes = append(attributes, timestamp)
 	}
-	log.Error(logs.CouldNotStoreFileInFrostfs, logFields...)
+	return attributes, nil
-	response.Error(r, msg, statusCode)
+}
 func newAttribute(key string, val string) object.Attribute {
 	attr := object.NewAttribute()
 	attr.SetKey(key)
 	attr.SetValue(val)
 	return *attr
 }
 // explodeArchive read files from archive and creates objects for each of them.
 // Sets FilePath attribute with name from tar.Header.
 func (h *Handler) explodeArchive(ctx context.Context, req *fasthttp.RequestCtx, bkt *data.BucketInfo, file io.ReadCloser, filtered map[string]string) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "handler.explodeArchive")
 	defer span.End()
 	// remove user attributes which vary for each file in archive
 	// to guarantee that they won't appear twice
 	delete(filtered, object.AttributeFileName)
 	delete(filtered, object.AttributeFilePath)
 	commonAttributes, err := h.extractAttributes(ctx, req, filtered)
 	if err != nil {
 		h.logAndSendError(ctx, req, logs.FailedToGetAttributes, err)
 		return
 	}
 	attributes := commonAttributes
 	reader := file
 	if bytes.EqualFold(req.Request.Header.Peek(fasthttp.HeaderContentEncoding), []byte("gzip")) {
 		h.reqLogger(ctx).Debug(logs.GzipReaderSelected, logs.TagField(logs.TagDatapath))
 		gzipReader, err := gzip.NewReader(file)
 		if err != nil {
 			h.logAndSendError(ctx, req, logs.FailedToCreateGzipReader, err)
 			return
 		}
 		defer func() {
 			if err := gzipReader.Close(); err != nil {
 				h.reqLogger(ctx).Warn(logs.FailedToCloseReader, zap.Error(err), logs.TagField(logs.TagDatapath))
 			}
 		}()
 		reader = gzipReader
 	}
 	tarReader := tar.NewReader(reader)
 	for {
 		obj, err := tarReader.Next()
 		if errors.Is(err, io.EOF) {
 			break
 		} else if err != nil {
 			h.logAndSendError(ctx, req, logs.FailedToReadFileFromTar, err)
 			return
 		}
 		if isDir(obj.Name) {
 			continue
 		}
 		// set varying attributes
 		attributes = attributes[:len(commonAttributes)]
 		fileName := filepath.Base(obj.Name)
 		attributes = append(attributes, newAttribute(object.AttributeFilePath, obj.Name))
 		attributes = append(attributes, newAttribute(object.AttributeFileName, fileName))
 		idObj, err := h.uploadObject(ctx, bkt, attributes, tarReader)
 		if err != nil {
 			h.logAndSendError(ctx, req, logs.FailedToUploadObject, err)
 			return
 		}
 		h.reqLogger(ctx).Debug(logs.ObjectUploaded,
 			zap.String("oid", idObj.EncodeToString()),
 			zap.String("FileName", fileName),
 			logs.TagField(logs.TagExternalStorage),
 		)
 	}
 }
 func (h *Handler) fetchBearerToken(ctx context.Context) *bearer.Token {
--- a/internal/handler/utils.go
+++ b/internal/handler/utils.go
@ -3,38 +3,21 @@ package handler
 import (
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/response"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tokens"
-	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tree"
+	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 )
 type request struct {
 	*fasthttp.RequestCtx
 	log *zap.Logger
 }
 func (r *request) handleFrostFSErr(err error, start time.Time) {
 	logFields := []zap.Field{
 		zap.Stringer("elapsed", time.Since(start)),
 		zap.Error(err),
 	}
 	statusCode, msg, additionalFields := response.FormErrorResponse("could not receive object", err)
 	logFields = append(logFields, additionalFields...)
 	r.log.Error(logs.CouldNotReceiveObject, logFields...)
 	response.Error(r.RequestCtx, msg, statusCode)
 }
 func bearerToken(ctx context.Context) *bearer.Token {
 	if tkn, err := tokens.LoadBearerToken(ctx); err == nil {
 		return tkn
@ -43,22 +26,15 @@ func bearerToken(ctx context.Context) *bearer.Token {
 }
 func isDir(name string) bool {
-	return strings.HasSuffix(name, "/")
+	return name == "" || strings.HasSuffix(name, "/")
 }
-func isContainerRoot(key string) bool {
+func loadAttributes(attrs []object.Attribute) map[string]string {
-	return key == ""
+	result := make(map[string]string)
-}
+	for _, attr := range attrs {
-
+		result[attr.Key()] = attr.Value()
 func checkErrorType(err error) int {
 	switch {
 	case err == nil:
 		return fasthttp.StatusOK
 	case errors.Is(err, tree.ErrNodeAccessDenied):
 		return fasthttp.StatusForbidden
 	default:
 		return fasthttp.StatusNotFound
 	}
 	return result
 }
 func isValidToken(s string) bool {
@ -83,14 +59,16 @@ func isValidValue(s string) bool {
 	return true
 }
-func logAndSendBucketError(c *fasthttp.RequestCtx, log *zap.Logger, err error) {
+func (h *Handler) reqLogger(ctx context.Context) *zap.Logger {
-	log.Error(logs.CouldntGetBucket, zap.Error(err))
+	return utils.GetReqLogOrDefault(ctx, h.log)
 }
-	if client.IsErrContainerNotFound(err) {
+func (h *Handler) logAndSendError(ctx context.Context, c *fasthttp.RequestCtx, msg string, err error, additional ...zap.Field) {
-		response.Error(c, "Not Found", fasthttp.StatusNotFound)
+	utils.GetReqLogOrDefault(ctx, h.log).Error(msg,
-		return
+		append([]zap.Field{zap.Error(err), logs.TagField(logs.TagDatapath)}, additional...)...)
-	}
+
-	response.Error(c, "could not get bucket: "+err.Error(), fasthttp.StatusBadRequest)
+	msg, code := formErrorResponse(err)
 	ResponseError(c, msg, code)
 }
 func newAddress(cnr cid.ID, obj oid.ID) oid.Address {
@ -99,3 +77,35 @@ func newAddress(cnr cid.ID, obj oid.ID) oid.Address {
 	addr.SetObject(obj)
 	return addr
 }
 // setIfNotExist sets key value to map if key is not present yet.
 func setIfNotExist(m map[string]string, key, value string) {
 	if _, ok := m[key]; !ok {
 		m[key] = value
 	}
 }
 func ResponseError(r *fasthttp.RequestCtx, msg string, code int) {
 	r.Error(msg+"\n", code)
 }
 func formErrorResponse(err error) (string, int) {
 	switch {
 	case errors.Is(err, ErrAccessDenied):
 		return fmt.Sprintf("Storage Access Denied:\n%v", err), fasthttp.StatusForbidden
 	case errors.Is(err, layer.ErrNodeAccessDenied):
 		return fmt.Sprintf("Tree Access Denied:\n%v", err), fasthttp.StatusForbidden
 	case errors.Is(err, ErrQuotaLimitReached):
 		return fmt.Sprintf("Quota Reached:\n%v", err), fasthttp.StatusConflict
 	case errors.Is(err, ErrContainerNotFound):
 		return fmt.Sprintf("Container Not Found:\n%v", err), fasthttp.StatusNotFound
 	case errors.Is(err, ErrObjectNotFound):
 		return fmt.Sprintf("Object Not Found:\n%v", err), fasthttp.StatusNotFound
 	case errors.Is(err, layer.ErrNodeNotFound):
 		return fmt.Sprintf("Tree Node Not Found:\n%v", err), fasthttp.StatusNotFound
 	case errors.Is(err, ErrGatewayTimeout):
 		return fmt.Sprintf("Gateway Timeout:\n%v", err), fasthttp.StatusGatewayTimeout
 	default:
 		return fmt.Sprintf("Bad Request:\n%v", err), fasthttp.StatusBadRequest
 	}
 }
--- a/internal/api/layer/tree_service.go
+++ b/internal/api/layer/tree_service.go
@ -4,13 +4,15 @@ import (
 	"context"
 	"errors"
-	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/api"
+	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 )
 // TreeService provide interface to interact with tree service using s3 data models.
 type TreeService interface {
-	GetLatestVersion(ctx context.Context, cnrID *cid.ID, objectName string) (*api.NodeVersion, error)
+	GetLatestVersion(ctx context.Context, cnrID *cid.ID, objectName string) (*data.NodeVersion, error)
 	GetSubTreeByPrefix(ctx context.Context, bktInfo *data.BucketInfo, prefix string, latestOnly bool) ([]data.NodeInfo, string, error)
 	CheckSettingsNodeExists(ctx context.Context, bktInfo *data.BucketInfo) error
 }
 var (
--- a/internal/logs/logs.go
+++ b/internal/logs/logs.go
@ -1,82 +1,141 @@
 package logs
 import "go.uber.org/zap"
 const (
-	CouldntParseCreationDate                                              = "couldn't parse creation date"                                                           // Info in ../../downloader/*
+	TagFieldName = "tag"
-	CouldNotDetectContentTypeFromPayload                                  = "could not detect Content-Type from payload"                                             // Error in ../../downloader/download.go
+
-	CouldNotReceiveObject                                                 = "could not receive object"                                                               // Error in ../../downloader/download.go
+	TagApp                 = "app"
-	WrongObjectID                                                         = "wrong object id"                                                                        // Error in ../../downloader/download.go
+	TagDatapath            = "datapath"
-	GetLatestObjectVersion                                                = "get latest object version"                                                              // Error in ../../downloader/download.go
+	TagExternalStorage     = "external_storage"
-	ObjectWasDeleted                                                      = "object was deleted"                                                                     // Error in ../../downloader/download.go
+	TagExternalStorageTree = "external_storage_tree"
-	CouldNotSearchForObjects                                              = "could not search for objects"                                                           // Error in ../../downloader/download.go
+)
-	ObjectNotFound                                                        = "object not found"                                                                       // Error in ../../downloader/download.go
+
-	ReadObjectListFailed                                                  = "read object list failed"                                                                // Error in ../../downloader/download.go
+func TagField(tag string) zap.Field {
-	FailedToAddObjectToArchive                                            = "failed to add object to archive"                                                        // Error in ../../downloader/download.go
+	return zap.String(TagFieldName, tag)
-	IteratingOverSelectedObjectsFailed                                    = "iterating over selected objects failed"                                                 // Error in ../../downloader/download.go
+}
-	ObjectsNotFound                                                       = "objects not found"                                                                      // Error in ../../downloader/download.go
+
-	CloseZipWriter                                                        = "close zip writer"                                                                       // Error in ../../downloader/download.go
+// Log messages with the "app" tag.
-	ServiceIsRunning                                                      = "service is running"                                                                     // Info in ../../metrics/service.go
+const (
-	ServiceCouldntStartOnConfiguredPort                                   = "service couldn't start on configured port"                                              // Warn in ../../metrics/service.go
+	ServiceIsRunning                                                      = "service is running"
-	ServiceHasntStartedSinceItsDisabled                                   = "service hasn't started since it's disabled"                                             // Info in ../../metrics/service.go
+	ServiceCouldntStartOnConfiguredPort                                   = "service couldn't start on configured port"
-	ShuttingDownService                                                   = "shutting down service"                                                                  // Info in ../../metrics/service.go
+	ServiceHasntStartedSinceItsDisabled                                   = "service hasn't started since it's disabled"
-	CantShutDownService                                                   = "can't shut down service"                                                                // Panic in ../../metrics/service.go
+	ShuttingDownService                                                   = "shutting down service"
-	CantGracefullyShutDownService                                         = "can't gracefully shut down service, force stop"                                         // Error in ../../metrics/service.go
+	CantShutDownService                                                   = "can't shut down service"
-	IgnorePartEmptyFormName                                               = "ignore part, empty form name"                                                           // Debug in ../../uploader/upload.go
+	CantGracefullyShutDownService                                         = "can't gracefully shut down service, force stop"
-	IgnorePartEmptyFilename                                               = "ignore part, empty filename"                                                            // Debug in ../../uploader/upload.go
+	FailedToCreateResolver                                                = "failed to create resolver"
-	CloseTemporaryMultipartFormFile                                       = "close temporary multipart/form file"                                                    // Debug in ../../uploader/upload.go
+	FailedToCreateWorkerPool                                              = "failed to create worker pool"
-	CouldNotReceiveMultipartForm                                          = "could not receive multipart/form"                                                       // Error in ../../uploader/upload.go
+	StartingApplication                                                   = "starting application"
-	CouldNotProcessHeaders                                                = "could not process headers"                                                              // Error in ../../uploader/upload.go
+	StartingServer                                                        = "starting server"
-	CouldNotParseClientTime                                               = "could not parse client time"                                                            // Warn in ../../uploader/upload.go
+	ListenAndServe                                                        = "listen and serve"
-	CouldNotPrepareExpirationHeader                                       = "could not prepare expiration header"                                                    // Error in ../../uploader/upload.go
+	ShuttingDownWebServer                                                 = "shutting down web server"
-	CouldNotEncodeResponse                                                = "could not encode response"                                                              // Error in ../../uploader/upload.go
+	FailedToShutdownTracing                                               = "failed to shutdown tracing"
-	CouldNotStoreFileInFrostfs                                            = "could not store file in frostfs"                                                        // Error in ../../uploader/upload.go
+	AddedPathUploadCid                                                    = "added path /upload/{cid}"
-	AddAttributeToResultObject                                            = "add attribute to result object"                                                         // Debug in ../../uploader/filter.go
+	AddedPathGetCidOid                                                    = "added path /get/{cid}/{oid}"
-	FailedToCreateResolver                                                = "failed to create resolver"                                                              // Fatal in ../../app.go
+	AddedPathGetByAttributeCidAttrKeyAttrVal                              = "added path /get_by_attribute/{cid}/{attr_key}/{attr_val:*}"
-	FailedToReadIndexPageTemplate                                         = "failed to read index page template, set default"                                        // Warn in ../../app.go
+	AddedPathZipCidPrefix                                                 = "added path /zip/{cid}/{prefix}"
-	SetCustomIndexPageTemplate                                            = "set custom index page template"                                                         // Info in ../../app.go
+	FailedToAddServer                                                     = "failed to add server"
-	ContainerResolverWillBeDisabledBecauseOfResolversResolverOrderIsEmpty = "container resolver will be disabled because of resolvers 'resolver_order' is empty"     // Info in ../../app.go
+	AddServer                                                             = "add server"
-	MetricsAreDisabled                                                    = "metrics are disabled"                                                                   // Warn in ../../app.go
+	NoHealthyServers                                                      = "no healthy servers"
-	NoWalletPathSpecifiedCreatingEphemeralKeyAutomaticallyForThisRun      = "no wallet path specified, creating ephemeral key automatically for this run"            // Info in ../../app.go
+	FailedToInitializeTracing                                             = "failed to initialize tracing"
-	StartingApplication                                                   = "starting application"                                                                   // Info in ../../app.go
+	RuntimeSoftMemoryDefinedWithGOMEMLIMIT                                = "soft runtime memory defined with GOMEMLIMIT environment variable, config value skipped"
-	StartingServer                                                        = "starting server"                                                                        // Info in ../../app.go
+	RuntimeSoftMemoryLimitUpdated                                         = "soft runtime memory limit value updated"
-	ListenAndServe                                                        = "listen and serve"                                                                       // Fatal in ../../app.go
+	CouldNotLoadFrostFSPrivateKey                                         = "could not load FrostFS private key"
-	ShuttingDownWebServer                                                 = "shutting down web server"                                                               // Info in ../../app.go
+	UsingCredentials                                                      = "using credentials"
-	FailedToShutdownTracing                                               = "failed to shutdown tracing"                                                             // Warn in ../../app.go
+	FailedToCreateConnectionPool                                          = "failed to create connection pool"
-	SIGHUPConfigReloadStarted                                             = "SIGHUP config reload started"                                                           // Info in ../../app.go
+	FailedToDialConnectionPool                                            = "failed to dial connection pool"
-	FailedToReloadConfigBecauseItsMissed                                  = "failed to reload config because it's missed"                                            // Warn in ../../app.go
+	FailedToCreateTreePool                                                = "failed to create tree pool"
-	FailedToReloadConfig                                                  = "failed to reload config"                                                                // Warn in ../../app.go
+	FailedToDialTreePool                                                  = "failed to dial tree pool"
 	LogLevelWontBeUpdated                                                 = "log level won't be updated"                                                             // Warn in ../../app.go
 	FailedToUpdateResolvers                                               = "failed to update resolvers"                                                             // Warn in ../../app.go
 	FailedToReloadServerParameters                                        = "failed to reload server parameters"                                                     // Warn in ../../app.go
 	SIGHUPConfigReloadCompleted                                           = "SIGHUP config reload completed"                                                         // Info in ../../app.go
 	AddedPathUploadCid                                                    = "added path /upload/{cid}"                                                               // Info in ../../app.go
 	AddedPathGetCidOid                                                    = "added path /get/{cid}/{oid}"                                                            // Info in ../../app.go
 	AddedPathGetByAttributeCidAttrKeyAttrVal                              = "added path /get_by_attribute/{cid}/{attr_key}/{attr_val:*}"                             // Info in ../../app.go
 	AddedPathZipCidPrefix                                                 = "added path /zip/{cid}/{prefix}"                                                         // Info in ../../app.go
 	Request                                                               = "request"                                                                                // Info in ../../app.go
 	CouldNotFetchAndStoreBearerToken                                      = "could not fetch and store bearer token"                                                 // Error in ../../app.go
 	FailedToAddServer                                                     = "failed to add server"                                                                   // Warn in ../../app.go
 	AddServer                                                             = "add server"                                                                             // Info in ../../app.go
 	NoHealthyServers                                                      = "no healthy servers"                                                                     // Fatal in ../../app.go
 	FailedToInitializeTracing                                             = "failed to initialize tracing"                                                           // Warn in ../../app.go
 	TracingConfigUpdated                                                  = "tracing config updated"                                                                 // Info in ../../app.go
 	ResolverNNSWontBeUsedSinceRPCEndpointIsntProvided                     = "resolver nns won't be used since rpc_endpoint isn't provided"                           // Warn in ../../app.go
 	RuntimeSoftMemoryDefinedWithGOMEMLIMIT                                = "soft runtime memory defined with GOMEMLIMIT environment variable, config value skipped" // Warn in ../../app.go
 	RuntimeSoftMemoryLimitUpdated                                         = "soft runtime memory limit value updated"                                                // Info in ../../app.go
 	CouldNotLoadFrostFSPrivateKey                                         = "could not load FrostFS private key"                                                     // Fatal in ../../settings.go
 	UsingCredentials                                                      = "using credentials"                                                                      // Info in ../../settings.go
 	FailedToCreateConnectionPool                                          = "failed to create connection pool"                                                       // Fatal in ../../settings.go
 	FailedToDialConnectionPool                                            = "failed to dial connection pool"                                                         // Fatal in ../../settings.go
 	FailedToCreateTreePool                                                = "failed to create tree pool"                                                             // Fatal in ../../settings.go
 	FailedToDialTreePool                                                  = "failed to dial tree pool"                                                               // Fatal in ../../settings.go
 	AddedStoragePeer                                                      = "added storage peer"                                                                     // Info in ../../settings.go
 	CouldntGetBucket                                                      = "could not get bucket"                                                                   // Error in ../handler/utils.go
 	CouldntPutBucketIntoCache                                             = "couldn't put bucket info into cache"                                                    // Warn in ../handler/handler.go
 	InvalidCacheEntryType                                                 = "invalid cache entry type"                                                               // Warn in ../cache/buckets.go
 	InvalidLifetimeUsingDefaultValue                                      = "invalid lifetime, using default value (in seconds)"                                     // Error in ../../cmd/http-gw/settings.go
 	InvalidCacheSizeUsingDefaultValue                                     = "invalid cache size, using default value"                                                // Error in ../../cmd/http-gw/settings.go
 	FailedToUnescapeQuery                                                 = "failed to unescape query"
 	ServerReconnecting                                                    = "reconnecting server..."
 	ServerReconnectedSuccessfully                                         = "server reconnected successfully"
 	ServerReconnectFailed                                                 = "failed to reconnect server"
 	MultinetDialSuccess                                                   = "multinet dial successful"
 	MultinetDialFail                                                      = "multinet dial failed"
 	ContainerResolverWillBeDisabledBecauseOfResolversResolverOrderIsEmpty = "container resolver will be disabled because of resolvers 'resolver_order' is empty"
 	MetricsAreDisabled                                                    = "metrics are disabled"
 	NoWalletPathSpecifiedCreatingEphemeralKeyAutomaticallyForThisRun      = "no wallet path specified, creating ephemeral key automatically for this run"
 	SIGHUPConfigReloadStarted                                             = "SIGHUP config reload started"
 	FailedToReloadConfigBecauseItsMissed                                  = "failed to reload config because it's missed"
 	FailedToReloadConfig                                                  = "failed to reload config"
 	FailedToUpdateResolvers                                               = "failed to update resolvers"
 	FailedToReloadServerParameters                                        = "failed to reload server parameters"
 	SIGHUPConfigReloadCompleted                                           = "SIGHUP config reload completed"
 	TracingConfigUpdated                                                  = "tracing config updated"
 	ResolverNNSWontBeUsedSinceRPCEndpointIsntProvided                     = "resolver nns won't be used since rpc_endpoint isn't provided"
 	AddedStoragePeer                                                      = "added storage peer"
 	InvalidLifetimeUsingDefaultValue                                      = "invalid lifetime, using default value (in seconds)"
 	InvalidCacheSizeUsingDefaultValue                                     = "invalid cache size, using default value"
 	WarnDuplicateAddress                                                  = "duplicate address"
 	FailedToLoadMultinetConfig                                            = "failed to load multinet config"
 	MultinetConfigWontBeUpdated                                           = "multinet config won't be updated"
 	LogLevelWontBeUpdated                                                 = "log level won't be updated"
 	TagsLogConfigWontBeUpdated                                            = "tags log config won't be updated"
 	FailedToReadIndexPageTemplate                                         = "failed to read index page template"
 	SetCustomIndexPageTemplate                                            = "set custom index page template"
 	CouldNotFetchCORSContainerInfo                                        = "couldn't fetch CORS container info"
 )
 // Log messages with the "datapath" tag.
 const (
 	CouldntParseCreationDate              = "couldn't parse creation date"
 	FailedToDetectContentTypeFromPayload  = "failed to detect Content-Type from payload"
 	FailedToAddObjectToArchive            = "failed to add object to archive"
 	CloseZipWriter                        = "close zip writer"
 	IgnorePartEmptyFormName               = "ignore part, empty form name"
 	IgnorePartEmptyFilename               = "ignore part, empty filename"
 	CouldNotParseClientTime               = "could not parse client time"
 	CouldNotPrepareExpirationHeader       = "could not prepare expiration header"
 	CouldNotEncodeResponse                = "could not encode response"
 	AddAttributeToResultObject            = "add attribute to result object"
 	Request                               = "request"
 	CouldNotFetchAndStoreBearerToken      = "could not fetch and store bearer token"
 	CouldntPutBucketIntoCache             = "couldn't put bucket info into cache"
 	FailedToIterateOverResponse           = "failed to iterate over search response"
 	InvalidCacheEntryType                 = "invalid cache entry type"
 	FailedToUnescapeQuery                 = "failed to unescape query"
 	CouldntCacheNetmap                    = "couldn't cache netmap"
 	FailedToCloseReader                   = "failed to close reader"
 	FailedToFilterHeaders                 = "failed to filter headers"
 	FailedToReadFileFromTar               = "failed to read file from tar"
 	FailedToGetAttributes                 = "failed to get attributes"
 	CloseGzipWriter                       = "close gzip writer"
 	CloseTarWriter                        = "close tar writer"
 	FailedToCreateGzipReader              = "failed to create gzip reader"
 	GzipReaderSelected                    = "gzip reader selected"
 	CouldNotReceiveMultipartForm          = "could not receive multipart/form"
 	ObjectsNotFound                       = "objects not found"
 	IteratingOverSelectedObjectsFailed    = "iterating over selected objects failed"
 	FailedToGetBucketInfo                 = "could not get bucket info"
 	FailedToSubmitTaskToPool              = "failed to submit task to pool"
 	ObjectWasDeleted                      = "object was deleted"
 	FailedToGetLatestVersionOfObject      = "failed to get latest version of object"
 	FailedToCheckIfSettingsNodeExist      = "failed to check if settings node exists"
 	FailedToListObjects                   = "failed to list objects"
 	FailedToParseTemplate                 = "failed to parse template"
 	FailedToExecuteTemplate               = "failed to execute template"
 	FailedToUploadObject                  = "failed to upload object"
 	FailedToHeadObject                    = "failed to head object"
 	FailedToGetObject                     = "failed to get object"
 	FailedToGetObjectPayload              = "failed to get object payload"
 	FailedToFindObjectByAttribute         = "failed to get find object by attribute"
 	FailedToUnescapeOIDParam              = "failed to unescape oid param"
 	InvalidOIDParam                       = "invalid oid param"
 	CouldNotGetCORSConfiguration          = "could not get cors configuration"
 	EmptyOriginRequestHeader              = "empty Origin request header"
 	EmptyAccessControlRequestMethodHeader = "empty Access-Control-Request-Method request header"
 	CORSRuleWasNotMatched                 = "cors rule was not matched"
 	CouldntCacheCors                      = "couldn't cache cors"
 )
 // Log messages with the "external_storage" tag.
 const (
 	ObjectNotFound                              = "object not found"
 	ReadObjectListFailed                        = "read object list failed"
 	ObjectNotFoundByFilePathTrySearchByFileName = "object not found by filePath attribute, try search by fileName"
 	ObjectUploaded                              = "object uploaded"
 )
 // Log messages with the "external_storage_tree" tag.
 const (
 	FoundSeveralSystemTreeNodes = "found several system tree nodes"
 )
--- a/internal/net/config.go
+++ b/internal/net/config.go
@ -0,0 +1,68 @@
 package net
 import (
 	"errors"
 	"fmt"
 	"net/netip"
 	"slices"
 	"time"
 	"git.frostfs.info/TrueCloudLab/multinet"
 )
 var errEmptySourceIPList = errors.New("empty source IP list")
 type Subnet struct {
 	Prefix    string
 	SourceIPs []string
 }
 type Config struct {
 	Enabled       bool
 	Subnets       []Subnet
 	Balancer      string
 	Restrict      bool
 	FallbackDelay time.Duration
 	EventHandler  multinet.EventHandler
 }
 func (c Config) toMultinetConfig() (multinet.Config, error) {
 	var subnets []multinet.Subnet
 	for _, s := range c.Subnets {
 		var ms multinet.Subnet
 		p, err := netip.ParsePrefix(s.Prefix)
 		if err != nil {
 			return multinet.Config{}, fmt.Errorf("parse IP prefix '%s': %w", s.Prefix, err)
 		}
 		ms.Prefix = p
 		for _, ip := range s.SourceIPs {
 			addr, err := netip.ParseAddr(ip)
 			if err != nil {
 				return multinet.Config{}, fmt.Errorf("parse IP address '%s': %w", ip, err)
 			}
 			ms.SourceIPs = append(ms.SourceIPs, addr)
 		}
 		if len(ms.SourceIPs) == 0 {
 			return multinet.Config{}, errEmptySourceIPList
 		}
 		subnets = append(subnets, ms)
 	}
 	return multinet.Config{
 		Subnets:       subnets,
 		Balancer:      multinet.BalancerType(c.Balancer),
 		Restrict:      c.Restrict,
 		FallbackDelay: c.FallbackDelay,
 		Dialer:        newDefaultDialer(),
 		EventHandler:  c.EventHandler,
 	}, nil
 }
 func (c Config) equals(other Config) bool {
 	return c.Enabled == other.Enabled &&
 		slices.EqualFunc(c.Subnets, other.Subnets, func(lhs, rhs Subnet) bool {
 			return lhs.Prefix == rhs.Prefix && slices.Equal(lhs.SourceIPs, rhs.SourceIPs)
 		}) &&
 		c.Balancer == other.Balancer &&
 		c.Restrict == other.Restrict &&
 		c.FallbackDelay == other.FallbackDelay
 }
--- a/internal/net/dial_target.go
+++ b/internal/net/dial_target.go
@ -0,0 +1,54 @@
 // NOTE: code is taken from https://github.com/grpc/grpc-go/blob/v1.68.x/internal/transport/http_util.go
 /*
 *
 * Copyright 2014 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
 package net
 import (
 	"net/url"
 	"strings"
 )
 // parseDialTarget returns the network and address to pass to dialer.
 func parseDialTarget(target string) (string, string) {
 	net := "tcp"
 	m1 := strings.Index(target, ":")
 	m2 := strings.Index(target, ":/")
 	// handle unix:addr which will fail with url.Parse
 	if m1 >= 0 && m2 < 0 {
 		if n := target[0:m1]; n == "unix" {
 			return n, target[m1+1:]
 		}
 	}
 	if m2 >= 0 {
 		t, err := url.Parse(target)
 		if err != nil {
 			return net, target
 		}
 		scheme := t.Scheme
 		addr := t.Path
 		if scheme == "unix" {
 			if addr == "" {
 				addr = t.Host
 			}
 			return scheme, addr
 		}
 	}
 	return net, target
 }
--- a/internal/net/dialer.go
+++ b/internal/net/dialer.go
@ -0,0 +1,36 @@
 package net
 import (
 	"net"
 	"syscall"
 	"time"
 	"golang.org/x/sys/unix"
 )
 func newDefaultDialer() net.Dialer {
 	// From `grpc.WithContextDialer` comment:
 	//
 	// Note: All supported releases of Go (as of December 2023) override the OS
 	// defaults for TCP keepalive time and interval to 15s. To enable TCP keepalive
 	// with OS defaults for keepalive time and interval, use a net.Dialer that sets
 	// the KeepAlive field to a negative value, and sets the SO_KEEPALIVE socket
 	// option to true from the Control field. For a concrete example of how to do
 	// this, see internal.NetDialerWithTCPKeepalive().
 	//
 	// https://github.com/grpc/grpc-go/blob/830135e6c5a351abf75f0c9cfdf978e5df8daeba/dialoptions.go#L432
 	//
 	// From `internal.NetDialerWithTCPKeepalive` comment:
 	//
 	// TODO: Once https://github.com/golang/go/issues/62254 lands, and the
 	// appropriate Go version becomes less than our least supported Go version, we
 	// should look into using the new API to make things more straightforward.
 	return net.Dialer{
 		KeepAlive: time.Duration(-1),
 		Control: func(_, _ string, c syscall.RawConn) error {
 			return c.Control(func(fd uintptr) {
 				_ = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_KEEPALIVE, 1)
 			})
 		},
 	}
 }
--- a/internal/net/dialer_source.go
+++ b/internal/net/dialer_source.go
@ -0,0 +1,69 @@
 package net
 import (
 	"context"
 	"net"
 	"sync"
 	"git.frostfs.info/TrueCloudLab/multinet"
 )
 type DialerSource struct {
 	guard sync.RWMutex
 	c Config
 	md multinet.Dialer
 }
 func NewDialerSource(c Config) (*DialerSource, error) {
 	result := &DialerSource{}
 	if err := result.build(c); err != nil {
 		return nil, err
 	}
 	return result, nil
 }
 func (s *DialerSource) build(c Config) error {
 	if c.Enabled {
 		mc, err := c.toMultinetConfig()
 		if err != nil {
 			return err
 		}
 		md, err := multinet.NewDialer(mc)
 		if err != nil {
 			return err
 		}
 		s.md = md
 		s.c = c
 		return nil
 	}
 	s.md = nil
 	s.c = c
 	return nil
 }
 // GrpcContextDialer returns grpc.WithContextDialer func.
 // Returns nil if multinet disabled.
 func (s *DialerSource) GrpcContextDialer() func(context.Context, string) (net.Conn, error) {
 	s.guard.RLock()
 	defer s.guard.RUnlock()
 	if s.c.Enabled {
 		return func(ctx context.Context, address string) (net.Conn, error) {
 			network, address := parseDialTarget(address)
 			return s.md.DialContext(ctx, network, address)
 		}
 	}
 	return nil
 }
 func (s *DialerSource) Update(c Config) error {
 	s.guard.Lock()
 	defer s.guard.Unlock()
 	if s.c.equals(c) {
 		return nil
 	}
 	return s.build(c)
 }
--- a/internal/net/event_handler.go
+++ b/internal/net/event_handler.go
@ -0,0 +1,30 @@
 package net
 import (
 	"net"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"go.uber.org/zap"
 )
 type LogEventHandler struct {
 	logger *zap.Logger
 }
 func (l LogEventHandler) DialPerformed(sourceIP net.Addr, _, address string, err error) {
 	sourceIPString := "undefined"
 	if sourceIP != nil {
 		sourceIPString = sourceIP.Network() + "://" + sourceIP.String()
 	}
 	if err == nil {
 		l.logger.Debug(logs.MultinetDialSuccess, zap.String("source", sourceIPString),
 			zap.String("destination", address), logs.TagField(logs.TagApp))
 	} else {
 		l.logger.Debug(logs.MultinetDialFail, zap.String("source", sourceIPString),
 			zap.String("destination", address), logs.TagField(logs.TagApp))
 	}
 }
 func NewLogEventHandler(logger *zap.Logger) LogEventHandler {
 	return LogEventHandler{logger: logger}
 }
--- a/internal/service/frostfs/frostfs.go
+++ b/internal/service/frostfs/frostfs.go
@ -9,8 +9,11 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool"
@ -34,13 +37,16 @@ func NewFrostFS(p *pool.Pool) *FrostFS {
 // Container implements frostfs.FrostFS interface method.
 func (x *FrostFS) Container(ctx context.Context, containerPrm handler.PrmContainer) (*container.Container, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.Container")
 	defer span.End()
 	prm := pool.PrmContainerGet{
 		ContainerID: containerPrm.ContainerID,
 	}
 	res, err := x.pool.GetContainer(ctx, prm)
 	if err != nil {
-		return nil, handleObjectError("read container via connection pool", err)
+		return nil, handleStorageError("read container via connection pool", err)
 	}
 	return &res, nil
@ -48,6 +54,9 @@ func (x *FrostFS) Container(ctx context.Context, containerPrm handler.PrmContain
 // CreateObject implements frostfs.FrostFS interface method.
 func (x *FrostFS) CreateObject(ctx context.Context, prm handler.PrmObjectCreate) (oid.ID, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.CreateObject")
 	defer span.End()
 	var prmPut pool.PrmObjectPut
 	prmPut.SetHeader(*prm.Object)
 	prmPut.SetPayload(prm.Payload)
@ -61,7 +70,7 @@ func (x *FrostFS) CreateObject(ctx context.Context, prm handler.PrmObjectCreate)
 	idObj, err := x.pool.PutObject(ctx, prmPut)
 	if err != nil {
-		return oid.ID{}, handleObjectError("save object via connection pool", err)
+		return oid.ID{}, handleStorageError("save object via connection pool", err)
 	}
 	return idObj.ObjectID, nil
 }
@ -77,11 +86,14 @@ func (x payloadReader) Read(p []byte) (int, error) {
 	if err != nil && errors.Is(err, io.EOF) {
 		return n, err
 	}
-	return n, handleObjectError("read payload", err)
+	return n, handleStorageError("read payload", err)
 }
 // HeadObject implements frostfs.FrostFS interface method.
 func (x *FrostFS) HeadObject(ctx context.Context, prm handler.PrmObjectHead) (*object.Object, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.HeadObject")
 	defer span.End()
 	var prmHead pool.PrmObjectHead
 	prmHead.SetAddress(prm.Address)
@ -91,7 +103,7 @@ func (x *FrostFS) HeadObject(ctx context.Context, prm handler.PrmObjectHead) (*o
 	res, err := x.pool.HeadObject(ctx, prmHead)
 	if err != nil {
-		return nil, handleObjectError("read object header via connection pool", err)
+		return nil, handleStorageError("read object header via connection pool", err)
 	}
 	return &res, nil
@ -99,6 +111,9 @@ func (x *FrostFS) HeadObject(ctx context.Context, prm handler.PrmObjectHead) (*o
 // GetObject implements frostfs.FrostFS interface method.
 func (x *FrostFS) GetObject(ctx context.Context, prm handler.PrmObjectGet) (*handler.Object, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.GetObject")
 	defer span.End()
 	var prmGet pool.PrmObjectGet
 	prmGet.SetAddress(prm.Address)
@ -108,7 +123,7 @@ func (x *FrostFS) GetObject(ctx context.Context, prm handler.PrmObjectGet) (*han
 	res, err := x.pool.GetObject(ctx, prmGet)
 	if err != nil {
-		return nil, handleObjectError("init full object reading via connection pool", err)
+		return nil, handleStorageError("init full object reading via connection pool", err)
 	}
 	return &handler.Object{
@ -119,6 +134,9 @@ func (x *FrostFS) GetObject(ctx context.Context, prm handler.PrmObjectGet) (*han
 // RangeObject implements frostfs.FrostFS interface method.
 func (x *FrostFS) RangeObject(ctx context.Context, prm handler.PrmObjectRange) (io.ReadCloser, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.RangeObject")
 	defer span.End()
 	var prmRange pool.PrmObjectRange
 	prmRange.SetAddress(prm.Address)
 	prmRange.SetOffset(prm.PayloadRange[0])
@ -130,7 +148,7 @@ func (x *FrostFS) RangeObject(ctx context.Context, prm handler.PrmObjectRange) (
 	res, err := x.pool.ObjectRange(ctx, prmRange)
 	if err != nil {
-		return nil, handleObjectError("init payload range reading via connection pool", err)
+		return nil, handleStorageError("init payload range reading via connection pool", err)
 	}
 	return payloadReader{&res}, nil
@ -138,6 +156,9 @@ func (x *FrostFS) RangeObject(ctx context.Context, prm handler.PrmObjectRange) (
 // SearchObjects implements frostfs.FrostFS interface method.
 func (x *FrostFS) SearchObjects(ctx context.Context, prm handler.PrmObjectSearch) (handler.ResObjectSearch, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.SearchObjects")
 	defer span.End()
 	var prmSearch pool.PrmObjectSearch
 	prmSearch.SetContainerID(prm.Container)
 	prmSearch.SetFilters(prm.Filters)
@ -148,7 +169,7 @@ func (x *FrostFS) SearchObjects(ctx context.Context, prm handler.PrmObjectSearch
 	res, err := x.pool.SearchObjects(ctx, prmSearch)
 	if err != nil {
-		return nil, handleObjectError("init object search via connection pool", err)
+		return nil, handleStorageError("init object search via connection pool", err)
 	}
 	return &res, nil
@ -156,6 +177,9 @@ func (x *FrostFS) SearchObjects(ctx context.Context, prm handler.PrmObjectSearch
 // GetEpochDurations implements frostfs.FrostFS interface method.
 func (x *FrostFS) GetEpochDurations(ctx context.Context) (*utils.EpochDurations, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.GetEpochDurations")
 	defer span.End()
 	networkInfo, err := x.pool.NetworkInfo(ctx)
 	if err != nil {
 		return nil, err
@ -173,6 +197,18 @@ func (x *FrostFS) GetEpochDurations(ctx context.Context) (*utils.EpochDurations,
 	return res, nil
 }
 func (x *FrostFS) NetmapSnapshot(ctx context.Context) (netmap.NetMap, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.NetmapSnapshot")
 	defer span.End()
 	netmapSnapshot, err := x.pool.NetMapSnapshot(ctx)
 	if err != nil {
 		return netmapSnapshot, handleStorageError("get netmap via connection pool", err)
 	}
 	return netmapSnapshot, nil
 }
 // ResolverFrostFS represents virtual connection to the FrostFS network.
 // It implements resolver.FrostFS.
 type ResolverFrostFS struct {
@ -186,9 +222,12 @@ func NewResolverFrostFS(p *pool.Pool) *ResolverFrostFS {
 // SystemDNS implements resolver.FrostFS interface method.
 func (x *ResolverFrostFS) SystemDNS(ctx context.Context) (string, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.SystemDNS")
 	defer span.End()
 	networkInfo, err := x.pool.NetworkInfo(ctx)
 	if err != nil {
-		return "", handleObjectError("read network info via client", err)
+		return "", handleStorageError("read network info via client", err)
 	}
 	domain := networkInfo.RawNetworkParameter("SystemDNS")
@ -199,15 +238,27 @@ func (x *ResolverFrostFS) SystemDNS(ctx context.Context) (string, error) {
 	return string(domain), nil
 }
-func handleObjectError(msg string, err error) error {
+func handleStorageError(msg string, err error) error {
 	if err == nil {
 		return nil
 	}
 	if reason, ok := IsErrObjectAccessDenied(err); ok {
 		if strings.Contains(reason, "limit reached") {
 			return fmt.Errorf("%s: %w: %s", msg, handler.ErrQuotaLimitReached, reason)
 		}
 		return fmt.Errorf("%s: %w: %s", msg, handler.ErrAccessDenied, reason)
 	}
 	if client.IsErrContainerNotFound(err) {
 		return fmt.Errorf("%s: %w: %s", msg, handler.ErrContainerNotFound, err.Error())
 	}
 	if client.IsErrObjectNotFound(err) {
 		return fmt.Errorf("%s: %w: %s", msg, handler.ErrObjectNotFound, err.Error())
 	}
 	if IsTimeoutError(err) {
 		return fmt.Errorf("%s: %w: %s", msg, handler.ErrGatewayTimeout, err.Error())
 	}
--- a/internal/service/frostfs/frostfs_test.go
+++ b/internal/service/frostfs/frostfs_test.go
@ -0,0 +1,83 @@
 package frostfs
 import (
 	"context"
 	"errors"
 	"fmt"
 	"testing"
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
 func TestHandleObjectError(t *testing.T) {
 	msg := "some msg"
 	t.Run("nil error", func(t *testing.T) {
 		err := handleStorageError(msg, nil)
 		require.Nil(t, err)
 	})
 	t.Run("simple access denied", func(t *testing.T) {
 		reason := "some reason"
 		inputErr := new(apistatus.ObjectAccessDenied)
 		inputErr.WriteReason(reason)
 		err := handleStorageError(msg, inputErr)
 		require.ErrorIs(t, err, handler.ErrAccessDenied)
 		require.Contains(t, err.Error(), reason)
 		require.Contains(t, err.Error(), msg)
 	})
 	t.Run("access denied - quota reached", func(t *testing.T) {
 		reason := "Quota limit reached"
 		inputErr := new(apistatus.ObjectAccessDenied)
 		inputErr.WriteReason(reason)
 		err := handleStorageError(msg, inputErr)
 		require.ErrorIs(t, err, handler.ErrQuotaLimitReached)
 		require.Contains(t, err.Error(), reason)
 		require.Contains(t, err.Error(), msg)
 	})
 	t.Run("simple timeout", func(t *testing.T) {
 		inputErr := errors.New("timeout")
 		err := handleStorageError(msg, inputErr)
 		require.ErrorIs(t, err, handler.ErrGatewayTimeout)
 		require.Contains(t, err.Error(), inputErr.Error())
 		require.Contains(t, err.Error(), msg)
 	})
 	t.Run("deadline exceeded", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
 		defer cancel()
 		<-ctx.Done()
 		err := handleStorageError(msg, ctx.Err())
 		require.ErrorIs(t, err, handler.ErrGatewayTimeout)
 		require.Contains(t, err.Error(), ctx.Err().Error())
 		require.Contains(t, err.Error(), msg)
 	})
 	t.Run("grpc deadline exceeded", func(t *testing.T) {
 		inputErr := fmt.Errorf("wrap grpc error: %w", status.Error(codes.DeadlineExceeded, "error"))
 		err := handleStorageError(msg, inputErr)
 		require.ErrorIs(t, err, handler.ErrGatewayTimeout)
 		require.Contains(t, err.Error(), inputErr.Error())
 		require.Contains(t, err.Error(), msg)
 	})
 	t.Run("unknown error", func(t *testing.T) {
 		inputErr := errors.New("unknown error")
 		err := handleStorageError(msg, inputErr)
 		require.ErrorIs(t, err, inputErr)
 		require.Contains(t, err.Error(), msg)
 	})
 }
--- a/internal/service/frostfs/multi_object_reader.go
+++ b/internal/service/frostfs/multi_object_reader.go
@ -9,6 +9,7 @@ import (
 	"time"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 )
@ -74,6 +75,9 @@ var (
 )
 func (x *FrostFS) InitMultiObjectReader(ctx context.Context, p handler.PrmInitMultiObjectReader) (io.Reader, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.InitMultiObjectReader")
 	defer span.End()
 	combinedObj, err := x.GetObject(ctx, handler.PrmObjectGet{
 		PrmAuth: handler.PrmAuth{BearerToken: p.Bearer},
 		Address: p.Addr,
@ -215,6 +219,9 @@ func (x *MultiObjectReader) Read(p []byte) (n int, err error) {
 // InitFrostFSObjectPayloadReader initializes payload reader of the FrostFS object.
 // Zero range corresponds to full payload (panics if only offset is set).
 func (x *FrostFS) InitFrostFSObjectPayloadReader(ctx context.Context, p GetFrostFSParams) (io.ReadCloser, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.InitFrostFSObjectPayloadReader")
 	defer span.End()
 	var prmAuth handler.PrmAuth
 	if p.Off+p.Ln != 0 {
--- a/internal/service/frostfs/source.go
+++ b/internal/service/frostfs/source.go
@ -0,0 +1,69 @@
 package frostfs
 import (
 	"context"
 	"fmt"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/cache"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"go.uber.org/zap"
 )
 type Source struct {
 	frostFS     *FrostFS
 	netmapCache *cache.NetmapCache
 	bucketCache *cache.BucketCache
 	log         *zap.Logger
 }
 func NewSource(frostFS *FrostFS, netmapCache *cache.NetmapCache, bucketCache *cache.BucketCache, log *zap.Logger) *Source {
 	return &Source{
 		frostFS:     frostFS,
 		netmapCache: netmapCache,
 		bucketCache: bucketCache,
 		log:         log,
 	}
 }
 func (s *Source) NetMapSnapshot(ctx context.Context) (netmap.NetMap, error) {
 	cachedNetmap := s.netmapCache.Get()
 	if cachedNetmap != nil {
 		return *cachedNetmap, nil
 	}
 	netmapSnapshot, err := s.frostFS.NetmapSnapshot(ctx)
 	if err != nil {
 		return netmap.NetMap{}, fmt.Errorf("get netmap: %w", err)
 	}
 	if err = s.netmapCache.Put(netmapSnapshot); err != nil {
 		s.log.Warn(logs.CouldntCacheNetmap, zap.Error(err), logs.TagField(logs.TagDatapath))
 	}
 	return netmapSnapshot, nil
 }
 func (s *Source) PlacementPolicy(ctx context.Context, cnrID cid.ID) (netmap.PlacementPolicy, error) {
 	info := s.bucketCache.GetByCID(cnrID)
 	if info != nil {
 		return info.PlacementPolicy, nil
 	}
 	prm := handler.PrmContainer{
 		ContainerID: cnrID,
 	}
 	res, err := s.frostFS.Container(ctx, prm)
 	if err != nil {
 		return netmap.PlacementPolicy{}, fmt.Errorf("get container: %w", err)
 	}
 	// We don't put container back to the cache to keep cache
 	// coherent to the requests made by users. FrostFS Source
 	// is being used by SDK Tree Pool and it should not fill cache
 	// with possibly irrelevant container values.
 	return res.PlacementPolicy(), nil
 }
--- a/internal/service/frostfs/tree_pool_wrapper.go
+++ b/internal/service/frostfs/tree_pool_wrapper.go
@ -9,20 +9,21 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/tree"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	apitree "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/tree"
 	treepool "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool/tree"
 	grpcService "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool/tree/service"
 )
 type GetNodeByPathResponseInfoWrapper struct {
-	response *grpcService.GetNodeByPathResponse_Info
+	response *apitree.GetNodeByPathResponseInfo
 }
 func (n GetNodeByPathResponseInfoWrapper) GetNodeID() []uint64 {
-	return []uint64{n.response.GetNodeId()}
+	return []uint64{n.response.GetNodeID()}
 }
 func (n GetNodeByPathResponseInfoWrapper) GetParentID() []uint64 {
-	return []uint64{n.response.GetParentId()}
+	return []uint64{n.response.GetParentID()}
 }
 func (n GetNodeByPathResponseInfoWrapper) GetTimestamp() []uint64 {
@ -30,8 +31,8 @@ func (n GetNodeByPathResponseInfoWrapper) GetTimestamp() []uint64 {
 }
 func (n GetNodeByPathResponseInfoWrapper) GetMeta() []tree.Meta {
-	res := make([]tree.Meta, len(n.response.Meta))
+	res := make([]tree.Meta, len(n.response.GetMeta()))
-	for i, value := range n.response.Meta {
+	for i, value := range n.response.GetMeta() {
 		res[i] = value
 	}
 	return res
@ -46,6 +47,9 @@ func NewPoolWrapper(p *treepool.Pool) *PoolWrapper {
 }
 func (w *PoolWrapper) GetNodes(ctx context.Context, prm *tree.GetNodesParams) ([]tree.NodeResponse, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.GetNodes")
 	defer span.End()
 	poolPrm := treepool.GetNodesParams{
 		CID:           prm.CnrID,
 		TreeID:        prm.TreeID,
@ -59,7 +63,7 @@ func (w *PoolWrapper) GetNodes(ctx context.Context, prm *tree.GetNodesParams) ([
 	nodes, err := w.p.GetNodes(ctx, poolPrm)
 	if err != nil {
-		return nil, handleError(err)
+		return nil, handleTreeError(err)
 	}
 	res := make([]tree.NodeResponse, len(nodes))
@ -78,7 +82,7 @@ func getBearer(ctx context.Context) []byte {
 	return token.Marshal()
 }
-func handleError(err error) error {
+func handleTreeError(err error) error {
 	if err == nil {
 		return nil
 	}
@ -93,6 +97,9 @@ func handleError(err error) error {
 }
 func (w *PoolWrapper) GetSubTree(ctx context.Context, bktInfo *data.BucketInfo, treeID string, rootID []uint64, depth uint32, sort bool) ([]tree.NodeResponse, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.GetSubTree")
 	defer span.End()
 	order := treepool.NoneOrder
 	if sort {
 		order = treepool.AscendingOrder
@ -115,7 +122,7 @@ func (w *PoolWrapper) GetSubTree(ctx context.Context, bktInfo *data.BucketInfo,
 	subTreeReader, err := w.p.GetSubTree(ctx, poolPrm)
 	if err != nil {
-		return nil, handleError(err)
+		return nil, handleTreeError(err)
 	}
 	var subtree []tree.NodeResponse
@ -126,22 +133,22 @@ func (w *PoolWrapper) GetSubTree(ctx context.Context, bktInfo *data.BucketInfo,
 		node, err = subTreeReader.Next()
 	}
 	if err != io.EOF {
-		return nil, handleError(err)
+		return nil, handleTreeError(err)
 	}
 	return subtree, nil
 }
 type GetSubTreeResponseBodyWrapper struct {
-	response *grpcService.GetSubTreeResponse_Body
+	response *apitree.GetSubTreeResponseBody
 }
 func (n GetSubTreeResponseBodyWrapper) GetNodeID() []uint64 {
-	return n.response.GetNodeId()
+	return n.response.GetNodeID()
 }
 func (n GetSubTreeResponseBodyWrapper) GetParentID() []uint64 {
-	resp := n.response.GetParentId()
+	resp := n.response.GetParentID()
 	if resp == nil {
 		// storage sends nil that should be interpreted as []uint64{0}
 		// due to protobuf compatibility, see 'GetSubTree' function
@ -155,8 +162,8 @@ func (n GetSubTreeResponseBodyWrapper) GetTimestamp() []uint64 {
 }
 func (n GetSubTreeResponseBodyWrapper) GetMeta() []tree.Meta {
-	res := make([]tree.Meta, len(n.response.Meta))
+	res := make([]tree.Meta, len(n.response.GetMeta()))
-	for i, value := range n.response.Meta {
+	for i, value := range n.response.GetMeta() {
 		res[i] = value
 	}
 	return res
--- a/internal/templates/index.gotmpl
+++ b/internal/templates/index.gotmpl
@ -1,11 +1,20 @@
-{{$bucketName := .BucketName}}
+{{$container := .Container}}
 {{ $prefix := trimPrefix .Prefix }}
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8"/>
-    <title>Index of s3://{{$bucketName}}/{{if $prefix}}/{{$prefix}}/{{end}}</title>
+    <title>Index of {{.Protocol}}://{{$container}}
        /{{if $prefix}}/{{$prefix}}/{{end}}</title>
    <style>
        .alert {
            width: 80%;
            box-sizing: border-box;
            padding: 20px;
            background-color: #f44336;
            color: white;
            margin-bottom: 15px;
        }
        table {
            width: 80%;
            border-collapse: collapse;
@ -23,15 +32,25 @@
        th {
            background-color: #c3bcbc;
        }
        h1 {
            font-size: 1.5em;
        }
        tr:nth-child(even) {background-color: #ebe7e7;}
    </style>
 </head>
 <body>
-<h1>Index of s3://{{$bucketName}}/{{if $prefix}}{{$prefix}}/{{end}}</h1>
+<h1>Index of {{.Protocol}}://{{$container}}/{{if $prefix}}{{$prefix}}/{{end}}</h1>
 {{ if .HasErrors }}
    <div class="alert">
        Errors occurred while processing the request. Perhaps some objects are missing
    </div>
 {{ end }}
 <table>
    <thead>
    <tr>
        <th>Filename</th>
        <th>OID</th>
        <th>Size</th>
        <th>Created</th>
        <th>Download</th>
@ -42,20 +61,22 @@
    {{if $trimmedPrefix }}
        <tr>
            <td>
-                ⮐<a href="/get/{{$bucketName}}{{ urlencode $trimmedPrefix "" }}">..</a>
+                ⮐<a href="/get/{{$container}}{{ urlencode $trimmedPrefix }}/">..</a>
            </td>
            <td></td>
            <td></td>
            <td></td>
            <td></td>
        </tr>
    {{else}}
        <tr>
            <td>
-                ⮐<a href="/get/{{ $bucketName }}/">..</a>
+                ⮐<a href="/get/{{$container}}/">..</a>
            </td>
            <td></td>
            <td></td>
            <td></td>
            <td></td>
        </tr>
    {{end}}
    {{range .Objects}}
@ -63,21 +84,22 @@
            <td>
                {{if .IsDir}}
                    🗀
-                    <a href="/get/{{ $bucketName }}{{ urlencode $prefix .FileName }}/">
+                    <a href="{{.GetURL}}/">
                        {{.FileName}}/
                    </a>
                {{else}}
                    🗎
-                    <a href="/get/{{ $bucketName }}{{ urlencode $prefix .FileName }}">
+                    <a href="{{ .GetURL }}">
                        {{.FileName}}
                    </a>
                {{end}}
            </td>
            <td>{{.OID}}</td>
            <td>{{if not .IsDir}}{{ formatSize .Size }}{{end}}</td>
-            <td>{{if not .IsDir}}{{ formatTimestamp .Created }}{{end}}</td>
+            <td>{{ .Created }}</td>
            <td>
-                {{ if not .IsDir }}
+                {{ if .OID }}
-                    <a href="/get/{{ $bucketName}}{{ urlencode $prefix .FileName }}?download=true">
+                    <a href="{{ .GetURL }}?download=true">
                        Link
                    </a>
                {{ end }}
--- a/metrics/desc.go
+++ b/metrics/desc.go
@ -76,6 +76,15 @@ var appMetricsDesc = map[string]map[string]Description{
 			VariableLabels: []string{"endpoint"},
 		},
 	},
 	statisticSubsystem: {
 		droppedLogs: Description{
 			Type:      dto.MetricType_COUNTER,
 			Namespace: namespace,
 			Subsystem: statisticSubsystem,
 			Name:      droppedLogs,
 			Help:      "Dropped logs (by sampling) count",
 		},
 	},
 }
 type Description struct {
@ -148,3 +157,12 @@ func mustNewGaugeVec(description Description) *prometheus.GaugeVec {
 		description.VariableLabels,
 	)
 }
 func mustNewCounter(description Description) prometheus.Counter {
 	if description.Type != dto.MetricType_COUNTER {
 		panic("invalid metric type")
 	}
 	return prometheus.NewCounter(
 		prometheus.CounterOpts(newOpts(description)),
 	)
 }
--- a/metrics/metrics.go
+++ b/metrics/metrics.go
@ -10,15 +10,17 @@ import (
 )
 const (
-	namespace       = "frostfs_http_gw"
+	namespace          = "frostfs_http_gw"
-	stateSubsystem  = "state"
+	stateSubsystem     = "state"
-	poolSubsystem   = "pool"
+	poolSubsystem      = "pool"
-	serverSubsystem = "server"
+	serverSubsystem    = "server"
 	statisticSubsystem = "statistic"
 )
 const (
 	healthMetric      = "health"
 	versionInfoMetric = "version_info"
 	droppedLogs       = "dropped_logs"
 )
 const (
@ -30,21 +32,19 @@ const (
 )
 const (
-	methodGetBalance       = "get_balance"
+	methodGetBalance      = "get_balance"
-	methodPutContainer     = "put_container"
+	methodPutContainer    = "put_container"
-	methodGetContainer     = "get_container"
+	methodGetContainer    = "get_container"
-	methodListContainer    = "list_container"
+	methodListContainer   = "list_container"
-	methodDeleteContainer  = "delete_container"
+	methodDeleteContainer = "delete_container"
-	methodGetContainerEacl = "get_container_eacl"
+	methodEndpointInfo    = "endpoint_info"
-	methodSetContainerEacl = "set_container_eacl"
+	methodNetworkInfo     = "network_info"
-	methodEndpointInfo     = "endpoint_info"
+	methodPutObject       = "put_object"
-	methodNetworkInfo      = "network_info"
+	methodDeleteObject    = "delete_object"
-	methodPutObject        = "put_object"
+	methodGetObject       = "get_object"
-	methodDeleteObject     = "delete_object"
+	methodHeadObject      = "head_object"
-	methodGetObject        = "get_object"
+	methodRangeObject     = "range_object"
-	methodHeadObject       = "head_object"
+	methodCreateSession   = "create_session"
 	methodRangeObject      = "range_object"
 	methodCreateSession    = "create_session"
 )
 // HealthStatus of the gate application.
@ -69,6 +69,7 @@ type GateMetrics struct {
 	stateMetrics
 	poolMetricsCollector
 	serverMetrics
 	statisticMetrics
 }
 type stateMetrics struct {
@ -76,6 +77,10 @@ type stateMetrics struct {
 	versionInfo *prometheus.GaugeVec
 }
 type statisticMetrics struct {
 	droppedLogs prometheus.Counter
 }
 type poolMetricsCollector struct {
 	scraper             StatisticScraper
 	overallErrors       prometheus.Gauge
@ -96,10 +101,14 @@ func NewGateMetrics(p StatisticScraper) *GateMetrics {
 	serverMetric := newServerMetrics()
 	serverMetric.register()
 	statsMetric := newStatisticMetrics()
 	statsMetric.register()
 	return &GateMetrics{
 		stateMetrics:         *stateMetric,
 		poolMetricsCollector: *poolMetric,
 		serverMetrics:        *serverMetric,
 		statisticMetrics:     *statsMetric,
 	}
 }
@ -107,6 +116,7 @@ func (g *GateMetrics) Unregister() {
 	g.stateMetrics.unregister()
 	prometheus.Unregister(&g.poolMetricsCollector)
 	g.serverMetrics.unregister()
 	g.statisticMetrics.unregister()
 }
 func newStateMetrics() *stateMetrics {
@ -116,6 +126,20 @@ func newStateMetrics() *stateMetrics {
 	}
 }
 func newStatisticMetrics() *statisticMetrics {
 	return &statisticMetrics{
 		droppedLogs: mustNewCounter(appMetricsDesc[statisticSubsystem][droppedLogs]),
 	}
 }
 func (s *statisticMetrics) register() {
 	prometheus.MustRegister(s.droppedLogs)
 }
 func (s *statisticMetrics) unregister() {
 	prometheus.Unregister(s.droppedLogs)
 }
 func (m stateMetrics) register() {
 	prometheus.MustRegister(m.healthCheck)
 	prometheus.MustRegister(m.versionInfo)
@ -134,6 +158,13 @@ func (m stateMetrics) SetVersion(ver string) {
 	m.versionInfo.WithLabelValues(ver).Set(1)
 }
 func (s *statisticMetrics) DroppedLogsInc() {
 	if s == nil {
 		return
 	}
 	s.droppedLogs.Inc()
 }
 func newPoolMetricsCollector(p StatisticScraper) *poolMetricsCollector {
 	return &poolMetricsCollector{
 		scraper:             p,
--- a/metrics/service.go
+++ b/metrics/service.go
@ -25,24 +25,24 @@ type Config struct {
 // Start runs http service with the exposed endpoint on the configured port.
 func (ms *Service) Start() {
 	if ms.enabled {
-		ms.log.Info(logs.ServiceIsRunning, zap.String("endpoint", ms.Addr))
+		ms.log.Info(logs.ServiceIsRunning, zap.String("endpoint", ms.Addr), logs.TagField(logs.TagApp))
 		err := ms.ListenAndServe()
 		if err != nil && err != http.ErrServerClosed {
-			ms.log.Warn(logs.ServiceCouldntStartOnConfiguredPort)
+			ms.log.Warn(logs.ServiceCouldntStartOnConfiguredPort, logs.TagField(logs.TagApp))
 		}
 	} else {
-		ms.log.Info(logs.ServiceHasntStartedSinceItsDisabled)
+		ms.log.Info(logs.ServiceHasntStartedSinceItsDisabled, logs.TagField(logs.TagApp))
 	}
 }
 // ShutDown stops the service.
 func (ms *Service) ShutDown(ctx context.Context) {
-	ms.log.Info(logs.ShuttingDownService, zap.String("endpoint", ms.Addr))
+	ms.log.Info(logs.ShuttingDownService, zap.String("endpoint", ms.Addr), logs.TagField(logs.TagApp))
 	err := ms.Shutdown(ctx)
 	if err != nil {
-		ms.log.Error(logs.CantGracefullyShutDownService, zap.Error(err))
+		ms.log.Error(logs.CantGracefullyShutDownService, zap.Error(err), logs.TagField(logs.TagApp))
 		if err = ms.Close(); err != nil {
-			ms.log.Panic(logs.CantShutDownService, zap.Error(err))
+			ms.log.Panic(logs.CantShutDownService, zap.Error(err), logs.TagField(logs.TagApp))
 		}
 	}
 }
--- a/resolver/resolver.go
+++ b/resolver/resolver.go
@ -6,7 +6,7 @@ import (
 	"fmt"
 	"sync"
-	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/handler/middleware"
+	v2container "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ns"
@ -29,14 +29,9 @@ type FrostFS interface {
 	SystemDNS(context.Context) (string, error)
 }
 type Settings interface {
 	FormContainerZone(ns string) (zone string, isDefault bool)
 }
 type Config struct {
 	FrostFS    FrostFS
 	RPCAddress string
 	Settings   Settings
 }
 type ContainerResolver struct {
@ -46,15 +41,15 @@ type ContainerResolver struct {
 type Resolver struct {
 	Name    string
-	resolve func(context.Context, string) (*cid.ID, error)
+	resolve func(context.Context, string, string) (*cid.ID, error)
 }
-func (r *Resolver) SetResolveFunc(fn func(context.Context, string) (*cid.ID, error)) {
+func (r *Resolver) SetResolveFunc(fn func(context.Context, string, string) (*cid.ID, error)) {
 	r.resolve = fn
 }
-func (r *Resolver) Resolve(ctx context.Context, name string) (*cid.ID, error) {
+func (r *Resolver) Resolve(ctx context.Context, zone, name string) (*cid.ID, error) {
-	return r.resolve(ctx, name)
+	return r.resolve(ctx, zone, name)
 }
 func NewContainerResolver(resolverNames []string, cfg *Config) (*ContainerResolver, error) {
@ -81,13 +76,13 @@ func createResolvers(resolverNames []string, cfg *Config) ([]*Resolver, error) {
 	return resolvers, nil
 }
-func (r *ContainerResolver) Resolve(ctx context.Context, cnrName string) (*cid.ID, error) {
+func (r *ContainerResolver) Resolve(ctx context.Context, cnrZone, cnrName string) (*cid.ID, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
 	var err error
 	for _, resolver := range r.resolvers {
-		cnrID, resolverErr := resolver.Resolve(ctx, cnrName)
+		cnrID, resolverErr := resolver.Resolve(ctx, cnrZone, cnrName)
 		if resolverErr != nil {
 			resolverErr = fmt.Errorf("%s: %w", resolver.Name, resolverErr)
 			if err == nil {
@ -141,34 +136,25 @@ func (r *ContainerResolver) equals(resolverNames []string) bool {
 func newResolver(name string, cfg *Config) (*Resolver, error) {
 	switch name {
 	case DNSResolver:
-		return NewDNSResolver(cfg.FrostFS, cfg.Settings)
+		return NewDNSResolver(cfg.FrostFS)
 	case NNSResolver:
-		return NewNNSResolver(cfg.RPCAddress, cfg.Settings)
+		return NewNNSResolver(cfg.RPCAddress)
 	default:
 		return nil, fmt.Errorf("unknown resolver: %s", name)
 	}
 }
-func NewDNSResolver(frostFS FrostFS, settings Settings) (*Resolver, error) {
+func NewDNSResolver(frostFS FrostFS) (*Resolver, error) {
 	if frostFS == nil {
 		return nil, fmt.Errorf("pool must not be nil for DNS resolver")
 	}
 	if settings == nil {
 		return nil, fmt.Errorf("resolver settings must not be nil for DNS resolver")
 	}
 	var dns ns.DNS
-	resolveFunc := func(ctx context.Context, name string) (*cid.ID, error) {
+	resolveFunc := func(ctx context.Context, zone, name string) (*cid.ID, error) {
 		var err error
-		namespace, err := middleware.GetNamespace(ctx)
+		if zone == v2container.SysAttributeZoneDefault {
 		if err != nil {
 			return nil, err
 		}
 		zone, isDefault := settings.FormContainerZone(namespace)
 		if isDefault {
 			zone, err = frostFS.SystemDNS(ctx)
 			if err != nil {
 				return nil, fmt.Errorf("read system DNS parameter of the FrostFS: %w", err)
@ -190,13 +176,10 @@ func NewDNSResolver(frostFS FrostFS, settings Settings) (*Resolver, error) {
 	}, nil
 }
-func NewNNSResolver(rpcAddress string, settings Settings) (*Resolver, error) {
+func NewNNSResolver(rpcAddress string) (*Resolver, error) {
 	if rpcAddress == "" {
 		return nil, fmt.Errorf("rpc address must not be empty for NNS resolver")
 	}
 	if settings == nil {
 		return nil, fmt.Errorf("resolver settings must not be nil for NNS resolver")
 	}
 	var nns ns.NNS
@ -204,16 +187,9 @@ func NewNNSResolver(rpcAddress string, settings Settings) (*Resolver, error) {
 		return nil, fmt.Errorf("could not dial nns: %w", err)
 	}
-	resolveFunc := func(ctx context.Context, name string) (*cid.ID, error) {
+	resolveFunc := func(_ context.Context, zone, name string) (*cid.ID, error) {
 		var d container.Domain
 		d.SetName(name)
 		namespace, err := middleware.GetNamespace(ctx)
 		if err != nil {
 			return nil, err
 		}
 		zone, _ := settings.FormContainerZone(namespace)
 		d.SetZone(zone)
 		cnrID, err := nns.ResolveContainerDomain(d)
--- a/response/utils.go
+++ b/response/utils.go
@ -1,41 +0,0 @@
 package response
 import (
 	"errors"
 	"fmt"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	sdkstatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	"github.com/valyala/fasthttp"
 	"go.uber.org/zap"
 )
 func Error(r *fasthttp.RequestCtx, msg string, code int) {
 	r.Error(msg+"\n", code)
 }
 func FormErrorResponse(message string, err error) (int, string, []zap.Field) {
 	var (
 		msg        string
 		statusCode int
 		logFields  []zap.Field
 	)
 	st := new(sdkstatus.ObjectAccessDenied)
 	switch {
 	case errors.As(err, &st):
 		statusCode = fasthttp.StatusForbidden
 		reason := st.Reason()
 		msg = fmt.Sprintf("%s: %v: %s", message, err, reason)
 		logFields = append(logFields, zap.String("error_detail", reason))
 	case client.IsErrObjectNotFound(err) || client.IsErrContainerNotFound(err):
 		statusCode = fasthttp.StatusNotFound
 		msg = "Not Found"
 	default:
 		statusCode = fasthttp.StatusBadRequest
 		msg = fmt.Sprintf("%s: %v", message, err)
 	}
 	return statusCode, msg, logFields
 }
--- a/tokens/bearer-token.go
+++ b/tokens/bearer-token.go
@ -82,14 +82,22 @@ func fetchBearerToken(ctx *fasthttp.RequestCtx) (*bearer.Token, error) {
 		tkn = new(bearer.Token)
 	)
 	for _, parse := range []fromHandler{BearerTokenFromHeader, BearerTokenFromCookie} {
-		if buf = parse(&ctx.Request.Header); buf == nil {
+		buf = parse(&ctx.Request.Header)
 		if buf == nil {
 			continue
-		} else if data, err := base64.StdEncoding.DecodeString(string(buf)); err != nil {
+		}
 		data, err := base64.StdEncoding.DecodeString(string(buf))
 		if err != nil {
 			lastErr = fmt.Errorf("can't base64-decode bearer token: %w", err)
 			continue
-		} else if err = tkn.Unmarshal(data); err != nil {
+		}
-			lastErr = fmt.Errorf("can't unmarshal bearer token: %w", err)
+
-			continue
+		if err = tkn.Unmarshal(data); err != nil {
 			if err = tkn.UnmarshalJSON(data); err != nil {
 				lastErr = fmt.Errorf("can't unmarshal bearer token: %w", err)
 				continue
 			}
 		}
 		return tkn, nil
--- a/tokens/bearer-token_test.go
+++ b/tokens/bearer-token_test.go
@ -98,8 +98,14 @@ func TestFetchBearerToken(t *testing.T) {
 	tkn := new(bearer.Token)
 	tkn.ForUser(uid)
-	t64 := base64.StdEncoding.EncodeToString(tkn.Marshal())
+	jsonToken, err := tkn.MarshalJSON()
-	require.NotEmpty(t, t64)
+	require.NoError(t, err)
 	jsonTokenBase64 := base64.StdEncoding.EncodeToString(jsonToken)
 	binaryTokenBase64 := base64.StdEncoding.EncodeToString(tkn.Marshal())
 	require.NotEmpty(t, jsonTokenBase64)
 	require.NotEmpty(t, binaryTokenBase64)
 	cases := []struct {
 		name   string
@ -143,25 +149,47 @@ func TestFetchBearerToken(t *testing.T) {
 			error:  "can't unmarshal bearer token",
 		},
 		{
-			name:   "bad header, but good cookie",
+			name:   "bad header, but good cookie with binary token",
 			header: "dGVzdAo=",
-			cookie: t64,
+			cookie: binaryTokenBase64,
 			expect: tkn,
 		},
 		{
-			name:   "bad cookie, but good header",
+			name:   "bad cookie, but good header with binary token",
-			header: t64,
+			header: binaryTokenBase64,
 			cookie: "dGVzdAo=",
 			expect: tkn,
 		},
 		{
-			name:   "ok for header",
+			name:   "bad header, but good cookie with json token",
-			header: t64,
+			header: "dGVzdAo=",
 			cookie: jsonTokenBase64,
 			expect: tkn,
 		},
 		{
-			name:   "ok for cookie",
+			name:   "bad cookie, but good header with json token",
-			cookie: t64,
+			header: jsonTokenBase64,
 			cookie: "dGVzdAo=",
 			expect: tkn,
 		},
 		{
 			name:   "ok for header with binary token",
 			header: binaryTokenBase64,
 			expect: tkn,
 		},
 		{
 			name:   "ok for cookie with binary token",
 			cookie: binaryTokenBase64,
 			expect: tkn,
 		},
 		{
 			name:   "ok for header with json token",
 			header: jsonTokenBase64,
 			expect: tkn,
 		},
 		{
 			name:   "ok for cookie with json token",
 			cookie: jsonTokenBase64,
 			expect: tkn,
 		},
 	}
--- a/tree/tree.go
+++ b/tree/tree.go
@ -6,16 +6,20 @@ import (
 	"fmt"
 	"strings"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/api/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/utils"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"go.uber.org/zap"
 )
 type (
 	Tree struct {
 		service ServiceClient
 		log     *zap.Logger
 	}
 	// ServiceClient is a client to interact with tree service.
@ -30,6 +34,11 @@ type (
 		Meta  map[string]string
 	}
 	multiSystemNode struct {
 		// the first element is latest
 		nodes []*treeNode
 	}
 	GetNodesParams struct {
 		CnrID      cid.ID
 		BktInfo    *data.BucketInfo
@ -50,25 +59,26 @@ var (
 )
 const (
-	FileNameKey = "FileName"
+	FileNameKey      = "FileName"
-)
+	settingsFileName = "bucket-settings"
-const (
+	oidKV      = "OID"
-	oidKV = "OID"
+	uploadIDKV = "UploadId"
 	sizeKV     = "Size"
 	// keys for delete marker nodes.
 	isDeleteMarkerKV = "IsDeleteMarker"
 	sizeKV           = "Size"
 	// versionTree -- ID of a tree with object versions.
 	versionTree = "version"
 	systemTree  = "system"
 	separator = "/"
 )
 // NewTree creates instance of Tree using provided address and create grpc connection.
-func NewTree(service ServiceClient) *Tree {
+func NewTree(service ServiceClient, log *zap.Logger) *Tree {
-	return &Tree{service: service}
+	return &Tree{service: service, log: log}
 }
 type Meta interface {
@ -112,7 +122,7 @@ func (n *treeNode) FileName() (string, bool) {
 	return value, ok
 }
-func newNodeVersion(node NodeResponse) (*api.NodeVersion, error) {
+func newNodeVersion(node NodeResponse) (*data.NodeVersion, error) {
 	tNode, err := newTreeNode(node)
 	if err != nil {
 		return nil, fmt.Errorf("invalid tree node: %w", err)
@ -121,21 +131,73 @@ func newNodeVersion(node NodeResponse) (*api.NodeVersion, error) {
 	return newNodeVersionFromTreeNode(tNode), nil
 }
-func newNodeVersionFromTreeNode(treeNode *treeNode) *api.NodeVersion {
+func newNodeVersionFromTreeNode(treeNode *treeNode) *data.NodeVersion {
 	_, isDeleteMarker := treeNode.Get(isDeleteMarkerKV)
-	size, _ := treeNode.Get(sizeKV)
+	version := &data.NodeVersion{
-	version := &api.NodeVersion{
+		BaseNodeVersion: data.BaseNodeVersion{
-		BaseNodeVersion: api.BaseNodeVersion{
+			OID:            treeNode.ObjID,
-			OID: treeNode.ObjID,
+			IsDeleteMarker: isDeleteMarker,
 		},
 		DeleteMarker: isDeleteMarker,
 		IsPrefixNode: size == "",
 	}
 	return version
 }
-func (c *Tree) GetLatestVersion(ctx context.Context, cnrID *cid.ID, objectName string) (*api.NodeVersion, error) {
+func newNodeInfo(node NodeResponse) data.NodeInfo {
 	nodeMeta := node.GetMeta()
 	nodeInfo := data.NodeInfo{
 		Meta: make([]data.NodeMeta, 0, len(nodeMeta)),
 	}
 	for _, meta := range nodeMeta {
 		nodeInfo.Meta = append(nodeInfo.Meta, meta)
 	}
 	return nodeInfo
 }
 func newMultiNode(nodes []NodeResponse) (*multiSystemNode, error) {
 	var (
 		err          error
 		index        int
 		maxTimestamp uint64
 	)
 	if len(nodes) == 0 {
 		return nil, errors.New("multi node must have at least one node")
 	}
 	treeNodes := make([]*treeNode, len(nodes))
 	for i, node := range nodes {
 		if treeNodes[i], err = newTreeNode(node); err != nil {
 			return nil, fmt.Errorf("parse system node response: %w", err)
 		}
 		if timestamp := getMaxTimestamp(node); timestamp > maxTimestamp {
 			index = i
 			maxTimestamp = timestamp
 		}
 	}
 	treeNodes[0], treeNodes[index] = treeNodes[index], treeNodes[0]
 	return &multiSystemNode{
 		nodes: treeNodes,
 	}, nil
 }
 func (m *multiSystemNode) Latest() *treeNode {
 	return m.nodes[0]
 }
 func (m *multiSystemNode) Old() []*treeNode {
 	return m.nodes[1:]
 }
 func (c *Tree) GetLatestVersion(ctx context.Context, cnrID *cid.ID, objectName string) (*data.NodeVersion, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetLatestVersion")
 	defer span.End()
 	nodes, err := c.GetVersions(ctx, cnrID, objectName)
 	if err != nil {
 		return nil, err
@ -150,6 +212,9 @@ func (c *Tree) GetLatestVersion(ctx context.Context, cnrID *cid.ID, objectName s
 }
 func (c *Tree) GetVersions(ctx context.Context, cnrID *cid.ID, objectName string) ([]NodeResponse, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetVersions")
 	defer span.End()
 	meta := []string{oidKV, isDeleteMarkerKV, sizeKV}
 	path := pathFromName(objectName)
@ -165,6 +230,61 @@ func (c *Tree) GetVersions(ctx context.Context, cnrID *cid.ID, objectName string
 	return c.service.GetNodes(ctx, p)
 }
 func (c *Tree) CheckSettingsNodeExists(ctx context.Context, bktInfo *data.BucketInfo) error {
 	ctx, span := tracing.StartSpanFromContext(ctx, "tree.CheckSettingsNodeExists")
 	defer span.End()
 	_, err := c.getSystemNode(ctx, bktInfo, settingsFileName)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (c *Tree) getSystemNode(ctx context.Context, bktInfo *data.BucketInfo, name string) (*multiSystemNode, error) {
 	p := &GetNodesParams{
 		CnrID:      bktInfo.CID,
 		BktInfo:    bktInfo,
 		TreeID:     systemTree,
 		Path:       []string{name},
 		LatestOnly: false,
 		AllAttrs:   true,
 	}
 	nodes, err := c.service.GetNodes(ctx, p)
 	if err != nil {
 		return nil, err
 	}
 	nodes = filterMultipartNodes(nodes)
 	if len(nodes) == 0 {
 		return nil, layer.ErrNodeNotFound
 	}
 	if len(nodes) != 1 {
 		c.reqLogger(ctx).Warn(logs.FoundSeveralSystemTreeNodes, zap.String("name", name), logs.TagField(logs.TagExternalStorageTree))
 	}
 	return newMultiNode(nodes)
 }
 func filterMultipartNodes(nodes []NodeResponse) []NodeResponse {
 	res := make([]NodeResponse, 0, len(nodes))
 LOOP:
 	for _, node := range nodes {
 		for _, meta := range node.GetMeta() {
 			if meta.GetKey() == uploadIDKV {
 				continue LOOP
 			}
 		}
 		res = append(res, node)
 	}
 	return res
 }
 func getLatestVersionNode(nodes []NodeResponse) (NodeResponse, error) {
 	var (
 		maxCreationTime uint64
@ -183,7 +303,7 @@ func getLatestVersionNode(nodes []NodeResponse) (NodeResponse, error) {
 	}
 	if targetIndexNode == -1 {
-		return nil, layer.ErrNodeNotFound
+		return nil, fmt.Errorf("latest version: %w", layer.ErrNodeNotFound)
 	}
 	return nodes[targetIndexNode], nil
@ -204,14 +324,17 @@ func pathFromName(objectName string) []string {
 	return strings.Split(objectName, separator)
 }
-func (c *Tree) GetSubTreeByPrefix(ctx context.Context, bktInfo *data.BucketInfo, prefix string, latestOnly bool) ([]NodeResponse, string, error) {
+func (c *Tree) GetSubTreeByPrefix(ctx context.Context, bktInfo *data.BucketInfo, prefix string, latestOnly bool) ([]data.NodeInfo, string, error) {
 	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetSubTreeByPrefix")
 	defer span.End()
 	rootID, tailPrefix, err := c.determinePrefixNode(ctx, bktInfo, versionTree, prefix)
 	if err != nil {
 		return nil, "", err
 	}
 	subTree, err := c.service.GetSubTree(ctx, bktInfo, versionTree, rootID, 2, false)
 	if err != nil {
-		if errors.Is(err, layer.ErrNodeNotFound) {
+		if errors.Is(err, ErrNodeNotFound) {
 			return nil, "", nil
 		}
 		return nil, "", err
@ -246,14 +369,23 @@ func (c *Tree) GetSubTreeByPrefix(ctx context.Context, bktInfo *data.BucketInfo,
 		nodesMap[fileName] = nodes
 	}
-	result := make([]NodeResponse, 0, len(subTree))
+	result := make([]data.NodeInfo, 0, len(subTree))
 	for _, nodes := range nodesMap {
-		result = append(result, nodes...)
+		result = append(result, nodeResponseToNodeInfo(nodes)...)
 	}
 	return result, strings.TrimSuffix(prefix, tailPrefix), nil
 }
 func nodeResponseToNodeInfo(nodes []NodeResponse) []data.NodeInfo {
 	nodesInfo := make([]data.NodeInfo, 0, len(nodes))
 	for _, node := range nodes {
 		nodesInfo = append(nodesInfo, newNodeInfo(node))
 	}
 	return nodesInfo
 }
 func (c *Tree) determinePrefixNode(ctx context.Context, bktInfo *data.BucketInfo, treeID, prefix string) ([]uint64, string, error) {
 	rootID := []uint64{0}
 	path := strings.Split(prefix, separator)
@ -298,6 +430,10 @@ func (c *Tree) getPrefixNodeID(ctx context.Context, bktInfo *data.BucketInfo, tr
 	return intermediateNodes, nil
 }
 func (c *Tree) reqLogger(ctx context.Context) *zap.Logger {
 	return utils.GetReqLogOrDefault(ctx, c.log)
 }
 func GetFilename(node NodeResponse) string {
 	for _, kv := range node.GetMeta() {
 		if kv.GetKey() == FileNameKey {
--- a/utils/attributes.go
+++ b/utils/attributes.go
@ -11,6 +11,8 @@ import (
 	"time"
 	"unicode"
 	"unicode/utf8"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 )
 type EpochDurations struct {
@ -256,3 +258,12 @@ func (t systemTransformer) updateExpirationHeader(headers map[string]string, dur
 	headers[t.expirationEpochAttr()] = strconv.FormatUint(expirationEpoch, 10)
 }
 func GetAttributeValue(attrs []object.Attribute, key string) string {
 	for _, attr := range attrs {
 		if attr.Key() == key {
 			return attr.Value()
 		}
 	}
 	return ""
 }
Author	SHA1	Message	Date
Pavel Pogodaev	cb72d11515	[#224 ] Refactor logger tag configuration Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>	2025-04-01 11:43:51 +03:00
Denis Kirillov	f0b86c8ba7	[#191 ] Update integration tests Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-03-25 06:27:56 +00:00
Denis Kirillov	458bf933fc	[#191 ] Refactor error handling and logging Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-03-25 06:27:56 +00:00
Alex Vanin	0f73da258b	[#223 ] Bump frostfs-sdk-go Contains: * more detailed pool errors * disabled service config query in gRPC client Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-03-20 18:40:28 +03:00
Vitaliy Potyarkin	d670983df4	[#208 ] govulncheck: Fix minor toolchain updates for good Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2025-03-20 13:49:55 +00:00
Marina Biryukova	9ef6b06e91	[#212 ] Support CORS container for CORS settings Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-03-10 18:12:36 +03:00
Roman Loginov	9cf2a4f0e0	[#197 ] Add a leading slash to the FilePath attribute According to the frostfs api specification, the File Path attribute must start with a leading slash. More info: https://git.frostfs.info/TrueCloudLab/frostfs-api Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-25 14:14:20 +00:00
Marina Biryukova	cc6055bd27	[#211 ] Add IO tags Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-02-25 08:36:38 +00:00
Denis Kirillov	a651b5823f	[#219 ] Use zaptest.Logger Use zaptest to get logs which get printed only if a test fails or if you ran go test -v. Dont use zaptest.Logger for fuzz otherwise ngfuzz/libfuzz crashes Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-02-21 16:11:49 +03:00
Nikita Zinkevich	f9c5dc5260	[#216 ] Rework http2 test to be tls test Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2025-02-18 14:55:19 +03:00
Nikita Zinkevich	8bfaa84124	[#216 ] Remove http2 forcing fasthttp doesn't support http2 which causes errors when we enable it Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2025-02-18 14:55:19 +03:00
Alex Vanin	b362793e79	[#195 ] Use datapath tag in FrostFS pools logs Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-02-11 18:43:31 +03:00
Roman Loginov	466f3a9531	[#174 ] Port release v0.32.3 changelog Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-07 15:06:21 +03:00
Roman Loginov	47d74a5a77	[#174 ] Add slash clipping for FileName attribute According to the FrostFS API specification, the FileName attribute cannot contain a slash at the beginning. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-07 15:06:19 +03:00
Roman Loginov	20319418cc	[#145 ] Update frostfs-observability version The new version of frostfs-observability has improved the detail of tracing low-level rpc calls by adding send and receive events. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-07 14:55:55 +03:00
Roman Loginov	412886c24f	[#145 ] tree: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-07 14:55:55 +03:00
Roman Loginov	bfe24a458b	[#145 ] frostfs: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-07 14:55:55 +03:00
Roman Loginov	11846df266	[#145 ] handler: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-07 14:55:53 +03:00
Alex Vanin	c509ce0b28	[#195 ] Fix log record grouping Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-02-07 11:47:38 +00:00
Alex Vanin	1e8fa19bb9	[#195 ] Make all initial logging tags as default tags Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-02-07 11:47:38 +00:00
Aleksey Kravchenko	6a4d3206bd	[#195 ] Add tags support Signed-off-by: Aleksey Kravchenko <al.kravchenko@yadro.com>	2025-02-07 11:47:38 +00:00
Alex Vanin	76bd6ea40f	[#206 ] Bump go version in vulncheck go1.22.11 triggers GO-2025-3447 but this is applicable only for ppc64le platform. Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-02-07 13:00:07 +03:00
Alex Vanin	1779593f46	[#203 ] Port changelog from support branch Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-02-03 14:26:58 +00:00
Alex Vanin	7e48ca626e	[#202 ] Bump SDK version to the latest master Contains fixes: - memory leak in gRPC client, - panic and deadlock in tree pool. Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2025-02-03 14:26:58 +00:00
Denis Kirillov	72e5d645b9	[#194 ] Fix updateServers finding logic Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-02-03 10:49:57 +03:00
Marina Biryukova	8362cd696e	[#199 ] Port release v0.32.1 changelog Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-01-29 13:10:35 +00:00
Marina Biryukova	8de06e23a0	[#199 ] Use default value if config param is unset after SIGHUP Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-01-29 13:10:35 +00:00
Marina Biryukova	a6fdaf9456	[#199 ] Clear app services list Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-01-29 13:10:35 +00:00
Marina Biryukova	526da379ad	[#199 ] Fix SIGHUP panic Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-01-29 13:10:35 +00:00
Vitaliy Potyarkin	87ace4f8f7	[#201 ] govulncheck: Use patch release with security fixes https://go.dev/doc/devel/release#go1.23.minor Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2025-01-28 18:02:43 +03:00
Nikita Zinkevich	36bd3e2d43	[#170 ] logs: Remove comments Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2025-01-23 17:16:23 +03:00
Nikita Zinkevich	1e897aa3c3	[#170 ] Updated docs and configuration of archive section Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2025-01-23 17:16:23 +03:00
Nikita Zinkevich	1e7309684b	[#170 ] Support .tar/.tgz unpacking during upload During upload if X-Explode-Archive is set, gate tries to read archive and create an object for each file. Each object acquires a FilePath attribute which is calculated relative to the archive root. Archive could have compression via Gzip if "Content-Encoding: gzip" header is specified Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2025-01-23 17:16:12 +03:00
Nikita Zinkevich	7901d00924	[#170 ] Support tar.gz downloading Split DownloadZip handler on methods. Add handler DownloadTar for downloading tar.gz archives. Make methods more universal for using in both implementations Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2025-01-23 15:42:22 +03:00
Vitaliy Potyarkin	a7617514d3	[#193 ] Use selfhosted image registry instead of Docker Hub Existing AIO image tags referenced from our integration tests were manually synced to git.frostfs.info prior to this change. Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2025-01-21 12:59:25 +03:00
Vitaliy Potyarkin	856e0ecf40	[#193 ] Update testcontainers to v0.35.0 Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2025-01-21 11:43:00 +03:00
Vitaliy Potyarkin	1e82f64dfd	[#193 ] Enable integration tests in Forgejo Actions Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2025-01-21 11:07:00 +03:00
Roman Loginov	4b782cf124	[#187 ] Add handling quota limit reached error The Access Denied status may be received from APE due to exceeding the quota. In this situation, you need to return the appropriate status code. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-01-21 06:59:47 +00:00
Aleksey Kravchenko	f0c999d9a2	[#188 ] Improve content-type detector Signed-off-by: Aleksey Kravchenko <al.kravchenko@yadro.com>	2025-01-21 06:52:37 +00:00
Marina Biryukova	1db62f9d95	[#185 ] Update SDK to support new tree/pool version Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-01-21 06:47:52 +00:00
Vitaliy Potyarkin	e1b670a727	[#192 ] Build and host OCI images on our own infra Similar to TrueCloudLab/frostfs-s3-gw#587 this PR introduces a CI pipeline that builds Docker images and pushes them to our selfhosted registry. Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2025-01-21 06:42:25 +00:00
Roman Loginov	9551f34f00	[#163 ] Support JSON bearer token Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-01-09 11:26:37 +03:00
Roman Loginov	a4e3767d4b	[#175 ] Adopt 1.6.* aio versoins in integration tests Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2024-12-24 08:01:33 +00:00
Alex Vanin	d32ac4b537	Release v0.32.0 Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-12-20 15:23:02 +03:00
Nikita Zinkevich	a658f3adc0	[#181 ] index_page: Ignore deleted objects in versioned buckets Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2024-12-17 13:06:57 +00:00
Alex Vanin	a945a947ac	[#183 ] Unlink API.md to README file This is useful for auto-generated document tools which parse docs dir. Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-12-17 13:03:02 +00:00
Nikita Zinkevich	1be92fa4be	[#166 ] Fix getting s3 object with the FrostFS OID name Prioritize getting s3 object with the key, which equals to valid FrostFS OID, rather than getting non-existent object with OID via native protocol for GET and HEAD requests Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2024-12-17 10:32:22 +03:00
Roman Loginov	dc100f03a6	[#174 ] Add fallback path to search Fallback path to search is needed because some software may keep FileName attribute and ignore FilePath attribute during file upload. Therefore, if this feature is enabled under certain conditions (for more information, see gate-configuration.md) a search will be performed for the FileName attribute. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2024-12-16 10:43:34 +00:00
Vitaliy Potyarkin	bbc7c7367d	[#179 ] Refine CODEOWNERS settings Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2024-12-10 16:18:08 +03:00
Nikita Zinkevich	b9e44c603d	[#178 ] Update frostfs-sdk-go with new tree service client Add tree service's GetBucketSettings to use them to check for protocol to use (S3 or native). Also add mock implementations for this and GetLatestVersion methods. Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2024-12-09 15:09:08 +03:00
Pavel Pogodaev	e81f01c2ab	[#150 ] Add dropped logs metric Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>	2024-12-04 15:49:25 +03:00
Alex Vanin	a2f8cb6735	Release v0.31.0 Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-11-20 11:09:31 +03:00
Nikita Zinkevich	43764772aa	[#151 ] index page: Add browse via native protocol Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>	2024-11-19 17:33:21 +03:00
Roman Loginov	9c0b499ea6	[#164 ] Add tracing attributes Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2024-11-18 12:48:04 +00:00
Vitaliy Potyarkin	22d905e51e	[#165 ] Execute CI on push to master Discussion: TrueCloudLab/frostfs-s3-gw#550 Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2024-11-15 11:41:13 +00:00
Vitaliy Potyarkin	d5b92446bd	[#162 ] Stop using obsolete .github directory This commit is a part of multi-repo cleanup effort: TrueCloudLab/frostfs-infra#136 Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2024-11-06 15:19:54 +03:00
Denis Kirillov	679731ee52	[#161 ] Update SDK Need fix TrueCloudLab/frostfs-sdk-go#282 Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-11-05 17:51:35 +03:00
Alex Vanin	821f8c2248	[#160 ] Add documentation for multinet settings Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-10-31 11:38:54 +03:00
Alex Vanin	8bc64ce5e9	[#160 ] Use source dialer for gRPC connection to storage Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-10-31 11:38:49 +03:00
Alex Vanin	69b7761bd6	[#160 ] Add internal/net package with multinet dialer source Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-10-31 11:38:41 +03:00
Denis Kirillov	46c63edd67	[#158 ] Support cors Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-10-25 09:31:59 +03:00
Denis Kirillov	901b8ff95b	[#158 ] Fix integration test compilation error Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-10-25 09:30:58 +03:00
Denis Kirillov	8dc5272965	[#158 ] Rework app settings Update settings by sighup using one lock/unlock operation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-10-25 09:30:53 +03:00
Roman Loginov	70846fdaec	[#157 ] Support the continuous use of interceptors We can always add interceptors to the grpc connection to the storage, since the actual use will be controlled by the configuration from the frostfs-observability library. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2024-10-22 14:24:26 +00:00