implement godoxy-agent

agent/pkg/agent/config.go

@@ -0,0 +1,192 @@
+package agent
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/logging"
+	gphttp "github.com/yusing/go-proxy/internal/net/http"
+	"github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils/functional"
+	"github.com/yusing/go-proxy/pkg"
+	"golang.org/x/net/context"
+)
+
+type (
+	AgentConfig struct {
+		Addr string
+
+		httpClient *http.Client
+		tlsConfig  *tls.Config
+		name       string
+		l          zerolog.Logger
+	}
+)
+
+const (
+	EndpointVersion   = "/version"
+	EndpointName      = "/name"
+	EndpointCACert    = "/ca-cert"
+	EndpointProxyHTTP = "/proxy/http"
+	EndpointHealth    = "/health"
+	EndpointLogs      = "/logs"
+
+	AgentHost = certs.CertsDNSName
+
+	APIEndpointBase = "/godoxy/agent"
+	APIBaseURL      = "https://" + AgentHost + APIEndpointBase
+
+	DockerHost = "https://" + AgentHost
+
+	FakeDockerHostPrefix    = "agent://"
+	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
+)
+
+var (
+	agents     = functional.NewMapOf[string, *AgentConfig]()
+	agentMapMu sync.RWMutex
+)
+
+var (
+	HTTPProxyURL         = types.MustParseURL(APIBaseURL + EndpointProxyHTTP)
+	HTTPProxyURLStripLen = len(HTTPProxyURL.Path)
+)
+
+func IsDockerHostAgent(dockerHost string) bool {
+	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
+}
+
+func GetAgentFromDockerHost(dockerHost string) (*AgentConfig, bool) {
+	if !IsDockerHostAgent(dockerHost) {
+		return nil, false
+	}
+	return agents.Load(dockerHost[FakeDockerHostPrefixLen:])
+}
+
+func (cfg *AgentConfig) FakeDockerHost() string {
+	return FakeDockerHostPrefix + cfg.Name()
+}
+
+func (cfg *AgentConfig) Parse(addr string) error {
+	cfg.Addr = addr
+	return cfg.load()
+}
+
+func (cfg *AgentConfig) errIfNameExists() E.Error {
+	agentMapMu.RLock()
+	defer agentMapMu.RUnlock()
+	agent, ok := agents.Load(cfg.Name())
+	if ok {
+		return E.Errorf("agent with name %s (%s) already exists", cfg.Name(), agent.Addr)
+	}
+	return nil
+}
+
+func (cfg *AgentConfig) load() E.Error {
+	certData, err := os.ReadFile(certs.AgentCertsFilename(cfg.Addr))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return E.Errorf("agents certs not found, did you run `godoxy new-agent %s ...`?", cfg.Addr)
+		}
+		return E.Wrap(err)
+	}
+
+	ca, crt, key, err := certs.ExtractCert(certData)
+	if err != nil {
+		return E.Wrap(err)
+	}
+
+	clientCert, err := tls.X509KeyPair(crt, key)
+	if err != nil {
+		return E.Wrap(err)
+	}
+
+	// create tls config
+	caCertPool := x509.NewCertPool()
+	ok := caCertPool.AppendCertsFromPEM(ca)
+	if !ok {
+		return E.New("invalid CA certificate")
+	}
+
+	cfg.tlsConfig = &tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		RootCAs:      caCertPool,
+	}
+
+	// create transport and http client
+	cfg.httpClient = cfg.NewHTTPClient()
+
+	ctx, cancel := context.WithTimeout(task.RootContext(), 5*time.Second)
+	defer cancel()
+
+	// check agent version
+	version, _, err := cfg.Fetch(ctx, EndpointVersion)
+	if err != nil {
+		return E.Wrap(err)
+	}
+
+	if string(version) != pkg.GetVersion() {
+		return E.Errorf("agent version mismatch: server: %s, agent: %s", pkg.GetVersion(), string(version))
+	}
+
+	// get agent name
+	name, _, err := cfg.Fetch(ctx, EndpointName)
+	if err != nil {
+		return E.Wrap(err)
+	}
+
+	// check if agent name is already used
+	cfg.name = string(name)
+	if err := cfg.errIfNameExists(); err != nil {
+		return err
+	}
+
+	cfg.l = logging.With().Str("agent", cfg.name).Logger()
+
+	agents.Store(cfg.name, cfg)
+	return nil
+}
+
+func (cfg *AgentConfig) NewHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: cfg.Transport(),
+	}
+}
+
+func (cfg *AgentConfig) Transport() *http.Transport {
+	return &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if addr != AgentHost+":443" {
+				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
+			}
+			return gphttp.DefaultDialer.DialContext(ctx, network, cfg.Addr)
+		},
+		TLSClientConfig: cfg.tlsConfig,
+	}
+}
+
+func (cfg *AgentConfig) Name() string {
+	return cfg.name
+}
+
+func (cfg *AgentConfig) String() string {
+	return "agent@" + cfg.Name()
+}
+
+func (cfg *AgentConfig) MarshalText() ([]byte, error) {
+	return json.Marshal(map[string]string{
+		"name": cfg.Name(),
+		"addr": cfg.Addr,
+	})
+}

agent/pkg/agent/requests.go

@@ -0,0 +1,36 @@
+package agent
+
+import (
+	"io"
+	"net/http"
+
+	"github.com/coder/websocket"
+	"github.com/yusing/go-proxy/internal/logging"
+	"golang.org/x/net/context"
+)
+
+func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
+	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
+	logging.Debug().Msgf("request: %s %s", method, req.URL.String())
+	if err != nil {
+		return nil, err
+	}
+	return cfg.httpClient.Do(req)
+}
+
+func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int, error) {
+	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer resp.Body.Close()
+	data, err := io.ReadAll(resp.Body)
+	return data, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
+	return websocket.Dial(ctx, APIBaseURL+endpoint, &websocket.DialOptions{
+		HTTPClient: cfg.NewHTTPClient(),
+		Host:       AgentHost,
+	})
+}

agent/pkg/agentproxy/headers.go

@@ -0,0 +1,27 @@
+package agentproxy
+
+import (
+	"net/http"
+	"strconv"
+)
+
+const (
+	HeaderXProxyHost                  = "X-Proxy-Host"
+	HeaderXProxyHTTPS                 = "X-Proxy-Https"
+	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
+	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
+)
+
+type AgentProxyHeaders struct {
+	Host                  string
+	IsHTTPS               bool
+	SkipTLSVerify         bool
+	ResponseHeaderTimeout int
+}
+
+func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
+	r.Header.Set(HeaderXProxyHost, headers.Host)
+	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
+	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
+	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
+}

agent/pkg/certs/certs.go

@@ -0,0 +1,201 @@
+package certs
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"math/big"
+	"os"
+	"time"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+const (
+	CertsDNSName = "godoxy.agent"
+
+	caCertPath  = "certs/ca.crt"
+	caKeyPath   = "certs/ca.key"
+	srvCertPath = "certs/agent.crt"
+	srvKeyPath  = "certs/agent.key"
+)
+
+func loadCerts(certPath, keyPath string) (*tls.Certificate, error) {
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	return &cert, err
+}
+
+func write(b []byte, f *os.File) error {
+	_, err := f.Write(b)
+	return err
+}
+
+func saveCerts(certDER []byte, key *rsa.PrivateKey, certPath, keyPath string) ([]byte, []byte, error) {
+	certPEM, keyPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
+		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
+
+	if certPath == "" || keyPath == "" {
+		return certPEM, keyPEM, nil
+	}
+
+	certFile, err := os.Create(certPath)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer certFile.Close()
+
+	keyFile, err := os.Create(keyPath)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer keyFile.Close()
+
+	return certPEM, keyPEM, errors.Join(
+		write(certPEM, certFile),
+		write(keyPEM, keyFile),
+	)
+}
+
+func checkExists(certPath, keyPath string) bool {
+	certExists, err := utils.FileExists(certPath)
+	if err != nil {
+		E.LogFatal("cert error", err)
+	}
+	keyExists, err := utils.FileExists(keyPath)
+	if err != nil {
+		E.LogFatal("key error", err)
+	}
+	return certExists && keyExists
+}
+
+func InitCerts() (ca *tls.Certificate, srv *tls.Certificate, isNew bool, err error) {
+	if checkExists(caCertPath, caKeyPath) && checkExists(srvCertPath, srvKeyPath) {
+		logging.Info().Msg("Loading existing certs...")
+		ca, err = loadCerts(caCertPath, caKeyPath)
+		if err != nil {
+			return nil, nil, false, err
+		}
+		srv, err = loadCerts(srvCertPath, srvKeyPath)
+		if err != nil {
+			return nil, nil, false, err
+		}
+
+		logging.Info().Msg("Verifying agent cert...")
+
+		roots := x509.NewCertPool()
+		roots.AddCert(ca.Leaf)
+
+		srvCert, err := x509.ParseCertificate(srv.Certificate[0])
+		if err != nil {
+			return nil, nil, false, err
+		}
+
+		// check if srv is signed by ca
+		if _, err := srvCert.Verify(x509.VerifyOptions{
+			Roots: roots,
+		}); err == nil {
+			logging.Info().Msg("OK")
+			return ca, srv, false, nil
+		}
+		logging.Error().Msg("Agent cert and CA cert mismatch, regenerating")
+	}
+
+	// Create the CA's certificate
+	caTemplate := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"GoDoxy"},
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(1000, 0, 0), // 1000 years
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	caCertDER, err := x509.CreateCertificate(rand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	certPEM, keyPEM, err := saveCerts(caCertDER, caKey, caCertPath, caKeyPath)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	ca = &cert
+
+	// Generate a new private key for the server certificate
+	serverKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	srvTemplate := caTemplate
+	srvTemplate.Issuer = srvTemplate.Subject
+	srvTemplate.DNSNames = append(srvTemplate.DNSNames, CertsDNSName)
+
+	srvCertDER, err := x509.CreateCertificate(rand.Reader, &srvTemplate, &caTemplate, &serverKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	certPEM, keyPEM, err = saveCerts(srvCertDER, serverKey, srvCertPath, srvKeyPath)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	cert, err = tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
+	srv = &cert
+
+	return ca, srv, true, nil
+}
+
+func NewClientCert(ca *tls.Certificate) ([]byte, []byte, error) {
+	// Generate the SSL's private key
+	sslKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Create the SSL's certificate
+	sslTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			Organization: []string{"GoDoxy"},
+			CommonName:   CertsDNSName,
+		},
+		NotBefore:   time.Now(),
+		NotAfter:    time.Now().AddDate(1000, 0, 0), // 1000 years
+		KeyUsage:    x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+	}
+
+	// Sign the certificate with the CA
+	sslCertDER, err := x509.CreateCertificate(rand.Reader, sslTemplate, ca.Leaf, &sslKey.PublicKey, ca.PrivateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return saveCerts(sslCertDER, sslKey, "", "")
+}

agent/pkg/certs/zip.go

@@ -0,0 +1,76 @@
+package certs
+
+import (
+	"archive/zip"
+	"bytes"
+	"io"
+	"path/filepath"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
+	w, err := zipWriter.CreateHeader(&zip.FileHeader{
+		Name:   name,
+		Method: zip.Deflate,
+	})
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(data)
+	return err
+}
+
+func readFile(f *zip.File) ([]byte, error) {
+	r, err := f.Open()
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+	return io.ReadAll(r)
+}
+
+func ZipCert(ca, crt, key []byte) ([]byte, error) {
+	data := bytes.NewBuffer(nil)
+	zipWriter := zip.NewWriter(data)
+	defer zipWriter.Close()
+
+	if err := writeFile(zipWriter, "ca.pem", ca); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "cert.pem", crt); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "key.pem", key); err != nil {
+		return nil, err
+	}
+	if err := zipWriter.Close(); err != nil {
+		return nil, err
+	}
+	return data.Bytes(), nil
+}
+
+func AgentCertsFilename(host string) string {
+	return filepath.Join(common.AgentCertsBasePath, host+".zip")
+}
+
+func ExtractCert(data []byte) (ca, crt, key []byte, err error) {
+	zipReader, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	for _, file := range zipReader.File {
+		switch file.Name {
+		case "ca.pem":
+			ca, err = readFile(file)
+		case "cert.pem":
+			crt, err = readFile(file)
+		case "key.pem":
+			key, err = readFile(file)
+		}
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+	return ca, crt, key, nil
+}

agent/pkg/env/env.go

@@ -0,0 +1,8 @@
+package env
+
+import "github.com/yusing/go-proxy/internal/common"
+
+var (
+	AgentName = common.GetEnvString("AGENT_NAME", "agent")
+	AgentPort = common.GetEnvInt("AGENT_PORT", 8890)
+)

agent/pkg/handler/check_health.go

@@ -0,0 +1,66 @@
+package handler
+
+import (
+	"net/http"
+	"net/url"
+
+	apiUtils "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
+)
+
+func CheckHealth(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	scheme := query.Get("scheme")
+	if scheme == "" {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	var result *health.HealthCheckResult
+	var err error
+	switch scheme {
+	case "fileserver":
+		path := query.Get("path")
+		if path == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		ok, err := utils.FileExists(path)
+		result = &health.HealthCheckResult{Healthy: ok}
+		if err != nil {
+			result.Detail = err.Error()
+		}
+	case "http", "https": // path is optional
+		host := query.Get("host")
+		path := query.Get("path")
+		if host == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewHTTPHealthChecker(types.NewURL(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+			Path:   path,
+		}), health.DefaultHealthConfig).CheckHealth()
+	case "tcp", "udp":
+		host := query.Get("host")
+		if host == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewRawHealthChecker(types.NewURL(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+		}), health.DefaultHealthConfig).CheckHealth()
+	}
+
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadGateway)
+		return
+	}
+
+	apiUtils.RespondJSON(w, r, result)
+}

agent/pkg/handler/docker_socket.go

@@ -0,0 +1,92 @@
+package handler
+
+import (
+	"bufio"
+	"errors"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/logging"
+	godoxyIO "github.com/yusing/go-proxy/internal/utils"
+)
+
+func DockerSocketHandler() http.HandlerFunc {
+	dockerClient, err := docker.ConnectClient(common.DockerHostFromEnv)
+	if err != nil {
+		logging.Fatal().Err(err).Msg("failed to connect to docker client")
+	}
+	dockerDialerCallback := dockerClient.Dialer()
+
+	return func(w http.ResponseWriter, r *http.Request) {
+		conn, err := dockerDialerCallback(r.Context())
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		defer conn.Close()
+
+		// Create a done channel to handle cancellation
+		done := make(chan struct{})
+		defer close(done)
+
+		closed := false
+
+		// Start a goroutine to monitor context cancellation
+		go func() {
+			select {
+			case <-r.Context().Done():
+				closed = true
+				conn.Close() // Force close the connection when client disconnects
+			case <-done:
+			}
+		}()
+
+		if err := r.Write(conn); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		resp, err := http.ReadResponse(bufio.NewReader(conn), r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		defer resp.Body.Close()
+
+		// Set any response headers before writing the status code
+		for k, v := range resp.Header {
+			w.Header()[k] = v
+		}
+		w.WriteHeader(resp.StatusCode)
+
+		// For event streams, we need to flush the writer to ensure
+		// events are sent immediately
+		if f, ok := w.(http.Flusher); ok && strings.HasSuffix(r.URL.Path, "/events") {
+			// Copy the body in chunks and flush after each write
+			buf := make([]byte, 2048)
+			for {
+				n, err := resp.Body.Read(buf)
+				if n > 0 {
+					_, werr := w.Write(buf[:n])
+					if werr != nil {
+						logging.Error().Err(werr).Msg("error writing docker event response")
+						break
+					}
+					f.Flush()
+				}
+				if err != nil {
+					if !closed && !errors.Is(err, io.EOF) {
+						logging.Error().Err(err).Msg("error reading docker event response")
+					}
+					return
+				}
+			}
+		} else {
+			// For non-event streams, just copy the body
+			godoxyIO.NewPipe(r.Context(), resp.Body, NopWriteCloser{w}).Start()
+		}
+	}
+}

agent/pkg/handler/handler.go

@@ -0,0 +1,50 @@
+package handler
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func (mux ServeMux) HandleMethods(methods, endpoint string, handler http.HandlerFunc) {
+	for _, m := range strutils.CommaSeperatedList(methods) {
+		mux.ServeMux.HandleFunc(m+" "+agent.APIEndpointBase+endpoint, handler)
+	}
+}
+
+func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
+}
+
+type NopWriteCloser struct {
+	io.Writer
+}
+
+func (NopWriteCloser) Close() error {
+	return nil
+}
+
+func NewHandler(caCertPEM []byte) http.Handler {
+	mux := ServeMux{http.NewServeMux()}
+
+	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
+	mux.HandleMethods("GET", agent.EndpointVersion, v1.GetVersion)
+	mux.HandleMethods("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.AgentName)
+	})
+	mux.HandleMethods("GET", agent.EndpointCACert, func(w http.ResponseWriter, r *http.Request) {
+		w.Write(caCertPEM)
+	})
+	mux.HandleMethods("GET", agent.EndpointHealth, CheckHealth)
+	mux.HandleMethods("GET", agent.EndpointLogs, memlogger.LogsWS(nil))
+	mux.ServeMux.HandleFunc("/", DockerSocketHandler())
+	return mux
+}

agent/pkg/handler/proxy_http.go

@@ -0,0 +1,59 @@
+package handler
+
+import (
+	"crypto/tls"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	agentproxy "github.com/yusing/go-proxy/agent/pkg/agentproxy"
+	"github.com/yusing/go-proxy/internal/logging"
+	gphttp "github.com/yusing/go-proxy/internal/net/http"
+	"github.com/yusing/go-proxy/internal/net/http/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
+	host := r.Header.Get(agentproxy.HeaderXProxyHost)
+	isHTTPs := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
+	skipTLSVerify := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
+	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
+	if err != nil {
+		responseHeaderTimeout = 0
+	}
+
+	logging.Debug().Msgf("proxy http request: host=%s, isHTTPs=%t, skipTLSVerify=%t, responseHeaderTimeout=%d", host, isHTTPs, skipTLSVerify, responseHeaderTimeout)
+
+	if host == "" {
+		http.Error(w, "missing required headers", http.StatusBadRequest)
+		return
+	}
+
+	scheme := "http"
+	if isHTTPs {
+		scheme = "https"
+	}
+
+	var transport *http.Transport
+	if skipTLSVerify {
+		transport = gphttp.NewTransportWithTLSConfig(&tls.Config{InsecureSkipVerify: true})
+	} else {
+		transport = gphttp.NewTransport()
+	}
+
+	if responseHeaderTimeout > 0 {
+		transport = transport.Clone()
+		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+	}
+
+	r.URL.Scheme = scheme
+	r.URL.Host = host
+	r.URL.Path = r.URL.Path[agent.HTTPProxyURLStripLen:] // strip the {API_BASE}/proxy/http prefix
+
+	logging.Debug().Msgf("proxy http request: %s %s", r.Method, r.URL.String())
+
+	rp := reverseproxy.NewReverseProxy("agent", types.NewURL(r.URL), transport)
+	rp.ServeHTTP(w, r)
+}

agent/pkg/server/server.go

@@ -0,0 +1,51 @@
+package server
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+
+	"github.com/yusing/go-proxy/agent/pkg/handler"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+type Options struct {
+	CACert, ServerCert *tls.Certificate
+	Port               int
+}
+
+func StartAgentServer(parent task.Parent, opt Options) {
+	caCertPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: opt.CACert.Certificate[0]})
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCertPEM)
+
+	// Configure TLS
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{*opt.ServerCert},
+		ClientCAs:    caCertPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	if common.IsDebug {
+		tlsConfig.ClientAuth = tls.NoClientCert
+	}
+	l, err := net.Listen("tcp", fmt.Sprintf(":%d", opt.Port))
+	if err != nil {
+		logging.Fatal().Err(err).Int("port", opt.Port).Msg("failed to listen on port")
+		return
+	}
+	defer l.Close()
+
+	server := &http.Server{
+		Handler:   handler.NewHandler(caCertPEM),
+		TLSConfig: tlsConfig,
+		ErrorLog:  log.New(logging.GetLogger(), "", 0),
+	}
+	server.Serve(tls.NewListener(l, tlsConfig))
+}