dependencies upgrade

2026-02-14 06:27:42 +01:00 · 2024-05-29 16:46:07 +00:00
306 changed files with 6561 additions and 21648 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,25 +0,0 @@
-# set timezone to get correct log timestamp
-TZ=ETC/UTC
-
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-
-# the JWT token time-to-live
-GODOXY_API_JWT_TOKEN_TTL=1h
-
-# API/WebUI login credentials
-GODOXY_API_USER=admin
-GODOXY_API_PASSWORD=password
-
-# Proxy listening address
-GODOXY_HTTP_ADDR=:80
-GODOXY_HTTPS_ADDR=:443
-
-# API listening address
-GODOXY_API_ADDR=127.0.0.1:8888
-
-# Prometheus Metrics listening address (uncomment to enable)
-#GODOXY_PROMETHEUS_ADDR=:8889
-
-# Debug mode
-GODOXY_DEBUG=false
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,128 +1,14 @@
 name: Docker Image CI

 on:
-    push:
-        tags: ["*"]
-
-env:
-    REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
-
+  push:
+    tags:
+      - "*"
 jobs:
-    build:
-        name: Build multi-platform Docker image
-        runs-on: ubuntu-22.04
-
-        permissions:
-            contents: read
-            packages: write
-            id-token: write
-            attestations: write
-
-        strategy:
-            fail-fast: false
-            matrix:
-                platform:
-                    - linux/amd64
-                    # - linux/arm/v6
-                    # - linux/arm/v7
-                    - linux/arm64
-        steps:
-            - name: Prepare
-              run: |
-                  platform=${{ matrix.platform }}
-                  echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
-
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
-
-            - name: Login to registry
-              uses: docker/login-action@v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
-            - name: Build and push by digest
-              id: build
-              uses: docker/build-push-action@v6
-              with:
-                  platforms: ${{ matrix.platform }}
-                  labels: ${{ steps.meta.outputs.labels }}
-                  outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-                  cache-from: type=gha
-                  cache-to: type=gha,mode=max
-                  build-args: |
-                      VERSION=${{ github.ref_name }}
-
-            - name: Generate artifact attestation
-              uses: actions/attest-build-provenance@v1
-              with:
-                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
-                  subject-digest: ${{ steps.build.outputs.digest }}
-                  push-to-registry: true
-
-            - name: Export digest
-              run: |
-                  mkdir -p /tmp/digests
-                  digest="${{ steps.build.outputs.digest }}"
-                  touch "/tmp/digests/${digest#sha256:}"
-
-            - name: Upload digest
-              uses: actions/upload-artifact@v4
-              with:
-                  name: digests-${{ env.PLATFORM_PAIR }}
-                  path: /tmp/digests/*
-                  if-no-files-found: error
-                  retention-days: 1
-    merge:
-        runs-on: ubuntu-22.04
-        needs:
-            - build
-        permissions:
-            contents: read
-            packages: write
-            id-token: write
-        steps:
-            - name: Download digests
-              uses: actions/download-artifact@v4
-              with:
-                  path: /tmp/digests
-                  pattern: digests-*
-                  merge-multiple: true
-
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
-
-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-            - name: Login to registry
-              uses: docker/login-action@v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
-            - name: Create manifest list and push
-              id: push
-              working-directory: /tmp/digests
-              run: |
-                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
-
-            - name: Inspect image
-              run: |
-                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+  build_and_push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build and Push Container to ghcr.io
+        uses: GlueOps/github-actions-build-push-containers@v0.3.7
+        with:
+          tags: latest,${{ github.ref_name }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -0,0 +1,30 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.22.1"
+
+      - name: Build
+        run: make build
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: bin/go-proxy
+    #- name: Test
+    #  run: go test -v ./...
--- a/.gitignore
+++ b/.gitignore
@@ -1,28 +1,10 @@
 compose.yml
-*.compose.yml

-config
-certs
-config*/
-certs*/
+config/
+certs/
 bin/
-error_pages/
-!examples/error_pages/
+templates/codemirror/

 logs/
 log/
-
-.vscode/settings.json
-
-go.work.sum
-
-!cmd/**/
-!internal/**/
-
-todo.md
-
-.*.swp
-.aider*
-mtrace.json
-.env
-test.Dockerfile
+.vscode/settings.json
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,5 +11,5 @@ build-image:
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
  script:
    - echo building $CI_REGISTRY_IMAGE
-    - docker build --no-cache --build-arg VERSION=$CI_COMMIT_REF_NAME -t $CI_REGISTRY_IMAGE .
-    - docker push $CI_REGISTRY_IMAGE
+    - docker build --pull -t $CI_REGISTRY_IMAGE .
+    - docker push $CI_REGISTRY_IMAGE
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,137 +0,0 @@
-run:
-  timeout: 10m
-
-linters-settings:
-  govet:
-    enable-all: true
-    disable:
-      - shadow
-      - fieldalignment
-  gocyclo:
-    min-complexity: 14
-  goconst:
-    min-len: 3
-    min-occurrences: 4
-  misspell:
-    locale: US
-  funlen:
-    lines: -1
-    statements: 120
-  forbidigo:
-    forbid:
-      - ^print(ln)?$
-  godox:
-    keywords:
-      - FIXME
-  tagalign:
-    align: false
-    sort: true
-    order:
-      - description
-      - json
-      - toml
-      - yaml
-      - yml
-      - label
-      - label-slice-as-struct
-      - file
-      - kv
-      - export
-  stylecheck:
-    dot-import-whitelist:
-      - github.com/yusing/go-proxy/internal/utils/testing # go tests only
-      - github.com/yusing/go-proxy/internal/api/v1/utils # api only
-  revive:
-    rules:
-      - name: struct-tag
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-        disabled: true
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-        disabled: true
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-        disabled: true
-      - name: unreachable-code
-      - name: redefines-builtin-id
-  gomoddirectives:
-    replace-allow-list:
-      - github.com/abbot/go-http-auth
-      - github.com/gorilla/mux
-      - github.com/mailgun/minheap
-      - github.com/mailgun/multibuf
-      - github.com/jaguilar/vt100
-      - github.com/cucumber/godog
-      - github.com/http-wasm/http-wasm-host-go
-  testifylint:
-    disable:
-      - suite-dont-use-pkg
-      - require-error
-      - go-require
-  staticcheck:
-    checks:
-      - all
-      - -SA1019
-  errcheck:
-    exclude-functions:
-      - fmt.Fprintln
-linters:
-  enable-all: true
-  disable:
-    - execinquery # deprecated
-    - gomnd # deprecated
-    - sqlclosecheck # not relevant (SQL)
-    - rowserrcheck # not relevant (SQL)
-    - cyclop # duplicate of gocyclo
-    - depguard # Not relevant
-    - nakedret # Too strict
-    - lll # Not relevant
-    - gocyclo # FIXME must be fixed
-    - gocognit # Too strict
-    - nestif # Too many false-positive.
-    - prealloc # Too many false-positive.
-    - makezero # Not relevant
-    - dupl # Too strict
-    - gci # I don't care
-    - gosec # Too strict
-    - gochecknoinits
-    - gochecknoglobals
-    - wsl # Too strict
-    - nlreturn # Not relevant
-    - mnd # Too strict
-    - testpackage # Too strict
-    - tparallel # Not relevant
-    - paralleltest # Not relevant
-    - exhaustive # Not relevant
-    - exhaustruct # Not relevant
-    - err113 # Too strict
-    - wrapcheck # Too strict
-    - noctx # Too strict
-    - bodyclose # too many false-positive
-    - forcetypeassert # Too strict
-    - tagliatelle # Too strict
-    - varnamelen # Not relevant
-    - nilnil # Not relevant
-    - ireturn # Not relevant
-    - contextcheck # too many false-positive
-    - containedctx # too many false-positive
-    - maintidx # kind of duplicate of gocyclo
-    - nonamedreturns # Too strict
-    - gosmopolitan # not relevant
-    - exportloopref # Not relevant since go1.22
--- a/.trunk/.gitignore
+++ b/.trunk/.gitignore
@@ -1,9 +0,0 @@
-*out
-*logs
-*actions
-*notifications
-*tools
-plugins
-user_trunk.yaml
-user.yaml
-tmp
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -1,42 +0,0 @@
-# This file controls the behavior of Trunk: https://docs.trunk.io/cli
-# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
-version: 0.1
-cli:
-  version: 1.22.8
-# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
-plugins:
-  sources:
-    - id: trunk
-      ref: v1.6.6
-      uri: https://github.com/trunk-io/plugins
-# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
-runtimes:
-  enabled:
-    - node@18.20.5
-    - python@3.10.8
-    - go@1.23.2
-# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
-lint:
-  disabled:
-    - markdownlint
-    - yamllint
-  enabled:
-    - hadolint@2.12.1-beta
-    - actionlint@1.7.5
-    - checkov@3.2.346
-    - git-diff-check
-    - gofmt@1.20.4
-    - golangci-lint@1.62.2
-    - osv-scanner@1.9.2
-    - oxipng@9.1.3
-    - prettier@3.4.2
-    - shellcheck@0.10.0
-    - shfmt@3.6.0
-    - trufflehog@3.88.0
-actions:
-  disabled:
-    - trunk-announce
-    - trunk-check-pre-push
-    - trunk-fmt-pre-commit
-  enabled:
-    - trunk-upgrade-available
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -1,11 +1,12 @@
 {
-  "yaml.schemas": {
-    "https://github.com/yusing/go-proxy/raw/v0.8/schema/config.schema.json": [
-      "config.example.yml",
-      "config.yml"
-    ],
-    "https://github.com/yusing/go-proxy/raw/v0.8/schema/providers.schema.json": [
-      "providers.example.yml"
-    ]
-  }
+    "yaml.schemas": {
+        "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+            "config.example.yml",
+            "config.yml"
+        ],
+        "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+            "providers.example.yml",
+            "*.providers.yml"
+        ]
+    }
 }
--- a/72
+++ b/72
@@ -1,65 +1,39 @@
-# Stage 1: Builder
-FROM golang:1.23.4-alpine AS builder
-HEALTHCHECK NONE
+FROM alpine:latest AS codemirror
+RUN apk add --no-cache unzip wget make
+COPY Makefile .
+RUN make setup-codemirror

-# package version does not matter
-# trunk-ignore(hadolint/DL3018)
-RUN apk add --no-cache tzdata make
-
-WORKDIR /src
-
-# Only copy go.mod and go.sum initially for better caching
-COPY go.mod go.sum /src/
-
-# Utilize build cache
+FROM golang:1.22.2-alpine as builder
+COPY src/ /src
+COPY go.mod go.sum /src/go-proxy
+WORKDIR /src/go-proxy
 RUN --mount=type=cache,target="/go/pkg/mod" \
-    go mod download -x
+    go mod download

 ENV GOCACHE=/root/.cache/go-build
-
-ARG VERSION
-ENV VERSION=${VERSION}
-
-COPY scripts /src/scripts
-COPY Makefile /src/
-COPY cmd /src/cmd
-COPY internal /src/internal
-COPY pkg /src/pkg
-
 RUN --mount=type=cache,target="/go/pkg/mod" \
    --mount=type=cache,target="/root/.cache/go-build" \
-    make build && \
-    mkdir -p /app/error_pages /app/certs && \
-    mv bin/godoxy /app/godoxy
+    CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o go-proxy

-# Stage 2: Final image
-FROM scratch
+FROM alpine:latest

 LABEL maintainer="yusing@6uo.me"
-LABEL proxy.exclude=1

-# copy timezone data
-COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
+RUN apk add --no-cache tzdata
+RUN mkdir -p /app/templates
+COPY --from=codemirror templates/codemirror/ /app/templates/codemirror
+COPY templates/ /app/templates
+COPY schema/ /app/schema
+COPY --from=builder /src/go-proxy /app/

-# copy binary
-COPY --from=builder /app /app
-
-# copy example config
-COPY config.example.yml /app/config/config.yml
-
-# copy certs
-COPY --from=builder /etc/ssl/certs /etc/ssl/certs
-
-# copy schema
-COPY schema /app/schema
-
-ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GODOXY_DEBUG=0
+RUN chmod +x /app/go-proxy
+ENV DOCKER_HOST unix:///var/run/docker.sock
+ENV GOPROXY_DEBUG 0

 EXPOSE 80
-EXPOSE 8888
+EXPOSE 8080
 EXPOSE 443
+EXPOSE 8443

 WORKDIR /app
-
-CMD ["/app/godoxy"]
+CMD ["/app/go-proxy"]
--- a/86
+++ b/86
@@ -1,20 +1,25 @@
-VERSION ?= $(shell git describe --tags --abbrev=0)
-BUILD_FLAGS ?= -s -w
-BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
-export VERSION
-export BUILD_FLAGS
-export CGO_ENABLED = 0
-export GOOS = linux
+.PHONY: all build up quick-restart restart logs get udp-server

-.PHONY: all setup build test up restart logs get debug run archive repush rapid-crash debug-list-containers
+all: build quick-restart logs

-all: debug
+setup:
+	mkdir -p config certs
+	[ -f config/config.yml ] || cp config.example.yml config/config.yml
+	[ -f config/providers.yml ] || touch config/providers.yml
+
+setup-codemirror:
+	wget https://codemirror.net/5/codemirror.zip
+	unzip codemirror.zip
+	rm codemirror.zip
+	mkdir -p templates
+	mv codemirror-* templates/codemirror

 build:
-	scripts/build.sh
+	mkdir -p bin
+	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy src/go-proxy/*.go

 test:
-	GODOXY_TEST=1 go test ./internal/...
+	go test src/go-proxy/*.go

 up:
 	docker compose up -d
@@ -23,51 +28,22 @@ restart:
 	docker compose restart -t 0

 logs:
-	docker compose logs -f
+	tail -f log/go-proxy.log

 get:
-	go get -u ./cmd && go mod tidy
+	go get -d -u ./src/go-proxy

-debug:
-	GODOXY_DEBUG=1 BUILD_FLAGS="" make run
+repush:
+	git reset --soft HEAD^
+	git add -A
+	git commit -m "repush"
+	git push gitlab dev --force

-debug-trace:
-	GODOXY_TRACE=1 make debug
-
-profile:
-	GODEBUG=gctrace=1 make debug
-
-run: build
-	sudo setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy
-	bin/godoxy
-
-mtrace:
-	bin/godoxy debug-ls-mtrace > mtrace.json
-
-rapid-crash:
-	sudo docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
-	sleep 3 &&\
-	sudo docker rm -f test_crash
-
-debug-list-containers:
-	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
-
-ci-test:
-	mkdir -p /tmp/artifacts
-	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
-
-cloc:
-	cloc --not-match-f '_test.go$$' cmd internal pkg
-
-push-docker-io:
-	BUILDER=build docker buildx build \
-		--platform linux/arm64,linux/amd64 \
-		-f Dockerfile \
-		-t docker.io/yusing/godoxy-nightly \
-		-t docker.io/yusing/godoxy-nightly:${VERSION}-${BUILD_DATE} \
-		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
-		--push .
-
-build-docker:
-	docker build -t godoxy-nightly \
-		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" .
+udp-server:
+	docker run -it --rm \
+		-p 9999:9999/udp \
+		--label proxy.test-udp.scheme=udp \
+		--label proxy.test-udp.port=20003:9999 \
+		--network host \
+		--name test-udp \
+		$$(docker build -q -f udp-test-server.Dockerfile .)
--- a/README.md
+++ b/README.md
@@ -1,161 +1,346 @@
-# GoDoxy
+# go-proxy

-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)
+A simple auto docker reverse proxy for home use. **Written in _Go_**

-[繁體中文文檔請看此](README_CHT.md)
-
-A lightweight, easy-to-use, and [performant](https://github.com/yusing/go-proxy/wiki/Benchmarks) reverse proxy with a Web UI and dashboard.
-
-![Screenshot](screenshots/webui.png)
-
-_Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_
+In the examples domain `x.y.z` is used, replace them with your domain

 ## Table of content

 <!-- TOC -->
+- [Table of content](#table-of-content)
+- [Key Points](#key-points)
+- [How to use](#how-to-use)
+- [Tested Services](#tested-services)
+  - [HTTP/HTTPs Reverse Proxy](#httphttps-reverse-proxy)
+  - [TCP Proxy](#tcp-proxy)
+  - [UDP Proxy](#udp-proxy)
+- [Command-line args](#command-line-args)
+  - [Commands](#commands)
+- [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
+- [Environment variables](#environment-variables)
+- [Config File](#config-file)
+  - [Fields](#fields)
+  - [Provider Kinds](#provider-kinds)
+  - [Provider File](#provider-file)
+  - [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
+- [Troubleshooting](#troubleshooting)
+- [Benchmarks](#benchmarks)
+- [Known issues](#known-issues)
+- [Memory usage](#memory-usage)
+- [Build it yourself](#build-it-yourself)
+<!-- /TOC -->

- [GoDoxy](#godoxy)
-  - [Table of content](#table-of-content)
-  - [Key Features](#key-features)
-  - [Getting Started](#getting-started)
-    - [Prerequisites](#prerequisites)
-    - [Setup](#setup)
-    - [Manual Setup](#manual-setup)
-    - [Folder structrue](#folder-structrue)
-    - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
-  - [Screenshots](#screenshots)
-    - [idlesleeper](#idlesleeper)
-  - [Build it yourself](#build-it-yourself)
+## Key Points

-## Key Features
+- Fast (See [benchmarks](#benchmarks))
+- Auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported DNS Challenge Providers](#supported-dns-challenge-providers))
+- Auto detect reverse proxies from docker
+- Auto hot-reload on container `start` / `die` / `stop` or config file changes
+- Custom proxy entries with `config.yml` and additional provider files
+- Subdomain matching + Path matching **(domain name doesn't matter)**
+- HTTP(s) reverse proxy + TCP/UDP Proxy
+- HTTP(s) round robin load balance support (same subdomain and path across different hosts)
+- Web UI on port 8080 (http) and port 8443 (https)

- Easy to use
-  - Effortless configuration
-  - Simple multi-node setup
-  - Error messages is clear and detailed, easy troubleshooting
- Auto SSL cert management (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
- Auto configuration for docker containers
- Auto hot-reload on container state / config file changes
- **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [screenshots](#idlesleeper))_
- HTTP(s) reserve proxy
- [HTTP middleware support](https://github.com/yusing/go-proxy/wiki/Middlewares)
- [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
- TCP and UDP port forwarding
- **Web UI with App dashboard and config editor**
- Supports linux/amd64, linux/arm64
- Written in **[Go](https://go.dev)**
+  - a simple panel to see all reverse proxies and health
+
+    ![panel screenshot](screenshots/panel.png)
+
+  - a config editor to edit config and provider files with validation
+
+    **Validate and save file with Ctrl+S**
+
+    ![config editor screenshot](screenshots/config_editor.png)

 [🔼Back to top](#table-of-content)

-## Getting Started
+## How to use

-For full documentation, **[See Wiki](https://github.com/yusing/go-proxy/wiki)**
+1. Setup DNS Records to your machine's IP address

-### Prerequisites
+   - A Record: `*.y.z` -> `10.0.10.1`
+   - AAAA Record: `*.y.z` -> `::ffff:a00:a01`

-Setup DNS Records point to machine which runs `GoDoxy`, e.g.
+2. Start `go-proxy` by

- A Record: `*.y.z` -> `10.0.10.1`
- AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+   - [Running from binary or as a system service](docs/binary.md)
+   - [Running as a docker container](docs/docker.md)

-### Setup
-
-1.  Pull the latest docker images
-
-    ```shell
-    docker pull ghcr.io/yusing/go-proxy:latest
-    ```
-
-2.  Create new directory, `cd` into it, then run setup, or [set up manually](#manual-setup)
-
-    ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/godoxy setup
-    ```
-
-3.  _(Optional)_ setup WebUI login
-
-    - set random JWT secret
-
-      ```shell
-      sed -i "s|API_JWT_SECRET=.*|API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
-      ```
-
-    - change username and password for WebUI authentication
-      ```shell
-      sed -i "s|API_USERNAME=.*|API_USERNAME=admin|g" .env
-      sed -i "s|API_PASSWORD=.*|API_PASSWORD=some-strong-password|g" .env
-      ```
-
-4.  _(Optional)_ setup `docker-socket-proxy` other docker nodes (see [Multi docker nodes setup](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)) then add them inside `config.yml`
-
-5.  Start the container `docker compose up -d`
-
-6.  You may now do some extra configuration
-    - With text editor (e.g. Visual Studio Code)
-    - With Web UI via `https://gp.y.z`
+3. Start editing config files
+   - with text editor (i.e. Visual Studio Code)
+   - or with web config editor by navigate to `http://ip:8080`

 [🔼Back to top](#table-of-content)

-### Manual Setup
+## Tested Services

-1. Make `config` directory then grab `config.example.yml` into `config/config.yml`
+### HTTP/HTTPs Reverse Proxy

-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/config.example.yml -O config/config.yml`
+- Nginx
+- Minio
+- AdguardHome Dashboard
+- etc.

-2. Grab `.env.example` into `.env`
+### TCP Proxy

-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/.env.example -O .env`
+- Minecraft server
+- PostgreSQL
+- MariaDB

-3. Grab `compose.example.yml` into `compose.yml`
+### UDP Proxy

-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/compose.example.yml -O compose.yml`
+- Adguardhome DNS
+- Palworld Dedicated Server

-### Folder structrue
+[🔼Back to top](#table-of-content)

-```shell
-├── certs
-│   ├── cert.crt
-│   └── priv.key
-├── compose.yml
-├── config
-│   ├── config.yml
-│   ├── middlewares
-│   │   ├── middleware1.yml
-│   │   ├── middleware2.yml
-│   ├── provider1.yml
-│   └── provider2.yml
-└── .env
+## Command-line args
+
+`go-proxy [command]`
+
+### Commands
+
+- empty: start proxy server
+- validate: validate config and exit
+- reload: trigger a force reload of config
+
+Examples:
+
+- Binary: `go-proxy reload`
+- Docker: `docker exec -it go-proxy /app/go-proxy reload`
+
+[🔼Back to top](#table-of-content)
+
+## Use JSON Schema in VSCode
+
+Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify to fit your needs
+
+```json
+{
+  "yaml.schemas": {
+    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+      "config.example.yml",
+      "config.yml"
+    ],
+    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+      "providers.example.yml",
+      "*.providers.yml"
+    ]
+  }
+}
 ```

-### Use JSON Schema in VSCode
+[🔼Back to top](#table-of-content)

-Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify it to fit your needs
+## Environment variables
+
+- `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
+- `GOPROXY_HOST_NETWORK`: _(Docker only)_ set to `1` when `network_mode: host`
+- `GOPROXY_NO_SCHEMA_VALIDATION`: disable schema validation on config load / reload **(for testing new DNS Challenge providers)**

 [🔼Back to top](#table-of-content)

-## Screenshots
+## Config File

-### idlesleeper
+See [config.example.yml](config.example.yml) for more

-![idlesleeper](screenshots/idlesleeper.webp)
+### Fields
+
+- `autocert`: autocert configuration
+
+  - `email`: ACME Email
+  - `domains`: a list of domains for cert registration
+  - `provider`: DNS Challenge provider, see [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
+  - `options`: [provider specific options](#supported-dns-challenge-providers)
+
+- `providers`: reverse proxy providers configuration
+  - `kind`: provider kind (string), see [Provider Kinds](#provider-kinds)
+  - `value`: provider specific value
+
+[🔼Back to top](#table-of-content)
+
+### Provider Kinds
+
+- `docker`: load reverse proxies from docker
+
+  values:
+
+  - `FROM_ENV`: value from environment (`DOCKER_HOST`)
+  - full url to docker host (i.e. `tcp://host:2375`)
+
+- `file`: load reverse proxies from provider file
+
+  value: relative path of file to `config/`
+
+[🔼Back to top](#table-of-content)
+
+### Provider File
+
+Fields are same as [docker labels](docs/docker.md#labels) starting from `scheme`
+
+See [providers.example.yml](providers.example.yml) for examples
+
+[🔼Back to top](#table-of-content)
+
+### Supported DNS Challenge Providers
+
+- Cloudflare
+
+  - `auth_token`: your zone API token
+
+  Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
+
+- CloudDNS
+
+  - `client_id`
+  - `email`
+  - `password`
+
+- DuckDNS (thanks [earvingad](https://github.com/earvingad))
+
+  - `token`: DuckDNS Token
+
+To add more provider support, see [this](docs/add_dns_provider.md)
+
+[🔼Back to top](#table-of-content)
+
+## Troubleshooting
+
+Q: How to fix when it shows "no matching route for subdomain \<subdomain>"?
+
+A: Make sure the container is running, and \<subdomain> matches any container name / alias
+
+[🔼Back to top](#table-of-content)
+
+## Benchmarks
+
+Benchmarked with `wrk` connecting `traefik/whoami`'s `/bench` endpoint
+
+Remote benchmark (client running wrk and `go-proxy` server are different devices)
+
+- Direct connection
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
+  Running 10s test @ http://10.0.100.3:8003/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    94.75ms  199.92ms   1.68s    91.27%
+      Req/Sec     4.24k     1.79k   18.79k    72.13%
+    Latency Distribution
+      50%    1.14ms
+      75%  120.23ms
+      90%  245.63ms
+      99%    1.03s
+    423444 requests in 10.10s, 50.88MB read
+    Socket errors: connect 0, read 0, write 0, timeout 29
+  Requests/sec:  41926.32
+  Transfer/sec:      5.04MB
+  ```
+
+- With reverse proxy
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    79.35ms  169.79ms   1.69s    92.55%
+      Req/Sec     4.27k     1.90k   19.61k    75.81%
+    Latency Distribution
+      50%    1.12ms
+      75%  105.66ms
+      90%  200.22ms
+      99%  814.59ms
+    409836 requests in 10.10s, 49.25MB read
+    Socket errors: connect 0, read 0, write 0, timeout 18
+  Requests/sec:  40581.61
+  Transfer/sec:      4.88MB
+  ```
+
+Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
+
+- Direct connection
+
+  ```shell
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
+  Running 10s test @ http://10.0.100.1/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency   434.08us  539.35us   8.76ms   85.28%
+      Req/Sec    67.71k     6.31k   87.21k    71.20%
+    Latency Distribution
+      50%  153.00us
+      75%  646.00us
+      90%    1.18ms
+      99%    2.38ms
+    6739591 requests in 10.01s, 809.85MB read
+  Requests/sec: 673608.15
+  Transfer/sec:     80.94MB
+  ```
+
+- With `go-proxy` reverse proxy
+
+  ```shell
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     1.23ms    0.96ms  11.43ms   72.09%
+      Req/Sec    17.48k     1.76k   21.48k    70.20%
+    Latency Distribution
+      50%    0.98ms
+      75%    1.76ms
+      90%    2.54ms
+      99%    4.24ms
+    1739079 requests in 10.01s, 208.97MB read
+  Requests/sec: 173779.44
+  Transfer/sec:     20.88MB
+  ```
+
+- With `traefik-v3`
+
+  ```shell
+  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
+  Running 10s test @ http://127.0.0.1:8000/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     2.81ms   10.36ms 180.26ms   98.57%
+      Req/Sec    11.35k     1.74k   13.76k    85.54%
+    Latency Distribution
+      50%    1.59ms
+      75%    2.27ms
+      90%    3.17ms
+      99%   37.91ms
+    1125723 requests in 10.01s, 109.50MB read
+  Requests/sec: 112499.59
+  Transfer/sec:     10.94MB
+  ```
+
+[🔼Back to top](#table-of-content)
+
+## Known issues
+
+- Cert "renewal" is actually obtaining a new cert instead of renewing the existing one
+
+[🔼Back to top](#table-of-content)
+
+## Memory usage
+
+It takes ~15 MB for 50 proxy entries

 [🔼Back to top](#table-of-content)

 ## Build it yourself

-1. Clone the repository `git clone https://github.com/yusing/go-proxy --depth=1`
+1. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already

-2. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already
+2. Clear cache if you have built this before (go < 1.22) with `go clean -cache`

-3. Clear cache if you have built this before (go < 1.22) with `go clean -cache`
+3. get dependencies with `make get`

-4. get dependencies with `make get`
+4. build binary with `make build`

-5. build binary with `make build`
+5. start your container with `make up` (docker) or `bin/go-proxy` (binary)

 [🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,161 +0,0 @@
-# GoDoxy
-
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)
-
-[English Documentation](README.md)
-
-一個輕量級、易於使用且[高效能](https://github.com/yusing/go-proxy/wiki/Benchmarks)的反向代理，具有網頁介面和儀表板。
-
-![截圖](screenshots/webui.png)
-
-_加入我們的 [Discord](https://discord.gg/umReR62nRd) 獲取幫助和討論_
-
-## 目錄
-
-<!-- TOC -->
-
- [GoDoxy](#godoxy)
-  - [目錄](#目錄)
-  - [主要特點](#主要特點)
-  - [入門指南](#入門指南)
-    - [前置需求](#前置需求)
-    - [安裝](#安裝)
-    - [手動安裝](#手動安裝)
-    - [資料夾結構](#資料夾結構)
-    - [在 VSCode 中使用 JSON Schema](#在-vscode-中使用-json-schema)
-  - [截圖](#截圖)
-    - [閒置休眠](#閒置休眠)
-  - [自行編譯](#自行編譯)
-
-## 主要特點
-
- 容易使用
-  - 輕鬆配置
-  - 簡單的多節點設置
-  - 錯誤訊息清晰詳細，易於排除故障
- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers)）
- 自動配置 Docker 容器
- 容器狀態/配置文件變更時自動熱重載
- **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
- HTTP(s) 反向代理
- [HTTP 中介軟體支援](https://github.com/yusing/go-proxy/wiki/Middlewares)
- [自訂錯誤頁面支援](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
- TCP 和 UDP 埠轉發
- **網頁介面，具有應用儀表板和配置編輯器**
- 支援 linux/amd64、linux/arm64
- 使用 **[Go](https://go.dev)** 編寫
-
-[🔼回到頂部](#目錄)
-
-## 入門指南
-
-完整文檔請參見 **[Wiki](https://github.com/yusing/go-proxy/wiki)**
-
-### 前置需求
-
-設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：
-
- A 記錄：`*.y.z` -> `10.0.10.1`
- AAAA 記錄：`*.y.z` -> `::ffff:a00:a01`
-
-### 安裝
-
-1.  拉取最新的 Docker 映像
-
-    ```shell
-    docker pull ghcr.io/yusing/go-proxy:latest
-    ```
-
-2.  建立新目錄，`cd` 進入後運行安裝，或[手動安裝](#手動安裝)
-
-    ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/godoxy setup
-    ```
-
-3.  _（可選）_ 設置網頁介面登入
-
-    - 設置隨機 JWT 密鑰
-
-      ```shell
-      sed -i "s|API_JWT_SECRET=.*|API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
-      ```
-
-    - 更改網頁介面認證的使用者名稱和密碼
-      ```shell
-      sed -i "s|API_USERNAME=.*|API_USERNAME=admin|g" .env
-      sed -i "s|API_PASSWORD=.*|API_PASSWORD=some-strong-password|g" .env
-      ```
-
-4.  _（可選）_ 設置其他 Docker 節點的 `docker-socket-proxy`（參見 [多 Docker 節點設置](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)），然後在 `config.yml` 中添加它們
-
-5.  啟動容器 `docker compose up -d`
-
-6.  現在您可以進行額外的配置
-    - 使用文字編輯器（如 Visual Studio Code）
-    - 通過網頁介面 `https://gp.y.z`
-
-[🔼回到頂部](#目錄)
-
-### 手動安裝
-
-1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`
-
-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/config.example.yml -O config/config.yml`
-
-2. 將 `.env.example` 下載到 `.env`
-
-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/.env.example -O .env`
-
-3. 將 `compose.example.yml` 下載到 `compose.yml`
-
-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/compose.example.yml -O compose.yml`
-
-### 資料夾結構
-
-```shell
-├── certs
-│   ├── cert.crt
-│   └── priv.key
-├── compose.yml
-├── config
-│   ├── config.yml
-│   ├── middlewares
-│   │   ├── middleware1.yml
-│   │   ├── middleware2.yml
-│   ├── provider1.yml
-│   └── provider2.yml
-└── .env
-```
-
-### 在 VSCode 中使用 JSON Schema
-
-複製 [`.vscode/settings.example.json`](.vscode/settings.example.json) 到 `.vscode/settings.json` 並根據需要修改
-
-[🔼回到頂部](#目錄)
-
-## 截圖
-
-### 閒置休眠
-
-![閒置休眠](screenshots/idlesleeper.webp)
-
-[🔼回到頂部](#目錄)
-
-## 自行編譯
-
-1. 克隆儲存庫 `git clone https://github.com/yusing/go-proxy --depth=1`
-
-2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`
-
-3. 如果之前編譯過（go < 1.22），請使用 `go clean -cache` 清除快取
-
-4. 使用 `make get` 獲取依賴
-
-5. 使用 `make build` 編譯二進制檔案
-
-[🔼回到頂部](#目錄)
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,180 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"net/http"
-	"os"
-	"os/signal"
-	"syscall"
-	"time"
-
-	"github.com/yusing/go-proxy/internal"
-	"github.com/yusing/go-proxy/internal/api"
-	"github.com/yusing/go-proxy/internal/api/v1/query"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/entrypoint"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/metrics"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/net/http/server"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
-)
-
-func main() {
-	args := common.GetArgs()
-
-	switch args.Command {
-	case common.CommandSetup:
-		internal.Setup()
-		return
-	case common.CommandReload:
-		if err := query.ReloadServer(); err != nil {
-			E.LogFatal("server reload error", err)
-		}
-		logging.Info().Msg("ok")
-		return
-	case common.CommandListIcons:
-		icons, err := internal.ListAvailableIcons()
-		if err != nil {
-			log.Fatal(err)
-		}
-		printJSON(icons)
-		return
-	case common.CommandListRoutes:
-		routes, err := query.ListRoutes()
-		if err != nil {
-			log.Printf("failed to connect to api server: %s", err)
-			log.Printf("falling back to config file")
-		} else {
-			printJSON(routes)
-			return
-		}
-	case common.CommandDebugListMTrace:
-		trace, err := query.ListMiddlewareTraces()
-		if err != nil {
-			log.Fatal(err)
-		}
-		printJSON(trace)
-		return
-	}
-
-	if args.Command == common.CommandStart {
-		logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
-		logging.Trace().Msg("trace enabled")
-		// logging.AddHook(notif.GetDispatcher())
-	} else {
-		logging.DiscardLogger()
-	}
-
-	if args.Command == common.CommandValidate {
-		data, err := os.ReadFile(common.ConfigPath)
-		if err == nil {
-			err = config.Validate(data)
-		}
-		if err != nil {
-			log.Fatal("config error: ", err)
-		}
-		log.Print("config OK")
-		return
-	}
-
-	for _, dir := range common.RequiredDirectories {
-		prepareDirectory(dir)
-	}
-
-	middleware.LoadComposeFiles()
-
-	var cfg *config.Config
-	var err E.Error
-	if cfg, err = config.Load(); err != nil {
-		E.LogWarn("errors in config", err)
-	}
-
-	switch args.Command {
-	case common.CommandListRoutes:
-		cfg.StartProxyProviders()
-		printJSON(config.RoutesByAlias())
-		return
-	case common.CommandListConfigs:
-		printJSON(config.Value())
-		return
-	case common.CommandDebugListEntries:
-		printJSON(config.DumpEntries())
-		return
-	case common.CommandDebugListProviders:
-		printJSON(config.DumpProviders())
-		return
-	}
-
-	if common.APIJWTSecret == nil {
-		logging.Warn().Msg("API JWT secret is empty, authentication is disabled")
-	}
-
-	cfg.StartProxyProviders()
-	config.WatchChanges()
-
-	sig := make(chan os.Signal, 1)
-	signal.Notify(sig, syscall.SIGINT)
-	signal.Notify(sig, syscall.SIGTERM)
-	signal.Notify(sig, syscall.SIGHUP)
-
-	autocert := config.GetAutoCertProvider()
-	if autocert != nil {
-		if err := autocert.Setup(); err != nil {
-			E.LogFatal("autocert setup error", err)
-		}
-	} else {
-		logging.Info().Msg("autocert not configured")
-	}
-
-	server.StartServer(server.Options{
-		Name:         "proxy",
-		CertProvider: autocert,
-		HTTPAddr:     common.ProxyHTTPAddr,
-		HTTPSAddr:    common.ProxyHTTPSAddr,
-		Handler:      http.HandlerFunc(entrypoint.Handler),
-	})
-	server.StartServer(server.Options{
-		Name:         "api",
-		CertProvider: autocert,
-		HTTPAddr:     common.APIHTTPAddr,
-		Handler:      api.NewHandler(),
-	})
-
-	if common.PrometheusEnabled {
-		server.StartServer(server.Options{
-			Name:         "metrics",
-			CertProvider: autocert,
-			HTTPAddr:     common.MetricsHTTPAddr,
-			Handler:      metrics.NewHandler(),
-		})
-	}
-
-	// wait for signal
-	<-sig
-
-	// grafully shutdown
-	logging.Info().Msg("shutting down")
-	_ = task.GracefulShutdown(time.Second * time.Duration(config.Value().TimeoutShutdown))
-}
-
-func prepareDirectory(dir string) {
-	if _, err := os.Stat(dir); os.IsNotExist(err) {
-		if err = os.MkdirAll(dir, 0o755); err != nil {
-			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
-		}
-	}
-}
-
-func printJSON(obj any) {
-	j, err := json.MarshalIndent(obj, "", "  ")
-	if err != nil {
-		logging.Fatal().Err(err).Send()
-	}
-	rawLogger := log.New(os.Stdout, "", 0)
-	rawLogger.Print(string(j)) // raw output for convenience using "jq"
-}
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,42 +1,45 @@
---
+version: '3'
 services:
-  frontend:
-    image: ghcr.io/yusing/go-proxy-frontend:latest
-    container_name: godoxy-frontend
-    restart: unless-stopped
-    network_mode: host
-    env_file: .env
-    depends_on:
-      - app
-    # modify below to fit your needs
-    labels:
-      proxy.aliases: gp
-      proxy.#1.port: 3000
-      # proxy.#1.middlewares.cidr_whitelist.status: 403
-      # proxy.#1.middlewares.cidr_whitelist.message: IP not allowed
-      # proxy.#1.middlewares.cidr_whitelist.allow: |
-      #     - 127.0.0.1
-      #     - 10.0.0.0/8
-      #     - 192.168.0.0/16
-      #     - 172.16.0.0/12
  app:
    image: ghcr.io/yusing/go-proxy:latest
-    container_name: godoxy
+    container_name: go-proxy
    restart: always
-    network_mode: host
-    env_file: .env
+    networks: # ^also add here
+      - default
+    ports:
+      - 80:80 # http proxy
+      - 8080:8080 # http panel
+      # - 443:443 # optional, https proxy
+      # - 8443:8443 # optional, https panel
+
+      # optional, if you declared any tcp/udp proxy, set a range you want to use
+      # - 20000:20100/tcp
+      # - 20000:20100/udp
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/app/config
-      - ./error_pages:/app/error_pages

-      # (Optional) choose one of below to enable https
-      # 1. use existing certificate
-
-      # - /path/to/certs/cert.crt:/app/certs/cert.crt
-      # - /path/to/certs/priv.key:/app/certs/priv.key
-
-      # 2. use autocert, certs will be stored in ./certs
-      #    you can also use a docker volume to store it
+      # if local docker provider is used
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      
+      # use existing certificate
+      # - /path/to/cert.pem:/app/certs/cert.crt:ro
+      # - /path/to/privkey.pem:/app/certs/priv.key:ro

+      # store autocert obtained cert
      # - ./certs:/app/certs
+    
+    # workaround for "lookup: no such host"
+    # dns:
+    #   - 127.0.0.1
+
+    # if you have container running in "host" network mode
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
+    logging:
+      driver: 'json-file'
+      options:
+        max-file: '1'
+        max-size: 128k
+networks: # ^you may add other external networks
+  default:
+    driver: bridge
--- a/config.example.yml
+++ b/config.example.yml
@@ -1,144 +1,21 @@
-# Autocert (choose one below and uncomment to enable)
-#
-# 1. use existing cert
-#
-# autocert:
-#   provider: local
-#
-#   cert_path: certs/cert.crt         # optional, uncomment only if you need to change it
-#   key_path: certs/priv.key          # optional, uncomment only if you need to change it
-#
-# 2. cloudflare
-#
-# autocert:
-#   provider: cloudflare
-#   email: abc@gmail.com                            # ACME Email
-#   domains:                                        # a list of domains for cert registration
-#     - "*.y.z"                                     # remember to use double quotes to surround wildcard domain
-#   options:
-#     auth_token: c1234565789-abcdefghijklmnopqrst  # your zone API token
-#
-# 3. other providers, check docs/dns_providers.md for more
-
-entrypoint:
-  middlewares:
-    # this part blocks all non-LAN HTTP traffic
-    # remove if you don't want this
-    - use: CIDRWhitelist
-      allow:
-        - "127.0.0.1"
-        - "10.0.0.0/8"
-        - "172.16.0.0/12"
-        - "192.168.0.0/16"
-      status: 403
-      message: "Forbidden"
-    # end of CIDRWhitelist
-
-    # this part redirects HTTP to HTTPS
-    # remove if you don't want this
-    - use: RedirectHTTP
-
-  # access_log:
-  #   buffer_size: 1024
-  #   path: /var/log/example.log
-  #   filters:
-  #     status_codes:
-  #       values:
-  #         - 200-299
-  #         - 101
-  #     method:
-  #       values:
-  #         - GET
-  #     host:
-  #       values:
-  #         - example.y.z
-  #     headers:
-  #       negative: true
-  #       values:
-  #         - foo=bar
-  #         - baz
-  #     cidr:
-  #       values:
-  #         - 192.168.10.0/24
-  #   fields:
-  #     headers:
-  #       default: keep
-  #       config:
-  #         foo: redact
-  #     query:
-  #       default: drop
-  #       config:
-  #         foo: keep
-  #     cookies:
-  #       default: redact
-  #       config:
-  #         foo: keep
-
+# Autocert (uncomment to enable)
+# autocert: # (optional, if you need autocert feature)
+#   email: "user@domain.com" # (required) email for acme certificate
+#   domains: # (required)
+#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
+#   provider: cloudflare # (required) dns challenge provider (string)
+#   options: # provider specific options
+#     auth_token: "YOUR_ZONE_API_TOKEN"
 providers:
-  # include files are standalone yaml files under `config/` directory
-  #
-  # include:
-  #   - file1.yml
-  #   - file2.yml
-
-  docker:
-    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
-    local: $DOCKER_HOST
-    # explicit only mode
-    # only containers with explicit aliases will be proxied
-    # add "!" after provider name to enable explicit only mode
-    #
-    # local!: $DOCKER_HOST
-    #
-    # add more docker providers if needed
+  local:
+    kind: docker
    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    #
-    # remote-1: tcp://10.0.2.1:2375
-    # remote-2: ssh://root:1234@10.0.2.2
+    # i.e. FROM_ENV, ssh://user@10.0.1.1:22, tcp://10.0.2.1:2375
+    value: FROM_ENV
+  providers:
+    kind: file
+    value: providers.yml

-  # notification providers (notify when service health changes)
-  #
-  # notification:
-  #   - name: gotify
-  #     provider: gotify
-  #     url: https://gotify.domain.tld
-  #     token: abcd
-  #   - name: discord
-  #     provider: webhook
-  #     url: https://discord.com/api/webhooks/...
-  #     template: discord
-  #     # payload: | # discord template implies the following
-  #     #   {
-  #     #     "embeds": [
-  #     #       {
-  #     #         "title": $title,
-  #     #         "fields": $fields,
-  #     #         "color": "$color"
-  #     #       }
-  #     #     ]
-  #     #   }
-# if match_domains not defined
-# any host = alias+[any domain] will match
-# i.e. https://app1.y.z       will match alias app1 for any domain y.z
-#  but https://app1.node1.y.z will only match alias "app.node1"
-#
-# if match_domains defined
-# only host = alias+[one of match_domains] will match
-# i.e. match_domains = [node1.my.app, my.site]
-# https://app1.my.app, https://app1.my.net, etc. will not match even if app1 exists
-# only https://*.node1.my.app and https://*.my.site will match
-#
-#
-# match_domains:
-#   - my.site
-#   - node1.my.app
-
-# homepage config
-homepage:
-  # use default app categories detected from alias or docker image name
-  use_default_categories: true
-
-# Below are fixed options (non hot-reloadable)
-
-# timeout for shutdown (in seconds)
-timeout_shutdown: 5
+# Fixed options (optional, non hot-reloadable)
+# timeout_shutdown: 5
+# redirect_to_https: false
--- a/docs/add_dns_provider.md
+++ b/docs/add_dns_provider.md
@@ -0,0 +1,41 @@
+# Adding provider support
+
+## **CloudDNS** as an example
+
+1. Fork this repo, modify [autocert.go](../src/go-proxy/autocert.go#L305)
+
+   ```go
+   var providersGenMap = map[string]ProviderGenerator{
+     "cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+     // add here, i.e.
+     "clouddns": providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
+   }
+   ```
+
+2. Go to [https://go-acme.github.io/lego/dns/clouddns](https://go-acme.github.io/lego/dns/clouddns/) and check for required config
+
+3. Build `go-proxy` with `make build`
+
+4. Set required config in `config.yml` `autocert` -> `options` section
+
+   ```shell
+   # From https://go-acme.github.io/lego/dns/clouddns/
+   CLOUDDNS_CLIENT_ID=bLsdFAks23429841238feb177a572aX \
+   CLOUDDNS_EMAIL=you@example.com \
+   CLOUDDNS_PASSWORD=b9841238feb177a84330f \
+   lego --email you@example.com --dns clouddns --domains my.example.org run
+   ```
+
+   Should turn into:
+
+   ```yaml
+   autocert:
+     ...
+     options:
+       client_id: bLsdFAks23429841238feb177a572aX
+       email: you@example.com
+       password: b9841238feb177a84330f
+   ```
+
+5. Run with `GOPROXY_NO_SCHEMA_VALIDATION=1` and test if it works
+6. Commit and create pull request
--- a/docs/binary.md
+++ b/docs/binary.md
@@ -0,0 +1,59 @@
+# Getting started with `go-proxy` (binary)
+
+## Setup
+
+1. Install `bash`, `make` and `wget` if not already
+
+2. Run setup script
+
+   To specitfy a version _(optional)_
+
+   ```shell
+   export VERSION=latest # will be resolved into real version number
+   export VERSION=<version>
+   ```
+
+   If you don't need web config editor
+
+   ```shell
+   export SETUP_CODEMIRROR=0
+   ```
+
+   Setup
+
+   ```shell
+   wget -qO- https://6uo.me/go-proxy-setup-binary | sudo bash
+   ```
+
+   What it does:
+
+   - Download source file and binary into /opt/go-proxy/$VERSION
+   - Setup `config.yml` and `providers.yml`
+   - Setup `template/codemirror` which is a dependency for web config editor
+   - Create a systemd service (if available) in `/etc/systemd/system/go-proxy.service`
+   - Enable and start `go-proxy` service
+
+3. Start editing config files in `http://<ip>:8080`
+
+4. Check logs / status with `systemctl status go-proxy`
+
+## Setup (alternative method)
+
+1. Download the latest release and extract somewhere
+
+2. Run `make setup` and _(optional) `make setup-codemirror`_
+
+3. Enable HTTPS _(optional)_
+
+   - To use autocert feature
+
+     complete `autocert` in `config/config.yml`
+
+   - To use existing certificate
+
+     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
+
+     - cert / chain / fullchain: `certs/cert.crt`
+     - private key: `certs/priv.key`
+
+4. Run the binary `bin/go-proxy`
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -0,0 +1,365 @@
+# Docker container guide
+
+## Table of content
+
+<!-- TOC -->
+- [Table of content](#table-of-content)
+- [Setup](#setup)
+- [Labels](#labels)
+- [Labels (docker specific)](#labels-docker-specific)
+- [Troubleshooting](#troubleshooting)
+- [Docker compose examples](#docker-compose-examples)
+  - [Local docker provider in bridge network](#local-docker-provider-in-bridge-network)
+  - [Remote docker provider](#remote-docker-provider)
+    - [Explaination](#explaination)
+    - [Remote setup](#remote-setup)
+    - [Proxy setup](#proxy-setup)
+  - [Local docker provider in host network](#local-docker-provider-in-host-network)
+    - [Proxy setup](#proxy-setup)
+  - [Services URLs for above examples](#services-urls-for-above-examples)
+<!-- /TOC -->
+
+## Setup
+
+1. Install `wget` if not already
+
+2. Run setup script
+
+   `bash <(wget -qO- https://6uo.me/go-proxy-setup-docker)`
+
+   What it does:
+
+   - Create required directories
+   - Setup `config.yml` and `compose.yml`
+
+3. Verify folder structure and then `cd go-proxy`
+
+   ```plain
+   go-proxy
+   ├── certs
+   ├── compose.yml
+   └── config
+       ├── config.yml
+       └── providers.yml
+   ```
+
+4. Enable HTTPs _(optional)_
+
+   - To use autocert feature
+
+     - completing `autocert` section in `config/config.yml`
+     - mount `certs/` to `/app/certs` to store obtained certs
+
+   - To use existing certificate
+
+     mount your wildcard (`*.y.z`) SSL cert
+
+     - cert / chain / fullchain -> `/app/certs/cert.crt`
+     - private key -> `/app/certs/priv.key`
+
+5. Modify `compose.yml` fit your needs
+
+   Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+
+6. Run `docker compose up -d` to start the container
+
+7. Start editing config files in `http://<ip>:8080`
+
+[🔼Back to top](#table-of-content)
+
+## Labels
+
+- `proxy.aliases`: comma separated aliases for subdomain matching
+
+  - default: container name
+
+- `proxy.*.<field>`: wildcard label for all aliases
+
+Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.nginx.scheme: http`)
+
+- `scheme`: proxy protocol
+  - default: `http`
+  - allowed: `http`, `https`, `tcp`, `udp`
+- `host`: proxy host
+  - default: `container_name`
+- `port`: proxy port
+  - default: first expose port (declared in `Dockerfile` or `docker-compose.yml`)
+  - `http(s)`: number in range og `0 - 65535`
+  - `tcp/udp`: `[<listeningPort>:]<targetPort>`
+    - `listeningPort`: number, when it is omitted (not suggested), a free port starting from 20000 will be used.
+    - `targetPort`: number, or predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
+- `no_tls_verify`: whether skip tls verify when scheme is https
+  - default: `false`
+- `path`: proxy path _(http(s) proxy only)_
+  - default: empty
+- `path_mode`: mode for path handling
+
+  - default: empty
+  - allowed: empty, `forward`, `sub`
+
+    - `empty`: remove path prefix from URL when proxying
+      1. apps.y.z/webdav -> webdav:80
+      2. apps.y.z./webdav/path/to/file -> webdav:80/path/to/file
+    - `forward`: path remain unchanged
+      1. apps.y.z/webdav -> webdav:80/webdav
+      2. apps.y.z./webdav/path/to/file -> webdav:80/webdav/path/to/file
+    - `sub`: **(experimental)** remove path prefix from URL and also append path to HTML link attributes (`src`, `href` and `action`) and Javascript `fetch(url)` by response body substitution
+      e.g. apps.y.z/app1 -> webdav:80, `href="/app1/path/to/file"` -> `href="/path/to/file"`
+
+  - `set_headers`: a list of header to set, (key:value, one by line)
+
+    Duplicated keys will be treated as multiple-value headers
+
+    ```yaml
+    labels:
+      proxy.app.set_headers: |
+        X-Custom-Header1: value1
+        X-Custom-Header1: value2
+        X-Custom-Header2: value2
+    ```
+
+  - `hide_headers`: comma seperated list of headers to hide
+
+[🔼Back to top](#table-of-content)
+
+## Labels (docker specific)
+
+Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.app.load_balance=1`)
+
+- `load_balance`: enable load balance
+  - allowed: `1`, `true`
+
+[🔼Back to top](#table-of-content)
+
+## Troubleshooting
+
+- Firewall issues
+
+  If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:
+
+  `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+
+  Explaination:
+
+  Docker network is usually `172.16.0.0/16`
+
+  Tailscale is used as an example, `100.64.0.0/10` will be the CIDR
+
+  You can also list CIDRs of all docker bridge networks by:
+
+  `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+
+[🔼Back to top](#table-of-content)
+
+## Docker compose examples
+
+### Local docker provider in bridge network
+
+```yaml
+volumes:
+  adg-work:
+  adg-conf:
+  mc-data:
+  palworld:
+  nginx:
+services:
+  adg:
+    image: adguard/adguardhome
+    restart: unless-stopped
+    labels:
+      - proxy.aliases=adg,adg-dns,adg-setup
+      - proxy.adg.port=80
+      - proxy.adg-setup.port=3000
+      - proxy.adg-dns.scheme=udp
+      - proxy.adg-dns.port=20000:dns
+    volumes:
+      - adg-work:/opt/adguardhome/work
+      - adg-conf:/opt/adguardhome/conf
+  mc:
+    image: itzg/minecraft-server
+    tty: true
+    stdin_open: true
+    container_name: mc
+    restart: unless-stopped
+    labels:
+      - proxy.mc.scheme=tcp
+      - proxy.mc.port=20001:25565
+    environment:
+      - EULA=TRUE
+    volumes:
+      - mc-data:/data
+  palworld:
+    image: thijsvanloef/palworld-server-docker:latest
+    restart: unless-stopped
+    container_name: pal
+    stop_grace_period: 30s
+    labels:
+      - proxy.aliases=pal1,pal2
+      - proxy.*.scheme=udp
+      - proxy.pal1.port=20002:8211
+      - proxy.pal2.port=20003:27015
+    environment: ...
+    volumes:
+      - palworld:/palworld
+  nginx:
+    image: nginx
+    container_name: nginx
+    volumes:
+      - nginx:/usr/share/nginx/html
+  go-proxy:
+    image: ghcr.io/yusing/go-proxy
+    container_name: go-proxy
+    restart: always
+    ports:
+      - 80:80 # http
+      - 443:443 # optional, https
+      - 8080:8080 # http panel
+      - 8443:8443 # optional, https panel
+
+      - 53:20000/udp # adguardhome
+      - 25565:20001/tcp # minecraft
+      - 8211:20002/udp # palworld
+      - 27015:20003/udp # palworld
+    volumes:
+      - ./config:/app/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      - proxy.aliases=gp
+      - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Remote docker provider
+
+#### Explaination
+
+- Expose container ports to random port in remote host
+- Use container port with an asterisk sign **(\*)** before to find remote port automatically
+
+#### Remote setup
+
+```yaml
+volumes:
+  adg-work:
+  adg-conf:
+  mc-data:
+  palworld:
+  nginx:
+services:
+  adg:
+    image: adguard/adguardhome
+    restart: unless-stopped
+    ports: # map container ports
+      - 80
+      - 3000
+      - 53/udp
+      - 53/tcp
+    labels:
+      - proxy.aliases=adg,adg-dns,adg-setup
+      # add an asterisk (*) before to find host port automatically
+      - proxy.adg.port=*80
+      - proxy.adg-setup.port=*3000
+      - proxy.adg-dns.scheme=udp
+      - proxy.adg-dns.port=*53
+    volumes:
+      - adg-work:/opt/adguardhome/work
+      - adg-conf:/opt/adguardhome/conf
+  mc:
+    image: itzg/minecraft-server
+    tty: true
+    stdin_open: true
+    container_name: mc
+    restart: unless-stopped
+    ports:
+      - 25565
+    labels:
+      - proxy.mc.scheme=tcp
+      - proxy.mc.port=*25565
+    environment:
+      - EULA=TRUE
+    volumes:
+      - mc-data:/data
+  palworld:
+    image: thijsvanloef/palworld-server-docker:latest
+    restart: unless-stopped
+    container_name: pal
+    stop_grace_period: 30s
+    ports:
+      - 8211/udp
+      - 27015/udp
+    labels:
+      - proxy.aliases=pal1,pal2
+      - proxy.*.scheme=udp
+      - proxy.pal1.port=*8211
+      - proxy.pal2.port=*27015
+    environment: ...
+    volumes:
+      - palworld:/palworld
+  nginx:
+    image: nginx
+    container_name: nginx
+    # for single port container, host port will be found automatically
+    ports:
+      - 80
+    volumes:
+      - nginx:/usr/share/nginx/html
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Proxy setup
+
+```yaml
+go-proxy:
+  image: ghcr.io/yusing/go-proxy
+  container_name: go-proxy
+  restart: always
+  network_mode: host
+  volumes:
+    - ./config:/app/config
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+  labels:
+    - proxy.aliases=gp
+    - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Local docker provider in host network
+
+Mostly as remote docker setup, see [remote setup](#remote-setup)
+
+With `GOPROXY_HOST_NETWORK=1` to treat it as remote docker provider
+
+#### Proxy setup
+
+```yaml
+go-proxy:
+  image: ghcr.io/yusing/go-proxy
+  container_name: go-proxy
+  restart: always
+  network_mode: host
+  environment: # this part is needed for local docker in host mode
+    - GOPROXY_HOST_NETWORK=1
+  volumes:
+    - ./config:/app/config
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+  labels:
+    - proxy.aliases=gp
+    - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Services URLs for above examples
+
+- `gp.yourdomain.com`: go-proxy web panel
+- `adg-setup.yourdomain.com`: adguard setup (first time setup)
+- `adg.yourdomain.com`: adguard dashboard
+- `nginx.yourdomain.com`: nginx
+- `yourdomain.com:53`: adguard dns
+- `yourdomain.com:25565`: minecraft server
+- `yourdomain.com:8211`: palworld server
+
+[🔼Back to top](#table-of-content)
--- a/examples/docker-compose/n8n.yml
+++ b/examples/docker-compose/n8n.yml
@@ -1,27 +0,0 @@
---
-services:
-  n8n:
-    image: n8nio/n8n
-    container_name: n8n
-    restart: always
-    expose:
-      - 5678
-    labels:
-      proxy.n8n.middlewares.request.set_headers: |
-        SSLRedirect: true
-        STSSeconds: 315360000
-        browserXSSFilter: true
-        contentTypeNosniff: true
-        forceSTSHeader: true
-        SSLHost: ${DOMAIN_NAME}
-        STSIncludeSubdomains: true
-        STSPreload: true
-    environment:
-      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
-      - N8N_PORT=5678
-      - N8N_PROTOCOL=https
-      - NODE_ENV=production
-      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
-      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
-    volumes:
-      - ./data:/home/node/.n8n
--- a/examples/error_pages/404.css
+++ b/examples/error_pages/404.css
@@ -1,288 +0,0 @@
-@import url("https://fonts.googleapis.com/css?family=Audiowide&display=swap");
-
-html,
-body {
-    margin: 0px;
-    overflow: hidden;
-}
-
-div {
-    position: absolute;
-    top: 0%;
-    left: 0%;
-    height: 100%;
-    width: 100%;
-    margin: 0px;
-    background: radial-gradient(circle, #240015 0%, #12000b 100%);
-    overflow: hidden;
-}
-
-.wrap {
-    position: absolute;
-    left: 50%;
-    top: 50%;
-    transform: translate(-50%, -50%);
-}
-
-h2 {
-    position: absolute;
-    top: 50%;
-    left: 50%;
-    margin-top: 150px;
-    font-size: 32px;
-    text-transform: uppercase;
-    transform: translate(-50%, -50%);
-    display: block;
-    color: #12000a;
-    font-weight: 300;
-    font-family: Audiowide;
-    text-shadow: 0px 0px 4px #12000a;
-    animation: fadeInText 3s ease-in 3.5s forwards,
-        flicker4 5s linear 7.5s infinite, hueRotate 6s ease-in-out 3s infinite;
-}
-
-#svgWrap_1,
-#svgWrap_2 {
-    position: absolute;
-    height: auto;
-    width: 600px;
-    max-width: 100%;
-    top: 50%;
-    left: 50%;
-    transform: translate(-50%, -50%);
-}
-
-#svgWrap_1,
-#svgWrap_2,
-div {
-    animation: hueRotate 6s ease-in-out 3s infinite;
-}
-
-#id1_1,
-#id2_1,
-#id3_1 {
-    stroke: #ff005d;
-    stroke-width: 3px;
-    fill: transparent;
-    filter: url(#glow);
-}
-
-#id1_2,
-#id2_2,
-#id3_2 {
-    stroke: #12000a;
-    stroke-width: 3px;
-    fill: transparent;
-    filter: url(#glow);
-}
-
-#id3_1 {
-    stroke-dasharray: 940px;
-    stroke-dashoffset: -940px;
-    animation: drawLine3 2.5s ease-in-out 0s forwards,
-        flicker3 4s linear 4s infinite;
-}
-
-#id2_1 {
-    stroke-dasharray: 735px;
-    stroke-dashoffset: -735px;
-    animation: drawLine2 2.5s ease-in-out 0.5s forwards,
-        flicker2 4s linear 4.5s infinite;
-}
-
-#id1_1 {
-    stroke-dasharray: 940px;
-    stroke-dashoffset: -940px;
-    animation: drawLine1 2.5s ease-in-out 1s forwards,
-        flicker1 4s linear 5s infinite;
-}
-
-@keyframes drawLine1 {
-    0% {
-        stroke-dashoffset: -940px;
-    }
-    100% {
-        stroke-dashoffset: 0px;
-    }
-}
-
-@keyframes drawLine2 {
-    0% {
-        stroke-dashoffset: -735px;
-    }
-    100% {
-        stroke-dashoffset: 0px;
-    }
-}
-
-@keyframes drawLine3 {
-    0% {
-        stroke-dashoffset: -940px;
-    }
-    100% {
-        stroke-dashoffset: 0px;
-    }
-}
-
-@keyframes flicker1 {
-    0% {
-        stroke: #ff005d;
-    }
-    1% {
-        stroke: transparent;
-    }
-    3% {
-        stroke: transparent;
-    }
-    4% {
-        stroke: #ff005d;
-    }
-    6% {
-        stroke: #ff005d;
-    }
-    7% {
-        stroke: transparent;
-    }
-    13% {
-        stroke: transparent;
-    }
-    14% {
-        stroke: #ff005d;
-    }
-    100% {
-        stroke: #ff005d;
-    }
-}
-
-@keyframes flicker2 {
-    0% {
-        stroke: #ff005d;
-    }
-    50% {
-        stroke: #ff005d;
-    }
-    51% {
-        stroke: transparent;
-    }
-    61% {
-        stroke: transparent;
-    }
-    62% {
-        stroke: #ff005d;
-    }
-    100% {
-        stroke: #ff005d;
-    }
-}
-
-@keyframes flicker3 {
-    0% {
-        stroke: #ff005d;
-    }
-    1% {
-        stroke: transparent;
-    }
-    10% {
-        stroke: transparent;
-    }
-    11% {
-        stroke: #ff005d;
-    }
-    40% {
-        stroke: #ff005d;
-    }
-    41% {
-        stroke: transparent;
-    }
-    45% {
-        stroke: transparent;
-    }
-    46% {
-        stroke: #ff005d;
-    }
-    100% {
-        stroke: #ff005d;
-    }
-}
-
-@keyframes flicker4 {
-    0% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    30% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    31% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    32% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    36% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    37% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    41% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    42% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    85% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    86% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    95% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    96% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    100% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-}
-
-@keyframes fadeInText {
-    1% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    70% {
-        color: #ff005d;
-        text-shadow: 0px 0px 14px #ff005d;
-    }
-    100% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-}
-
-@keyframes hueRotate {
-    0% {
-        filter: hue-rotate(0deg);
-    }
-    50% {
-        filter: hue-rotate(-120deg);
-    }
-    100% {
-        filter: hue-rotate(0deg);
-    }
-}
--- a/examples/error_pages/404.html
+++ b/examples/error_pages/404.html
@@ -1,51 +0,0 @@
-{{/* Credit: https://codepen.io/code2rithik/pen/XWpVvYL */}}
-<!DOCTYPE html>
-<html lang="en">
-
-<head>
-  <meta charset="UTF-8" />
-  <title>Page Not Found</title>
-  <link rel="stylesheet" href="/$gperrorpage/404.css" type="text/css">
-  <!-- <script src="/$gperrorpage/404.js"> </script> -->
-</head>
-
-<body>
-  <script>0</script>
-  <div></div>
-  <svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
-    <g>
-      <path id="id3_2"
-        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
-      <path id="id2_2"
-        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
-      <path id="id1_2"
-        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
-    </g>
-  </svg>
-  <svg id="svgWrap_1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
-    <g>
-      <path id="id3_1"
-        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
-      <path id="id2_1"
-        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
-      <path id="id1_1"
-        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
-    </g>
-  </svg>
-
-  <svg>
-    <defs>
-      <filter id="glow">
-        <fegaussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur>
-        <femerge>
-          <femergenode in="coloredBlur"></femergenode>
-          <femergenode in="SourceGraphic"></femergenode>
-        </femerge>
-      </filter>
-    </defs>
-  </svg>
-
-  <h2>Page Not Found</h2>
-</body>
-
-</html>
--- a/examples/grafana_template.json
+++ b/examples/grafana_template.json
--- a/go.mod
+++ b/go.mod
@@ -1,76 +1,54 @@
 module github.com/yusing/go-proxy

-go 1.23.4
+go 1.22

 require (
-	github.com/coder/websocket v1.8.12
-	github.com/docker/cli v27.4.1+incompatible
-	github.com/docker/docker v27.4.1+incompatible
-	github.com/fsnotify/fsnotify v1.8.0
-	github.com/go-acme/lego/v4 v4.21.0
-	github.com/go-playground/validator/v10 v10.23.0
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/gotify/server/v2 v2.6.1
-	github.com/prometheus/client_golang v1.20.5
-	github.com/puzpuzpuz/xsync/v3 v3.4.0
-	github.com/rs/zerolog v1.33.0
-	golang.org/x/net v0.33.0
-	golang.org/x/text v0.21.0
-	golang.org/x/time v0.9.0
+	github.com/docker/cli v26.1.3+incompatible
+	github.com/docker/docker v26.1.3+incompatible
+	github.com/fsnotify/fsnotify v1.7.0
+	github.com/go-acme/lego/v4 v4.17.3
+	github.com/santhosh-tekuri/jsonschema v1.2.4
+	github.com/sirupsen/logrus v1.9.3
+	golang.org/x/net v0.25.0
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.113.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.96.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-playground/locales v0.14.1 // indirect
-	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
-	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/ovh/go-ovh v1.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.61.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.33.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
-	go.opentelemetry.io/otel/metric v1.33.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
-	go.opentelemetry.io/otel/trace v1.33.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/oauth2 v0.25.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
+	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.21.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -2,219 +2,165 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOEl
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cloudflare/cloudflare-go v0.113.0 h1:qnOXmA6RbgZ4rg5gNBK5QGk0Pzbv8pnUYV3C4+8CU6w=
-github.com/cloudflare/cloudflare-go v0.113.0/go.mod h1:Dlm4BAnycHc0i8yLxQZb9b+OlMwYOAoDJsUOEFgpVvo=
-github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
-github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/cloudflare/cloudflare-go v0.96.0 h1:wd+qrnyw+C2eXUUujE6BzFEOREkEfoCvogpO5h33FxI=
+github.com/cloudflare/cloudflare-go v0.96.0/go.mod h1:gLP9fJT8ROgRCjHNKxISNNKeU1JEg2yT5uPEEI8x9Ec=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI=
-github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v27.4.1+incompatible h1:ZJvcY7gfwHn1JF48PfbyXg7Jyt9ZCWDW+GGXOIxEwp4=
-github.com/docker/docker v27.4.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc=
+github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
+github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
-github.com/go-acme/lego/v4 v4.21.0 h1:arEW+8o5p7VI8Bk1kr/PDlgD1DrxtTH1gJ4b7mehL8o=
-github.com/go-acme/lego/v4 v4.21.0/go.mod h1:HrSWzm3Ckj45Ie3i+p1zKVobbQoMOaGu9m4up0dUeDI=
-github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
-github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-acme/lego/v4 v4.17.3 h1:5our7Qdyik0abag40abdmQuytq97iweaNHFMT4pYDnQ=
+github.com/go-acme/lego/v4 v4.17.3/go.mod h1:Ol6l04hnmavqVHKYS/ByhXXqE64x8yVYhomha82uAUk=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
-github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
-github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
-github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
-github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
-github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o=
-github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
-github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gotify/server/v2 v2.6.1 h1:Kf7v5fzBxzELzZa/jonWfwJMkqYqh1LBzBpCmt5QIAI=
-github.com/gotify/server/v2 v2.6.1/go.mod h1:Dk8HLyTVDqmXM8YEg6tjROBen6mxyHZFRggJFHTwZLc=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
-github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
-github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM=
+github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
-github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
-github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/ovh/go-ovh v1.6.0 h1:ixLOwxQdzYDx296sXcgS35TOPEahJkpjMGtzPadCjQI=
-github.com/ovh/go-ovh v1.6.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
-github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/puzpuzpuz/xsync/v3 v3.4.0 h1:DuVBAdXuGFHv8adVXjWWZ63pJq+NRXOWVXlKDBZ+mJ4=
-github.com/puzpuzpuz/xsync/v3 v3.4.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
-github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
+github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
+github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
-go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
-go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
-go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
-go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE=
-go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg=
-go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
-go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
+go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
+go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
+go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik=
+go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak=
+go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
+go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
+go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw=
+go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4=
+go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
+go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
-golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
-google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
-google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/grpc v1.63.1 h1:pNClQmvdlyNUiwFETOux/PYqfhmA7BrswEdGRnib1fA=
+google.golang.org/grpc v1.63.1/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
-gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -1,58 +0,0 @@
-package api
-
-import (
-	"net"
-	"net/http"
-
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
-	. "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-type ServeMux struct{ *http.ServeMux }
-
-func NewServeMux() ServeMux {
-	return ServeMux{http.NewServeMux()}
-}
-
-func (mux ServeMux) HandleFunc(method, endpoint string, handler http.HandlerFunc) {
-	mux.ServeMux.HandleFunc(method+" "+endpoint, checkHost(handler))
-}
-
-func NewHandler() http.Handler {
-	mux := NewServeMux()
-	mux.HandleFunc("GET", "/v1", v1.Index)
-	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
-	mux.HandleFunc("POST", "/v1/login", auth.LoginHandler)
-	mux.HandleFunc("GET", "/v1/logout", auth.LogoutHandler)
-	mux.HandleFunc("POST", "/v1/logout", auth.LogoutHandler)
-	mux.HandleFunc("POST", "/v1/reload", v1.Reload)
-	mux.HandleFunc("GET", "/v1/list", auth.RequireAuth(v1.List))
-	mux.HandleFunc("GET", "/v1/list/{what}", auth.RequireAuth(v1.List))
-	mux.HandleFunc("GET", "/v1/list/{what}/{which}", auth.RequireAuth(v1.List))
-	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.GetFileContent))
-	mux.HandleFunc("POST", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.SetFileContent))
-	mux.HandleFunc("PUT", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.SetFileContent))
-	mux.HandleFunc("GET", "/v1/schema/{filename...}", v1.GetSchemaFile)
-	mux.HandleFunc("GET", "/v1/stats", v1.Stats)
-	mux.HandleFunc("GET", "/v1/stats/ws", v1.StatsWS)
-	return mux
-}
-
-// allow only requests to API server with localhost.
-func checkHost(f http.HandlerFunc) http.HandlerFunc {
-	if common.IsDebug {
-		return f
-	}
-	return func(w http.ResponseWriter, r *http.Request) {
-		host, _, _ := net.SplitHostPort(r.RemoteAddr)
-		if host != "127.0.0.1" && host != "localhost" && host != "[::1]" {
-			LogWarn(r).Msgf("blocked API request from %s", host)
-			http.Error(w, "forbidden", http.StatusForbidden)
-			return
-		}
-		LogDebug(r).Interface("headers", r.Header).Msg("API request")
-		f(w, r)
-	}
-}
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -1,135 +0,0 @@
-package auth
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type (
-	Credentials struct {
-		Username string `json:"username"`
-		Password string `json:"password"`
-	}
-	Claims struct {
-		Username string `json:"username"`
-		jwt.RegisteredClaims
-	}
-)
-
-var (
-	ErrInvalidUsername = E.New("invalid username")
-	ErrInvalidPassword = E.New("invalid password")
-)
-
-func validatePassword(cred *Credentials) error {
-	if cred.Username != common.APIUser {
-		return ErrInvalidUsername.Subject(cred.Username)
-	}
-	if !bytes.Equal(common.HashPassword(cred.Password), common.APIPasswordHash) {
-		return ErrInvalidPassword.Subject(cred.Password)
-	}
-	return nil
-}
-
-func LoginHandler(w http.ResponseWriter, r *http.Request) {
-	var creds Credentials
-	err := json.NewDecoder(r.Body).Decode(&creds)
-	if err != nil {
-		U.HandleErr(w, r, err, http.StatusBadRequest)
-		return
-	}
-	if err := validatePassword(&creds); err != nil {
-		U.HandleErr(w, r, err, http.StatusUnauthorized)
-		return
-	}
-
-	expiresAt := time.Now().Add(common.APIJWTTokenTTL)
-	claim := &Claims{
-		Username: creds.Username,
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(expiresAt),
-		},
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodHS512, claim)
-	tokenStr, err := token.SignedString(common.APIJWTSecret)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	http.SetCookie(w, &http.Cookie{
-		Name:     "token",
-		Value:    tokenStr,
-		Expires:  expiresAt,
-		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
-		Path:     "/",
-	})
-	w.WriteHeader(http.StatusOK)
-}
-
-func LogoutHandler(w http.ResponseWriter, r *http.Request) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     "token",
-		Value:    "",
-		Expires:  time.Unix(0, 0),
-		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
-		Path:     "/",
-	})
-	w.Header().Set("location", "/login")
-	w.WriteHeader(http.StatusTemporaryRedirect)
-}
-
-func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
-	if common.IsDebugSkipAuth || common.APIJWTSecret == nil {
-		return next
-	}
-
-	return func(w http.ResponseWriter, r *http.Request) {
-		if checkToken(w, r) {
-			next(w, r)
-		}
-	}
-}
-
-func checkToken(w http.ResponseWriter, r *http.Request) (ok bool) {
-	tokenCookie, err := r.Cookie("token")
-	if err != nil {
-		U.RespondError(w, E.New("missing token"), http.StatusUnauthorized)
-		return false
-	}
-	var claims Claims
-	token, err := jwt.ParseWithClaims(tokenCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
-		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
-		}
-		return common.APIJWTSecret, nil
-	})
-
-	switch {
-	case err != nil:
-		break
-	case !token.Valid:
-		err = E.New("invalid token")
-	case claims.Username != common.APIUser:
-		err = E.New("username mismatch").Subject(claims.Username)
-	case claims.ExpiresAt.Before(time.Now()):
-		err = E.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
-	}
-
-	if err != nil {
-		U.RespondError(w, err, http.StatusForbidden)
-		return false
-	}
-
-	return true
-}
--- a/internal/api/v1/file.go
+++ b/internal/api/v1/file.go
@@ -1,113 +0,0 @@
-package v1
-
-import (
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/route/provider"
-)
-
-type FileType string
-
-const (
-	FileTypeConfig     FileType = "config"
-	FileTypeProvider   FileType = "provider"
-	FileTypeMiddleware FileType = "middleware"
-)
-
-func fileType(file string) FileType {
-	switch {
-	case strings.HasPrefix(path.Base(file), "config."):
-		return FileTypeConfig
-	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
-		return FileTypeMiddleware
-	}
-	return FileTypeProvider
-}
-
-func (t FileType) IsValid() bool {
-	switch t {
-	case FileTypeConfig, FileTypeProvider, FileTypeMiddleware:
-		return true
-	}
-	return false
-}
-
-func (t FileType) GetPath(filename string) string {
-	if t == FileTypeMiddleware {
-		return path.Join(common.MiddlewareComposeBasePath, filename)
-	}
-	return path.Join(common.ConfigBasePath, filename)
-}
-
-func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
-	fileType = FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		err = U.ErrInvalidKey("type")
-		return
-	}
-	filename = r.PathValue("filename")
-	if filename == "" {
-		err = U.ErrMissingKey("filename")
-	}
-	return
-}
-
-func GetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
-		return
-	}
-	content, err := os.ReadFile(fileType.GetPath(filename))
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	U.WriteBody(w, content)
-}
-
-func SetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-
-	var valErr E.Error
-	switch fileType {
-	case FileTypeConfig:
-		valErr = config.Validate(content)
-	case FileTypeMiddleware:
-		errs := E.NewBuilder("middleware errors")
-		middleware.BuildMiddlewaresFromYAML(filename, content, errs)
-		valErr = errs.Error()
-	default:
-		valErr = provider.Validate(content)
-	}
-
-	if valErr != nil {
-		U.RespondError(w, valErr, http.StatusBadRequest)
-		return
-	}
-
-	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
--- a/internal/api/v1/index.go
+++ b/internal/api/v1/index.go
@@ -1,11 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	. "github.com/yusing/go-proxy/internal/api/v1/utils"
-)
-
-func Index(w http.ResponseWriter, r *http.Request) {
-	WriteBody(w, []byte("API ready"))
-}
--- a/internal/api/v1/list.go
+++ b/internal/api/v1/list.go
@@ -1,101 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"strings"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-const (
-	ListRoute            = "route"
-	ListRoutes           = "routes"
-	ListFiles            = "files"
-	ListMiddlewares      = "middlewares"
-	ListMiddlewareTraces = "middleware_trace"
-	ListMatchDomains     = "match_domains"
-	ListHomepageConfig   = "homepage_config"
-	ListTasks            = "tasks"
-)
-
-func List(w http.ResponseWriter, r *http.Request) {
-	what := r.PathValue("what")
-	if what == "" {
-		what = ListRoutes
-	}
-	which := r.PathValue("which")
-
-	switch what {
-	case ListRoute:
-		if route := listRoute(which); route == nil {
-			http.NotFound(w, r)
-			return
-		} else {
-			U.RespondJSON(w, r, route)
-		}
-	case ListRoutes:
-		U.RespondJSON(w, r, config.RoutesByAlias(route.RouteType(r.FormValue("type"))))
-	case ListFiles:
-		listFiles(w, r)
-	case ListMiddlewares:
-		U.RespondJSON(w, r, middleware.All())
-	case ListMiddlewareTraces:
-		U.RespondJSON(w, r, middleware.GetAllTrace())
-	case ListMatchDomains:
-		U.RespondJSON(w, r, config.Value().MatchDomains)
-	case ListHomepageConfig:
-		U.RespondJSON(w, r, config.HomepageConfig())
-	case ListTasks:
-		U.RespondJSON(w, r, task.DebugTaskList())
-	default:
-		U.HandleErr(w, r, U.ErrInvalidKey("what"), http.StatusBadRequest)
-	}
-}
-
-func listRoute(which string) any {
-	if which == "" || which == "all" {
-		return config.RoutesByAlias()
-	}
-	routes := config.RoutesByAlias()
-	route, ok := routes[which]
-	if !ok {
-		return nil
-	}
-	return route
-}
-
-func listFiles(w http.ResponseWriter, r *http.Request) {
-	files, err := utils.ListFiles(common.ConfigBasePath, 0)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	resp := map[FileType][]string{
-		FileTypeConfig:     make([]string, 0),
-		FileTypeProvider:   make([]string, 0),
-		FileTypeMiddleware: make([]string, 0),
-	}
-
-	for _, file := range files {
-		t := fileType(file)
-		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
-		resp[t] = append(resp[t], file)
-	}
-
-	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	for _, mid := range mids {
-		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
-		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
-	}
-	U.RespondJSON(w, r, resp)
-}
--- a/internal/api/v1/query/query.go
+++ b/internal/api/v1/query/query.go
@@ -1,64 +0,0 @@
-package query
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-)
-
-func ReloadServer() E.Error {
-	resp, err := U.Post(common.APIHTTPURL+"/v1/reload", "", nil)
-	if err != nil {
-		return E.From(err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		failure := E.Errorf("server reload status %v", resp.StatusCode)
-		body, err := io.ReadAll(resp.Body)
-		if err != nil {
-			return failure.With(err)
-		}
-		reloadErr := string(body)
-		return failure.Withf(reloadErr)
-	}
-	return nil
-}
-
-func List[T any](what string) (_ T, outErr E.Error) {
-	resp, err := U.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, what))
-	if err != nil {
-		outErr = E.From(err)
-		return
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		outErr = E.Errorf("list %s: failed, status %v", what, resp.StatusCode)
-		return
-	}
-	var res T
-	err = json.NewDecoder(resp.Body).Decode(&res)
-	if err != nil {
-		outErr = E.From(err)
-		return
-	}
-	return res, nil
-}
-
-func ListRoutes() (map[string]map[string]any, E.Error) {
-	return List[map[string]map[string]any](v1.ListRoutes)
-}
-
-func ListMiddlewareTraces() (middleware.Traces, E.Error) {
-	return List[middleware.Traces](v1.ListMiddlewareTraces)
-}
-
-func DebugListTasks() (map[string]any, E.Error) {
-	return List[map[string]any](v1.ListTasks)
-}
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -1,16 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/config"
-)
-
-func Reload(w http.ResponseWriter, r *http.Request) {
-	if err := config.Reload(); err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	U.WriteBody(w, []byte("OK"))
-}
--- a/internal/api/v1/schema.go
+++ b/internal/api/v1/schema.go
@@ -1,23 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"os"
-	"path"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-func GetSchemaFile(w http.ResponseWriter, r *http.Request) {
-	filename := r.PathValue("filename")
-	if filename == "" {
-		U.RespondError(w, U.ErrMissingKey("filename"), http.StatusBadRequest)
-	}
-	content, err := os.ReadFile(path.Join(common.SchemaBasePath, filename))
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	U.WriteBody(w, content)
-}
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -1,70 +0,0 @@
-package v1
-
-import (
-	"context"
-	"net/http"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-func Stats(w http.ResponseWriter, r *http.Request) {
-	U.RespondJSON(w, r, getStats())
-}
-
-func StatsWS(w http.ResponseWriter, r *http.Request) {
-	var originPats []string
-
-	localAddresses := []string{"127.0.0.1", "10.0.*.*", "172.16.*.*", "192.168.*.*"}
-
-	if len(config.Value().MatchDomains) == 0 {
-		U.LogWarn(r).Msg("no match domains configured, accepting websocket API request from all origins")
-		originPats = []string{"*"}
-	} else {
-		originPats = make([]string, len(config.Value().MatchDomains))
-		for i, domain := range config.Value().MatchDomains {
-			originPats[i] = "*" + domain
-		}
-		originPats = append(originPats, localAddresses...)
-	}
-	if common.IsDebug {
-		originPats = []string{"*"}
-	}
-	conn, err := websocket.Accept(w, r, &websocket.AcceptOptions{
-		OriginPatterns: originPats,
-	})
-	if err != nil {
-		U.LogError(r).Err(err).Msg("failed to upgrade websocket")
-		return
-	}
-	/* trunk-ignore(golangci-lint/errcheck) */
-	defer conn.CloseNow()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	ticker := time.NewTicker(1 * time.Second)
-	defer ticker.Stop()
-
-	for range ticker.C {
-		stats := getStats()
-		if err := wsjson.Write(ctx, conn, stats); err != nil {
-			U.LogError(r).Msg("failed to write JSON")
-			return
-		}
-	}
-}
-
-var startTime = time.Now()
-
-func getStats() map[string]any {
-	return map[string]any{
-		"proxies": config.Statistics(),
-		"uptime":  strutils.FormatDuration(time.Since(startTime)),
-	}
-}
--- a/internal/api/v1/utils/error.go
+++ b/internal/api/v1/utils/error.go
@@ -1,43 +0,0 @@
-package utils
-
-import (
-	"net/http"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
-)
-
-// HandleErr logs the error and returns an HTTP error response to the client.
-// If code is specified, it will be used as the HTTP status code; otherwise,
-// http.StatusInternalServerError is used.
-//
-// The error is only logged but not returned to the client.
-func HandleErr(w http.ResponseWriter, r *http.Request, err error, code ...int) {
-	if err == nil {
-		return
-	}
-	LogError(r).Msg(err.Error())
-	if len(code) == 0 {
-		code = []int{http.StatusInternalServerError}
-	}
-	http.Error(w, http.StatusText(code[0]), code[0])
-}
-
-func RespondError(w http.ResponseWriter, err error, code ...int) {
-	if len(code) == 0 {
-		code = []int{http.StatusBadRequest}
-	}
-	http.Error(w, ansi.StripANSI(err.Error()), code[0])
-}
-
-func ErrMissingKey(k string) error {
-	return E.New("missing key '" + k + "' in query or request body")
-}
-
-func ErrInvalidKey(k string) error {
-	return E.New("invalid key '" + k + "' in query or request body")
-}
-
-func ErrNotFound(k, v string) error {
-	return E.Errorf("key %q with value %q not found", k, v)
-}
--- a/internal/api/v1/utils/http_client.go
+++ b/internal/api/v1/utils/http_client.go
@@ -1,28 +0,0 @@
-package utils
-
-import (
-	"crypto/tls"
-	"net"
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-var (
-	httpClient = &http.Client{
-		Timeout: common.ConnectionTimeout,
-		Transport: &http.Transport{
-			DisableKeepAlives: true,
-			ForceAttemptHTTP2: false,
-			DialContext: (&net.Dialer{
-				Timeout:   common.DialTimeout,
-				KeepAlive: common.KeepAlive, // this is different from DisableKeepAlives
-			}).DialContext,
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		},
-	}
-
-	Get  = httpClient.Get
-	Post = httpClient.Post
-	Head = httpClient.Head
-)
--- a/internal/api/v1/utils/logging.go
+++ b/internal/api/v1/utils/logging.go
@@ -1,20 +0,0 @@
-package utils
-
-import (
-	"net/http"
-
-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal/logging"
-)
-
-func reqLogger(r *http.Request, level zerolog.Level) *zerolog.Event {
-	return logging.WithLevel(level).
-		Str("module", "api").
-		Str("remote", r.RemoteAddr).
-		Str("uri", r.Method+" "+r.RequestURI)
-}
-
-func LogError(r *http.Request) *zerolog.Event { return reqLogger(r, zerolog.ErrorLevel) }
-func LogWarn(r *http.Request) *zerolog.Event  { return reqLogger(r, zerolog.WarnLevel) }
-func LogInfo(r *http.Request) *zerolog.Event  { return reqLogger(r, zerolog.InfoLevel) }
-func LogDebug(r *http.Request) *zerolog.Event { return reqLogger(r, zerolog.DebugLevel) }
--- a/internal/api/v1/utils/utils.go
+++ b/internal/api/v1/utils/utils.go
@@ -1,48 +0,0 @@
-package utils
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
-)
-
-func WriteBody(w http.ResponseWriter, body []byte) {
-	if _, err := w.Write(body); err != nil {
-		HandleErr(w, nil, err)
-	}
-}
-
-func RespondJSON(w http.ResponseWriter, r *http.Request, data any, code ...int) (canProceed bool) {
-	if len(code) > 0 {
-		w.WriteHeader(code[0])
-	}
-	w.Header().Set("Content-Type", "application/json")
-	var j []byte
-	var err error
-
-	switch data := data.(type) {
-	case string:
-		j = []byte(fmt.Sprintf("%q", data))
-	case []byte:
-		j = data
-	case error:
-		j, err = json.Marshal(ansi.StripANSI(data.Error()))
-	default:
-		j, err = json.MarshalIndent(data, "", "  ")
-	}
-
-	if err != nil {
-		logging.Panic().Err(err).Msg("failed to marshal json")
-		return false
-	}
-
-	_, err = w.Write(j)
-	if err != nil {
-		HandleErr(w, r, err)
-		return false
-	}
-	return true
-}
--- a/internal/api/v1/version.go
+++ b/internal/api/v1/version.go
@@ -1,12 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	. "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/pkg"
-)
-
-func GetVersion(w http.ResponseWriter, r *http.Request) {
-	WriteBody(w, []byte(pkg.GetVersion()))
-}
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -1,120 +0,0 @@
-package autocert
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/x509"
-	"os"
-
-	"github.com/go-acme/lego/v4/certcrypto"
-	"github.com/go-acme/lego/v4/lego"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-
-	"github.com/yusing/go-proxy/internal/config/types"
-)
-
-type Config types.AutoCertConfig
-
-var (
-	ErrMissingDomain   = E.New("missing field 'domains'")
-	ErrMissingEmail    = E.New("missing field 'email'")
-	ErrMissingProvider = E.New("missing field 'provider'")
-	ErrUnknownProvider = E.New("unknown provider")
-)
-
-func NewConfig(cfg *types.AutoCertConfig) *Config {
-	if cfg == nil {
-		cfg = new(types.AutoCertConfig)
-	}
-	if cfg.CertPath == "" {
-		cfg.CertPath = CertFileDefault
-	}
-	if cfg.KeyPath == "" {
-		cfg.KeyPath = KeyFileDefault
-	}
-	if cfg.Provider == "" {
-		cfg.Provider = ProviderLocal
-	}
-	if cfg.ACMEKeyPath == "" {
-		cfg.ACMEKeyPath = ACMEKeyFileDefault
-	}
-	return (*Config)(cfg)
-}
-
-func (cfg *Config) GetProvider() (*Provider, E.Error) {
-	b := E.NewBuilder("autocert errors")
-
-	if cfg.Provider != ProviderLocal {
-		if len(cfg.Domains) == 0 {
-			b.Add(ErrMissingDomain)
-		}
-		if cfg.Provider == "" {
-			b.Add(ErrMissingProvider)
-		}
-		if cfg.Email == "" {
-			b.Add(ErrMissingEmail)
-		}
-		// check if provider is implemented
-		_, ok := providersGenMap[cfg.Provider]
-		if !ok {
-			b.Add(ErrUnknownProvider.
-				Subject(cfg.Provider).
-				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providersGenMap))))
-		}
-	}
-
-	if b.HasError() {
-		return nil, b.Error()
-	}
-
-	var privKey *ecdsa.PrivateKey
-	var err error
-
-	if cfg.Provider != ProviderLocal {
-		if privKey, err = cfg.loadACMEKey(); err != nil {
-			logging.Info().Err(err).Msg("load ACME private key failed")
-			logging.Info().Msg("generate new ACME private key")
-			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-			if err != nil {
-				return nil, E.New("generate ACME private key").With(err)
-			}
-			if err = cfg.saveACMEKey(privKey); err != nil {
-				return nil, E.New("save ACME private key").With(err)
-			}
-		}
-	}
-
-	user := &User{
-		Email: cfg.Email,
-		key:   privKey,
-	}
-
-	legoCfg := lego.NewConfig(user)
-	legoCfg.Certificate.KeyType = certcrypto.RSA2048
-
-	return &Provider{
-		cfg:     cfg,
-		user:    user,
-		legoCfg: legoCfg,
-	}, nil
-}
-
-func (cfg *Config) loadACMEKey() (*ecdsa.PrivateKey, error) {
-	data, err := os.ReadFile(cfg.ACMEKeyPath)
-	if err != nil {
-		return nil, err
-	}
-	return x509.ParseECPrivateKey(data)
-}
-
-func (cfg *Config) saveACMEKey(key *ecdsa.PrivateKey) error {
-	data, err := x509.MarshalECPrivateKey(key)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
-}
--- a/internal/autocert/constants.go
+++ b/internal/autocert/constants.go
@@ -1,31 +0,0 @@
-package autocert
-
-import (
-	"github.com/go-acme/lego/v4/providers/dns/clouddns"
-	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
-	"github.com/go-acme/lego/v4/providers/dns/duckdns"
-	"github.com/go-acme/lego/v4/providers/dns/ovh"
-)
-
-const (
-	certBasePath       = "certs/"
-	CertFileDefault    = certBasePath + "cert.crt"
-	KeyFileDefault     = certBasePath + "priv.key"
-	ACMEKeyFileDefault = certBasePath + "acme.key"
-)
-
-const (
-	ProviderLocal      = "local"
-	ProviderCloudflare = "cloudflare"
-	ProviderClouddns   = "clouddns"
-	ProviderDuckdns    = "duckdns"
-	ProviderOVH        = "ovh"
-)
-
-var providersGenMap = map[string]ProviderGenerator{
-	ProviderLocal:      providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderCloudflare: providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-	ProviderClouddns:   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
-	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
-	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
-}
--- a/internal/autocert/dummy.go
+++ b/internal/autocert/dummy.go
@@ -1,20 +0,0 @@
-package autocert
-
-type DummyConfig struct{}
-type DummyProvider struct{}
-
-func NewDummyDefaultConfig() *DummyConfig {
-	return &DummyConfig{}
-}
-
-func NewDummyDNSProviderConfig(*DummyConfig) (*DummyProvider, error) {
-	return &DummyProvider{}, nil
-}
-
-func (DummyProvider) Present(domain, token, keyAuth string) error {
-	return nil
-}
-
-func (DummyProvider) CleanUp(domain, token, keyAuth string) error {
-	return nil
-}
--- a/internal/autocert/logger.go
+++ b/internal/autocert/logger.go
@@ -1,5 +0,0 @@
-package autocert
-
-import "github.com/yusing/go-proxy/internal/logging"
-
-var logger = logging.With().Str("module", "autocert").Logger()
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -1,315 +0,0 @@
-package autocert
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"os"
-	"path"
-	"reflect"
-	"sort"
-	"time"
-
-	"github.com/go-acme/lego/v4/certificate"
-	"github.com/go-acme/lego/v4/challenge"
-	"github.com/go-acme/lego/v4/lego"
-	"github.com/go-acme/lego/v4/registration"
-	"github.com/yusing/go-proxy/internal/config/types"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type (
-	Provider struct {
-		cfg     *Config
-		user    *User
-		legoCfg *lego.Config
-		client  *lego.Client
-
-		legoCert     *certificate.Resource
-		tlsCert      *tls.Certificate
-		certExpiries CertExpiries
-	}
-	ProviderGenerator func(types.AutocertProviderOpt) (challenge.Provider, E.Error)
-
-	CertExpiries map[string]time.Time
-)
-
-var ErrGetCertFailure = errors.New("get certificate failed")
-
-func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if p.tlsCert == nil {
-		return nil, ErrGetCertFailure
-	}
-	return p.tlsCert, nil
-}
-
-func (p *Provider) GetName() string {
-	return p.cfg.Provider
-}
-
-func (p *Provider) GetCertPath() string {
-	return p.cfg.CertPath
-}
-
-func (p *Provider) GetKeyPath() string {
-	return p.cfg.KeyPath
-}
-
-func (p *Provider) GetExpiries() CertExpiries {
-	return p.certExpiries
-}
-
-func (p *Provider) ObtainCert() E.Error {
-	if p.cfg.Provider == ProviderLocal {
-		return nil
-	}
-
-	if p.client == nil {
-		if err := p.initClient(); err != nil {
-			return err
-		}
-	}
-
-	if p.user.Registration == nil {
-		if err := p.registerACME(); err != nil {
-			return E.From(err)
-		}
-	}
-
-	var cert *certificate.Resource
-	var err error
-
-	if p.legoCert != nil {
-		cert, err = p.client.Certificate.RenewWithOptions(*p.legoCert, &certificate.RenewOptions{
-			Bundle: true,
-		})
-		if err != nil {
-			p.legoCert = nil
-			logger.Err(err).Msg("cert renew failed, fallback to obtain")
-		} else {
-			p.legoCert = cert
-		}
-	}
-
-	if cert == nil {
-		cert, err = p.client.Certificate.Obtain(certificate.ObtainRequest{
-			Domains: p.cfg.Domains,
-			Bundle:  true,
-		})
-		if err != nil {
-			return E.From(err)
-		}
-	}
-
-	if err = p.saveCert(cert); err != nil {
-		return E.From(err)
-	}
-
-	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
-	if err != nil {
-		return E.From(err)
-	}
-
-	expiries, err := getCertExpiries(&tlsCert)
-	if err != nil {
-		return E.From(err)
-	}
-	p.tlsCert = &tlsCert
-	p.certExpiries = expiries
-
-	return nil
-}
-
-func (p *Provider) LoadCert() E.Error {
-	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
-	if err != nil {
-		return E.Errorf("load SSL certificate: %w", err)
-	}
-	expiries, err := getCertExpiries(&cert)
-	if err != nil {
-		return E.Errorf("parse SSL certificate: %w", err)
-	}
-	p.tlsCert = &cert
-	p.certExpiries = expiries
-
-	logger.Info().Msgf("next renewal in %v", strutils.FormatDuration(time.Until(p.ShouldRenewOn())))
-	return p.renewIfNeeded()
-}
-
-// ShouldRenewOn returns the time at which the certificate should be renewed.
-func (p *Provider) ShouldRenewOn() time.Time {
-	for _, expiry := range p.certExpiries {
-		return expiry.AddDate(0, -1, 0) // 1 month before
-	}
-	// this line should never be reached
-	panic("no certificate available")
-}
-
-func (p *Provider) ScheduleRenewal() {
-	if p.GetName() == ProviderLocal {
-		return
-	}
-	go func() {
-		task := task.RootTask("cert-renew-scheduler", true)
-		defer task.Finish(nil)
-
-		for {
-			renewalTime := p.ShouldRenewOn()
-			timer := time.NewTimer(time.Until(renewalTime))
-
-			select {
-			case <-task.Context().Done():
-				timer.Stop()
-				return
-			case <-timer.C:
-				if err := p.renewIfNeeded(); err != nil {
-					E.LogWarn("cert renew failed", err, &logger)
-					// Retry after 1 hour on failure
-					time.Sleep(time.Hour)
-				}
-			}
-		}
-	}()
-}
-
-func (p *Provider) initClient() E.Error {
-	legoClient, err := lego.NewClient(p.legoCfg)
-	if err != nil {
-		return E.From(err)
-	}
-
-	generator := providersGenMap[p.cfg.Provider]
-	legoProvider, pErr := generator(p.cfg.Options)
-	if pErr != nil {
-		return pErr
-	}
-
-	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
-	if err != nil {
-		return E.From(err)
-	}
-
-	p.client = legoClient
-	return nil
-}
-
-func (p *Provider) registerACME() error {
-	if p.user.Registration != nil {
-		return nil
-	}
-	if reg, err := p.client.Registration.ResolveAccountByKey(); err == nil {
-		p.user.Registration = reg
-		logger.Info().Msg("reused acme registration from private key")
-		return nil
-	}
-
-	reg, err := p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
-	if err != nil {
-		return err
-	}
-	p.user.Registration = reg
-	logger.Info().Interface("reg", reg).Msg("acme registered")
-	return nil
-}
-
-func (p *Provider) saveCert(cert *certificate.Resource) error {
-	/* This should have been done in setup
-	but double check is always a good choice.*/
-	_, err := os.Stat(path.Dir(p.cfg.CertPath))
-	if err != nil {
-		if os.IsNotExist(err) {
-			if err = os.MkdirAll(path.Dir(p.cfg.CertPath), 0o755); err != nil {
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-	err = os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(p.cfg.CertPath, cert.Certificate, 0o644) // -rw-r--r--
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (p *Provider) certState() CertState {
-	if time.Now().After(p.ShouldRenewOn()) {
-		return CertStateExpired
-	}
-
-	certDomains := make([]string, len(p.certExpiries))
-	wantedDomains := make([]string, len(p.cfg.Domains))
-	i := 0
-	for domain := range p.certExpiries {
-		certDomains[i] = domain
-		i++
-	}
-	copy(wantedDomains, p.cfg.Domains)
-	sort.Strings(wantedDomains)
-	sort.Strings(certDomains)
-
-	if !reflect.DeepEqual(certDomains, wantedDomains) {
-		logger.Info().Msgf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
-		return CertStateMismatch
-	}
-
-	return CertStateValid
-}
-
-func (p *Provider) renewIfNeeded() E.Error {
-	if p.cfg.Provider == ProviderLocal {
-		return nil
-	}
-
-	switch p.certState() {
-	case CertStateExpired:
-		logger.Info().Msg("certs expired, renewing")
-	case CertStateMismatch:
-		logger.Info().Msg("cert domains mismatch with config, renewing")
-	default:
-		return nil
-	}
-
-	return p.ObtainCert()
-}
-
-func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
-	r := make(CertExpiries, len(cert.Certificate))
-	for _, cert := range cert.Certificate {
-		x509Cert, err := x509.ParseCertificate(cert)
-		if err != nil {
-			return nil, err
-		}
-		if x509Cert.IsCA {
-			continue
-		}
-		r[x509Cert.Subject.CommonName] = x509Cert.NotAfter
-		for i := range x509Cert.DNSNames {
-			r[x509Cert.DNSNames[i]] = x509Cert.NotAfter
-		}
-	}
-	return r, nil
-}
-
-func providerGenerator[CT any, PT challenge.Provider](
-	defaultCfg func() *CT,
-	newProvider func(*CT) (PT, error),
-) ProviderGenerator {
-	return func(opt types.AutocertProviderOpt) (challenge.Provider, E.Error) {
-		cfg := defaultCfg()
-		err := U.Deserialize(opt, cfg)
-		if err != nil {
-			return nil, err
-		}
-		p, pErr := newProvider(cfg)
-		return p, E.From(pErr)
-	}
-}
--- a/internal/autocert/provider_test/ovh_test.go
+++ b/internal/autocert/provider_test/ovh_test.go
@@ -1,50 +0,0 @@
-package provider_test
-
-import (
-	"testing"
-
-	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	U "github.com/yusing/go-proxy/internal/utils"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-	"gopkg.in/yaml.v3"
-)
-
-// type Config struct {
-// 	APIEndpoint string
-
-// 	ApplicationKey    string
-// 	ApplicationSecret string
-// 	ConsumerKey       string
-
-// 	OAuth2Config *OAuth2Config
-
-// 	PropagationTimeout time.Duration
-// 	PollingInterval    time.Duration
-// 	TTL                int
-// 	HTTPClient         *http.Client
-// }
-
-func TestOVH(t *testing.T) {
-	cfg := &ovh.Config{}
-	testYaml := `
-api_endpoint: https://eu.api.ovh.com
-application_key: <application_key>
-application_secret: <application_secret>
-consumer_key: <consumer_key>
-oauth2_config:
-  client_id: <client_id>
-  client_secret: <client_secret>
-`
-	cfgExpected := &ovh.Config{
-		APIEndpoint:       "https://eu.api.ovh.com",
-		ApplicationKey:    "<application_key>",
-		ApplicationSecret: "<application_secret>",
-		ConsumerKey:       "<consumer_key>",
-		OAuth2Config:      &ovh.OAuth2Config{ClientID: "<client_id>", ClientSecret: "<client_secret>"},
-	}
-	testYaml = testYaml[1:] // remove first \n
-	opt := make(map[string]any)
-	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), opt))
-	ExpectNoError(t, U.Deserialize(opt, cfg))
-	ExpectDeepEqual(t, cfg, cfgExpected)
-}
--- a/internal/autocert/setup.go
+++ b/internal/autocert/setup.go
@@ -1,29 +0,0 @@
-package autocert
-
-import (
-	"os"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-func (p *Provider) Setup() (err E.Error) {
-	if err = p.LoadCert(); err != nil {
-		if !err.Is(os.ErrNotExist) { // ignore if cert doesn't exist
-			return err
-		}
-		logger.Debug().Msg("obtaining cert due to error loading cert")
-		if err = p.ObtainCert(); err != nil {
-			return err
-		}
-	}
-
-	p.ScheduleRenewal()
-
-	for _, expiry := range p.GetExpiries() {
-		logger.Info().Msg("certificate expire on " + strutils.FormatTime(expiry))
-		break
-	}
-
-	return nil
-}
--- a/internal/autocert/state.go
+++ b/internal/autocert/state.go
@@ -1,9 +0,0 @@
-package autocert
-
-type CertState int
-
-const (
-	CertStateValid CertState = iota
-	CertStateExpired
-	CertStateMismatch
-)
--- a/internal/autocert/user.go
+++ b/internal/autocert/user.go
@@ -1,23 +0,0 @@
-package autocert
-
-import (
-	"crypto"
-
-	"github.com/go-acme/lego/v4/registration"
-)
-
-type User struct {
-	Email        string
-	Registration *registration.Resource
-	key          crypto.PrivateKey
-}
-
-func (u *User) GetEmail() string {
-	return u.Email
-}
-func (u *User) GetRegistration() *registration.Resource {
-	return u.Registration
-}
-func (u *User) GetPrivateKey() crypto.PrivateKey {
-	return u.key
-}
--- a/internal/common/args.go
+++ b/internal/common/args.go
@@ -1,56 +0,0 @@
-package common
-
-import (
-	"flag"
-	"fmt"
-	"log"
-)
-
-type Args struct {
-	Command string
-}
-
-const (
-	CommandStart              = ""
-	CommandSetup              = "setup"
-	CommandValidate           = "validate"
-	CommandListConfigs        = "ls-config"
-	CommandListRoutes         = "ls-routes"
-	CommandListIcons          = "ls-icons"
-	CommandReload             = "reload"
-	CommandDebugListEntries   = "debug-ls-entries"
-	CommandDebugListProviders = "debug-ls-providers"
-	CommandDebugListMTrace    = "debug-ls-mtrace"
-)
-
-var ValidCommands = []string{
-	CommandStart,
-	CommandSetup,
-	CommandValidate,
-	CommandListConfigs,
-	CommandListRoutes,
-	CommandListIcons,
-	CommandReload,
-	CommandDebugListEntries,
-	CommandDebugListProviders,
-	CommandDebugListMTrace,
-}
-
-func GetArgs() Args {
-	var args Args
-	flag.Parse()
-	args.Command = flag.Arg(0)
-	if err := validateArg(args.Command); err != nil {
-		log.Fatalf("invalid command: %s", err)
-	}
-	return args
-}
-
-func validateArg(arg string) error {
-	for _, v := range ValidCommands {
-		if arg == v {
-			return nil
-		}
-	}
-	return fmt.Errorf("invalid command %q", arg)
-}
--- a/internal/common/constants.go
+++ b/internal/common/constants.go
@@ -1,56 +0,0 @@
-package common
-
-import (
-	"time"
-)
-
-const (
-	ConnectionTimeout = 5 * time.Second
-	DialTimeout       = 3 * time.Second
-	KeepAlive         = 60 * time.Second
-)
-
-// file, folder structure
-
-const (
-	DotEnvPath        = ".env"
-	DotEnvExamplePath = ".env.example"
-
-	ConfigBasePath        = "config"
-	ConfigFileName        = "config.yml"
-	ConfigExampleFileName = "config.example.yml"
-	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
-
-	JWTKeyPath = ConfigBasePath + "/jwt.key"
-
-	MiddlewareComposeBasePath = ConfigBasePath + "/middlewares"
-
-	SchemaBasePath         = "schema"
-	ConfigSchemaPath       = SchemaBasePath + "/config.schema.json"
-	FileProviderSchemaPath = SchemaBasePath + "/providers.schema.json"
-
-	ComposeFileName        = "compose.yml"
-	ComposeExampleFileName = "compose.example.yml"
-
-	ErrorPagesBasePath = "error_pages"
-)
-
-var RequiredDirectories = []string{
-	ConfigBasePath,
-	SchemaBasePath,
-	ErrorPagesBasePath,
-	MiddlewareComposeBasePath,
-}
-
-const DockerHostFromEnv = "$DOCKER_HOST"
-
-const (
-	HealthCheckIntervalDefault = 5 * time.Second
-	HealthCheckTimeoutDefault  = 5 * time.Second
-
-	WakeTimeoutDefault = "30s"
-	StopTimeoutDefault = "10s"
-	StopMethodDefault  = "stop"
-)
-
-const HeaderCheckRedirect = "X-Goproxy-Check-Redirect"
--- a/internal/common/crypto.go
+++ b/internal/common/crypto.go
@@ -1,25 +0,0 @@
-package common
-
-import (
-	"crypto/sha512"
-	"encoding/base64"
-
-	"github.com/rs/zerolog/log"
-)
-
-func HashPassword(pwd string) []byte {
-	h := sha512.New()
-	h.Write([]byte(pwd))
-	return h.Sum(nil)
-}
-
-func decodeJWTKey(key string) []byte {
-	if key == "" {
-		return nil
-	}
-	bytes, err := base64.StdEncoding.DecodeString(key)
-	if err != nil {
-		log.Panic().Err(err).Msg("failed to decode jwt key")
-	}
-	return bytes
-}
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -1,98 +0,0 @@
-package common
-
-import (
-	"fmt"
-	"net"
-	"os"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/rs/zerolog/log"
-)
-
-var (
-	prefixes = []string{"GODOXY_", "GOPROXY_", ""}
-
-	IsTest          = GetEnvBool("TEST", false) || strings.HasSuffix(os.Args[0], ".test")
-	IsDebug         = GetEnvBool("DEBUG", IsTest)
-	IsDebugSkipAuth = GetEnvBool("DEBUG_SKIP_AUTH", false)
-	IsTrace         = GetEnvBool("TRACE", false) && IsDebug
-	IsProduction    = !IsTest && !IsDebug
-
-	ProxyHTTPAddr,
-	ProxyHTTPHost,
-	ProxyHTTPPort,
-	ProxyHTTPURL = GetAddrEnv("HTTP_ADDR", ":80", "http")
-
-	ProxyHTTPSAddr,
-	ProxyHTTPSHost,
-	ProxyHTTPSPort,
-	ProxyHTTPSURL = GetAddrEnv("HTTPS_ADDR", ":443", "https")
-
-	APIHTTPAddr,
-	APIHTTPHost,
-	APIHTTPPort,
-	APIHTTPURL = GetAddrEnv("API_ADDR", "127.0.0.1:8888", "http")
-
-	MetricsHTTPAddr,
-	MetricsHTTPHost,
-	MetricsHTTPPort,
-	MetricsHTTPURL = GetAddrEnv("PROMETHEUS_ADDR", "", "http")
-	PrometheusEnabled = MetricsHTTPURL != ""
-
-	APIJWTSecret    = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
-	APIJWTTokenTTL  = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
-	APIUser         = GetEnvString("API_USER", "admin")
-	APIPasswordHash = HashPassword(GetEnvString("API_PASSWORD", "password"))
-)
-
-func GetEnv[T any](key string, defaultValue T, parser func(string) (T, error)) T {
-	var value string
-	var ok bool
-	for _, prefix := range prefixes {
-		value, ok = os.LookupEnv(prefix + key)
-		if ok && value != "" {
-			break
-		}
-	}
-	if !ok || value == "" {
-		return defaultValue
-	}
-	parsed, err := parser(value)
-	if err == nil {
-		return parsed
-	}
-	log.Fatal().Err(err).Msgf("env %s: invalid %T value: %s", key, parsed, value)
-	return defaultValue
-}
-
-func GetEnvString(key string, defaultValue string) string {
-	return GetEnv(key, defaultValue, func(s string) (string, error) {
-		return s, nil
-	})
-}
-
-func GetEnvBool(key string, defaultValue bool) bool {
-	return GetEnv(key, defaultValue, strconv.ParseBool)
-}
-
-func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL string) {
-	addr = GetEnvString(key, defaultValue)
-	if addr == "" {
-		return
-	}
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		log.Fatal().Msgf("env %s: invalid address: %s", key, addr)
-	}
-	if host == "" {
-		host = "localhost"
-	}
-	fullURL = fmt.Sprintf("%s://%s:%s", scheme, host, port)
-	return
-}
-
-func GetDurationEnv(key string, defaultValue time.Duration) time.Duration {
-	return GetEnv(key, defaultValue, time.ParseDuration)
-}
--- a/internal/common/ports.go
+++ b/internal/common/ports.go
@@ -1,75 +0,0 @@
-package common
-
-var (
-	WellKnownHTTPPorts = map[string]bool{
-		"80":   true,
-		"8000": true,
-		"8008": true,
-		"8080": true,
-		"3000": true,
-	}
-
-	ServiceNamePortMapTCP = map[string]int{
-		"mssql":            1433,
-		"mysql":            3306,
-		"mariadb":          3306,
-		"postgres":         5432,
-		"rabbitmq":         5672,
-		"redis":            6379,
-		"memcached":        11211,
-		"mongo":            27017,
-		"minecraft-server": 25565,
-
-		"ssh":  22,
-		"ftp":  21,
-		"smtp": 25,
-		"dns":  53,
-		"pop3": 110,
-		"imap": 143,
-	}
-
-	ImageNamePortMap = func() (m map[string]int) {
-		m = make(map[string]int, len(ServiceNamePortMapTCP)+len(imageNamePortMap))
-		for k, v := range ServiceNamePortMapTCP {
-			m[k] = v
-		}
-		for k, v := range imageNamePortMap {
-			m[k] = v
-		}
-		return
-	}()
-
-	imageNamePortMap = map[string]int{
-		"adguardhome":         3000,
-		"bazarr":              6767,
-		"calibre-web":         8083,
-		"changedetection.io":  3000,
-		"dockge":              5001,
-		"gitea":               3000,
-		"gogs":                3000,
-		"grafana":             3000,
-		"home-assistant":      8123,
-		"homebridge":          8581,
-		"httpd":               80,
-		"immich":              3001,
-		"jellyfin":            8096,
-		"lidarr":              8686,
-		"microbin":            8080,
-		"nginx":               80,
-		"nginx-proxy-manager": 81,
-		"open-webui":          8080,
-		"plex":                32400,
-		"portainer-be":        9443,
-		"portainer-ce":        9443,
-		"prometheus":          9090,
-		"prowlarr":            9696,
-		"radarr":              7878,
-		"radarr-sma":          7878,
-		"rsshub":              1200,
-		"rss-bridge":          80,
-		"sonarr":              8989,
-		"sonarr-sma":          8989,
-		"uptime-kuma":         3001,
-		"whisparr":            6969,
-	}
-)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,243 +0,0 @@
-package config
-
-import (
-	"os"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/autocert"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/entrypoint"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/notif"
-	proxy "github.com/yusing/go-proxy/internal/route/provider"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
-	F "github.com/yusing/go-proxy/internal/utils/functional"
-	"github.com/yusing/go-proxy/internal/watcher"
-	"github.com/yusing/go-proxy/internal/watcher/events"
-)
-
-type Config struct {
-	value            *types.Config
-	providers        F.Map[string, *proxy.Provider]
-	autocertProvider *autocert.Provider
-	task             *task.Task
-}
-
-var (
-	instance   *Config
-	cfgWatcher watcher.Watcher
-	logger     = logging.With().Str("module", "config").Logger()
-	reloadMu   sync.Mutex
-)
-
-const configEventFlushInterval = 500 * time.Millisecond
-
-const (
-	cfgRenameWarn = `Config file renamed, not reloading.
-Make sure you rename it back before next time you start.`
-	cfgDeleteWarn = `Config file deleted, not reloading.
-You may run "ls-config" to show or dump the current config.`
-)
-
-func GetInstance() *Config {
-	return instance
-}
-
-func newConfig() *Config {
-	return &Config{
-		value:     types.DefaultConfig(),
-		providers: F.NewMapOf[string, *proxy.Provider](),
-		task:      task.RootTask("config", false),
-	}
-}
-
-func Load() (*Config, E.Error) {
-	if instance != nil {
-		return instance, nil
-	}
-	instance = newConfig()
-	cfgWatcher = watcher.NewConfigFileWatcher(common.ConfigFileName)
-	return instance, instance.load()
-}
-
-func Validate(data []byte) E.Error {
-	var model types.Config
-	return utils.DeserializeYAML(data, &model)
-}
-
-func MatchDomains() []string {
-	return instance.value.MatchDomains
-}
-
-func WatchChanges() {
-	t := task.RootTask("config_watcher", true)
-	eventQueue := events.NewEventQueue(
-		t,
-		configEventFlushInterval,
-		OnConfigChange,
-		func(err E.Error) {
-			E.LogError("config reload error", err, &logger)
-		},
-	)
-	eventQueue.Start(cfgWatcher.Events(t.Context()))
-}
-
-func OnConfigChange(ev []events.Event) {
-	// no matter how many events during the interval
-	// just reload once and check the last event
-	switch ev[len(ev)-1].Action {
-	case events.ActionFileRenamed:
-		logger.Warn().Msg(cfgRenameWarn)
-		return
-	case events.ActionFileDeleted:
-		logger.Warn().Msg(cfgDeleteWarn)
-		return
-	}
-
-	if err := Reload(); err != nil {
-		// recovered in event queue
-		panic(err)
-	}
-}
-
-func Reload() E.Error {
-	// avoid race between config change and API reload request
-	reloadMu.Lock()
-	defer reloadMu.Unlock()
-
-	newCfg := newConfig()
-	err := newCfg.load()
-	if err != nil {
-		newCfg.task.Finish(err)
-		return err
-	}
-
-	// cancel all current subtasks -> wait
-	// -> replace config -> start new subtasks
-	instance.task.Finish("config changed")
-	instance = newCfg
-	instance.StartProxyProviders()
-	return nil
-}
-
-func Value() types.Config {
-	return *instance.value
-}
-
-func GetAutoCertProvider() *autocert.Provider {
-	return instance.autocertProvider
-}
-
-func (cfg *Config) Task() *task.Task {
-	return cfg.task
-}
-
-func (cfg *Config) StartProxyProviders() {
-	errs := cfg.providers.CollectErrorsParallel(
-		func(_ string, p *proxy.Provider) error {
-			return p.Start(cfg.task)
-		})
-
-	if err := E.Join(errs...); err != nil {
-		E.LogError("route provider errors", err, &logger)
-	}
-}
-
-func (cfg *Config) load() E.Error {
-	const errMsg = "config load error"
-
-	data, err := os.ReadFile(common.ConfigPath)
-	if err != nil {
-		E.LogFatal(errMsg, err, &logger)
-	}
-
-	model := types.DefaultConfig()
-	if err := utils.DeserializeYAML(data, model); err != nil {
-		E.LogFatal(errMsg, err, &logger)
-	}
-
-	// errors are non fatal below
-	errs := E.NewBuilder(errMsg)
-	errs.Add(entrypoint.SetMiddlewares(model.Entrypoint.Middlewares))
-	errs.Add(entrypoint.SetAccessLogger(cfg.task, model.Entrypoint.AccessLog))
-	errs.Add(cfg.initNotification(model.Providers.Notification))
-	errs.Add(cfg.initAutoCert(model.AutoCert))
-	errs.Add(cfg.loadRouteProviders(&model.Providers))
-
-	cfg.value = model
-	for i, domain := range model.MatchDomains {
-		if !strings.HasPrefix(domain, ".") {
-			model.MatchDomains[i] = "." + domain
-		}
-	}
-	entrypoint.SetFindRouteDomains(model.MatchDomains)
-	return errs.Error()
-}
-
-func (cfg *Config) initNotification(notifCfg []types.NotificationConfig) (err E.Error) {
-	if len(notifCfg) == 0 {
-		return
-	}
-	dispatcher := notif.StartNotifDispatcher(cfg.task)
-	errs := E.NewBuilder("notification providers load errors")
-	for i, notifier := range notifCfg {
-		_, err := dispatcher.RegisterProvider(notifier)
-		if err == nil {
-			continue
-		}
-		errs.Add(err.Subjectf("[%d]", i))
-	}
-	return errs.Error()
-}
-
-func (cfg *Config) initAutoCert(autocertCfg *types.AutoCertConfig) (err E.Error) {
-	if cfg.autocertProvider != nil {
-		return
-	}
-
-	cfg.autocertProvider, err = autocert.NewConfig(autocertCfg).GetProvider()
-	return
-}
-
-func (cfg *Config) loadRouteProviders(providers *types.Providers) E.Error {
-	errs := E.NewBuilder("route provider errors")
-	results := E.NewBuilder("loaded route providers")
-
-	lenLongestName := 0
-	for _, filename := range providers.Files {
-		p, err := proxy.NewFileProvider(filename)
-		if err != nil {
-			errs.Add(E.PrependSubject(filename, err))
-			continue
-		}
-		cfg.providers.Store(p.GetName(), p)
-		if len(p.GetName()) > lenLongestName {
-			lenLongestName = len(p.GetName())
-		}
-	}
-	for name, dockerHost := range providers.Docker {
-		p, err := proxy.NewDockerProvider(name, dockerHost)
-		if err != nil {
-			errs.Add(E.PrependSubject(name, err))
-			continue
-		}
-		cfg.providers.Store(p.GetName(), p)
-		if len(p.GetName()) > lenLongestName {
-			lenLongestName = len(p.GetName())
-		}
-	}
-	cfg.providers.RangeAllParallel(func(_ string, p *proxy.Provider) {
-		if err := p.LoadRoutes(); err != nil {
-			errs.Add(err.Subject(p.String()))
-		}
-		results.Addf("%-"+strconv.Itoa(lenLongestName)+"s %d routes", p.GetName(), p.NumRoutes())
-	})
-	logger.Info().Msg(results.String())
-	return errs.Error()
-}
--- a/internal/config/query.go
+++ b/internal/config/query.go
@@ -1,138 +0,0 @@
-package config
-
-import (
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/homepage"
-	route "github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/route/entry"
-	proxy "github.com/yusing/go-proxy/internal/route/provider"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	"github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-func DumpEntries() map[string]*types.RawEntry {
-	entries := make(map[string]*types.RawEntry)
-	instance.providers.RangeAll(func(_ string, p *proxy.Provider) {
-		p.RangeRoutes(func(alias string, r *route.Route) {
-			entries[alias] = r.Entry
-		})
-	})
-	return entries
-}
-
-func DumpProviders() map[string]*proxy.Provider {
-	entries := make(map[string]*proxy.Provider)
-	instance.providers.RangeAll(func(name string, p *proxy.Provider) {
-		entries[name] = p
-	})
-	return entries
-}
-
-func HomepageConfig() homepage.Config {
-	hpCfg := homepage.NewHomePageConfig()
-	routes.GetHTTPRoutes().RangeAll(func(alias string, r types.HTTPRoute) {
-		en := r.RawEntry()
-		item := en.Homepage
-		if item == nil {
-			item = new(homepage.Item)
-			item.Show = true
-		}
-
-		if !item.IsEmpty() {
-			item.Show = true
-		}
-
-		if !item.Show {
-			return
-		}
-
-		item.Alias = alias
-
-		if item.Name == "" {
-			item.Name = strutils.Title(
-				strings.ReplaceAll(
-					strings.ReplaceAll(alias, "-", " "),
-					"_", " ",
-				),
-			)
-		}
-
-		if instance.value.Homepage.UseDefaultCategories {
-			if en.Container != nil && item.Category == "" {
-				if category, ok := homepage.PredefinedCategories[en.Container.ImageName]; ok {
-					item.Category = category
-				}
-			}
-
-			if item.Category == "" {
-				if category, ok := homepage.PredefinedCategories[strings.ToLower(alias)]; ok {
-					item.Category = category
-				}
-			}
-		}
-
-		switch {
-		case entry.IsDocker(r):
-			if item.Category == "" {
-				item.Category = "Docker"
-			}
-			item.SourceType = string(proxy.ProviderTypeDocker)
-		case entry.UseLoadBalance(r):
-			if item.Category == "" {
-				item.Category = "Load-balanced"
-			}
-			item.SourceType = "loadbalancer"
-		default:
-			if item.Category == "" {
-				item.Category = "Others"
-			}
-			item.SourceType = string(proxy.ProviderTypeFile)
-		}
-
-		item.AltURL = r.TargetURL().String()
-		hpCfg.Add(item)
-	})
-	return hpCfg
-}
-
-func RoutesByAlias(typeFilter ...route.RouteType) map[string]any {
-	rts := make(map[string]any)
-	if len(typeFilter) == 0 || typeFilter[0] == "" {
-		typeFilter = []route.RouteType{route.RouteTypeReverseProxy, route.RouteTypeStream}
-	}
-	for _, t := range typeFilter {
-		switch t {
-		case route.RouteTypeReverseProxy:
-			routes.GetHTTPRoutes().RangeAll(func(alias string, r types.HTTPRoute) {
-				rts[alias] = r
-			})
-		case route.RouteTypeStream:
-			routes.GetStreamRoutes().RangeAll(func(alias string, r types.StreamRoute) {
-				rts[alias] = r
-			})
-		}
-	}
-	return rts
-}
-
-func Statistics() map[string]any {
-	nTotalStreams := 0
-	nTotalRPs := 0
-	providerStats := make(map[string]proxy.ProviderStats)
-
-	instance.providers.RangeAll(func(name string, p *proxy.Provider) {
-		stats := p.Statistics()
-		providerStats[name] = stats
-
-		nTotalRPs += stats.NumRPs
-		nTotalStreams += stats.NumStreams
-	})
-
-	return map[string]any{
-		"num_total_streams":         nTotalStreams,
-		"num_total_reverse_proxies": nTotalRPs,
-		"providers":                 providerStats,
-	}
-}
--- a/internal/config/types/autocert_config.go
+++ b/internal/config/types/autocert_config.go
@@ -1,14 +0,0 @@
-package types
-
-type (
-	AutoCertConfig struct {
-		Email       string              `json:"email,omitempty" validate:"email"`
-		Domains     []string            `json:"domains,omitempty"`
-		CertPath    string              `json:"cert_path,omitempty" validate:"omitempty,filepath"`
-		KeyPath     string              `json:"key_path,omitempty" validate:"omitempty,filepath"`
-		ACMEKeyPath string              `json:"acme_key_path,omitempty" validate:"omitempty,filepath"`
-		Provider    string              `json:"provider,omitempty"`
-		Options     AutocertProviderOpt `json:"options,omitempty"`
-	}
-	AutocertProviderOpt map[string]any
-)
--- a/internal/config/types/config.go
+++ b/internal/config/types/config.go
@@ -1,40 +0,0 @@
-package types
-
-import (
-	"github.com/yusing/go-proxy/internal/net/http/accesslog"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-type (
-	Config struct {
-		AutoCert        *AutoCertConfig `json:"autocert" validate:"omitempty"`
-		Entrypoint      Entrypoint      `json:"entrypoint"`
-		Providers       Providers       `json:"providers"`
-		MatchDomains    []string        `json:"match_domains" validate:"dive,fqdn"`
-		Homepage        HomepageConfig  `json:"homepage"`
-		TimeoutShutdown int             `json:"timeout_shutdown" validate:"gte=0"`
-	}
-	Providers struct {
-		Files        []string             `json:"include" validate:"dive,filepath"`
-		Docker       map[string]string    `json:"docker" validate:"dive,unix_addr|url"`
-		Notification []NotificationConfig `json:"notification"`
-	}
-	Entrypoint struct {
-		Middlewares []map[string]any  `json:"middlewares"`
-		AccessLog   *accesslog.Config `json:"access_log" validate:"omitempty"`
-	}
-	NotificationConfig map[string]any
-)
-
-func DefaultConfig() *Config {
-	return &Config{
-		TimeoutShutdown: 3,
-		Homepage: HomepageConfig{
-			UseDefaultCategories: true,
-		},
-	}
-}
-
-func init() {
-	utils.RegisterDefaultValueFactory(DefaultConfig)
-}
--- a/internal/config/types/homepage_config.go
+++ b/internal/config/types/homepage_config.go
@@ -1,5 +0,0 @@
-package types
-
-type HomepageConfig struct {
-	UseDefaultCategories bool `json:"use_default_categories"`
-}
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -1,138 +0,0 @@
-package docker
-
-import (
-	"errors"
-	"net/http"
-	"sync"
-
-	"github.com/docker/cli/cli/connhelper"
-	"github.com/docker/docker/client"
-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
-	F "github.com/yusing/go-proxy/internal/utils/functional"
-)
-
-type (
-	SharedClient struct {
-		*client.Client
-
-		key      string
-		refCount *U.RefCount
-
-		l zerolog.Logger
-	}
-)
-
-var (
-	clientMap   F.Map[string, *SharedClient] = F.NewMapOf[string, *SharedClient]()
-	clientMapMu sync.Mutex
-
-	clientOptEnvHost = []client.Opt{
-		client.WithHostFromEnv(),
-		client.WithAPIVersionNegotiation(),
-	}
-)
-
-func init() {
-	task.OnProgramExit("docker_clients_cleanup", func() {
-		clientMap.RangeAllParallel(func(_ string, c *SharedClient) {
-			if c.Connected() {
-				c.Client.Close()
-			}
-		})
-	})
-}
-
-func (c *SharedClient) Connected() bool {
-	return c != nil && c.Client != nil
-}
-
-// if the client is still referenced, this is no-op.
-func (c *SharedClient) Close() {
-	if c.Connected() {
-		c.refCount.Sub()
-	}
-}
-
-// ConnectClient creates a new Docker client connection to the specified host.
-//
-// Returns existing client if available.
-//
-// Parameters:
-//   - host: the host to connect to (either a URL or common.DockerHostFromEnv).
-//
-// Returns:
-//   - Client: the Docker client connection.
-//   - error: an error if the connection failed.
-func ConnectClient(host string) (*SharedClient, error) {
-	clientMapMu.Lock()
-	defer clientMapMu.Unlock()
-
-	// check if client exists
-	if client, ok := clientMap.Load(host); ok {
-		client.refCount.Add()
-		return client, nil
-	}
-
-	// create client
-	var opt []client.Opt
-
-	switch host {
-	case "":
-		return nil, errors.New("empty docker host")
-	case common.DockerHostFromEnv:
-		opt = clientOptEnvHost
-	default:
-		helper, err := connhelper.GetConnectionHelper(host)
-		if err != nil {
-			logging.Panic().Err(err).Msg("failed to get connection helper")
-		}
-		if helper != nil {
-			httpClient := &http.Client{
-				Transport: &http.Transport{
-					DialContext: helper.Dialer,
-				},
-			}
-			opt = []client.Opt{
-				client.WithHTTPClient(httpClient),
-				client.WithHost(helper.Host),
-				client.WithAPIVersionNegotiation(),
-				client.WithDialContext(helper.Dialer),
-			}
-		} else {
-			opt = []client.Opt{
-				client.WithHost(host),
-				client.WithAPIVersionNegotiation(),
-			}
-		}
-	}
-
-	client, err := client.NewClientWithOpts(opt...)
-	if err != nil {
-		return nil, err
-	}
-
-	c := &SharedClient{
-		Client:   client,
-		key:      host,
-		refCount: U.NewRefCounter(),
-		l:        logger.With().Str("address", client.DaemonHost()).Logger(),
-	}
-	c.l.Trace().Msg("client connected")
-
-	clientMap.Store(host, c)
-
-	go func() {
-		<-c.refCount.Zero()
-		clientMap.Delete(c.key)
-
-		if c.Connected() {
-			c.Client.Close()
-			c.l.Trace().Msg("client closed")
-		}
-	}()
-	return c, nil
-}
--- a/internal/docker/container.go
+++ b/internal/docker/container.go
@@ -1,144 +0,0 @@
-package docker
-
-import (
-	"net/url"
-	"strconv"
-	"strings"
-
-	"github.com/docker/docker/api/types"
-	U "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type (
-	PortMapping = map[string]types.Port
-	Container   struct {
-		_ U.NoCopy
-
-		DockerHost    string `json:"docker_host"`
-		ContainerName string `json:"container_name"`
-		ContainerID   string `json:"container_id"`
-		ImageName     string `json:"image_name"`
-
-		Labels map[string]string `json:"-"`
-
-		PublicPortMapping  PortMapping `json:"public_ports"`  // non-zero publicPort:types.Port
-		PrivatePortMapping PortMapping `json:"private_ports"` // privatePort:types.Port
-		PublicIP           string      `json:"public_ip"`
-		PrivateIP          string      `json:"private_ip"`
-		NetworkMode        string      `json:"network_mode"`
-
-		Aliases     []string `json:"aliases"`
-		IsExcluded  bool     `json:"is_excluded"`
-		IsExplicit  bool     `json:"is_explicit"`
-		IsDatabase  bool     `json:"is_database"`
-		IdleTimeout string   `json:"idle_timeout,omitempty"`
-		WakeTimeout string   `json:"wake_timeout,omitempty"`
-		StopMethod  string   `json:"stop_method,omitempty"`
-		StopTimeout string   `json:"stop_timeout,omitempty"` // stop_method = "stop" only
-		StopSignal  string   `json:"stop_signal,omitempty"`  // stop_method = "stop" | "kill" only
-		Running     bool     `json:"running"`
-	}
-)
-
-var DummyContainer = new(Container)
-
-func FromDocker(c *types.Container, dockerHost string) (res *Container) {
-	isExplicit := c.Labels[LabelAliases] != ""
-	helper := containerHelper{c}
-	res = &Container{
-		DockerHost:    dockerHost,
-		ContainerName: helper.getName(),
-		ContainerID:   c.ID,
-		ImageName:     helper.getImageName(),
-
-		Labels: c.Labels,
-
-		PublicPortMapping:  helper.getPublicPortMapping(),
-		PrivatePortMapping: helper.getPrivatePortMapping(),
-		NetworkMode:        c.HostConfig.NetworkMode,
-
-		Aliases:     helper.getAliases(),
-		IsExcluded:  strutils.ParseBool(helper.getDeleteLabel(LabelExclude)),
-		IsExplicit:  isExplicit,
-		IsDatabase:  helper.isDatabase(),
-		IdleTimeout: helper.getDeleteLabel(LabelIdleTimeout),
-		WakeTimeout: helper.getDeleteLabel(LabelWakeTimeout),
-		StopMethod:  helper.getDeleteLabel(LabelStopMethod),
-		StopTimeout: helper.getDeleteLabel(LabelStopTimeout),
-		StopSignal:  helper.getDeleteLabel(LabelStopSignal),
-		Running:     c.Status == "running" || c.State == "running",
-	}
-	res.setPrivateIP(helper)
-	res.setPublicIP()
-	return
-}
-
-func FromJSON(json types.ContainerJSON, dockerHost string) *Container {
-	ports := make([]types.Port, 0)
-	for k, bindings := range json.NetworkSettings.Ports {
-		privPortStr, proto := k.Port(), k.Proto()
-		privPort, _ := strconv.ParseUint(privPortStr, 10, 16)
-		ports = append(ports, types.Port{
-			PrivatePort: uint16(privPort),
-			Type:        proto,
-		})
-		for _, v := range bindings {
-			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
-			ports = append(ports, types.Port{
-				IP:          v.HostIP,
-				PublicPort:  uint16(pubPort),
-				PrivatePort: uint16(privPort),
-				Type:        proto,
-			})
-		}
-	}
-	cont := FromDocker(&types.Container{
-		ID:     json.ID,
-		Names:  []string{strings.TrimPrefix(json.Name, "/")},
-		Image:  json.Image,
-		Ports:  ports,
-		Labels: json.Config.Labels,
-		State:  json.State.Status,
-		Status: json.State.Status,
-		Mounts: json.Mounts,
-		NetworkSettings: &types.SummaryNetworkSettings{
-			Networks: json.NetworkSettings.Networks,
-		},
-	}, dockerHost)
-	cont.NetworkMode = string(json.HostConfig.NetworkMode)
-	return cont
-}
-
-func (c *Container) setPublicIP() {
-	if !c.Running {
-		return
-	}
-	if strings.HasPrefix(c.DockerHost, "unix://") {
-		c.PublicIP = "127.0.0.1"
-		return
-	}
-	url, err := url.Parse(c.DockerHost)
-	if err != nil {
-		logger.Err(err).Msgf("invalid docker host %q, falling back to 127.0.0.1", c.DockerHost)
-		c.PublicIP = "127.0.0.1"
-		return
-	}
-	c.PublicIP = url.Hostname()
-}
-
-func (c *Container) setPrivateIP(helper containerHelper) {
-	if !strings.HasPrefix(c.DockerHost, "unix://") {
-		return
-	}
-	if helper.NetworkSettings == nil {
-		return
-	}
-	for _, v := range helper.NetworkSettings.Networks {
-		if v.IPAddress == "" {
-			continue
-		}
-		c.PrivateIP = v.IPAddress
-		return
-	}
-}
--- a/internal/docker/container_helper.go
+++ b/internal/docker/container_helper.go
@@ -1,90 +0,0 @@
-package docker
-
-import (
-	"strings"
-
-	"github.com/docker/docker/api/types"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type containerHelper struct {
-	*types.Container
-}
-
-// getDeleteLabel gets the value of a label and then deletes it from the container.
-// If the label does not exist, an empty string is returned.
-func (c containerHelper) getDeleteLabel(label string) string {
-	if l, ok := c.Labels[label]; ok {
-		delete(c.Labels, label)
-		return l
-	}
-	return ""
-}
-
-func (c containerHelper) getAliases() []string {
-	if l := c.getDeleteLabel(LabelAliases); l != "" {
-		return strutils.CommaSeperatedList(l)
-	}
-	return []string{c.getName()}
-}
-
-func (c containerHelper) getName() string {
-	return strings.TrimPrefix(c.Names[0], "/")
-}
-
-func (c containerHelper) getImageName() string {
-	colonSep := strutils.SplitRune(c.Image, ':')
-	slashSep := strutils.SplitRune(colonSep[0], '/')
-	return slashSep[len(slashSep)-1]
-}
-
-func (c containerHelper) getPublicPortMapping() PortMapping {
-	res := make(PortMapping)
-	for _, v := range c.Ports {
-		if v.PublicPort == 0 {
-			continue
-		}
-		res[strutils.PortString(v.PublicPort)] = v
-	}
-	return res
-}
-
-func (c containerHelper) getPrivatePortMapping() PortMapping {
-	res := make(PortMapping)
-	for _, v := range c.Ports {
-		res[strutils.PortString(v.PrivatePort)] = v
-	}
-	return res
-}
-
-var databaseMPs = map[string]struct{}{
-	"/var/lib/postgresql/data": {},
-	"/var/lib/mysql":           {},
-	"/var/lib/mongodb":         {},
-	"/var/lib/mariadb":         {},
-	"/var/lib/memcached":       {},
-	"/var/lib/rabbitmq":        {},
-}
-
-var databasePrivPorts = map[uint16]struct{}{
-	5432:  {}, // postgres
-	3306:  {}, // mysql, mariadb
-	6379:  {}, // redis
-	11211: {}, // memcached
-	27017: {}, // mongodb
-}
-
-func (c containerHelper) isDatabase() bool {
-	for _, m := range c.Mounts {
-		if _, ok := databaseMPs[m.Destination]; ok {
-			return true
-		}
-	}
-
-	for _, v := range c.Ports {
-		if _, ok := databasePrivPorts[v.PrivatePort]; ok {
-			return true
-		}
-	}
-	return false
-}
--- a/internal/docker/idlewatcher/html/loading_page.html
+++ b/internal/docker/idlewatcher/html/loading_page.html
@@ -1,88 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-    <head>
-        <meta charset="UTF-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-        <title>{{.Title}}</title>
-        <style>
-            /* Global Styles */
-            * {
-                box-sizing: border-box;
-                margin: 0;
-                padding: 0;
-            }
-            body {
-                font-family: Inter, Arial, sans-serif;
-                font-size: 16px;
-                line-height: 1.5;
-                color: #fff;
-                background-color: #212121;
-                display: flex;
-                justify-content: center;
-                align-items: center;
-                height: 100vh;
-                margin: 0;
-            }
-
-            /* Spinner Styles */
-            .spinner {
-                width: 120px;
-                height: 120px;
-                border: 16px solid #333;
-                border-radius: 50%;
-                border-top: 16px solid #66d9ef;
-                animation: spin 2s linear infinite;
-            }
-            @keyframes spin {
-                0% {
-                    transform: rotate(0deg);
-                }
-                100% {
-                    transform: rotate(360deg);
-                }
-            }
-
-            /* Error Styles */
-            .error {
-                display: inline-block;
-                text-align: center;
-                justify-content: center;
-            }
-            .error::before {
-                content: "\26A0"; /* Unicode for warning symbol */
-                font-size: 40px;
-                color: #ff9900;
-            }
-
-            /* Message Styles */
-            .message {
-                font-size: 24px;
-                font-weight: bold;
-                padding-left: 32px;
-                text-align: center;
-            }
-        </style>
-    </head>
-    <body>
-        <script>
-            window.onload = async function () {
-                let resp = await fetch(window.location.href, {
-                    headers: {
-                        "{{.CheckRedirectHeader}}": "1",
-                    },
-                });
-                if (resp.ok) {
-                    window.location.href = resp.url;
-                } else {
-                    document.getElementById("message").innerText =
-                        await resp.text();
-                    document
-                        .getElementById("spinner")
-                        .classList.replace("spinner", "error");
-                }
-            };
-        </script>
-        <div id="spinner" class="spinner"></div>
-        <div id="message" class="message">{{.Message}}</div>
-    </body>
-</html>
--- a/internal/docker/idlewatcher/loading_page.go
+++ b/internal/docker/idlewatcher/loading_page.go
@@ -1,36 +0,0 @@
-package idlewatcher
-
-import (
-	"bytes"
-	_ "embed"
-	"strings"
-	"text/template"
-
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-type templateData struct {
-	CheckRedirectHeader string
-	Title               string
-	Message             string
-}
-
-//go:embed html/loading_page.html
-var loadingPage []byte
-var loadingPageTmpl = template.Must(template.New("loading_page").Parse(string(loadingPage)))
-
-func (w *Watcher) makeLoadingPageBody() []byte {
-	msg := w.ContainerName + " is starting..."
-
-	data := new(templateData)
-	data.CheckRedirectHeader = common.HeaderCheckRedirect
-	data.Title = w.ContainerName
-	data.Message = strings.ReplaceAll(msg, " ", "&ensp;")
-
-	buf := bytes.NewBuffer(make([]byte, len(loadingPage)+len(data.Title)+len(data.Message)+len(common.HeaderCheckRedirect)))
-	err := loadingPageTmpl.Execute(buf, data)
-	if err != nil { // should never happen in production
-		panic(err)
-	}
-	return buf.Bytes()
-}
--- a/internal/docker/idlewatcher/types/config.go
+++ b/internal/docker/idlewatcher/types/config.go
@@ -1,106 +0,0 @@
-package types
-
-import (
-	"errors"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/docker"
-	E "github.com/yusing/go-proxy/internal/error"
-)
-
-type (
-	Config struct {
-		IdleTimeout time.Duration `json:"idle_timeout,omitempty"`
-		WakeTimeout time.Duration `json:"wake_timeout,omitempty"`
-		StopTimeout int           `json:"stop_timeout,omitempty"` // docker api takes integer seconds for timeout argument
-		StopMethod  StopMethod    `json:"stop_method,omitempty"`
-		StopSignal  Signal        `json:"stop_signal,omitempty"`
-
-		DockerHost       string `json:"docker_host,omitempty"`
-		ContainerName    string `json:"container_name,omitempty"`
-		ContainerID      string `json:"container_id,omitempty"`
-		ContainerRunning bool   `json:"container_running,omitempty"`
-	}
-	StopMethod string
-	Signal     string
-)
-
-const (
-	StopMethodPause StopMethod = "pause"
-	StopMethodStop  StopMethod = "stop"
-	StopMethodKill  StopMethod = "kill"
-)
-
-var validSignals = map[string]struct{}{
-	"":       {},
-	"SIGINT": {}, "SIGTERM": {}, "SIGHUP": {}, "SIGQUIT": {},
-	"INT": {}, "TERM": {}, "HUP": {}, "QUIT": {},
-}
-
-func ValidateConfig(cont *docker.Container) (*Config, E.Error) {
-	if cont == nil {
-		return nil, nil
-	}
-
-	if cont.IdleTimeout == "" {
-		return &Config{
-			DockerHost:       cont.DockerHost,
-			ContainerName:    cont.ContainerName,
-			ContainerID:      cont.ContainerID,
-			ContainerRunning: cont.Running,
-		}, nil
-	}
-
-	errs := E.NewBuilder("invalid idlewatcher config")
-
-	idleTimeout := E.Collect(errs, validateDurationPostitive, cont.IdleTimeout)
-	wakeTimeout := E.Collect(errs, validateDurationPostitive, cont.WakeTimeout)
-	stopTimeout := E.Collect(errs, validateDurationPostitive, cont.StopTimeout)
-	stopMethod := E.Collect(errs, validateStopMethod, cont.StopMethod)
-	signal := E.Collect(errs, validateSignal, cont.StopSignal)
-
-	if errs.HasError() {
-		return nil, errs.Error()
-	}
-
-	return &Config{
-		IdleTimeout: idleTimeout,
-		WakeTimeout: wakeTimeout,
-		StopTimeout: int(stopTimeout.Seconds()),
-		StopMethod:  stopMethod,
-		StopSignal:  signal,
-
-		DockerHost:       cont.DockerHost,
-		ContainerName:    cont.ContainerName,
-		ContainerID:      cont.ContainerID,
-		ContainerRunning: cont.Running,
-	}, nil
-}
-
-func validateDurationPostitive(value string) (time.Duration, error) {
-	d, err := time.ParseDuration(value)
-	if err != nil {
-		return 0, err
-	}
-	if d < 0 {
-		return 0, errors.New("duration must be positive")
-	}
-	return d, nil
-}
-
-func validateSignal(s string) (Signal, error) {
-	if _, ok := validSignals[s]; ok {
-		return Signal(s), nil
-	}
-	return "", errors.New("invalid signal " + s)
-}
-
-func validateStopMethod(s string) (StopMethod, error) {
-	sm := StopMethod(s)
-	switch sm {
-	case StopMethodPause, StopMethodStop, StopMethodKill:
-		return sm, nil
-	default:
-		return "", errors.New("invalid stop method " + s)
-	}
-}
--- a/internal/docker/idlewatcher/types/waker.go
+++ b/internal/docker/idlewatcher/types/waker.go
@@ -1,15 +0,0 @@
-package types
-
-import (
-	"net/http"
-
-	net "github.com/yusing/go-proxy/internal/net/types"
-	"github.com/yusing/go-proxy/internal/watcher/health"
-)
-
-type Waker interface {
-	health.HealthMonitor
-	http.Handler
-	net.Stream
-	Wake() error
-}
--- a/internal/docker/idlewatcher/waker.go
+++ b/internal/docker/idlewatcher/waker.go
@@ -1,163 +0,0 @@
-package idlewatcher
-
-import (
-	"sync/atomic"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/docker/idlewatcher/types"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/metrics"
-	gphttp "github.com/yusing/go-proxy/internal/net/http"
-	net "github.com/yusing/go-proxy/internal/net/types"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/watcher/health"
-	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
-)
-
-type (
-	Waker = types.Waker
-	waker struct {
-		_ U.NoCopy
-
-		rp     *gphttp.ReverseProxy
-		stream net.Stream
-		hc     health.HealthChecker
-		metric *metrics.Gauge
-
-		ready atomic.Bool
-	}
-)
-
-const (
-	idleWakerCheckInterval = 100 * time.Millisecond
-	idleWakerCheckTimeout  = time.Second
-)
-
-// TODO: support stream
-
-func newWaker(parent task.Parent, entry route.Entry, rp *gphttp.ReverseProxy, stream net.Stream) (Waker, E.Error) {
-	hcCfg := entry.RawEntry().HealthCheck
-	hcCfg.Timeout = idleWakerCheckTimeout
-
-	waker := &waker{
-		rp:     rp,
-		stream: stream,
-	}
-	task := parent.Subtask("idlewatcher." + entry.TargetName())
-	watcher, err := registerWatcher(task, entry, waker)
-	if err != nil {
-		return nil, E.Errorf("register watcher: %w", err)
-	}
-
-	switch {
-	case rp != nil:
-		waker.hc = monitor.NewHTTPHealthChecker(entry.TargetURL(), hcCfg)
-	case stream != nil:
-		waker.hc = monitor.NewRawHealthChecker(entry.TargetURL(), hcCfg)
-	default:
-		panic("both nil")
-	}
-
-	if common.PrometheusEnabled {
-		m := metrics.GetServiceMetrics()
-		fqn := parent.Name() + "/" + entry.TargetName()
-		waker.metric = m.HealthStatus.With(metrics.HealthMetricLabels(fqn))
-		waker.metric.Set(float64(watcher.Status()))
-	}
-	return watcher, nil
-}
-
-// lifetime should follow route provider.
-func NewHTTPWaker(parent task.Parent, entry route.Entry, rp *gphttp.ReverseProxy) (Waker, E.Error) {
-	return newWaker(parent, entry, rp, nil)
-}
-
-func NewStreamWaker(parent task.Parent, entry route.Entry, stream net.Stream) (Waker, E.Error) {
-	return newWaker(parent, entry, nil, stream)
-}
-
-// Start implements health.HealthMonitor.
-func (w *Watcher) Start(parent task.Parent) E.Error {
-	w.task.OnCancel("route_cleanup", func() {
-		parent.Finish(w.task.FinishCause())
-		if w.metric != nil {
-			w.metric.Reset()
-		}
-	})
-	return nil
-}
-
-// Task implements health.HealthMonitor.
-func (w *Watcher) Task() *task.Task {
-	return w.task
-}
-
-// Finish implements health.HealthMonitor.
-func (w *Watcher) Finish(reason any) {
-	if w.stream != nil {
-		w.stream.Close()
-	}
-}
-
-// Name implements health.HealthMonitor.
-func (w *Watcher) Name() string {
-	return w.String()
-}
-
-// String implements health.HealthMonitor.
-func (w *Watcher) String() string {
-	return w.ContainerName
-}
-
-// Uptime implements health.HealthMonitor.
-func (w *Watcher) Uptime() time.Duration {
-	return 0
-}
-
-// Status implements health.HealthMonitor.
-func (w *Watcher) Status() health.Status {
-	status := w.getStatusUpdateReady()
-	if w.metric != nil {
-		w.metric.Set(float64(status))
-	}
-	return status
-}
-
-func (w *Watcher) getStatusUpdateReady() health.Status {
-	if !w.ContainerRunning {
-		return health.StatusNapping
-	}
-
-	if w.ready.Load() {
-		return health.StatusHealthy
-	}
-
-	result, err := w.hc.CheckHealth()
-	switch {
-	case err != nil:
-		w.ready.Store(false)
-		return health.StatusError
-	case result.Healthy:
-		w.ready.Store(true)
-		return health.StatusHealthy
-	default:
-		return health.StatusStarting
-	}
-}
-
-// MarshalJSON implements health.HealthMonitor.
-func (w *Watcher) MarshalJSON() ([]byte, error) {
-	var url net.URL
-	if w.hc.URL().Port() != "0" {
-		url = w.hc.URL()
-	}
-	return (&monitor.JSONRepresentation{
-		Name:   w.Name(),
-		Status: w.Status(),
-		Config: w.hc.Config(),
-		URL:    url,
-	}).MarshalJSON()
-}
--- a/internal/docker/idlewatcher/waker_http.go
+++ b/internal/docker/idlewatcher/waker_http.go
@@ -1,108 +0,0 @@
-package idlewatcher
-
-import (
-	"context"
-	"errors"
-	"net/http"
-	"strconv"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/common"
-	gphttp "github.com/yusing/go-proxy/internal/net/http"
-	"github.com/yusing/go-proxy/internal/watcher/health"
-)
-
-// ServeHTTP implements http.Handler.
-func (w *Watcher) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
-	shouldNext := w.wakeFromHTTP(rw, r)
-	if !shouldNext {
-		return
-	}
-	select {
-	case <-r.Context().Done():
-		return
-	default:
-		w.rp.ServeHTTP(rw, r)
-	}
-}
-
-func (w *Watcher) wakeFromHTTP(rw http.ResponseWriter, r *http.Request) (shouldNext bool) {
-	w.resetIdleTimer()
-
-	// pass through if container is already ready
-	if w.ready.Load() {
-		return true
-	}
-
-	if r.Body != nil {
-		defer r.Body.Close()
-	}
-
-	accept := gphttp.GetAccept(r.Header)
-	acceptHTML := (r.Method == http.MethodGet && accept.AcceptHTML() || r.RequestURI == "/" && accept.IsEmpty())
-
-	isCheckRedirect := r.Header.Get(common.HeaderCheckRedirect) != ""
-	if !isCheckRedirect && acceptHTML {
-		// Send a loading response to the client
-		body := w.makeLoadingPageBody()
-		rw.Header().Set("Content-Type", "text/html; charset=utf-8")
-		rw.Header().Set("Content-Length", strconv.Itoa(len(body)))
-		rw.Header().Add("Cache-Control", "no-cache")
-		rw.Header().Add("Cache-Control", "no-store")
-		rw.Header().Add("Cache-Control", "must-revalidate")
-		rw.Header().Add("Connection", "close")
-		if _, err := rw.Write(body); err != nil {
-			w.Err(err).Msg("error writing http response")
-		}
-		return false
-	}
-
-	ctx, cancel := context.WithTimeoutCause(r.Context(), w.WakeTimeout, errors.New("wake timeout"))
-	defer cancel()
-
-	checkCanceled := func() (canceled bool) {
-		select {
-		case <-ctx.Done():
-			w.WakeDebug().Str("cause", context.Cause(ctx).Error()).Msg("canceled")
-			return true
-		case <-w.task.Context().Done():
-			w.WakeDebug().Str("cause", w.task.FinishCause().Error()).Msg("canceled")
-			http.Error(rw, "Service unavailable", http.StatusServiceUnavailable)
-			return true
-		default:
-			return false
-		}
-	}
-
-	if checkCanceled() {
-		return false
-	}
-
-	w.WakeTrace().Msg("signal received")
-	err := w.wakeIfStopped()
-	if err != nil {
-		w.WakeError(err)
-		http.Error(rw, "Error waking container", http.StatusInternalServerError)
-		return false
-	}
-
-	for {
-		if checkCanceled() {
-			return false
-		}
-
-		if w.Status() == health.StatusHealthy {
-			w.resetIdleTimer()
-			if isCheckRedirect {
-				w.Debug().Msgf("redirecting to %s ...", w.hc.URL())
-				rw.WriteHeader(http.StatusOK)
-				return false
-			}
-			w.Debug().Msgf("passing through to %s ...", w.hc.URL())
-			return true
-		}
-
-		// retry until the container is ready or timeout
-		time.Sleep(idleWakerCheckInterval)
-	}
-}
--- a/internal/docker/idlewatcher/waker_stream.go
+++ b/internal/docker/idlewatcher/waker_stream.go
@@ -1,90 +0,0 @@
-package idlewatcher
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/net/types"
-	"github.com/yusing/go-proxy/internal/watcher/health"
-)
-
-// Setup implements types.Stream.
-func (w *Watcher) Addr() net.Addr {
-	return w.stream.Addr()
-}
-
-// Setup implements types.Stream.
-func (w *Watcher) Setup() error {
-	return w.stream.Setup()
-}
-
-// Accept implements types.Stream.
-func (w *Watcher) Accept() (conn types.StreamConn, err error) {
-	conn, err = w.stream.Accept()
-	if err != nil {
-		return
-	}
-	if wakeErr := w.wakeFromStream(); wakeErr != nil {
-		w.WakeError(wakeErr)
-	}
-	return
-}
-
-// Handle implements types.Stream.
-func (w *Watcher) Handle(conn types.StreamConn) error {
-	if err := w.wakeFromStream(); err != nil {
-		return err
-	}
-	return w.stream.Handle(conn)
-}
-
-// Close implements types.Stream.
-func (w *Watcher) Close() error {
-	return w.stream.Close()
-}
-
-func (w *Watcher) wakeFromStream() error {
-	w.resetIdleTimer()
-
-	// pass through if container is already ready
-	if w.ready.Load() {
-		return nil
-	}
-
-	w.WakeDebug().Msg("wake signal received")
-	wakeErr := w.wakeIfStopped()
-	if wakeErr != nil {
-		wakeErr = fmt.Errorf("%s failed: %w", w.String(), wakeErr)
-		w.WakeError(wakeErr)
-		return wakeErr
-	}
-
-	ctx, cancel := context.WithTimeoutCause(w.task.Context(), w.WakeTimeout, errors.New("wake timeout"))
-	defer cancel()
-
-	for {
-		select {
-		case <-w.task.Context().Done():
-			cause := w.task.FinishCause()
-			w.WakeDebug().Str("cause", cause.Error()).Msg("canceled")
-			return cause
-		case <-ctx.Done():
-			cause := context.Cause(ctx)
-			w.WakeDebug().Str("cause", cause.Error()).Msg("timeout")
-			return cause
-		default:
-		}
-
-		if w.Status() == health.StatusHealthy {
-			w.resetIdleTimer()
-			w.Debug().Msg("container is ready, passing through to " + w.hc.URL().String())
-			return nil
-		}
-
-		// retry until the container is ready or timeout
-		time.Sleep(idleWakerCheckInterval)
-	}
-}
--- a/internal/docker/idlewatcher/watcher.go
+++ b/internal/docker/idlewatcher/watcher.go
@@ -1,298 +0,0 @@
-package idlewatcher
-
-import (
-	"context"
-	"errors"
-	"sync"
-	"time"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/rs/zerolog"
-	D "github.com/yusing/go-proxy/internal/docker"
-	idlewatcher "github.com/yusing/go-proxy/internal/docker/idlewatcher/types"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/logging"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
-	F "github.com/yusing/go-proxy/internal/utils/functional"
-	"github.com/yusing/go-proxy/internal/watcher"
-	"github.com/yusing/go-proxy/internal/watcher/events"
-)
-
-type (
-	Watcher struct {
-		_ U.NoCopy
-
-		zerolog.Logger
-
-		*idlewatcher.Config
-		*waker
-
-		client       *D.SharedClient
-		stopByMethod StopCallback // send a docker command w.r.t. `stop_method`
-		ticker       *time.Ticker
-		task         *task.Task
-	}
-
-	WakeDone     <-chan error
-	WakeFunc     func() WakeDone
-	StopCallback func() error
-)
-
-var (
-	watcherMap   = F.NewMapOf[string, *Watcher]()
-	watcherMapMu sync.Mutex
-
-	errShouldNotReachHere = errors.New("should not reach here")
-
-	logger = logging.With().Str("module", "idle_watcher").Logger()
-)
-
-const dockerReqTimeout = 3 * time.Second
-
-func registerWatcher(watcherTask *task.Task, entry route.Entry, waker *waker) (*Watcher, error) {
-	cfg := entry.IdlewatcherConfig()
-
-	if cfg.IdleTimeout == 0 {
-		panic(errShouldNotReachHere)
-	}
-
-	watcherMapMu.Lock()
-	defer watcherMapMu.Unlock()
-
-	key := cfg.ContainerID
-
-	if w, ok := watcherMap.Load(key); ok {
-		w.Config = cfg
-		w.waker = waker
-		w.resetIdleTimer()
-		watcherTask.Finish("used existing watcher")
-		return w, nil
-	}
-
-	client, err := D.ConnectClient(cfg.DockerHost)
-	if err != nil {
-		return nil, err
-	}
-
-	w := &Watcher{
-		Logger: logger.With().Str("name", cfg.ContainerName).Logger(),
-		Config: cfg,
-		waker:  waker,
-		client: client,
-		task:   watcherTask,
-		ticker: time.NewTicker(cfg.IdleTimeout),
-	}
-	w.stopByMethod = w.getStopCallback()
-	watcherMap.Store(key, w)
-
-	go func() {
-		cause := w.watchUntilDestroy()
-
-		watcherMap.Delete(w.ContainerID)
-
-		w.ticker.Stop()
-		w.client.Close()
-		w.task.Finish(cause)
-	}()
-
-	return w, nil
-}
-
-func (w *Watcher) Wake() error {
-	return w.wakeIfStopped()
-}
-
-// WakeDebug logs a debug message related to waking the container.
-func (w *Watcher) WakeDebug() *zerolog.Event {
-	//nolint:zerologlint
-	return w.Debug().Str("action", "wake")
-}
-
-func (w *Watcher) WakeTrace() *zerolog.Event {
-	//nolint:zerologlint
-	return w.Trace().Str("action", "wake")
-}
-
-func (w *Watcher) WakeError(err error) {
-	w.Err(err).Str("action", "wake").Msg("error")
-}
-
-func (w *Watcher) LogReason(action, reason string) {
-	w.Info().Str("reason", reason).Msg(action)
-}
-
-func (w *Watcher) containerStop(ctx context.Context) error {
-	return w.client.ContainerStop(ctx, w.ContainerID, container.StopOptions{
-		Signal:  string(w.StopSignal),
-		Timeout: &w.StopTimeout,
-	})
-}
-
-func (w *Watcher) containerPause(ctx context.Context) error {
-	return w.client.ContainerPause(ctx, w.ContainerID)
-}
-
-func (w *Watcher) containerKill(ctx context.Context) error {
-	return w.client.ContainerKill(ctx, w.ContainerID, string(w.StopSignal))
-}
-
-func (w *Watcher) containerUnpause(ctx context.Context) error {
-	return w.client.ContainerUnpause(ctx, w.ContainerID)
-}
-
-func (w *Watcher) containerStart(ctx context.Context) error {
-	return w.client.ContainerStart(ctx, w.ContainerID, container.StartOptions{})
-}
-
-func (w *Watcher) containerStatus() (string, error) {
-	if !w.client.Connected() {
-		return "", errors.New("docker client not connected")
-	}
-	ctx, cancel := context.WithTimeoutCause(w.task.Context(), dockerReqTimeout, errors.New("docker request timeout"))
-	defer cancel()
-	json, err := w.client.ContainerInspect(ctx, w.ContainerID)
-	if err != nil {
-		return "", err
-	}
-	return json.State.Status, nil
-}
-
-func (w *Watcher) wakeIfStopped() error {
-	if w.ContainerRunning {
-		return nil
-	}
-
-	status, err := w.containerStatus()
-	if err != nil {
-		return err
-	}
-
-	ctx, cancel := context.WithTimeout(w.task.Context(), w.WakeTimeout)
-	defer cancel()
-
-	// !Hard coded here since theres no constants from Docker API
-	switch status {
-	case "exited", "dead":
-		return w.containerStart(ctx)
-	case "paused":
-		return w.containerUnpause(ctx)
-	case "running":
-		return nil
-	default:
-		panic(errShouldNotReachHere)
-	}
-}
-
-func (w *Watcher) getStopCallback() StopCallback {
-	var cb func(context.Context) error
-	switch w.StopMethod {
-	case idlewatcher.StopMethodPause:
-		cb = w.containerPause
-	case idlewatcher.StopMethodStop:
-		cb = w.containerStop
-	case idlewatcher.StopMethodKill:
-		cb = w.containerKill
-	default:
-		panic(errShouldNotReachHere)
-	}
-	return func() error {
-		ctx, cancel := context.WithTimeout(w.task.Context(), time.Duration(w.StopTimeout)*time.Second)
-		defer cancel()
-		return cb(ctx)
-	}
-}
-
-func (w *Watcher) resetIdleTimer() {
-	w.Trace().Msg("reset idle timer")
-	w.ticker.Reset(w.IdleTimeout)
-}
-
-func (w *Watcher) getEventCh(dockerWatcher watcher.DockerWatcher) (eventCh <-chan events.Event, errCh <-chan E.Error) {
-	eventCh, errCh = dockerWatcher.EventsWithOptions(w.Task().Context(), watcher.DockerListOptions{
-		Filters: watcher.NewDockerFilter(
-			watcher.DockerFilterContainer,
-			watcher.DockerFilterContainerNameID(w.ContainerID),
-			watcher.DockerFilterStart,
-			watcher.DockerFilterStop,
-			watcher.DockerFilterDie,
-			watcher.DockerFilterKill,
-			watcher.DockerFilterDestroy,
-			watcher.DockerFilterPause,
-			watcher.DockerFilterUnpause,
-		),
-	})
-	return
-}
-
-// watchUntilDestroy waits for the container to be created, started, or unpaused,
-// and then reset the idle timer.
-//
-// When the container is stopped, paused,
-// or killed, the idle timer is stopped and the ContainerRunning flag is set to false.
-//
-// When the idle timer fires, the container is stopped according to the
-// stop method.
-//
-// it exits only if the context is canceled, the container is destroyed,
-// errors occurred on docker client, or route provider died (mainly caused by config reload).
-func (w *Watcher) watchUntilDestroy() (returnCause error) {
-	dockerWatcher := watcher.NewDockerWatcherWithClient(w.client)
-	dockerEventCh, dockerEventErrCh := w.getEventCh(dockerWatcher)
-
-	for {
-		select {
-		case <-w.task.Context().Done():
-			return w.task.FinishCause()
-		case err := <-dockerEventErrCh:
-			if !err.Is(context.Canceled) {
-				E.LogError("idlewatcher error", err, &w.Logger)
-			}
-			return err
-		case e := <-dockerEventCh:
-			switch {
-			case e.Action == events.ActionContainerDestroy:
-				w.ContainerRunning = false
-				w.ready.Store(false)
-				w.LogReason("watcher stopped", "container destroyed")
-				return errors.New("container destroyed")
-			// create / start / unpause
-			case e.Action.IsContainerWake():
-				w.ContainerRunning = true
-				w.resetIdleTimer()
-				w.Info().Msg("awaken")
-			case e.Action.IsContainerSleep(): // stop / pause / kil
-				w.ContainerRunning = false
-				w.ready.Store(false)
-				w.ticker.Stop()
-			default:
-				w.Error().Msg("unexpected docker event: " + e.String())
-			}
-			// container name changed should also change the container id
-			if w.ContainerName != e.ActorName {
-				w.Debug().Msgf("renamed %s -> %s", w.ContainerName, e.ActorName)
-				w.ContainerName = e.ActorName
-			}
-			if w.ContainerID != e.ActorID {
-				w.Debug().Msgf("id changed %s -> %s", w.ContainerID, e.ActorID)
-				w.ContainerID = e.ActorID
-				// recreate event stream
-				dockerEventCh, dockerEventErrCh = w.getEventCh(dockerWatcher)
-			}
-		case <-w.ticker.C:
-			w.ticker.Stop()
-			if w.ContainerRunning {
-				err := w.stopByMethod()
-				switch {
-				case errors.Is(err, context.Canceled):
-					continue
-				case err != nil:
-					w.Err(err).Msgf("container stop with method %q failed", w.StopMethod)
-				default:
-					w.LogReason("container stopped", "idle timeout")
-				}
-			}
-		}
-	}
-}
--- a/internal/docker/inspect.go
+++ b/internal/docker/inspect.go
@@ -1,28 +0,0 @@
-package docker
-
-import (
-	"context"
-	"errors"
-	"time"
-)
-
-func Inspect(dockerHost string, containerID string) (*Container, error) {
-	client, err := ConnectClient(dockerHost)
-	if err != nil {
-		return nil, err
-	}
-
-	defer client.Close()
-	return client.Inspect(containerID)
-}
-
-func (c *SharedClient) Inspect(containerID string) (*Container, error) {
-	ctx, cancel := context.WithTimeoutCause(context.Background(), 3*time.Second, errors.New("docker container inspect timeout"))
-	defer cancel()
-
-	json, err := c.ContainerInspect(ctx, containerID)
-	if err != nil {
-		return nil, err
-	}
-	return FromJSON(json, c.key), nil
-}
--- a/internal/docker/label.go
+++ b/internal/docker/label.go
@@ -1,52 +0,0 @@
-package docker
-
-import (
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type LabelMap = map[string]any
-
-var ErrInvalidLabel = E.New("invalid label")
-
-func ParseLabels(labels map[string]string) (LabelMap, E.Error) {
-	nestedMap := make(LabelMap)
-	errs := E.NewBuilder("labels error")
-
-	for lbl, value := range labels {
-		parts := strutils.SplitRune(lbl, '.')
-		if parts[0] != NSProxy {
-			continue
-		}
-		if len(parts) == 1 {
-			errs.Add(ErrInvalidLabel.Subject(lbl))
-			continue
-		}
-		parts = parts[1:]
-		currentMap := nestedMap
-
-		for i, k := range parts {
-			if i == len(parts)-1 {
-				// Last element, set the value
-				currentMap[k] = value
-			} else {
-				// If the key doesn't exist, create a new map
-				if _, exists := currentMap[k]; !exists {
-					currentMap[k] = make(LabelMap)
-				}
-				// Move deeper into the nested map
-				m, ok := currentMap[k].(LabelMap)
-				if !ok && currentMap[k] != "" {
-					errs.Add(E.Errorf("expect mapping, got %T", currentMap[k]).Subject(lbl))
-					continue
-				} else if !ok {
-					m = make(LabelMap)
-					currentMap[k] = m
-				}
-				currentMap = m
-			}
-		}
-	}
-
-	return nestedMap, errs.Error()
-}
--- a/internal/docker/labels.go
+++ b/internal/docker/labels.go
@@ -1,15 +0,0 @@
-package docker
-
-const (
-	WildcardAlias = "*"
-
-	NSProxy = "proxy"
-
-	LabelAliases     = NSProxy + ".aliases"
-	LabelExclude     = NSProxy + ".exclude"
-	LabelIdleTimeout = NSProxy + ".idle_timeout"
-	LabelWakeTimeout = NSProxy + ".wake_timeout"
-	LabelStopMethod  = NSProxy + ".stop_method"
-	LabelStopTimeout = NSProxy + ".stop_timeout"
-	LabelStopSignal  = NSProxy + ".stop_signal"
-)
--- a/internal/docker/list_containers.go
+++ b/internal/docker/list_containers.go
@@ -1,44 +0,0 @@
-package docker
-
-import (
-	"context"
-	"errors"
-	"time"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-)
-
-var listOptions = container.ListOptions{
-	// created|restarting|running|removing|paused|exited|dead
-	// Filters: filters.NewArgs(
-	// 	filters.Arg("status", "created"),
-	// 	filters.Arg("status", "restarting"),
-	// 	filters.Arg("status", "running"),
-	// 	filters.Arg("status", "paused"),
-	// 	filters.Arg("status", "exited"),
-	// ),
-	All: true,
-}
-
-func ListContainers(clientHost string) ([]types.Container, error) {
-	dockerClient, err := ConnectClient(clientHost)
-	if err != nil {
-		return nil, err
-	}
-	defer dockerClient.Close()
-
-	ctx, cancel := context.WithTimeoutCause(context.Background(), 3*time.Second, errors.New("list containers timeout"))
-	defer cancel()
-
-	containers, err := dockerClient.ContainerList(ctx, listOptions)
-	if err != nil {
-		return nil, err
-	}
-	return containers, nil
-}
-
-func IsErrConnectionFailed(err error) bool {
-	return client.IsErrConnectionFailed(err)
-}
--- a/internal/docker/logger.go
+++ b/internal/docker/logger.go
@@ -1,7 +0,0 @@
-package docker
-
-import (
-	"github.com/yusing/go-proxy/internal/logging"
-)
-
-var logger = logging.With().Str("module", "docker").Logger()
--- a/internal/entrypoint/entrypoint.go
+++ b/internal/entrypoint/entrypoint.go
@@ -1,148 +0,0 @@
-package entrypoint
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-	"strings"
-	"sync"
-
-	gphttp "github.com/yusing/go-proxy/internal/net/http"
-	"github.com/yusing/go-proxy/internal/net/http/accesslog"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/net/http/middleware/errorpage"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-var findRouteFunc = findRouteAnyDomain
-
-var (
-	epMiddleware   *middleware.Middleware
-	epMiddlewareMu sync.Mutex
-
-	epAccessLogger   *accesslog.AccessLogger
-	epAccessLoggerMu sync.Mutex
-)
-
-var ErrNoSuchRoute = errors.New("no such route")
-
-func SetFindRouteDomains(domains []string) {
-	if len(domains) == 0 {
-		findRouteFunc = findRouteAnyDomain
-	} else {
-		findRouteFunc = findRouteByDomains(domains)
-	}
-}
-
-func SetMiddlewares(mws []map[string]any) error {
-	epMiddlewareMu.Lock()
-	defer epMiddlewareMu.Unlock()
-
-	if len(mws) == 0 {
-		epMiddleware = nil
-		return nil
-	}
-
-	mid, err := middleware.BuildMiddlewareFromChainRaw("entrypoint", mws)
-	if err != nil {
-		return err
-	}
-	epMiddleware = mid
-
-	logger.Debug().Msg("entrypoint middleware loaded")
-	return nil
-}
-
-func SetAccessLogger(parent task.Parent, cfg *accesslog.Config) (err error) {
-	epAccessLoggerMu.Lock()
-	defer epAccessLoggerMu.Unlock()
-
-	if cfg == nil {
-		epAccessLogger = nil
-		return
-	}
-
-	epAccessLogger, err = accesslog.NewFileAccessLogger(parent, cfg)
-	if err != nil {
-		return
-	}
-	logger.Debug().Msg("entrypoint access logger created")
-	return
-}
-
-func Handler(w http.ResponseWriter, r *http.Request) {
-	mux, err := findRouteFunc(r.Host)
-	if err == nil {
-		if epAccessLogger != nil {
-			epMiddlewareMu.Lock()
-			if epAccessLogger != nil {
-				w = gphttp.NewModifyResponseWriter(w, r, func(resp *http.Response) error {
-					epAccessLogger.Log(r, resp)
-					return nil
-				})
-			}
-			epMiddlewareMu.Unlock()
-		}
-		if epMiddleware != nil {
-			epMiddlewareMu.Lock()
-			if epMiddleware != nil {
-				mid := epMiddleware
-				epMiddlewareMu.Unlock()
-				mid.ServeHTTP(mux.ServeHTTP, w, r)
-				return
-			}
-			epMiddlewareMu.Unlock()
-		}
-		mux.ServeHTTP(w, r)
-		return
-	}
-	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
-	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
-	// Then scraper / scanners will know the subdomain is invalid.
-	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
-	if served := middleware.ServeStaticErrorPageFile(w, r); !served {
-		logger.Err(err).Str("method", r.Method).Str("url", r.URL.String()).Msg("request")
-		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
-		if ok {
-			w.WriteHeader(http.StatusNotFound)
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			if _, err := w.Write(errorPage); err != nil {
-				logger.Err(err).Msg("failed to write error page")
-			}
-		} else {
-			http.Error(w, err.Error(), http.StatusNotFound)
-		}
-	}
-}
-
-func findRouteAnyDomain(host string) (route.HTTPRoute, error) {
-	hostSplit := strutils.SplitRune(host, '.')
-	target := hostSplit[0]
-
-	if r, ok := routes.GetHTTPRouteOrExact(target, host); ok {
-		return r, nil
-	}
-	return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, target)
-}
-
-func findRouteByDomains(domains []string) func(host string) (route.HTTPRoute, error) {
-	return func(host string) (route.HTTPRoute, error) {
-		for _, domain := range domains {
-			if strings.HasSuffix(host, domain) {
-				target := strings.TrimSuffix(host, domain)
-				if r, ok := routes.GetHTTPRoute(target); ok {
-					return r, nil
-				}
-			}
-		}
-
-		// fallback to exact match
-		if r, ok := routes.GetHTTPRoute(host); ok {
-			return r, nil
-		}
-		return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, host)
-	}
-}
--- a/internal/entrypoint/entrypoint_test.go
+++ b/internal/entrypoint/entrypoint_test.go
@@ -1,120 +0,0 @@
-package entrypoint
-
-import (
-	"testing"
-
-	"github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-)
-
-var r route.HTTPRoute
-
-func run(t *testing.T, match []string, noMatch []string) {
-	t.Helper()
-	t.Cleanup(routes.TestClear)
-	t.Cleanup(func() {
-		SetFindRouteDomains(nil)
-	})
-
-	for _, test := range match {
-		t.Run(test, func(t *testing.T) {
-			found, err := findRouteFunc(test)
-			ExpectNoError(t, err)
-			ExpectTrue(t, found == &r)
-		})
-	}
-
-	for _, test := range noMatch {
-		t.Run(test, func(t *testing.T) {
-			_, err := findRouteFunc(test)
-			ExpectError(t, ErrNoSuchRoute, err)
-		})
-	}
-}
-
-func TestFindRouteAnyDomain(t *testing.T) {
-	routes.SetHTTPRoute("app1", &r)
-
-	tests := []string{
-		"app1.com",
-		"app1.domain.com",
-		"app1.sub.domain.com",
-	}
-	testsNoMatch := []string{
-		"sub.app1.com",
-		"app2.com",
-		"app2.domain.com",
-		"app2.sub.domain.com",
-	}
-
-	run(t, tests, testsNoMatch)
-}
-
-func TestFindRouteExactHostMatch(t *testing.T) {
-	tests := []string{
-		"app2.com",
-		"app2.domain.com",
-		"app2.sub.domain.com",
-	}
-	testsNoMatch := []string{
-		"sub.app2.com",
-		"app1.com",
-		"app1.domain.com",
-		"app1.sub.domain.com",
-	}
-
-	for _, test := range tests {
-		routes.SetHTTPRoute(test, &r)
-	}
-
-	run(t, tests, testsNoMatch)
-}
-
-func TestFindRouteByDomains(t *testing.T) {
-	SetFindRouteDomains([]string{
-		".domain.com",
-		".sub.domain.com",
-	})
-
-	routes.SetHTTPRoute("app1", &r)
-
-	tests := []string{
-		"app1.domain.com",
-		"app1.sub.domain.com",
-	}
-	testsNoMatch := []string{
-		"sub.app1.com",
-		"app1.com",
-		"app1.domain.co",
-		"app1.domain.com.hk",
-		"app1.sub.domain.co",
-		"app2.domain.com",
-		"app2.sub.domain.com",
-	}
-
-	run(t, tests, testsNoMatch)
-}
-
-func TestFindRouteByDomainsExactMatch(t *testing.T) {
-	SetFindRouteDomains([]string{
-		".domain.com",
-		".sub.domain.com",
-	})
-
-	routes.SetHTTPRoute("app1.foo.bar", &r)
-
-	tests := []string{
-		"app1.foo.bar", // exact match
-		"app1.foo.bar.domain.com",
-		"app1.foo.bar.sub.domain.com",
-	}
-	testsNoMatch := []string{
-		"sub.app1.foo.bar",
-		"sub.app1.foo.bar.com",
-		"app1.domain.com",
-		"app1.sub.domain.com",
-	}
-
-	run(t, tests, testsNoMatch)
-}
--- a/internal/entrypoint/logger.go
+++ b/internal/entrypoint/logger.go
@@ -1,7 +0,0 @@
-package entrypoint
-
-import (
-	"github.com/yusing/go-proxy/internal/logging"
-)
-
-var logger = logging.With().Str("module", "entrypoint").Logger()
--- a/internal/error/base.go
+++ b/internal/error/base.go
@@ -1,48 +0,0 @@
-package err
-
-import (
-	"errors"
-	"fmt"
-)
-
-// baseError is an immutable wrapper around an error.
-//
-//nolint:recvcheck
-type baseError struct {
-	Err error `json:"err"`
-}
-
-func (err *baseError) Unwrap() error {
-	return err.Err
-}
-
-func (err *baseError) Is(other error) bool {
-	if other, ok := other.(*baseError); ok {
-		return errors.Is(err.Err, other.Err)
-	}
-	return errors.Is(err.Err, other)
-}
-
-func (err baseError) Subject(subject string) Error {
-	err.Err = PrependSubject(subject, err.Err)
-	return &err
-}
-
-func (err *baseError) Subjectf(format string, args ...any) Error {
-	if len(args) > 0 {
-		return err.Subject(fmt.Sprintf(format, args...))
-	}
-	return err.Subject(format)
-}
-
-func (err baseError) With(extra error) Error {
-	return &nestedError{&err, []error{extra}}
-}
-
-func (err baseError) Withf(format string, args ...any) Error {
-	return &nestedError{&err, []error{fmt.Errorf(format, args...)}}
-}
-
-func (err *baseError) Error() string {
-	return err.Err.Error()
-}
--- a/internal/error/builder.go
+++ b/internal/error/builder.go
@@ -1,124 +0,0 @@
-package err
-
-import (
-	"fmt"
-	"sync"
-)
-
-type Builder struct {
-	about string
-	errs  []error
-	sync.Mutex
-}
-
-func NewBuilder(about string) *Builder {
-	return &Builder{about: about}
-}
-
-func (b *Builder) About() string {
-	if !b.HasError() {
-		return ""
-	}
-	return b.about
-}
-
-//go:inline
-func (b *Builder) HasError() bool {
-	return len(b.errs) > 0
-}
-
-func (b *Builder) error() Error {
-	if !b.HasError() {
-		return nil
-	}
-	return &nestedError{Err: New(b.about), Extras: b.errs}
-}
-
-func (b *Builder) Error() Error {
-	if len(b.errs) == 1 {
-		return From(b.errs[0])
-	}
-	return b.error()
-}
-
-func (b *Builder) String() string {
-	err := b.error()
-	if err == nil {
-		return ""
-	}
-	return err.Error()
-}
-
-// Add adds an error to the Builder.
-//
-// adding nil is no-op.
-func (b *Builder) Add(err error) *Builder {
-	if err == nil {
-		return b
-	}
-
-	b.Lock()
-	defer b.Unlock()
-
-	switch err := From(err).(type) {
-	case *baseError:
-		b.errs = append(b.errs, err.Err)
-	case *nestedError:
-		if err.Err == nil {
-			b.errs = append(b.errs, err.Extras...)
-		} else {
-			b.errs = append(b.errs, err)
-		}
-	default:
-		panic("bug: should not reach here")
-	}
-
-	return b
-}
-
-func (b *Builder) Adds(err string) *Builder {
-	b.Lock()
-	defer b.Unlock()
-	b.errs = append(b.errs, newError(err))
-	return b
-}
-
-func (b *Builder) Addf(format string, args ...any) *Builder {
-	if len(args) > 0 {
-		b.Lock()
-		defer b.Unlock()
-		b.errs = append(b.errs, fmt.Errorf(format, args...))
-	} else {
-		b.Adds(format)
-	}
-
-	return b
-}
-
-func (b *Builder) AddFrom(other *Builder, flatten bool) *Builder {
-	if other == nil || !other.HasError() {
-		return b
-	}
-
-	b.Lock()
-	defer b.Unlock()
-	if flatten {
-		b.errs = append(b.errs, other.errs...)
-	} else {
-		b.errs = append(b.errs, other.error())
-	}
-	return b
-}
-
-func (b *Builder) AddRange(errs ...error) *Builder {
-	b.Lock()
-	defer b.Unlock()
-
-	for _, err := range errs {
-		if err != nil {
-			b.errs = append(b.errs, err)
-		}
-	}
-
-	return b
-}
--- a/internal/error/builder_test.go
+++ b/internal/error/builder_test.go
@@ -1,55 +0,0 @@
-package err_test
-
-import (
-	"context"
-	"errors"
-	"io"
-	"testing"
-
-	. "github.com/yusing/go-proxy/internal/error"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-)
-
-func TestBuilderEmpty(t *testing.T) {
-	eb := NewBuilder("foo")
-	ExpectTrue(t, errors.Is(eb.Error(), nil))
-	ExpectFalse(t, eb.HasError())
-}
-
-func TestBuilderAddNil(t *testing.T) {
-	eb := NewBuilder("foo")
-	var err Error
-	for range 3 {
-		eb.Add(nil)
-	}
-	for range 3 {
-		eb.Add(err)
-	}
-	eb.AddRange(nil, nil, err)
-	ExpectFalse(t, eb.HasError())
-	ExpectTrue(t, eb.Error() == nil)
-}
-
-func TestBuilderIs(t *testing.T) {
-	eb := NewBuilder("foo")
-	eb.Add(context.Canceled)
-	eb.Add(io.ErrShortBuffer)
-	ExpectTrue(t, eb.HasError())
-	ExpectError(t, io.ErrShortBuffer, eb.Error())
-	ExpectError(t, context.Canceled, eb.Error())
-}
-
-func TestBuilderNested(t *testing.T) {
-	eb := NewBuilder("action failed")
-	eb.Add(New("Action 1").Withf("Inner: 1").Withf("Inner: 2"))
-	eb.Add(New("Action 2").Withf("Inner: 3"))
-
-	got := eb.String()
-	expected := `action failed
-  • Action 1
-    • Inner: 1
-    • Inner: 2
-  • Action 2
-    • Inner: 3`
-	ExpectEqual(t, got, expected)
-}
--- a/internal/error/error.go
+++ b/internal/error/error.go
@@ -1,33 +0,0 @@
-package err
-
-type Error interface {
-	error
-
-	// Is is a wrapper for errors.Is when there is no sub-error.
-	//
-	// When there are sub-errors, they will also be checked.
-	Is(other error) bool
-	// With appends a sub-error to the error.
-	With(extra error) Error
-	// Withf is a wrapper for With(fmt.Errorf(format, args...)).
-	Withf(format string, args ...any) Error
-	// Subject prepends the given subject with a colon and space to the error message.
-	//
-	// If there is already a subject in the error message, the subject will be
-	// prepended to the existing subject with " > ".
-	//
-	// Subject empty string is ignored.
-	Subject(subject string) Error
-	// Subjectf is a wrapper for Subject(fmt.Sprintf(format, args...)).
-	Subjectf(format string, args ...any) Error
-}
-
-// this makes JSON marshaling work,
-// as the builtin one doesn't.
-//
-//nolint:errname
-type errStr string
-
-func (err errStr) Error() string {
-	return string(err)
-}
--- a/internal/error/error_test.go
+++ b/internal/error/error_test.go
@@ -1,157 +0,0 @@
-package err
-
-import (
-	"errors"
-	"strings"
-	"testing"
-
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-)
-
-func TestBaseString(t *testing.T) {
-	ExpectEqual(t, New("error").Error(), "error")
-}
-
-func TestBaseWithSubject(t *testing.T) {
-	err := New("error")
-	withSubject := err.Subject("foo")
-	withSubjectf := err.Subjectf("%s %s", "foo", "bar")
-
-	ExpectError(t, err, withSubject)
-	ExpectEqual(t, withSubject.Error(), "foo: error")
-	ExpectTrue(t, withSubject.Is(err))
-
-	ExpectError(t, err, withSubjectf)
-	ExpectEqual(t, withSubjectf.Error(), "foo bar: error")
-	ExpectTrue(t, withSubjectf.Is(err))
-}
-
-func TestBaseWithExtra(t *testing.T) {
-	err := New("error")
-	extra := New("bar").Subject("baz")
-	withExtra := err.With(extra)
-
-	ExpectTrue(t, withExtra.Is(extra))
-	ExpectTrue(t, withExtra.Is(err))
-
-	ExpectTrue(t, errors.Is(withExtra, extra))
-	ExpectTrue(t, errors.Is(withExtra, err))
-
-	ExpectTrue(t, strings.Contains(withExtra.Error(), err.Error()))
-	ExpectTrue(t, strings.Contains(withExtra.Error(), extra.Error()))
-	ExpectTrue(t, strings.Contains(withExtra.Error(), "baz"))
-}
-
-func TestBaseUnwrap(t *testing.T) {
-	err := errors.New("err")
-	wrapped := From(err)
-
-	ExpectError(t, err, errors.Unwrap(wrapped))
-}
-
-func TestNestedUnwrap(t *testing.T) {
-	err := errors.New("err")
-	err2 := New("err2")
-	wrapped := From(err).Subject("foo").With(err2.Subject("bar"))
-
-	unwrapper, ok := wrapped.(interface{ Unwrap() []error })
-	ExpectTrue(t, ok)
-
-	ExpectError(t, err, wrapped)
-	ExpectError(t, err2, wrapped)
-	ExpectEqual(t, len(unwrapper.Unwrap()), 2)
-}
-
-func TestErrorIs(t *testing.T) {
-	from := errors.New("error")
-	err := From(from)
-	ExpectError(t, from, err)
-
-	ExpectTrue(t, err.Is(from))
-	ExpectFalse(t, err.Is(New("error")))
-
-	ExpectTrue(t, errors.Is(err.Subject("foo"), from))
-	ExpectTrue(t, errors.Is(err.Withf("foo"), from))
-	ExpectTrue(t, errors.Is(err.Subject("foo").Withf("bar"), from))
-}
-
-func TestErrorImmutability(t *testing.T) {
-	err := New("err")
-	err2 := New("err2")
-
-	for range 3 {
-		// t.Logf("%d: %v %T %s", i, errors.Unwrap(err), err, err)
-		_ = err.Subject("foo")
-		ExpectFalse(t, strings.Contains(err.Error(), "foo"))
-
-		_ = err.With(err2)
-		ExpectFalse(t, strings.Contains(err.Error(), "extra"))
-		ExpectFalse(t, err.Is(err2))
-
-		err = err.Subject("bar").Withf("baz")
-		ExpectTrue(t, err != nil)
-	}
-}
-
-func TestErrorWith(t *testing.T) {
-	err1 := New("err1")
-	err2 := New("err2")
-
-	err3 := err1.With(err2)
-
-	ExpectTrue(t, err3.Is(err1))
-	ExpectTrue(t, err3.Is(err2))
-
-	_ = err2.Subject("foo")
-
-	ExpectTrue(t, err3.Is(err1))
-	ExpectTrue(t, err3.Is(err2))
-
-	// check if err3 is affected by err2.Subject
-	ExpectFalse(t, strings.Contains(err3.Error(), "foo"))
-}
-
-func TestErrorStringSimple(t *testing.T) {
-	errFailure := New("generic failure")
-	ne := errFailure.Subject("foo bar")
-	ExpectEqual(t, ne.Error(), "foo bar: generic failure")
-	ne = ne.Subject("baz")
-	ExpectEqual(t, ne.Error(), "baz > foo bar: generic failure")
-}
-
-func TestErrorStringNested(t *testing.T) {
-	errFailure := New("generic failure")
-	inner := errFailure.Subject("inner").
-		Withf("1").
-		Withf("1")
-	inner2 := errFailure.Subject("inner2").
-		Subject("action 2").
-		Withf("2").
-		Withf("2")
-	inner3 := errFailure.Subject("inner3").
-		Subject("action 3").
-		Withf("3").
-		Withf("3")
-	ne := errFailure.
-		Subject("foo").
-		Withf("bar").
-		Withf("baz").
-		With(inner).
-		With(inner.With(inner2.With(inner3)))
-	want := `foo: generic failure
-  • bar
-  • baz
-  • inner: generic failure
-    • 1
-    • 1
-  • inner: generic failure
-    • 1
-    • 1
-    • action 2 > inner2: generic failure
-      • 2
-      • 2
-      • action 3 > inner3: generic failure
-        • 3
-        • 3`
-	ExpectEqual(t, ne.Error(), want)
-}
--- a/internal/error/log.go
+++ b/internal/error/log.go
@@ -1,43 +0,0 @@
-package err
-
-import (
-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal/logging"
-)
-
-func getLogger(logger ...*zerolog.Logger) *zerolog.Logger {
-	if len(logger) > 0 {
-		return logger[0]
-	}
-	return logging.GetLogger()
-}
-
-//go:inline
-func LogFatal(msg string, err error, logger ...*zerolog.Logger) {
-	getLogger(logger...).Fatal().Msg(err.Error())
-}
-
-//go:inline
-func LogError(msg string, err error, logger ...*zerolog.Logger) {
-	getLogger(logger...).Error().Msg(err.Error())
-}
-
-//go:inline
-func LogWarn(msg string, err error, logger ...*zerolog.Logger) {
-	getLogger(logger...).Warn().Msg(err.Error())
-}
-
-//go:inline
-func LogPanic(msg string, err error, logger ...*zerolog.Logger) {
-	getLogger(logger...).Panic().Msg(err.Error())
-}
-
-//go:inline
-func LogInfo(msg string, err error, logger ...*zerolog.Logger) {
-	getLogger(logger...).Info().Msg(err.Error())
-}
-
-//go:inline
-func LogDebug(msg string, err error, logger ...*zerolog.Logger) {
-	getLogger(logger...).Debug().Msg(err.Error())
-}
--- a/internal/error/nested_error.go
+++ b/internal/error/nested_error.go
@@ -1,115 +0,0 @@
-package err
-
-import (
-	"errors"
-	"fmt"
-
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-//nolint:recvcheck
-type nestedError struct {
-	Err    error   `json:"err"`
-	Extras []error `json:"extras"`
-}
-
-func (err nestedError) Subject(subject string) Error {
-	if err.Err == nil {
-		err.Err = newError(subject)
-	} else {
-		err.Err = PrependSubject(subject, err.Err)
-	}
-	return &err
-}
-
-func (err *nestedError) Subjectf(format string, args ...any) Error {
-	if len(args) > 0 {
-		return err.Subject(fmt.Sprintf(format, args...))
-	}
-	return err.Subject(format)
-}
-
-func (err nestedError) With(extra error) Error {
-	if extra != nil {
-		err.Extras = append(err.Extras, extra)
-	}
-	return &err
-}
-
-func (err nestedError) Withf(format string, args ...any) Error {
-	if len(args) > 0 {
-		err.Extras = append(err.Extras, fmt.Errorf(format, args...))
-	} else {
-		err.Extras = append(err.Extras, newError(format))
-	}
-	return &err
-}
-
-func (err *nestedError) Unwrap() []error {
-	if err.Err == nil {
-		if len(err.Extras) == 0 {
-			return nil
-		}
-		return err.Extras
-	}
-	return append([]error{err.Err}, err.Extras...)
-}
-
-func (err *nestedError) Is(other error) bool {
-	if errors.Is(err.Err, other) {
-		return true
-	}
-	for _, e := range err.Extras {
-		if errors.Is(e, other) {
-			return true
-		}
-	}
-	return false
-}
-
-func (err *nestedError) Error() string {
-	if err == nil {
-		return makeLine("<nil>", 0)
-	}
-
-	lines := make([]string, 0, 1+len(err.Extras))
-	if err.Err != nil {
-		lines = append(lines, makeLine(err.Err.Error(), 0))
-	}
-	if extras := makeLines(err.Extras, 1); len(extras) > 0 {
-		lines = append(lines, extras...)
-	}
-	return strutils.JoinLines(lines)
-}
-
-//go:inline
-func makeLine(err string, level int) string {
-	const bulletPrefix = "• "
-	const spaces = "                "
-
-	if level == 0 {
-		return err
-	}
-	return spaces[:2*level] + bulletPrefix + err
-}
-
-func makeLines(errs []error, level int) []string {
-	if len(errs) == 0 {
-		return nil
-	}
-	lines := make([]string, 0, len(errs))
-	for _, err := range errs {
-		switch err := From(err).(type) {
-		case *nestedError:
-			if err.Err != nil {
-				lines = append(lines, makeLine(err.Err.Error(), level))
-			}
-			if extras := makeLines(err.Extras, level+1); len(extras) > 0 {
-				lines = append(lines, extras...)
-			}
-		default:
-			lines = append(lines, makeLine(err.Error(), level))
-		}
-	}
-	return lines
-}
--- a/internal/error/subject.go
+++ b/internal/error/subject.go
@@ -1,56 +0,0 @@
-package err
-
-import (
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
-)
-
-//nolint:errname
-type withSubject struct {
-	Subject string `json:"subject"`
-	Err     error  `json:"err"`
-}
-
-const subjectSep = " > "
-
-func highlight(subject string) string {
-	return ansi.HighlightRed + subject + ansi.Reset
-}
-
-func PrependSubject(subject string, err error) error {
-	if err == nil {
-		return nil
-	}
-
-	//nolint:errorlint
-	switch err := err.(type) {
-	case *withSubject:
-		return err.Prepend(subject)
-	case Error:
-		return err.Subject(subject)
-	}
-	return &withSubject{subject, err}
-}
-
-func (err *withSubject) Prepend(subject string) *withSubject {
-	clone := *err
-	if subject != "" {
-		clone.Subject = subject + subjectSep + clone.Subject
-	}
-	return &clone
-}
-
-func (err *withSubject) Is(other error) bool {
-	return err.Err == other
-}
-
-func (err *withSubject) Unwrap() error {
-	return err.Err
-}
-
-func (err *withSubject) Error() string {
-	subjects := strings.Split(err.Subject, subjectSep)
-	subjects[len(subjects)-1] = highlight(subjects[len(subjects)-1])
-	return strings.Join(subjects, subjectSep) + ": " + err.Err.Error()
-}
--- a/internal/error/utils.go
+++ b/internal/error/utils.go
@@ -1,74 +0,0 @@
-package err
-
-import (
-	"fmt"
-)
-
-func newError(message string) error {
-	return errStr(message)
-}
-
-func New(message string) Error {
-	if message == "" {
-		return nil
-	}
-	return &baseError{newError(message)}
-}
-
-func Errorf(format string, args ...any) Error {
-	return &baseError{fmt.Errorf(format, args...)}
-}
-
-func From(err error) Error {
-	if err == nil {
-		return nil
-	}
-	//nolint:errorlint
-	switch err := err.(type) {
-	case *baseError:
-		return err
-	case *nestedError:
-		return err
-	}
-	return &baseError{err}
-}
-
-func Must[T any](v T, err error) T {
-	if err != nil {
-		LogPanic("must failed", err)
-	}
-	return v
-}
-
-func Join(errors ...error) Error {
-	n := 0
-	for _, err := range errors {
-		if err != nil {
-			n++
-		}
-	}
-	if n == 0 {
-		return nil
-	}
-	errs := make([]error, n)
-	i := 0
-	for _, err := range errors {
-		if err != nil {
-			errs[i] = err
-			i++
-		}
-	}
-	return &nestedError{Extras: errs}
-}
-
-func Collect[T any, Err error, Arg any, Func func(Arg) (T, Err)](eb *Builder, fn Func, arg Arg) T {
-	result, err := fn(arg)
-	eb.Add(err)
-	return result
-}
-
-func Collect2[T any, Err error, Arg1 any, Arg2 any, Func func(Arg1, Arg2) (T, Err)](eb *Builder, fn Func, arg1 Arg1, arg2 Arg2) T {
-	result, err := fn(arg1, arg2)
-	eb.Add(err)
-	return result
-}
--- a/internal/homepage/categories.go
+++ b/internal/homepage/categories.go
@@ -1,64 +0,0 @@
-package homepage
-
-// PredefinedCategories by alias or docker image name.
-var PredefinedCategories = map[string]string{
-	"sonarr":       "Torrenting",
-	"radarr":       "Torrenting",
-	"bazarr":       "Torrenting",
-	"lidarr":       "Torrenting",
-	"readarr":      "Torrenting",
-	"prowlarr":     "Torrenting",
-	"watcharr":     "Torrenting",
-	"qbittorrent":  "Torrenting",
-	"qbit":         "Torrenting",
-	"qbt":          "Torrenting",
-	"transmission": "Torrenting",
-
-	"jellyfin":   "Media",
-	"jellyseerr": "Media",
-	"emby":       "Media",
-	"plex":       "Media",
-	"navidrome":  "Media",
-	"immich":     "Media",
-	"tautulli":   "Media",
-	"nextcloud":  "Media",
-	"invidious":  "Media",
-
-	"uptime":             "Monitoring",
-	"uptime-kuma":        "Monitoring",
-	"prometheus":         "Monitoring",
-	"grafana":            "Monitoring",
-	"netdata":            "Monitoring",
-	"changedetection.io": "Monitoring",
-	"changedetection":    "Monitoring",
-	"influxdb":           "Monitoring",
-	"influx":             "Monitoring",
-	"dozzle":             "Monitoring",
-
-	"adguardhome":  "Networking",
-	"adgh":         "Networking",
-	"adg":          "Networking",
-	"pihole":       "Networking",
-	"flaresolverr": "Networking",
-
-	"homebridge":     "Home Automation",
-	"home-assistant": "Home Automation",
-
-	"dockge":       "Container Management",
-	"portainer-ce": "Container Management",
-	"portainer-be": "Container Management",
-
-	"rss":        "RSS",
-	"rsshub":     "RSS",
-	"rss-bridge": "RSS",
-	"miniflux":   "RSS",
-	"freshrss":   "RSS",
-
-	"paperless":     "Documents",
-	"paperless-ngx": "Documents",
-	"s-pdf":         "Documents",
-
-	"minio":       "Storage",
-	"filebrowser": "Storage",
-	"rclone":      "Storage",
-}
--- a/internal/homepage/homepage.go
+++ b/internal/homepage/homepage.go
@@ -1,45 +0,0 @@
-package homepage
-
-type (
-	//nolint:recvcheck
-	Config   map[string]Category
-	Category []*Item
-
-	Item struct {
-		Show         bool           `json:"show"`
-		Name         string         `json:"name"` // display name
-		Icon         string         `json:"icon"`
-		URL          string         `json:"url"` // alias + domain
-		Category     string         `json:"category"`
-		Description  string         `json:"description" aliases:"desc"`
-		WidgetConfig map[string]any `json:"widget_config" aliases:"widget"`
-
-		Alias      string `json:"alias"` // proxy alias
-		SourceType string `json:"source_type"`
-		AltURL     string `json:"alt_url"` // original proxy target
-	}
-)
-
-func (item *Item) IsEmpty() bool {
-	return item == nil || (item.Name == "" &&
-		item.Icon == "" &&
-		item.URL == "" &&
-		item.Category == "" &&
-		item.Description == "" &&
-		len(item.WidgetConfig) == 0)
-}
-
-func NewHomePageConfig() Config {
-	return Config(make(map[string]Category))
-}
-
-func (c *Config) Clear() {
-	*c = make(Config)
-}
-
-func (c Config) Add(item *Item) {
-	if c[item.Category] == nil {
-		c[item.Category] = make(Category, 0)
-	}
-	c[item.Category] = append(c[item.Category], item)
-}
--- a/internal/list-icons.go
+++ b/internal/list-icons.go
@@ -1,101 +0,0 @@
-package internal
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-type GitHubContents struct { //! keep this, may reuse in future
-	Type string `json:"type"`
-	Path string `json:"path"`
-	Name string `json:"name"`
-	Sha  string `json:"sha"`
-	Size int    `json:"size"`
-}
-
-const (
-	iconsCachePath = "/tmp/icons_cache.json"
-	updateInterval = 1 * time.Hour
-)
-
-func ListAvailableIcons() ([]string, error) {
-	owner := "walkxcode"
-	repo := "dashboard-icons"
-	ref := "main"
-
-	var lastUpdate time.Time
-
-	icons := make([]string, 0)
-	info, err := os.Stat(iconsCachePath)
-	if err == nil {
-		lastUpdate = info.ModTime().Local()
-	}
-	if time.Since(lastUpdate) < updateInterval {
-		err := utils.LoadJSON(iconsCachePath, &icons)
-		if err == nil {
-			return icons, nil
-		}
-	}
-
-	contents, err := getRepoContents(http.DefaultClient, owner, repo, ref, "")
-	if err != nil {
-		return nil, err
-	}
-	for _, content := range contents {
-		if content.Type != "dir" {
-			icons = append(icons, content.Path)
-		}
-	}
-	err = utils.SaveJSON(iconsCachePath, &icons, 0o644)
-	if err != nil {
-		log.Print("error saving cache", err)
-	}
-	return icons, nil
-}
-
-func getRepoContents(client *http.Client, owner string, repo string, ref string, path string) ([]GitHubContents, error) {
-	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("https://api.github.com/repos/%s/%s/contents/%s?ref=%s", owner, repo, path, ref), nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/json")
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	var contents []GitHubContents
-	err = json.Unmarshal(body, &contents)
-	if err != nil {
-		return nil, err
-	}
-
-	filesAndDirs := make([]GitHubContents, 0)
-	for _, content := range contents {
-		if content.Type == "dir" {
-			subContents, err := getRepoContents(client, owner, repo, ref, content.Path)
-			if err != nil {
-				return nil, err
-			}
-			filesAndDirs = append(filesAndDirs, subContents...)
-		} else {
-			filesAndDirs = append(filesAndDirs, content)
-		}
-	}
-
-	return filesAndDirs, nil
-}
--- a/internal/logging/logging.go
+++ b/internal/logging/logging.go
@@ -1,72 +0,0 @@
-//nolint:zerologlint
-package logging
-
-import (
-	"os"
-	"strings"
-
-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-var logger zerolog.Logger
-
-func init() {
-	var timeFmt string
-	var level zerolog.Level
-	var exclude []string
-
-	switch {
-	case common.IsTrace:
-		timeFmt = "04:05"
-		level = zerolog.TraceLevel
-	case common.IsDebug:
-		timeFmt = "01-02 15:04"
-		level = zerolog.DebugLevel
-	default:
-		timeFmt = "01-02 15:04"
-		level = zerolog.InfoLevel
-		exclude = []string{"module"}
-	}
-
-	prefixLength := len(timeFmt) + 5 // level takes 3 + 2 spaces
-	prefix := strings.Repeat(" ", prefixLength)
-
-	logger = zerolog.New(
-		zerolog.ConsoleWriter{
-			Out:           os.Stderr,
-			TimeFormat:    timeFmt,
-			FieldsExclude: exclude,
-			FormatMessage: func(msgI interface{}) string { // pad spaces for each line
-				msg := msgI.(string)
-				lines := strutils.SplitRune(msg, '\n')
-				if len(lines) == 1 {
-					return msg
-				}
-				for i := 1; i < len(lines); i++ {
-					lines[i] = prefix + lines[i]
-				}
-				return strutils.JoinRune(lines, '\n')
-			},
-		},
-	).Level(level).With().Timestamp().Logger()
-}
-
-func DiscardLogger() { zerolog.SetGlobalLevel(zerolog.Disabled) }
-
-func AddHook(h zerolog.Hook) { logger = logger.Hook(h) }
-
-func GetLogger() *zerolog.Logger { return &logger }
-func With() zerolog.Context      { return logger.With() }
-
-func WithLevel(level zerolog.Level) *zerolog.Event { return logger.WithLevel(level) }
-
-func Info() *zerolog.Event         { return logger.Info() }
-func Warn() *zerolog.Event         { return logger.Warn() }
-func Error() *zerolog.Event        { return logger.Error() }
-func Err(err error) *zerolog.Event { return logger.Err(err) }
-func Debug() *zerolog.Event        { return logger.Debug() }
-func Fatal() *zerolog.Event        { return logger.Fatal() }
-func Panic() *zerolog.Event        { return logger.Panic() }
-func Trace() *zerolog.Event        { return logger.Trace() }
--- a/internal/metrics/http_handler.go
+++ b/internal/metrics/http_handler.go
@@ -1,13 +0,0 @@
-package metrics
-
-import (
-	"net/http"
-
-	"github.com/prometheus/client_golang/prometheus/promhttp"
-)
-
-func NewHandler() http.Handler {
-	mux := http.NewServeMux()
-	mux.Handle("/metrics", promhttp.Handler())
-	return mux
-}
--- a/internal/metrics/labels.go
+++ b/internal/metrics/labels.go
@@ -1,36 +0,0 @@
-package metrics
-
-import "github.com/prometheus/client_golang/prometheus"
-
-type (
-	HTTPRouteMetricLabels struct {
-		Service, Method, Host, Visitor, Path string
-	}
-	StreamRouteMetricLabels struct {
-		Service, Visitor string
-	}
-	HealthMetricLabels string
-)
-
-func (lbl *HTTPRouteMetricLabels) toPromLabels() prometheus.Labels {
-	return prometheus.Labels{
-		"service": lbl.Service,
-		"method":  lbl.Method,
-		"host":    lbl.Host,
-		"visitor": lbl.Visitor,
-		"path":    lbl.Path,
-	}
-}
-
-func (lbl *StreamRouteMetricLabels) toPromLabels() prometheus.Labels {
-	return prometheus.Labels{
-		"service": lbl.Service,
-		"visitor": lbl.Visitor,
-	}
-}
-
-func (lbl HealthMetricLabels) toPromLabels() prometheus.Labels {
-	return prometheus.Labels{
-		"service": string(lbl),
-	}
-}
--- a/internal/metrics/metric.go
+++ b/internal/metrics/metric.go
@@ -1,89 +0,0 @@
-package metrics
-
-import "github.com/prometheus/client_golang/prometheus"
-
-type (
-	Counter struct {
-		mv        *prometheus.CounterVec
-		collector prometheus.Counter
-	}
-	Gauge struct {
-		mv        *prometheus.GaugeVec
-		collector prometheus.Gauge
-	}
-	Labels interface {
-		toPromLabels() prometheus.Labels
-	}
-)
-
-func NewCounter(opts prometheus.CounterOpts, labels ...string) *Counter {
-	m := &Counter{
-		mv: prometheus.NewCounterVec(opts, labels),
-	}
-	if len(labels) == 0 {
-		m.collector = m.mv.WithLabelValues()
-		m.collector.Add(0)
-	}
-	prometheus.MustRegister(m)
-	return m
-}
-
-func NewGauge(opts prometheus.GaugeOpts, labels ...string) *Gauge {
-	m := &Gauge{
-		mv: prometheus.NewGaugeVec(opts, labels),
-	}
-	if len(labels) == 0 {
-		m.collector = m.mv.WithLabelValues()
-		m.collector.Set(0)
-	}
-	prometheus.MustRegister(m)
-	return m
-}
-
-func (c *Counter) Collect(ch chan<- prometheus.Metric) {
-	c.mv.Collect(ch)
-}
-
-func (c *Counter) Describe(ch chan<- *prometheus.Desc) {
-	c.mv.Describe(ch)
-}
-
-func (c *Counter) Inc() {
-	c.collector.Inc()
-}
-
-func (c *Counter) With(l Labels) *Counter {
-	return &Counter{mv: c.mv, collector: c.mv.With(l.toPromLabels())}
-}
-
-func (c *Counter) Delete(l Labels) {
-	c.mv.Delete(l.toPromLabels())
-}
-
-func (c *Counter) Reset() {
-	c.mv.Reset()
-}
-
-func (g *Gauge) Collect(ch chan<- prometheus.Metric) {
-	g.mv.Collect(ch)
-}
-
-func (g *Gauge) Describe(ch chan<- *prometheus.Desc) {
-	g.mv.Describe(ch)
-}
-
-func (g *Gauge) Set(v float64) {
-	g.collector.Set(v)
-}
-
-func (g *Gauge) With(l Labels) *Gauge {
-	return &Gauge{mv: g.mv, collector: g.mv.With(l.toPromLabels())}
-}
-
-func (g *Gauge) Delete(l Labels) {
-	g.mv.Delete(l.toPromLabels())
-}
-
-func (g *Gauge) Reset() {
-	g.mv.Reset()
-}
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -1,105 +0,0 @@
-package metrics
-
-import (
-	"strings"
-
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-type (
-	RouteMetrics struct {
-		HTTPReqTotal,
-		HTTP2xx3xx,
-		HTTP4xx,
-		HTTP5xx *Counter
-		HTTPReqElapsed *Gauge
-	}
-
-	ServiceMetrics struct {
-		HealthStatus *Gauge
-	}
-)
-
-var (
-	rm RouteMetrics
-	sm ServiceMetrics
-)
-
-const (
-	routerNamespace     = "router"
-	routerHTTPSubsystem = "http"
-
-	serviceNamespace = "service"
-)
-
-func GetRouteMetrics() *RouteMetrics {
-	return &rm
-}
-
-func GetServiceMetrics() *ServiceMetrics {
-	return &sm
-}
-
-func (rm *RouteMetrics) UnregisterService(service string) {
-	lbls := &HTTPRouteMetricLabels{Service: service}
-	rm.HTTP2xx3xx.Delete(lbls)
-	rm.HTTP4xx.Delete(lbls)
-	rm.HTTP5xx.Delete(lbls)
-	rm.HTTPReqElapsed.Delete(lbls)
-}
-
-func init() {
-	if !common.PrometheusEnabled {
-		return
-	}
-	initRouteMetrics()
-	initServiceMetrics()
-}
-
-func initRouteMetrics() {
-	lbls := []string{"service", "method", "host", "visitor", "path"}
-	partitionsHelp := ", partitioned by " + strings.Join(lbls, ", ")
-	rm = RouteMetrics{
-		HTTPReqTotal: NewCounter(prometheus.CounterOpts{
-			Namespace: routerNamespace,
-			Subsystem: routerHTTPSubsystem,
-			Name:      "req_total",
-			Help:      "How many requests processed in total",
-		}),
-		HTTP2xx3xx: NewCounter(prometheus.CounterOpts{
-			Namespace: routerNamespace,
-			Subsystem: routerHTTPSubsystem,
-			Name:      "req_ok_count",
-			Help:      "How many 2xx-3xx requests processed" + partitionsHelp,
-		}, lbls...),
-		HTTP4xx: NewCounter(prometheus.CounterOpts{
-			Namespace: routerNamespace,
-			Subsystem: routerHTTPSubsystem,
-			Name:      "req_4xx_count",
-			Help:      "How many 4xx requests processed" + partitionsHelp,
-		}, lbls...),
-		HTTP5xx: NewCounter(prometheus.CounterOpts{
-			Namespace: routerNamespace,
-			Subsystem: routerHTTPSubsystem,
-			Name:      "req_5xx_count",
-			Help:      "How many 5xx requests processed" + partitionsHelp,
-		}, lbls...),
-		HTTPReqElapsed: NewGauge(prometheus.GaugeOpts{
-			Namespace: routerNamespace,
-			Subsystem: routerHTTPSubsystem,
-			Name:      "req_elapsed_ms",
-			Help:      "How long it took to process the request and respond a status code" + partitionsHelp,
-		}, lbls...),
-	}
-}
-
-func initServiceMetrics() {
-	sm = ServiceMetrics{
-		HealthStatus: NewGauge(prometheus.GaugeOpts{
-			Namespace: serviceNamespace,
-			Name:      "health_status",
-			Help:      "The health status of the router by service",
-		}, "service"),
-	}
-}
--- a/internal/metrics/router_metrics.go
+++ b/internal/metrics/router_metrics.go
@@ -1,26 +0,0 @@
-package metrics
-
-import (
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-func InitRouterMetrics(getRPsCount func() int, getStreamsCount func() int) {
-	if !common.PrometheusEnabled {
-		return
-	}
-	prometheus.MustRegister(prometheus.NewGaugeFunc(prometheus.GaugeOpts{
-		Namespace: "entrypoint",
-		Name:      "num_reverse_proxies",
-		Help:      "The number of reverse proxies",
-	}, func() float64 {
-		return float64(getRPsCount())
-	}))
-	prometheus.MustRegister(prometheus.NewGaugeFunc(prometheus.GaugeOpts{
-		Namespace: "entrypoint",
-		Name:      "num_streams",
-		Help:      "The number of streams",
-	}, func() float64 {
-		return float64(getStreamsCount())
-	}))
-}
--- a/internal/net/http/accesslog/access_logger.go
+++ b/internal/net/http/accesslog/access_logger.go
@@ -1,174 +0,0 @@
-package accesslog
-
-import (
-	"bytes"
-	"io"
-	"net/http"
-	"sync"
-	"time"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/task"
-)
-
-type (
-	AccessLogger struct {
-		task *task.Task
-		cfg  *Config
-		io   AccessLogIO
-
-		buf     bytes.Buffer // buffer for non-flushed log
-		bufMu   sync.Mutex   // protect buf
-		bufPool sync.Pool    // buffer pool for formatting a single log line
-
-		flushThreshold int
-
-		Formatter
-	}
-
-	AccessLogIO interface {
-		io.ReadWriteCloser
-		io.ReadWriteSeeker
-		io.ReaderAt
-		sync.Locker
-		Name() string // file name or path
-		Truncate(size int64) error
-	}
-
-	Formatter interface {
-		// Format writes a log line to line without a trailing newline
-		Format(line *bytes.Buffer, req *http.Request, res *http.Response)
-		SetGetTimeNow(getTimeNow func() time.Time)
-	}
-)
-
-var logger = logging.With().Str("module", "accesslog").Logger()
-
-func NewAccessLogger(parent task.Parent, io AccessLogIO, cfg *Config) *AccessLogger {
-	l := &AccessLogger{
-		task: parent.Subtask("accesslog"),
-		cfg:  cfg,
-		io:   io,
-	}
-	if cfg.BufferSize < 1024 {
-		cfg.BufferSize = DefaultBufferSize
-	}
-
-	fmt := CommonFormatter{cfg: &l.cfg.Fields, GetTimeNow: time.Now}
-	switch l.cfg.Format {
-	case FormatCommon:
-		l.Formatter = &fmt
-	case FormatCombined:
-		l.Formatter = &CombinedFormatter{fmt}
-	case FormatJSON:
-		l.Formatter = &JSONFormatter{fmt}
-	default: // should not happen, validation has done by validate tags
-		panic("invalid access log format")
-	}
-
-	l.flushThreshold = int(cfg.BufferSize * 4 / 5) // 80%
-	l.buf.Grow(int(cfg.BufferSize))
-	l.bufPool.New = func() any {
-		return new(bytes.Buffer)
-	}
-	go l.start()
-	return l
-}
-
-func (l *AccessLogger) checkKeep(req *http.Request, res *http.Response) bool {
-	if !l.cfg.Filters.StatusCodes.CheckKeep(req, res) ||
-		!l.cfg.Filters.Method.CheckKeep(req, res) ||
-		!l.cfg.Filters.Headers.CheckKeep(req, res) ||
-		!l.cfg.Filters.CIDR.CheckKeep(req, res) {
-		return false
-	}
-	return true
-}
-
-func (l *AccessLogger) Log(req *http.Request, res *http.Response) {
-	if !l.checkKeep(req, res) {
-		return
-	}
-
-	line := l.bufPool.Get().(*bytes.Buffer)
-	l.Format(line, req, res)
-	line.WriteRune('\n')
-
-	l.bufMu.Lock()
-	l.buf.Write(line.Bytes())
-	line.Reset()
-	l.bufPool.Put(line)
-	l.bufMu.Unlock()
-}
-
-func (l *AccessLogger) LogError(req *http.Request, err error) {
-	l.Log(req, &http.Response{StatusCode: http.StatusInternalServerError, Status: err.Error()})
-}
-
-func (l *AccessLogger) Config() *Config {
-	return l.cfg
-}
-
-func (l *AccessLogger) Rotate() error {
-	if l.cfg.Retention == nil {
-		return nil
-	}
-	l.io.Lock()
-	defer l.io.Unlock()
-
-	return l.cfg.Retention.rotateLogFile(l.io)
-}
-
-func (l *AccessLogger) Flush(force bool) {
-	if l.buf.Len() == 0 {
-		return
-	}
-	if force || l.buf.Len() >= l.flushThreshold {
-		l.bufMu.Lock()
-		l.write(l.buf.Bytes())
-		l.buf.Reset()
-		l.bufMu.Unlock()
-		logger.Debug().Msg("access log flushed to " + l.io.Name())
-	}
-}
-
-func (l *AccessLogger) handleErr(err error) {
-	E.LogError("failed to write access log", err, &logger)
-}
-
-func (l *AccessLogger) start() {
-	defer func() {
-		if l.buf.Len() > 0 { // flush last
-			l.write(l.buf.Bytes())
-		}
-		l.io.Close()
-		l.task.Finish(nil)
-	}()
-
-	// periodic flush + threshold flush
-	periodic := time.NewTicker(5 * time.Second)
-	threshold := time.NewTicker(time.Second)
-	defer periodic.Stop()
-	defer threshold.Stop()
-
-	for {
-		select {
-		case <-l.task.Context().Done():
-			return
-		case <-periodic.C:
-			l.Flush(true)
-		case <-threshold.C:
-			l.Flush(false)
-		}
-	}
-}
-
-func (l *AccessLogger) write(data []byte) {
-	l.io.Lock() // prevent concurrent write, i.e. log rotation, other access loggers
-	_, err := l.io.Write(data)
-	l.io.Unlock()
-	if err != nil {
-		l.handleErr(err)
-	}
-}
--- a/internal/net/http/accesslog/access_logger_test.go
+++ b/internal/net/http/accesslog/access_logger_test.go
@@ -1,128 +0,0 @@
-package accesslog_test
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"testing"
-	"time"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	. "github.com/yusing/go-proxy/internal/net/http/accesslog"
-	"github.com/yusing/go-proxy/internal/task"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-)
-
-const (
-	remote        = "192.168.1.1"
-	host          = "example.com"
-	uri           = "/?bar=baz&foo=bar"
-	uriRedacted   = "/?bar=" + RedactedValue + "&foo=" + RedactedValue
-	referer       = "https://www.google.com/"
-	proto         = "HTTP/1.1"
-	ua            = "Go-http-client/1.1"
-	status        = http.StatusOK
-	contentLength = 100
-	method        = http.MethodGet
-)
-
-var (
-	testTask = task.RootTask("test", false)
-	testURL  = E.Must(url.Parse("http://" + host + uri))
-	req      = &http.Request{
-		RemoteAddr: remote,
-		Method:     method,
-		Proto:      proto,
-		Host:       testURL.Host,
-		URL:        testURL,
-		Header: http.Header{
-			"User-Agent": []string{ua},
-			"Referer":    []string{referer},
-			"Cookie": []string{
-				"foo=bar",
-				"bar=baz",
-			},
-		},
-	}
-	resp = &http.Response{
-		StatusCode:    status,
-		ContentLength: contentLength,
-		Header:        http.Header{"Content-Type": []string{"text/plain"}},
-	}
-)
-
-func fmtLog(cfg *Config) (ts string, line string) {
-	var buf bytes.Buffer
-
-	t := time.Now()
-	logger := NewAccessLogger(testTask, nil, cfg)
-	logger.Formatter.SetGetTimeNow(func() time.Time {
-		return t
-	})
-	logger.Format(&buf, req, resp)
-	return t.Format(LogTimeFormat), buf.String()
-}
-
-func TestAccessLoggerCommon(t *testing.T) {
-	config := DefaultConfig()
-	config.Format = FormatCommon
-	ts, log := fmtLog(config)
-	ExpectEqual(t, log,
-		fmt.Sprintf("%s %s - - [%s] \"%s %s %s\" %d %d",
-			host, remote, ts, method, uri, proto, status, contentLength,
-		),
-	)
-}
-
-func TestAccessLoggerCombined(t *testing.T) {
-	config := DefaultConfig()
-	config.Format = FormatCombined
-	ts, log := fmtLog(config)
-	ExpectEqual(t, log,
-		fmt.Sprintf("%s %s - - [%s] \"%s %s %s\" %d %d \"%s\" \"%s\"",
-			host, remote, ts, method, uri, proto, status, contentLength, referer, ua,
-		),
-	)
-}
-
-func TestAccessLoggerRedactQuery(t *testing.T) {
-	config := DefaultConfig()
-	config.Format = FormatCommon
-	config.Fields.Query.Default = FieldModeRedact
-	ts, log := fmtLog(config)
-	ExpectEqual(t, log,
-		fmt.Sprintf("%s %s - - [%s] \"%s %s %s\" %d %d",
-			host, remote, ts, method, uriRedacted, proto, status, contentLength,
-		),
-	)
-}
-
-func getJSONEntry(t *testing.T, config *Config) JSONLogEntry {
-	t.Helper()
-	config.Format = FormatJSON
-	var entry JSONLogEntry
-	_, log := fmtLog(config)
-	err := json.Unmarshal([]byte(log), &entry)
-	ExpectNoError(t, err)
-	return entry
-}
-
-func TestAccessLoggerJSON(t *testing.T) {
-	config := DefaultConfig()
-	entry := getJSONEntry(t, config)
-	ExpectEqual(t, entry.IP, remote)
-	ExpectEqual(t, entry.Method, method)
-	ExpectEqual(t, entry.Scheme, "http")
-	ExpectEqual(t, entry.Host, testURL.Host)
-	ExpectEqual(t, entry.URI, testURL.RequestURI())
-	ExpectEqual(t, entry.Protocol, proto)
-	ExpectEqual(t, entry.Status, status)
-	ExpectEqual(t, entry.ContentType, "text/plain")
-	ExpectEqual(t, entry.Size, contentLength)
-	ExpectEqual(t, entry.Referer, referer)
-	ExpectEqual(t, entry.UserAgent, ua)
-	ExpectEqual(t, len(entry.Headers), 0)
-	ExpectEqual(t, len(entry.Cookies), 0)
-}
--- a/internal/net/http/accesslog/config.go
+++ b/internal/net/http/accesslog/config.go
@@ -1,57 +0,0 @@
-package accesslog
-
-import "github.com/yusing/go-proxy/internal/utils"
-
-type (
-	Format  string
-	Filters struct {
-		StatusCodes LogFilter[*StatusCodeRange] `json:"status_codes"`
-		Method      LogFilter[HTTPMethod]       `json:"method"`
-		Host        LogFilter[Host]             `json:"host"`
-		Headers     LogFilter[*HTTPHeader]      `json:"headers"` // header exists or header == value
-		CIDR        LogFilter[*CIDR]            `json:"cidr"`
-	}
-	Fields struct {
-		Headers FieldConfig `json:"headers"`
-		Query   FieldConfig `json:"query"`
-		Cookies FieldConfig `json:"cookies"`
-	}
-	Config struct {
-		BufferSize uint       `json:"buffer_size" validate:"gte=1"`
-		Format     Format     `json:"format" validate:"oneof=common combined json"`
-		Path       string     `json:"path" validate:"required"`
-		Filters    Filters    `json:"filters"`
-		Fields     Fields     `json:"fields"`
-		Retention  *Retention `json:"retention"`
-	}
-)
-
-var (
-	FormatCommon   Format = "common"
-	FormatCombined Format = "combined"
-	FormatJSON     Format = "json"
-)
-
-const DefaultBufferSize = 64 * 1024 // 64KB
-
-func DefaultConfig() *Config {
-	return &Config{
-		BufferSize: DefaultBufferSize,
-		Format:     FormatCombined,
-		Fields: Fields{
-			Headers: FieldConfig{
-				Default: FieldModeDrop,
-			},
-			Query: FieldConfig{
-				Default: FieldModeKeep,
-			},
-			Cookies: FieldConfig{
-				Default: FieldModeDrop,
-			},
-		},
-	}
-}
-
-func init() {
-	utils.RegisterDefaultValueFactory(DefaultConfig)
-}
--- a/internal/net/http/accesslog/config_test.go
+++ b/internal/net/http/accesslog/config_test.go
@@ -1,53 +0,0 @@
-package accesslog_test
-
-import (
-	"testing"
-
-	"github.com/yusing/go-proxy/internal/docker"
-	. "github.com/yusing/go-proxy/internal/net/http/accesslog"
-	"github.com/yusing/go-proxy/internal/utils"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-)
-
-func TestNewConfig(t *testing.T) {
-	labels := map[string]string{
-		"proxy.buffer_size":                 "10",
-		"proxy.format":                      "combined",
-		"proxy.path":                        "/tmp/access.log",
-		"proxy.filters.status_codes.values": "200-299",
-		"proxy.filters.method.values":       "GET, POST",
-		"proxy.filters.headers.values":      "foo=bar, baz",
-		"proxy.filters.headers.negative":    "true",
-		"proxy.filters.cidr.values":         "192.168.10.0/24",
-		"proxy.fields.headers.default":      "keep",
-		"proxy.fields.headers.config.foo":   "redact",
-		"proxy.fields.query.default":        "drop",
-		"proxy.fields.query.config.foo":     "keep",
-		"proxy.fields.cookies.default":      "redact",
-		"proxy.fields.cookies.config.foo":   "keep",
-	}
-	parsed, err := docker.ParseLabels(labels)
-	ExpectNoError(t, err)
-
-	var config Config
-	err = utils.Deserialize(parsed, &config)
-	ExpectNoError(t, err)
-
-	ExpectEqual(t, config.BufferSize, 10)
-	ExpectEqual(t, config.Format, FormatCombined)
-	ExpectEqual(t, config.Path, "/tmp/access.log")
-	ExpectDeepEqual(t, config.Filters.StatusCodes.Values, []*StatusCodeRange{{Start: 200, End: 299}})
-	ExpectEqual(t, len(config.Filters.Method.Values), 2)
-	ExpectDeepEqual(t, config.Filters.Method.Values, []HTTPMethod{"GET", "POST"})
-	ExpectEqual(t, len(config.Filters.Headers.Values), 2)
-	ExpectDeepEqual(t, config.Filters.Headers.Values, []*HTTPHeader{{Key: "foo", Value: "bar"}, {Key: "baz", Value: ""}})
-	ExpectTrue(t, config.Filters.Headers.Negative)
-	ExpectEqual(t, len(config.Filters.CIDR.Values), 1)
-	ExpectEqual(t, config.Filters.CIDR.Values[0].String(), "192.168.10.0/24")
-	ExpectEqual(t, config.Fields.Headers.Default, FieldModeKeep)
-	ExpectEqual(t, config.Fields.Headers.Config["foo"], FieldModeRedact)
-	ExpectEqual(t, config.Fields.Query.Default, FieldModeDrop)
-	ExpectEqual(t, config.Fields.Query.Config["foo"], FieldModeKeep)
-	ExpectEqual(t, config.Fields.Cookies.Default, FieldModeRedact)
-	ExpectEqual(t, config.Fields.Cookies.Config["foo"], FieldModeKeep)
-}
--- a/internal/net/http/accesslog/fields.go
+++ b/internal/net/http/accesslog/fields.go
@@ -1,103 +0,0 @@
-package accesslog
-
-import (
-	"net/http"
-	"net/url"
-)
-
-type (
-	FieldConfig struct {
-		Default FieldMode            `json:"default" validate:"oneof=keep drop redact"`
-		Config  map[string]FieldMode `json:"config" validate:"dive,oneof=keep drop redact"`
-	}
-	FieldMode string
-)
-
-const (
-	FieldModeKeep   FieldMode = "keep"
-	FieldModeDrop   FieldMode = "drop"
-	FieldModeRedact FieldMode = "redact"
-
-	RedactedValue = "REDACTED"
-)
-
-func processMap[V any](cfg *FieldConfig, m map[string]V, redactedV V) map[string]V {
-	if len(cfg.Config) == 0 {
-		switch cfg.Default {
-		case FieldModeKeep:
-			return m
-		case FieldModeDrop:
-			return nil
-		case FieldModeRedact:
-			redacted := make(map[string]V)
-			for k := range m {
-				redacted[k] = redactedV
-			}
-			return redacted
-		}
-	}
-
-	if len(m) == 0 {
-		return m
-	}
-
-	newMap := make(map[string]V, len(m))
-	for k := range m {
-		var mode FieldMode
-		var ok bool
-		if mode, ok = cfg.Config[k]; !ok {
-			mode = cfg.Default
-		}
-		switch mode {
-		case FieldModeKeep:
-			newMap[k] = m[k]
-		case FieldModeRedact:
-			newMap[k] = redactedV
-		}
-	}
-	return newMap
-}
-
-func processSlice[V any, VReturn any](cfg *FieldConfig, s []V, getKey func(V) string, convert func(V) VReturn, redact func(V) VReturn) map[string]VReturn {
-	if len(s) == 0 ||
-		len(cfg.Config) == 0 && cfg.Default == FieldModeDrop {
-		return nil
-	}
-	newMap := make(map[string]VReturn, len(s))
-	for _, v := range s {
-		var mode FieldMode
-		var ok bool
-		k := getKey(v)
-		if mode, ok = cfg.Config[k]; !ok {
-			mode = cfg.Default
-		}
-		switch mode {
-		case FieldModeKeep:
-			newMap[k] = convert(v)
-		case FieldModeRedact:
-			newMap[k] = redact(v)
-		}
-	}
-	return newMap
-}
-
-func (cfg *FieldConfig) ProcessHeaders(headers http.Header) http.Header {
-	return processMap(cfg, headers, []string{RedactedValue})
-}
-
-func (cfg *FieldConfig) ProcessQuery(q url.Values) url.Values {
-	return processMap(cfg, q, []string{RedactedValue})
-}
-
-func (cfg *FieldConfig) ProcessCookies(cookies []*http.Cookie) map[string]string {
-	return processSlice(cfg, cookies,
-		func(c *http.Cookie) string {
-			return c.Name
-		},
-		func(c *http.Cookie) string {
-			return c.Value
-		},
-		func(c *http.Cookie) string {
-			return RedactedValue
-		})
-}
--- a/Show More
+++ b/Show More