fix negative waitgroup, fix cert expiry date, better auto renewal strategy

readme update
readme and dockerfile fix for v0.3 update
2026-01-14 07:33:36 +01:00 · 2024-03-23 20:06:34 +00:00 · 2024-03-23 03:46:18 +00:00 · 2024-03-23 03:29:35 +00:00 · 2024-03-23 03:16:27 +00:00 · 2024-03-23 03:05:41 +00:00
25 changed files with 901 additions and 287 deletions
--- a/2
+++ b/2
@@ -6,7 +6,7 @@ RUN apk add --no-cache bash tzdata
 RUN mkdir /app
 COPY bin/go-proxy entrypoint.sh /app/
 COPY templates/ /app/templates
-COPY config.default.yml /app/config.yml
+COPY config.example.yml /app/config.yml

 RUN chmod +x /app/go-proxy /app/entrypoint.sh
 ENV DOCKER_HOST unix:///var/run/docker.sock
--- a/README.md
+++ b/README.md
@@ -11,6 +11,12 @@ In the examples domain `x.y.z` is used, replace them with your domain
  - [Binary](#binary)
  - [Docker](#docker)
 - [Configuration](#configuration)
+  - [Labels](#labels)
+  - [Environment Variables](#environment-variables)
+  - [Config File](#config-file)
+  - [Provider File](#provider-file)
+  - [Supported Cert Providers](#supported-cert-providers)
+- [Examples](#examples)
  - [Single Port Configuration](#single-port-configuration-example)
  - [Multiple Ports Configuration](#multiple-ports-configuration-example)
  - [TCP/UDP Configuration](#tcpudp-configuration-example)
@@ -19,7 +25,6 @@ In the examples domain `x.y.z` is used, replace them with your domain
 - [Benchmarks](#benchmarks)
 - [Memory usage](#memory-usage)
 - [Build it yourself](#build-it-yourself)
- [Getting SSL certs](#getting-ssl-certs)

 ## Key Points

@@ -27,6 +32,7 @@ In the examples domain `x.y.z` is used, replace them with your domain
 - auto detect reverse proxies from docker
 - additional reverse proxies from provider yaml file
 - allow multiple docker / file providers by custom `config.yml` file
+- auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported Cert Providers](#supported-cert-providers))
 - subdomain matching **(domain name doesn't matter)**
 - path matching
 - HTTP proxy
@@ -35,6 +41,8 @@ In the examples domain `x.y.z` is used, replace them with your domain
 - Auto hot-reload on container start / die / stop or config changes.
 - Simple panel to see all reverse proxies and health (visit port [panel port] of go-proxy `https://*.y.z:[panel port]`)

+  - you can customize it by modifying [templates/panel.html](templates/panel.html)
+
  ![panel screenshot](screenshots/panel.png)

 ## How to use
@@ -49,11 +57,16 @@ In the examples domain `x.y.z` is used, replace them with your domain

 ### Binary

-1. (Optional) Prepare your certificates in `certs/` to enable https. See [Getting SSL Certs](#getting-ssl-certs)
+1. (Optional) enabled HTTPS

+   - Use autocert feature by completing `autocert` in `config.yml`

-    - cert / chain / fullchain: ./certs/cert.crt
-    - private key: ./certs/priv.key
+   - Use existing certificate
+
+     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
+
+     - cert / chain / fullchain: `./certs/cert.crt`
+     - private key: `./certs/priv.key`

 2. run the binary `bin/go-proxy`

@@ -65,25 +78,38 @@ In the examples domain `x.y.z` is used, replace them with your domain

 2. Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable

-3. (Optional) Mount your SSL certs to enable https. See [Getting SSL Certs](#getting-ssl-certs)
+3. (Optional) enable HTTPS

+   - Use autocert feature

-    - cert / chain / fullchain -> /app/certs/cert.crt
-    - private key -> /app/certs/priv.key
+     1. mount `./certs` to `/app/certs`
+     ```yaml
+     go-proxy:
+      ...
+      volumes:
+        - ./certs:/app/certs
+     ```
+     2. complete `autocert` in `config.yml`
+
+   - Use existing certificate
+
+     Mount your wildcard (`*.y.z`) SSL cert to enable https. See [Getting SSL Certs](#getting-ssl-certs)
+
+     - cert / chain / fullchain -> `/app/certs/cert.crt`
+     - private key -> `/app/certs/priv.key`

 4. Start `go-proxy` with `docker compose up -d` or `make up`.

 5. (Optional) If you are using ufw with vpn that drop all inbound traffic except vpn, run below to allow docker containers to connect to `go-proxy`

+   In case the network of your container is in subnet `172.16.0.0/16` (bridge),
+   and vpn network is under `100.64.0.0/10` (i.e. tailscale)

-    In case the network of your container is in subnet `172.16.0.0/16` (bridge),
-    and vpn network is under `100.64.0.0/10` (i.e. tailscale)
+   `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`

-    `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+   You can also list CIDRs of all docker bridge networks by:

-    You can also list CIDRs of all docker bridge networks by:
-
-    `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+   `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`

 6. start your docker app, and visit <container_name>.y.z

@@ -95,9 +121,9 @@ None

 ## Configuration

-With container name, no label needs to be added.
+With container name, most of the time no label needs to be added.

-However, there are some labels you can manipulate with:
+### Labels

 - `proxy.aliases`: comma separated aliases for subdomain matching
  - defaults to `container_name`
@@ -110,8 +136,8 @@ However, there are some labels you can manipulate with:
  - http/https: defaults to first expose port (declared in `Dockerfile` or `docker-compose.yml`)
  - tcp/udp: is in format of `[<listeningPort>:]<targetPort>`
    - when `listeningPort` is omitted (not suggested), a free port will be used automatically.
-    - `targetPort` must be a number, or the predefined names (see [stream.go](src/go-proxy/stream.go#L28))
- `no_tls_verify`: whether skip tls verify when scheme is https
+    - `targetPort` must be a number, or the predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
+- `proxy.<alias>.no_tls_verify`: whether skip tls verify when scheme is https
  - defaults to false
 - `proxy.<alias>.path`: path matching (for http proxy only)
  - defaults to empty
@@ -131,6 +157,34 @@ However, there are some labels you can manipulate with:
 - `proxy.<alias>.load_balance`: enable load balance
  - allowed: `1`, `true`

+### Environment variables
+
+- `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
+- `GOPROXY_REDIRECT_HTTP`: set to `0` or `false` to disable http to https redirect (only when certs are located)
+
+### Config File
+
+See [config.example.yml](config.example.yml)
+
+### Provider File
+
+See [providers.example.yml](providers.example.yml)
+
+### Supported cert providers
+
+- Cloudflare
+
+  ```yaml
+  autocert:
+    ...
+    options:
+      auth_token: "YOUR_ZONE_API_TOKEN"
+  ```
+
+  Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
+
+## Examples
+
 ### Single port configuration example

 ```yaml
@@ -220,39 +274,41 @@ Remote benchmark (client running wrk and `go-proxy` server are different devices
 - Direct connection

  ```shell
-  root@yusing-pc:~# wrk -t 10 -c 200 -d 30s --latency http://10.0.100.1/bench
-  Running 30s test @ http://10.0.100.1/bench
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
+  Running 10s test @ http://10.0.100.3:8003/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     4.34ms    1.16ms  22.76ms   85.77%
-      Req/Sec     4.63k   435.14     5.47k    90.07%
+      Latency    94.75ms  199.92ms   1.68s    91.27%
+      Req/Sec     4.24k     1.79k   18.79k    72.13%
    Latency Distribution
-      50%    3.95ms
-      75%    4.71ms
-      90%    5.68ms
-      99%    8.61ms
-    1383812 requests in 30.02s, 166.28MB read
-  Requests/sec:  46100.87
-  Transfer/sec:      5.54MB
+      50%    1.14ms
+      75%  120.23ms
+      90%  245.63ms
+      99%    1.03s
+    423444 requests in 10.10s, 50.88MB read
+    Socket errors: connect 0, read 0, write 0, timeout 29
+  Requests/sec:  41926.32
+  Transfer/sec:      5.04MB
  ```

 - With reverse proxy

  ```shell
-  root@yusing-pc:~# wrk -t 10 -c 200 -d 30s --latency http://bench.6uo.me/bench
-  Running 30s test @ http://bench.6uo.me/bench
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     4.50ms    1.44ms  27.53ms   86.48%
-      Req/Sec     4.48k   375.00     5.12k    84.73%
+      Latency    79.35ms  169.79ms   1.69s    92.55%
+      Req/Sec     4.27k     1.90k   19.61k    75.81%
    Latency Distribution
-      50%    4.09ms
-      75%    5.06ms
-      90%    6.03ms
-      99%    9.41ms
-    1338996 requests in 30.01s, 160.90MB read
-  Requests/sec:  44616.36
-  Transfer/sec:      5.36MB
+      50%    1.12ms
+      75%  105.66ms
+      90%  200.22ms
+      99%  814.59ms
+    409836 requests in 10.10s, 49.25MB read
+    Socket errors: connect 0, read 0, write 0, timeout 18
+  Requests/sec:  40581.61
+  Transfer/sec:      4.88MB
  ```

 Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
@@ -276,27 +332,46 @@ Local benchmark (client running wrk and `go-proxy` server are under same proxmox
  Transfer/sec:     80.94MB
  ```

- With reverse proxy
+- With `go-proxy` reverse proxy
+
  ```
-  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://bench.6uo.me/bench
-  Running 10s test @ http://bench.6uo.me/bench
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     1.78ms    5.49ms 117.53ms   99.00%
-      Req/Sec    16.31k     2.30k   21.01k    86.69%
+      Latency     1.23ms    0.96ms  11.43ms   72.09%
+      Req/Sec    17.48k     1.76k   21.48k    70.20%
    Latency Distribution
-      50%    1.12ms
-      75%    1.88ms
-      90%    2.80ms
-      99%    7.27ms
-    1634774 requests in 10.10s, 196.44MB read
-  Requests/sec: 161858.70
-  Transfer/sec:     19.45MB
+      50%    0.98ms
+      75%    1.76ms
+      90%    2.54ms
+      99%    4.24ms
+    1739079 requests in 10.01s, 208.97MB read
+  Requests/sec: 173779.44
+  Transfer/sec:     20.88MB
+  ```
+
+- With `traefik-v3`
+  ```
+  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
+  Running 10s test @ http://127.0.0.1:8000/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     2.81ms   10.36ms 180.26ms   98.57%
+      Req/Sec    11.35k     1.74k   13.76k    85.54%
+    Latency Distribution
+      50%    1.59ms
+      75%    2.27ms
+      90%    3.17ms
+      99%   37.91ms
+    1125723 requests in 10.01s, 109.50MB read
+  Requests/sec: 112499.59
+  Transfer/sec:     10.94MB
  ```

 ## Memory usage

-It takes ~ 0.1-0.4MB for each HTTP Proxy, and <2MB for each TCP/UDP Proxy
+It takes ~13 MB for 50 proxy entries

 ## Build it yourself

@@ -306,10 +381,6 @@ It takes ~ 0.1-0.4MB for each HTTP Proxy, and <2MB for each TCP/UDP Proxy

 3. build binary with `make build`

-4. start your container with `docker compose up -d`
-
-## Getting SSL certs
-
-I personally use `nginx-proxy-manager` to get SSL certs with auto renewal by Cloudflare DNS challenge. You may symlink the certs from `nginx-proxy-manager` to somewhere else, and mount them to `go-proxy`'s `/certs`
+4. start your container with `make up` (docker) or `bin/go-proxy` (binary)

 [panel port]: 8443
--- a/bin/go-proxy
+++ b/bin/go-proxy
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -19,15 +19,14 @@ services:
      # - 20000:20100/tcp
      # - 20000:20100/udp
    volumes:
-      # if you want https
+      # use existing certificate
      # - /path/to/cert.pem:/app/certs/cert.crt:ro
      # - /path/to/privkey.pem:/app/certs/priv.key:ro

-      # path to logs
-      - ./log:/app/log
+      # use autocert feature
+      # - ./certs:/app/certs

-      # if you use default config, or declared local docker provider
-      # otherwise comment this line
+      # if local docker provider is used (by default)
      - /var/run/docker.sock:/var/run/docker.sock:ro

      # to use custom config
--- a/config.default.yml
+++ b/config.default.yml
@@ -1,17 +0,0 @@
-providers:
-  local:
-    kind: docker
-    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    value: FROM_ENV
-  remote1:
-    kind: docker
-    value: ssh://user@10.0.1.1
-  remote2:
-    kind: docker
-    value: tcp://10.0.1.1:2375
-  # provider1:
-  #   kind: file
-  #   value: provider1.yml
-  # provider2:
-  #   kind: file
-  #   value: provider2.yml
--- a/config.example.yml
+++ b/config.example.yml
@@ -0,0 +1,25 @@
+# uncomment to use autocert
+# autocert:
+#   email: "user@y.z" # email for acme certificate
+#   domains:
+#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
+#   provider: cloudflare
+#   options:
+#     auth_token: "YOUR_ZONE_API_TOKEN"
+providers:
+  local:
+    kind: docker
+    # for value format, see https://docs.docker.com/reference/cli/dockerd/
+    value: FROM_ENV
+  # remote1:
+  #   kind: docker
+  #   value: ssh://user@10.0.1.1
+  # remote2:
+  #   kind: docker
+  #   value: tcp://10.0.1.1:2375
+  # provider1:
+  #   kind: file
+  #   value: provider1.yml
+  # provider2:
+  #   kind: file
+  #   value: provider2.yml
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -3,7 +3,7 @@ if [ "$1" == "restart" ]; then
    echo "restarting"
    killall go-proxy
 fi
-if [ "$DEBUG" == "1" ]; then
+if [ "$GOPROXY_DEBUG" == "1" ]; then
    /app/go-proxy 2> log/go-proxy.log &
    tail -f /dev/null
 else
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,10 @@ module github.com/yusing/go-proxy
 go 1.21.7

 require (
-	github.com/docker/cli v25.0.4+incompatible
-	github.com/docker/docker v25.0.4+incompatible
+	github.com/docker/cli v26.0.0+incompatible
+	github.com/docker/docker v26.0.0+incompatible
 	github.com/fsnotify/fsnotify v1.7.0
+	github.com/go-acme/lego/v4 v4.16.1
 	github.com/sirupsen/logrus v1.9.3
 	golang.org/x/net v0.22.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -13,14 +14,23 @@ require (

 require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cloudflare/cloudflare-go v0.91.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -32,6 +42,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/mod v0.16.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,15 @@
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cloudflare/cloudflare-go v0.86.0 h1:jEKN5VHNYNYtfDL2lUFLTRo+nOVNPFxpXTstVx0rqHI=
+github.com/cloudflare/cloudflare-go v0.86.0/go.mod h1:wYW/5UP02TUfBToa/yKbQHV+r6h1NnJ1Je7XjuGM4Jw=
+github.com/cloudflare/cloudflare-go v0.91.0 h1:L7IR+86qrZuEMSjGFg4cwRwtHqC8uCPmMUkP7BD4CPw=
+github.com/cloudflare/cloudflare-go v0.91.0/go.mod h1:nUqvBUUDRxNzsDSQjbqUNWHEIYAoUlgRmcAzMKlFdKs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -11,33 +17,64 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v25.0.4+incompatible h1:DatRkJ+nrFoYL2HZUzjM5Z5sAmcA5XGp+AW0oEw2+cA=
-github.com/docker/cli v25.0.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v25.0.4+incompatible h1:XITZTrq+52tZyZxUOtFIahUf3aH367FLxJzt9vZeAF8=
-github.com/docker/docker v25.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUyzJVPxD30I=
+github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-acme/lego/v4 v4.16.1 h1:JxZ93s4KG0jL27rZ30UsIgxap6VGzKuREsSkkyzeoCQ=
+github.com/go-acme/lego/v4 v4.16.1/go.mod h1:AVvwdPned/IWpD/ihHhMsKnveF7HHYAz/CmtXi7OZoE=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
+github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
+github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -46,16 +83,23 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
+github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
@@ -77,8 +121,12 @@ go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7e
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
 golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -92,8 +140,10 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
@@ -108,12 +158,15 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
 golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
 google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM=
 google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1:6G8oQ016D88m1xAKljMlBOOGWDZkes4kMhgGFlf8WcQ=
@@ -122,8 +175,9 @@ google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
 google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
 google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/src/go-proxy/autocert.go
+++ b/src/go-proxy/autocert.go
@@ -0,0 +1,297 @@
+package main
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+	"path"
+	"sync"
+	"time"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+type ProviderOptions = map[string]string
+type ProviderGenerator = func(ProviderOptions) (challenge.Provider, error)
+type CertExpiries = map[string]time.Time
+
+type AutoCertConfig struct {
+	Email    string
+	Domains  []string `yaml:",flow"`
+	Provider string
+	Options  ProviderOptions `yaml:",flow"`
+}
+
+type AutoCertUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *AutoCertUser) GetEmail() string {
+	return u.Email
+}
+func (u *AutoCertUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *AutoCertUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+type AutoCertProvider interface {
+	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
+	GetName() string
+	GetExpiries() CertExpiries
+	LoadCert() bool
+	ObtainCert() error
+	RenewalOn() time.Time
+	ScheduleRenewal()
+}
+
+func (cfg AutoCertConfig) GetProvider() (AutoCertProvider, error) {
+	if len(cfg.Domains) == 0 {
+		return nil, fmt.Errorf("no domains specified")
+	}
+	if cfg.Provider == "" {
+		return nil, fmt.Errorf("no provider specified")
+	}
+	if cfg.Email == "" {
+		return nil, fmt.Errorf("no email specified")
+	}
+
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate private key: %v", err)
+	}
+	user := &AutoCertUser{
+		Email: cfg.Email,
+		key:   privKey,
+	}
+	legoCfg := lego.NewConfig(user)
+	legoCfg.Certificate.KeyType = certcrypto.RSA2048
+	legoClient, err := lego.NewClient(legoCfg)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create lego client: %v", err)
+	}
+	base := &autoCertProvider{
+		name:    cfg.Provider,
+		cfg:     cfg,
+		user:    user,
+		legoCfg: legoCfg,
+		client:  legoClient,
+	}
+	gen, ok := providersGenMap[cfg.Provider]
+	if !ok {
+		return nil, fmt.Errorf("unknown provider: %s", cfg.Provider)
+	}
+	legoProvider, err := gen(cfg.Options)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create provider: %v", err)
+	}
+	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
+	if err != nil {
+		return nil, fmt.Errorf("unable to set challenge provider: %v", err)
+	}
+	return base, nil
+}
+
+type autoCertProvider struct {
+	name    string
+	cfg     AutoCertConfig
+	user    *AutoCertUser
+	legoCfg *lego.Config
+	client  *lego.Client
+
+	tlsCert      *tls.Certificate
+	certExpiries CertExpiries
+	mutex        sync.Mutex
+}
+
+func (p *autoCertProvider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if p.tlsCert == nil {
+		aclog.Fatal("no certificate available")
+	}
+	return p.tlsCert, nil
+}
+
+func (p *autoCertProvider) GetName() string {
+	return p.name
+}
+
+func (p *autoCertProvider) GetExpiries() CertExpiries {
+	return p.certExpiries
+}
+
+func (p *autoCertProvider) ObtainCert() error {
+	client := p.client
+	if p.user.Registration == nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return err
+		}
+		p.user.Registration = reg
+	}
+	req := certificate.ObtainRequest{
+		Domains: p.cfg.Domains,
+		Bundle:  true,
+	}
+	cert, err := client.Certificate.Obtain(req)
+	if err != nil {
+		return err
+	}
+	err = p.saveCert(cert)
+	if err != nil {
+		return err
+	}
+	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
+	if err != nil {
+		return err
+	}
+	expiries, err := getCertExpiries(&tlsCert)
+	if err != nil {
+		return err
+	}
+	p.tlsCert = &tlsCert
+	p.certExpiries = expiries
+	return nil
+}
+
+func (p *autoCertProvider) LoadCert() bool {
+	cert, err := tls.LoadX509KeyPair(certFileDefault, keyFileDefault)
+	if err != nil {
+		return false
+	}
+	expiries, err := getCertExpiries(&cert)
+	if err != nil {
+		return false
+	}
+	p.tlsCert = &cert
+	p.certExpiries = expiries
+	p.renewIfNeeded()
+	return true
+}
+
+func (p *autoCertProvider) RenewalOn() time.Time {
+	t := time.Now().AddDate(0, 0, 3)
+	for _, expiry := range p.certExpiries {
+		if expiry.Before(t) {
+			return time.Now()
+		}
+		return t
+	}
+	// this line should never be reached
+	panic("no certificate available")
+}
+
+func (p *autoCertProvider) ScheduleRenewal() {
+	for {
+		t := time.Until(p.RenewalOn())
+		aclog.Infof("next renewal in %v", t)
+		time.Sleep(t)
+		err := p.renewIfNeeded()
+		if err != nil {
+			aclog.Fatal(err)
+		}
+	}
+}
+
+func (p *autoCertProvider) saveCert(cert *certificate.Resource) error {
+	err := os.MkdirAll(path.Dir(certFileDefault), 0644)
+	if err != nil {
+		return fmt.Errorf("unable to create cert directory: %v", err)
+	}
+	err = os.WriteFile(keyFileDefault, cert.PrivateKey, 0600) // -rw-------
+	if err != nil {
+		return fmt.Errorf("unable to write key file: %v", err)
+	}
+	err = os.WriteFile(certFileDefault, cert.Certificate, 0644) // -rw-r--r--
+	if err != nil {
+		return fmt.Errorf("unable to write cert file: %v", err)
+	}
+	return nil
+}
+
+func (p *autoCertProvider) needRenewal() bool {
+	return time.Now().After(p.RenewalOn())
+}
+
+func (p *autoCertProvider) renewIfNeeded() error {
+	if !p.needRenewal() {
+		return nil
+	}
+
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	
+	if !p.needRenewal() {
+		return nil
+	}
+	
+	trials := 0
+	for {
+		err := p.ObtainCert()
+		if err == nil {
+			return nil
+		}
+		trials++
+		if trials > 3 {
+			return fmt.Errorf("unable to renew certificate: %v after 3 trials", err)
+		}
+		aclog.Errorf("failed to renew certificate: %v, trying again in 5 seconds", err)
+		time.Sleep(5 * time.Second)
+	}
+}
+
+func providerGenerator[CT interface{}, PT challenge.Provider](defaultCfg func() *CT, newProvider func(*CT) (PT, error)) ProviderGenerator {
+	return func(opt ProviderOptions) (challenge.Provider, error) {
+		cfg := defaultCfg()
+		err := setOptions(cfg, opt)
+		if err != nil {
+			return nil, err
+		}
+		p, err := newProvider(cfg)
+		if err != nil {
+			return nil, err
+		}
+		return p, nil
+	}
+}
+
+func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
+	r := make(CertExpiries, len(cert.Certificate))
+	for _, cert := range cert.Certificate {
+		x509Cert, err := x509.ParseCertificate(cert)
+		if err != nil {
+			return nil, err
+		}
+		if x509Cert.IsCA {
+			continue
+		}
+		r[x509Cert.Subject.CommonName] = x509Cert.NotAfter
+	}
+	return r, nil
+}
+
+func setOptions[T interface{}](cfg *T, opt ProviderOptions) error {
+	for k, v := range opt {
+		err := SetFieldFromSnake(cfg, k, v)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+var providersGenMap = map[string]ProviderGenerator{
+	"cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+}
--- a/src/go-proxy/config.go
+++ b/src/go-proxy/config.go
@@ -12,6 +12,7 @@ import (
 type Config interface {
 	// Load() error
 	MustLoad()
+	GetAutoCertProvider() (AutoCertProvider, error)
 	// MustReload()
 	// Reload() error
 	StartProviders()
@@ -35,24 +36,24 @@ func (cfg *config) Load() error {
 	defer cfg.mutex.Unlock()

 	// unload if any
-	if cfg.Providers != nil {
-		for _, p := range cfg.Providers {
-			p.StopAllRoutes()
-		}
-	}
-	cfg.Providers = make(map[string]*Provider)
+	cfg.StopProviders()

 	data, err := os.ReadFile(configPath)
 	if err != nil {
 		return fmt.Errorf("unable to read config file: %v", err)
 	}

+	cfg.Providers = make(map[string]*Provider)
 	if err = yaml.Unmarshal(data, &cfg); err != nil {
 		return fmt.Errorf("unable to parse config file: %v", err)
 	}

 	for name, p := range cfg.Providers {
-		p.name = name
+		err := p.Init(name)
+		if err != nil {
+			cfgl.Errorf("failed to initialize provider %q %v", name, err)
+			cfg.Providers[name] = nil
+		}
 	}

 	return nil
@@ -64,6 +65,10 @@ func (cfg *config) MustLoad() {
 	}
 }

+func (cfg *config) GetAutoCertProvider() (AutoCertProvider, error) {
+	return cfg.AutoCert.GetProvider()
+}
+
 func (cfg *config) Reload() error {
 	return cfg.Load()
 }
@@ -73,13 +78,18 @@ func (cfg *config) MustReload() {
 }

 func (cfg *config) StartProviders() {
+	if cfg.Providers == nil {
+		cfgl.Fatal("providers not loaded")
+	}
 	// Providers have their own mutex, no lock needed
 	ParallelForEachValue(cfg.Providers, (*Provider).StartAllRoutes)
 }

 func (cfg *config) StopProviders() {
-	// Providers have their own mutex, no lock needed
-	ParallelForEachValue(cfg.Providers, (*Provider).StopAllRoutes)
+	if cfg.Providers != nil {
+		// Providers have their own mutex, no lock needed
+		ParallelForEachValue(cfg.Providers, (*Provider).StopAllRoutes)
+	}
 }

 func (cfg *config) WatchChanges() {
@@ -92,6 +102,7 @@ func (cfg *config) StopWatching() {

 type config struct {
 	Providers map[string]*Provider `yaml:",flow"`
+	AutoCert  AutoCertConfig       `yaml:",flow"`
 	watcher   Watcher
 	mutex     sync.Mutex
 }
--- a/src/go-proxy/constants.go
+++ b/src/go-proxy/constants.go
@@ -63,11 +63,6 @@ const (
 	ProviderKind_File   = "file"
 )

-const (
-	certPath = "certs/cert.crt"
-	keyPath  = "certs/priv.key"
-)
-
 // TODO: default + per proxy
 var (
 	transport = &http.Transport{
@@ -92,8 +87,10 @@ const wildcardLabelPrefix = "proxy.*."
 const clientUrlFromEnv = "FROM_ENV"

 const (
-	configPath   = "config.yml"
-	templatePath = "templates/panel.html"
+	certFileDefault = "certs/cert.crt"
+	keyFileDefault  = "certs/priv.key"
+	configPath      = "config.yml"
+	templatePath    = "templates/panel.html"
 )

 const StreamStopListenTimeout = 1 * time.Second
--- a/src/go-proxy/docker_provider.go
+++ b/src/go-proxy/docker_provider.go
@@ -3,8 +3,8 @@ package main
 import (
 	"fmt"
 	"net/http"
-	"reflect"
 	"strings"
+	"time"

 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/docker/api/types"
@@ -16,12 +16,7 @@ import (
 func (p *Provider) setConfigField(c *ProxyConfig, label string, value string, prefix string) error {
 	if strings.HasPrefix(label, prefix) {
 		field := strings.TrimPrefix(label, prefix)
-		field = utils.snakeToCamel(field)
-		prop := reflect.ValueOf(c).Elem().FieldByName(field)
-		if prop.Kind() == 0 {
-			return fmt.Errorf("ignoring unknown field %s", field)
-		}
-		prop.Set(reflect.ValueOf(value))
+		SetFieldFromSnake(c, field, value)
 	}
 	return nil
 }
@@ -61,7 +56,7 @@ func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP
 		}
 		if config.Port == "0" {
 			// no ports exposed or specified
-			l.Info("no ports exposed, ignored")
+			l.Debugf("no ports exposed, ignored")
 			continue
 		}
 		if config.Scheme == "" {
@@ -116,26 +111,17 @@ func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP
 	return cfgs
 }

-func (p *Provider) getDockerProxyConfigs() ([]*ProxyConfig, error) {
-	var clientIP string
-	var opts []client.Opt
-	var err error
-
+func (p *Provider) getDockerClient() (*client.Client, error) {
+	var dockerOpts []client.Opt
 	if p.Value == clientUrlFromEnv {
-		clientIP = ""
-		opts = []client.Opt{
+		dockerOpts = []client.Opt{
 			client.WithHostFromEnv(),
 			client.WithAPIVersionNegotiation(),
 		}
 	} else {
-		url, err := client.ParseHostURL(p.Value)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse docker host url: %v", err)
-		}
-		clientIP = strings.Split(url.Host, ":")[0]
 		helper, err := connhelper.GetConnectionHelper(p.Value)
 		if err != nil {
-			return nil, fmt.Errorf("unexpected error: %v", err)
+			p.l.Fatal("unexpected error: ", err)
 		}
 		if helper != nil {
 			httpClient := &http.Client{
@@ -143,26 +129,44 @@ func (p *Provider) getDockerProxyConfigs() ([]*ProxyConfig, error) {
 					DialContext: helper.Dialer,
 				},
 			}
-			opts = []client.Opt{
+			dockerOpts = []client.Opt{
 				client.WithHTTPClient(httpClient),
 				client.WithHost(helper.Host),
 				client.WithAPIVersionNegotiation(),
 				client.WithDialContext(helper.Dialer),
 			}
 		} else {
-			opts = []client.Opt{
+			dockerOpts = []client.Opt{
 				client.WithHost(p.Value),
 				client.WithAPIVersionNegotiation(),
 			}
 		}
 	}
+	return client.NewClientWithOpts(dockerOpts...)
+}
+
+func (p *Provider) getDockerProxyConfigs() ([]*ProxyConfig, error) {
+	var clientIP string
+
+	if p.Value == clientUrlFromEnv {
+		clientIP = ""
+	} else {
+		url, err := client.ParseHostURL(p.Value)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse docker host url: %v", err)
+		}
+		clientIP = strings.Split(url.Host, ":")[0]
+	}
+
+	dockerClient, err := p.getDockerClient()

-	p.dockerClient, err = client.NewClientWithOpts(opts...)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create docker client: %v", err)
 	}

-	containerSlice, err := p.dockerClient.ContainerList(context.Background(), container.ListOptions{All: true})
+	ctx, _ := context.WithTimeout(context.Background(), 3*time.Second)
+	containerSlice, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
+
 	if err != nil {
 		return nil, fmt.Errorf("unable to list containers: %v", err)
 	}
--- a/src/go-proxy/http_route.go
+++ b/src/go-proxy/http_route.go
@@ -103,12 +103,12 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 	if logLevel == logrus.DebugLevel {
 		route.Proxy.Rewrite = func(pr *ProxyRequest) {
 			rewrite(pr)
-			route.l.Debug("Request URL: ", pr.In.Host, pr.In.URL.Path)
-			route.l.Debug("Request headers: ", pr.In.Header)
+			route.l.Debug("request URL: ", pr.In.Host, pr.In.URL.Path)
+			route.l.Debug("request headers: ", pr.In.Header)
 		}
 		route.Proxy.ModifyResponse = func(r *http.Response) error {
-			route.l.Debug("Response URL: ", r.Request.URL.String())
-			route.l.Debug("Response headers: ", r.Header)
+			route.l.Debug("response URL: ", r.Request.URL.String())
+			route.l.Debug("response headers: ", r.Header)
 			if modifyResponse != nil {
 				return modifyResponse(r)
 			}
@@ -121,15 +121,11 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 	return route, nil
 }

-func (r *HTTPRoute) RemoveFromRoutes() {
+func (r *HTTPRoute) Start() {}
+func (r *HTTPRoute) Stop() {
 	httpRoutes.Delete(r.Alias)
 }

-// dummy implementation for Route interface
-func (r *HTTPRoute) SetupListen()   {}
-func (r *HTTPRoute) Listen()        {}
-func (r *HTTPRoute) StopListening() {}
-
 func isValidProxyPathMode(mode string) bool {
 	switch mode {
 	case ProxyPathMode_Forward, ProxyPathMode_Sub, ProxyPathMode_RemovedPath:
@@ -139,7 +135,7 @@ func isValidProxyPathMode(mode string) bool {
 	}
 }

-func redirectToTLS(w http.ResponseWriter, r *http.Request) {
+func redirectToTLSHandler(w http.ResponseWriter, r *http.Request) {
 	// Redirect to the same host but with HTTPS
 	var redirectCode int
 	if r.Method == http.MethodGet {
@@ -159,7 +155,7 @@ func findHTTPRoute(host string, path string) (*HTTPRoute, error) {
 	return nil, fmt.Errorf("no matching route for subdomain %s", subdomain)
 }

-func httpProxyHandler(w http.ResponseWriter, r *http.Request) {
+func proxyHandler(w http.ResponseWriter, r *http.Request) {
 	route, err := findHTTPRoute(r.Host, r.URL.Path)
 	if err != nil {
 		err = fmt.Errorf("request failed %s %s%s, error: %v",
--- a/src/go-proxy/loggers.go
+++ b/src/go-proxy/loggers.go
@@ -8,3 +8,4 @@ var cfgl = logrus.WithField("component", "config")
 var hrlog = logrus.WithField("component", "http_proxy")
 var srlog = logrus.WithField("component", "stream")
 var wlog = logrus.WithField("component", "watcher")
+var aclog = logrus.WithField("component", "autocert")
--- a/src/go-proxy/main.go
+++ b/src/go-proxy/main.go
@@ -7,74 +7,90 @@ import (
 	"runtime"
 	"syscall"

-	log "github.com/sirupsen/logrus"
+	"github.com/sirupsen/logrus"
 )

 func main() {
-	var err error
-
-	// flag.Parse()
 	runtime.GOMAXPROCS(runtime.NumCPU())

-	log.SetFormatter(&log.TextFormatter{
+	logrus.SetFormatter(&logrus.TextFormatter{
 		ForceColors:   true,
 		DisableColors: false,
 		FullTimestamp: true,
 	})
-	InitFSWatcher()
-	InitDockerWatcher()

 	cfg := NewConfig()
 	cfg.MustLoad()
+
+	autoCertProvider, err := cfg.GetAutoCertProvider()
+
+	if err != nil {
+		aclog.Warn(err)
+		autoCertProvider = nil
+	}
+
+	var httpProxyHandler http.Handler
+	var httpPanelHandler http.Handler
+
+	var proxyServer *Server
+	var panelServer *Server
+
+	if redirectHTTP {
+		httpProxyHandler = http.HandlerFunc(redirectToTLSHandler)
+		httpPanelHandler = http.HandlerFunc(redirectToTLSHandler)
+	} else {
+		httpProxyHandler = http.HandlerFunc(proxyHandler)
+		httpPanelHandler = http.HandlerFunc(panelHandler)
+	}
+
+	if autoCertProvider != nil {
+		ok := autoCertProvider.LoadCert()
+		if !ok {
+			err := autoCertProvider.ObtainCert()
+			if err != nil {
+				aclog.Fatal("error obtaining certificate ", err)
+			}
+		}
+		for name, expiry := range autoCertProvider.GetExpiries() {
+			aclog.Infof("certificate %q: expire on %v", name, expiry)
+		}
+		go autoCertProvider.ScheduleRenewal()
+	}
+	proxyServer = NewServer(
+		"proxy",
+		autoCertProvider,
+		":80",
+		httpProxyHandler,
+		":443",
+		http.HandlerFunc(proxyHandler),
+	)
+	panelServer = NewServer(
+		"panel",
+		autoCertProvider,
+		":8080",
+		httpPanelHandler,
+		":8443",
+		http.HandlerFunc(panelHandler),
+	)
+
+	proxyServer.Start()
+	panelServer.Start()
+
+	InitFSWatcher()
+	InitDockerWatcher()
+
 	cfg.StartProviders()
 	cfg.WatchChanges()

-	var certAvailable = utils.fileOK(certPath) && utils.fileOK(keyPath)
-
-	go func() {
-		log.Info("starting http server on port 80")
-		if certAvailable && redirectHTTP {
-			err = http.ListenAndServe(":80", http.HandlerFunc(redirectToTLS))
-		} else {
-			err = http.ListenAndServe(":80", http.HandlerFunc(httpProxyHandler))
-		}
-		if err != nil {
-			log.Fatal("HTTP server error: ", err)
-		}
-	}()
-	go func() {
-		log.Infof("starting http panel on port 8080")
-		err = http.ListenAndServe(":8080", http.HandlerFunc(panelHandler))
-		if err != nil {
-			log.Warning("HTTP panel error: ", err)
-		}
-	}()
-
-	if certAvailable {
-		go func() {
-			log.Info("starting https server on port 443")
-			err = http.ListenAndServeTLS(":443", certPath, keyPath, http.HandlerFunc(httpProxyHandler))
-			if err != nil {
-				log.Fatal("https server error: ", err)
-			}
-		}()
-		go func() {
-			log.Info("starting https panel on port 8443")
-			err := http.ListenAndServeTLS(":8443", certPath, keyPath, http.HandlerFunc(panelHandler))
-			if err != nil {
-				log.Warning("http panel error: ", err)
-			}
-		}()
-	}
-
 	sig := make(chan os.Signal, 1)
 	signal.Notify(sig, syscall.SIGINT)
 	signal.Notify(sig, syscall.SIGTERM)
 	signal.Notify(sig, syscall.SIGHUP)

 	<-sig
-	cfg.StopWatching()
+	// cfg.StopWatching()
+	
 	cfg.StopProviders()
-	close(fsWatcherStop)
-	close(dockerWatcherStop)
+	panelServer.Stop()
+	proxyServer.Stop()
 }
--- a/src/go-proxy/panel.go
+++ b/src/go-proxy/panel.go
@@ -38,7 +38,7 @@ func panelHandler(w http.ResponseWriter, r *http.Request) {

 func panelIndex(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		return
 	}

@@ -67,7 +67,7 @@ func panelIndex(w http.ResponseWriter, r *http.Request) {

 func panelCheckTargetHealth(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodHead {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		return
 	}

--- a/src/go-proxy/provider.go
+++ b/src/go-proxy/provider.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"sync"

-	"github.com/docker/docker/client"
 	"github.com/sirupsen/logrus"
 )

@@ -12,27 +11,57 @@ type Provider struct {
 	Kind  string // docker, file
 	Value string

-	name         string
-	watcher      Watcher
-	routes       map[string]Route // id -> Route
-	dockerClient *client.Client
-	mutex        sync.Mutex
-	l logrus.FieldLogger
+	watcher Watcher
+	routes  map[string]Route // id -> Route
+	mutex   sync.Mutex
+	l       logrus.FieldLogger
 }

-func (p *Provider) Setup() error {
+// Init is called after LoadProxyConfig
+func (p *Provider) Init(name string) error {
+	p.l = prlog.WithFields(logrus.Fields{"kind": p.Kind, "name": name})
+
+	if err := p.loadProxyConfig(); err != nil {
+		return err
+	}
+
+	p.initWatcher()
+	return nil
+}
+
+func (p *Provider) StartAllRoutes() {
+	ParallelForEachValue(p.routes, Route.Start)
+	p.watcher.Start()
+}
+
+func (p *Provider) StopAllRoutes() {
+	p.watcher.Stop()
+	ParallelForEachValue(p.routes, Route.Stop)
+	p.routes = make(map[string]Route)
+}
+
+func (p *Provider) ReloadRoutes() {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+
+	p.StopAllRoutes()
+	err := p.loadProxyConfig()
+	if err != nil {
+		p.l.Error("failed to reload routes: ", err)
+		return
+	}
+	p.StartAllRoutes()
+}
+
+func (p *Provider) loadProxyConfig() error {
 	var cfgs []*ProxyConfig
 	var err error

-	p.l = prlog.WithFields(logrus.Fields{"kind": p.Kind, "name": p.name})
-
 	switch p.Kind {
 	case ProviderKind_Docker:
 		cfgs, err = p.getDockerProxyConfigs()
-		p.watcher = NewDockerWatcher(p.dockerClient, p.ReloadRoutes)
 	case ProviderKind_File:
 		cfgs, err = p.getFileProxyConfigs()
-		p.watcher = NewFileWatcher(p.Value, p.ReloadRoutes, p.StopAllRoutes)
 	default:
 		// this line should never be reached
 		return fmt.Errorf("unknown provider kind")
@@ -43,45 +72,30 @@ func (p *Provider) Setup() error {
 	}
 	p.l.Infof("loaded %d proxy configurations", len(cfgs))

+	p.routes = make(map[string]Route, len(cfgs))
 	for _, cfg := range cfgs {
 		r, err := NewRoute(cfg)
 		if err != nil {
 			p.l.Errorf("error creating route %s: %v", cfg.Alias, err)
 			continue
 		}
-		r.SetupListen()
-		r.Listen()
 		p.routes[cfg.GetID()] = r
 	}
+
 	return nil
 }

-func (p *Provider) StartAllRoutes() {
-	p.routes = make(map[string]Route)
-	err := p.Setup()
-	if err != nil {
-		p.l.Error(err)
-		return
+func (p *Provider) initWatcher() error {
+	switch p.Kind {
+	case ProviderKind_Docker:
+		var err error
+		dockerClient, err := p.getDockerClient()
+		if err != nil {
+			return fmt.Errorf("unable to create docker client: %v", err)
+		}
+		p.watcher = NewDockerWatcher(dockerClient, p.ReloadRoutes)
+	case ProviderKind_File:
+		p.watcher = NewFileWatcher(p.Value, p.ReloadRoutes, p.StopAllRoutes)
 	}
-	p.watcher.Start()
+	return nil
 }
-
-func (p *Provider) StopAllRoutes() {
-	p.watcher.Stop()
-	p.dockerClient = nil
-
-	ParallelForEachValue(p.routes, func(r Route) {
-		r.StopListening()
-		r.RemoveFromRoutes()
-	})
-
-	p.routes = make(map[string]Route)
-}
-
-func (p *Provider) ReloadRoutes() {
-	p.mutex.Lock()
-	defer p.mutex.Unlock()
-
-	p.StopAllRoutes()
-	p.StartAllRoutes()
-}
--- a/src/go-proxy/route.go
+++ b/src/go-proxy/route.go
@@ -5,10 +5,8 @@ import (
 )

 type Route interface {
-	SetupListen()
-	Listen()
-	StopListening()
-	RemoveFromRoutes()
+	Start()
+	Stop()
 }

 func NewRoute(cfg *ProxyConfig) (Route, error) {
--- a/src/go-proxy/server.go
+++ b/src/go-proxy/server.go
@@ -0,0 +1,99 @@
+package main
+
+import (
+	"crypto/tls"
+	"net/http"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/context"
+)
+
+type Server struct {
+	Name         string
+	KeyFile      string
+	CertFile     string
+	CertProvider AutoCertProvider
+	http         *http.Server
+	https        *http.Server
+	httpStarted  bool
+	httpsStarted bool
+}
+
+func NewServer(name string, provider AutoCertProvider, httpAddr string, httpHandler http.Handler, httpsAddr string, httpsHandler http.Handler) *Server {
+	if provider != nil {
+		return &Server{
+			Name:         name,
+			CertProvider: provider,
+			http: &http.Server{
+				Addr:    httpAddr,
+				Handler: httpHandler,
+			},
+			https: &http.Server{
+				Addr:    httpsAddr,
+				Handler: httpsHandler,
+				TLSConfig: &tls.Config{
+					GetCertificate: provider.GetCert,
+				},
+			},
+		}
+	}
+	return &Server{
+		Name:     name,
+		KeyFile:  keyFileDefault,
+		CertFile: certFileDefault,
+		http: &http.Server{
+			Addr:    httpAddr,
+			Handler: httpHandler,
+		},
+		https: &http.Server{
+			Addr:    httpsAddr,
+			Handler: httpsHandler,
+		},
+	}
+}
+
+func (s *Server) Start() {
+	if s.http != nil {
+		s.httpStarted = true
+		logrus.Printf("starting http %s server on %s", s.Name, s.http.Addr)
+		go func() {
+			err := s.http.ListenAndServe()
+			s.handleErr("http", err)
+		}()
+	}
+
+	if s.https != nil && (s.CertProvider != nil || utils.fileOK(s.CertFile) && utils.fileOK(s.KeyFile)) {
+		s.httpsStarted = true
+		logrus.Printf("starting https %s server on %s", s.Name, s.https.Addr)
+		go func() {
+			err := s.https.ListenAndServeTLS(s.CertFile, s.KeyFile)
+			s.handleErr("https", err)
+		}()
+	}
+}
+
+func (s *Server) Stop() {
+	ctx, _ := context.WithTimeout(context.Background(), 3*time.Second)
+
+	if s.httpStarted {
+		errHTTP := s.http.Shutdown(ctx)
+		s.handleErr("http", errHTTP)
+		s.httpStarted = false
+	}
+
+	if s.httpsStarted {
+		errHTTPS := s.https.Shutdown(ctx)
+		s.handleErr("https", errHTTPS)
+		s.httpsStarted = false
+	}
+}
+
+func (s *Server) handleErr(scheme string, err error) {
+	switch err {
+	case nil, http.ErrServerClosed:
+		return
+	default:
+		logrus.Fatalf("failed to start %s %s server: %v", scheme, s.Name, err)
+	}
+}
--- a/src/go-proxy/stream_route.go
+++ b/src/go-proxy/stream_route.go
@@ -47,7 +47,7 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {

 	port_split := strings.Split(config.Port, ":")
 	if len(port_split) != 2 {
-		cfgl.Warnf("Invalid port %s, assuming it is target port", config.Port)
+		cfgl.Warnf("invalid port %s, assuming it is target port", config.Port)
 		srcPort = "0"
 		dstPort = config.Port
 	} else {
@@ -96,7 +96,7 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {

 		id:        config.GetID(),
 		wg:        sync.WaitGroup{},
-		stopChann: make(chan struct{}),
+		stopChann: make(chan struct{}, 1),
 		l: srlog.WithFields(logrus.Fields{
 			"alias": config.Alias,
 			"src":   fmt.Sprintf("%s://:%d", srcScheme, srcPortInt),
@@ -128,7 +128,7 @@ func (route *StreamRouteBase) Logger() logrus.FieldLogger {
 	return route.l
 }

-func (route *StreamRouteBase) SetupListen() {
+func (route *StreamRouteBase) setupListen() {
 	if route.ListeningPort == 0 {
 		freePort, err := utils.findUseFreePort(20000)
 		if err != nil {
@@ -136,13 +136,10 @@ func (route *StreamRouteBase) SetupListen() {
 			return
 		}
 		route.ListeningPort = freePort
-		route.l.Info("Assigned free port ", route.ListeningPort)
+		route.l.Info("listening on free port ", route.ListeningPort)
+		return
 	}
-	route.l.Info("Listening on ", route.ListeningUrl())
-}
-
-func (route *StreamRouteBase) RemoveFromRoutes() {
-	streamRoutes.Delete(route.id)
+	route.l.Info("listening on ", route.ListeningUrl())
 }

 func (route *StreamRouteBase) wait() {
@@ -159,12 +156,14 @@ func (route *StreamRouteBase) unmarkPort() {

 func stopListening(route StreamRoute) {
 	l := route.Logger()
-	l.Debug("Stopping listening")
+	l.Debug("stopping listening")
+
+	// close channel -> wait -> close listeners
+
 	route.closeChannel()
-	route.closeListeners()

 	done := make(chan struct{})
-
+	
 	go func() {
 		route.wait()
 		close(done)
@@ -173,10 +172,10 @@ func stopListening(route StreamRoute) {

 	select {
 	case <-done:
-		l.Info("Stopped listening")
-		return
+		l.Info("stopped listening")
 	case <-time.After(StreamStopListenTimeout):
 		l.Error("timed out waiting for connections")
-		return
 	}
+
+	route.closeListeners()
 }
--- a/src/go-proxy/tcp_route.go
+++ b/src/go-proxy/tcp_route.go
@@ -32,7 +32,8 @@ func NewTCPRoute(config *ProxyConfig) (StreamRoute, error) {
 	}, nil
 }

-func (route *TCPRoute) Listen() {
+func (route *TCPRoute) Start() {
+	route.setupListen()
 	in, err := net.Listen("tcp", fmt.Sprintf(":%v", route.ListeningPort))
 	if err != nil {
 		route.l.Error(err)
@@ -44,8 +45,9 @@ func (route *TCPRoute) Listen() {
 	go route.grHandleConnections()
 }

-func (route *TCPRoute) StopListening() {
+func (route *TCPRoute) Stop() {
 	stopListening(route)
+	streamRoutes.Delete(route.id)
 }

 func (route *TCPRoute) closeListeners() {
--- a/src/go-proxy/udp_route.go
+++ b/src/go-proxy/udp_route.go
@@ -45,7 +45,9 @@ func NewUDPRoute(config *ProxyConfig) (StreamRoute, error) {
 	}, nil
 }

-func (route *UDPRoute) Listen() {
+func (route *UDPRoute) Start() {
+	route.setupListen()
+
 	source, err := net.ListenPacket(route.ListeningScheme, fmt.Sprintf(":%v", route.ListeningPort))
 	if err != nil {
 		route.l.Error(err)
@@ -67,22 +69,24 @@ func (route *UDPRoute) Listen() {
 	go route.grHandleConnections()
 }

-func (route *UDPRoute) StopListening() {
+func (route *UDPRoute) Stop() {
 	stopListening(route)
+	streamRoutes.Delete(route.id)
 }

 func (route *UDPRoute) closeListeners() {
 	if route.listeningConn != nil {
 		route.listeningConn.Close()
+		route.listeningConn = nil
 	}
 	if route.targetConn != nil {
 		route.targetConn.Close()
+		route.targetConn = nil
 	}
-	route.listeningConn = nil
-	route.targetConn = nil
 	for _, conn := range route.connMap {
 		conn.(*net.UDPConn).Close() // TODO: change on non udp target
 	}
+	route.connMap = make(map[net.Addr]net.Conn)
 }

 func (route *UDPRoute) grAcceptConnections() {
@@ -236,4 +240,4 @@ func (route *UDPRoute) forwardReceivedDebug(receivedConn *UDPConn, dest net.Conn
 		dest.RemoteAddr().String(),
 	)
 	return route.forwardReceivedReal(receivedConn, dest)
-}
+}
--- a/src/go-proxy/utils.go
+++ b/src/go-proxy/utils.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"reflect"
 	"regexp"
 	"strings"
 	"sync"
@@ -91,7 +92,7 @@ func (*Utils) healthCheckStream(scheme, host string) error {
 	return nil
 }

-func (*Utils) snakeToCamel(s string) string {
+func (*Utils) snakeToPascal(s string) string {
 	toHyphenCamel := http.CanonicalHeaderKey(strings.ReplaceAll(s, "_", "-"))
 	return strings.ReplaceAll(toHyphenCamel, "-", "")
 }
@@ -192,3 +193,13 @@ func (*Utils) fileOK(path string) bool {
 	_, err := os.Stat(path)
 	return err == nil
 }
+
+func SetFieldFromSnake[T interface{}, VT interface{}](obj *T, field string, value VT) error {
+	field = utils.snakeToPascal(field)
+	prop := reflect.ValueOf(obj).Elem().FieldByName(field)
+	if prop.Kind() == 0 {
+		return fmt.Errorf("unknown field %s", field)
+	}
+	prop.Set(reflect.ValueOf(value))
+	return nil
+}
--- a/src/go-proxy/watcher.go
+++ b/src/go-proxy/watcher.go
@@ -18,6 +18,7 @@ import (
 type Watcher interface {
 	Start()
 	Stop()
+	Dispose()
 }

 type watcherBase struct {
@@ -36,7 +37,7 @@ type fileWatcher struct {
 type dockerWatcher struct {
 	*watcherBase
 	client *client.Client
-	stop   chan struct{}
+	stopCh chan struct{}
 	wg     sync.WaitGroup
 }

@@ -60,7 +61,7 @@ func NewDockerWatcher(c *client.Client, onChange func()) Watcher {
 	return &dockerWatcher{
 		watcherBase: newWatcher("Docker", c.DaemonHost(), onChange),
 		client:      c,
-		stop:        make(chan struct{}, 1),
+		stopCh:      make(chan struct{}, 1),
 	}
 }

@@ -71,11 +72,15 @@ func (w *fileWatcher) Start() {
 	err := fsWatcher.Add(w.path)
 	if err != nil {
 		w.l.Error("failed to start: ", err)
+		return
 	}
 	fileWatchMap.Set(w.path, w)
 }

 func (w *fileWatcher) Stop() {
+	if fsWatcher == nil {
+		return
+	}
 	fileWatchMap.Delete(w.path)
 	err := fsWatcher.Remove(w.path)
 	if err != nil {
@@ -83,20 +88,29 @@ func (w *fileWatcher) Stop() {
 	}
 }

+func (w *fileWatcher) Dispose() {
+	w.Stop()
+}
+
 func (w *dockerWatcher) Start() {
 	dockerWatchMap.Set(w.name, w)
 	w.wg.Add(1)
-	go func() {
-		w.watch()
-		w.wg.Done()
-	}()
+	go w.watch()
 }

 func (w *dockerWatcher) Stop() {
-	close(w.stop)
-	w.stop = nil
-	dockerWatchMap.Delete(w.name)
+	if w.stopCh == nil {
+		return
+	}
+	close(w.stopCh)
 	w.wg.Wait()
+	w.stopCh = nil
+	dockerWatchMap.Delete(w.name)
+}
+
+func (w *dockerWatcher) Dispose() {
+	w.Stop()
+	w.client.Close()
 }

 func InitFSWatcher() {
@@ -106,6 +120,7 @@ func InitFSWatcher() {
 		return
 	}
 	fsWatcher = w
+	fsWatcherWg.Add(1)
 	go watchFiles()
 }

@@ -113,26 +128,27 @@ func InitDockerWatcher() {
 	// stop all docker client on watcher stop
 	go func() {
 		<-dockerWatcherStop
-		stopAllDockerClients()
+		ParallelForEachValue(
+			dockerWatchMap.Iterator(),
+			(*dockerWatcher).Dispose,
+		)
+		dockerWatcherWg.Done()
 	}()
 }

-func stopAllDockerClients() {
-	ParallelForEachValue(
-		dockerWatchMap.Iterator(),
-		func(w *dockerWatcher) {
-			w.Stop()
-			err := w.client.Close()
-			if err != nil {
-				w.l.WithField("action", "stop").Error(err)
-			}
-			w.client = nil
-		},
-	)
+func StopFSWatcher() {
+	close(fsWatcherStop)
+	fsWatcherWg.Wait()
+}
+
+func StopDockerWatcher() {
+	close(dockerWatcherStop)
+	dockerWatcherWg.Wait()
 }

 func watchFiles() {
 	defer fsWatcher.Close()
+	defer fsWatcherWg.Done()
 	for {
 		select {
 		case <-fsWatcherStop:
@@ -148,11 +164,11 @@ func watchFiles() {
 			}
 			switch {
 			case event.Has(fsnotify.Write):
-				w.l.Info("File change detected")
-				w.onChange()
+				w.l.Info("file changed")
+				go w.onChange()
 			case event.Has(fsnotify.Remove), event.Has(fsnotify.Rename):
-				w.l.Info("File renamed / deleted")
-				w.onDelete()
+				w.l.Info("file renamed / deleted")
+				go w.onDelete()
 			}
 		case err := <-fsWatcher.Errors:
 			wlog.Error(err)
@@ -161,6 +177,8 @@ func watchFiles() {
 }

 func (w *dockerWatcher) watch() {
+	defer w.wg.Done()
+
 	filter := filters.NewArgs(
 		filters.Arg("type", "container"),
 		filters.Arg("event", "start"),
@@ -173,11 +191,11 @@ func (w *dockerWatcher) watch() {

 	for {
 		select {
-		case <-w.stop:
+		case <-w.stopCh:
 			return
 		case msg := <-msgChan:
 			w.l.Infof("container %s %s", msg.Actor.Attributes["name"], msg.Action)
-			w.onChange()
+			go w.onChange()
 		case err := <-errChan:
 			w.l.Errorf("%s, retrying in 1s", err)
 			time.Sleep(1 * time.Second)
@@ -195,3 +213,7 @@ var (
 	fsWatcherStop     = make(chan struct{}, 1)
 	dockerWatcherStop = make(chan struct{}, 1)
 )
+var (
+	fsWatcherWg     sync.WaitGroup
+	dockerWatcherWg sync.WaitGroup
+)
Author	SHA1	Message	Date
yusing	539ef911de	fix negative waitgroup, fix cert expiry date, better auto renewal strategy	2024-03-23 20:06:34 +00:00
yusing	fff790b527	readme update	2024-03-23 03:46:18 +00:00
yusing	094f75ef46	readme and dockerfile fix for v0.3 update	2024-03-23 03:29:35 +00:00
yusing	43ecd80687	added mkdir before saving cert	2024-03-23 03:16:27 +00:00
yusing	e7f6abf027	initial autocert support, readme update	2024-03-23 03:05:41 +00:00
yusing	22f911c30f	entrypoint fix for debugging and readme update	2024-03-22 15:39:23 +00:00
yusing	5272829582	bug fixes	2024-03-21 04:23:07 +00:00
yusing	48a9e312f5	bug fixes	2024-03-21 04:21:28 +00:00
Yuzerion	f09b152cf9	Merge pull request #3 from yusing/dependabot/go_modules/github.com/docker/docker-25.0.5incompatible Bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible	2024-03-21 09:34:41 +08:00
dependabot[bot]	8184eb5aff	Bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 25.0.4+incompatible to 25.0.5+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v25.0.4...v25.0.5) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-03-20 18:01:46 +00:00
yusing	b37e201ea8	benchmark update	2024-03-18 21:57:29 +00:00
yusing	ad9fc3cfe5	benchmark update	2024-03-18 21:56:09 +00:00
yusing	264ac4886d	benchmark update	2024-03-18 21:56:01 +00:00
yusing	50eb5e9eb1	readme fixes	2024-03-18 21:01:37 +00:00