docs: update README and config example for v0.11.0

chore(idlesleep): increase wake/sleep timeout to 3 minutes
chore: change ACL iso field to country
2026-01-11 22:30:47 +01:00 · 2025-04-25 14:24:28 +08:00 · 2025-04-25 13:36:04 +08:00 · 2025-04-25 13:25:45 +08:00 · 2025-04-25 12:32:02 +08:00 · 2025-04-25 11:26:24 +08:00
537 changed files with 39405 additions and 9338 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,55 @@
+# set timezone to get correct log timestamp
+TZ=ETC/UTC
+
+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
+# API/WebUI user password login credentials (optional)
+# These fields are not required for OIDC authentication
+GODOXY_API_USER=admin
+GODOXY_API_PASSWORD=password
+
+# OIDC Configuration (optional)
+# Uncomment and configure these values to enable OIDC authentication.
+# For `GODOXY_OIDC_SCOPES` you may also include `offline_access` if your Idp supports it (e.g. Authentik)
+#
+# GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
+# GODOXY_OIDC_CLIENT_ID=your-client-id
+# GODOXY_OIDC_CLIENT_SECRET=your-client-secret
+# GODOXY_OIDC_SCOPES=openid, profile, email
+#
+# User definitions: Uncomment and configure these values to restrict access to specific users or groups.
+# These two fields act as a logical AND operator. For example, given the following membership:
+#   user1, group1
+#   user2, group1
+#   user3, group2
+#   user1, group2
+# You can allow access to user3 AND all users of group1 by providing:
+#   # GODOXY_OIDC_ALLOWED_USERS=user3
+#   # GODOXY_OIDC_ALLOWED_GROUPS=group1
+#
+# Comma-separated list of allowed users.
+# GODOXY_OIDC_ALLOWED_USERS=user1,user2
+# Optional: Comma-separated list of allowed groups.
+# GODOXY_OIDC_ALLOWED_GROUPS=group1,group2
+
+# Proxy listening address
+GODOXY_HTTP_ADDR=:80
+GODOXY_HTTPS_ADDR=:443
+
+# API listening address
+GODOXY_API_ADDR=127.0.0.1:8888
+
+# Frontend listening port
+GODOXY_FRONTEND_PORT=3000
+
+# Prometheus Metrics
+GODOXY_PROMETHEUS_ENABLED=true
+
+# Debug mode
+GODOXY_DEBUG=false
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,15 @@
+# These are supported funding model platforms
+
+github: yusing # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+polar: # Replace with a single Polar username
+buy_me_a_coffee: yusingwysq # Replace with a single Buy Me a Coffee username
+thanks_dev: # Replace with a single thanks.dev username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/workflows/agent-binary.yml
+++ b/.github/workflows/agent-binary.yml
@@ -0,0 +1,51 @@
+name: GoDoxy agent binary
+
+on:
+  push:
+    tags:
+      - v*
+    paths:
+      - "agent/**"
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+            binary_name: godoxy-agent-linux-amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64
+            binary_name: godoxy-agent-linux-arm64
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Verify dependencies
+        run: go mod verify
+      - name: Build
+        run: |
+          make agent=1 NAME=${{ matrix.binary_name }} build
+      - name: Check binary
+        run: |
+          file bin/${{ matrix.binary_name }}
+      - name: Test
+        run: |
+          go test -v ./agent/...
+      - name: Upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.binary_name }}
+          path: bin/${{ matrix.binary_name }}
+      - name: Upload to release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: bin/${{ matrix.binary_name }}
--- a/.github/workflows/docker-image-nightly.yml
+++ b/.github/workflows/docker-image-nightly.yml
@@ -0,0 +1,23 @@
+name: Docker Image CI (nightly)
+
+on:
+  push:
+    branches:
+      - "*" # matches every branch that doesn't contain a '/'
+      - "*/*" # matches every branch containing a single '/'
+      - "**" # matches every branch
+      - "!dependabot/*"
+      - "!main" # excludes main
+
+jobs:
+  build-nightly:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy
+      tag: nightly
+  build-nightly-agent:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy-agent
+      tag: nightly
+      agent: true
--- a/.github/workflows/docker-image-prod.yml
+++ b/.github/workflows/docker-image-prod.yml
@@ -0,0 +1,20 @@
+name: Docker Image CI
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  build-prod:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy
+      old_image_name: ${{ github.repository_owner }}/go-proxy
+      tag: latest
+  build-prod-agent:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy-agent
+      tag: latest
+      agent: true
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,128 +1,165 @@
 name: Docker Image CI

 on:
-    push:
-        tags: ["*"]
+  workflow_call:
+    inputs:
+      tag:
+        required: true
+        type: string
+      image_name:
+        required: true
+        type: string
+      old_image_name:
+        required: false
+        type: string
+      agent:
+        required: false
+        default: false
+        type: boolean

 env:
-    REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
+  REGISTRY: ghcr.io
+  MAKE_ARGS: agent=${{ inputs.agent && '1' || '0' }}
+  DIGEST_PATH: /tmp/digests/${{ inputs.agent && 'agent' || 'main' }}
+  DIGEST_NAME_SUFFIX: ${{ inputs.agent && 'agent' || 'main' }}

 jobs:
-    build:
-        name: Build multi-platform Docker image
-        runs-on: ubuntu-22.04
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64

-        permissions:
-            contents: read
-            packages: write
-            id-token: write
-            attestations: write
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}

-        strategy:
-            fail-fast: false
-            matrix:
-                platform:
-                    - linux/amd64
-                    # - linux/arm/v6
-                    # - linux/arm/v7
-                    - linux/arm64
-        steps:
-            - name: Prepare
-              run: |
-                  platform=${{ matrix.platform }}
-                  echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write

-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+    steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
+          tags: |
+            type=raw,value=${{ inputs.tag }},event=branch
+            type=ref,event=tag

-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          platforms: ${{ matrix.platform }}

-            - name: Login to registry
-              uses: docker/login-action@v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}

-            - name: Build and push by digest
-              id: build
-              uses: docker/build-push-action@v6
-              with:
-                  platforms: ${{ matrix.platform }}
-                  labels: ${{ steps.meta.outputs.labels }}
-                  outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-                  cache-from: type=gha
-                  cache-to: type=gha,mode=max
-                  build-args: |
-                      VERSION=${{ github.ref_name }}
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}-${{ inputs.tag }}
+          cache-to: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}-${{ inputs.tag }},mode=max
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            MAKE_ARGS=${{ env.MAKE_ARGS }}

-            - name: Generate artifact attestation
-              uses: actions/attest-build-provenance@v1
-              with:
-                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
-                  subject-digest: ${{ steps.build.outputs.digest }}
-                  push-to-registry: true
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ inputs.image_name }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true

-            - name: Export digest
-              run: |
-                  mkdir -p /tmp/digests
-                  digest="${{ steps.build.outputs.digest }}"
-                  touch "/tmp/digests/${digest#sha256:}"
+      - name: Export digest
+        run: |
+          mkdir -p ${{ env.DIGEST_PATH }}
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ env.DIGEST_PATH }}/${digest#sha256:}"

-            - name: Upload digest
-              uses: actions/upload-artifact@v4
-              with:
-                  name: digests-${{ env.PLATFORM_PAIR }}
-                  path: /tmp/digests/*
-                  if-no-files-found: error
-                  retention-days: 1
-    merge:
-        runs-on: ubuntu-22.04
-        needs:
-            - build
-        permissions:
-            contents: read
-            packages: write
-            id-token: write
-        steps:
-            - name: Download digests
-              uses: actions/download-artifact@v4
-              with:
-                  path: /tmp/digests
-                  pattern: digests-*
-                  merge-multiple: true
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}-${{ env.DIGEST_NAME_SUFFIX }}
+          path: ${{ env.DIGEST_PATH }}/*
+          if-no-files-found: error
+          retention-days: 1

-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+  merge:
+    needs: build
+    runs-on: ubuntu-latest

-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write

-            - name: Login to registry
-              uses: docker/login-action@v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.DIGEST_PATH }}
+          pattern: digests-*-${{ env.DIGEST_NAME_SUFFIX }}
+          merge-multiple: true

-            - name: Create manifest list and push
-              id: push
-              working-directory: /tmp/digests
-              run: |
-                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3

-            - name: Inspect image
-              run: |
-                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
+          tags: |
+            type=raw,value=${{ inputs.tag }},event=branch
+            type=ref,event=tag
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        id: push
+        working-directory: ${{ env.DIGEST_PATH }}
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY }}/${{ inputs.image_name }}@sha256:%s ' *)
+
+      - name: Old image name
+        if: inputs.old_image_name != ''
+        run: |
+          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}\
+            ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
+
+      - name: Inspect image (old)
+        if: inputs.old_image_name != ''
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,17 @@
 compose.yml
 *.compose.yml

+config
+certs
 config*/
+!schemas/**
 certs*/
 bin/
 error_pages/
+!examples/error_pages/
+profiles/
+data/
+debug/

 logs/
 log/
@@ -22,3 +29,12 @@ todo.md
 .aider*
 mtrace.json
 .env
+.cursorrules
+.windsurfrules
+test.Dockerfile
+
+node_modules/
+tsconfig.tsbuildinfo
+
+!agent.compose.yml
+!agent/pkg/**
--- a/.gitmodules
+++ b/.gitmodules
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,135 @@
+run:
+  timeout: 10m
+
+linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      - shadow
+      - fieldalignment
+  gocyclo:
+    min-complexity: 14
+  misspell:
+    locale: US
+  funlen:
+    lines: -1
+    statements: 120
+  forbidigo:
+    forbid:
+      - ^print(ln)?$
+  godox:
+    keywords:
+      - FIXME
+  tagalign:
+    align: false
+    sort: true
+    order:
+      - description
+      - json
+      - toml
+      - yaml
+      - yml
+      - label
+      - label-slice-as-struct
+      - file
+      - kv
+      - export
+  stylecheck:
+    dot-import-whitelist:
+      - github.com/yusing/go-proxy/internal/utils/testing # go tests only
+      - github.com/yusing/go-proxy/internal/api/v1/utils # api only
+  revive:
+    rules:
+      - name: struct-tag
+      - name: blank-imports
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: error-return
+      - name: error-strings
+      - name: error-naming
+      - name: exported
+        disabled: true
+      - name: if-return
+      - name: increment-decrement
+      - name: var-naming
+      - name: var-declaration
+      - name: package-comments
+        disabled: true
+      - name: range
+      - name: receiver-naming
+      - name: time-naming
+      - name: unexported-return
+      - name: indent-error-flow
+      - name: errorf
+      - name: empty-block
+      - name: superfluous-else
+      - name: unused-parameter
+        disabled: true
+      - name: unreachable-code
+      - name: redefines-builtin-id
+  gomoddirectives:
+    replace-allow-list:
+      - github.com/abbot/go-http-auth
+      - github.com/gorilla/mux
+      - github.com/mailgun/minheap
+      - github.com/mailgun/multibuf
+      - github.com/jaguilar/vt100
+      - github.com/cucumber/godog
+      - github.com/http-wasm/http-wasm-host-go
+  testifylint:
+    disable:
+      - suite-dont-use-pkg
+      - require-error
+      - go-require
+  staticcheck:
+    checks:
+      - all
+      - -SA1019
+  errcheck:
+    exclude-functions:
+      - fmt.Fprintln
+linters:
+  enable-all: true
+  disable:
+    - execinquery # deprecated
+    - gomnd # deprecated
+    - sqlclosecheck # not relevant (SQL)
+    - rowserrcheck # not relevant (SQL)
+    - cyclop # duplicate of gocyclo
+    - depguard # Not relevant
+    - nakedret # Too strict
+    - lll # Not relevant
+    - gocyclo # must be fixed
+    - gocognit # Too strict
+    - nestif # Too many false-positive.
+    - prealloc # Too many false-positive.
+    - makezero # Not relevant
+    - dupl # Too strict
+    - gci # I don't care
+    - goconst # Too annoying
+    - gosec # Too strict
+    - gochecknoinits
+    - gochecknoglobals
+    - wsl # Too strict
+    - nlreturn # Not relevant
+    - mnd # Too strict
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - paralleltest # Not relevant
+    - exhaustive # Not relevant
+    - exhaustruct # Not relevant
+    - err113 # Too strict
+    - wrapcheck # Too strict
+    - noctx # Too strict
+    - bodyclose # too many false-positive
+    - forcetypeassert # Too strict
+    - tagliatelle # Too strict
+    - varnamelen # Not relevant
+    - nilnil # Not relevant
+    - ireturn # Not relevant
+    - contextcheck # too many false-positive
+    - containedctx # too many false-positive
+    - maintidx # kind of duplicate of gocyclo
+    - nonamedreturns # Too strict
+    - gosmopolitan # not relevant
+    - exportloopref # Not relevant since go1.22
--- a/.trunk/.gitignore
+++ b/.trunk/.gitignore
@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -0,0 +1,41 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.22.10
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.6.7
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - node@18.20.5
+    - python@3.10.8
+    - go@1.23.2
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  disabled:
+    - markdownlint
+    - yamllint
+  enabled:
+    - hadolint@2.12.1-beta
+    - actionlint@1.7.7
+    - git-diff-check
+    - gofmt@1.20.4
+    - golangci-lint@1.64.5
+    - osv-scanner@1.9.2
+    - oxipng@9.1.4
+    - prettier@3.5.1
+    - shellcheck@0.10.0
+    - shfmt@3.6.0
+    - trufflehog@3.88.9
+actions:
+  disabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+  enabled:
+    - trunk-upgrade-available
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -1,10 +1,10 @@
 {
  "yaml.schemas": {
-    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+    "https://github.com/yusing/go-proxy/raw/main/schemas/config.schema.json": [
      "config.example.yml",
      "config.yml"
    ],
-    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+    "https://github.com/yusing/go-proxy/raw/main/schemas/routes.schema.json": [
      "providers.example.yml"
    ]
  }
--- a/56
+++ b/56
@@ -1,34 +1,43 @@
-# Stage 1: Builder
-FROM golang:1.23.2-alpine AS builder
-RUN apk add --no-cache tzdata make
+# Stage 1: deps
+FROM golang:1.24.2-alpine AS deps
+HEALTHCHECK NONE
+
+# package version does not matter
+# trunk-ignore(hadolint/DL3018)
+RUN apk add --no-cache tzdata make libcap-setcap

 WORKDIR /src

 # Only copy go.mod and go.sum initially for better caching
 COPY go.mod go.sum /src/

-# Utilize build cache
-RUN --mount=type=cache,target="/go/pkg/mod" \
-    go mod download -x
+ENV GOPATH=/root/go
+RUN go mod download -x

-ENV GOCACHE=/root/.cache/go-build
+# Stage 2: builder
+FROM deps AS builder
+
+WORKDIR /src
+
+COPY Makefile ./
+COPY cmd ./cmd
+COPY internal ./internal
+COPY pkg ./pkg
+COPY agent ./agent

 ARG VERSION
 ENV VERSION=${VERSION}

-COPY scripts /src/scripts
-COPY Makefile /src/
+ARG MAKE_ARGS
+ENV MAKE_ARGS=${MAKE_ARGS}

-RUN --mount=type=cache,target="/go/pkg/mod" \
-    --mount=type=cache,target="/root/.cache/go-build" \
-    --mount=type=bind,src=cmd,dst=/src/cmd \
-    --mount=type=bind,src=internal,dst=/src/internal \
-    --mount=type=bind,src=pkg,dst=/src/pkg \
-    make build && \
-    mkdir -p /app/error_pages /app/certs && \
-    mv bin/go-proxy /app/go-proxy
+ENV GOCACHE=/root/.cache/go-build
+ENV GOPATH=/root/go
+RUN make ${MAKE_ARGS} build link-binary && \
+    mv bin /app/ && \
+    mkdir -p /app/error_pages /app/certs

-# Stage 2: Final image
+# Stage 3: Final image
 FROM scratch

 LABEL maintainer="yusing@6uo.me"
@@ -40,19 +49,14 @@ COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 # copy binary
 COPY --from=builder /app /app

-# copy schema directory
-COPY schema/ /app/schema/
+# copy example config
+COPY config.example.yml /app/config/config.yml

 # copy certs
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs

 ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GOPROXY_DEBUG=0
-
-EXPOSE 80
-EXPOSE 8888
-EXPOSE 443

 WORKDIR /app

-CMD ["/app/go-proxy"]
+CMD ["/app/run"]
--- a/116
+++ b/116
@@ -1,61 +1,103 @@
-VERSION ?= $(shell git describe --tags --abbrev=0)
-BUILD_FLAGS ?= -s -w -X github.com/yusing/go-proxy/pkg.version=${VERSION}
-export VERSION
-export BUILD_FLAGS
-export CGO_ENABLED = 0
+export VERSION ?= $(shell git describe --tags --abbrev=0)
+export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux

-.PHONY: all setup build test up restart logs get debug run archive repush rapid-crash debug-list-containers
+LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}

-all: debug

-build:
-	scripts/build.sh
+ifeq ($(agent), 1)
+	NAME = godoxy-agent
+	CMD_PATH = ./agent/cmd
+else
+	NAME = godoxy
+	CMD_PATH = ./cmd
+endif
+
+ifeq ($(trace), 1)
+	debug = 1
+	GODOXY_TRACE ?= 1
+	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
+endif
+
+ifeq ($(race), 1)
+	debug = 1
+  BUILD_FLAGS += -race
+endif
+
+ifeq ($(debug), 1)
+	CGO_ENABLED = 0
+	GODOXY_DEBUG = 1
+	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug
+else ifeq ($(pprof), 1)
+	CGO_ENABLED = 1
+	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
+	BUILD_FLAGS += -tags pprof
+	VERSION := ${VERSION}-pprof
+else
+	CGO_ENABLED = 0
+	LDFLAGS += -s -w
+	BUILD_FLAGS += -pgo=auto -tags production
+endif
+
+BUILD_FLAGS += -ldflags='$(LDFLAGS)'
+
+export NAME
+export CMD_PATH
+export CGO_ENABLED
+export GODOXY_DEBUG
+export GODOXY_TRACE
+export GODEBUG
+export GORACE
+export BUILD_FLAGS
+
+ifeq ($(shell id -u), 0)
+	SETCAP_CMD = setcap
+else
+	SETCAP_CMD = sudo setcap
+endif
+
+.PHONY: debug

 test:
-	GOPROXY_TEST=1 go test ./internal/...
-
-up:
-	docker compose up -d
-
-restart:
-	docker compose restart -t 0
-
-logs:
-	docker compose logs -f
+	GODOXY_TEST=1 go test ./internal/...

 get:
 	go get -u ./cmd && go mod tidy

-debug:
-	make build && sudo GOPROXY_DEBUG=1 bin/go-proxy
+build:
+	mkdir -p bin
+	go build ${BUILD_FLAGS} -o bin/${NAME} ${CMD_PATH}

-mtrace:
-	bin/go-proxy debug-ls-mtrace > mtrace.json
-
-run-test:
-	make build && sudo GOPROXY_TEST=1 bin/go-proxy
+	# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+	$(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep bin/${NAME}

 run:
-	make build && sudo bin/go-proxy
+	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}

-archive:
-	git archive HEAD -o ../go-proxy-$$(date +"%Y%m%d%H%M").zip
+debug:
+	make NAME="godoxy-test" debug=1 build
+	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'

-repush:
-	git reset --soft HEAD^
-	git add -A
-	git commit -m "repush"
-	git push gitlab dev --force
+mtrace:
+	bin/godoxy debug-ls-mtrace > mtrace.json

 rapid-crash:
-	sudo docker run --restart=always --name test_crash debian:bookworm-slim /bin/cat &&\
+	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
 	sleep 3 &&\
-	sudo docker rm -f test_crash
+	docker rm -f test_crash

 debug-list-containers:
 	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'

 ci-test:
 	mkdir -p /tmp/artifacts
-	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
+	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
+
+cloc:
+	cloc --not-match-f '_test.go$$' cmd internal pkg
+
+link-binary:
+	ln -s /app/${NAME} bin/run
+
+push-github:
+	git push origin $(shell git rev-parse --abbrev-ref HEAD)
--- a/README.md
+++ b/README.md
@@ -1,93 +1,117 @@
-# go-proxy
+<div align="center">

-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)
+# GoDoxy

-[繁體中文文檔請看此](README_CHT.md)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
+![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
+[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fgodoxy.demo.6uo.me&label=Demo&link=https%3A%2F%2Fgodoxy.demo.6uo.me)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

-A lightweight, easy-to-use, and [performant](https://github.com/yusing/go-proxy/wiki/Benchmarks) reverse proxy with a Web UI and dashboard.
+A lightweight, simple, and [performant](https://github.com/yusing/godoxy/wiki/Benchmarks) reverse proxy with WebUI.

-![Screenshot](screenshots/webui.png)
+For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki)**

-_Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_
+**EN** | <a href="README_CHT.md">中文</a>
+
+<img src="screenshots/webui.jpg" style="max-width: 650">
+
+</div>

 ## Table of content

 <!-- TOC -->

- [go-proxy](#go-proxy)
+- [GoDoxy](#godoxy)
  - [Table of content](#table-of-content)
+  - [Running demo](#running-demo)
  - [Key Features](#key-features)
-  - [Getting Started](#getting-started)
-    - [Setup](#setup)
-    - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
+  - [Prerequisites](#prerequisites)
+  - [Setup](#setup)
+  - [How does GoDoxy work](#how-does-godoxy-work)
  - [Screenshots](#screenshots)
    - [idlesleeper](#idlesleeper)
+    - [Metrics and Logs](#metrics-and-logs)
+  - [Manual Setup](#manual-setup)
+    - [Folder structrue](#folder-structrue)
  - [Build it yourself](#build-it-yourself)

+## Running demo
+
+<https://godoxy.demo.6uo.me>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+
 ## Key Features

-   Easy to use
-    -   Effortless configuration
-    -   Simple multi-node setup
-    -   Error messages is clear and detailed, easy troubleshooting
-   Auto SSL cert management (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers)) 
-   Auto configuration for docker containers
-   Auto hot-reload on container state / config file changes
-   **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [screenshots](#idlesleeper))_
-   HTTP(s) reserve proxy
-   [HTTP middleware support](https://github.com/yusing/go-proxy/wiki/Middlewares)
-   [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
-   TCP and UDP port forwarding
-   **Web UI with App dashboard**
-   Supports linux/amd64, linux/arm64
-   Written in **[Go](https://go.dev)**
+- **Simple**
+  - Effortless configuration with [simple labels](https://github.com/yusing/godoxy/wiki/Docker-labels-and-Route-Files) or WebUI
+  - [Simple multi-node setup](https://github.com/yusing/godoxy/wiki/Configurations#multi-docker-nodes-setup)
+  - Detailed error messages for easy troubleshooting.
+- **ACL**: connection / request level access control
+  - IP/CIDR
+  - Country **(Maxmind account required)**
+  - Timezone **(Maxmind account required)**
+  - **Access logging**
+- **Advanced Automation**
+  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
+  - Auto-configuration for Docker containers
+  - Hot-reloading of configurations and container state changes
+- **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
+  - Docker containers
+  - Proxmox LXCs
+- **Traffic Management**
+  - HTTP reserve proxy
+  - TCP/UDP port forwarding
+  - **OpenID Connect support**: SSO and secure your apps easily
+- **Customization**
+  - [HTTP middlewares](https://github.com/yusing/go-proxy/wiki/Middlewares)
+  - [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+- **Web UI**
+  - App Dashboard
+  - Config Editor
+  - Uptime and System Metrics
+  - Docker Logs Viewer
+- **Cross-Platform support**
+  - Supports **linux/amd64** and **linux/arm64**
+- **Efficient and Performant**
+  - Written in **[Go](https://go.dev)**

-[🔼Back to top](#table-of-content)
+## Prerequisites

-## Getting Started
+Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.

-### Setup
+- A Record: `*.domain.com` -> `10.0.10.1`
+- AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`

-1.  Pull docker image 
-    
-    ```shell
-    docker pull ghcr.io/yusing/go-proxy:latest
-    ```
+## Setup

-2.  Create new directory, `cd` into it, then run setup
+> [!NOTE]
+> GoDoxy is designed to be running in `host` network mode, do not change it.
+>
+> To change listening ports, modify `.env`.

-    ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
-    ```
+1. Prepare a new directory for docker compose and config files.

-3.  Setup DNS Records point to machine which runs `go-proxy`, e.g.
+2. Run setup script inside the directory, or [set up manually](#manual-setup)

-    -   A Record: `*.y.z` -> `10.0.10.1`
-    -   AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```

-4.  Setup `docker-socket-proxy` other docker nodes _(if any)_ (see [Multi docker nodes setup](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)) and then them inside `config.yml`
+3. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`

-5.  Run go-proxy `docker compose up -d` 
-    then list all routes to see if further configurations are needed:
-    `docker exec go-proxy /app/go-proxy ls-routes`
+## How does GoDoxy work

-6.  You may now do some extra configuration
-    -   With text editor (e.g. Visual Studio Code)
-    -   With Web UI via `http://localhost:3000` or `https://gp.y.z`
-    -   For more info, [See Wiki]([wiki](https://github.com/yusing/go-proxy/wiki))
+1. List all the containers
+2. Read container name, labels and port configurations for each of them
+3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
+4. Watch for container / config changes and update automatically

-[🔼Back to top](#table-of-content)
-
-### Use JSON Schema in VSCode
-
-Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify it to fit your needs
-
-[🔼Back to top](#table-of-content)
+> [!NOTE]
+> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
+>
+> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.

 ## Screenshots

@@ -95,12 +119,69 @@ Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscod

 ![idlesleeper](screenshots/idlesleeper.webp)

+### Metrics and Logs

-[🔼Back to top](#table-of-content)
+<div align="center">
+  <table>
+    <tr>
+      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
+      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
+      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>Uptime Monitor</b></td>
+      <td align="center"><b>Docker Logs</b></td>
+      <td align="center"><b>Server Overview</b></td>
+    </tr>
+        <tr>
+      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
+      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>System Monitor</b></td>
+      <td align="center"><b>Graphs</b></td>
+    </tr>
+  </table>
+</div>
+
+## Manual Setup
+
+1. Make `config` directory then grab `config.example.yml` into `config/config.yml`
+
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`
+
+2. Grab `.env.example` into `.env`
+
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`
+
+3. Grab `compose.example.yml` into `compose.yml`
+
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`
+
+### Folder structrue
+
+```shell
+├── certs
+│   ├── cert.crt
+│   └── priv.key
+├── compose.yml
+├── config
+│   ├── config.yml
+│   ├── middlewares
+│   │   ├── middleware1.yml
+│   │   ├── middleware2.yml
+│   ├── provider1.yml
+│   └── provider2.yml
+├── data
+│   ├── metrics # metrics data
+│   │   ├── uptime.json
+│   │   └── system_info.json
+└── .env
+```

 ## Build it yourself

-1. Clone the repository `git clone https://github.com/yusing/go-proxy --depth=1`
+1. Clone the repository `git clone https://github.com/yusing/godoxy --depth=1`

 2. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already

--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,130 +1,169 @@
-# go-proxy
+<div align="center">
+
+# GoDoxy

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fgodoxy.demo.6uo.me&label=Demo&link=https%3A%2F%2Fgodoxy.demo.6uo.me)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

-一個輕量化、易用且[高效]([docs/benchmark_result.md](https://github.com/yusing/go-proxy/wiki/Benchmarks)))的反向代理和端口轉發工具
+輕量、易用、 [高效能](https://github.com/yusing/godoxy/wiki/Benchmarks)，且帶有主頁和配置面板的反向代理
+
+完整文檔請查閱 **[Wiki](https://github.com/yusing/godoxy/wiki)**（暫未有中文翻譯）
+
+<a href="README.md">EN</a> | **中文**
+
+<img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
+
+</div>

 ## 目錄

 <!-- TOC -->

- [go-proxy](#go-proxy)
+- [GoDoxy](#godoxy)
  - [目錄](#目錄)
-  - [重點](#重點)
-  - [入門指南](#入門指南)
-    - [安裝](#安裝)
-    - [命令行參數](#命令行參數)
-    - [環境變量](#環境變量)
-    - [VSCode 中使用 JSON Schema](#vscode-中使用-json-schema)
-  - [展示](#展示)
-    - [idlesleeper](#idlesleeper)
-  - [源碼編譯](#源碼編譯)
+  - [運行示例](#運行示例)
+  - [主要特點](#主要特點)
+  - [前置需求](#前置需求)
+  - [安裝](#安裝)
+    - [手動安裝](#手動安裝)
+    - [資料夾結構](#資料夾結構)
+  - [截圖](#截圖)
+    - [閒置休眠](#閒置休眠)
+    - [監控](#監控)
+  - [自行編譯](#自行編譯)

-## 重點
+## 運行示例

-   易用
-    -   不需花費太多時間就能輕鬆配置
-    -   支持多個docker節點
-    -   除錯簡單
-   自動配置 SSL 證書（參見[可用的 DNS 供應商](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers)）
-   透過 Docker 容器自動配置
-   容器狀態變更時自動熱重載
-   **idlesleeper** 容器閒置時自動暫停/停止，入站時自動喚醒 (可選, 參見 [展示](#idlesleeper))
-   HTTP(s) 反向代理
-   [HTTP middleware](https://github.com/yusing/go-proxy/wiki/Middlewares)
-   [自訂 error pages](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
-   TCP/UDP 端口轉發
-   Web 面板 (內置App dashboard)
-   支持 linux/amd64、linux/arm64 平台
-   使用 **[Go](https://go.dev)** 編寫
+<https://godoxy.demo.6uo.me>

-[🔼 返回頂部](#目錄)
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)

-## 入門指南
+## 主要特點

-### 安裝
+- 容易使用
+  - 輕鬆配置
+  - 簡單的多節點設置
+  - 錯誤訊息清晰詳細，易於排除故障
+- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers)）
+- 自動配置 Docker 容器
+- 容器狀態/配置文件變更時自動熱重載
+- **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
+- OpenID Connect：輕鬆實現單點登入
+- HTTP(s) 反向代理和TCP 和 UDP 埠轉發
+- [HTTP 中介軟體](https://github.com/yusing/godoxy/wiki/Middlewares) 和 [自定義錯誤頁面](https://github.com/yusing/godoxy/wiki/Middlewares#custom-error-pages)
+- **網頁介面，具有應用儀表板和配置編輯器**
+- 支援 linux/amd64、linux/arm64
+- 使用 **[Go](https://go.dev)** 編寫

-1. 抓取Docker鏡像
+[🔼回到頂部](#目錄)
+
+## 前置需求
+
+設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：
+
+- A 記錄：`*.y.z` -> `10.0.10.1`
+- AAAA 記錄：`*.y.z` -> `::ffff:a00:a01`
+
+## 安裝
+
+> [!NOTE]
+> GoDoxy 僅在 `host` 網路模式下運作，請勿更改。
+>
+> 如需更改監聽埠，請修改 `.env`。
+
+1. 準備一個新目錄用於 docker compose 和配置文件。
+
+2. 在目錄內運行安裝腳本，或[手動安裝](#手動安裝)

    ```shell
-    docker pull ghcr.io/yusing/go-proxy:latest
+    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
    ```

-2. 建立新的目錄，並切換到該目錄，並執行
-   
-   ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
-    ```
+3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置

-3. 設置 DNS 記錄，例如：
+[🔼回到頂部](#目錄)

-    - A 記錄: `*.y.z` -> `10.0.10.1`
-    - AAAA 記錄: `*.y.z` -> `::ffff:a00:a01`
+### 手動安裝

-4. 配置 `docker-socket-proxy` 其他 Docker 節點（如有） (參見 [範例](docs/docker_socket_proxy.md)) 然後加到 `config.yml` 中
+1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`

-5. 大功告成，你可以做一些額外的配置
-    - 使用文本編輯器 (推薦 Visual Studio Code [參見 VSCode 使用 schema](#vscode-中使用-json-schema))
-    - 或通過 `http://localhost:3000` 使用網頁配置編輯器
-    - 詳情請參閱 [docker.md](docs/docker.md)
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`

-[🔼 返回頂部](#目錄)
+2. 將 `.env.example` 下載到 `.env`

-### 命令行參數
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`

-| 參數                      | 描述                                                                                  | 示例                                |
-| ------------------------- | ------------------------------------------------------------------------------------- | ----------------------------------- |
-| 空                        | 啟動代理服務器                                                                        |                                     |
-| `validate`                | 驗證配置並退出                                                                        |                                     |
-| `reload`                  | 強制刷新配置                                                                          |                                     |
-| `ls-config`               | 列出配置並退出                                                                        | `go-proxy ls-config \| jq`          |
-| `ls-route`                | 列出路由並退出                                                                        | `go-proxy ls-route \| jq`           |
-| `go-proxy ls-route \| jq` |
-| `ls-icons`                | 列出 [dashboard-icons](https://github.com/walkxcode/dashboard-icons/tree/main) 並退出 | `go-proxy ls-icons \| grep adguard` |
-| `debug-ls-mtrace`         | 列出middleware追蹤 **(僅限於 debug 模式)**                                            | `go-proxy debug-ls-mtrace \| jq`    |
+3. 將 `compose.example.yml` 下載到 `compose.yml`

-**使用 `docker exec go-proxy /app/go-proxy <參數>` 運行**
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`

-### 環境變量
+### 資料夾結構

-| 環境變量                       | 描述             | 默認             | 格式          |
-| ------------------------------ | ---------------- | ---------------- | ------------- |
-| `GOPROXY_NO_SCHEMA_VALIDATION` | 禁用 schema 驗證 | `false`          | boolean       |
-| `GOPROXY_DEBUG`                | 啟用調試輸出     | `false`          | boolean       |
-| `GOPROXY_HTTP_ADDR`            | http 收聽地址    | `:80`            | `[host]:port` |
-| `GOPROXY_HTTPS_ADDR`           | https 收聽地址   | `:443`           | `[host]:port` |
-| `GOPROXY_API_ADDR`             | api 收聽地址     | `127.0.0.1:8888` | `[host]:port` |
+```shell
+├── certs
+│   ├── cert.crt
+│   └── priv.key
+├── compose.yml
+├── config
+│   ├── config.yml
+│   ├── middlewares
+│   │   ├── middleware1.yml
+│   │   ├── middleware2.yml
+│   ├── provider1.yml
+│   └── provider2.yml
+├── data
+│   ├── metrics # metrics data
+│   │   ├── uptime.json
+│   │   └── system_info.json
+└── .env
+```

-### VSCode 中使用 JSON Schema
+## 截圖

-複製 [`.vscode/settings.example.json`](.vscode/settings.example.json) 到 `.vscode/settings.json` 並根據需求修改
+### 閒置休眠

-[🔼 返回頂部](#目錄)
+![閒置休眠](screenshots/idlesleeper.webp)

+[🔼回到頂部](#目錄)

-## 展示
+### 監控

-### idlesleeper
+<div align="center">
+  <table>
+    <tr>
+      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
+      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
+      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>運行時間監控</b></td>
+      <td align="center"><b>Docker 日誌</b></td>
+      <td align="center"><b>伺服器概覽</b></td>
+    </tr>
+        <tr>
+      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
+      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>系統監控</b></td>
+      <td align="center"><b>圖表</b></td>
+    </tr>
+  </table>
+</div>

-![idlesleeper](screenshots/idlesleeper.webp)
+## 自行編譯

-[🔼 返回頂部](#目錄)
+1. 克隆儲存庫 `git clone https://github.com/yusing/godoxy --depth=1`

-## 源碼編譯
+2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`

-1. 獲取源碼 `git clone https://github.com/yusing/go-proxy --depth=1`
+3. 如果之前編譯過（go < 1.22），請使用 `go clean -cache` 清除快取

-2. 安裝/升級 [go 版本 (>=1.22)](https://go.dev/doc/install) 和 `make`（如果尚未安裝）
+4. 使用 `make get` 獲取依賴

-3. 如果之前編譯過（go 版本 < 1.22），請使用 `go clean -cache` 清除緩存
+5. 使用 `make build` 編譯二進制檔案

-4. 使用 `make get` 獲取依賴項
-
-5. 使用 `make build` 編譯
-
-[🔼 返回頂部](#目錄)
+[🔼回到頂部](#目錄)
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -0,0 +1,61 @@
+package main
+
+import (
+	"os"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	"github.com/yusing/go-proxy/agent/pkg/server"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+func main() {
+	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
+
+	ca := &agent.PEMPair{}
+	err := ca.Load(env.AgentCACert)
+	if err != nil {
+		gperr.LogFatal("init CA error", err)
+	}
+	caCert, err := ca.ToTLSCert()
+	if err != nil {
+		gperr.LogFatal("init CA error", err)
+	}
+
+	srv := &agent.PEMPair{}
+	srv.Load(env.AgentSSLCert)
+	if err != nil {
+		gperr.LogFatal("init SSL error", err)
+	}
+	srvCert, err := srv.ToTLSCert()
+	if err != nil {
+		gperr.LogFatal("init SSL error", err)
+	}
+
+	logging.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
+	logging.Info().Msgf("Agent name: %s", env.AgentName)
+	logging.Info().Msgf("Agent port: %d", env.AgentPort)
+
+	logging.Info().Msg(`
+Tips:
+1. To change the agent name, you can set the AGENT_NAME environment variable.
+2. To change the agent port, you can set the AGENT_PORT environment variable.
+`)
+
+	t := task.RootTask("agent", false)
+	opts := server.Options{
+		CACert:     caCert,
+		ServerCert: srvCert,
+		Port:       env.AgentPort,
+	}
+
+	server.StartAgentServer(t, opts)
+	systeminfo.Poller.Start()
+
+	task.WaitExit(3)
+}
--- a/agent/pkg/agent/bare_metal.go
+++ b/agent/pkg/agent/bare_metal.go
@@ -0,0 +1,23 @@
+package agent
+
+import (
+	"bytes"
+	"text/template"
+)
+
+var (
+	installScript = `AGENT_NAME="{{.Name}}" \
+	AGENT_PORT="{{.Port}}" \
+	AGENT_CA_CERT="{{.CACert}}" \
+	AGENT_SSL_CERT="{{.SSLCert}}" \
+	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/go-proxy/main/scripts/install-agent.sh)"`
+	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
+)
+
+func (c *AgentEnvConfig) Generate() (string, error) {
+	buf := bytes.NewBuffer(make([]byte, 0, 4096))
+	if err := installScriptTemplate.Execute(buf, c); err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}
--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -0,0 +1,190 @@
+package agent
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+type AgentConfig struct {
+	Addr string
+
+	httpClient *http.Client
+	tlsConfig  *tls.Config
+	name       string
+	l          zerolog.Logger
+}
+
+const (
+	EndpointVersion    = "/version"
+	EndpointName       = "/name"
+	EndpointProxyHTTP  = "/proxy/http"
+	EndpointHealth     = "/health"
+	EndpointLogs       = "/logs"
+	EndpointSystemInfo = "/system_info"
+
+	AgentHost = CertsDNSName
+
+	APIEndpointBase = "/godoxy/agent"
+	APIBaseURL      = "https://" + AgentHost + APIEndpointBase
+
+	DockerHost = "https://" + AgentHost
+
+	FakeDockerHostPrefix    = "agent://"
+	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
+)
+
+var (
+	AgentURL              = types.MustParseURL(APIBaseURL)
+	HTTPProxyURL          = types.MustParseURL(APIBaseURL + EndpointProxyHTTP)
+	HTTPProxyURLPrefixLen = len(APIEndpointBase + EndpointProxyHTTP)
+)
+
+func IsDockerHostAgent(dockerHost string) bool {
+	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
+}
+
+func GetAgentAddrFromDockerHost(dockerHost string) string {
+	return dockerHost[FakeDockerHostPrefixLen:]
+}
+
+func (cfg *AgentConfig) FakeDockerHost() string {
+	return FakeDockerHostPrefix + cfg.Addr
+}
+
+func (cfg *AgentConfig) Parse(addr string) error {
+	cfg.Addr = addr
+	return nil
+}
+
+func withoutBuildTime(version string) string {
+	return strings.Split(version, "-")[0]
+}
+
+func checkVersion(a, b string) bool {
+	return withoutBuildTime(a) == withoutBuildTime(b)
+}
+
+func (cfg *AgentConfig) StartWithCerts(parent task.Parent, ca, crt, key []byte) error {
+	clientCert, err := tls.X509KeyPair(crt, key)
+	if err != nil {
+		return err
+	}
+
+	// create tls config
+	caCertPool := x509.NewCertPool()
+	ok := caCertPool.AppendCertsFromPEM(ca)
+	if !ok {
+		return gperr.New("invalid ca certificate")
+	}
+
+	cfg.tlsConfig = &tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		RootCAs:      caCertPool,
+		ServerName:   CertsDNSName,
+	}
+
+	// create transport and http client
+	cfg.httpClient = cfg.NewHTTPClient()
+
+	ctx, cancel := context.WithTimeout(parent.Context(), 5*time.Second)
+	defer cancel()
+
+	// check agent version
+	version, _, err := cfg.Fetch(ctx, EndpointVersion)
+	if err != nil {
+		return err
+	}
+
+	versionStr := string(version)
+	// skip version check for dev versions
+	if strings.HasPrefix(versionStr, "v") && !checkVersion(versionStr, pkg.GetVersion()) {
+		return gperr.Errorf("agent version mismatch: server: %s, agent: %s", pkg.GetVersion(), versionStr)
+	}
+
+	// get agent name
+	name, _, err := cfg.Fetch(ctx, EndpointName)
+	if err != nil {
+		return err
+	}
+
+	cfg.name = string(name)
+	cfg.l = logging.With().Str("agent", cfg.name).Logger()
+
+	logging.Info().Msgf("agent %q initialized", cfg.name)
+	return nil
+}
+
+func (cfg *AgentConfig) Start(parent task.Parent) gperr.Error {
+	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
+	if !ok {
+		return gperr.New("invalid agent host").Subject(cfg.Addr)
+	}
+
+	certData, err := os.ReadFile(filepath)
+	if err != nil {
+		return gperr.Wrap(err, "failed to read agent certs")
+	}
+
+	ca, crt, key, err := certs.ExtractCert(certData)
+	if err != nil {
+		return gperr.Wrap(err, "failed to extract agent certs")
+	}
+
+	return gperr.Wrap(cfg.StartWithCerts(parent, ca, crt, key))
+}
+
+func (cfg *AgentConfig) NewHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: cfg.Transport(),
+	}
+}
+
+func (cfg *AgentConfig) Transport() *http.Transport {
+	return &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if addr != AgentHost+":443" {
+				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
+			}
+			if network != "tcp" {
+				return nil, &net.OpError{Op: "dial", Net: network, Source: nil, Addr: nil}
+			}
+			return cfg.DialContext(ctx)
+		},
+		TLSClientConfig: cfg.tlsConfig,
+	}
+}
+
+func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
+	return gphttp.DefaultDialer.DialContext(ctx, "tcp", cfg.Addr)
+}
+
+func (cfg *AgentConfig) Name() string {
+	return cfg.name
+}
+
+func (cfg *AgentConfig) String() string {
+	return cfg.name + "@" + cfg.Addr
+}
+
+func (cfg *AgentConfig) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]string{
+		"name": cfg.Name(),
+		"addr": cfg.Addr,
+	})
+}
--- a/agent/pkg/agent/docker_compose.go
+++ b/agent/pkg/agent/docker_compose.go
@@ -0,0 +1,27 @@
+package agent
+
+import (
+	"bytes"
+	"text/template"
+
+	_ "embed"
+)
+
+var (
+	//go:embed templates/agent.compose.yml
+	agentComposeYAML         string
+	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml").Parse(agentComposeYAML))
+)
+
+const (
+	DockerImageProduction = "ghcr.io/yusing/godoxy-agent:latest"
+	DockerImageNightly    = "ghcr.io/yusing/godoxy-agent:nightly"
+)
+
+func (c *AgentComposeConfig) Generate() (string, error) {
+	buf := bytes.NewBuffer(make([]byte, 0, 1024))
+	if err := agentComposeYAMLTemplate.Execute(buf, c); err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}
--- a/agent/pkg/agent/env.go
+++ b/agent/pkg/agent/env.go
@@ -0,0 +1,17 @@
+package agent
+
+type (
+	AgentEnvConfig struct {
+		Name    string
+		Port    int
+		CACert  string
+		SSLCert string
+	}
+	AgentComposeConfig struct {
+		Image string
+		*AgentEnvConfig
+	}
+	Generator interface {
+		Generate() (string, error)
+	}
+)
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@@ -0,0 +1,139 @@
+package agent
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"math/big"
+	"strings"
+	"time"
+)
+
+const (
+	CertsDNSName = "godoxy.agent"
+	KeySize      = 2048
+)
+
+func toPEMPair(certDER []byte, key *rsa.PrivateKey) *PEMPair {
+	return &PEMPair{
+		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
+		Key:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
+	}
+}
+
+func b64Encode(data []byte) string {
+	return base64.StdEncoding.EncodeToString(data)
+}
+
+func b64Decode(data string) ([]byte, error) {
+	return base64.StdEncoding.DecodeString(data)
+}
+
+type PEMPair struct {
+	Cert, Key []byte
+}
+
+func (p *PEMPair) String() string {
+	return b64Encode(p.Cert) + ";" + b64Encode(p.Key)
+}
+
+func (p *PEMPair) Load(data string) (err error) {
+	parts := strings.Split(data, ";")
+	if len(parts) != 2 {
+		return errors.New("invalid PEM pair")
+	}
+	p.Cert, err = b64Decode(parts[0])
+	if err != nil {
+		return err
+	}
+	p.Key, err = b64Decode(parts[1])
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
+	cert, err := tls.X509KeyPair(p.Cert, p.Key)
+	return &cert, err
+}
+
+func NewAgent() (ca, srv, client *PEMPair, err error) {
+	// Create the CA's certificate
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"GoDoxy"},
+			CommonName:   CertsDNSName,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(1000, 0, 0), // 1000 years
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	caDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	ca = toPEMPair(caDER, caKey)
+
+	// Generate a new private key for the server certificate
+	serverKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	srvTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Issuer:       caTemplate.Subject,
+		Subject:      caTemplate.Subject,
+		DNSNames:     []string{CertsDNSName},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(1000, 0, 0), // Add validity period
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+
+	srvCertDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, caTemplate, &serverKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	srv = toPEMPair(srvCertDER, serverKey)
+
+	clientKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	clientTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(3),
+		Issuer:       caTemplate.Subject,
+		Subject:      caTemplate.Subject,
+		DNSNames:     []string{CertsDNSName},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(1000, 0, 0),
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+	}
+	clientCertDER, err := x509.CreateCertificate(rand.Reader, clientTemplate, caTemplate, &clientKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	client = toPEMPair(clientCertDER, clientKey)
+	return
+}
--- a/agent/pkg/agent/new_agent_test.go
+++ b/agent/pkg/agent/new_agent_test.go
@@ -0,0 +1,91 @@
+package agent
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestNewAgent(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+	ExpectTrue(t, ca != nil)
+	ExpectTrue(t, srv != nil)
+	ExpectTrue(t, client != nil)
+}
+
+func TestPEMPair(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+
+	for i, p := range []*PEMPair{ca, srv, client} {
+		t.Run(fmt.Sprintf("load-%d", i), func(t *testing.T) {
+			var pp PEMPair
+			err := pp.Load(p.String())
+			ExpectNoError(t, err)
+			ExpectEqual(t, p.Cert, pp.Cert)
+			ExpectEqual(t, p.Key, pp.Key)
+		})
+	}
+}
+
+func TestPEMPairToTLSCert(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+
+	for i, p := range []*PEMPair{ca, srv, client} {
+		t.Run(fmt.Sprintf("toTLSCert-%d", i), func(t *testing.T) {
+			cert, err := p.ToTLSCert()
+			ExpectNoError(t, err)
+			ExpectTrue(t, cert != nil)
+		})
+	}
+}
+
+func TestServerClient(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+
+	srvTLS, err := srv.ToTLSCert()
+	ExpectNoError(t, err)
+	ExpectTrue(t, srvTLS != nil)
+
+	clientTLS, err := client.ToTLSCert()
+	ExpectNoError(t, err)
+	ExpectTrue(t, clientTLS != nil)
+
+	caPool := x509.NewCertPool()
+	ExpectTrue(t, caPool.AppendCertsFromPEM(ca.Cert))
+
+	srvTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{*srvTLS},
+		ClientCAs:    caPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	clientTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{*clientTLS},
+		RootCAs:      caPool,
+		ServerName:   CertsDNSName,
+	}
+
+	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	server.TLS = srvTLSConfig
+	server.StartTLS()
+	defer server.Close()
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{TLSClientConfig: clientTLSConfig},
+	}
+
+	resp, err := httpClient.Get(server.URL)
+	ExpectNoError(t, err)
+	ExpectEqual(t, resp.StatusCode, http.StatusOK)
+}
--- a/agent/pkg/agent/requests.go
+++ b/agent/pkg/agent/requests.go
@@ -0,0 +1,49 @@
+package agent
+
+import (
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/coder/websocket"
+)
+
+func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
+	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
+	if err != nil {
+		return nil, err
+	}
+	return cfg.httpClient.Do(req)
+}
+
+func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) ([]byte, int, error) {
+	req = req.WithContext(req.Context())
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = APIEndpointBase + endpoint
+	req.RequestURI = ""
+	resp, err := cfg.httpClient.Do(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer resp.Body.Close()
+	data, _ := io.ReadAll(resp.Body)
+	return data, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int, error) {
+	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer resp.Body.Close()
+	data, _ := io.ReadAll(resp.Body)
+	return data, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
+	return websocket.Dial(ctx, APIBaseURL+endpoint, &websocket.DialOptions{
+		HTTPClient: cfg.NewHTTPClient(),
+		Host:       AgentHost,
+	})
+}
--- a/agent/pkg/agent/templates/agent.compose.yml
+++ b/agent/pkg/agent/templates/agent.compose.yml
@@ -0,0 +1,14 @@
+services:
+  agent:
+    image: "{{.Image}}"
+    container_name: godoxy-agent
+    restart: always
+    network_mode: host # do not change this
+    environment:
+      AGENT_NAME: "{{.Name}}"
+      AGENT_PORT: "{{.Port}}"
+      AGENT_CA_CERT: "{{.CACert}}"
+      AGENT_SSL_CERT: "{{.SSLCert}}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/app/data
--- a/agent/pkg/agentproxy/headers.go
+++ b/agent/pkg/agentproxy/headers.go
@@ -0,0 +1,27 @@
+package agentproxy
+
+import (
+	"net/http"
+	"strconv"
+)
+
+const (
+	HeaderXProxyHost                  = "X-Proxy-Host"
+	HeaderXProxyHTTPS                 = "X-Proxy-Https"
+	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
+	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
+)
+
+type AgentProxyHeaders struct {
+	Host                  string
+	IsHTTPS               bool
+	SkipTLSVerify         bool
+	ResponseHeaderTimeout int
+}
+
+func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
+	r.Header.Set(HeaderXProxyHost, headers.Host)
+	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
+	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
+	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
+}
--- a/agent/pkg/certs/zip.go
+++ b/agent/pkg/certs/zip.go
@@ -0,0 +1,84 @@
+package certs
+
+import (
+	"archive/zip"
+	"bytes"
+	"io"
+	"path/filepath"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
+	w, err := zipWriter.CreateHeader(&zip.FileHeader{
+		Name:   name,
+		Method: zip.Store,
+	})
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(data)
+	return err
+}
+
+func readFile(f *zip.File) ([]byte, error) {
+	r, err := f.Open()
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+	return io.ReadAll(r)
+}
+
+func ZipCert(ca, crt, key []byte) ([]byte, error) {
+	data := bytes.NewBuffer(make([]byte, 0, 6144))
+	zipWriter := zip.NewWriter(data)
+	defer zipWriter.Close()
+
+	if err := writeFile(zipWriter, "ca.pem", ca); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "cert.pem", crt); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "key.pem", key); err != nil {
+		return nil, err
+	}
+	if err := zipWriter.Close(); err != nil {
+		return nil, err
+	}
+	return data.Bytes(), nil
+}
+
+func isValidAgentHost(host string) bool {
+	return strutils.IsValidFilename(host + ".zip")
+}
+
+func AgentCertsFilepath(host string) (filepathOut string, ok bool) {
+	if !isValidAgentHost(host) {
+		return "", false
+	}
+	return filepath.Join(common.AgentCertsBasePath, host+".zip"), true
+}
+
+func ExtractCert(data []byte) (ca, crt, key []byte, err error) {
+	zipReader, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	for _, file := range zipReader.File {
+		switch file.Name {
+		case "ca.pem":
+			ca, err = readFile(file)
+		case "cert.pem":
+			crt, err = readFile(file)
+		case "key.pem":
+			key, err = readFile(file)
+		}
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+	return ca, crt, key, nil
+}
--- a/agent/pkg/certs/zip_test.go
+++ b/agent/pkg/certs/zip_test.go
@@ -0,0 +1,19 @@
+package certs
+
+import (
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestZipCert(t *testing.T) {
+	ca, crt, key := []byte("test1"), []byte("test2"), []byte("test3")
+	zipData, err := ZipCert(ca, crt, key)
+	ExpectNoError(t, err)
+
+	ca2, crt2, key2, err := ExtractCert(zipData)
+	ExpectNoError(t, err)
+	ExpectEqual(t, ca, ca2)
+	ExpectEqual(t, crt, crt2)
+	ExpectEqual(t, key, key2)
+}
--- a/agent/pkg/env/env.go
+++ b/agent/pkg/env/env.go
@@ -0,0 +1,24 @@
+package env
+
+import (
+	"os"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+func DefaultAgentName() string {
+	name, err := os.Hostname()
+	if err != nil {
+		return "agent"
+	}
+	return name
+}
+
+var (
+	AgentName                = common.GetEnvString("AGENT_NAME", DefaultAgentName())
+	AgentPort                = common.GetEnvInt("AGENT_PORT", 8890)
+	AgentSkipClientCertCheck = common.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
+
+	AgentCACert  = common.GetEnvString("AGENT_CA_CERT", "")
+	AgentSSLCert = common.GetEnvString("AGENT_SSL_CERT", "")
+)
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@@ -0,0 +1,77 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
+)
+
+var defaultHealthConfig = health.DefaultHealthConfig()
+
+func CheckHealth(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	scheme := query.Get("scheme")
+	if scheme == "" {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	var result *health.HealthCheckResult
+	var err error
+	switch scheme {
+	case "fileserver":
+		path := query.Get("path")
+		if path == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		_, err := os.Stat(path)
+		result = &health.HealthCheckResult{Healthy: err == nil}
+		if err != nil {
+			result.Detail = err.Error()
+		}
+	case "http", "https": // path is optional
+		host := query.Get("host")
+		path := query.Get("path")
+		if host == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+			Path:   path,
+		}, defaultHealthConfig).CheckHealth()
+	case "tcp", "udp":
+		host := query.Get("host")
+		if host == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		hasPort := strings.Contains(host, ":")
+		port := query.Get("port")
+		if port != "" && !hasPort {
+			host = fmt.Sprintf("%s:%s", host, port)
+		} else {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewRawHealthMonitor(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+		}, defaultHealthConfig).CheckHealth()
+	}
+
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadGateway)
+		return
+	}
+
+	gphttp.RespondJSON(w, r, result)
+}
--- a/agent/pkg/handler/check_health_test.go
+++ b/agent/pkg/handler/check_health_test.go
@@ -0,0 +1,216 @@
+package handler_test
+
+import (
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/handler"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+)
+
+func TestCheckHealthHTTP(t *testing.T) {
+	tests := []struct {
+		name            string
+		setupServer     func() *httptest.Server
+		queryParams     map[string]string
+		expectedStatus  int
+		expectedHealthy bool
+	}{
+		{
+			name: "Valid",
+			setupServer: func() *httptest.Server {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusOK)
+				}))
+			},
+			queryParams: map[string]string{
+				"scheme": "http",
+				"host":   "localhost",
+				"path":   "/",
+			},
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:        "InvalidQuery",
+			setupServer: nil,
+			queryParams: map[string]string{
+				"scheme": "http",
+			},
+			expectedStatus: http.StatusBadRequest,
+		},
+		{
+			name:        "ConnectionError",
+			setupServer: nil,
+			queryParams: map[string]string{
+				"scheme": "http",
+				"host":   "localhost:12345",
+			},
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var server *httptest.Server
+			if tt.setupServer != nil {
+				server = tt.setupServer()
+				defer server.Close()
+				u, _ := url.Parse(server.URL)
+				tt.queryParams["scheme"] = u.Scheme
+				tt.queryParams["host"] = u.Host
+				tt.queryParams["path"] = u.Path
+			}
+
+			recorder := httptest.NewRecorder()
+			query := url.Values{}
+			for key, value := range tt.queryParams {
+				query.Set(key, value)
+			}
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			if tt.expectedStatus == http.StatusOK {
+				var result health.HealthCheckResult
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+				require.Equal(t, result.Healthy, tt.expectedHealthy)
+			}
+		})
+	}
+}
+
+func TestCheckHealthFileServer(t *testing.T) {
+	tests := []struct {
+		name            string
+		path            string
+		expectedStatus  int
+		expectedHealthy bool
+		expectedDetail  string
+	}{
+		{
+			name:            "ValidPath",
+			path:            t.TempDir(),
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+			expectedDetail:  "",
+		},
+		{
+			name:            "InvalidPath",
+			path:            "/invalid",
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+			expectedDetail:  "stat /invalid: no such file or directory",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			query := url.Values{}
+			query.Set("scheme", "fileserver")
+			query.Set("path", tt.path)
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			var result health.HealthCheckResult
+			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+			require.Equal(t, result.Healthy, tt.expectedHealthy)
+			require.Equal(t, result.Detail, tt.expectedDetail)
+		})
+	}
+}
+
+func TestCheckHealthTCPUDP(t *testing.T) {
+	tcp, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	go func() {
+		conn, err := tcp.Accept()
+		require.NoError(t, err)
+		conn.Close()
+	}()
+
+	udp, err := net.ListenPacket("udp", "localhost:0")
+	require.NoError(t, err)
+	go func() {
+		buf := make([]byte, 1024)
+		n, addr, err := udp.ReadFrom(buf)
+		require.NoError(t, err)
+		require.Equal(t, string(buf[:n]), "ping")
+		_, _ = udp.WriteTo([]byte("pong"), addr)
+		udp.Close()
+	}()
+
+	tests := []struct {
+		name            string
+		scheme          string
+		host            string
+		port            int
+		expectedStatus  int
+		expectedHealthy bool
+	}{
+		{
+			name:            "ValidTCP",
+			scheme:          "tcp",
+			host:            "localhost",
+			port:            tcp.Addr().(*net.TCPAddr).Port,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:            "InvalidHost",
+			scheme:          "tcp",
+			host:            "invalid",
+			port:            8080,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+		{
+			name:            "ValidUDP",
+			scheme:          "udp",
+			host:            "localhost",
+			port:            udp.LocalAddr().(*net.UDPAddr).Port,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:            "InvalidHost",
+			scheme:          "udp",
+			host:            "invalid",
+			port:            8080,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			query := url.Values{}
+			query.Set("scheme", tt.scheme)
+			query.Set("host", tt.host)
+			query.Set("port", strconv.Itoa(tt.port))
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			var result health.HealthCheckResult
+			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+			require.Equal(t, result.Healthy, tt.expectedHealthy)
+		})
+	}
+}
--- a/agent/pkg/handler/docker_socket.go
+++ b/agent/pkg/handler/docker_socket.go
@@ -0,0 +1,31 @@
+package handler
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/docker/docker/client"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
+)
+
+func serviceUnavailable(w http.ResponseWriter, r *http.Request) {
+	http.Error(w, "docker socket is not available", http.StatusServiceUnavailable)
+}
+
+func DockerSocketHandler() http.HandlerFunc {
+	dockerClient, err := docker.NewClient(common.DockerHostFromEnv)
+	if err != nil {
+		logging.Warn().Err(err).Msg("failed to connect to docker client")
+		return serviceUnavailable
+	}
+	rp := reverseproxy.NewReverseProxy("docker", types.NewURL(&url.URL{
+		Scheme: "http",
+		Host:   client.DummyHost,
+	}), dockerClient.HTTPClient().Transport)
+
+	return rp.ServeHTTP
+}
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@@ -0,0 +1,49 @@
+package handler
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func (mux ServeMux) HandleMethods(methods, endpoint string, handler http.HandlerFunc) {
+	for _, m := range strutils.CommaSeperatedList(methods) {
+		mux.ServeMux.HandleFunc(m+" "+agent.APIEndpointBase+endpoint, handler)
+	}
+}
+
+func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
+}
+
+type NopWriteCloser struct {
+	io.Writer
+}
+
+func (NopWriteCloser) Close() error {
+	return nil
+}
+
+func NewAgentHandler() http.Handler {
+	mux := ServeMux{http.NewServeMux()}
+
+	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
+	mux.HandleMethods("GET", agent.EndpointVersion, v1.GetVersion)
+	mux.HandleMethods("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.AgentName)
+	})
+	mux.HandleMethods("GET", agent.EndpointHealth, CheckHealth)
+	mux.HandleMethods("GET", agent.EndpointLogs, memlogger.HandlerFunc())
+	mux.HandleMethods("GET", agent.EndpointSystemInfo, systeminfo.Poller.ServeHTTP)
+	mux.ServeMux.HandleFunc("/", DockerSocketHandler())
+	return mux
+}
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -0,0 +1,62 @@
+package handler
+
+import (
+	"crypto/tls"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/agentproxy"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
+)
+
+func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
+	host := r.Header.Get(agentproxy.HeaderXProxyHost)
+	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
+	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
+	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
+	if err != nil {
+		responseHeaderTimeout = 0
+	}
+
+	if host == "" {
+		http.Error(w, "missing required headers", http.StatusBadRequest)
+		return
+	}
+
+	scheme := "http"
+	if isHTTPS {
+		scheme = "https"
+	}
+
+	var transport *http.Transport
+	if skipTLSVerify {
+		transport = gphttp.NewTransportWithTLSConfig(&tls.Config{InsecureSkipVerify: true})
+	} else {
+		transport = gphttp.NewTransport()
+	}
+
+	if responseHeaderTimeout > 0 {
+		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+	}
+
+	r.URL.Scheme = ""
+	r.URL.Host = ""
+	r.URL.Path = r.URL.Path[agent.HTTPProxyURLPrefixLen:] // strip the {API_BASE}/proxy/http prefix
+	r.RequestURI = r.URL.String()
+	r.URL.Host = host
+	r.URL.Scheme = scheme
+
+	logging.Debug().Msgf("proxy http request: %s %s", r.Method, r.URL.String())
+
+	rp := reverseproxy.NewReverseProxy("agent", types.NewURL(&url.URL{
+		Scheme: scheme,
+		Host:   host,
+	}), transport)
+	rp.ServeHTTP(w, r)
+}
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -0,0 +1,44 @@
+package server
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	"github.com/yusing/go-proxy/agent/pkg/handler"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp/server"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+type Options struct {
+	CACert, ServerCert *tls.Certificate
+	Port               int
+}
+
+func StartAgentServer(parent task.Parent, opt Options) {
+	caCertPool := x509.NewCertPool()
+	caCertPool.AddCert(opt.CACert.Leaf)
+
+	// Configure TLS
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{*opt.ServerCert},
+		ClientCAs:    caCertPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	if env.AgentSkipClientCertCheck {
+		tlsConfig.ClientAuth = tls.NoClientCert
+	}
+
+	logger := logging.GetLogger()
+	agentServer := &http.Server{
+		Addr:      fmt.Sprintf(":%d", opt.Port),
+		Handler:   handler.NewAgentHandler(),
+		TLSConfig: tlsConfig,
+	}
+
+	server.Start(parent, agentServer, nil, logger)
+}
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,76 +1,98 @@
 package main

 import (
-	"context"
 	"encoding/json"
-	"io"
 	"log"
-	"net/http"
 	"os"
-	"os/signal"
-	"reflect"
-	"runtime"
-	"strings"
 	"sync"
-	"syscall"
-	"time"

-	"github.com/sirupsen/logrus"
 	"github.com/yusing/go-proxy/internal"
-	"github.com/yusing/go-proxy/internal/api"
 	"github.com/yusing/go-proxy/internal/api/v1/query"
+	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/docker/idlewatcher"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	R "github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/server"
-	F "github.com/yusing/go-proxy/internal/utils/functional"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/metrics/uptime"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
+	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
 )

+var rawLogger = log.New(os.Stdout, "", 0)
+
+func parallel(fns ...func()) {
+	var wg sync.WaitGroup
+	for _, fn := range fns {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			fn()
+		}()
+	}
+	wg.Wait()
+}
+
 func main() {
-	args := common.GetArgs()
+	initProfiling()
+	args := pkg.GetArgs(common.MainServerCommandValidator{})

-	if args.Command == common.CommandSetup {
-		internal.Setup()
-		return
-	}
-
-	l := logrus.WithField("module", "main")
-	onShutdown := F.NewSlice[func()]()
-
-	if common.IsDebug {
-		logrus.SetLevel(logrus.DebugLevel)
-	}
-
-	if args.Command != common.CommandStart {
-		logrus.SetOutput(io.Discard)
-	} else {
-		logrus.SetFormatter(&logrus.TextFormatter{
-			DisableSorting:  true,
-			FullTimestamp:   true,
-			ForceColors:     true,
-			TimestampFormat: "01-02 15:04:05",
-		})
-		logrus.Infof("go-proxy version %s", pkg.GetVersion())
-	}
-
-	if args.Command == common.CommandReload {
+	switch args.Command {
+	case common.CommandReload:
 		if err := query.ReloadServer(); err != nil {
+			gperr.LogFatal("server reload error", err)
+		}
+		rawLogger.Println("ok")
+		return
+	case common.CommandListIcons:
+		icons, err := internal.ListAvailableIcons()
+		if err != nil {
+			rawLogger.Fatal(err)
+		}
+		printJSON(icons)
+		return
+	case common.CommandListRoutes:
+		routes, err := query.ListRoutes()
+		if err != nil {
+			log.Printf("failed to connect to api server: %s", err)
+			log.Printf("falling back to config file")
+		} else {
+			printJSON(routes)
+			return
+		}
+	case common.CommandDebugListMTrace:
+		trace, err := query.ListMiddlewareTraces()
+		if err != nil {
 			log.Fatal(err)
 		}
-		log.Print("ok")
+		printJSON(trace)
 		return
 	}

-	// exit if only validate config
+	if args.Command == common.CommandStart {
+		logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
+		logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
+		logging.Trace().Msg("trace enabled")
+		parallel(
+			internal.InitIconListCache,
+			systeminfo.Poller.Start,
+		)
+
+		if common.APIJWTSecret == nil {
+			logging.Warn().Msg("API_JWT_SECRET is not set, using random key")
+			common.APIJWTSecret = common.RandomJWTKey()
+		}
+	} else {
+		logging.DiscardLogger()
+	}
+
 	if args.Command == common.CommandValidate {
 		data, err := os.ReadFile(common.ConfigPath)
 		if err == nil {
-			err = config.Validate(data).Error()
+			err = config.Validate(data)
 		}
 		if err != nil {
 			log.Fatal("config error: ", err)
@@ -85,146 +107,58 @@ func main() {

 	middleware.LoadComposeFiles()

-	if err := config.Load(); err != nil {
-		logrus.Warn(err)
+	var cfg *config.Config
+	var err gperr.Error
+	if cfg, err = config.Load(); err != nil {
+		gperr.LogWarn("errors in config", err)
+		err = nil
 	}
-	cfg := config.GetInstance()

 	switch args.Command {
+	case common.CommandListRoutes:
+		cfg.StartProxyProviders()
+		printJSON(routes.ByAlias())
+		return
 	case common.CommandListConfigs:
 		printJSON(cfg.Value())
 		return
-	case common.CommandListRoutes:
-		routes, err := query.ListRoutes()
-		if err != nil {
-			log.Printf("failed to connect to api server: %s", err)
-			log.Printf("falling back to config file")
-			printJSON(cfg.RoutesByAlias())
-		} else {
-			printJSON(routes)
-		}
-		return
-	case common.CommandListIcons:
-		icons, err := internal.ListAvailableIcons()
-		if err != nil {
-			log.Fatal(err)
-		}
-		printJSON(icons)
-		return
 	case common.CommandDebugListEntries:
-		printJSON(cfg.DumpEntries())
+		printJSON(cfg.DumpRoutes())
 		return
 	case common.CommandDebugListProviders:
-		printJSON(cfg.DumpProviders())
+		printJSON(cfg.DumpRouteProviders())
 		return
-	case common.CommandDebugListMTrace:
-		trace, err := query.ListMiddlewareTraces()
-		if err != nil {
-			log.Fatal(err)
-		}
-		printJSON(trace)
 	}

-	cfg.StartProxyProviders()
-	cfg.WatchChanges()
-
-	onShutdown.Add(docker.CloseAllClients)
-	onShutdown.Add(cfg.Dispose)
-
-	sig := make(chan os.Signal, 1)
-	signal.Notify(sig, syscall.SIGINT)
-	signal.Notify(sig, syscall.SIGTERM)
-	signal.Notify(sig, syscall.SIGHUP)
-
-	autocert := cfg.GetAutoCertProvider()
-
-	if autocert != nil {
-		ctx, cancel := context.WithCancel(context.Background())
-		if err := autocert.Setup(ctx); err != nil {
-			l.Fatal(err)
-		} else {
-			onShutdown.Add(cancel)
-		}
-	} else {
-		l.Info("autocert not configured")
+	cfg.Start(&config.StartServersOptions{
+		Proxy: true,
+	})
+	if err := auth.Initialize(); err != nil {
+		logging.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
-
-	proxyServer := server.InitProxyServer(server.Options{
-		Name:            "proxy",
-		CertProvider:    autocert,
-		HTTPAddr:        common.ProxyHTTPAddr,
-		HTTPSAddr:       common.ProxyHTTPSAddr,
-		Handler:         http.HandlerFunc(R.ProxyHandler),
-		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
-	})
-	apiServer := server.InitAPIServer(server.Options{
-		Name:            "api",
-		CertProvider:    autocert,
-		HTTPAddr:        common.APIHTTPAddr,
-		Handler:         api.NewHandler(cfg),
-		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
+	// API Handler needs to start after auth is initialized.
+	cfg.StartServers(&config.StartServersOptions{
+		API: true,
 	})

-	proxyServer.Start()
-	apiServer.Start()
-	onShutdown.Add(proxyServer.Stop)
-	onShutdown.Add(apiServer.Stop)
+	uptime.Poller.Start()
+	config.WatchChanges()

-	go idlewatcher.Start()
-	onShutdown.Add(idlewatcher.Stop)
-
-	// wait for signal
-	<-sig
-
-	// grafully shutdown
-	logrus.Info("shutting down")
-	done := make(chan struct{}, 1)
-
-	var wg sync.WaitGroup
-	wg.Add(onShutdown.Size())
-	onShutdown.ForEach(func(f func()) {
-		go func() {
-			l.Debugf("waiting for %s to complete...", funcName(f))
-			f()
-			l.Debugf("%s done", funcName(f))
-			wg.Done()
-		}()
-	})
-	go func() {
-		wg.Wait()
-		close(done)
-	}()
-
-	timeout := time.After(time.Duration(cfg.Value().TimeoutShutdown) * time.Second)
-	select {
-	case <-done:
-		logrus.Info("shutdown complete")
-	case <-timeout:
-		logrus.Info("timeout waiting for shutdown")
-		onShutdown.ForEach(func(f func()) {
-			l.Warnf("%s() is still running", funcName(f))
-		})
-	}
+	task.WaitExit(cfg.Value().TimeoutShutdown)
 }

 func prepareDirectory(dir string) {
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
-		if err = os.MkdirAll(dir, 0755); err != nil {
-			logrus.Fatalf("failed to create directory %s: %v", dir, err)
+		if err = os.MkdirAll(dir, 0o755); err != nil {
+			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
 		}
 	}
 }

-func funcName(f func()) string {
-	parts := strings.Split(runtime.FuncForPC(reflect.ValueOf(f).Pointer()).Name(), "/go-proxy/")
-	return parts[len(parts)-1]
-}
-
 func printJSON(obj any) {
-	j, err := E.Check(json.MarshalIndent(obj, "", "  "))
+	j, err := json.MarshalIndent(obj, "", "  ")
 	if err != nil {
-		logrus.Fatal(err)
+		logging.Fatal().Err(err).Send()
 	}
-	rawLogger := log.New(os.Stdout, "", 0)
-	rawLogger.Printf("%s", j) // raw output for convenience using "jq"
+	rawLogger.Print(string(j)) // raw output for convenience using "jq"
 }
--- a/cmd/pprof_production.go
+++ b/cmd/pprof_production.go
@@ -0,0 +1,7 @@
+//go:build !pprof
+
+package main
+
+func initProfiling() {
+	// no profiling in production
+}
--- a/cmd/pprof_prof.go
+++ b/cmd/pprof_prof.go
@@ -0,0 +1,20 @@
+//go:build pprof
+
+package main
+
+import (
+	"log"
+	"net/http"
+	_ "net/http/pprof"
+	"runtime"
+	"runtime/debug"
+)
+
+func initProfiling() {
+	runtime.GOMAXPROCS(2)
+	debug.SetMemoryLimit(100 * 1024 * 1024)
+	debug.SetMaxStack(15 * 1024 * 1024)
+	go func() {
+		log.Println(http.ListenAndServe(":7777", nil))
+	}()
+}
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,45 +1,45 @@
+---
 services:
-    frontend:
-        image: ghcr.io/yusing/go-proxy-frontend:latest
-        container_name: go-proxy-frontend
-        restart: unless-stopped
-        network_mode: host
-        depends_on:
-            - app
-        # if you also want to proxy the WebUI and access it via gp.y.z
-        # labels:
-        #   - proxy.aliases=gp
-        #   - proxy.gp.port=3000
+  frontend:
+    image: ghcr.io/yusing/godoxy-frontend:latest
+    container_name: godoxy-frontend
+    restart: unless-stopped
+    network_mode: host # do not change this
+    env_file: .env
+    depends_on:
+      - app
+    environment:
+      PORT: ${GODOXY_FRONTEND_PORT:-3000}

-        # Make sure the value is same as `GOPROXY_API_ADDR` below (if you have changed it)
-        #
-        # environment:
-        #     GOPROXY_API_ADDR: 127.0.0.1:8888
-    app:
-        image: ghcr.io/yusing/go-proxy:latest
-        container_name: go-proxy
-        restart: always
-        network_mode: host
-        environment:
-            # (Optional) change this to your timezone to get correct log timestamp
-            TZ: ETC/UTC
+    # modify below to fit your needs
+    labels:
+      proxy.aliases: godoxy
+      proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
+      # proxy.godoxy.middlewares.cidr_whitelist: |
+      #   status: 403
+      #   message: IP not allowed
+      #   allow:
+      #     - 127.0.0.1
+      #     - 10.0.0.0/8
+      #     - 192.168.0.0/16
+      #     - 172.16.0.0/12
+  app:
+    image: ghcr.io/yusing/godoxy:latest
+    container_name: godoxy
+    restart: always
+    network_mode: host # do not change this
+    env_file: .env
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./config:/app/config
+      - ./logs:/app/logs
+      - ./error_pages:/app/error_pages
+      - ./data:/app/data

-            # Change these if you need
-            #
-            # GOPROXY_HTTP_ADDR: :80
-            # GOPROXY_HTTPS_ADDR: :443
-            # GOPROXY_API_ADDR: 127.0.0.1:8888
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-            - ./config:/app/config
+      # To use autocert, certs will be stored in "./certs".
+      # You can also use a docker volume to store it
+      - ./certs:/app/certs

-            # (Optional) choose one of below to enable https
-            # 1. use existing certificate
-            # if your cert is not named `cert.crt` change `cert_path` in `config/config.yml`
-            # if your cert key is not named `priv.key` change `key_path` in `config/config.yml`
-
-            # - /path/to/certs:/app/certs
-
-            # 2. use autocert, certs will be stored in ./certs (or other path you specify)
-
-            # - ./certs:/app/certs
+      # remove "./certs:/app/certs" and uncomment below to use existing certificate
+      # - /path/to/certs/cert.crt:/app/certs/cert.crt
+      # - /path/to/certs/priv.key:/app/certs/priv.key
--- a/config.example.yml
+++ b/config.example.yml
@@ -1,24 +1,61 @@
 # Autocert (choose one below and uncomment to enable)
 #
 # 1. use existing cert
-#
+
 # autocert:
 #   provider: local
-#
-#   cert_path: certs/cert.crt         # optional, uncomment only if you need to change it
-#   key_path: certs/priv.key          # optional, uncomment only if you need to change it
-#
+
 # 2. cloudflare
-#
 # autocert:
 #   provider: cloudflare
-#   email: abc@gmail.com                            # ACME Email
-#   domains:                                        # a list of domains for cert registration
-#     - "*.y.z"                                     # remember to use double quotes to surround wildcard domain
+#   email: abc@gmail.com # ACME Email
+#   domains: # a list of domains for cert registration
+#     - "*.domain.com"
+#     - "domain.com"
 #   options:
-#     auth_token: c1234565789-abcdefghijklmnopqrst  # your zone API token
-#
-# 3. other providers, check docs/dns_providers.md for more
+#     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
+
+# 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
+
+# acl:
+#   default: allow # or deny (default: allow)
+#   allow_local: true # or false (default: true)
+#   allow:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   deny:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
+#     buffer_size: 65536 # (default: 64KB)
+#     path: /app/logs/acl.log # (default: none)
+#     stdout: false # (default: false)
+#     keep: last 10 # (default: none)
+
+entrypoint:
+  # Below define an example of middleware config
+  # 1. block non local IP connections
+  # 2. redirect HTTP to HTTPS
+  #
+  # middlewares:
+  #   - use: CIDRWhitelist
+  #     allow:
+  #       - "127.0.0.1"
+  #       - "10.0.0.0/8"
+  #       - "172.16.0.0/12"
+  #       - "192.168.0.0/16"
+  #     status: 403
+  #     message: "Forbidden"
+  #   - use: RedirectHTTP
+
+  # below enables access log
+  access_log:
+    format: combined
+    path: /app/logs/entrypoint.log

 providers:
  # include files are standalone yaml files under `config/` directory
@@ -30,6 +67,7 @@ providers:
  docker:
    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
    local: $DOCKER_HOST
+
    # explicit only mode
    # only containers with explicit aliases will be proxied
    # add "!" after provider name to enable explicit only mode
@@ -41,29 +79,40 @@ providers:
    #
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2
-# if match_domains not defined
-# any host = alias+[any domain] will match
-# i.e. https://app1.y.z       will match alias app1 for any domain y.z
-#  but https://app1.node1.y.z will only match alias "app.node1"
-#
-# if match_domains defined
-# only host = alias+[one of match_domains] will match
-# i.e. match_domains = [node1.my.app, my.site]
-# https://app1.my.app, https://app1.my.net, etc. will not match even if app1 exists
-# only https://*.node1.my.app and https://*.my.site will match
-#
+
+  # notification providers (notify when service health changes)
+  #
+  # notification:
+  #   - name: gotify
+  #     provider: gotify
+  #     url: https://gotify.domain.tld
+  #     token: abcd
+  #   - name: discord
+  #     provider: webhook
+  #     url: https://discord.com/api/webhooks/...
+  #     template: discord # this means use payload template from internal/notif/templates/discord.json
+
+  # Proxmox providers (for idlesleep support for proxmox LXCs)
+  #
+  # proxmox:
+  #   - url: https://pve.domain.com:8006/api2/json
+  #     token_id: root@pam!abcdef
+  #     secret: aaaa-bbbb-cccc-dddd
+  #     no_tls_verify: true
+
+# Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
+# for explaination of `match_domains`
 #
 # match_domains:
 #   - my.site
 #   - node1.my.app

+# homepage config
+homepage:
+  # use default app categories detected from alias or docker image name
+  use_default_categories: true
+
 # Below are fixed options (non hot-reloadable)

 # timeout for shutdown (in seconds)
-#
-# timeout_shutdown: 5
-
-# global setting redirect http requests to https (if https available, otherwise this will be ignored)
-# proxy.<alias>.middlewares.redirect_http will override this
-#
-# redirect_to_https: false
+timeout_shutdown: 5
--- a/examples/docker-compose/n8n.yml
+++ b/examples/docker-compose/n8n.yml
@@ -0,0 +1,27 @@
+---
+services:
+  n8n:
+    image: n8nio/n8n
+    container_name: n8n
+    restart: always
+    expose:
+      - 5678
+    labels:
+      proxy.n8n.middlewares.request.set_headers: |
+        SSLRedirect: true
+        STSSeconds: 315360000
+        browserXSSFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        SSLHost: ${DOMAIN_NAME}
+        STSIncludeSubdomains: true
+        STSPreload: true
+    environment:
+      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
+      - N8N_PORT=5678
+      - N8N_PROTOCOL=https
+      - NODE_ENV=production
+      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
+      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
+    volumes:
+      - ./data:/home/node/.n8n
--- a/examples/error_pages/404.css
+++ b/examples/error_pages/404.css
@@ -0,0 +1,288 @@
+@import url("https://fonts.googleapis.com/css?family=Audiowide&display=swap");
+
+html,
+body {
+    margin: 0px;
+    overflow: hidden;
+}
+
+div {
+    position: absolute;
+    top: 0%;
+    left: 0%;
+    height: 100%;
+    width: 100%;
+    margin: 0px;
+    background: radial-gradient(circle, #240015 0%, #12000b 100%);
+    overflow: hidden;
+}
+
+.wrap {
+    position: absolute;
+    left: 50%;
+    top: 50%;
+    transform: translate(-50%, -50%);
+}
+
+h2 {
+    position: absolute;
+    top: 50%;
+    left: 50%;
+    margin-top: 150px;
+    font-size: 32px;
+    text-transform: uppercase;
+    transform: translate(-50%, -50%);
+    display: block;
+    color: #12000a;
+    font-weight: 300;
+    font-family: Audiowide;
+    text-shadow: 0px 0px 4px #12000a;
+    animation: fadeInText 3s ease-in 3.5s forwards,
+        flicker4 5s linear 7.5s infinite, hueRotate 6s ease-in-out 3s infinite;
+}
+
+#svgWrap_1,
+#svgWrap_2 {
+    position: absolute;
+    height: auto;
+    width: 600px;
+    max-width: 100%;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+}
+
+#svgWrap_1,
+#svgWrap_2,
+div {
+    animation: hueRotate 6s ease-in-out 3s infinite;
+}
+
+#id1_1,
+#id2_1,
+#id3_1 {
+    stroke: #ff005d;
+    stroke-width: 3px;
+    fill: transparent;
+    filter: url(#glow);
+}
+
+#id1_2,
+#id2_2,
+#id3_2 {
+    stroke: #12000a;
+    stroke-width: 3px;
+    fill: transparent;
+    filter: url(#glow);
+}
+
+#id3_1 {
+    stroke-dasharray: 940px;
+    stroke-dashoffset: -940px;
+    animation: drawLine3 2.5s ease-in-out 0s forwards,
+        flicker3 4s linear 4s infinite;
+}
+
+#id2_1 {
+    stroke-dasharray: 735px;
+    stroke-dashoffset: -735px;
+    animation: drawLine2 2.5s ease-in-out 0.5s forwards,
+        flicker2 4s linear 4.5s infinite;
+}
+
+#id1_1 {
+    stroke-dasharray: 940px;
+    stroke-dashoffset: -940px;
+    animation: drawLine1 2.5s ease-in-out 1s forwards,
+        flicker1 4s linear 5s infinite;
+}
+
+@keyframes drawLine1 {
+    0% {
+        stroke-dashoffset: -940px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes drawLine2 {
+    0% {
+        stroke-dashoffset: -735px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes drawLine3 {
+    0% {
+        stroke-dashoffset: -940px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes flicker1 {
+    0% {
+        stroke: #ff005d;
+    }
+    1% {
+        stroke: transparent;
+    }
+    3% {
+        stroke: transparent;
+    }
+    4% {
+        stroke: #ff005d;
+    }
+    6% {
+        stroke: #ff005d;
+    }
+    7% {
+        stroke: transparent;
+    }
+    13% {
+        stroke: transparent;
+    }
+    14% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker2 {
+    0% {
+        stroke: #ff005d;
+    }
+    50% {
+        stroke: #ff005d;
+    }
+    51% {
+        stroke: transparent;
+    }
+    61% {
+        stroke: transparent;
+    }
+    62% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker3 {
+    0% {
+        stroke: #ff005d;
+    }
+    1% {
+        stroke: transparent;
+    }
+    10% {
+        stroke: transparent;
+    }
+    11% {
+        stroke: #ff005d;
+    }
+    40% {
+        stroke: #ff005d;
+    }
+    41% {
+        stroke: transparent;
+    }
+    45% {
+        stroke: transparent;
+    }
+    46% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker4 {
+    0% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    30% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    31% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    32% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    36% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    37% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    41% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    42% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    85% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    86% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    95% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    96% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    100% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+}
+
+@keyframes fadeInText {
+    1% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    70% {
+        color: #ff005d;
+        text-shadow: 0px 0px 14px #ff005d;
+    }
+    100% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+}
+
+@keyframes hueRotate {
+    0% {
+        filter: hue-rotate(0deg);
+    }
+    50% {
+        filter: hue-rotate(-120deg);
+    }
+    100% {
+        filter: hue-rotate(0deg);
+    }
+}
--- a/examples/error_pages/404.html
+++ b/examples/error_pages/404.html
@@ -0,0 +1,51 @@
+{{/* Credit: https://codepen.io/code2rithik/pen/XWpVvYL */}}
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8" />
+  <title>Page Not Found</title>
+  <link rel="stylesheet" href="/$gperrorpage/404.css" type="text/css">
+  <!-- <script src="/$gperrorpage/404.js"> </script> -->
+</head>
+
+<body>
+  <script>0</script>
+  <div></div>
+  <svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
+    <g>
+      <path id="id3_2"
+        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
+      <path id="id2_2"
+        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
+      <path id="id1_2"
+        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
+    </g>
+  </svg>
+  <svg id="svgWrap_1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
+    <g>
+      <path id="id3_1"
+        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
+      <path id="id2_1"
+        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
+      <path id="id1_1"
+        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
+    </g>
+  </svg>
+
+  <svg>
+    <defs>
+      <filter id="glow">
+        <fegaussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur>
+        <femerge>
+          <femergenode in="coloredBlur"></femergenode>
+          <femergenode in="SourceGraphic"></femergenode>
+        </femerge>
+      </filter>
+    </defs>
+  </svg>
+
+  <h2>Page Not Found</h2>
+</body>
+
+</html>
--- a/examples/grafana_template.json
+++ b/examples/grafana_template.json
--- a/examples/microbin.yml
+++ b/examples/microbin.yml
@@ -1,16 +0,0 @@
-services:
-  app:
-    container_name: microbin
-    cpu_shares: 10
-    deploy:
-      resources:
-        limits:
-          memory: 256M
-    env_file: .env
-    image: danielszabo99/microbin:latest
-    ports:
-      - 8080
-    restart: unless-stopped
-    volumes:
-      - ./data:/app/microbin_data
-# microbin.domain.tld
--- a/examples/siyuan.yml
+++ b/examples/siyuan.yml
@@ -1,16 +0,0 @@
-services:
-  main:
-    image: b3log/siyuan:v3.1.0
-    container_name: siyuan
-    command:
-      - --workspace=/siyuan/workspace/
-      - --accessAuthCode=<some password>
-    user: 1000:1000
-    volumes:
-      - ./workspace:/siyuan/workspace
-    restart: unless-stopped
-    environment:
-      - TZ=Asia/Hong_Kong
-    ports:
-      - 6806
-# siyuan.domain.tld
--- a/go.mod
+++ b/go.mod
@@ -1,59 +1,248 @@
 module github.com/yusing/go-proxy

-go 1.23.2
+go 1.24.2

 require (
-	github.com/coder/websocket v1.8.12
-	github.com/docker/cli v27.3.1+incompatible
-	github.com/docker/docker v27.3.1+incompatible
-	github.com/fsnotify/fsnotify v1.7.0
-	github.com/go-acme/lego/v4 v4.19.2
-	github.com/puzpuzpuz/xsync/v3 v3.4.0
-	github.com/santhosh-tekuri/jsonschema v1.2.4
-	github.com/sirupsen/logrus v1.9.3
-	golang.org/x/net v0.30.0
-	golang.org/x/text v0.19.0
-	gopkg.in/yaml.v3 v3.0.1
+	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
+	github.com/coder/websocket v1.8.13 // websocket for API and agent
+	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
+	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/fsnotify/fsnotify v1.9.0 // file watcher
+	github.com/go-acme/lego/v4 v4.23.1 // acme client
+	github.com/go-playground/validator/v10 v10.26.0 // validator
+	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
+	github.com/gotify/server/v2 v2.6.1 // reference the Message struct for json response
+	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
+	github.com/puzpuzpuz/xsync/v3 v3.5.1 // lock free map for concurrent operations
+	github.com/rs/zerolog v1.34.0 // logging
+	github.com/shirou/gopsutil/v4 v4.25.3 // system info metrics
+	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
+	golang.org/x/crypto v0.37.0 // encrypting password with bcrypt
+	golang.org/x/net v0.39.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.29.0 // oauth2 authentication
+	golang.org/x/text v0.24.0 // string utilities
+	golang.org/x/time v0.11.0 // time utilities
+	gopkg.in/yaml.v3 v3.0.1 // indirect; yaml parsing for different config files
 )

+replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
+
 require (
+	github.com/bytedance/sonic v1.13.2
+	github.com/docker/cli v28.1.1+incompatible
+	github.com/goccy/go-yaml v1.17.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/luthermonson/go-proxmox v0.2.2
+	github.com/oschwald/maxminddb-golang v1.13.1
+	github.com/quic-go/quic-go v0.51.0
+	github.com/samber/slog-zerolog/v2 v2.7.3
+	github.com/spf13/afero v1.14.0
+	github.com/stretchr/testify v1.10.0
+	go.uber.org/atomic v1.11.0
+)
+
+replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e
+
+require (
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.106 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.224 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/bytedance/sonic/loader v0.2.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.106.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
+	github.com/civo/civogo v0.3.98 // indirect
+	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.14 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gophercloud/gophercloud v1.14.1 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.146 // indirect
+	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.9.0 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
+	github.com/labbsr0x/goh v1.0.1 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/linode/linodego v1.49.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
+	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
+	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
+	github.com/nrdcg/desec v0.11.0 // indirect
+	github.com/nrdcg/freemyip v0.3.0 // indirect
+	github.com/nrdcg/goacmedns v0.2.0 // indirect
+	github.com/nrdcg/goinwx v0.11.0 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/namesilo v0.2.1 // indirect
+	github.com/nrdcg/nodion v0.1.0 // indirect
+	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/nzdjb/go-metaname v1.0.0 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/ovh/go-ovh v1.6.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.89.2 // indirect
+	github.com/ovh/go-ovh v1.7.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/peterhellberg/link v1.2.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
-	go.opentelemetry.io/otel v1.30.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
-	go.opentelemetry.io/otel/metric v1.30.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
-	go.opentelemetry.io/otel/trace v1.30.0 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
-	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.26.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.9 // indirect
+	github.com/sacloud/iaas-api-go v1.14.0 // indirect
+	github.com/sacloud/packages-go v0.0.11 // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/samber/lo v1.49.1 // indirect
+	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
+	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
+	github.com/softlayer/softlayer-go v1.1.7 // indirect
+	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1150 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/transip/gotransip/v6 v6.26.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
+	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.205 // indirect
+	github.com/vultr/govultr/v3 v3.19.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver v1.17.3 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.1 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
+	golang.org/x/arch v0.16.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/api v0.230.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.33.0 // indirect
+	k8s.io/apimachinery v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/acl/city_cache.go
+++ b/internal/acl/city_cache.go
@@ -0,0 +1,39 @@
+package acl
+
+import (
+	"github.com/puzpuzpuz/xsync/v3"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"go.uber.org/atomic"
+)
+
+var cityCache = xsync.NewMapOf[string, *acl.City]()
+var numCachedLookup atomic.Uint64
+
+func (cfg *MaxMindConfig) lookupCity(ip *acl.IPInfo) (*acl.City, bool) {
+	if ip.City != nil {
+		return ip.City, true
+	}
+
+	if cfg.db.Reader == nil {
+		return nil, false
+	}
+
+	city, ok := cityCache.Load(ip.Str)
+	if ok {
+		numCachedLookup.Inc()
+		return city, true
+	}
+
+	cfg.db.RLock()
+	defer cfg.db.RUnlock()
+
+	city = new(acl.City)
+	err := cfg.db.Lookup(ip.IP, city)
+	if err != nil {
+		return nil, false
+	}
+
+	cityCache.Store(ip.Str, city)
+	ip.City = city
+	return city, true
+}
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -0,0 +1,215 @@
+package acl
+
+import (
+	"net"
+	"sync"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/puzpuzpuz/xsync/v3"
+	"github.com/rs/zerolog"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Config struct {
+	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
+	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
+	Allow      []string                   `json:"allow"`
+	Deny       []string                   `json:"deny"`
+	Log        *accesslog.ACLLoggerConfig `json:"log"`
+
+	MaxMind *MaxMindConfig `json:"maxmind" validate:"omitempty"`
+
+	config
+}
+
+type (
+	MaxMindDatabaseType string
+	MaxMindConfig       struct {
+		AccountID  string              `json:"account_id" validate:"required"`
+		LicenseKey string              `json:"license_key" validate:"required"`
+		Database   MaxMindDatabaseType `json:"database" validate:"required,oneof=geolite geoip2"`
+
+		logger     zerolog.Logger
+		lastUpdate time.Time
+		db         struct {
+			*maxminddb.Reader
+			sync.RWMutex
+		}
+	}
+)
+
+type config struct {
+	defaultAllow bool
+	allowLocal   bool
+	allow        []matcher
+	deny         []matcher
+	ipCache      *xsync.MapOf[string, *checkCache]
+	logAllowed   bool
+	logger       *accesslog.AccessLogger
+}
+
+type checkCache struct {
+	*acl.IPInfo
+	allow   bool
+	created time.Time
+}
+
+const cacheTTL = 1 * time.Minute
+
+func (c *checkCache) Expired() bool {
+	return c.created.Add(cacheTTL).After(utils.TimeNow())
+}
+
+//TODO: add stats
+
+const (
+	ACLAllow = "allow"
+	ACLDeny  = "deny"
+)
+
+const (
+	MaxMindGeoLite MaxMindDatabaseType = "geolite"
+	MaxMindGeoIP2  MaxMindDatabaseType = "geoip2"
+)
+
+func (c *Config) Validate() gperr.Error {
+	switch c.Default {
+	case "", ACLAllow:
+		c.defaultAllow = true
+	case ACLDeny:
+		c.defaultAllow = false
+	default:
+		return gperr.New("invalid default value").Subject(c.Default)
+	}
+
+	if c.AllowLocal != nil {
+		c.allowLocal = *c.AllowLocal
+	} else {
+		c.allowLocal = true
+	}
+
+	if c.MaxMind != nil {
+		c.MaxMind.logger = logging.With().Str("type", string(c.MaxMind.Database)).Logger()
+	}
+
+	if c.Log != nil {
+		c.logAllowed = c.Log.LogAllowed
+	}
+
+	errs := gperr.NewBuilder("syntax error")
+	c.allow = make([]matcher, 0, len(c.Allow))
+	c.deny = make([]matcher, 0, len(c.Deny))
+
+	for _, s := range c.Allow {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.allow = append(c.allow, m)
+	}
+	for _, s := range c.Deny {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.deny = append(c.deny, m)
+	}
+
+	if errs.HasError() {
+		c.allow = nil
+		c.deny = nil
+		return errMatcherFormat.With(errs.Error())
+	}
+
+	c.ipCache = xsync.NewMapOf[string, *checkCache]()
+	return nil
+}
+
+func (c *Config) Valid() bool {
+	return c != nil && (len(c.allow) > 0 || len(c.deny) > 0 || c.allowLocal)
+}
+
+func (c *Config) Start(parent *task.Task) gperr.Error {
+	if c.MaxMind != nil {
+		if err := c.MaxMind.LoadMaxMindDB(parent); err != nil {
+			return err
+		}
+	}
+	if c.Log != nil {
+		logger, err := accesslog.NewAccessLogger(parent, c.Log)
+		if err != nil {
+			return gperr.New("failed to start access logger").With(err)
+		}
+		c.logger = logger
+	}
+	return nil
+}
+
+func (c *config) cacheRecord(info *acl.IPInfo, allow bool) {
+	c.ipCache.Store(info.Str, &checkCache{
+		IPInfo:  info,
+		allow:   allow,
+		created: utils.TimeNow(),
+	})
+}
+
+func (c *config) log(info *acl.IPInfo, allowed bool) {
+	if c.logger == nil {
+		return
+	}
+	if !allowed || c.logAllowed {
+		c.logger.LogACL(info, !allowed)
+	}
+}
+
+func (c *Config) IPAllowed(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// always allow private and loopback
+	// loopback is not logged
+	if ip.IsLoopback() {
+		return true
+	}
+
+	if c.allowLocal && ip.IsPrivate() {
+		c.log(&acl.IPInfo{IP: ip, Str: ip.String()}, true)
+		return true
+	}
+
+	ipStr := ip.String()
+	record, ok := c.ipCache.Load(ipStr)
+	if ok && !record.Expired() {
+		c.log(record.IPInfo, record.allow)
+		return record.allow
+	}
+
+	ipAndStr := &acl.IPInfo{IP: ip, Str: ipStr}
+	for _, m := range c.allow {
+		if m(ipAndStr) {
+			c.log(ipAndStr, true)
+			c.cacheRecord(ipAndStr, true)
+			return true
+		}
+	}
+	for _, m := range c.deny {
+		if m(ipAndStr) {
+			c.log(ipAndStr, false)
+			c.cacheRecord(ipAndStr, false)
+			return false
+		}
+	}
+
+	c.log(ipAndStr, c.defaultAllow)
+	c.cacheRecord(ipAndStr, c.defaultAllow)
+	return c.defaultAllow
+}
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@@ -0,0 +1,99 @@
+package acl
+
+import (
+	"net"
+	"strings"
+
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type matcher func(*acl.IPInfo) bool
+
+const (
+	MatcherTypeIP       = "ip"
+	MatcherTypeCIDR     = "cidr"
+	MatcherTypeTimeZone = "tz"
+	MatcherTypeCountry  = "country"
+)
+
+var errMatcherFormat = gperr.Multiline().AddLines(
+	"invalid matcher format, expect {type}:{value}",
+	"Available types: ip|cidr|tz|country",
+	"ip:127.0.0.1",
+	"cidr:127.0.0.0/8",
+	"tz:Asia/Shanghai",
+	"country:GB",
+)
+var (
+	errSyntax               = gperr.New("syntax error")
+	errInvalidIP            = gperr.New("invalid IP")
+	errInvalidCIDR          = gperr.New("invalid CIDR")
+	errMaxMindNotConfigured = gperr.New("MaxMind not configured")
+)
+
+func (cfg *Config) parseMatcher(s string) (matcher, gperr.Error) {
+	parts := strings.Split(s, ":")
+	if len(parts) != 2 {
+		return nil, errSyntax
+	}
+
+	switch parts[0] {
+	case MatcherTypeIP:
+		ip := net.ParseIP(parts[1])
+		if ip == nil {
+			return nil, errInvalidIP
+		}
+		return matchIP(ip), nil
+	case MatcherTypeCIDR:
+		_, net, err := net.ParseCIDR(parts[1])
+		if err != nil {
+			return nil, errInvalidCIDR
+		}
+		return matchCIDR(net), nil
+	case MatcherTypeTimeZone:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchTimeZone(parts[1]), nil
+	case MatcherTypeCountry:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchISOCode(parts[1]), nil
+	default:
+		return nil, errSyntax
+	}
+}
+
+func matchIP(ip net.IP) matcher {
+	return func(ip2 *acl.IPInfo) bool {
+		return ip.Equal(ip2.IP)
+	}
+}
+
+func matchCIDR(n *net.IPNet) matcher {
+	return func(ip *acl.IPInfo) bool {
+		return n.Contains(ip.IP)
+	}
+}
+
+func (cfg *MaxMindConfig) matchTimeZone(tz string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Location.TimeZone == tz
+	}
+}
+
+func (cfg *MaxMindConfig) matchISOCode(iso string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Country.IsoCode == iso
+	}
+}
--- a/internal/acl/maxmind.go
+++ b/internal/acl/maxmind.go
@@ -0,0 +1,281 @@
+package acl
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+var (
+	updateInterval = 24 * time.Hour
+	httpClient     = &http.Client{
+		Timeout: 10 * time.Second,
+	}
+	ErrResponseNotOK   = gperr.New("response not OK")
+	ErrDownloadFailure = gperr.New("download failure")
+)
+
+func dbPathImpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return filepath.Join(dataDir, "GeoLite2-City.mmdb")
+	}
+	return filepath.Join(dataDir, "GeoIP2-City.mmdb")
+}
+
+func dbURLimpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
+	}
+	return "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"
+}
+
+func dbFilename(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "GeoLite2-City.mmdb"
+	}
+	return "GeoIP2-City.mmdb"
+}
+
+func (cfg *MaxMindConfig) LoadMaxMindDB(parent task.Parent) gperr.Error {
+	if cfg.Database == "" {
+		return nil
+	}
+
+	path := dbPath(cfg.Database)
+	reader, err := maxmindDBOpen(path)
+	exists := true
+	if err != nil {
+		switch {
+		case errors.Is(err, os.ErrNotExist):
+		default:
+			// ignore invalid error, just download it again
+			var invalidErr maxminddb.InvalidDatabaseError
+			if !errors.As(err, &invalidErr) {
+				return gperr.Wrap(err)
+			}
+		}
+		exists = false
+	}
+
+	if !exists {
+		cfg.logger.Info().Msg("MaxMind DB not found/invalid, downloading...")
+		reader, err = cfg.download()
+		if err != nil {
+			return ErrDownloadFailure.With(err)
+		}
+	}
+	cfg.logger.Info().Msg("MaxMind DB loaded")
+
+	cfg.db.Reader = reader
+	go cfg.scheduleUpdate(parent)
+	return nil
+}
+
+func (cfg *MaxMindConfig) loadLastUpdate() {
+	f, err := os.Stat(dbPath(cfg.Database))
+	if err != nil {
+		return
+	}
+	cfg.lastUpdate = f.ModTime()
+}
+
+func (cfg *MaxMindConfig) setLastUpdate(t time.Time) {
+	cfg.lastUpdate = t
+	_ = os.Chtimes(dbPath(cfg.Database), t, t)
+}
+
+func (cfg *MaxMindConfig) scheduleUpdate(parent task.Parent) {
+	task := parent.Subtask("schedule_update", true)
+	ticker := time.NewTicker(updateInterval)
+
+	cfg.loadLastUpdate()
+	cfg.update()
+
+	defer func() {
+		ticker.Stop()
+		if cfg.db.Reader != nil {
+			cfg.db.Reader.Close()
+		}
+		task.Finish(nil)
+	}()
+
+	for {
+		select {
+		case <-task.Context().Done():
+			return
+		case <-ticker.C:
+			cfg.update()
+		}
+	}
+}
+
+func (cfg *MaxMindConfig) update() {
+	// check for update
+	cfg.logger.Info().Msg("checking for MaxMind DB update...")
+	remoteLastModified, err := cfg.checkLastest()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to check MaxMind DB update")
+		return
+	}
+	if remoteLastModified.Equal(cfg.lastUpdate) {
+		cfg.logger.Info().Msg("MaxMind DB is up to date")
+		return
+	}
+
+	cfg.logger.Info().
+		Time("latest", remoteLastModified.Local()).
+		Time("current", cfg.lastUpdate).
+		Msg("MaxMind DB update available")
+	reader, err := cfg.download()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to update MaxMind DB")
+		return
+	}
+	cfg.db.Lock()
+	cfg.db.Close()
+	cfg.db.Reader = reader
+	cfg.setLastUpdate(*remoteLastModified)
+	cfg.db.Unlock()
+
+	cfg.logger.Info().Msg("MaxMind DB updated")
+}
+
+func (cfg *MaxMindConfig) newReq(method string) (*http.Response, error) {
+	req, err := http.NewRequest(method, dbURL(cfg.Database), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.SetBasicAuth(cfg.AccountID, cfg.LicenseKey)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+func (cfg *MaxMindConfig) checkLastest() (lastModifiedT *time.Time, err error) {
+	resp, err := newReq(cfg, http.MethodHead)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	lastModified := resp.Header.Get("Last-Modified")
+	if lastModified == "" {
+		cfg.logger.Warn().Msg("MaxMind responded no last modified time, update skipped")
+		return nil, nil
+	}
+
+	lastModifiedTime, err := time.Parse(http.TimeFormat, lastModified)
+	if err != nil {
+		cfg.logger.Warn().Err(err).Msg("MaxMind responded invalid last modified time, update skipped")
+		return nil, err
+	}
+
+	return &lastModifiedTime, nil
+}
+
+func (cfg *MaxMindConfig) download() (*maxminddb.Reader, error) {
+	resp, err := newReq(cfg, http.MethodGet)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	path := dbPath(cfg.Database)
+	tmpPath := path + "-tmp.tar.gz"
+	file, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.logger.Info().Msg("MaxMind DB downloading...")
+
+	_, err = io.Copy(file, resp.Body)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	file.Close()
+
+	// extract .tar.gz and move only the dbFilename to path
+	err = extractFileFromTarGz(tmpPath, dbFilename(cfg.Database), path)
+	if err != nil {
+		return nil, gperr.New("failed to extract database from archive").With(err)
+	}
+	// cleanup the tar.gz file
+	_ = os.Remove(tmpPath)
+
+	db, err := maxmindDBOpen(path)
+	if err != nil {
+		return nil, err
+	}
+	return db, nil
+}
+
+func extractFileFromTarGz(tarGzPath, targetFilename, destPath string) error {
+	f, err := os.Open(tarGzPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	gzr, err := gzip.NewReader(f)
+	if err != nil {
+		return err
+	}
+	defer gzr.Close()
+
+	tr := tar.NewReader(gzr)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return err
+		}
+		// Only extract the file that matches targetFilename (basename match)
+		if filepath.Base(hdr.Name) == targetFilename {
+			outFile, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode())
+			if err != nil {
+				return err
+			}
+			defer outFile.Close()
+			_, err = io.Copy(outFile, tr)
+			if err != nil {
+				return err
+			}
+			return nil // Done
+		}
+	}
+	return fmt.Errorf("file %s not found in archive", targetFilename)
+}
+
+var (
+	dataDir       = common.DataDir
+	dbURL         = dbURLimpl
+	dbPath        = dbPathImpl
+	maxmindDBOpen = maxminddb.Open
+	newReq        = (*MaxMindConfig).newReq
+)
--- a/internal/acl/maxmind_test.go
+++ b/internal/acl/maxmind_test.go
@@ -0,0 +1,213 @@
+package acl
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+func Test_dbPath(t *testing.T) {
+	tmpDataDir := "/tmp/testdata"
+	oldDataDir := dataDir
+	dataDir = tmpDataDir
+	defer func() { dataDir = oldDataDir }()
+
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, filepath.Join(tmpDataDir, "GeoLite2-City.mmdb")},
+		{"GeoIP2", MaxMindGeoIP2, filepath.Join(tmpDataDir, "GeoIP2-City.mmdb")},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbPath(tt.dbType); got != tt.want {
+				t.Errorf("dbPath() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_dbURL(t *testing.T) {
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"},
+		{"GeoIP2", MaxMindGeoIP2, "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbURL(tt.dbType); got != tt.want {
+				t.Errorf("dbURL() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+// --- Helper for MaxMindConfig ---
+type testLogger struct{ zerolog.Logger }
+
+func (testLogger) Info() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Warn() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Err(_ error) *zerolog.Event { return &zerolog.Event{} }
+
+func Test_MaxMindConfig_newReq(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "testid",
+		LicenseKey: "testkey",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+
+	// Patch httpClient to use httptest
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if u, p, ok := r.BasicAuth(); !ok || u != "testid" || p != "testkey" {
+			t.Errorf("basic auth not set correctly")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	resp, err := cfg.newReq(http.MethodGet)
+	if err != nil {
+		t.Fatalf("newReq() error = %v", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("unexpected status: %v", resp.StatusCode)
+	}
+}
+
+func Test_MaxMindConfig_checkUpdate(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	lastMod := time.Now().UTC().Format(http.TimeFormat)
+	buildTime := time.Now().Add(-time.Hour)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Last-Modified", lastMod)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	latest, err := cfg.checkLastest()
+	if err != nil {
+		t.Fatalf("checkUpdate() error = %v", err)
+	}
+	if latest.Equal(buildTime) {
+		t.Errorf("expected update needed")
+	}
+}
+
+type fakeReadCloser struct {
+	firstRead bool
+	closed    bool
+}
+
+func (c *fakeReadCloser) Read(p []byte) (int, error) {
+	if !c.firstRead {
+		c.firstRead = true
+		return strings.NewReader("FAKEMMDB").Read(p)
+	}
+	return 0, io.EOF
+}
+
+func (c *fakeReadCloser) Close() error {
+	c.closed = true
+	return nil
+}
+
+func Test_MaxMindConfig_download(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.Copy(w, strings.NewReader("FAKEMMDB"))
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	tmpDir := t.TempDir()
+	oldDataDir := dataDir
+	dataDir = tmpDir
+	defer func() { dataDir = oldDataDir }()
+
+	// Patch maxminddb.Open to always succeed
+	origOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = origOpen }()
+
+	rw := &fakeReadCloser{}
+	oldNewReq := newReq
+	newReq = func(cfg *MaxMindConfig, method string) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Body:       rw,
+		}, nil
+	}
+	defer func() { newReq = oldNewReq }()
+
+	db, err := cfg.download()
+	if err != nil {
+		t.Fatalf("download() error = %v", err)
+	}
+	if db == nil {
+		t.Error("expected db instance")
+	}
+	if !rw.closed {
+		t.Error("expected rw to be closed")
+	}
+}
+
+func Test_MaxMindConfig_loadMaxMindDB(t *testing.T) {
+	// This test should cover both the path where DB exists and where it does not
+	// For brevity, only the non-existing path is tested here
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	oldOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = oldOpen }()
+
+	oldDBPath := dbPath
+	dbPath = func(MaxMindDatabaseType) string { return filepath.Join(t.TempDir(), "maxmind.mmdb") }
+	defer func() { dbPath = oldDBPath }()
+
+	task := task.RootTask("test")
+	defer task.Finish(nil)
+	err := cfg.LoadMaxMindDB(task)
+	if err != nil {
+		t.Errorf("loadMaxMindDB() error = %v", err)
+	}
+}
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@@ -0,0 +1,46 @@
+package acl
+
+import (
+	"net"
+)
+
+type TCPListener struct {
+	acl *Config
+	lis net.Listener
+}
+
+func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
+	if cfg == nil {
+		return lis
+	}
+	return &TCPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *TCPListener) Addr() net.Addr {
+	return s.lis.Addr()
+}
+
+func (s *TCPListener) Accept() (net.Conn, error) {
+	c, err := s.lis.Accept()
+	if err != nil {
+		return nil, err
+	}
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		// Not a TCPAddr, drop
+		c.Close()
+		return nil, nil
+	}
+	if !s.acl.IPAllowed(addr.IP) {
+		c.Close()
+		return nil, nil
+	}
+	return c, nil
+}
+
+func (s *TCPListener) Close() error {
+	return s.lis.Close()
+}
--- a/internal/acl/types/city_info.go
+++ b/internal/acl/types/city_info.go
@@ -0,0 +1,10 @@
+package acl
+
+type City struct {
+	Location struct {
+		TimeZone string `maxminddb:"time_zone"`
+	} `maxminddb:"location"`
+	Country struct {
+		IsoCode string `maxminddb:"iso_code"`
+	} `maxminddb:"country"`
+}
--- a/internal/acl/types/ip_info.go
+++ b/internal/acl/types/ip_info.go
@@ -0,0 +1,9 @@
+package acl
+
+import "net"
+
+type IPInfo struct {
+	IP   net.IP
+	Str  string
+	City *City
+}
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@@ -0,0 +1,79 @@
+package acl
+
+import (
+	"net"
+	"time"
+)
+
+type UDPListener struct {
+	acl *Config
+	lis net.PacketConn
+}
+
+func (cfg *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if cfg == nil {
+		return lis
+	}
+	return &UDPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *UDPListener) LocalAddr() net.Addr {
+	return s.lis.LocalAddr()
+}
+
+func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
+	for {
+		n, addr, err := s.lis.ReadFrom(p)
+		if err != nil {
+			return n, addr, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet from disallowed IP
+			continue
+		}
+		return n, addr, nil
+	}
+}
+
+func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
+	for {
+		n, err := s.lis.WriteTo(p, addr)
+		if err != nil {
+			return n, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet to disallowed IP
+			continue
+		}
+		return n, nil
+	}
+}
+
+func (s *UDPListener) SetDeadline(t time.Time) error {
+	return s.lis.SetDeadline(t)
+}
+
+func (s *UDPListener) SetReadDeadline(t time.Time) error {
+	return s.lis.SetReadDeadline(t)
+}
+
+func (s *UDPListener) SetWriteDeadline(t time.Time) error {
+	return s.lis.SetWriteDeadline(t)
+}
+
+func (s *UDPListener) Close() error {
+	return s.lis.Close()
+}
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -5,59 +5,99 @@ import (
 	"net/http"

 	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/error_page"
-	. "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/api/v1/certapi"
+	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
+	"github.com/yusing/go-proxy/internal/api/v1/favicon"
+	"github.com/yusing/go-proxy/internal/auth"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/uptime"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

-type ServeMux struct{ *http.ServeMux }
+type (
+	ServeMux struct {
+		*http.ServeMux
+		cfg config.ConfigInstance
+	}
+	WithCfgHandler = func(config.ConfigInstance, http.ResponseWriter, *http.Request)
+)

-func NewServeMux() ServeMux {
-	return ServeMux{http.NewServeMux()}
+func (mux ServeMux) HandleFunc(methods, endpoint string, h any, requireAuth ...bool) {
+	var handler http.HandlerFunc
+	switch h := h.(type) {
+	case func(http.ResponseWriter, *http.Request):
+		handler = h
+	case http.Handler:
+		handler = h.ServeHTTP
+	case WithCfgHandler:
+		handler = func(w http.ResponseWriter, r *http.Request) {
+			h(mux.cfg, w, r)
+		}
+	default:
+		panic(fmt.Errorf("unsupported handler type: %T", h))
+	}
+
+	matchDomains := mux.cfg.Value().MatchDomains
+	if len(matchDomains) > 0 {
+		origHandler := handler
+		handler = func(w http.ResponseWriter, r *http.Request) {
+			if httpheaders.IsWebsocket(r.Header) {
+				httpheaders.SetWebsocketAllowedDomains(r.Header, matchDomains)
+			}
+			origHandler(w, r)
+		}
+	}
+
+	if len(requireAuth) > 0 && requireAuth[0] {
+		handler = auth.RequireAuth(handler)
+	}
+	if methods == "" {
+		mux.ServeMux.HandleFunc(endpoint, handler)
+	} else {
+		for _, m := range strutils.CommaSeperatedList(methods) {
+			mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
+		}
+	}
 }

-func (mux ServeMux) HandleFunc(method, endpoint string, handler http.HandlerFunc) {
-	mux.ServeMux.HandleFunc(fmt.Sprintf("%s %s", method, endpoint), checkHost(handler))
-}
-
-func NewHandler(cfg *config.Config) http.Handler {
-	mux := NewServeMux()
+func NewHandler(cfg config.ConfigInstance) http.Handler {
+	mux := ServeMux{http.NewServeMux(), cfg}
 	mux.HandleFunc("GET", "/v1", v1.Index)
 	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
-	mux.HandleFunc("GET", "/v1/checkhealth", wrap(cfg, v1.CheckHealth))
-	mux.HandleFunc("HEAD", "/v1/checkhealth", wrap(cfg, v1.CheckHealth))
-	mux.HandleFunc("POST", "/v1/reload", wrap(cfg, v1.Reload))
-	mux.HandleFunc("GET", "/v1/list", wrap(cfg, v1.List))
-	mux.HandleFunc("GET", "/v1/list/{what}", wrap(cfg, v1.List))
-	mux.HandleFunc("GET", "/v1/file", v1.GetFileContent)
-	mux.HandleFunc("GET", "/v1/file/{filename...}", v1.GetFileContent)
-	mux.HandleFunc("POST", "/v1/file/{filename...}", v1.SetFileContent)
-	mux.HandleFunc("PUT", "/v1/file/{filename...}", v1.SetFileContent)
-	mux.HandleFunc("GET", "/v1/stats", wrap(cfg, v1.Stats))
-	mux.HandleFunc("GET", "/v1/stats/ws", wrap(cfg, v1.StatsWS))
-	mux.HandleFunc("GET", "/v1/error_page", error_page.GetHandleFunc())
+
+	mux.HandleFunc("GET", "/v1/stats", v1.Stats, true)
+	mux.HandleFunc("POST", "/v1/reload", v1.Reload, true)
+	mux.HandleFunc("GET", "/v1/list", v1.List, true)
+	mux.HandleFunc("GET", "/v1/list/{what}", v1.List, true)
+	mux.HandleFunc("GET", "/v1/list/{what}/{which}", v1.List, true)
+	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", v1.GetFileContent, true)
+	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", v1.SetFileContent, true)
+	mux.HandleFunc("POST", "/v1/file/validate/{type}", v1.ValidateFile, true)
+	mux.HandleFunc("GET", "/v1/health", v1.Health, true)
+	mux.HandleFunc("GET", "/v1/logs", memlogger.Handler(), true)
+	mux.HandleFunc("GET", "/v1/favicon", favicon.GetFavIcon, true)
+	mux.HandleFunc("POST", "/v1/homepage/set", v1.SetHomePageOverrides, true)
+	mux.HandleFunc("GET", "/v1/agents", v1.ListAgents, true)
+	mux.HandleFunc("GET", "/v1/agents/new", v1.NewAgent, true)
+	mux.HandleFunc("POST", "/v1/agents/verify", v1.VerifyNewAgent, true)
+	mux.HandleFunc("GET", "/v1/metrics/system_info", v1.SystemInfo, true)
+	mux.HandleFunc("GET", "/v1/metrics/uptime", uptime.Poller.ServeHTTP, true)
+	mux.HandleFunc("GET", "/v1/cert/info", certapi.GetCertInfo, true)
+	mux.HandleFunc("", "/v1/cert/renew", certapi.RenewCert, true)
+	mux.HandleFunc("GET", "/v1/docker/info", dockerapi.DockerInfo, true)
+	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
+	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)
+
+	defaultAuth := auth.GetDefaultAuth()
+	if defaultAuth == nil {
+		return mux
+	}
+
+	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
+	mux.HandleFunc("GET", "/v1/auth/redirect", defaultAuth.LoginHandler)
+	mux.HandleFunc("GET", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
 	return mux
 }
-
-// allow only requests to API server with host matching common.APIHTTPAddr
-func checkHost(f http.HandlerFunc) http.HandlerFunc {
-	if common.IsDebug {
-		return f
-	}
-	return func(w http.ResponseWriter, r *http.Request) {
-		if r.Host != common.APIHTTPAddr {
-			Logger.Warnf("invalid request to API server with host: %s, expect %s", r.Host, common.APIHTTPAddr)
-			w.WriteHeader(http.StatusForbidden)
-			w.Write([]byte("invalid request"))
-			return
-		}
-		f(w, r)
-	}
-}
-
-func wrap(cfg *config.Config, f func(cfg *config.Config, w http.ResponseWriter, r *http.Request)) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		f(cfg, w, r)
-	}
-}
--- a/internal/api/v1/agents.go
+++ b/internal/api/v1/agents.go
@@ -0,0 +1,24 @@
+package v1
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+)
+
+func ListAgents(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 10*time.Second, func(conn *websocket.Conn) error {
+			wsjson.Write(r.Context(), conn, cfg.ListAgents())
+			return nil
+		})
+	} else {
+		gphttp.RespondJSON(w, r, cfg.ListAgents())
+	}
+}
--- a/internal/api/v1/certapi/cert_info.go
+++ b/internal/api/v1/certapi/cert_info.go
@@ -0,0 +1,41 @@
+package certapi
+
+import (
+	"encoding/json"
+	"net/http"
+
+	config "github.com/yusing/go-proxy/internal/config/types"
+)
+
+type CertInfo struct {
+	Subject        string   `json:"subject"`
+	Issuer         string   `json:"issuer"`
+	NotBefore      int64    `json:"not_before"`
+	NotAfter       int64    `json:"not_after"`
+	DNSNames       []string `json:"dns_names"`
+	EmailAddresses []string `json:"email_addresses"`
+}
+
+func GetCertInfo(w http.ResponseWriter, r *http.Request) {
+	autocert := config.GetInstance().AutoCertProvider()
+	if autocert == nil {
+		http.Error(w, "autocert is not enabled", http.StatusNotFound)
+		return
+	}
+
+	cert, err := autocert.GetCert(nil)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	certInfo := CertInfo{
+		Subject:        cert.Leaf.Subject.CommonName,
+		Issuer:         cert.Leaf.Issuer.CommonName,
+		NotBefore:      cert.Leaf.NotBefore.Unix(),
+		NotAfter:       cert.Leaf.NotAfter.Unix(),
+		DNSNames:       cert.Leaf.DNSNames,
+		EmailAddresses: cert.Leaf.EmailAddresses,
+	}
+	json.NewEncoder(w).Encode(&certInfo)
+}
--- a/internal/api/v1/certapi/renew.go
+++ b/internal/api/v1/certapi/renew.go
@@ -0,0 +1,56 @@
+package certapi
+
+import (
+	"net/http"
+
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+)
+
+func RenewCert(w http.ResponseWriter, r *http.Request) {
+	autocert := config.GetInstance().AutoCertProvider()
+	if autocert == nil {
+		http.Error(w, "autocert is not enabled", http.StatusNotFound)
+		return
+	}
+
+	conn, err := gpwebsocket.Initiate(w, r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	//nolint:errcheck
+	defer conn.CloseNow()
+
+	logs, cancel := memlogger.Events()
+	defer cancel()
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+		err = autocert.ObtainCert()
+		if err != nil {
+			gperr.LogError("failed to obtain cert", err)
+			gpwebsocket.WriteText(r, conn, err.Error())
+		} else {
+			logging.Info().Msg("cert obtained successfully")
+		}
+	}()
+	for {
+		select {
+		case l := <-logs:
+			if err != nil {
+				return
+			}
+			if !gpwebsocket.WriteText(r, conn, string(l)) {
+				return
+			}
+		case <-done:
+			return
+		}
+	}
+}
--- a/internal/api/v1/checkhealth.go
+++ b/internal/api/v1/checkhealth.go
@@ -1,42 +0,0 @@
-package v1
-
-import (
-	"fmt"
-	"net/http"
-	"strings"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/config"
-	R "github.com/yusing/go-proxy/internal/route"
-)
-
-func CheckHealth(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
-	target := r.FormValue("target")
-	if target == "" {
-		U.HandleErr(w, r, U.ErrMissingKey("target"), http.StatusBadRequest)
-		return
-	}
-
-	var ok bool
-	route := cfg.FindRoute(target)
-
-	switch {
-	case route == nil:
-		U.HandleErr(w, r, U.ErrNotFound("target", target), http.StatusNotFound)
-		return
-	case route.Type() == R.RouteTypeReverseProxy:
-		ok = IsSiteHealthy(route.URL().String())
-	case route.Type() == R.RouteTypeStream:
-		entry := route.Entry()
-		ok = IsStreamHealthy(
-			strings.Split(entry.Scheme, ":")[1], // target scheme
-			fmt.Sprintf("%s:%v", entry.Host, strings.Split(entry.Port, ":")[1]),
-		)
-	}
-
-	if ok {
-		w.WriteHeader(http.StatusOK)
-	} else {
-		w.WriteHeader(http.StatusRequestTimeout)
-	}
-}
--- a/internal/api/v1/config_file.go
+++ b/internal/api/v1/config_file.go
@@ -0,0 +1,132 @@
+package v1
+
+import (
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/common"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
+	"github.com/yusing/go-proxy/internal/route/provider"
+)
+
+type FileType string
+
+const (
+	FileTypeConfig     FileType = "config"
+	FileTypeProvider   FileType = "provider"
+	FileTypeMiddleware FileType = "middleware"
+)
+
+func fileType(file string) FileType {
+	switch {
+	case strings.HasPrefix(path.Base(file), "config."):
+		return FileTypeConfig
+	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
+		return FileTypeMiddleware
+	}
+	return FileTypeProvider
+}
+
+func (t FileType) IsValid() bool {
+	switch t {
+	case FileTypeConfig, FileTypeProvider, FileTypeMiddleware:
+		return true
+	}
+	return false
+}
+
+func (t FileType) GetPath(filename string) string {
+	if t == FileTypeMiddleware {
+		return path.Join(common.MiddlewareComposeBasePath, filename)
+	}
+	return path.Join(common.ConfigBasePath, filename)
+}
+
+func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
+	fileType = FileType(r.PathValue("type"))
+	if !fileType.IsValid() {
+		err = gphttp.ErrInvalidKey("type")
+		return
+	}
+	filename = r.PathValue("filename")
+	if filename == "" {
+		err = gphttp.ErrMissingKey("filename")
+	}
+	return
+}
+
+func GetFileContent(w http.ResponseWriter, r *http.Request) {
+	fileType, filename, err := getArgs(r)
+	if err != nil {
+		gphttp.BadRequest(w, err.Error())
+		return
+	}
+	content, err := os.ReadFile(fileType.GetPath(filename))
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+	gphttp.WriteBody(w, content)
+}
+
+func validateFile(fileType FileType, content []byte) gperr.Error {
+	switch fileType {
+	case FileTypeConfig:
+		return config.Validate(content)
+	case FileTypeMiddleware:
+		errs := gperr.NewBuilder("middleware errors")
+		middleware.BuildMiddlewaresFromYAML("", content, errs)
+		return errs.Error()
+	}
+	return provider.Validate(content)
+}
+
+func ValidateFile(w http.ResponseWriter, r *http.Request) {
+	fileType := FileType(r.PathValue("type"))
+	if !fileType.IsValid() {
+		gphttp.BadRequest(w, "invalid file type")
+		return
+	}
+	content, err := io.ReadAll(r.Body)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+	r.Body.Close()
+	if valErr := validateFile(fileType, content); valErr != nil {
+		gphttp.JSONError(w, valErr, http.StatusBadRequest)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+}
+
+func SetFileContent(w http.ResponseWriter, r *http.Request) {
+	fileType, filename, err := getArgs(r)
+	if err != nil {
+		gphttp.BadRequest(w, err.Error())
+		return
+	}
+	content, err := io.ReadAll(r.Body)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	if valErr := validateFile(fileType, content); valErr != nil {
+		gphttp.JSONError(w, valErr, http.StatusBadRequest)
+		return
+	}
+
+	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+}
--- a/internal/api/v1/dockerapi/common.go
+++ b/internal/api/v1/dockerapi/common.go
@@ -0,0 +1,5 @@
+package dockerapi
+
+import "time"
+
+const reqTimeout = 10 * time.Second
--- a/internal/api/v1/dockerapi/containers.go
+++ b/internal/api/v1/dockerapi/containers.go
@@ -0,0 +1,54 @@
+package dockerapi
+
+import (
+	"context"
+	"net/http"
+	"sort"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type Container struct {
+	Server string `json:"server"`
+	Name   string `json:"name"`
+	ID     string `json:"id"`
+	Image  string `json:"image"`
+	State  string `json:"state"`
+}
+
+func Containers(w http.ResponseWriter, r *http.Request) {
+	serveHTTP[Container, []Container](w, r, GetContainers)
+}
+
+func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get containers")
+	containers := make([]Container, 0)
+	for server, dockerClient := range dockerClients {
+		conts, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		for _, cont := range conts {
+			containers = append(containers, Container{
+				Server: server,
+				Name:   cont.Names[0],
+				ID:     cont.ID,
+				Image:  cont.Image,
+				State:  cont.State,
+			})
+		}
+	}
+	sort.Slice(containers, func(i, j int) bool {
+		return containers[i].Name < containers[j].Name
+	})
+	if err := errs.Error(); err != nil {
+		gperr.LogError("failed to get containers", err)
+		if len(containers) == 0 {
+			return nil, err
+		}
+		return containers, nil
+	}
+	return containers, nil
+}
--- a/internal/api/v1/dockerapi/info.go
+++ b/internal/api/v1/dockerapi/info.go
@@ -0,0 +1,56 @@
+package dockerapi
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"sort"
+
+	dockerSystem "github.com/docker/docker/api/types/system"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type dockerInfo dockerSystem.Info
+
+func (d *dockerInfo) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]any{
+		"name":    d.Name,
+		"version": d.ServerVersion,
+		"containers": map[string]int{
+			"total":   d.Containers,
+			"running": d.ContainersRunning,
+			"paused":  d.ContainersPaused,
+			"stopped": d.ContainersStopped,
+		},
+		"images": d.Images,
+		"n_cpu":  d.NCPU,
+		"memory": strutils.FormatByteSize(d.MemTotal),
+	})
+}
+
+func DockerInfo(w http.ResponseWriter, r *http.Request) {
+	serveHTTP[dockerInfo](w, r, GetDockerInfo)
+}
+
+func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get docker info")
+	dockerInfos := make([]dockerInfo, len(dockerClients))
+
+	i := 0
+	for name, dockerClient := range dockerClients {
+		info, err := dockerClient.Info(ctx)
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		info.Name = name
+		dockerInfos[i] = dockerInfo(info)
+		i++
+	}
+
+	sort.Slice(dockerInfos, func(i, j int) bool {
+		return dockerInfos[i].Name < dockerInfos[j].Name
+	})
+	return dockerInfos, errs.Error()
+}
--- a/internal/api/v1/dockerapi/logs.go
+++ b/internal/api/v1/dockerapi/logs.go
@@ -0,0 +1,69 @@
+package dockerapi
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/coder/websocket"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+)
+
+func Logs(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	server := r.PathValue("server")
+	containerID := r.PathValue("container")
+	stdout, _ := strconv.ParseBool(query.Get("stdout"))
+	stderr, _ := strconv.ParseBool(query.Get("stderr"))
+	since := query.Get("from")
+	until := query.Get("to")
+	levels := query.Get("levels") // TODO: implement levels
+
+	dockerClient, found, err := getDockerClient(w, server)
+	if err != nil {
+		gphttp.BadRequest(w, err.Error())
+		return
+	}
+	if !found {
+		gphttp.NotFound(w, "server not found")
+		return
+	}
+
+	opts := container.LogsOptions{
+		ShowStdout: stdout,
+		ShowStderr: stderr,
+		Since:      since,
+		Until:      until,
+		Timestamps: true,
+		Follow:     true,
+		Tail:       "100",
+	}
+	if levels != "" {
+		opts.Details = true
+	}
+
+	logs, err := dockerClient.ContainerLogs(r.Context(), containerID, opts)
+	if err != nil {
+		gphttp.BadRequest(w, err.Error())
+		return
+	}
+	defer logs.Close()
+
+	conn, err := gpwebsocket.Initiate(w, r)
+	if err != nil {
+		return
+	}
+	defer conn.CloseNow()
+
+	writer := gpwebsocket.NewWriter(r.Context(), conn, websocket.MessageText)
+	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
+	if err != nil {
+		logging.Err(err).
+			Str("server", server).
+			Str("container", containerID).
+			Msg("failed to de-multiplex logs")
+	}
+}
--- a/internal/api/v1/dockerapi/utils.go
+++ b/internal/api/v1/dockerapi/utils.go
@@ -0,0 +1,124 @@
+package dockerapi
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+)
+
+type (
+	DockerClients     map[string]*docker.SharedClient
+	ResultType[T any] interface {
+		map[string]T | []T
+	}
+)
+
+// getDockerClients returns a map of docker clients for the current config.
+//
+// Returns a map of docker clients by server name and an error if any.
+//
+// Even if there are errors, the map of docker clients might not be empty.
+func getDockerClients() (DockerClients, gperr.Error) {
+	cfg := config.GetInstance()
+
+	dockerHosts := cfg.Value().Providers.Docker
+	dockerClients := make(DockerClients)
+
+	connErrs := gperr.NewBuilder("failed to connect to docker")
+
+	for name, host := range dockerHosts {
+		dockerClient, err := docker.NewClient(host)
+		if err != nil {
+			connErrs.Add(err)
+			continue
+		}
+		dockerClients[name] = dockerClient
+	}
+
+	for _, agent := range cfg.ListAgents() {
+		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
+		if err != nil {
+			connErrs.Add(err)
+			continue
+		}
+		dockerClients[agent.Name()] = dockerClient
+	}
+
+	return dockerClients, connErrs.Error()
+}
+
+func getDockerClient(w http.ResponseWriter, server string) (*docker.SharedClient, bool, error) {
+	cfg := config.GetInstance()
+	var host string
+	for name, h := range cfg.Value().Providers.Docker {
+		if name == server {
+			host = h
+			break
+		}
+	}
+	for _, agent := range cfg.ListAgents() {
+		if agent.Name() == server {
+			host = agent.FakeDockerHost()
+			break
+		}
+	}
+	if host == "" {
+		return nil, false, nil
+	}
+	dockerClient, err := docker.NewClient(host)
+	if err != nil {
+		return nil, false, err
+	}
+	return dockerClient, true, nil
+}
+
+// closeAllClients closes all docker clients after a delay.
+//
+// This is used to ensure that all docker clients are closed after the http handler returns.
+func closeAllClients(dockerClients DockerClients) {
+	for _, dockerClient := range dockerClients {
+		dockerClient.Close()
+	}
+}
+
+func handleResult[V any, T ResultType[V]](w http.ResponseWriter, errs error, result T) {
+	if errs != nil {
+		gperr.LogError("docker errors", errs)
+		if len(result) == 0 {
+			http.Error(w, "docker errors", http.StatusInternalServerError)
+			return
+		}
+	}
+	json.NewEncoder(w).Encode(result)
+}
+
+func serveHTTP[V any, T ResultType[V]](w http.ResponseWriter, r *http.Request, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
+	dockerClients, err := getDockerClients()
+	if err != nil {
+		handleResult[V, T](w, err, nil)
+		return
+	}
+	defer closeAllClients(dockerClients)
+
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
+			result, err := getResult(r.Context(), dockerClients)
+			if err != nil {
+				return err
+			}
+			return wsjson.Write(r.Context(), conn, result)
+		})
+	} else {
+		result, err := getResult(r.Context(), dockerClients)
+		handleResult[V, T](w, err, result)
+	}
+}
--- a/internal/api/v1/error_page/http_handler.go
+++ b/internal/api/v1/error_page/http_handler.go
@@ -1,25 +0,0 @@
-package error_page
-
-import "net/http"
-
-func GetHandleFunc() http.HandlerFunc {
-	setup()
-	return serveHTTP
-}
-
-func serveHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-		return
-	}
-	if r.URL.Path == "/" {
-		http.Error(w, "invalid path", http.StatusNotFound)
-		return
-	}
-	content, ok := fileContentMap.Load(r.URL.Path)
-	if !ok {
-		http.Error(w, "404 not found", http.StatusNotFound)
-		return
-	}
-	w.Write(content)
-}
--- a/internal/api/v1/favicon/favicon.go
+++ b/internal/api/v1/favicon/favicon.go
@@ -0,0 +1,77 @@
+package favicon
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/homepage"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+// GetFavIcon returns the favicon of the route
+//
+// Returns:
+//   - 200 OK: if icon found
+//   - 400 Bad Request: if alias is empty or route is not HTTPRoute
+//   - 404 Not Found: if route or icon not found
+//   - 500 Internal Server Error: if internal error
+//   - others: depends on route handler response
+func GetFavIcon(w http.ResponseWriter, req *http.Request) {
+	url, alias := req.FormValue("url"), req.FormValue("alias")
+	if url == "" && alias == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("url or alias"), http.StatusBadRequest)
+		return
+	}
+	if url != "" && alias != "" {
+		gphttp.ClientError(w, gperr.New("url and alias are mutually exclusive"), http.StatusBadRequest)
+		return
+	}
+
+	// try with url
+	if url != "" {
+		var iconURL homepage.IconURL
+		if err := iconURL.Parse(url); err != nil {
+			gphttp.ClientError(w, err, http.StatusBadRequest)
+			return
+		}
+		fetchResult := homepage.FetchFavIconFromURL(req.Context(), &iconURL)
+		if !fetchResult.OK() {
+			http.Error(w, fetchResult.ErrMsg, fetchResult.StatusCode)
+			return
+		}
+		w.Header().Set("Content-Type", fetchResult.ContentType())
+		gphttp.WriteBody(w, fetchResult.Icon)
+		return
+	}
+
+	// try with route.Icon
+	r, ok := routes.HTTP.Get(alias)
+	if !ok {
+		gphttp.ClientError(w, errors.New("no such route"), http.StatusNotFound)
+		return
+	}
+
+	var result *homepage.FetchResult
+	hp := r.HomepageItem()
+	if hp.Icon != nil {
+		if hp.Icon.IconSource == homepage.IconSourceRelative {
+			result = homepage.FindIcon(req.Context(), r, hp.Icon.Value)
+		} else {
+			result = homepage.FetchFavIconFromURL(req.Context(), hp.Icon)
+		}
+	} else {
+		// try extract from "link[rel=icon]"
+		result = homepage.FindIcon(req.Context(), r, "/")
+	}
+	if result.StatusCode == 0 {
+		result.StatusCode = http.StatusOK
+	}
+	if !result.OK() {
+		http.Error(w, result.ErrMsg, result.StatusCode)
+		return
+	}
+	w.Header().Set("Content-Type", result.ContentType())
+	gphttp.WriteBody(w, result.Icon)
+}
--- a/internal/api/v1/file.go
+++ b/internal/api/v1/file.go
@@ -1,60 +0,0 @@
-package v1
-
-import (
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/proxy/provider"
-)
-
-func GetFileContent(w http.ResponseWriter, r *http.Request) {
-	filename := r.PathValue("filename")
-	if filename == "" {
-		filename = common.ConfigFileName
-	}
-	content, err := os.ReadFile(path.Join(common.ConfigBasePath, filename))
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	w.Write(content)
-}
-
-func SetFileContent(w http.ResponseWriter, r *http.Request) {
-	filename := r.PathValue("filename")
-	if filename == "" {
-		U.HandleErr(w, r, U.ErrMissingKey("filename"), http.StatusBadRequest)
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-
-	var validateErr E.NestedError
-	if filename == common.ConfigFileName {
-		validateErr = config.Validate(content)
-	} else if !strings.HasPrefix(filename, path.Base(common.MiddlewareComposeBasePath)) {
-		validateErr = provider.Validate(content)
-	}
-
-	if validateErr != nil {
-		U.RespondJson(w, validateErr.JSONObject(), http.StatusBadRequest)
-		return
-	}
-
-	err = os.WriteFile(path.Join(common.ConfigBasePath, filename), content, 0644)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
--- a/internal/api/v1/health.go
+++ b/internal/api/v1/health.go
@@ -0,0 +1,23 @@
+package v1
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+func Health(w http.ResponseWriter, r *http.Request) {
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
+			return wsjson.Write(r.Context(), conn, routes.HealthMap())
+		})
+	} else {
+		gphttp.RespondJSON(w, r, routes.HealthMap())
+	}
+}
--- a/internal/api/v1/health_check.go
+++ b/internal/api/v1/health_check.go
@@ -1,34 +0,0 @@
-package v1
-
-import (
-	"net"
-	"net/http"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-func IsSiteHealthy(url string) bool {
-	// try HEAD first
-	// if HEAD is not allowed, try GET
-	resp, err := U.Head(url)
-	if resp != nil {
-		resp.Body.Close()
-	}
-	if err != nil && resp != nil && resp.StatusCode == http.StatusMethodNotAllowed {
-		_, err = U.Get(url)
-	}
-	if resp != nil {
-		resp.Body.Close()
-	}
-	return err == nil
-}
-
-func IsStreamHealthy(scheme, address string) bool {
-	conn, err := net.DialTimeout(scheme, address, common.DialTimeout)
-	if err != nil {
-		return false
-	}
-	conn.Close()
-	return true
-}
--- a/internal/api/v1/homepage_overrides.go
+++ b/internal/api/v1/homepage_overrides.go
@@ -0,0 +1,90 @@
+package v1
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/homepage"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+)
+
+const (
+	HomepageOverrideItem          = "item"
+	HomepageOverrideItemsBatch    = "items_batch"
+	HomepageOverrideCategoryOrder = "category_order"
+	HomepageOverrideItemVisible   = "item_visible"
+)
+
+type (
+	HomepageOverrideItemParams struct {
+		Which string              `json:"which"`
+		Value homepage.ItemConfig `json:"value"`
+	}
+	HomepageOverrideItemsBatchParams struct {
+		Value map[string]*homepage.ItemConfig `json:"value"`
+	}
+	HomepageOverrideCategoryOrderParams struct {
+		Which string `json:"which"`
+		Value int    `json:"value"`
+	}
+	HomepageOverrideItemVisibleParams struct {
+		Which []string `json:"which"`
+		Value bool     `json:"value"`
+	}
+)
+
+func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
+	what := r.FormValue("what")
+	if what == "" {
+		gphttp.BadRequest(w, "missing what or which")
+		return
+	}
+
+	data, err := io.ReadAll(r.Body)
+	if err != nil {
+		gphttp.ClientError(w, err, http.StatusBadRequest)
+		return
+	}
+	r.Body.Close()
+
+	overrides := homepage.GetOverrideConfig()
+	switch what {
+	case HomepageOverrideItem:
+		var params HomepageOverrideItemParams
+		if err := json.Unmarshal(data, &params); err != nil {
+			gphttp.ClientError(w, err, http.StatusBadRequest)
+			return
+		}
+		overrides.OverrideItem(params.Which, &params.Value)
+	case HomepageOverrideItemsBatch:
+		var params HomepageOverrideItemsBatchParams
+		if err := json.Unmarshal(data, &params); err != nil {
+			gphttp.ClientError(w, err, http.StatusBadRequest)
+			return
+		}
+		overrides.OverrideItems(params.Value)
+	case HomepageOverrideItemVisible: // POST /v1/item_visible [a,b,c], false => hide a, b, c
+		var params HomepageOverrideItemVisibleParams
+		if err := json.Unmarshal(data, &params); err != nil {
+			gphttp.ClientError(w, err, http.StatusBadRequest)
+			return
+		}
+		if params.Value {
+			overrides.UnhideItems(params.Which)
+		} else {
+			overrides.HideItems(params.Which)
+		}
+	case HomepageOverrideCategoryOrder:
+		var params HomepageOverrideCategoryOrderParams
+		if err := json.Unmarshal(data, &params); err != nil {
+			gphttp.ClientError(w, err, http.StatusBadRequest)
+			return
+		}
+		overrides.SetCategoryOrder(params.Which, params.Value)
+	default:
+		http.Error(w, "invalid what", http.StatusBadRequest)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+}
--- a/internal/api/v1/index.go
+++ b/internal/api/v1/index.go
@@ -1,7 +1,11 @@
 package v1

-import "net/http"
+import (
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+)

 func Index(w http.ResponseWriter, r *http.Request) {
-	w.Write([]byte("API ready"))
+	gphttp.WriteBody(w, []byte("API ready"))
 }
--- a/internal/api/v1/list.go
+++ b/internal/api/v1/list.go
@@ -1,87 +1,128 @@
 package v1

 import (
+	"fmt"
 	"net/http"
+	"strconv"
 	"strings"

-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal"
 	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
+	"github.com/yusing/go-proxy/internal/route/routes"
+	route "github.com/yusing/go-proxy/internal/route/types"
+	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
 )

 const (
-	ListRoutes          = "routes"
-	ListConfigFiles     = "config_files"
-	ListMiddlewares     = "middlewares"
-	ListMiddlewareTrace = "middleware_trace"
-	ListMatchDomains    = "match_domains"
-	ListHomepageConfig  = "homepage_config"
+	ListRoute              = "route"
+	ListRoutes             = "routes"
+	ListFiles              = "files"
+	ListMiddlewares        = "middlewares"
+	ListMiddlewareTraces   = "middleware_trace"
+	ListMatchDomains       = "match_domains"
+	ListHomepageConfig     = "homepage_config"
+	ListRouteProviders     = "route_providers"
+	ListHomepageCategories = "homepage_categories"
+	ListIcons              = "icons"
+	ListTasks              = "tasks"
 )

-func List(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	what := r.PathValue("what")
 	if what == "" {
 		what = ListRoutes
 	}
+	which := r.PathValue("which")

 	switch what {
-	case ListRoutes:
-		listRoutes(cfg, w, r)
-	case ListConfigFiles:
-		listConfigFiles(w, r)
-	case ListMiddlewares:
-		listMiddlewares(w, r)
-	case ListMiddlewareTrace:
-		listMiddlewareTrace(w, r)
-	case ListMatchDomains:
-		listMatchDomains(cfg, w, r)
-	case ListHomepageConfig:
-		listHomepageConfig(cfg, w, r)
-	default:
-		U.HandleErr(w, r, U.ErrInvalidKey("what"), http.StatusBadRequest)
-	}
-}
-
-func listRoutes(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
-	routes := cfg.RoutesByAlias()
-	typeFilter := r.FormValue("type")
-	if typeFilter != "" {
-		for k, v := range routes {
-			if v["type"] != typeFilter {
-				delete(routes, k)
-			}
+	case ListRoute:
+		route := listRoute(which)
+		if route == nil {
+			http.NotFound(w, r)
+		} else {
+			gphttp.RespondJSON(w, r, route)
 		}
+	case ListRoutes:
+		gphttp.RespondJSON(w, r, routes.ByAlias(route.RouteType(r.FormValue("type"))))
+	case ListFiles:
+		listFiles(w, r)
+	case ListMiddlewares:
+		gphttp.RespondJSON(w, r, middleware.All())
+	case ListMiddlewareTraces:
+		gphttp.RespondJSON(w, r, middleware.GetAllTrace())
+	case ListMatchDomains:
+		gphttp.RespondJSON(w, r, cfg.Value().MatchDomains)
+	case ListHomepageConfig:
+		gphttp.RespondJSON(w, r, routes.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
+	case ListRouteProviders:
+		gphttp.RespondJSON(w, r, cfg.RouteProviderList())
+	case ListHomepageCategories:
+		gphttp.RespondJSON(w, r, routes.HomepageCategories())
+	case ListIcons:
+		limit, err := strconv.Atoi(r.FormValue("limit"))
+		if err != nil {
+			limit = 0
+		}
+		icons, err := internal.SearchIcons(r.FormValue("keyword"), limit)
+		if err != nil {
+			gphttp.ClientError(w, err)
+			return
+		}
+		if icons == nil {
+			icons = []string{}
+		}
+		gphttp.RespondJSON(w, r, icons)
+	case ListTasks:
+		gphttp.RespondJSON(w, r, task.DebugTaskList())
+	default:
+		gphttp.BadRequest(w, fmt.Sprintf("invalid what: %s", what))
 	}
-
-	U.HandleErr(w, r, U.RespondJson(w, routes))
 }

-func listConfigFiles(w http.ResponseWriter, r *http.Request) {
-	files, err := utils.ListFiles(common.ConfigBasePath, 1)
+// if which is "all" or empty, return map[string]Route of all routes
+// otherwise, return a single Route with alias which or nil if not found.
+func listRoute(which string) any {
+	if which == "" || which == "all" {
+		return routes.ByAlias()
+	}
+	routes := routes.ByAlias()
+	route, ok := routes[which]
+	if !ok {
+		return nil
+	}
+	return route
+}
+
+func listFiles(w http.ResponseWriter, r *http.Request) {
+	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
-	for i := range files {
-		files[i] = strings.TrimPrefix(files[i], common.ConfigBasePath+"/")
+	resp := map[FileType][]string{
+		FileTypeConfig:     make([]string, 0),
+		FileTypeProvider:   make([]string, 0),
+		FileTypeMiddleware: make([]string, 0),
 	}
-	U.HandleErr(w, r, U.RespondJson(w, files))
-}

-func listMiddlewareTrace(w http.ResponseWriter, r *http.Request) {
-	U.HandleErr(w, r, U.RespondJson(w, middleware.GetAllTrace()))
-}
+	for _, file := range files {
+		t := fileType(file)
+		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
+		resp[t] = append(resp[t], file)
+	}

-func listMiddlewares(w http.ResponseWriter, r *http.Request) {
-	U.HandleErr(w, r, U.RespondJson(w, middleware.All()))
-}
-
-func listMatchDomains(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
-	U.HandleErr(w, r, U.RespondJson(w, cfg.Value().MatchDomains))
-}
-
-func listHomepageConfig(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
-	U.HandleErr(w, r, U.RespondJson(w, cfg.HomepageConfig()))
+	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+	for _, mid := range mids {
+		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
+		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
+	}
+	gphttp.RespondJSON(w, r, resp)
 }
--- a/internal/api/v1/new_agent.go
+++ b/internal/api/v1/new_agent.go
@@ -0,0 +1,141 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strconv"
+
+	_ "embed"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+)
+
+func NewAgent(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	name := q.Get("name")
+	if name == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("name"))
+		return
+	}
+	host := q.Get("host")
+	if host == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("host"))
+		return
+	}
+	portStr := q.Get("port")
+	if portStr == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("port"))
+		return
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil || port < 1 || port > 65535 {
+		gphttp.ClientError(w, gphttp.ErrInvalidKey("port"))
+		return
+	}
+	hostport := fmt.Sprintf("%s:%d", host, port)
+	if _, ok := config.GetInstance().GetAgent(hostport); ok {
+		gphttp.ClientError(w, gphttp.ErrAlreadyExists("agent", hostport), http.StatusConflict)
+		return
+	}
+	t := q.Get("type")
+	switch t {
+	case "docker", "system":
+		break
+	case "":
+		gphttp.ClientError(w, gphttp.ErrMissingKey("type"))
+		return
+	default:
+		gphttp.ClientError(w, gphttp.ErrInvalidKey("type"))
+		return
+	}
+
+	nightly, _ := strconv.ParseBool(q.Get("nightly"))
+	var image string
+	if nightly {
+		image = agent.DockerImageNightly
+	} else {
+		image = agent.DockerImageProduction
+	}
+
+	ca, srv, client, err := agent.NewAgent()
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	var cfg agent.Generator = &agent.AgentEnvConfig{
+		Name:    name,
+		Port:    port,
+		CACert:  ca.String(),
+		SSLCert: srv.String(),
+	}
+	if t == "docker" {
+		cfg = &agent.AgentComposeConfig{
+			Image:          image,
+			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
+		}
+	}
+	template, err := cfg.Generate()
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	gphttp.RespondJSON(w, r, map[string]any{
+		"compose": template,
+		"ca":      ca,
+		"client":  client,
+	})
+}
+
+func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+	clientPEMData, err := io.ReadAll(r.Body)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	var data struct {
+		Host   string        `json:"host"`
+		CA     agent.PEMPair `json:"ca"`
+		Client agent.PEMPair `json:"client"`
+	}
+
+	if err := json.Unmarshal(clientPEMData, &data); err != nil {
+		gphttp.ClientError(w, err, http.StatusBadRequest)
+		return
+	}
+
+	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(data.Host, data.CA, data.Client)
+	if err != nil {
+		gphttp.ClientError(w, err)
+		return
+	}
+
+	zip, err := certs.ZipCert(data.CA.Cert, data.Client.Cert, data.Client.Key)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	filename, ok := certs.AgentCertsFilepath(data.Host)
+	if !ok {
+		gphttp.ClientError(w, gphttp.ErrInvalidKey("host"))
+		return
+	}
+
+	if err := os.WriteFile(filename, zip, 0600); err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.Write(fmt.Appendf(nil, "Added %d routes", nRoutesAdded))
+}
--- a/internal/api/v1/query/query.go
+++ b/internal/api/v1/query/query.go
@@ -7,63 +7,58 @@ import (
 	"net/http"

 	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 )

-func ReloadServer() E.NestedError {
-	resp, err := U.Post(fmt.Sprintf("%s/v1/reload", common.APIHTTPURL), "", nil)
+func ReloadServer() gperr.Error {
+	resp, err := gphttp.Post(common.APIHTTPURL+"/v1/reload", "", nil)
 	if err != nil {
-		return E.From(err)
+		return gperr.Wrap(err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		failure := E.Failure("server reload").Extraf("status code: %v", resp.StatusCode)
-		b, err := io.ReadAll(resp.Body)
+		failure := gperr.Errorf("server reload status %v", resp.StatusCode)
+		body, err := io.ReadAll(resp.Body)
 		if err != nil {
-			return failure.Extraf("unable to read response body: %s", err)
+			return failure.With(err)
 		}
-		reloadErr, ok := E.FromJSON(b)
-		if ok {
-			return E.Join("reload success, but server returned error", reloadErr)
-		}
-		return failure.Extraf("unable to read response body")
+		reloadErr := string(body)
+		return failure.Withf(reloadErr)
 	}
 	return nil
 }

-func ListRoutes() (map[string]map[string]any, E.NestedError) {
-	resp, err := U.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, v1.ListRoutes))
+func List[T any](what string) (_ T, outErr gperr.Error) {
+	resp, err := gphttp.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, what))
 	if err != nil {
-		return nil, E.From(err)
+		outErr = gperr.Wrap(err)
+		return
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		return nil, E.Failure("list routes").Extraf("status code: %v", resp.StatusCode)
+		outErr = gperr.Errorf("list %s: failed, status %v", what, resp.StatusCode)
+		return
 	}
-	var routes map[string]map[string]any
-	err = json.NewDecoder(resp.Body).Decode(&routes)
+	var res T
+	err = json.NewDecoder(resp.Body).Decode(&res)
 	if err != nil {
-		return nil, E.From(err)
+		outErr = gperr.Wrap(err)
+		return
 	}
-	return routes, nil
+	return res, nil
 }

-func ListMiddlewareTraces() (middleware.Traces, E.NestedError) {
-	resp, err := U.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, v1.ListMiddlewareTrace))
-	if err != nil {
-		return nil, E.From(err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return nil, E.Failure("list middleware trace").Extraf("status code: %v", resp.StatusCode)
-	}
-	var traces middleware.Traces
-	err = json.NewDecoder(resp.Body).Decode(&traces)
-	if err != nil {
-		return nil, E.From(err)
-	}
-	return traces, nil
+func ListRoutes() (map[string]map[string]any, gperr.Error) {
+	return List[map[string]map[string]any](v1.ListRoutes)
+}
+
+func ListMiddlewareTraces() (middleware.Traces, gperr.Error) {
+	return List[middleware.Traces](v1.ListMiddlewareTraces)
+}
+
+func DebugListTasks() (map[string]any, gperr.Error) {
+	return List[map[string]any](v1.ListTasks)
 }
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -3,14 +3,14 @@ package v1
 import (
 	"net/http"

-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/config"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 )

-func Reload(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+func Reload(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	if err := cfg.Reload(); err != nil {
-		U.RespondJson(w, err.JSONObject(), http.StatusInternalServerError)
-	} else {
-		w.WriteHeader(http.StatusOK)
+		gphttp.ServerError(w, r, err)
+		return
 	}
+	gphttp.WriteBody(w, []byte("OK"))
 }
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -1,67 +1,33 @@
 package v1

 import (
-	"context"
 	"net/http"
 	"time"

-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/server"
-	"github.com/yusing/go-proxy/internal/utils"
-
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

-func Stats(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
-	U.HandleErr(w, r, U.RespondJson(w, getStats(cfg)))
-}
-
-func StatsWS(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
-	localAddresses := []string{"127.0.0.1", "10.0.*.*", "172.16.*.*", "192.168.*.*"}
-	originPats := make([]string, len(cfg.Value().MatchDomains)+len(localAddresses))
-
-	if len(originPats) == 0 {
-		U.Logger.Warnf("no match domains configured, accepting websocket request from all origins")
-		originPats = []string{"*"}
+func Stats(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
+			return wsjson.Write(r.Context(), conn, getStats(cfg))
+		})
 	} else {
-		for i, domain := range cfg.Value().MatchDomains {
-			originPats[i] = "*." + domain
-		}
-		originPats = append(originPats, localAddresses...)
-	}
-	if common.IsDebug {
-		originPats = []string{"*"}
-	}
-	conn, err := websocket.Accept(w, r, &websocket.AcceptOptions{
-		OriginPatterns: originPats,
-	})
-	if err != nil {
-		U.Logger.Errorf("/stats/ws failed to upgrade websocket: %s", err)
-		return
-	}
-	defer conn.CloseNow()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	ticker := time.NewTicker(1 * time.Second)
-	defer ticker.Stop()
-
-	for range ticker.C {
-		stats := getStats(cfg)
-		if err := wsjson.Write(ctx, conn, stats); err != nil {
-			U.Logger.Errorf("/stats/ws failed to write JSON: %s", err)
-			return
-		}
+		gphttp.RespondJSON(w, r, getStats(cfg))
 	}
 }

-func getStats(cfg *config.Config) map[string]any {
+var startTime = time.Now()
+
+func getStats(cfg config.ConfigInstance) map[string]any {
 	return map[string]any{
 		"proxies": cfg.Statistics(),
-		"uptime":  utils.FormatDuration(server.GetProxyServer().Uptime()),
+		"uptime":  strutils.FormatDuration(time.Since(startTime)),
 	}
 }
--- a/internal/api/v1/system_info.go
+++ b/internal/api/v1/system_info.go
@@ -0,0 +1,53 @@
+package v1
+
+import (
+	"net/http"
+
+	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+)
+
+func SystemInfo(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	agentAddr := query.Get("agent_addr")
+	query.Del("agent_addr")
+	if agentAddr == "" {
+		systeminfo.Poller.ServeHTTP(w, r)
+		return
+	}
+
+	agent, ok := cfg.GetAgent(agentAddr)
+	if !ok {
+		gphttp.NotFound(w, "agent_addr")
+		return
+	}
+
+	isWS := httpheaders.IsWebsocket(r.Header)
+	if !isWS {
+		respData, status, err := agent.Forward(r, agentPkg.EndpointSystemInfo)
+		if err != nil {
+			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to forward request to agent"))
+			return
+		}
+		if status != http.StatusOK {
+			http.Error(w, string(respData), status)
+			return
+		}
+		gphttp.WriteBody(w, respData)
+	} else {
+		rp := reverseproxy.NewReverseProxy("agent", agentPkg.AgentURL, agent.Transport())
+		header := r.Header.Clone()
+		r, err := http.NewRequestWithContext(r.Context(), r.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
+		if err != nil {
+			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to create request"))
+			return
+		}
+		r.Header = header
+		rp.ServeHTTP(w, r)
+	}
+}
--- a/internal/api/v1/utils/error.go
+++ b/internal/api/v1/utils/error.go
@@ -1,37 +0,0 @@
-package utils
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-
-	"github.com/sirupsen/logrus"
-	E "github.com/yusing/go-proxy/internal/error"
-)
-
-var Logger = logrus.WithField("module", "api")
-
-func HandleErr(w http.ResponseWriter, r *http.Request, origErr error, code ...int) {
-	if origErr == nil {
-		return
-	}
-	err := E.From(origErr).Subjectf("%s %s", r.Method, r.URL)
-	Logger.Error(err)
-	if len(code) > 0 {
-		http.Error(w, err.String(), code[0])
-		return
-	}
-	http.Error(w, err.String(), http.StatusInternalServerError)
-}
-
-func ErrMissingKey(k string) error {
-	return errors.New("missing key '" + k + "' in query or request body")
-}
-
-func ErrInvalidKey(k string) error {
-	return errors.New("invalid key '" + k + "' in query or request body")
-}
-
-func ErrNotFound(k, v string) error {
-	return fmt.Errorf("key %q with value %q not found", k, v)
-}
--- a/internal/api/v1/utils/http_client.go
+++ b/internal/api/v1/utils/http_client.go
@@ -1,27 +0,0 @@
-package utils
-
-import (
-	"crypto/tls"
-	"net"
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-var HTTPClient = &http.Client{
-	Timeout: common.ConnectionTimeout,
-	Transport: &http.Transport{
-		Proxy:             http.ProxyFromEnvironment,
-		DisableKeepAlives: true,
-		ForceAttemptHTTP2: true,
-		DialContext: (&net.Dialer{
-			Timeout:   common.DialTimeout,
-			KeepAlive: common.KeepAlive, // this is different from DisableKeepAlives
-		}).DialContext,
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	},
-}
-
-var Get = HTTPClient.Get
-var Post = HTTPClient.Post
-var Head = HTTPClient.Head
--- a/internal/api/v1/utils/utils.go
+++ b/internal/api/v1/utils/utils.go
@@ -1,20 +0,0 @@
-package utils
-
-import (
-	"encoding/json"
-	"net/http"
-)
-
-func RespondJson(w http.ResponseWriter, data any, code ...int) error {
-	if len(code) > 0 {
-		w.WriteHeader(code[0])
-	}
-	w.Header().Set("Content-Type", "application/json")
-	j, err := json.MarshalIndent(data, "", "  ")
-	if err != nil {
-		return err
-	} else {
-		w.Write(j)
-	}
-	return nil
-}
--- a/internal/api/v1/version.go
+++ b/internal/api/v1/version.go
@@ -3,9 +3,10 @@ package v1
 import (
 	"net/http"

+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/pkg"
 )

 func GetVersion(w http.ResponseWriter, r *http.Request) {
-	w.Write([]byte(pkg.GetVersion()))
+	gphttp.WriteBody(w, []byte(pkg.GetVersion()))
 }
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -0,0 +1,60 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+)
+
+var defaultAuth Provider
+
+// Initialize sets up authentication providers.
+func Initialize() error {
+	if !IsEnabled() {
+		return nil
+	}
+
+	var err error
+	// Initialize OIDC if configured.
+	if common.OIDCIssuerURL != "" {
+		defaultAuth, err = NewOIDCProviderFromEnv()
+	} else {
+		defaultAuth, err = NewUserPassAuthFromEnv()
+	}
+
+	return err
+}
+
+func GetDefaultAuth() Provider {
+	return defaultAuth
+}
+
+func IsEnabled() bool {
+	return !common.DebugDisableAuth && (common.APIJWTSecret != nil || IsOIDCEnabled())
+}
+
+func IsOIDCEnabled() bool {
+	return common.OIDCIssuerURL != ""
+}
+
+func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
+	if IsEnabled() {
+		return func(w http.ResponseWriter, r *http.Request) {
+			if err := defaultAuth.CheckToken(r); err != nil {
+				gphttp.ClientError(w, err, http.StatusUnauthorized)
+			} else {
+				next(w, r)
+			}
+		}
+	}
+	return next
+}
+
+func AuthCheckHandler(w http.ResponseWriter, r *http.Request) {
+	if err := defaultAuth.CheckToken(r); err != nil {
+		http.Redirect(w, r, "/v1/auth/login", http.StatusFound)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}
--- a/internal/auth/block_page.go
+++ b/internal/auth/block_page.go
@@ -0,0 +1,22 @@
+package auth
+
+import (
+	"html/template"
+	"net/http"
+
+	_ "embed"
+)
+
+//go:embed block_page.html
+var blockPageHTML string
+
+var blockPageTemplate = template.Must(template.New("block_page").Parse(blockPageHTML))
+
+func WriteBlockPage(w http.ResponseWriter, status int, error string, logoutURL string) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	blockPageTemplate.Execute(w, map[string]string{
+		"StatusText": http.StatusText(status),
+		"Error":      error,
+		"LogoutURL":  logoutURL,
+	})
+}
--- a/internal/auth/block_page.html
+++ b/internal/auth/block_page.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+    <title>Access Denied</title>
+</head>
+<body>
+    <h1>{{.StatusText}}</h1>
+    <p>{{.Error}}</p>
+    <a href="{{.LogoutURL}}">Logout</a>
+</body>
+</html>
--- a/internal/auth/oauth_refresh.go
+++ b/internal/auth/oauth_refresh.go
@@ -0,0 +1,185 @@
+package auth
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/jsonstore"
+	"github.com/yusing/go-proxy/internal/logging"
+	"golang.org/x/oauth2"
+)
+
+type oauthRefreshToken struct {
+	Username     string    `json:"username"`
+	RefreshToken string    `json:"refresh_token"`
+	Expiry       time.Time `json:"expiry"`
+}
+
+type Session struct {
+	SessionID sessionID `json:"session_id"`
+	Username  string    `json:"username"`
+	Groups    []string  `json:"groups"`
+}
+
+type sessionClaims struct {
+	Session
+	jwt.RegisteredClaims
+}
+
+type sessionID string
+
+var oauthRefreshTokens jsonstore.MapStore[oauthRefreshToken]
+
+var (
+	defaultRefreshTokenExpiry = 30 * 24 * time.Hour // 1 month
+	refreshBefore             = 30 * time.Second
+)
+
+var (
+	errNoRefreshToken      = errors.New("no refresh token")
+	ErrRefreshTokenFailure = errors.New("failed to refresh token")
+)
+
+const sessionTokenIssuer = "GoDoxy"
+
+func init() {
+	if IsOIDCEnabled() {
+		oauthRefreshTokens = jsonstore.Store[oauthRefreshToken]("oauth_refresh_tokens")
+	}
+}
+
+func (token *oauthRefreshToken) expired() bool {
+	return time.Now().After(token.Expiry)
+}
+
+func newSessionID() sessionID {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return sessionID(base64.StdEncoding.EncodeToString(b))
+}
+
+func newSession(username string, groups []string) Session {
+	return Session{
+		SessionID: newSessionID(),
+		Username:  username,
+		Groups:    groups,
+	}
+}
+
+// getOnceOAuthRefreshToken returns the refresh token for the given session.
+//
+// The token is removed from the store after retrieval.
+func getOnceOAuthRefreshToken(claims *Session) (*oauthRefreshToken, bool) {
+	token, ok := oauthRefreshTokens.Load(string(claims.SessionID))
+	if !ok {
+		return nil, false
+	}
+	invalidateOAuthRefreshToken(claims.SessionID)
+	if token.expired() {
+		return nil, false
+	}
+	if claims.Username != token.Username {
+		return nil, false
+	}
+	return &token, true
+}
+
+func storeOAuthRefreshToken(sessionID sessionID, username, token string) {
+	oauthRefreshTokens.Store(string(sessionID), oauthRefreshToken{
+		Username:     username,
+		RefreshToken: token,
+		Expiry:       time.Now().Add(defaultRefreshTokenExpiry),
+	})
+	logging.Debug().Str("username", username).Msg("stored oauth refresh token")
+}
+
+func invalidateOAuthRefreshToken(sessionID sessionID) {
+	logging.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
+	oauthRefreshTokens.Delete(string(sessionID))
+}
+
+func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.Request, session Session) {
+	claims := &sessionClaims{
+		Session: session,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    sessionTokenIssuer,
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(common.APIJWTTokenTTL)),
+		},
+	}
+	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
+	signed, err := jwtToken.SignedString(common.APIJWTSecret)
+	if err != nil {
+		logging.Err(err).Msg("failed to sign session token")
+		return
+	}
+	setTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
+}
+
+func (auth *OIDCProvider) parseSessionJWT(sessionJWT string) (claims *sessionClaims, valid bool, err error) {
+	claims = &sessionClaims{}
+	sessionToken, err := jwt.ParseWithClaims(sessionJWT, claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return common.APIJWTSecret, nil
+	})
+	if err != nil {
+		return nil, false, err
+	}
+	return claims, sessionToken.Valid && claims.Issuer == sessionTokenIssuer, nil
+}
+
+func (auth *OIDCProvider) TryRefreshToken(w http.ResponseWriter, r *http.Request, sessionJWT string) error {
+	// verify the session cookie
+	claims, valid, err := auth.parseSessionJWT(sessionJWT)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidSessionToken, err)
+	}
+	if !valid {
+		return ErrInvalidSessionToken
+	}
+
+	// check if refresh is possible
+	refreshToken, ok := getOnceOAuthRefreshToken(&claims.Session)
+	if !ok {
+		return errNoRefreshToken
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+
+	// this step refreshes the token
+	// see https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.29.0:oauth2.go;l=313
+	newToken, err := auth.oauthConfig.TokenSource(r.Context(), &oauth2.Token{
+		RefreshToken: refreshToken.RefreshToken,
+	}).Token()
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrRefreshTokenFailure, err)
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), newToken)
+	if err != nil {
+		return err
+	}
+
+	sessionID := newSessionID()
+
+	logging.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
+	storeOAuthRefreshToken(sessionID, claims.Username, newToken.RefreshToken)
+
+	// set new idToken and new sessionToken
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+	auth.setSessionTokenCookie(w, r, Session{
+		SessionID: sessionID,
+		Username:  claims.Username,
+		Groups:    claims.Groups,
+	})
+	return nil
+}
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -0,0 +1,314 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"slices"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"golang.org/x/oauth2"
+)
+
+type (
+	OIDCProvider struct {
+		oauthConfig   *oauth2.Config
+		oidcProvider  *oidc.Provider
+		oidcVerifier  *oidc.IDTokenVerifier
+		endSessionURL *url.URL
+		allowedUsers  []string
+		allowedGroups []string
+	}
+
+	IDTokenClaims struct {
+		Username string   `json:"preferred_username"`
+		Groups   []string `json:"groups"`
+	}
+)
+
+const (
+	CookieOauthState        = "godoxy_oidc_state"
+	CookieOauthSessionID    = "godoxy_session_id"
+	CookieOauthToken        = "godoxy_oauth_token"
+	CookieOauthSessionToken = "godoxy_session_token"
+)
+
+const (
+	OIDCAuthInitPath = "/"
+	OIDCPostAuthPath = "/auth/callback"
+	OIDCLogoutPath   = "/auth/logout"
+)
+
+var errMissingIDToken = errors.New("missing id_token field from oauth token")
+
+// generateState generates a random string for OIDC state.
+const oidcStateLength = 32
+
+func generateState() string {
+	b := make([]byte, oidcStateLength)
+	_, _ = rand.Read(b)
+	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength]
+}
+
+func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
+	if len(allowedUsers)+len(allowedGroups) == 0 {
+		return nil, errors.New("OIDC users, groups, or both must not be empty")
+	}
+	provider, err := oidc.NewProvider(context.Background(), issuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
+	endSessionURL, err := url.Parse(provider.EndSessionEndpoint())
+	if err != nil && provider.EndSessionEndpoint() != "" {
+		// non critical, just warn
+		logging.Warn().
+			Str("issuer", issuerURL).
+			Err(err).
+			Msg("failed to parse end session URL")
+	}
+
+	return &OIDCProvider{
+		oauthConfig: &oauth2.Config{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			RedirectURL:  "",
+			Endpoint:     provider.Endpoint(),
+			Scopes:       strutils.CommaSeperatedList(common.OIDCScopes),
+		},
+		oidcProvider: provider,
+		oidcVerifier: provider.Verifier(&oidc.Config{
+			ClientID: clientID,
+		}),
+		endSessionURL: endSessionURL,
+		allowedUsers:  allowedUsers,
+		allowedGroups: allowedGroups,
+	}, nil
+}
+
+// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
+func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
+	return NewOIDCProvider(
+		common.OIDCIssuerURL,
+		common.OIDCClientID,
+		common.OIDCClientSecret,
+		common.OIDCAllowedUsers,
+		common.OIDCAllowedGroups,
+	)
+}
+
+func (auth *OIDCProvider) SetAllowedUsers(users []string) {
+	auth.allowedUsers = users
+}
+
+func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
+	auth.allowedGroups = groups
+}
+
+// optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
+// parameter of the authorization URL to the post auth path of the current
+// request host.
+func optRedirectPostAuth(r *http.Request) oauth2.AuthCodeOption {
+	return oauth2.SetAuthURLParam("redirect_uri", "https://"+requestHost(r)+OIDCPostAuthPath)
+}
+
+func (auth *OIDCProvider) getIdToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
+	idTokenJWT, ok := oauthToken.Extra("id_token").(string)
+	if !ok {
+		return "", nil, errMissingIDToken
+	}
+	idToken, err := auth.oidcVerifier.Verify(ctx, idTokenJWT)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to verify ID token: %w", err)
+	}
+	return idTokenJWT, idToken, nil
+}
+
+func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case OIDCAuthInitPath:
+		auth.LoginHandler(w, r)
+	case OIDCPostAuthPath:
+		auth.PostAuthCallbackHandler(w, r)
+	case OIDCLogoutPath:
+		auth.LogoutHandler(w, r)
+	default:
+		http.Redirect(w, r, OIDCAuthInitPath, http.StatusFound)
+	}
+}
+
+func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	// check for session token
+	sessionToken, err := r.Cookie(CookieOauthSessionToken)
+	if err == nil {
+		err = auth.TryRefreshToken(w, r, sessionToken.Value)
+		if err != nil {
+			logging.Debug().Err(err).Msg("failed to refresh token")
+			auth.clearCookie(w, r)
+		}
+		http.Redirect(w, r, "/", http.StatusFound)
+		return
+	}
+
+	state := generateState()
+	setTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
+	// redirect user to Idp
+	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
+}
+
+func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
+	var claim IDTokenClaims
+	if err := idToken.Claims(&claim); err != nil {
+		return nil, fmt.Errorf("failed to parse claims: %w", err)
+	}
+	if claim.Username == "" {
+		return nil, fmt.Errorf("missing username in ID token")
+	}
+	return &claim, nil
+}
+
+func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
+	userAllowed := slices.Contains(auth.allowedUsers, user)
+	if !userAllowed {
+		return false
+	}
+	if len(auth.allowedGroups) == 0 {
+		return true
+	}
+	return len(utils.Intersect(groups, auth.allowedGroups)) > 0
+}
+
+func (auth *OIDCProvider) CheckToken(r *http.Request) error {
+	tokenCookie, err := r.Cookie(CookieOauthToken)
+	if err != nil {
+		return ErrMissingOAuthToken
+	}
+
+	idToken, err := auth.oidcVerifier.Verify(r.Context(), tokenCookie.Value)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	claims, err := parseClaims(idToken)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+	return nil
+}
+
+func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+	// For testing purposes, skip provider verification
+	if common.IsTest {
+		auth.handleTestCallback(w, r)
+		return
+	}
+
+	// verify state
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	code := r.URL.Query().Get("code")
+	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code, optRedirectPostAuth(r))
+	if err != nil {
+		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
+		return
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), oauth2Token)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	if oauth2Token.RefreshToken != "" {
+		claims, err := parseClaims(idToken)
+		if err != nil {
+			gphttp.ServerError(w, r, err)
+			return
+		}
+		session := newSession(claims.Username, claims.Groups)
+		storeOAuthRefreshToken(session.SessionID, claims.Username, oauth2Token.RefreshToken)
+		auth.setSessionTokenCookie(w, r, session)
+	}
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+
+	// Redirect to home page
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	oauthToken, _ := r.Cookie(CookieOauthToken)
+	sessionToken, _ := r.Cookie(CookieOauthSessionToken)
+	auth.clearCookie(w, r)
+
+	if sessionToken != nil {
+		claims, _, err := auth.parseSessionJWT(sessionToken.Value)
+		if err == nil {
+			invalidateOAuthRefreshToken(claims.SessionID)
+		}
+	}
+
+	url := "/"
+	if auth.endSessionURL != nil && oauthToken != nil {
+		query := auth.endSessionURL.Query()
+		query.Set("id_token_hint", oauthToken.Value)
+		query.Set("post_logout_redirect_uri", "https://"+requestHost(r))
+
+		clone := *auth.endSessionURL
+		clone.RawQuery = query.Encode()
+		url = clone.String()
+	} else if auth.endSessionURL != nil {
+		url = auth.endSessionURL.String()
+	}
+
+	http.Redirect(w, r, url, http.StatusFound)
+}
+
+func (auth *OIDCProvider) setIDTokenCookie(w http.ResponseWriter, r *http.Request, jwt string, ttl time.Duration) {
+	setTokenCookie(w, r, CookieOauthToken, jwt, ttl)
+}
+
+func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
+	clearTokenCookie(w, r, CookieOauthToken)
+	clearTokenCookie(w, r, CookieOauthSessionToken)
+}
+
+// handleTestCallback handles OIDC callback in test environment.
+func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	// Create test JWT token
+	setTokenCookie(w, r, CookieOauthToken, "test", time.Hour)
+
+	http.Redirect(w, r, "/", http.StatusFound)
+}
--- a/internal/auth/oidc_test.go
+++ b/internal/auth/oidc_test.go
@@ -0,0 +1,484 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/yusing/go-proxy/internal/common"
+	"golang.org/x/oauth2"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+// setupMockOIDC configures mock OIDC provider for testing.
+func setupMockOIDC(t *testing.T) {
+	t.Helper()
+
+	provider := (&oidc.ProviderConfig{}).NewProvider(context.TODO())
+	defaultAuth = &OIDCProvider{
+		oauthConfig: &oauth2.Config{
+			ClientID:     "test-client",
+			ClientSecret: "test-secret",
+			RedirectURL:  "http://localhost/callback",
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  "http://mock-provider/auth",
+				TokenURL: "http://mock-provider/token",
+			},
+			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+		},
+		endSessionURL: Must(url.Parse("http://mock-provider/logout")),
+		oidcProvider:  provider,
+		oidcVerifier: provider.Verifier(&oidc.Config{
+			ClientID: "test-client",
+		}),
+		allowedUsers:  []string{"test-user"},
+		allowedGroups: []string{"test-group1", "test-group2"},
+	}
+}
+
+// discoveryDocument returns a mock OIDC discovery document.
+func discoveryDocument(t *testing.T, server *httptest.Server) map[string]any {
+	t.Helper()
+
+	discovery := map[string]any{
+		"issuer":                 server.URL,
+		"authorization_endpoint": server.URL + "/auth",
+		"token_endpoint":         server.URL + "/token",
+	}
+
+	return discovery
+}
+
+const (
+	keyID    = "test-key-id"
+	clientID = "test-client-id"
+)
+
+type provider struct {
+	ts       *httptest.Server
+	key      *rsa.PrivateKey
+	verifier *oidc.IDTokenVerifier
+}
+
+func (j *provider) SignClaims(t *testing.T, claims jwt.Claims) string {
+	t.Helper()
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	token.Header["kid"] = keyID
+	signed, err := token.SignedString(j.key)
+	ExpectNoError(t, err)
+	return signed
+}
+
+func setupProvider(t *testing.T) *provider {
+	t.Helper()
+
+	// Generate an RSA key pair for the test.
+	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	ExpectNoError(t, err)
+
+	// Build the matching public JWK that will be served by the endpoint.
+	jwk := buildRSAJWK(t, &privKey.PublicKey, keyID)
+
+	// Start a test server that serves the JWKS endpoint.
+	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/.well-known/jwks.json":
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"keys": []any{jwk},
+			})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	t.Cleanup(ts.Close)
+
+	// Create a test OIDCProvider.
+	providerCtx := oidc.ClientContext(context.Background(), ts.Client())
+	keySet := oidc.NewRemoteKeySet(providerCtx, ts.URL+"/.well-known/jwks.json")
+
+	return &provider{
+		ts:  ts,
+		key: privKey,
+		verifier: oidc.NewVerifier(ts.URL, keySet, &oidc.Config{
+			ClientID: clientID, // matches audience in the token
+		}),
+	}
+}
+
+// buildRSAJWK is a helper to construct a minimal JWK for the JWKS endpoint.
+func buildRSAJWK(t *testing.T, pub *rsa.PublicKey, kid string) map[string]any {
+	t.Helper()
+
+	nBytes := pub.N.Bytes()
+	eBytes := []byte{0x01, 0x00, 0x01} // Usually 65537
+
+	return map[string]any{
+		"kty": "RSA",
+		"alg": "RS256",
+		"use": "sig",
+		"kid": kid,
+		"n":   base64.RawURLEncoding.EncodeToString(nBytes),
+		"e":   base64.RawURLEncoding.EncodeToString(eBytes),
+	}
+}
+
+func cleanup() {
+	defaultAuth = nil
+}
+
+func TestOIDCLoginHandler(t *testing.T) {
+	// Setup
+	common.APIJWTSecret = []byte("test-secret")
+	t.Cleanup(cleanup)
+	setupMockOIDC(t)
+
+	tests := []struct {
+		name         string
+		wantStatus   int
+		wantRedirect bool
+	}{
+		{
+			name:         "Success - Redirects to provider",
+			wantStatus:   http.StatusFound,
+			wantRedirect: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, OIDCAuthInitPath, nil)
+			w := httptest.NewRecorder()
+
+			defaultAuth.(*OIDCProvider).HandleAuth(w, req)
+
+			if got := w.Code; got != tt.wantStatus {
+				t.Errorf("OIDCLoginHandler() status = %v, want %v", got, tt.wantStatus)
+			}
+
+			if tt.wantRedirect {
+				if loc := w.Header().Get("Location"); loc == "" {
+					t.Error("OIDCLoginHandler() missing redirect location")
+				}
+
+				cookie := w.Header().Get("Set-Cookie")
+				if cookie == "" {
+					t.Error("OIDCLoginHandler() missing state cookie")
+				}
+			}
+		})
+	}
+}
+
+func TestOIDCCallbackHandler(t *testing.T) {
+	// Setup
+	common.APIJWTSecret = []byte("test-secret")
+	t.Cleanup(cleanup)
+	tests := []struct {
+		name       string
+		state      string
+		code       string
+		setupMocks bool
+		wantStatus int
+	}{
+		{
+			name:       "Success - Valid callback",
+			state:      "valid-state",
+			code:       "valid-code",
+			setupMocks: true,
+			wantStatus: http.StatusFound,
+		},
+		{
+			name:       "Failure - Missing state",
+			code:       "valid-code",
+			setupMocks: true,
+			wantStatus: http.StatusBadRequest,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.setupMocks {
+				setupMockOIDC(t)
+			}
+
+			req := httptest.NewRequest(http.MethodGet, "/auth/callback?code="+tt.code+"&state="+tt.state, nil)
+			if tt.state != "" {
+				req.AddCookie(&http.Cookie{
+					Name:  CookieOauthState,
+					Value: tt.state,
+				})
+			}
+			w := httptest.NewRecorder()
+
+			defaultAuth.(*OIDCProvider).PostAuthCallbackHandler(w, req)
+
+			if got := w.Code; got != tt.wantStatus {
+				t.Errorf("OIDCCallbackHandler() status = %v, want %v", got, tt.wantStatus)
+			}
+
+			if tt.wantStatus == http.StatusTemporaryRedirect {
+				setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
+				ExpectEqual(t, setCookie.Name, CookieOauthToken)
+				ExpectTrue(t, setCookie.Value != "")
+				ExpectEqual(t, setCookie.Path, "/")
+				ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
+				ExpectEqual(t, setCookie.HttpOnly, true)
+			}
+		})
+	}
+}
+
+func TestInitOIDC(t *testing.T) {
+	setupMockOIDC(t)
+	// Create a test server that serves the discovery document
+	var server *httptest.Server
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		ExpectNoError(t, json.NewEncoder(w).Encode(discoveryDocument(t, server)))
+	})
+	server = httptest.NewServer(mux)
+	t.Cleanup(server.Close)
+	t.Cleanup(cleanup)
+
+	tests := []struct {
+		name          string
+		issuerURL     string
+		clientID      string
+		clientSecret  string
+		redirectURL   string
+		logoutURL     string
+		allowedUsers  []string
+		allowedGroups []string
+		wantErr       bool
+	}{
+		{
+			name:    "Fail - Empty configuration",
+			wantErr: true,
+		},
+		{
+			name:         "Success - Valid configuration with users",
+			issuerURL:    server.URL,
+			clientID:     "client_id",
+			clientSecret: "client_secret",
+			allowedUsers: []string{"user1", "user2"},
+			wantErr:      false,
+		},
+		{
+			name:          "Success - Valid configuration with groups",
+			issuerURL:     server.URL,
+			clientID:      "client_id",
+			clientSecret:  "client_secret",
+			allowedGroups: []string{"group1", "group2"},
+			wantErr:       false,
+		},
+		{
+			name:          "Success - Valid configuration with users, groups and logout URL",
+			issuerURL:     server.URL,
+			clientID:      "client_id",
+			clientSecret:  "client_secret",
+			logoutURL:     "https://example.com/logout",
+			allowedUsers:  []string{"user1", "user2"},
+			allowedGroups: []string{"group1", "group2"},
+			wantErr:       false,
+		},
+		{
+			name:         "Fail - No allowed users or allowed groups",
+			issuerURL:    "https://example.com",
+			clientID:     "client_id",
+			clientSecret: "client_secret",
+			wantErr:      true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.allowedUsers, tt.allowedGroups)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("InitOIDC() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestCheckToken(t *testing.T) {
+	provider := setupProvider(t)
+
+	tests := []struct {
+		name          string
+		allowedUsers  []string
+		allowedGroups []string
+		claims        jwt.Claims
+		wantErr       error
+	}{
+		{
+			name:         "Success - Valid token with allowed user",
+			allowedUsers: []string{"user1"},
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                clientID,
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+		},
+		{
+			name:          "Success - Valid token with allowed group",
+			allowedGroups: []string{"group1"},
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                clientID,
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+		},
+		{
+			name:         "Success - Server omits groups, but user is allowed",
+			allowedUsers: []string{"user1"},
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                clientID,
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+			},
+		},
+		{
+			name:          "Success - Server omits preferred_username, but group is allowed",
+			allowedGroups: []string{"group1"},
+			claims: jwt.MapClaims{
+				"iss":    provider.ts.URL,
+				"aud":    clientID,
+				"exp":    time.Now().Add(time.Hour).Unix(),
+				"groups": []string{"group1"},
+			},
+		},
+		{
+			name:          "Success - Valid token with allowed user and group",
+			allowedUsers:  []string{"user1"},
+			allowedGroups: []string{"group1"},
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                clientID,
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+		},
+		{
+			name:          "Error - User not allowed",
+			allowedUsers:  []string{"user2", "user3"},
+			allowedGroups: []string{"group2", "group3"},
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                clientID,
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+			wantErr: ErrUserNotAllowed,
+		},
+		{
+			name: "Error - Server returns incorrect issuer",
+			claims: jwt.MapClaims{
+				"iss":                "https://example.com",
+				"aud":                clientID,
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+			wantErr: ErrInvalidOAuthToken,
+		},
+		{
+			name: "Error - Server returns incorrect audience",
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                "some-other-audience",
+				"exp":                time.Now().Add(time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+			wantErr: ErrInvalidOAuthToken,
+		},
+		{
+			name: "Error - Server returns expired token",
+			claims: jwt.MapClaims{
+				"iss":                provider.ts.URL,
+				"aud":                clientID,
+				"exp":                time.Now().Add(-time.Hour).Unix(),
+				"preferred_username": "user1",
+				"groups":             []string{"group1"},
+			},
+			wantErr: ErrInvalidOAuthToken,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create the Auth Provider.
+			auth := &OIDCProvider{
+				oidcVerifier:  provider.verifier,
+				allowedUsers:  tc.allowedUsers,
+				allowedGroups: tc.allowedGroups,
+			}
+			// Sign the claims to create a token.
+			signedToken := provider.SignClaims(t, tc.claims)
+			// Craft a test HTTP request that includes the token as a cookie.
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			req.AddCookie(&http.Cookie{
+				Name:  CookieOauthToken,
+				Value: signedToken,
+			})
+
+			// Call CheckToken and verify the result.
+			err := auth.CheckToken(req)
+			if tc.wantErr == nil {
+				ExpectNoError(t, err)
+			} else {
+				ExpectError(t, tc.wantErr, err)
+			}
+		})
+	}
+}
+
+func TestLogoutHandler(t *testing.T) {
+	t.Helper()
+
+	setupMockOIDC(t)
+
+	req := httptest.NewRequest(http.MethodGet, OIDCLogoutPath, nil)
+	w := httptest.NewRecorder()
+
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthToken,
+		Value: "test-token",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthSessionToken,
+		Value: "test-session-token",
+	})
+
+	defaultAuth.(*OIDCProvider).LogoutHandler(w, req)
+
+	if got := w.Code; got != http.StatusFound {
+		t.Errorf("LogoutHandler() status = %v, want %v", got, http.StatusFound)
+	}
+
+	if got := w.Header().Get("Location"); got == "" {
+		t.Error("LogoutHandler() missing redirect location")
+	}
+
+	if len(w.Header().Values("Set-Cookie")) != 2 {
+		t.Error("LogoutHandler() did not clear all cookies")
+	}
+}
--- a/internal/auth/provider.go
+++ b/internal/auth/provider.go
@@ -0,0 +1,10 @@
+package auth
+
+import "net/http"
+
+type Provider interface {
+	CheckToken(r *http.Request) error
+	LoginHandler(w http.ResponseWriter, r *http.Request)
+	PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request)
+	LogoutHandler(w http.ResponseWriter, r *http.Request)
+}
--- a/internal/auth/userpass.go
+++ b/internal/auth/userpass.go
@@ -0,0 +1,143 @@
+package auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"golang.org/x/crypto/bcrypt"
+)
+
+var (
+	ErrInvalidUsername = gperr.New("invalid username")
+	ErrInvalidPassword = gperr.New("invalid password")
+)
+
+type (
+	UserPassAuth struct {
+		username string
+		pwdHash  []byte
+		secret   []byte
+		tokenTTL time.Duration
+	}
+	UserPassClaims struct {
+		Username string `json:"username"`
+		jwt.RegisteredClaims
+	}
+)
+
+func NewUserPassAuth(username, password string, secret []byte, tokenTTL time.Duration) (*UserPassAuth, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, err
+	}
+	return &UserPassAuth{
+		username: username,
+		pwdHash:  hash,
+		secret:   secret,
+		tokenTTL: tokenTTL,
+	}, nil
+}
+
+func NewUserPassAuthFromEnv() (*UserPassAuth, error) {
+	return NewUserPassAuth(
+		common.APIUser,
+		common.APIPassword,
+		common.APIJWTSecret,
+		common.APIJWTTokenTTL,
+	)
+}
+
+func (auth *UserPassAuth) TokenCookieName() string {
+	return "godoxy_token"
+}
+
+func (auth *UserPassAuth) NewToken() (token string, err error) {
+	claim := &UserPassClaims{
+		Username: auth.username,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(auth.tokenTTL)),
+		},
+	}
+	tok := jwt.NewWithClaims(jwt.SigningMethodHS512, claim)
+	token, err = tok.SignedString(auth.secret)
+	if err != nil {
+		return "", err
+	}
+	return token, nil
+}
+
+func (auth *UserPassAuth) CheckToken(r *http.Request) error {
+	jwtCookie, err := r.Cookie(auth.TokenCookieName())
+	if err != nil {
+		return ErrMissingSessionToken
+	}
+	var claims UserPassClaims
+	token, err := jwt.ParseWithClaims(jwtCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return auth.secret, nil
+	})
+	if err != nil {
+		return err
+	}
+	switch {
+	case !token.Valid:
+		return ErrInvalidSessionToken
+	case claims.Username != auth.username:
+		return ErrUserNotAllowed.Subject(claims.Username)
+	case claims.ExpiresAt.Before(time.Now()):
+		return gperr.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
+	}
+
+	return nil
+}
+
+func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	var creds struct {
+		User string `json:"username"`
+		Pass string `json:"password"`
+	}
+	err := json.NewDecoder(r.Body).Decode(&creds)
+	if err != nil {
+		gphttp.Unauthorized(w, "invalid credentials")
+		return
+	}
+	if err := auth.validatePassword(creds.User, creds.Pass); err != nil {
+		gphttp.Unauthorized(w, "invalid credentials")
+		return
+	}
+	token, err := auth.NewToken()
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+	setTokenCookie(w, r, auth.TokenCookieName(), token, auth.tokenTTL)
+	w.WriteHeader(http.StatusOK)
+}
+
+func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	clearTokenCookie(w, r, auth.TokenCookieName())
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *UserPassAuth) validatePassword(user, pass string) error {
+	if user != auth.username {
+		return ErrInvalidUsername.Subject(user)
+	}
+	if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil {
+		return ErrInvalidPassword.With(err).Subject(pass)
+	}
+	return nil
+}
--- a/internal/auth/userpass_test.go
+++ b/internal/auth/userpass_test.go
@@ -0,0 +1,115 @@
+package auth
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func newMockUserPassAuth() *UserPassAuth {
+	return &UserPassAuth{
+		username: "username",
+		pwdHash:  Must(bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)),
+		secret:   []byte("abcdefghijklmnopqrstuvwxyz"),
+		tokenTTL: time.Hour,
+	}
+}
+
+func TestUserPassValidateCredentials(t *testing.T) {
+	auth := newMockUserPassAuth()
+	err := auth.validatePassword("username", "password")
+	ExpectNoError(t, err)
+	err = auth.validatePassword("username", "wrong-password")
+	ExpectError(t, ErrInvalidPassword, err)
+	err = auth.validatePassword("wrong-username", "password")
+	ExpectError(t, ErrInvalidUsername, err)
+}
+
+func TestUserPassCheckToken(t *testing.T) {
+	auth := newMockUserPassAuth()
+	token, err := auth.NewToken()
+	ExpectNoError(t, err)
+	tests := []struct {
+		token   string
+		wantErr bool
+	}{
+		{
+			token:   token,
+			wantErr: false,
+		},
+		{
+			token:   "invalid-token",
+			wantErr: true,
+		},
+		{
+			token:   "",
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		req := &http.Request{Header: http.Header{}}
+		if tt.token != "" {
+			req.Header.Set("Cookie", auth.TokenCookieName()+"="+tt.token)
+		}
+		err = auth.CheckToken(req)
+		if tt.wantErr {
+			ExpectTrue(t, err != nil)
+		} else {
+			ExpectNoError(t, err)
+		}
+	}
+}
+
+func TestUserPassLoginCallbackHandler(t *testing.T) {
+	type cred struct {
+		User string `json:"username"`
+		Pass string `json:"password"`
+	}
+	auth := newMockUserPassAuth()
+	tests := []struct {
+		creds   cred
+		wantErr bool
+	}{
+		{
+			creds: cred{
+				User: "username",
+				Pass: "password",
+			},
+			wantErr: false,
+		},
+		{
+			creds: cred{
+				User: "username",
+				Pass: "wrong-password",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		w := httptest.NewRecorder()
+		req := &http.Request{
+			Host: "app.example.com",
+			Body: io.NopCloser(bytes.NewReader(Must(json.Marshal(tt.creds)))),
+		}
+		auth.LoginHandler(w, req)
+		if tt.wantErr {
+			ExpectEqual(t, w.Code, http.StatusUnauthorized)
+		} else {
+			setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
+			ExpectTrue(t, setCookie.Name == auth.TokenCookieName())
+			ExpectTrue(t, setCookie.Value != "")
+			ExpectEqual(t, setCookie.Domain, "example.com")
+			ExpectEqual(t, setCookie.Path, "/")
+			ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
+			ExpectEqual(t, setCookie.HttpOnly, true)
+			ExpectEqual(t, w.Code, http.StatusOK)
+		}
+	}
+}
--- a/internal/auth/utils.go
+++ b/internal/auth/utils.go
@@ -0,0 +1,72 @@
+package auth
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+var (
+	ErrMissingOAuthToken   = gperr.New("missing oauth token")
+	ErrMissingSessionToken = gperr.New("missing session token")
+	ErrInvalidOAuthToken   = gperr.New("invalid oauth token")
+	ErrInvalidSessionToken = gperr.New("invalid session token")
+	ErrUserNotAllowed      = gperr.New("user not allowed")
+)
+
+func requestHost(r *http.Request) string {
+	// check if it's from backend
+	switch r.Host {
+	case common.APIHTTPAddr:
+		// use XFH
+		return r.Header.Get("X-Forwarded-Host")
+	default:
+		return r.Host
+	}
+}
+
+// cookieDomain returns the fully qualified domain name of the request host
+// with subdomain stripped.
+//
+// If the request host does not have a subdomain,
+// an empty string is returned
+//
+//	"abc.example.com" -> ".example.com" (cross subdomain)
+//	"example.com" -> "" (same domain only)
+func cookieDomain(r *http.Request) string {
+	parts := strutils.SplitRune(requestHost(r), '.')
+	if len(parts) < 2 {
+		return ""
+	}
+	parts[0] = ""
+	return strutils.JoinRune(parts, '.')
+}
+
+func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    value,
+		MaxAge:   int(ttl.Seconds()),
+		Domain:   cookieDomain(r),
+		HttpOnly: true,
+		Secure:   common.APIJWTSecure,
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+}
+
+func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		Domain:   cookieDomain(r),
+		HttpOnly: true,
+		Secure:   common.APIJWTSecure,
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+}
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -4,58 +4,115 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/x509"
+	"os"
+	"regexp"

 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/lego"
-	E "github.com/yusing/go-proxy/internal/error"
-
-	"github.com/yusing/go-proxy/internal/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

-type Config types.AutoCertConfig
+type (
+	AutocertConfig struct {
+		Email       string      `json:"email,omitempty"`
+		Domains     []string    `json:"domains,omitempty"`
+		CertPath    string      `json:"cert_path,omitempty"`
+		KeyPath     string      `json:"key_path,omitempty"`
+		ACMEKeyPath string      `json:"acme_key_path,omitempty"`
+		Provider    string      `json:"provider,omitempty"`
+		Options     ProviderOpt `json:"options,omitempty"`
+	}
+	ProviderOpt map[string]any
+)
+
+var (
+	ErrMissingDomain   = gperr.New("missing field 'domains'")
+	ErrMissingEmail    = gperr.New("missing field 'email'")
+	ErrMissingProvider = gperr.New("missing field 'provider'")
+	ErrInvalidDomain   = gperr.New("invalid domain")
+	ErrUnknownProvider = gperr.New("unknown provider")
+)
+
+var domainOrWildcardRE = regexp.MustCompile(`^\*?([^.]+\.)+[^.]+$`)
+
+// Validate implements the utils.CustomValidator interface.
+func (cfg *AutocertConfig) Validate() gperr.Error {
+	if cfg == nil {
+		return nil
+	}
+
+	if cfg.Provider == "" {
+		cfg.Provider = ProviderLocal
+		return nil
+	}
+
+	b := gperr.NewBuilder("autocert errors")
+	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
+		if len(cfg.Domains) == 0 {
+			b.Add(ErrMissingDomain)
+		}
+		if cfg.Email == "" {
+			b.Add(ErrMissingEmail)
+		}
+		for i, d := range cfg.Domains {
+			if !domainOrWildcardRE.MatchString(d) {
+				b.Add(ErrInvalidDomain.Subjectf("domains[%d]", i))
+			}
+		}
+		// check if provider is implemented
+		providerConstructor, ok := providers[cfg.Provider]
+		if !ok {
+			b.Add(ErrUnknownProvider.
+				Subject(cfg.Provider).
+				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providers))))
+		} else {
+			_, err := providerConstructor(cfg.Options)
+			if err != nil {
+				b.Add(err)
+			}
+		}
+	}
+	return b.Error()
+}
+
+func (cfg *AutocertConfig) GetProvider() (*Provider, gperr.Error) {
+	if cfg == nil {
+		cfg = new(AutocertConfig)
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return nil, err
+	}

-func NewConfig(cfg *types.AutoCertConfig) *Config {
 	if cfg.CertPath == "" {
 		cfg.CertPath = CertFileDefault
 	}
 	if cfg.KeyPath == "" {
 		cfg.KeyPath = KeyFileDefault
 	}
-	if cfg.Provider == "" {
-		cfg.Provider = ProviderLocal
-	}
-	return (*Config)(cfg)
-}
-
-func (cfg *Config) GetProvider() (provider *Provider, res E.NestedError) {
-	b := E.NewBuilder("unable to initialize autocert")
-	defer b.To(&res)
-
-	if cfg.Provider != ProviderLocal {
-		if len(cfg.Domains) == 0 {
-			b.Addf("%s", "no domains specified")
-		}
-		if cfg.Provider == "" {
-			b.Addf("%s", "no provider specified")
-		}
-		if cfg.Email == "" {
-			b.Addf("%s", "no email specified")
-		}
-		// check if provider is implemented
-		_, ok := providersGenMap[cfg.Provider]
-		if !ok {
-			b.Addf("unknown provider: %q", cfg.Provider)
-		}
+	if cfg.ACMEKeyPath == "" {
+		cfg.ACMEKeyPath = ACMEKeyFileDefault
 	}

-	if b.HasError() {
-		return
-	}
+	var privKey *ecdsa.PrivateKey
+	var err error

-	privKey, err := E.Check(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
-	if err.HasError() {
-		b.Add(E.FailWith("generate private key", err))
-		return
+	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
+		if privKey, err = cfg.loadACMEKey(); err != nil {
+			logging.Info().Err(err).Msg("load ACME private key failed")
+			logging.Info().Msg("generate new ACME private key")
+			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+			if err != nil {
+				return nil, gperr.New("generate ACME private key").With(err)
+			}
+			if err = cfg.saveACMEKey(privKey); err != nil {
+				return nil, gperr.New("save ACME private key").With(err)
+			}
+		}
 	}

 	user := &User{
@@ -66,11 +123,25 @@ func (cfg *Config) GetProvider() (provider *Provider, res E.NestedError) {
 	legoCfg := lego.NewConfig(user)
 	legoCfg.Certificate.KeyType = certcrypto.RSA2048

-	provider = &Provider{
+	return &Provider{
 		cfg:     cfg,
 		user:    user,
 		legoCfg: legoCfg,
-	}
-
-	return
+	}, nil
+}
+
+func (cfg *AutocertConfig) loadACMEKey() (*ecdsa.PrivateKey, error) {
+	data, err := os.ReadFile(cfg.ACMEKeyPath)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseECPrivateKey(data)
+}
+
+func (cfg *AutocertConfig) saveACMEKey(key *ecdsa.PrivateKey) error {
+	data, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
 }
--- a/internal/autocert/constants.go
+++ b/internal/autocert/constants.go
@@ -1,40 +0,0 @@
-package autocert
-
-import (
-	"errors"
-
-	"github.com/go-acme/lego/v4/providers/dns/clouddns"
-	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
-	"github.com/go-acme/lego/v4/providers/dns/duckdns"
-	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	"github.com/sirupsen/logrus"
-)
-
-const (
-	certBasePath     = "certs/"
-	CertFileDefault  = certBasePath + "cert.crt"
-	KeyFileDefault   = certBasePath + "priv.key"
-	RegistrationFile = certBasePath + "registration.json"
-)
-
-const (
-	ProviderLocal      = "local"
-	ProviderCloudflare = "cloudflare"
-	ProviderClouddns   = "clouddns"
-	ProviderDuckdns    = "duckdns"
-	ProviderOVH        = "ovh"
-)
-
-var providersGenMap = map[string]ProviderGenerator{
-	ProviderLocal:      providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderCloudflare: providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-	ProviderClouddns:   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
-	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
-	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
-}
-
-var (
-	ErrGetCertFailure = errors.New("get certificate failed")
-)
-
-var logger = logrus.WithField("module", "autocert")
--- a/internal/autocert/gen.py
+++ b/internal/autocert/gen.py
@@ -0,0 +1,53 @@
+import requests
+import os
+
+class Entry:
+  def __init__(self, name: str, type: str, **kwargs) -> None:
+    self.name = name
+    self.type = type
+  
+url = "https://api.github.com/repos/go-acme/lego/contents/providers/dns"
+response = requests.get(url)
+data: list[Entry] = [Entry(**i) for i in response.json()]
+
+header = "//go:generate /usr/bin/python3 gen.py\n\npackage autocert\n\n"
+names: list[str] = [
+  "ProviderLocal = \"local\"",
+  "ProviderPseudo = \"pseudo\"",
+]
+imports: list[str] = []
+genMap: list[str] = [
+  "ProviderLocal: providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),",
+  "ProviderPseudo: providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),",
+]
+
+blacklists = [
+  "internal",
+  # deprecated 
+  "azure",
+  "brandit",
+  "cloudxns",
+  "dnspod",
+  "mythicbeasts", 
+  "yandexcloud"
+]
+
+for item in data:
+    if item.type != "dir" or item.name in blacklists:
+      continue
+    imports.append(f"import \"github.com/go-acme/lego/v4/providers/dns/{item.name}\"")
+    names.append(f"Provider{item.name} = \"{item.name}\"")
+    genMap.append(f"Provider{item.name}: providerGenerator({item.name}.NewDefaultConfig, {item.name}.NewDNSProviderConfig),")
+    
+with open("providers.go", "w") as f:
+  f.write(header)
+  f.write("\n".join(imports))
+  f.write("\n\n")
+  f.write("const (\n")
+  f.write("\n".join(names))
+  f.write("\n)\n\n")
+  f.write("var providers = map[string]ProviderGenerator{\n")
+  f.write("\n".join(genMap))
+  f.write("\n}\n\n")
+  
+os.execvp("go", ["go", "fmt", "providers.go"])
--- a/internal/autocert/paths.go
+++ b/internal/autocert/paths.go
@@ -0,0 +1,8 @@
+package autocert
+
+const (
+	certBasePath       = "certs/"
+	CertFileDefault    = certBasePath + "cert.crt"
+	KeyFileDefault     = certBasePath + "priv.key"
+	ACMEKeyFileDefault = certBasePath + "acme.key"
+)
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -1,37 +1,47 @@
 package autocert

 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
+	"fmt"
 	"os"
 	"path"
 	"reflect"
 	"sort"
+	"sync"
 	"time"

 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/types"
-
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/task"
 	U "github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

-type Provider struct {
-	cfg     *Config
-	user    *User
-	legoCfg *lego.Config
-	client  *lego.Client
+type (
+	Provider struct {
+		cfg     *AutocertConfig
+		user    *User
+		legoCfg *lego.Config
+		client  *lego.Client

-	tlsCert      *tls.Certificate
-	certExpiries CertExpiries
-}
+		legoCert     *certificate.Resource
+		tlsCert      *tls.Certificate
+		certExpiries CertExpiries

-type ProviderGenerator func(types.AutocertProviderOpt) (challenge.Provider, E.NestedError)
-type CertExpiries map[string]time.Time
+		obtainMu sync.Mutex
+	}
+	ProviderGenerator func(ProviderOpt) (challenge.Provider, gperr.Error)
+
+	CertExpiries map[string]time.Time
+)
+
+var ErrGetCertFailure = errors.New("get certificate failed")

 func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if p.tlsCert == nil {
@@ -56,54 +66,71 @@ func (p *Provider) GetExpiries() CertExpiries {
 	return p.certExpiries
 }

-func (p *Provider) ObtainCert() (res E.NestedError) {
-	b := E.NewBuilder("failed to obtain certificate")
-	defer b.To(&res)
-
+func (p *Provider) ObtainCert() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}

+	if p.cfg.Provider == ProviderPseudo {
+		t := time.NewTicker(1000 * time.Millisecond)
+		defer t.Stop()
+		logging.Info().Msg("init client for pseudo provider")
+		<-t.C
+		logging.Info().Msg("registering acme for pseudo provider")
+		<-t.C
+		logging.Info().Msg("obtained cert for pseudo provider")
+		return nil
+	}
+
 	if p.client == nil {
-		if err := p.initClient(); err.HasError() {
-			b.Add(E.FailWith("init autocert client", err))
-			return
+		if err := p.initClient(); err != nil {
+			return err
 		}
 	}

 	if p.user.Registration == nil {
-		if err := p.registerACME(); err.HasError() {
-			b.Add(E.FailWith("register ACME", err))
-			return
+		if err := p.registerACME(); err != nil {
+			return err
 		}
 	}

-	client := p.client
-	req := certificate.ObtainRequest{
-		Domains: p.cfg.Domains,
-		Bundle:  true,
-	}
-	cert, err := E.Check(client.Certificate.Obtain(req))
-	if err.HasError() {
-		b.Add(err)
-		return
+	var cert *certificate.Resource
+	var err error
+
+	if p.legoCert != nil {
+		cert, err = p.client.Certificate.RenewWithOptions(*p.legoCert, &certificate.RenewOptions{
+			Bundle: true,
+		})
+		if err != nil {
+			p.legoCert = nil
+			logging.Err(err).Msg("cert renew failed, fallback to obtain")
+		} else {
+			p.legoCert = cert
+		}
 	}

-	if err = p.saveCert(cert); err.HasError() {
-		b.Add(E.FailWith("save certificate", err))
-		return
+	if cert == nil {
+		cert, err = p.client.Certificate.Obtain(certificate.ObtainRequest{
+			Domains: p.cfg.Domains,
+			Bundle:  true,
+		})
+		if err != nil {
+			return err
+		}
 	}

-	tlsCert, err := E.Check(tls.X509KeyPair(cert.Certificate, cert.PrivateKey))
-	if err.HasError() {
-		b.Add(E.FailWith("parse obtained certificate", err))
-		return
+	if err = p.saveCert(cert); err != nil {
+		return err
+	}
+
+	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
+	if err != nil {
+		return err
 	}

 	expiries, err := getCertExpiries(&tlsCert)
-	if err.HasError() {
-		b.Add(E.FailWith("get certificate expiry", err))
-		return
+	if err != nil {
+		return err
 	}
 	p.tlsCert = &tlsCert
 	p.certExpiries = expiries
@@ -111,22 +138,23 @@ func (p *Provider) ObtainCert() (res E.NestedError) {
 	return nil
 }

-func (p *Provider) LoadCert() E.NestedError {
-	cert, err := E.Check(tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath))
-	if err.HasError() {
-		return err
+func (p *Provider) LoadCert() error {
+	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
+	if err != nil {
+		return fmt.Errorf("load SSL certificate: %w", err)
 	}
 	expiries, err := getCertExpiries(&cert)
-	if err.HasError() {
-		return err
+	if err != nil {
+		return fmt.Errorf("parse SSL certificate: %w", err)
 	}
 	p.tlsCert = &cert
 	p.certExpiries = expiries

-	logger.Infof("next renewal in %v", U.FormatDuration(time.Until(p.ShouldRenewOn())))
+	logging.Info().Msgf("next renewal in %v", strutils.FormatDuration(time.Until(p.ShouldRenewOn())))
 	return p.renewIfNeeded()
 }

+// ShouldRenewOn returns the time at which the certificate should be renewed.
 func (p *Provider) ShouldRenewOn() time.Time {
 	for _, expiry := range p.certExpiries {
 		return expiry.AddDate(0, -1, 0) // 1 month before
@@ -135,82 +163,103 @@ func (p *Provider) ShouldRenewOn() time.Time {
 	panic("no certificate available")
 }

-func (p *Provider) ScheduleRenewal(ctx context.Context) {
-	if p.GetName() == ProviderLocal {
+func (p *Provider) ScheduleRenewal(parent task.Parent) {
+	if p.GetName() == ProviderLocal || p.GetName() == ProviderPseudo {
 		return
 	}
+	go func() {
+		lastErrOn := time.Time{}
+		renewalTime := p.ShouldRenewOn()
+		timer := time.NewTimer(time.Until(renewalTime))
+		defer timer.Stop()

-	logger.Debug("started renewal scheduler")
-	defer logger.Debug("renewal scheduler stopped")
+		task := parent.Subtask("cert-renew-scheduler")
+		defer task.Finish(nil)

-	ticker := time.NewTicker(5 * time.Second)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C: // check every 5 seconds
-			if err := p.renewIfNeeded(); err.HasError() {
-				logger.Warn(err)
+		for {
+			select {
+			case <-task.Context().Done():
+				return
+			case <-timer.C:
+				// Retry after 1 hour on failure
+				if !lastErrOn.IsZero() && time.Now().Before(lastErrOn.Add(time.Hour)) {
+					continue
+				}
+				if err := p.renewIfNeeded(); err != nil {
+					gperr.LogWarn("cert renew failed", err)
+					lastErrOn = time.Now()
+					continue
+				}
+				// Reset on success
+				lastErrOn = time.Time{}
+				renewalTime = p.ShouldRenewOn()
+				timer.Reset(time.Until(renewalTime))
 			}
 		}
-	}
+	}()
 }

-func (p *Provider) initClient() E.NestedError {
-	legoClient, err := E.Check(lego.NewClient(p.legoCfg))
-	if err.HasError() {
-		return E.FailWith("create lego client", err)
+func (p *Provider) initClient() error {
+	legoClient, err := lego.NewClient(p.legoCfg)
+	if err != nil {
+		return err
 	}

-	legoProvider, err := providersGenMap[p.cfg.Provider](p.cfg.Options)
-	if err.HasError() {
-		return E.FailWith("create lego provider", err)
+	generator := providers[p.cfg.Provider]
+	legoProvider, pErr := generator(p.cfg.Options)
+	if pErr != nil {
+		return pErr
 	}

-	err = E.From(legoClient.Challenge.SetDNS01Provider(legoProvider))
-	if err.HasError() {
-		return E.FailWith("set challenge provider", err)
+	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
+	if err != nil {
+		return err
 	}

 	p.client = legoClient
 	return nil
 }

-func (p *Provider) registerACME() E.NestedError {
+func (p *Provider) registerACME() error {
 	if p.user.Registration != nil {
 		return nil
 	}
-	reg, err := E.Check(p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true}))
-	if err.HasError() {
+	if reg, err := p.client.Registration.ResolveAccountByKey(); err == nil {
+		p.user.Registration = reg
+		logging.Info().Msg("reused acme registration from private key")
+		return nil
+	}
+
+	reg, err := p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	if err != nil {
 		return err
 	}
 	p.user.Registration = reg
-
+	logging.Info().Interface("reg", reg).Msg("acme registered")
 	return nil
 }

-func (p *Provider) saveCert(cert *certificate.Resource) E.NestedError {
-	//* This should have been done in setup
-	//* but double check is always a good choice
+func (p *Provider) saveCert(cert *certificate.Resource) error {
+	/* This should have been done in setup
+	but double check is always a good choice.*/
 	_, err := os.Stat(path.Dir(p.cfg.CertPath))
 	if err != nil {
 		if os.IsNotExist(err) {
 			if err = os.MkdirAll(path.Dir(p.cfg.CertPath), 0o755); err != nil {
-				return E.FailWith("create cert directory", err)
+				return err
 			}
 		} else {
-			return E.FailWith("stat cert directory", err)
+			return err
 		}
 	}
 	err = os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
 	if err != nil {
-		return E.FailWith("write key file", err)
+		return err
 	}
+
 	err = os.WriteFile(p.cfg.CertPath, cert.Certificate, 0o644) // -rw-r--r--
 	if err != nil {
-		return E.FailWith("write cert file", err)
+		return err
 	}
 	return nil
 }
@@ -232,39 +281,36 @@ func (p *Provider) certState() CertState {
 	sort.Strings(certDomains)

 	if !reflect.DeepEqual(certDomains, wantedDomains) {
-		logger.Debugf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
+		logging.Info().Msgf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
 		return CertStateMismatch
 	}

 	return CertStateValid
 }

-func (p *Provider) renewIfNeeded() E.NestedError {
+func (p *Provider) renewIfNeeded() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}

 	switch p.certState() {
 	case CertStateExpired:
-		logger.Info("certs expired, renewing")
+		logging.Info().Msg("certs expired, renewing")
 	case CertStateMismatch:
-		logger.Info("cert domains mismatch with config, renewing")
+		logging.Info().Msg("cert domains mismatch with config, renewing")
 	default:
 		return nil
 	}

-	if err := p.ObtainCert(); err.HasError() {
-		return E.FailWith("renew certificate", err)
-	}
-	return nil
+	return p.ObtainCert()
 }

-func getCertExpiries(cert *tls.Certificate) (CertExpiries, E.NestedError) {
+func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
 	r := make(CertExpiries, len(cert.Certificate))
 	for _, cert := range cert.Certificate {
-		x509Cert, err := E.Check(x509.ParseCertificate(cert))
-		if err.HasError() {
-			return nil, E.FailWith("parse certificate", err)
+		x509Cert, err := x509.ParseCertificate(cert)
+		if err != nil {
+			return nil, err
 		}
 		if x509Cert.IsCA {
 			continue
@@ -281,16 +327,13 @@ func providerGenerator[CT any, PT challenge.Provider](
 	defaultCfg func() *CT,
 	newProvider func(*CT) (PT, error),
 ) ProviderGenerator {
-	return func(opt types.AutocertProviderOpt) (challenge.Provider, E.NestedError) {
+	return func(opt ProviderOpt) (challenge.Provider, gperr.Error) {
 		cfg := defaultCfg()
-		err := U.Deserialize(opt, cfg)
-		if err.HasError() {
+		err := U.Deserialize(opt, &cfg)
+		if err != nil {
 			return nil, err
 		}
-		p, err := E.Check(newProvider(cfg))
-		if err.HasError() {
-			return nil, err
-		}
-		return p, nil
+		p, pErr := newProvider(cfg)
+		return p, gperr.Wrap(pErr)
 	}
 }
--- a/Show More
+++ b/Show More