added explicit only mode for docker provider, updated dependencies

ci speedup
fixed some containers being excluded on restart
2026-01-14 07:33:36 +01:00 · 2024-09-29 11:24:41 +08:00 · 2024-09-29 06:00:52 +08:00 · 2024-09-28 12:34:06 +08:00 · 2024-09-28 11:55:26 +08:00 · 2024-09-28 11:51:47 +08:00
165 changed files with 5843 additions and 2720 deletions
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,21 +1,132 @@
 name: Docker Image CI

 on:
-  push:
-    tags:
-      - "*"
-jobs:
-  build_and_push:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up Docker Build and Push
-        id: docker_build_push
-        uses: GlueOps/github-actions-build-push-containers@v0.3.7
-        with:
-          tags: ${{ github.ref_name }}
+    push:
+        tags: ["*"]

-      - name: Tag as latest
-        if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')
-        run: |
-          docker tag ghcr.io/${{ github.repository }}:${{ github.ref_name }} ghcr.io/${{ github.repository }}:latest
-          docker push ghcr.io/${{ github.repository }}:latest
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+    build:
+        name: Build multi-platform Docker image
+        runs-on: self-hosted
+
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+            attestations: write
+
+        strategy:
+            fail-fast: false
+            matrix:
+                platform:
+                    - linux/amd64
+                    - linux/arm/v6
+                    - linux/arm/v7
+                    - linux/arm64
+        steps:
+            - name: Prepare
+              run: |
+                  platform=${{ matrix.platform }}
+                  echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Login to registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Build and push by digest
+              id: build
+              uses: docker/build-push-action@v6
+              with:
+                  platforms: ${{ matrix.platform }}
+                  labels: ${{ steps.meta.outputs.labels }}
+                  outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
+
+            - name: Generate artifact attestation
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+                  subject-digest: ${{ steps.build.outputs.digest }}
+                  push-to-registry: true
+
+            - name: Export digest
+              run: |
+                  mkdir -p /tmp/digests
+                  digest="${{ steps.build.outputs.digest }}"
+                  touch "/tmp/digests/${digest#sha256:}"
+
+            - name: Upload digest
+              uses: actions/upload-artifact@v4
+              with:
+                  name: digests-${{ env.PLATFORM_PAIR }}
+                  path: /tmp/digests/*
+                  if-no-files-found: error
+                  retention-days: 1
+    merge:
+        runs-on: self-hosted
+        needs:
+            - build
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+        steps:
+            - name: Download digests
+              uses: actions/download-artifact@v4
+              with:
+                  path: /tmp/digests
+                  pattern: digests-*
+                  merge-multiple: true
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+            - name: Login to registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Create manifest list and push
+              id: push
+              working-directory: /tmp/digests
+              run: |
+                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+            - name: Inspect image
+              run: |
+                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+
+            - name: Tag as latest
+              if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')
+              run: |
+                  docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+                  docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,9 @@
 compose.yml

-config/
-certs/
+config*/
+certs*/
 bin/
-
-templates/codemirror/
+error_pages/

 logs/
 log/
@@ -13,6 +12,10 @@ log/

 go.work.sum

-!src/config/
+!cmd/**/
+!internal/**/

-todo.md
+todo.md
+
+.*.swp
+.aider*
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "frontend"]
-	path = frontend
-	url = https://github.com/yusing/go-proxy-frontend
--- a/43
+++ b/43
@@ -1,22 +1,44 @@
+# Stage 1: Builder
 FROM golang:1.23.1-alpine AS builder
-COPY src /src
-ENV GOCACHE=/root/.cache/go-build
+RUN apk add --no-cache tzdata
+
 WORKDIR /src
+
+# Only copy go.mod and go.sum initially for better caching
+COPY go.mod go.sum /src
+
+# Utilize build cache
+RUN --mount=type=cache,target="/go/pkg/mod" \
+    go mod graph | awk '{if ($1 !~ "@") print $2}' | xargs go get
+
+ENV GOCACHE=/root/.cache/go-build
+
+# Build the application with better caching
 RUN --mount=type=cache,target="/go/pkg/mod" \
    --mount=type=cache,target="/root/.cache/go-build" \
-    go mod download && \
-    CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o go-proxy github.com/yusing/go-proxy
+    --mount=type=bind,src=cmd,dst=/src/cmd \
+    --mount=type=bind,src=internal,dst=/src/internal \
+    CGO_ENABLED=0 GOOS=linux go build -ldflags '-w -s' -pgo=auto -o /app/go-proxy ./cmd && \
+    mkdir /app/error_pages /app/certs

-FROM alpine:3.20
+# Stage 2: Final image
+FROM scratch

 LABEL maintainer="yusing@6uo.me"
+LABEL proxy.exclude=1
+
+# copy timezone data
+COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

-RUN apk add --no-cache tzdata
 # copy binary
-COPY --from=builder /src/go-proxy /app/
-COPY schema/ /app/schema
+COPY --from=builder /app /app
+
+# copy schema directory
+COPY schema/ /app/schema/
+
+# copy certs
+COPY --from=builder /etc/ssl/certs /etc/ssl/certs

-RUN chmod +x /app/go-proxy
 ENV DOCKER_HOST=unix:///var/run/docker.sock
 ENV GOPROXY_DEBUG=0

@@ -25,4 +47,5 @@ EXPOSE 8888
 EXPOSE 443

 WORKDIR /app
-CMD ["/app/go-proxy"]
+
+CMD ["/app/go-proxy"]
--- a/24
+++ b/24
@@ -1,6 +1,8 @@
-.PHONY: all build up quick-restart restart logs get udp-server
+BUILD_FLAG ?= -s -w

-all: build quick-restart logs
+.PHONY: all setup build test up restart logs get debug run archive repush rapid-crash debug-list-containers
+
+all: debug

 setup:
 	mkdir -p config certs
@@ -9,10 +11,11 @@ setup:

 build:
 	mkdir -p bin
-	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy github.com/yusing/go-proxy
+	CGO_ENABLED=0 GOOS=linux \
+		go build -ldflags '${BUILD_FLAG}' -pgo=auto -o bin/go-proxy ./cmd

 test:
-	go test ./src/...
+	go test ./internal/...

 up:
 	docker compose up -d
@@ -24,10 +27,13 @@ logs:
 	docker compose logs -f

 get:
-	cd src && go get -u && go mod tidy && cd ..
+	cd cmd && go get -u && go mod tidy && cd ..

 debug:
-	make build && sudo GOPROXY_DEBUG=1 bin/go-proxy
+	make BUILD_FLAG="" build && sudo GOPROXY_DEBUG=1 bin/go-proxy
+
+run:
+	make build && sudo bin/go-proxy

 archive:
 	git archive HEAD -o ../go-proxy-$$(date +"%Y%m%d%H%M").zip
@@ -44,4 +50,8 @@ rapid-crash:
 	sudo docker rm -f test_crash

 debug-list-containers:
-	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+
+ci-test:
+	mkdir -p /tmp/artifacts
+	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
 [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)

 [繁體中文文檔請看此](README_CHT.md)

@@ -23,23 +24,28 @@ A lightweight, easy-to-use, and [performant](docs/benchmark_result.md) reverse p
    - [Environment variables](#environment-variables)
    - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
    - [Config File](#config-file)
-    - [Provider File](#provider-file)
-  - [Known issues](#known-issues)
+    - [Include Files](#include-files)
+  - [Showcase](#showcase)
+    - [idlesleeper](#idlesleeper)
  - [Build it yourself](#build-it-yourself)

 ## Key Points

- Easy to use
-  - Effortless configuration
-  - Error messages is clear and detailed, easy troubleshooting
- Auto certificate obtaining and renewal (See [Supported DNS Challenge Providers](docs/dns_providers.md))
- Auto configuration for docker containers
- Auto hot-reload on container state / config file changes
- Stop containers on idle, wake it up on traffic _(optional)_
- HTTP(s) reserve proxy
- TCP and UDP port forwarding
- Web UI for configuration and monitoring (See [screenshots](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots))
- Written in **[Go](https://go.dev)**
+-   Easy to use
+    -   Effortless configuration
+    -   Simple multi-node setup
+    -   Error messages is clear and detailed, easy troubleshooting
+-   Auto SSL cert management (See [Supported DNS Challenge Providers](docs/dns_providers.md)) 
+-   Auto configuration for docker containers
+-   Auto hot-reload on container state / config file changes
+-   **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [showcase](#idlesleeper))_
+-   HTTP(s) reserve proxy
+-   [HTTP middleware support](docs/middlewares.md) _(experimental)_
+-   [Custom error pages support](docs/middlewares.md#custom-error-pages)
+-   TCP and UDP port forwarding
+-   Web UI for configuration and monitoring (See [screenshots](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots))
+-   Supports linux/amd64, linux/arm64, linux/arm/v7, linux/arm/v6 multi-platform
+-   Written in **[Go](https://go.dev)**

 [🔼Back to top](#table-of-content)

@@ -47,16 +53,29 @@ A lightweight, easy-to-use, and [performant](docs/benchmark_result.md) reverse p

 ### Setup

-1. Setup DNS Records, e.g.
+1.  Pull docker image 
+    
+    ```shell
+    docker pull ghcr.io/yusing/go-proxy:latest
+    ```

-   - A Record: `*.y.z` -> `10.0.10.1`
-   - AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+2.  Create new directory, `cd` into it, then run setup

-2. Setup `go-proxy` [See here](docs/docker.md)
+    ```shell
+    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
+    ```

-3. Configure `go-proxy`
-   - with text editor (e.g. Visual Studio Code)
-   - or with web config editor via `http://gp.y.z`
+3.  Setup DNS Records point to machine which runs `go-proxy`, e.g.
+
+    -   A Record: `*.y.z` -> `10.0.10.1`
+    -   AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+
+4.  Setup `docker-socket-proxy` other docker nodes _(if any)_ (see [example](docs/docker_socket_proxy.md)) and then them inside `config.yml`
+
+5.  Done. You may now do some extra configuration
+    -   With text editor (e.g. Visual Studio Code)
+    -   With Web UI via `gp.y.z`
+    -   For more info, [See docker.md](docs/docker.md)

 [🔼Back to top](#table-of-content)

@@ -70,17 +89,17 @@ A lightweight, easy-to-use, and [performant](docs/benchmark_result.md) reverse p
 | `ls-config` | list config and exit             | `go-proxy ls-config \| jq` |
 | `ls-route`  | list proxy entries and exit      | `go-proxy ls-route \| jq`  |

-**run with `docker exec <container_name> /app/go-proxy <command>`**
+**run with `docker exec go-proxy /app/go-proxy <command>`**

 ### Environment variables

-| Environment Variable           | Description                   | Default | Values  |
-| ------------------------------ | ----------------------------- | ------- | ------- |
-| `GOPROXY_NO_SCHEMA_VALIDATION` | disable schema validation     | `false` | boolean |
-| `GOPROXY_DEBUG`                | enable debug behaviors        | `false` | boolean |
-| `GOPROXY_HTTP_PORT`            | http server port              | `80`    | integer |
-| `GOPROXY_HTTPS_PORT`           | http server port (if enabled) | `443`   | integer |
-| `GOPROXY_API_PORT`             | api server port               | `8888`  | integer |
+| Environment Variable           | Description                                 | Default          | Values        |
+| ------------------------------ | ------------------------------------------- | ---------------- | ------------- |
+| `GOPROXY_NO_SCHEMA_VALIDATION` | disable schema validation                   | `false`          | boolean       |
+| `GOPROXY_DEBUG`                | enable debug behaviors                      | `false`          | boolean       |
+| `GOPROXY_HTTP_ADDR`            | http server listening address               | `:80`            | `[host]:port` |
+| `GOPROXY_HTTPS_ADDR`           | https server listening address (if enabled) | `:443`           | `[host]:port` |
+| `GOPROXY_API_ADDR`             | api server listening address                | `127.0.0.1:8888` | `[host]:port` |

 ### Use JSON Schema in VSCode

@@ -90,31 +109,13 @@ Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscod

 ### Config File

-See [config.example.yml](config.example.yml) for more
-
-```yaml
-# autocert configuration
-autocert:
-  email: # ACME Email
-  domains: # a list of domains for cert registration
-  provider: # DNS Challenge provider
-  options: # provider specific options
-    - ...
-# reverse proxy providers configuration
-providers:
-  include:
-    - providers.yml
-    - other_file_1.yml
-    - ...
-  docker:
-    local: $DOCKER_HOST
-    remote-1: tcp://10.0.2.1:2375
-    remote-2: ssh://root:1234@10.0.2.2
-```
+See [config.example.yml](config.example.yml)

 [🔼Back to top](#table-of-content)

-### Provider File
+### Include Files
+
+These are files that include standalone proxy entries

 See [Fields](docs/docker.md#fields)

@@ -122,11 +123,11 @@ See [providers.example.yml](providers.example.yml) for examples

 [🔼Back to top](#table-of-content)

-## Known issues
+## Showcase

- Cert "renewal" is actually obtaining a new cert instead of renewing the existing one
+### idlesleeper

- `autocert` config is not hot-reloadable
+![idlesleeper](showcase/idlesleeper.webp)

 [🔼Back to top](#table-of-content)

--- a/README_CHT.md
+++ b/README_CHT.md
@@ -5,8 +5,9 @@
 [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)

-一個輕量化、易用且[高效](docs/benchmark_result.md)的反向代理工具
+一個輕量化、易用且[高效](docs/benchmark_result.md)的反向代理和端口轉發工具

 ## 目錄

@@ -22,22 +23,25 @@
    - [VSCode 中使用 JSON Schema](#vscode-中使用-json-schema)
    - [配置文件](#配置文件)
    - [透過文件配置](#透過文件配置)
-  - [已知問題](#已知問題)
+  - [展示](#展示)
+    - [idlesleeper](#idlesleeper)
  - [源碼編譯](#源碼編譯)

 ## 重點

- 易用
-  - 不需花費太多時間就能輕鬆配置
-  - 除錯簡單
- 自動處理 HTTPS 證書（參見[可用的 DNS 供應商](docs/dns_providers.md)）
- 透過 Docker 容器自動配置
- 容器狀態變更時自動熱重載
- 容器閒置時自動暫停/停止，入站時自動喚醒
- HTTP(s)反向代理
- TCP/UDP 端口轉發
- 用於配置和監控的前端 Web 面板（[截圖](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots)）
- 使用 **[Go](https://go.dev)** 編寫
+-   易用
+    -   不需花費太多時間就能輕鬆配置
+    -   支持多個docker節點
+    -   除錯簡單
+-   自動配置 SSL 證書（參見[可用的 DNS 供應商](docs/dns_providers.md)）
+-   透過 Docker 容器自動配置
+-   容器狀態變更時自動熱重載
+-   容器閒置時自動暫停/停止，入站時自動喚醒
+-   HTTP(s) 反向代理
+-   TCP/UDP 端口轉發
+-   用於配置和監控的前端 Web 面板（[截圖](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots)）
+-   支持 linux/amd64、linux/arm64、linux/arm/v7、linux/arm/v6 多平台
+-   使用 **[Go](https://go.dev)** 編寫

 [🔼 返回頂部](#目錄)

@@ -45,16 +49,29 @@

 ### 安裝

-1. 設置 DNS 記錄，例如：
+1. 抓取Docker鏡像

-   - A 記錄: `*.y.z` -> `10.0.10.1`
-   - AAAA 記錄: `*.y.z` -> `::ffff:a00:a01`
+    ```shell
+    docker pull ghcr.io/yusing/go-proxy:latest
+    ```

-2. 安裝 `go-proxy` [參見這裡](docs/docker.md)
+2. 建立新的目錄，並切換到該目錄，並執行
+   
+   ```shell
+    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
+    ```

-3. 配置 `go-proxy`
-   - 使用文本編輯器 (推薦 Visual Studio Code [參見 VSCode 使用 schema](#vscode-中使用-json-schema))
-   - 或通過 `http://gp.y.z` 使用網頁配置編輯器
+3. 設置 DNS 記錄，例如：
+
+    - A 記錄: `*.y.z` -> `10.0.10.1`
+    - AAAA 記錄: `*.y.z` -> `::ffff:a00:a01`
+
+4. 配置 `docker-socket-proxy` 其他 Docker 節點（如有） (參見 [範例](docs/docker_socket_proxy.md)) 然後加到 `config.yml` 中
+
+5. 大功告成，你可以做一些額外的配置
+    - 使用文本編輯器 (推薦 Visual Studio Code [參見 VSCode 使用 schema](#vscode-中使用-json-schema))
+    - 或通過 `http://gp.y.z` 使用網頁配置編輯器
+    - 詳情請參閱 [docker.md](docs/docker.md)

 [🔼 返回頂部](#目錄)

@@ -68,14 +85,17 @@
 | `ls-config` | 列出配置並退出 | `go-proxy ls-config \| jq` |
 | `ls-route`  | 列出路由並退出 | `go-proxy ls-route \| jq`  |

-**使用 `docker exec <容器名稱> /app/go-proxy <參數>` 運行**
+**使用 `docker exec go-proxy /app/go-proxy <參數>` 運行**

 ### 環境變量

-| 環境變量                       | 描述             | 默認    | 值      |
-| ------------------------------ | ---------------- | ------- | ------- |
-| `GOPROXY_NO_SCHEMA_VALIDATION` | 禁用 schema 驗證 | `false` | boolean |
-| `GOPROXY_DEBUG`                | 啟用調試輸出     | `false` | boolean |
+| 環境變量                       | 描述             | 默認             | 格式          |
+| ------------------------------ | ---------------- | ---------------- | ------------- |
+| `GOPROXY_NO_SCHEMA_VALIDATION` | 禁用 schema 驗證 | `false`          | boolean       |
+| `GOPROXY_DEBUG`                | 啟用調試輸出     | `false`          | boolean       |
+| `GOPROXY_HTTP_ADDR`            | http 收聽地址    | `:80`            | `[host]:port` |
+| `GOPROXY_HTTPS_ADDR`           | https 收聽地址   | `:443`           | `[host]:port` |
+| `GOPROXY_API_ADDR`             | api 收聽地址     | `127.0.0.1:8888` | `[host]:port` |

 ### VSCode 中使用 JSON Schema

@@ -85,27 +105,7 @@

 ### 配置文件

-參見 [config.example.yml](config.example.yml) 了解更多
-
-```yaml
-# autocert 配置
-autocert:
-  email: # ACME 電子郵件
-  domains: # 域名列表
-  provider: # DNS 供應商
-  options: # 供應商個別配置
-    - ...
-# 配置文件 / docker
-providers:
-  include:
-    - providers.yml
-    - other_file_1.yml
-    - ...
-  docker:
-    local: $DOCKER_HOST
-    remote-1: tcp://10.0.2.1:2375
-    remote-2: ssh://root:1234@10.0.2.2
-```
+參見 [config.example.yml](config.example.yml)

 [🔼 返回頂部](#目錄)

@@ -117,11 +117,11 @@ providers:

 [🔼 返回頂部](#目錄)

-## 已知問題
+## 展示

- 證書“更新”實際上是獲取新證書而不是更新現有證書
+### idlesleeper

- `autocert` 配置不能熱重載
+![idlesleeper](showcase/idlesleeper.webp)

 [🔼 返回頂部](#目錄)

--- a/cmd/main.go
+++ b/cmd/main.go
@@ -3,55 +3,66 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"io"
 	"log"
 	"net/http"
 	"os"
 	"os/signal"
+	"reflect"
 	"runtime"
+	"strings"
 	"sync"
 	"syscall"
 	"time"

 	"github.com/sirupsen/logrus"
-	"github.com/yusing/go-proxy/api"
-	apiUtils "github.com/yusing/go-proxy/api/v1/utils"
-	"github.com/yusing/go-proxy/common"
-	"github.com/yusing/go-proxy/config"
-	"github.com/yusing/go-proxy/docker"
-	"github.com/yusing/go-proxy/docker/idlewatcher"
-	E "github.com/yusing/go-proxy/error"
-	R "github.com/yusing/go-proxy/route"
-	"github.com/yusing/go-proxy/server"
-	F "github.com/yusing/go-proxy/utils/functional"
+	"github.com/yusing/go-proxy/internal"
+	"github.com/yusing/go-proxy/internal/api"
+	apiUtils "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/docker/idlewatcher"
+	E "github.com/yusing/go-proxy/internal/error"
+	R "github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/server"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
 )

 func main() {
-	runtime.GOMAXPROCS(runtime.NumCPU())
-
 	args := common.GetArgs()
+
+	if args.Command == common.CommandSetup {
+		internal.Setup()
+		return
+	}
+
 	l := logrus.WithField("module", "main")
+	onShutdown := F.NewSlice[func()]()

 	if common.IsDebug {
 		logrus.SetLevel(logrus.DebugLevel)
 	}

-	logrus.SetFormatter(&logrus.TextFormatter{
-		DisableSorting:         true,
-		DisableLevelTruncation: true,
-		FullTimestamp:          true,
-		ForceColors:            true,
-		TimestampFormat:        "01-02 15:04:05",
-	})
+	if args.Command != common.CommandStart {
+		logrus.SetOutput(io.Discard)
+	} else {
+		logrus.SetFormatter(&logrus.TextFormatter{
+			DisableSorting:  true,
+			FullTimestamp:   true,
+			ForceColors:     true,
+			TimestampFormat: "01-02 15:04:05",
+		})
+	}

 	if args.Command == common.CommandReload {
 		if err := apiUtils.ReloadServer(); err.HasError() {
-			l.Fatal(err)
+			log.Fatal(err)
 		}
+		log.Print("ok")
 		return
 	}

-	onShutdown := F.NewSlice[func()]()
-
 	// exit if only validate config
 	if args.Command == common.CommandValidate {
 		data, err := os.ReadFile(common.ConfigPath)
@@ -59,34 +70,43 @@ func main() {
 			err = config.Validate(data).Error()
 		}
 		if err != nil {
-			l.Fatal("config error: ", err)
+			log.Fatal("config error: ", err)
 		}
-		l.Printf("config OK")
+		log.Print("config OK")
 		return
 	}

-	cfg, err := config.Load()
-	if err.IsFatal() {
-		l.Fatal(err)
+	for _, dir := range common.RequiredDirectories {
+		prepareDirectory(dir)
 	}

-	if args.Command == common.CommandListConfigs {
+	err := config.Load()
+	if err != nil {
+		logrus.Warn(err)
+	}
+	cfg := config.GetInstance()
+
+	switch args.Command {
+	case common.CommandListConfigs:
 		printJSON(cfg.Value())
 		return
+	case common.CommandListRoutes:
+		printJSON(cfg.RoutesByAlias())
+		return
+	case common.CommandDebugListEntries:
+		printJSON(cfg.DumpEntries())
+		return
+	case common.CommandDebugListProviders:
+		printJSON(cfg.DumpProviders())
+		return
+	}
+
+	if common.IsDebug {
+		printJSON(docker.GetRegisteredNamespaces())
 	}

 	cfg.StartProxyProviders()

-	if args.Command == common.CommandListRoutes {
-		printJSON(cfg.RoutesByAlias())
-		return
-	}
-
-	if args.Command == common.CommandDebugListEntries {
-		printJSON(cfg.DumpEntries())
-		return
-	}
-
 	if err.HasError() {
 		l.Warn(err)
 	}
@@ -104,25 +124,11 @@ func main() {
 	autocert := cfg.GetAutoCertProvider()

 	if autocert != nil {
-		if err = autocert.LoadCert(); err.HasError() {
-			if !err.Is(os.ErrNotExist) { // ignore if cert doesn't exist
-				l.Error(err)
-			}
-			l.Debug("obtaining cert due to error loading cert")
-			if err = autocert.ObtainCert(); err.HasError() {
-				l.Warn(err)
-			}
-		}
-
-		if err.NoError() {
-			ctx, certRenewalCancel := context.WithCancel(context.Background())
-			go autocert.ScheduleRenewal(ctx)
-			onShutdown.Add(certRenewalCancel)
-		}
-
-		for _, expiry := range autocert.GetExpiries() {
-			l.Infof("certificate expire on %s", expiry)
-			break
+		ctx, cancel := context.WithCancel(context.Background())
+		if err = autocert.Setup(ctx); err != nil {
+			l.Fatal(err)
+		} else {
+			onShutdown.Add(cancel)
 		}
 	} else {
 		l.Info("autocert not configured")
@@ -131,15 +137,15 @@ func main() {
 	proxyServer := server.InitProxyServer(server.Options{
 		Name:            "proxy",
 		CertProvider:    autocert,
-		HTTPPort:        common.ProxyHTTPPort,
-		HTTPSPort:       common.ProxyHTTPSPort,
+		HTTPAddr:        common.ProxyHTTPAddr,
+		HTTPSAddr:       common.ProxyHTTPSAddr,
 		Handler:         http.HandlerFunc(R.ProxyHandler),
 		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
 	})
 	apiServer := server.InitAPIServer(server.Options{
 		Name:            "api",
 		CertProvider:    autocert,
-		HTTPPort:        common.APIHTTPPort,
+		HTTPAddr:        common.APIHTTPAddr,
 		Handler:         api.NewHandler(cfg),
 		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
 	})
@@ -163,7 +169,9 @@ func main() {
 	wg.Add(onShutdown.Size())
 	onShutdown.ForEach(func(f func()) {
 		go func() {
+			l.Debugf("waiting for %s to complete...", funcName(f))
 			f()
+			l.Debugf("%s done", funcName(f))
 			wg.Done()
 		}()
 	})
@@ -172,16 +180,33 @@ func main() {
 		close(done)
 	}()

+	timeout := time.After(time.Duration(cfg.Value().TimeoutShutdown) * time.Second)
 	select {
 	case <-done:
 		logrus.Info("shutdown complete")
-	case <-time.After(time.Duration(cfg.Value().TimeoutShutdown) * time.Second):
+	case <-timeout:
 		logrus.Info("timeout waiting for shutdown")
+		onShutdown.ForEach(func(f func()) {
+			l.Warnf("%s() is still running", funcName(f))
+		})
 	}
 }

+func prepareDirectory(dir string) {
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err = os.MkdirAll(dir, 0755); err != nil {
+			logrus.Fatalf("failed to create directory %s: %v", dir, err)
+		}
+	}
+}
+
+func funcName(f func()) string {
+	parts := strings.Split(runtime.FuncForPC(reflect.ValueOf(f).Pointer()).Name(), "/go-proxy/")
+	return parts[len(parts)-1]
+}
+
 func printJSON(obj any) {
-	j, err := E.Check(json.Marshal(obj))
+	j, err := E.Check(json.MarshalIndent(obj, "", "  "))
 	if err.HasError() {
 		logrus.Fatal(err)
 	}
--- a/config.example.yml
+++ b/config.example.yml
@@ -1,37 +1,69 @@
 # Autocert (choose one below and uncomment to enable)
-
+#
 # 1. use existing cert
+#
 # autocert:
 #   provider: local
-#   cert_path: certs/cert.crt # optional, uncomment only if you need to change it
-#   key_path: certs/priv.key # optional, uncomment only if you need to change it
-
+#
+#   cert_path: certs/cert.crt         # optional, uncomment only if you need to change it
+#   key_path: certs/priv.key          # optional, uncomment only if you need to change it
+#
 # 2. cloudflare
+#
 # autocert:
 #   provider: cloudflare
-#   email: # ACME Email
-#   domains: # a list of domains for cert registration
-#     - x.y.z
+#   email: abc@gmail.com                            # ACME Email
+#   domains:                                        # a list of domains for cert registration
+#     - "*.y.z"                                     # remember to use double quotes to surround wildcard domain
 #   options:
-#     - auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
-
-# 3. other providers, check readme for more
+#     auth_token: c1234565789-abcdefghijklmnopqrst  # your zone API token
+#
+# 3. other providers, check docs/dns_providers.md for more

 providers:
-  include:
-    - providers.yml # config/providers.yml
-    # add some more below if you want
-    # - file1.yml # config/file_1.yml
-    # - file2.yml
+  # include files are standalone yaml files under `config/` directory
+  #
+  # include:
+  #   - file1.yml
+  #   - file2.yml
+
  docker:
-    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    # $DOCKER_HOST implies unix:///var/run/docker.sock by default
+    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
    local: $DOCKER_HOST
+    # explicit only mode
+    # only containers with explicit aliases will be proxied
+    # add "!" after provider name to enable explicit only mode
+    #
+    # local!: $DOCKER_HOST
+    #
    # add more docker providers if needed
+    # for value format, see https://docs.docker.com/reference/cli/dockerd/
+    #
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2
+# if match_domains not defined
+# any host = alias+[any domain] will match
+# i.e. https://app1.y.z       will match alias app1 for any domain y.z
+#  but https://app1.node1.y.z will only match alias "app.node1"
+#
+# if match_domains defined
+# only host = alias+[one of match_domains] will match
+# i.e. match_domains = [node1.my.app, my.site]
+# https://app1.my.app, https://app1.my.net, etc. will not match even if app1 exists
+# only https://*.node1.my.app and https://*.my.site will match
+#
+#
+# match_domains:
+#   - my.site
+#   - node1.my.app

-# Fixed options (optional, non hot-reloadable)
+# Below are fixed options (non hot-reloadable)

+# timeout for shutdown (in seconds)
+#
 # timeout_shutdown: 5
+
+# global setting redirect http requests to https (if https available, otherwise this will be ignored)
+# proxy.<alias>.middlewares.redirect_http will override this
+#
 # redirect_to_https: false
--- a/docs/dns_providers.md
+++ b/docs/dns_providers.md
@@ -11,42 +11,70 @@

 ## Cloudflare

+```yaml
+autocert:
+    provider: cloudflare
+    options:
+        auth_token:
+```
+
 `auth_token` your zone API token

 Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions

 ## CloudDNS

- `client_id`
-
- `email`
-
- `password`
+```yaml
+autocert:
+    provider: clouddns
+    options:
+        client_id:
+        email:
+        password:
+```

 ## DuckDNS

- `token`: DuckDNS Token
+```yaml
+autocert:
+    provider: duckdns
+    options:
+        token:
+```

 Tested by [earvingad](https://github.com/earvingad)

 ## OVHCloud

+```yaml
+autocert:
+    provider: ovh
+    options:
+        api_endpoint:
+        application_key:
+        application_secret:
+        consumer_key:
+        oauth2_config:
+            client_id:
+            client_secret:
+```
+
 _Note, `application_key` and `oauth2_config` **CANNOT** be used together_

- `api_endpoint`: Endpoint URL, or one of
-  - `ovh-eu`,
-  - `ovh-ca`,
-  - `ovh-us`,
-  - `kimsufi-eu`,
-  - `kimsufi-ca`,
-  - `soyoustart-eu`,
-  - `soyoustart-ca`
- `application_secret`
- `application_key`
- `consumer_key`
- `oauth2_config`: Client ID and Client Secret
-  - `client_id`
-  - `client_secret`
+-   `api_endpoint`: Endpoint URL, or one of
+    -   `ovh-eu`,
+    -   `ovh-ca`,
+    -   `ovh-us`,
+    -   `kimsufi-eu`,
+    -   `kimsufi-ca`,
+    -   `soyoustart-eu`,
+    -   `soyoustart-ca`
+-   `application_secret`
+-   `application_key`
+-   `consumer_key`
+-   `oauth2_config`: Client ID and Client Secret
+    -   `client_id`
+    -   `client_secret`

 ## Implement other DNS providers

--- a/docs/docker.md
+++ b/docs/docker.md
@@ -6,7 +6,7 @@

 - [Docker compose guide](#docker-compose-guide)
  - [Table of content](#table-of-content)
-  - [Setup](#setup)
+  - [Additional setup](#additional-setup)
  - [Labels](#labels)
    - [Syntax](#syntax)
    - [Fields](#fields)
@@ -16,34 +16,11 @@
  - [Docker compose examples](#docker-compose-examples)
    - [Services URLs for above examples](#services-urls-for-above-examples)

-## Setup
+## Additional setup

-1.  Install `wget` if not already
+1.  Enable HTTPs _(optional)_

-    - Ubuntu based: `sudo apt install -y wget`
-    - Fedora based: `sudo yum install -y wget`
-    - Arch based: `sudo pacman -Sy wget`
-
-2.  Run setup script
-
-    `bash <(wget -qO- https://github.com/yusing/go-proxy/raw/main/setup-docker.sh)`
-
-    It will setup folder structure and required config files
-
-3.  Verify folder structure and then `cd go-proxy`
-
-    ```plain
-    go-proxy
-    ├── certs
-    ├── compose.yml
-    └── config
-        ├── config.yml
-        └── providers.yml
-    ```
-
-4.  Enable HTTPs _(optional)_
-
-    Mount a folder (to store obtained certs) or (containing existing cert)
+    Mount a folder to store obtained certs or to load existing cert

    ```yaml
    services:
@@ -57,59 +34,63 @@

    ```yaml
    autocert:
-      email: john.doe@x.y.z # ACME Email
-      domains: # a list of domains for cert registration
-        - x.y.z
-      provider: cloudflare
-      options:
-        - auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
+        email: john.doe@x.y.z # ACME Email
+        domains: # a list of domains for cert registration
+            - y.z
+            - *.y.z
+        provider: cloudflare
+        options:
+            auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
    ```

    To use **existing certificate**, set path for cert and key in `config.yml`, e.g.

    ```yaml
    autocert:
-      cert_path: /app/certs/cert.crt
-      key_path: /app/certs/priv.key
+        provider: local
+        cert_path: /app/certs/cert.crt
+        key_path: /app/certs/priv.key
    ```

-5.  Modify `compose.yml` to fit your needs
+2.  Modify `compose.yml` to fit your needs

-6.  Run `docker compose up -d` to start the container
+3.  Run `docker compose up -d` to start the container

-7.  Navigate to Web panel `http://gp.yourdomain.com` or use **Visual Studio Code (provides schema check)** to edit proxy config
+4.  Navigate to Web panel `http://gp.yourdomain.com` or use **Visual Studio Code (provides schema check)** to edit proxy config

 [🔼Back to top](#table-of-content)

 ## Labels

+**Parts surrounded by `[]` are optional**
+
 ### Syntax

-| Label                    | Description                                                           | Default              | Accepted values                                                           |
-| ------------------------ | --------------------------------------------------------------------- | -------------------- | ------------------------------------------------------------------------- |
-| `proxy.aliases`          | comma separated aliases for subdomain and label matching              | `container_name`     | any                                                                       |
-| `proxy.exclude`          | to be excluded from `go-proxy`                                        | false                | boolean                                                                   |
-| `proxy.idle_timeout`     | time for idle (no traffic) before put it into sleep **(http/s only)** | empty **(disabled)** | `number[unit]...`, e.g. `1m30s`                                           |
-| `proxy.wake_timeout`     | time to wait for container to start before responding a loading page  | empty                | `number[unit]...`                                                         |
-| `proxy.stop_method`      | method to stop after `idle_timeout`                                   | `stop`               | `stop`, `pause`, `kill`                                                   |
-| `proxy.stop_timeout`     | time to wait for stop command                                         | `10s`                | `number[unit]...`                                                         |
-| `proxy.stop_signal`      | signal sent to container for `stop` and `kill` methods                | docker's default     | `SIGINT`, `SIGTERM`, `SIGHUP`, `SIGQUIT` and those without **SIG** prefix |
-| `proxy.<alias>.<field>`  | set field for specific alias                                          | N/A                  | N/A                                                                       |
-| `proxy.$<index>.<field>` | set field for specific alias at index (starting from **1**)            | N/A                  | N/A                                                                       |
-| `proxy.*.<field>`        | set field for all aliases                                             | N/A                  | N/A                                                                       |
+| Label                                        | Description                                                                                                                                                         | Example                                                                                                                                                                                                                     | Default                     | Accepted values                                                           |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | ------------------------------------------------------------------------- |
+| `proxy.aliases`                              | comma separated aliases for subdomain and label matching                                                                                                            | `gitlab,gitlab-reg,gitlab-ssh`                                                                                                                                                                                              | `container_name`            | any                                                                       |
+| `proxy.exclude`                              | to be excluded from `go-proxy`                                                                                                                                      |                                                                                                                                                                                                                             | false                       | boolean                                                                   |
+| `proxy.idle_timeout`                         | time for idle (no traffic) before put it into sleep **(http/s only)**<br> _**NOTE: idlewatcher will only be enabled containers that has non-empty `idle_timeout`**_ | `1h`                                                                                                                                                                                                                        | empty or `0` **(disabled)** | `number[unit]...`, e.g. `1m30s`                                           |
+| `proxy.wake_timeout`                         | time to wait for target site to be ready                                                                                                                            |                                                                                                                                                                                                                             | `30s`                       | `number[unit]...`                                                         |
+| `proxy.stop_method`                          | method to stop after `idle_timeout`                                                                                                                                 |                                                                                                                                                                                                                             | `stop`                      | `stop`, `pause`, `kill`                                                   |
+| `proxy.stop_timeout`                         | time to wait for stop command                                                                                                                                       |                                                                                                                                                                                                                             | `10s`                       | `number[unit]...`                                                         |
+| `proxy.stop_signal`                          | signal sent to container for `stop` and `kill` methods                                                                                                              |                                                                                                                                                                                                                             | docker's default            | `SIGINT`, `SIGTERM`, `SIGHUP`, `SIGQUIT` and those without **SIG** prefix |
+| `proxy.<alias>.<field>`                      | set field for specific alias                                                                                                                                        | `proxy.gitlab-ssh.scheme`                                                                                                                                                                                                   | N/A                         | N/A                                                                       |
+| `proxy.#<index>.<field>`                     | set field for specific alias at index (starting from **1**)                                                                                                         | `proxy.#3.port`                                                                                                                                                                                                             | N/A                         | N/A                                                                       |
+| `proxy.*.<field>`                            | set field for all aliases                                                                                                                                           | `proxy.*.set_headers`                                                                                                                                                                                                       | N/A                         | N/A                                                                       |
+| `proxy.?.middlewares.<middleware>[.<field>]` | enable and set field for specific middleware                                                                                                                        | **?** here means `<alias>` / `$<index>` / `*` <ul><li>`proxy.#1.middlewares.modify_request.set_headers`</li><li>`proxy.*.middlewares.modify_response.hide_headers`</li><li>`proxy.app1.middlewares.redirect_http`</li></ul> | N/A                         | Middleware specific<br>See [middlewares.md](middlewares.md) for more      |

 ### Fields

-| Field                 | Description                                                                                    | Default                                                                          | Allowed Values / Syntax                                                                                                                                 |
-| --------------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `scheme`              | proxy protocol                                                                                 | <ul><li>`http` for numeric port</li><li>`tcp` for `x:y` port</li></ul>           | `http`, `https`, `tcp`, `udp`                                                                                                                           |
-| `host`                | proxy host                                                                                     | <ul><li>Docker: docker client IP / hostname </li><li>File: `localhost`</li></ul> | IP address, hostname                                                                                                                                    |
-| `port`                | proxy port **(http/s)**                                                                        | first port in `ports:`                                                           | number in range of `1 - 65535`                                                                                                                          |
-| `port` **(required)** | proxy port **(tcp/udp)**                                                                       | N/A                                                                              | `x:y` <br><ul><li>x: port for `go-proxy` to listen on</li><li>y: port or [_service name_](../src/common/constants.go#L55) of target container</li></ul> |
-| `no_tls_verify`       | whether skip tls verify **(https only)**                                                       | `false`                                                                          | boolean                                                                                                                                                 |
-| `path_patterns`       | proxy path patterns **(http/s only)**<br> only requests that matched a pattern will be proxied | empty **(proxy all requests)**                                                   | yaml style list[<sup>1</sup>](#list-example) of path patterns ([syntax](https://pkg.go.dev/net/http#hdr-Patterns-ServeMux))                             |
-| `set_headers`         | header to set **(http/s only)**                                                                | empty                                                                            | yaml style key-value mapping[<sup>2</sup>](#key-value-mapping-example) of header-value pairs                                                            |
-| `hide_headers`        | header to hide **(http/s only)**                                                               | empty                                                                            | yaml style list[<sup>1</sup>](#list-example) of headers                                                                                                 |
+| Field           | Description                                                                                    | Default                                                                          | Allowed Values / Syntax                                                                                                                                                                                                 |
+| --------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `scheme`        | proxy protocol                                                                                 | <ul><li>`http` for numeric port</li><li>`tcp` for `x:y` port</li></ul>           | `http`, `https`, `tcp`, `udp`                                                                                                                                                                                           |
+| `host`          | proxy host                                                                                     | <ul><li>Docker: docker client IP / hostname </li><li>File: `localhost`</li></ul> | IP address, hostname                                                                                                                                                                                                    |
+| `port`          | proxy port **(http/s)**                                                                        | first port returned from docker                                                  | number in range of `1 - 65535`                                                                                                                                                                                          |
+| `port`          | proxy port **(tcp/udp)**                                                                       | `0:first_port`                                                                   | `x:y` <br><ul><li>**x**: port for `go-proxy` to listen on.<br>**x** can be 0, which means listen on a random port</li><li>**y**: port or [_service name_](../src/common/constants.go#L55) of target container</li></ul> |
+| `no_tls_verify` | whether skip tls verify **(https only)**                                                       | `false`                                                                          | boolean                                                                                                                                                                                                                 |
+| `path_patterns` | proxy path patterns **(http/s only)**<br> only requests that matched a pattern will be proxied | `/` **(proxy all requests)**                                                     | yaml style list[<sup>1</sup>](#list-example) of ([path patterns](https://pkg.go.dev/net/http#hdr-Patterns-ServeMux))                                                                                                    |
+

 [🔼Back to top](#table-of-content)

@@ -122,23 +103,21 @@ services:
  nginx:
    ...
    labels:
-      # values from duplicated header keys will be combined
-      proxy.nginx.set_headers: | # remember to add the '|'
+      proxy.nginx.middlewares.modify_request.set_headers: | # remember to add the '|'
        X-Custom-Header1: value1, value2
-        X-Custom-Header2: value3
-        X-Custom-Header2: value4
-      # X-Custom-Header2 will be "value3, value4"
+        X-Custom-Header2: value3, value4
 ```

 File Provider

 ```yaml
 service_a:
-  host: service_a.internal
-  set_headers:
-    # do not duplicate header keys, as it is not allowed in YAML
-    X-Custom-Header1: value1, value2
-    X-Custom-Header2: value3
+    host: service_a.internal
+    middlewares:
+        modify_request:
+            set_headers:
+                X-Custom-Header1: value1, value2
+                X-Custom-Header2: value3
 ```

 [🔼Back to top](#table-of-content)
@@ -155,160 +134,163 @@ services:
      proxy.nginx.path_patterns: | # remember to add the '|'
        - GET /
        - POST /auth
-      proxy.nginx.hide_headers: | # remember to add the '|'
+      proxy.nginx.middlewares.modify_request.hide_headers: | # remember to add the '|'
        - X-Custom-Header1
        - X-Custom-Header2
 ```

-File Provider
+Include file

 ```yaml
 service_a:
-  host: service_a.internal
-  path_patterns:
-    - GET /
-    - POST /auth
-  hide_headers:
-    - X-Custom-Header1
-    - X-Custom-Header2
+    host: service_a.internal
+    path_patterns:
+        - GET /
+        - POST /auth
+    middlewares:
+        modify_request:
+            hide_headers:
+                - X-Custom-Header1
+                - X-Custom-Header2
 ```

 [🔼Back to top](#table-of-content)

 ## Troubleshooting

- Container not showing up in proxies list
+-   Container not showing up in proxies list

-  Please check that either `ports` or label `proxy.<alias>.port` is declared, e.g.
+    Please check that either `ports` or label `proxy.<alias>.port` is declared, e.g.

-  ```yaml
-  services:
-    nginx-1: # Option 1
-      ...
-      ports:
-        - 80
-    nginx-2: # Option 2
-      ...
-      container_name: nginx-2
-      network_mode: host
-      labels:
-        proxy.nginx-2.port: 80
-  ```
+    ```yaml
+    services:
+      nginx-1: # Option 1
+        ...
+        ports:
+          - 80
+      nginx-2: # Option 2
+        ...
+        container_name: nginx-2
+        network_mode: host
+        labels:
+          proxy.nginx-2.port: 80
+    ```

- Firewall issues
+-   Firewall issues

-  If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:
+    If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:

-  `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+    `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`

-  Explaination:
+    Explaination:

-  Docker network is usually `172.16.0.0/16`
+    Docker network is usually `172.16.0.0/16`

-  Tailscale is used as an example, `100.64.0.0/10` will be the CIDR
+    Tailscale is used as an example, `100.64.0.0/10` will be the CIDR

-  You can also list CIDRs of all docker bridge networks by:
+    You can also list CIDRs of all docker bridge networks by:

-  `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+    `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`

 [🔼Back to top](#table-of-content)

 ## Docker compose examples

+More examples in [here](examples/)
+
 ```yaml
 volumes:
-  adg-work:
-  adg-conf:
-  mc-data:
-  palworld:
-  nginx:
+    adg-work:
+    adg-conf:
+    mc-data:
+    palworld:
+    nginx:
 services:
-  adg:
-    image: adguard/adguardhome
-    restart: unless-stopped
-    labels:
-      - proxy.aliases=adg,adg-dns,adg-setup
-      - proxy.$1.port=80
-      - proxy.$2.scheme=udp
-      - proxy.$2.port=20000:dns
-      - proxy.$3.port=3000
-    volumes:
-      - adg-work:/opt/adguardhome/work
-      - adg-conf:/opt/adguardhome/conf
-    ports:
-      - 80
-      - 3000
-      - 53/udp
-  mc:
-    image: itzg/minecraft-server
-    tty: true
-    stdin_open: true
-    container_name: mc
-    restart: unless-stopped
-    ports:
-      - 25565
-    labels:
-      - proxy.mc.scheme=tcp
-      - proxy.mc.port=20001:25565
-    environment:
-      - EULA=TRUE
-    volumes:
-      - mc-data:/data
-  palworld:
-    image: thijsvanloef/palworld-server-docker:latest
-    restart: unless-stopped
-    container_name: pal
-    stop_grace_period: 30s
-    ports:
-      - 8211/udp
-      - 27015/udp
-    labels:
-      - proxy.aliases=pal1,pal2
-      - proxy.*.scheme=udp
-      - proxy.$1.port=20002:8211
-      - proxy.$2.port=20003:27015
-    environment: ...
-    volumes:
-      - palworld:/palworld
-  nginx:
-    image: nginx
-    container_name: nginx
-    volumes:
-      - nginx:/usr/share/nginx/html
-    ports:
-      - 80
-    labels:
-      proxy.idle_timeout: 1m
-  go-proxy:
-    image: ghcr.io/yusing/go-proxy:latest
-    container_name: go-proxy
-    restart: always
-    network_mode: host
-    volumes:
-      - ./config:/app/config
-      - /var/run/docker.sock:/var/run/docker.sock
-  go-proxy-frontend:
-    image: ghcr.io/yusing/go-proxy-frontend:latest
-    container_name: go-proxy-frontend
-    restart: unless-stopped
-    network_mode: host
-    labels:
-      - proxy.aliases=gp
-      - proxy.gp.port=3000
-    depends_on:
-      - go-proxy
+    adg:
+        image: adguard/adguardhome
+        restart: unless-stopped
+        labels:
+            - proxy.aliases=adg,adg-dns,adg-setup
+            - proxy.#1.port=80
+            - proxy.#2.scheme=udp
+            - proxy.#2.port=20000:dns
+            - proxy.#3.port=3000
+        volumes:
+            - adg-work:/opt/adguardhome/work
+            - adg-conf:/opt/adguardhome/conf
+        ports:
+            - 80
+            - 3000
+            - 53/udp
+    mc:
+        image: itzg/minecraft-server
+        tty: true
+        stdin_open: true
+        container_name: mc
+        restart: unless-stopped
+        ports:
+            - 25565
+        labels:
+            - proxy.mc.port=20001:25565
+        environment:
+            - EULA=TRUE
+        volumes:
+            - mc-data:/data
+    palworld:
+        image: thijsvanloef/palworld-server-docker:latest
+        restart: unless-stopped
+        container_name: pal
+        stop_grace_period: 30s
+        ports:
+            - 8211/udp
+            - 27015/udp
+        labels:
+            - proxy.aliases=pal1,pal2
+            - proxy.*.scheme=udp
+            - proxy.#1.port=20002:8211
+            - proxy.#2.port=20003:27015
+        environment: ...
+        volumes:
+            - palworld:/palworld
+    nginx:
+        image: nginx
+        container_name: nginx
+        volumes:
+            - nginx:/usr/share/nginx/html
+        ports:
+            - 80
+        labels:
+            proxy.idle_timeout: 1m
+    go-proxy:
+        image: ghcr.io/yusing/go-proxy:latest
+        container_name: go-proxy
+        restart: always
+        network_mode: host
+        volumes:
+            - ./config:/app/config
+            - /var/run/docker.sock:/var/run/docker.sock
+    go-proxy-frontend:
+        image: ghcr.io/yusing/go-proxy-frontend:latest
+        container_name: go-proxy-frontend
+        restart: unless-stopped
+        network_mode: host
+        labels:
+            - proxy.aliases=gp
+            - proxy.gp.port=3000
+        depends_on:
+            - go-proxy
 ```

 [🔼Back to top](#table-of-content)

 ### Services URLs for above examples

- `gp.yourdomain.com`: go-proxy web panel
- `adg-setup.yourdomain.com`: adguard setup (first time setup)
- `adg.yourdomain.com`: adguard dashboard
- `nginx.yourdomain.com`: nginx
- `yourdomain.com:2000`: adguard dns (udp)
- `yourdomain.com:20001`: minecraft server
- `yourdomain.com:20002`: palworld server
+-   `gp.yourdomain.com`: go-proxy web panel
+-   `adg-setup.yourdomain.com`: adguard setup (first time setup)
+-   `adg.yourdomain.com`: adguard dashboard
+-   `nginx.yourdomain.com`: nginx
+-   `yourdomain.com:2000`: adguard dns (udp)
+-   `yourdomain.com:20001`: minecraft server
+-   `yourdomain.com:20002`: palworld server

 [🔼Back to top](#table-of-content)
--- a/docs/docker_socket_proxy.md
+++ b/docs/docker_socket_proxy.md
@@ -0,0 +1,40 @@
+## Docker Socket Proxy
+
+For docker client on other machine, set this up, then add `name: tcp://<machine_ip>:2375` to `config.yml` under `docker` section
+
+```yml
+# compose.yml on remote machine (e.g. server1)
+docker-proxy:
+  container_name: docker-proxy
+  image: tecnativa/docker-socket-proxy
+  privileged: true
+  environment:
+    - ALLOW_START=1
+    - ALLOW_STOP=1
+    - ALLOW_RESTARTS=1
+    - CONTAINERS=1
+    - EVENTS=1
+    - PING=1
+    - POST=1
+    - VERSION=1
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+  restart: always
+  ports:
+    - 2375:2375
+    # or more secure
+    - <machine_private_ip>:2375:2375
+```
+
+```yml
+# config.yml on go-proxy machine
+autocert:
+  ... # your config
+
+providers:
+  include:
+    ...
+  docker:
+    ...
+    server1: tcp://<machine_ip>:2375
+```
--- a/docs/middlewares.md
+++ b/docs/middlewares.md
@@ -0,0 +1,333 @@
+# Middlewares
+
+## Table of content
+
+<!-- TOC -->
+
+- [Middlewares](#middlewares)
+  - [Table of content](#table-of-content)
+  - [Available middlewares](#available-middlewares)
+    - [Redirect http](#redirect-http)
+    - [Custom error pages](#custom-error-pages)
+    - [Modify request or response](#modify-request-or-response)
+      - [Set headers](#set-headers)
+      - [Add headers](#add-headers)
+      - [Hide headers](#hide-headers)
+    - [X-Forwarded-\* Headers](#x-forwarded--headers)
+      - [Add X-Forwarded-\*](#add-x-forwarded-)
+      - [Set X-Forwarded-\*](#set-x-forwarded-)
+    - [Forward Authorization header (experimental)](#forward-authorization-header-experimental)
+  - [Examples](#examples)
+    - [Authentik (untested, experimental)](#authentik-untested-experimental)
+
+<!-- TOC -->
+
+## Available middlewares
+
+### Redirect http
+
+Redirect http requests to https
+
+```yaml
+# docker labels
+proxy.app1.middlewares.redirect_http:
+
+# include file
+app1:
+  middlewares:
+    redirect_http:
+```
+
+nginx equivalent:
+```nginx
+server {
+    listen 80;
+    server_name domain.tld;
+    return 301 https://$host$request_uri;
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+### Custom error pages
+
+To enable custom error pages, mount a folder containing your `html`, `js`, `css` files to `/app/error_pages` of _go-proxy_ container **(subfolders are ignored, please place all files in root directory)**
+
+Any path under `error_pages` directory (e.g. `href` tag), should starts with `/$gperrorpage/`
+
+Example:
+```html
+<html>
+<head>
+    <title>404 Not Found</title>
+    <link type="text/css" rel="stylesheet" href="/$gperrorpage/style.css" />
+</head>
+<body>
+    ...
+</body>
+</html>
+```
+
+Hot-reloading is **supported**, you can **edit**, **rename** or **delete** files **without restarting**. Changes will be reflected after page reload
+
+Error page will be served if:
+
+- route does not exist or domain does not match any of `match_domains`
+
+or 
+
+- status code is not in range of 200 to 300, and
+- content type is `text/html`, `application/xhtml+xml` or `text/plain`
+
+Error page will be served:
+
+- from file `<statusCode>.html` if exists
+- otherwise from `404.html`
+- if they don't exist, original response will be served
+
+```yaml
+# docker labels
+proxy.app1.middlewares.custom_error_page:
+
+# include file
+app1:
+  middlewares:
+    custom_error_page:
+```
+
+nginx equivalent:
+```nginx
+location / {
+    try_files $uri $uri/ /error_pages/404.html =404;
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+### Modify request or response
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.field:
+proxy.app1.middlewares.modify_response.field:
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      field:
+    modify_response:
+      field:
+```
+
+#### Set headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.set_headers: |
+  X-Custom-Header1: value1, value2
+  X-Custom-Header2: value3
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      set_headers:
+        X-Custom-Header1: value1, value2
+        X-Custom-Header2: value3
+```
+
+nginx equivalent:
+```nginx
+location / {
+    add_header X-Custom-Header1 value1, value2;
+    add_header X-Custom-Header2 value3;
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Add headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.add_headers: |
+  X-Custom-Header1: value1, value2
+  X-Custom-Header2: value3
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      add_headers:
+        X-Custom-Header1: value1, value2
+        X-Custom-Header2: value3
+```
+
+nginx equivalent:
+```nginx
+location / {
+    more_set_headers "X-Custom-Header1: value1, value2";
+    more_set_headers "X-Custom-Header2: value3";
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Hide headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.hide_headers: |
+  - X-Custom-Header1
+  - X-Custom-Header2
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      hide_headers:
+        - X-Custom-Header1
+        - X-Custom-Header2
+```
+
+nginx equivalent:
+```nginx
+location / {
+    more_clear_headers "X-Custom-Header1";
+    more_clear_headers "X-Custom-Header2";
+}
+```
+
+### X-Forwarded-* Headers
+
+#### Add X-Forwarded-*
+
+Append `X-Forwarded-*` headers to existing headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.add_x_forwarded:
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      add_x_forwarded:
+```
+
+#### Set X-Forwarded-*
+
+Replace existing `X-Forwarded-*` headers with `go-proxy` provided headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.set_x_forwarded:
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      set_x_forwarded:
+```
+
+[🔼Back to top](#table-of-content)
+
+### Forward Authorization header (experimental)
+
+Fields:
+- `address`: authentication provider URL _(required)_
+- `trust_forward_header`: whether to trust `X-Forwarded-*` headers from upstream proxies _(default: `false`)_
+- `auth_response_headers`: list of headers to copy from auth response _(default: empty)_
+- `add_auth_cookies_to_response`: list of cookies to add to response _(default: empty)_
+
+```yaml
+# docker labels
+proxy.app1.middlewares.forward_auth.address: https://auth.example.com
+proxy.app1.middlewares.forward_auth.trust_forward_header: true
+proxy.app1.middlewares.forward_auth.auth_response_headers: |
+  - X-Auth-Token
+  - X-Auth-User
+proxy.app1.middlewares.forward_auth.add_auth_cookies_to_response: |
+  - uid
+  - session_id
+
+# include file
+app1:
+  middlewares:
+    forward_authorization:
+        address: https://auth.example.com
+        trust_forward_header: true
+        auth_response_headers:
+            - X-Auth-Token
+            - X-Auth-User
+        add_auth_cookies_to_response:
+            - uid
+            - session_id
+```
+
+Traefik equivalent:
+```yaml
+# docker labels
+traefik.http.middlewares.authentik.forwardauth.address: https://auth.example.com
+traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
+traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-Auth-Token, X-Auth-User
+traefik.http.middlewares.authentik.forwardauth.addAuthCookiesToResponse: uid, session_id
+
+# standalone
+http:
+  middlewares:
+    forwardAuth:
+        address: https://auth.example.com
+        trustForwardHeader: true
+        authResponseHeaders:
+            - X-Auth-Token
+            - X-Auth-User
+        addAuthCookiesToResponse:
+            - uid
+            - session_id
+```
+
+[🔼Back to top](#table-of-content)
+
+## Examples
+
+### Authentik (untested, experimental)
+
+```yaml
+# docker compose
+services:
+  ...
+  server:
+    ...
+    container_name: authentik
+    labels:
+      proxy.authentik.middlewares.redirect_http:
+      proxy.authentik.middlewares.set_x_forwarded:
+      proxy.authentik.middlewares.modify_request.add_headers: |
+        Strict-Transport-Security: "max-age=63072000" always
+
+  whoami:
+    image: containous/whoami
+    container_name: whoami
+    ports:
+      - 80
+    labels:
+      proxy.#1.middlewares.forward_auth.address: https://your_authentik_forward_address
+      proxy.#1.middlewares.forward_auth.trustForwardHeader: true
+      proxy.#1.middlewares.forward_auth.authResponseHeaders: |
+        - X-authentik-username
+        - X-authentik-groups
+        - X-authentik-email
+        - X-authentik-name
+        - X-authentik-uid
+        - X-authentik-jwt
+        - X-authentik-meta-jwks
+        - X-authentik-meta-outpost
+        - X-authentik-meta-provider
+        - X-authentik-meta-app
+        - X-authentik-meta-version
+    restart: unless-stopped
+```
+
+[🔼Back to top](#table-of-content)
--- a/examples/microbin.yml
+++ b/examples/microbin.yml
@@ -0,0 +1,16 @@
+services:
+  app:
+    container_name: microbin
+    cpu_shares: 10
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+    env_file: .env
+    image: docker.i.sh/danielszabo99/microbin:latest
+    ports:
+      - 8080
+    restart: unless-stopped
+    volumes:
+      - ./data:/app/microbin_data
+# microbin.domain.tld
--- a/examples/siyuan.yml
+++ b/examples/siyuan.yml
@@ -0,0 +1,16 @@
+services:
+  main:
+    image: b3log/siyuan:v3.1.0
+    container_name: siyuan
+    command:
+      - --workspace=/siyuan/workspace/
+      - --accessAuthCode=<some password>
+    user: 1000:1000
+    volumes:
+      - ./workspace:/siyuan/workspace
+    restart: unless-stopped
+    environment:
+      - TZ=Asia/Hong_Kong
+    ports:
+      - 6806
+# siyuan.domain.tld
--- a/1
+++ b/1
--- a/src/go.mod
+++ b/src/go.mod
@@ -1,6 +1,6 @@
 module github.com/yusing/go-proxy

-go 1.22.0
+go 1.23.1

 require (
 	github.com/docker/cli v27.3.1+incompatible
@@ -17,7 +17,7 @@ require (
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.104.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.106.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
@@ -29,6 +29,7 @@ require (
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/miekg/dns v1.1.62 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
@@ -37,11 +38,12 @@ require (
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/ovh/go-ovh v1.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
 	go.opentelemetry.io/otel v1.30.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
 	go.opentelemetry.io/otel/metric v1.30.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
 	go.opentelemetry.io/otel/trace v1.30.0 // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
--- a/src/go.sum
+++ b/src/go.sum
@@ -4,10 +4,11 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cloudflare/cloudflare-go v0.104.0 h1:R/lB0dZupaZbOgibAH/BRrkFbZ6Acn/WsKg2iX2xXuY=
-github.com/cloudflare/cloudflare-go v0.104.0/go.mod h1:pfUQ4PIG4ISI0/Mmc21Bp86UnFU0ktmPf3iTgbSL+cM=
+github.com/cloudflare/cloudflare-go v0.106.0 h1:q41gC5Wc1nfi0D1ZhSHokWcd9mGMbqC7RE7qiP+qE00=
+github.com/cloudflare/cloudflare-go v0.106.0/go.mod h1:pfUQ4PIG4ISI0/Mmc21Bp86UnFU0ktmPf3iTgbSL+cM=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -43,14 +44,16 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
 github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
 github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
@@ -69,14 +72,16 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/ovh/go-ovh v1.6.0 h1:ixLOwxQdzYDx296sXcgS35TOPEahJkpjMGtzPadCjQI=
 github.com/ovh/go-ovh v1.6.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/puzpuzpuz/xsync/v3 v3.4.0 h1:DuVBAdXuGFHv8adVXjWWZ63pJq+NRXOWVXlKDBZ+mJ4=
 github.com/puzpuzpuz/xsync/v3 v3.4.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
-github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
-github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
 github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -91,18 +96,18 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI=
 go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts=
 go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
 go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w=
 go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ=
-go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
-go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
+go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE=
+go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg=
 go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc=
 go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o=
-go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
-go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -148,14 +153,14 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
-google.golang.org/grpc v1.63.1 h1:pNClQmvdlyNUiwFETOux/PYqfhmA7BrswEdGRnib1fA=
-google.golang.org/grpc v1.63.1/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc=
+google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM=
+google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/go.work
+++ b/go.work
@@ -1,5 +0,0 @@
-go 1.22.0
-
-toolchain go1.23.1
-
-use ./src
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -0,0 +1,58 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	"github.com/yusing/go-proxy/internal/api/v1/error_page"
+	. "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func NewServeMux() ServeMux {
+	return ServeMux{http.NewServeMux()}
+}
+
+func (mux ServeMux) HandleFunc(method, endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(fmt.Sprintf("%s %s", method, endpoint), checkHost(handler))
+}
+
+func NewHandler(cfg *config.Config) http.Handler {
+	mux := NewServeMux()
+	mux.HandleFunc("GET", "/v1", v1.Index)
+	mux.HandleFunc("GET", "/v1/checkhealth", wrap(cfg, v1.CheckHealth))
+	mux.HandleFunc("HEAD", "/v1/checkhealth", wrap(cfg, v1.CheckHealth))
+	mux.HandleFunc("POST", "/v1/reload", wrap(cfg, v1.Reload))
+	mux.HandleFunc("GET", "/v1/list", wrap(cfg, v1.List))
+	mux.HandleFunc("GET", "/v1/list/{what}", wrap(cfg, v1.List))
+	mux.HandleFunc("GET", "/v1/file", v1.GetFileContent)
+	mux.HandleFunc("GET", "/v1/file/{filename}", v1.GetFileContent)
+	mux.HandleFunc("POST", "/v1/file/{filename}", v1.SetFileContent)
+	mux.HandleFunc("PUT", "/v1/file/{filename}", v1.SetFileContent)
+	mux.HandleFunc("GET", "/v1/stats", wrap(cfg, v1.Stats))
+	mux.HandleFunc("GET", "/v1/error_page", error_page.GetHandleFunc())
+	return mux
+}
+
+// allow only requests to API server with host matching common.APIHTTPAddr
+func checkHost(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Host != common.APIHTTPAddr {
+			Logger.Warnf("invalid request to API server with host: %s, expect %s", r.Host, common.APIHTTPAddr)
+			w.WriteHeader(http.StatusNotFound)
+			w.Write([]byte("invalid request"))
+			return
+		}
+		f(w, r)
+	}
+}
+
+func wrap(cfg *config.Config, f func(cfg *config.Config, w http.ResponseWriter, r *http.Request)) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		f(cfg, w, r)
+	}
+}
--- a/internal/api/v1/checkhealth.go
+++ b/internal/api/v1/checkhealth.go
@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"strings"

-	U "github.com/yusing/go-proxy/api/v1/utils"
-	"github.com/yusing/go-proxy/config"
-	R "github.com/yusing/go-proxy/route"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+	R "github.com/yusing/go-proxy/internal/route"
 )

 func CheckHealth(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
--- a/internal/api/v1/error_page/error_page.go
+++ b/internal/api/v1/error_page/error_page.go
@@ -0,0 +1,88 @@
+package error_page
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"sync"
+
+	api "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+	W "github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
+)
+
+const errPagesBasePath = common.ErrorPagesBasePath
+
+var setup = sync.OnceFunc(func() {
+	dirWatcher = W.NewDirectoryWatcher(context.Background(), errPagesBasePath)
+	loadContent()
+	go watchDir()
+})
+
+func GetStaticFile(filename string) ([]byte, bool) {
+	return fileContentMap.Load(filename)
+}
+
+// try <statusCode>.html -> 404.html -> not ok
+func GetErrorPageByStatus(statusCode int) (content []byte, ok bool) {
+	content, ok = fileContentMap.Load(fmt.Sprintf("%d.html", statusCode))
+	if !ok && statusCode != 404 {
+		return fileContentMap.Load("404.html")
+	}
+	return
+}
+
+func loadContent() {
+	files, err := U.ListFiles(errPagesBasePath, 0)
+	if err != nil {
+		api.Logger.Error(err)
+		return
+	}
+	for _, file := range files {
+		if fileContentMap.Has(file) {
+			continue
+		}
+		content, err := os.ReadFile(file)
+		if err != nil {
+			api.Logger.Errorf("failed to read error page resource %s: %s", file, err)
+			continue
+		}
+		file = path.Base(file)
+		api.Logger.Infof("error page resource %s loaded", file)
+		fileContentMap.Store(file, content)
+	}
+}
+
+func watchDir() {
+	eventCh, errCh := dirWatcher.Events(context.Background())
+	for {
+		select {
+		case event, ok := <-eventCh:
+			if !ok {
+				return
+			}
+			filename := event.ActorName
+			switch event.Action {
+			case events.ActionFileWritten:
+				fileContentMap.Delete(filename)
+				loadContent()
+			case events.ActionFileDeleted:
+				fileContentMap.Delete(filename)
+				api.Logger.Infof("error page resource %s deleted", filename)
+			case events.ActionFileRenamed:
+				api.Logger.Infof("error page resource %s deleted", filename)
+				fileContentMap.Delete(filename)
+				loadContent()
+			}
+		case err := <-errCh:
+			api.Logger.Errorf("error watching error page directory: %s", err)
+		}
+	}
+}
+
+var dirWatcher W.Watcher
+var fileContentMap = F.NewMapOf[string, []byte]()
--- a/internal/api/v1/error_page/http_handler.go
+++ b/internal/api/v1/error_page/http_handler.go
@@ -0,0 +1,25 @@
+package error_page
+
+import "net/http"
+
+func GetHandleFunc() http.HandlerFunc {
+	setup()
+	return serveHTTP
+}
+
+func serveHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	if r.URL.Path == "/" {
+		http.Error(w, "invalid path", http.StatusNotFound)
+		return
+	}
+	content, ok := fileContentMap.Load(r.URL.Path)
+	if !ok {
+		http.Error(w, "404 not found", http.StatusNotFound)
+		return
+	}
+	w.Write(content)
+}
--- a/internal/api/v1/file.go
+++ b/internal/api/v1/file.go
@@ -6,10 +6,11 @@ import (
 	"os"
 	"path"

-	U "github.com/yusing/go-proxy/api/v1/utils"
-	"github.com/yusing/go-proxy/common"
-	"github.com/yusing/go-proxy/config"
-	"github.com/yusing/go-proxy/proxy/provider"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/proxy/provider"
 )

 func GetFileContent(w http.ResponseWriter, r *http.Request) {
@@ -37,14 +38,15 @@ func SetFileContent(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	var validateErr E.NestedError
 	if filename == common.ConfigFileName {
-		err = config.Validate(content).Error()
+		validateErr = config.Validate(content)
 	} else {
-		err = provider.Validate(content).Error()
+		validateErr = provider.Validate(content)
 	}

-	if err != nil {
-		U.HandleErr(w, r, err, http.StatusBadRequest)
+	if validateErr != nil {
+		U.RespondJson(w, validateErr.JSONObject(), http.StatusBadRequest)
 		return
 	}

--- a/internal/api/v1/index.go
+++ b/internal/api/v1/index.go
--- a/internal/api/v1/list.go
+++ b/internal/api/v1/list.go
@@ -5,10 +5,9 @@ import (
 	"net/http"
 	"os"

-	"github.com/yusing/go-proxy/common"
-	"github.com/yusing/go-proxy/config"
-
-	U "github.com/yusing/go-proxy/api/v1/utils"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
 )

 func List(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
@@ -38,7 +37,7 @@ func listRoutes(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	if err := U.RespondJson(routes, w); err != nil {
+	if err := U.RespondJson(w, routes); err != nil {
 		U.HandleErr(w, r, err)
 	}
 }
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -0,0 +1,16 @@
+package v1
+
+import (
+	"net/http"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+)
+
+func Reload(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+	if err := cfg.Reload(); err != nil {
+		U.RespondJson(w, err.JSONObject(), http.StatusInternalServerError)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -3,10 +3,10 @@ package v1
 import (
 	"net/http"

-	U "github.com/yusing/go-proxy/api/v1/utils"
-	"github.com/yusing/go-proxy/config"
-	"github.com/yusing/go-proxy/server"
-	"github.com/yusing/go-proxy/utils"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/server"
+	"github.com/yusing/go-proxy/internal/utils"
 )

 func Stats(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
@@ -14,7 +14,7 @@ func Stats(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
 		"proxies": cfg.Statistics(),
 		"uptime":  utils.FormatDuration(server.GetProxyServer().Uptime()),
 	}
-	if err := U.RespondJson(stats, w); err != nil {
+	if err := U.RespondJson(w, stats); err != nil {
 		U.HandleErr(w, r, err)
 	}
 }
--- a/internal/api/v1/utils/error.go
+++ b/internal/api/v1/utils/error.go
@@ -6,12 +6,14 @@ import (
 	"net/http"

 	"github.com/sirupsen/logrus"
-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

+var Logger = logrus.WithField("module", "api")
+
 func HandleErr(w http.ResponseWriter, r *http.Request, origErr error, code ...int) {
 	err := E.From(origErr).Subjectf("%s %s", r.Method, r.URL)
-	logrus.WithField("module", "api").Error(err)
+	Logger.Error(err)
 	if len(code) > 0 {
 		http.Error(w, err.String(), code[0])
 		return
--- a/internal/api/v1/utils/health_check.go
+++ b/internal/api/v1/utils/health_check.go
@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"net"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+func IsSiteHealthy(url string) bool {
+	// try HEAD first
+	// if HEAD is not allowed, try GET
+	resp, err := httpClient.Head(url)
+	if resp != nil {
+		resp.Body.Close()
+	}
+	if err != nil && resp != nil && resp.StatusCode == http.StatusMethodNotAllowed {
+		_, err = httpClient.Get(url)
+	}
+	if resp != nil {
+		resp.Body.Close()
+	}
+	return err == nil
+}
+
+func IsStreamHealthy(scheme, address string) bool {
+	conn, err := net.DialTimeout(scheme, address, common.DialTimeout)
+	if err != nil {
+		return false
+	}
+	conn.Close()
+	return true
+}
--- a/internal/api/v1/utils/http_client.go
+++ b/internal/api/v1/utils/http_client.go
@@ -0,0 +1,23 @@
+package utils
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+var httpClient = &http.Client{
+	Timeout: common.ConnectionTimeout,
+	Transport: &http.Transport{
+		Proxy:             http.ProxyFromEnvironment,
+		DisableKeepAlives: true,
+		ForceAttemptHTTP2: true,
+		DialContext: (&net.Dialer{
+			Timeout:   common.DialTimeout,
+			KeepAlive: common.KeepAlive, // this is different from DisableKeepAlives
+		}).DialContext,
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	},
+}
--- a/internal/api/v1/utils/localhost.go
+++ b/internal/api/v1/utils/localhost.go
@@ -0,0 +1,31 @@
+package utils
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func ReloadServer() E.NestedError {
+	resp, err := httpClient.Post(fmt.Sprintf("%s/v1/reload", common.APIHTTPURL), "", nil)
+	if err != nil {
+		return E.From(err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		failure := E.Failure("server reload").Extraf("status code: %v", resp.StatusCode)
+		b, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return failure.Extraf("unable to read response body: %s", err)
+		}
+		reloadErr, ok := E.FromJSON(b)
+		if ok {
+			return E.Join("reload success, but server returned error", reloadErr)
+		}
+		return failure.Extraf("unable to read response body")
+	}
+	return nil
+}
--- a/internal/api/v1/utils/utils.go
+++ b/internal/api/v1/utils/utils.go
@@ -5,9 +5,12 @@ import (
 	"net/http"
 )

-func RespondJson(data any, w http.ResponseWriter) error {
+func RespondJson(w http.ResponseWriter, data any, code ...int) error {
+	if len(code) > 0 {
+		w.WriteHeader(code[0])
+	}
 	w.Header().Set("Content-Type", "application/json")
-	j, err := json.Marshal(data)
+	j, err := json.MarshalIndent(data, "", "  ")
 	if err != nil {
 		return err
 	} else {
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -7,8 +7,8 @@ import (

 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/lego"
-	E "github.com/yusing/go-proxy/error"
-	M "github.com/yusing/go-proxy/models"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
 )

 type Config M.AutoCertConfig
@@ -32,13 +32,13 @@ func (cfg *Config) GetProvider() (provider *Provider, res E.NestedError) {

 	if cfg.Provider != ProviderLocal {
 		if len(cfg.Domains) == 0 {
-			b.Addf("no domains specified")
+			b.Addf("%s", "no domains specified")
 		}
 		if cfg.Provider == "" {
-			b.Addf("no provider specified")
+			b.Addf("%s", "no provider specified")
 		}
 		if cfg.Email == "" {
-			b.Addf("no email specified")
+			b.Addf("%s", "no email specified")
 		}
 		// check if provider is implemented
 		_, ok := providersGenMap[cfg.Provider]
--- a/internal/autocert/constants.go
+++ b/internal/autocert/constants.go
--- a/internal/autocert/dummy.go
+++ b/internal/autocert/dummy.go
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"os"
+	"path"
 	"reflect"
 	"sort"
 	"time"
@@ -13,9 +14,9 @@ import (
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
-	E "github.com/yusing/go-proxy/error"
-	M "github.com/yusing/go-proxy/models"
-	U "github.com/yusing/go-proxy/utils"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	U "github.com/yusing/go-proxy/internal/utils"
 )

 type Provider struct {
@@ -59,8 +60,7 @@ func (p *Provider) ObtainCert() (res E.NestedError) {
 	defer b.To(&res)

 	if p.cfg.Provider == ProviderLocal {
-		b.Addf("provider is set to %q", ProviderLocal)
-		return
+		return nil
 	}

 	if p.client == nil {
@@ -71,11 +71,9 @@ func (p *Provider) ObtainCert() (res E.NestedError) {
 	}

 	if p.user.Registration == nil {
-		if err := p.loadRegistration(); err.HasError() {
-			if err := p.registerACME(); err.HasError() {
-				b.Add(E.FailWith("register ACME", err))
-				return
-			}
+		if err := p.registerACME(); err.HasError() {
+			b.Add(E.FailWith("register ACME", err))
+			return
 		}
 	}

@@ -89,16 +87,18 @@ func (p *Provider) ObtainCert() (res E.NestedError) {
 		b.Add(err)
 		return
 	}
-	err = p.saveCert(cert)
-	if err.HasError() {
+
+	if err = p.saveCert(cert); err.HasError() {
 		b.Add(E.FailWith("save certificate", err))
 		return
 	}
+
 	tlsCert, err := E.Check(tls.X509KeyPair(cert.Certificate, cert.PrivateKey))
 	if err.HasError() {
 		b.Add(E.FailWith("parse obtained certificate", err))
 		return
 	}
+
 	expiries, err := getCertExpiries(&tlsCert)
 	if err.HasError() {
 		b.Add(E.FailWith("get certificate expiry", err))
@@ -187,31 +187,23 @@ func (p *Provider) registerACME() E.NestedError {
 	}
 	p.user.Registration = reg

-	if err := p.saveRegistration(); err.HasError() {
-		logger.Warn(err)
-	}
 	return nil
 }

-func (p *Provider) loadRegistration() E.NestedError {
-	if p.user.Registration != nil {
-		return nil
-	}
-	reg := &registration.Resource{}
-	err := U.LoadJson(RegistrationFile, reg)
-	if err.HasError() {
-		return E.FailWith("parse registration file", err)
-	}
-	p.user.Registration = reg
-	return nil
-}
-
-func (p *Provider) saveRegistration() E.NestedError {
-	return U.SaveJson(RegistrationFile, p.user.Registration, 0o600)
-}
-
 func (p *Provider) saveCert(cert *certificate.Resource) E.NestedError {
-	err := os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
+	//* This should have been done in setup
+	//* but double check is always a good choice
+	_, err := os.Stat(path.Dir(p.cfg.CertPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			if err = os.MkdirAll(path.Dir(p.cfg.CertPath), 0o755); err != nil {
+				return E.FailWith("create cert directory", err)
+			}
+		} else {
+			return E.FailWith("stat cert directory", err)
+		}
+	}
+	err = os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
 	if err != nil {
 		return E.FailWith("write key file", err)
 	}
@@ -247,6 +239,10 @@ func (p *Provider) certState() CertState {
 }

 func (p *Provider) renewIfNeeded() E.NestedError {
+	if p.cfg.Provider == ProviderLocal {
+		return nil
+	}
+
 	switch p.certState() {
 	case CertStateExpired:
 		logger.Info("certs expired, renewing")
--- a/internal/autocert/provider_test/ovh_test.go
+++ b/internal/autocert/provider_test/ovh_test.go
@@ -4,8 +4,8 @@ import (
 	"testing"

 	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	U "github.com/yusing/go-proxy/utils"
-	. "github.com/yusing/go-proxy/utils/testing"
+	U "github.com/yusing/go-proxy/internal/utils"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
 	"gopkg.in/yaml.v3"
 )

--- a/internal/autocert/setup.go
+++ b/internal/autocert/setup.go
@@ -0,0 +1,29 @@
+package autocert
+
+import (
+	"context"
+	"os"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func (p *Provider) Setup(ctx context.Context) (err E.NestedError) {
+	if err = p.LoadCert(); err != nil {
+		if !err.Is(os.ErrNotExist) { // ignore if cert doesn't exist
+			return err
+		}
+		logger.Debug("obtaining cert due to error loading cert")
+		if err = p.ObtainCert(); err != nil {
+			return err
+		}
+	}
+
+	go p.ScheduleRenewal(ctx)
+
+	for _, expiry := range p.GetExpiries() {
+		logger.Infof("certificate expire on %s", expiry)
+		break
+	}
+
+	return nil
+}
--- a/internal/autocert/state.go
+++ b/internal/autocert/state.go
@@ -0,0 +1,9 @@
+package autocert
+
+type CertState int
+
+const (
+	CertStateValid CertState = iota
+	CertStateExpired
+	CertStateMismatch
+)
--- a/internal/autocert/user.go
+++ b/internal/autocert/user.go
--- a/internal/common/args.go
+++ b/internal/common/args.go
@@ -4,7 +4,7 @@ import (
 	"flag"

 	"github.com/sirupsen/logrus"
-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type Args struct {
@@ -12,21 +12,25 @@ type Args struct {
 }

 const (
-	CommandStart            = ""
-	CommandValidate         = "validate"
-	CommandListConfigs      = "ls-config"
-	CommandListRoutes       = "ls-routes"
-	CommandReload           = "reload"
-	CommandDebugListEntries = "debug-ls-entries"
+	CommandStart              = ""
+	CommandSetup              = "setup"
+	CommandValidate           = "validate"
+	CommandListConfigs        = "ls-config"
+	CommandListRoutes         = "ls-routes"
+	CommandReload             = "reload"
+	CommandDebugListEntries   = "debug-ls-entries"
+	CommandDebugListProviders = "debug-ls-providers"
 )

 var ValidCommands = []string{
 	CommandStart,
+	CommandSetup,
 	CommandValidate,
 	CommandListConfigs,
 	CommandListRoutes,
 	CommandReload,
 	CommandDebugListEntries,
+	CommandDebugListProviders,
 }

 func GetArgs() Args {
--- a/internal/common/constants.go
+++ b/internal/common/constants.go
@@ -0,0 +1,52 @@
+package common
+
+import (
+	"time"
+)
+
+const (
+	ConnectionTimeout = 5 * time.Second
+	DialTimeout       = 3 * time.Second
+	KeepAlive         = 60 * time.Second
+)
+
+// file, folder structure
+
+const (
+	ConfigBasePath        = "config"
+	ConfigFileName        = "config.yml"
+	ConfigExampleFileName = "config.example.yml"
+	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
+)
+
+const (
+	SchemaBasePath         = "schema"
+	ConfigSchemaPath       = SchemaBasePath + "/config.schema.json"
+	FileProviderSchemaPath = SchemaBasePath + "/providers.schema.json"
+)
+
+const (
+	ComposeFileName        = "compose.yml"
+	ComposeExampleFileName = "compose.example.yml"
+)
+
+const (
+	ErrorPagesBasePath = "error_pages"
+)
+
+var (
+	RequiredDirectories = []string{
+		ConfigBasePath,
+		SchemaBasePath,
+		ErrorPagesBasePath,
+	}
+)
+
+const DockerHostFromEnv = "$DOCKER_HOST"
+
+const (
+	IdleTimeoutDefault = "0"
+	WakeTimeoutDefault = "30s"
+	StopTimeoutDefault = "10s"
+	StopMethodDefault  = "stop"
+)
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -0,0 +1,59 @@
+package common
+
+import (
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/sirupsen/logrus"
+	U "github.com/yusing/go-proxy/internal/utils"
+)
+
+var (
+	NoSchemaValidation = GetEnvBool("GOPROXY_NO_SCHEMA_VALIDATION", false)
+	IsDebug            = GetEnvBool("GOPROXY_DEBUG", false)
+
+	ProxyHTTPAddr,
+	ProxyHTTPHost,
+	ProxyHTTPPort,
+	ProxyHTTPURL = GetAddrEnv("GOPROXY_HTTP_ADDR", ":80", "http")
+
+	ProxyHTTPSAddr,
+	ProxyHTTPSHost,
+	ProxyHTTPSPort,
+	ProxyHTTPSURL = GetAddrEnv("GOPROXY_HTTPS_ADDR", ":443", "https")
+
+	APIHTTPAddr,
+	APIHTTPHost,
+	APIHTTPPort,
+	APIHTTPURL = GetAddrEnv("GOPROXY_API_ADDR", "127.0.0.1:8888", "http")
+)
+
+func GetEnvBool(key string, defaultValue bool) bool {
+	value, ok := os.LookupEnv(key)
+	if !ok || value == "" {
+		return defaultValue
+	}
+	return U.ParseBool(value)
+}
+
+func GetEnv(key, defaultValue string) string {
+	value, ok := os.LookupEnv(key)
+	if !ok || value == "" {
+		value = defaultValue
+	}
+	return value
+}
+
+func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL string) {
+	addr = GetEnv(key, defaultValue)
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		logrus.Fatalf("Invalid address: %s", addr)
+	}
+	if host == "" {
+		host = "localhost"
+	}
+	fullURL = fmt.Sprintf("%s://%s:%s", scheme, host, port)
+	return
+}
--- a/internal/common/http.go
+++ b/internal/common/http.go
@@ -0,0 +1,27 @@
+package common
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"time"
+)
+
+var (
+	defaultDialer = net.Dialer{
+		Timeout:   60 * time.Second,
+		KeepAlive: 60 * time.Second,
+	}
+	DefaultTransport = &http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
+		DialContext:         defaultDialer.DialContext,
+		MaxIdleConnsPerHost: 1000,
+	}
+	DefaultTransportNoTLS = func() *http.Transport {
+		var clone = DefaultTransport.Clone()
+		clone.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		return clone
+	}()
+)
+
+const StaticFilePathPrefix = "/$gperrorpage/"
--- a/internal/common/ports.go
+++ b/internal/common/ports.go
@@ -0,0 +1,75 @@
+package common
+
+var (
+	WellKnownHTTPPorts = map[string]bool{
+		"80":   true,
+		"8000": true,
+		"8008": true,
+		"8080": true,
+		"3000": true,
+	}
+
+	ServiceNamePortMapTCP = map[string]int{
+		"mssql":            1433,
+		"mysql":            3306,
+		"mariadb":          3306,
+		"postgres":         5432,
+		"rabbitmq":         5672,
+		"redis":            6379,
+		"memcached":        11211,
+		"mongo":            27017,
+		"minecraft-server": 25565,
+
+		"ssh":  22,
+		"ftp":  21,
+		"smtp": 25,
+		"dns":  53,
+		"pop3": 110,
+		"imap": 143,
+	}
+
+	ImageNamePortMap = func() (m map[string]int) {
+		m = make(map[string]int, len(ServiceNamePortMapTCP)+len(imageNamePortMap))
+		for k, v := range ServiceNamePortMapTCP {
+			m[k] = v
+		}
+		for k, v := range imageNamePortMap {
+			m[k] = v
+		}
+		return
+	}()
+
+	imageNamePortMap = map[string]int{
+		"adguardhome":         3000,
+		"bazarr":              6767,
+		"calibre-web":         8083,
+		"changedetection.io":  3000,
+		"dockge":              5001,
+		"gitea":               3000,
+		"gogs":                3000,
+		"grafana":             3000,
+		"home-assistant":      8123,
+		"homebridge":          8581,
+		"httpd":               80,
+		"immich":              3001,
+		"jellyfin":            8096,
+		"lidarr":              8686,
+		"microbin":            8080,
+		"nginx":               80,
+		"nginx-proxy-manager": 81,
+		"open-webui":          8080,
+		"plex":                32400,
+		"portainer-be":        9443,
+		"portainer-ce":        9443,
+		"prometheus":          9090,
+		"prowlarr":            9696,
+		"radarr":              7878,
+		"radarr-sma":          7878,
+		"rsshub":              1200,
+		"rss-bridge":          80,
+		"sonarr":              8989,
+		"sonarr-sma":          8989,
+		"uptime-kuma":         3001,
+		"whisparr":            6969,
+	}
+)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -5,15 +5,16 @@ import (
 	"os"

 	"github.com/sirupsen/logrus"
-	"github.com/yusing/go-proxy/autocert"
-	"github.com/yusing/go-proxy/common"
-	E "github.com/yusing/go-proxy/error"
-	M "github.com/yusing/go-proxy/models"
-	PR "github.com/yusing/go-proxy/proxy/provider"
-	R "github.com/yusing/go-proxy/route"
-	U "github.com/yusing/go-proxy/utils"
-	F "github.com/yusing/go-proxy/utils/functional"
-	W "github.com/yusing/go-proxy/watcher"
+	"github.com/yusing/go-proxy/internal/autocert"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	PR "github.com/yusing/go-proxy/internal/proxy/provider"
+	R "github.com/yusing/go-proxy/internal/route"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+	W "github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
 	"gopkg.in/yaml.v3"
 )

@@ -30,25 +31,48 @@ type Config struct {
 	reloadReq     chan struct{}
 }

-func Load() (*Config, E.NestedError) {
-	cfg := &Config{
+var instance *Config
+
+func GetInstance() *Config {
+	return instance
+}
+
+func Load() E.NestedError {
+	if instance != nil {
+		return nil
+	}
+	instance = &Config{
+		value:          M.DefaultConfig(),
 		proxyProviders: F.NewMapOf[string, *PR.Provider](),
 		l:              logrus.WithField("module", "config"),
-		watcher:        W.NewFileWatcher(common.ConfigFileName),
+		watcher:        W.NewConfigFileWatcher(common.ConfigFileName),
 		reloadReq:      make(chan struct{}, 1),
 	}
-	return cfg, cfg.load()
+	return instance.load()
 }

 func Validate(data []byte) E.NestedError {
 	return U.ValidateYaml(U.GetSchema(common.ConfigSchemaPath), data)
 }

+func MatchDomains() []string {
+	if instance == nil {
+		logrus.Panic("config has not been loaded, please check if there is any errors")
+	}
+	return instance.value.MatchDomains
+}
+
 func (cfg *Config) Value() M.Config {
+	if cfg == nil {
+		logrus.Panic("config has not been loaded, please check if there is any errors")
+	}
 	return *cfg.value
 }

 func (cfg *Config) GetAutoCertProvider() *autocert.Provider {
+	if instance == nil {
+		logrus.Panic("config has not been loaded, please check if there is any errors")
+	}
 	return cfg.autocertProvider
 }

@@ -60,13 +84,11 @@ func (cfg *Config) Dispose() {
 	cfg.stopProviders()
 }

-func (cfg *Config) Reload() E.NestedError {
+func (cfg *Config) Reload() (err E.NestedError) {
 	cfg.stopProviders()
-	if err := cfg.load(); err.HasError() {
-		return err
-	}
+	err = cfg.load()
 	cfg.StartProxyProviders()
-	return nil
+	return
 }

 func (cfg *Config) StartProxyProviders() {
@@ -94,8 +116,9 @@ func (cfg *Config) WatchChanges() {
 			case <-cfg.watcherCtx.Done():
 				return
 			case event := <-eventCh:
-				if event.Action.IsDelete() {
-					cfg.stopProviders()
+				if event.Action == events.ActionFileDeleted || event.Action == events.ActionFileRenamed {
+					cfg.l.Error("config file deleted or renamed, ignoring...")
+					continue
 				} else {
 					cfg.reloadReq <- struct{}{}
 				}
@@ -107,71 +130,6 @@ func (cfg *Config) WatchChanges() {
 	}()
 }

-func (cfg *Config) FindRoute(alias string) R.Route {
-	return F.MapFind(cfg.proxyProviders,
-		func(p *PR.Provider) (R.Route, bool) {
-			if route, ok := p.GetRoute(alias); ok {
-				return route, true
-			}
-			return nil, false
-		},
-	)
-}
-
-func (cfg *Config) RoutesByAlias() map[string]U.SerializedObject {
-	routes := make(map[string]U.SerializedObject)
-	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
-		obj, err := U.Serialize(r)
-		if err.HasError() {
-			cfg.l.Error(err)
-			return
-		}
-		obj["provider"] = p.GetName()
-		obj["type"] = string(r.Type())
-		routes[alias] = obj
-	})
-	return routes
-}
-
-func (cfg *Config) Statistics() map[string]any {
-	nTotalStreams := 0
-	nTotalRPs := 0
-	providerStats := make(map[string]any)
-
-	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
-		s, ok := providerStats[p.GetName()]
-		if !ok {
-			s = make(map[string]int)
-		}
-
-		stats := s.(map[string]int)
-		switch r.Type() {
-		case R.RouteTypeStream:
-			stats["num_streams"]++
-			nTotalStreams++
-		case R.RouteTypeReverseProxy:
-			stats["num_reverse_proxies"]++
-			nTotalRPs++
-		default:
-			panic("bug: should not reach here")
-		}
-	})
-
-	return map[string]any{
-		"num_total_streams":         nTotalStreams,
-		"num_total_reverse_proxies": nTotalRPs,
-		"providers":                 providerStats,
-	}
-}
-
-func (cfg *Config) DumpEntries() map[string]*M.ProxyEntry {
-	entries := make(map[string]*M.ProxyEntry)
-	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
-		entries[alias] = r.Entry()
-	})
-	return entries
-}
-
 func (cfg *Config) forEachRoute(do func(alias string, r R.Route, p *PR.Provider)) {
 	cfg.proxyProviders.RangeAll(func(_ string, p *PR.Provider) {
 		p.RangeRoutes(func(a string, r R.Route) {
@@ -190,28 +148,28 @@ func (cfg *Config) load() (res E.NestedError) {
 	data, err := E.Check(os.ReadFile(common.ConfigPath))
 	if err.HasError() {
 		b.Add(E.FailWith("read config", err))
-		return
+		logrus.Fatal(b.Build())
 	}

 	if !common.NoSchemaValidation {
 		if err = Validate(data); err.HasError() {
 			b.Add(E.FailWith("schema validation", err))
-			return
+			logrus.Fatal(b.Build())
 		}
 	}

 	model := M.DefaultConfig()
 	if err := E.From(yaml.Unmarshal(data, model)); err.HasError() {
 		b.Add(E.FailWith("parse config", err))
-		return
+		logrus.Fatal(b.Build())
 	}

 	// errors are non fatal below
-	b.WithSeverity(E.SeverityWarning)
 	b.Add(cfg.initAutoCert(&model.AutoCert))
 	b.Add(cfg.loadProviders(&model.Providers))

 	cfg.value = model
+	R.SetFindMuxDomains(model.MatchDomains)
 	return
 }

@@ -238,20 +196,28 @@ func (cfg *Config) loadProviders(providers *M.ProxyProviders) (res E.NestedError
 	defer b.To(&res)

 	for _, filename := range providers.Files {
-		p := PR.NewFileProvider(filename)
+		p, err := PR.NewFileProvider(filename)
+		if err != nil {
+			b.Add(err.Subject(filename))
+			continue
+		}
 		cfg.proxyProviders.Store(p.GetName(), p)
-		b.Add(p.LoadRoutes())
+		b.Add(p.LoadRoutes().Subject(filename))
 	}
 	for name, dockerHost := range providers.Docker {
-		p := PR.NewDockerProvider(name, dockerHost)
+		p, err := PR.NewDockerProvider(name, dockerHost)
+		if err != nil {
+			b.Add(err.Subjectf("%s (%s)", name, dockerHost))
+			continue
+		}
 		cfg.proxyProviders.Store(p.GetName(), p)
-		b.Add(p.LoadRoutes())
+		b.Add(p.LoadRoutes().Subject(dockerHost))
 	}
 	return
 }

 func (cfg *Config) controlProviders(action string, do func(*PR.Provider) E.NestedError) {
-	errors := E.NewBuilder("cannot %s these providers", action)
+	errors := E.NewBuilder("errors in %s these providers", action)

 	cfg.proxyProviders.RangeAll(func(name string, p *PR.Provider) {
 		if err := do(p); err.HasError() {
--- a/internal/config/query.go
+++ b/internal/config/query.go
@@ -0,0 +1,82 @@
+package config
+
+import (
+	M "github.com/yusing/go-proxy/internal/models"
+	PR "github.com/yusing/go-proxy/internal/proxy/provider"
+	R "github.com/yusing/go-proxy/internal/route"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+func (cfg *Config) DumpEntries() map[string]*M.RawEntry {
+	entries := make(map[string]*M.RawEntry)
+	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
+		entries[alias] = r.Entry()
+	})
+	return entries
+}
+
+func (cfg *Config) DumpProviders() map[string]*PR.Provider {
+	entries := make(map[string]*PR.Provider)
+	cfg.proxyProviders.RangeAll(func(name string, p *PR.Provider) {
+		entries[name] = p
+	})
+	return entries
+}
+
+func (cfg *Config) RoutesByAlias() map[string]U.SerializedObject {
+	routes := make(map[string]U.SerializedObject)
+	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
+		obj, err := U.Serialize(r)
+		if err.HasError() {
+			cfg.l.Error(err)
+			return
+		}
+		obj["provider"] = p.GetName()
+		obj["type"] = string(r.Type())
+		routes[alias] = obj
+	})
+	return routes
+}
+
+func (cfg *Config) Statistics() map[string]any {
+	nTotalStreams := 0
+	nTotalRPs := 0
+	providerStats := make(map[string]any)
+
+	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
+		s, ok := providerStats[p.GetName()]
+		if !ok {
+			s = make(map[string]int)
+		}
+
+		stats := s.(map[string]int)
+		switch r.Type() {
+		case R.RouteTypeStream:
+			stats["num_streams"]++
+			nTotalStreams++
+		case R.RouteTypeReverseProxy:
+			stats["num_reverse_proxies"]++
+			nTotalRPs++
+		default:
+			panic("bug: should not reach here")
+		}
+	})
+
+	return map[string]any{
+		"num_total_streams":         nTotalStreams,
+		"num_total_reverse_proxies": nTotalRPs,
+		"providers":                 providerStats,
+	}
+}
+
+func (cfg *Config) FindRoute(alias string) R.Route {
+	return F.MapFind(cfg.proxyProviders,
+		func(p *PR.Provider) (R.Route, bool) {
+			if route, ok := p.GetRoute(alias); ok {
+				return route, true
+			}
+			return nil, false
+		},
+	)
+}
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -8,8 +8,9 @@ import (
 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/docker/client"
 	"github.com/sirupsen/logrus"
-	"github.com/yusing/go-proxy/common"
-	E "github.com/yusing/go-proxy/error"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
 )

 type Client struct {
@@ -20,9 +21,22 @@ type Client struct {
 	l logrus.FieldLogger
 }

+func ParseDockerHostname(host string) (string, E.NestedError) {
+	switch host {
+	case common.DockerHostFromEnv, "":
+		return "localhost", nil
+	}
+	url, err := E.Check(client.ParseHostURL(host))
+	if err != nil {
+		return "", E.Invalid("host", host).With(err)
+	}
+	return url.Hostname(), nil
+}
+
 func (c Client) DaemonHostname() string {
-	url, _ := client.ParseHostURL(c.DaemonHost())
-	return url.Hostname()
+	// DaemonHost should always return a valid host
+	hostname, _ := ParseDockerHostname(c.DaemonHost())
+	return hostname
 }

 func (c Client) Connected() bool {
@@ -35,9 +49,7 @@ func (c *Client) Close() error {
 		return nil
 	}

-	clientMapMu.Lock()
-	defer clientMapMu.Unlock()
-	delete(clientMap, c.key)
+	clientMap.Delete(c.key)

 	client := c.Client
 	c.Client = nil
@@ -65,7 +77,7 @@ func ConnectClient(host string) (Client, E.NestedError) {
 	defer clientMapMu.Unlock()

 	// check if client exists
-	if client, ok := clientMap[host]; ok {
+	if client, ok := clientMap.Load(host); ok {
 		client.refCount.Add(1)
 		return client, nil
 	}
@@ -116,23 +128,22 @@ func ConnectClient(host string) (Client, E.NestedError) {
 	c.refCount.Add(1)
 	c.l.Debugf("client connected")

-	clientMap[host] = c
-	return clientMap[host], nil
+	clientMap.Store(host, c)
+	return c, nil
 }

 func CloseAllClients() {
-	clientMapMu.Lock()
-	defer clientMapMu.Unlock()
-	for _, client := range clientMap {
-		client.Close()
-	}
-	clientMap = make(map[string]Client)
+	clientMap.RangeAll(func(_ string, c Client) {
+		c.Client.Close()
+	})
+	clientMap.Clear()
 	logger.Debug("closed all clients")
 }

 var (
-	clientMap        map[string]Client = make(map[string]Client)
-	clientMapMu      sync.Mutex
+	clientMap   F.Map[string, Client] = F.NewMapOf[string, Client]()
+	clientMapMu sync.Mutex
+
 	clientOptEnvHost = []client.Opt{
 		client.WithHostFromEnv(),
 		client.WithAPIVersionNegotiation(),
--- a/internal/docker/client_info.go
+++ b/internal/docker/client_info.go
@@ -8,7 +8,7 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"

-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type ClientInfo struct {
--- a/internal/docker/container.go
+++ b/internal/docker/container.go
@@ -0,0 +1,109 @@
+package docker
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	U "github.com/yusing/go-proxy/internal/utils"
+)
+
+type Container struct {
+	*types.Container
+	*ProxyProperties
+}
+
+func FromDocker(c *types.Container, dockerHost string) (res Container) {
+	res.Container = c
+	isExplicit := c.Labels[LabelAliases] != ""
+	res.ProxyProperties = &ProxyProperties{
+		DockerHost:         dockerHost,
+		ContainerName:      res.getName(),
+		ImageName:          res.getImageName(),
+		PublicPortMapping:  res.getPublicPortMapping(),
+		PrivatePortMapping: res.getPrivatePortMapping(),
+		NetworkMode:        c.HostConfig.NetworkMode,
+		Aliases:            res.getAliases(),
+		IsExcluded:         U.ParseBool(res.getDeleteLabel(LabelExclude)),
+		IsExplicit:         isExplicit,
+		IdleTimeout:        res.getDeleteLabel(LabelIdleTimeout),
+		WakeTimeout:        res.getDeleteLabel(LabelWakeTimeout),
+		StopMethod:         res.getDeleteLabel(LabelStopMethod),
+		StopTimeout:        res.getDeleteLabel(LabelStopTimeout),
+		StopSignal:         res.getDeleteLabel(LabelStopSignal),
+		Running:            c.Status == "running" || c.State == "running",
+	}
+	return
+}
+
+func FromJson(json types.ContainerJSON, dockerHost string) Container {
+	ports := make([]types.Port, 0)
+	for k, bindings := range json.NetworkSettings.Ports {
+		for _, v := range bindings {
+			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
+			privPort, _ := strconv.ParseUint(k.Port(), 10, 16)
+			ports = append(ports, types.Port{
+				IP:          v.HostIP,
+				PublicPort:  uint16(pubPort),
+				PrivatePort: uint16(privPort),
+			})
+		}
+	}
+	cont := FromDocker(&types.Container{
+		ID:     json.ID,
+		Names:  []string{json.Name},
+		Image:  json.Image,
+		Ports:  ports,
+		Labels: json.Config.Labels,
+		State:  json.State.Status,
+		Status: json.State.Status,
+	}, dockerHost)
+	cont.NetworkMode = string(json.HostConfig.NetworkMode)
+	return cont
+}
+
+func (c Container) getDeleteLabel(label string) string {
+	if l, ok := c.Labels[label]; ok {
+		delete(c.Labels, label)
+		return l
+	}
+	return ""
+}
+
+func (c Container) getAliases() []string {
+	if l := c.getDeleteLabel(LabelAliases); l != "" {
+		return U.CommaSeperatedList(l)
+	} else {
+		return []string{c.getName()}
+	}
+}
+
+func (c Container) getName() string {
+	return strings.TrimPrefix(c.Names[0], "/")
+}
+
+func (c Container) getImageName() string {
+	colonSep := strings.Split(c.Image, ":")
+	slashSep := strings.Split(colonSep[0], "/")
+	return slashSep[len(slashSep)-1]
+}
+
+func (c Container) getPublicPortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		if v.PublicPort == 0 {
+			continue
+		}
+		res[fmt.Sprint(v.PublicPort)] = v
+	}
+	return res
+}
+
+func (c Container) getPrivatePortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		res[fmt.Sprint(v.PrivatePort)] = v
+	}
+	return res
+}
--- a/internal/docker/homepage_label.go
+++ b/internal/docker/homepage_label.go
--- a/internal/docker/idlewatcher/html/loading_page.html
+++ b/internal/docker/idlewatcher/html/loading_page.html
@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+        <title>{{.Title}}</title>
+        <style>
+            /* Global Styles */
+            * {
+                box-sizing: border-box;
+                margin: 0;
+                padding: 0;
+            }
+            body {
+                font-family: Inter, Arial, sans-serif;
+                font-size: 16px;
+                line-height: 1.5;
+                color: #fff;
+                background-color: #212121;
+                display: flex;
+                justify-content: center;
+                align-items: center;
+                height: 100vh;
+                margin: 0;
+            }
+
+            /* Spinner Styles */
+            .spinner {
+                width: 120px;
+                height: 120px;
+                border: 16px solid #333;
+                border-radius: 50%;
+                border-top: 16px solid #66d9ef;
+                animation: spin 2s linear infinite;
+            }
+            @keyframes spin {
+                0% {
+                    transform: rotate(0deg);
+                }
+                100% {
+                    transform: rotate(360deg);
+                }
+            }
+
+            /* Error Styles */
+            .error {
+                display: inline-block;
+                text-align: center;
+                justify-content: center;
+            }
+            .error::before {
+                content: "\26A0"; /* Unicode for warning symbol */
+                font-size: 40px;
+                color: #ff9900;
+            }
+
+            /* Message Styles */
+            .message {
+                font-size: 24px;
+                font-weight: bold;
+                padding-left: 32px;
+                text-align: center;
+            }
+        </style>
+    </head>
+    <body>
+        <script>
+            window.onload = async function () {
+                let result = await fetch(window.location.href, {
+                    headers: {
+                        {{ range $key, $value := .RequestHeaders }}
+                        '{{ $key }}' : {{ $value }}
+                        {{ end }}
+                    },
+                }).then((resp) => resp.text())
+                    .catch((err) => {
+                        document.getElementById("message").innerText = err;
+                    });
+                if (result) {
+                    document.documentElement.innerHTML = result
+                }
+            };
+        </script>
+        <div class="{{.SpinnerClass}}"></div>
+        <div class="message">{{.Message}}</div>
+    </body>
+</html>
--- a/internal/docker/idlewatcher/http.go
+++ b/internal/docker/idlewatcher/http.go
@@ -0,0 +1,87 @@
+package idlewatcher
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"text/template"
+)
+
+type templateData struct {
+	Title          string
+	Message        string
+	RequestHeaders http.Header
+	SpinnerClass   string
+}
+
+//go:embed html/loading_page.html
+var loadingPage []byte
+var loadingPageTmpl = template.Must(template.New("loading_page").Parse(string(loadingPage)))
+
+const (
+	htmlContentType = "text/html; charset=utf-8"
+
+	errPrefix = "\u1000"
+
+	headerGoProxyTargetURL = "X-GoProxy-Target"
+	headerContentType      = "Content-Type"
+
+	spinnerClassSpinner   = "spinner"
+	spinnerClassErrorSign = "error"
+)
+
+func (w *watcher) makeSuccResp(redirectURL string, resp *http.Response) (*http.Response, error) {
+	h := make(http.Header)
+	h.Set("Location", redirectURL)
+	h.Set("Content-Length", "0")
+	h.Set(headerContentType, htmlContentType)
+	return &http.Response{
+		StatusCode: http.StatusTemporaryRedirect,
+		Header:     h,
+		Body:       http.NoBody,
+		TLS:        resp.TLS,
+	}, nil
+}
+
+func (w *watcher) makeErrResp(errFmt string, args ...any) (*http.Response, error) {
+	return w.makeResp(errPrefix+errFmt, args...)
+}
+
+func (w *watcher) makeResp(format string, args ...any) (*http.Response, error) {
+	msg := fmt.Sprintf(format, args...)
+
+	data := new(templateData)
+	data.Title = w.ContainerName
+	data.Message = strings.ReplaceAll(msg, "\n", "<br>")
+	data.Message = strings.ReplaceAll(data.Message, " ", "&ensp;")
+	data.RequestHeaders = make(http.Header)
+	data.RequestHeaders.Add(headerGoProxyTargetURL, "window.location.href")
+	if strings.HasPrefix(data.Message, errPrefix) {
+		data.Message = strings.TrimLeft(data.Message, errPrefix)
+		data.SpinnerClass = spinnerClassErrorSign
+	} else {
+		data.SpinnerClass = spinnerClassSpinner
+	}
+
+	buf := bytes.NewBuffer(make([]byte, 128)) // more than enough
+	err := loadingPageTmpl.Execute(buf, data)
+	if err != nil { // should never happen
+		panic(err)
+	}
+	return &http.Response{
+		StatusCode: http.StatusAccepted,
+		Header: http.Header{
+			headerContentType: {htmlContentType},
+			"Cache-Control": {
+				"no-cache",
+				"no-store",
+				"must-revalidate",
+			},
+		},
+		Body:          io.NopCloser(buf),
+		ContentLength: int64(buf.Len()),
+	}, nil
+}
--- a/internal/docker/idlewatcher/round_trip.go
+++ b/internal/docker/idlewatcher/round_trip.go
@@ -0,0 +1,83 @@
+package idlewatcher
+
+import (
+	"context"
+	"net/http"
+)
+
+type (
+	roundTripper struct {
+		patched roundTripFunc
+	}
+	roundTripFunc func(*http.Request) (*http.Response, error)
+)
+
+func (rt roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rt.patched(req)
+}
+
+func (w *watcher) roundTrip(origRoundTrip roundTripFunc, req *http.Request) (*http.Response, error) {
+	// wake the container
+	select {
+	case w.wakeCh <- struct{}{}:
+	default:
+	}
+
+	// target site is ready, passthrough
+	if w.ready.Load() {
+		return origRoundTrip(req)
+	}
+
+	// initial request
+	targetUrl := req.Header.Get(headerGoProxyTargetURL)
+	if targetUrl == "" {
+		return w.makeResp(
+			"%s is starting... Please wait",
+			w.ContainerName,
+		)
+	}
+
+	w.l.Debug("serving event")
+
+	// stream request
+	rtDone := make(chan *http.Response, 1)
+	ctx, cancel := context.WithTimeout(req.Context(), w.WakeTimeout)
+	defer cancel()
+
+	// loop original round trip until success in a goroutine
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-w.ctx.Done():
+				return
+			default:
+				resp, err := origRoundTrip(req)
+				if err == nil {
+					w.ready.Store(true)
+					rtDone <- resp
+					return
+				}
+			}
+		}
+	}()
+
+	for {
+		select {
+		case resp := <-rtDone:
+			return w.makeSuccResp(targetUrl, resp)
+		case err := <-w.wakeDone:
+			if err != nil {
+				return w.makeErrResp("error waking up %s\n%s", w.ContainerName, err.Error())
+			}
+		case <-ctx.Done():
+			if ctx.Err() == context.DeadlineExceeded {
+				return w.makeErrResp("Timed out waiting for %s to fully wake", w.ContainerName)
+			}
+			return w.makeErrResp("idlewatcher has stopped\n%s", w.ctx.Err().Error())
+		case <-w.ctx.Done():
+			return w.makeErrResp("idlewatcher has stopped\n%s", w.ctx.Err().Error())
+		}
+	}
+}
--- a/internal/docker/idlewatcher/watcher.go
+++ b/internal/docker/idlewatcher/watcher.go
@@ -1,9 +1,7 @@
 package idlewatcher

 import (
-	"bytes"
 	"context"
-	"io"
 	"net/http"
 	"sync"
 	"sync/atomic"
@@ -11,38 +9,50 @@ import (

 	"github.com/docker/docker/api/types/container"
 	"github.com/sirupsen/logrus"
-	D "github.com/yusing/go-proxy/docker"
-	E "github.com/yusing/go-proxy/error"
-	P "github.com/yusing/go-proxy/proxy"
-	PT "github.com/yusing/go-proxy/proxy/fields"
-	W "github.com/yusing/go-proxy/watcher"
-	event "github.com/yusing/go-proxy/watcher/events"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	P "github.com/yusing/go-proxy/internal/proxy"
+	PT "github.com/yusing/go-proxy/internal/proxy/fields"
+	W "github.com/yusing/go-proxy/internal/watcher"
 )

-type watcher struct {
-	*P.ReverseProxyEntry
-
-	client D.Client
-
-	refCount atomic.Int32
-
-	stopByMethod StopCallback
-	wakeCh       chan struct{}
-	wakeDone     chan E.NestedError
-	running      atomic.Bool
-
-	ctx    context.Context
-	cancel context.CancelFunc
-
-	l logrus.FieldLogger
-}
-
 type (
+	watcher struct {
+		*P.ReverseProxyEntry
+
+		client D.Client
+
+		ready        atomic.Bool  // whether the site is ready to accept connection
+		stopByMethod StopCallback // send a docker command w.r.t. `stop_method`
+
+		wakeCh   chan struct{}
+		wakeDone chan E.NestedError
+
+		ctx      context.Context
+		cancel   context.CancelFunc
+		refCount *sync.WaitGroup
+
+		l logrus.FieldLogger
+	}
+
 	WakeDone     <-chan error
 	WakeFunc     func() WakeDone
 	StopCallback func() E.NestedError
 )

+var (
+	mainLoopCtx    context.Context
+	mainLoopCancel context.CancelFunc
+	mainLoopWg     sync.WaitGroup
+
+	watcherMap   = make(map[string]*watcher)
+	watcherMapMu sync.Mutex
+
+	newWatcherCh = make(chan *watcher)
+
+	logger = logrus.WithField("module", "idle_watcher")
+)
+
 func Register(entry *P.ReverseProxyEntry) (*watcher, E.NestedError) {
 	failure := E.Failure("idle_watcher register")

@@ -67,12 +77,12 @@ func Register(entry *P.ReverseProxyEntry) (*watcher, E.NestedError) {
 	w := &watcher{
 		ReverseProxyEntry: entry,
 		client:            client,
-		wakeCh:            make(chan struct{}, 1),
-		wakeDone:          make(chan E.NestedError, 1),
+		refCount:          &sync.WaitGroup{},
+		wakeCh:            make(chan struct{}),
+		wakeDone:          make(chan E.NestedError),
 		l:                 logger.WithField("container", entry.ContainerName),
 	}
 	w.refCount.Add(1)
-	w.running.Store(entry.ContainerRunning)
 	w.stopByMethod = w.getStopCallback()

 	watcherMap[w.ContainerName] = w
@@ -84,20 +94,9 @@ func Register(entry *P.ReverseProxyEntry) (*watcher, E.NestedError) {
 	return w, nil
 }

-// If the container is not registered, this is no-op
 func Unregister(containerName string) {
-	watcherMapMu.Lock()
-	defer watcherMapMu.Unlock()
-
 	if w, ok := watcherMap[containerName]; ok {
-		if w.refCount.Add(-1) > 0 {
-			return
-		}
-		if w.cancel != nil {
-			w.cancel()
-		}
-		w.client.Close()
-		delete(watcherMap, containerName)
+		w.refCount.Add(-1)
 	}
 }

@@ -107,8 +106,6 @@ func Start() {

 	mainLoopCtx, mainLoopCancel = context.WithCancel(context.Background())

-	defer mainLoopWg.Wait()
-
 	for {
 		select {
 		case <-mainLoopCtx.Done():
@@ -117,8 +114,11 @@ func Start() {
 			w.l.Debug("registered")
 			mainLoopWg.Add(1)
 			go func() {
-				w.watch()
-				Unregister(w.ContainerName)
+				w.watchUntilCancel()
+				w.refCount.Wait() // wait for 0 ref count
+
+				w.client.Close()
+				delete(watcherMap, w.ContainerName)
 				w.l.Debug("unregistered")
 				mainLoopWg.Done()
 			}()
@@ -137,31 +137,6 @@ func (w *watcher) PatchRoundTripper(rtp http.RoundTripper) roundTripper {
 	}}
 }

-func (w *watcher) roundTrip(origRoundTrip roundTripFunc, req *http.Request) (*http.Response, error) {
-	w.wakeCh <- struct{}{}
-
-	if w.running.Load() {
-		return origRoundTrip(req)
-	}
-	timeout := time.After(w.WakeTimeout)
-
-	for {
-		if w.running.Load() {
-			return origRoundTrip(req)
-		}
-		select {
-		case <-req.Context().Done():
-			return nil, req.Context().Err()
-		case err := <-w.wakeDone:
-			if err != nil {
-				return nil, err.Error()
-			}
-		case <-timeout:
-			return getLoadingResponse(), nil
-		}
-	}
-}
-
 func (w *watcher) containerStop() error {
 	return w.client.ContainerStop(w.ctx, w.ContainerName, container.StopOptions{
 		Signal:  string(w.StopSignal),
@@ -205,7 +180,6 @@ func (w *watcher) wakeIfStopped() E.NestedError {
 	case "paused":
 		return E.From(w.containerUnpause())
 	case "running":
-		w.running.Store(true)
 		return nil
 	default:
 		return E.Unexpected("container state", status)
@@ -236,15 +210,12 @@ func (w *watcher) getStopCallback() StopCallback {
 	}
 }

-func (w *watcher) watch() {
-	watcherCtx, watcherCancel := context.WithCancel(context.Background())
-	w.ctx = watcherCtx
-	w.cancel = watcherCancel
-
-	dockerWatcher := W.NewDockerWatcherWithClient(w.client)
-
+func (w *watcher) watchUntilCancel() {
 	defer close(w.wakeCh)

+	w.ctx, w.cancel = context.WithCancel(context.Background())
+
+	dockerWatcher := W.NewDockerWatcherWithClient(w.client)
 	dockerEventCh, dockerEventErrCh := dockerWatcher.EventsWithOptions(w.ctx, W.DockerListOptions{
 		Filters: W.NewDockerFilter(
 			W.DockerFilterContainer,
@@ -265,7 +236,7 @@ func (w *watcher) watch() {
 		select {
 		case <-mainLoopCtx.Done():
 			w.cancel()
-		case <-watcherCtx.Done():
+		case <-w.ctx.Done():
 			w.l.Debug("stopped")
 			return
 		case err := <-dockerEventErrCh:
@@ -273,16 +244,18 @@ func (w *watcher) watch() {
 				w.l.Error(E.FailWith("docker watcher", err))
 			}
 		case e := <-dockerEventCh:
-			switch e.Action {
-			case event.ActionDockerStartUnpause:
-				w.running.Store(true)
-				w.l.Infof("%s %s", e.ActorName, e.Action)
-			case event.ActionDockerStopPause:
-				w.running.Store(false)
-				w.l.Infof("%s %s", e.ActorName, e.Action)
+			switch {
+			// create / start / unpause
+			case e.Action.IsContainerWake():
+				ticker.Reset(w.IdleTimeout)
+				w.l.Info(e)
+			default: // stop / pause / kill
+				ticker.Stop()
+				w.ready.Store(false)
+				w.l.Info(e)
 			}
 		case <-ticker.C:
-			w.l.Debug("timeout")
+			w.l.Debug("idle timeout")
 			ticker.Stop()
 			if err := w.stopByMethod(); err != nil && err.IsNot(context.Canceled) {
 				w.l.Error(E.FailWith("stop", err).Extraf("stop method: %s", w.StopMethod))
@@ -301,57 +274,3 @@ func (w *watcher) watch() {
 		}
 	}
 }
-
-func getLoadingResponse() *http.Response {
-	return &http.Response{
-		StatusCode: http.StatusAccepted,
-		Header: http.Header{
-			"Content-Type": {"text/html"},
-			"Cache-Control": {
-				"no-cache",
-				"no-store",
-				"must-revalidate",
-			},
-		},
-		Body:          io.NopCloser(bytes.NewReader((loadingPage))),
-		ContentLength: int64(len(loadingPage)),
-	}
-}
-
-var (
-	mainLoopCtx    context.Context
-	mainLoopCancel context.CancelFunc
-	mainLoopWg     sync.WaitGroup
-
-	watcherMap   = make(map[string]*watcher)
-	watcherMapMu sync.Mutex
-
-	newWatcherCh = make(chan *watcher)
-
-	logger = logrus.WithField("module", "idle_watcher")
-
-	loadingPage = []byte(`
-<!DOCTYPE html>
-<html>
-<head>
-	<meta charset="UTF-8">
-	<meta name="viewport" content="width=device-width, initial-scale=1.0">
-	<title>Loading...</title>
-</head>
-<body>
-	<script>
-		window.onload = function() {
-			setTimeout(function() {
-				window.location.reload()
-			}, 1000)
-            // fetch(window.location.href)
-			// 	.then(resp => resp.text())
-			// 	.then(data => { document.body.innerHTML = data; })
-			// 	.catch(err => { document.body.innerHTML = 'Error: ' + err; });
-        };
-	</script>
-	<h1>Container is starting... Please wait</h1>
-</body>
-</html>
-`[1:])
-)
--- a/internal/docker/inspect.go
+++ b/internal/docker/inspect.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"time"

-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 func (c Client) Inspect(containerID string) (Container, E.NestedError) {
--- a/internal/docker/label.go
+++ b/internal/docker/label.go
@@ -0,0 +1,151 @@
+package docker
+
+import (
+	"reflect"
+	"strings"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+/*
+Formats:
+  - namespace.attribute
+  - namespace.target.attribute
+  - namespace.target.attribute.namespace2.attribute
+*/
+type (
+	Label struct {
+		Namespace string
+		Target    string
+		Attribute string
+		Value     any
+	}
+	NestedLabelMap map[string]U.SerializedObject
+	ValueParser    func(string) (any, E.NestedError)
+	ValueParserMap map[string]ValueParser
+)
+
+func (l *Label) String() string {
+	if l.Attribute == "" {
+		return l.Namespace + "." + l.Target
+	}
+	return l.Namespace + "." + l.Target + "." + l.Attribute
+}
+
+// Apply applies the value of a Label to the corresponding field in the given object.
+//
+// Parameters:
+//   - obj: a pointer to the object to which the Label value will be applied.
+//   - l: a pointer to the Label containing the attribute and value to be applied.
+//
+// Returns:
+//   - error: an error if the field does not exist.
+func ApplyLabel[T any](obj *T, l *Label) E.NestedError {
+	if obj == nil {
+		return E.Invalid("nil object", l)
+	}
+	switch nestedLabel := l.Value.(type) {
+	case *Label:
+		var field reflect.Value
+		objType := reflect.TypeFor[T]()
+		for i := 0; i < reflect.TypeFor[T]().NumField(); i++ {
+			if objType.Field(i).Tag.Get("yaml") == l.Attribute {
+				field = reflect.ValueOf(obj).Elem().Field(i)
+				break
+			}
+		}
+		if !field.IsValid() {
+			return E.NotExist("field", l.Attribute)
+		}
+		dst, ok := field.Interface().(NestedLabelMap)
+		if !ok {
+			return E.Invalid("type", field.Type())
+		}
+		if dst == nil {
+			field.Set(reflect.MakeMap(reflect.TypeFor[NestedLabelMap]()))
+			dst = field.Interface().(NestedLabelMap)
+		}
+		if dst[nestedLabel.Namespace] == nil {
+			dst[nestedLabel.Namespace] = make(U.SerializedObject)
+		}
+		dst[nestedLabel.Namespace][nestedLabel.Attribute] = nestedLabel.Value
+		return nil
+	default:
+		return U.Deserialize(U.SerializedObject{l.Attribute: l.Value}, obj)
+	}
+}
+
+func ParseLabel(label string, value string) (*Label, E.NestedError) {
+	parts := strings.Split(label, ".")
+
+	if len(parts) < 2 {
+		return &Label{
+			Namespace: label,
+			Value:     value,
+		}, nil
+	}
+
+	l := &Label{
+		Namespace: parts[0],
+		Target:    parts[1],
+		Value:     value,
+	}
+
+	switch len(parts) {
+	case 2:
+		l.Attribute = l.Target
+	case 3:
+		l.Attribute = parts[2]
+	default:
+		l.Attribute = parts[2]
+		nestedLabel, err := ParseLabel(strings.Join(parts[3:], "."), value)
+		if err.HasError() {
+			return nil, err
+		}
+		l.Value = nestedLabel
+	}
+
+	// find if namespace has value parser
+	pm, ok := valueParserMap.Load(U.ToLowerNoSnake(l.Namespace))
+	if !ok {
+		return l, nil
+	}
+	// find if attribute has value parser
+	p, ok := pm[U.ToLowerNoSnake(l.Attribute)]
+	if !ok {
+		return l, nil
+	}
+	// try to parse value
+	v, err := p(value)
+	if err.HasError() {
+		return nil, err.Subject(label)
+	}
+	l.Value = v
+	return l, nil
+}
+
+func RegisterNamespace(namespace string, pm ValueParserMap) {
+	pmCleaned := make(ValueParserMap, len(pm))
+	for k, v := range pm {
+		pmCleaned[U.ToLowerNoSnake(k)] = v
+	}
+	valueParserMap.Store(U.ToLowerNoSnake(namespace), pmCleaned)
+}
+
+func GetRegisteredNamespaces() map[string][]string {
+	r := make(map[string][]string)
+
+	valueParserMap.RangeAll(func(ns string, vpm ValueParserMap) {
+		r[ns] = make([]string, 0, len(vpm))
+		for attr := range vpm {
+			r[ns] = append(r[ns], attr)
+		}
+	})
+
+	return r
+}
+
+// namespace:target.attribute -> func(string) (any, error)
+var valueParserMap = F.NewMapOf[string, ValueParserMap]()
--- a/internal/docker/label_parser.go
+++ b/internal/docker/label_parser.go
@@ -0,0 +1,78 @@
+package docker
+
+import (
+	"strings"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	NSProxy                    = "proxy"
+	ProxyAttributePathPatterns = "path_patterns"
+	ProxyAttributeNoTLSVerify  = "no_tls_verify"
+	ProxyAttributeMiddlewares  = "middlewares"
+)
+
+var _ = func() int {
+	RegisterNamespace(NSProxy, ValueParserMap{
+		ProxyAttributePathPatterns: YamlStringListParser,
+		ProxyAttributeNoTLSVerify:  BoolParser,
+	})
+	return 0
+}()
+
+func YamlStringListParser(value string) (any, E.NestedError) {
+	/*
+		- foo
+		- bar
+		- baz
+	*/
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return []string{}, nil
+	}
+	var data []string
+	err := E.From(yaml.Unmarshal([]byte(value), &data))
+	return data, err
+}
+
+func YamlLikeMappingParser(allowDuplicate bool) func(string) (any, E.NestedError) {
+	return func(value string) (any, E.NestedError) {
+		/*
+			foo: bar
+			boo: baz
+		*/
+		value = strings.TrimSpace(value)
+		lines := strings.Split(value, "\n")
+		h := make(map[string]string)
+		for _, line := range lines {
+			parts := strings.SplitN(line, ":", 2)
+			if len(parts) != 2 {
+				return nil, E.Invalid("syntax", line).With("too many colons")
+			}
+			key := strings.TrimSpace(parts[0])
+			val := strings.TrimSpace(parts[1])
+			if existing, ok := h[key]; ok {
+				if !allowDuplicate {
+					return nil, E.Duplicated("key", key)
+				}
+				h[key] = existing + ", " + val
+			} else {
+				h[key] = val
+			}
+		}
+		return h, nil
+	}
+}
+
+func BoolParser(value string) (any, E.NestedError) {
+	switch strings.ToLower(value) {
+	case "true", "yes", "1":
+		return true, nil
+	case "false", "no", "0":
+		return false, nil
+	default:
+		return nil, E.Invalid("boolean value", value)
+	}
+}
--- a/internal/docker/label_parser_test.go
+++ b/internal/docker/label_parser_test.go
@@ -0,0 +1,106 @@
+package docker
+
+import (
+	"fmt"
+	"testing"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func makeLabel(namespace string, alias string, field string) string {
+	return fmt.Sprintf("%s.%s.%s", namespace, alias, field)
+}
+
+func TestParseLabel(t *testing.T) {
+	alias := "foo"
+	field := "ip"
+	v := "bar"
+	pl, err := ParseLabel(makeLabel(NSHomePage, alias, field), v)
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, pl.Namespace, NSHomePage)
+	ExpectEqual(t, pl.Target, alias)
+	ExpectEqual(t, pl.Attribute, field)
+	ExpectEqual(t, pl.Value.(string), v)
+}
+
+func TestStringProxyLabel(t *testing.T) {
+	v := "bar"
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", "ip"), v)
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, pl.Value.(string), v)
+}
+
+func TestBoolProxyLabelValid(t *testing.T) {
+	tests := map[string]bool{
+		"true":  true,
+		"TRUE":  true,
+		"yes":   true,
+		"1":     true,
+		"false": false,
+		"FALSE": false,
+		"no":    false,
+		"0":     false,
+	}
+
+	for k, v := range tests {
+		pl, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeNoTLSVerify), k)
+		ExpectNoError(t, err.Error())
+		ExpectEqual(t, pl.Value.(bool), v)
+	}
+}
+
+func TestBoolProxyLabelInvalid(t *testing.T) {
+	_, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeNoTLSVerify), "invalid")
+	if !err.Is(E.ErrInvalid) {
+		t.Errorf("Expected err InvalidProxyLabel, got %s", err.Error())
+	}
+}
+
+// func TestSetHeaderProxyLabelValid(t *testing.T) {
+// 	v := `
+// X-Custom-Header1: foo, bar
+// X-Custom-Header1: baz
+// X-Custom-Header2: boo`
+// 	v = strings.TrimPrefix(v, "\n")
+// 	h := map[string]string{
+// 		"X-Custom-Header1": "foo, bar, baz",
+// 		"X-Custom-Header2": "boo",
+// 	}
+
+// 	pl, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeSetHeaders), v)
+// 	ExpectNoError(t, err.Error())
+// 	hGot := ExpectType[map[string]string](t, pl.Value)
+// 	ExpectFalse(t, hGot == nil)
+// 	ExpectDeepEqual(t, h, hGot)
+// }
+
+// func TestSetHeaderProxyLabelInvalid(t *testing.T) {
+// 	tests := []string{
+// 		"X-Custom-Header1 = bar",
+// 		"X-Custom-Header1",
+// 		"- X-Custom-Header1",
+// 	}
+
+// 	for _, v := range tests {
+// 		_, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeSetHeaders), v)
+// 		if !err.Is(E.ErrInvalid) {
+// 			t.Errorf("Expected invalid err for %q, got %s", v, err.Error())
+// 		}
+// 	}
+// }
+
+// func TestHideHeadersProxyLabel(t *testing.T) {
+// 	v := `
+// - X-Custom-Header1
+// - X-Custom-Header2
+// - X-Custom-Header3
+// `
+// 	v = strings.TrimPrefix(v, "\n")
+// 	pl, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeHideHeaders), v)
+// 	ExpectNoError(t, err.Error())
+// 	sGot := ExpectType[[]string](t, pl.Value)
+// 	sWant := []string{"X-Custom-Header1", "X-Custom-Header2", "X-Custom-Header3"}
+// 	ExpectFalse(t, sGot == nil)
+// 	ExpectDeepEqual(t, sGot, sWant)
+// }
--- a/internal/docker/label_test.go
+++ b/internal/docker/label_test.go
@@ -0,0 +1,85 @@
+package docker
+
+import (
+	"fmt"
+	"testing"
+
+	U "github.com/yusing/go-proxy/internal/utils"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestNestedLabel(t *testing.T) {
+	mName := "middleware1"
+	mAttr := "prop1"
+	v := "value1"
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s.%s", ProxyAttributeMiddlewares, mName, mAttr)), v)
+	ExpectNoError(t, err.Error())
+	sGot := ExpectType[*Label](t, pl.Value)
+	ExpectFalse(t, sGot == nil)
+	ExpectEqual(t, sGot.Namespace, mName)
+	ExpectEqual(t, sGot.Attribute, mAttr)
+}
+
+func TestApplyNestedLabel(t *testing.T) {
+	entry := new(struct {
+		Middlewares NestedLabelMap `yaml:"middlewares"`
+	})
+	mName := "middleware1"
+	mAttr := "prop1"
+	v := "value1"
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s.%s", ProxyAttributeMiddlewares, mName, mAttr)), v)
+	ExpectNoError(t, err.Error())
+	err = ApplyLabel(entry, pl)
+	ExpectNoError(t, err.Error())
+	middleware1, ok := entry.Middlewares[mName]
+	ExpectTrue(t, ok)
+	got := ExpectType[string](t, middleware1[mAttr])
+	ExpectEqual(t, got, v)
+}
+
+func TestApplyNestedLabelExisting(t *testing.T) {
+	mName := "middleware1"
+	mAttr := "prop1"
+	v := "value1"
+
+	checkAttr := "prop2"
+	checkV := "value2"
+	entry := new(struct {
+		Middlewares NestedLabelMap `yaml:"middlewares"`
+	})
+	entry.Middlewares = make(NestedLabelMap)
+	entry.Middlewares[mName] = make(U.SerializedObject)
+	entry.Middlewares[mName][checkAttr] = checkV
+
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s.%s", ProxyAttributeMiddlewares, mName, mAttr)), v)
+	ExpectNoError(t, err.Error())
+	err = ApplyLabel(entry, pl)
+	ExpectNoError(t, err.Error())
+	middleware1, ok := entry.Middlewares[mName]
+	ExpectTrue(t, ok)
+	got := ExpectType[string](t, middleware1[mAttr])
+	ExpectEqual(t, got, v)
+
+	// check if prop2 is affected
+	ExpectFalse(t, middleware1[checkAttr] == nil)
+	got = ExpectType[string](t, middleware1[checkAttr])
+	ExpectEqual(t, got, checkV)
+}
+
+func TestApplyNestedLabelNoAttr(t *testing.T) {
+	mName := "middleware1"
+	v := "value1"
+
+	entry := new(struct {
+		Middlewares NestedLabelMap `yaml:"middlewares"`
+	})
+	entry.Middlewares = make(NestedLabelMap)
+	entry.Middlewares[mName] = make(U.SerializedObject)
+
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s", ProxyAttributeMiddlewares, mName)), v)
+	ExpectNoError(t, err.Error())
+	err = ApplyLabel(entry, pl)
+	ExpectNoError(t, err.Error())
+	_, ok := entry.Middlewares[mName]
+	ExpectTrue(t, ok)
+}
--- a/internal/docker/labels.go
+++ b/internal/docker/labels.go
@@ -3,8 +3,8 @@ package docker
 const (
 	WildcardAlias = "*"

-	LableAliases     = NSProxy + ".aliases"
-	LableExclude     = NSProxy + ".exclude"
+	LabelAliases     = NSProxy + ".aliases"
+	LabelExclude     = NSProxy + ".exclude"
 	LabelIdleTimeout = NSProxy + ".idle_timeout"
 	LabelWakeTimeout = NSProxy + ".wake_timeout"
 	LabelStopMethod  = NSProxy + ".stop_method"
--- a/internal/docker/proxy_properties.go
+++ b/internal/docker/proxy_properties.go
@@ -0,0 +1,23 @@
+package docker
+
+import "github.com/docker/docker/api/types"
+
+type PortMapping = map[string]types.Port
+type ProxyProperties struct {
+	DockerHost         string      `yaml:"-" json:"docker_host"`
+	ContainerName      string      `yaml:"-" json:"container_name"`
+	ImageName          string      `yaml:"-" json:"image_name"`
+	PublicPortMapping  PortMapping `yaml:"-" json:"public_port_mapping"`  // non-zero publicPort:types.Port
+	PrivatePortMapping PortMapping `yaml:"-" json:"private_port_mapping"` // privatePort:types.Port
+	NetworkMode        string      `yaml:"-" json:"network_mode"`
+
+	Aliases     []string `yaml:"-" json:"aliases"`
+	IsExcluded  bool     `yaml:"-" json:"is_excluded"`
+	IsExplicit  bool     `yaml:"-" json:"is_explicit"`
+	IdleTimeout string   `yaml:"-" json:"idle_timeout"`
+	WakeTimeout string   `yaml:"-" json:"wake_timeout"`
+	StopMethod  string   `yaml:"-" json:"stop_method"`
+	StopTimeout string   `yaml:"-" json:"stop_timeout"` // stop_method = "stop" only
+	StopSignal  string   `yaml:"-" json:"stop_signal"`  // stop_method = "stop" | "kill" only
+	Running     bool     `yaml:"-" json:"running"`
+}
--- a/internal/error/builder.go
+++ b/internal/error/builder.go
@@ -10,9 +10,8 @@ type Builder struct {
 }

 type builder struct {
-	message  string
-	errors   []NestedError
-	severity Severity
+	message string
+	errors  []NestedError
 	sync.Mutex
 }

@@ -25,6 +24,7 @@ func NewBuilder(format string, args ...any) Builder {
 func (b Builder) Add(err NestedError) Builder {
 	if err != nil {
 		b.Lock()
+		// TODO: if err severity is higher than b.severity, update b.severity
 		b.errors = append(b.errors, err)
 		b.Unlock()
 	}
@@ -39,11 +39,6 @@ func (b Builder) Addf(format string, args ...any) Builder {
 	return b.Add(errorf(format, args...))
 }

-func (b Builder) WithSeverity(s Severity) Builder {
-	b.severity = s
-	return b
-}
-
 // Build builds a NestedError based on the errors collected in the Builder.
 //
 // If there are no errors in the Builder, it returns a Nil() NestedError.
@@ -54,15 +49,19 @@ func (b Builder) WithSeverity(s Severity) Builder {
 func (b Builder) Build() NestedError {
 	if len(b.errors) == 0 {
 		return nil
+	} else if len(b.errors) == 1 {
+		return b.errors[0]
 	}
-	return Join(b.message, b.errors...).Severity(b.severity)
+	return Join(b.message, b.errors...)
 }

 func (b Builder) To(ptr *NestedError) {
-	if *ptr == nil {
+	if ptr == nil {
+		return
+	} else if *ptr == nil {
 		*ptr = b.Build()
 	} else {
-		**ptr = *b.Build()
+		(*ptr).With(b.Build())
 	}
 }

--- a/internal/error/builder_test.go
+++ b/internal/error/builder_test.go
@@ -3,7 +3,7 @@ package error
 import (
 	"testing"

-	. "github.com/yusing/go-proxy/utils/testing"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
 )

 func TestBuilderEmpty(t *testing.T) {
@@ -43,10 +43,10 @@ func TestBuilderNested(t *testing.T) {
 	expected2 :=
 		(`error occurred:
  - Action 1 failed:
-    - invalid Inner: 2
-    - invalid Inner: 1
+    - invalid Inner: "1"
+    - invalid Inner: "2"
  - Action 2 failed:
-    - invalid Inner: 3`)
+    - invalid Inner: "3"`)
 	if got != expected1 && got != expected2 {
 		t.Errorf("expected \n%s, got \n%s", expected1, got)
 	}
--- a/internal/error/error.go
+++ b/internal/error/error.go
@@ -1,6 +1,7 @@
 package error

 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
@@ -9,17 +10,15 @@ import (
 type (
 	NestedError = *nestedError
 	nestedError struct {
-		subject  string
-		err      error
-		extras   []nestedError
-		severity Severity
+		subject string
+		err     error
+		extras  []nestedError
+	}
+	jsonNestedError struct {
+		Subject string
+		Err     string
+		Extras  []jsonNestedError
 	}
-	Severity uint8
-)
-
-const (
-	SeverityFatal Severity = iota
-	SeverityWarning
 )

 func From(err error) NestedError {
@@ -29,6 +28,29 @@ func From(err error) NestedError {
 	return &nestedError{err: err}
 }

+func FromJSON(data []byte) (NestedError, bool) {
+	var j jsonNestedError
+	if err := json.Unmarshal(data, &j); err != nil {
+		return nil, false
+	}
+	if j.Err == "" {
+		return nil, false
+	}
+	extras := make([]nestedError, len(j.Extras))
+	for i, e := range j.Extras {
+		extra, ok := fromJSONObject(e)
+		if !ok {
+			return nil, false
+		}
+		extras[i] = *extra
+	}
+	return &nestedError{
+		subject: j.Subject,
+		err:     errors.New(j.Err),
+		extras:  extras,
+	}, true
+}
+
 // Check is a helper function that
 // convert (T, error) to (T, NestedError).
 func Check[T any](obj T, err error) (T, NestedError) {
@@ -118,9 +140,9 @@ func (ne NestedError) With(s any) NestedError {
 	case string:
 		msg = ss
 	case fmt.Stringer:
-		msg = ss.String()
+		return ne.appendMsg(ss.String())
 	default:
-		msg = fmt.Sprint(s)
+		return ne.appendMsg(fmt.Sprint(s))
 	}
 	return ne.withError(From(errors.New(msg)))
 }
@@ -133,13 +155,19 @@ func (ne NestedError) Subject(s any) NestedError {
 	if ne == nil {
 		return ne
 	}
+	var subject string
 	switch ss := s.(type) {
 	case string:
-		ne.subject = ss
+		subject = ss
 	case fmt.Stringer:
-		ne.subject = ss.String()
+		subject = ss.String()
 	default:
-		ne.subject = fmt.Sprint(s)
+		subject = fmt.Sprint(s)
+	}
+	if ne.subject == "" {
+		ne.subject = subject
+	} else {
+		ne.subject = fmt.Sprintf("%s > %s", subject, ne.subject)
 	}
 	return ne
 }
@@ -158,20 +186,21 @@ func (ne NestedError) Subjectf(format string, args ...any) NestedError {
 	return ne
 }

-func (ne NestedError) Severity(s Severity) NestedError {
-	if ne == nil {
-		return ne
+func (ne NestedError) JSONObject() jsonNestedError {
+	extras := make([]jsonNestedError, len(ne.extras))
+	for i, e := range ne.extras {
+		extras[i] = e.JSONObject()
+	}
+	return jsonNestedError{
+		Subject: ne.subject,
+		Err:     ne.err.Error(),
+		Extras:  extras,
 	}
-	ne.severity = s
-	return ne
 }

-func (ne NestedError) Warn() NestedError {
-	if ne == nil {
-		return ne
-	}
-	ne.severity = SeverityWarning
-	return ne
+func (ne NestedError) JSON() []byte {
+	b, _ := json.MarshalIndent(ne.JSONObject(), "", "  ")
+	return b
 }

 func (ne NestedError) NoError() bool {
@@ -182,18 +211,18 @@ func (ne NestedError) HasError() bool {
 	return ne != nil
 }

-func (ne NestedError) IsFatal() bool {
-	return ne != nil && ne.severity == SeverityFatal
-}
-
-func (ne NestedError) IsWarning() bool {
-	return ne != nil && ne.severity == SeverityWarning
-}
-
 func errorf(format string, args ...any) NestedError {
 	return From(fmt.Errorf(format, args...))
 }

+func fromJSONObject(obj jsonNestedError) (NestedError, bool) {
+	data, err := json.Marshal(obj)
+	if err != nil {
+		return nil, false
+	}
+	return FromJSON(data)
+}
+
 func (ne NestedError) withError(err NestedError) NestedError {
 	if ne != nil && err != nil {
 		ne.extras = append(ne.extras, *err)
@@ -201,6 +230,14 @@ func (ne NestedError) withError(err NestedError) NestedError {
 	return ne
 }

+func (ne NestedError) appendMsg(msg string) NestedError {
+	if ne == nil {
+		return nil
+	}
+	ne.err = fmt.Errorf("%w %s", ne.err, msg)
+	return ne
+}
+
 func (ne NestedError) writeToSB(sb *strings.Builder, level int, prefix string) {
 	for i := 0; i < level; i++ {
 		sb.WriteString("  ")
@@ -251,6 +288,8 @@ func (ne NestedError) buildError(level int, prefix string) error {
 		for _, extra := range ne.extras {
 			res = errors.Join(res, extra.buildError(level+1, "- "))
 		}
+	} else {
+		res = fmt.Errorf("%w%s", res, sb.String())
 	}
 	return res
 }
--- a/internal/error/error_test.go
+++ b/internal/error/error_test.go
@@ -4,8 +4,8 @@ import (
 	"errors"
 	"testing"

-	. "github.com/yusing/go-proxy/error"
-	. "github.com/yusing/go-proxy/utils/testing"
+	. "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
 )

 func TestErrorIs(t *testing.T) {
@@ -31,11 +31,11 @@ func TestErrorNestedIs(t *testing.T) {

 	err = Failure("some reason")
 	ExpectTrue(t, err.Is(ErrFailure))
-	ExpectFalse(t, err.Is(ErrAlreadyExist))
+	ExpectFalse(t, err.Is(ErrDuplicated))

-	err.With(AlreadyExist("something", ""))
+	err.With(Duplicated("something", ""))
 	ExpectTrue(t, err.Is(ErrFailure))
-	ExpectTrue(t, err.Is(ErrAlreadyExist))
+	ExpectTrue(t, err.Is(ErrDuplicated))
 	ExpectFalse(t, err.Is(ErrInvalid))
 }

--- a/internal/error/errors.go
+++ b/internal/error/errors.go
@@ -5,22 +5,24 @@ import (
 )

 var (
-	ErrFailure      = stderrors.New("failed")
-	ErrInvalid      = stderrors.New("invalid")
-	ErrUnsupported  = stderrors.New("unsupported")
-	ErrUnexpected   = stderrors.New("unexpected")
-	ErrNotExists    = stderrors.New("does not exist")
-	ErrAlreadyExist = stderrors.New("already exist")
+	ErrFailure     = stderrors.New("failed")
+	ErrInvalid     = stderrors.New("invalid")
+	ErrUnsupported = stderrors.New("unsupported")
+	ErrUnexpected  = stderrors.New("unexpected")
+	ErrNotExists   = stderrors.New("does not exist")
+	ErrMissing     = stderrors.New("missing")
+	ErrDuplicated  = stderrors.New("duplicated")
+	ErrOutOfRange  = stderrors.New("out of range")
 )

-const fmtSubjectWhat = "%w %v: %v"
+const fmtSubjectWhat = "%w %v: %q"

 func Failure(what string) NestedError {
 	return errorf("%s %w", what, ErrFailure)
 }

 func FailedWhy(what string, why string) NestedError {
-	return errorf("%s %w because %s", what, ErrFailure, why)
+	return Failure(what).With(why)
 }

 func FailWith(what string, err any) NestedError {
@@ -47,6 +49,14 @@ func NotExist(subject, what any) NestedError {
 	return errorf("%v %w: %v", subject, ErrNotExists, what)
 }

-func AlreadyExist(subject, what any) NestedError {
-	return errorf("%v %w: %v", subject, ErrAlreadyExist, what)
+func Missing(subject any) NestedError {
+	return errorf("%w %v", ErrMissing, subject)
+}
+
+func Duplicated(subject, what any) NestedError {
+	return errorf("%w %v: %v", ErrDuplicated, subject, what)
+}
+
+func OutOfRange(subject string, value any) NestedError {
+	return errorf("%v %w: %v", subject, ErrOutOfRange, value)
 }
--- a/internal/http/content_type.go
+++ b/internal/http/content_type.go
@@ -0,0 +1,32 @@
+package http
+
+import (
+	"mime"
+	"net/http"
+)
+
+type ContentType string
+
+func GetContentType(h http.Header) ContentType {
+	ct := h.Get("Content-Type")
+	if ct == "" {
+		return ""
+	}
+	ct, _, err := mime.ParseMediaType(ct)
+	if err != nil {
+		return ""
+	}
+	return ContentType(ct)
+}
+
+func (ct ContentType) IsHTML() bool {
+	return ct == "text/html" || ct == "application/xhtml+xml"
+}
+
+func (ct ContentType) IsJSON() bool {
+	return ct == "application/json"
+}
+
+func (ct ContentType) IsPlainText() bool {
+	return ct == "text/plain"
+}
--- a/internal/http/header_utils.go
+++ b/internal/http/header_utils.go
@@ -0,0 +1,42 @@
+package http
+
+import (
+	"net/http"
+	"slices"
+)
+
+func RemoveHop(h http.Header) {
+	reqUpType := UpgradeType(h)
+	RemoveHopByHopHeaders(h)
+
+	if reqUpType != "" {
+		h.Set("Connection", "Upgrade")
+		h.Set("Upgrade", reqUpType)
+	} else {
+		h.Del("Connection")
+	}
+}
+
+func CopyHeader(dst, src http.Header) {
+	for k, vv := range src {
+		for _, v := range vv {
+			dst.Add(k, v)
+		}
+	}
+}
+
+func FilterHeaders(h http.Header, allowed []string) {
+	if allowed == nil {
+		return
+	}
+
+	for i := range allowed {
+		allowed[i] = http.CanonicalHeaderKey(allowed[i])
+	}
+
+	for key := range h {
+		if !slices.Contains(allowed, key) {
+			h.Del(key)
+		}
+	}
+}
--- a/internal/http/modify_response_writer.go
+++ b/internal/http/modify_response_writer.go
@@ -0,0 +1,96 @@
+// Modified from Traefik Labs's MIT-licensed code (https://github.com/traefik/traefik/blob/master/pkg/middlewares/response_modifier.go)
+// Copyright (c) 2020-2024 Traefik Labs
+
+package http
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"net/http"
+)
+
+type ModifyResponseFunc func(*http.Response) error
+type ModifyResponseWriter struct {
+	w http.ResponseWriter
+	r *http.Request
+
+	headerSent bool
+	code       int
+
+	modifier    ModifyResponseFunc
+	modified    bool
+	modifierErr error
+}
+
+func NewModifyResponseWriter(w http.ResponseWriter, r *http.Request, f ModifyResponseFunc) *ModifyResponseWriter {
+	return &ModifyResponseWriter{
+		w:        w,
+		r:        r,
+		modifier: f,
+		code:     http.StatusOK,
+	}
+}
+
+func (w *ModifyResponseWriter) WriteHeader(code int) {
+	if w.headerSent {
+		return
+	}
+
+	if code >= http.StatusContinue && code < http.StatusOK {
+		w.w.WriteHeader(code)
+	}
+
+	defer func() {
+		w.headerSent = true
+		w.code = code
+	}()
+
+	if w.modifier == nil || w.modified {
+		w.w.WriteHeader(code)
+		return
+	}
+
+	resp := http.Response{
+		Header:  w.w.Header(),
+		Request: w.r,
+	}
+
+	if err := w.modifier(&resp); err != nil {
+		w.modifierErr = err
+		logger.Errorf("error modifying response: %s", err)
+		w.w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	w.modified = true
+	w.w.WriteHeader(code)
+}
+
+func (w *ModifyResponseWriter) Header() http.Header {
+	return w.w.Header()
+}
+
+func (w *ModifyResponseWriter) Write(b []byte) (int, error) {
+	w.WriteHeader(w.code)
+	if w.modifierErr != nil {
+		return 0, w.modifierErr
+	}
+	return w.w.Write(b)
+}
+
+// Hijack hijacks the connection.
+func (w *ModifyResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	if h, ok := w.w.(http.Hijacker); ok {
+		return h.Hijack()
+	}
+
+	return nil, nil, fmt.Errorf("not a hijacker: %T", w.w)
+}
+
+// Flush sends any buffered data to the client.
+func (w *ModifyResponseWriter) Flush() {
+	if flusher, ok := w.w.(http.Flusher); ok {
+		flusher.Flush()
+	}
+}
--- a/internal/http/reverse_proxy_mod.go
+++ b/internal/http/reverse_proxy_mod.go
@@ -1,9 +1,16 @@
-package proxy
+// Copyright 2011 The Go Authors.
+// Modified from the Go project under the a BSD-style License (https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/net/http/httputil/reverseproxy.go)
+// https://cs.opensource.google/go/go/+/master:LICENSE

-// A small mod on net/http/httputil/reverseproxy.go
-// that doubled the performance
+package http
+
+// This is a small mod on net/http/httputil/reverseproxy.go
+// that boosts performance in some cases
+// and compatible to other modules of this project
+// Copyright (c) 2024 yusing

 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -52,6 +59,21 @@ type ProxyRequest struct {
 //		r.SetXForwarded()
 //	}
 func (r *ProxyRequest) SetXForwarded() {
+	clientIP, _, err := net.SplitHostPort(r.In.RemoteAddr)
+	if err == nil {
+		r.Out.Header.Set("X-Forwarded-For", clientIP)
+	} else {
+		r.Out.Header.Del("X-Forwarded-For")
+	}
+	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
+	if r.In.TLS == nil {
+		r.Out.Header.Set("X-Forwarded-Proto", "http")
+	} else {
+		r.Out.Header.Set("X-Forwarded-Proto", "https")
+	}
+}
+
+func (r *ProxyRequest) AddXForwarded() {
 	clientIP, _, err := net.SplitHostPort(r.In.RemoteAddr)
 	if err == nil {
 		prior := r.Out.Header["X-Forwarded-For"]
@@ -104,45 +126,18 @@ type ReverseProxy struct {
 	// If nil, http.DefaultTransport is used.
 	Transport http.RoundTripper

-	// FlushInterval specifies the flush interval
-	// to flush to the client while copying the
-	// response body.
-	// If zero, no periodic flushing is done.
-	// A negative value means to flush immediately
-	// after each write to the client.
-	// The FlushInterval is ignored when ReverseProxy
-	// recognizes a response as a streaming response, or
-	// if its ContentLength is -1; for such responses, writes
-	// are flushed to the client immediately.
-	// FlushInterval time.Duration
-
-	// ErrorLog specifies an optional logger for errors
-	// that occur when attempting to proxy the request.
-	// If nil, logging is done via the log package's standard logger.
-	// ErrorLog *log.Logger
-
-	// BufferPool optionally specifies a buffer pool to
-	// get byte slices for use by io.CopyBuffer when
-	// copying HTTP response bodies.
-	// BufferPool BufferPool
-
 	// ModifyResponse is an optional function that modifies the
 	// Response from the backend. It is called if the backend
 	// returns a response at all, with any HTTP status code.
 	// If the backend is unreachable, the optional ErrorHandler is
-	// called without any call to ModifyResponse.
+	// called before ModifyResponse.
 	//
 	// If ModifyResponse returns an error, ErrorHandler is called
 	// with its error value. If ErrorHandler is nil, its default
 	// implementation is used.
 	ModifyResponse func(*http.Response) error

-	// ErrorHandler is an optional function that handles errors
-	// reaching the backend or errors from ModifyResponse.
-	//
-	// If nil, the default is to log the provided error and return
-	// a 502 Status Bad Gateway response.
-	ErrorHandler func(http.ResponseWriter, *http.Request, error)
+	ServeHTTP http.HandlerFunc
 }

 // A BufferPool is an interface for getting and returning temporary
@@ -206,36 +201,15 @@ func joinURLPath(a, b *url.URL) (path, rawpath string) {
 //		},
 //	}
 //
-// TODO: headers in ModifyResponse
-func NewReverseProxy(target *url.URL, transport http.RoundTripper, entry *ReverseProxyEntry) *ReverseProxy {
-	// check on init rather than on request
-	var setHeaders = func(r *http.Request) {}
-	var hideHeaders = func(r *http.Request) {}
-	if len(entry.SetHeaders) > 0 {
-		setHeaders = func(r *http.Request) {
-			h := entry.SetHeaders.Clone()
-			for k, vv := range h {
-				if k == "Host" {
-					r.Host = vv[0]
-				} else {
-					r.Header[k] = vv
-				}
-			}
-		}
+
+func NewReverseProxy(target *url.URL, transport http.RoundTripper) *ReverseProxy {
+	rp := &ReverseProxy{
+		Rewrite: func(pr *ProxyRequest) {
+			rewriteRequestURL(pr.Out, target)
+		}, Transport: transport,
 	}
-	if len(entry.HideHeaders) > 0 {
-		hideHeaders = func(r *http.Request) {
-			for _, k := range entry.HideHeaders {
-				r.Header.Del(k)
-			}
-		}
-	}
-	return &ReverseProxy{Rewrite: func(pr *ProxyRequest) {
-		rewriteRequestURL(pr.Out, target)
-		pr.SetXForwarded()
-		setHeaders(pr.Out)
-		hideHeaders(pr.Out)
-	}, Transport: transport}
+	rp.ServeHTTP = rp.serveHTTP
+	return rp
 }

 func rewriteRequestURL(req *http.Request, target *url.URL) {
@@ -250,6 +224,23 @@ func rewriteRequestURL(req *http.Request, target *url.URL) {
 	}
 }

+// Hop-by-hop headers. These are removed when sent to the backend.
+// As of RFC 7230, hop-by-hop headers are required to appear in the
+// Connection header field. These are the headers defined by the
+// obsoleted RFC 2616 (section 13.5.1) and are used for backward
+// compatibility.
+var hopHeaders = []string{
+	"Connection",
+	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+	"Keep-Alive",
+	"Proxy-Authenticate",
+	"Proxy-Authorization",
+	"Te",      // canonicalized version of "TE"
+	"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
+	"Transfer-Encoding",
+	"Upgrade",
+}
+
 func copyHeader(dst, src http.Header) {
 	for k, vv := range src {
 		for _, v := range vv {
@@ -258,9 +249,11 @@ func copyHeader(dst, src http.Header) {
 	}
 }

-func (p *ReverseProxy) errorHandler(rw http.ResponseWriter, _ *http.Request, err error) {
-	logger.Errorf("http: proxy error: %s", err)
-	rw.WriteHeader(http.StatusBadGateway)
+func (p *ReverseProxy) errorHandler(rw http.ResponseWriter, r *http.Request, err error, writeHeader bool) {
+	logger.Errorf("http proxy to %s failed: %s", r.URL.String(), err)
+	if writeHeader {
+		rw.WriteHeader(http.StatusBadGateway)
+	}
 }

 // modifyResponse conditionally runs the optional ModifyResponse hook
@@ -271,13 +264,13 @@ func (p *ReverseProxy) modifyResponse(rw http.ResponseWriter, res *http.Response
 	}
 	if err := p.ModifyResponse(res); err != nil {
 		res.Body.Close()
-		p.errorHandler(rw, req, err)
+		p.errorHandler(rw, req, err, true)
 		return false
 	}
 	return true
 }

-func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+func (p *ReverseProxy) serveHTTP(rw http.ResponseWriter, req *http.Request) {
 	transport := p.Transport

 	ctx := req.Context()
@@ -325,12 +318,14 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	outreq.Close = false

-	reqUpType := upgradeType(outreq.Header)
+	reqUpType := UpgradeType(outreq.Header)
 	if !IsPrint(reqUpType) {
-		p.errorHandler(rw, req, fmt.Errorf("client tried to switch to invalid protocol %q", reqUpType))
+		p.errorHandler(rw, req, fmt.Errorf("client tried to switch to invalid protocol %q", reqUpType), true)
 		return
 	}

+	RemoveHopByHopHeaders(outreq.Header)
+
 	// Issue 21096: tell backend applications that care about trailer support
 	// that we support trailers. (We do, but we don't go out of our way to
 	// advertise that unless the incoming client request thought it was worth
@@ -385,8 +380,20 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	res, err := transport.RoundTrip(outreq)
 	if err != nil {
-		p.errorHandler(rw, outreq, err)
-		return
+		p.errorHandler(rw, outreq, err, false)
+		errMsg := err.Error()
+		res = &http.Response{
+			Status:        http.StatusText(http.StatusBadGateway),
+			StatusCode:    http.StatusBadGateway,
+			Proto:         outreq.Proto,
+			ProtoMajor:    outreq.ProtoMajor,
+			ProtoMinor:    outreq.ProtoMinor,
+			Header:        make(http.Header),
+			Body:          io.NopCloser(bytes.NewReader([]byte(errMsg))),
+			Request:       outreq,
+			ContentLength: int64(len(errMsg)),
+			TLS:           outreq.TLS,
+		}
 	}

 	// Deal with 101 Switching Protocols responses: (WebSocket, h2c, etc)
@@ -419,16 +426,9 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	_, err = io.Copy(rw, res.Body)
 	if err != nil {
-		defer res.Body.Close()
-		// note: removed
-		// Since we're streaming the response, if we run into an error all we can do
-		// is abort the request. Issue 23643: ReverseProxy should use ErrAbortHandler
-		// on read error while copying body.
-		// if !shouldPanicOnCopyError(req) {
-		// 	p.logf("suppressing panic for copyResponse error in test; copy error: %s", err)
-		// 	return
-		// }
-		panic(http.ErrAbortHandler)
+		p.errorHandler(rw, req, err, true)
+		res.Body.Close()
+		return
 	}
 	res.Body.Close() // close now, instead of defer, to populate res.Trailer

@@ -452,34 +452,52 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 }

-func upgradeType(h http.Header) string {
+func UpgradeType(h http.Header) string {
 	if !httpguts.HeaderValuesContainsToken(h["Connection"], "Upgrade") {
 		return ""
 	}
 	return h.Get("Upgrade")
 }

+// RemoveHopByHopHeaders removes hop-by-hop headers.
+func RemoveHopByHopHeaders(h http.Header) {
+	// RFC 7230, section 6.1: Remove headers listed in the "Connection" header.
+	for _, f := range h["Connection"] {
+		for _, sf := range strings.Split(f, ",") {
+			if sf = textproto.TrimString(sf); sf != "" {
+				h.Del(sf)
+			}
+		}
+	}
+	// RFC 2616, section 13.5.1: Remove a set of known hop-by-hop headers.
+	// This behavior is superseded by the RFC 7230 Connection header, but
+	// preserve it for backwards compatibility.
+	for _, f := range hopHeaders {
+		h.Del(f)
+	}
+}
+
 func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.Request, res *http.Response) {
-	reqUpType := upgradeType(req.Header)
-	resUpType := upgradeType(res.Header)
+	reqUpType := UpgradeType(req.Header)
+	resUpType := UpgradeType(res.Header)
 	if !IsPrint(resUpType) { // We know reqUpType is ASCII, it's checked by the caller.
-		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch to invalid protocol %q", resUpType))
+		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch to invalid protocol %q", resUpType), true)
 	}
 	if !strings.EqualFold(reqUpType, resUpType) {
-		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch protocol %q when %q was requested", resUpType, reqUpType))
+		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch protocol %q when %q was requested", resUpType, reqUpType), true)
 		return
 	}

 	backConn, ok := res.Body.(io.ReadWriteCloser)
 	if !ok {
-		p.errorHandler(rw, req, fmt.Errorf("internal error: 101 switching protocols response with non-writable body"))
+		p.errorHandler(rw, req, fmt.Errorf("internal error: 101 switching protocols response with non-writable body"), true)
 		return
 	}

 	rc := http.NewResponseController(rw)
 	conn, brw, hijackErr := rc.Hijack()
 	if errors.Is(hijackErr, http.ErrNotSupported) {
-		p.errorHandler(rw, req, fmt.Errorf("can't switch protocols using non-Hijacker ResponseWriter type %T", rw))
+		p.errorHandler(rw, req, fmt.Errorf("can't switch protocols using non-Hijacker ResponseWriter type %T", rw), true)
 		return
 	}

@@ -496,7 +514,7 @@ func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.R
 	defer close(backConnCloseCh)

 	if hijackErr != nil {
-		p.errorHandler(rw, req, fmt.Errorf("hijack failed on protocol switch: %w", hijackErr))
+		p.errorHandler(rw, req, fmt.Errorf("hijack failed on protocol switch: %w", hijackErr), true)
 		return
 	}
 	defer conn.Close()
@@ -506,11 +524,11 @@ func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.R
 	res.Header = rw.Header()
 	res.Body = nil // so res.Write only writes the headers; we have res.Body in backConn above
 	if err := res.Write(brw); err != nil {
-		p.errorHandler(rw, req, fmt.Errorf("response write: %s", err))
+		p.errorHandler(rw, req, fmt.Errorf("response write: %s", err), true)
 		return
 	}
 	if err := brw.Flush(); err != nil {
-		p.errorHandler(rw, req, fmt.Errorf("response flush: %s", err))
+		p.errorHandler(rw, req, fmt.Errorf("response flush: %s", err), true)
 		return
 	}
 	errc := make(chan error, 1)
--- a/internal/http/status_code.go
+++ b/internal/http/status_code.go
@@ -0,0 +1,7 @@
+package http
+
+import "net/http"
+
+func IsSuccess(status int) bool {
+	return status >= http.StatusOK && status < http.StatusMultipleChoices
+}
--- a/internal/models/autocert_config.go
+++ b/internal/models/autocert_config.go
--- a/internal/models/config.go
+++ b/internal/models/config.go
@@ -3,6 +3,8 @@ package model
 type Config struct {
 	Providers       ProxyProviders `yaml:",flow" json:"providers"`
 	AutoCert        AutoCertConfig `yaml:",flow" json:"autocert"`
+	ExplicitOnly    bool           `yaml:"explicit_only" json:"explicit_only"`
+	MatchDomains    []string       `yaml:"match_domains" json:"match_domains"`
 	TimeoutShutdown int            `yaml:"timeout_shutdown" json:"timeout_shutdown"`
 	RedirectToHTTPS bool           `yaml:"redirect_to_https" json:"redirect_to_https"`
 }
@@ -11,6 +13,6 @@ func DefaultConfig() *Config {
 	return &Config{
 		Providers:       ProxyProviders{},
 		TimeoutShutdown: 3,
-		RedirectToHTTPS: true,
+		RedirectToHTTPS: false,
 	}
 }
--- a/internal/models/proxy_providers.go
+++ b/internal/models/proxy_providers.go
--- a/internal/models/raw_entry.go
+++ b/internal/models/raw_entry.go
@@ -0,0 +1,151 @@
+package model
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	. "github.com/yusing/go-proxy/internal/common"
+	D "github.com/yusing/go-proxy/internal/docker"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+type (
+	RawEntry struct {
+		// raw entry object before validation
+		// loaded from docker labels or yaml file
+		Alias        string           `yaml:"-" json:"-"`
+		Scheme       string           `yaml:"scheme" json:"scheme"`
+		Host         string           `yaml:"host" json:"host"`
+		Port         string           `yaml:"port" json:"port"`
+		NoTLSVerify  bool             `yaml:"no_tls_verify" json:"no_tls_verify"` // https proxy only
+		PathPatterns []string         `yaml:"path_patterns" json:"path_patterns"` // http(s) proxy only
+		Middlewares  D.NestedLabelMap `yaml:"middlewares" json:"middlewares"`
+
+		/* Docker only */
+		*D.ProxyProperties `yaml:"-" json:"proxy_properties"`
+	}
+
+	RawEntries = F.Map[string, *RawEntry]
+)
+
+var NewProxyEntries = F.NewMapOf[string, *RawEntry]
+
+func (e *RawEntry) FillMissingFields() bool {
+	isDocker := e.ProxyProperties != nil
+	if !isDocker {
+		e.ProxyProperties = &D.ProxyProperties{}
+	}
+
+	lp, pp, extra := e.splitPorts()
+
+	if port, ok := ServiceNamePortMapTCP[e.ImageName]; ok {
+		if pp == "" {
+			pp = strconv.Itoa(port)
+		}
+		if e.Scheme == "" {
+			e.Scheme = "tcp"
+		}
+	} else if port, ok := ImageNamePortMap[e.ImageName]; ok {
+		if pp == "" {
+			pp = strconv.Itoa(port)
+		}
+		if e.Scheme == "" {
+			e.Scheme = "http"
+		}
+	} else if pp == "" && e.Scheme == "https" {
+		pp = "443"
+	} else if pp == "" {
+		if p, ok := F.FirstValueOf(e.PrivatePortMapping); ok {
+			pp = fmt.Sprint(p.PrivatePort)
+		} else {
+			pp = "80"
+		}
+	}
+
+	// replace private port with public port (if any)
+	if isDocker && e.NetworkMode != "host" {
+		if p, ok := e.PrivatePortMapping[pp]; ok {
+			pp = fmt.Sprint(p.PublicPort)
+		}
+		if _, ok := e.PublicPortMapping[pp]; !ok { // port is not exposed, but specified
+			// try to fallback to first public port
+			if p, ok := F.FirstValueOf(e.PublicPortMapping); ok {
+				pp = fmt.Sprint(p.PublicPort)
+			}
+			// ignore only if it is NOT RUNNING
+			// because stopped containers
+			// will have empty port mapping got from docker
+			if e.Running {
+				return false
+			}
+		}
+	}
+
+	if e.Scheme == "" && isDocker {
+		if p, ok := e.PublicPortMapping[pp]; ok && p.Type == "udp" {
+			e.Scheme = "udp"
+		}
+	}
+
+	if e.Scheme == "" {
+		if lp != "" {
+			e.Scheme = "tcp"
+		} else if strings.HasSuffix(pp, "443") {
+			e.Scheme = "https"
+		} else if _, ok := WellKnownHTTPPorts[pp]; ok {
+			e.Scheme = "http"
+		} else {
+			// assume its http
+			e.Scheme = "http"
+		}
+	}
+
+	if e.Host == "" {
+		e.Host = "localhost"
+	}
+	if e.IdleTimeout == "" {
+		e.IdleTimeout = IdleTimeoutDefault
+	}
+	if e.WakeTimeout == "" {
+		e.WakeTimeout = WakeTimeoutDefault
+	}
+	if e.StopTimeout == "" {
+		e.StopTimeout = StopTimeoutDefault
+	}
+	if e.StopMethod == "" {
+		e.StopMethod = StopMethodDefault
+	}
+
+	e.Port = joinPorts(lp, pp, extra)
+
+	return true
+}
+
+func (e *RawEntry) splitPorts() (lp string, pp string, extra string) {
+	portSplit := strings.Split(e.Port, ":")
+	if len(portSplit) == 1 {
+		pp = portSplit[0]
+	} else {
+		lp = portSplit[0]
+		pp = portSplit[1]
+	}
+	if len(portSplit) > 2 {
+		extra = strings.Join(portSplit[2:], ":")
+	}
+	return
+}
+
+func joinPorts(lp string, pp string, extra string) string {
+	s := make([]string, 0, 3)
+	if lp != "" {
+		s = append(s, lp)
+	}
+	if pp != "" {
+		s = append(s, pp)
+	}
+	if extra != "" {
+		s = append(s, extra)
+	}
+	return strings.Join(s, ":")
+}
--- a/internal/proxy/entry.go
+++ b/internal/proxy/entry.go
@@ -2,13 +2,13 @@ package proxy

 import (
 	"fmt"
-	"net/http"
 	"net/url"
 	"time"

-	E "github.com/yusing/go-proxy/error"
-	M "github.com/yusing/go-proxy/models"
-	T "github.com/yusing/go-proxy/proxy/fields"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	T "github.com/yusing/go-proxy/internal/proxy/fields"
 )

 type (
@@ -18,8 +18,7 @@ type (
 		URL          *url.URL
 		NoTLSVerify  bool
 		PathPatterns T.PathPatterns
-		SetHeaders   http.Header
-		HideHeaders  []string
+		Middlewares  D.NestedLabelMap

 		/* Docker only */
 		IdleTimeout      time.Duration
@@ -43,15 +42,18 @@ func (rp *ReverseProxyEntry) UseIdleWatcher() bool {
 	return rp.IdleTimeout > 0 && rp.DockerHost != ""
 }

-func ValidateEntry(m *M.ProxyEntry) (any, E.NestedError) {
-	m.SetDefaults()
+func ValidateEntry(m *M.RawEntry) (any, E.NestedError) {
+	if !m.FillMissingFields() {
+		return nil, E.Missing("fields")
+	}
+
 	scheme, err := T.NewScheme(m.Scheme)
 	if err.HasError() {
 		return nil, err
 	}

 	var entry any
-	e := E.NewBuilder("error validating proxy entry")
+	e := E.NewBuilder("error validating entry")
 	if scheme.IsStream() {
 		entry = validateStreamEntry(m, e)
 	} else {
@@ -63,7 +65,7 @@ func ValidateEntry(m *M.ProxyEntry) (any, E.NestedError) {
 	return entry, nil
 }

-func validateRPEntry(m *M.ProxyEntry, s T.Scheme, b E.Builder) *ReverseProxyEntry {
+func validateRPEntry(m *M.RawEntry, s T.Scheme, b E.Builder) *ReverseProxyEntry {
 	var stopTimeOut time.Duration

 	host, err := T.ValidateHost(m.Host)
@@ -75,9 +77,6 @@ func validateRPEntry(m *M.ProxyEntry, s T.Scheme, b E.Builder) *ReverseProxyEntr
 	pathPatterns, err := T.ValidatePathPatterns(m.PathPatterns)
 	b.Add(err)

-	setHeaders, err := T.ValidateHTTPHeaders(m.SetHeaders)
-	b.Add(err)
-
 	url, err := E.Check(url.Parse(fmt.Sprintf("%s://%s:%d", s, host, port)))
 	b.Add(err)

@@ -108,8 +107,7 @@ func validateRPEntry(m *M.ProxyEntry, s T.Scheme, b E.Builder) *ReverseProxyEntr
 		URL:              url,
 		NoTLSVerify:      m.NoTLSVerify,
 		PathPatterns:     pathPatterns,
-		SetHeaders:       setHeaders,
-		HideHeaders:      m.HideHeaders,
+		Middlewares:      m.Middlewares,
 		IdleTimeout:      idleTimeout,
 		WakeTimeout:      wakeTimeout,
 		StopMethod:       stopMethod,
@@ -121,7 +119,7 @@ func validateRPEntry(m *M.ProxyEntry, s T.Scheme, b E.Builder) *ReverseProxyEntr
 	}
 }

-func validateStreamEntry(m *M.ProxyEntry, b E.Builder) *StreamEntry {
+func validateStreamEntry(m *M.RawEntry, b E.Builder) *StreamEntry {
 	host, err := T.ValidateHost(m.Host)
 	b.Add(err)

--- a/internal/proxy/fields/alias.go
+++ b/internal/proxy/fields/alias.go
--- a/internal/proxy/fields/headers.go
+++ b/internal/proxy/fields/headers.go
@@ -4,7 +4,7 @@ import (
 	"net/http"
 	"strings"

-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 func ValidateHTTPHeaders(headers map[string]string) (http.Header, E.NestedError) {
--- a/internal/proxy/fields/host.go
+++ b/internal/proxy/fields/host.go
@@ -0,0 +1,12 @@
+package fields
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Host string
+type Subdomain = Alias
+
+func ValidateHost[String ~string](s String) (Host, E.NestedError) {
+	return Host(s), nil
+}
--- a/internal/proxy/fields/path_mode.go
+++ b/internal/proxy/fields/path_mode.go
@@ -1,7 +1,7 @@
 package fields

 import (
-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type PathMode string
--- a/internal/proxy/fields/path_pattern.go
+++ b/internal/proxy/fields/path_pattern.go
@@ -3,7 +3,7 @@ package fields
 import (
 	"regexp"

-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type PathPattern string
@@ -13,7 +13,7 @@ func NewPathPattern(s string) (PathPattern, E.NestedError) {
 	if len(s) == 0 {
 		return "", E.Invalid("path", "must not be empty")
 	}
-	if !pathPattern.MatchString(string(s)) {
+	if !pathPattern.MatchString(s) {
 		return "", E.Invalid("path pattern", s)
 	}
 	return PathPattern(s), nil
@@ -34,4 +34,4 @@ func ValidatePathPatterns(s []string) (PathPatterns, E.NestedError) {
 	return pp, nil
 }

-var pathPattern = regexp.MustCompile("^((GET|POST|DELETE|PUT|PATCH|HEAD|OPTIONS|CONNECT)\\s)?(/\\w*)+/?$")
+var pathPattern = regexp.MustCompile(`^(/[-\w./]*({\$\})?|((GET|POST|DELETE|PUT|HEAD|OPTION) /[-\w./]*({\$\})?))$`)
--- a/internal/proxy/fields/path_pattern_test.go
+++ b/internal/proxy/fields/path_pattern_test.go
@@ -0,0 +1,47 @@
+package fields
+
+import (
+	"testing"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	U "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var validPatterns = []string{
+	"/",
+	"/index.html",
+	"/somepage/",
+	"/drive/abc.mp4",
+	"/{$}",
+	"/some-page/{$}",
+	"GET /",
+	"GET /static/{$}",
+	"GET /drive/abc.mp4",
+	"GET /drive/abc.mp4/{$}",
+	"POST /auth",
+	"DELETE /user/",
+	"PUT /storage/id/",
+}
+
+var invalidPatterns = []string{
+	"/$",
+	"/{$}{$}",
+	"/{$}/{$}",
+	"/index.html$",
+	"get /",
+	"GET/",
+	"GET /$",
+	"GET /drive/{$}/abc.mp4/",
+	"OPTION /config/{$}/abc.conf/{$}",
+}
+
+func TestPathPatternRegex(t *testing.T) {
+	for _, pattern := range validPatterns {
+		_, err := NewPathPattern(pattern)
+		U.ExpectNoError(t, err.Error())
+	}
+	for _, pattern := range invalidPatterns {
+		_, err := NewPathPattern(pattern)
+		U.ExpectError2(t, pattern, E.ErrInvalid, err.Error())
+	}
+}
--- a/internal/proxy/fields/port.go
+++ b/internal/proxy/fields/port.go
@@ -0,0 +1,41 @@
+package fields
+
+import (
+	"strconv"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Port int
+
+func ValidatePort[String ~string](v String) (Port, E.NestedError) {
+	p, err := strconv.Atoi(string(v))
+	if err != nil {
+		return ErrPort, E.Invalid("port number", v).With(err)
+	}
+	return ValidatePortInt(p)
+}
+
+func ValidatePortInt[Int int | uint16](v Int) (Port, E.NestedError) {
+	p := Port(v)
+	if !p.inBound() {
+		return ErrPort, E.OutOfRange("port", p)
+	}
+	return p, nil
+}
+
+func (p Port) inBound() bool {
+	return p >= MinPort && p <= MaxPort
+}
+
+func (p Port) String() string {
+	return strconv.Itoa(int(p))
+}
+
+const (
+	MinPort  = 0
+	MaxPort  = 65535
+	ErrPort  = Port(-1)
+	NoPort   = Port(-1)
+	ZeroPort = Port(0)
+)
--- a/internal/proxy/fields/scheme.go
+++ b/internal/proxy/fields/scheme.go
@@ -1,12 +1,12 @@
 package fields

 import (
-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type Scheme string

-func NewScheme(s string) (Scheme, E.NestedError) {
+func NewScheme[String ~string](s String) (Scheme, E.NestedError) {
 	switch s {
 	case "http", "https", "tcp", "udp":
 		return Scheme(s), nil
--- a/internal/proxy/fields/signal.go
+++ b/internal/proxy/fields/signal.go
@@ -1,7 +1,7 @@
 package fields

 import (
-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type Signal string
--- a/internal/proxy/fields/stop_method.go
+++ b/internal/proxy/fields/stop_method.go
@@ -1,7 +1,7 @@
 package fields

 import (
-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type StopMethod string
--- a/internal/proxy/fields/stream_port.go
+++ b/internal/proxy/fields/stream_port.go
@@ -0,0 +1,56 @@
+package fields
+
+import (
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type StreamPort struct {
+	ListeningPort Port `json:"listening"`
+	ProxyPort     Port `json:"proxy"`
+}
+
+func ValidateStreamPort(p string) (StreamPort, E.NestedError) {
+	split := strings.Split(p, ":")
+
+	switch len(split) {
+	case 1:
+		split = []string{"0", split[0]}
+	case 2:
+		break
+	default:
+		return ErrStreamPort, E.Invalid("stream port", p).With("too many colons")
+	}
+
+	listeningPort, err := ValidatePort(split[0])
+	if err != nil {
+		return ErrStreamPort, err.Subject("listening port")
+	}
+
+	proxyPort, err := ValidatePort(split[1])
+
+	if err.Is(E.ErrOutOfRange) {
+		return ErrStreamPort, err.Subject("proxy port")
+	} else if proxyPort == 0 {
+		return ErrStreamPort, E.Invalid("proxy port", p)
+	} else if err != nil {
+		proxyPort, err = parseNameToPort(split[1])
+		if err != nil {
+			return ErrStreamPort, E.Invalid("proxy port", proxyPort)
+		}
+	}
+
+	return StreamPort{listeningPort, proxyPort}, nil
+}
+
+func parseNameToPort(name string) (Port, E.NestedError) {
+	port, ok := common.ServiceNamePortMapTCP[name]
+	if !ok {
+		return ErrPort, E.Invalid("service", name)
+	}
+	return Port(port), nil
+}
+
+var ErrStreamPort = StreamPort{ErrPort, ErrPort}
--- a/internal/proxy/fields/stream_port_test.go
+++ b/internal/proxy/fields/stream_port_test.go
@@ -0,0 +1,48 @@
+package fields
+
+import (
+	"testing"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var validPorts = []string{
+	"1234:5678",
+	"0:2345",
+	"2345",
+	"1234:postgres",
+}
+
+var invalidPorts = []string{
+	"",
+	"123:",
+	"0:",
+	":1234",
+	"1234:1234:1234",
+	"qwerty",
+	"asdfgh:asdfgh",
+	"1234:asdfgh",
+}
+
+var outOfRangePorts = []string{
+	"-1:1234",
+	"1234:-1",
+	"65536",
+	"0:65536",
+}
+
+func TestStreamPort(t *testing.T) {
+	for _, port := range validPorts {
+		_, err := ValidateStreamPort(port)
+		ExpectNoError(t, err.Error())
+	}
+	for _, port := range invalidPorts {
+		_, err := ValidateStreamPort(port)
+		ExpectError2(t, port, E.ErrInvalid, err.Error())
+	}
+	for _, port := range outOfRangePorts {
+		_, err := ValidateStreamPort(port)
+		ExpectError2(t, port, E.ErrOutOfRange, err.Error())
+	}
+}
--- a/internal/proxy/fields/stream_scheme.go
+++ b/internal/proxy/fields/stream_scheme.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"

-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 type StreamScheme struct {
@@ -32,7 +32,7 @@ func ValidateStreamScheme(s string) (ss *StreamScheme, err E.NestedError) {
 }

 func (s StreamScheme) String() string {
-	return fmt.Sprintf("%s -> %s", s.ListeningScheme, s.ProxyScheme)
+	return fmt.Sprintf("%s:%s", s.ListeningScheme, s.ProxyScheme)
 }

 // IsCoherent checks if the ListeningScheme and ProxyScheme of the StreamScheme are equal.
--- a/internal/proxy/fields/timeout.go
+++ b/internal/proxy/fields/timeout.go
@@ -3,7 +3,7 @@ package fields
 import (
 	"time"

-	E "github.com/yusing/go-proxy/error"
+	E "github.com/yusing/go-proxy/internal/error"
 )

 func ValidateDurationPostitive(value string) (time.Duration, E.NestedError) {
--- a/src/proxy/provider/docker_provider.go
+++ b/src/proxy/provider/docker_provider.go
@@ -1,25 +1,37 @@
 package provider

 import (
+	"fmt"
 	"regexp"
 	"strconv"
 	"strings"

-	D "github.com/yusing/go-proxy/docker"
-	E "github.com/yusing/go-proxy/error"
-	M "github.com/yusing/go-proxy/models"
-	R "github.com/yusing/go-proxy/route"
-	W "github.com/yusing/go-proxy/watcher"
+	"github.com/sirupsen/logrus"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	R "github.com/yusing/go-proxy/internal/route"
+	W "github.com/yusing/go-proxy/internal/watcher"
 )

 type DockerProvider struct {
 	dockerHost, hostname string
+	ExplicitOnly         bool
 }

-var AliasRefRegex = regexp.MustCompile(`\$\d+`)
+var AliasRefRegex = regexp.MustCompile(`#\d+`)
+var AliasRefRegexOld = regexp.MustCompile(`\$\d+`)

-func DockerProviderImpl(dockerHost string) ProviderImpl {
-	return &DockerProvider{dockerHost: dockerHost}
+func DockerProviderImpl(dockerHost string, explicitOnly bool) (ProviderImpl, E.NestedError) {
+	hostname, err := D.ParseDockerHostname(dockerHost)
+	if err.HasError() {
+		return nil, err
+	}
+	return &DockerProvider{dockerHost, hostname, explicitOnly}, nil
+}
+
+func (p *DockerProvider) String() string {
+	return fmt.Sprintf("docker:%s", p.dockerHost)
 }

 func (p *DockerProvider) NewWatcher() W.Watcher {
@@ -27,6 +39,7 @@ func (p *DockerProvider) NewWatcher() W.Watcher {
 }

 func (p *DockerProvider) LoadRoutesImpl() (routes R.Routes, err E.NestedError) {
+	routes = R.NewRoutes()
 	entries := M.NewProxyEntries()

 	info, err := D.GetClientInfo(p.dockerHost, true)
@@ -50,12 +63,12 @@ func (p *DockerProvider) LoadRoutesImpl() (routes R.Routes, err E.NestedError) {
 		// there may be some valid entries in `en`
 		dups := entries.MergeFrom(newEntries)
 		// add the duplicate proxy entries to the error
-		dups.RangeAll(func(k string, v *M.ProxyEntry) {
+		dups.RangeAll(func(k string, v *M.RawEntry) {
 			errors.Addf("duplicate alias %s", k)
 		})
 	}

-	entries.RangeAll(func(_ string, e *M.ProxyEntry) {
+	entries.RangeAll(func(_ string, e *M.RawEntry) {
 		e.DockerHost = p.dockerHost
 	})

@@ -91,9 +104,9 @@ func (p *DockerProvider) OnEvent(event W.Event, routes R.Routes) (res EventResul
 	entries, err := p.entriesFromContainerLabels(cont)
 	b.Add(err)

-	entries.RangeAll(func(alias string, entry *M.ProxyEntry) {
+	entries.RangeAll(func(alias string, entry *M.RawEntry) {
 		if routes.Has(alias) {
-			b.Add(E.AlreadyExist("alias", alias))
+			b.Add(E.Duplicated("alias", alias))
 		} else {
 			if route, err := R.NewRoute(entry); err.HasError() {
 				b.Add(err)
@@ -110,12 +123,17 @@ func (p *DockerProvider) OnEvent(event W.Event, routes R.Routes) (res EventResul

 // Returns a list of proxy entries for a container.
 // Always non-nil
-func (p *DockerProvider) entriesFromContainerLabels(container D.Container) (M.ProxyEntries, E.NestedError) {
-	entries := M.NewProxyEntries()
+func (p *DockerProvider) entriesFromContainerLabels(container D.Container) (entries M.RawEntries, _ E.NestedError) {
+	entries = M.NewProxyEntries()
+
+	if container.IsExcluded ||
+		!container.IsExplicit && p.ExplicitOnly {
+		return
+	}

 	// init entries map for all aliases
 	for _, a := range container.Aliases {
-		entries.Store(a, &M.ProxyEntry{
+		entries.Store(a, &M.RawEntry{
 			Alias:           a,
 			Host:            p.hostname,
 			ProxyProperties: container.ProxyProperties,
@@ -127,34 +145,32 @@ func (p *DockerProvider) entriesFromContainerLabels(container D.Container) (M.Pr
 		errors.Add(p.applyLabel(container, entries, key, val))
 	}

-	// selecting correct host port
-	if container.HostConfig.NetworkMode != "host" {
-		for _, a := range container.Aliases {
-			entry, ok := entries.Load(a)
-			if !ok {
-				continue
-			}
-			for _, p := range container.Ports {
-				containerPort := strconv.Itoa(int(p.PrivatePort))
-				publicPort := strconv.Itoa(int(p.PublicPort))
-				entryPortSplit := strings.Split(entry.Port, ":")
-				if len(entryPortSplit) == 2 && entryPortSplit[1] == containerPort {
-					entryPortSplit[1] = publicPort
-				} else if entryPortSplit[0] == containerPort {
-					entryPortSplit[0] = publicPort
-				}
-				entry.Port = strings.Join(entryPortSplit, ":")
-			}
-		}
-	}
+	// remove all entries that failed to fill in missing fields
+	entries.RemoveAll(func(re *M.RawEntry) bool {
+		return !re.FillMissingFields()
+	})

 	return entries, errors.Build().Subject(container.ContainerName)
 }

-func (p *DockerProvider) applyLabel(container D.Container, entries M.ProxyEntries, key, val string) (res E.NestedError) {
+func (p *DockerProvider) applyLabel(container D.Container, entries M.RawEntries, key, val string) (res E.NestedError) {
 	b := E.NewBuilder("errors in label %s", key)
 	defer b.To(&res)

+	refErr := E.NewBuilder("errors parsing alias references")
+	replaceIndexRef := func(ref string) string {
+		index, err := strconv.Atoi(ref[1:])
+		if err != nil {
+			refErr.Add(E.Invalid("integer", ref))
+			return ref
+		}
+		if index < 1 || index > len(container.Aliases) {
+			refErr.Add(E.OutOfRange("index", ref))
+			return ref
+		}
+		return container.Aliases[index-1]
+	}
+
 	lbl, err := D.ParseLabel(key, val)
 	if err.HasError() {
 		b.Add(err.Subject(key))
@@ -164,24 +180,16 @@ func (p *DockerProvider) applyLabel(container D.Container, entries M.ProxyEntrie
 	}
 	if lbl.Target == D.WildcardAlias {
 		// apply label for all aliases
-		entries.RangeAll(func(a string, e *M.ProxyEntry) {
+		entries.RangeAll(func(a string, e *M.RawEntry) {
 			if err = D.ApplyLabel(e, lbl); err.HasError() {
-				b.Add(err.Subject(lbl.Target))
+				b.Add(err.Subjectf("alias %s", lbl.Target))
 			}
 		})
 	} else {
-		refErr := E.NewBuilder("errors parsing alias references")
-		lbl.Target = AliasRefRegex.ReplaceAllStringFunc(lbl.Target, func(ref string) string {
-			index, err := strconv.Atoi(ref[1:])
-			if err != nil {
-				refErr.Add(E.Invalid("integer", ref))
-				return ref
-			}
-			if index < 1 || index > len(container.Aliases) {
-				refErr.Add(E.Invalid("index", ref).Extraf("index out of range"))
-				return ref
-			}
-			return container.Aliases[index-1]
+		lbl.Target = AliasRefRegex.ReplaceAllStringFunc(lbl.Target, replaceIndexRef)
+		lbl.Target = AliasRefRegexOld.ReplaceAllStringFunc(lbl.Target, func(s string) string {
+			logrus.Warnf("%q should now be %q, old syntax will be removed in a future version", lbl, strings.ReplaceAll(lbl.String(), "$", "#"))
+			return replaceIndexRef(s)
 		})
 		if refErr.HasError() {
 			b.Add(refErr.Build())
@@ -193,7 +201,7 @@ func (p *DockerProvider) applyLabel(container D.Container, entries M.ProxyEntrie
 			return
 		}
 		if err = D.ApplyLabel(config, lbl); err.HasError() {
-			b.Add(err.Subject(lbl.Target))
+			b.Add(err.Subjectf("alias %s", lbl.Target))
 		}
 	}
 	return
--- a/internal/proxy/provider/docker_test.go
+++ b/internal/proxy/provider/docker_test.go
@@ -0,0 +1,307 @@
+package provider
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/yusing/go-proxy/internal/common"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	P "github.com/yusing/go-proxy/internal/proxy"
+	T "github.com/yusing/go-proxy/internal/proxy/fields"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var dummyNames = []string{"/a"}
+
+func TestApplyLabelFieldValidity(t *testing.T) {
+	pathPatterns := `
+- /
+- POST /upload/{$}
+- GET /static
+`[1:]
+	pathPatternsExpect := []string{
+		"/",
+		"POST /upload/{$}",
+		"GET /static",
+	}
+	middlewaresExpect := D.NestedLabelMap{
+		"middleware1": {
+			"prop1": "value1",
+			"prop2": "value2",
+		},
+		"middleware2": {
+			"prop3": "value3",
+			"prop4": "value4",
+		},
+	}
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:                          "a,b",
+			D.LabelIdleTimeout:                      common.IdleTimeoutDefault,
+			D.LabelStopMethod:                       common.StopMethodDefault,
+			D.LabelStopSignal:                       "SIGTERM",
+			D.LabelStopTimeout:                      common.StopTimeoutDefault,
+			D.LabelWakeTimeout:                      common.WakeTimeoutDefault,
+			"proxy.*.no_tls_verify":                 "true",
+			"proxy.*.scheme":                        "https",
+			"proxy.*.host":                          "app",
+			"proxy.*.port":                          "4567",
+			"proxy.a.no_tls_verify":                 "true",
+			"proxy.a.path_patterns":                 pathPatterns,
+			"proxy.a.middlewares.middleware1.prop1": "value1",
+			"proxy.a.middlewares.middleware1.prop2": "value2",
+			"proxy.a.middlewares.middleware2.prop3": "value3",
+			"proxy.a.middlewares.middleware2.prop4": "value4",
+		},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 4567, PublicPort: 8888},
+		}}, ""))
+	ExpectNoError(t, err.Error())
+
+	a, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+	b, ok := entries.Load("b")
+	ExpectTrue(t, ok)
+
+	ExpectEqual(t, a.Scheme, "https")
+	ExpectEqual(t, b.Scheme, "https")
+
+	ExpectEqual(t, a.Host, "app")
+	ExpectEqual(t, b.Host, "app")
+
+	ExpectEqual(t, a.Port, "8888")
+	ExpectEqual(t, b.Port, "8888")
+
+	ExpectTrue(t, a.NoTLSVerify)
+	ExpectTrue(t, b.NoTLSVerify)
+
+	ExpectDeepEqual(t, a.PathPatterns, pathPatternsExpect)
+	ExpectEqual(t, len(b.PathPatterns), 0)
+
+	ExpectDeepEqual(t, a.Middlewares, middlewaresExpect)
+	ExpectEqual(t, len(b.Middlewares), 0)
+
+	ExpectEqual(t, a.IdleTimeout, common.IdleTimeoutDefault)
+	ExpectEqual(t, b.IdleTimeout, common.IdleTimeoutDefault)
+
+	ExpectEqual(t, a.StopTimeout, common.StopTimeoutDefault)
+	ExpectEqual(t, b.StopTimeout, common.StopTimeoutDefault)
+
+	ExpectEqual(t, a.StopMethod, common.StopMethodDefault)
+	ExpectEqual(t, b.StopMethod, common.StopMethodDefault)
+
+	ExpectEqual(t, a.WakeTimeout, common.WakeTimeoutDefault)
+	ExpectEqual(t, b.WakeTimeout, common.WakeTimeoutDefault)
+
+	ExpectEqual(t, a.StopSignal, "SIGTERM")
+	ExpectEqual(t, b.StopSignal, "SIGTERM")
+}
+
+func TestApplyLabel(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a,b,c",
+			"proxy.a.no_tls_verify": "true",
+			"proxy.a.port":          "3333",
+			"proxy.b.port":          "1234",
+			"proxy.c.scheme":        "https",
+		},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 3333, PublicPort: 1111},
+			{Type: "tcp", PrivatePort: 4444, PublicPort: 1234},
+		}}, "",
+	))
+	a, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+	b, ok := entries.Load("b")
+	ExpectTrue(t, ok)
+	c, ok := entries.Load("c")
+	ExpectTrue(t, ok)
+
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, a.Scheme, "http")
+	ExpectEqual(t, a.Port, "1111")
+	ExpectEqual(t, a.NoTLSVerify, true)
+	ExpectEqual(t, b.Scheme, "http")
+	ExpectEqual(t, b.Port, "1234")
+	ExpectEqual(t, c.Scheme, "https")
+	// map does not necessary follow the order above
+	ExpectEqualAny(t, c.Port, []string{"1111", "1234"})
+}
+
+func TestApplyLabelWithRef(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:    "a,b,c",
+			"proxy.#1.host":   "localhost",
+			"proxy.#1.port":   "4444",
+			"proxy.#2.port":   "9999",
+			"proxy.#3.port":   "1111",
+			"proxy.#3.scheme": "https",
+		},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 3333, PublicPort: 9999},
+			{Type: "tcp", PrivatePort: 4444, PublicPort: 5555},
+			{Type: "tcp", PrivatePort: 1111, PublicPort: 2222},
+		}}, ""))
+	a, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+	b, ok := entries.Load("b")
+	ExpectTrue(t, ok)
+	c, ok := entries.Load("c")
+	ExpectTrue(t, ok)
+
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, a.Scheme, "http")
+	ExpectEqual(t, a.Host, "localhost")
+	ExpectEqual(t, a.Port, "5555")
+	ExpectEqual(t, b.Port, "9999")
+	ExpectEqual(t, c.Scheme, "https")
+	ExpectEqual(t, c.Port, "2222")
+}
+
+func TestApplyLabelWithRefIndexError(t *testing.T) {
+	var p DockerProvider
+	var c = D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:    "a,b",
+			"proxy.#1.host":   "localhost",
+			"proxy.#4.scheme": "https",
+		}}, "")
+	_, err := p.entriesFromContainerLabels(c)
+	ExpectError(t, E.ErrOutOfRange, err.Error())
+	ExpectTrue(t, strings.Contains(err.String(), "index out of range"))
+
+	_, err = p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:  "a,b",
+			"proxy.#0.host": "localhost",
+		}}, ""))
+	ExpectError(t, E.ErrOutOfRange, err.Error())
+	ExpectTrue(t, strings.Contains(err.String(), "index out of range"))
+}
+
+func TestStreamDefaultValues(t *testing.T) {
+	var p DockerProvider
+	var c = D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a",
+			"proxy.*.no_tls_verify": "true",
+		},
+		Ports: []types.Port{
+			{Type: "udp", PrivatePort: 1234, PublicPort: 5678},
+		}}, "",
+	)
+	entries, err := p.entriesFromContainerLabels(c)
+	ExpectNoError(t, err.Error())
+
+	raw, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+
+	entry, err := P.ValidateEntry(raw)
+	ExpectNoError(t, err.Error())
+
+	a := ExpectType[*P.StreamEntry](t, entry)
+	ExpectEqual(t, a.Scheme.ListeningScheme, T.Scheme("udp"))
+	ExpectEqual(t, a.Scheme.ProxyScheme, T.Scheme("udp"))
+	ExpectEqual(t, a.Port.ListeningPort, 0)
+	ExpectEqual(t, a.Port.ProxyPort, 5678)
+}
+
+func TestExplicitExclude(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a",
+			D.LabelExclude:          "true",
+			"proxy.a.no_tls_verify": "true",
+		}}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("a")
+	ExpectFalse(t, ok)
+}
+
+func TestImplicitExclude(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a",
+			"proxy.a.no_tls_verify": "true",
+		},
+		State: "running",
+	}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("a")
+	ExpectFalse(t, ok)
+}
+
+func TestImplicitExcludeNoExposedPort(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Image: "redis",
+		Names: []string{"redis"},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 6379, PublicPort: 0}, // not exposed
+		},
+		State: "running",
+	}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("redis")
+	ExpectFalse(t, ok)
+}
+
+func TestNotExcludeSpecifiedPort(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Image: "redis",
+		Names: []string{"redis"},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 6379, PublicPort: 0}, // not exposed
+		},
+		Labels: map[string]string{
+			"proxy.redis.port": "6379:6379", // but specified in label
+		},
+	}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("redis")
+	ExpectTrue(t, ok)
+}
+
+func TestNotExcludeNonExposedPortHostNetwork(t *testing.T) {
+	var p DockerProvider
+	cont := &types.Container{
+		Image: "redis",
+		Names: []string{"redis"},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 6379, PublicPort: 0}, // not exposed
+		},
+		Labels: map[string]string{
+			"proxy.redis.port": "6379:6379",
+		},
+	}
+	cont.HostConfig.NetworkMode = "host"
+
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(cont, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("redis")
+	ExpectTrue(t, ok)
+}
--- a/src/proxy/provider/file_provider.go
+++ b/src/proxy/provider/file_provider.go
@@ -1,15 +1,16 @@
 package provider

 import (
+	"errors"
 	"os"
 	"path"

-	"github.com/yusing/go-proxy/common"
-	E "github.com/yusing/go-proxy/error"
-	M "github.com/yusing/go-proxy/models"
-	R "github.com/yusing/go-proxy/route"
-	U "github.com/yusing/go-proxy/utils"
-	W "github.com/yusing/go-proxy/watcher"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	R "github.com/yusing/go-proxy/internal/route"
+	U "github.com/yusing/go-proxy/internal/utils"
+	W "github.com/yusing/go-proxy/internal/watcher"
 )

 type FileProvider struct {
@@ -17,15 +18,28 @@ type FileProvider struct {
 	path     string
 }

-func FileProviderImpl(filename string) ProviderImpl {
-	return &FileProvider{
+func FileProviderImpl(filename string) (ProviderImpl, E.NestedError) {
+	impl := &FileProvider{
 		fileName: filename,
 		path:     path.Join(common.ConfigBasePath, filename),
 	}
+	_, err := os.Stat(impl.path)
+	switch {
+	case err == nil:
+		return impl, nil
+	case errors.Is(err, os.ErrNotExist):
+		return nil, E.NotExist("file", impl.path)
+	default:
+		return nil, E.UnexpectedError(err)
+	}
 }

 func Validate(data []byte) E.NestedError {
-	return U.ValidateYaml(U.GetSchema(common.ProvidersSchemaPath), data)
+	return U.ValidateYaml(U.GetSchema(common.FileProviderSchemaPath), data)
+}
+
+func (p FileProvider) String() string {
+	return p.fileName
 }

 func (p FileProvider) OnEvent(event W.Event, routes R.Routes) (res EventResult) {
@@ -52,6 +66,8 @@ func (p FileProvider) OnEvent(event W.Event, routes R.Routes) (res EventResult)
 }

 func (p *FileProvider) LoadRoutesImpl() (routes R.Routes, res E.NestedError) {
+	routes = R.NewRoutes()
+
 	b := E.NewBuilder("file %q validation failure", p.fileName)
 	defer b.To(&res)

@@ -78,5 +94,5 @@ func (p *FileProvider) LoadRoutesImpl() (routes R.Routes, res E.NestedError) {
 }

 func (p *FileProvider) NewWatcher() W.Watcher {
-	return W.NewFileWatcher(p.fileName)
+	return W.NewConfigFileWatcher(p.fileName)
 }
--- a/internal/proxy/provider/provider.go
+++ b/internal/proxy/provider/provider.go
@@ -2,18 +2,17 @@ package provider

 import (
 	"context"
-	"fmt"
 	"path"

 	"github.com/sirupsen/logrus"
-	E "github.com/yusing/go-proxy/error"
-	R "github.com/yusing/go-proxy/route"
-	W "github.com/yusing/go-proxy/watcher"
+	E "github.com/yusing/go-proxy/internal/error"
+	R "github.com/yusing/go-proxy/internal/route"
+	W "github.com/yusing/go-proxy/internal/watcher"
 )

 type (
 	Provider struct {
-		ProviderImpl
+		ProviderImpl `json:"-"`

 		name   string
 		t      ProviderType
@@ -27,8 +26,10 @@ type (
 	}
 	ProviderImpl interface {
 		NewWatcher() W.Watcher
+		// even returns error, routes must be non-nil
 		LoadRoutesImpl() (R.Routes, E.NestedError)
 		OnEvent(event W.Event, routes R.Routes) EventResult
+		String() string
 	}
 	ProviderType string
 	EventResult  struct {
@@ -53,19 +54,37 @@ func newProvider(name string, t ProviderType) *Provider {
 	return p
 }

-func NewFileProvider(filename string) *Provider {
+func NewFileProvider(filename string) (p *Provider, err E.NestedError) {
 	name := path.Base(filename)
-	p := newProvider(name, ProviderTypeFile)
-	p.ProviderImpl = FileProviderImpl(filename)
+	if name == "" {
+		return nil, E.Invalid("file name", "empty")
+	}
+	p = newProvider(name, ProviderTypeFile)
+	p.ProviderImpl, err = FileProviderImpl(filename)
+	if err != nil {
+		return nil, err
+	}
 	p.watcher = p.NewWatcher()
-	return p
+	return
 }

-func NewDockerProvider(name string, dockerHost string) *Provider {
-	p := newProvider(name, ProviderTypeDocker)
-	p.ProviderImpl = DockerProviderImpl(dockerHost)
+func NewDockerProvider(name string, dockerHost string) (p *Provider, err E.NestedError) {
+	if name == "" {
+		return nil, E.Invalid("provider name", "empty")
+	}
+	explicitOnly := false
+	if name[len(name)-1] == '!' {
+		explicitOnly = true
+		name = name[:len(name)-1]
+	}
+
+	p = newProvider(name, ProviderTypeDocker)
+	p.ProviderImpl, err = DockerProviderImpl(dockerHost, explicitOnly)
+	if err != nil {
+		return nil, err
+	}
 	p.watcher = p.NewWatcher()
-	return p
+	return
 }

 func (p *Provider) GetName() string {
@@ -76,8 +95,9 @@ func (p *Provider) GetType() ProviderType {
 	return p.t
 }

-func (p *Provider) String() string {
-	return fmt.Sprintf("%s-%s", p.t, p.name)
+// to work with json marshaller
+func (p *Provider) MarshalText() ([]byte, error) {
+	return []byte(p.String()), nil
 }

 func (p *Provider) StartAllRoutes() (res E.NestedError) {
@@ -85,7 +105,6 @@ func (p *Provider) StartAllRoutes() (res E.NestedError) {
 	defer errors.To(&res)

 	// start watcher no matter load success or not
-	p.watcherCtx, p.watcherCancel = context.WithCancel(context.Background())
 	go p.watchEvents()

 	nStarted := 0
@@ -136,15 +155,17 @@ func (p *Provider) GetRoute(alias string) (R.Route, bool) {
 }

 func (p *Provider) LoadRoutes() E.NestedError {
-	routes, err := p.LoadRoutesImpl()
-	if err != nil {
+	var err E.NestedError
+	p.routes, err = p.LoadRoutesImpl()
+	if p.routes.Size() > 0 {
+		p.l.Infof("loaded %d routes", p.routes.Size())
 		return err
 	}
-	p.routes = routes
-	return nil
+	return E.FailWith("loading routes", err)
 }

 func (p *Provider) watchEvents() {
+	p.watcherCtx, p.watcherCancel = context.WithCancel(context.Background())
 	events, errs := p.watcher.Events(p.watcherCtx)
 	l := p.l.WithField("module", "watcher")

@@ -152,21 +173,15 @@ func (p *Provider) watchEvents() {
 		select {
 		case <-p.watcherCtx.Done():
 			return
-		case event, ok := <-events:
-			if !ok { // channel closed
-				return
-			}
+		case event := <-events:
 			res := p.OnEvent(event, p.routes)
 			l.Infof("%s event %q", event.Type, event)
 			l.Infof("%d route added, %d routes removed", res.nAdded, res.nRemoved)
 			if res.err.HasError() {
 				l.Error(res.err)
 			}
-		case err, ok := <-errs:
-			if !ok {
-				return
-			}
-			if err.Is(context.Canceled) {
+		case err := <-errs:
+			if err == nil || err.Is(context.Canceled) {
 				continue
 			}
 			l.Errorf("watcher error: %s", err)
--- a/internal/route/constants.go
+++ b/internal/route/constants.go
@@ -4,5 +4,5 @@ import (
 	"time"
 )

-const udpBufferSize = 1500
+const udpBufferSize = 8192
 const streamStopListenTimeout = 1 * time.Second
--- a/internal/route/http.go
+++ b/internal/route/http.go
@@ -0,0 +1,226 @@
+package route
+
+import (
+	"fmt"
+	"sync"
+
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"github.com/yusing/go-proxy/internal/api/v1/error_page"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/docker/idlewatcher"
+	E "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/http"
+	P "github.com/yusing/go-proxy/internal/proxy"
+	PT "github.com/yusing/go-proxy/internal/proxy/fields"
+	"github.com/yusing/go-proxy/internal/route/middleware"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+type (
+	HTTPRoute struct {
+		Alias        PT.Alias        `json:"alias"`
+		TargetURL    *URL            `json:"target_url"`
+		PathPatterns PT.PathPatterns `json:"path_patterns"`
+
+		entry   *P.ReverseProxyEntry
+		mux     *http.ServeMux
+		handler *ReverseProxy
+
+		regIdleWatcher   func() E.NestedError
+		unregIdleWatcher func()
+	}
+
+	URL          url.URL
+	SubdomainKey = PT.Alias
+)
+
+var (
+	findMuxFunc = findMuxAnyDomain
+
+	httpRoutes   = F.NewMapOf[SubdomainKey, *HTTPRoute]()
+	httpRoutesMu sync.Mutex
+	globalMux    = http.NewServeMux() // TODO: support regex subdomain matching
+)
+
+func SetFindMuxDomains(domains []string) {
+	if len(domains) == 0 {
+		findMuxFunc = findMuxAnyDomain
+	} else {
+		findMuxFunc = findMuxByDomains(domains)
+	}
+}
+
+func NewHTTPRoute(entry *P.ReverseProxyEntry) (*HTTPRoute, E.NestedError) {
+	var trans *http.Transport
+	var regIdleWatcher func() E.NestedError
+	var unregIdleWatcher func()
+
+	if entry.NoTLSVerify {
+		trans = common.DefaultTransportNoTLS.Clone()
+	} else {
+		trans = common.DefaultTransport.Clone()
+	}
+
+	rp := NewReverseProxy(entry.URL, trans)
+
+	if len(entry.Middlewares) > 0 {
+		err := middleware.PatchReverseProxy(rp, entry.Middlewares)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if entry.UseIdleWatcher() {
+		// allow time for response header up to `WakeTimeout`
+		if entry.WakeTimeout > trans.ResponseHeaderTimeout {
+			trans.ResponseHeaderTimeout = entry.WakeTimeout
+		}
+		regIdleWatcher = func() E.NestedError {
+			watcher, err := idlewatcher.Register(entry)
+			if err.HasError() {
+				return err
+			}
+			// patch round-tripper
+			rp.Transport = watcher.PatchRoundTripper(trans)
+			return nil
+		}
+		unregIdleWatcher = func() {
+			idlewatcher.Unregister(entry.ContainerName)
+			rp.Transport = trans
+		}
+	}
+
+	httpRoutesMu.Lock()
+	defer httpRoutesMu.Unlock()
+
+	_, exists := httpRoutes.Load(entry.Alias)
+	if exists {
+		return nil, E.Duplicated("HTTPRoute alias", entry.Alias)
+	}
+
+	r := &HTTPRoute{
+		Alias:            entry.Alias,
+		TargetURL:        (*URL)(entry.URL),
+		PathPatterns:     entry.PathPatterns,
+		entry:            entry,
+		handler:          rp,
+		regIdleWatcher:   regIdleWatcher,
+		unregIdleWatcher: unregIdleWatcher,
+	}
+	return r, nil
+}
+
+func (r *HTTPRoute) String() string {
+	return string(r.Alias)
+}
+
+func (r *HTTPRoute) Start() E.NestedError {
+	if r.mux != nil {
+		return nil
+	}
+
+	httpRoutesMu.Lock()
+	defer httpRoutesMu.Unlock()
+
+	if r.regIdleWatcher != nil {
+		if err := r.regIdleWatcher(); err.HasError() {
+			r.unregIdleWatcher = nil
+			return err
+		}
+	}
+
+	r.mux = http.NewServeMux()
+	for _, p := range r.PathPatterns {
+		r.mux.HandleFunc(string(p), r.handler.ServeHTTP)
+	}
+
+	httpRoutes.Store(r.Alias, r)
+	return nil
+}
+
+func (r *HTTPRoute) Stop() E.NestedError {
+	if r.mux == nil {
+		return nil
+	}
+
+	httpRoutesMu.Lock()
+	defer httpRoutesMu.Unlock()
+
+	if r.unregIdleWatcher != nil {
+		r.unregIdleWatcher()
+		r.unregIdleWatcher = nil
+	}
+
+	r.mux = nil
+	httpRoutes.Delete(r.Alias)
+	return nil
+}
+
+func (u *URL) String() string {
+	return (*url.URL)(u).String()
+}
+
+func (u *URL) MarshalText() (text []byte, err error) {
+	return []byte(u.String()), nil
+}
+
+func ProxyHandler(w http.ResponseWriter, r *http.Request) {
+	mux, err := findMuxFunc(r.Host)
+	if err != nil {
+		if !middleware.ServeStaticErrorPageFile(w, r) {
+			logrus.Error(E.Failure("request").
+				Subjectf("%s %s", r.Method, r.URL.String()).
+				With(err))
+			errorPage, ok := error_page.GetErrorPageByStatus(http.StatusNotFound)
+			if ok {
+				w.WriteHeader(http.StatusNotFound)
+				w.Header().Set("Content-Type", "text/html; charset=utf-8")
+				w.Write(errorPage)
+			} else {
+				http.Error(w, err.Error(), http.StatusNotFound)
+			}
+		}
+		return
+	}
+	mux.ServeHTTP(w, r)
+}
+
+func findMuxAnyDomain(host string) (*http.ServeMux, error) {
+	hostSplit := strings.Split(host, ".")
+	n := len(hostSplit)
+	if n <= 2 {
+		return nil, fmt.Errorf("missing subdomain in url")
+	}
+	sd := strings.Join(hostSplit[:n-2], ".")
+	if r, ok := httpRoutes.Load(PT.Alias(sd)); ok {
+		return r.mux, nil
+	}
+	return nil, fmt.Errorf("no such route: %s", sd)
+}
+
+func findMuxByDomains(domains []string) func(host string) (*http.ServeMux, error) {
+	return func(host string) (*http.ServeMux, error) {
+		var subdomain string
+
+		for _, domain := range domains {
+			if !strings.HasPrefix(domain, ".") {
+				domain = "." + domain
+			}
+			subdomain = strings.TrimSuffix(host, domain)
+			if len(subdomain) < len(host) {
+				break
+			}
+		}
+		if len(subdomain) == len(host) { // not matched
+			return nil, fmt.Errorf("%s does not match any base domain", host)
+		}
+		if r, ok := httpRoutes.Load(PT.Alias(subdomain)); ok {
+			return r.mux, nil
+		}
+		return nil, fmt.Errorf("no such route: %s", subdomain)
+	}
+}
--- a/internal/route/middleware/custom_error_page.go
+++ b/internal/route/middleware/custom_error_page.go
@@ -0,0 +1,75 @@
+package middleware
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"path/filepath"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"github.com/yusing/go-proxy/internal/api/v1/error_page"
+	"github.com/yusing/go-proxy/internal/common"
+	gpHTTP "github.com/yusing/go-proxy/internal/http"
+)
+
+var CustomErrorPage = &Middleware{
+	before: func(next http.Handler, w ResponseWriter, r *Request) {
+		if !ServeStaticErrorPageFile(w, r) {
+			next.ServeHTTP(w, r)
+		}
+	},
+	modifyResponse: func(resp *Response) error {
+		// only handles non-success status code and html/plain content type
+		contentType := gpHTTP.GetContentType(resp.Header)
+		if !gpHTTP.IsSuccess(resp.StatusCode) && (contentType.IsHTML() || contentType.IsPlainText()) {
+			errorPage, ok := error_page.GetErrorPageByStatus(resp.StatusCode)
+			if ok {
+				errPageLogger.Debugf("error page for status %d loaded", resp.StatusCode)
+				io.Copy(io.Discard, resp.Body) // drain the original body
+				resp.Body.Close()
+				resp.Body = io.NopCloser(bytes.NewReader(errorPage))
+				resp.ContentLength = int64(len(errorPage))
+				resp.Header.Set("Content-Length", fmt.Sprint(len(errorPage)))
+				resp.Header.Set("Content-Type", "text/html; charset=utf-8")
+			} else {
+				errPageLogger.Errorf("unable to load error page for status %d", resp.StatusCode)
+			}
+			return nil
+		}
+		return nil
+	},
+}
+
+func ServeStaticErrorPageFile(w http.ResponseWriter, r *http.Request) bool {
+	path := r.URL.Path
+	if path != "" && path[0] != '/' {
+		path = "/" + path
+	}
+	if strings.HasPrefix(path, common.StaticFilePathPrefix) {
+		filename := path[len(common.StaticFilePathPrefix):]
+		file, ok := error_page.GetStaticFile(filename)
+		if !ok {
+			errPageLogger.Errorf("unable to load resource %s", filename)
+			return false
+		} else {
+			ext := filepath.Ext(filename)
+			switch ext {
+			case ".html":
+				w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			case ".js":
+				w.Header().Set("Content-Type", "application/javascript; charset=utf-8")
+			case ".css":
+				w.Header().Set("Content-Type", "text/css; charset=utf-8")
+			default:
+				errPageLogger.Errorf("unexpected file type %q for %s", ext, filename)
+			}
+			w.Write(file)
+			return true
+		}
+	}
+	return false
+}
+
+var errPageLogger = logrus.WithField("middleware", "error_page")
--- a/internal/route/middleware/forward_auth.go
+++ b/internal/route/middleware/forward_auth.go
@@ -0,0 +1,249 @@
+// Modified from Traefik Labs's MIT-licensed code (https://github.com/traefik/traefik/blob/master/pkg/middlewares/auth/forward.go)
+// Copyright (c) 2020-2024 Traefik Labs
+// Copyright (c) 2024 yusing
+
+package middleware
+
+import (
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/yusing/go-proxy/internal/common"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	gpHTTP "github.com/yusing/go-proxy/internal/http"
+	U "github.com/yusing/go-proxy/internal/utils"
+)
+
+type (
+	forwardAuth struct {
+		*forwardAuthOpts
+		m      *Middleware
+		client http.Client
+	}
+	forwardAuthOpts struct {
+		Address                  string
+		TrustForwardHeader       bool
+		AuthResponseHeaders      []string
+		AddAuthCookiesToResponse []string
+	}
+)
+
+const (
+	xForwardedFor    = "X-Forwarded-For"
+	xForwardedMethod = "X-Forwarded-Method"
+	xForwardedHost   = "X-Forwarded-Host"
+	xForwardedProto  = "X-Forwarded-Proto"
+	xForwardedURI    = "X-Forwarded-Uri"
+	xForwardedPort   = "X-Forwarded-Port"
+)
+
+var ForwardAuth = newForwardAuth()
+var faLogger = logrus.WithField("middleware", "ForwardAuth")
+
+func newForwardAuth() (fa *forwardAuth) {
+	fa = new(forwardAuth)
+	fa.m = new(Middleware)
+	fa.m.labelParserMap = D.ValueParserMap{
+		"trust_forward_header":         D.BoolParser,
+		"auth_response_headers":        D.YamlStringListParser,
+		"add_auth_cookies_to_response": D.YamlStringListParser,
+	}
+	fa.m.withOptions = func(optsRaw OptionsRaw, rp *ReverseProxy) (*Middleware, E.NestedError) {
+		tr, ok := rp.Transport.(*http.Transport)
+		if ok {
+			tr = tr.Clone()
+		} else {
+			tr = common.DefaultTransport.Clone()
+		}
+
+		faWithOpts := new(forwardAuth)
+		faWithOpts.forwardAuthOpts = new(forwardAuthOpts)
+		faWithOpts.client = http.Client{
+			CheckRedirect: func(r *Request, via []*Request) error {
+				return http.ErrUseLastResponse
+			},
+			Timeout:   30 * time.Second,
+			Transport: tr,
+		}
+		faWithOpts.m = &Middleware{
+			impl:   faWithOpts,
+			before: faWithOpts.forward,
+		}
+
+		err := U.Deserialize(optsRaw, faWithOpts.forwardAuthOpts)
+		if err != nil {
+			return nil, E.FailWith("set options", err)
+		}
+		_, err = E.Check(url.Parse(faWithOpts.Address))
+		if err != nil {
+			return nil, E.Invalid("address", faWithOpts.Address)
+		}
+		return faWithOpts.m, nil
+	}
+	return
+}
+
+func (fa *forwardAuth) forward(next http.Handler, w ResponseWriter, req *Request) {
+	gpHTTP.RemoveHop(req.Header)
+
+	faReq, err := http.NewRequestWithContext(
+		req.Context(),
+		http.MethodGet,
+		fa.Address,
+		nil,
+	)
+	if err != nil {
+		faLogger.Debugf("new request err to %s: %s", fa.Address, err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	gpHTTP.CopyHeader(faReq.Header, req.Header)
+	gpHTTP.RemoveHop(faReq.Header)
+
+	gpHTTP.FilterHeaders(faReq.Header, fa.AuthResponseHeaders)
+	fa.setAuthHeaders(req, faReq)
+
+	faResp, err := fa.client.Do(faReq)
+	if err != nil {
+		faLogger.Debugf("failed to call %s: %s", fa.Address, err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	defer faResp.Body.Close()
+
+	body, err := io.ReadAll(faResp.Body)
+	if err != nil {
+		faLogger.Debugf("failed to read response body from %s: %s", fa.Address, err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if faResp.StatusCode < http.StatusOK || faResp.StatusCode >= http.StatusMultipleChoices {
+		gpHTTP.CopyHeader(w.Header(), faResp.Header)
+		gpHTTP.RemoveHop(w.Header())
+
+		redirectURL, err := faResp.Location()
+		if err != nil {
+			faLogger.Debugf("failed to get location from %s: %s", fa.Address, err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		} else if redirectURL.String() != "" {
+			w.Header().Set("Location", redirectURL.String())
+		}
+
+		w.WriteHeader(faResp.StatusCode)
+
+		if _, err = w.Write(body); err != nil {
+			faLogger.Debugf("failed to write response body from %s: %s", fa.Address, err)
+		}
+		return
+	}
+
+	for _, key := range fa.AuthResponseHeaders {
+		key := http.CanonicalHeaderKey(key)
+		req.Header.Del(key)
+		if len(faResp.Header[key]) > 0 {
+			req.Header[key] = append([]string(nil), faResp.Header[key]...)
+		}
+	}
+
+	req.RequestURI = req.URL.RequestURI()
+
+	authCookies := faResp.Cookies()
+
+	if len(authCookies) == 0 {
+		next.ServeHTTP(w, req)
+		return
+	}
+
+	next.ServeHTTP(gpHTTP.NewModifyResponseWriter(w, req, func(resp *Response) error {
+		fa.setAuthCookies(resp, authCookies)
+		return nil
+	}), req)
+}
+
+func (fa *forwardAuth) setAuthCookies(resp *Response, authCookies []*Cookie) {
+	if len(fa.AddAuthCookiesToResponse) == 0 {
+		return
+	}
+
+	cookies := resp.Cookies()
+	resp.Header.Del("Set-Cookie")
+
+	for _, cookie := range cookies {
+		if !slices.Contains(fa.AddAuthCookiesToResponse, cookie.Name) {
+			// this cookie is not an auth cookie, so add it back
+			resp.Header.Add("Set-Cookie", cookie.String())
+		}
+	}
+
+	for _, cookie := range authCookies {
+		if slices.Contains(fa.AddAuthCookiesToResponse, cookie.Name) {
+			// this cookie is an auth cookie, so add to resp
+			resp.Header.Add("Set-Cookie", cookie.String())
+		}
+	}
+}
+
+func (fa *forwardAuth) setAuthHeaders(req, faReq *Request) {
+	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+		if fa.TrustForwardHeader {
+			if prior, ok := req.Header[xForwardedFor]; ok {
+				clientIP = strings.Join(prior, ", ") + ", " + clientIP
+			}
+		}
+		faReq.Header.Set(xForwardedFor, clientIP)
+	}
+
+	xMethod := req.Header.Get(xForwardedMethod)
+	switch {
+	case xMethod != "" && fa.TrustForwardHeader:
+		faReq.Header.Set(xForwardedMethod, xMethod)
+	case req.Method != "":
+		faReq.Header.Set(xForwardedMethod, req.Method)
+	default:
+		faReq.Header.Del(xForwardedMethod)
+	}
+
+	xfp := req.Header.Get(xForwardedProto)
+	switch {
+	case xfp != "" && fa.TrustForwardHeader:
+		faReq.Header.Set(xForwardedProto, xfp)
+	case req.TLS != nil:
+		faReq.Header.Set(xForwardedProto, "https")
+	default:
+		faReq.Header.Set(xForwardedProto, "http")
+	}
+
+	if xfp := req.Header.Get(xForwardedPort); xfp != "" && fa.TrustForwardHeader {
+		faReq.Header.Set(xForwardedPort, xfp)
+	}
+
+	xfh := req.Header.Get(xForwardedHost)
+	switch {
+	case xfh != "" && fa.TrustForwardHeader:
+		faReq.Header.Set(xForwardedHost, xfh)
+	case req.Host != "":
+		faReq.Header.Set(xForwardedHost, req.Host)
+	default:
+		faReq.Header.Del(xForwardedHost)
+	}
+
+	xfURI := req.Header.Get(xForwardedURI)
+	switch {
+	case xfURI != "" && fa.TrustForwardHeader:
+		faReq.Header.Set(xForwardedURI, xfURI)
+	case req.URL.RequestURI() != "":
+		faReq.Header.Set(xForwardedURI, req.URL.RequestURI())
+	default:
+		faReq.Header.Del(xForwardedURI)
+	}
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
yusing	415f169f48	added explicit only mode for docker provider, updated dependencies	2024-09-29 11:24:41 +08:00
yusing	e2b08d8667	ci speedup	2024-09-29 06:00:52 +08:00
yusing	91e7f4894a	fixed some containers being excluded on restart	2024-09-28 12:34:06 +08:00
yusing	a78dba5191	added response message on invalid api request host	2024-09-28 11:55:26 +08:00
yusing	c7208c90c6	updated example	2024-09-28 11:51:47 +08:00
yusing	da6a2756fa	custom error page enabled for default for non-exist routes and invalid host	2024-09-28 11:45:01 +08:00
yusing	9a6a66f5a8	fixing dockerfile	2024-09-28 09:58:08 +08:00
yusing	90487bfde6	restructured the project to comply community guideline, for others check release note	2024-09-28 09:51:34 +08:00
yusing	4120fd8d1c	fixed unchecked integer conversion, fixed 'invalid host' bug, corrected error message	2024-09-28 01:20:18 +08:00
yusing	6f3a5ebe6e	Update documentation for Docker labels and middlewares, now fields works for snake cases, camel cases, pascal cases	2024-09-27 23:44:45 +08:00
yusing	a935f200a3	removed config example from README, check config.example.yml for complete explaination	2024-09-27 09:59:36 +08:00
yusing	f474ae4f75	added support for a few middlewares, added `match_domain` option, changed index reference prefix from $ to #, etc.	2024-09-27 09:57:57 +08:00
yusing	345a4417a6	changing alias index prefix from '$' to '#', to avoid unquoted/unescaped dollar sign being treated as interpolation	2024-09-27 00:34:14 +08:00
yusing	8cca83723c	added discord invite badge	2024-09-27 00:23:46 +08:00
Yuzerion	aa2fcd47c2	Update docker.md	2024-09-26 22:52:56 +08:00
Yuzerion	0580a7d3cd	Update config.example.yml	2024-09-26 22:51:29 +08:00
Yuzerion	a43c242c66	fixing wrong format for config example	2024-09-26 22:50:56 +08:00
yusing	45d4b92fc6	Fixed missing error subject	2024-09-26 20:11:05 +08:00
yusing	72df9ff3e4	Initial abstract implementation of middlewares	2024-09-25 14:12:40 +08:00
yusing	48bf31fd0e	refactor file names, readme updates, removed frontend submodule as it is being built independently	2024-09-25 11:22:25 +08:00
yusing	4ee5383f7d	github ci fix attempt, speedup docker build on CI	2024-09-25 10:46:45 +08:00
yusing	33fb60a32d	Refactor Docker CI workflow for multi-platform builds	2024-09-25 10:09:50 +08:00
yusing	d10d0e49fa	Update default wake timeout to 30 seconds, fixed port selection, improved idlewatcher	2024-09-25 05:27:12 +08:00
yusing	dc3575c8fd	Refactoring	2024-09-25 03:43:47 +08:00
yusing	17115cfb0b	Refactor and fixed port and scheme assignment logic in FillMissingFields. Fixed issue that when a container is stopped or network=host, it will be excluded.	2024-09-25 03:40:57 +08:00
yusing	498082f7e5	no longer exclude a stopped container that have user specified port	2024-09-25 00:56:33 +08:00
yusing	99216ffe59	fixed subdomain matching for sub-sub-subdomain and so on, now return 404 when subdomain is missing	2024-09-24 18:30:25 +08:00
yusing	f426dbc9cf	removed save registration.json since it does not work properly	2024-09-24 18:18:37 +08:00
yusing	1c611cc9b9	example fix	2024-09-24 03:13:39 +08:00
yusing	dc43e26770	Format README for better clarity in setup instructions	2024-09-24 03:09:50 +08:00
yusing	79ae26f1b5	new simpler setup method, readme and doc update	2024-09-23 22:10:13 +08:00
yusing	109c2460fa	fixed container being excluded in host network_mode	2024-09-23 20:34:46 +08:00
yusing	71e8e4a462	smarter scheme and port detection	2024-09-23 20:16:38 +08:00
yusing	8e2cc56afb	Fixed nil dereferencing and added missing fields validation	2024-09-23 16:14:34 +08:00
yusing	6728bc39d2	fixed nil dereferencing	2024-09-23 07:19:47 +08:00
yusing	daca4b7735	shrink docker image size in half, adding back ForceColor for logrus	2024-09-23 05:34:50 +08:00
yusing	3b597eea29	support '0' listening port, readme update, showcase added	2024-09-23 04:09:56 +08:00
yusing	090b73d287	fixed tcp/udp I/O, deadlock, nil dereference; improved docker watcher, idlewatcher, loading page	2024-09-23 00:49:46 +08:00
yusing	96bce79e4b	changed env GOPROXY__PORT to GOPROXY__ADDR, changed api server default to listen on localhost only, readme update	2024-09-22 06:06:24 +08:00
yusing	d9fd399e43	fix stuck loading in some scenerios for ls-* command line options	2024-09-22 05:01:36 +08:00
yusing	46281aa3b0	renamed ProxyEntry to RawEntry to avoid confusion with src/proxy/entry.go	2024-09-22 04:13:42 +08:00
yusing	d39b68bfd8	fixed possible resource leak	2024-09-22 04:11:02 +08:00
yusing	a11ce46028	added some docker compose examples; fixed defaults to wrong host; updated watcher behavior to retry connection every 3 secs until success or until cancelled	2024-09-22 04:00:08 +08:00
yusing	6388d9d44d	fixed outputing error in ls-config, ls-routes, etc.	2024-09-21 18:47:38 +08:00
yusing	69361aea1b	fixed host set to localhost even on remote docker, fixed one error in provider causing all routes not to load	2024-09-21 18:23:20 +08:00