API server now protected with rate limiter, fixed extra dot on URL on frontend

.gitignore

@@ -7,6 +7,7 @@ config*/
 certs*/
 bin/
 error_pages/
+!examples/error_pages/
 
 logs/
 log/

Makefile

@@ -28,23 +28,21 @@ get:
 	go get -u ./cmd && go mod tidy
 
 debug:
-	make build
-	sudo GOPROXY_DEBUG=1 bin/go-proxy
+	GOPROXY_DEBUG=1 make run
 
 debug-trace:
-	make build
-	sudo GOPROXY_DEBUG=1 GOPROXY_TRACE=1 bin/go-proxy
+	GOPROXY_DEBUG=1 GOPROXY_TRACE=1 run
 
 profile:
-	GODEBUG=gctrace=1 make build
-	sudo GOPROXY_DEBUG=1 bin/go-proxy
+	GODEBUG=gctrace=1 make debug
+
+run: build
+	sudo setcap CAP_NET_BIND_SERVICE=+eip bin/go-proxy
+	bin/go-proxy
 
 mtrace:
 	bin/go-proxy debug-ls-mtrace > mtrace.json
 
-run:
-	make build && sudo bin/go-proxy
-
 archive:
 	git archive HEAD -o ../go-proxy-$$(date +"%Y%m%d%H%M").zip
 

README.md

@@ -24,6 +24,8 @@ _Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_
   - [Key Features](#key-features)
   - [Getting Started](#getting-started)
     - [Setup](#setup)
+    - [Manual Setup](#manual-setup)
+    - [Folder structrue](#folder-structrue)
     - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
   - [Screenshots](#screenshots)
     - [idlesleeper](#idlesleeper)
@@ -59,10 +61,12 @@ _Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_
     docker pull ghcr.io/yusing/go-proxy:latest
     ```
 
-2.  Create new directory, `cd` into it, then run setup
+2.  Create new directory, `cd` into it, then run setup, or [set up manually](#manual-setup) 
 
     ```shell
     docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
+    # Then set the JWT secret
+    sed -i "s|GOPROXY_API_JWT_SECRET=.*|GOPROXY_API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
     ```
 
 3.  Setup DNS Records point to machine which runs `go-proxy`, e.g.
@@ -83,6 +87,43 @@ _Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_
 
 [🔼Back to top](#table-of-content)
 
+### Manual Setup
+
+1. Make `config` directory then grab `config.example.yml` into `config/config.yml`
+
+    `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.7/config.example.yml -O config/config.yml`
+
+2. Grab `.env.example` into `.env`
+   
+    `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.7/.env.example -O .env`
+
+3. Grab `compose.example.yml` into `compose.yml`
+   
+   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.7/compose.example.yml -O compose.yml`
+
+4. Set the JWT secret
+   
+   `sed -i "s|GOPROXY_API_JWT_SECRET=.*|GOPROXY_API_JWT_SECRET=$(openssl rand -base64 32)|g" .env`
+
+5. Start the container `docker compose up -d`
+
+### Folder structrue
+
+```shell
+├── certs
+│   ├── cert.crt
+│   └── priv.key
+├── compose.yml
+├── config
+│   ├── config.yml
+│   ├── middlewares
+│   │   ├── middleware1.yml
+│   │   ├── middleware2.yml
+│   ├── provider1.yml
+│   └── provider2.yml
+└── .env
+```
+
 ### Use JSON Schema in VSCode
 
 Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify it to fit your needs

compose.example.yml

@@ -1,3 +1,4 @@
+---
 services:
     frontend:
         image: ghcr.io/yusing/go-proxy-frontend:latest
@@ -7,10 +8,17 @@ services:
         env_file: .env
         depends_on:
             - app
-        # if you also want to proxy the WebUI and access it via gp.y.z
-        # labels:
-        #   - proxy.aliases=gp
-        #   - proxy.gp.port=3000
+        # modify below to fit your needs
+        labels:
+            proxy.aliases: gp
+            proxy.#1.port: 3000
+            proxy.#1.middlewares.cidr_whitelist.status_code: 403
+            proxy.#1.middlewares.cidr_whitelist.message: IP not allowed
+            proxy.#1.middlewares.cidr_whitelist.allow: |
+                - 127.0.0.1
+                - 10.0.0.0/8
+                - 192.168.0.0/16
+                - 172.16.0.0/12
     app:
         image: ghcr.io/yusing/go-proxy:latest
         container_name: go-proxy
@@ -20,14 +28,15 @@ services:
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock
             - ./config:/app/config
+            - ./error_pages:/app/error_pages
 
             # (Optional) choose one of below to enable https
             # 1. use existing certificate
-            # if your cert is not named `cert.crt` change `cert_path` in `config/config.yml`
-            # if your cert key is not named `priv.key` change `key_path` in `config/config.yml`
 
-            # - /path/to/certs:/app/certs
+            # - /path/to/certs/cert.crt:/app/certs/cert.crt
+            # - /path/to/certs/priv.key:/app/certs/priv.key
 
-            # 2. use autocert, certs will be stored in ./certs (or other path you specify)
+            # 2. use autocert, certs will be stored in ./certs
+            #    you can also use a docker volume to store it
 
             # - ./certs:/app/certs

examples/error_pages/404.css

@@ -0,0 +1,288 @@
+@import url("https://fonts.googleapis.com/css?family=Audiowide&display=swap");
+
+html,
+body {
+    margin: 0px;
+    overflow: hidden;
+}
+
+div {
+    position: absolute;
+    top: 0%;
+    left: 0%;
+    height: 100%;
+    width: 100%;
+    margin: 0px;
+    background: radial-gradient(circle, #240015 0%, #12000b 100%);
+    overflow: hidden;
+}
+
+.wrap {
+    position: absolute;
+    left: 50%;
+    top: 50%;
+    transform: translate(-50%, -50%);
+}
+
+h2 {
+    position: absolute;
+    top: 50%;
+    left: 50%;
+    margin-top: 150px;
+    font-size: 32px;
+    text-transform: uppercase;
+    transform: translate(-50%, -50%);
+    display: block;
+    color: #12000a;
+    font-weight: 300;
+    font-family: Audiowide;
+    text-shadow: 0px 0px 4px #12000a;
+    animation: fadeInText 3s ease-in 3.5s forwards,
+        flicker4 5s linear 7.5s infinite, hueRotate 6s ease-in-out 3s infinite;
+}
+
+#svgWrap_1,
+#svgWrap_2 {
+    position: absolute;
+    height: auto;
+    width: 600px;
+    max-width: 100%;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+}
+
+#svgWrap_1,
+#svgWrap_2,
+div {
+    animation: hueRotate 6s ease-in-out 3s infinite;
+}
+
+#id1_1,
+#id2_1,
+#id3_1 {
+    stroke: #ff005d;
+    stroke-width: 3px;
+    fill: transparent;
+    filter: url(#glow);
+}
+
+#id1_2,
+#id2_2,
+#id3_2 {
+    stroke: #12000a;
+    stroke-width: 3px;
+    fill: transparent;
+    filter: url(#glow);
+}
+
+#id3_1 {
+    stroke-dasharray: 940px;
+    stroke-dashoffset: -940px;
+    animation: drawLine3 2.5s ease-in-out 0s forwards,
+        flicker3 4s linear 4s infinite;
+}
+
+#id2_1 {
+    stroke-dasharray: 735px;
+    stroke-dashoffset: -735px;
+    animation: drawLine2 2.5s ease-in-out 0.5s forwards,
+        flicker2 4s linear 4.5s infinite;
+}
+
+#id1_1 {
+    stroke-dasharray: 940px;
+    stroke-dashoffset: -940px;
+    animation: drawLine1 2.5s ease-in-out 1s forwards,
+        flicker1 4s linear 5s infinite;
+}
+
+@keyframes drawLine1 {
+    0% {
+        stroke-dashoffset: -940px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes drawLine2 {
+    0% {
+        stroke-dashoffset: -735px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes drawLine3 {
+    0% {
+        stroke-dashoffset: -940px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes flicker1 {
+    0% {
+        stroke: #ff005d;
+    }
+    1% {
+        stroke: transparent;
+    }
+    3% {
+        stroke: transparent;
+    }
+    4% {
+        stroke: #ff005d;
+    }
+    6% {
+        stroke: #ff005d;
+    }
+    7% {
+        stroke: transparent;
+    }
+    13% {
+        stroke: transparent;
+    }
+    14% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker2 {
+    0% {
+        stroke: #ff005d;
+    }
+    50% {
+        stroke: #ff005d;
+    }
+    51% {
+        stroke: transparent;
+    }
+    61% {
+        stroke: transparent;
+    }
+    62% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker3 {
+    0% {
+        stroke: #ff005d;
+    }
+    1% {
+        stroke: transparent;
+    }
+    10% {
+        stroke: transparent;
+    }
+    11% {
+        stroke: #ff005d;
+    }
+    40% {
+        stroke: #ff005d;
+    }
+    41% {
+        stroke: transparent;
+    }
+    45% {
+        stroke: transparent;
+    }
+    46% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker4 {
+    0% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    30% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    31% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    32% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    36% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    37% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    41% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    42% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    85% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    86% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    95% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    96% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    100% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+}
+
+@keyframes fadeInText {
+    1% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    70% {
+        color: #ff005d;
+        text-shadow: 0px 0px 14px #ff005d;
+    }
+    100% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+}
+
+@keyframes hueRotate {
+    0% {
+        filter: hue-rotate(0deg);
+    }
+    50% {
+        filter: hue-rotate(-120deg);
+    }
+    100% {
+        filter: hue-rotate(0deg);
+    }
+}

examples/error_pages/404.html

@@ -0,0 +1,42 @@
+{{/* Credit: https://codepen.io/code2rithik/pen/XWpVvYL */}}
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <title>Page Not Found</title>
+    <link rel="stylesheet" href="/$gperrorpage/404.css" type="text/css">
+    {{/* <script src="/$gperrorpage/404.js"> */}}
+  </head>
+  <body>
+    <script>0</script>
+    <div></div>
+    <svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
+      <g>
+        <path id="id3_2" d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z"/>
+        <path id="id2_2" d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z"/>
+        <path id="id1_2" d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z"/>
+      </g>
+    </svg>
+    <svg id="svgWrap_1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
+      <g>
+        <path id="id3_1" d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z"/>
+        <path id="id2_1" d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z"/>
+        <path id="id1_1" d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z"/>
+      </g>
+    </svg>
+
+    <svg>
+      <defs>
+        <filter id="glow">
+          <fegaussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur>
+          <femerge>
+            <femergenode in="coloredBlur"></femergenode>
+            <femergenode in="SourceGraphic"></femergenode>
+          </femerge>
+        </filter>
+      </defs>
+    </svg>
+
+    <h2>Page Not Found</h2>
+  </body>
+</html>

examples/microbin.yml

@@ -1,16 +0,0 @@
-services:
-  app:
-    container_name: microbin
-    cpu_shares: 10
-    deploy:
-      resources:
-        limits:
-          memory: 256M
-    env_file: .env
-    image: danielszabo99/microbin:latest
-    ports:
-      - 8080
-    restart: unless-stopped
-    volumes:
-      - ./data:/app/microbin_data
-# microbin.domain.tld

examples/siyuan.yml

@@ -1,16 +0,0 @@
-services:
-  main:
-    image: b3log/siyuan:v3.1.0
-    container_name: siyuan
-    command:
-      - --workspace=/siyuan/workspace/
-      - --accessAuthCode=<some password>
-    user: 1000:1000
-    volumes:
-      - ./workspace:/siyuan/workspace
-    restart: unless-stopped
-    environment:
-      - TZ=Asia/Hong_Kong
-    ports:
-      - 6806
-# siyuan.domain.tld

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/santhosh-tekuri/jsonschema v1.2.4
 	golang.org/x/net v0.30.0
 	golang.org/x/text v0.19.0
+	golang.org/x/time v0.7.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -57,7 +58,6 @@ require (
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect

internal/api/handler.go

@@ -9,6 +9,8 @@ import (
 	"github.com/yusing/go-proxy/internal/api/v1/auth"
 	. "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
 )
 
 type ServeMux struct{ *http.ServeMux }
@@ -18,7 +20,7 @@ func NewServeMux() ServeMux {
 }
 
 func (mux ServeMux) HandleFunc(method, endpoint string, handler http.HandlerFunc) {
-	mux.ServeMux.HandleFunc(fmt.Sprintf("%s %s", method, endpoint), checkHost(handler))
+	mux.ServeMux.HandleFunc(fmt.Sprintf("%s %s", method, endpoint), checkHost(rateLimited(handler)))
 }
 
 func NewHandler() http.Handler {
@@ -56,3 +58,16 @@ func checkHost(f http.HandlerFunc) http.HandlerFunc {
 		f(w, r)
 	}
 }
+
+func rateLimited(f http.HandlerFunc) http.HandlerFunc {
+	m, err := middleware.RateLimiter.WithOptionsClone(middleware.OptionsRaw{
+		"average": 10,
+		"burst":   10,
+	})
+	if err != nil {
+		logging.Fatal().Err(err).Msg("unable to create API rate limiter")
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		m.ModifyRequest(f, w, r)
+	}
+}

internal/api/v1/stats.go

@@ -19,18 +19,21 @@ func Stats(w http.ResponseWriter, r *http.Request) {
 }
 
 func StatsWS(w http.ResponseWriter, r *http.Request) {
-	localAddresses := []string{"127.0.0.1", "10.0.*.*", "172.16.*.*", "192.168.*.*"}
-	originPats := make([]string, len(config.Value().MatchDomains)+len(localAddresses))
+	var originPats []string
 
-	if len(originPats) == 0 {
+	localAddresses := []string{"127.0.0.1", "10.0.*.*", "172.16.*.*", "192.168.*.*"}
+
+	if len(config.Value().MatchDomains) == 0 {
 		U.LogWarn(r).Msg("no match domains configured, accepting websocket API request from all origins")
 		originPats = []string{"*"}
 	} else {
+		originPats = make([]string, len(config.Value().MatchDomains))
 		for i, domain := range config.Value().MatchDomains {
-			originPats[i] = "*." + domain
+			originPats[i] = "*" + domain
 		}
 		originPats = append(originPats, localAddresses...)
 	}
+	U.LogInfo(r).Msgf("websocket API request from origins: %s", originPats)
 	if common.IsDebug {
 		originPats = []string{"*"}
 	}

internal/api/v1/utils/utils.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 
 	"github.com/yusing/go-proxy/internal/logging"
@@ -23,7 +24,7 @@ func RespondJSON(w http.ResponseWriter, r *http.Request, data any, code ...int)
 
 	switch data := data.(type) {
 	case string:
-		j = []byte(`"` + data + `"`)
+		j = []byte(fmt.Sprintf("%q", data))
 	case []byte:
 		j = data
 	default:

internal/config/config.go

@@ -3,6 +3,7 @@ package config
 import (
 	"os"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -177,6 +178,11 @@ func (cfg *Config) load() E.Error {
 	errs.Add(cfg.loadRouteProviders(&model.Providers))
 
 	cfg.value = model
+	for i, domain := range model.MatchDomains {
+		if !strings.HasPrefix(domain, ".") {
+			model.MatchDomains[i] = "." + domain
+		}
+	}
 	route.SetFindMuxDomains(model.MatchDomains)
 	return errs.Error()
 }

internal/config/query.go

@@ -89,7 +89,7 @@ func HomepageConfig() homepage.Config {
 
 		if item.URL == "" {
 			if len(domains) > 0 {
-				item.URL = fmt.Sprintf("%s://%s.%s:%s", proto, strings.ToLower(alias), domains[0], port)
+				item.URL = fmt.Sprintf("%s://%s%s:%s", proto, strings.ToLower(alias), domains[0], port)
 			}
 		}
 		item.AltURL = r.TargetURL().String()

internal/net/http/common.go

@@ -16,13 +16,12 @@ var (
 		Proxy:                 http.ProxyFromEnvironment,
 		DialContext:           defaultDialer.DialContext,
 		ForceAttemptHTTP2:     true,
-		MaxIdleConns:          100,
-		MaxIdleConnsPerHost:   10,
+		MaxIdleConnsPerHost:   100,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 	}
 	DefaultTransportNoTLS = func() *http.Transport {
-		var clone = DefaultTransport.Clone()
+		clone := DefaultTransport.Clone()
 		clone.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 		return clone
 	}()

internal/net/http/middleware/cidr_whitelist.go

@@ -10,7 +10,7 @@ import (
 )
 
 type cidrWhitelist struct {
-	*cidrWhitelistOpts
+	cidrWhitelistOpts
 	m *Middleware
 }
 
@@ -22,18 +22,15 @@ type cidrWhitelistOpts struct {
 	cachedAddr F.Map[string, bool] // cache for trusted IPs
 }
 
-var CIDRWhiteList = &cidrWhitelist{
-	m: &Middleware{withOptions: NewCIDRWhitelist},
-}
-
-var cidrWhitelistDefaults = func() *cidrWhitelistOpts {
-	return &cidrWhitelistOpts{
+var (
+	CIDRWhiteList         = &Middleware{withOptions: NewCIDRWhitelist}
+	cidrWhitelistDefaults = cidrWhitelistOpts{
 		Allow:      []*types.CIDR{},
 		StatusCode: http.StatusForbidden,
 		Message:    "IP not allowed",
 		cachedAddr: F.NewMapOf[string, bool](),
 	}
-}
+)
 
 func NewCIDRWhitelist(opts OptionsRaw) (*Middleware, E.Error) {
 	wl := new(cidrWhitelist)
@@ -41,8 +38,8 @@ func NewCIDRWhitelist(opts OptionsRaw) (*Middleware, E.Error) {
 		impl:   wl,
 		before: wl.checkIP,
 	}
-	wl.cidrWhitelistOpts = cidrWhitelistDefaults()
-	err := Deserialize(opts, wl.cidrWhitelistOpts)
+	wl.cidrWhitelistOpts = cidrWhitelistDefaults
+	err := Deserialize(opts, &wl.cidrWhitelistOpts)
 	if err != nil {
 		return nil, err
 	}

internal/net/http/middleware/cidr_whitelist_test.go

@@ -27,8 +27,8 @@ func TestCIDRWhitelist(t *testing.T) {
 		for range 10 {
 			result, err := newMiddlewareTest(deny, nil)
 			ExpectNoError(t, err)
-			ExpectEqual(t, result.ResponseStatus, cidrWhitelistDefaults().StatusCode)
-			ExpectEqual(t, string(result.Data), cidrWhitelistDefaults().Message)
+			ExpectEqual(t, result.ResponseStatus, cidrWhitelistDefaults.StatusCode)
+			ExpectEqual(t, string(result.Data), cidrWhitelistDefaults.Message)
 		}
 	})
 

internal/net/http/middleware/cloudflare_real_ip.go

@@ -29,9 +29,7 @@ var (
 	cfCIDRsLogger     = logger.With().Str("name", "CloudflareRealIP").Logger()
 )
 
-var CloudflareRealIP = &realIP{
-	m: &Middleware{withOptions: NewCloudflareRealIP},
-}
+var CloudflareRealIP = &Middleware{withOptions: NewCloudflareRealIP}
 
 func NewCloudflareRealIP(_ OptionsRaw) (*Middleware, E.Error) {
 	cri := new(realIP)
@@ -46,7 +44,7 @@ func NewCloudflareRealIP(_ OptionsRaw) (*Middleware, E.Error) {
 			next(w, r)
 		},
 	}
-	cri.realIPOpts = &realIPOpts{
+	cri.realIPOpts = realIPOpts{
 		Header:    "CF-Connecting-IP",
 		Recursive: true,
 	}

internal/net/http/middleware/errors.go

@@ -0,0 +1,5 @@
+package middleware
+
+import E "github.com/yusing/go-proxy/internal/error"
+
+var ErrZeroValue = E.New("cannot be zero")

internal/net/http/middleware/forward_auth.go

@@ -19,7 +19,7 @@ import (
 
 type (
 	forwardAuth struct {
-		*forwardAuthOpts
+		forwardAuthOpts
 		m      *Middleware
 		client http.Client
 	}
@@ -33,14 +33,11 @@ type (
 	}
 )
 
-var ForwardAuth = &forwardAuth{
-	m: &Middleware{withOptions: NewForwardAuthfunc},
-}
+var ForwardAuth = &Middleware{withOptions: NewForwardAuthfunc}
 
 func NewForwardAuthfunc(optsRaw OptionsRaw) (*Middleware, E.Error) {
 	fa := new(forwardAuth)
-	fa.forwardAuthOpts = new(forwardAuthOpts)
-	if err := Deserialize(optsRaw, fa.forwardAuthOpts); err != nil {
+	if err := Deserialize(optsRaw, &fa.forwardAuthOpts); err != nil {
 		return nil, err
 	}
 	if _, err := url.Parse(fa.Address); err != nil {

internal/net/http/middleware/middleware.go

@@ -28,7 +28,6 @@ type (
 	CloneWithOptFunc   func(opts OptionsRaw) (*Middleware, E.Error)
 
 	OptionsRaw = map[string]any
-	Options    any
 
 	Middleware struct {
 		_ U.NoCopy

internal/net/http/middleware/middlewares.go

@@ -35,20 +35,23 @@ func All() map[string]*Middleware {
 
 // initialize middleware names and label parsers.
 func init() {
+	// snakes and cases will be stripped on `Get`
+	// so keys are lowercase without snake.
 	allMiddlewares = map[string]*Middleware{
 		"setxforwarded":    SetXForwarded,
 		"hidexforwarded":   HideXForwarded,
 		"redirecthttp":     RedirectHTTP,
-		"modifyresponse":   ModifyResponse.m,
-		"modifyrequest":    ModifyRequest.m,
+		"modifyresponse":   ModifyResponse,
+		"modifyrequest":    ModifyRequest,
 		"errorpage":        CustomErrorPage,
 		"customerrorpage":  CustomErrorPage,
-		"realip":           RealIP.m,
-		"cloudflarerealip": CloudflareRealIP.m,
-		"cidrwhitelist":    CIDRWhiteList.m,
+		"realip":           RealIP,
+		"cloudflarerealip": CloudflareRealIP,
+		"cidrwhitelist":    CIDRWhiteList,
+		"ratelimit":        RateLimiter,
 
 		// !experimental
-		"forwardauth": ForwardAuth.m,
+		"forwardauth": ForwardAuth,
 		// "oauth2":      OAuth2.m,
 	}
 	names := make(map[*Middleware][]string)

internal/net/http/middleware/modify_request.go

@@ -7,7 +7,7 @@ import (
 
 type (
 	modifyRequest struct {
-		*modifyRequestOpts
+		modifyRequestOpts
 		m *Middleware
 	}
 	// order: set_headers -> add_headers -> hide_headers
@@ -18,9 +18,7 @@ type (
 	}
 )
 
-var ModifyRequest = &modifyRequest{
-	m: &Middleware{withOptions: NewModifyRequest},
-}
+var ModifyRequest = &Middleware{withOptions: NewModifyRequest}
 
 func NewModifyRequest(optsRaw OptionsRaw) (*Middleware, E.Error) {
 	mr := new(modifyRequest)
@@ -34,8 +32,7 @@ func NewModifyRequest(optsRaw OptionsRaw) (*Middleware, E.Error) {
 		impl:   mr,
 		before: Rewrite(mrFunc),
 	}
-	mr.modifyRequestOpts = new(modifyRequestOpts)
-	err := Deserialize(optsRaw, mr.modifyRequestOpts)
+	err := Deserialize(optsRaw, &mr.modifyRequestOpts)
 	if err != nil {
 		return nil, err
 	}

internal/net/http/middleware/modify_request_test.go

@@ -15,7 +15,7 @@ func TestSetModifyRequest(t *testing.T) {
 	}
 
 	t.Run("set_options", func(t *testing.T) {
-		mr, err := ModifyRequest.m.WithOptionsClone(opts)
+		mr, err := ModifyRequest.WithOptionsClone(opts)
 		ExpectNoError(t, err)
 		ExpectDeepEqual(t, mr.impl.(*modifyRequest).SetHeaders, opts["set_headers"].(map[string]string))
 		ExpectDeepEqual(t, mr.impl.(*modifyRequest).AddHeaders, opts["add_headers"].(map[string]string))
@@ -23,7 +23,7 @@ func TestSetModifyRequest(t *testing.T) {
 	})
 
 	t.Run("request_headers", func(t *testing.T) {
-		result, err := newMiddlewareTest(ModifyRequest.m, &testArgs{
+		result, err := newMiddlewareTest(ModifyRequest, &testArgs{
 			middlewareOpt: opts,
 		})
 		ExpectNoError(t, err)

internal/net/http/middleware/modify_response.go

@@ -9,16 +9,14 @@ import (
 
 type (
 	modifyResponse struct {
-		*modifyResponseOpts
+		modifyResponseOpts
 		m *Middleware
 	}
 	// order: set_headers -> add_headers -> hide_headers
 	modifyResponseOpts = modifyRequestOpts
 )
 
-var ModifyResponse = &modifyResponse{
-	m: &Middleware{withOptions: NewModifyResponse},
-}
+var ModifyResponse = &Middleware{withOptions: NewModifyResponse}
 
 func NewModifyResponse(optsRaw OptionsRaw) (*Middleware, E.Error) {
 	mr := new(modifyResponse)
@@ -28,8 +26,7 @@ func NewModifyResponse(optsRaw OptionsRaw) (*Middleware, E.Error) {
 	} else {
 		mr.m.modifyResponse = mr.modifyResponse
 	}
-	mr.modifyResponseOpts = new(modifyResponseOpts)
-	err := Deserialize(optsRaw, mr.modifyResponseOpts)
+	err := Deserialize(optsRaw, &mr.modifyResponseOpts)
 	if err != nil {
 		return nil, err
 	}

internal/net/http/middleware/modify_response_test.go

@@ -15,7 +15,7 @@ func TestSetModifyResponse(t *testing.T) {
 	}
 
 	t.Run("set_options", func(t *testing.T) {
-		mr, err := ModifyResponse.m.WithOptionsClone(opts)
+		mr, err := ModifyResponse.WithOptionsClone(opts)
 		ExpectNoError(t, err)
 		ExpectDeepEqual(t, mr.impl.(*modifyResponse).SetHeaders, opts["set_headers"].(map[string]string))
 		ExpectDeepEqual(t, mr.impl.(*modifyResponse).AddHeaders, opts["add_headers"].(map[string]string))
@@ -23,7 +23,7 @@ func TestSetModifyResponse(t *testing.T) {
 	})
 
 	t.Run("request_headers", func(t *testing.T) {
-		result, err := newMiddlewareTest(ModifyResponse.m, &testArgs{
+		result, err := newMiddlewareTest(ModifyResponse, &testArgs{
 			middlewareOpt: opts,
 		})
 		ExpectNoError(t, err)

internal/net/http/middleware/rate_limit.go

@@ -0,0 +1,87 @@
+package middleware
+
+import (
+	"net"
+	"net/http"
+	"sync"
+	"time"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	"golang.org/x/time/rate"
+)
+
+type (
+	requestMap  = map[string]*rate.Limiter
+	rateLimiter struct {
+		requestMap requestMap
+		newLimiter func() *rate.Limiter
+		m          *Middleware
+
+		mu sync.Mutex
+	}
+
+	rateLimiterOpts struct {
+		Average int           `json:"average"`
+		Burst   int           `json:"burst"`
+		Period  time.Duration `json:"period"`
+	}
+)
+
+var (
+	RateLimiter            = &Middleware{withOptions: NewRateLimiter}
+	rateLimiterOptsDefault = rateLimiterOpts{
+		Period: time.Second,
+	}
+)
+
+func NewRateLimiter(optsRaw OptionsRaw) (*Middleware, E.Error) {
+	rl := new(rateLimiter)
+	opts := rateLimiterOptsDefault
+	err := Deserialize(optsRaw, &opts)
+	if err != nil {
+		return nil, err
+	}
+	switch {
+	case opts.Average == 0:
+		return nil, ErrZeroValue.Subject("average")
+	case opts.Burst == 0:
+		return nil, ErrZeroValue.Subject("burst")
+	case opts.Period == 0:
+		return nil, ErrZeroValue.Subject("period")
+	}
+	rl.requestMap = make(requestMap, 0)
+	rl.newLimiter = func() *rate.Limiter {
+		return rate.NewLimiter(rate.Limit(opts.Average)*rate.Every(opts.Period), opts.Burst)
+	}
+	rl.m = &Middleware{
+		impl:   rl,
+		before: rl.limit,
+	}
+	return rl.m, nil
+}
+
+func (rl *rateLimiter) limit(next http.HandlerFunc, w ResponseWriter, r *Request) {
+	rl.mu.Lock()
+
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		rl.m.Debug().Msgf("unable to parse remote address %s", r.RemoteAddr)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+
+	limiter, ok := rl.requestMap[host]
+	if !ok {
+		limiter = rl.newLimiter()
+		rl.requestMap[host] = limiter
+	}
+
+	rl.mu.Unlock()
+
+	if limiter.Allow() {
+		next(w, r)
+		return
+	}
+
+	http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
+}

internal/net/http/middleware/rate_limit_test.go

@@ -0,0 +1,27 @@
+package middleware
+
+import (
+	"net/http"
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestRateLimit(t *testing.T) {
+	opts := OptionsRaw{
+		"average": "10",
+		"burst":   "10",
+		"period":  "1s",
+	}
+
+	rl, err := NewRateLimiter(opts)
+	ExpectNoError(t, err)
+	for range 10 {
+		result, err := newMiddlewareTest(rl, nil)
+		ExpectNoError(t, err)
+		ExpectEqual(t, result.ResponseStatus, http.StatusOK)
+	}
+	result, err := newMiddlewareTest(rl, nil)
+	ExpectNoError(t, err)
+	ExpectEqual(t, result.ResponseStatus, http.StatusTooManyRequests)
+}

internal/net/http/middleware/rate_limiter.go

@@ -1,12 +0,0 @@
-package middleware
-
-type (
-	rateLimiter struct {
-		*rateLimiterOpts
-		m *Middleware
-	}
-
-	rateLimiterOpts struct {
-		Count int `json:"count"`
-	}
-)

internal/net/http/middleware/real_ip.go

@@ -10,7 +10,7 @@ import (
 // https://nginx.org/en/docs/http/ngx_http_realip_module.html
 
 type realIP struct {
-	*realIPOpts
+	realIPOpts
 	m *Middleware
 }
 
@@ -30,16 +30,13 @@ type realIPOpts struct {
 	Recursive bool `json:"recursive"`
 }
 
-var RealIP = &realIP{
-	m: &Middleware{withOptions: NewRealIP},
-}
-
-var realIPOptsDefault = func() *realIPOpts {
-	return &realIPOpts{
+var (
+	RealIP            = &Middleware{withOptions: NewRealIP}
+	realIPOptsDefault = realIPOpts{
 		Header: "X-Real-IP",
 		From:   []*types.CIDR{},
 	}
-}
+)
 
 func NewRealIP(opts OptionsRaw) (*Middleware, E.Error) {
 	riWithOpts := new(realIP)
@@ -47,11 +44,14 @@ func NewRealIP(opts OptionsRaw) (*Middleware, E.Error) {
 		impl:   riWithOpts,
 		before: Rewrite(riWithOpts.setRealIP),
 	}
-	riWithOpts.realIPOpts = realIPOptsDefault()
-	err := Deserialize(opts, riWithOpts.realIPOpts)
+	riWithOpts.realIPOpts = realIPOptsDefault
+	err := Deserialize(opts, &riWithOpts.realIPOpts)
 	if err != nil {
 		return nil, err
 	}
+	if len(riWithOpts.From) == 0 {
+		return nil, E.New("no allowed CIDRs").Subject("from")
+	}
 	return riWithOpts.m, nil
 }
 
@@ -70,9 +70,10 @@ func (ri *realIP) setRealIP(req *Request) {
 	if err != nil {
 		clientIPStr = req.RemoteAddr
 	}
-	clientIP := net.ParseIP(clientIPStr)
 
-	var isTrusted = false
+	clientIP := net.ParseIP(clientIPStr)
+	isTrusted := false
+
 	for _, CIDR := range ri.From {
 		if CIDR.Contains(clientIP) {
 			isTrusted = true

internal/net/http/reverse_proxy_mod.go

@@ -404,7 +404,7 @@ func (p *ReverseProxy) serveHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	rw.WriteHeader(res.StatusCode)
 
-	err = U.Copy2(req.Context(), rw, res.Body)
+	_, err = io.Copy(rw, res.Body)
 	if err != nil {
 		if !errors.Is(err, context.Canceled) {
 			p.errorHandler(rw, req, err, true)

internal/route/http.go

@@ -210,40 +210,51 @@ func (r *HTTPRoute) addToLoadBalancer() {
 
 func ProxyHandler(w http.ResponseWriter, r *http.Request) {
 	mux, err := findMuxFunc(r.Host)
+	if err == nil {
+		mux.ServeHTTP(w, r)
+		return
+	}
 	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
 	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
 	// Then scraper / scanners will know the subdomain is invalid.
 	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
-	if err != nil {
-		if !middleware.ServeStaticErrorPageFile(w, r) {
-			logger.Err(err).Str("method", r.Method).Str("url", r.URL.String()).Msg("request")
-			errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
-			if ok {
-				w.WriteHeader(http.StatusNotFound)
-				w.Header().Set("Content-Type", "text/html; charset=utf-8")
-				if _, err := w.Write(errorPage); err != nil {
-					logger.Err(err).Msg("failed to write error page")
-				}
-			} else {
-				http.Error(w, err.Error(), http.StatusNotFound)
+	if !middleware.ServeStaticErrorPageFile(w, r) {
+		logger.Err(err).Str("method", r.Method).Str("url", r.URL.String()).Msg("request")
+		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
+		if ok {
+			w.WriteHeader(http.StatusNotFound)
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			if _, err := w.Write(errorPage); err != nil {
+				logger.Err(err).Msg("failed to write error page")
 			}
+		} else {
+			http.Error(w, err.Error(), http.StatusNotFound)
 		}
-		return
 	}
-	mux.ServeHTTP(w, r)
 }
 
 func findMuxAnyDomain(host string) (http.Handler, error) {
 	hostSplit := strings.Split(host, ".")
 	n := len(hostSplit)
-	if n <= 2 {
+	switch {
+	case n == 3:
+		host = hostSplit[0]
+	case n > 3:
+		var builder strings.Builder
+		builder.Grow(2*n - 3)
+		builder.WriteString(hostSplit[0])
+		for _, part := range hostSplit[:n-2] {
+			builder.WriteRune('.')
+			builder.WriteString(part)
+		}
+		host = builder.String()
+	default:
 		return nil, errors.New("missing subdomain in url")
 	}
-	sd := strings.Join(hostSplit[:n-2], ".")
-	if r, ok := httpRoutes.Load(sd); ok {
+	if r, ok := httpRoutes.Load(host); ok {
 		return r.handler, nil
 	}
-	return nil, fmt.Errorf("no such route: %s", sd)
+	return nil, fmt.Errorf("no such route: %s", host)
 }
 
 func findMuxByDomains(domains []string) func(host string) (http.Handler, error) {
@@ -251,20 +262,18 @@ func findMuxByDomains(domains []string) func(host string) (http.Handler, error)
 		var subdomain string
 
 		for _, domain := range domains {
-			if !strings.HasPrefix(domain, ".") {
-				domain = "." + domain
-			}
-			subdomain = strings.TrimSuffix(host, domain)
-			if len(subdomain) < len(host) {
+			if strings.HasSuffix(host, domain) {
+				subdomain = strings.TrimSuffix(host, domain)
 				break
 			}
 		}
-		if len(subdomain) == len(host) { // not matched
-			return nil, fmt.Errorf("%s does not match any base domain", host)
+
+		if subdomain != "" { // matched
+			if r, ok := httpRoutes.Load(subdomain); ok {
+				return r.handler, nil
+			}
+			return nil, fmt.Errorf("no such route: %s", subdomain)
 		}
-		if r, ok := httpRoutes.Load(subdomain); ok {
-			return r.handler, nil
-		}
-		return nil, fmt.Errorf("no such route: %s", subdomain)
+		return nil, fmt.Errorf("%s does not match any base domain", host)
 	}
 }